/* return 0 on success, -1 otherwise */
int ge25519_unpackneg_vartime(ge25519_p3 *r, const unsigned char p[32])
{
unsigned char par;
fe25519 t, chk, num, den, den2, den4, den6;
fe25519_setone(&r->z);
par = p[31] >> 7;
fe25519_unpack(&r->y, p);
fe25519_square(&num, &r->y); /* x = y^2 */
fe25519_mul(&den, &num, &ge25519_ecd); /* den = dy^2 */
fe25519_sub(&num, &num, &r->z); /* x = y^2-1 */
fe25519_add(&den, &r->z, &den); /* den = dy^2+1 */
/* Computation of sqrt(num/den) */
/* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */
fe25519_square(&den2, &den);
fe25519_square(&den4, &den2);
fe25519_mul(&den6, &den4, &den2);
fe25519_mul(&t, &den6, &num);
fe25519_mul(&t, &t, &den);
fe25519_pow2523(&t, &t);
/* 2. computation of r->x = t * num * den^3 */
fe25519_mul(&t, &t, &num);
fe25519_mul(&t, &t, &den);
fe25519_mul(&t, &t, &den);
fe25519_mul(&r->x, &t, &den);
/* 3. Check whether sqrt computation gave correct result, multiply by sqrt(-1) if not: */
fe25519_square(&chk, &r->x);
fe25519_mul(&chk, &chk, &den);
if (!fe25519_iseq_vartime(&chk, &num)) {
fe25519_mul(&r->x, &r->x, &ge25519_sqrtm1);
}
/* 4. Now we have one of the two square roots, except if input was not a square */
fe25519_square(&chk, &r->x);
fe25519_mul(&chk, &chk, &den);
if (!fe25519_iseq_vartime(&chk, &num)) {
return -1;
}
/* 5. Choose the desired square root according to parity: */
if(fe25519_getparity(&r->x) != (1-par)) {
fe25519_neg(&r->x, &r->x);
}
fe25519_mul(&r->t, &r->x, &r->y);
return 0;
}
/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p)
{
fe25519 a,b,c,d;
fe25519_square(&a, &p->x);
fe25519_square(&b, &p->y);
fe25519_square(&c, &p->z);
fe25519_add(&c, &c, &c);
fe25519_neg(&d, &a);
fe25519_add(&r->x, &p->x, &p->y);
fe25519_square(&r->x, &r->x);
fe25519_sub(&r->x, &r->x, &a);
fe25519_sub(&r->x, &r->x, &b);
fe25519_add(&r->z, &d, &b);
fe25519_sub(&r->t, &r->z, &c);
fe25519_sub(&r->y, &d, &b);
}
/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p)
{
fe25519 a,b,c,d;
fe25519_square(&a, &p->x);
fe25519_square(&b, &p->y);
fe25519_square(&c, &p->z);
fe25519_add(&c, &c, &c);
//here, you have to fully reduce &d because subtraction needs a <= p
fe25519_freeze(&c); //do not remove
fe25519_neg(&d, &a);
fe25519_add(&r->x, &p->x, &p->y);
fe25519_square(&r->x, &r->x);
fe25519_sub(&r->x, &r->x, &a);
fe25519_sub(&r->x, &r->x, &b);
fe25519_add(&r->z, &d, &b);
fe25519_sub(&r->t, &r->z, &c);
fe25519_sub(&r->y, &d, &b);
}
void fe25519_pow2523(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t;
int i;
/* 2 */ fe25519_square(&z2,x);
/* 4 */ fe25519_square(&t,&z2);
/* 8 */ fe25519_square(&t,&t);
/* 9 */ fe25519_mul(&z9,&t,x);
/* 11 */ fe25519_mul(&z11,&z9,&z2);
/* 22 */ fe25519_square(&t,&z11);
/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9);
/* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0);
/* 2^10 - 2^5 */ for (i = 1;i < 5;i++) { fe25519_square(&t,&t); }
/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0);
/* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0);
/* 2^20 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0);
/* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0);
/* 2^40 - 2^20 */ for (i = 1;i < 20;i++) { fe25519_square(&t,&t); }
/* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0);
/* 2^41 - 2^1 */ fe25519_square(&t,&t);
/* 2^50 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0);
/* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0);
/* 2^100 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0);
/* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0);
/* 2^200 - 2^100 */ for (i = 1;i < 100;i++) { fe25519_square(&t,&t); }
/* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0);
/* 2^201 - 2^1 */ fe25519_square(&t,&t);
/* 2^250 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
/* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0);
/* 2^251 - 2^1 */ fe25519_square(&t,&t);
/* 2^252 - 2^2 */ fe25519_square(&t,&t);
/* 2^252 - 3 */ fe25519_mul(r,&t,x);
}
void fe25519_invert(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t0;
fe25519 t1;
int i;
/* 2 */ fe25519_square(&z2,x);
/* 4 */ fe25519_square(&t1,&z2);
/* 8 */ fe25519_square(&t0,&t1);
/* 9 */ fe25519_mul(&z9,&t0,x);
/* 11 */ fe25519_mul(&z11,&z9,&z2);
/* 22 */ fe25519_square(&t0,&z11);
/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9);
/* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0);
/* 2^7 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^8 - 2^3 */ fe25519_square(&t0,&t1);
/* 2^9 - 2^4 */ fe25519_square(&t1,&t0);
/* 2^10 - 2^5 */ fe25519_square(&t0,&t1);
/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0);
/* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0);
/* 2^12 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0);
/* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0);
/* 2^22 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0);
/* 2^41 - 2^1 */ fe25519_square(&t1,&t0);
/* 2^42 - 2^2 */ fe25519_square(&t0,&t1);
/* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0);
/* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0);
/* 2^52 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0);
/* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0);
/* 2^102 - 2^2 */ fe25519_square(&t0,&t1);
/* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
/* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0);
/* 2^201 - 2^1 */ fe25519_square(&t0,&t1);
/* 2^202 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0);
/* 2^251 - 2^1 */ fe25519_square(&t1,&t0);
/* 2^252 - 2^2 */ fe25519_square(&t0,&t1);
/* 2^253 - 2^3 */ fe25519_square(&t1,&t0);
/* 2^254 - 2^4 */ fe25519_square(&t0,&t1);
/* 2^255 - 2^5 */ fe25519_square(&t1,&t0);
/* 2^255 - 21 */ fe25519_mul(r,&t1,&z11);
}
void fe25519_pow2523(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t;
/* 2 */ fe25519_square(&z2,x);
/* 4 */ fe25519_square(&t,&z2);
/* 8 */ fe25519_square(&t,&t);
/* 9 */ fe25519_mul(&z9,&t,x);
/* 11 */ fe25519_mul(&z11,&z9,&z2);
/* 22 */ fe25519_square(&t,&z11);
/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9);
/* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0);
/* 2^10 - 2^5 */ fe25519_nsquare(&t,4);
/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0);
/* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0);
/* 2^20 - 2^10 */ fe25519_nsquare(&t,9);
/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0);
/* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0);
/* 2^40 - 2^20 */ fe25519_nsquare(&t,19);
/* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0);
/* 2^41 - 2^1 */ fe25519_square(&t,&t);
/* 2^50 - 2^10 */ fe25519_nsquare(&t,9);
/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0);
/* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0);
/* 2^100 - 2^50 */ fe25519_nsquare(&t,49);
/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0);
/* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0);
/* 2^200 - 2^100 */ fe25519_nsquare(&t,99);
/* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0);
/* 2^201 - 2^1 */ fe25519_square(&t,&t);
/* 2^250 - 2^50 */ fe25519_nsquare(&t,49);
/* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0);
/* 2^251 - 2^1 */ fe25519_square(&t,&t);
/* 2^252 - 2^2 */ fe25519_square(&t,&t);
/* 2^252 - 3 */ fe25519_mul(r,&t,x);
}
