void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
{
fe25519 tx, ty, zi;
fe25519_invert(&zi, &p->z);
fe25519_mul(&tx, &p->x, &zi);
fe25519_mul(&ty, &p->y, &zi);
fe25519_pack(r, &ty);
r[31] ^= fe25519_getparity(&tx) << 7;
}
void test_fe25519_mul()
{
fe25519 fa, fb, fr;
int i,n;
for(n=0;n<NTESTS;n++)
{
//multiply random values
randombytes(fa.v,32);
randombytes(fb.v,32);
fe25519_mul(&fr, &fa, &fb);
print("(");
fe25519_print(&fa);
print("*");
fe25519_print(&fb);
print("-");
fe25519_print(&fr);
print(") % (2^255-19)\r\n");
}
//multiply maximal values
for(i=0;i<32;i++)
fa.v[i] = fb.v[i] = 255;
fe25519_mul(&fr, &fa, &fb);
print("(");
fe25519_print(&fa);
print("*");
fe25519_print(&fb);
print("-");
fe25519_print(&fr);
print(") % (2^255-19)\r\n");
//multiply bad case for final carry
for(i=0;i<32;i++)
fa.v[i] = fb.v[i] = 255;
fb.v[0] = 253;
fe25519_mul(&fr, &fa, &fb);
print("(");
fe25519_print(&fa);
print("*");
fe25519_print(&fb);
print("-");
fe25519_print(&fr);
print(") % (2^255-19)\r\n");
}
void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
{
signed char b[64];
signed char i; //1 byte
ge25519_aff t; //64 bytes
ge25519_p1p1 tp1p1; //128 bytes
sc25519_window4(b,s);
choose_t((ge25519_aff *)r, b[63]);
fe25519_setone(&r->z);
fe25519_mul(&r->t, &r->x, &r->y);
for(i=62;i>=0;i--)
{
dbl_p1p1(&tp1p1, (ge25519_p2 *)r);
p1p1_to_p2((ge25519_p2 *)r, &tp1p1);
dbl_p1p1(&tp1p1, (ge25519_p2 *)r);
p1p1_to_p2((ge25519_p2 *)r, &tp1p1);
dbl_p1p1(&tp1p1, (ge25519_p2 *)r);
p1p1_to_p2((ge25519_p2 *)r, &tp1p1);
dbl_p1p1(&tp1p1, (ge25519_p2 *)r);
p1p1_to_p3(r, &tp1p1);
choose_t(&t, b[i]);
ge25519_mixadd2(r, &t);
}
}
static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q)
{
fe25519 a, b, c, d, t;
fe25519_sub(&a, &p->y, &p->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_sub(&t, &q->y, &q->x);
fe25519_mul(&a, &a, &t);
fe25519_add(&b, &p->x, &p->y); /* B = (Y1+X1)*(Y2+X2) */
fe25519_add(&t, &q->x, &q->y);
fe25519_mul(&b, &b, &t);
fe25519_mul(&c, &p->t, &q->t); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_mul(&d, &p->z, &q->z); /* D = Z1*2*Z2 */
fe25519_add(&d, &d, &d);
fe25519_sub(&r->x, &b, &a); /* E = B-A */
fe25519_sub(&r->t, &d, &c); /* F = D-C */
fe25519_add(&r->z, &d, &c); /* G = D+C */
fe25519_add(&r->y, &b, &a); /* H = B+A */
}
static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q)
{
fe25519 a, b, c, d, t;
fe25519_sub(&a, &p->y, &p->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_sub(&t, &q->y, &q->x);
fe25519_mul(&a, &a, &t);
fe25519_add(&b, &p->x, &p->y); /* B = (Y1+X1)*(Y2+X2) */
fe25519_add(&t, &q->x, &q->y);
fe25519_mul(&b, &b, &t);
fe25519_mul(&c, &p->t, &q->t); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_mul(&d, &p->z, &q->z); /* D = Z1*2*Z2 */
fe25519_add(&d, &d, &d);
//here, you have to fully reduce &d because subtraction needs a <= p
fe25519_freeze(&d); //do not remove!
fe25519_sub(&r->x, &b, &a); /* E = B-A */
fe25519_sub(&r->t, &d, &c); /* F = D-C */
fe25519_add(&r->z, &d, &c); /* G = D+C */
fe25519_add(&r->y, &b, &a); /* H = B+A */
}
void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
{
signed char b[85];
int i;
ge25519_aff t;
sc25519_window3(b,s);
choose_t((ge25519_aff *)r, 0, b[0]);
fe25519_setone(&r->z);
fe25519_mul(&r->t, &r->x, &r->y);
for(i=1;i<85;i++)
{
choose_t(&t, (unsigned long long) i, b[i]);
ge25519_mixadd2(r, &t);
}
}
static void ge25519_mixadd2(ge25519_p3 *r, const ge25519_aff *q)
{
fe25519 a,b,t1,t2,c,d,e,f,g,h,qt;
fe25519_mul(&qt, &q->x, &q->y);
fe25519_sub(&a, &r->y, &r->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_add(&b, &r->y, &r->x); /* B = (Y1+X1)*(Y2+X2) */
fe25519_sub(&t1, &q->y, &q->x);
fe25519_add(&t2, &q->y, &q->x);
fe25519_mul(&a, &a, &t1);
fe25519_mul(&b, &b, &t2);
fe25519_sub(&e, &b, &a); /* E = B-A */
fe25519_add(&h, &b, &a); /* H = B+A */
fe25519_mul(&c, &r->t, &qt); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_add(&d, &r->z, &r->z); /* D = Z1*2 */
fe25519_sub(&f, &d, &c); /* F = D-C */
fe25519_add(&g, &d, &c); /* G = D+C */
fe25519_mul(&r->x, &e, &f);
fe25519_mul(&r->y, &h, &g);
fe25519_mul(&r->z, &g, &f);
fe25519_mul(&r->t, &e, &h);
}
static void ge25519_mixadd2(ge25519_p3 *r, const ge25519_aff *q)
{
fe25519 a,b,t1,t2,c,d,e,f,g,h,qt;
fe25519_mul(&qt, &q->x, &q->y);
fe25519_sub(&a, &r->y, &r->x); /* A = (Y1-X1)*(Y2-X2) */
fe25519_add(&b, &r->y, &r->x); /* B = (Y1+X1)*(Y2+X2) */
fe25519_sub(&t1, &q->y, &q->x);
fe25519_add(&t2, &q->y, &q->x);
fe25519_mul(&a, &a, &t1);
fe25519_mul(&b, &b, &t2);
fe25519_sub(&e, &b, &a); /* E = B-A */
fe25519_add(&h, &b, &a); /* H = B+A */
fe25519_mul(&c, &r->t, &qt); /* C = T1*k*T2 */
fe25519_mul(&c, &c, &ge25519_ec2d);
fe25519_add(&d, &r->z, &r->z); /* D = Z1*2 */
//here, you have to fully reduce &d because subtraction needs a <= p
fe25519_freeze(&d);
fe25519_sub(&f, &d, &c); /* F = D-C */
fe25519_add(&g, &d, &c); /* G = D+C */
fe25519_mul(&r->x, &e, &f);
fe25519_mul(&r->y, &h, &g);
fe25519_mul(&r->z, &g, &f);
fe25519_mul(&r->t, &e, &h); //XXX: For small tables we can remove this multiplication, as t is not used in doubling
}
int edmont_conv(unsigned char r[crypto_scalarmult_curve25519_BYTES],
const unsigned char p[ED25519_PUBLICKEYBYTES]) {
fe25519 u, y, num, den, inv, one;
fe25519_unpack(&y, p);
// u = (1 + y) / (1 -y)
fe25519_setone(&one);
fe25519_add(&num, &one, &y);
fe25519_sub(&den, &one, &y);
fe25519_invert(&inv, &den);
fe25519_mul(&u, &num, &inv);
fe25519_pack(r, &u);
return 0;
}
int
crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
const unsigned char *ed25519_pk)
{
ge25519_p3 A;
fe25519 x;
fe25519 one_minus_y;
if (ge25519_has_small_order(ed25519_pk) != 0 ||
ge25519_frombytes_negate_vartime(&A, ed25519_pk) != 0 ||
ge25519_is_on_main_subgroup(&A) == 0) {
return -1;
}
fe25519_1(one_minus_y);
fe25519_sub(one_minus_y, one_minus_y, A.Y);
fe25519_1(x);
fe25519_add(x, x, A.Y);
fe25519_invert(one_minus_y, one_minus_y);
fe25519_mul(x, x, one_minus_y);
fe25519_tobytes(curve25519_pk, x);
return 0;
}
static void p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p)
{
p1p1_to_p2((ge25519_p2 *)r, p);
fe25519_mul(&r->t, &p->x, &p->y);
}
static void p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p)
{
fe25519_mul(&r->x, &p->x, &p->t);
fe25519_mul(&r->y, &p->y, &p->z);
fe25519_mul(&r->z, &p->z, &p->t);
}
/* return 0 on success, -1 otherwise */
int ge25519_unpackneg_vartime(ge25519_p3 *r, const unsigned char p[32])
{
fe25519 t, chk, num, den, den2, den4, den6;
fe25519_setone(&r->z);
unsigned char par = p[31] >> 7;
fe25519_unpack(&r->y, p);
fe25519_square(&num, &r->y); /* x = y^2 */
fe25519_mul(&den, &num, &ge25519_ecd); /* den = dy^2 */
fe25519_sub(&num, &num, &r->z); /* x = y^2-1 */
fe25519_add(&den, &r->z, &den); /* den = dy^2+1 */
/* Computation of sqrt(num/den) */
/* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */
fe25519_square(&den2, &den);
fe25519_square(&den4, &den2);
fe25519_mul(&den6, &den4, &den2);
fe25519_mul(&t, &den6, &num);
fe25519_mul(&t, &t, &den);
fe25519_pow2523(&t, &t);
/* 2. computation of r->x = t * num * den^3 */
fe25519_mul(&t, &t, &num);
fe25519_mul(&t, &t, &den);
fe25519_mul(&t, &t, &den);
fe25519_mul(&r->x, &t, &den);
/* 3. Check whether sqrt computation gave correct result, multiply by sqrt(-1) if not: */
fe25519_square(&chk, &r->x);
fe25519_mul(&chk, &chk, &den);
if (!fe25519_iseq_vartime(&chk, &num))
fe25519_mul(&r->x, &r->x, &ge25519_sqrtm1);
/* 4. Now we have one of the two square roots, except if input was not a square */
fe25519_square(&chk, &r->x);
fe25519_mul(&chk, &chk, &den);
if (!fe25519_iseq_vartime(&chk, &num))
return -1;
/* 5. Choose the desired square root according to parity: */
if(fe25519_getparity(&r->x) != (1-par))
fe25519_neg(&r->x, &r->x);
fe25519_mul(&r->t, &r->x, &r->y);
return 0;
}
/* computes [s1]p1 + [s2]p2 */
void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3 *p1, const sc25519 *s1, const sc25519 *s2)
{
signed char slide1[256], slide2[256];
ge25519_pniels pre1[PRE1_SIZE], neg;
ge25519_p3 d1;
ge25519_p1p1 t;
ge25519_niels nneg;
fe25519 d;
int i;
sc25519_slide(slide1, s1, S1_SWINDOWSIZE);
sc25519_slide(slide2, s2, S2_SWINDOWSIZE);
/* precomputation */
pre1[0] = *(ge25519_pniels *)p1;
ge25519_dbl_p1p1(&t,(ge25519_p2 *)pre1); ge25519_p1p1_to_p3(&d1, &t);
/* Convert pre[0] to projective Niels representation */
d = pre1[0].ysubx;
fe25519_sub(&pre1[0].ysubx, &pre1[0].xaddy, &pre1[0].ysubx);
fe25519_add(&pre1[0].xaddy, &pre1[0].xaddy, &d);
fe25519_mul(&pre1[0].t2d, &pre1[0].t2d, &ec2d);
for(i=0;i<PRE1_SIZE-1;i++)
{
ge25519_pnielsadd_p1p1(&t, &d1, &pre1[i]); ge25519_p1p1_to_pniels(&pre1[i+1], &t);
}
setneutral(r);
for (i = 255;i >= 0;--i) {
if (slide1[i] || slide2[i]) goto firstbit;
}
for(;i>=0;i--)
{
firstbit:
ge25519_dbl_p1p1(&t, (ge25519_p2 *)r);
if(slide1[i]>0)
{
ge25519_p1p1_to_p3(r, &t);
ge25519_pnielsadd_p1p1(&t, r, &pre1[slide1[i]/2]);
}
else if(slide1[i]<0)
{
ge25519_p1p1_to_p3(r, &t);
neg = pre1[-slide1[i]/2];
d = neg.ysubx;
neg.ysubx = neg.xaddy;
neg.xaddy = d;
fe25519_neg(&neg.t2d, &neg.t2d);
ge25519_pnielsadd_p1p1(&t, r, &neg);
}
if(slide2[i]>0)
{
ge25519_p1p1_to_p3(r, &t);
ge25519_nielsadd_p1p1(&t, r, &pre2[slide2[i]/2]);
}
else if(slide2[i]<0)
{
ge25519_p1p1_to_p3(r, &t);
nneg = pre2[-slide2[i]/2];
d = nneg.ysubx;
nneg.ysubx = nneg.xaddy;
nneg.xaddy = d;
fe25519_neg(&nneg.t2d, &nneg.t2d);
ge25519_nielsadd_p1p1(&t, r, &nneg);
}
ge25519_p1p1_to_p2((ge25519_p2 *)r, &t);
}
}
void fe25519_pow2523(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t;
int i;
/* 2 */ fe25519_square(&z2,x);
/* 4 */ fe25519_square(&t,&z2);
/* 8 */ fe25519_square(&t,&t);
/* 9 */ fe25519_mul(&z9,&t,x);
/* 11 */ fe25519_mul(&z11,&z9,&z2);
/* 22 */ fe25519_square(&t,&z11);
/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9);
/* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0);
/* 2^10 - 2^5 */ for (i = 1;i < 5;i++) { fe25519_square(&t,&t); }
/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0);
/* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0);
/* 2^20 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0);
/* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0);
/* 2^40 - 2^20 */ for (i = 1;i < 20;i++) { fe25519_square(&t,&t); }
/* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0);
/* 2^41 - 2^1 */ fe25519_square(&t,&t);
/* 2^50 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); }
/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0);
/* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0);
/* 2^100 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0);
/* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0);
/* 2^200 - 2^100 */ for (i = 1;i < 100;i++) { fe25519_square(&t,&t); }
/* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0);
/* 2^201 - 2^1 */ fe25519_square(&t,&t);
/* 2^250 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); }
/* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0);
/* 2^251 - 2^1 */ fe25519_square(&t,&t);
/* 2^252 - 2^2 */ fe25519_square(&t,&t);
/* 2^252 - 3 */ fe25519_mul(r,&t,x);
}
void fe25519_invert(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t0;
fe25519 t1;
int i;
/* 2 */ fe25519_square(&z2,x);
/* 4 */ fe25519_square(&t1,&z2);
/* 8 */ fe25519_square(&t0,&t1);
/* 9 */ fe25519_mul(&z9,&t0,x);
/* 11 */ fe25519_mul(&z11,&z9,&z2);
/* 22 */ fe25519_square(&t0,&z11);
/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9);
/* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0);
/* 2^7 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^8 - 2^3 */ fe25519_square(&t0,&t1);
/* 2^9 - 2^4 */ fe25519_square(&t1,&t0);
/* 2^10 - 2^5 */ fe25519_square(&t0,&t1);
/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0);
/* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0);
/* 2^12 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0);
/* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0);
/* 2^22 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0);
/* 2^41 - 2^1 */ fe25519_square(&t1,&t0);
/* 2^42 - 2^2 */ fe25519_square(&t0,&t1);
/* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0);
/* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0);
/* 2^52 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0);
/* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0);
/* 2^102 - 2^2 */ fe25519_square(&t0,&t1);
/* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
/* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0);
/* 2^201 - 2^1 */ fe25519_square(&t0,&t1);
/* 2^202 - 2^2 */ fe25519_square(&t1,&t0);
/* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
/* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0);
/* 2^251 - 2^1 */ fe25519_square(&t1,&t0);
/* 2^252 - 2^2 */ fe25519_square(&t0,&t1);
/* 2^253 - 2^3 */ fe25519_square(&t1,&t0);
/* 2^254 - 2^4 */ fe25519_square(&t0,&t1);
/* 2^255 - 2^5 */ fe25519_square(&t1,&t0);
/* 2^255 - 21 */ fe25519_mul(r,&t1,&z11);
}
void fe25519_square(fe25519 *r, const fe25519 *x)
{
fe25519_mul(r, x, x);
}
void fe25519_pow2523(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
fe25519 z11;
fe25519 z2_5_0;
fe25519 z2_10_0;
fe25519 z2_20_0;
fe25519 z2_50_0;
fe25519 z2_100_0;
fe25519 t;
/* 2 */ fe25519_square(&z2,x);
/* 4 */ fe25519_square(&t,&z2);
/* 8 */ fe25519_square(&t,&t);
/* 9 */ fe25519_mul(&z9,&t,x);
/* 11 */ fe25519_mul(&z11,&z9,&z2);
/* 22 */ fe25519_square(&t,&z11);
/* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9);
/* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0);
/* 2^10 - 2^5 */ fe25519_nsquare(&t,4);
/* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0);
/* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0);
/* 2^20 - 2^10 */ fe25519_nsquare(&t,9);
/* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0);
/* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0);
/* 2^40 - 2^20 */ fe25519_nsquare(&t,19);
/* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0);
/* 2^41 - 2^1 */ fe25519_square(&t,&t);
/* 2^50 - 2^10 */ fe25519_nsquare(&t,9);
/* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0);
/* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0);
/* 2^100 - 2^50 */ fe25519_nsquare(&t,49);
/* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0);
/* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0);
/* 2^200 - 2^100 */ fe25519_nsquare(&t,99);
/* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0);
/* 2^201 - 2^1 */ fe25519_square(&t,&t);
/* 2^250 - 2^50 */ fe25519_nsquare(&t,49);
/* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0);
/* 2^251 - 2^1 */ fe25519_square(&t,&t);
/* 2^252 - 2^2 */ fe25519_square(&t,&t);
/* 2^252 - 3 */ fe25519_mul(r,&t,x);
}
