/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p)
{
fe25519 a,b,c,d;
fe25519_square(&a, &p->x);
fe25519_square(&b, &p->y);
fe25519_square(&c, &p->z);
fe25519_add(&c, &c, &c);
fe25519_neg(&d, &a);
fe25519_add(&r->x, &p->x, &p->y);
fe25519_square(&r->x, &r->x);
fe25519_sub(&r->x, &r->x, &a);
fe25519_sub(&r->x, &r->x, &b);
fe25519_add(&r->z, &d, &b);
fe25519_sub(&r->t, &r->z, &c);
fe25519_sub(&r->y, &d, &b);
}
void fe25519_neg(fe25519 *r, const fe25519 *x)
{
fe25519 t;
int i;
for(i=0;i<32;i++) t.v[i]=x->v[i];
fe25519_setzero(r);
fe25519_sub(r, r, &t);
}
/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p)
{
fe25519 a,b,c,d;
fe25519_square(&a, &p->x);
fe25519_square(&b, &p->y);
fe25519_square(&c, &p->z);
fe25519_add(&c, &c, &c);
//here, you have to fully reduce &d because subtraction needs a <= p
fe25519_freeze(&c); //do not remove
fe25519_neg(&d, &a);
fe25519_add(&r->x, &p->x, &p->y);
fe25519_square(&r->x, &r->x);
fe25519_sub(&r->x, &r->x, &a);
fe25519_sub(&r->x, &r->x, &b);
fe25519_add(&r->z, &d, &b);
fe25519_sub(&r->t, &r->z, &c);
fe25519_sub(&r->y, &d, &b);
}
static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q)
{
fe25519 a, b, c, d, t;
fe25519_sub(&a, &p->y, &p->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_sub(&t, &q->y, &q->x);
fe25519_mul(&a, &a, &t);
fe25519_add(&b, &p->x, &p->y); /* B = (Y1+X1)*(Y2+X2) */
fe25519_add(&t, &q->x, &q->y);
fe25519_mul(&b, &b, &t);
fe25519_mul(&c, &p->t, &q->t); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_mul(&d, &p->z, &q->z); /* D = Z1*2*Z2 */
fe25519_add(&d, &d, &d);
fe25519_sub(&r->x, &b, &a); /* E = B-A */
fe25519_sub(&r->t, &d, &c); /* F = D-C */
fe25519_add(&r->z, &d, &c); /* G = D+C */
fe25519_add(&r->y, &b, &a); /* H = B+A */
}
static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q)
{
fe25519 a, b, c, d, t;
fe25519_sub(&a, &p->y, &p->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_sub(&t, &q->y, &q->x);
fe25519_mul(&a, &a, &t);
fe25519_add(&b, &p->x, &p->y); /* B = (Y1+X1)*(Y2+X2) */
fe25519_add(&t, &q->x, &q->y);
fe25519_mul(&b, &b, &t);
fe25519_mul(&c, &p->t, &q->t); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_mul(&d, &p->z, &q->z); /* D = Z1*2*Z2 */
fe25519_add(&d, &d, &d);
//here, you have to fully reduce &d because subtraction needs a <= p
fe25519_freeze(&d); //do not remove!
fe25519_sub(&r->x, &b, &a); /* E = B-A */
fe25519_sub(&r->t, &d, &c); /* F = D-C */
fe25519_add(&r->z, &d, &c); /* G = D+C */
fe25519_add(&r->y, &b, &a); /* H = B+A */
}
static void ge25519_mixadd2(ge25519_p3 *r, const ge25519_aff *q)
{
fe25519 a,b,t1,t2,c,d,e,f,g,h,qt;
fe25519_mul(&qt, &q->x, &q->y);
fe25519_sub(&a, &r->y, &r->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_add(&b, &r->y, &r->x); /* B = (Y1+X1)*(Y2+X2) */
fe25519_sub(&t1, &q->y, &q->x);
fe25519_add(&t2, &q->y, &q->x);
fe25519_mul(&a, &a, &t1);
fe25519_mul(&b, &b, &t2);
fe25519_sub(&e, &b, &a); /* E = B-A */
fe25519_add(&h, &b, &a); /* H = B+A */
fe25519_mul(&c, &r->t, &qt); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_add(&d, &r->z, &r->z); /* D = Z1*2 */
fe25519_sub(&f, &d, &c); /* F = D-C */
fe25519_add(&g, &d, &c); /* G = D+C */
fe25519_mul(&r->x, &e, &f);
fe25519_mul(&r->y, &h, &g);
fe25519_mul(&r->z, &g, &f);
fe25519_mul(&r->t, &e, &h);
}
/* return 0 on success, -1 otherwise */
int ge25519_unpackneg_vartime(ge25519_p3 *r, const unsigned char p[32])
{
unsigned char par;
fe25519 t, chk, num, den, den2, den4, den6;
fe25519_setone(&r->z);
par = p[31] >> 7;
fe25519_unpack(&r->y, p);
fe25519_square(&num, &r->y); /* x = y^2 */
fe25519_mul(&den, &num, &ge25519_ecd); /* den = dy^2 */
fe25519_sub(&num, &num, &r->z); /* x = y^2-1 */
fe25519_add(&den, &r->z, &den); /* den = dy^2+1 */
/* Computation of sqrt(num/den) */
/* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */
fe25519_square(&den2, &den);
fe25519_square(&den4, &den2);
fe25519_mul(&den6, &den4, &den2);
fe25519_mul(&t, &den6, &num);
fe25519_mul(&t, &t, &den);
fe25519_pow2523(&t, &t);
/* 2. computation of r->x = t * num * den^3 */
fe25519_mul(&t, &t, &num);
fe25519_mul(&t, &t, &den);
fe25519_mul(&t, &t, &den);
fe25519_mul(&r->x, &t, &den);
/* 3. Check whether sqrt computation gave correct result, multiply by sqrt(-1) if not: */
fe25519_square(&chk, &r->x);
fe25519_mul(&chk, &chk, &den);
if (!fe25519_iseq_vartime(&chk, &num)) {
fe25519_mul(&r->x, &r->x, &ge25519_sqrtm1);
}
/* 4. Now we have one of the two square roots, except if input was not a square */
fe25519_square(&chk, &r->x);
fe25519_mul(&chk, &chk, &den);
if (!fe25519_iseq_vartime(&chk, &num)) {
return -1;
}
/* 5. Choose the desired square root according to parity: */
if(fe25519_getparity(&r->x) != (1-par)) {
fe25519_neg(&r->x, &r->x);
}
fe25519_mul(&r->t, &r->x, &r->y);
return 0;
}
static void ge25519_mixadd2(ge25519_p3 *r, const ge25519_aff *q)
{
fe25519 a,b,t1,t2,c,d,e,f,g,h,qt;
fe25519_mul(&qt, &q->x, &q->y);
fe25519_sub(&a, &r->y, &r->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_add(&b, &r->y, &r->x); /* B = (Y1+X1)*(Y2+X2) */
fe25519_sub(&t1, &q->y, &q->x);
fe25519_add(&t2, &q->y, &q->x);
fe25519_mul(&a, &a, &t1);
fe25519_mul(&b, &b, &t2);
fe25519_sub(&e, &b, &a); /* E = B-A */
fe25519_add(&h, &b, &a); /* H = B+A */
fe25519_mul(&c, &r->t, &qt); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_add(&d, &r->z, &r->z); /* D = Z1*2 */
//here, you have to fully reduce &d because subtraction needs a <= p
fe25519_freeze(&d);
fe25519_sub(&f, &d, &c); /* F = D-C */
fe25519_add(&g, &d, &c); /* G = D+C */
fe25519_mul(&r->x, &e, &f);
fe25519_mul(&r->y, &h, &g);
fe25519_mul(&r->z, &g, &f);
fe25519_mul(&r->t, &e, &h); //XXX: For small tables we can remove this multiplication, as t is not used in doubling
}
int edmont_conv(unsigned char r[crypto_scalarmult_curve25519_BYTES],
const unsigned char p[ED25519_PUBLICKEYBYTES]) {
fe25519 u, y, num, den, inv, one;
fe25519_unpack(&y, p);
// u = (1 + y) / (1 -y)
fe25519_setone(&one);
fe25519_add(&num, &one, &y);
fe25519_sub(&den, &one, &y);
fe25519_invert(&inv, &den);
fe25519_mul(&u, &num, &inv);
fe25519_pack(r, &u);
return 0;
}
int
crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
const unsigned char *ed25519_pk)
{
ge25519_p3 A;
fe25519 x;
fe25519 one_minus_y;
if (ge25519_has_small_order(ed25519_pk) != 0 ||
ge25519_frombytes_negate_vartime(&A, ed25519_pk) != 0 ||
ge25519_is_on_main_subgroup(&A) == 0) {
return -1;
}
fe25519_1(one_minus_y);
fe25519_sub(one_minus_y, one_minus_y, A.Y);
fe25519_1(x);
fe25519_add(x, x, A.Y);
fe25519_invert(one_minus_y, one_minus_y);
fe25519_mul(x, x, one_minus_y);
fe25519_tobytes(curve25519_pk, x);
return 0;
}
/* computes [s1]p1 + [s2]p2 */
void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3 *p1, const sc25519 *s1, const sc25519 *s2)
{
signed char slide1[256], slide2[256];
ge25519_pniels pre1[PRE1_SIZE], neg;
ge25519_p3 d1;
ge25519_p1p1 t;
ge25519_niels nneg;
fe25519 d;
int i;
sc25519_slide(slide1, s1, S1_SWINDOWSIZE);
sc25519_slide(slide2, s2, S2_SWINDOWSIZE);
/* precomputation */
pre1[0] = *(ge25519_pniels *)p1;
ge25519_dbl_p1p1(&t,(ge25519_p2 *)pre1); ge25519_p1p1_to_p3(&d1, &t);
/* Convert pre[0] to projective Niels representation */
d = pre1[0].ysubx;
fe25519_sub(&pre1[0].ysubx, &pre1[0].xaddy, &pre1[0].ysubx);
fe25519_add(&pre1[0].xaddy, &pre1[0].xaddy, &d);
fe25519_mul(&pre1[0].t2d, &pre1[0].t2d, &ec2d);
for(i=0;i<PRE1_SIZE-1;i++)
{
ge25519_pnielsadd_p1p1(&t, &d1, &pre1[i]); ge25519_p1p1_to_pniels(&pre1[i+1], &t);
}
setneutral(r);
for (i = 255;i >= 0;--i) {
if (slide1[i] || slide2[i]) goto firstbit;
}
for(;i>=0;i--)
{
firstbit:
ge25519_dbl_p1p1(&t, (ge25519_p2 *)r);
if(slide1[i]>0)
{
ge25519_p1p1_to_p3(r, &t);
ge25519_pnielsadd_p1p1(&t, r, &pre1[slide1[i]/2]);
}
else if(slide1[i]<0)
{
ge25519_p1p1_to_p3(r, &t);
neg = pre1[-slide1[i]/2];
d = neg.ysubx;
neg.ysubx = neg.xaddy;
neg.xaddy = d;
fe25519_neg(&neg.t2d, &neg.t2d);
ge25519_pnielsadd_p1p1(&t, r, &neg);
}
if(slide2[i]>0)
{
ge25519_p1p1_to_p3(r, &t);
ge25519_nielsadd_p1p1(&t, r, &pre2[slide2[i]/2]);
}
else if(slide2[i]<0)
{
ge25519_p1p1_to_p3(r, &t);
nneg = pre2[-slide2[i]/2];
d = nneg.ysubx;
nneg.ysubx = nneg.xaddy;
nneg.xaddy = d;
fe25519_neg(&nneg.t2d, &nneg.t2d);
ge25519_nielsadd_p1p1(&t, r, &nneg);
}
ge25519_p1p1_to_p2((ge25519_p2 *)r, &t);
}
}
void fe25519_neg(fe25519 *r, const fe25519 *x)
{
fe25519 t;
fe25519_setint(&t,0);
fe25519_sub(r,&t,x);
}
