Improve optional 64-bit NIST-P224 implementation, and add NIST-P256 and
authorBodo Möller <bodo@openssl.org>
Tue, 18 Oct 2011 19:43:16 +0000 (19:43 +0000)
committerBodo Möller <bodo@openssl.org>
Tue, 18 Oct 2011 19:43:16 +0000 (19:43 +0000)
NIST-P521. (Now -DEC_NISTP_64_GCC_128 enables all three of these;
-DEC_NISTP224_64_GCC_128 no longer works.)

Submitted by: Google Inc.

CHANGES
crypto/ec/Makefile
crypto/ec/ec.h
crypto/ec/ec_curve.c
crypto/ec/ec_err.c
crypto/ec/ec_lcl.h
crypto/ec/ecp_nistp224.c
crypto/ec/ecp_nistp256.c [new file with mode: 0644]
crypto/ec/ecp_nistp521.c [new file with mode: 0644]
crypto/ec/ecp_nistputil.c [new file with mode: 0644]
crypto/ec/ectest.c

diff --git a/CHANGES b/CHANGES
index cab7143..6c6b9d7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
   
  Changes between 1.0.0f and 1.0.1  [xx XXX xxxx]
 
+  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
+     NIST-P256, NIST-P521, with constant-time single point multiplication on
+     typical inputs. Compiler support for the nonstandard type __uint128_t is
+     required to use this. Code made available under Apache License version 2.0.
+
+     To include this in your build of OpenSSL, use -DEC_NISTP_64_GCC_128 on
+     the Configure (or config) command line, and run "make depend" (or "make
+     update"). This enables the following EC_METHODs:
+
+         EC_GFp_nistp224_method()
+         EC_GFp_nistp256_method()
+         EC_GFp_nistp521_method()
+
+     EC_GROUP_new_by_curve_name() will automatically use these (while
+     EC_GROUP_new_curve_GFp() currently prefers the more flexible
+     implementations).
+     [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
+
   *) Use type ossl_ssize_t instad of ssize_t which isn't available on
      all platforms. Move ssize_t definition from e_os.h to the public
      header file e_os2.h as it now appears in public header file cms.h
   *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
      [Steve Henson]
 
-  *) Add EC_GFp_nistp224_method(), a 64-bit optimized implementation for
-     elliptic curve NIST-P224 with constant-time single point multiplication on
-     typical inputs.  EC_GROUP_new_by_curve_name() will automatically use this
-     (while EC_GROUP_new_curve_GFp() currently won't and prefers the more
-     flexible implementations).
-
-     The implementation requires support for the nonstandard type __uint128_t,
-     and so is disabled by default.  To include this in your build of OpenSSL,
-     use -DEC_NISTP224_64_GCC_128 on the Configure (or config) command line,
-     and run "make depend" (or "make update").
-     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
-
   *) Permit abbreviated handshakes when renegotiating using the function
      SSL_renegotiate_abbreviated().
      [Robin Seggelmann <seggelmann@fh-muenster.de>]
index 4026247..3eb04c0 100644 (file)
@@ -20,12 +20,14 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=        ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c\
        ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c\
        ec2_smpl.c ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c \
-       ecp_nistp224.c ecp_oct.c ec2_oct.c ec_oct.c
+       ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \
+       ecp_oct.c ec2_oct.c ec_oct.c
 
 LIBOBJ=        ec_lib.o ecp_smpl.o ecp_mont.o ecp_nist.o ec_cvt.o ec_mult.o\
        ec_err.o ec_curve.o ec_check.o ec_print.o ec_asn1.o ec_key.o\
        ec2_smpl.o ec2_mult.o ec_ameth.o ec_pmeth.o eck_prn.o \
-       ecp_nistp224.o ecp_oct.o ec2_oct.o ec_oct.o
+       ecp_nistp224.o ecp_nistp256.o ecp_nistp521.o ecp_nistputil.o \
+       ecp_oct.o ec2_oct.o ec_oct.o
 
 SRC= $(LIBSRC)
 
@@ -240,6 +242,9 @@ ecp_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ecp_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 ecp_nist.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_nist.c
 ecp_nistp224.o: ../../include/openssl/opensslconf.h ecp_nistp224.c
+ecp_nistp256.o: ../../include/openssl/opensslconf.h ecp_nistp256.c
+ecp_nistp521.o: ../../include/openssl/opensslconf.h ecp_nistp521.c
+ecp_nistputil.o: ../../include/openssl/opensslconf.h ecp_nistputil.c
 ecp_oct.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ecp_oct.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ecp_oct.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
index 0a380d6..1f46b52 100644 (file)
@@ -151,12 +151,22 @@ const EC_METHOD *EC_GFp_mont_method(void);
  */
 const EC_METHOD *EC_GFp_nist_method(void);
 
-#ifndef OPENSSL_NO_EC_NISTP224_64_GCC_128
+#ifdef EC_NISTP_64_GCC_128
+#ifndef OPENSSL_SYS_WIN32
 /** Returns 64-bit optimized methods for nistp224
  *  \return  EC_METHOD object
  */
-#ifndef OPENSSL_SYS_WIN32
 const EC_METHOD *EC_GFp_nistp224_method(void);
+
+/** Returns 64-bit optimized methods for nistp256
+ *  \return  EC_METHOD object
+ */
+const EC_METHOD *EC_GFp_nistp256_method(void);
+
+/** Returns 64-bit optimized methods for nistp521
+ *  \return  EC_METHOD object
+ */
+const EC_METHOD *EC_GFp_nistp521_method(void);
 #endif
 #endif
 
@@ -1005,6 +1015,12 @@ void ERR_load_EC_strings(void);
 #define EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE            225
 #define EC_F_EC_GFP_NISTP224_POINTS_MUL                         228
 #define EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES 226
+#define EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE            230
+#define EC_F_EC_GFP_NISTP256_POINTS_MUL                         231
+#define EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES 232
+#define EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE            233
+#define EC_F_EC_GFP_NISTP521_POINTS_MUL                         234
+#define EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES 235
 #define EC_F_EC_GFP_NIST_FIELD_MUL                      200
 #define EC_F_EC_GFP_NIST_FIELD_SQR                      201
 #define EC_F_EC_GFP_NIST_GROUP_SET_CURVE                202
@@ -1079,6 +1095,8 @@ void ERR_load_EC_strings(void);
 #define EC_F_I2D_ECPRIVATEKEY                           192
 #define EC_F_I2O_ECPUBLICKEY                            151
 #define EC_F_NISTP224_PRE_COMP_NEW                      227
+#define EC_F_NISTP256_PRE_COMP_NEW                      236
+#define EC_F_NISTP521_PRE_COMP_NEW                      237
 #define EC_F_O2I_ECPUBLICKEY                            152
 #define EC_F_OLD_EC_PRIV_DECODE                                 222
 #define EC_F_PKEY_EC_CTRL                               197
index a51a545..f8722f8 100644 (file)
@@ -1903,16 +1903,19 @@ static const ec_list_element curve_list[] = {
        /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
        { NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field" },
        { NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field" },
-#ifdef EC_NISTP224_64_GCC_128
-        { NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field,\n"
-         "\t\t64-bit optimized implementation." },
+#ifdef EC_NISTP_64_GCC_128
+       { NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field" },
 #else
        { NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field" },
 #endif
        { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" },
        /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
        { NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
+#ifdef EC_NISTP_64_GCC_128
+       { NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" },
+#else
        { NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" },
+#endif
        /* X9.62 curves */
        { NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, "NIST/X9.62/SECG curve over a 192 bit prime field" },
        { NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, "X9.62 curve over a 192 bit prime field" },
@@ -1920,7 +1923,11 @@ static const ec_list_element curve_list[] = {
        { NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, "X9.62 curve over a 239 bit prime field" },
        { NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field" },
        { NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field" },
+#ifdef EC_NISTP_64_GCC_128
+       { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" },
+#else
        { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" },
+#endif
 #ifndef OPENSSL_NO_EC2M
        /* characteristic two field curves */
        /* NIST/SECG curves */
index 15d539c..0d19398 100644 (file)
@@ -1,6 +1,6 @@
 /* crypto/ec/ec_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -116,6 +116,12 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_FUNC(EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE),       "ec_GFp_nistp224_group_set_curve"},
 {ERR_FUNC(EC_F_EC_GFP_NISTP224_POINTS_MUL),    "ec_GFp_nistp224_points_mul"},
 {ERR_FUNC(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES),  "ec_GFp_nistp224_point_get_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE),       "ec_GFp_nistp256_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINTS_MUL),    "ec_GFp_nistp256_points_mul"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES),  "ec_GFp_nistp256_point_get_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE),       "ec_GFp_nistp521_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINTS_MUL),    "ec_GFp_nistp521_points_mul"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES),  "ec_GFp_nistp521_point_get_affine_coordinates"},
 {ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_MUL), "ec_GFp_nist_field_mul"},
 {ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR), "ec_GFp_nist_field_sqr"},
 {ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE),   "ec_GFp_nist_group_set_curve"},
@@ -190,6 +196,8 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_FUNC(EC_F_I2D_ECPRIVATEKEY),      "i2d_ECPrivateKey"},
 {ERR_FUNC(EC_F_I2O_ECPUBLICKEY),       "i2o_ECPublicKey"},
 {ERR_FUNC(EC_F_NISTP224_PRE_COMP_NEW), "NISTP224_PRE_COMP_NEW"},
+{ERR_FUNC(EC_F_NISTP256_PRE_COMP_NEW), "NISTP256_PRE_COMP_NEW"},
+{ERR_FUNC(EC_F_NISTP521_PRE_COMP_NEW), "NISTP521_PRE_COMP_NEW"},
 {ERR_FUNC(EC_F_O2I_ECPUBLICKEY),       "o2i_ECPublicKey"},
 {ERR_FUNC(EC_F_OLD_EC_PRIV_DECODE),    "OLD_EC_PRIV_DECODE"},
 {ERR_FUNC(EC_F_PKEY_EC_CTRL),  "PKEY_EC_CTRL"},
index afa1efa..72c0638 100644 (file)
@@ -398,15 +398,49 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
 
-#ifdef EC_NISTP224_64_GCC_128
+#ifdef EC_NISTP_64_GCC_128
+/* method functions in ec2_mult.c */
+int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+       size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
+int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
+
 /* method functions in ecp_nistp224.c */
 int ec_GFp_nistp224_group_init(EC_GROUP *group);
-int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p,
-       const BIGNUM *a, const BIGNUM *n, BN_CTX *);
-int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
-       const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
-int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
-       size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
+int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
+int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx);
 int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group);
+
+/* method functions in ecp_nistp256.c */
+int ec_GFp_nistp256_group_init(EC_GROUP *group);
+int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
+int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
+int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx);
+int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
+int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group);
+
+/* method functions in ecp_nistp521.c */
+int ec_GFp_nistp521_group_init(EC_GROUP *group);
+int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
+int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
+int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
+int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx);
+int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
+int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group);
+
+/* utility functions in ecp_nistputil.c */
+void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
+       size_t felem_size, void *tmp_felems,
+       void (*felem_one)(void *out),
+       int (*felem_is_zero)(const void *in),
+       void (*felem_assign)(void *out, const void *in),
+       void (*felem_square)(void *out, const void *in),
+       void (*felem_mul)(void *out, const void *in1, const void *in2),
+       void (*felem_inv)(void *out, const void *in),
+       void (*felem_contract)(void *out, const void *in));
+void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in);
 #endif
index 90c3589..8b2c6d3 100644 (file)
@@ -2,58 +2,20 @@
 /*
  * Written by Emilia Kasper (Google) for the OpenSSL project.
  */
-/* ====================================================================
- * Copyright (c) 2000-2010 The OpenSSL Project.  All rights reserved.
+/* Copyright 2011 Google Inc.
  *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Licensed under the Apache License, Version 2.0 (the "License");
  *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 
 /*
@@ -62,8 +24,7 @@
  * Inspired by Daniel J. Bernstein's public domain nistp224 implementation
  * and Adam Langley's public domain 64-bit C implementation of curve25519
  */
-#include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_EC_NISTP224_64_GCC_128
+#ifdef EC_NISTP_64_GCC_128
 #include <stdint.h>
 #include <string.h>
 #include <openssl/err.h>
 #endif
 
 typedef uint8_t u8;
+typedef uint64_t u64;
+typedef int64_t s64;
 
 
 /******************************************************************************/
 /*                 INTERNAL REPRESENTATION OF FIELD ELEMENTS
  *
  * Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
- * where each slice a_i is a 64-bit word, i.e., a field element is an fslice
- * array a with 4 elements, where a[i] = a_i.
- * Outputs from multiplications are represented as unreduced polynomials
+ * using 64-bit coefficients called 'limbs',
+ * and sometimes (for multiplication results) as
  * b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 + 2^336*b_6
- * where each b_i is a 128-bit word. We ensure that inputs to each field
+ * using 128-bit coefficients called 'widelimbs'.
+ * A 4-limb representation is an 'felem';
+ * a 7-widelimb representation is a 'widefelem'.
+ * Even within felems, bits of adjacent limbs overlap, and we don't always
+ * reduce the representations: we ensure that inputs to each felem
  * multiplication satisfy a_i < 2^60, so outputs satisfy b_i < 4*2^60*2^60,
  * and fit into a 128-bit word without overflow. The coefficients are then
- * again partially reduced to a_i < 2^57. We only reduce to the unique minimal
- * representation at the end of the computation.
- *
+ * again partially reduced to obtain an felem satisfying a_i < 2^57.
+ * We only reduce to the unique minimal representation at the end of the
+ * computation.
  */
 
-typedef uint64_t fslice;
+typedef uint64_t limb;
+typedef uint128_t widelimb;
+
+typedef limb felem[4];
+typedef widelimb widefelem[7];
 
 /* Field element represented as a byte arrary.
- * 28*8 = 224 bits is also the group order size for the elliptic curve.  */
+ * 28*8 = 224 bits is also the group order size for the elliptic curve,
+ * and we also use this type for scalars for point multiplication.
+  */
 typedef u8 felem_bytearray[28];
 
 static const felem_bytearray nistp224_curve_params[5] = {
@@ -120,72 +92,143 @@ static const felem_bytearray nistp224_curve_params[5] = {
 };
 
 /* Precomputed multiples of the standard generator
- * b_0*G + b_1*2^56*G + b_2*2^112*G + b_3*2^168*G for
- * (b_3, b_2, b_1, b_0) in [0,15], i.e., gmul[0] = point_at_infinity,
- * gmul[1] = G, gmul[2] = 2^56*G, gmul[3] = 2^56*G + G, etc.
- * Points are given in Jacobian projective coordinates: words 0-3 represent the
- * X-coordinate (slice a_0 is word 0, etc.), words 4-7 represent the
- * Y-coordinate and words 8-11 represent the Z-coordinate. */
-static const fslice gmul[16][3][4] = {
-       {{0x00000000000000, 0x00000000000000, 0x00000000000000, 0x00000000000000},
-        {0x00000000000000, 0x00000000000000, 0x00000000000000, 0x00000000000000},
-        {0x00000000000000, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x3280d6115c1d21, 0xc1d356c2112234, 0x7f321390b94a03, 0xb70e0cbd6bb4bf},
-        {0xd5819985007e34, 0x75a05a07476444, 0xfb4c22dfe6cd43, 0xbd376388b5f723},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0xfd9675666ebbe9, 0xbca7664d40ce5e, 0x2242df8d8a2a43, 0x1f49bbb0f99bc5},
-        {0x29e0b892dc9c43, 0xece8608436e662, 0xdc858f185310d0, 0x9812dd4eb8d321},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x6d3e678d5d8eb8, 0x559eed1cb362f1, 0x16e9a3bbce8a3f, 0xeedcccd8c2a748},
-        {0xf19f90ed50266d, 0xabf2b4bf65f9df, 0x313865468fafec, 0x5cb379ba910a17},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x0641966cab26e3, 0x91fb2991fab0a0, 0xefec27a4e13a0b, 0x0499aa8a5f8ebe},
-        {0x7510407766af5d, 0x84d929610d5450, 0x81d77aae82f706, 0x6916f6d4338c5b},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0xea95ac3b1f15c6, 0x086000905e82d4, 0xdd323ae4d1c8b1, 0x932b56be7685a3},
-        {0x9ef93dea25dbbf, 0x41665960f390f0, 0xfdec76dbe2a8a7, 0x523e80f019062a},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x822fdd26732c73, 0xa01c83531b5d0f, 0x363f37347c1ba4, 0xc391b45c84725c},
-        {0xbbd5e1b2d6ad24, 0xddfbcde19dfaec, 0xc393da7e222a7f, 0x1efb7890ede244},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x4c9e90ca217da1, 0xd11beca79159bb, 0xff8d33c2c98b7c, 0x2610b39409f849},
-        {0x44d1352ac64da0, 0xcdbb7b2c46b4fb, 0x966c079b753c89, 0xfe67e4e820b112},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0xe28cae2df5312d, 0xc71b61d16f5c6e, 0x79b7619a3e7c4c, 0x05c73240899b47},
-        {0x9f7f6382c73e3a, 0x18615165c56bda, 0x641fab2116fd56, 0x72855882b08394},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x0469182f161c09, 0x74a98ca8d00fb5, 0xb89da93489a3e0, 0x41c98768fb0c1d},
-        {0xe5ea05fb32da81, 0x3dce9ffbca6855, 0x1cfe2d3fbf59e6, 0x0e5e03408738a7},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0xdab22b2333e87f, 0x4430137a5dd2f6, 0xe03ab9f738beb8, 0xcb0c5d0dc34f24},
-        {0x764a7df0c8fda5, 0x185ba5c3fa2044, 0x9281d688bcbe50, 0xc40331df893881},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0xb89530796f0f60, 0xade92bd26909a3, 0x1a0c83fb4884da, 0x1765bf22a5a984},
-        {0x772a9ee75db09e, 0x23bc6c67cec16f, 0x4c1edba8b14e2f, 0xe2a215d9611369},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x571e509fb5efb3, 0xade88696410552, 0xc8ae85fada74fe, 0x6c7e4be83bbde3},
-        {0xff9f51160f4652, 0xb47ce2495a6539, 0xa2946c53b582f4, 0x286d2db3ee9a60},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x40bbd5081a44af, 0x0995183b13926c, 0xbcefba6f47f6d0, 0x215619e9cc0057},
-        {0x8bc94d3b0df45e, 0xf11c54a3694f6f, 0x8631b93cdfe8b5, 0xe7e3f4b0982db9},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0xb17048ab3e1c7b, 0xac38f36ff8a1d8, 0x1c29819435d2c6, 0xc813132f4c07e9},
-        {0x2891425503b11f, 0x08781030579fea, 0xf5426ba5cc9674, 0x1e28ebf18562bc},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}},
-       {{0x9f31997cc864eb, 0x06cd91d28b5e4c, 0xff17036691a973, 0xf1aef351497c58},
-        {0xdd1f2d600564ff, 0xdead073b1402db, 0x74a684435bd693, 0xeea7471f962558},
-        {0x00000000000001, 0x00000000000000, 0x00000000000000, 0x00000000000000}}
-};
+ * Points are given in coordinates (X, Y, Z) where Z normally is 1
+ * (0 for the point at infinity).
+ * For each field element, slice a_0 is word 0, etc.
+ *
+ * The table has 2 * 16 elements, starting with the following:
+ * index | bits    | point
+ * ------+---------+------------------------------
+ *     0 | 0 0 0 0 | 0G
+ *     1 | 0 0 0 1 | 1G
+ *     2 | 0 0 1 0 | 2^56G
+ *     3 | 0 0 1 1 | (2^56 + 1)G
+ *     4 | 0 1 0 0 | 2^112G
+ *     5 | 0 1 0 1 | (2^112 + 1)G
+ *     6 | 0 1 1 0 | (2^112 + 2^56)G
+ *     7 | 0 1 1 1 | (2^112 + 2^56 + 1)G
+ *     8 | 1 0 0 0 | 2^168G
+ *     9 | 1 0 0 1 | (2^168 + 1)G
+ *    10 | 1 0 1 0 | (2^168 + 2^56)G
+ *    11 | 1 0 1 1 | (2^168 + 2^56 + 1)G
+ *    12 | 1 1 0 0 | (2^168 + 2^112)G
+ *    13 | 1 1 0 1 | (2^168 + 2^112 + 1)G
+ *    14 | 1 1 1 0 | (2^168 + 2^112 + 2^56)G
+ *    15 | 1 1 1 1 | (2^168 + 2^112 + 2^56 + 1)G
+ * followed by a copy of this with each element multiplied by 2^28.
+ *
+ * The reason for this is so that we can clock bits into four different
+ * locations when doing simple scalar multiplies against the base point,
+ * and then another four locations using the second 16 elements.
+ */
+static const felem gmul[2][16][3] =
+{{{{0, 0, 0, 0},
+   {0, 0, 0, 0},
+   {0, 0, 0, 0}},
+  {{0x3280d6115c1d21, 0xc1d356c2112234, 0x7f321390b94a03, 0xb70e0cbd6bb4bf},
+   {0xd5819985007e34, 0x75a05a07476444, 0xfb4c22dfe6cd43, 0xbd376388b5f723},
+   {1, 0, 0, 0}},
+  {{0xfd9675666ebbe9, 0xbca7664d40ce5e, 0x2242df8d8a2a43, 0x1f49bbb0f99bc5},
+   {0x29e0b892dc9c43, 0xece8608436e662, 0xdc858f185310d0, 0x9812dd4eb8d321},
+   {1, 0, 0, 0}},
+  {{0x6d3e678d5d8eb8, 0x559eed1cb362f1, 0x16e9a3bbce8a3f, 0xeedcccd8c2a748},
+   {0xf19f90ed50266d, 0xabf2b4bf65f9df, 0x313865468fafec, 0x5cb379ba910a17},
+   {1, 0, 0, 0}},
+  {{0x0641966cab26e3, 0x91fb2991fab0a0, 0xefec27a4e13a0b, 0x0499aa8a5f8ebe},
+   {0x7510407766af5d, 0x84d929610d5450, 0x81d77aae82f706, 0x6916f6d4338c5b},
+   {1, 0, 0, 0}},
+  {{0xea95ac3b1f15c6, 0x086000905e82d4, 0xdd323ae4d1c8b1, 0x932b56be7685a3},
+   {0x9ef93dea25dbbf, 0x41665960f390f0, 0xfdec76dbe2a8a7, 0x523e80f019062a},
+   {1, 0, 0, 0}},
+  {{0x822fdd26732c73, 0xa01c83531b5d0f, 0x363f37347c1ba4, 0xc391b45c84725c},
+   {0xbbd5e1b2d6ad24, 0xddfbcde19dfaec, 0xc393da7e222a7f, 0x1efb7890ede244},
+   {1, 0, 0, 0}},
+  {{0x4c9e90ca217da1, 0xd11beca79159bb, 0xff8d33c2c98b7c, 0x2610b39409f849},
+   {0x44d1352ac64da0, 0xcdbb7b2c46b4fb, 0x966c079b753c89, 0xfe67e4e820b112},
+   {1, 0, 0, 0}},
+  {{0xe28cae2df5312d, 0xc71b61d16f5c6e, 0x79b7619a3e7c4c, 0x05c73240899b47},
+   {0x9f7f6382c73e3a, 0x18615165c56bda, 0x641fab2116fd56, 0x72855882b08394},
+   {1, 0, 0, 0}},
+  {{0x0469182f161c09, 0x74a98ca8d00fb5, 0xb89da93489a3e0, 0x41c98768fb0c1d},
+   {0xe5ea05fb32da81, 0x3dce9ffbca6855, 0x1cfe2d3fbf59e6, 0x0e5e03408738a7},
+   {1, 0, 0, 0}},
+  {{0xdab22b2333e87f, 0x4430137a5dd2f6, 0xe03ab9f738beb8, 0xcb0c5d0dc34f24},
+   {0x764a7df0c8fda5, 0x185ba5c3fa2044, 0x9281d688bcbe50, 0xc40331df893881},
+   {1, 0, 0, 0}},
+  {{0xb89530796f0f60, 0xade92bd26909a3, 0x1a0c83fb4884da, 0x1765bf22a5a984},
+   {0x772a9ee75db09e, 0x23bc6c67cec16f, 0x4c1edba8b14e2f, 0xe2a215d9611369},
+   {1, 0, 0, 0}},
+  {{0x571e509fb5efb3, 0xade88696410552, 0xc8ae85fada74fe, 0x6c7e4be83bbde3},
+   {0xff9f51160f4652, 0xb47ce2495a6539, 0xa2946c53b582f4, 0x286d2db3ee9a60},
+   {1, 0, 0, 0}},
+  {{0x40bbd5081a44af, 0x0995183b13926c, 0xbcefba6f47f6d0, 0x215619e9cc0057},
+   {0x8bc94d3b0df45e, 0xf11c54a3694f6f, 0x8631b93cdfe8b5, 0xe7e3f4b0982db9},
+   {1, 0, 0, 0}},
+  {{0xb17048ab3e1c7b, 0xac38f36ff8a1d8, 0x1c29819435d2c6, 0xc813132f4c07e9},
+   {0x2891425503b11f, 0x08781030579fea, 0xf5426ba5cc9674, 0x1e28ebf18562bc},
+   {1, 0, 0, 0}},
+  {{0x9f31997cc864eb, 0x06cd91d28b5e4c, 0xff17036691a973, 0xf1aef351497c58},
+   {0xdd1f2d600564ff, 0xdead073b1402db, 0x74a684435bd693, 0xeea7471f962558},
+   {1, 0, 0, 0}}},
+ {{{0, 0, 0, 0},
+   {0, 0, 0, 0},
+   {0, 0, 0, 0}},
+  {{0x9665266dddf554, 0x9613d78b60ef2d, 0xce27a34cdba417, 0xd35ab74d6afc31},
+   {0x85ccdd22deb15e, 0x2137e5783a6aab, 0xa141cffd8c93c6, 0x355a1830e90f2d},
+   {1, 0, 0, 0}},
+  {{0x1a494eadaade65, 0xd6da4da77fe53c, 0xe7992996abec86, 0x65c3553c6090e3},
+   {0xfa610b1fb09346, 0xf1c6540b8a4aaf, 0xc51a13ccd3cbab, 0x02995b1b18c28a},
+   {1, 0, 0, 0}},
+  {{0x7874568e7295ef, 0x86b419fbe38d04, 0xdc0690a7550d9a, 0xd3966a44beac33},
+   {0x2b7280ec29132f, 0xbeaa3b6a032df3, 0xdc7dd88ae41200, 0xd25e2513e3a100},
+   {1, 0, 0, 0}},
+  {{0x924857eb2efafd, 0xac2bce41223190, 0x8edaa1445553fc, 0x825800fd3562d5},
+   {0x8d79148ea96621, 0x23a01c3dd9ed8d, 0xaf8b219f9416b5, 0xd8db0cc277daea},
+   {1, 0, 0, 0}},
+  {{0x76a9c3b1a700f0, 0xe9acd29bc7e691, 0x69212d1a6b0327, 0x6322e97fe154be},
+   {0x469fc5465d62aa, 0x8d41ed18883b05, 0x1f8eae66c52b88, 0xe4fcbe9325be51},
+   {1, 0, 0, 0}},
+  {{0x825fdf583cac16, 0x020b857c7b023a, 0x683c17744b0165, 0x14ffd0a2daf2f1},
+   {0x323b36184218f9, 0x4944ec4e3b47d4, 0xc15b3080841acf, 0x0bced4b01a28bb},
+   {1, 0, 0, 0}},
+  {{0x92ac22230df5c4, 0x52f33b4063eda8, 0xcb3f19870c0c93, 0x40064f2ba65233},
+   {0xfe16f0924f8992, 0x012da25af5b517, 0x1a57bb24f723a6, 0x06f8bc76760def},
+   {1, 0, 0, 0}},
+  {{0x4a7084f7817cb9, 0xbcab0738ee9a78, 0x3ec11e11d9c326, 0xdc0fe90e0f1aae},
+   {0xcf639ea5f98390, 0x5c350aa22ffb74, 0x9afae98a4047b7, 0x956ec2d617fc45},
+   {1, 0, 0, 0}},
+  {{0x4306d648c1be6a, 0x9247cd8bc9a462, 0xf5595e377d2f2e, 0xbd1c3caff1a52e},
+   {0x045e14472409d0, 0x29f3e17078f773, 0x745a602b2d4f7d, 0x191837685cdfbb},
+   {1, 0, 0, 0}},
+  {{0x5b6ee254a8cb79, 0x4953433f5e7026, 0xe21faeb1d1def4, 0xc4c225785c09de},
+   {0x307ce7bba1e518, 0x31b125b1036db8, 0x47e91868839e8f, 0xc765866e33b9f3},
+   {1, 0, 0, 0}},
+  {{0x3bfece24f96906, 0x4794da641e5093, 0xde5df64f95db26, 0x297ecd89714b05},
+   {0x701bd3ebb2c3aa, 0x7073b4f53cb1d5, 0x13c5665658af16, 0x9895089d66fe58},
+   {1, 0, 0, 0}},
+  {{0x0fef05f78c4790, 0x2d773633b05d2e, 0x94229c3a951c94, 0xbbbd70df4911bb},
+   {0xb2c6963d2c1168, 0x105f47a72b0d73, 0x9fdf6111614080, 0x7b7e94b39e67b0},
+   {1, 0, 0, 0}},
+  {{0xad1a7d6efbe2b3, 0xf012482c0da69d, 0x6b3bdf12438345, 0x40d7558d7aa4d9},
+   {0x8a09fffb5c6d3d, 0x9a356e5d9ffd38, 0x5973f15f4f9b1c, 0xdcd5f59f63c3ea},
+   {1, 0, 0, 0}},
+  {{0xacf39f4c5ca7ab, 0x4c8071cc5fd737, 0xc64e3602cd1184, 0x0acd4644c9abba},
+   {0x6c011a36d8bf6e, 0xfecd87ba24e32a, 0x19f6f56574fad8, 0x050b204ced9405},
+   {1, 0, 0, 0}},
+  {{0xed4f1cae7d9a96, 0x5ceef7ad94c40a, 0x778e4a3bf3ef9b, 0x7405783dc3b55e},
+   {0x32477c61b6e8c6, 0xb46a97570f018b, 0x91176d0a7e95d1, 0x3df90fbc4c7d0e},
+   {1, 0, 0, 0}}}};
 
 /* Precomputation for the group generator. */
 typedef struct {
-       fslice g_pre_comp[16][3][4];
+       felem g_pre_comp[2][16][3];
        int references;
 } NISTP224_PRE_COMP;
 
 const EC_METHOD *EC_GFp_nistp224_method(void)
        {
        static const EC_METHOD ret = {
+               EC_FLAGS_DEFAULT_OCT,
                NID_X9_62_prime_field,
                ec_GFp_nistp224_group_init,
                ec_GFp_simple_group_finish,
@@ -204,9 +247,9 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
                ec_GFp_simple_get_Jprojective_coordinates_GFp,
                ec_GFp_simple_point_set_affine_coordinates,
                ec_GFp_nistp224_point_get_affine_coordinates,
-               ec_GFp_simple_set_compressed_coordinates,
-               ec_GFp_simple_point2oct,
-               ec_GFp_simple_oct2point,
+                0 /* point_set_compressed_coordinates */,
+                0 /* point2oct */,
+                0 /* oct2point */,
                ec_GFp_simple_add,
                ec_GFp_simple_dbl,
                ec_GFp_simple_invert,
@@ -229,7 +272,7 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
        }
 
 /* Helper functions to convert field elements to/from internal representation */
-static void bin28_to_felem(fslice out[4], const u8 in[28])
+static void bin28_to_felem(felem out, const u8 in[28])
        {
        out[0] = *((const uint64_t *)(in)) & 0x00ffffffffffffff;
        out[1] = (*((const uint64_t *)(in+7))) & 0x00ffffffffffffff;
@@ -237,7 +280,7 @@ static void bin28_to_felem(fslice out[4], const u8 in[28])
        out[3] = (*((const uint64_t *)(in+21))) & 0x00ffffffffffffff;
        }
 
-static void felem_to_bin28(u8 out[28], const fslice in[4])
+static void felem_to_bin28(u8 out[28], const felem in)
        {
        unsigned i;
        for (i = 0; i < 7; ++i)
@@ -258,9 +301,9 @@ static void flip_endian(u8 *out, const u8 *in, unsigned len)
        }
 
 /* From OpenSSL BIGNUM to internal representation */
-static int BN_to_felem(fslice out[4], const BIGNUM *bn)
+static int BN_to_felem(felem out, const BIGNUM *bn)
        {
-        felem_bytearray b_in;
+       felem_bytearray b_in;
        felem_bytearray b_out;
        unsigned num_bytes;
 
@@ -284,7 +327,7 @@ static int BN_to_felem(fslice out[4], const BIGNUM *bn)
        }
 
 /* From internal representation to OpenSSL BIGNUM */
-static BIGNUM *felem_to_BN(BIGNUM *out, const fslice in[4])
+static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
        {
        felem_bytearray b_in, b_out;
        felem_to_bin28(b_in, in);
@@ -302,8 +345,24 @@ static BIGNUM *felem_to_BN(BIGNUM *out, const fslice in[4])
  *
  */
 
+static void felem_one(felem out)
+       {
+       out[0] = 1;
+       out[1] = 0;
+       out[2] = 0;
+       out[3] = 0;
+       }
+
+static void felem_assign(felem out, const felem in)
+       {
+       out[0] = in[0];
+       out[1] = in[1];
+       out[2] = in[2];
+       out[3] = in[3];
+       }
+
 /* Sum two field elements: out += in */
-static void felem_sum64(fslice out[4], const fslice in[4])
+static void felem_sum(felem out, const felem in)
        {
        out[0] += in[0];
        out[1] += in[1];
@@ -311,14 +370,30 @@ static void felem_sum64(fslice out[4], const fslice in[4])
        out[3] += in[3];
        }
 
+/* Get negative value: out = -in */
+/* Assumes in[i] < 2^57 */
+static void felem_neg(felem out, const felem in)
+       {
+       static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2);
+       static const limb two58m2 = (((limb) 1) << 58) - (((limb) 1) << 2);
+       static const limb two58m42m2 = (((limb) 1) << 58) -
+           (((limb) 1) << 42) - (((limb) 1) << 2);
+
+       /* Set to 0 mod 2^224-2^96+1 to ensure out > in */
+       out[0] = two58p2 - in[0];
+       out[1] = two58m42m2 - in[1];
+       out[2] = two58m2 - in[2];
+       out[3] = two58m2 - in[3];
+       }
+
 /* Subtract field elements: out -= in */
 /* Assumes in[i] < 2^57 */
-static void felem_diff64(fslice out[4], const fslice in[4])
+static void felem_diff(felem out, const felem in)
        {
-       static const uint64_t two58p2 = (((uint64_t) 1) << 58) + (((uint64_t) 1) << 2);
-       static const uint64_t two58m2 = (((uint64_t) 1) << 58) - (((uint64_t) 1) << 2);
-       static const uint64_t two58m42m2 = (((uint64_t) 1) << 58) -
-           (((uint64_t) 1) << 42) - (((uint64_t) 1) << 2);
+       static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2);
+       static const limb two58m2 = (((limb) 1) << 58) - (((limb) 1) << 2);
+       static const limb two58m42m2 = (((limb) 1) << 58) -
+           (((limb) 1) << 42) - (((limb) 1) << 2);
 
        /* Add 0 mod 2^224-2^96+1 to ensure out > in */
        out[0] += two58p2;
@@ -332,15 +407,15 @@ static void felem_diff64(fslice out[4], const fslice in[4])
        out[3] -= in[3];
        }
 
-/* Subtract in unreduced 128-bit mode: out128 -= in128 */
+/* Subtract in unreduced 128-bit mode: out -= in */
 /* Assumes in[i] < 2^119 */
-static void felem_diff128(uint128_t out[7], const uint128_t in[4])
+static void widefelem_diff(widefelem out, const widefelem in)
        {
-       static const uint128_t two120 = ((uint128_t) 1) << 120;
-       static const uint128_t two120m64 = (((uint128_t) 1) << 120) -
-               (((uint128_t) 1) << 64);
-       static const uint128_t two120m104m64 = (((uint128_t) 1) << 120) -
-               (((uint128_t) 1) << 104) - (((uint128_t) 1) << 64);
+       static const widelimb two120 = ((widelimb) 1) << 120;
+       static const widelimb two120m64 = (((widelimb) 1) << 120) -
+               (((widelimb) 1) << 64);
+       static const widelimb two120m104m64 = (((widelimb) 1) << 120) -
+               (((widelimb) 1) << 104) - (((widelimb) 1) << 64);
 
        /* Add 0 mod 2^224-2^96+1 to ensure out > in */
        out[0] += two120;
@@ -362,14 +437,14 @@ static void felem_diff128(uint128_t out[7], const uint128_t in[4])
 
 /* Subtract in mixed mode: out128 -= in64 */
 /* in[i] < 2^63 */
-static void felem_diff_128_64(uint128_t out[7], const fslice in[4])
+static void felem_diff_128_64(widefelem out, const felem in)
        {
-       static const uint128_t two64p8 = (((uint128_t) 1) << 64) +
-               (((uint128_t) 1) << 8);
-       static const uint128_t two64m8 = (((uint128_t) 1) << 64) -
-               (((uint128_t) 1) << 8);
-       static const uint128_t two64m48m8 = (((uint128_t) 1) << 64) -
-               (((uint128_t) 1) << 48) - (((uint128_t) 1) << 8);
+       static const widelimb two64p8 = (((widelimb) 1) << 64) +
+               (((widelimb) 1) << 8);
+       static const widelimb two64m8 = (((widelimb) 1) << 64) -
+               (((widelimb) 1) << 8);
+       static const widelimb two64m48m8 = (((widelimb) 1) << 64) -
+               (((widelimb) 1) << 48) - (((widelimb) 1) << 8);
 
        /* Add 0 mod 2^224-2^96+1 to ensure out > in */
        out[0] += two64p8;
@@ -383,9 +458,9 @@ static void felem_diff_128_64(uint128_t out[7], const fslice in[4])
        out[3] -= in[3];
        }
 
-/* Multiply a field element by a scalar: out64 = out64 * scalar
+/* Multiply a field element by a scalar: out = out * scalar
  * The scalars we actually use are small, so results fit without overflow */
-static void felem_scalar64(fslice out[4], const fslice scalar)
+static void felem_scalar(felem out, const limb scalar)
        {
        out[0] *= scalar;
        out[1] *= scalar;
@@ -393,9 +468,9 @@ static void felem_scalar64(fslice out[4], const fslice scalar)
        out[3] *= scalar;
        }
 
-/* Multiply an unreduced field element by a scalar: out128 = out128 * scalar
+/* Multiply an unreduced field element by a scalar: out = out * scalar
  * The scalars we actually use are small, so results fit without overflow */
-static void felem_scalar128(uint128_t out[7], const uint128_t scalar)
+static void widefelem_scalar(widefelem out, const widelimb scalar)
        {
        out[0] *= scalar;
        out[1] *= scalar;
@@ -407,44 +482,47 @@ static void felem_scalar128(uint128_t out[7], const uint128_t scalar)
        }
 
 /* Square a field element: out = in^2 */
-static void felem_square(uint128_t out[7], const fslice in[4])
+static void felem_square(widefelem out, const felem in)
        {
-       out[0] = ((uint128_t) in[0]) * in[0];
-       out[1] = ((uint128_t) in[0]) * in[1] * 2;
-       out[2] = ((uint128_t) in[0]) * in[2] * 2 + ((uint128_t) in[1]) * in[1];
-       out[3] = ((uint128_t) in[0]) * in[3] * 2 +
-               ((uint128_t) in[1]) * in[2] * 2;
-       out[4] = ((uint128_t) in[1]) * in[3] * 2 + ((uint128_t) in[2]) * in[2];
-       out[5] = ((uint128_t) in[2]) * in[3] * 2;
-       out[6] = ((uint128_t) in[3]) * in[3];
+       limb tmp0, tmp1, tmp2;
+       tmp0 = 2 * in[0]; tmp1 = 2 * in[1]; tmp2 = 2 * in[2];
+       out[0] = ((widelimb) in[0]) * in[0];
+       out[1] = ((widelimb) in[0]) * tmp1;
+       out[2] = ((widelimb) in[0]) * tmp2 + ((widelimb) in[1]) * in[1];
+       out[3] = ((widelimb) in[3]) * tmp0 +
+               ((widelimb) in[1]) * tmp2;
+       out[4] = ((widelimb) in[3]) * tmp1 + ((widelimb) in[2]) * in[2];
+       out[5] = ((widelimb) in[3]) * tmp2;
+       out[6] = ((widelimb) in[3]) * in[3];
        }
 
 /* Multiply two field elements: out = in1 * in2 */
-static void felem_mul(uint128_t out[7], const fslice in1[4], const fslice in2[4])
+static void felem_mul(widefelem out, const felem in1, const felem in2)
        {
-       out[0] = ((uint128_t) in1[0]) * in2[0];
-       out[1] = ((uint128_t) in1[0]) * in2[1] + ((uint128_t) in1[1]) * in2[0];
-       out[2] = ((uint128_t) in1[0]) * in2[2] + ((uint128_t) in1[1]) * in2[1] +
-               ((uint128_t) in1[2]) * in2[0];
-       out[3] = ((uint128_t) in1[0]) * in2[3] + ((uint128_t) in1[1]) * in2[2] +
-               ((uint128_t) in1[2]) * in2[1] + ((uint128_t) in1[3]) * in2[0];
-       out[4] = ((uint128_t) in1[1]) * in2[3] + ((uint128_t) in1[2]) * in2[2] +
-               ((uint128_t) in1[3]) * in2[1];
-       out[5] = ((uint128_t) in1[2]) * in2[3] + ((uint128_t) in1[3]) * in2[2];
-       out[6] = ((uint128_t) in1[3]) * in2[3];
+       out[0] = ((widelimb) in1[0]) * in2[0];
+       out[1] = ((widelimb) in1[0]) * in2[1] + ((widelimb) in1[1]) * in2[0];
+       out[2] = ((widelimb) in1[0]) * in2[2] + ((widelimb) in1[1]) * in2[1] +
+               ((widelimb) in1[2]) * in2[0];
+       out[3] = ((widelimb) in1[0]) * in2[3] + ((widelimb) in1[1]) * in2[2] +
+               ((widelimb) in1[2]) * in2[1] + ((widelimb) in1[3]) * in2[0];
+       out[4] = ((widelimb) in1[1]) * in2[3] + ((widelimb) in1[2]) * in2[2] +
+               ((widelimb) in1[3]) * in2[1];
+       out[5] = ((widelimb) in1[2]) * in2[3] + ((widelimb) in1[3]) * in2[2];
+       out[6] = ((widelimb) in1[3]) * in2[3];
        }
 
-/* Reduce 128-bit coefficients to 64-bit coefficients. Requires in[i] < 2^126,
- * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] < 2^57 */
-static void felem_reduce(fslice out[4], const uint128_t in[7])
+/* Reduce seven 128-bit coefficients to four 64-bit coefficients.
+ * Requires in[i] < 2^126,
+ * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */
+static void felem_reduce(felem out, const widefelem in)
        {
-       static const uint128_t two127p15 = (((uint128_t) 1) << 127) +
-               (((uint128_t) 1) << 15);
-       static const uint128_t two127m71 = (((uint128_t) 1) << 127) -
-               (((uint128_t) 1) << 71);
-       static const uint128_t two127m71m55 = (((uint128_t) 1) << 127) -
-               (((uint128_t) 1) << 71) - (((uint128_t) 1) << 55);
-       uint128_t output[5];
+       static const widelimb two127p15 = (((widelimb) 1) << 127) +
+               (((widelimb) 1) << 15);
+       static const widelimb two127m71 = (((widelimb) 1) << 127) -
+               (((widelimb) 1) << 71);
+       static const widelimb two127m71m55 = (((widelimb) 1) << 127) -
+               (((widelimb) 1) << 71) - (((widelimb) 1) << 55);
+       widelimb output[5];
 
        /* Add 0 mod 2^224-2^96+1 to ensure all differences are positive */
        output[0] = in[0] + two127p15;
@@ -455,30 +533,30 @@ static void felem_reduce(fslice out[4], const uint128_t in[7])
 
        /* Eliminate in[4], in[5], in[6] */
        output[4] += in[6] >> 16;
-       output[3] += (in[6]&0xffff) << 40;
+       output[3] += (in[6] & 0xffff) << 40;
        output[2] -= in[6];
 
        output[3] += in[5] >> 16;
-       output[2] += (in[5]&0xffff) << 40;
+       output[2] += (in[5] & 0xffff) << 40;
        output[1] -= in[5];
 
        output[2] += output[4] >> 16;
-       output[1] += (output[4]&0xffff) << 40;
+       output[1] += (output[4] & 0xffff) << 40;
        output[0] -= output[4];
-       output[4] = 0;
 
        /* Carry 2 -> 3 -> 4 */
        output[3] += output[2] >> 56;
        output[2] &= 0x00ffffffffffffff;
 
-       output[4] += output[3] >> 56;
+       output[4] = output[3] >> 56;
        output[3] &= 0x00ffffffffffffff;
 
-       /* Now output[2] < 2^56, output[3] < 2^56 */
+       /* Now output[2] < 2^56, output[3] < 2^56, output[4] < 2^72 */
 
        /* Eliminate output[4] */
        output[2] += output[4] >> 16;
-       output[1] += (output[4]&0xffff) << 40;
+       /* output[2] < 2^56 + 2^56 = 2^57 */
+       output[1] += (output[4] & 0xffff) << 40;
        output[0] -= output[4];
 
        /* Carry 0 -> 1 -> 2 -> 3 */
@@ -486,76 +564,68 @@ static void felem_reduce(fslice out[4], const uint128_t in[7])
        out[0] = output[0] & 0x00ffffffffffffff;
 
        output[2] += output[1] >> 56;
+       /* output[2] < 2^57 + 2^72 */
        out[1] = output[1] & 0x00ffffffffffffff;
        output[3] += output[2] >> 56;
+       /* output[3] <= 2^56 + 2^16 */
        out[2] = output[2] & 0x00ffffffffffffff;
 
        /* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
-        * out[3] < 2^57 (due to final carry) */
+        * out[3] <= 2^56 + 2^16 (due to final carry),
+        * so out < 2*p */
        out[3] = output[3];
        }
 
-/* Reduce to unique minimal representation */
-static void felem_contract(fslice out[4], const fslice in[4])
+static void felem_square_reduce(felem out, const felem in)
        {
-       static const int64_t two56 = ((uint64_t) 1) << 56;
-       /* 0 <= in < 2^225 */
-       /* if in > 2^224 , reduce in = in - 2^224 + 2^96 - 1 */
-       int64_t tmp[4], a;
-       tmp[0] = (int64_t) in[0] - (in[3] >> 56);
-       tmp[1] = (int64_t) in[1] + ((in[3] >> 16) & 0x0000010000000000);
-       tmp[2] = (int64_t) in[2];
-       tmp[3] = (int64_t) in[3] & 0x00ffffffffffffff;
-
-       /* eliminate negative coefficients */
-       a = tmp[0] >> 63;
-       tmp[0] += two56 & a;
-       tmp[1] -= 1 & a;
-
-       a = tmp[1] >> 63;
-       tmp[1] += two56 & a;
-       tmp[2] -= 1 & a;
-
-       a = tmp[2] >> 63;
-       tmp[2] += two56 & a;
-       tmp[3] -= 1 & a;
-
-       a = tmp[3] >> 63;
-       tmp[3] += two56 & a;
-       tmp[0] += 1 & a;
-       tmp[1] -= (1 & a) << 40;
-
-       /* carry 1 -> 2 -> 3 */
-       tmp[2] += tmp[1] >> 56;
-       tmp[1] &= 0x00ffffffffffffff;
+       widefelem tmp;
+       felem_square(tmp, in);
+       felem_reduce(out, tmp);
+       }
 
-       tmp[3] += tmp[2] >> 56;
-       tmp[2] &= 0x00ffffffffffffff;
+static void felem_mul_reduce(felem out, const felem in1, const felem in2)
+       {
+       widefelem tmp;
+       felem_mul(tmp, in1, in2);
+       felem_reduce(out, tmp);
+       }
 
-       /* 0 <= in < 2^224 + 2^96 - 1 */
-       /* if in > 2^224 , reduce in = in - 2^224 + 2^96 - 1 */
-       tmp[0] -= (tmp[3] >> 56);
-       tmp[1] += ((tmp[3] >> 16) & 0x0000010000000000);
+/* Reduce to unique minimal representation.
+ * Requires 0 <= in < 2*p (always call felem_reduce first) */
+static void felem_contract(felem out, const felem in)
+       {
+       static const int64_t two56 = ((limb) 1) << 56;
+       /* 0 <= in < 2*p, p = 2^224 - 2^96 + 1 */
+       /* if in > p , reduce in = in - 2^224 + 2^96 - 1 */
+       int64_t tmp[4], a;
+       tmp[0] = in[0];
+       tmp[1] = in[1];
+       tmp[2] = in[2];
+       tmp[3] = in[3];
+       /* Case 1: a = 1 iff in >= 2^224 */
+       a = (in[3] >> 56);
+       tmp[0] -= a;
+       tmp[1] += a << 40;
        tmp[3] &= 0x00ffffffffffffff;
+       /* Case 2: a = 0 iff p <= in < 2^224, i.e.,
+        * the high 128 bits are all 1 and the lower part is non-zero */
+       a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |
+               (((int64_t)(in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);
+       a &= 0x00ffffffffffffff;
+       /* turn a into an all-one mask (if a = 0) or an all-zero mask */
+       a = (a - 1) >> 63;
+       /* subtract 2^224 - 2^96 + 1 if a is all-one*/
+       tmp[3] &= a ^ 0xffffffffffffffff;
+       tmp[2] &= a ^ 0xffffffffffffffff;
+       tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;
+       tmp[0] -= 1 & a;
 
-       /* eliminate negative coefficients */
+       /* eliminate negative coefficients: if tmp[0] is negative, tmp[1] must
+        * be non-zero, so we only need one step */
        a = tmp[0] >> 63;
        tmp[0] += two56 & a;
        tmp[1] -= 1 & a;
 
-       a = tmp[1] >> 63;
-       tmp[1] += two56 & a;
-       tmp[2] -= 1 & a;
-
-       a = tmp[2] >> 63;
-       tmp[2] += two56 & a;
-       tmp[3] -= 1 & a;
-
-       a = tmp[3] >> 63;
-       tmp[3] += two56 & a;
-       tmp[0] += 1 & a;
-       tmp[1] -= (1 & a) << 40;
-
        /* carry 1 -> 2 -> 3 */
        tmp[2] += tmp[1] >> 56;
        tmp[1] &= 0x00ffffffffffffff;
@@ -563,27 +633,7 @@ static void felem_contract(fslice out[4], const fslice in[4])
        tmp[3] += tmp[2] >> 56;
        tmp[2] &= 0x00ffffffffffffff;
 
-       /* Now 0 <= in < 2^224 */
-
-       /* if in > 2^224 - 2^96, reduce */
-       /* a = 0 iff in > 2^224 - 2^96, i.e.,
-        * the high 128 bits are all 1 and the lower part is non-zero */
-       a = (tmp[3] + 1) | (tmp[2] + 1) |
-               ((tmp[1] | 0x000000ffffffffff) + 1) |
-               ((((tmp[1] & 0xffff) - 1) >> 63) & ((tmp[0] - 1) >> 63));
-       /* turn a into an all-one mask (if a = 0) or an all-zero mask */
-       a = ((a & 0x00ffffffffffffff) - 1) >> 63;
-       /* subtract 2^224 - 2^96 + 1 if a is all-one*/
-       tmp[3] &= a ^ 0xffffffffffffffff;
-       tmp[2] &= a ^ 0xffffffffffffffff;
-       tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;
-       tmp[0] -= 1 & a;
-       /* eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be
-        * non-zero, so we only need one step */
-       a = tmp[0] >> 63;
-       tmp[0] += two56 & a;
-       tmp[1] -= 1 & a;
-
+       /* Now 0 <= out < p */
        out[0] = tmp[0];
        out[1] = tmp[1];
        out[2] = tmp[2];
@@ -594,9 +644,9 @@ static void felem_contract(fslice out[4], const fslice in[4])
  * We know that field elements are reduced to in < 2^225,
  * so we only need to check three cases: 0, 2^224 - 2^96 + 1,
  * and 2^225 - 2^97 + 2 */
-static fslice felem_is_zero(const fslice in[4])
+static limb felem_is_zero(const felem in)
        {
-       fslice zero, two224m96p1, two225m97p2;
+       limb zero, two224m96p1, two225m97p2;
 
        zero = in[0] | in[1] | in[2] | in[3];
        zero = (((int64_t)(zero) - 1) >> 63) & 1;
@@ -609,12 +659,17 @@ static fslice felem_is_zero(const fslice in[4])
        return (zero | two224m96p1 | two225m97p2);
        }
 
+static limb felem_is_zero_int(const felem in)
+       {
+       return (int) (felem_is_zero(in) & ((limb)1));
+       }
+
 /* Invert a field element */
 /* Computation chain copied from djb's code */
-static void felem_inv(fslice out[4], const fslice in[4])
+static void felem_inv(felem out, const felem in)
        {
-       fslice ftmp[4], ftmp2[4], ftmp3[4], ftmp4[4];
-       uint128_t tmp[7];
+       felem ftmp, ftmp2, ftmp3, ftmp4;
+       widefelem tmp;
        unsigned i;
 
        felem_square(tmp, in); felem_reduce(ftmp, tmp);         /* 2 */
@@ -673,34 +728,18 @@ static void felem_inv(fslice out[4], const fslice in[4])
  * if icopy == 1, copy in to out,
  * if icopy == 0, copy out to itself. */
 static void
-copy_conditional(fslice *out, const fslice *in, unsigned len, fslice icopy)
+copy_conditional(felem out, const felem in, limb icopy)
        {
        unsigned i;
        /* icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one */
-       const fslice copy = -icopy;
-       for (i = 0; i < len; ++i)
+       const limb copy = -icopy;
+       for (i = 0; i < 4; ++i)
                {
-               const fslice tmp = copy & (in[i] ^ out[i]);
+               const limb tmp = copy & (in[i] ^ out[i]);
                out[i] ^= tmp;
                }
        }
 
-/* Copy in constant time:
- * if isel == 1, copy in2 to out,
- * if isel == 0, copy in1 to out. */
-static void select_conditional(fslice *out, const fslice *in1, const fslice *in2,
-       unsigned len, fslice isel)
-       {
-       unsigned i;
-       /* isel is a (64-bit) 0 or 1, so sel is either all-zero or all-one */
-       const fslice sel = -isel;
-       for (i = 0; i < len; ++i)
-               {
-               const fslice tmp = sel & (in1[i] ^ in2[i]);
-               out[i] = in1[i] ^ tmp;
-               }
-}
-
 /******************************************************************************/
 /*                      ELLIPTIC CURVE POINT OPERATIONS
  *
@@ -718,17 +757,14 @@ static void select_conditional(fslice *out, const fslice *in1, const fslice *in2
  * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
  * while x_out == y_in is not (maybe this works, but it's not tested). */
 static void
-point_double(fslice x_out[4], fslice y_out[4], fslice z_out[4],
-            const fslice x_in[4], const fslice y_in[4], const fslice z_in[4])
+point_double(felem x_out, felem y_out, felem z_out,
+             const felem x_in, const felem y_in, const felem z_in)
        {
-       uint128_t tmp[7], tmp2[7];
-       fslice delta[4];
-       fslice gamma[4];
-       fslice beta[4];
-       fslice alpha[4];
-       fslice ftmp[4], ftmp2[4];
-       memcpy(ftmp, x_in, 4 * sizeof(fslice));
-       memcpy(ftmp2, x_in, 4 * sizeof(fslice));
+       widefelem tmp, tmp2;
+       felem delta, gamma, beta, alpha, ftmp, ftmp2;
+
+       felem_assign(ftmp, x_in);
+       felem_assign(ftmp2, x_in);
 
        /* delta = z^2 */
        felem_square(tmp, z_in);
@@ -743,11 +779,11 @@ point_double(fslice x_out[4], fslice y_out[4], fslice z_out[4],
        felem_reduce(beta, tmp);
 
        /* alpha = 3*(x-delta)*(x+delta) */
-       felem_diff64(ftmp, delta);
+       felem_diff(ftmp, delta);
        /* ftmp[i] < 2^57 + 2^58 + 2 < 2^59 */
-       felem_sum64(ftmp2, delta);
+       felem_sum(ftmp2, delta);
        /* ftmp2[i] < 2^57 + 2^57 = 2^58 */
-       felem_scalar64(ftmp2, 3);
+       felem_scalar(ftmp2, 3);
        /* ftmp2[i] < 3 * 2^58 < 2^60 */
        felem_mul(tmp, ftmp, ftmp2);
        /* tmp[i] < 2^60 * 2^59 * 4 = 2^121 */
@@ -756,18 +792,18 @@ point_double(fslice x_out[4], fslice y_out[4], fslice z_out[4],
        /* x' = alpha^2 - 8*beta */
        felem_square(tmp, alpha);
        /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
-       memcpy(ftmp, beta, 4 * sizeof(fslice));
-       felem_scalar64(ftmp, 8);
+       felem_assign(ftmp, beta);
+       felem_scalar(ftmp, 8);
        /* ftmp[i] < 8 * 2^57 = 2^60 */
        felem_diff_128_64(tmp, ftmp);
        /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
        felem_reduce(x_out, tmp);
 
        /* z' = (y + z)^2 - gamma - delta */
-       felem_sum64(delta, gamma);
+       felem_sum(delta, gamma);
        /* delta[i] < 2^57 + 2^57 = 2^58 */
-       memcpy(ftmp, y_in, 4 * sizeof(fslice));
-       felem_sum64(ftmp, z_in);
+       felem_assign(ftmp, y_in);
+       felem_sum(ftmp, z_in);
        /* ftmp[i] < 2^57 + 2^57 = 2^58 */
        felem_square(tmp, ftmp);
        /* tmp[i] < 4 * 2^58 * 2^58 = 2^118 */
@@ -776,17 +812,17 @@ point_double(fslice x_out[4], fslice y_out[4], fslice z_out[4],
        felem_reduce(z_out, tmp);
 
        /* y' = alpha*(4*beta - x') - 8*gamma^2 */
-       felem_scalar64(beta, 4);
+       felem_scalar(beta, 4);
        /* beta[i] < 4 * 2^57 = 2^59 */
-       felem_diff64(beta, x_out);
+       felem_diff(beta, x_out);
        /* beta[i] < 2^59 + 2^58 + 2 < 2^60 */
        felem_mul(tmp, alpha, beta);
        /* tmp[i] < 4 * 2^57 * 2^60 = 2^119 */
        felem_square(tmp2, gamma);
        /* tmp2[i] < 4 * 2^57 * 2^57 = 2^116 */
-       felem_scalar128(tmp2, 8);
+       widefelem_scalar(tmp2, 8);
        /* tmp2[i] < 8 * 2^116 = 2^119 */
-       felem_diff128(tmp, tmp2);
+       widefelem_diff(tmp, tmp2);
        /* tmp[i] < 2^119 + 2^120 < 2^121 */
        felem_reduce(y_out, tmp);
        }
@@ -797,60 +833,76 @@ point_double(fslice x_out[4], fslice y_out[4], fslice z_out[4],
  * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
  * Y_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1) * (Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2 - X_3) -
  *        Z_2^3 * Y_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^3
- * Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2) */
+ * Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2)
+ *
+ * This runs faster if 'mixed' is set, which requires Z_2 = 1 or Z_2 = 0.
+ */
 
 /* This function is not entirely constant-time:
  * it includes a branch for checking whether the two input points are equal,
  * (while not equal to the point at infinity).
  * This case never happens during single point multiplication,
  * so there is no timing leak for ECDH or ECDSA signing. */
-static void point_add(fslice x3[4], fslice y3[4], fslice z3[4],
-       const fslice x1[4], const fslice y1[4], const fslice z1[4],
-       const fslice x2[4], const fslice y2[4], const fslice z2[4])
+static void point_add(felem x3, felem y3, felem z3,
+       const felem x1, const felem y1, const felem z1,
+       const int mixed, const felem x2, const felem y2, const felem z2)
        {
-       fslice ftmp[4], ftmp2[4], ftmp3[4], ftmp4[4], ftmp5[4];
-       uint128_t tmp[7], tmp2[7];
-       fslice z1_is_zero, z2_is_zero, x_equal, y_equal;
+       felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out;
+       widefelem tmp, tmp2;
+       limb z1_is_zero, z2_is_zero, x_equal, y_equal;
+
+       if (!mixed)
+               {
+               /* ftmp2 = z2^2 */
+               felem_square(tmp, z2);
+               felem_reduce(ftmp2, tmp);
+
+               /* ftmp4 = z2^3 */
+               felem_mul(tmp, ftmp2, z2);
+               felem_reduce(ftmp4, tmp);
+
+               /* ftmp4 = z2^3*y1 */
+               felem_mul(tmp2, ftmp4, y1);
+               felem_reduce(ftmp4, tmp2);
+
+               /* ftmp2 = z2^2*x1 */
+               felem_mul(tmp2, ftmp2, x1);
+               felem_reduce(ftmp2, tmp2);
+               }
+       else
+               {
+               /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
+
+               /* ftmp4 = z2^3*y1 */
+               felem_assign(ftmp4, y1);
+
+               /* ftmp2 = z2^2*x1 */
+               felem_assign(ftmp2, x1);
+               }
 
        /* ftmp = z1^2 */
        felem_square(tmp, z1);
        felem_reduce(ftmp, tmp);
 
-       /* ftmp2 = z2^2 */
-       felem_square(tmp, z2);
-       felem_reduce(ftmp2, tmp);
-
        /* ftmp3 = z1^3 */
        felem_mul(tmp, ftmp, z1);
        felem_reduce(ftmp3, tmp);
 
-       /* ftmp4 = z2^3 */
-       felem_mul(tmp, ftmp2, z2);
-       felem_reduce(ftmp4, tmp);
-
-       /* ftmp3 = z1^3*y2 */
+       /* tmp = z1^3*y2 */
        felem_mul(tmp, ftmp3, y2);
        /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
 
-       /* ftmp4 = z2^3*y1 */
-       felem_mul(tmp2, ftmp4, y1);
-       felem_reduce(ftmp4, tmp2);
-
        /* ftmp3 = z1^3*y2 - z2^3*y1 */
        felem_diff_128_64(tmp, ftmp4);
        /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
        felem_reduce(ftmp3, tmp);
 
-       /* ftmp = z1^2*x2 */
+       /* tmp = z1^2*x2 */
        felem_mul(tmp, ftmp, x2);
        /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
 
-       /* ftmp2 =z2^2*x1 */
-       felem_mul(tmp2, ftmp2, x1);
-       felem_reduce(ftmp2, tmp2);
-
        /* ftmp = z1^2*x2 - z2^2*x1 */
-       felem_diff128(tmp, tmp2);
+       felem_diff_128_64(tmp, ftmp2);
        /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
        felem_reduce(ftmp, tmp);
 
@@ -868,15 +920,23 @@ static void point_add(fslice x3[4], fslice y3[4], fslice z3[4],
                }
 
        /* ftmp5 = z1*z2 */
-       felem_mul(tmp, z1, z2);
-       felem_reduce(ftmp5, tmp);
+       if (!mixed)
+               {
+               felem_mul(tmp, z1, z2);
+               felem_reduce(ftmp5, tmp);
+               }
+       else
+               {
+               /* special case z2 = 0 is handled later */
+               felem_assign(ftmp5, z1);
+               }
 
-       /* z3 = (z1^2*x2 - z2^2*x1)*(z1*z2) */
+       /* z_out = (z1^2*x2 - z2^2*x1)*(z1*z2) */
        felem_mul(tmp, ftmp, ftmp5);
-       felem_reduce(z3, tmp);
+       felem_reduce(z_out, tmp);
 
        /* ftmp = (z1^2*x2 - z2^2*x1)^2 */
-       memcpy(ftmp5, ftmp, 4 * sizeof(fslice));
+       felem_assign(ftmp5, ftmp);
        felem_square(tmp, ftmp);
        felem_reduce(ftmp, tmp);
 
@@ -888,7 +948,7 @@ static void point_add(fslice x3[4], fslice y3[4], fslice z3[4],
        felem_mul(tmp, ftmp2, ftmp);
        felem_reduce(ftmp2, tmp);
 
-       /* ftmp4 = z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
+       /* tmp = z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
        felem_mul(tmp, ftmp4, ftmp5);
        /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
 
@@ -901,131 +961,176 @@ static void point_add(fslice x3[4], fslice y3[4], fslice z3[4],
        /* tmp2[i] < 2^116 + 2^64 + 8 < 2^117 */
 
        /* ftmp5 = 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
-       memcpy(ftmp5, ftmp2, 4 * sizeof(fslice));
-       felem_scalar64(ftmp5, 2);
+       felem_assign(ftmp5, ftmp2);
+       felem_scalar(ftmp5, 2);
        /* ftmp5[i] < 2 * 2^57 = 2^58 */
 
-       /* x3 = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
+       /* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
           2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
        felem_diff_128_64(tmp2, ftmp5);
        /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
-       felem_reduce(x3, tmp2);
+       felem_reduce(x_out, tmp2);
 
-       /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x3 */
-       felem_diff64(ftmp2, x3);
+       /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out */
+       felem_diff(ftmp2, x_out);
        /* ftmp2[i] < 2^57 + 2^58 + 2 < 2^59 */
 
-       /* tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x3) */
+       /* tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) */
        felem_mul(tmp2, ftmp3, ftmp2);
        /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
 
-       /* y3 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x3) -
+       /* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
           z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
-       felem_diff128(tmp2, tmp);
+       widefelem_diff(tmp2, tmp);
        /* tmp2[i] < 2^118 + 2^120 < 2^121 */
-       felem_reduce(y3, tmp2);
+       felem_reduce(y_out, tmp2);
 
-       /* the result (x3, y3, z3) is incorrect if one of the inputs is the
-        * point at infinity, so we need to check for this separately */
+       /* the result (x_out, y_out, z_out) is incorrect if one of the inputs is
+        * the point at infinity, so we need to check for this separately */
 
        /* if point 1 is at infinity, copy point 2 to output, and vice versa */
-       copy_conditional(x3, x2, 4, z1_is_zero);
-       copy_conditional(x3, x1, 4, z2_is_zero);
-       copy_conditional(y3, y2, 4, z1_is_zero);
-       copy_conditional(y3, y1, 4, z2_is_zero);
-       copy_conditional(z3, z2, 4, z1_is_zero);
-       copy_conditional(z3, z1, 4, z2_is_zero);
+       copy_conditional(x_out, x2, z1_is_zero);
+       copy_conditional(x_out, x1, z2_is_zero);
+       copy_conditional(y_out, y2, z1_is_zero);
+       copy_conditional(y_out, y1, z2_is_zero);
+       copy_conditional(z_out, z2, z1_is_zero);
+       copy_conditional(z_out, z1, z2_is_zero);
+       felem_assign(x3, x_out);
+       felem_assign(y3, y_out);
+       felem_assign(z3, z_out);
        }
 
-/* Select a point from an array of 16 precomputed point multiples,
- * in constant time: for bits = {b_0, b_1, b_2, b_3}, return the point
- * pre_comp[8*b_3 + 4*b_2 + 2*b_1 + b_0] */
-static void select_point(const fslice bits[4], const fslice pre_comp[16][3][4],
-       fslice out[12])
+/* select_point selects the |index|th point from a precomputation table and
+ * copies it to out. */
+static void select_point(const u64 index, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3])
        {
-       fslice tmp[5][12];
-       select_conditional(tmp[0], pre_comp[7][0], pre_comp[15][0], 12, bits[3]);
-       select_conditional(tmp[1], pre_comp[3][0], pre_comp[11][0], 12, bits[3]);
-       select_conditional(tmp[2], tmp[1], tmp[0], 12, bits[2]);
-       select_conditional(tmp[0], pre_comp[5][0], pre_comp[13][0], 12, bits[3]);
-       select_conditional(tmp[1], pre_comp[1][0], pre_comp[9][0], 12, bits[3]);
-       select_conditional(tmp[3], tmp[1], tmp[0], 12, bits[2]);
-       select_conditional(tmp[4], tmp[3], tmp[2], 12, bits[1]);
-       select_conditional(tmp[0], pre_comp[6][0], pre_comp[14][0], 12, bits[3]);
-       select_conditional(tmp[1], pre_comp[2][0], pre_comp[10][0], 12, bits[3]);
-       select_conditional(tmp[2], tmp[1], tmp[0], 12, bits[2]);
-       select_conditional(tmp[0], pre_comp[4][0], pre_comp[12][0], 12, bits[3]);
-       select_conditional(tmp[1], pre_comp[0][0], pre_comp[8][0], 12, bits[3]);
-       select_conditional(tmp[3], tmp[1], tmp[0], 12, bits[2]);
-       select_conditional(tmp[1], tmp[3], tmp[2], 12, bits[1]);
-       select_conditional(out, tmp[1], tmp[4], 12, bits[0]);
+       unsigned i, j;
+       limb *outlimbs = &out[0][0];
+       memset(outlimbs, 0, 3 * sizeof(felem));
+
+       for (i = 0; i < size; i++)
+               {
+               const limb *inlimbs = &pre_comp[i][0][0];
+               u64 mask = i ^ index;
+               mask |= mask >> 4;
+               mask |= mask >> 2;
+               mask |= mask >> 1;
+               mask &= 1;
+               mask--;
+               for (j = 0; j < 4 * 3; j++)
+                       outlimbs[j] |= inlimbs[j] & mask;
+               }
+       }
+
+/* get_bit returns the |i|th bit in |in| */
+static char get_bit(const felem_bytearray in, unsigned i)
+       {
+       if (i >= 224)
+               return 0;
+       return (in[i >> 3] >> (i & 7)) & 1;
        }
 
 /* Interleaved point multiplication using precomputed point multiples:
- * The small point multiples 0*P, 1*P, ..., 15*P are in pre_comp[],
+ * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[],
  * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
  * of the generator, using certain (large) precomputed multiples in g_pre_comp.
  * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
-static void batch_mul(fslice x_out[4], fslice y_out[4], fslice z_out[4],
+static void batch_mul(felem x_out, felem y_out, felem z_out,
        const felem_bytearray scalars[], const unsigned num_points, const u8 *g_scalar,
-       const fslice pre_comp[][16][3][4], const fslice g_pre_comp[16][3][4])
+       const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[2][16][3])
        {
-       unsigned i, j, num;
+       int i, skip;
+       unsigned num;
        unsigned gen_mul = (g_scalar != NULL);
-       fslice nq[12], nqt[12], tmp[12];
-       fslice bits[4];
-       u8 byte;
+       felem nq[3], tmp[4];
+       u64 bits;
+       u8 sign, digit;
 
        /* set nq to the point at infinity */
-       memset(nq, 0, 12 * sizeof(fslice));
-
-       /* Loop over all scalars msb-to-lsb, 4 bits at a time: for each nibble,
-        * double 4 times, then add the precomputed point multiples.
-        * If we are also adding multiples of the generator, then interleave
-        * these additions with the last 56 doublings. */
-       for (i = (num_points ? 28 : 7); i > 0; --i)
+       memset(nq, 0, 3 * sizeof(felem));
+
+       /* Loop over all scalars msb-to-lsb, interleaving additions
+        * of multiples of the generator (two in each of the last 28 rounds)
+        * and additions of other points multiples (every 5th round).
+        */
+       skip = 1; /* save two point operations in the first round */
+       for (i = (num_points ? 220 : 27); i >= 0; --i)
                {
-               for (j = 0; j < 8; ++j)
+               /* double */
+               if (!skip)
+                       point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+
+               /* add multiples of the generator */
+               if (gen_mul && (i <= 27))
                        {
-                       /* double once */
-                       point_double(nq, nq+4, nq+8, nq, nq+4, nq+8);
-                       /* add multiples of the generator */
-                       if ((gen_mul) && (i <= 7))
+                       /* first, look 28 bits upwards */
+                       bits = get_bit(g_scalar, i + 196) << 3;
+                       bits |= get_bit(g_scalar, i + 140) << 2;
+                       bits |= get_bit(g_scalar, i + 84) << 1;
+                       bits |= get_bit(g_scalar, i + 28);
+                       /* select the point to add, in constant time */
+                       select_point(bits, 16, g_pre_comp[1], tmp);
+
+                       if (!skip)
+                               {
+                               point_add(nq[0], nq[1], nq[2],
+                                       nq[0], nq[1], nq[2],
+                                       1 /* mixed */, tmp[0], tmp[1], tmp[2]);
+                               }
+                       else
                                {
-                               bits[3] = (g_scalar[i+20] >> (7-j)) & 1;
-                               bits[2] = (g_scalar[i+13] >> (7-j)) & 1;
-                               bits[1] = (g_scalar[i+6] >> (7-j)) & 1;
-                               bits[0] = (g_scalar[i-1] >> (7-j)) & 1;
-                               /* select the point to add, in constant time */
-                               select_point(bits, g_pre_comp, tmp);
-                               memcpy(nqt, nq, 12 * sizeof(fslice));
-                               point_add(nq, nq+4, nq+8, nqt, nqt+4, nqt+8,
-                                       tmp, tmp+4, tmp+8);
+                               memcpy(nq, tmp, 3 * sizeof(felem));
+                               skip = 0;
                                }
-                       /* do an addition after every 4 doublings */
-                       if (j % 4 == 3)
+
+                       /* second, look at the current position */
+                       bits = get_bit(g_scalar, i + 168) << 3;
+                       bits |= get_bit(g_scalar, i + 112) << 2;
+                       bits |= get_bit(g_scalar, i + 56) << 1;
+                       bits |= get_bit(g_scalar, i);
+                       /* select the point to add, in constant time */
+                       select_point(bits, 16, g_pre_comp[0], tmp);
+                       point_add(nq[0], nq[1], nq[2],
+                               nq[0], nq[1], nq[2],
+                               1 /* mixed */, tmp[0], tmp[1], tmp[2]);
+                       }
+
+               /* do other additions every 5 doublings */
+               if (num_points && (i % 5 == 0))
+                       {
+                       /* loop over all scalars */
+                       for (num = 0; num < num_points; ++num)
                                {
-                               /* loop over all scalars */
-                               for (num = 0; num < num_points; ++num)
+                               bits = get_bit(scalars[num], i + 4) << 5;
+                               bits |= get_bit(scalars[num], i + 3) << 4;
+                               bits |= get_bit(scalars[num], i + 2) << 3;
+                               bits |= get_bit(scalars[num], i + 1) << 2;
+                               bits |= get_bit(scalars[num], i) << 1;
+                               bits |= get_bit(scalars[num], i - 1);
+                               ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
+
+                               /* select the point to add or subtract */
+                               select_point(digit, 17, pre_comp[num], tmp);
+                               felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative point */
+                               copy_conditional(tmp[1], tmp[3], sign);
+
+                               if (!skip)
                                        {
-                                       byte = scalars[num][i-1];
-                                       bits[3] = (byte >> (10-j)) & 1;
-                                       bits[2] = (byte >> (9-j)) & 1;
-                                       bits[1] = (byte >> (8-j)) & 1;
-                                       bits[0] = (byte >> (7-j)) & 1;
-                                       /* select the point to add */
-                                       select_point(bits,
-                                               pre_comp[num], tmp);
-                                       memcpy(nqt, nq, 12 * sizeof(fslice));
-                                       point_add(nq, nq+4, nq+8, nqt, nqt+4,
-                                               nqt+8, tmp, tmp+4, tmp+8);
+                                       point_add(nq[0], nq[1], nq[2],
+                                               nq[0], nq[1], nq[2],
+                                               mixed, tmp[0], tmp[1], tmp[2]);
+                                       }
+                               else
+                                       {
+                                       memcpy(nq, tmp, 3 * sizeof(felem));
+                                       skip = 0;
                                        }
                                }
                        }
                }
-       memcpy(x_out, nq, 4 * sizeof(fslice));
-       memcpy(y_out, nq+4, 4 * sizeof(fslice));
-       memcpy(z_out, nq+8, 4 * sizeof(fslice));
+       felem_assign(x_out, nq[0]);
+       felem_assign(y_out, nq[1]);
+       felem_assign(z_out, nq[2]);
        }
 
 /******************************************************************************/
@@ -1035,7 +1140,7 @@ static void batch_mul(fslice x_out[4], fslice y_out[4], fslice z_out[4],
 static NISTP224_PRE_COMP *nistp224_pre_comp_new()
        {
        NISTP224_PRE_COMP *ret = NULL;
-       ret = (NISTP224_PRE_COMP *)OPENSSL_malloc(sizeof(NISTP224_PRE_COMP));
+       ret = (NISTP224_PRE_COMP *) OPENSSL_malloc(sizeof *ret);
        if (!ret)
                {
                ECerr(EC_F_NISTP224_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
@@ -1136,8 +1241,8 @@ err:
 int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
        const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
        {
-       fslice z1[4], z2[4], x_in[4], y_in[4], x_out[4], y_out[4];
-       uint128_t tmp[7];
+       felem z1, z2, x_in, y_in, x_out, y_out;
+       widefelem tmp;
 
        if (EC_POINT_is_at_infinity(group, point))
                {
@@ -1173,6 +1278,24 @@ int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
        return 1;
        }
 
+static void make_points_affine(size_t num, felem points[/*num*/][3], felem tmp_felems[/*num+1*/])
+       {
+       /* Runs in constant time, unless an input is the point at infinity
+        * (which normally shouldn't happen). */
+       ec_GFp_nistp_points_make_affine_internal(
+               num,
+               points,
+               sizeof(felem),
+               tmp_felems,
+               (void (*)(void *)) felem_one,
+               (int (*)(const void *)) felem_is_zero_int,
+               (void (*)(void *, const void *)) felem_assign,
+               (void (*)(void *, const void *)) felem_square_reduce,
+               (void (*)(void *, const void *, const void *)) felem_mul_reduce,
+               (void (*)(void *, const void *)) felem_inv,
+               (void (*)(void *, const void *)) felem_contract);
+       }
+
 /* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
  * Result is stored in r (r can equal one of the inputs). */
 int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
@@ -1180,19 +1303,22 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
        const BIGNUM *scalars[], BN_CTX *ctx)
        {
        int ret = 0;
-       int i, j;
+       int j;
+       unsigned i;
+       int mixed = 0;
        BN_CTX *new_ctx = NULL;
        BIGNUM *x, *y, *z, *tmp_scalar;
        felem_bytearray g_secret;
        felem_bytearray *secrets = NULL;
-       fslice (*pre_comp)[16][3][4] = NULL;
+       felem (*pre_comp)[17][3] = NULL;
+       felem *tmp_felems = NULL;
        felem_bytearray tmp;
        unsigned num_bytes;
        int have_pre_comp = 0;
        size_t num_points = num;
-       fslice x_in[4], y_in[4], z_in[4], x_out[4], y_out[4], z_out[4];
+       felem x_in, y_in, z_in, x_out, y_out, z_out;
        NISTP224_PRE_COMP *pre = NULL;
-       fslice (*g_pre_comp)[3][4] = NULL;
+       const felem (*g_pre_comp)[16][3] = NULL;
        EC_POINT *generator = NULL;
        const EC_POINT *p = NULL;
        const BIGNUM *p_scalar = NULL;
@@ -1213,17 +1339,17 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
                        nistp224_pre_comp_clear_free);
                if (pre)
                        /* we have precomputation, try to use it */
-                       g_pre_comp = pre->g_pre_comp;
+                       g_pre_comp = (const felem (*)[16][3]) pre->g_pre_comp;
                else
                        /* try to use the standard precomputation */
-                       g_pre_comp = (fslice (*)[3][4]) gmul;
+                       g_pre_comp = &gmul[0];
                generator = EC_POINT_new(group);
                if (generator == NULL)
                        goto err;
                /* get the generator from precomputation */
-               if (!felem_to_BN(x, g_pre_comp[1][0]) ||
-                       !felem_to_BN(y, g_pre_comp[1][1]) ||
-                       !felem_to_BN(z, g_pre_comp[1][2]))
+               if (!felem_to_BN(x, g_pre_comp[0][1][0]) ||
+                       !felem_to_BN(y, g_pre_comp[0][1][1]) ||
+                       !felem_to_BN(z, g_pre_comp[0][1][2]))
                        {
                        ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
                        goto err;
@@ -1239,86 +1365,95 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
                         * treat the generator as a random point */
                        num_points = num_points + 1;
                }
-       secrets = OPENSSL_malloc(num_points * sizeof(felem_bytearray));
-       pre_comp = OPENSSL_malloc(num_points * 16 * 3 * 4 * sizeof(fslice));
 
-       if ((num_points) && ((secrets == NULL) || (pre_comp == NULL)))
+       if (num_points > 0)
                {
-               ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_MALLOC_FAILURE);
-               goto err;
-               }
-
-       /* we treat NULL scalars as 0, and NULL points as points at infinity,
-        * i.e., they contribute nothing to the linear combination */
-       memset(secrets, 0, num_points * sizeof(felem_bytearray));
-       memset(pre_comp, 0, num_points * 16 * 3 * 4 * sizeof(fslice));
-       for (i = 0; i < num_points; ++i)
-               {
-               if (i == num)
-                       /* the generator */
+               if (num_points >= 3)
                        {
-                       p = EC_GROUP_get0_generator(group);
-                       p_scalar = scalar;
+                       /* unless we precompute multiples for just one or two points,
+                        * converting those into affine form is time well spent  */
+                       mixed = 1;
                        }
-               else
-                       /* the i^th point */
+               secrets = OPENSSL_malloc(num_points * sizeof(felem_bytearray));
+               pre_comp = OPENSSL_malloc(num_points * 17 * 3 * sizeof(felem));
+               if (mixed)
+                       tmp_felems = OPENSSL_malloc((num_points * 17 + 1) * sizeof(felem));
+               if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_felems == NULL)))
                        {
-                       p = points[i];
-                       p_scalar = scalars[i];
+                       ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_MALLOC_FAILURE);
+                       goto err;
                        }
-               if ((p_scalar != NULL) && (p != NULL))
+
+               /* we treat NULL scalars as 0, and NULL points as points at infinity,
+                * i.e., they contribute nothing to the linear combination */
+               memset(secrets, 0, num_points * sizeof(felem_bytearray));
+               memset(pre_comp, 0, num_points * 17 * 3 * sizeof(felem));
+               for (i = 0; i < num_points; ++i)
                        {
-                       num_bytes = BN_num_bytes(p_scalar);
-                       /* reduce scalar to 0 <= scalar < 2^224 */
-                       if ((num_bytes > sizeof(felem_bytearray)) || (BN_is_negative(p_scalar)))
+                       if (i == num)
+                               /* the generator */
                                {
-                               /* this is an unusual input, and we don't guarantee
-                                * constant-timeness */
-                               if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx))
-                                       {
-                                       ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
-                                       goto err;
-                                       }
-                               num_bytes = BN_bn2bin(tmp_scalar, tmp);
+                               p = EC_GROUP_get0_generator(group);
+                               p_scalar = scalar;
                                }
                        else
-                               BN_bn2bin(p_scalar, tmp);
-                       flip_endian(secrets[i], tmp, num_bytes);
-                       /* precompute multiples */
-                       if ((!BN_to_felem(x_out, &p->X)) ||
-                               (!BN_to_felem(y_out, &p->Y)) ||
-                               (!BN_to_felem(z_out, &p->Z))) goto err;
-                       memcpy(pre_comp[i][1][0], x_out, 4 * sizeof(fslice));
-                       memcpy(pre_comp[i][1][1], y_out, 4 * sizeof(fslice));
-                       memcpy(pre_comp[i][1][2], z_out, 4 * sizeof(fslice));
-                       for (j = 1; j < 8; ++j)
+                               /* the i^th point */
                                {
-                               point_double(pre_comp[i][2*j][0],
-                                       pre_comp[i][2*j][1],
-                                       pre_comp[i][2*j][2],
-                                       pre_comp[i][j][0],
-                                       pre_comp[i][j][1],
-                                       pre_comp[i][j][2]);
-                               point_add(pre_comp[i][2*j+1][0],
-                                       pre_comp[i][2*j+1][1],
-                                       pre_comp[i][2*j+1][2],
-                                       pre_comp[i][1][0],
-                                       pre_comp[i][1][1],
-                                       pre_comp[i][1][2],
-                                       pre_comp[i][2*j][0],
-                                       pre_comp[i][2*j][1],
-                                       pre_comp[i][2*j][2]);
+                               p = points[i];
+                               p_scalar = scalars[i];
+                               }
+                       if ((p_scalar != NULL) && (p != NULL))
+                               {
+                               /* reduce scalar to 0 <= scalar < 2^224 */
+                               if ((BN_num_bits(p_scalar) > 224) || (BN_is_negative(p_scalar)))
+                                       {
+                                       /* this is an unusual input, and we don't guarantee
+                                        * constant-timeness */
+                                       if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx))
+                                               {
+                                               ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
+                                               goto err;
+                                               }
+                                       num_bytes = BN_bn2bin(tmp_scalar, tmp);
+                                       }
+                               else
+                                       num_bytes = BN_bn2bin(p_scalar, tmp);
+                               flip_endian(secrets[i], tmp, num_bytes);
+                               /* precompute multiples */
+                               if ((!BN_to_felem(x_out, &p->X)) ||
+                                       (!BN_to_felem(y_out, &p->Y)) ||
+                                       (!BN_to_felem(z_out, &p->Z))) goto err;
+                               felem_assign(pre_comp[i][1][0], x_out);
+                               felem_assign(pre_comp[i][1][1], y_out);
+                               felem_assign(pre_comp[i][1][2], z_out);
+                               for (j = 2; j <= 16; ++j)
+                                       {
+                                       if (j & 1)
+                                               {
+                                               point_add(
+                                                       pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
+                                                       pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2],
+                                                       0, pre_comp[i][j-1][0], pre_comp[i][j-1][1], pre_comp[i][j-1][2]);
+                                               }
+                                       else
+                                               {
+                                               point_double(
+                                                       pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
+                                                       pre_comp[i][j/2][0], pre_comp[i][j/2][1], pre_comp[i][j/2][2]);
+                                               }
+                                       }
                                }
                        }
+               if (mixed)
+                       make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
                }
 
        /* the scalar for the generator */
        if ((scalar != NULL) && (have_pre_comp))
                {
                memset(g_secret, 0, sizeof g_secret);
-               num_bytes = BN_num_bytes(scalar);
                /* reduce scalar to 0 <= scalar < 2^224 */
-               if ((num_bytes > sizeof(felem_bytearray)) || (BN_is_negative(scalar)))
+               if ((BN_num_bits(scalar) > 224) || (BN_is_negative(scalar)))
                        {
                        /* this is an unusual input, and we don't guarantee
                         * constant-timeness */
@@ -1330,19 +1465,20 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
                        num_bytes = BN_bn2bin(tmp_scalar, tmp);
                        }
                else
-                       BN_bn2bin(scalar, tmp);
+                       num_bytes = BN_bn2bin(scalar, tmp);
                flip_endian(g_secret, tmp, num_bytes);
                /* do the multiplication with generator precomputation*/
                batch_mul(x_out, y_out, z_out,
                        (const felem_bytearray (*)) secrets, num_points,
-                       g_secret, (const fslice (*)[16][3][4]) pre_comp,
-                       (const fslice (*)[3][4]) g_pre_comp);
+                       g_secret,
+                       mixed, (const felem (*)[17][3]) pre_comp,
+                       g_pre_comp);
                }
        else
                /* do the multiplication without generator precomputation */
                batch_mul(x_out, y_out, z_out,
                        (const felem_bytearray (*)) secrets, num_points,
-                       NULL, (const fslice (*)[16][3][4]) pre_comp, NULL);
+                       NULL, mixed, (const felem (*)[17][3]) pre_comp, NULL);
        /* reduce the output to its unique minimal representation */
        felem_contract(x_in, x_out);
        felem_contract(y_in, y_out);
@@ -1365,6 +1501,8 @@ err:
                OPENSSL_free(secrets);
        if (pre_comp != NULL)
                OPENSSL_free(pre_comp);
+       if (tmp_felems != NULL)
+               OPENSSL_free(tmp_felems);
        return ret;
        }
 
@@ -1376,6 +1514,7 @@ int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
        BN_CTX *new_ctx = NULL;
        BIGNUM *x, *y;
        EC_POINT *generator = NULL;
+       felem tmp_felems[32];
 
        /* throw away old precomputation */
        EC_EX_DATA_free_data(&group->extra_data, nistp224_pre_comp_dup,
@@ -1404,62 +1543,81 @@ int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
                ret = 1;
                goto err;
                }
-       if ((!BN_to_felem(pre->g_pre_comp[1][0], &group->generator->X)) ||
-               (!BN_to_felem(pre->g_pre_comp[1][1], &group->generator->Y)) ||
-               (!BN_to_felem(pre->g_pre_comp[1][2], &group->generator->Z)))
+       if ((!BN_to_felem(pre->g_pre_comp[0][1][0], &group->generator->X)) ||
+               (!BN_to_felem(pre->g_pre_comp[0][1][1], &group->generator->Y)) ||
+               (!BN_to_felem(pre->g_pre_comp[0][1][2], &group->generator->Z)))
                goto err;
-       /* compute 2^56*G, 2^112*G, 2^168*G */
-       for (i = 1; i < 5; ++i)
+       /* compute 2^56*G, 2^112*G, 2^168*G for the first table,
+        * 2^28*G, 2^84*G, 2^140*G, 2^196*G for the second one
+        */
+       for (i = 1; i <= 8; i <<= 1)
                {
-               point_double(pre->g_pre_comp[2*i][0], pre->g_pre_comp[2*i][1],
-                       pre->g_pre_comp[2*i][2], pre->g_pre_comp[i][0],
-                       pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]);
-               for (j = 0; j < 55; ++j)
+               point_double(
+                       pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
+                       pre->g_pre_comp[0][i][0], pre->g_pre_comp[0][i][1], pre->g_pre_comp[0][i][2]);
+               for (j = 0; j < 27; ++j)
                        {
-                       point_double(pre->g_pre_comp[2*i][0],
-                               pre->g_pre_comp[2*i][1],
-                               pre->g_pre_comp[2*i][2],
-                               pre->g_pre_comp[2*i][0],
-                               pre->g_pre_comp[2*i][1],
-                               pre->g_pre_comp[2*i][2]);
+                       point_double(
+                               pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
+                               pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
+                       }
+               if (i == 8)
+                       break;
+               point_double(
+                       pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2],
+                       pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
+               for (j = 0; j < 27; ++j)
+                       {
+                       point_double(
+                               pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2],
+                               pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2]);
                        }
                }
-       /* g_pre_comp[0] is the point at infinity */
-       memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0]));
-       /* the remaining multiples */
-       /* 2^56*G + 2^112*G */
-       point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1],
-               pre->g_pre_comp[6][2], pre->g_pre_comp[4][0],
-               pre->g_pre_comp[4][1], pre->g_pre_comp[4][2],
-               pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
-               pre->g_pre_comp[2][2]);
-       /* 2^56*G + 2^168*G */
-       point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1],
-               pre->g_pre_comp[10][2], pre->g_pre_comp[8][0],
-               pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
-               pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
-               pre->g_pre_comp[2][2]);
-       /* 2^112*G + 2^168*G */
-       point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1],
-               pre->g_pre_comp[12][2], pre->g_pre_comp[8][0],
-               pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
-               pre->g_pre_comp[4][0], pre->g_pre_comp[4][1],
-               pre->g_pre_comp[4][2]);
-       /* 2^56*G + 2^112*G + 2^168*G */
-       point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1],
-               pre->g_pre_comp[14][2], pre->g_pre_comp[12][0],
-               pre->g_pre_comp[12][1], pre->g_pre_comp[12][2],
-               pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
-               pre->g_pre_comp[2][2]);
-       for (i = 1; i < 8; ++i)
+       for (i = 0; i < 2; i++)
                {
-               /* odd multiples: add G */
-               point_add(pre->g_pre_comp[2*i+1][0], pre->g_pre_comp[2*i+1][1],
-                       pre->g_pre_comp[2*i+1][2], pre->g_pre_comp[2*i][0],
-                       pre->g_pre_comp[2*i][1], pre->g_pre_comp[2*i][2],
-                       pre->g_pre_comp[1][0], pre->g_pre_comp[1][1],
-                       pre->g_pre_comp[1][2]);
+               /* g_pre_comp[i][0] is the point at infinity */
+               memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0]));
+               /* the remaining multiples */
+               /* 2^56*G + 2^112*G resp. 2^84*G + 2^140*G */
+               point_add(
+                       pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1],
+                       pre->g_pre_comp[i][6][2], pre->g_pre_comp[i][4][0],
+                       pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2],
+                       0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
+                       pre->g_pre_comp[i][2][2]);
+               /* 2^56*G + 2^168*G resp. 2^84*G + 2^196*G */
+               point_add(
+                       pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1],
+                       pre->g_pre_comp[i][10][2], pre->g_pre_comp[i][8][0],
+                       pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
+                       0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
+                       pre->g_pre_comp[i][2][2]);
+               /* 2^112*G + 2^168*G resp. 2^140*G + 2^196*G */
+               point_add(
+                       pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1],
+                       pre->g_pre_comp[i][12][2], pre->g_pre_comp[i][8][0],
+                       pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
+                       0, pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1],
+                       pre->g_pre_comp[i][4][2]);
+               /* 2^56*G + 2^112*G + 2^168*G resp. 2^84*G + 2^140*G + 2^196*G */
+               point_add(
+                       pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1],
+                       pre->g_pre_comp[i][14][2], pre->g_pre_comp[i][12][0],
+                       pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
+                       0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
+                       pre->g_pre_comp[i][2][2]);
+               for (j = 1; j < 8; ++j)
+                       {
+                       /* odd multiples: add G resp. 2^28*G */
+                       point_add(
+                               pre->g_pre_comp[i][2*j+1][0], pre->g_pre_comp[i][2*j+1][1],
+                               pre->g_pre_comp[i][2*j+1][2], pre->g_pre_comp[i][2*j][0],
+                               pre->g_pre_comp[i][2*j][1], pre->g_pre_comp[i][2*j][2],
+                               0, pre->g_pre_comp[i][1][0], pre->g_pre_comp[i][1][1],
+                               pre->g_pre_comp[i][1][2]);
+                       }
                }
+       make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_felems);
 
        if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp224_pre_comp_dup,
                        nistp224_pre_comp_free, nistp224_pre_comp_clear_free))
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
new file mode 100644 (file)
index 0000000..a1cef69
--- /dev/null
@@ -0,0 +1,2158 @@
+/* crypto/ec/ecp_nistp256.c */
+/*
+ * Written by Adam Langley (Google) for the OpenSSL project
+ */
+/* Copyright 2011 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ *
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * A 64-bit implementation of the NIST P-256 elliptic curve point multiplication
+ *
+ * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
+ * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
+ * work which got its smarts from Daniel J. Bernstein's work on the same.
+ */
+
+#ifdef EC_NISTP_64_GCC_128
+
+#include <stdint.h>
+#include <string.h>
+#include <openssl/err.h>
+#include "ec_lcl.h"
+
+#if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1))
+  /* even with gcc, the typedef won't work for 32-bit platforms */
+  typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit platforms */
+  typedef __int128_t int128_t;
+#else
+  #error "Need GCC 3.1 or later to define type uint128_t"
+#endif
+
+typedef uint8_t u8;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int64_t s64;
+
+/* The underlying field.
+ *
+ * P256 operates over GF(2^256-2^224+2^192+2^96-1). We can serialise an element
+ * of this field into 32 bytes. We call this an felem_bytearray. */
+
+typedef u8 felem_bytearray[32];
+
+/* These are the parameters of P256, taken from FIPS 186-3, page 86. These
+ * values are big-endian. */
+static const felem_bytearray nistp256_curve_params[5] = {
+       {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,       /* p */
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+       {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,       /* a = -3 */
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc},      /* b */
+       {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7,
+        0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc,
+        0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
+        0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b},
+       {0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,       /* x */
+        0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2,
+        0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0,
+        0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96},
+       {0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b,       /* y */
+        0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16,
+        0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
+        0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}
+};
+
+/* The representation of field elements.
+ * ------------------------------------
+ *
+ * We represent field elements with either four 128-bit values, eight 128-bit
+ * values, or four 64-bit values. The field element represented is:
+ *   v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + v[3]*2^192  (mod p)
+ * or:
+ *   v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + ... + v[8]*2^512  (mod p)
+ *
+ * 128-bit values are called 'limbs'. Since the limbs are spaced only 64 bits
+ * apart, but are 128-bits wide, the most significant bits of each limb overlap
+ * with the least significant bits of the next.
+ *
+ * A field element with four limbs is an 'felem'. One with eight limbs is a
+ * 'longfelem'
+ *
+ * A field element with four, 64-bit values is called a 'smallfelem'. Small
+ * values are used as intermediate values before multiplication.
+ */
+
+#define NLIMBS 4
+
+typedef uint128_t limb;
+typedef limb felem[NLIMBS];
+typedef limb longfelem[NLIMBS * 2];
+typedef u64 smallfelem[NLIMBS];
+
+/* This is the value of the prime as four 64-bit words, little-endian. */
+static const u64 kPrime[4] = { 0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul };
+static const limb bottom32bits = 0xffffffff;
+static const u64 bottom63bits = 0x7ffffffffffffffful;
+
+/* bin32_to_felem takes a little-endian byte array and converts it into felem
+ * form. This assumes that the CPU is little-endian. */
+static void bin32_to_felem(felem out, const u8 in[32])
+       {
+       out[0] = *((u64*) &in[0]);
+       out[1] = *((u64*) &in[8]);
+       out[2] = *((u64*) &in[16]);
+       out[3] = *((u64*) &in[24]);
+       }
+
+/* smallfelem_to_bin32 takes a smallfelem and serialises into a little endian,
+ * 32 byte array. This assumes that the CPU is little-endian. */
+static void smallfelem_to_bin32(u8 out[32], const smallfelem in)
+       {
+       *((u64*) &out[0]) = in[0];
+       *((u64*) &out[8]) = in[1];
+       *((u64*) &out[16]) = in[2];
+       *((u64*) &out[24]) = in[3];
+       }
+
+/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
+static void flip_endian(u8 *out, const u8 *in, unsigned len)
+       {
+       unsigned i;
+       for (i = 0; i < len; ++i)
+               out[i] = in[len-1-i];
+       }
+
+/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
+static int BN_to_felem(felem out, const BIGNUM *bn)
+       {
+       felem_bytearray b_in;
+       felem_bytearray b_out;
+       unsigned num_bytes;
+
+       /* BN_bn2bin eats leading zeroes */
+       memset(b_out, 0, sizeof b_out);
+       num_bytes = BN_num_bytes(bn);
+       if (num_bytes > sizeof b_out)
+               {
+               ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
+               return 0;
+               }
+       if (BN_is_negative(bn))
+               {
+               ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
+               return 0;
+               }
+       num_bytes = BN_bn2bin(bn, b_in);
+       flip_endian(b_out, b_in, num_bytes);
+       bin32_to_felem(out, b_out);
+       return 1;
+       }
+
+/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
+static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in)
+       {
+       felem_bytearray b_in, b_out;
+       smallfelem_to_bin32(b_in, in);
+       flip_endian(b_out, b_in, sizeof b_out);
+       return BN_bin2bn(b_out, sizeof b_out, out);
+       }
+
+
+/* Field operations
+ * ---------------- */
+
+static void smallfelem_one(smallfelem out)
+       {
+       out[0] = 1;
+       out[1] = 0;
+       out[2] = 0;
+       out[3] = 0;
+       }
+
+static void smallfelem_assign(smallfelem out, const smallfelem in)
+       {
+       out[0] = in[0];
+       out[1] = in[1];
+       out[2] = in[2];
+       out[3] = in[3];
+       }
+
+static void felem_assign(felem out, const felem in)
+       {
+       out[0] = in[0];
+       out[1] = in[1];
+       out[2] = in[2];
+       out[3] = in[3];
+       }
+
+/* felem_sum sets out = out + in. */
+static void felem_sum(felem out, const felem in)
+       {
+       out[0] += in[0];
+       out[1] += in[1];
+       out[2] += in[2];
+       out[3] += in[3];
+       }
+
+/* felem_small_sum sets out = out + in. */
+static void felem_small_sum(felem out, const smallfelem in)
+       {
+       out[0] += in[0];
+       out[1] += in[1];
+       out[2] += in[2];
+       out[3] += in[3];
+       }
+
+/* felem_scalar sets out = out * scalar */
+static void felem_scalar(felem out, const u64 scalar)
+       {
+       out[0] *= scalar;
+       out[1] *= scalar;
+       out[2] *= scalar;
+       out[3] *= scalar;
+       }
+
+/* longfelem_scalar sets out = out * scalar */
+static void longfelem_scalar(longfelem out, const u64 scalar)
+       {
+       out[0] *= scalar;
+       out[1] *= scalar;
+       out[2] *= scalar;
+       out[3] *= scalar;
+       out[4] *= scalar;
+       out[5] *= scalar;
+       out[6] *= scalar;
+       out[7] *= scalar;
+       }
+
+#define two105m41m9 (((limb)1) << 105) - (((limb)1) << 41) - (((limb)1) << 9)
+#define two105 (((limb)1) << 105)
+#define two105m41p9 (((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9)
+
+/* zero105 is 0 mod p */
+static const felem zero105 = { two105m41m9, two105, two105m41p9, two105m41p9 };
+
+/* smallfelem_neg sets |out| to |-small|
+ * On exit:
+ *   out[i] < out[i] + 2^105
+ */
+static void smallfelem_neg(felem out, const smallfelem small)
+       {
+       /* In order to prevent underflow, we subtract from 0 mod p. */
+       out[0] = zero105[0] - small[0];
+       out[1] = zero105[1] - small[1];
+       out[2] = zero105[2] - small[2];
+       out[3] = zero105[3] - small[3];
+       }
+
+/* felem_diff subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 2^104
+ * On exit:
+ *   out[i] < out[i] + 2^105
+ */
+static void felem_diff(felem out, const felem in)
+       {
+       /* In order to prevent underflow, we add 0 mod p before subtracting. */
+       out[0] += zero105[0];
+       out[1] += zero105[1];
+       out[2] += zero105[2];
+       out[3] += zero105[3];
+
+       out[0] -= in[0];
+       out[1] -= in[1];
+       out[2] -= in[2];
+       out[3] -= in[3];
+       }
+
+#define two107m43m11 (((limb)1) << 107) - (((limb)1) << 43) - (((limb)1) << 11)
+#define two107 (((limb)1) << 107)
+#define two107m43p11 (((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11)
+
+/* zero107 is 0 mod p */
+static const felem zero107 = { two107m43m11, two107, two107m43p11, two107m43p11 };
+
+/* An alternative felem_diff for larger inputs |in|
+ * felem_diff_zero107 subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 2^106
+ * On exit:
+ *   out[i] < out[i] + 2^107
+ */
+static void felem_diff_zero107(felem out, const felem in)
+       {
+       /* In order to prevent underflow, we add 0 mod p before subtracting. */
+       out[0] += zero107[0];
+       out[1] += zero107[1];
+       out[2] += zero107[2];
+       out[3] += zero107[3];
+
+       out[0] -= in[0];
+       out[1] -= in[1];
+       out[2] -= in[2];
+       out[3] -= in[3];
+       }
+
+/* longfelem_diff subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 7*2^67
+ * On exit:
+ *   out[i] < out[i] + 2^70 + 2^40
+ */
+static void longfelem_diff(longfelem out, const longfelem in)
+       {
+       static const limb two70m8p6 = (((limb)1) << 70) - (((limb)1) << 8) + (((limb)1) << 6);
+       static const limb two70p40 = (((limb)1) << 70) + (((limb)1) << 40);
+       static const limb two70 = (((limb)1) << 70);
+       static const limb two70m40m38p6 = (((limb)1) << 70) - (((limb)1) << 40) - (((limb)1) << 38) + (((limb)1) << 6);
+       static const limb two70m6 = (((limb)1) << 70) - (((limb)1) << 6);
+
+       /* add 0 mod p to avoid underflow */
+       out[0] += two70m8p6;
+       out[1] += two70p40;
+       out[2] += two70;
+       out[3] += two70m40m38p6;
+       out[4] += two70m6;
+       out[5] += two70m6;
+       out[6] += two70m6;
+       out[7] += two70m6;
+
+       /* in[i] < 7*2^67 < 2^70 - 2^40 - 2^38 + 2^6 */
+       out[0] -= in[0];
+       out[1] -= in[1];
+       out[2] -= in[2];
+       out[3] -= in[3];
+       out[4] -= in[4];
+       out[5] -= in[5];
+       out[6] -= in[6];
+       out[7] -= in[7];
+       }
+
+#define two64m0 (((limb)1) << 64) - 1
+#define two110p32m0 (((limb)1) << 110) + (((limb)1) << 32) - 1
+#define two64m46 (((limb)1) << 64) - (((limb)1) << 46)
+#define two64m32 (((limb)1) << 64) - (((limb)1) << 32)
+
+/* zero110 is 0 mod p */
+static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 };
+
+/* felem_shrink converts an felem into a smallfelem. The result isn't quite
+ * minimal as the value may be greater than p.
+ *
+ * On entry:
+ *   in[i] < 2^109
+ * On exit:
+ *   out[i] < 2^64
+ */
+static void felem_shrink(smallfelem out, const felem in)
+       {
+       felem tmp;
+       /* Carry 2->3 */
+       tmp[3] = zero110[3] + in[3] + ((u64) (in[2] >> 64));
+       /* tmp[3] < 2^110 */
+
+       tmp[2] = zero110[2] + (u64) in[2];
+       tmp[0] = zero110[0] + in[0];
+       tmp[1] = zero110[1] + in[1];
+       /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */
+
+       /* We perform two partial reductions where we eliminate the
+        * high-word of tmp[3]. We don't update the other words till the end.
+        */
+       u64 a = tmp[3] >> 64; /* a < 2^46 */
+       tmp[3] = (u64) tmp[3];
+       tmp[3] -= a;
+       tmp[3] += ((limb)a) << 32;
+       /* tmp[3] < 2^79 */
+
+       u64 b = a;
+       a = tmp[3] >> 64; /* a < 2^15 */
+       b += a; /* b < 2^46 + 2^15 < 2^47 */
+       tmp[3] = (u64) tmp[3];
+       tmp[3] -= a;
+       tmp[3] += ((limb)a) << 32;
+       /* tmp[3] < 2^64 + 2^47 */
+
+       /* This adjusts the other two words to complete the two partial
+        * reductions. */
+       tmp[0] += b;
+       tmp[1] -= (((limb)b) << 32);
+
+       /* In order to make space in tmp[3] for the carry from 2 -> 3, we
+        * conditionally subtract kPrime if tmp[3] is large enough. */
+       static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
+       s64 high = tmp[3] >> 64;
+       /* As tmp[3] < 2^65, high is either 1 or 0 */
+       high <<= 63;
+       high >>= 63;
+       /* high is:
+        *   all ones   if the high word of tmp[3] is 1
+        *   all zeros  if the high word of tmp[3] if 0 */
+       s64 low = tmp[3];
+       u64 mask = low >> 63;
+       /* mask is:
+        *   all ones   if the MSB of low is 1
+        *   all zeros  if the MSB of low if 0 */
+       low &= bottom63bits;
+       low -= kPrime3Test;
+       /* if low was greater than kPrime3Test then the MSB is zero */
+       low = ~low;
+       low >>= 63;
+       /* low is:
+        *   all ones   if low was > kPrime3Test
+        *   all zeros  if low was <= kPrime3Test */
+       mask = (mask & low) | high;
+       tmp[0] -= mask & kPrime[0];
+       tmp[1] -= mask & kPrime[1];
+       /* kPrime[2] is zero, so omitted */
+       tmp[3] -= mask & kPrime[3];
+       /* tmp[3] < 2**64 - 2**32 + 1 */
+
+       tmp[1] += ((u64) (tmp[0] >> 64)); tmp[0] = (u64) tmp[0];
+       tmp[2] += ((u64) (tmp[1] >> 64)); tmp[1] = (u64) tmp[1];
+       tmp[3] += ((u64) (tmp[2] >> 64)); tmp[2] = (u64) tmp[2];
+       /* tmp[i] < 2^64 */
+
+       out[0] = tmp[0];
+       out[1] = tmp[1];
+       out[2] = tmp[2];
+       out[3] = tmp[3];
+       }
+
+/* smallfelem_expand converts a smallfelem to an felem */
+static void smallfelem_expand(felem out, const smallfelem in)
+       {
+       out[0] = in[0];
+       out[1] = in[1];
+       out[2] = in[2];
+       out[3] = in[3];
+       }
+
+/* smallfelem_square sets |out| = |small|^2
+ * On entry:
+ *   small[i] < 2^64
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67
+ */
+static void smallfelem_square(longfelem out, const smallfelem small)
+       {
+       limb a;
+       u64 high, low;
+
+       a = ((uint128_t) small[0]) * small[0];
+       low = a;
+       high = a >> 64;
+       out[0] = low;
+       out[1] = high;
+
+       a = ((uint128_t) small[0]) * small[1];
+       low = a;
+       high = a >> 64;
+       out[1] += low;
+       out[1] += low;
+       out[2] = high;
+
+       a = ((uint128_t) small[0]) * small[2];
+       low = a;
+       high = a >> 64;
+       out[2] += low;
+       out[2] *= 2;
+       out[3] = high;
+
+       a = ((uint128_t) small[0]) * small[3];
+       low = a;
+       high = a >> 64;
+       out[3] += low;
+       out[4] = high;
+
+       a = ((uint128_t) small[1]) * small[2];
+       low = a;
+       high = a >> 64;
+       out[3] += low;
+       out[3] *= 2;
+       out[4] += high;
+
+       a = ((uint128_t) small[1]) * small[1];
+       low = a;
+       high = a >> 64;
+       out[2] += low;
+       out[3] += high;
+
+       a = ((uint128_t) small[1]) * small[3];
+       low = a;
+       high = a >> 64;
+       out[4] += low;
+       out[4] *= 2;
+       out[5] = high;
+
+       a = ((uint128_t) small[2]) * small[3];
+       low = a;
+       high = a >> 64;
+       out[5] += low;
+       out[5] *= 2;
+       out[6] = high;
+       out[6] += high;
+
+       a = ((uint128_t) small[2]) * small[2];
+       low = a;
+       high = a >> 64;
+       out[4] += low;
+       out[5] += high;
+
+       a = ((uint128_t) small[3]) * small[3];
+       low = a;
+       high = a >> 64;
+       out[6] += low;
+       out[7] = high;
+       }
+
+/* felem_square sets |out| = |in|^2
+ * On entry:
+ *   in[i] < 2^109
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67
+ */
+static void felem_square(longfelem out, const felem in)
+       {
+       u64 small[4];
+       felem_shrink(small, in);
+       smallfelem_square(out, small);
+       }
+
+/* smallfelem_mul sets |out| = |small1| * |small2|
+ * On entry:
+ *   small1[i] < 2^64
+ *   small2[i] < 2^64
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67
+ */
+static void smallfelem_mul(longfelem out, const smallfelem small1, const smallfelem small2)
+       {
+       limb a;
+       u64 high, low;
+
+       a = ((uint128_t) small1[0]) * small2[0];
+       low = a;
+       high = a >> 64;
+       out[0] = low;
+       out[1] = high;
+
+
+       a = ((uint128_t) small1[0]) * small2[1];
+       low = a;
+       high = a >> 64;
+       out[1] += low;
+       out[2] = high;
+
+       a = ((uint128_t) small1[1]) * small2[0];
+       low = a;
+       high = a >> 64;
+       out[1] += low;
+       out[2] += high;
+
+
+       a = ((uint128_t) small1[0]) * small2[2];
+       low = a;
+       high = a >> 64;
+       out[2] += low;
+       out[3] = high;
+
+       a = ((uint128_t) small1[1]) * small2[1];
+       low = a;
+       high = a >> 64;
+       out[2] += low;
+       out[3] += high;
+
+       a = ((uint128_t) small1[2]) * small2[0];
+       low = a;
+       high = a >> 64;
+       out[2] += low;
+       out[3] += high;
+
+
+       a = ((uint128_t) small1[0]) * small2[3];
+       low = a;
+       high = a >> 64;
+       out[3] += low;
+       out[4] = high;
+
+       a = ((uint128_t) small1[1]) * small2[2];
+       low = a;
+       high = a >> 64;
+       out[3] += low;
+       out[4] += high;
+
+       a = ((uint128_t) small1[2]) * small2[1];
+       low = a;
+       high = a >> 64;
+       out[3] += low;
+       out[4] += high;
+
+       a = ((uint128_t) small1[3]) * small2[0];
+       low = a;
+       high = a >> 64;
+       out[3] += low;
+       out[4] += high;
+
+
+       a = ((uint128_t) small1[1]) * small2[3];
+       low = a;
+       high = a >> 64;
+       out[4] += low;
+       out[5] = high;
+
+       a = ((uint128_t) small1[2]) * small2[2];
+       low = a;
+       high = a >> 64;
+       out[4] += low;
+       out[5] += high;
+
+       a = ((uint128_t) small1[3]) * small2[1];
+       low = a;
+       high = a >> 64;
+       out[4] += low;
+       out[5] += high;
+
+
+       a = ((uint128_t) small1[2]) * small2[3];
+       low = a;
+       high = a >> 64;
+       out[5] += low;
+       out[6] = high;
+
+       a = ((uint128_t) small1[3]) * small2[2];
+       low = a;
+       high = a >> 64;
+       out[5] += low;
+       out[6] += high;
+
+
+       a = ((uint128_t) small1[3]) * small2[3];
+       low = a;
+       high = a >> 64;
+       out[6] += low;
+       out[7] = high;
+       }
+
+/* felem_mul sets |out| = |in1| * |in2|
+ * On entry:
+ *   in1[i] < 2^109
+ *   in2[i] < 2^109
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67
+ */
+static void felem_mul(longfelem out, const felem in1, const felem in2)
+       {
+       smallfelem small1, small2;
+       felem_shrink(small1, in1);
+       felem_shrink(small2, in2);
+       smallfelem_mul(out, small1, small2);
+       }
+
+/* felem_small_mul sets |out| = |small1| * |in2|
+ * On entry:
+ *   small1[i] < 2^64
+ *   in2[i] < 2^109
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67
+ */
+static void felem_small_mul(longfelem out, const smallfelem small1, const felem in2)
+       {
+       smallfelem small2;
+       felem_shrink(small2, in2);
+       smallfelem_mul(out, small1, small2);
+       }
+
+#define two100m36m4 (((limb)1) << 100) - (((limb)1) << 36) - (((limb)1) << 4)
+#define two100 (((limb)1) << 100)
+#define two100m36p4 (((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4)
+/* zero100 is 0 mod p */
+static const felem zero100 = { two100m36m4, two100, two100m36p4, two100m36p4 };
+
+/* Internal function for the different flavours of felem_reduce.
+ * felem_reduce_ reduces the higher coefficients in[4]-in[7].
+ * On entry:
+ *   out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7] 
+ *   out[1] >= in[7] + 2^32*in[4]
+ *   out[2] >= in[5] + 2^32*in[5]
+ *   out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
+ * On exit:
+ *   out[0] <= out[0] + in[4] + 2^32*in[5]
+ *   out[1] <= out[1] + in[5] + 2^33*in[6]
+ *   out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
+ *   out[3] <= out[3] + 2^32*in[4] + 3*in[7]
+ */
+static void felem_reduce_(felem out, const longfelem in)
+       {
+       int128_t c;
+       /* combine common terms from below */
+       c = in[4] + (in[5] << 32);
+       out[0] += c;
+       out[3] -= c;
+
+       c = in[5] - in[7];
+       out[1] += c;
+       out[2] -= c;
+
+       /* the remaining terms */
+       /* 256: [(0,1),(96,-1),(192,-1),(224,1)] */
+       out[1] -= (in[4] << 32);
+       out[3] += (in[4] << 32);
+
+       /* 320: [(32,1),(64,1),(128,-1),(160,-1),(224,-1)] */
+       out[2] -= (in[5] << 32);
+
+       /* 384: [(0,-1),(32,-1),(96,2),(128,2),(224,-1)] */
+       out[0] -= in[6];
+       out[0] -= (in[6] << 32);
+       out[1] += (in[6] << 33);
+       out[2] += (in[6] * 2);
+       out[3] -= (in[6] << 32);
+
+       /* 448: [(0,-1),(32,-1),(64,-1),(128,1),(160,2),(192,3)] */
+       out[0] -= in[7];
+       out[0] -= (in[7] << 32);
+       out[2] += (in[7] << 33);
+       out[3] += (in[7] * 3);
+       }
+
+/* felem_reduce converts a longfelem into an felem.
+ * To be called directly after felem_square or felem_mul.
+ * On entry:
+ *   in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
+ *   in[4] < 7*2^64, in[5] < 5*2^64, in[6] < 3*2^64, in[7] < 2*64
+ * On exit:
+ *   out[i] < 2^101
+ */
+static void felem_reduce(felem out, const longfelem in)
+       {
+       out[0] = zero100[0] + in[0];
+       out[1] = zero100[1] + in[1];
+       out[2] = zero100[2] + in[2];
+       out[3] = zero100[3] + in[3];
+
+       felem_reduce_(out, in);
+
+       /* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
+        * out[1] > 2^100 - 2^64 - 7*2^96 > 0
+        * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
+        * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
+        *
+        * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
+        * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
+        * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
+        * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101
+        */
+       }
+
+/* felem_reduce_zero105 converts a larger longfelem into an felem.
+ * On entry:
+ *   in[0] < 2^71
+ * On exit:
+ *   out[i] < 2^106
+ */
+static void felem_reduce_zero105(felem out, const longfelem in)
+       {
+       out[0] = zero105[0] + in[0];
+       out[1] = zero105[1] + in[1];
+       out[2] = zero105[2] + in[2];
+       out[3] = zero105[3] + in[3];
+
+       felem_reduce_(out, in);
+
+       /* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
+        * out[1] > 2^105 - 2^71 - 2^103 > 0
+        * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
+        * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
+        *
+        * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+        * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+        * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
+        * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
+        */
+       }
+
+/* subtract_u64 sets *result = *result - v and *carry to one if the subtraction
+ * underflowed. */
+static void subtract_u64(u64* result, u64* carry, u64 v)
+       {
+       uint128_t r = *result;
+       r -= v;
+       *carry = (r >> 64) & 1;
+       *result = (u64) r;
+       }
+
+/* felem_contract converts |in| to its unique, minimal representation.
+ * On entry:
+ *   in[i] < 2^109
+ */
+static void felem_contract(smallfelem out, const felem in)
+       {
+       unsigned i;
+       u64 all_equal_so_far = 0, result = 0, carry;
+
+       felem_shrink(out, in);
+       /* small is minimal except that the value might be > p */
+
+       all_equal_so_far--;
+       /* We are doing a constant time test if out >= kPrime. We need to
+        * compare each u64, from most-significant to least significant. For
+        * each one, if all words so far have been equal (m is all ones) then a
+        * non-equal result is the answer. Otherwise we continue. */
+       for (i = 3; i < 4; i--) {
+               uint128_t a = ((uint128_t) kPrime[i]) - out[i];
+               /* if out[i] > kPrime[i] then a will underflow and the high
+                * 64-bits will all be set. */
+               result |= all_equal_so_far & ((u64) (a >> 64));
+
+               /* if kPrime[i] == out[i] then |equal| will be all zeros and
+                * the decrement will make it all ones. */
+               u64 equal = kPrime[i] ^ out[i];
+               equal--;
+               equal &= equal << 32;
+               equal &= equal << 16;
+               equal &= equal << 8;
+               equal &= equal << 4;
+               equal &= equal << 2;
+               equal &= equal << 1;
+               equal = ((s64) equal) >> 63;
+
+               all_equal_so_far &= equal;
+       }
+
+       /* if all_equal_so_far is still all ones then the two values are equal
+        * and so out >= kPrime is true. */
+       result |= all_equal_so_far;
+
+       /* if out >= kPrime then we subtract kPrime. */
+       subtract_u64(&out[0], &carry, result & kPrime[0]);
+       subtract_u64(&out[1], &carry, carry);
+       subtract_u64(&out[2], &carry, carry);
+       subtract_u64(&out[3], &carry, carry);
+
+       subtract_u64(&out[1], &carry, result & kPrime[1]);
+       subtract_u64(&out[2], &carry, carry);
+       subtract_u64(&out[3], &carry, carry);
+
+       subtract_u64(&out[2], &carry, result & kPrime[2]);
+       subtract_u64(&out[3], &carry, carry);
+
+       subtract_u64(&out[3], &carry, result & kPrime[3]);
+       }
+
+static void smallfelem_square_contract(smallfelem out, const smallfelem in)
+       {
+       longfelem longtmp;
+       felem tmp;
+
+       smallfelem_square(longtmp, in);
+       felem_reduce(tmp, longtmp);
+       felem_contract(out, tmp);
+       }
+
+static void smallfelem_mul_contract(smallfelem out, const smallfelem in1, const smallfelem in2)
+       {
+       longfelem longtmp;
+       felem tmp;
+
+       smallfelem_mul(longtmp, in1, in2);
+       felem_reduce(tmp, longtmp);
+       felem_contract(out, tmp);
+       }
+
+/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+ * otherwise.
+ * On entry:
+ *   small[i] < 2^64
+ */
+static limb smallfelem_is_zero(const smallfelem small)
+       {
+       limb result;
+
+       u64 is_zero = small[0] | small[1] | small[2] | small[3];
+       is_zero--;
+       is_zero &= is_zero << 32;
+       is_zero &= is_zero << 16;
+       is_zero &= is_zero << 8;
+       is_zero &= is_zero << 4;
+       is_zero &= is_zero << 2;
+       is_zero &= is_zero << 1;
+       is_zero = ((s64) is_zero) >> 63;
+
+       u64 is_p = (small[0] ^ kPrime[0]) |
+                  (small[1] ^ kPrime[1]) |
+                  (small[2] ^ kPrime[2]) |
+                  (small[3] ^ kPrime[3]);
+       is_p--;
+       is_p &= is_p << 32;
+       is_p &= is_p << 16;
+       is_p &= is_p << 8;
+       is_p &= is_p << 4;
+       is_p &= is_p << 2;
+       is_p &= is_p << 1;
+       is_p = ((s64) is_p) >> 63;
+
+       is_zero |= is_p;
+
+       result = is_zero;
+       result |= ((limb) is_zero) << 64;
+       return result;
+       }
+
+static int smallfelem_is_zero_int(const smallfelem small)
+       {
+       return (int) (smallfelem_is_zero(small) & ((limb)1));
+       }
+
+/* felem_inv calculates |out| = |in|^{-1}
+ *
+ * Based on Fermat's Little Theorem:
+ *   a^p = a (mod p)
+ *   a^{p-1} = 1 (mod p)
+ *   a^{p-2} = a^{-1} (mod p)
+ */
+static void felem_inv(felem out, const felem in)
+       {
+       felem ftmp, ftmp2;
+       /* each e_I will hold |in|^{2^I - 1} */
+       felem e2, e4, e8, e16, e32, e64;
+       longfelem tmp;
+       unsigned i;
+
+       felem_square(tmp, in); felem_reduce(ftmp, tmp);                 /* 2^1 */
+       felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp);              /* 2^2 - 2^0 */
+       felem_assign(e2, ftmp);
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);               /* 2^3 - 2^1 */
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);               /* 2^4 - 2^2 */
+       felem_mul(tmp, ftmp, e2); felem_reduce(ftmp, tmp);              /* 2^4 - 2^0 */
+       felem_assign(e4, ftmp);
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);               /* 2^5 - 2^1 */
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);               /* 2^6 - 2^2 */
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);               /* 2^7 - 2^3 */
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);               /* 2^8 - 2^4 */
+       felem_mul(tmp, ftmp, e4); felem_reduce(ftmp, tmp);              /* 2^8 - 2^0 */
+       felem_assign(e8, ftmp);
+       for (i = 0; i < 8; i++) {
+               felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);
+       }                                                               /* 2^16 - 2^8 */
+       felem_mul(tmp, ftmp, e8); felem_reduce(ftmp, tmp);              /* 2^16 - 2^0 */
+       felem_assign(e16, ftmp);
+       for (i = 0; i < 16; i++) {
+               felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);
+       }                                                               /* 2^32 - 2^16 */
+       felem_mul(tmp, ftmp, e16); felem_reduce(ftmp, tmp);             /* 2^32 - 2^0 */
+       felem_assign(e32, ftmp);
+       for (i = 0; i < 32; i++) {
+               felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);
+       }                                                               /* 2^64 - 2^32 */
+       felem_assign(e64, ftmp);
+       felem_mul(tmp, ftmp, in); felem_reduce(ftmp, tmp);              /* 2^64 - 2^32 + 2^0 */
+       for (i = 0; i < 192; i++) {
+               felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);
+       }                                                               /* 2^256 - 2^224 + 2^192 */
+
+       felem_mul(tmp, e64, e32); felem_reduce(ftmp2, tmp);             /* 2^64 - 2^0 */
+       for (i = 0; i < 16; i++) {
+               felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp);
+       }                                                               /* 2^80 - 2^16 */
+       felem_mul(tmp, ftmp2, e16); felem_reduce(ftmp2, tmp);           /* 2^80 - 2^0 */
+       for (i = 0; i < 8; i++) {
+               felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp);
+       }                                                               /* 2^88 - 2^8 */
+       felem_mul(tmp, ftmp2, e8); felem_reduce(ftmp2, tmp);            /* 2^88 - 2^0 */
+       for (i = 0; i < 4; i++) {
+               felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp);
+       }                                                               /* 2^92 - 2^4 */
+       felem_mul(tmp, ftmp2, e4); felem_reduce(ftmp2, tmp);            /* 2^92 - 2^0 */
+       felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp);             /* 2^93 - 2^1 */
+       felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp);             /* 2^94 - 2^2 */
+       felem_mul(tmp, ftmp2, e2); felem_reduce(ftmp2, tmp);            /* 2^94 - 2^0 */
+       felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp);             /* 2^95 - 2^1 */
+       felem_square(tmp, ftmp2); felem_reduce(ftmp2, tmp);             /* 2^96 - 2^2 */
+       felem_mul(tmp, ftmp2, in); felem_reduce(ftmp2, tmp);            /* 2^96 - 3 */
+
+       felem_mul(tmp, ftmp2, ftmp); felem_reduce(out, tmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */
+       }
+
+static void smallfelem_inv_contract(smallfelem out, const smallfelem in)
+       {
+       felem tmp;
+
+       smallfelem_expand(tmp, in);
+       felem_inv(tmp, tmp);
+       felem_contract(out, tmp);
+       }
+
+/* Group operations
+ * ----------------
+ *
+ * Building on top of the field operations we have the operations on the
+ * elliptic curve group itself. Points on the curve are represented in Jacobian
+ * coordinates */
+
+/* point_double calculates 2*(x_in, y_in, z_in)
+ *
+ * The method is taken from:
+ *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
+ *
+ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
+ * while x_out == y_in is not (maybe this works, but it's not tested). */
+static void
+point_double(felem x_out, felem y_out, felem z_out,
+            const felem x_in, const felem y_in, const felem z_in)
+       {
+       longfelem tmp, tmp2;
+       felem delta, gamma, beta, alpha, ftmp, ftmp2;
+       smallfelem small1, small2;
+
+       felem_assign(ftmp, x_in);
+       /* ftmp[i] < 2^106 */
+       felem_assign(ftmp2, x_in);
+       /* ftmp2[i] < 2^106 */
+
+       /* delta = z^2 */
+       felem_square(tmp, z_in);
+       felem_reduce(delta, tmp);
+       /* delta[i] < 2^101 */
+
+       /* gamma = y^2 */
+       felem_square(tmp, y_in);
+       felem_reduce(gamma, tmp);
+       /* gamma[i] < 2^101 */
+       felem_shrink(small1, gamma);
+
+       /* beta = x*gamma */
+       felem_small_mul(tmp, small1, x_in);
+       felem_reduce(beta, tmp);
+       /* beta[i] < 2^101 */
+
+       /* alpha = 3*(x-delta)*(x+delta) */
+       felem_diff(ftmp, delta);
+       /* ftmp[i] < 2^105 + 2^106 < 2^107 */
+       felem_sum(ftmp2, delta);
+       /* ftmp2[i] < 2^105 + 2^106 < 2^107 */
+       felem_scalar(ftmp2, 3);
+       /* ftmp2[i] < 3 * 2^107 < 2^109 */
+       felem_mul(tmp, ftmp, ftmp2);
+       felem_reduce(alpha, tmp);
+       /* alpha[i] < 2^101 */
+       felem_shrink(small2, alpha);
+
+       /* x' = alpha^2 - 8*beta */
+       smallfelem_square(tmp, small2);
+       felem_reduce(x_out, tmp);
+       felem_assign(ftmp, beta);
+       felem_scalar(ftmp, 8);
+       /* ftmp[i] < 8 * 2^101 = 2^104 */
+       felem_diff(x_out, ftmp);
+       /* x_out[i] < 2^105 + 2^101 < 2^106 */
+
+       /* z' = (y + z)^2 - gamma - delta */
+       felem_sum(delta, gamma);
+       /* delta[i] < 2^101 + 2^101 = 2^102 */
+       felem_assign(ftmp, y_in);
+       felem_sum(ftmp, z_in);
+       /* ftmp[i] < 2^106 + 2^106 = 2^107 */
+       felem_square(tmp, ftmp);
+       felem_reduce(z_out, tmp);
+       felem_diff(z_out, delta);
+       /* z_out[i] < 2^105 + 2^101 < 2^106 */
+
+       /* y' = alpha*(4*beta - x') - 8*gamma^2 */
+       felem_scalar(beta, 4);
+       /* beta[i] < 4 * 2^101 = 2^103 */
+       felem_diff_zero107(beta, x_out);
+       /* beta[i] < 2^107 + 2^103 < 2^108 */
+       felem_small_mul(tmp, small2, beta);
+       /* tmp[i] < 7 * 2^64 < 2^67 */
+       smallfelem_square(tmp2, small1);
+       /* tmp2[i] < 7 * 2^64 */
+       longfelem_scalar(tmp2, 8);
+       /* tmp2[i] < 8 * 7 * 2^64 = 7 * 2^67 */
+       longfelem_diff(tmp, tmp2);
+       /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+       felem_reduce_zero105(y_out, tmp);
+       /* y_out[i] < 2^106 */
+       }
+
+/* point_double_small is the same as point_double, except that it operates on
+ * smallfelems */
+static void
+point_double_small(smallfelem x_out, smallfelem y_out, smallfelem z_out,
+                  const smallfelem x_in, const smallfelem y_in, const smallfelem z_in)
+       {
+       felem felem_x_out, felem_y_out, felem_z_out;
+       felem felem_x_in, felem_y_in, felem_z_in;
+
+       smallfelem_expand(felem_x_in, x_in);
+       smallfelem_expand(felem_y_in, y_in);
+       smallfelem_expand(felem_z_in, z_in);
+       point_double(felem_x_out, felem_y_out, felem_z_out,
+                    felem_x_in, felem_y_in, felem_z_in);
+       felem_shrink(x_out, felem_x_out);
+       felem_shrink(y_out, felem_y_out);
+       felem_shrink(z_out, felem_z_out);
+       }
+
+/* copy_conditional copies in to out iff mask is all ones. */
+static void
+copy_conditional(felem out, const felem in, limb mask)
+       {
+       unsigned i;
+       for (i = 0; i < NLIMBS; ++i)
+               {
+               const limb tmp = mask & (in[i] ^ out[i]);
+               out[i] ^= tmp;
+               }
+       }
+
+/* copy_small_conditional copies in to out iff mask is all ones. */
+static void
+copy_small_conditional(felem out, const smallfelem in, limb mask)
+       {
+       unsigned i;
+       const u64 mask64 = mask;
+       for (i = 0; i < NLIMBS; ++i)
+               {
+               out[i] = ((limb) (in[i] & mask64)) | (out[i] & ~mask);
+               }
+       }
+
+/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+ *
+ * The method is taken from:
+ *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
+ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
+ *
+ * This function includes a branch for checking whether the two input points
+ * are equal, (while not equal to the point at infinity). This case never
+ * happens during single point multiplication, so there is no timing leak for
+ * ECDH or ECDSA signing. */
+static void point_add(felem x3, felem y3, felem z3,
+       const felem x1, const felem y1, const felem z1,
+       const int mixed, const smallfelem x2, const smallfelem y2, const smallfelem z2)
+       {
+       felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
+       longfelem tmp, tmp2;
+       smallfelem small1, small2, small3, small4, small5;
+       limb x_equal, y_equal, z1_is_zero, z2_is_zero;
+
+       felem_shrink(small3, z1);
+
+       z1_is_zero = smallfelem_is_zero(small3);
+       z2_is_zero = smallfelem_is_zero(z2);
+
+       /* ftmp = z1z1 = z1**2 */
+       smallfelem_square(tmp, small3);
+       felem_reduce(ftmp, tmp);
+       /* ftmp[i] < 2^101 */
+       felem_shrink(small1, ftmp);
+
+       if(!mixed)
+               {
+               /* ftmp2 = z2z2 = z2**2 */
+               smallfelem_square(tmp, z2);
+               felem_reduce(ftmp2, tmp);
+               /* ftmp2[i] < 2^101 */
+               felem_shrink(small2, ftmp2);
+
+               felem_shrink(small5, x1);
+
+               /* u1 = ftmp3 = x1*z2z2 */
+               smallfelem_mul(tmp, small5, small2);
+               felem_reduce(ftmp3, tmp);
+               /* ftmp3[i] < 2^101 */
+
+               /* ftmp5 = z1 + z2 */
+               felem_assign(ftmp5, z1);
+               felem_small_sum(ftmp5, z2);
+               /* ftmp5[i] < 2^107 */
+
+               /* ftmp5 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2 */
+               felem_square(tmp, ftmp5);
+               felem_reduce(ftmp5, tmp);
+               /* ftmp2 = z2z2 + z1z1 */
+               felem_sum(ftmp2, ftmp);
+               /* ftmp2[i] < 2^101 + 2^101 = 2^102 */
+               felem_diff(ftmp5, ftmp2);
+               /* ftmp5[i] < 2^105 + 2^101 < 2^106 */
+
+               /* ftmp2 = z2 * z2z2 */
+               smallfelem_mul(tmp, small2, z2);
+               felem_reduce(ftmp2, tmp);
+
+               /* s1 = ftmp2 = y1 * z2**3 */
+               felem_mul(tmp, y1, ftmp2);
+               felem_reduce(ftmp6, tmp);
+               /* ftmp6[i] < 2^101 */
+               }
+       else
+               {
+               /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
+
+               /* u1 = ftmp3 = x1*z2z2 */
+               felem_assign(ftmp3, x1);
+               /* ftmp3[i] < 2^106 */
+
+               /* ftmp5 = 2z1z2 */
+               felem_assign(ftmp5, z1);
+               felem_scalar(ftmp5, 2);
+               /* ftmp5[i] < 2*2^106 = 2^107 */
+
+               /* s1 = ftmp2 = y1 * z2**3 */
+               felem_assign(ftmp6, y1);
+               /* ftmp6[i] < 2^106 */
+               }
+
+       /* u2 = x2*z1z1 */
+       smallfelem_mul(tmp, x2, small1);
+       felem_reduce(ftmp4, tmp);
+
+       /* h = ftmp4 = u2 - u1 */
+       felem_diff_zero107(ftmp4, ftmp3);
+       /* ftmp4[i] < 2^107 + 2^101 < 2^108 */
+       felem_shrink(small4, ftmp4);
+
+       x_equal = smallfelem_is_zero(small4);
+
+       /* z_out = ftmp5 * h */
+       felem_small_mul(tmp, small4, ftmp5);
+       felem_reduce(z_out, tmp);
+       /* z_out[i] < 2^101 */
+
+       /* ftmp = z1 * z1z1 */
+       smallfelem_mul(tmp, small1, small3);
+       felem_reduce(ftmp, tmp);
+
+       /* s2 = tmp = y2 * z1**3 */
+       felem_small_mul(tmp, y2, ftmp);
+       felem_reduce(ftmp5, tmp);
+
+       /* r = ftmp5 = (s2 - s1)*2 */
+       felem_diff_zero107(ftmp5, ftmp6);
+       /* ftmp5[i] < 2^107 + 2^107 = 2^108*/
+       felem_scalar(ftmp5, 2);
+       /* ftmp5[i] < 2^109 */
+       felem_shrink(small1, ftmp5);
+       y_equal = smallfelem_is_zero(small1);
+
+       if (x_equal && y_equal && !z1_is_zero && !z2_is_zero)
+               {
+               point_double(x3, y3, z3, x1, y1, z1);
+               return;
+               }
+
+       /* I = ftmp = (2h)**2 */
+       felem_assign(ftmp, ftmp4);
+       felem_scalar(ftmp, 2);
+       /* ftmp[i] < 2*2^108 = 2^109 */
+       felem_square(tmp, ftmp);
+       felem_reduce(ftmp, tmp);
+
+       /* J = ftmp2 = h * I */
+       felem_mul(tmp, ftmp4, ftmp);
+       felem_reduce(ftmp2, tmp);
+
+       /* V = ftmp4 = U1 * I */
+       felem_mul(tmp, ftmp3, ftmp);
+       felem_reduce(ftmp4, tmp);
+
+       /* x_out = r**2 - J - 2V */
+       smallfelem_square(tmp, small1);
+       felem_reduce(x_out, tmp);
+       felem_assign(ftmp3, ftmp4);
+       felem_scalar(ftmp4, 2);
+       felem_sum(ftmp4, ftmp2);
+       /* ftmp4[i] < 2*2^101 + 2^101 < 2^103 */
+       felem_diff(x_out, ftmp4);
+       /* x_out[i] < 2^105 + 2^101 */
+
+       /* y_out = r(V-x_out) - 2 * s1 * J */
+       felem_diff_zero107(ftmp3, x_out);
+       /* ftmp3[i] < 2^107 + 2^101 < 2^108 */
+       felem_small_mul(tmp, small1, ftmp3);
+       felem_mul(tmp2, ftmp6, ftmp2);
+       longfelem_scalar(tmp2, 2);
+       /* tmp2[i] < 2*2^67 = 2^68 */
+       longfelem_diff(tmp, tmp2);
+       /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+       felem_reduce_zero105(y_out, tmp);
+       /* y_out[i] < 2^106 */
+
+       copy_small_conditional(x_out, x2, z1_is_zero);
+       copy_conditional(x_out, x1, z2_is_zero);
+       copy_small_conditional(y_out, y2, z1_is_zero);
+       copy_conditional(y_out, y1, z2_is_zero);
+       copy_small_conditional(z_out, z2, z1_is_zero);
+       copy_conditional(z_out, z1, z2_is_zero);
+       felem_assign(x3, x_out);
+       felem_assign(y3, y_out);
+       felem_assign(z3, z_out);
+       }
+
+/* point_add_small is the same as point_add, except that it operates on
+ * smallfelems */
+static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
+                           smallfelem x1, smallfelem y1, smallfelem z1,
+                           smallfelem x2, smallfelem y2, smallfelem z2)
+       {
+       felem felem_x3, felem_y3, felem_z3;
+       felem felem_x1, felem_y1, felem_z1;
+       smallfelem_expand(felem_x1, x1);
+       smallfelem_expand(felem_y1, y1);
+       smallfelem_expand(felem_z1, z1);
+       point_add(felem_x3, felem_y3, felem_z3, felem_x1, felem_y1, felem_z1, 0, x2, y2, z2);
+       felem_shrink(x3, felem_x3);
+       felem_shrink(y3, felem_y3);
+       felem_shrink(z3, felem_z3);
+       }
+
+/* Base point pre computation
+ * --------------------------
+ *
+ * Two different sorts of precomputed tables are used in the following code.
+ * Each contain various points on the curve, where each point is three field
+ * elements (x, y, z).
+ *
+ * For the base point table, z is usually 1 (0 for the point at infinity).
+ * This table has 2 * 16 elements, starting with the following:
+ * index | bits    | point
+ * ------+---------+------------------------------
+ *     0 | 0 0 0 0 | 0G
+ *     1 | 0 0 0 1 | 1G
+ *     2 | 0 0 1 0 | 2^64G
+ *     3 | 0 0 1 1 | (2^64 + 1)G
+ *     4 | 0 1 0 0 | 2^128G
+ *     5 | 0 1 0 1 | (2^128 + 1)G
+ *     6 | 0 1 1 0 | (2^128 + 2^64)G
+ *     7 | 0 1 1 1 | (2^128 + 2^64 + 1)G
+ *     8 | 1 0 0 0 | 2^192G
+ *     9 | 1 0 0 1 | (2^192 + 1)G
+ *    10 | 1 0 1 0 | (2^192 + 2^64)G
+ *    11 | 1 0 1 1 | (2^192 + 2^64 + 1)G
+ *    12 | 1 1 0 0 | (2^192 + 2^128)G
+ *    13 | 1 1 0 1 | (2^192 + 2^128 + 1)G
+ *    14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G
+ *    15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G
+ * followed by a copy of this with each element multiplied by 2^32.
+ *
+ * The reason for this is so that we can clock bits into four different
+ * locations when doing simple scalar multiplies against the base point,
+ * and then another four locations using the second 16 elements.
+ *
+ * Tables for other points have table[i] = iG for i in 0 .. 16. */
+
+/* gmul is the table of precomputed base points */
+static const smallfelem gmul[2][16][3] =
+{{{{0, 0, 0, 0},
+   {0, 0, 0, 0},
+   {0, 0, 0, 0}},
+  {{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2, 0x6b17d1f2e12c4247},
+   {0xcbb6406837bf51f5, 0x2bce33576b315ece, 0x8ee7eb4a7c0f9e16, 0x4fe342e2fe1a7f9b},
+   {1, 0, 0, 0}},
+  {{0x90e75cb48e14db63, 0x29493baaad651f7e, 0x8492592e326e25de, 0x0fa822bc2811aaa5},
+   {0xe41124545f462ee7, 0x34b1a65050fe82f5, 0x6f4ad4bcb3df188b, 0xbff44ae8f5dba80d},
+   {1, 0, 0, 0}},
+  {{0x93391ce2097992af, 0xe96c98fd0d35f1fa, 0xb257c0de95e02789, 0x300a4bbc89d6726f},
+   {0xaa54a291c08127a0, 0x5bb1eeada9d806a5, 0x7f1ddb25ff1e3c6f, 0x72aac7e0d09b4644},
+   {1, 0, 0, 0}},
+  {{0x57c84fc9d789bd85, 0xfc35ff7dc297eac3, 0xfb982fd588c6766e, 0x447d739beedb5e67},
+   {0x0c7e33c972e25b32, 0x3d349b95a7fae500, 0xe12e9d953a4aaff7, 0x2d4825ab834131ee},
+   {1, 0, 0, 0}},
+  {{0x13949c932a1d367f, 0xef7fbd2b1a0a11b7, 0xddc6068bb91dfc60, 0xef9519328a9c72ff},
+   {0x196035a77376d8a8, 0x23183b0895ca1740, 0xc1ee9807022c219c, 0x611e9fc37dbb2c9b},
+   {1, 0, 0, 0}},
+  {{0xcae2b1920b57f4bc, 0x2936df5ec6c9bc36, 0x7dea6482e11238bf, 0x550663797b51f5d8},
+   {0x44ffe216348a964c, 0x9fb3d576dbdefbe1, 0x0afa40018d9d50e5, 0x157164848aecb851},
+   {1, 0, 0, 0}},
+  {{0xe48ecafffc5cde01, 0x7ccd84e70d715f26, 0xa2e8f483f43e4391, 0xeb5d7745b21141ea},
+   {0xcac917e2731a3479, 0x85f22cfe2844b645, 0x0990e6a158006cee, 0xeafd72ebdbecc17b},
+   {1, 0, 0, 0}},
+  {{0x6cf20ffb313728be, 0x96439591a3c6b94a, 0x2736ff8344315fc5, 0xa6d39677a7849276},
+   {0xf2bab833c357f5f4, 0x824a920c2284059b, 0x66b8babd2d27ecdf, 0x674f84749b0b8816},
+   {1, 0, 0, 0}},
+  {{0x2df48c04677c8a3e, 0x74e02f080203a56b, 0x31855f7db8c7fedb, 0x4e769e7672c9ddad},
+   {0xa4c36165b824bbb0, 0xfb9ae16f3b9122a5, 0x1ec0057206947281, 0x42b99082de830663},
+   {1, 0, 0, 0}},
+  {{0x6ef95150dda868b9, 0xd1f89e799c0ce131, 0x7fdc1ca008a1c478, 0x78878ef61c6ce04d},
+   {0x9c62b9121fe0d976, 0x6ace570ebde08d4f, 0xde53142c12309def, 0xb6cb3f5d7b72c321},
+   {1, 0, 0, 0}},
+  {{0x7f991ed2c31a3573, 0x5b82dd5bd54fb496, 0x595c5220812ffcae, 0x0c88bc4d716b1287},
+   {0x3a57bf635f48aca8, 0x7c8181f4df2564f3, 0x18d1b5b39c04e6aa, 0xdd5ddea3f3901dc6},
+   {1, 0, 0, 0}},
+  {{0xe96a79fb3e72ad0c, 0x43a0a28c42ba792f, 0xefe0a423083e49f3, 0x68f344af6b317466},
+   {0xcdfe17db3fb24d4a, 0x668bfc2271f5c626, 0x604ed93c24d67ff3, 0x31b9c405f8540a20},
+   {1, 0, 0, 0}},
+  {{0xd36b4789a2582e7f, 0x0d1a10144ec39c28, 0x663c62c3edbad7a0, 0x4052bf4b6f461db9},
+   {0x235a27c3188d25eb, 0xe724f33999bfcc5b, 0x862be6bd71d70cc8, 0xfecf4d5190b0fc61},
+   {1, 0, 0, 0}},
+  {{0x74346c10a1d4cfac, 0xafdf5cc08526a7a4, 0x123202a8f62bff7a, 0x1eddbae2c802e41a},
+   {0x8fa0af2dd603f844, 0x36e06b7e4c701917, 0x0c45f45273db33a0, 0x43104d86560ebcfc},
+   {1, 0, 0, 0}},
+  {{0x9615b5110d1d78e5, 0x66b0de3225c4744b, 0x0a4a46fb6aaf363a, 0xb48e26b484f7a21c},
+   {0x06ebb0f621a01b2d, 0xc004e4048b7b0f98, 0x64131bcdfed6f668, 0xfac015404d4d3dab},
+   {1, 0, 0, 0}}},
+ {{{0, 0, 0, 0},
+   {0, 0, 0, 0},
+   {0, 0, 0, 0}},
+  {{0x3a5a9e22185a5943, 0x1ab919365c65dfb6, 0x21656b32262c71da, 0x7fe36b40af22af89},
+   {0xd50d152c699ca101, 0x74b3d5867b8af212, 0x9f09f40407dca6f1, 0xe697d45825b63624},
+   {1, 0, 0, 0}},
+  {{0xa84aa9397512218e, 0xe9a521b074ca0141, 0x57880b3a18a2e902, 0x4a5b506612a677a6},
+   {0x0beada7a4c4f3840, 0x626db15419e26d9d, 0xc42604fbe1627d40, 0xeb13461ceac089f1},
+   {1, 0, 0, 0}},
+  {{0xf9faed0927a43281, 0x5e52c4144103ecbc, 0xc342967aa815c857, 0x0781b8291c6a220a},
+   {0x5a8343ceeac55f80, 0x88f80eeee54a05e3, 0x97b2a14f12916434, 0x690cde8df0151593},
+   {1, 0, 0, 0}},
+  {{0xaee9c75df7f82f2a, 0x9e4c35874afdf43a, 0xf5622df437371326, 0x8a535f566ec73617},
+   {0xc5f9a0ac223094b7, 0xcde533864c8c7669, 0x37e02819085a92bf, 0x0455c08468b08bd7},
+   {1, 0, 0, 0}},
+  {{0x0c0a6e2c9477b5d9, 0xf9a4bf62876dc444, 0x5050a949b6cdc279, 0x06bada7ab77f8276},
+   {0xc8b4aed1ea48dac9, 0xdebd8a4b7ea1070f, 0x427d49101366eb70, 0x5b476dfd0e6cb18a},
+   {1, 0, 0, 0}},
+  {{0x7c5c3e44278c340a, 0x4d54606812d66f3b, 0x29a751b1ae23c5d8, 0x3e29864e8a2ec908},
+   {0x142d2a6626dbb850, 0xad1744c4765bd780, 0x1f150e68e322d1ed, 0x239b90ea3dc31e7e},
+   {1, 0, 0, 0}},
+  {{0x78c416527a53322a, 0x305dde6709776f8e, 0xdbcab759f8862ed4, 0x820f4dd949f72ff7},
+   {0x6cc544a62b5debd4, 0x75be5d937b4e8cc4, 0x1b481b1b215c14d3, 0x140406ec783a05ec},
+   {1, 0, 0, 0}},
+  {{0x6a703f10e895df07, 0xfd75f3fa01876bd8, 0xeb5b06e70ce08ffe, 0x68f6b8542783dfee},
+   {0x90c76f8a78712655, 0xcf5293d2f310bf7f, 0xfbc8044dfda45028, 0xcbe1feba92e40ce6},
+   {1, 0, 0, 0}},
+  {{0xe998ceea4396e4c1, 0xfc82ef0b6acea274, 0x230f729f2250e927, 0xd0b2f94d2f420109},
+   {0x4305adddb38d4966, 0x10b838f8624c3b45, 0x7db2636658954e7a, 0x971459828b0719e5},
+   {1, 0, 0, 0}},
+  {{0x4bd6b72623369fc9, 0x57f2929e53d0b876, 0xc2d5cba4f2340687, 0x961610004a866aba},
+   {0x49997bcd2e407a5e, 0x69ab197d92ddcb24, 0x2cf1f2438fe5131c, 0x7acb9fadcee75e44},
+   {1, 0, 0, 0}},
+  {{0x254e839423d2d4c0, 0xf57f0c917aea685b, 0xa60d880f6f75aaea, 0x24eb9acca333bf5b},
+   {0xe3de4ccb1cda5dea, 0xfeef9341c51a6b4f, 0x743125f88bac4c4d, 0x69f891c5acd079cc},
+   {1, 0, 0, 0}},
+  {{0xeee44b35702476b5, 0x7ed031a0e45c2258, 0xb422d1e7bd6f8514, 0xe51f547c5972a107},
+   {0xa25bcd6fc9cf343d, 0x8ca922ee097c184e, 0xa62f98b3a9fe9a06, 0x1c309a2b25bb1387},
+   {1, 0, 0, 0}},
+  {{0x9295dbeb1967c459, 0xb00148833472c98e, 0xc504977708011828, 0x20b87b8aa2c4e503},
+   {0x3063175de057c277, 0x1bd539338fe582dd, 0x0d11adef5f69a044, 0xf5c6fa49919776be},
+   {1, 0, 0, 0}},
+  {{0x8c944e760fd59e11, 0x3876cba1102fad5f, 0xa454c3fad83faa56, 0x1ed7d1b9332010b9},
+   {0xa1011a270024b889, 0x05e4d0dcac0cd344, 0x52b520f0eb6a2a24, 0x3a2b03f03217257a},
+   {1, 0, 0, 0}},
+  {{0xf20fc2afdf1d043d, 0xf330240db58d5a62, 0xfc7d229ca0058c3b, 0x15fee545c78dd9f6},
+   {0x501e82885bc98cda, 0x41ef80e5d046ac04, 0x557d9f49461210fb, 0x4ab5b6b2b8753f81},
+   {1, 0, 0, 0}}}};
+
+/* select_point selects the |index|th point from a precomputation table and
+ * copies it to out. */
+static void select_point(const u64 index, unsigned int size, const smallfelem pre_comp[16][3], smallfelem out[3])
+       {
+       unsigned i, j;
+       u64 *outlimbs = &out[0][0];
+       memset(outlimbs, 0, 3 * sizeof(smallfelem));
+
+       for (i = 0; i < size; i++)
+               {
+               const u64 *inlimbs = (u64*) &pre_comp[i][0][0];
+               u64 mask = i ^ index;
+               mask |= mask >> 4;
+               mask |= mask >> 2;
+               mask |= mask >> 1;
+               mask &= 1;
+               mask--;
+               for (j = 0; j < NLIMBS * 3; j++)
+                       outlimbs[j] |= inlimbs[j] & mask;
+               }
+       }
+
+/* get_bit returns the |i|th bit in |in| */
+static char get_bit(const felem_bytearray in, int i)
+       {
+       if ((i < 0) || (i >= 256))
+               return 0;
+       return (in[i >> 3] >> (i & 7)) & 1;
+       }
+
+/* Interleaved point multiplication using precomputed point multiples:
+ * The small point multiples 0*P, 1*P, ..., 17*P are in pre_comp[],
+ * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
+ * of the generator, using certain (large) precomputed multiples in g_pre_comp.
+ * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
+static void batch_mul(felem x_out, felem y_out, felem z_out,
+       const felem_bytearray scalars[], const unsigned num_points, const u8 *g_scalar,
+       const int mixed, const smallfelem pre_comp[][17][3], const smallfelem g_pre_comp[2][16][3])
+       {
+       int i, skip;
+       unsigned num, gen_mul = (g_scalar != NULL);
+       felem nq[3], ftmp;
+       smallfelem tmp[3];
+       u64 bits;
+       u8 sign, digit;
+
+       /* set nq to the point at infinity */
+       memset(nq, 0, 3 * sizeof(felem));
+
+       /* Loop over all scalars msb-to-lsb, interleaving additions
+        * of multiples of the generator (two in each of the last 32 rounds)
+        * and additions of other points multiples (every 5th round).
+        */
+       skip = 1; /* save two point operations in the first round */
+       for (i = (num_points ? 255 : 31); i >= 0; --i)
+               {
+               /* double */
+               if (!skip)
+                       point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+
+               /* add multiples of the generator */
+               if (gen_mul && (i <= 31))
+                       {
+                       /* first, look 32 bits upwards */
+                       bits = get_bit(g_scalar, i + 224) << 3;
+                       bits |= get_bit(g_scalar, i + 160) << 2;
+                       bits |= get_bit(g_scalar, i + 96) << 1;
+                       bits |= get_bit(g_scalar, i + 32);
+                       /* select the point to add, in constant time */
+                       select_point(bits, 16, g_pre_comp[1], tmp);
+
+                       if (!skip)
+                               {
+                               point_add(nq[0], nq[1], nq[2],
+                                       nq[0], nq[1], nq[2],
+                                       1 /* mixed */, tmp[0], tmp[1], tmp[2]);
+                               }
+                       else
+                               {
+                               smallfelem_expand(nq[0], tmp[0]);
+                               smallfelem_expand(nq[1], tmp[1]);
+                               smallfelem_expand(nq[2], tmp[2]);
+                               skip = 0;
+                               }
+
+                       /* second, look at the current position */
+                       bits = get_bit(g_scalar, i + 192) << 3;
+                       bits |= get_bit(g_scalar, i + 128) << 2;
+                       bits |= get_bit(g_scalar, i + 64) << 1;
+                       bits |= get_bit(g_scalar, i);
+                       /* select the point to add, in constant time */
+                       select_point(bits, 16, g_pre_comp[0], tmp);
+                       point_add(nq[0], nq[1], nq[2],
+                               nq[0], nq[1], nq[2],
+                               1 /* mixed */, tmp[0], tmp[1], tmp[2]);
+                       }
+
+               /* do other additions every 5 doublings */
+               if (num_points && (i % 5 == 0))
+                       {
+                       /* loop over all scalars */
+                       for (num = 0; num < num_points; ++num)
+                               {
+                               bits = get_bit(scalars[num], i + 4) << 5;
+                               bits |= get_bit(scalars[num], i + 3) << 4;
+                               bits |= get_bit(scalars[num], i + 2) << 3;
+                               bits |= get_bit(scalars[num], i + 1) << 2;
+                               bits |= get_bit(scalars[num], i) << 1;
+                               bits |= get_bit(scalars[num], i - 1);
+                               ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
+
+                               /* select the point to add or subtract, in constant time */
+                               select_point(digit, 17, pre_comp[num], tmp);
+                               smallfelem_neg(ftmp, tmp[1]); /* (X, -Y, Z) is the negative point */
+                               copy_small_conditional(ftmp, tmp[1], (((limb) sign) - 1));
+                               felem_contract(tmp[1], ftmp);
+
+                               if (!skip)
+                                       {
+                                       point_add(nq[0], nq[1], nq[2],
+                                               nq[0], nq[1], nq[2],
+                                               mixed, tmp[0], tmp[1], tmp[2]);
+                                       }
+                               else
+                                       {
+                                       smallfelem_expand(nq[0], tmp[0]);
+                                       smallfelem_expand(nq[1], tmp[1]);
+                                       smallfelem_expand(nq[2], tmp[2]);
+                                       skip = 0;
+                                       }
+                               }
+                       }
+               }
+       felem_assign(x_out, nq[0]);
+       felem_assign(y_out, nq[1]);
+       felem_assign(z_out, nq[2]);
+       }
+
+/* Precomputation for the group generator. */
+typedef struct {
+       smallfelem g_pre_comp[2][16][3];
+       int references;
+} NISTP256_PRE_COMP;
+
+const EC_METHOD *EC_GFp_nistp256_method(void)
+       {
+       static const EC_METHOD ret = {
+               EC_FLAGS_DEFAULT_OCT,
+               NID_X9_62_prime_field,
+               ec_GFp_nistp256_group_init,
+               ec_GFp_simple_group_finish,
+               ec_GFp_simple_group_clear_finish,
+               ec_GFp_nist_group_copy,
+               ec_GFp_nistp256_group_set_curve,
+               ec_GFp_simple_group_get_curve,
+               ec_GFp_simple_group_get_degree,
+               ec_GFp_simple_group_check_discriminant,
+               ec_GFp_simple_point_init,
+               ec_GFp_simple_point_finish,
+               ec_GFp_simple_point_clear_finish,
+               ec_GFp_simple_point_copy,
+               ec_GFp_simple_point_set_to_infinity,
+               ec_GFp_simple_set_Jprojective_coordinates_GFp,
+               ec_GFp_simple_get_Jprojective_coordinates_GFp,
+               ec_GFp_simple_point_set_affine_coordinates,
+               ec_GFp_nistp256_point_get_affine_coordinates,
+                0 /* point_set_compressed_coordinates */,
+                0 /* point2oct */,
+                0 /* oct2point */,
+               ec_GFp_simple_add,
+               ec_GFp_simple_dbl,
+               ec_GFp_simple_invert,
+               ec_GFp_simple_is_at_infinity,
+               ec_GFp_simple_is_on_curve,
+               ec_GFp_simple_cmp,
+               ec_GFp_simple_make_affine,
+               ec_GFp_simple_points_make_affine,
+               ec_GFp_nistp256_points_mul,
+               ec_GFp_nistp256_precompute_mult,
+               ec_GFp_nistp256_have_precompute_mult,
+               ec_GFp_nist_field_mul,
+               ec_GFp_nist_field_sqr,
+               0 /* field_div */,
+               0 /* field_encode */,
+               0 /* field_decode */,
+               0 /* field_set_to_one */ };
+
+       return &ret;
+       }
+
+/******************************************************************************/
+/*                    FUNCTIONS TO MANAGE PRECOMPUTATION
+ */
+
+static NISTP256_PRE_COMP *nistp256_pre_comp_new()
+       {
+       NISTP256_PRE_COMP *ret = NULL;
+       ret = (NISTP256_PRE_COMP *) OPENSSL_malloc(sizeof *ret);
+       if (!ret)
+               {
+               ECerr(EC_F_NISTP256_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
+               return ret;
+               }
+       memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp));
+       ret->references = 1;
+       return ret;
+       }
+
+static void *nistp256_pre_comp_dup(void *src_)
+       {
+       NISTP256_PRE_COMP *src = src_;
+
+       /* no need to actually copy, these objects never change! */
+       CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
+
+       return src_;
+       }
+
+static void nistp256_pre_comp_free(void *pre_)
+       {
+       int i;
+       NISTP256_PRE_COMP *pre = pre_;
+
+       if (!pre)
+               return;
+
+       i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
+       if (i > 0)
+               return;
+
+       OPENSSL_free(pre);
+       }
+
+static void nistp256_pre_comp_clear_free(void *pre_)
+       {
+       int i;
+       NISTP256_PRE_COMP *pre = pre_;
+
+       if (!pre)
+               return;
+
+       i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
+       if (i > 0)
+               return;
+
+       OPENSSL_cleanse(pre, sizeof *pre);
+       OPENSSL_free(pre);
+       }
+
+/******************************************************************************/
+/*                        OPENSSL EC_METHOD FUNCTIONS
+ */
+
+int ec_GFp_nistp256_group_init(EC_GROUP *group)
+       {
+       int ret;
+       ret = ec_GFp_simple_group_init(group);
+       group->a_is_minus3 = 1;
+       return ret;
+       }
+
+int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+       const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+       {
+       int ret = 0;
+       BN_CTX *new_ctx = NULL;
+       BIGNUM *curve_p, *curve_a, *curve_b;
+
+       if (ctx == NULL)
+               if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+       BN_CTX_start(ctx);
+       if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
+               ((curve_a = BN_CTX_get(ctx)) == NULL) ||
+               ((curve_b = BN_CTX_get(ctx)) == NULL)) goto err;
+       BN_bin2bn(nistp256_curve_params[0], sizeof(felem_bytearray), curve_p);
+       BN_bin2bn(nistp256_curve_params[1], sizeof(felem_bytearray), curve_a);
+       BN_bin2bn(nistp256_curve_params[2], sizeof(felem_bytearray), curve_b);
+       if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) ||
+               (BN_cmp(curve_b, b)))
+               {
+               ECerr(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE,
+                       EC_R_WRONG_CURVE_PARAMETERS);
+               goto err;
+               }
+       group->field_mod_func = BN_nist_mod_256;
+       ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
+err:
+       BN_CTX_end(ctx);
+       if (new_ctx != NULL)
+               BN_CTX_free(new_ctx);
+       return ret;
+       }
+
+/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
+ * (X', Y') = (X/Z^2, Y/Z^3) */
+int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
+       const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+       {
+       felem z1, z2, x_in, y_in;
+       smallfelem x_out, y_out;
+       longfelem tmp;
+
+       if (EC_POINT_is_at_infinity(group, point))
+               {
+               ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
+                       EC_R_POINT_AT_INFINITY);
+               return 0;
+               }
+       if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
+               (!BN_to_felem(z1, &point->Z))) return 0;
+       felem_inv(z2, z1);
+       felem_square(tmp, z2); felem_reduce(z1, tmp);
+       felem_mul(tmp, x_in, z1); felem_reduce(x_in, tmp);
+       felem_contract(x_out, x_in);
+       if (x != NULL)
+               {
+               if (!smallfelem_to_BN(x, x_out)) {
+               ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
+                       ERR_R_BN_LIB);
+               return 0;
+               }
+               }
+       felem_mul(tmp, z1, z2); felem_reduce(z1, tmp);
+       felem_mul(tmp, y_in, z1); felem_reduce(y_in, tmp);
+       felem_contract(y_out, y_in);
+       if (y != NULL)
+               {
+               if (!smallfelem_to_BN(y, y_out)) {
+               ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
+                       ERR_R_BN_LIB);
+               return 0;
+               }
+               }
+       return 1;
+       }
+
+static void make_points_affine(size_t num, smallfelem points[num][3], smallfelem tmp_smallfelems[num+1])
+       {
+       /* Runs in constant time, unless an input is the point at infinity
+        * (which normally shouldn't happen). */
+       ec_GFp_nistp_points_make_affine_internal(
+               num,
+               points,
+               sizeof(smallfelem),
+               tmp_smallfelems,
+               (void (*)(void *)) smallfelem_one,
+               (int (*)(const void *)) smallfelem_is_zero_int,
+               (void (*)(void *, const void *)) smallfelem_assign,
+               (void (*)(void *, const void *)) smallfelem_square_contract,
+               (void (*)(void *, const void *, const void *)) smallfelem_mul_contract,
+               (void (*)(void *, const void *)) smallfelem_inv_contract,
+               (void (*)(void *, const void *)) smallfelem_assign /* nothing to contract */);
+       }
+
+/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
+ * Result is stored in r (r can equal one of the inputs). */
+int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
+       const BIGNUM *scalar, size_t num, const EC_POINT *points[],
+       const BIGNUM *scalars[], BN_CTX *ctx)
+       {
+       int ret = 0;
+       int j;
+       int mixed = 0;
+       BN_CTX *new_ctx = NULL;
+       BIGNUM *x, *y, *z, *tmp_scalar;
+       felem_bytearray g_secret;
+       felem_bytearray *secrets = NULL;
+       smallfelem (*pre_comp)[17][3] = NULL;
+       smallfelem *tmp_smallfelems = NULL;
+       felem_bytearray tmp;
+       unsigned i, num_bytes;
+       int have_pre_comp = 0;
+       size_t num_points = num;
+       smallfelem x_in, y_in, z_in;
+       felem x_out, y_out, z_out;
+       NISTP256_PRE_COMP *pre = NULL;
+       const smallfelem (*g_pre_comp)[16][3] = NULL;
+       EC_POINT *generator = NULL;
+       const EC_POINT *p = NULL;
+       const BIGNUM *p_scalar = NULL;
+
+       if (ctx == NULL)
+               if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+       BN_CTX_start(ctx);
+       if (((x = BN_CTX_get(ctx)) == NULL) ||
+               ((y = BN_CTX_get(ctx)) == NULL) ||
+               ((z = BN_CTX_get(ctx)) == NULL) ||
+               ((tmp_scalar = BN_CTX_get(ctx)) == NULL))
+               goto err;
+
+       if (scalar != NULL)
+               {
+               pre = EC_EX_DATA_get_data(group->extra_data,
+                       nistp256_pre_comp_dup, nistp256_pre_comp_free,
+                       nistp256_pre_comp_clear_free);
+               if (pre)
+                       /* we have precomputation, try to use it */
+                       g_pre_comp = (const smallfelem (*)[16][3]) pre->g_pre_comp;
+               else
+                       /* try to use the standard precomputation */
+                       g_pre_comp = &gmul[0];
+               generator = EC_POINT_new(group);
+               if (generator == NULL)
+                       goto err;
+               /* get the generator from precomputation */
+               if (!smallfelem_to_BN(x, g_pre_comp[0][1][0]) ||
+                       !smallfelem_to_BN(y, g_pre_comp[0][1][1]) ||
+                       !smallfelem_to_BN(z, g_pre_comp[0][1][2]))
+                       {
+                       ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
+                       goto err;
+                       }
+               if (!EC_POINT_set_Jprojective_coordinates_GFp(group,
+                               generator, x, y, z, ctx))
+                       goto err;
+               if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
+                       /* precomputation matches generator */
+                       have_pre_comp = 1;
+               else
+                       /* we don't have valid precomputation:
+                        * treat the generator as a random point */
+                       num_points++;
+               }
+       if (num_points > 0)
+               {
+               if (num_points >= 3)
+                       {
+                       /* unless we precompute multiples for just one or two points,
+                        * converting those into affine form is time well spent  */
+                       mixed = 1;
+                       }
+               secrets = OPENSSL_malloc(num_points * sizeof(felem_bytearray));
+               pre_comp = OPENSSL_malloc(num_points * 17 * 3 * sizeof(smallfelem));
+               if (mixed)
+                       tmp_smallfelems = OPENSSL_malloc((num_points * 17 + 1) * sizeof(smallfelem));
+               if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_smallfelems == NULL)))
+                       {
+                       ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_MALLOC_FAILURE);
+                       goto err;
+                       }
+
+               /* we treat NULL scalars as 0, and NULL points as points at infinity,
+                * i.e., they contribute nothing to the linear combination */
+               memset(secrets, 0, num_points * sizeof(felem_bytearray));
+               memset(pre_comp, 0, num_points * 17 * 3 * sizeof(smallfelem));
+               for (i = 0; i < num_points; ++i)
+                       {
+                       if (i == num)
+                               /* we didn't have a valid precomputation, so we pick
+                                * the generator */
+                               {
+                               p = EC_GROUP_get0_generator(group);
+                               p_scalar = scalar;
+                               }
+                       else
+                               /* the i^th point */
+                               {
+                               p = points[i];
+                               p_scalar = scalars[i];
+                               }
+                       if ((p_scalar != NULL) && (p != NULL))
+                               {
+                               /* reduce scalar to 0 <= scalar < 2^256 */
+                               if ((BN_num_bits(p_scalar) > 256) || (BN_is_negative(p_scalar)))
+                                       {
+                                       /* this is an unusual input, and we don't guarantee
+                                        * constant-timeness */
+                                       if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx))
+                                               {
+                                               ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
+                                               goto err;
+                                               }
+                                       num_bytes = BN_bn2bin(tmp_scalar, tmp);
+                                       }
+                               else
+                                       num_bytes = BN_bn2bin(p_scalar, tmp);
+                               flip_endian(secrets[i], tmp, num_bytes);
+                               /* precompute multiples */
+                               if ((!BN_to_felem(x_out, &p->X)) ||
+                                       (!BN_to_felem(y_out, &p->Y)) ||
+                                       (!BN_to_felem(z_out, &p->Z))) goto err;
+                               felem_shrink(pre_comp[i][1][0], x_out);
+                               felem_shrink(pre_comp[i][1][1], y_out);
+                               felem_shrink(pre_comp[i][1][2], z_out);
+                               for (j = 2; j <= 16; ++j)
+                                       {
+                                       if (j & 1)
+                                               {
+                                               point_add_small(
+                                                       pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
+                                                       pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2],
+                                                       pre_comp[i][j-1][0], pre_comp[i][j-1][1], pre_comp[i][j-1][2]);
+                                               }
+                                       else
+                                               {
+                                               point_double_small(
+                                                       pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
+                                                       pre_comp[i][j/2][0], pre_comp[i][j/2][1], pre_comp[i][j/2][2]);
+                                               }
+                                       }
+                               }
+                       }
+               if (mixed)
+                       make_points_affine(num_points * 17, pre_comp[0], tmp_smallfelems);
+               }
+
+       /* the scalar for the generator */
+       if ((scalar != NULL) && (have_pre_comp))
+               {
+               memset(g_secret, 0, sizeof(g_secret));
+               /* reduce scalar to 0 <= scalar < 2^256 */
+               if ((BN_num_bits(scalar) > 256) || (BN_is_negative(scalar)))
+                       {
+                       /* this is an unusual input, and we don't guarantee
+                        * constant-timeness */
+                       if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx))
+                               {
+                               ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
+                               goto err;
+                               }
+                       num_bytes = BN_bn2bin(tmp_scalar, tmp);
+                       }
+               else
+                       num_bytes = BN_bn2bin(scalar, tmp);
+               flip_endian(g_secret, tmp, num_bytes);
+               /* do the multiplication with generator precomputation*/
+               batch_mul(x_out, y_out, z_out,
+                       (const felem_bytearray (*)) secrets, num_points,
+                       g_secret,
+                       mixed, (const smallfelem (*)[17][3]) pre_comp,
+                       g_pre_comp);
+               }
+       else
+               /* do the multiplication without generator precomputation */
+               batch_mul(x_out, y_out, z_out,
+                       (const felem_bytearray (*)) secrets, num_points,
+                       NULL, mixed, (const smallfelem (*)[17][3]) pre_comp, NULL);
+       /* reduce the output to its unique minimal representation */
+       felem_contract(x_in, x_out);
+       felem_contract(y_in, y_out);
+       felem_contract(z_in, z_out);
+       if ((!smallfelem_to_BN(x, x_in)) || (!smallfelem_to_BN(y, y_in)) ||
+               (!smallfelem_to_BN(z, z_in)))
+               {
+               ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
+               goto err;
+               }
+       ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
+
+err:
+       BN_CTX_end(ctx);
+       if (generator != NULL)
+               EC_POINT_free(generator);
+       if (new_ctx != NULL)
+               BN_CTX_free(new_ctx);
+       if (secrets != NULL)
+               OPENSSL_free(secrets);
+       if (pre_comp != NULL)
+               OPENSSL_free(pre_comp);
+       if (tmp_smallfelems != NULL)
+               OPENSSL_free(tmp_smallfelems);
+       return ret;
+       }
+
+int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+       {
+       int ret = 0;
+       NISTP256_PRE_COMP *pre = NULL;
+       int i, j;
+       BN_CTX *new_ctx = NULL;
+       BIGNUM *x, *y;
+       EC_POINT *generator = NULL;
+       smallfelem tmp_smallfelems[32];
+       felem x_tmp, y_tmp, z_tmp;
+
+       /* throw away old precomputation */
+       EC_EX_DATA_free_data(&group->extra_data, nistp256_pre_comp_dup,
+               nistp256_pre_comp_free, nistp256_pre_comp_clear_free);
+       if (ctx == NULL)
+               if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+       BN_CTX_start(ctx);
+       if (((x = BN_CTX_get(ctx)) == NULL) ||
+               ((y = BN_CTX_get(ctx)) == NULL))
+               goto err;
+       /* get the generator */
+       if (group->generator == NULL) goto err;
+       generator = EC_POINT_new(group);
+       if (generator == NULL)
+               goto err;
+       BN_bin2bn(nistp256_curve_params[3], sizeof (felem_bytearray), x);
+       BN_bin2bn(nistp256_curve_params[4], sizeof (felem_bytearray), y);
+       if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx))
+               goto err;
+       if ((pre = nistp256_pre_comp_new()) == NULL)
+               goto err;
+       /* if the generator is the standard one, use built-in precomputation */
+       if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
+               {
+               memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
+               ret = 1;
+               goto err;
+               }
+       if ((!BN_to_felem(x_tmp, &group->generator->X)) ||
+               (!BN_to_felem(y_tmp, &group->generator->Y)) ||
+               (!BN_to_felem(z_tmp, &group->generator->Z)))
+               goto err;
+       felem_shrink(pre->g_pre_comp[0][1][0], x_tmp);
+       felem_shrink(pre->g_pre_comp[0][1][1], y_tmp);
+       felem_shrink(pre->g_pre_comp[0][1][2], z_tmp);
+       /* compute 2^64*G, 2^128*G, 2^192*G for the first table,
+        * 2^32*G, 2^96*G, 2^160*G, 2^224*G for the second one
+        */
+       for (i = 1; i <= 8; i <<= 1)
+               {
+               point_double_small(
+                       pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
+                       pre->g_pre_comp[0][i][0], pre->g_pre_comp[0][i][1], pre->g_pre_comp[0][i][2]);
+               for (j = 0; j < 31; ++j)
+                       {
+                       point_double_small(
+                               pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2],
+                               pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
+                       }
+               if (i == 8)
+                       break;
+               point_double_small(
+                       pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2],
+                       pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
+               for (j = 0; j < 31; ++j)
+                       {
+                       point_double_small(
+                               pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2],
+                               pre->g_pre_comp[0][2*i][0], pre->g_pre_comp[0][2*i][1], pre->g_pre_comp[0][2*i][2]);
+                       }
+               }
+       for (i = 0; i < 2; i++)
+               {
+               /* g_pre_comp[i][0] is the point at infinity */
+               memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0]));
+               /* the remaining multiples */
+               /* 2^64*G + 2^128*G resp. 2^96*G + 2^160*G */
+               point_add_small(
+                       pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1], pre->g_pre_comp[i][6][2],
+                       pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2],
+                       pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]);
+               /* 2^64*G + 2^192*G resp. 2^96*G + 2^224*G */
+               point_add_small(
+                       pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1], pre->g_pre_comp[i][10][2],
+                       pre->g_pre_comp[i][8][0], pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
+                       pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]);
+               /* 2^128*G + 2^192*G resp. 2^160*G + 2^224*G */
+               point_add_small(
+                       pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
+                       pre->g_pre_comp[i][8][0], pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
+                       pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2]);
+               /* 2^64*G + 2^128*G + 2^192*G resp. 2^96*G + 2^160*G + 2^224*G */
+               point_add_small(
+                       pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1], pre->g_pre_comp[i][14][2],
+                       pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
+                       pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1], pre->g_pre_comp[i][2][2]);
+               for (j = 1; j < 8; ++j)
+                       {
+                       /* odd multiples: add G resp. 2^32*G */
+                       point_add_small(
+                               pre->g_pre_comp[i][2*j+1][0], pre->g_pre_comp[i][2*j+1][1], pre->g_pre_comp[i][2*j+1][2],
+                               pre->g_pre_comp[i][2*j][0], pre->g_pre_comp[i][2*j][1], pre->g_pre_comp[i][2*j][2],
+                               pre->g_pre_comp[i][1][0], pre->g_pre_comp[i][1][1], pre->g_pre_comp[i][1][2]);
+                       }
+               }
+       make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_smallfelems);
+
+       if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp256_pre_comp_dup,
+                       nistp256_pre_comp_free, nistp256_pre_comp_clear_free))
+               goto err;
+       ret = 1;
+       pre = NULL;
+ err:
+       BN_CTX_end(ctx);
+       if (generator != NULL)
+               EC_POINT_free(generator);
+       if (new_ctx != NULL)
+               BN_CTX_free(new_ctx);
+       if (pre)
+               nistp256_pre_comp_free(pre);
+       return ret;
+       }
+
+int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group)
+       {
+       if (EC_EX_DATA_get_data(group->extra_data, nistp256_pre_comp_dup,
+                       nistp256_pre_comp_free, nistp256_pre_comp_clear_free)
+               != NULL)
+               return 1;
+       else
+               return 0;
+       }
+#else
+static void *dummy=&dummy;
+#endif
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
new file mode 100644 (file)
index 0000000..abf1cb7
--- /dev/null
@@ -0,0 +1,2017 @@
+/* crypto/ec/ecp_nistp521.c */
+/*
+ * Written by Adam Langley (Google) for the OpenSSL project
+ */
+/* Copyright 2011 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ *
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * A 64-bit implementation of the NIST P-521 elliptic curve point multiplication
+ *
+ * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
+ * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
+ * work which got its smarts from Daniel J. Bernstein's work on the same.
+ */
+
+#ifdef EC_NISTP_64_GCC_128
+
+#include <stdint.h>
+#include <string.h>
+#include <openssl/err.h>
+#include "ec_lcl.h"
+
+#if defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1))
+  /* even with gcc, the typedef won't work for 32-bit platforms */
+  typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit platforms */
+#else
+  #error "Need GCC 3.1 or later to define type uint128_t"
+#endif
+
+typedef uint8_t u8;
+typedef uint64_t u64;
+typedef int64_t s64;
+
+/* The underlying field.
+ *
+ * P521 operates over GF(2^521-1). We can serialise an element of this field
+ * into 66 bytes where the most significant byte contains only a single bit. We
+ * call this an felem_bytearray. */
+
+typedef u8 felem_bytearray[66];
+
+/* These are the parameters of P521, taken from FIPS 186-3, section D.1.2.5.
+ * These values are big-endian. */
+static const felem_bytearray nistp521_curve_params[5] =
+       {
+       {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* p */
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff},
+       {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* a = -3 */
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xfc},
+       {0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c,  /* b */
+        0x9a, 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85,
+        0x40, 0xee, 0xa2, 0xda, 0x72, 0x5b, 0x99, 0xb3,
+        0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1,
+        0x09, 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e,
+        0x93, 0x7b, 0x16, 0x52, 0xc0, 0xbd, 0x3b, 0xb1,
+        0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c,
+        0x34, 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50,
+        0x3f, 0x00},
+       {0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04,  /* x */
+        0xe9, 0xcd, 0x9e, 0x3e, 0xcb, 0x66, 0x23, 0x95,
+        0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
+        0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d,
+        0x3d, 0xba, 0xa1, 0x4b, 0x5e, 0x77, 0xef, 0xe7,
+        0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
+        0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a,
+        0x42, 0x9b, 0xf9, 0x7e, 0x7e, 0x31, 0xc2, 0xe5,
+        0xbd, 0x66},
+       {0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b,  /* y */
+        0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d,
+        0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
+        0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e,
+        0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4,
+        0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
+        0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72,
+        0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1,
+        0x66, 0x50}
+       };
+
+/* The representation of field elements.
+ * ------------------------------------
+ *
+ * We represent field elements with nine values. These values are either 64 or
+ * 128 bits and the field element represented is:
+ *   v[0]*2^0 + v[1]*2^58 + v[2]*2^116 + ... + v[8]*2^464  (mod p)
+ * Each of the nine values is called a 'limb'. Since the limbs are spaced only
+ * 58 bits apart, but are greater than 58 bits in length, the most significant
+ * bits of each limb overlap with the least significant bits of the next.
+ *
+ * A field element with 64-bit limbs is an 'felem'. One with 128-bit limbs is a
+ * 'largefelem' */
+
+#define NLIMBS 9
+
+typedef uint64_t limb;
+typedef limb felem[NLIMBS];
+typedef uint128_t largefelem[NLIMBS];
+
+static const limb bottom57bits = 0x1ffffffffffffff;
+static const limb bottom58bits = 0x3ffffffffffffff;
+
+/* bin66_to_felem takes a little-endian byte array and converts it into felem
+ * form. This assumes that the CPU is little-endian. */
+static void bin66_to_felem(felem out, const u8 in[66])
+       {
+       out[0] = (*((limb*) &in[0])) & bottom58bits;
+       out[1] = (*((limb*) &in[7]) >> 2) & bottom58bits;
+       out[2] = (*((limb*) &in[14]) >> 4) & bottom58bits;
+       out[3] = (*((limb*) &in[21]) >> 6) & bottom58bits;
+       out[4] = (*((limb*) &in[29])) & bottom58bits;
+       out[5] = (*((limb*) &in[36]) >> 2) & bottom58bits;
+       out[6] = (*((limb*) &in[43]) >> 4) & bottom58bits;
+       out[7] = (*((limb*) &in[50]) >> 6) & bottom58bits;
+       out[8] = (*((limb*) &in[58])) & bottom57bits;
+       }
+
+/* felem_to_bin66 takes an felem and serialises into a little endian, 66 byte
+ * array. This assumes that the CPU is little-endian. */
+static void felem_to_bin66(u8 out[66], const felem in)
+       {
+       memset(out, 0, 66);
+       (*((limb*) &out[0])) = in[0];
+       (*((limb*) &out[7])) |= in[1] << 2;
+       (*((limb*) &out[14])) |= in[2] << 4;
+       (*((limb*) &out[21])) |= in[3] << 6;
+       (*((limb*) &out[29])) = in[4];
+       (*((limb*) &out[36])) |= in[5] << 2;
+       (*((limb*) &out[43])) |= in[6] << 4;
+       (*((limb*) &out[50])) |= in[7] << 6;
+       (*((limb*) &out[58])) = in[8];
+       }
+
+/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
+static void flip_endian(u8 *out, const u8 *in, unsigned len)
+       {
+       unsigned i;
+       for (i = 0; i < len; ++i)
+               out[i] = in[len-1-i];
+       }
+
+/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
+static int BN_to_felem(felem out, const BIGNUM *bn)
+       {
+       felem_bytearray b_in;
+       felem_bytearray b_out;
+       unsigned num_bytes;
+
+       /* BN_bn2bin eats leading zeroes */
+       memset(b_out, 0, sizeof b_out);
+       num_bytes = BN_num_bytes(bn);
+       if (num_bytes > sizeof b_out)
+               {
+               ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
+               return 0;
+               }
+       if (BN_is_negative(bn))
+               {
+               ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
+               return 0;
+               }
+       num_bytes = BN_bn2bin(bn, b_in);
+       flip_endian(b_out, b_in, num_bytes);
+       bin66_to_felem(out, b_out);
+       return 1;
+       }
+
+/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
+static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
+       {
+       felem_bytearray b_in, b_out;
+       felem_to_bin66(b_in, in);
+       flip_endian(b_out, b_in, sizeof b_out);
+       return BN_bin2bn(b_out, sizeof b_out, out);
+       }
+
+
+/* Field operations
+ * ---------------- */
+
+static void felem_one(felem out)
+       {
+       out[0] = 1;
+       out[1] = 0;
+       out[2] = 0;
+       out[3] = 0;
+       out[4] = 0;
+       out[5] = 0;
+       out[6] = 0;
+       out[7] = 0;
+       out[8] = 0;
+       }
+
+static void felem_assign(felem out, const felem in)
+       {
+       out[0] = in[0];
+       out[1] = in[1];
+       out[2] = in[2];
+       out[3] = in[3];
+       out[4] = in[4];
+       out[5] = in[5];
+       out[6] = in[6];
+       out[7] = in[7];
+       out[8] = in[8];
+       }
+
+/* felem_sum64 sets out = out + in. */
+static void felem_sum64(felem out, const felem in)
+       {
+       out[0] += in[0];
+       out[1] += in[1];
+       out[2] += in[2];
+       out[3] += in[3];
+       out[4] += in[4];
+       out[5] += in[5];
+       out[6] += in[6];
+       out[7] += in[7];
+       out[8] += in[8];
+       }
+
+/* felem_scalar sets out = in * scalar */
+static void felem_scalar(felem out, const felem in, limb scalar)
+       {
+       out[0] = in[0] * scalar;
+       out[1] = in[1] * scalar;
+       out[2] = in[2] * scalar;
+       out[3] = in[3] * scalar;
+       out[4] = in[4] * scalar;
+       out[5] = in[5] * scalar;
+       out[6] = in[6] * scalar;
+       out[7] = in[7] * scalar;
+       out[8] = in[8] * scalar;
+       }
+
+/* felem_scalar64 sets out = out * scalar */
+static void felem_scalar64(felem out, limb scalar)
+       {
+       out[0] *= scalar;
+       out[1] *= scalar;
+       out[2] *= scalar;
+       out[3] *= scalar;
+       out[4] *= scalar;
+       out[5] *= scalar;
+       out[6] *= scalar;
+       out[7] *= scalar;
+       out[8] *= scalar;
+       }
+
+/* felem_scalar128 sets out = out * scalar */
+static void felem_scalar128(largefelem out, limb scalar)
+       {
+       out[0] *= scalar;
+       out[1] *= scalar;
+       out[2] *= scalar;
+       out[3] *= scalar;
+       out[4] *= scalar;
+       out[5] *= scalar;
+       out[6] *= scalar;
+       out[7] *= scalar;
+       out[8] *= scalar;
+       }
+
+/* felem_neg sets |out| to |-in|
+ * On entry:
+ *   in[i] < 2^59 + 2^14
+ * On exit:
+ *   out[i] < 2^62
+ */
+static void felem_neg(felem out, const felem in)
+       {
+       /* In order to prevent underflow, we subtract from 0 mod p. */
+       static const limb two62m3 = (((limb)1) << 62) - (((limb)1) << 5);
+       static const limb two62m2 = (((limb)1) << 62) - (((limb)1) << 4);
+
+       out[0] = two62m3 - in[0];
+       out[1] = two62m2 - in[1];
+       out[2] = two62m2 - in[2];
+       out[3] = two62m2 - in[3];
+       out[4] = two62m2 - in[4];
+       out[5] = two62m2 - in[5];
+       out[6] = two62m2 - in[6];
+       out[7] = two62m2 - in[7];
+       out[8] = two62m2 - in[8];
+       }
+
+/* felem_diff64 subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 2^59 + 2^14
+ * On exit:
+ *   out[i] < out[i] + 2^62
+ */
+static void felem_diff64(felem out, const felem in)
+       {
+       /* In order to prevent underflow, we add 0 mod p before subtracting. */
+       static const limb two62m3 = (((limb)1) << 62) - (((limb)1) << 5);
+       static const limb two62m2 = (((limb)1) << 62) - (((limb)1) << 4);
+
+       out[0] += two62m3 - in[0];
+       out[1] += two62m2 - in[1];
+       out[2] += two62m2 - in[2];
+       out[3] += two62m2 - in[3];
+       out[4] += two62m2 - in[4];
+       out[5] += two62m2 - in[5];
+       out[6] += two62m2 - in[6];
+       out[7] += two62m2 - in[7];
+       out[8] += two62m2 - in[8];
+       }
+
+/* felem_diff_128_64 subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 2^62 + 2^17
+ * On exit:
+ *   out[i] < out[i] + 2^63
+ */
+static void felem_diff_128_64(largefelem out, const felem in)
+       {
+       // In order to prevent underflow, we add 0 mod p before subtracting.
+       static const limb two63m6 = (((limb)1) << 62) - (((limb)1) << 5);
+       static const limb two63m5 = (((limb)1) << 62) - (((limb)1) << 4);
+
+       out[0] += two63m6 - in[0];
+       out[1] += two63m5 - in[1];
+       out[2] += two63m5 - in[2];
+       out[3] += two63m5 - in[3];
+       out[4] += two63m5 - in[4];
+       out[5] += two63m5 - in[5];
+       out[6] += two63m5 - in[6];
+       out[7] += two63m5 - in[7];
+       out[8] += two63m5 - in[8];
+       }
+
+/* felem_diff_128_64 subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 2^126
+ * On exit:
+ *   out[i] < out[i] + 2^127 - 2^69
+ */
+static void felem_diff128(largefelem out, const largefelem in)
+       {
+       // In order to prevent underflow, we add 0 mod p before subtracting.
+       static const uint128_t two127m70 = (((uint128_t)1) << 127) - (((uint128_t)1) << 70);
+       static const uint128_t two127m69 = (((uint128_t)1) << 127) - (((uint128_t)1) << 69);
+
+       out[0] += (two127m70 - in[0]);
+       out[1] += (two127m69 - in[1]);
+       out[2] += (two127m69 - in[2]);
+       out[3] += (two127m69 - in[3]);
+       out[4] += (two127m69 - in[4]);
+       out[5] += (two127m69 - in[5]);
+       out[6] += (two127m69 - in[6]);
+       out[7] += (two127m69 - in[7]);
+       out[8] += (two127m69 - in[8]);
+       }
+
+/* felem_square sets |out| = |in|^2
+ * On entry:
+ *   in[i] < 2^62
+ * On exit:
+ *   out[i] < 17 * max(in[i]) * max(in[i])
+ */
+static void felem_square(largefelem out, const felem in)
+       {
+       felem inx2, inx4;
+       felem_scalar(inx2, in, 2);
+       felem_scalar(inx4, in, 4);
+
+       /* We have many cases were we want to do
+        *   in[x] * in[y] +
+        *   in[y] * in[x]
+        * This is obviously just
+        *   2 * in[x] * in[y]
+        * However, rather than do the doubling on the 128 bit result, we
+        * double one of the inputs to the multiplication by reading from
+        * |inx2| */
+
+       out[0] = ((uint128_t) in[0]) * in[0];
+       out[1] = ((uint128_t) in[0]) * inx2[1];
+       out[2] = ((uint128_t) in[0]) * inx2[2] +
+                ((uint128_t) in[1]) * in[1];
+       out[3] = ((uint128_t) in[0]) * inx2[3] +
+                ((uint128_t) in[1]) * inx2[2];
+       out[4] = ((uint128_t) in[0]) * inx2[4] +
+                ((uint128_t) in[1]) * inx2[3] +
+                ((uint128_t) in[2]) * in[2];
+       out[5] = ((uint128_t) in[0]) * inx2[5] +
+                ((uint128_t) in[1]) * inx2[4] +
+                ((uint128_t) in[2]) * inx2[3];
+       out[6] = ((uint128_t) in[0]) * inx2[6] +
+                ((uint128_t) in[1]) * inx2[5] +
+                ((uint128_t) in[2]) * inx2[4] +
+                ((uint128_t) in[3]) * in[3];
+       out[7] = ((uint128_t) in[0]) * inx2[7] +
+                ((uint128_t) in[1]) * inx2[6] +
+                ((uint128_t) in[2]) * inx2[5] +
+                ((uint128_t) in[3]) * inx2[4];
+       out[8] = ((uint128_t) in[0]) * inx2[8] +
+                ((uint128_t) in[1]) * inx2[7] +
+                ((uint128_t) in[2]) * inx2[6] +
+                ((uint128_t) in[3]) * inx2[5] +
+                ((uint128_t) in[4]) * in[4];
+
+       /* The remaining limbs fall above 2^521, with the first falling at
+        * 2^522. They correspond to locations one bit up from the limbs
+        * produced above so we would have to multiply by two to align them.
+        * Again, rather than operate on the 128-bit result, we double one of
+        * the inputs to the multiplication. If we want to double for both this
+        * reason, and the reason above, then we end up multiplying by four. */
+
+       // 9
+       out[0] += ((uint128_t) in[1]) * inx4[8] +
+                 ((uint128_t) in[2]) * inx4[7] +
+                 ((uint128_t) in[3]) * inx4[6] +
+                 ((uint128_t) in[4]) * inx4[5];
+
+       // 10
+       out[1] += ((uint128_t) in[2]) * inx4[8] +
+                 ((uint128_t) in[3]) * inx4[7] +
+                 ((uint128_t) in[4]) * inx4[6] +
+                 ((uint128_t) in[5]) * inx2[5];
+
+       // 11
+       out[2] += ((uint128_t) in[3]) * inx4[8] +
+                 ((uint128_t) in[4]) * inx4[7] +
+                 ((uint128_t) in[5]) * inx4[6];
+
+       // 12
+       out[3] += ((uint128_t) in[4]) * inx4[8] +
+                 ((uint128_t) in[5]) * inx4[7] +
+                 ((uint128_t) in[6]) * inx2[6];
+
+       // 13
+       out[4] += ((uint128_t) in[5]) * inx4[8] +
+                 ((uint128_t) in[6]) * inx4[7];
+
+       // 14
+       out[5] += ((uint128_t) in[6]) * inx4[8] +
+                 ((uint128_t) in[7]) * inx2[7];
+
+       // 15
+       out[6] += ((uint128_t) in[7]) * inx4[8];
+
+       // 16
+       out[7] += ((uint128_t) in[8]) * inx2[8];
+       }
+
+/* felem_mul sets |out| = |in1| * |in2|
+ * On entry:
+ *   in1[i] < 2^64
+ *   in2[i] < 2^63
+ * On exit:
+ *   out[i] < 17 * max(in1[i]) * max(in2[i])
+ */
+static void felem_mul(largefelem out, const felem in1, const felem in2)
+       {
+       felem in2x2;
+       felem_scalar(in2x2, in2, 2);
+
+       out[0] = ((uint128_t) in1[0]) * in2[0];
+
+       out[1] = ((uint128_t) in1[0]) * in2[1] +
+                ((uint128_t) in1[1]) * in2[0];
+
+       out[2] = ((uint128_t) in1[0]) * in2[2] +
+                ((uint128_t) in1[1]) * in2[1] +
+                ((uint128_t) in1[2]) * in2[0];
+
+       out[3] = ((uint128_t) in1[0]) * in2[3] +
+                ((uint128_t) in1[1]) * in2[2] +
+                ((uint128_t) in1[2]) * in2[1] +
+                ((uint128_t) in1[3]) * in2[0];
+
+       out[4] = ((uint128_t) in1[0]) * in2[4] +
+                ((uint128_t) in1[1]) * in2[3] +
+                ((uint128_t) in1[2]) * in2[2] +
+                ((uint128_t) in1[3]) * in2[1] +
+                ((uint128_t) in1[4]) * in2[0];
+
+       out[5] = ((uint128_t) in1[0]) * in2[5] +
+                ((uint128_t) in1[1]) * in2[4] +
+                ((uint128_t) in1[2]) * in2[3] +
+                ((uint128_t) in1[3]) * in2[2] +
+                ((uint128_t) in1[4]) * in2[1] +
+                ((uint128_t) in1[5]) * in2[0];
+
+       out[6] = ((uint128_t) in1[0]) * in2[6] +
+                ((uint128_t) in1[1]) * in2[5] +
+                ((uint128_t) in1[2]) * in2[4] +
+                ((uint128_t) in1[3]) * in2[3] +
+                ((uint128_t) in1[4]) * in2[2] +
+                ((uint128_t) in1[5]) * in2[1] +
+                ((uint128_t) in1[6]) * in2[0];
+
+       out[7] = ((uint128_t) in1[0]) * in2[7] +
+                ((uint128_t) in1[1]) * in2[6] +
+                ((uint128_t) in1[2]) * in2[5] +
+                ((uint128_t) in1[3]) * in2[4] +
+                ((uint128_t) in1[4]) * in2[3] +
+                ((uint128_t) in1[5]) * in2[2] +
+                ((uint128_t) in1[6]) * in2[1] +
+                ((uint128_t) in1[7]) * in2[0];
+
+       out[8] = ((uint128_t) in1[0]) * in2[8] +
+                ((uint128_t) in1[1]) * in2[7] +
+                ((uint128_t) in1[2]) * in2[6] +
+                ((uint128_t) in1[3]) * in2[5] +
+                ((uint128_t) in1[4]) * in2[4] +
+                ((uint128_t) in1[5]) * in2[3] +
+                ((uint128_t) in1[6]) * in2[2] +
+                ((uint128_t) in1[7]) * in2[1] +
+                ((uint128_t) in1[8]) * in2[0];
+
+       /* See comment in felem_square about the use of in2x2 here */
+
+       out[0] += ((uint128_t) in1[1]) * in2x2[8] +
+                 ((uint128_t) in1[2]) * in2x2[7] +
+                 ((uint128_t) in1[3]) * in2x2[6] +
+                 ((uint128_t) in1[4]) * in2x2[5] +
+                 ((uint128_t) in1[5]) * in2x2[4] +
+                 ((uint128_t) in1[6]) * in2x2[3] +
+                 ((uint128_t) in1[7]) * in2x2[2] +
+                 ((uint128_t) in1[8]) * in2x2[1];
+
+       out[1] += ((uint128_t) in1[2]) * in2x2[8] +
+                 ((uint128_t) in1[3]) * in2x2[7] +
+                 ((uint128_t) in1[4]) * in2x2[6] +
+                 ((uint128_t) in1[5]) * in2x2[5] +
+                 ((uint128_t) in1[6]) * in2x2[4] +
+                 ((uint128_t) in1[7]) * in2x2[3] +
+                 ((uint128_t) in1[8]) * in2x2[2];
+
+       out[2] += ((uint128_t) in1[3]) * in2x2[8] +
+                 ((uint128_t) in1[4]) * in2x2[7] +
+                 ((uint128_t) in1[5]) * in2x2[6] +
+                 ((uint128_t) in1[6]) * in2x2[5] +
+                 ((uint128_t) in1[7]) * in2x2[4] +
+                 ((uint128_t) in1[8]) * in2x2[3];
+
+       out[3] += ((uint128_t) in1[4]) * in2x2[8] +
+                 ((uint128_t) in1[5]) * in2x2[7] +
+                 ((uint128_t) in1[6]) * in2x2[6] +
+                 ((uint128_t) in1[7]) * in2x2[5] +
+                 ((uint128_t) in1[8]) * in2x2[4];
+
+       out[4] += ((uint128_t) in1[5]) * in2x2[8] +
+                 ((uint128_t) in1[6]) * in2x2[7] +
+                 ((uint128_t) in1[7]) * in2x2[6] +
+                 ((uint128_t) in1[8]) * in2x2[5];
+
+       out[5] += ((uint128_t) in1[6]) * in2x2[8] +
+                 ((uint128_t) in1[7]) * in2x2[7] +
+                 ((uint128_t) in1[8]) * in2x2[6];
+
+       out[6] += ((uint128_t) in1[7]) * in2x2[8] +
+                 ((uint128_t) in1[8]) * in2x2[7];
+
+       out[7] += ((uint128_t) in1[8]) * in2x2[8];
+       }
+
+static const limb bottom52bits = 0xfffffffffffff;
+
+/* felem_reduce converts a largefelem to an felem.
+ * On entry:
+ *   in[i] < 2^128
+ * On exit:
+ *   out[i] < 2^59 + 2^14
+ */
+static void felem_reduce(felem out, const largefelem in)
+       {
+       out[0] = ((limb) in[0]) & bottom58bits;
+       out[1] = ((limb) in[1]) & bottom58bits;
+       out[2] = ((limb) in[2]) & bottom58bits;
+       out[3] = ((limb) in[3]) & bottom58bits;
+       out[4] = ((limb) in[4]) & bottom58bits;
+       out[5] = ((limb) in[5]) & bottom58bits;
+       out[6] = ((limb) in[6]) & bottom58bits;
+       out[7] = ((limb) in[7]) & bottom58bits;
+       out[8] = ((limb) in[8]) & bottom58bits;
+
+       /* out[i] < 2^58 */
+
+       out[1] += ((limb) in[0]) >> 58;
+       out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6;
+       /* out[1] < 2^58 + 2^6 + 2^58
+        *        = 2^59 + 2^6 */
+       out[2] += ((limb) (in[0] >> 64)) >> 52;
+
+       out[2] += ((limb) in[1]) >> 58;
+       out[2] += (((limb) (in[1] >> 64)) & bottom52bits) << 6;
+       out[3] += ((limb) (in[1] >> 64)) >> 52;
+
+       out[3] += ((limb) in[2]) >> 58;
+       out[3] += (((limb) (in[2] >> 64)) & bottom52bits) << 6;
+       out[4] += ((limb) (in[2] >> 64)) >> 52;
+
+       out[4] += ((limb) in[3]) >> 58;
+       out[4] += (((limb) (in[3] >> 64)) & bottom52bits) << 6;
+       out[5] += ((limb) (in[3] >> 64)) >> 52;
+
+       out[5] += ((limb) in[4]) >> 58;
+       out[5] += (((limb) (in[4] >> 64)) & bottom52bits) << 6;
+       out[6] += ((limb) (in[4] >> 64)) >> 52;
+
+       out[6] += ((limb) in[5]) >> 58;
+       out[6] += (((limb) (in[5] >> 64)) & bottom52bits) << 6;
+       out[7] += ((limb) (in[5] >> 64)) >> 52;
+
+       out[7] += ((limb) in[6]) >> 58;
+       out[7] += (((limb) (in[6] >> 64)) & bottom52bits) << 6;
+       out[8] += ((limb) (in[6] >> 64)) >> 52;
+
+       out[8] += ((limb) in[7]) >> 58;
+       out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
+       /* out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
+        *            < 2^59 + 2^13 */
+       u64 overflow1 = ((limb) (in[7] >> 64)) >> 52;
+
+       overflow1 += ((limb) in[8]) >> 58;
+       overflow1 += (((limb) (in[8] >> 64)) & bottom52bits) << 6;
+       u64 overflow2 = ((limb) (in[8] >> 64)) >> 52;
+
+       overflow1 <<= 1;  /* overflow1 < 2^13 + 2^7 + 2^59 */
+       overflow2 <<= 1;  /* overflow2 < 2^13 */
+
+       out[0] += overflow1;  /* out[0] < 2^60 */
+       out[1] += overflow2;  /* out[1] < 2^59 + 2^6 + 2^13 */
+
+       out[1] += out[0] >> 58; out[0] &= bottom58bits;
+       /* out[0] < 2^58
+        * out[1] < 2^59 + 2^6 + 2^13 + 2^2
+        *        < 2^59 + 2^14 */
+       }
+
+static void felem_square_reduce(felem out, const felem in)
+       {
+       largefelem tmp;
+       felem_square(tmp, in);
+       felem_reduce(out, tmp);
+       }
+
+static void felem_mul_reduce(felem out, const felem in1, const felem in2)
+       {
+       largefelem tmp;
+       felem_mul(tmp, in1, in2);
+       felem_reduce(out, tmp);
+       }
+
+/* felem_inv calculates |out| = |in|^{-1}
+ *
+ * Based on Fermat's Little Theorem:
+ *   a^p = a (mod p)
+ *   a^{p-1} = 1 (mod p)
+ *   a^{p-2} = a^{-1} (mod p)
+ */
+static void felem_inv(felem out, const felem in)
+       {
+       felem ftmp, ftmp2, ftmp3, ftmp4;
+       largefelem tmp;
+       unsigned i;
+
+       felem_square(tmp, in); felem_reduce(ftmp, tmp);         /* 2^1 */
+       felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp);      /* 2^2 - 2^0 */
+       felem_assign(ftmp2, ftmp);
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);       /* 2^3 - 2^1 */
+       felem_mul(tmp, in, ftmp); felem_reduce(ftmp, tmp);      /* 2^3 - 2^0 */
+       felem_square(tmp, ftmp); felem_reduce(ftmp, tmp);       /* 2^4 - 2^1 */
+
+       felem_square(tmp, ftmp2); felem_reduce(ftmp3, tmp);     /* 2^3 - 2^1 */
+       felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^4 - 2^2 */
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^4 - 2^0 */
+
+       felem_assign(ftmp2, ftmp3);
+       felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^5 - 2^1 */
+       felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^6 - 2^2 */
+       felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^7 - 2^3 */
+       felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^8 - 2^4 */
+       felem_assign(ftmp4, ftmp3);
+       felem_mul(tmp, ftmp3, ftmp); felem_reduce(ftmp4, tmp);  /* 2^8 - 2^1 */
+       felem_square(tmp, ftmp4); felem_reduce(ftmp4, tmp);     /* 2^9 - 2^2 */
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^8 - 2^0 */
+       felem_assign(ftmp2, ftmp3);
+
+       for (i = 0; i < 8; i++)
+               {
+               felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^16 - 2^8 */
+               }
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^16 - 2^0 */
+       felem_assign(ftmp2, ftmp3);
+
+       for (i = 0; i < 16; i++)
+               {
+               felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^32 - 2^16 */
+               }
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^32 - 2^0 */
+       felem_assign(ftmp2, ftmp3);
+
+       for (i = 0; i < 32; i++)
+               {
+               felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^64 - 2^32 */
+               }
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^64 - 2^0 */
+       felem_assign(ftmp2, ftmp3);
+
+       for (i = 0; i < 64; i++)
+               {
+               felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^128 - 2^64 */
+               }
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^128 - 2^0 */
+       felem_assign(ftmp2, ftmp3);
+
+       for (i = 0; i < 128; i++)
+               {
+               felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^256 - 2^128 */
+               }
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^256 - 2^0 */
+       felem_assign(ftmp2, ftmp3);
+
+       for (i = 0; i < 256; i++)
+               {
+               felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^512 - 2^256 */
+               }
+       felem_mul(tmp, ftmp3, ftmp2); felem_reduce(ftmp3, tmp); /* 2^512 - 2^0 */
+
+       for (i = 0; i < 9; i++)
+               {
+               felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp);     /* 2^521 - 2^9 */
+               }
+       felem_mul(tmp, ftmp3, ftmp4); felem_reduce(ftmp3, tmp); /* 2^512 - 2^2 */
+       felem_mul(tmp, ftmp3, in); felem_reduce(out, tmp);      /* 2^512 - 3 */
+}
+
+/* This is 2^521-1, expressed as an felem */
+static const felem kPrime =
+       {
+       0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
+       0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
+       0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff
+       };
+
+/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+ * otherwise.
+ * On entry:
+ *   in[i] < 2^59 + 2^14
+ */
+static limb felem_is_zero(const felem in)
+       {
+       felem ftmp;
+       limb is_zero, is_p;
+       felem_assign(ftmp, in);
+
+       ftmp[0] += ftmp[8] >> 57; ftmp[8] &= bottom57bits;
+       /* ftmp[8] < 2^57 */
+       ftmp[1] += ftmp[0] >> 58; ftmp[0] &= bottom58bits;
+       ftmp[2] += ftmp[1] >> 58; ftmp[1] &= bottom58bits;
+       ftmp[3] += ftmp[2] >> 58; ftmp[2] &= bottom58bits;
+       ftmp[4] += ftmp[3] >> 58; ftmp[3] &= bottom58bits;
+       ftmp[5] += ftmp[4] >> 58; ftmp[4] &= bottom58bits;
+       ftmp[6] += ftmp[5] >> 58; ftmp[5] &= bottom58bits;
+       ftmp[7] += ftmp[6] >> 58; ftmp[6] &= bottom58bits;
+       ftmp[8] += ftmp[7] >> 58; ftmp[7] &= bottom58bits;
+       /* ftmp[8] < 2^57 + 4 */
+
+       /* The ninth limb of 2*(2^521-1) is 0x03ffffffffffffff, which is
+        * greater than our bound for ftmp[8]. Therefore we only have to check
+        * if the zero is zero or 2^521-1. */
+
+       is_zero = 0;
+       is_zero |= ftmp[0];
+       is_zero |= ftmp[1];
+       is_zero |= ftmp[2];
+       is_zero |= ftmp[3];
+       is_zero |= ftmp[4];
+       is_zero |= ftmp[5];
+       is_zero |= ftmp[6];
+       is_zero |= ftmp[7];
+       is_zero |= ftmp[8];
+
+       is_zero--;
+       // We know that ftmp[i] < 2^63, therefore the only way that the top bit
+       // can be set is if is_zero was 0 before the decrement.
+       is_zero = ((s64) is_zero) >> 63;
+
+       is_p = ftmp[0] ^ kPrime[0];
+       is_p |= ftmp[1] ^ kPrime[1];
+       is_p |= ftmp[2] ^ kPrime[2];
+       is_p |= ftmp[3] ^ kPrime[3];
+       is_p |= ftmp[4] ^ kPrime[4];
+       is_p |= ftmp[5] ^ kPrime[5];
+       is_p |= ftmp[6] ^ kPrime[6];
+       is_p |= ftmp[7] ^ kPrime[7];
+       is_p |= ftmp[8] ^ kPrime[8];
+
+       is_p--;
+       is_p = ((s64) is_p) >> 63;
+
+       is_zero |= is_p;
+       return is_zero;
+       }
+
+static int felem_is_zero_int(const felem in)
+       {
+       return (int) (felem_is_zero(in) & ((limb)1));
+       }
+
+/* felem_contract converts |in| to its unique, minimal representation.
+ * On entry:
+ *   in[i] < 2^59 + 2^14
+ */
+static void felem_contract(felem out, const felem in)
+       {
+       limb is_p, is_greater, sign;
+       static const limb two58 = ((limb)1) << 58;
+
+       felem_assign(out, in);
+
+       out[0] += out[8] >> 57; out[8] &= bottom57bits;
+       /* out[8] < 2^57 */
+       out[1] += out[0] >> 58; out[0] &= bottom58bits;
+       out[2] += out[1] >> 58; out[1] &= bottom58bits;
+       out[3] += out[2] >> 58; out[2] &= bottom58bits;
+       out[4] += out[3] >> 58; out[3] &= bottom58bits;
+       out[5] += out[4] >> 58; out[4] &= bottom58bits;
+       out[6] += out[5] >> 58; out[5] &= bottom58bits;
+       out[7] += out[6] >> 58; out[6] &= bottom58bits;
+       out[8] += out[7] >> 58; out[7] &= bottom58bits;
+       /* out[8] < 2^57 + 4 */
+
+       /* If the value is greater than 2^521-1 then we have to subtract
+        * 2^521-1 out. See the comments in felem_is_zero regarding why we
+        * don't test for other multiples of the prime. */
+
+       /* First, if |out| is equal to 2^521-1, we subtract it out to get zero. */
+
+       is_p = out[0] ^ kPrime[0];
+       is_p |= out[1] ^ kPrime[1];
+       is_p |= out[2] ^ kPrime[2];
+       is_p |= out[3] ^ kPrime[3];
+       is_p |= out[4] ^ kPrime[4];
+       is_p |= out[5] ^ kPrime[5];
+       is_p |= out[6] ^ kPrime[6];
+       is_p |= out[7] ^ kPrime[7];
+       is_p |= out[8] ^ kPrime[8];
+
+       is_p--;
+       is_p &= is_p << 32;
+       is_p &= is_p << 16;
+       is_p &= is_p << 8;
+       is_p &= is_p << 4;
+       is_p &= is_p << 2;
+       is_p &= is_p << 1;
+       is_p = ((s64) is_p) >> 63;
+       is_p = ~is_p;
+
+       /* is_p is 0 iff |out| == 2^521-1 and all ones otherwise */
+
+       out[0] &= is_p;
+       out[1] &= is_p;
+       out[2] &= is_p;
+       out[3] &= is_p;
+       out[4] &= is_p;
+       out[5] &= is_p;
+       out[6] &= is_p;
+       out[7] &= is_p;
+       out[8] &= is_p;
+
+       /* In order to test that |out| >= 2^521-1 we need only test if out[8]
+        * >> 57 is greater than zero as (2^521-1) + x >= 2^522 */
+       is_greater = out[8] >> 57;
+       is_greater |= is_greater << 32;
+       is_greater |= is_greater << 16;
+       is_greater |= is_greater << 8;
+       is_greater |= is_greater << 4;
+       is_greater |= is_greater << 2;
+       is_greater |= is_greater << 1;
+       is_greater = ((s64) is_greater) >> 63;
+
+       out[0] -= kPrime[0] & is_greater;
+       out[1] -= kPrime[1] & is_greater;
+       out[2] -= kPrime[2] & is_greater;
+       out[3] -= kPrime[3] & is_greater;
+       out[4] -= kPrime[4] & is_greater;
+       out[5] -= kPrime[5] & is_greater;
+       out[6] -= kPrime[6] & is_greater;
+       out[7] -= kPrime[7] & is_greater;
+       out[8] -= kPrime[8] & is_greater;
+
+       /* Eliminate negative coefficients */
+       sign = -(out[0] >> 63); out[0] += (two58 & sign); out[1] -= (1 & sign);
+       sign = -(out[1] >> 63); out[1] += (two58 & sign); out[2] -= (1 & sign);
+       sign = -(out[2] >> 63); out[2] += (two58 & sign); out[3] -= (1 & sign);
+       sign = -(out[3] >> 63); out[3] += (two58 & sign); out[4] -= (1 & sign);
+       sign = -(out[4] >> 63); out[4] += (two58 & sign); out[5] -= (1 & sign);
+       sign = -(out[0] >> 63); out[5] += (two58 & sign); out[6] -= (1 & sign);
+       sign = -(out[6] >> 63); out[6] += (two58 & sign); out[7] -= (1 & sign);
+       sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign);
+       sign = -(out[5] >> 63); out[5] += (two58 & sign); out[6] -= (1 & sign);
+       sign = -(out[6] >> 63); out[6] += (two58 & sign); out[7] -= (1 & sign);
+       sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign);
+       }
+
+/* Group operations
+ * ----------------
+ *
+ * Building on top of the field operations we have the operations on the
+ * elliptic curve group itself. Points on the curve are represented in Jacobian
+ * coordinates */
+
+/* point_double calcuates 2*(x_in, y_in, z_in)
+ *
+ * The method is taken from:
+ *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
+ *
+ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
+ * while x_out == y_in is not (maybe this works, but it's not tested). */
+static void
+point_double(felem x_out, felem y_out, felem z_out,
+            const felem x_in, const felem y_in, const felem z_in)
+       {
+       largefelem tmp, tmp2;
+       felem delta, gamma, beta, alpha, ftmp, ftmp2;
+
+       felem_assign(ftmp, x_in);
+       felem_assign(ftmp2, x_in);
+
+       /* delta = z^2 */
+       felem_square(tmp, z_in);
+       felem_reduce(delta, tmp);  /* delta[i] < 2^59 + 2^14 */
+
+       /* gamma = y^2 */
+       felem_square(tmp, y_in);
+       felem_reduce(gamma, tmp);  /* gamma[i] < 2^59 + 2^14 */
+
+       /* beta = x*gamma */
+       felem_mul(tmp, x_in, gamma);
+       felem_reduce(beta, tmp);  /* beta[i] < 2^59 + 2^14 */
+
+       /* alpha = 3*(x-delta)*(x+delta) */
+       felem_diff64(ftmp, delta);
+       /* ftmp[i] < 2^61 */
+       felem_sum64(ftmp2, delta);
+       /* ftmp2[i] < 2^60 + 2^15 */
+       felem_scalar64(ftmp2, 3);
+       /* ftmp2[i] < 3*2^60 + 3*2^15 */
+       felem_mul(tmp, ftmp, ftmp2);
+       /* tmp[i] < 17(3*2^121 + 3*2^76)
+        *        = 61*2^121 + 61*2^76
+        *        < 64*2^121 + 64*2^76
+        *        = 2^127 + 2^82
+        *        < 2^128 */
+       felem_reduce(alpha, tmp);
+
+       /* x' = alpha^2 - 8*beta */
+       felem_square(tmp, alpha);
+       /* tmp[i] < 17*2^120
+        *        < 2^125 */
+       felem_assign(ftmp, beta);
+       felem_scalar64(ftmp, 8);
+       /* ftmp[i] < 2^62 + 2^17 */
+       felem_diff_128_64(tmp, ftmp);
+       /* tmp[i] < 2^125 + 2^63 + 2^62 + 2^17 */
+       felem_reduce(x_out, tmp);
+
+       /* z' = (y + z)^2 - gamma - delta */
+       felem_sum64(delta, gamma);
+       /* delta[i] < 2^60 + 2^15 */
+       felem_assign(ftmp, y_in);
+       felem_sum64(ftmp, z_in);
+       /* ftmp[i] < 2^60 + 2^15 */
+       felem_square(tmp, ftmp);
+       /* tmp[i] < 17(2^122)
+        *        < 2^127 */
+       felem_diff_128_64(tmp, delta);
+       /* tmp[i] < 2^127 + 2^63 */
+       felem_reduce(z_out, tmp);
+
+       /* y' = alpha*(4*beta - x') - 8*gamma^2 */
+       felem_scalar64(beta, 4);
+       /* beta[i] < 2^61 + 2^16 */
+       felem_diff64(beta, x_out);
+       /* beta[i] < 2^61 + 2^60 + 2^16 */
+       felem_mul(tmp, alpha, beta);
+       /* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
+        *        = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30) 
+        *        = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
+        *        < 2^128 */
+       felem_square(tmp2, gamma);
+       /* tmp2[i] < 17*(2^59 + 2^14)^2
+        *         = 17*(2^118 + 2^74 + 2^28) */
+       felem_scalar128(tmp2, 8);
+       /* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
+        *         = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
+        *         < 2^126 */
+       felem_diff128(tmp, tmp2);
+       /* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
+        *        = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
+        *          2^74 + 2^69 + 2^34 + 2^30
+        *        < 2^128 */
+       felem_reduce(y_out, tmp);
+       }
+
+/* copy_conditional copies in to out iff mask is all ones. */
+static void
+copy_conditional(felem out, const felem in, limb mask)
+       {
+       unsigned i;
+       for (i = 0; i < NLIMBS; ++i)
+               {
+               const limb tmp = mask & (in[i] ^ out[i]);
+               out[i] ^= tmp;
+               }
+       }
+
+/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+ *
+ * The method is taken from
+ *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
+ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
+ *
+ * This function includes a branch for checking whether the two input points
+ * are equal (while not equal to the point at infinity). This case never
+ * happens during single point multiplication, so there is no timing leak for
+ * ECDH or ECDSA signing. */
+static void point_add(felem x3, felem y3, felem z3,
+       const felem x1, const felem y1, const felem z1,
+       const int mixed, const felem x2, const felem y2, const felem z2)
+       {
+       felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
+       largefelem tmp, tmp2;
+       limb x_equal, y_equal, z1_is_zero, z2_is_zero;
+
+       z1_is_zero = felem_is_zero(z1);
+       z2_is_zero = felem_is_zero(z2);
+
+       /* ftmp = z1z1 = z1**2 */
+       felem_square(tmp, z1);
+       felem_reduce(ftmp, tmp);
+
+       if (!mixed)
+               {
+               /* ftmp2 = z2z2 = z2**2 */
+               felem_square(tmp, z2);
+               felem_reduce(ftmp2, tmp);
+
+               /* u1 = ftmp3 = x1*z2z2 */
+               felem_mul(tmp, x1, ftmp2);
+               felem_reduce(ftmp3, tmp);
+
+               /* ftmp5 = z1 + z2 */
+               felem_assign(ftmp5, z1);
+               felem_sum64(ftmp5, z2);
+               /* ftmp5[i] < 2^61 */
+
+               /* ftmp5 = (z1 + z2)**2 - z1z1 - z2z2 = 2*z1z2 */
+               felem_square(tmp, ftmp5);
+               /* tmp[i] < 17*2^122 */
+               felem_diff_128_64(tmp, ftmp);
+               /* tmp[i] < 17*2^122 + 2^63 */
+               felem_diff_128_64(tmp, ftmp2);
+               /* tmp[i] < 17*2^122 + 2^64 */
+               felem_reduce(ftmp5, tmp);
+
+               /* ftmp2 = z2 * z2z2 */
+               felem_mul(tmp, ftmp2, z2);
+               felem_reduce(ftmp2, tmp);
+
+               /* s1 = ftmp6 = y1 * z2**3 */
+               felem_mul(tmp, y1, ftmp2);
+               felem_reduce(ftmp6, tmp);
+               }
+       else
+               {
+               /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
+
+               /* u1 = ftmp3 = x1*z2z2 */
+               felem_assign(ftmp3, x1);
+
+               /* ftmp5 = 2*z1z2 */
+               felem_scalar(ftmp5, z1, 2);
+
+               /* s1 = ftmp6 = y1 * z2**3 */
+               felem_assign(ftmp6, y1);
+               }
+
+       /* u2 = x2*z1z1 */
+       felem_mul(tmp, x2, ftmp);
+       /* tmp[i] < 17*2^120 */
+
+       /* h = ftmp4 = u2 - u1 */
+       felem_diff_128_64(tmp, ftmp3);
+       /* tmp[i] < 17*2^120 + 2^63 */
+       felem_reduce(ftmp4, tmp);
+
+       x_equal = felem_is_zero(ftmp4);
+
+       /* z_out = ftmp5 * h */
+       felem_mul(tmp, ftmp5, ftmp4);
+       felem_reduce(z_out, tmp);
+
+       /* ftmp = z1 * z1z1 */
+       felem_mul(tmp, ftmp, z1);
+       felem_reduce(ftmp, tmp);
+
+       /* s2 = tmp = y2 * z1**3 */
+       felem_mul(tmp, y2, ftmp);
+       /* tmp[i] < 17*2^120 */
+
+       /* r = ftmp5 = (s2 - s1)*2 */
+       felem_diff_128_64(tmp, ftmp6);
+       /* tmp[i] < 17*2^120 + 2^63 */
+       felem_reduce(ftmp5, tmp);
+       y_equal = felem_is_zero(ftmp5);
+       felem_scalar64(ftmp5, 2);
+       /* ftmp5[i] < 2^61 */
+
+       if (x_equal && y_equal && !z1_is_zero && !z2_is_zero)
+               {
+               point_double(x3, y3, z3, x1, y1, z1);
+               return;
+               }
+
+       /* I = ftmp = (2h)**2 */
+       felem_assign(ftmp, ftmp4);
+       felem_scalar64(ftmp, 2);
+       /* ftmp[i] < 2^61 */
+       felem_square(tmp, ftmp);
+       /* tmp[i] < 17*2^122 */
+       felem_reduce(ftmp, tmp);
+
+       /* J = ftmp2 = h * I */
+       felem_mul(tmp, ftmp4, ftmp);
+       felem_reduce(ftmp2, tmp);
+
+       /* V = ftmp4 = U1 * I */
+       felem_mul(tmp, ftmp3, ftmp);
+       felem_reduce(ftmp4, tmp);
+
+       /* x_out = r**2 - J - 2V */
+       felem_square(tmp, ftmp5);
+       /* tmp[i] < 17*2^122 */
+       felem_diff_128_64(tmp, ftmp2);
+       /* tmp[i] < 17*2^122 + 2^63 */
+       felem_assign(ftmp3, ftmp4);
+       felem_scalar64(ftmp4, 2);
+       /* ftmp4[i] < 2^61 */
+       felem_diff_128_64(tmp, ftmp4);
+       /* tmp[i] < 17*2^122 + 2^64 */
+       felem_reduce(x_out, tmp);
+
+       /* y_out = r(V-x_out) - 2 * s1 * J */
+       felem_diff64(ftmp3, x_out);
+       /* ftmp3[i] < 2^60 + 2^60
+        *          = 2^61 */
+       felem_mul(tmp, ftmp5, ftmp3);
+       /* tmp[i] < 17*2^122 */
+       felem_mul(tmp2, ftmp6, ftmp2);
+       /* tmp2[i] < 17*2^120 */
+       felem_scalar128(tmp2, 2);
+       /* tmp2[i] < 17*2^121 */
+       felem_diff128(tmp, tmp2);
+       /* tmp[i] < 2^127 - 2^69 + 17*2^122
+        *        = 2^126 - 2^122 - 2^6 - 2^2 - 1
+        *        < 2^127 */
+       felem_reduce(y_out, tmp);
+
+       copy_conditional(x_out, x2, z1_is_zero);
+       copy_conditional(x_out, x1, z2_is_zero);
+       copy_conditional(y_out, y2, z1_is_zero);
+       copy_conditional(y_out, y1, z2_is_zero);
+       copy_conditional(z_out, z2, z1_is_zero);
+       copy_conditional(z_out, z1, z2_is_zero);
+       felem_assign(x3, x_out);
+       felem_assign(y3, y_out);
+       felem_assign(z3, z_out);
+       }
+
+/* Base point pre computation
+ * --------------------------
+ *
+ * Two different sorts of precomputed tables are used in the following code.
+ * Each contain various points on the curve, where each point is three field
+ * elements (x, y, z).
+ *
+ * For the base point table, z is usually 1 (0 for the point at infinity).
+ * This table has 16 elements:
+ * index | bits    | point
+ * ------+---------+------------------------------
+ *     0 | 0 0 0 0 | 0G
+ *     1 | 0 0 0 1 | 1G
+ *     2 | 0 0 1 0 | 2^130G
+ *     3 | 0 0 1 1 | (2^130 + 1)G
+ *     4 | 0 1 0 0 | 2^260G
+ *     5 | 0 1 0 1 | (2^260 + 1)G
+ *     6 | 0 1 1 0 | (2^260 + 2^130)G
+ *     7 | 0 1 1 1 | (2^260 + 2^130 + 1)G
+ *     8 | 1 0 0 0 | 2^390G
+ *     9 | 1 0 0 1 | (2^390 + 1)G
+ *    10 | 1 0 1 0 | (2^390 + 2^130)G
+ *    11 | 1 0 1 1 | (2^390 + 2^130 + 1)G
+ *    12 | 1 1 0 0 | (2^390 + 2^260)G
+ *    13 | 1 1 0 1 | (2^390 + 2^260 + 1)G
+ *    14 | 1 1 1 0 | (2^390 + 2^260 + 2^130)G
+ *    15 | 1 1 1 1 | (2^390 + 2^260 + 2^130 + 1)G
+ *
+ * The reason for this is so that we can clock bits into four different
+ * locations when doing simple scalar multiplies against the base point.
+ *
+ * Tables for other points have table[i] = iG for i in 0 .. 16. */
+
+/* gmul is the table of precomputed base points */
+static const felem gmul[16][3] =
+       {{{0, 0, 0, 0, 0, 0, 0, 0, 0},
+         {0, 0, 0, 0, 0, 0, 0, 0, 0},
+         {0, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x017e7e31c2e5bd66, 0x022cf0615a90a6fe, 0x00127a2ffa8de334,
+          0x01dfbf9d64a3f877, 0x006b4d3dbaa14b5e, 0x014fed487e0a2bd8,
+          0x015b4429c6481390, 0x03a73678fb2d988e, 0x00c6858e06b70404},
+         {0x00be94769fd16650, 0x031c21a89cb09022, 0x039013fad0761353,
+          0x02657bd099031542, 0x03273e662c97ee72, 0x01e6d11a05ebef45,
+          0x03d1bd998f544495, 0x03001172297ed0b1, 0x011839296a789a3b},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x0373faacbc875bae, 0x00f325023721c671, 0x00f666fd3dbde5ad,
+          0x01a6932363f88ea7, 0x01fc6d9e13f9c47b, 0x03bcbffc2bbf734e,
+          0x013ee3c3647f3a92, 0x029409fefe75d07d, 0x00ef9199963d85e5},
+         {0x011173743ad5b178, 0x02499c7c21bf7d46, 0x035beaeabb8b1a58,
+          0x00f989c4752ea0a3, 0x0101e1de48a9c1a3, 0x01a20076be28ba6c,
+          0x02f8052e5eb2de95, 0x01bfe8f82dea117c, 0x0160074d3c36ddb7},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x012f3fc373393b3b, 0x03d3d6172f1419fa, 0x02adc943c0b86873,
+          0x00d475584177952b, 0x012a4d1673750ee2, 0x00512517a0f13b0c,
+          0x02b184671a7b1734, 0x0315b84236f1a50a, 0x00a4afc472edbdb9},
+         {0x00152a7077f385c4, 0x03044007d8d1c2ee, 0x0065829d61d52b52,
+          0x00494ff6b6631d0d, 0x00a11d94d5f06bcf, 0x02d2f89474d9282e,
+          0x0241c5727c06eeb9, 0x0386928710fbdb9d, 0x01f883f727b0dfbe},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x019b0c3c9185544d, 0x006243a37c9d97db, 0x02ee3cbe030a2ad2,
+          0x00cfdd946bb51e0d, 0x0271c00932606b91, 0x03f817d1ec68c561,
+          0x03f37009806a369c, 0x03c1f30baf184fd5, 0x01091022d6d2f065},
+         {0x0292c583514c45ed, 0x0316fca51f9a286c, 0x00300af507c1489a,
+          0x0295f69008298cf1, 0x02c0ed8274943d7b, 0x016509b9b47a431e,
+          0x02bc9de9634868ce, 0x005b34929bffcb09, 0x000c1a0121681524},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x0286abc0292fb9f2, 0x02665eee9805b3f7, 0x01ed7455f17f26d6,
+          0x0346355b83175d13, 0x006284944cd0a097, 0x0191895bcdec5e51,
+          0x02e288370afda7d9, 0x03b22312bfefa67a, 0x01d104d3fc0613fe},
+         {0x0092421a12f7e47f, 0x0077a83fa373c501, 0x03bd25c5f696bd0d,
+          0x035c41e4d5459761, 0x01ca0d1742b24f53, 0x00aaab27863a509c,
+          0x018b6de47df73917, 0x025c0b771705cd01, 0x01fd51d566d760a7},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x01dd92ff6b0d1dbd, 0x039c5e2e8f8afa69, 0x0261ed13242c3b27,
+          0x0382c6e67026e6a0, 0x01d60b10be2089f9, 0x03c15f3dce86723f,
+          0x03c764a32d2a062d, 0x017307eac0fad056, 0x018207c0b96c5256},
+         {0x0196a16d60e13154, 0x03e6ce74c0267030, 0x00ddbf2b4e52a5aa,
+          0x012738241bbf31c8, 0x00ebe8dc04685a28, 0x024c2ad6d380d4a2,
+          0x035ee062a6e62d0e, 0x0029ed74af7d3a0f, 0x00eef32aec142ebd},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x00c31ec398993b39, 0x03a9f45bcda68253, 0x00ac733c24c70890,
+          0x00872b111401ff01, 0x01d178c23195eafb, 0x03bca2c816b87f74,
+          0x0261a9af46fbad7a, 0x0324b2a8dd3d28f9, 0x00918121d8f24e23},
+         {0x032bc8c1ca983cd7, 0x00d869dfb08fc8c6, 0x01693cb61fce1516,
+          0x012a5ea68f4e88a8, 0x010869cab88d7ae3, 0x009081ad277ceee1,
+          0x033a77166d064cdc, 0x03955235a1fb3a95, 0x01251a4a9b25b65e},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x00148a3a1b27f40b, 0x0123186df1b31fdc, 0x00026e7beaad34ce,
+          0x01db446ac1d3dbba, 0x0299c1a33437eaec, 0x024540610183cbb7,
+          0x0173bb0e9ce92e46, 0x02b937e43921214b, 0x01ab0436a9bf01b5},
+         {0x0383381640d46948, 0x008dacbf0e7f330f, 0x03602122bcc3f318,
+          0x01ee596b200620d6, 0x03bd0585fda430b3, 0x014aed77fd123a83,
+          0x005ace749e52f742, 0x0390fe041da2b842, 0x0189a8ceb3299242},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x012a19d6b3282473, 0x00c0915918b423ce, 0x023a954eb94405ae,
+          0x00529f692be26158, 0x0289fa1b6fa4b2aa, 0x0198ae4ceea346ef,
+          0x0047d8cdfbdedd49, 0x00cc8c8953f0f6b8, 0x001424abbff49203},
+         {0x0256732a1115a03a, 0x0351bc38665c6733, 0x03f7b950fb4a6447,
+          0x000afffa94c22155, 0x025763d0a4dab540, 0x000511e92d4fc283,
+          0x030a7e9eda0ee96c, 0x004c3cd93a28bf0a, 0x017edb3a8719217f},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x011de5675a88e673, 0x031d7d0f5e567fbe, 0x0016b2062c970ae5,
+          0x03f4a2be49d90aa7, 0x03cef0bd13822866, 0x03f0923dcf774a6c,
+          0x0284bebc4f322f72, 0x016ab2645302bb2c, 0x01793f95dace0e2a},
+         {0x010646e13527a28f, 0x01ca1babd59dc5e7, 0x01afedfd9a5595df,
+          0x01f15785212ea6b1, 0x0324e5d64f6ae3f4, 0x02d680f526d00645,
+          0x0127920fadf627a7, 0x03b383f75df4f684, 0x0089e0057e783b0a},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x00f334b9eb3c26c6, 0x0298fdaa98568dce, 0x01c2d24843a82292,
+          0x020bcb24fa1b0711, 0x02cbdb3d2b1875e6, 0x0014907598f89422,
+          0x03abe3aa43b26664, 0x02cbf47f720bc168, 0x0133b5e73014b79b},
+         {0x034aab5dab05779d, 0x00cdc5d71fee9abb, 0x0399f16bd4bd9d30,
+          0x03582fa592d82647, 0x02be1cdfb775b0e9, 0x0034f7cea32e94cb,
+          0x0335a7f08f56f286, 0x03b707e9565d1c8b, 0x0015c946ea5b614f},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x024676f6cff72255, 0x00d14625cac96378, 0x00532b6008bc3767,
+          0x01fc16721b985322, 0x023355ea1b091668, 0x029de7afdc0317c3,
+          0x02fc8a7ca2da037c, 0x02de1217d74a6f30, 0x013f7173175b73bf},
+         {0x0344913f441490b5, 0x0200f9e272b61eca, 0x0258a246b1dd55d2,
+          0x03753db9ea496f36, 0x025e02937a09c5ef, 0x030cbd3d14012692,
+          0x01793a67e70dc72a, 0x03ec1d37048a662e, 0x006550f700c32a8d},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x00d3f48a347eba27, 0x008e636649b61bd8, 0x00d3b93716778fb3,
+          0x004d1915757bd209, 0x019d5311a3da44e0, 0x016d1afcbbe6aade,
+          0x0241bf5f73265616, 0x0384672e5d50d39b, 0x005009fee522b684},
+         {0x029b4fab064435fe, 0x018868ee095bbb07, 0x01ea3d6936cc92b8,
+          0x000608b00f78a2f3, 0x02db911073d1c20f, 0x018205938470100a,
+          0x01f1e4964cbe6ff2, 0x021a19a29eed4663, 0x01414485f42afa81},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x01612b3a17f63e34, 0x03813992885428e6, 0x022b3c215b5a9608,
+          0x029b4057e19f2fcb, 0x0384059a587af7e6, 0x02d6400ace6fe610,
+          0x029354d896e8e331, 0x00c047ee6dfba65e, 0x0037720542e9d49d},
+         {0x02ce9eed7c5e9278, 0x0374ed703e79643b, 0x01316c54c4072006,
+          0x005aaa09054b2ee8, 0x002824000c840d57, 0x03d4eba24771ed86,
+          0x0189c50aabc3bdae, 0x0338c01541e15510, 0x00466d56e38eed42},
+         {1, 0, 0, 0, 0, 0, 0, 0, 0}},
+        {{0x007efd8330ad8bd6, 0x02465ed48047710b, 0x0034c6606b215e0c,
+          0x016ae30c53cbf839, 0x01fa17bd37161216, 0x018ead4e61ce8ab9,
+          0x005482ed5f5dee46, 0x037543755bba1d7f, 0x005e5ac7e70a9d0f},
+         {0x0117e1bb2fdcb2a2, 0x03deea36249f40c4, 0x028d09b4a6246cb7,
+          0x03524b8855bcf756, 0x023d7d109d5ceb58, 0x0178e43e3223ef9c,
+          0x0154536a0c6e966a, 0x037964d1286ee9fe, 0x0199bcd90e125055},
+        {1, 0, 0, 0, 0, 0, 0, 0, 0}}};
+
+/* select_point selects the |index|th point from a precomputation table and
+ * copies it to out. */
+static void select_point(const limb index, unsigned int size, const felem pre_comp[size][3],
+                        felem out[3])
+       {
+       unsigned i, j;
+       limb *outlimbs = &out[0][0];
+       memset(outlimbs, 0, 3 * sizeof(felem));
+
+       for (i = 0; i < size; i++)
+               {
+               const limb *inlimbs = &pre_comp[i][0][0];
+               limb mask = i ^ index;
+               mask |= mask >> 4;
+               mask |= mask >> 2;
+               mask |= mask >> 1;
+               mask &= 1;
+               mask--;
+               for (j = 0; j < NLIMBS * 3; j++)
+                       outlimbs[j] |= inlimbs[j] & mask;
+               }
+       }
+
+/* get_bit returns the |i|th bit in |in| */
+static char get_bit(const felem_bytearray in, int i)
+       {
+       if (i < 0)
+               return 0;
+       return (in[i >> 3] >> (i & 7)) & 1;
+       }
+
+/* Interleaved point multiplication using precomputed point multiples:
+ * The small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[],
+ * the scalars in scalars[]. If g_scalar is non-NULL, we also add this multiple
+ * of the generator, using certain (large) precomputed multiples in g_pre_comp.
+ * Output point (X, Y, Z) is stored in x_out, y_out, z_out */
+static void batch_mul(felem x_out, felem y_out, felem z_out,
+       const felem_bytearray scalars[], const unsigned num_points, const u8 *g_scalar,
+       const int mixed, const felem pre_comp[][17][3], const felem g_pre_comp[16][3])
+       {
+       int i, skip;
+       unsigned num, gen_mul = (g_scalar != NULL);
+       felem nq[3], tmp[4];
+       limb bits;
+       u8 sign, digit;
+
+       /* set nq to the point at infinity */
+       memset(nq, 0, 3 * sizeof(felem));
+
+       /* Loop over all scalars msb-to-lsb, interleaving additions
+        * of multiples of the generator (last quarter of rounds)
+        * and additions of other points multiples (every 5th round).
+        */
+       skip = 1; /* save two point operations in the first round */
+       for (i = (num_points ? 520 : 130); i >= 0; --i)
+               {
+               /* double */
+               if (!skip)
+                       point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+
+               /* add multiples of the generator */
+               if (gen_mul && (i <= 130))
+                       {
+                       bits = get_bit(g_scalar, i + 390) << 3;
+                       if (i < 130)
+                               {
+                               bits |= get_bit(g_scalar, i + 260) << 2;
+                               bits |= get_bit(g_scalar, i + 130) << 1;
+                               bits |= get_bit(g_scalar, i);
+                               }
+                       /* select the point to add, in constant time */
+                       select_point(bits, 16, g_pre_comp, tmp);
+                       if (!skip)
+                               {
+                               point_add(nq[0], nq[1], nq[2],
+                                       nq[0], nq[1], nq[2],
+                                       1 /* mixed */, tmp[0], tmp[1], tmp[2]);
+                               }
+                       else
+                               {
+                               memcpy(nq, tmp, 3 * sizeof(felem));
+                               skip = 0;
+                               }
+                       }
+
+               /* do other additions every 5 doublings */
+               if (num_points && (i % 5 == 0))
+                       {
+                       /* loop over all scalars */
+                       for (num = 0; num < num_points; ++num)
+                               {
+                               bits = get_bit(scalars[num], i + 4) << 5;
+                               bits |= get_bit(scalars[num], i + 3) << 4;
+                               bits |= get_bit(scalars[num], i + 2) << 3;
+                               bits |= get_bit(scalars[num], i + 1) << 2;
+                               bits |= get_bit(scalars[num], i) << 1;
+                               bits |= get_bit(scalars[num], i - 1);
+                               ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
+
+                               /* select the point to add or subtract, in constant time */
+                               select_point(digit, 17, pre_comp[num], tmp);
+                               felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative point */
+                               copy_conditional(tmp[1], tmp[3], (-(limb) sign));
+
+                               if (!skip)
+                                       {
+                                       point_add(nq[0], nq[1], nq[2],
+                                               nq[0], nq[1], nq[2],
+                                               mixed, tmp[0], tmp[1], tmp[2]);
+                                       }
+                               else
+                                       {
+                                       memcpy(nq, tmp, 3 * sizeof(felem));
+                                       skip = 0;
+                                       }
+                               }
+                       }
+               }
+       felem_assign(x_out, nq[0]);
+       felem_assign(y_out, nq[1]);
+       felem_assign(z_out, nq[2]);
+       }
+
+
+/* Precomputation for the group generator. */
+typedef struct {
+       felem g_pre_comp[16][3];
+       int references;
+} NISTP521_PRE_COMP;
+
+const EC_METHOD *EC_GFp_nistp521_method(void)
+       {
+       static const EC_METHOD ret = {
+               EC_FLAGS_DEFAULT_OCT,
+               NID_X9_62_prime_field,
+               ec_GFp_nistp521_group_init,
+               ec_GFp_simple_group_finish,
+               ec_GFp_simple_group_clear_finish,
+               ec_GFp_nist_group_copy,
+               ec_GFp_nistp521_group_set_curve,
+               ec_GFp_simple_group_get_curve,
+               ec_GFp_simple_group_get_degree,
+               ec_GFp_simple_group_check_discriminant,
+               ec_GFp_simple_point_init,
+               ec_GFp_simple_point_finish,
+               ec_GFp_simple_point_clear_finish,
+               ec_GFp_simple_point_copy,
+               ec_GFp_simple_point_set_to_infinity,
+               ec_GFp_simple_set_Jprojective_coordinates_GFp,
+               ec_GFp_simple_get_Jprojective_coordinates_GFp,
+               ec_GFp_simple_point_set_affine_coordinates,
+               ec_GFp_nistp521_point_get_affine_coordinates,
+                0 /* point_set_compressed_coordinates */,
+                0 /* point2oct */,
+                0 /* oct2point */,
+               ec_GFp_simple_add,
+               ec_GFp_simple_dbl,
+               ec_GFp_simple_invert,
+               ec_GFp_simple_is_at_infinity,
+               ec_GFp_simple_is_on_curve,
+               ec_GFp_simple_cmp,
+               ec_GFp_simple_make_affine,
+               ec_GFp_simple_points_make_affine,
+               ec_GFp_nistp521_points_mul,
+               ec_GFp_nistp521_precompute_mult,
+               ec_GFp_nistp521_have_precompute_mult,
+               ec_GFp_nist_field_mul,
+               ec_GFp_nist_field_sqr,
+               0 /* field_div */,
+               0 /* field_encode */,
+               0 /* field_decode */,
+               0 /* field_set_to_one */ };
+
+       return &ret;
+       }
+
+
+/******************************************************************************/
+/*                    FUNCTIONS TO MANAGE PRECOMPUTATION
+ */
+
+static NISTP521_PRE_COMP *nistp521_pre_comp_new()
+       {
+       NISTP521_PRE_COMP *ret = NULL;
+       ret = (NISTP521_PRE_COMP *)OPENSSL_malloc(sizeof(NISTP521_PRE_COMP));
+       if (!ret)
+               {
+               ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE);
+               return ret;
+               }
+       memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp));
+       ret->references = 1;
+       return ret;
+       }
+
+static void *nistp521_pre_comp_dup(void *src_)
+       {
+       NISTP521_PRE_COMP *src = src_;
+
+       /* no need to actually copy, these objects never change! */
+       CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP);
+
+       return src_;
+       }
+
+static void nistp521_pre_comp_free(void *pre_)
+       {
+       int i;
+       NISTP521_PRE_COMP *pre = pre_;
+
+       if (!pre)
+               return;
+
+       i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
+       if (i > 0)
+               return;
+
+       OPENSSL_free(pre);
+       }
+
+static void nistp521_pre_comp_clear_free(void *pre_)
+       {
+       int i;
+       NISTP521_PRE_COMP *pre = pre_;
+
+       if (!pre)
+               return;
+
+       i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
+       if (i > 0)
+               return;
+
+       OPENSSL_cleanse(pre, sizeof(*pre));
+       OPENSSL_free(pre);
+       }
+
+/******************************************************************************/
+/*                        OPENSSL EC_METHOD FUNCTIONS
+ */
+
+int ec_GFp_nistp521_group_init(EC_GROUP *group)
+       {
+       int ret;
+       ret = ec_GFp_simple_group_init(group);
+       group->a_is_minus3 = 1;
+       return ret;
+       }
+
+int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+       const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+       {
+       int ret = 0;
+       BN_CTX *new_ctx = NULL;
+       BIGNUM *curve_p, *curve_a, *curve_b;
+
+       if (ctx == NULL)
+               if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+       BN_CTX_start(ctx);
+       if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
+               ((curve_a = BN_CTX_get(ctx)) == NULL) ||
+               ((curve_b = BN_CTX_get(ctx)) == NULL)) goto err;
+       BN_bin2bn(nistp521_curve_params[0], sizeof(felem_bytearray), curve_p);
+       BN_bin2bn(nistp521_curve_params[1], sizeof(felem_bytearray), curve_a);
+       BN_bin2bn(nistp521_curve_params[2], sizeof(felem_bytearray), curve_b);
+       if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) ||
+               (BN_cmp(curve_b, b)))
+               {
+               ECerr(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE,
+                       EC_R_WRONG_CURVE_PARAMETERS);
+               goto err;
+               }
+       group->field_mod_func = BN_nist_mod_521;
+       ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
+err:
+       BN_CTX_end(ctx);
+       if (new_ctx != NULL)
+               BN_CTX_free(new_ctx);
+       return ret;
+       }
+
+/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
+ * (X', Y') = (X/Z^2, Y/Z^3) */
+int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group,
+       const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+       {
+       felem z1, z2, x_in, y_in, x_out, y_out;
+       largefelem tmp;
+
+       if (EC_POINT_is_at_infinity(group, point))
+               {
+               ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES,
+                       EC_R_POINT_AT_INFINITY);
+               return 0;
+               }
+       if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
+               (!BN_to_felem(z1, &point->Z))) return 0;
+       felem_inv(z2, z1);
+       felem_square(tmp, z2); felem_reduce(z1, tmp);
+       felem_mul(tmp, x_in, z1); felem_reduce(x_in, tmp);
+       felem_contract(x_out, x_in);
+       if (x != NULL)
+               {
+               if (!felem_to_BN(x, x_out))
+                       {
+                       ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
+                       return 0;
+                       }
+               }
+       felem_mul(tmp, z1, z2); felem_reduce(z1, tmp);
+       felem_mul(tmp, y_in, z1); felem_reduce(y_in, tmp);
+       felem_contract(y_out, y_in);
+       if (y != NULL)
+               {
+               if (!felem_to_BN(y, y_out))
+                       {
+                       ECerr(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB);
+                       return 0;
+                       }
+               }
+       return 1;
+       }
+
+static void make_points_affine(size_t num, felem points[num][3], felem tmp_felems[num+1])
+       {
+       /* Runs in constant time, unless an input is the point at infinity
+        * (which normally shouldn't happen). */
+       ec_GFp_nistp_points_make_affine_internal(
+               num,
+               points,
+               sizeof(felem),
+               tmp_felems,
+               (void (*)(void *)) felem_one,
+               (int (*)(const void *)) felem_is_zero_int,
+               (void (*)(void *, const void *)) felem_assign,
+               (void (*)(void *, const void *)) felem_square_reduce,
+               (void (*)(void *, const void *, const void *)) felem_mul_reduce,
+               (void (*)(void *, const void *)) felem_inv,
+               (void (*)(void *, const void *)) felem_contract);
+       }
+
+/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL values
+ * Result is stored in r (r can equal one of the inputs). */
+int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
+       const BIGNUM *scalar, size_t num, const EC_POINT *points[],
+       const BIGNUM *scalars[], BN_CTX *ctx)
+       {
+       int ret = 0;
+       int j;
+       int mixed = 0;
+       BN_CTX *new_ctx = NULL;
+       BIGNUM *x, *y, *z, *tmp_scalar;
+       felem_bytearray g_secret;
+       felem_bytearray *secrets = NULL;
+       felem (*pre_comp)[17][3] = NULL;
+       felem *tmp_felems = NULL;
+       felem_bytearray tmp;
+       unsigned i, num_bytes;
+       int have_pre_comp = 0;
+       size_t num_points = num;
+       felem x_in, y_in, z_in, x_out, y_out, z_out;
+       NISTP521_PRE_COMP *pre = NULL;
+       felem (*g_pre_comp)[3] = NULL;
+       EC_POINT *generator = NULL;
+       const EC_POINT *p = NULL;
+       const BIGNUM *p_scalar = NULL;
+
+       if (ctx == NULL)
+               if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+       BN_CTX_start(ctx);
+       if (((x = BN_CTX_get(ctx)) == NULL) ||
+               ((y = BN_CTX_get(ctx)) == NULL) ||
+               ((z = BN_CTX_get(ctx)) == NULL) ||
+               ((tmp_scalar = BN_CTX_get(ctx)) == NULL))
+               goto err;
+
+       if (scalar != NULL)
+               {
+               pre = EC_EX_DATA_get_data(group->extra_data,
+                       nistp521_pre_comp_dup, nistp521_pre_comp_free,
+                       nistp521_pre_comp_clear_free);
+               if (pre)
+                       /* we have precomputation, try to use it */
+                       g_pre_comp = &pre->g_pre_comp[0];
+               else
+                       /* try to use the standard precomputation */
+                       g_pre_comp = (felem (*)[3]) gmul;
+               generator = EC_POINT_new(group);
+               if (generator == NULL)
+                       goto err;
+               /* get the generator from precomputation */
+               if (!felem_to_BN(x, g_pre_comp[1][0]) ||
+                       !felem_to_BN(y, g_pre_comp[1][1]) ||
+                       !felem_to_BN(z, g_pre_comp[1][2]))
+                       {
+                       ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
+                       goto err;
+                       }
+               if (!EC_POINT_set_Jprojective_coordinates_GFp(group,
+                               generator, x, y, z, ctx))
+                       goto err;
+               if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
+                       /* precomputation matches generator */
+                       have_pre_comp = 1;
+               else
+                       /* we don't have valid precomputation:
+                        * treat the generator as a random point */
+                       num_points++;
+               }
+
+       if (num_points > 0)
+               {
+               if (num_points >= 2)
+                       {
+                       /* unless we precompute multiples for just one point,
+                        * converting those into affine form is time well spent  */
+                       mixed = 1;
+                       }
+               secrets = OPENSSL_malloc(num_points * sizeof(felem_bytearray));
+               pre_comp = OPENSSL_malloc(num_points * 17 * 3 * sizeof(felem));
+               if (mixed)
+                       tmp_felems = OPENSSL_malloc((num_points * 17 + 1) * sizeof(felem));
+               if ((secrets == NULL) || (pre_comp == NULL) || (mixed && (tmp_felems == NULL)))
+                       {
+                       ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_MALLOC_FAILURE);
+                       goto err;
+                       }
+
+               /* we treat NULL scalars as 0, and NULL points as points at infinity,
+                * i.e., they contribute nothing to the linear combination */
+               memset(secrets, 0, num_points * sizeof(felem_bytearray));
+               memset(pre_comp, 0, num_points * 17 * 3 * sizeof(felem));
+               for (i = 0; i < num_points; ++i)
+                       {
+                       if (i == num)
+                               /* we didn't have a valid precomputation, so we pick
+                                * the generator */
+                               {
+                               p = EC_GROUP_get0_generator(group);
+                               p_scalar = scalar;
+                               }
+                       else
+                               /* the i^th point */
+                               {
+                               p = points[i];
+                               p_scalar = scalars[i];
+                               }
+                       if ((p_scalar != NULL) && (p != NULL))
+                               {
+                               /* reduce scalar to 0 <= scalar < 2^521 */
+                               if ((BN_num_bits(p_scalar) > 521) || (BN_is_negative(p_scalar)))
+                                       {
+                                       /* this is an unusual input, and we don't guarantee
+                                        * constant-timeness */
+                                       if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx))
+                                               {
+                                               ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
+                                               goto err;
+                                               }
+                                       num_bytes = BN_bn2bin(tmp_scalar, tmp);
+                                       }
+                               else
+                                       num_bytes = BN_bn2bin(p_scalar, tmp);
+                               flip_endian(secrets[i], tmp, num_bytes);
+                               /* precompute multiples */
+                               if ((!BN_to_felem(x_out, &p->X)) ||
+                                       (!BN_to_felem(y_out, &p->Y)) ||
+                                       (!BN_to_felem(z_out, &p->Z))) goto err;
+                               memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
+                               memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
+                               memcpy(pre_comp[i][1][2], z_out, sizeof(felem));
+                               for (j = 2; j <= 16; ++j)
+                                       {
+                                       if (j & 1)
+                                               {
+                                               point_add(
+                                                       pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
+                                                       pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2],
+                                                       0, pre_comp[i][j-1][0], pre_comp[i][j-1][1], pre_comp[i][j-1][2]);
+                                               }
+                                       else
+                                               {
+                                               point_double(
+                                                       pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
+                                                       pre_comp[i][j/2][0], pre_comp[i][j/2][1], pre_comp[i][j/2][2]);
+                                               }
+                                       }
+                               }
+                       }
+               if (mixed)
+                       make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
+               }
+
+       /* the scalar for the generator */
+       if ((scalar != NULL) && (have_pre_comp))
+               {
+               memset(g_secret, 0, sizeof(g_secret));
+               /* reduce scalar to 0 <= scalar < 2^521 */
+               if ((BN_num_bits(scalar) > 521) || (BN_is_negative(scalar)))
+                       {
+                       /* this is an unusual input, and we don't guarantee
+                        * constant-timeness */
+                       if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx))
+                               {
+                               ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
+                               goto err;
+                               }
+                       num_bytes = BN_bn2bin(tmp_scalar, tmp);
+                       }
+               else
+                       num_bytes = BN_bn2bin(scalar, tmp);
+               flip_endian(g_secret, tmp, num_bytes);
+               /* do the multiplication with generator precomputation*/
+               batch_mul(x_out, y_out, z_out,
+                       (const felem_bytearray (*)) secrets, num_points,
+                       g_secret,
+                       mixed, (const felem (*)[17][3]) pre_comp,
+                       (const felem (*)[3]) g_pre_comp);
+               }
+       else
+               /* do the multiplication without generator precomputation */
+               batch_mul(x_out, y_out, z_out,
+                       (const felem_bytearray (*)) secrets, num_points,
+                       NULL, mixed, (const felem (*)[17][3]) pre_comp, NULL);
+       /* reduce the output to its unique minimal representation */
+       felem_contract(x_in, x_out);
+       felem_contract(y_in, y_out);
+       felem_contract(z_in, z_out);
+       if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) ||
+               (!felem_to_BN(z, z_in)))
+               {
+               ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
+               goto err;
+               }
+       ret = EC_POINT_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
+
+err:
+       BN_CTX_end(ctx);
+       if (generator != NULL)
+               EC_POINT_free(generator);
+       if (new_ctx != NULL)
+               BN_CTX_free(new_ctx);
+       if (secrets != NULL)
+               OPENSSL_free(secrets);
+       if (pre_comp != NULL)
+               OPENSSL_free(pre_comp);
+       if (tmp_felems != NULL)
+               OPENSSL_free(tmp_felems);
+       return ret;
+       }
+
+int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+       {
+       int ret = 0;
+       NISTP521_PRE_COMP *pre = NULL;
+       int i, j;
+       BN_CTX *new_ctx = NULL;
+       BIGNUM *x, *y;
+       EC_POINT *generator = NULL;
+       felem tmp_felems[16];
+
+       /* throw away old precomputation */
+       EC_EX_DATA_free_data(&group->extra_data, nistp521_pre_comp_dup,
+               nistp521_pre_comp_free, nistp521_pre_comp_clear_free);
+       if (ctx == NULL)
+               if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+       BN_CTX_start(ctx);
+       if (((x = BN_CTX_get(ctx)) == NULL) ||
+               ((y = BN_CTX_get(ctx)) == NULL))
+               goto err;
+       /* get the generator */
+       if (group->generator == NULL) goto err;
+       generator = EC_POINT_new(group);
+       if (generator == NULL)
+               goto err;
+       BN_bin2bn(nistp521_curve_params[3], sizeof (felem_bytearray), x);
+       BN_bin2bn(nistp521_curve_params[4], sizeof (felem_bytearray), y);
+       if (!EC_POINT_set_affine_coordinates_GFp(group, generator, x, y, ctx))
+               goto err;
+       if ((pre = nistp521_pre_comp_new()) == NULL)
+               goto err;
+       /* if the generator is the standard one, use built-in precomputation */
+       if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
+               {
+               memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
+               ret = 1;
+               goto err;
+               }
+       if ((!BN_to_felem(pre->g_pre_comp[1][0], &group->generator->X)) ||
+               (!BN_to_felem(pre->g_pre_comp[1][1], &group->generator->Y)) ||
+               (!BN_to_felem(pre->g_pre_comp[1][2], &group->generator->Z)))
+               goto err;
+       /* compute 2^130*G, 2^260*G, 2^390*G */
+       for (i = 1; i <= 4; i <<= 1)
+               {
+               point_double(pre->g_pre_comp[2*i][0], pre->g_pre_comp[2*i][1],
+                       pre->g_pre_comp[2*i][2], pre->g_pre_comp[i][0],
+                       pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]);
+               for (j = 0; j < 129; ++j)
+                       {
+                       point_double(pre->g_pre_comp[2*i][0],
+                               pre->g_pre_comp[2*i][1],
+                               pre->g_pre_comp[2*i][2],
+                               pre->g_pre_comp[2*i][0],
+                               pre->g_pre_comp[2*i][1],
+                               pre->g_pre_comp[2*i][2]);
+                       }
+               }
+       /* g_pre_comp[0] is the point at infinity */
+       memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0]));
+       /* the remaining multiples */
+       /* 2^130*G + 2^260*G */
+       point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1],
+               pre->g_pre_comp[6][2], pre->g_pre_comp[4][0],
+               pre->g_pre_comp[4][1], pre->g_pre_comp[4][2],
+               0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
+               pre->g_pre_comp[2][2]);
+       /* 2^130*G + 2^390*G */
+       point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1],
+               pre->g_pre_comp[10][2], pre->g_pre_comp[8][0],
+               pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
+               0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
+               pre->g_pre_comp[2][2]);
+       /* 2^260*G + 2^390*G */
+       point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1],
+               pre->g_pre_comp[12][2], pre->g_pre_comp[8][0],
+               pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
+               0, pre->g_pre_comp[4][0], pre->g_pre_comp[4][1],
+               pre->g_pre_comp[4][2]);
+       /* 2^130*G + 2^260*G + 2^390*G */
+       point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1],
+               pre->g_pre_comp[14][2], pre->g_pre_comp[12][0],
+               pre->g_pre_comp[12][1], pre->g_pre_comp[12][2],
+               0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
+               pre->g_pre_comp[2][2]);
+       for (i = 1; i < 8; ++i)
+               {
+               /* odd multiples: add G */
+               point_add(pre->g_pre_comp[2*i+1][0], pre->g_pre_comp[2*i+1][1],
+                       pre->g_pre_comp[2*i+1][2], pre->g_pre_comp[2*i][0],
+                       pre->g_pre_comp[2*i][1], pre->g_pre_comp[2*i][2],
+                       0, pre->g_pre_comp[1][0], pre->g_pre_comp[1][1],
+                       pre->g_pre_comp[1][2]);
+               }
+       make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems);
+
+       if (!EC_EX_DATA_set_data(&group->extra_data, pre, nistp521_pre_comp_dup,
+                       nistp521_pre_comp_free, nistp521_pre_comp_clear_free))
+               goto err;
+       ret = 1;
+       pre = NULL;
+ err:
+       BN_CTX_end(ctx);
+       if (generator != NULL)
+               EC_POINT_free(generator);
+       if (new_ctx != NULL)
+               BN_CTX_free(new_ctx);
+       if (pre)
+               nistp521_pre_comp_free(pre);
+       return ret;
+       }
+
+int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group)
+       {
+       if (EC_EX_DATA_get_data(group->extra_data, nistp521_pre_comp_dup,
+                       nistp521_pre_comp_free, nistp521_pre_comp_clear_free)
+               != NULL)
+               return 1;
+       else
+               return 0;
+       }
+
+#else
+static void *dummy=&dummy;
+#endif
diff --git a/crypto/ec/ecp_nistputil.c b/crypto/ec/ecp_nistputil.c
new file mode 100644 (file)
index 0000000..6280a43
--- /dev/null
@@ -0,0 +1,196 @@
+/* crypto/ec/ecp_nistputil.c */
+/*
+ * Written by Bodo Moeller for the OpenSSL project.
+ */
+/* Copyright 2011 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ *
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifdef EC_NISTP_64_GCC_128
+
+/*
+ * Common utility functions for ecp_nistp224.c, ecp_nistp256.c, ecp_nistp521.c.
+ */
+
+#include <stddef.h>
+#include "ec_lcl.h"
+
+/* Convert an array of points into affine coordinates.
+ * (If the point at infinity is found (Z = 0), it remains unchanged.)
+ * This function is essentially an equivalent to EC_POINTs_make_affine(), but
+ * works with the internal representation of points as used by ecp_nistp###.c
+ * rather than with (BIGNUM-based) EC_POINT data structures.
+ *
+ * point_array is the input/output buffer ('num' points in projective form,
+ * i.e. three coordinates each), based on an internal representation of
+ * field elements of size 'felem_size'.
+ *
+ * tmp_felems needs to point to a temporary array of 'num'+1 field elements
+ * for storage of intermediate values.
+ */
+void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
+       size_t felem_size, void *tmp_felems,
+       void (*felem_one)(void *out),
+       int (*felem_is_zero)(const void *in),
+       void (*felem_assign)(void *out, const void *in),
+       void (*felem_square)(void *out, const void *in),
+       void (*felem_mul)(void *out, const void *in1, const void *in2),
+       void (*felem_inv)(void *out, const void *in),
+       void (*felem_contract)(void *out, const void *in))
+       {
+       int i = 0;
+
+#define tmp_felem(I) (&((char *)tmp_felems)[(I) * felem_size])
+#define X(I) (&((char *)point_array)[3*(I) * felem_size])
+#define Y(I) (&((char *)point_array)[(3*(I) + 1) * felem_size])
+#define Z(I) (&((char *)point_array)[(3*(I) + 2) * felem_size])
+
+       if (!felem_is_zero(Z(0)))
+               felem_assign(tmp_felem(0), Z(0));
+       else
+               felem_one(tmp_felem(0));
+       for (i = 1; i < (int)num; i++)
+               {
+               if (!felem_is_zero(Z(i)))
+                       felem_mul(tmp_felem(i), tmp_felem(i-1), Z(i));
+               else
+                       felem_assign(tmp_felem(i), tmp_felem(i-1));
+               }
+       /* Now each tmp_felem(i) is the product of Z(0) .. Z(i), skipping any zero-valued factors:
+        * if Z(i) = 0, we essentially pretend that Z(i) = 1 */
+
+       felem_inv(tmp_felem(num-1), tmp_felem(num-1));
+       for (i = num - 1; i >= 0; i--)
+               {
+               if (i > 0)
+                       /* tmp_felem(i-1) is the product of Z(0) .. Z(i-1),
+                        * tmp_felem(i) is the inverse of the product of Z(0) .. Z(i)
+                        */
+                       felem_mul(tmp_felem(num), tmp_felem(i-1), tmp_felem(i)); /* 1/Z(i) */
+               else
+                       felem_assign(tmp_felem(num), tmp_felem(0)); /* 1/Z(0) */
+
+               if (!felem_is_zero(Z(i)))
+                       {
+                       if (i > 0)
+                               /* For next iteration, replace tmp_felem(i-1) by its inverse */
+                               felem_mul(tmp_felem(i-1), tmp_felem(i), Z(i));
+
+                       /* Convert point (X, Y, Z) into affine form (X/(Z^2), Y/(Z^3), 1) */
+                       felem_square(Z(i), tmp_felem(num)); /* 1/(Z^2) */
+                       felem_mul(X(i), X(i), Z(i)); /* X/(Z^2) */
+                       felem_mul(Z(i), Z(i), tmp_felem(num)); /* 1/(Z^3) */
+                       felem_mul(Y(i), Y(i), Z(i)); /* Y/(Z^3) */
+                       felem_contract(X(i), X(i));
+                       felem_contract(Y(i), Y(i));
+                       felem_one(Z(i));
+                       }
+               else
+                       {
+                       if (i > 0)
+                               /* For next iteration, replace tmp_felem(i-1) by its inverse */
+                               felem_assign(tmp_felem(i-1), tmp_felem(i));
+                       }
+               }
+       }
+
+/*
+ * This function looks at 5+1 scalar bits (5 current, 1 adjacent less
+ * significant bit), and recodes them into a signed digit for use in fast point
+ * multiplication: the use of signed rather than unsigned digits means that
+ * fewer points need to be precomputed, given that point inversion is easy
+ * (a precomputed point dP makes -dP available as well).
+ *
+ * BACKGROUND:
+ *
+ * Signed digits for multiplication were introduced by Booth ("A signed binary
+ * multiplication technique", Quart. Journ. Mech. and Applied Math., vol. IV,
+ * pt. 2 (1951), pp. 236-240), in that case for multiplication of integers.
+ * Booth's original encoding did not generally improve the density of nonzero
+ * digits over the binary representation, and was merely meant to simplify the
+ * handling of signed factors given in two's complement; but it has since been
+ * shown to be the basis of various signed-digit representations that do have
+ * further advantages, including the wNAF, using the following general approach:
+ *
+ * (1) Given a binary representation
+ *
+ *       b_k  ...  b_2  b_1  b_0,
+ *
+ *     of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
+ *     by using bit-wise subtraction as follows:
+ *
+ *        b_k b_(k-1)  ...  b_2  b_1  b_0
+ *      -     b_k      ...  b_3  b_2  b_1  b_0
+ *       -------------------------------------
+ *        s_k b_(k-1)  ...  s_3  s_2  s_1  s_0
+ *
+ *     A left-shift followed by subtraction of the original value yields a new
+ *     representation of the same value, using signed bits s_i = b_(i+1) - b_i.
+ *     This representation from Booth's paper has since appeared in the
+ *     literature under a variety of different names including "reversed binary
+ *     form", "alternating greedy expansion", "mutual opposite form", and
+ *     "sign-alternating {+-1}-representation".
+ *
+ *     An interesting property is that among the nonzero bits, values 1 and -1
+ *     strictly alternate.
+ *
+ * (2) Various window schemes can be applied to the Booth representation of
+ *     integers: for example, right-to-left sliding windows yield the wNAF
+ *     (a signed-digit encoding independently discovered by various researchers
+ *     in the 1990s), and left-to-right sliding windows yield a left-to-right
+ *     equivalent of the wNAF (independently discovered by various researchers
+ *     around 2004).
+ *
+ * To prevent leaking information through side channels in point multiplication,
+ * we need to recode the given integer into a regular pattern: sliding windows
+ * as in wNAFs won't do, we need their fixed-window equivalent -- which is a few
+ * decades older: we'll be using the so-called "modified Booth encoding" due to
+ * MacSorley ("High-speed arithmetic in binary computers", Proc. IRE, vol. 49
+ * (1961), pp. 67-91), in a radix-2^5 setting.  That is, we always combine five
+ * signed bits into a signed digit:
+ *
+ *       s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
+ *
+ * The sign-alternating property implies that the resulting digit values are
+ * integers from -16 to 16.
+ *
+ * Of course, we don't actually need to compute the signed digits s_i as an
+ * intermediate step (that's just a nice way to see how this scheme relates
+ * to the wNAF): a direct computation obtains the recoded digit from the
+ * six bits b_(4j + 4) ... b_(4j - 1).
+ *
+ * This function takes those five bits as an integer (0 .. 63), writing the
+ * recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
+ * value, in the range 0 .. 8).  Note that this integer essentially provides the
+ * input bits "shifted to the left" by one position: for example, the input to
+ * compute the least significant recoded digit, given that there's no bit b_-1,
+ * has to be b_4 b_3 b_2 b_1 b_0 0.
+ *
+ */
+void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in)
+       {
+       unsigned char s, d;
+
+       s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as 6-bit value */
+       d = (1 << 6) - in - 1;
+       d = (d & s) | (in & ~s);
+       d = (d >> 1) + (d & 1);
+
+       *sign = s & 1;
+       *digit = d;
+       }
+#else
+static void *dummy=&dummy;
+#endif
index 67dfdaa..7f41ffa 100644 (file)
@@ -235,7 +235,7 @@ static void group_order_tests(EC_GROUP *group)
        }
 
 static void prime_field_tests(void)
-       {       
+       {
        BN_CTX *ctx = NULL;
        BIGNUM *p, *a, *b;
        EC_GROUP *group;
@@ -1262,15 +1262,76 @@ static void internal_curve_test(void)
        if (ok)
                fprintf(stdout, " ok\n\n");
        else
+               {
                fprintf(stdout, " failed\n\n");
+               ABORT;
+               }
        OPENSSL_free(curves);
        return;
        }
 
-#ifdef EC_NISTP224_64_GCC_128
-void nistp224_test()
+#ifdef EC_NISTP_64_GCC_128
+/* nistp_test_params contains magic numbers for testing our optimized
+ * implementations of several NIST curves with characteristic > 3. */
+struct nistp_test_params
+       {
+       const EC_METHOD* (*meth) ();
+       int degree;
+       /* Qx, Qy and D are taken from
+        * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
+        * Otherwise, values are standard curve parameters from FIPS 180-3 */
+       const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
+       };
+
+static const struct nistp_test_params nistp_tests_params[] =
+       {
+               {
+               /* P-224 */
+               EC_GFp_nistp224_method,
+               224,
+               "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", /* p */
+               "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", /* a */
+               "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", /* b */
+               "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", /* Qx */
+               "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", /* Qy */
+               "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", /* Gx */
+               "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", /* Gy */
+               "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", /* order */
+               "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", /* d */
+               },
+               {
+               /* P-256 */
+               EC_GFp_nistp256_method,
+               256,
+               "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", /* p */
+               "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", /* a */
+               "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", /* b */
+               "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", /* Qx */
+               "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", /* Qy */
+               "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", /* Gx */
+               "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", /* Gy */
+               "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", /* order */
+               "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", /* d */
+               },
+               {
+               /* P-521 */
+               EC_GFp_nistp521_method,
+               521,
+               "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", /* p */
+               "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", /* a */
+               "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", /* b */
+               "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", /* Qx */
+               "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", /* Qy */
+               "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", /* Gx */
+               "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", /* Gy */
+               "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", /* order */
+               "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", /* d */
+               },
+       };
+
+void nistp_single_test(const struct nistp_test_params *test)
        {
-       fprintf(stdout, "\nNIST curve P-224 (optimised implementation):\n");
+       fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", test->degree);
        BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
        p = BN_new();
        a = BN_new();
@@ -1278,82 +1339,82 @@ void nistp224_test()
        x = BN_new(); y = BN_new();
        m = BN_new(); n = BN_new(); order = BN_new();
        BN_CTX *ctx = BN_CTX_new();
-       EC_GROUP *NISTP224;
+       EC_GROUP *NISTP;
        EC_POINT *G, *P, *Q, *Q_CHECK;
 
-       NISTP224 = EC_GROUP_new(EC_GFp_nistp224_method());
-       if(!NISTP224) ABORT;
-       if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT;
+       NISTP = EC_GROUP_new(test->meth());
+       if(!NISTP) ABORT;
+       if (!BN_hex2bn(&p, test->p)) ABORT;
        if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
-       if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT;
-       if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT;
-       if (!EC_GROUP_set_curve_GFp(NISTP224, p, a, b, ctx)) ABORT;
-       G = EC_POINT_new(NISTP224);
-       P = EC_POINT_new(NISTP224);
-       Q = EC_POINT_new(NISTP224);
-       Q_CHECK = EC_POINT_new(NISTP224);
-       if(!BN_hex2bn(&x, "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E")) ABORT;
-       if(!BN_hex2bn(&y, "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555")) ABORT;
-       if(!EC_POINT_set_affine_coordinates_GFp(NISTP224, Q_CHECK, x, y, ctx)) ABORT;
-       if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) ABORT;
-       if (!BN_hex2bn(&y, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
-       if (!EC_POINT_set_affine_coordinates_GFp(NISTP224, G, x, y, ctx)) ABORT;
-       if (!BN_hex2bn(&order, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) ABORT;
-       if (!EC_GROUP_set_generator(NISTP224, G, order, BN_value_one())) ABORT;
+       if (!BN_hex2bn(&a, test->a)) ABORT;
+       if (!BN_hex2bn(&b, test->b)) ABORT;
+       if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) ABORT;
+       G = EC_POINT_new(NISTP);
+       P = EC_POINT_new(NISTP);
+       Q = EC_POINT_new(NISTP);
+       Q_CHECK = EC_POINT_new(NISTP);
+       if(!BN_hex2bn(&x, test->Qx)) ABORT;
+       if(!BN_hex2bn(&y, test->Qy)) ABORT;
+       if(!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT;
+       if (!BN_hex2bn(&x, test->Gx)) ABORT;
+       if (!BN_hex2bn(&y, test->Gy)) ABORT;
+       if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) ABORT;
+       if (!BN_hex2bn(&order, test->order)) ABORT;
+       if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
 
        fprintf(stdout, "verify degree ... ");
-       if (EC_GROUP_get_degree(NISTP224) != 224) ABORT;
+       if (EC_GROUP_get_degree(NISTP) != test->degree) ABORT;
        fprintf(stdout, "ok\n");
 
        fprintf(stdout, "NIST test vectors ... ");
-       if (!BN_hex2bn(&n, "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8")) ABORT;
+       if (!BN_hex2bn(&n, test->d)) ABORT;
        /* fixed point multiplication */
-       EC_POINT_mul(NISTP224, Q, n, NULL, NULL, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
        /* random point multiplication */
-       EC_POINT_mul(NISTP224, Q, NULL, G, n, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
 
        /* set generator to P = 2*G, where G is the standard generator */
-       if (!EC_POINT_dbl(NISTP224, P, G, ctx)) ABORT;
-       if (!EC_GROUP_set_generator(NISTP224, P, order, BN_value_one())) ABORT;
+       if (!EC_POINT_dbl(NISTP, P, G, ctx)) ABORT;
+       if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) ABORT;
        /* set the scalar to m=n/2, where n is the NIST test scalar */
        if (!BN_rshift(m, n, 1)) ABORT;
 
        /* test the non-standard generator */
        /* fixed point multiplication */
-       EC_POINT_mul(NISTP224, Q, m, NULL, NULL, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
        /* random point multiplication */
-       EC_POINT_mul(NISTP224, Q, NULL, P, m, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
 
        /* now repeat all tests with precomputation */
-       if (!EC_GROUP_precompute_mult(NISTP224, ctx)) ABORT;
+       if (!EC_GROUP_precompute_mult(NISTP, ctx)) ABORT;
 
        /* fixed point multiplication */
-       EC_POINT_mul(NISTP224, Q, m, NULL, NULL, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
        /* random point multiplication */
-       EC_POINT_mul(NISTP224, Q, NULL, P, m, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
 
        /* reset generator */
-       if (!EC_GROUP_set_generator(NISTP224, G, order, BN_value_one())) ABORT;
+       if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
        /* fixed point multiplication */
-       EC_POINT_mul(NISTP224, Q, n, NULL, NULL, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
        /* random point multiplication */
-       EC_POINT_mul(NISTP224, Q, NULL, G, n, ctx);
-       if (0 != EC_POINT_cmp(NISTP224, Q, Q_CHECK, ctx)) ABORT;
+       EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+       if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
 
        fprintf(stdout, "ok\n");
-       group_order_tests(NISTP224);
+       group_order_tests(NISTP);
 #if 0
-       timings(NISTP224, TIMING_BASE_PT, ctx);
-       timings(NISTP224, TIMING_RAND_PT, ctx);
+       timings(NISTP, TIMING_BASE_PT, ctx);
+       timings(NISTP, TIMING_RAND_PT, ctx);
 #endif
-       EC_GROUP_free(NISTP224);
+       EC_GROUP_free(NISTP);
        EC_POINT_free(G);
        EC_POINT_free(P);
        EC_POINT_free(Q);
@@ -1368,6 +1429,16 @@ void nistp224_test()
        BN_free(order);
        BN_CTX_free(ctx);
        }
+
+void nistp_tests()
+       {
+       unsigned i;
+
+       for (i = 0; i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params); i++)
+               {
+               nistp_single_test(&nistp_tests_params[i]);
+               }
+       }
 #endif
 
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
@@ -1396,8 +1467,8 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_EC2M
        char2_field_tests();
 #endif
-#ifdef EC_NISTP224_64_GCC_128
-       nistp224_test();
+#ifdef EC_NISTP_64_GCC_128
+       nistp_tests();
 #endif
        /* test the internal curves */
        internal_curve_test();