Пример #1
/*
 * Encode the point *p into the 32-byte buffer r.
 *
 * x and y of *p are each multiplied by the inverse of z, the resulting y is
 * packed into r, and the parity of the resulting x, shifted to bit 7, is
 * XORed into r[31].
 *
 * r: output buffer, 32 bytes.
 * p: point to encode; only read.
 *
 * NOTE(review): the XOR only acts as "set the sign bit" if fe25519_pack
 * leaves bit 7 of r[31] clear - confirm against fe25519_pack.
 * NOTE(review): if p can depend on a secret scalar, the timing behaviour of
 * this routine rests on fe25519_invert / fe25519_mul / fe25519_getparity,
 * none of which are visible here - confirm they are constant time.
 */
void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
{
  fe25519 z_inv;
  fe25519 affine_x;
  fe25519 affine_y;

  /* One inversion, shared by both coordinates. */
  fe25519_invert(&z_inv, &p->z);
  fe25519_mul(&affine_x, &p->x, &z_inv);
  fe25519_mul(&affine_y, &p->y, &z_inv);

  fe25519_pack(r, &affine_y);
  /* Fold the parity of x into the top bit of the last byte. */
  r[31] ^= fe25519_getparity(&affine_x) << 7;
}
Пример #2
// Scalar multiplication on Curve25519: writes to |out| the packed result of
// applying the clamped |scalar| to |point|.
//
// The scalar is copied and clamped locally (low three bits cleared, bit 255
// cleared, bit 254 set), so the caller's buffer is not modified.
//
// NOTE(review): |clamped| holds secret-scalar material and is left on the
// stack when the function returns; nothing here wipes it.
// NOTE(review): no check is made here for an all-zero |out| (which a
// low-order |point| would produce); callers that need that rejection must
// test the output themselves.
void x25519_x86_64(uint8_t out[32], const uint8_t scalar[32],
                  const uint8_t point[32]) {
  uint8_t clamped[32];
  fe25519 x_num;
  fe25519 z_den;

  OPENSSL_memcpy(clamped, scalar, sizeof(clamped));
  clamped[0] &= 0xf8;
  clamped[31] = (uint8_t)((clamped[31] & 0x7f) | 0x40);

  fe25519_unpack(&x_num, point);
  // Presumably the Montgomery ladder, leaving the result as an x/z pair -
  // confirm against mladder. The pair is reduced to a single field element
  // below by multiplying x with the inverse of z.
  mladder(&x_num, &z_den, clamped);
  fe25519_invert(&z_den, &z_den);
  x25519_x86_64_mul(&x_num, &x_num, &z_den);
  fe25519_pack(out, &x_num);
}
Пример #3
// Converts the y coordinate carried in the Ed25519 public key |p| into a
// Curve25519 u coordinate, u = (1 + y) / (1 - y), and packs it into |r|.
//
// Always returns 0.
//
// NOTE(review): |p| is not validated in any way here: it is not checked to
// be a point on the curve, nor rejected for being of small order. y = 1
// makes the denominator zero, and the value written to |r| then depends on
// what fe25519_invert does with a zero input - confirm. Callers handling
// untrusted keys need to validate before calling, since the return value
// never signals failure.
int edmont_conv(unsigned char r[crypto_scalarmult_curve25519_BYTES],
                const unsigned char p[ED25519_PUBLICKEYBYTES]) {
  fe25519 ed_y, unit, numerator, denominator, denominator_inv, mont_u;

  fe25519_unpack(&ed_y, p);
  fe25519_setone(&unit);

  // 1 / (1 - y)
  fe25519_sub(&denominator, &unit, &ed_y);
  fe25519_invert(&denominator_inv, &denominator);

  // (1 + y) * 1 / (1 - y)
  fe25519_add(&numerator, &unit, &ed_y);
  fe25519_mul(&mont_u, &numerator, &denominator_inv);

  fe25519_pack(r, &mont_u);
  return 0;
}
Пример #4
/*
 * Convert an Ed25519 public key into a Curve25519 public key.
 *
 * The input is rejected before any conversion if it has small order, fails
 * to decode, or is not on the main subgroup. Otherwise (1 + Y) / (1 - Y) is
 * computed from the decoded point's Y and written to curve25519_pk.
 *
 * curve25519_pk: output buffer (presumably 32 bytes - confirm with caller).
 * ed25519_pk:    encoded Ed25519 public key; only read.
 *
 * Returns 0 on success, -1 if the key is rejected; curve25519_pk is not
 * written in the rejection case.
 *
 * NOTE(review): decoding uses a *_vartime routine; that is appropriate only
 * as long as ed25519_pk is public data - confirm no caller passes secrets.
 */
int
crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
                                     const unsigned char *ed25519_pk)
{
    ge25519_p3 ed_point;
    fe25519    numerator;
    fe25519    denominator;

    /* Validation, evaluated in the same order as a short-circuit chain. */
    if (ge25519_has_small_order(ed25519_pk) != 0) {
        return -1;
    }
    if (ge25519_frombytes_negate_vartime(&ed_point, ed25519_pk) != 0) {
        return -1;
    }
    if (ge25519_is_on_main_subgroup(&ed_point) == 0) {
        return -1;
    }

    /* Only Y of the decoded point is read from here on. */
    fe25519_1(numerator);
    fe25519_add(numerator, numerator, ed_point.Y);      /* 1 + Y */
    fe25519_1(denominator);
    fe25519_sub(denominator, denominator, ed_point.Y);  /* 1 - Y */
    fe25519_invert(denominator, denominator);
    fe25519_mul(numerator, numerator, denominator);     /* (1 + Y) / (1 - Y) */
    fe25519_tobytes(curve25519_pk, numerator);

    return 0;
}