From 425dde5d75a6ffff9a1027107711b99da39e3519 Mon Sep 17 00:00:00 2001 From: "Dr. Matthias St. Pierre" Date: Tue, 4 Dec 2018 23:59:24 +0100 Subject: [PATCH] curve25519.c: improve formula alignment Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7750) --- crypto/ec/curve25519.c | 1036 ++++++++++++++++++++-------------------- 1 file changed, 513 insertions(+), 523 deletions(-) diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index 87ca46568f..7d12c5d5eb 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -759,6 +759,7 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32], */ typedef int32_t fe[10]; +static const int64_t kBottom21Bits = 0x1fffffLL; static const int64_t kBottom25Bits = 0x1ffffffLL; static const int64_t kBottom26Bits = 0x3ffffffLL; static const int64_t kTop39Bits = 0xfffffffffe000000LL; @@ -768,7 +769,7 @@ static uint64_t load_3(const uint8_t *in) { uint64_t result; - result = (uint64_t)in[0]; + result = ((uint64_t)in[0]); result |= ((uint64_t)in[1]) << 8; result |= ((uint64_t)in[2]) << 16; return result; @@ -778,7 +779,7 @@ static uint64_t load_4(const uint8_t *in) { uint64_t result; - result = (uint64_t)in[0]; + result = ((uint64_t)in[0]); result |= ((uint64_t)in[1]) << 8; result |= ((uint64_t)in[2]) << 16; result |= ((uint64_t)in[3]) << 24; @@ -788,16 +789,16 @@ static uint64_t load_4(const uint8_t *in) static void fe_frombytes(fe h, const uint8_t *s) { /* Ignores top bit of h. */ - int64_t h0 = load_4(s); - int64_t h1 = load_3(s + 4) << 6; - int64_t h2 = load_3(s + 7) << 5; - int64_t h3 = load_3(s + 10) << 3; - int64_t h4 = load_3(s + 13) << 2; - int64_t h5 = load_4(s + 16); - int64_t h6 = load_3(s + 20) << 7; - int64_t h7 = load_3(s + 23) << 5; - int64_t h8 = load_3(s + 26) << 4; - int64_t h9 = (load_3(s + 29) & 8388607) << 2; + int64_t h0 = load_4(s); + int64_t h1 = load_3(s + 4) << 6; + int64_t h2 = load_3(s + 7) << 5; + int64_t h3 = load_3(s + 10) << 3; + int64_t h4 = load_3(s + 13) << 2; + int64_t h5 = load_4(s + 16); + int64_t h6 = load_3(s + 20) << 7; + int64_t h7 = load_3(s + 23) << 5; + int64_t h8 = load_3(s + 26) << 4; + int64_t h9 = (load_3(s + 29) & 0x7fffff) << 2; int64_t carry0; int64_t carry1; int64_t carry2; @@ -905,38 +906,38 @@ static void fe_tobytes(uint8_t *s, const fe h) * evidently 2^255 h10-2^255 q = 0. * Goal: Output h0+...+2^230 h9. */ - s[0] = (uint8_t)(h0 >> 0); - s[1] = (uint8_t)(h0 >> 8); - s[2] = (uint8_t)(h0 >> 16); - s[3] = (uint8_t)((h0 >> 24) | ((uint32_t)(h1) << 2)); - s[4] = (uint8_t)(h1 >> 6); - s[5] = (uint8_t)(h1 >> 14); - s[6] = (uint8_t)((h1 >> 22) | ((uint32_t)(h2) << 3)); - s[7] = (uint8_t)(h2 >> 5); - s[8] = (uint8_t)(h2 >> 13); - s[9] = (uint8_t)((h2 >> 21) | ((uint32_t)(h3) << 5)); - s[10] = (uint8_t)(h3 >> 3); - s[11] = (uint8_t)(h3 >> 11); + s[ 0] = (uint8_t) (h0 >> 0); + s[ 1] = (uint8_t) (h0 >> 8); + s[ 2] = (uint8_t) (h0 >> 16); + s[ 3] = (uint8_t)((h0 >> 24) | ((uint32_t)(h1) << 2)); + s[ 4] = (uint8_t) (h1 >> 6); + s[ 5] = (uint8_t) (h1 >> 14); + s[ 6] = (uint8_t)((h1 >> 22) | ((uint32_t)(h2) << 3)); + s[ 7] = (uint8_t) (h2 >> 5); + s[ 8] = (uint8_t) (h2 >> 13); + s[ 9] = (uint8_t)((h2 >> 21) | ((uint32_t)(h3) << 5)); + s[10] = (uint8_t) (h3 >> 3); + s[11] = (uint8_t) (h3 >> 11); s[12] = (uint8_t)((h3 >> 19) | ((uint32_t)(h4) << 6)); - s[13] = (uint8_t)(h4 >> 2); - s[14] = (uint8_t)(h4 >> 10); - s[15] = (uint8_t)(h4 >> 18); - s[16] = (uint8_t)(h5 >> 0); - s[17] = (uint8_t)(h5 >> 8); - s[18] = (uint8_t)(h5 >> 16); + s[13] = (uint8_t) (h4 >> 2); + s[14] = (uint8_t) (h4 >> 10); + s[15] = (uint8_t) (h4 >> 18); + s[16] = (uint8_t) (h5 >> 0); + s[17] = (uint8_t) (h5 >> 8); + s[18] = (uint8_t) (h5 >> 16); s[19] = (uint8_t)((h5 >> 24) | ((uint32_t)(h6) << 1)); - s[20] = (uint8_t)(h6 >> 7); - s[21] = (uint8_t)(h6 >> 15); + s[20] = (uint8_t) (h6 >> 7); + s[21] = (uint8_t) (h6 >> 15); s[22] = (uint8_t)((h6 >> 23) | ((uint32_t)(h7) << 3)); - s[23] = (uint8_t)(h7 >> 5); - s[24] = (uint8_t)(h7 >> 13); + s[23] = (uint8_t) (h7 >> 5); + s[24] = (uint8_t) (h7 >> 13); s[25] = (uint8_t)((h7 >> 21) | ((uint32_t)(h8) << 4)); - s[26] = (uint8_t)(h8 >> 4); - s[27] = (uint8_t)(h8 >> 12); + s[26] = (uint8_t) (h8 >> 4); + s[27] = (uint8_t) (h8 >> 12); s[28] = (uint8_t)((h8 >> 20) | ((uint32_t)(h9) << 6)); - s[29] = (uint8_t)(h9 >> 2); - s[30] = (uint8_t)(h9 >> 10); - s[31] = (uint8_t)(h9 >> 18); + s[29] = (uint8_t) (h9 >> 2); + s[30] = (uint8_t) (h9 >> 10); + s[31] = (uint8_t) (h9 >> 18); } /* h = f */ @@ -1166,16 +1167,16 @@ static void fe_mul(fe h, const fe f, const fe g) int64_t f9g7_38 = f9_2 * (int64_t) g7_19; int64_t f9g8_19 = f9 * (int64_t) g8_19; int64_t f9g9_38 = f9_2 * (int64_t) g9_19; - int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; - int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; - int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; - int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; - int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; - int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; - int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; - int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; - int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38; - int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; + int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38; + int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19; + int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38; + int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19; + int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38; + int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19; + int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38; + int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19; + int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38; + int64_t h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0 ; int64_t carry0; int64_t carry1; int64_t carry2; @@ -1340,16 +1341,16 @@ static void fe_sq(fe h, const fe f) int64_t f8f8_19 = f8 * (int64_t) f8_19; int64_t f8f9_38 = f8 * (int64_t) f9_38; int64_t f9f9_38 = f9 * (int64_t) f9_38; - int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; - int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; - int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; - int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; - int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; - int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; - int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; - int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; - int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; - int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; + int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; + int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; + int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; + int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; + int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; + int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; + int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; + int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; + int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; + int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; int64_t carry0; int64_t carry1; int64_t carry2; @@ -1649,16 +1650,16 @@ static void fe_sq2(fe h, const fe f) int64_t f8f8_19 = f8 * (int64_t) f8_19; int64_t f8f9_38 = f8 * (int64_t) f9_38; int64_t f9f9_38 = f9 * (int64_t) f9_38; - int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; - int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; - int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; - int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; - int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; - int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; - int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; - int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; - int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; - int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; + int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; + int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; + int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; + int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; + int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; + int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; + int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; + int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; + int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; + int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; int64_t carry0; int64_t carry1; int64_t carry2; @@ -4612,30 +4613,30 @@ static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a, */ static void x25519_sc_reduce(uint8_t *s) { - int64_t s0 = 2097151 & load_3(s); - int64_t s1 = 2097151 & (load_4(s + 2) >> 5); - int64_t s2 = 2097151 & (load_3(s + 5) >> 2); - int64_t s3 = 2097151 & (load_4(s + 7) >> 7); - int64_t s4 = 2097151 & (load_4(s + 10) >> 4); - int64_t s5 = 2097151 & (load_3(s + 13) >> 1); - int64_t s6 = 2097151 & (load_4(s + 15) >> 6); - int64_t s7 = 2097151 & (load_3(s + 18) >> 3); - int64_t s8 = 2097151 & load_3(s + 21); - int64_t s9 = 2097151 & (load_4(s + 23) >> 5); - int64_t s10 = 2097151 & (load_3(s + 26) >> 2); - int64_t s11 = 2097151 & (load_4(s + 28) >> 7); - int64_t s12 = 2097151 & (load_4(s + 31) >> 4); - int64_t s13 = 2097151 & (load_3(s + 34) >> 1); - int64_t s14 = 2097151 & (load_4(s + 36) >> 6); - int64_t s15 = 2097151 & (load_3(s + 39) >> 3); - int64_t s16 = 2097151 & load_3(s + 42); - int64_t s17 = 2097151 & (load_4(s + 44) >> 5); - int64_t s18 = 2097151 & (load_3(s + 47) >> 2); - int64_t s19 = 2097151 & (load_4(s + 49) >> 7); - int64_t s20 = 2097151 & (load_4(s + 52) >> 4); - int64_t s21 = 2097151 & (load_3(s + 55) >> 1); - int64_t s22 = 2097151 & (load_4(s + 57) >> 6); - int64_t s23 = (load_4(s + 60) >> 3); + int64_t s0 = kBottom21Bits & load_3(s); + int64_t s1 = kBottom21Bits & (load_4(s + 2) >> 5); + int64_t s2 = kBottom21Bits & (load_3(s + 5) >> 2); + int64_t s3 = kBottom21Bits & (load_4(s + 7) >> 7); + int64_t s4 = kBottom21Bits & (load_4(s + 10) >> 4); + int64_t s5 = kBottom21Bits & (load_3(s + 13) >> 1); + int64_t s6 = kBottom21Bits & (load_4(s + 15) >> 6); + int64_t s7 = kBottom21Bits & (load_3(s + 18) >> 3); + int64_t s8 = kBottom21Bits & load_3(s + 21); + int64_t s9 = kBottom21Bits & (load_4(s + 23) >> 5); + int64_t s10 = kBottom21Bits & (load_3(s + 26) >> 2); + int64_t s11 = kBottom21Bits & (load_4(s + 28) >> 7); + int64_t s12 = kBottom21Bits & (load_4(s + 31) >> 4); + int64_t s13 = kBottom21Bits & (load_3(s + 34) >> 1); + int64_t s14 = kBottom21Bits & (load_4(s + 36) >> 6); + int64_t s15 = kBottom21Bits & (load_3(s + 39) >> 3); + int64_t s16 = kBottom21Bits & load_3(s + 42); + int64_t s17 = kBottom21Bits & (load_4(s + 44) >> 5); + int64_t s18 = kBottom21Bits & (load_3(s + 47) >> 2); + int64_t s19 = kBottom21Bits & (load_4(s + 49) >> 7); + int64_t s20 = kBottom21Bits & (load_4(s + 52) >> 4); + int64_t s21 = kBottom21Bits & (load_3(s + 55) >> 1); + int64_t s22 = kBottom21Bits & (load_4(s + 57) >> 6); + int64_t s23 = (load_4(s + 60) >> 3); int64_t carry0; int64_t carry1; int64_t carry2; @@ -4660,7 +4661,7 @@ static void x25519_sc_reduce(uint8_t *s) s14 -= s23 * 997805; s15 += s23 * 136657; s16 -= s23 * 683901; - s23 = 0; + s23 = 0; s10 += s22 * 666643; s11 += s22 * 470296; @@ -4668,46 +4669,46 @@ static void x25519_sc_reduce(uint8_t *s) s13 -= s22 * 997805; s14 += s22 * 136657; s15 -= s22 * 683901; - s22 = 0; + s22 = 0; - s9 += s21 * 666643; + s9 += s21 * 666643; s10 += s21 * 470296; s11 += s21 * 654183; s12 -= s21 * 997805; s13 += s21 * 136657; s14 -= s21 * 683901; - s21 = 0; + s21 = 0; - s8 += s20 * 666643; - s9 += s20 * 470296; + s8 += s20 * 666643; + s9 += s20 * 470296; s10 += s20 * 654183; s11 -= s20 * 997805; s12 += s20 * 136657; s13 -= s20 * 683901; - s20 = 0; + s20 = 0; - s7 += s19 * 666643; - s8 += s19 * 470296; - s9 += s19 * 654183; + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; s10 -= s19 * 997805; s11 += s19 * 136657; s12 -= s19 * 683901; - s19 = 0; + s19 = 0; - s6 += s18 * 666643; - s7 += s18 * 470296; - s8 += s18 * 654183; - s9 -= s18 * 997805; + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; s10 += s18 * 136657; s11 -= s18 * 683901; - s18 = 0; + s18 = 0; carry6 = (s6 + (1 << 20)) >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry8 = (s8 + (1 << 20)) >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); @@ -4722,11 +4723,11 @@ static void x25519_sc_reduce(uint8_t *s) s16 -= carry16 * (1 << 21); carry7 = (s7 + (1 << 20)) >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 * (1 << 21); @@ -4737,130 +4738,130 @@ static void x25519_sc_reduce(uint8_t *s) s16 += carry15; s15 -= carry15 * (1 << 21); - s5 += s17 * 666643; - s6 += s17 * 470296; - s7 += s17 * 654183; - s8 -= s17 * 997805; - s9 += s17 * 136657; + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; s10 -= s17 * 683901; - s17 = 0; - - s4 += s16 * 666643; - s5 += s16 * 470296; - s6 += s16 * 654183; - s7 -= s16 * 997805; - s8 += s16 * 136657; - s9 -= s16 * 683901; - s16 = 0; - - s3 += s15 * 666643; - s4 += s15 * 470296; - s5 += s15 * 654183; - s6 -= s15 * 997805; - s7 += s15 * 136657; - s8 -= s15 * 683901; - s15 = 0; - - s2 += s14 * 666643; - s3 += s14 * 470296; - s4 += s14 * 654183; - s5 -= s14 * 997805; - s6 += s14 * 136657; - s7 -= s14 * 683901; - s14 = 0; - - s1 += s13 * 666643; - s2 += s13 * 470296; - s3 += s13 * 654183; - s4 -= s13 * 997805; - s5 += s13 * 136657; - s6 -= s13 * 683901; - s13 = 0; - - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - s12 = 0; + s17 = 0; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + s16 = 0; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + s15 = 0; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + s14 = 0; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + s13 = 0; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; carry0 = (s0 + (1 << 20)) >> 21; - s1 += carry0; - s0 -= carry0 * (1 << 21); + s1 += carry0; + s0 -= carry0 * (1 << 21); carry2 = (s2 + (1 << 20)) >> 21; - s3 += carry2; - s2 -= carry2 * (1 << 21); + s3 += carry2; + s2 -= carry2 * (1 << 21); carry4 = (s4 + (1 << 20)) >> 21; - s5 += carry4; - s4 -= carry4 * (1 << 21); + s5 += carry4; + s4 -= carry4 * (1 << 21); carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 * (1 << 21); carry8 = (s8 + (1 << 20)) >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); carry1 = (s1 + (1 << 20)) >> 21; - s2 += carry1; - s1 -= carry1 * (1 << 21); + s2 += carry1; + s1 -= carry1 * (1 << 21); carry3 = (s3 + (1 << 20)) >> 21; - s4 += carry3; - s3 -= carry3 * (1 << 21); + s4 += carry3; + s3 -= carry3 * (1 << 21); carry5 = (s5 + (1 << 20)) >> 21; - s6 += carry5; - s5 -= carry5 * (1 << 21); + s6 += carry5; + s5 -= carry5 * (1 << 21); carry7 = (s7 + (1 << 20)) >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 * (1 << 21); - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - s12 = 0; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; carry0 = s0 >> 21; - s1 += carry0; - s0 -= carry0 * (1 << 21); + s1 += carry0; + s0 -= carry0 * (1 << 21); carry1 = s1 >> 21; - s2 += carry1; - s1 -= carry1 * (1 << 21); + s2 += carry1; + s1 -= carry1 * (1 << 21); carry2 = s2 >> 21; - s3 += carry2; - s2 -= carry2 * (1 << 21); + s3 += carry2; + s2 -= carry2 * (1 << 21); carry3 = s3 >> 21; - s4 += carry3; - s3 -= carry3 * (1 << 21); + s4 += carry3; + s3 -= carry3 * (1 << 21); carry4 = s4 >> 21; - s5 += carry4; - s4 -= carry4 * (1 << 21); + s5 += carry4; + s4 -= carry4 * (1 << 21); carry5 = s5 >> 21; - s6 += carry5; - s5 -= carry5 * (1 << 21); + s6 += carry5; + s5 -= carry5 * (1 << 21); carry6 = s6 >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry7 = s7 >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry8 = s8 >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry9 = s9 >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); @@ -4868,80 +4869,80 @@ static void x25519_sc_reduce(uint8_t *s) s12 += carry11; s11 -= carry11 * (1 << 21); - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - s12 = 0; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; carry0 = s0 >> 21; - s1 += carry0; - s0 -= carry0 * (1 << 21); + s1 += carry0; + s0 -= carry0 * (1 << 21); carry1 = s1 >> 21; - s2 += carry1; - s1 -= carry1 * (1 << 21); + s2 += carry1; + s1 -= carry1 * (1 << 21); carry2 = s2 >> 21; - s3 += carry2; - s2 -= carry2 * (1 << 21); + s3 += carry2; + s2 -= carry2 * (1 << 21); carry3 = s3 >> 21; - s4 += carry3; - s3 -= carry3 * (1 << 21); + s4 += carry3; + s3 -= carry3 * (1 << 21); carry4 = s4 >> 21; - s5 += carry4; - s4 -= carry4 * (1 << 21); + s5 += carry4; + s4 -= carry4 * (1 << 21); carry5 = s5 >> 21; - s6 += carry5; - s5 -= carry5 * (1 << 21); + s6 += carry5; + s5 -= carry5 * (1 << 21); carry6 = s6 >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry7 = s7 >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry8 = s8 >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry9 = s9 >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); - s[0] = (uint8_t)(s0 >> 0); - s[1] = (uint8_t)(s0 >> 8); - s[2] = (uint8_t)((s0 >> 16) | (s1 << 5)); - s[3] = (uint8_t)(s1 >> 3); - s[4] = (uint8_t)(s1 >> 11); - s[5] = (uint8_t)((s1 >> 19) | (s2 << 2)); - s[6] = (uint8_t)(s2 >> 6); - s[7] = (uint8_t)((s2 >> 14) | (s3 << 7)); - s[8] = (uint8_t)(s3 >> 1); - s[9] = (uint8_t)(s3 >> 9); - s[10] = (uint8_t)((s3 >> 17) | (s4 << 4)); - s[11] = (uint8_t)(s4 >> 4); - s[12] = (uint8_t)(s4 >> 12); - s[13] = (uint8_t)((s4 >> 20) | (s5 << 1)); - s[14] = (uint8_t)(s5 >> 7); - s[15] = (uint8_t)((s5 >> 15) | (s6 << 6)); - s[16] = (uint8_t)(s6 >> 2); - s[17] = (uint8_t)(s6 >> 10); - s[18] = (uint8_t)((s6 >> 18) | (s7 << 3)); - s[19] = (uint8_t)(s7 >> 5); - s[20] = (uint8_t)(s7 >> 13); - s[21] = (uint8_t)(s8 >> 0); - s[22] = (uint8_t)(s8 >> 8); - s[23] = (uint8_t)((s8 >> 16) | (s9 << 5)); - s[24] = (uint8_t)(s9 >> 3); - s[25] = (uint8_t)(s9 >> 11); - s[26] = (uint8_t)((s9 >> 19) | (s10 << 2)); - s[27] = (uint8_t)(s10 >> 6); - s[28] = (uint8_t)((s10 >> 14) | (s11 << 7)); - s[29] = (uint8_t)(s11 >> 1); - s[30] = (uint8_t)(s11 >> 9); - s[31] = (uint8_t)(s11 >> 17); + s[ 0] = (uint8_t) (s0 >> 0); + s[ 1] = (uint8_t) (s0 >> 8); + s[ 2] = (uint8_t)((s0 >> 16) | (s1 << 5)); + s[ 3] = (uint8_t) (s1 >> 3); + s[ 4] = (uint8_t) (s1 >> 11); + s[ 5] = (uint8_t)((s1 >> 19) | (s2 << 2)); + s[ 6] = (uint8_t) (s2 >> 6); + s[ 7] = (uint8_t)((s2 >> 14) | (s3 << 7)); + s[ 8] = (uint8_t) (s3 >> 1); + s[ 9] = (uint8_t) (s3 >> 9); + s[10] = (uint8_t)((s3 >> 17) | (s4 << 4)); + s[11] = (uint8_t) (s4 >> 4); + s[12] = (uint8_t) (s4 >> 12); + s[13] = (uint8_t)((s4 >> 20) | (s5 << 1)); + s[14] = (uint8_t) (s5 >> 7); + s[15] = (uint8_t)((s5 >> 15) | (s6 << 6)); + s[16] = (uint8_t) (s6 >> 2); + s[17] = (uint8_t) (s6 >> 10); + s[18] = (uint8_t)((s6 >> 18) | (s7 << 3)); + s[19] = (uint8_t) (s7 >> 5); + s[20] = (uint8_t) (s7 >> 13); + s[21] = (uint8_t) (s8 >> 0); + s[22] = (uint8_t) (s8 >> 8); + s[23] = (uint8_t)((s8 >> 16) | (s9 << 5)); + s[24] = (uint8_t) (s9 >> 3); + s[25] = (uint8_t) (s9 >> 11); + s[26] = (uint8_t)((s9 >> 19) | (s10 << 2)); + s[27] = (uint8_t) (s10 >> 6); + s[28] = (uint8_t)((s10 >> 14) | (s11 << 7)); + s[29] = (uint8_t) (s11 >> 1); + s[30] = (uint8_t) (s11 >> 9); + s[31] = (uint8_t) (s11 >> 17); } /* @@ -4957,42 +4958,42 @@ static void x25519_sc_reduce(uint8_t *s) static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, const uint8_t *c) { - int64_t a0 = 2097151 & load_3(a); - int64_t a1 = 2097151 & (load_4(a + 2) >> 5); - int64_t a2 = 2097151 & (load_3(a + 5) >> 2); - int64_t a3 = 2097151 & (load_4(a + 7) >> 7); - int64_t a4 = 2097151 & (load_4(a + 10) >> 4); - int64_t a5 = 2097151 & (load_3(a + 13) >> 1); - int64_t a6 = 2097151 & (load_4(a + 15) >> 6); - int64_t a7 = 2097151 & (load_3(a + 18) >> 3); - int64_t a8 = 2097151 & load_3(a + 21); - int64_t a9 = 2097151 & (load_4(a + 23) >> 5); - int64_t a10 = 2097151 & (load_3(a + 26) >> 2); - int64_t a11 = (load_4(a + 28) >> 7); - int64_t b0 = 2097151 & load_3(b); - int64_t b1 = 2097151 & (load_4(b + 2) >> 5); - int64_t b2 = 2097151 & (load_3(b + 5) >> 2); - int64_t b3 = 2097151 & (load_4(b + 7) >> 7); - int64_t b4 = 2097151 & (load_4(b + 10) >> 4); - int64_t b5 = 2097151 & (load_3(b + 13) >> 1); - int64_t b6 = 2097151 & (load_4(b + 15) >> 6); - int64_t b7 = 2097151 & (load_3(b + 18) >> 3); - int64_t b8 = 2097151 & load_3(b + 21); - int64_t b9 = 2097151 & (load_4(b + 23) >> 5); - int64_t b10 = 2097151 & (load_3(b + 26) >> 2); - int64_t b11 = (load_4(b + 28) >> 7); - int64_t c0 = 2097151 & load_3(c); - int64_t c1 = 2097151 & (load_4(c + 2) >> 5); - int64_t c2 = 2097151 & (load_3(c + 5) >> 2); - int64_t c3 = 2097151 & (load_4(c + 7) >> 7); - int64_t c4 = 2097151 & (load_4(c + 10) >> 4); - int64_t c5 = 2097151 & (load_3(c + 13) >> 1); - int64_t c6 = 2097151 & (load_4(c + 15) >> 6); - int64_t c7 = 2097151 & (load_3(c + 18) >> 3); - int64_t c8 = 2097151 & load_3(c + 21); - int64_t c9 = 2097151 & (load_4(c + 23) >> 5); - int64_t c10 = 2097151 & (load_3(c + 26) >> 2); - int64_t c11 = (load_4(c + 28) >> 7); + int64_t a0 = kBottom21Bits & load_3(a); + int64_t a1 = kBottom21Bits & (load_4(a + 2) >> 5); + int64_t a2 = kBottom21Bits & (load_3(a + 5) >> 2); + int64_t a3 = kBottom21Bits & (load_4(a + 7) >> 7); + int64_t a4 = kBottom21Bits & (load_4(a + 10) >> 4); + int64_t a5 = kBottom21Bits & (load_3(a + 13) >> 1); + int64_t a6 = kBottom21Bits & (load_4(a + 15) >> 6); + int64_t a7 = kBottom21Bits & (load_3(a + 18) >> 3); + int64_t a8 = kBottom21Bits & load_3(a + 21); + int64_t a9 = kBottom21Bits & (load_4(a + 23) >> 5); + int64_t a10 = kBottom21Bits & (load_3(a + 26) >> 2); + int64_t a11 = (load_4(a + 28) >> 7); + int64_t b0 = kBottom21Bits & load_3(b); + int64_t b1 = kBottom21Bits & (load_4(b + 2) >> 5); + int64_t b2 = kBottom21Bits & (load_3(b + 5) >> 2); + int64_t b3 = kBottom21Bits & (load_4(b + 7) >> 7); + int64_t b4 = kBottom21Bits & (load_4(b + 10) >> 4); + int64_t b5 = kBottom21Bits & (load_3(b + 13) >> 1); + int64_t b6 = kBottom21Bits & (load_4(b + 15) >> 6); + int64_t b7 = kBottom21Bits & (load_3(b + 18) >> 3); + int64_t b8 = kBottom21Bits & load_3(b + 21); + int64_t b9 = kBottom21Bits & (load_4(b + 23) >> 5); + int64_t b10 = kBottom21Bits & (load_3(b + 26) >> 2); + int64_t b11 = (load_4(b + 28) >> 7); + int64_t c0 = kBottom21Bits & load_3(c); + int64_t c1 = kBottom21Bits & (load_4(c + 2) >> 5); + int64_t c2 = kBottom21Bits & (load_3(c + 5) >> 2); + int64_t c3 = kBottom21Bits & (load_4(c + 7) >> 7); + int64_t c4 = kBottom21Bits & (load_4(c + 10) >> 4); + int64_t c5 = kBottom21Bits & (load_3(c + 13) >> 1); + int64_t c6 = kBottom21Bits & (load_4(c + 15) >> 6); + int64_t c7 = kBottom21Bits & (load_3(c + 18) >> 3); + int64_t c8 = kBottom21Bits & load_3(c + 21); + int64_t c9 = kBottom21Bits & (load_4(c + 23) >> 5); + int64_t c10 = kBottom21Bits & (load_3(c + 26) >> 2); + int64_t c11 = (load_4(c + 28) >> 7); int64_t s0; int64_t s1; int64_t s2; @@ -5041,57 +5042,46 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, int64_t carry21; int64_t carry22; - s0 = c0 + a0 * b0; - s1 = c1 + a0 * b1 + a1 * b0; - s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0; - s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0; - s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0; - s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0; - s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + - a6 * b0; - s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + - a6 * b1 + a7 * b0; - s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + - a6 * b2 + a7 * b1 + a8 * b0; - s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + - a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0; - s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + - a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0; - s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + - a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0; - s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + - a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1; - s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + - a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2; - s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + - a9 * b5 + a10 * b4 + a11 * b3; - s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + - a10 * b5 + a11 * b4; - s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + - a11 * b5; - s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6; - s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7; - s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8; - s20 = a9 * b11 + a10 * b10 + a11 * b9; - s21 = a10 * b11 + a11 * b10; - s22 = a11 * b11; - s23 = 0; + s0 = c0 + a0 * b0; + s1 = c1 + a0 * b1 + a1 * b0; + s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0; + s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0; + s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0; + s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0; + s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0; + s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0; + s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0; + s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0; + s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0; + s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0; + s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1; + s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2; + s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3; + s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4; + s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5; + s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6; + s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7; + s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8; + s20 = a9 * b11 + a10 * b10 + a11 * b9; + s21 = a10 * b11 + a11 * b10; + s22 = a11 * b11; + s23 = 0; carry0 = (s0 + (1 << 20)) >> 21; - s1 += carry0; - s0 -= carry0 * (1 << 21); + s1 += carry0; + s0 -= carry0 * (1 << 21); carry2 = (s2 + (1 << 20)) >> 21; - s3 += carry2; - s2 -= carry2 * (1 << 21); + s3 += carry2; + s2 -= carry2 * (1 << 21); carry4 = (s4 + (1 << 20)) >> 21; - s5 += carry4; - s4 -= carry4 * (1 << 21); + s5 += carry4; + s4 -= carry4 * (1 << 21); carry6 = (s6 + (1 << 20)) >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry8 = (s8 + (1 << 20)) >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); @@ -5115,20 +5105,20 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s22 -= carry22 * (1 << 21); carry1 = (s1 + (1 << 20)) >> 21; - s2 += carry1; - s1 -= carry1 * (1 << 21); + s2 += carry1; + s1 -= carry1 * (1 << 21); carry3 = (s3 + (1 << 20)) >> 21; - s4 += carry3; - s3 -= carry3 * (1 << 21); + s4 += carry3; + s3 -= carry3 * (1 << 21); carry5 = (s5 + (1 << 20)) >> 21; - s6 += carry5; - s5 -= carry5 * (1 << 21); + s6 += carry5; + s5 -= carry5 * (1 << 21); carry7 = (s7 + (1 << 20)) >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 * (1 << 21); @@ -5154,7 +5144,7 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s14 -= s23 * 997805; s15 += s23 * 136657; s16 -= s23 * 683901; - s23 = 0; + s23 = 0; s10 += s22 * 666643; s11 += s22 * 470296; @@ -5162,46 +5152,46 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s13 -= s22 * 997805; s14 += s22 * 136657; s15 -= s22 * 683901; - s22 = 0; + s22 = 0; - s9 += s21 * 666643; + s9 += s21 * 666643; s10 += s21 * 470296; s11 += s21 * 654183; s12 -= s21 * 997805; s13 += s21 * 136657; s14 -= s21 * 683901; - s21 = 0; + s21 = 0; - s8 += s20 * 666643; - s9 += s20 * 470296; + s8 += s20 * 666643; + s9 += s20 * 470296; s10 += s20 * 654183; s11 -= s20 * 997805; s12 += s20 * 136657; s13 -= s20 * 683901; - s20 = 0; + s20 = 0; - s7 += s19 * 666643; - s8 += s19 * 470296; - s9 += s19 * 654183; + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; s10 -= s19 * 997805; s11 += s19 * 136657; s12 -= s19 * 683901; - s19 = 0; + s19 = 0; - s6 += s18 * 666643; - s7 += s18 * 470296; - s8 += s18 * 654183; - s9 -= s18 * 997805; + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; s10 += s18 * 136657; s11 -= s18 * 683901; - s18 = 0; + s18 = 0; carry6 = (s6 + (1 << 20)) >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry8 = (s8 + (1 << 20)) >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); @@ -5216,11 +5206,11 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s16 -= carry16 * (1 << 21); carry7 = (s7 + (1 << 20)) >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 * (1 << 21); @@ -5231,130 +5221,130 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s16 += carry15; s15 -= carry15 * (1 << 21); - s5 += s17 * 666643; - s6 += s17 * 470296; - s7 += s17 * 654183; - s8 -= s17 * 997805; - s9 += s17 * 136657; + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; s10 -= s17 * 683901; - s17 = 0; - - s4 += s16 * 666643; - s5 += s16 * 470296; - s6 += s16 * 654183; - s7 -= s16 * 997805; - s8 += s16 * 136657; - s9 -= s16 * 683901; - s16 = 0; - - s3 += s15 * 666643; - s4 += s15 * 470296; - s5 += s15 * 654183; - s6 -= s15 * 997805; - s7 += s15 * 136657; - s8 -= s15 * 683901; - s15 = 0; - - s2 += s14 * 666643; - s3 += s14 * 470296; - s4 += s14 * 654183; - s5 -= s14 * 997805; - s6 += s14 * 136657; - s7 -= s14 * 683901; - s14 = 0; - - s1 += s13 * 666643; - s2 += s13 * 470296; - s3 += s13 * 654183; - s4 -= s13 * 997805; - s5 += s13 * 136657; - s6 -= s13 * 683901; - s13 = 0; - - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; + s17 = 0; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + s16 = 0; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + s15 = 0; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + s14 = 0; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + s13 = 0; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; s12 = 0; carry0 = (s0 + (1 << 20)) >> 21; - s1 += carry0; - s0 -= carry0 * (1 << 21); + s1 += carry0; + s0 -= carry0 * (1 << 21); carry2 = (s2 + (1 << 20)) >> 21; - s3 += carry2; - s2 -= carry2 * (1 << 21); + s3 += carry2; + s2 -= carry2 * (1 << 21); carry4 = (s4 + (1 << 20)) >> 21; - s5 += carry4; - s4 -= carry4 * (1 << 21); + s5 += carry4; + s4 -= carry4 * (1 << 21); carry6 = (s6 + (1 << 20)) >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry8 = (s8 + (1 << 20)) >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); carry1 = (s1 + (1 << 20)) >> 21; - s2 += carry1; - s1 -= carry1 * (1 << 21); + s2 += carry1; + s1 -= carry1 * (1 << 21); carry3 = (s3 + (1 << 20)) >> 21; - s4 += carry3; - s3 -= carry3 * (1 << 21); + s4 += carry3; + s3 -= carry3 * (1 << 21); carry5 = (s5 + (1 << 20)) >> 21; - s6 += carry5; - s5 -= carry5 * (1 << 21); + s6 += carry5; + s5 -= carry5 * (1 << 21); carry7 = (s7 + (1 << 20)) >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 * (1 << 21); - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - s12 = 0; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; carry0 = s0 >> 21; - s1 += carry0; - s0 -= carry0 * (1 << 21); + s1 += carry0; + s0 -= carry0 * (1 << 21); carry1 = s1 >> 21; - s2 += carry1; - s1 -= carry1 * (1 << 21); + s2 += carry1; + s1 -= carry1 * (1 << 21); carry2 = s2 >> 21; - s3 += carry2; - s2 -= carry2 * (1 << 21); + s3 += carry2; + s2 -= carry2 * (1 << 21); carry3 = s3 >> 21; - s4 += carry3; - s3 -= carry3 * (1 << 21); + s4 += carry3; + s3 -= carry3 * (1 << 21); carry4 = s4 >> 21; - s5 += carry4; - s4 -= carry4 * (1 << 21); + s5 += carry4; + s4 -= carry4 * (1 << 21); carry5 = s5 >> 21; - s6 += carry5; - s5 -= carry5 * (1 << 21); + s6 += carry5; + s5 -= carry5 * (1 << 21); carry6 = s6 >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry7 = s7 >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry8 = s8 >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry9 = s9 >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); @@ -5362,80 +5352,80 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s12 += carry11; s11 -= carry11 * (1 << 21); - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - s12 = 0; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; carry0 = s0 >> 21; - s1 += carry0; - s0 -= carry0 * (1 << 21); + s1 += carry0; + s0 -= carry0 * (1 << 21); carry1 = s1 >> 21; - s2 += carry1; - s1 -= carry1 * (1 << 21); + s2 += carry1; + s1 -= carry1 * (1 << 21); carry2 = s2 >> 21; - s3 += carry2; - s2 -= carry2 * (1 << 21); + s3 += carry2; + s2 -= carry2 * (1 << 21); carry3 = s3 >> 21; - s4 += carry3; - s3 -= carry3 * (1 << 21); + s4 += carry3; + s3 -= carry3 * (1 << 21); carry4 = s4 >> 21; - s5 += carry4; - s4 -= carry4 * (1 << 21); + s5 += carry4; + s4 -= carry4 * (1 << 21); carry5 = s5 >> 21; - s6 += carry5; - s5 -= carry5 * (1 << 21); + s6 += carry5; + s5 -= carry5 * (1 << 21); carry6 = s6 >> 21; - s7 += carry6; - s6 -= carry6 * (1 << 21); + s7 += carry6; + s6 -= carry6 * (1 << 21); carry7 = s7 >> 21; - s8 += carry7; - s7 -= carry7 * (1 << 21); + s8 += carry7; + s7 -= carry7 * (1 << 21); carry8 = s8 >> 21; - s9 += carry8; - s8 -= carry8 * (1 << 21); + s9 += carry8; + s8 -= carry8 * (1 << 21); carry9 = s9 >> 21; s10 += carry9; - s9 -= carry9 * (1 << 21); + s9 -= carry9 * (1 << 21); carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * (1 << 21); - s[0] = (uint8_t)(s0 >> 0); - s[1] = (uint8_t)(s0 >> 8); - s[2] = (uint8_t)((s0 >> 16) | (s1 << 5)); - s[3] = (uint8_t)(s1 >> 3); - s[4] = (uint8_t)(s1 >> 11); - s[5] = (uint8_t)((s1 >> 19) | (s2 << 2)); - s[6] = (uint8_t)(s2 >> 6); - s[7] = (uint8_t)((s2 >> 14) | (s3 << 7)); - s[8] = (uint8_t)(s3 >> 1); - s[9] = (uint8_t)(s3 >> 9); - s[10] = (uint8_t)((s3 >> 17) | (s4 << 4)); - s[11] = (uint8_t)(s4 >> 4); - s[12] = (uint8_t)(s4 >> 12); - s[13] = (uint8_t)((s4 >> 20) | (s5 << 1)); - s[14] = (uint8_t)(s5 >> 7); - s[15] = (uint8_t)((s5 >> 15) | (s6 << 6)); - s[16] = (uint8_t)(s6 >> 2); - s[17] = (uint8_t)(s6 >> 10); - s[18] = (uint8_t)((s6 >> 18) | (s7 << 3)); - s[19] = (uint8_t)(s7 >> 5); - s[20] = (uint8_t)(s7 >> 13); - s[21] = (uint8_t)(s8 >> 0); - s[22] = (uint8_t)(s8 >> 8); - s[23] = (uint8_t)((s8 >> 16) | (s9 << 5)); - s[24] = (uint8_t)(s9 >> 3); - s[25] = (uint8_t)(s9 >> 11); - s[26] = (uint8_t)((s9 >> 19) | (s10 << 2)); - s[27] = (uint8_t)(s10 >> 6); + s[ 0] = (uint8_t) (s0 >> 0); + s[ 1] = (uint8_t) (s0 >> 8); + s[ 2] = (uint8_t)((s0 >> 16) | (s1 << 5)); + s[ 3] = (uint8_t) (s1 >> 3); + s[ 4] = (uint8_t) (s1 >> 11); + s[ 5] = (uint8_t)((s1 >> 19) | (s2 << 2)); + s[ 6] = (uint8_t) (s2 >> 6); + s[ 7] = (uint8_t)((s2 >> 14) | (s3 << 7)); + s[ 8] = (uint8_t) (s3 >> 1); + s[ 9] = (uint8_t) (s3 >> 9); + s[10] = (uint8_t)((s3 >> 17) | (s4 << 4)); + s[11] = (uint8_t) (s4 >> 4); + s[12] = (uint8_t) (s4 >> 12); + s[13] = (uint8_t)((s4 >> 20) | (s5 << 1)); + s[14] = (uint8_t) (s5 >> 7); + s[15] = (uint8_t)((s5 >> 15) | (s6 << 6)); + s[16] = (uint8_t) (s6 >> 2); + s[17] = (uint8_t) (s6 >> 10); + s[18] = (uint8_t)((s6 >> 18) | (s7 << 3)); + s[19] = (uint8_t) (s7 >> 5); + s[20] = (uint8_t) (s7 >> 13); + s[21] = (uint8_t) (s8 >> 0); + s[22] = (uint8_t) (s8 >> 8); + s[23] = (uint8_t)((s8 >> 16) | (s9 << 5)); + s[24] = (uint8_t) (s9 >> 3); + s[25] = (uint8_t) (s9 >> 11); + s[26] = (uint8_t)((s9 >> 19) | (s10 << 2)); + s[27] = (uint8_t) (s10 >> 6); s[28] = (uint8_t)((s10 >> 14) | (s11 << 7)); - s[29] = (uint8_t)(s11 >> 1); - s[30] = (uint8_t)(s11 >> 9); - s[31] = (uint8_t)(s11 >> 17); + s[29] = (uint8_t) (s11 >> 1); + s[30] = (uint8_t) (s11 >> 9); + s[31] = (uint8_t) (s11 >> 17); } int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, -- 2.34.1