XEdDSA-0.4.6/0000755000175000017500000000000013407120556012512 5ustar useruser00000000000000XEdDSA-0.4.6/MANIFEST.in0000644000175000017500000000012313372774360014255 0ustar useruser00000000000000recursive-include ref10 build.py CMakeLists.txt README* *.c *.h prune ref10/build/ XEdDSA-0.4.6/ref10/0000755000175000017500000000000013407120556013427 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_core/0000755000175000017500000000000013407120556015757 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_core/crypto_core.h0000644000175000017500000000103313372774360020466 0ustar useruser00000000000000#ifndef crypto_core_H #define crypto_core_H #include "crypto_core_salsa20.h" #define crypto_core crypto_core_salsa20 #define crypto_core_OUTPUTBYTES crypto_core_salsa20_OUTPUTBYTES #define crypto_core_INPUTBYTES crypto_core_salsa20_INPUTBYTES #define crypto_core_KEYBYTES crypto_core_salsa20_KEYBYTES #define crypto_core_CONSTBYTES crypto_core_salsa20_CONSTBYTES #define crypto_core_PRIMITIVE "salsa20" #define crypto_core_IMPLEMENTATION crypto_core_salsa20_IMPLEMENTATION #define crypto_core_VERSION crypto_core_salsa20_VERSION #endif XEdDSA-0.4.6/ref10/crypto_core/api.h0000644000175000017500000000016313372774360016712 0ustar useruser00000000000000#define CRYPTO_OUTPUTBYTES 64 #define CRYPTO_INPUTBYTES 16 #define CRYPTO_KEYBYTES 32 #define CRYPTO_CONSTBYTES 16 XEdDSA-0.4.6/ref10/crypto_core/module.h0000644000175000017500000000077113372774360017433 0ustar useruser00000000000000// #include "api.h" #define CRYPTO_OUTPUTBYTES 64 #define CRYPTO_INPUTBYTES 16 #define CRYPTO_KEYBYTES 32 #define CRYPTO_CONSTBYTES 16 // #include "crypto_core_salsa20.h" #define crypto_core_salsa20_ref_OUTPUTBYTES 64 #define crypto_core_salsa20_ref_INPUTBYTES 16 #define crypto_core_salsa20_ref_KEYBYTES 32 #define crypto_core_salsa20_ref_CONSTBYTES 16 extern int crypto_core_salsa20_ref(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); // #include "crypto_core.h" 
XEdDSA-0.4.6/ref10/crypto_core/README0000644000175000017500000000005513372774360016650 0ustar useruser00000000000000This is the "ref" implementation of salsa20. XEdDSA-0.4.6/ref10/crypto_core/crypto_core_salsa20.h0000644000175000017500000000203613372774360022017 0ustar useruser00000000000000#include "cross_platform.h" #ifndef crypto_core_salsa20_H #define crypto_core_salsa20_H #define crypto_core_salsa20_ref_OUTPUTBYTES 64 #define crypto_core_salsa20_ref_INPUTBYTES 16 #define crypto_core_salsa20_ref_KEYBYTES 32 #define crypto_core_salsa20_ref_CONSTBYTES 16 #ifdef __cplusplus extern "C" { #endif extern int INTERFACE crypto_core_salsa20_ref(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); #ifdef __cplusplus } #endif #define crypto_core_salsa20 crypto_core_salsa20_ref #define crypto_core_salsa20_OUTPUTBYTES crypto_core_salsa20_ref_OUTPUTBYTES #define crypto_core_salsa20_INPUTBYTES crypto_core_salsa20_ref_INPUTBYTES #define crypto_core_salsa20_KEYBYTES crypto_core_salsa20_ref_KEYBYTES #define crypto_core_salsa20_CONSTBYTES crypto_core_salsa20_ref_CONSTBYTES #define crypto_core_salsa20_IMPLEMENTATION "crypto_core/salsa20/ref" #ifndef crypto_core_salsa20_ref_VERSION #define crypto_core_salsa20_ref_VERSION "-" #endif #define crypto_core_salsa20_VERSION crypto_core_salsa20_ref_VERSION #endif XEdDSA-0.4.6/ref10/crypto_core/core.c0000644000175000017500000000631713372774360017073 0ustar useruser00000000000000/* version 20080912 D. J. Bernstein Public domain. 
*/

#include "crypto_core.h"

/* Salsa20 round count; the loop in crypto_core() steps i down by two per pass. */
#define ROUNDS 20

/* NOTE(review): rotate() hard-codes a width of 32, so this typedef is only
   right where unsigned int is exactly 32 bits -- confirm for the target ABI. */
typedef unsigned int uint32;

/*
Rotate u left by c bits, assuming a 32-bit word.
c has to stay within 1..31: with c == 0 the right shift would be a shift by 32.
Every call in this file passes one of the constants 7, 9, 13 or 18.
*/
static uint32 rotate(uint32 u,int c)
{
  return (u << c) | (u >> (32 - c));
}

/* Assemble one word from x[0..3], least significant byte first. */
static uint32 load_littleendian(const unsigned char *x)
{
  return
      (uint32) (x[0]) \
  | (((uint32) (x[1])) << 8) \
  | (((uint32) (x[2])) << 16) \
  | (((uint32) (x[3])) << 24)
  ;
}

/* Write u to x[0..3], least significant byte first. */
static void store_littleendian(unsigned char *x,uint32 u)
{
  x[0] = u; u >>= 8;
  x[1] = u; u >>= 8;
  x[2] = u; u >>= 8;
  x[3] = u;
}

/*
Salsa20 core (crypto_core.h maps crypto_core to crypto_core_salsa20).

Reads 16 bytes from c, 32 bytes from k and 16 bytes from in, and writes
64 bytes to out. Neither the pointers nor any length is checked here, so
the caller must pass buffers of at least those sizes.

Always returns 0.

The body is word arithmetic only (add, xor, rotate by constants) and the one
loop counts rounds, so no branch or array index depends on k or in.

NOTE(review): the saved key words (j1..j4 and j11..j14) are not cleared
before returning.
*/
int crypto_core(
        unsigned char *out,
  const unsigned char *in,
  const unsigned char *k,
  const unsigned char *c
)
{
  uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
  uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
  int i;

  /* Load the 16 input words; each j keeps the initial value for the final addition. */
  j0 = x0 = load_littleendian(c + 0);
  j1 = x1 = load_littleendian(k + 0);
  j2 = x2 = load_littleendian(k + 4);
  j3 = x3 = load_littleendian(k + 8);
  j4 = x4 = load_littleendian(k + 12);
  j5 = x5 = load_littleendian(c + 4);
  j6 = x6 = load_littleendian(in + 0);
  j7 = x7 = load_littleendian(in + 4);
  j8 = x8 = load_littleendian(in + 8);
  j9 = x9 = load_littleendian(in + 12);
  j10 = x10 = load_littleendian(c + 8);
  j11 = x11 = load_littleendian(k + 16);
  j12 = x12 = load_littleendian(k + 20);
  j13 = x13 = load_littleendian(k + 24);
  j14 = x14 = load_littleendian(k + 28);
  j15 = x15 = load_littleendian(c + 12);

  for (i = ROUNDS;i > 0;i -= 2) {
    /* First round of the pair: words grouped by column of the 4x4 state. */
     x4 ^= rotate( x0+x12, 7);
     x8 ^= rotate( x4+ x0, 9);
    x12 ^= rotate( x8+ x4,13);
     x0 ^= rotate(x12+ x8,18);
     x9 ^= rotate( x5+ x1, 7);
    x13 ^= rotate( x9+ x5, 9);
     x1 ^= rotate(x13+ x9,13);
     x5 ^= rotate( x1+x13,18);
    x14 ^= rotate(x10+ x6, 7);
     x2 ^= rotate(x14+x10, 9);
     x6 ^= rotate( x2+x14,13);
    x10 ^= rotate( x6+ x2,18);
     x3 ^= rotate(x15+x11, 7);
     x7 ^= rotate( x3+x15, 9);
    x11 ^= rotate( x7+ x3,13);
    x15 ^= rotate(x11+ x7,18);
    /* Second round of the pair: words grouped by row. */
     x1 ^= rotate( x0+ x3, 7);
     x2 ^= rotate( x1+ x0, 9);
     x3 ^= rotate( x2+ x1,13);
     x0 ^= rotate( x3+ x2,18);
     x6 ^= rotate( x5+ x4, 7);
     x7 ^= rotate( x6+ x5, 9);
     x4 ^= rotate( x7+ x6,13);
     x5 ^= rotate( x4+ x7,18);
    x11 ^= rotate(x10+ x9, 7);
     x8 ^= rotate(x11+x10, 9);
     x9 ^= rotate( x8+x11,13);
    x10 ^= rotate( x9+ x8,18);
    x12 ^= rotate(x15+x14, 7);
    x13 ^= rotate(x12+x15, 9);
    x14 ^= rotate(x13+x12,13);
    x15 ^= rotate(x14+x13,18);
  }

  /* Add the saved input words back into the mixed state. */
  x0 += j0;
  x1 += j1;
  x2 += j2;
  x3 += j3;
  x4 += j4;
  x5 += j5;
  x6 += j6;
  x7 += j7;
  x8 += j8;
  x9 += j9;
  x10 += j10;
  x11 += j11;
  x12 += j12;
  x13 += j13;
  x14 += j14;
  x15 += j15;

  store_littleendian(out + 0,x0);
  store_littleendian(out + 4,x1);
  store_littleendian(out + 8,x2);
  store_littleendian(out + 12,x3);
  store_littleendian(out + 16,x4);
  store_littleendian(out + 20,x5);
  store_littleendian(out + 24,x6);
  store_littleendian(out + 28,x7);
  store_littleendian(out + 32,x8);
  store_littleendian(out + 36,x9);
  store_littleendian(out + 40,x10);
  store_littleendian(out + 44,x11);
  store_littleendian(out + 48,x12);
  store_littleendian(out + 52,x13);
  store_littleendian(out + 56,x14);
  store_littleendian(out + 60,x15);

  return 0;
}
XEdDSA-0.4.6/ref10/fastrandombytes/0000755000175000017500000000000013407120556016634 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/fastrandombytes/module.h0000644000175000017500000000026313372774360020304 0ustar useruser00000000000000
// #include "randombytes.h"
extern void randombytes(unsigned char *,unsigned long long);
extern unsigned long long randombytes_calls;
extern unsigned long long randombytes_bytes;
XEdDSA-0.4.6/ref10/fastrandombytes/fastrandombytes.c0000644000175000017500000000242613372774360022222 0ustar useruser00000000000000
/* NOTE(review): the header name after the first #include is missing in this
   copy; memcpy() and memset() used below are declared in <string.h>. */
#include
#include "kernelrandombytes.h"
#include "crypto_rng.h"
#include "randombytes.h"

/* Usage counters: number of randombytes() calls and total bytes requested. */
unsigned long long randombytes_calls = 0;
unsigned long long randombytes_bytes = 0;

/* Becomes 1 once g has been filled by kernelrandombytes(). */
static unsigned int init = 0;

/* Generator key; handed to crypto_rng() as both its second and third argument. */
static unsigned char g[crypto_rng_KEYBYTES];
/* One buffered block of generator output. */
static unsigned char r[crypto_rng_OUTPUTBYTES];
/* Read offset into r; the initial value crypto_rng_OUTPUTBYTES marks r as used up.
   NOTE(review): unlike init, g and r this object is not static, so the short
   name "pos" has external linkage. */
unsigned long long pos = crypto_rng_OUTPUTBYTES;

/*
Fill x[0..xlen-1] with generator output.

On the first call g is seeded through kernelrandombytes(); after that every
block comes from crypto_rng(out,g,g). crypto_rng is declared elsewhere --
presumably it writes crypto_rng_OUTPUTBYTES bytes to its first argument and
replaces the key in g; confirm against crypto_rng.h. Bytes taken from r are
overwritten with zero as soon as they have been copied out.

NOTE(review): init, g, r and pos are shared by all callers and this file has
no locking, so concurrent use needs external synchronisation. Nothing here
reseeds g after the first call either, so two processes that start from a copy
of this memory (for example after fork()) would continue from the same
generator state -- confirm how the embedding application deals with that.
*/
void randombytes(unsigned char *x,unsigned long long xlen)
{
  randombytes_calls += 1;
  randombytes_bytes += xlen;

  if (!init) {
    kernelrandombytes(g,sizeof g);
    init = 1;
  }

#ifdef SIMPLE
  /* Byte-at-a-time variant: refill r when it is used up, hand out one byte, zero it. */
  while (xlen > 0) {
    if (pos == crypto_rng_OUTPUTBYTES) {
      crypto_rng(r,g,g);
      pos = 0;
    }
    *x++ = r[pos]; xlen -= 1;
    r[pos++] = 0;
  }
#else /* same output but optimizing copies */
  while (xlen > 0) {
    unsigned long long ready;

    if (pos == crypto_rng_OUTPUTBYTES) {
      /* While more than one block is still wanted, generate straight into x. */
      while (xlen > crypto_rng_OUTPUTBYTES) {
        crypto_rng(x,g,g);
        x += crypto_rng_OUTPUTBYTES;
        xlen -= crypto_rng_OUTPUTBYTES;
      }
      /* Appears unreachable: the loop above stops with xlen still at least 1. */
      if (xlen == 0) return;

      crypto_rng(r,g,g);
      pos = 0;
    }

    /* Copy what r still holds (at most xlen bytes), then zero the part just used. */
    ready = crypto_rng_OUTPUTBYTES - pos;
    if (xlen <= ready) ready = xlen;
    memcpy(x,r + pos,ready);
    memset(r + pos,0,ready);
    x += ready;
    xlen -= ready;
    pos += ready;
  }
#endif
}
XEdDSA-0.4.6/ref10/fastrandombytes/randombytes.h0000644000175000017500000000051413372774360021345 0ustar useruser00000000000000
#include "cross_platform.h"

#ifndef randombytes_h
#define randombytes_h

#ifdef __cplusplus
extern "C" {
#endif

/* Public declarations for fastrandombytes.c; INTERFACE is not defined in this
   header (presumably it comes from cross_platform.h). */
extern void INTERFACE randombytes(unsigned char *,unsigned long long);
extern unsigned long long INTERFACE randombytes_calls;
extern unsigned long long INTERFACE randombytes_bytes;

#ifdef __cplusplus
}
#endif

#endif
XEdDSA-0.4.6/ref10/crypto_scalarmult/0000755000175000017500000000000013407120556017176 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_scalarmult/fe_add.c0000644000175000017500000000233313372774360020556 0ustar useruser00000000000000
#include "fe.h"

/*
h = f + g
Can overlap h with f or g.

Preconditions:
   |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
   |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions:
   |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/

/* Straight-line code: no branch or array index depends on a limb value. */
void fe_add(fe h,fe f,fe g)
{
  /* Every input limb is read before any store, which is what lets h alias f or g. */
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  crypto_int32 g0 = g[0];
  crypto_int32 g1 = g[1];
  crypto_int32 g2 = g[2];
  crypto_int32 g3 = g[3];
  crypto_int32 g4 = g[4];
  crypto_int32 g5 = g[5];
  crypto_int32 g6 = g[6];
  crypto_int32 g7 = g[7];
  crypto_int32 g8 = g[8];
  crypto_int32 g9 = g[9];
  /* Limb-by-limb sums with no carry step; staying inside crypto_int32 relies
     on the precondition bounds stated above this function. */
  crypto_int32 h0 = f0 + g0;
  crypto_int32 h1 = f1 + g1;
  crypto_int32 h2 = f2 + g2;
  crypto_int32 h3 = f3 + g3;
  crypto_int32 h4 = f4 + g4;
  crypto_int32 h5 = f5 + g5;
  crypto_int32 h6 = f6 + g6;
  crypto_int32 h7 = f7 + g7;
  crypto_int32 h8 = f8 + g8;
  crypto_int32 h9 = f9 + g9;
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
/* NOTE(review): in this copy the text of montgomery.h breaks off inside its
   first generated comment and resumes in the middle of a carry chain that
   apparently belongs to another file, so the ladder step itself is not shown. */
XEdDSA-0.4.6/ref10/crypto_scalarmult/montgomery.h0000644000175000017500000000546613372774360021573 0ustar useruser00000000000000 /* qhasm: fe X2 */ /* qhasm: fe Z2 */ /* qhasm: fe X3 */ /* qhasm: fe Z3 */ /* qhasm: fe X4 */ /* qhasm: fe Z4 */ /* qhasm: fe X5 */ /* qhasm: fe Z5 */ /* qhasm: fe A */ /* qhasm: fe B */ /* qhasm: fe C */ /* qhasm: fe D */ /* qhasm: fe E */ /* qhasm: fe AA */ /* qhasm: fe BB */ /* qhasm: fe DA */ /* qhasm: fe CB */ /* qhasm: fe t0 */ /* qhasm: fe t1 */ /* qhasm: fe t2 */ /* qhasm: fe t3 */ /* qhasm: fe t4 */ /* qhasm: enter ladder */ /* qhasm: D = X3-Z3 */ /* asm 1: fe_sub(>D=fe#5,D=tmp0,B=fe#6,B=tmp1,A=fe#1,A=x2,C=fe#2,C=z2,DA=fe#4,DA=z3,CB=fe#2,CB=z2,BB=fe#5,BB=tmp0,AA=fe#6,AA=tmp1,t0=fe#3,t0=x3,t1=fe#2,t1=z2,X4=fe#1,X4=x2,E=fe#6,E=tmp1,t2=fe#2,t2=z2,t3=fe#4,t3=z3,X5=fe#3,X5=x3,t4=fe#5,t4=tmp0,Z5=fe#4,x1,Z5=z3,x1,Z4=fe#2,Z4=z2,> 25; h0 += carry9 * 19; h9 -= carry9 << 25; carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; carry5 = (h5 + (crypto_int64) 
(1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; h[0] = h0; h[1] = h1; h[2] = h2; h[3] = h3; h[4] = h4; h[5] = h5; h[6] = h6; h[7] = h7; h[8] = h8; h[9] = h9; } XEdDSA-0.4.6/ref10/crypto_scalarmult/crypto_scalarmult_curve25519.h0000644000175000017500000000216313372774360024743 0ustar useruser00000000000000#include "cross_platform.h" #ifndef crypto_scalarmult_curve25519_H #define crypto_scalarmult_curve25519_H #define crypto_scalarmult_curve25519_ref10_BYTES 32 #define crypto_scalarmult_curve25519_ref10_SCALARBYTES 32 #ifdef __cplusplus extern "C" { #endif extern int INTERFACE crypto_scalarmult_curve25519_ref10(unsigned char *,const unsigned char *,const unsigned char *); extern int INTERFACE crypto_scalarmult_curve25519_ref10_base(unsigned char *,const unsigned char *); #ifdef __cplusplus } #endif #define crypto_scalarmult_curve25519 crypto_scalarmult_curve25519_ref10 #define crypto_scalarmult_curve25519_base crypto_scalarmult_curve25519_ref10_base #define crypto_scalarmult_curve25519_BYTES crypto_scalarmult_curve25519_ref10_BYTES #define crypto_scalarmult_curve25519_SCALARBYTES crypto_scalarmult_curve25519_ref10_SCALARBYTES #define crypto_scalarmult_curve25519_IMPLEMENTATION "crypto_scalarmult/curve25519/ref10" #ifndef crypto_scalarmult_curve25519_ref10_VERSION #define crypto_scalarmult_curve25519_ref10_VERSION "-" #endif #define crypto_scalarmult_curve25519_VERSION crypto_scalarmult_curve25519_ref10_VERSION #endif 
XEdDSA-0.4.6/ref10/crypto_scalarmult/base.c0000644000175000017500000000030413372774360020262 0ustar useruser00000000000000
#include "crypto_scalarmult.h"

/* Byte 0 is 9 and the other 31 bytes are zero; presumably the encoded
   Curve25519 base point. */
static const unsigned char basepoint[32] = {9};

/* Forwards to crypto_scalarmult(q,n,basepoint) and returns its result. */
int crypto_scalarmult_base(unsigned char *q,const unsigned char *n)
{
  return crypto_scalarmult(q,n,basepoint);
}
XEdDSA-0.4.6/ref10/crypto_scalarmult/fe_sub.c0000644000175000017500000000233313372774360020617 0ustar useruser00000000000000
#include "fe.h"

/*
h = f - g
Can overlap h with f or g.

Preconditions:
   |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
   |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions:
   |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/

/* Straight-line code: no branch or array index depends on a limb value. */
void fe_sub(fe h,fe f,fe g)
{
  /* Every input limb is read before any store, which is what lets h alias f or g. */
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  crypto_int32 g0 = g[0];
  crypto_int32 g1 = g[1];
  crypto_int32 g2 = g[2];
  crypto_int32 g3 = g[3];
  crypto_int32 g4 = g[4];
  crypto_int32 g5 = g[5];
  crypto_int32 g6 = g[6];
  crypto_int32 g7 = g[7];
  crypto_int32 g8 = g[8];
  crypto_int32 g9 = g[9];
  /* Limb-by-limb differences with no borrow step; staying inside crypto_int32
     relies on the precondition bounds above. */
  crypto_int32 h0 = f0 - g0;
  crypto_int32 h1 = f1 - g1;
  crypto_int32 h2 = f2 - g2;
  crypto_int32 h3 = f3 - g3;
  crypto_int32 h4 = f4 - g4;
  crypto_int32 h5 = f5 - g5;
  crypto_int32 h6 = f6 - g6;
  crypto_int32 h7 = f7 - g7;
  crypto_int32 h8 = f8 - g8;
  crypto_int32 h9 = f9 - g9;
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
XEdDSA-0.4.6/ref10/crypto_scalarmult/scalarmult.c0000644000175000017500000000142213372774360021521 0ustar useruser00000000000000
#include "crypto_scalarmult.h"
#include "fe.h"

/*
Scalar multiplication: q receives the product of scalar n and point p
(crypto_scalarmult.h maps this name to crypto_scalarmult_curve25519).

n is read as 32 bytes and copied into e, where the low three bits and the top
bit are cleared and bit 254 is set before use; n itself is not modified.
p is decoded by fe_frombytes() and q is written by fe_tobytes(); both helpers
are defined elsewhere.

The ladder loop always runs for bit positions 254 down to 0, and the byte
index e[pos / 8] depends only on the counter. Each scalar bit reaches the
field elements only through the flag given to fe_cswap() -- presumably a
branch-free conditional swap; confirm in its source.

Always returns 0.
NOTE(review): the result is not examined, so an all-zero q is returned like any
other value; a protocol that has to reject that output must compare q itself.
NOTE(review): e, which holds the clamped scalar, and the fe temporaries are not
cleared before returning.
*/
int crypto_scalarmult(unsigned char *q,
  const unsigned char *n,
  const unsigned char *p)
{
  unsigned char e[32];
  unsigned int i;
  fe x1;
  fe x2;
  fe z2;
  fe x3;
  fe z3;
  fe tmp0;
  fe tmp1;
  int pos;
  unsigned int swap;
  unsigned int b;

  for (i = 0;i < 32;++i) e[i] = n[i];
  /* Clamp the working copy: clear bits 0..2, clear bit 255, set bit 254. */
  e[0] &= 248;
  e[31] &= 127;
  e[31] |= 64;
  fe_frombytes(x1,p);
  fe_1(x2);
  fe_0(z2);
  fe_copy(x3,x1);
  fe_1(z3);

  swap = 0;
  for (pos = 254;pos >= 0;--pos) {
    b = e[pos / 8] >> (pos & 7);
    b &= 1;
    /* swap becomes 1 exactly when this bit differs from the previous one. */
    swap ^= b;
    fe_cswap(x2,x3,swap);
    fe_cswap(z2,z3,swap);
    swap = b;
    /* The ladder step is pulled in textually from montgomery.h. */
#include "montgomery.h"
  }
  /* Apply the swap still pending from the last bit. */
  fe_cswap(x2,x3,swap);
  fe_cswap(z2,z3,swap);

  /* Convert x2/z2 to a single value (x2 * z2^-1) and encode it into q. */
  fe_invert(z2,z2);
  fe_mul(x2,x2,z2);
  fe_tobytes(q,x2);
  return 0;
}
XEdDSA-0.4.6/ref10/crypto_scalarmult/crypto_scalarmult.h0000644000175000017500000000110313372774360023122 0ustar useruser00000000000000
#ifndef crypto_scalarmult_H
#define crypto_scalarmult_H

#include "crypto_scalarmult_curve25519.h"

/* Map the generic crypto_scalarmult names onto the curve25519 ones. */
#define crypto_scalarmult crypto_scalarmult_curve25519
#define crypto_scalarmult_base crypto_scalarmult_curve25519_base
#define crypto_scalarmult_BYTES crypto_scalarmult_curve25519_BYTES
#define crypto_scalarmult_SCALARBYTES crypto_scalarmult_curve25519_SCALARBYTES
#define crypto_scalarmult_PRIMITIVE "curve25519"
#define crypto_scalarmult_IMPLEMENTATION crypto_scalarmult_curve25519_IMPLEMENTATION
#define crypto_scalarmult_VERSION crypto_scalarmult_curve25519_VERSION

#endif
XEdDSA-0.4.6/ref10/crypto_scalarmult/pow225521.h0000644000175000017500000001262713372774360020656 0ustar useruser00000000000000 /* qhasm: fe z1 */ /* qhasm: fe z2 */ /* qhasm: fe z8 */ /* qhasm: fe z9 */ /* qhasm: fe z11 */ /* qhasm: fe z22 */ /* qhasm: fe z_5_0 */ /* qhasm: fe z_10_5 */ /* qhasm: fe z_10_0 */ /* qhasm: fe z_20_10 */ /* qhasm: fe z_20_0 */ /* qhasm: fe z_40_20 */ /* qhasm: fe z_40_0 */ /* qhasm: fe z_50_10 */ /* qhasm: fe z_50_0 */ /* qhasm: fe z_100_50 */ /* qhasm: fe z_100_0 */ /* qhasm: fe z_200_100 */ /* qhasm: fe z_200_0 */ /* qhasm: fe z_250_50 */ /* qhasm: fe z_250_0 */ /* qhasm: fe z_255_5 */ /* qhasm: fe z_255_21 */ /* qhasm: enter pow225521 */ /* qhasm: z2 = z1^2^1 */ /* asm 1: fe_sq(>z2=fe#1,z2=fe#1,>z2=fe#1); */ /* asm 2: fe_sq(>z2=t0,z2=t0,>z2=t0); */ fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0); /* qhasm: z8 = z2^2^2 */ /* asm 1: 
fe_sq(>z8=fe#2,z8=fe#2,>z8=fe#2); */ /* asm 2: fe_sq(>z8=t1,z8=t1,>z8=t1); */ fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1); /* qhasm: z9 = z1*z8 */ /* asm 1: fe_mul(>z9=fe#2,z9=t1,z11=fe#1,z11=t0,z22=fe#3,z22=fe#3,>z22=fe#3); */ /* asm 2: fe_sq(>z22=t2,z22=t2,>z22=t2); */ fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2); /* qhasm: z_5_0 = z9*z22 */ /* asm 1: fe_mul(>z_5_0=fe#2,z_5_0=t1,z_10_5=fe#3,z_10_5=fe#3,>z_10_5=fe#3); */ /* asm 2: fe_sq(>z_10_5=t2,z_10_5=t2,>z_10_5=t2); */ fe_sq(t2,t1); for (i = 1;i < 5;++i) fe_sq(t2,t2); /* qhasm: z_10_0 = z_10_5*z_5_0 */ /* asm 1: fe_mul(>z_10_0=fe#2,z_10_0=t1,z_20_10=fe#3,z_20_10=fe#3,>z_20_10=fe#3); */ /* asm 2: fe_sq(>z_20_10=t2,z_20_10=t2,>z_20_10=t2); */ fe_sq(t2,t1); for (i = 1;i < 10;++i) fe_sq(t2,t2); /* qhasm: z_20_0 = z_20_10*z_10_0 */ /* asm 1: fe_mul(>z_20_0=fe#3,z_20_0=t2,z_40_20=fe#4,z_40_20=fe#4,>z_40_20=fe#4); */ /* asm 2: fe_sq(>z_40_20=t3,z_40_20=t3,>z_40_20=t3); */ fe_sq(t3,t2); for (i = 1;i < 20;++i) fe_sq(t3,t3); /* qhasm: z_40_0 = z_40_20*z_20_0 */ /* asm 1: fe_mul(>z_40_0=fe#3,z_40_0=t2,z_50_10=fe#3,z_50_10=fe#3,>z_50_10=fe#3); */ /* asm 2: fe_sq(>z_50_10=t2,z_50_10=t2,>z_50_10=t2); */ fe_sq(t2,t2); for (i = 1;i < 10;++i) fe_sq(t2,t2); /* qhasm: z_50_0 = z_50_10*z_10_0 */ /* asm 1: fe_mul(>z_50_0=fe#2,z_50_0=t1,z_100_50=fe#3,z_100_50=fe#3,>z_100_50=fe#3); */ /* asm 2: fe_sq(>z_100_50=t2,z_100_50=t2,>z_100_50=t2); */ fe_sq(t2,t1); for (i = 1;i < 50;++i) fe_sq(t2,t2); /* qhasm: z_100_0 = z_100_50*z_50_0 */ /* asm 1: fe_mul(>z_100_0=fe#3,z_100_0=t2,z_200_100=fe#4,z_200_100=fe#4,>z_200_100=fe#4); */ /* asm 2: fe_sq(>z_200_100=t3,z_200_100=t3,>z_200_100=t3); */ fe_sq(t3,t2); for (i = 1;i < 100;++i) fe_sq(t3,t3); /* qhasm: z_200_0 = z_200_100*z_100_0 */ /* asm 1: fe_mul(>z_200_0=fe#3,z_200_0=t2,z_250_50=fe#3,z_250_50=fe#3,>z_250_50=fe#3); */ /* asm 2: fe_sq(>z_250_50=t2,z_250_50=t2,>z_250_50=t2); */ fe_sq(t2,t2); for (i = 1;i < 50;++i) fe_sq(t2,t2); /* qhasm: z_250_0 = z_250_50*z_50_0 */ /* asm 1: 
fe_mul(>z_250_0=fe#2,z_250_0=t1,z_255_5=fe#2,z_255_5=fe#2,>z_255_5=fe#2); */ /* asm 2: fe_sq(>z_255_5=t1,z_255_5=t1,>z_255_5=t1); */ fe_sq(t1,t1); for (i = 1;i < 5;++i) fe_sq(t1,t1); /* qhasm: z_255_21 = z_255_5*z11 */ /* asm 1: fe_mul(>z_255_21=fe#12,z_255_21=out,> 26; h1 += carry0; h0 -= carry0 << 26; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; h[0] = h0; h[1] = h1; h[2] = h2; h[3] = h3; h[4] = h4; h[5] = h5; h[6] = h6; h[7] = h7; h[8] = h8; h[9] = h9; } XEdDSA-0.4.6/ref10/crypto_scalarmult/module.h0000644000175000017500000000315213372774360020646 0ustar useruser00000000000000// #include "api.h" #define CRYPTO_BYTES 32 #define CRYPTO_SCALARBYTES 32 // #include // #include "crypto_int32.h" typedef int32_t crypto_int32; // #include "crypto_scalarmult_curve25519.h" #define crypto_scalarmult_curve25519_ref10_BYTES 32 #define crypto_scalarmult_curve25519_ref10_SCALARBYTES 32 extern int crypto_scalarmult_curve25519_ref10(unsigned char *,const unsigned char *,const unsigned char *); extern int crypto_scalarmult_curve25519_ref10_base(unsigned char *,const unsigned char *); // #include "crypto_scalarmult.h" // #include "fe.h" typedef crypto_int32 
fe[10]; /* fe means field element. Here the field is \Z/(2^255-19). An element t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on context. */ extern void crypto_scalarmult_curve25519_ref10_fe_frombytes(fe,const unsigned char *); extern void crypto_scalarmult_curve25519_ref10_fe_tobytes(unsigned char *,fe); extern void crypto_scalarmult_curve25519_ref10_fe_copy(fe,fe); extern void crypto_scalarmult_curve25519_ref10_fe_0(fe); extern void crypto_scalarmult_curve25519_ref10_fe_1(fe); extern void crypto_scalarmult_curve25519_ref10_fe_cswap(fe,fe,unsigned int); extern void crypto_scalarmult_curve25519_ref10_fe_add(fe,fe,fe); extern void crypto_scalarmult_curve25519_ref10_fe_sub(fe,fe,fe); extern void crypto_scalarmult_curve25519_ref10_fe_mul(fe,fe,fe); extern void crypto_scalarmult_curve25519_ref10_fe_sq(fe,fe); extern void crypto_scalarmult_curve25519_ref10_fe_mul121666(fe,fe); extern void crypto_scalarmult_curve25519_ref10_fe_invert(fe,fe); XEdDSA-0.4.6/ref10/crypto_scalarmult/fe_mul121666.c0000644000175000017500000000422713372774360021315 0ustar useruser00000000000000#include "fe.h" #include "crypto_int64.h" /* h = f * 121666 Can overlap h with f. Preconditions: |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. Postconditions: |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 
*/

/* Straight-line code: no branch or array index depends on a limb value. */
void fe_mul121666(fe h,fe f)
{
  /* Every input limb is read before any store, which is what lets h alias f. */
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  /* The constant is widened to crypto_int64, so each product is computed in 64 bits. */
  crypto_int64 h0 = f0 * (crypto_int64) 121666;
  crypto_int64 h1 = f1 * (crypto_int64) 121666;
  crypto_int64 h2 = f2 * (crypto_int64) 121666;
  crypto_int64 h3 = f3 * (crypto_int64) 121666;
  crypto_int64 h4 = f4 * (crypto_int64) 121666;
  crypto_int64 h5 = f5 * (crypto_int64) 121666;
  crypto_int64 h6 = f6 * (crypto_int64) 121666;
  crypto_int64 h7 = f7 * (crypto_int64) 121666;
  crypto_int64 h8 = f8 * (crypto_int64) 121666;
  crypto_int64 h9 = f9 * (crypto_int64) 121666;
  crypto_int64 carry0;
  crypto_int64 carry1;
  crypto_int64 carry2;
  crypto_int64 carry3;
  crypto_int64 carry4;
  crypto_int64 carry5;
  crypto_int64 carry6;
  crypto_int64 carry7;
  crypto_int64 carry8;
  crypto_int64 carry9;

  /* Carry pass over the odd limbs (25 bits each). Adding 2^24 before the shift
     rounds the carry to nearest, so the limb that remains may be negative.
     The carry out of h9 has weight 2^255 and is folded into h0 times 19,
     since the field is Z/(2^255-19).
     NOTE(review): limbs are signed, so these lines right-shift and left-shift
     possibly negative crypto_int64 values; ISO C leaves the former
     implementation-defined and the latter undefined -- confirm the compiler
     in use gives the arithmetic-shift result this code expects. */
  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;

  /* Carry pass over the even limbs (26 bits each), same rounding with 2^25. */
  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;

  /* Stores narrow crypto_int64 to crypto_int32; the postcondition bounds stated
     above this function are what keep that lossless. */
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
XEdDSA-0.4.6/ref10/crypto_scalarmult/README0000644000175000017500000000001713372774360020065 0ustar useruser00000000000000Public domain. 
XEdDSA-0.4.6/ref10/crypto_scalarmult/fe_mul.c0000644000175000017500000002472013372774360020627 0ustar useruser00000000000000#include "fe.h" #include "crypto_int64.h" /* h = f * g Can overlap h with f or g. Preconditions: |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. Postconditions: |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */ /* Notes on implementation strategy: Using schoolbook multiplication. Karatsuba would save a little in some cost models. Most multiplications by 2 and 19 are 32-bit precomputations; cheaper than 64-bit postcomputations. There is one remaining multiplication by 19 in the carry chain; one *19 precomputation can be merged into this, but the resulting data flow is considerably less clean. There are 12 carries below. 10 of them are 2-way parallelizable and vectorizable. Can get away with 11 carries, but then data flow is much deeper. With tighter constraints on inputs can squeeze carries into int32. 
*/ void fe_mul(fe h,fe f,fe g) { crypto_int32 f0 = f[0]; crypto_int32 f1 = f[1]; crypto_int32 f2 = f[2]; crypto_int32 f3 = f[3]; crypto_int32 f4 = f[4]; crypto_int32 f5 = f[5]; crypto_int32 f6 = f[6]; crypto_int32 f7 = f[7]; crypto_int32 f8 = f[8]; crypto_int32 f9 = f[9]; crypto_int32 g0 = g[0]; crypto_int32 g1 = g[1]; crypto_int32 g2 = g[2]; crypto_int32 g3 = g[3]; crypto_int32 g4 = g[4]; crypto_int32 g5 = g[5]; crypto_int32 g6 = g[6]; crypto_int32 g7 = g[7]; crypto_int32 g8 = g[8]; crypto_int32 g9 = g[9]; crypto_int32 g1_19 = 19 * g1; /* 1.4*2^29 */ crypto_int32 g2_19 = 19 * g2; /* 1.4*2^30; still ok */ crypto_int32 g3_19 = 19 * g3; crypto_int32 g4_19 = 19 * g4; crypto_int32 g5_19 = 19 * g5; crypto_int32 g6_19 = 19 * g6; crypto_int32 g7_19 = 19 * g7; crypto_int32 g8_19 = 19 * g8; crypto_int32 g9_19 = 19 * g9; crypto_int32 f1_2 = 2 * f1; crypto_int32 f3_2 = 2 * f3; crypto_int32 f5_2 = 2 * f5; crypto_int32 f7_2 = 2 * f7; crypto_int32 f9_2 = 2 * f9; crypto_int64 f0g0 = f0 * (crypto_int64) g0; crypto_int64 f0g1 = f0 * (crypto_int64) g1; crypto_int64 f0g2 = f0 * (crypto_int64) g2; crypto_int64 f0g3 = f0 * (crypto_int64) g3; crypto_int64 f0g4 = f0 * (crypto_int64) g4; crypto_int64 f0g5 = f0 * (crypto_int64) g5; crypto_int64 f0g6 = f0 * (crypto_int64) g6; crypto_int64 f0g7 = f0 * (crypto_int64) g7; crypto_int64 f0g8 = f0 * (crypto_int64) g8; crypto_int64 f0g9 = f0 * (crypto_int64) g9; crypto_int64 f1g0 = f1 * (crypto_int64) g0; crypto_int64 f1g1_2 = f1_2 * (crypto_int64) g1; crypto_int64 f1g2 = f1 * (crypto_int64) g2; crypto_int64 f1g3_2 = f1_2 * (crypto_int64) g3; crypto_int64 f1g4 = f1 * (crypto_int64) g4; crypto_int64 f1g5_2 = f1_2 * (crypto_int64) g5; crypto_int64 f1g6 = f1 * (crypto_int64) g6; crypto_int64 f1g7_2 = f1_2 * (crypto_int64) g7; crypto_int64 f1g8 = f1 * (crypto_int64) g8; crypto_int64 f1g9_38 = f1_2 * (crypto_int64) g9_19; crypto_int64 f2g0 = f2 * (crypto_int64) g0; crypto_int64 f2g1 = f2 * (crypto_int64) g1; crypto_int64 f2g2 = f2 * (crypto_int64) g2; 
crypto_int64 f2g3 = f2 * (crypto_int64) g3; crypto_int64 f2g4 = f2 * (crypto_int64) g4; crypto_int64 f2g5 = f2 * (crypto_int64) g5; crypto_int64 f2g6 = f2 * (crypto_int64) g6; crypto_int64 f2g7 = f2 * (crypto_int64) g7; crypto_int64 f2g8_19 = f2 * (crypto_int64) g8_19; crypto_int64 f2g9_19 = f2 * (crypto_int64) g9_19; crypto_int64 f3g0 = f3 * (crypto_int64) g0; crypto_int64 f3g1_2 = f3_2 * (crypto_int64) g1; crypto_int64 f3g2 = f3 * (crypto_int64) g2; crypto_int64 f3g3_2 = f3_2 * (crypto_int64) g3; crypto_int64 f3g4 = f3 * (crypto_int64) g4; crypto_int64 f3g5_2 = f3_2 * (crypto_int64) g5; crypto_int64 f3g6 = f3 * (crypto_int64) g6; crypto_int64 f3g7_38 = f3_2 * (crypto_int64) g7_19; crypto_int64 f3g8_19 = f3 * (crypto_int64) g8_19; crypto_int64 f3g9_38 = f3_2 * (crypto_int64) g9_19; crypto_int64 f4g0 = f4 * (crypto_int64) g0; crypto_int64 f4g1 = f4 * (crypto_int64) g1; crypto_int64 f4g2 = f4 * (crypto_int64) g2; crypto_int64 f4g3 = f4 * (crypto_int64) g3; crypto_int64 f4g4 = f4 * (crypto_int64) g4; crypto_int64 f4g5 = f4 * (crypto_int64) g5; crypto_int64 f4g6_19 = f4 * (crypto_int64) g6_19; crypto_int64 f4g7_19 = f4 * (crypto_int64) g7_19; crypto_int64 f4g8_19 = f4 * (crypto_int64) g8_19; crypto_int64 f4g9_19 = f4 * (crypto_int64) g9_19; crypto_int64 f5g0 = f5 * (crypto_int64) g0; crypto_int64 f5g1_2 = f5_2 * (crypto_int64) g1; crypto_int64 f5g2 = f5 * (crypto_int64) g2; crypto_int64 f5g3_2 = f5_2 * (crypto_int64) g3; crypto_int64 f5g4 = f5 * (crypto_int64) g4; crypto_int64 f5g5_38 = f5_2 * (crypto_int64) g5_19; crypto_int64 f5g6_19 = f5 * (crypto_int64) g6_19; crypto_int64 f5g7_38 = f5_2 * (crypto_int64) g7_19; crypto_int64 f5g8_19 = f5 * (crypto_int64) g8_19; crypto_int64 f5g9_38 = f5_2 * (crypto_int64) g9_19; crypto_int64 f6g0 = f6 * (crypto_int64) g0; crypto_int64 f6g1 = f6 * (crypto_int64) g1; crypto_int64 f6g2 = f6 * (crypto_int64) g2; crypto_int64 f6g3 = f6 * (crypto_int64) g3; crypto_int64 f6g4_19 = f6 * (crypto_int64) g4_19; crypto_int64 f6g5_19 = f6 * 
(crypto_int64) g5_19; crypto_int64 f6g6_19 = f6 * (crypto_int64) g6_19; crypto_int64 f6g7_19 = f6 * (crypto_int64) g7_19; crypto_int64 f6g8_19 = f6 * (crypto_int64) g8_19; crypto_int64 f6g9_19 = f6 * (crypto_int64) g9_19; crypto_int64 f7g0 = f7 * (crypto_int64) g0; crypto_int64 f7g1_2 = f7_2 * (crypto_int64) g1; crypto_int64 f7g2 = f7 * (crypto_int64) g2; crypto_int64 f7g3_38 = f7_2 * (crypto_int64) g3_19; crypto_int64 f7g4_19 = f7 * (crypto_int64) g4_19; crypto_int64 f7g5_38 = f7_2 * (crypto_int64) g5_19; crypto_int64 f7g6_19 = f7 * (crypto_int64) g6_19; crypto_int64 f7g7_38 = f7_2 * (crypto_int64) g7_19; crypto_int64 f7g8_19 = f7 * (crypto_int64) g8_19; crypto_int64 f7g9_38 = f7_2 * (crypto_int64) g9_19; crypto_int64 f8g0 = f8 * (crypto_int64) g0; crypto_int64 f8g1 = f8 * (crypto_int64) g1; crypto_int64 f8g2_19 = f8 * (crypto_int64) g2_19; crypto_int64 f8g3_19 = f8 * (crypto_int64) g3_19; crypto_int64 f8g4_19 = f8 * (crypto_int64) g4_19; crypto_int64 f8g5_19 = f8 * (crypto_int64) g5_19; crypto_int64 f8g6_19 = f8 * (crypto_int64) g6_19; crypto_int64 f8g7_19 = f8 * (crypto_int64) g7_19; crypto_int64 f8g8_19 = f8 * (crypto_int64) g8_19; crypto_int64 f8g9_19 = f8 * (crypto_int64) g9_19; crypto_int64 f9g0 = f9 * (crypto_int64) g0; crypto_int64 f9g1_38 = f9_2 * (crypto_int64) g1_19; crypto_int64 f9g2_19 = f9 * (crypto_int64) g2_19; crypto_int64 f9g3_38 = f9_2 * (crypto_int64) g3_19; crypto_int64 f9g4_19 = f9 * (crypto_int64) g4_19; crypto_int64 f9g5_38 = f9_2 * (crypto_int64) g5_19; crypto_int64 f9g6_19 = f9 * (crypto_int64) g6_19; crypto_int64 f9g7_38 = f9_2 * (crypto_int64) g7_19; crypto_int64 f9g8_19 = f9 * (crypto_int64) g8_19; crypto_int64 f9g9_38 = f9_2 * (crypto_int64) g9_19; crypto_int64 h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; crypto_int64 h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; crypto_int64 h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; 
crypto_int64 h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; crypto_int64 h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; crypto_int64 h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; crypto_int64 h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; crypto_int64 h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; crypto_int64 h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38; crypto_int64 h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; crypto_int64 carry0; crypto_int64 carry1; crypto_int64 carry2; crypto_int64 carry3; crypto_int64 carry4; crypto_int64 carry5; crypto_int64 carry6; crypto_int64 carry7; crypto_int64 carry8; crypto_int64 carry9; /* |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38)) i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8 |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19)) i.e. 
|h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9 */ carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; /* |h0| <= 2^25 */ /* |h4| <= 2^25 */ /* |h1| <= 1.51*2^58 */ /* |h5| <= 1.51*2^58 */ carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; /* |h1| <= 2^24; from now on fits into int32 */ /* |h5| <= 2^24; from now on fits into int32 */ /* |h2| <= 1.21*2^59 */ /* |h6| <= 1.21*2^59 */ carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; /* |h2| <= 2^25; from now on fits into int32 unchanged */ /* |h6| <= 2^25; from now on fits into int32 unchanged */ /* |h3| <= 1.51*2^58 */ /* |h7| <= 1.51*2^58 */ carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; /* |h3| <= 2^24; from now on fits into int32 unchanged */ /* |h7| <= 2^24; from now on fits into int32 unchanged */ /* |h4| <= 1.52*2^33 */ /* |h8| <= 1.52*2^33 */ carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; /* |h4| <= 2^25; from now on fits into int32 unchanged */ /* |h8| <= 2^25; from now on fits into int32 unchanged */ /* |h5| <= 1.01*2^24 */ /* |h9| <= 1.51*2^58 */ carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; /* |h9| <= 2^24; from now on fits into int32 unchanged */ /* |h0| <= 1.8*2^37 */ carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; /* |h0| <= 2^25; from now on fits into int32 unchanged */ /* |h1| <= 1.01*2^24 */ h[0] = h0; h[1] = h1; h[2] = h2; h[3] = h3; h[4] = h4; h[5] = h5; h[6] = h6; h[7] = h7; h[8] 
= h8; h[9] = h9; } XEdDSA-0.4.6/ref10/crypto_scalarmult/fe_tobytes.c0000644000175000017500000000615713372774360021527 0ustar useruser00000000000000#include "fe.h" /* Preconditions: |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. Write p=2^255-19; q=floor(h/p). Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). Proof: Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4. Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). Then 0> 25; q = (h0 + q) >> 26; q = (h1 + q) >> 25; q = (h2 + q) >> 26; q = (h3 + q) >> 25; q = (h4 + q) >> 26; q = (h5 + q) >> 25; q = (h6 + q) >> 26; q = (h7 + q) >> 25; q = (h8 + q) >> 26; q = (h9 + q) >> 25; /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ h0 += 19 * q; /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26; carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25; carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26; carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25; carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26; carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25; carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26; carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25; carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26; carry9 = h9 >> 25; h9 -= carry9 << 25; /* h10 = carry9 */ /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. Have h0+...+2^230 h9 between 0 and 2^255-1; evidently 2^255 h10-2^255 q = 0. Goal: Output h0+...+2^230 h9. 
*/ s[0] = h0 >> 0; s[1] = h0 >> 8; s[2] = h0 >> 16; s[3] = (h0 >> 24) | (h1 << 2); s[4] = h1 >> 6; s[5] = h1 >> 14; s[6] = (h1 >> 22) | (h2 << 3); s[7] = h2 >> 5; s[8] = h2 >> 13; s[9] = (h2 >> 21) | (h3 << 5); s[10] = h3 >> 3; s[11] = h3 >> 11; s[12] = (h3 >> 19) | (h4 << 6); s[13] = h4 >> 2; s[14] = h4 >> 10; s[15] = h4 >> 18; s[16] = h5 >> 0; s[17] = h5 >> 8; s[18] = h5 >> 16; s[19] = (h5 >> 24) | (h6 << 1); s[20] = h6 >> 7; s[21] = h6 >> 15; s[22] = (h6 >> 23) | (h7 << 3); s[23] = h7 >> 5; s[24] = h7 >> 13; s[25] = (h7 >> 21) | (h8 << 4); s[26] = h8 >> 4; s[27] = h8 >> 12; s[28] = (h8 >> 20) | (h9 << 6); s[29] = h9 >> 2; s[30] = h9 >> 10; s[31] = h9 >> 18; } XEdDSA-0.4.6/ref10/crypto_scalarmult/fe_copy.c0000644000175000017500000000070013372774360020774 0ustar useruser00000000000000#include "fe.h" /* h = f */ void fe_copy(fe h,fe f) { crypto_int32 f0 = f[0]; crypto_int32 f1 = f[1]; crypto_int32 f2 = f[2]; crypto_int32 f3 = f[3]; crypto_int32 f4 = f[4]; crypto_int32 f5 = f[5]; crypto_int32 f6 = f[6]; crypto_int32 f7 = f[7]; crypto_int32 f8 = f[8]; crypto_int32 f9 = f[9]; h[0] = f0; h[1] = f1; h[2] = f2; h[3] = f3; h[4] = f4; h[5] = f5; h[6] = f6; h[7] = f7; h[8] = f8; h[9] = f9; } XEdDSA-0.4.6/ref10/crypto_scalarmult/fe_invert.c0000644000175000017500000000020113372774360021325 0ustar useruser00000000000000#include "fe.h" void fe_invert(fe out,fe z) { fe t0; fe t1; fe t2; fe t3; int i; #include "pow225521.h" return; } XEdDSA-0.4.6/ref10/CMakeLists.txt0000644000175000017500000003544713372774360016215 0ustar useruser00000000000000cmake_minimum_required(VERSION 3.5) include(CheckSymbolExists) if (UNIX) CHECK_SYMBOL_EXISTS(getentropy "sys/random.h" RANDOM_SOURCE_getentropy) CHECK_SYMBOL_EXISTS(getentropy "unistd.h" RANDOM_SOURCE_getentropy2) CHECK_SYMBOL_EXISTS(getrandom "unistd.h;sys/random.h" RANDOM_SOURCE_getrandom) CHECK_SYMBOL_EXISTS(getrandom "unistd.h;linux/random.h" RANDOM_SOURCE_getrandom2) CHECK_SYMBOL_EXISTS(SYS_getrandom "unistd.h;syscall.h" 
RANDOM_SOURCE_getrandom3) if (RANDOM_SOURCE_getentropy OR RANDOM_SOURCE_getentropy2 OR RANDOM_SOURCE_getrandom OR RANDOM_SOURCE_getrandom2 OR RANDOM_SOURCE_getrandom3) set(RANDOM_SOURCE_urandom FALSE) else () set(RANDOM_SOURCE_urandom TRUE) endif () else (UNIX) set(RANDOM_SOURCE_getentropy FALSE) set(RANDOM_SOURCE_getentropy2 FALSE) set(RANDOM_SOURCE_getrandom FALSE) set(RANDOM_SOURCE_getrandom2 FALSE) set(RANDOM_SOURCE_getrandom3 FALSE) set(RANDOM_SOURCE_urandom FALSE) endif (UNIX) if (WIN32) set(RANDOM_SOURCE_rtlgenrandom TRUE) else (WIN32) set(RANDOM_SOURCE_rtlgenrandom FALSE) endif (WIN32) if (NOT (UNIX OR WIN32)) message(FATAL_ERROR "Unsupported operating system (neither UNIX nor Windows). CMake will exit.") endif () set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${PROJECT_SOURCE_DIR}/bin) set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${PROJECT_SOURCE_DIR}/bin) set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${PROJECT_SOURCE_DIR}/bin) foreach (OUTPUTCONFIG ${CMAKE_CONFIGURATION_TYPES}) string(TOUPPER ${OUTPUTCONFIG} OUTPUTCONFIG) set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_${OUTPUTCONFIG} ${PROJECT_SOURCE_DIR}/bin) set(CMAKE_LIBRARY_OUTPUT_DIRECTORY_${OUTPUTCONFIG} ${PROJECT_SOURCE_DIR}/bin) set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY_${OUTPUTCONFIG} ${PROJECT_SOURCE_DIR}/bin) endforeach () if (WIN32) # When using the MinGW generator on Windows, the generated files are prefixed with # "lib" and use the extension ".a" instead of ".lib". This is not Windows convention. # Using following global settings it is possible to correct most of these issues. # Sadly, these global settings don't apply to import libraries. These have to be # corrected for each single target. 
set(CMAKE_STATIC_LIBRARY_PREFIX "") set(CMAKE_SHARED_LIBRARY_PREFIX "") set(CMAKE_STATIC_LIBRARY_SUFFIX ".lib") endif (WIN32) include_directories(include) ############### # crypto_core # ############### set(crypto_core_sources crypto_core/core.c ) add_library(crypto_core_objects OBJECT ${crypto_core_sources}) set_property(TARGET crypto_core_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_core_objects PRIVATE BUILD) add_library(crypto_core_static STATIC $) add_library(crypto_core_dynamic SHARED $) if (WIN32) # Correct the import library. set_target_properties(crypto_core_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_core_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ############### # crypto_hash # ############### set(crypto_hash_sources crypto_hash/hash.c ) add_library(crypto_hash_objects OBJECT ${crypto_hash_sources}) set_property(TARGET crypto_hash_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_hash_objects PRIVATE BUILD) add_library(crypto_hash_static STATIC $) add_library(crypto_hash_dynamic SHARED $) if (WIN32) # Correct the import library. set_target_properties(crypto_hash_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_hash_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ##################### # crypto_hashblocks # ##################### set(crypto_hashblocks_sources crypto_hashblocks/blocks.c ) add_library(crypto_hashblocks_objects OBJECT ${crypto_hashblocks_sources}) set_property(TARGET crypto_hashblocks_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_hashblocks_objects PRIVATE BUILD) add_library(crypto_hashblocks_static STATIC $) add_library(crypto_hashblocks_dynamic SHARED $) if (WIN32) # Correct the import library. 
set_target_properties(crypto_hashblocks_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_hashblocks_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ############## # crypto_rng # ############## set(crypto_rng_sources crypto_rng/rng.c ) add_library(crypto_rng_objects OBJECT ${crypto_rng_sources}) set_property(TARGET crypto_rng_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_rng_objects PRIVATE BUILD) add_library(crypto_rng_static STATIC $) add_library(crypto_rng_dynamic SHARED $) if (WIN32) # Correct the import library. set_target_properties(crypto_rng_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_rng_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ##################### # crypto_scalarmult # ##################### set(crypto_scalarmult_sources crypto_scalarmult/base.c crypto_scalarmult/fe_0.c crypto_scalarmult/fe_1.c crypto_scalarmult/fe_add.c crypto_scalarmult/fe_copy.c crypto_scalarmult/fe_cswap.c crypto_scalarmult/fe_frombytes.c crypto_scalarmult/fe_invert.c crypto_scalarmult/fe_mul121666.c crypto_scalarmult/fe_mul.c crypto_scalarmult/fe_sq.c crypto_scalarmult/fe_sub.c crypto_scalarmult/fe_tobytes.c crypto_scalarmult/scalarmult.c ) add_library(crypto_scalarmult_objects OBJECT ${crypto_scalarmult_sources}) set_property(TARGET crypto_scalarmult_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_scalarmult_objects PRIVATE BUILD) add_library(crypto_scalarmult_static STATIC $) add_library(crypto_scalarmult_dynamic SHARED $) if (WIN32) # Correct the import library. 
set_target_properties(crypto_scalarmult_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_scalarmult_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ############### # crypto_sign # ############### set(crypto_sign_sources crypto_sign/fe_0.c crypto_sign/fe_1.c crypto_sign/fe_add.c crypto_sign/fe_cmov.c crypto_sign/fe_copy.c crypto_sign/fe_frombytes.c crypto_sign/fe_invert.c crypto_sign/fe_isnegative.c crypto_sign/fe_isnonzero.c crypto_sign/fe_mul.c crypto_sign/fe_neg.c crypto_sign/fe_pow22523.c crypto_sign/fe_sq2.c crypto_sign/fe_sq.c crypto_sign/fe_sub.c crypto_sign/fe_tobytes.c crypto_sign/ge_add.c crypto_sign/ge_double_scalarmult.c crypto_sign/ge_frombytes.c crypto_sign/ge_madd.c crypto_sign/ge_msub.c crypto_sign/ge_p1p1_to_p2.c crypto_sign/ge_p1p1_to_p3.c crypto_sign/ge_p2_0.c crypto_sign/ge_p2_dbl.c crypto_sign/ge_p3_0.c crypto_sign/ge_p3_dbl.c crypto_sign/ge_p3_tobytes.c crypto_sign/ge_p3_to_cached.c crypto_sign/ge_p3_to_p2.c crypto_sign/ge_precomp_0.c crypto_sign/ge_scalarmult_base.c crypto_sign/ge_sub.c crypto_sign/ge_tobytes.c crypto_sign/keypair.c crypto_sign/open.c crypto_sign/sc_muladd.c crypto_sign/sc_reduce.c crypto_sign/sign.c ) add_library(crypto_sign_objects OBJECT ${crypto_sign_sources}) set_property(TARGET crypto_sign_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_sign_objects PRIVATE BUILD) add_library(crypto_sign_static STATIC $) add_library(crypto_sign_dynamic SHARED $) if (WIN32) # Correct the import library. 
set_target_properties(crypto_sign_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_sign_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ################# # crypto_stream # ################# set(crypto_stream_sources crypto_stream/stream.c crypto_stream/xor.c ) add_library(crypto_stream_objects OBJECT ${crypto_stream_sources}) set_property(TARGET crypto_stream_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_stream_objects PRIVATE BUILD) add_library(crypto_stream_static STATIC $) add_library(crypto_stream_dynamic SHARED $) if (WIN32) # Correct the import library. set_target_properties(crypto_stream_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_stream_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ################# # crypto_verify # ################# set(crypto_verify_sources crypto_verify/verify.c ) add_library(crypto_verify_objects OBJECT ${crypto_verify_sources}) set_property(TARGET crypto_verify_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(crypto_verify_objects PRIVATE BUILD) add_library(crypto_verify_static STATIC $) add_library(crypto_verify_dynamic SHARED $) if (WIN32) # Correct the import library. set_target_properties(crypto_verify_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(crypto_verify_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ################### # fastrandombytes # ################### set(fastrandombytes_sources fastrandombytes/fastrandombytes.c ) add_library(fastrandombytes_objects OBJECT ${fastrandombytes_sources}) set_property(TARGET fastrandombytes_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(fastrandombytes_objects PRIVATE BUILD) add_library(fastrandombytes_static STATIC $) add_library(fastrandombytes_dynamic SHARED $) if (WIN32) # Correct the import library. 
set_target_properties(fastrandombytes_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(fastrandombytes_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) ##################### # kernelrandombytes # ##################### set(RANDOM_SOURCE_ADDED FALSE) if (NOT RANDOM_SOURCE_ADDED) if (RANDOM_SOURCE_getentropy) set(kernelrandombytes_sources kernelrandombytes/getentropy.c) set(RANDOM_SOURCE_ADDED TRUE) endif () endif () if (NOT RANDOM_SOURCE_ADDED) if (RANDOM_SOURCE_getentropy2) set(kernelrandombytes_sources kernelrandombytes/getentropy2.c) set(RANDOM_SOURCE_ADDED TRUE) endif () endif () if (NOT RANDOM_SOURCE_ADDED) if (RANDOM_SOURCE_getrandom) set(kernelrandombytes_sources kernelrandombytes/getrandom.c) set(RANDOM_SOURCE_ADDED TRUE) endif () endif () if (NOT RANDOM_SOURCE_ADDED) if (RANDOM_SOURCE_getrandom2) set(kernelrandombytes_sources kernelrandombytes/getrandom2.c) set(RANDOM_SOURCE_ADDED TRUE) endif () endif () if (NOT RANDOM_SOURCE_ADDED) if (RANDOM_SOURCE_getrandom3) set(kernelrandombytes_sources kernelrandombytes/getrandom3.c) set(RANDOM_SOURCE_ADDED TRUE) endif () endif () if (NOT RANDOM_SOURCE_ADDED) if (RANDOM_SOURCE_rtlgenrandom) set(kernelrandombytes_sources kernelrandombytes/rtlgenrandom.c) set(RANDOM_SOURCE_ADDED TRUE) endif () endif () if (NOT RANDOM_SOURCE_ADDED) if (RANDOM_SOURCE_urandom) set(kernelrandombytes_sources kernelrandombytes/urandom.c) set(RANDOM_SOURCE_ADDED TRUE) endif () endif () if (NOT RANDOM_SOURCE_ADDED) message(FATAL_ERROR "No secure random source found. CMake will exit.") endif () add_library(kernelrandombytes_objects OBJECT ${kernelrandombytes_sources}) set_property(TARGET kernelrandombytes_objects PROPERTY POSITION_INDEPENDENT_CODE TRUE) target_compile_definitions(kernelrandombytes_objects PRIVATE BUILD) add_library(kernelrandombytes_static STATIC $) add_library(kernelrandombytes_dynamic SHARED $) if (WIN32) # Correct the import library. 
set_target_properties(kernelrandombytes_dynamic PROPERTIES IMPORT_PREFIX "") set_target_properties(kernelrandombytes_dynamic PROPERTIES IMPORT_SUFFIX ".lib") endif (WIN32) if (RANDOM_SOURCE_rtlgenrandom) target_link_libraries(kernelrandombytes_static ADVAPI32) target_link_libraries(kernelrandombytes_dynamic ADVAPI32) endif () ##################################### # kernelrandombytes test executable # ##################################### add_library(kernelrandombytes_test_objects OBJECT kernelrandombytes/test.c) target_compile_definitions(kernelrandombytes_test_objects PRIVATE BUILD) add_executable(kernelrandombytes_test_static $) add_executable(kernelrandombytes_test_dynamic $) target_link_libraries(kernelrandombytes_test_static kernelrandombytes_static) target_link_libraries(kernelrandombytes_test_dynamic kernelrandombytes_dynamic) ################ # DEPENDENCIES # ################ target_link_libraries(crypto_sign_static crypto_hash_static crypto_hashblocks_static crypto_verify_static fastrandombytes_static crypto_rng_static crypto_stream_static crypto_core_static kernelrandombytes_static ) target_link_libraries(crypto_sign_dynamic crypto_hash_dynamic crypto_hashblocks_dynamic crypto_verify_dynamic fastrandombytes_dynamic crypto_rng_dynamic crypto_stream_dynamic crypto_core_dynamic kernelrandombytes_dynamic ) target_include_directories(crypto_sign_objects PRIVATE crypto_hash crypto_hashblocks crypto_verify fastrandombytes crypto_rng crypto_stream crypto_core kernelrandombytes ) target_link_libraries(crypto_hash_static crypto_hashblocks_static) target_link_libraries(crypto_hash_dynamic crypto_hashblocks_dynamic) target_include_directories(crypto_hash_objects PRIVATE crypto_hashblocks) target_link_libraries(fastrandombytes_static crypto_rng_static crypto_stream_static crypto_core_static kernelrandombytes_static) target_link_libraries(fastrandombytes_dynamic crypto_rng_dynamic crypto_stream_dynamic crypto_core_dynamic kernelrandombytes_dynamic) 
target_include_directories(fastrandombytes_objects PRIVATE crypto_rng crypto_stream crypto_core kernelrandombytes) target_link_libraries(crypto_rng_static crypto_stream_static crypto_core_static) target_link_libraries(crypto_rng_dynamic crypto_stream_dynamic crypto_core_dynamic) target_include_directories(crypto_rng_objects PRIVATE crypto_stream crypto_core) target_link_libraries(crypto_stream_static crypto_core_static) target_link_libraries(crypto_stream_dynamic crypto_core_dynamic) target_include_directories(crypto_stream_objects PRIVATE crypto_core) XEdDSA-0.4.6/ref10/build.py0000644000175000017500000001174713407027427015115 0ustar useruser00000000000000from __future__ import absolute_import from __future__ import print_function import cffi import os import subprocess import sys import zipfile try: # Python 3 from urllib.request import urlopen except: # Python 2 from urllib2 import urlopen ref10_dir = os.path.abspath("ref10") module_dir = os.path.join(ref10_dir, "crypto_sign") bin_dir = os.path.join(ref10_dir, "bin") build_dir = os.path.join(ref10_dir, "build") library_header = os.path.join(module_dir, "module.h") try: os.mkdir(build_dir) except OSError: pass libraries = [ "crypto_sign_static", "crypto_hash_static", "crypto_hashblocks_static", "crypto_verify_static", "fastrandombytes_static", "kernelrandombytes_static", "crypto_rng_static", "crypto_stream_static", "crypto_core_static" ] class UnknownSystemException(Exception): pass def call_cmake(output): try: # Try to call CMake subprocess.check_call([ "cmake", "-G", output, ".." ], cwd = build_dir) except FileNotFoundError: # If that call fails, try to install CMake using the "cmake" package. 
# First, try to install it with --user try: subprocess.check_call([ sys.executable, "-m", "pip", "install", "cmake", "--user" ]) # Make sure the newly installed CMake executables can be found in the path os.path.append(os.path.expanduser("~/.local/bin")) except subprocess.CalledProcessError: # If installing with --user fails, try a global installation subprocess.check_call([ sys.executable, "-m", "pip", "install", "cmake" ]) # If either of the local or global installations worked, try again. subprocess.check_call([ "cmake", "-G", output, ".." ], cwd = build_dir) if os.name == "posix": # On UNIX, we HAVE to make the ref10 libraries, because the kernelrandombytes module # can vary between different UNIX systems. print("Attempting to compile the ref10 library...") print("The compilation requires CMake and the \"make\" tool.") print("The \"cmake\" and \"make\" commands are used.") call_cmake("Unix Makefiles") subprocess.check_call([ "make" ], cwd = build_dir) print("Library built successfully!") elif os.name == "nt": libraries += [ "ADVAPI32" ] # On Windows, there is only one possible version of the kernelrandombytes module: # rtlgenrandom. Thus, precompiled binaries can be used. print("Attempting to compile the ref10 library...") print("The compilation requires CMake and a MinGW environment.") print("The \"cmake\" and \"mingw32-make\" commands are used.") try: call_cmake("MinGW Makefiles") subprocess.check_call([ "mingw32-make" ], cwd = build_dir) print("Library built successfully!") except subprocess.CalledProcessError: print("Compiling the ref10 library failed.") print("Attempting to download precompiled binaries...") # The recommended way to detect 64-bit and 32-bit systems according to # https://docs.python.org/3/library/platform.html#cross-platform is_32bit = sys.maxsize == 2 ** 31 - 1 is_64bit = sys.maxsize == 2 ** 63 - 1 if not is_32bit and not is_64bit: raise UnknownSystemException( "This system was detected as neither 32-bit nor 64-bit." 
) precompiled_windows_32bit = ( "https://github.com/Syndace/python-xeddsa/releases/download/v0.4.3-beta/" + "bin-windows-x86.zip" ) precompiled_windows_64bit = ( "https://github.com/Syndace/python-xeddsa/releases/download/v0.4.3-beta/" + "bin-windows-amd64.zip" ) url = precompiled_windows_64bit if is_64bit else precompiled_windows_32bit zip_location = os.path.join(ref10_dir, "bin.zip") print("Downloading precompiled binaries...") print("Make sure the system can access https://github.com.") zip_memory = urlopen(url) with open(zip_location, "wb") as zip_file: zip_file.write(zip_memory.read()) zip_memory.close() binaries_zipfile = zipfile.ZipFile(zip_location) binaries_zipfile.extractall(ref10_dir) binaries_zipfile.close() os.remove(zip_location) print("Precompiled binaries downloaded!") else: raise UnknownSystemException( "Unsupported operating system (neither UNIX nor Windows)." ) ffibuilder = cffi.FFI() # Load the header. with open(library_header) as f: ffibuilder.cdef(f.read()) # Define how to compile the python module. ffibuilder.set_source( "_crypto_sign", '#include "' + library_header + '"', library_dirs = [ bin_dir ], libraries = libraries ) if __name__ == "__main__": # Compile the code into a python module. 
ffibuilder.compile() XEdDSA-0.4.6/ref10/include/0000755000175000017500000000000013407120556015052 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/include/crypto_uint64.h0000644000175000017500000000015613372774360017767 0ustar useruser00000000000000#ifndef crypto_uint64_h #define crypto_uint64_h #include typedef uint64_t crypto_uint64; #endif XEdDSA-0.4.6/ref10/include/crypto_uint8.h0000644000175000017500000000015213372774360017701 0ustar useruser00000000000000#ifndef crypto_uint8_h #define crypto_uint8_h #include typedef uint8_t crypto_uint8; #endif XEdDSA-0.4.6/ref10/include/crypto_uint32.h0000644000175000017500000000015613372774360017762 0ustar useruser00000000000000#ifndef crypto_uint32_h #define crypto_uint32_h #include typedef uint32_t crypto_uint32; #endif XEdDSA-0.4.6/ref10/include/crypto_int64.h0000644000175000017500000000015213372774360017576 0ustar useruser00000000000000#ifndef crypto_int64_h #define crypto_int64_h #include typedef int64_t crypto_int64; #endif XEdDSA-0.4.6/ref10/include/crypto_int32.h0000644000175000017500000000015213372774360017571 0ustar useruser00000000000000#ifndef crypto_int32_h #define crypto_int32_h #include typedef int32_t crypto_int32; #endif XEdDSA-0.4.6/ref10/include/crypto_int16.h0000644000175000017500000000015213372774360017573 0ustar useruser00000000000000#ifndef crypto_int16_h #define crypto_int16_h #include typedef int16_t crypto_int16; #endif XEdDSA-0.4.6/ref10/include/crypto_int8.h0000644000175000017500000000014613372774360017517 0ustar useruser00000000000000#ifndef crypto_int8_h #define crypto_int8_h #include typedef int8_t crypto_int8; #endif XEdDSA-0.4.6/ref10/include/cross_platform.h0000644000175000017500000000114113372774360020266 0ustar useruser00000000000000#ifndef cross_platform_h #define cross_platform_h #if defined(_WIN32) // On Windows, the functions needs to explicitly be marked as import/export. 
# define IMPORT __declspec(dllimport) # define EXPORT __declspec(dllexport) #elif defined(__APPLE__) || defined(__linux__) || defined(__unix__) || defined(_POSIX_VERSION) // On Apple, Linux, UNIX or POSIX (using gcc) no such marking is required. # define IMPORT # define EXPORT #else # error "Unsupported operating system (neither UNIX nor Windows)." #endif #ifdef BUILD # define INTERFACE EXPORT #else # define INTERFACE IMPORT #endif #endif XEdDSA-0.4.6/ref10/include/crypto_uint16.h0000644000175000017500000000015613372774360017764 0ustar useruser00000000000000#ifndef crypto_uint16_h #define crypto_uint16_h #include typedef uint16_t crypto_uint16; #endif XEdDSA-0.4.6/ref10/crypto_verify/0000755000175000017500000000000013407120556016333 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_verify/verify.c0000644000175000017500000000072313372774360020016 0ustar useruser00000000000000#include "crypto_verify.h" int crypto_verify(const unsigned char *x,const unsigned char *y) { unsigned int differentbits = 0; #define F(i) differentbits |= x[i] ^ y[i]; F(0) F(1) F(2) F(3) F(4) F(5) F(6) F(7) F(8) F(9) F(10) F(11) F(12) F(13) F(14) F(15) F(16) F(17) F(18) F(19) F(20) F(21) F(22) F(23) F(24) F(25) F(26) F(27) F(28) F(29) F(30) F(31) return (1 & ((differentbits - 1) >> 8)) - 1; } XEdDSA-0.4.6/ref10/crypto_verify/crypto_verify_32.h0000644000175000017500000000113213372774360021722 0ustar useruser00000000000000#include "cross_platform.h" #ifndef crypto_verify_32_H #define crypto_verify_32_H #define crypto_verify_32_ref_BYTES 32 #ifdef __cplusplus extern "C" { #endif extern int INTERFACE crypto_verify_32_ref(const unsigned char *,const unsigned char *); #ifdef __cplusplus } #endif #define crypto_verify_32 crypto_verify_32_ref #define crypto_verify_32_BYTES crypto_verify_32_ref_BYTES #define crypto_verify_32_IMPLEMENTATION "crypto_verify/32/ref" #ifndef crypto_verify_32_ref_VERSION #define crypto_verify_32_ref_VERSION "-" #endif #define crypto_verify_32_VERSION 
crypto_verify_32_ref_VERSION #endif XEdDSA-0.4.6/ref10/crypto_verify/crypto_verify.h0000644000175000017500000000052313372774360021421 0ustar useruser00000000000000#ifndef crypto_verify_H #define crypto_verify_H #include "crypto_verify_32.h" #define crypto_verify crypto_verify_32 #define crypto_verify_BYTES crypto_verify_32_BYTES #define crypto_verify_PRIMITIVE "32" #define crypto_verify_IMPLEMENTATION crypto_verify_32_IMPLEMENTATION #define crypto_verify_VERSION crypto_verify_32_VERSION #endif XEdDSA-0.4.6/ref10/crypto_verify/api.h0000644000175000017500000000003013372774360017257 0ustar useruser00000000000000#define CRYPTO_BYTES 32 XEdDSA-0.4.6/ref10/crypto_verify/module.h0000644000175000017500000000034313372774360020002 0ustar useruser00000000000000// #include "api.h" #define CRYPTO_BYTES 32 // #include "crypto_verify_32.h" #define crypto_verify_32_ref_BYTES 32 extern int crypto_verify_32_ref(const unsigned char *,const unsigned char *); // #include "crypto_verify.h" XEdDSA-0.4.6/ref10/crypto_verify/README0000644000175000017500000000005013372774360017217 0ustar useruser00000000000000This is the "ref" implementation of 32. XEdDSA-0.4.6/ref10/README.md0000644000175000017500000003772713372774360014737 0ustar useruser00000000000000# Extracting ref10 from SUPERCOP To implement XEdDSA, access to low-level cryptographic functions is required, which are usually not exported by crypto-libraries. ref10 by D. J. Bernstein is a solid implementation of these low-level functions. It comes as part of the [SUPERCOP](https://bench.cr.yp.to/supercop.html) benchmark and is not available as a standalone library. This guide explains the steps to extract the ref10 implementation from the SUPERCOP benchmarking system. __NOTE__: You do __NOT__ have to follow this guide to use python-xeddsa. __NOTE__: The SUPERCOP benchmark assumes a UNIX-like system and so does the first part of this guide. 
The following steps explain how to extract the required C source code and how to compile it into static libraries and shared object files. Section `3. Making the code portable` contains notes about cross-platform usage.

### 1. Download and run the benchmark

The first step is to download and run the benchmark. The benchmark generates some files on the fly, based on the host's OS and system architecture. Some of these generated files are required to build ref10 standalone, which is why the benchmark has to run first. Note that the benchmark is HUGE and it may take multiple days to finish one run. Follow the instructions [here](https://bench.cr.yp.to/supercop.html) to run the "Alternative: Incremental benchmarks".

__NOTE__: Consider actually closing all other applications and running the benchmark as intended; see the SUPERCOP website for additional information.

### 2. Extract the ref10 source code

After running the benchmark there is a `supercop-YYYYMMDD` directory with the original benchmark files and a `supercop-data` directory with the results of the run. The first one will be referred to as the base directory and the second one as the data directory. Only one module is required to implement XEdDSA: the `crypto_sign` module for the ed25519 signature scheme. For completeness this guide also covers how to extract the second part of the ref10 implementation: `crypto_scalarmult` for curve25519. The following steps explain how to compile static libraries and shared object files for each of these two modules.

### 2.1. crypto_scalarmult

The ref10 source code for the `crypto_scalarmult` module can be found in the base directory, following `crypto_scalarmult/curve25519/ref10`. D. J. Bernstein uses scripts to generate some of his files; one of the tools he uses is called `qhasm`. Other files are generated by Python scripts. Luckily, he uploaded the generated files, so there is no need to install qhasm and reproduce this step.
For that reason, it is safe to delete his Makefiles and everything else related to qhasm and Python:

- All `*.do` files
- All `*.q` files
- All `*.py` files
- The Makefiles

The remaining files are almost enough to generate the shared object for this module; only a few files generated by the benchmark are missing. A couple of files that define fixed-size integers are missing. Those are located inside of your data directory, following the path `inttypes/include/`. Now just two more header files are missing: `crypto_scalarmult.h` and `crypto_scalarmult_curve25519.h`. The benchmark runs each module with a set of different compiler arguments, e.g. with different optimization levels. It creates a unique directory for each of the configurations, located inside of the data directory. The benchmark puts additional generated header files into these directories, including the two headers for the `crypto_scalarmult` module. The full path to the header files looks like this: `<data directory>/<architecture>/try/c/<configuration>/crypto_scalarmult/curve25519/ref10/compiled`. It does not matter which architecture or configuration is used; the headers are the same for all of them. This guide uses the `amd64` architecture and the `gcc` configuration. These are the three locations that contain all the code required to build the static library and the shared object file. The compiler needs to know where to find these files. This can be accomplished by either copying all files into one common directory or by using the `-I` option to tell `gcc` about the locations. Possible commands to build the shared object:

```bash
$ # Compile the sources to object files.
$ gcc -Wall -Werror -Iinttypes -c -fpic -x c *.c
$ # Link the object files into a shared object.
$ gcc -Wall -Werror -shared -Wl,--no-undefined -o libcrypto_scalarmult.so *.o
$ # Pack the object files into a static library.
$ ar rcs libcrypto_scalarmult.a *.o
```

### 2.2. crypto_sign

The `crypto_sign` module is a lot trickier, because it has quite a few dependencies.
Most of these are easy to build though. `crypto_sign` needs: - An implementation of sha512 - An implementation of 32 byte verification - A random number source The benchmark comes with multiple implementations for each of these dependencies and automatically selects the best performing one. This guide focusses on portable implementations, using ref10 or its predecessor ref whenever possible. ### 2.2.1. Collecting dependencies Some of the dependencies have more dependencies themselves. The next section creates a summary of all modules that need to be built. #### sha512 The benchmark comes with a ref implementation of sha512, which is located in `crypto_hash/sha512/ref`. This implementation uses another module: sha512 hashblocks, which comes with a ref implementation aswell (`crypto_hashblocks/sha512/ref`). #### 32 byte verification The only implementation available for 32 byte verification is a ref implementation found in `crypto_verify/32/ref`. #### random number source The `fastrandombytes` module generates random data by initializing a stream cipher using just a few secure bytes retrieved from the os. It depends on `kernelrandombytes` to get secure bytes from the os and on `crypto_rng` to generate more random data from the kernel bytes. `fastrandombytes` and `kernelrandombytes` each are fixed implementations. `crypto_rng` comes with multiple different implementations again. #### crypto_rng This guide uses the salsa20 rng, because all dependencies are available as ref implementations. The module path is `crypto_rng/salsa20/ref`, which depends on a salsa20 stream cipher implementation. #### salsa20 stream cipher Again, a ref implementation, located at `crypto_stream/salsa20/ref`, which depends on a salsa20 implementation. #### salsa20 This is the last one! Another ref implementation, located at `crypto_core/salsa20/ref`. ### 2.2.2. 
Dependencies summarized Following modules can all be compiled the same way: - `crypto_hash/sha512/ref` - `crypto_hashblocks/sha512/ref` - `crypto_verify/32/ref` - `crypto_rng/salsa20/ref` - `crypto_stream/salsa20/ref` - `crypto_core/salsa20/ref` - `fastrandombytes` The only module that needs special treatment is `kernelrandombytes`. ### 2.2.3. The easy ones __NOTE__: To keep things simple, this guide only shows, how to pack the dependencies into static libraries. Because static libraries are not linked, static libraries do not check references at build-time, which simplifies the following steps a lot. The source code of each of these modules is split into two locations, with the exception of `fastrandombytes`, which has all of its sources in the base directory: - The main sources in the base directory - The additional generated sources in the data directory These commands show how to build the static library for `crypto_hash/sha512/ref`, it works just the same way for the other modules: ```bash $ # Copy the main source files into a new directory $ cp -r /crypto_hash/sha512/ref/ sha512 $ cd sha512 $ # Copy the additional generated source, if necessary $ cp /amd64/try/c/gcc/crypto_hash/sha512/ref/compiled/crypto_hash.h . $ cp /amd64/try/c/gcc/crypto_hash/sha512/ref/compiled/crypto_hash_sha512.h . $ # Compile the source files into object files $ gcc -Wall -Werror -c -fpic -x c *.c $ # Package the object files into a static library $ ar rcs libcrypto_hash.a *.o ``` Use the `-I` option to tell gcc where to find missing headers. ### 2.2.4. `kernelrandombytes` The `kernelrandombytes` module is the only one containing os-dependent code. It contains different implementations of the same function, where each implementation uses different APIs that may be available on some operating system and may not be available on other ones. The idea is to just use the first file that compiles successfully. 
Only use the `urandom.c` file if all other options fail on your os, it is the least stable/secure one. [This article](https://lwn.net/Articles/606141/) has an interesting explanation of why using system calls is better than relying on `/dev/urandom`: the device file can be missing or impossible to open (for example in a chroot without `/dev`, or when no file descriptor is available), and a random source that cannot deliver must stop the program rather than hand back weaker data.

### 2.2.5. Putting it all together

As usual the `crypto_sign` module has its main sources in the base directory, located at `crypto_sign/ed25519/ref10` and some benchmark generated source found in your data directory. The sources include a `fe.h` header file. This file contains declarations for two external functions `fe_cswap` and `fe_mul121666`, which neither exist nor are being used by the remaining code. These were probably included by accident. Some systems, such as [cffi](https://bitbucket.org/cffi/cffi/), may get confused by these orphaned declarations. To fix this, the following lines have to be deleted:

```cpp
...
#define fe_cswap crypto_sign_ed25519_ref10_fe_cswap
...
#define fe_mul121666 crypto_sign_ed25519_ref10_fe_mul121666
...
extern void fe_cswap(fe,fe,unsigned int);
...
extern void fe_mul121666(fe,const fe);
...
```

Finally, all the dependencies can be linked together using the following commands:

```bash
$ gcc -Wall -Werror -Iinttypes -Icrypto_hash -c -fpic -x c *.c
$ gcc -Wall -Werror -shared -Wl,--no-undefined -o libcrypto_sign.so *.o -lcrypto_hash -lcrypto_hashblocks -lcrypto_verify -lfastrandombytes -lkernelrandombytes -lcrypto_rng -lcrypto_stream -lcrypto_core
```

Or another static library can be built:

```bash
$ ar rcs libcrypto_sign.so *.o
```

__NOTE__: When using the static library, ALL the static libraries of ALL recursive dependencies have to be linked as well, e.g.:

```bash
$ gcc -c someCodeUsingLibCryptoSign.c
$ gcc -o out *.o -lcrypto_sign -lcrypto_hash -lcrypto_hashblocks -lcrypto_verify -lfastrandombytes -lkernelrandombytes -lcrypto_rng -lcrypto_stream -lcrypto_core
```

### 3. Making the code portable

This section addresses the topic of making the code portable/platform-independent.

### 3.1.
Fixed-width integers

The first step is to replace the hardcoded int-type headers that were generated by the SUPERCOP benchmarking system with platform-independent int-type definitions. The `stdint.h` header is available for all major C-toolchains and offers fixed-width integer types. As an example this guide shows the refactoring of the `crypto_uint64.h` header. Before refactoring the file looks something like this:

```cpp
#ifndef crypto_uint64_h
#define crypto_uint64_h

typedef unsigned long long crypto_uint64;

#endif
```

This code can be made platform-independent by replacing it with the following:

```cpp
#ifndef crypto_uint64_h
#define crypto_uint64_h

#include <stdint.h>

typedef uint64_t crypto_uint64;

#endif
```

In the same way all int-type headers can be refactored, using the following type-table:

| header          | stdint type |
|:----------------|:------------|
| crypto_int8.h   | int8_t      |
| crypto_int16.h  | int16_t     |
| crypto_int32.h  | int32_t     |
| crypto_int64.h  | int64_t     |
| crypto_uint8.h  | uint8_t     |
| crypto_uint16.h | uint16_t    |
| crypto_uint32.h | uint32_t    |
| crypto_uint64.h | uint64_t    |

### 3.2. Cross-platform kernelrandombytes

The kernelrandombytes module uses system-dependent code to retrieve cryptographically secure random bytes. The version shipped with SUPERCOP only contains implementations for UNIX-like systems. This section covers adding an implementation for Windows. On Windows there are two main sources for cryptographically secure random bytes: `CryptGenRandom` and `rand_s`. Both have major disadvantages:

- `CryptGenRandom` requires to load the whole Windows CryptoAPI. It requires to create a crypto context first which is a lot of overhead.
- `rand_s` is part of the Windows CRT, thus requires to load the whole CRT. Also, `rand_s` yields only one random integer, which creates a lot of call overhead to get larger amounts of random bytes.

Both methods have one thing in common: Under the hood they both use `RtlGenRandom`, which is the most convenient way to get random data.
It neither has extensive call overhead nor does it only return a small number of bytes. The `RtlGenRandom` [documentation](https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-rtlgenrandom) includes a warning that the function "may be altered or unavailable in subsequent versions". [Various](https://bugzilla.mozilla.org/show_bug.cgi?id=504270) [sources](https://blogs.msdn.microsoft.com/michael_howard/2005/01/14/cryptographically-secure-random-number-on-windows-without-using-cryptoapi/) [state](https://github.com/jedisct1/libsodium/blob/master/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c), that the `RtlGenRandom` function is indeed safe to use and will not disappear (note: some of the sources are from 2005 and 2009 and the function is still here). Also Firefox and Chrome/Chromium are said to use the function. The function is available from Windows XP SP3 on, a requirement which I rate acceptable for this guide. An implementation of the `kernelrandombytes` function using `RtlGenRandom` could look like this (has to be linked with `-lADVAPI32`):

```cpp
#include <windows.h>

#define RtlGenRandom SystemFunction036

#ifdef __cplusplus
extern "C" {
#endif
BOOLEAN NTAPI RtlGenRandom(PVOID RandomBuffer, ULONG RandomBufferLength);
#ifdef __cplusplus
}
#endif

void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  while (xlen > 0) {
    if (xlen < 256) i = xlen; else i = 256;
    RtlGenRandom(x, i);
    x += i;
    xlen -= i;
  }
}
```

__NOTE__: The documentation of `RtlGenRandom` states, that the function could fail. Sadly, the documentation does not state, WHY the function could fail. This makes it impossible to react to the failure in a meaningful way, thus the possible failure gets ignored in the example above. Ignoring it is not a safe default for a random source, though: after a failed call the buffer may not have been filled, and whatever it contains is then used as if it were random key material. Code derived from this example should check the `BOOLEAN` return value and abort the process when it is `FALSE`, instead of returning to the caller.

### 3.3. Cross-platform dynamic libraries

The guide uses `gcc` to compile the sources into shared object files and `ar` to create static libraries. This section covers the required commands to build static and dynamic versions of the libraries on Windows and Mac.
### 3.3.1 Windows On Windows, [MinGW](http://www.mingw.org/) or it's 64-bit pendant [MinGW-w64](https://mingw-w64.org/doku.php) offers an open source `gcc` environment, which allows to use slightly modified UNIX commands to compile Windows-native static and dynamic libraries. The file extension for dynamic libraries is `.dll` and for static libraries `.lib`. Dynamic libraries come with an additional static library called "import library", which contains the code to load the corresponding dynamic library. Import libraries don't have a specific extension, this guide will use `.dll.lib`. #### Adjusting the code All C code needs to be extended to tell Windows which functions to export/import into/from the library. `__declspec(dllexport)` marks a function as exported: ```cpp // some_header.h extern void __declspec(dllexport) myExportedFunction(); ``` To use the library, the function has to be marked as imported using `__declspec(dllimport)`: ```cpp // some_header.h extern void __declspec(dllimport) myExportedFunction(); ``` #### Static libraries MinGW comes with the `ar` tool, which can be used just the same way as on some unixes to build static libraries: ```bash $ gcc -c -fpic *.c $ ar rcs mylib.lib *.o ``` #### Dynamic libraries These are example commands for UNIX: ```bash $ gcc -c -fpic *.c $ gcc -shared -Wl,--no-undefined -o libmylib.so *.o ``` To build the same on Windows, the file extensions have to be adjusted and `gcc` has to be told to build an import library aswell: ```bash $ gcc -c -fpic *.c $ gcc -shared -Wl,--no-undefined -Wl,--out-implib,mylib.dll.lib -o mylib.dll *.o ``` ### 3.3.2 Mac OS I'll add this section as soon as I get access to a system running Mac OS. 
XEdDSA-0.4.6/ref10/crypto_rng/0000755000175000017500000000000013407120556015615 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_rng/crypto_rng_salsa20.h0000644000175000017500000000140213372774360021507 0ustar useruser00000000000000#include "cross_platform.h" #ifndef crypto_rng_salsa20_H #define crypto_rng_salsa20_H #define crypto_rng_salsa20_ref_KEYBYTES 32 #define crypto_rng_salsa20_ref_OUTPUTBYTES 736 #ifdef __cplusplus extern "C" { #endif extern int INTERFACE crypto_rng_salsa20_ref(unsigned char *,unsigned char *,const unsigned char *); #ifdef __cplusplus } #endif #define crypto_rng_salsa20 crypto_rng_salsa20_ref #define crypto_rng_salsa20_KEYBYTES crypto_rng_salsa20_ref_KEYBYTES #define crypto_rng_salsa20_OUTPUTBYTES crypto_rng_salsa20_ref_OUTPUTBYTES #define crypto_rng_salsa20_IMPLEMENTATION "crypto_rng/salsa20/ref" #ifndef crypto_rng_salsa20_ref_VERSION #define crypto_rng_salsa20_ref_VERSION "-" #endif #define crypto_rng_salsa20_VERSION crypto_rng_salsa20_ref_VERSION #endif XEdDSA-0.4.6/ref10/crypto_rng/api.h0000644000175000017500000000007213372774360016547 0ustar useruser00000000000000#define CRYPTO_KEYBYTES 32 #define CRYPTO_OUTPUTBYTES 736 XEdDSA-0.4.6/ref10/crypto_rng/crypto_rng.h0000644000175000017500000000062113372774360020164 0ustar useruser00000000000000#ifndef crypto_rng_H #define crypto_rng_H #include "crypto_rng_salsa20.h" #define crypto_rng crypto_rng_salsa20 #define crypto_rng_KEYBYTES crypto_rng_salsa20_KEYBYTES #define crypto_rng_OUTPUTBYTES crypto_rng_salsa20_OUTPUTBYTES #define crypto_rng_PRIMITIVE "salsa20" #define crypto_rng_IMPLEMENTATION crypto_rng_salsa20_IMPLEMENTATION #define crypto_rng_VERSION crypto_rng_salsa20_VERSION #endif XEdDSA-0.4.6/ref10/crypto_rng/module.h0000644000175000017500000000050413372774360017263 0ustar useruser00000000000000// #include "api.h" #define CRYPTO_KEYBYTES 32 #define CRYPTO_OUTPUTBYTES 736 // #include "crypto_rng_salsa20.h" #define crypto_rng_salsa20_ref_KEYBYTES 32 #define 
crypto_rng_salsa20_ref_OUTPUTBYTES 736
extern int crypto_rng_salsa20_ref(unsigned char *,unsigned char *,const unsigned char *);
// #include "crypto_rng.h"
XEdDSA-0.4.6/ref10/crypto_rng/README0000644000175000017500000000005513372774360016506 0ustar useruser00000000000000This is the "ref" implementation of salsa20.
XEdDSA-0.4.6/ref10/crypto_rng/rng.c0000644000175000017500000000126013372774360016557 0ustar useruser00000000000000#include
#include "crypto_stream_salsa20.h"
#include "crypto_rng.h"
/* NOTE(review): the first #include above has lost its header name in this
   copy; memcpy() below needs <string.h>. */

#define crypto_stream crypto_stream_salsa20
#define KEYBYTES crypto_stream_salsa20_KEYBYTES
#define NONCEBYTES crypto_stream_salsa20_NONCEBYTES
#define OUTPUTBYTES crypto_rng_OUTPUTBYTES

/* Build-time guard: the bare words below are a deliberate syntax error that
   stops compilation if the stream key size and the rng key size differ. */
#if KEYBYTES != crypto_rng_KEYBYTES
KEYBYTES mismatch!
#endif

/* The nonce is fixed to all zero bytes; only the key changes between calls. */
static const unsigned char nonce[NONCEBYTES] = {0};

/*
 * crypto_rng: one step of a key-evolving generator built on the stream cipher.
 *
 * Expands the old key g under the fixed all-zero nonce into
 * KEYBYTES + OUTPUTBYTES bytes of keystream. The first KEYBYTES bytes are
 * copied to n as the new key, the remaining OUTPUTBYTES bytes to r as output.
 * Always returns 0; the return value of crypto_stream is not inspected.
 *
 * NOTE(review): with a fixed nonce the output depends on g alone, so the
 * caller presumably has to continue with n and never reuse g. Confirm
 * against the caller.
 */
int crypto_rng(
        unsigned char *r, /* random output */
        unsigned char *n, /* new key */
  const unsigned char *g  /* old key */
)
{
  /* Scratch buffer holding the next key followed by the output.
     NOTE(review): it is not wiped before returning, so both remain on the
     stack after the call. */
  unsigned char x[KEYBYTES + OUTPUTBYTES];
  crypto_stream(x,sizeof x,nonce,g);
  memcpy(n,x,KEYBYTES);
  memcpy(r,x + KEYBYTES,OUTPUTBYTES);
  return 0;
}
XEdDSA-0.4.6/ref10/crypto_stream/0000755000175000017500000000000013407120556016322 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_stream/crypto_stream_salsa20.h0000644000175000017500000000204313372774360022723 0ustar useruser00000000000000#include "cross_platform.h"
#ifndef crypto_stream_salsa20_H
#define crypto_stream_salsa20_H
#define crypto_stream_salsa20_ref_KEYBYTES 32
#define crypto_stream_salsa20_ref_NONCEBYTES 8
#ifdef __cplusplus
extern "C" {
#endif
extern int INTERFACE crypto_stream_salsa20_ref(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
extern int INTERFACE crypto_stream_salsa20_ref_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
#ifdef __cplusplus
}
#endif
#define crypto_stream_salsa20 crypto_stream_salsa20_ref
#define crypto_stream_salsa20_xor crypto_stream_salsa20_ref_xor
#define
crypto_stream_salsa20_KEYBYTES crypto_stream_salsa20_ref_KEYBYTES #define crypto_stream_salsa20_NONCEBYTES crypto_stream_salsa20_ref_NONCEBYTES #define crypto_stream_salsa20_IMPLEMENTATION "crypto_stream/salsa20/ref" #ifndef crypto_stream_salsa20_ref_VERSION #define crypto_stream_salsa20_ref_VERSION "-" #endif #define crypto_stream_salsa20_VERSION crypto_stream_salsa20_ref_VERSION #endif XEdDSA-0.4.6/ref10/crypto_stream/crypto_stream.h0000644000175000017500000000075513372774360021406 0ustar useruser00000000000000#ifndef crypto_stream_H #define crypto_stream_H #include "crypto_stream_salsa20.h" #define crypto_stream crypto_stream_salsa20 #define crypto_stream_xor crypto_stream_salsa20_xor #define crypto_stream_KEYBYTES crypto_stream_salsa20_KEYBYTES #define crypto_stream_NONCEBYTES crypto_stream_salsa20_NONCEBYTES #define crypto_stream_PRIMITIVE "salsa20" #define crypto_stream_IMPLEMENTATION crypto_stream_salsa20_IMPLEMENTATION #define crypto_stream_VERSION crypto_stream_salsa20_VERSION #endif XEdDSA-0.4.6/ref10/crypto_stream/stream.c0000644000175000017500000000162313372774360017774 0ustar useruser00000000000000/* version 20140420 D. J. Bernstein Public domain. 
*/
#include "crypto_core_salsa20.h"
#include "crypto_stream.h"

typedef unsigned int uint32;

static const unsigned char sigma[16] = "expand 32-byte k";

/*
 * crypto_stream: write clen bytes of Salsa20 keystream to c.
 *
 * c    - output buffer; bytes c[0] .. c[clen-1] are written
 * clen - number of keystream bytes to produce; 0 returns at once
 * n    - nonce; bytes n[0] .. n[7] are read
 * k    - key; bytes k[0] .. k[31] are read
 *
 * Always returns 0.
 */
int crypto_stream(
        unsigned char *c,unsigned long long clen,
  const unsigned char *n,
  const unsigned char *k
)
{
  unsigned char in[16];
  unsigned char block[64];
  unsigned char kcopy[32];
  int i;
  unsigned int u;

  if (!clen) return 0;

  /* Work on a private copy of the key. */
  for (i = 0;i < 32;++i) kcopy[i] = k[i];

  /* in = nonce in bytes 0..7, block counter in bytes 8..15 starting at 0. */
  for (i = 0;i < 8;++i) in[i] = n[i];
  for (i = 8;i < 16;++i) in[i] = 0;

  /* Full 64-byte blocks are generated straight into the output buffer. */
  while (clen >= 64) {
    crypto_core_salsa20(c,in,kcopy,sigma);

    /* Add 1 to the little-endian counter in in[8..15], carrying upwards. */
    u = 1;
    for (i = 8;i < 16;++i) {
      u += (unsigned int) in[i];
      in[i] = u;
      u >>= 8;
    }

    clen -= 64;
    c += 64;
  }

  /* Final partial block: generate into a scratch block and copy only the
     clen bytes still wanted (clen is below 64 here). */
  if (clen) {
    crypto_core_salsa20(block,in,kcopy,sigma);
    for (i = 0;i < clen;++i) c[i] = block[i];
  }
  /* NOTE(review): kcopy and block are not wiped before returning, so a copy
     of the key and unused keystream stay on the stack. */
  return 0;
}
XEdDSA-0.4.6/ref10/crypto_stream/api.h0000644000175000017500000000006713372774360017260 0ustar useruser00000000000000#define CRYPTO_KEYBYTES 32
#define CRYPTO_NONCEBYTES 8
XEdDSA-0.4.6/ref10/crypto_stream/module.h0000644000175000017500000000076613372774360020002 0ustar useruser00000000000000// #include "api.h"
#define CRYPTO_KEYBYTES 32
#define CRYPTO_NONCEBYTES 8
// #include "crypto_stream_salsa20.h"
#define crypto_stream_salsa20_ref_KEYBYTES 32
#define crypto_stream_salsa20_ref_NONCEBYTES 8
extern int crypto_stream_salsa20_ref(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
extern int crypto_stream_salsa20_ref_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *);
// #include "crypto_stream.h"
XEdDSA-0.4.6/ref10/crypto_stream/README0000644000175000017500000000005513372774360017213 0ustar useruser00000000000000This is the "ref" implementation of salsa20.
XEdDSA-0.4.6/ref10/crypto_stream/xor.c0000644000175000017500000000177413372774360017320 0ustar useruser00000000000000/* version 20140420 D. J. Bernstein Public domain.
*/
#include "crypto_core_salsa20.h"
#include "crypto_stream.h"

typedef unsigned int uint32;

static const unsigned char sigma[16] = "expand 32-byte k";

/*
 * crypto_stream_xor: XOR mlen bytes of m with Salsa20 keystream into c.
 *
 * c    - output buffer; bytes c[0] .. c[mlen-1] are written
 * m    - input buffer; bytes m[0] .. m[mlen-1] are read
 * mlen - number of bytes to process; 0 returns at once
 * n    - nonce; bytes n[0] .. n[7] are read
 * k    - key; bytes k[0] .. k[31] are read
 *
 * Always returns 0. The keystream depends on n and k alone, so two messages
 * processed under the same nonce and key are XORed with the same bytes.
 */
int crypto_stream_xor(
        unsigned char *c,
  const unsigned char *m,unsigned long long mlen,
  const unsigned char *n,
  const unsigned char *k
)
{
  unsigned char in[16];
  unsigned char block[64];
  unsigned char kcopy[32];
  int i;
  unsigned int u;

  if (!mlen) return 0;

  /* Work on a private copy of the key. */
  for (i = 0;i < 32;++i) kcopy[i] = k[i];

  /* in = nonce in bytes 0..7, block counter in bytes 8..15 starting at 0. */
  for (i = 0;i < 8;++i) in[i] = n[i];
  for (i = 8;i < 16;++i) in[i] = 0;

  /* Full blocks: generate 64 keystream bytes, XOR them onto the message. */
  while (mlen >= 64) {
    crypto_core_salsa20(block,in,kcopy,sigma);
    for (i = 0;i < 64;++i) c[i] = m[i] ^ block[i];

    /* Add 1 to the little-endian counter in in[8..15], carrying upwards. */
    u = 1;
    for (i = 8;i < 16;++i) {
      u += (unsigned int) in[i];
      in[i] = u;
      u >>= 8;
    }

    mlen -= 64;
    c += 64;
    m += 64;
  }

  /* Final partial block: only the remaining mlen bytes are XORed. */
  if (mlen) {
    crypto_core_salsa20(block,in,kcopy,sigma);
    for (i = 0;i < mlen;++i) c[i] = m[i] ^ block[i];
  }
  /* NOTE(review): kcopy and block are not wiped before returning, so a copy
     of the key and the last keystream block stay on the stack. */
  return 0;
}
XEdDSA-0.4.6/ref10/crypto_sign/0000755000175000017500000000000013407120556015767 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_sign/ge_frombytes.c0000644000175000017500000000173313372774360020635 0ustar useruser00000000000000#include "ge.h"

static const fe d = {
#include "d.h"
} ;

static const fe sqrtm1 = {
#include "sqrtm1.h"
} ;

/*
 * ge_frombytes_negate_vartime: decode the 32-byte point encoding s into h,
 * with the sign of X inverted.
 *
 * Y is read from s and Z is set to 1. X is recovered from Y through the
 * square-root computation annotated below, and T is set to X*Y.
 * The sign step negates X whenever fe_isnegative(X) equals the top bit of
 * s[31], so h ends up with the X sign opposite to the one encoded in s.
 *
 * Returns 0 on success and -1 when neither v*x^2 - u nor v*x^2 + u is zero,
 * that is, when no X is found for this Y. On -1 the fields of h have already
 * been partly overwritten, so callers must check the result before using h.
 *
 * The branches below depend on the input, as the _vartime suffix says.
 * NOTE(review): presumably meant for public values such as a verification
 * key; confirm that no secret point reaches this function.
 */
int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
{
  fe u;
  fe v;
  fe v3;
  fe vxx;
  fe check;

  fe_frombytes(h->Y,s);
  fe_1(h->Z);
  fe_sq(u,h->Y);
  fe_mul(v,u,d);
  fe_sub(u,u,h->Z);       /* u = y^2-1 */
  fe_add(v,v,h->Z);       /* v = dy^2+1 */

  fe_sq(v3,v);
  fe_mul(v3,v3,v);        /* v3 = v^3 */
  fe_sq(h->X,v3);
  fe_mul(h->X,h->X,v);
  fe_mul(h->X,h->X,u);    /* x = uv^7 */

  fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */
  fe_mul(h->X,h->X,v3);
  fe_mul(h->X,h->X,u);    /* x = uv^3(uv^7)^((q-5)/8) */

  /* Check the candidate: accept it if v*x^2 == u, otherwise retry with the
     candidate multiplied by sqrtm1 when v*x^2 == -u, else reject. */
  fe_sq(vxx,h->X);
  fe_mul(vxx,vxx,v);
  fe_sub(check,vxx,u);    /* vx^2-u */
  if (fe_isnonzero(check)) {
    fe_add(check,vxx,u);  /* vx^2+u */
    if (fe_isnonzero(check)) return -1;
    fe_mul(h->X,h->X,sqrtm1);
  }

  /* Equal signs are flipped: this is the "negate" part of the name. */
  if (fe_isnegative(h->X) == (s[31] >> 7))
    fe_neg(h->X,h->X);

  fe_mul(h->T,h->X,h->Y);
  return 0;
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_add.c0000644000175000017500000000234713372774360017354 0ustar useruser00000000000000#include "fe.h" /* h = f + g Can overlap h with f or g. Preconditions: |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. Postconditions: |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */ void fe_add(fe h,const fe f,const fe g) { crypto_int32 f0 = f[0]; crypto_int32 f1 = f[1]; crypto_int32 f2 = f[2]; crypto_int32 f3 = f[3]; crypto_int32 f4 = f[4]; crypto_int32 f5 = f[5]; crypto_int32 f6 = f[6]; crypto_int32 f7 = f[7]; crypto_int32 f8 = f[8]; crypto_int32 f9 = f[9]; crypto_int32 g0 = g[0]; crypto_int32 g1 = g[1]; crypto_int32 g2 = g[2]; crypto_int32 g3 = g[3]; crypto_int32 g4 = g[4]; crypto_int32 g5 = g[5]; crypto_int32 g6 = g[6]; crypto_int32 g7 = g[7]; crypto_int32 g8 = g[8]; crypto_int32 g9 = g[9]; crypto_int32 h0 = f0 + g0; crypto_int32 h1 = f1 + g1; crypto_int32 h2 = f2 + g2; crypto_int32 h3 = f3 + g3; crypto_int32 h4 = f4 + g4; crypto_int32 h5 = f5 + g5; crypto_int32 h6 = f6 + g6; crypto_int32 h7 = f7 + g7; crypto_int32 h8 = f8 + g8; crypto_int32 h9 = f9 + g9; h[0] = h0; h[1] = h1; h[2] = h2; h[3] = h3; h[4] = h4; h[5] = h5; h[6] = h6; h[7] = h7; h[8] = h8; h[9] = h9; } XEdDSA-0.4.6/ref10/crypto_sign/ge_add.h0000644000175000017500000000404013372774360017352 0ustar useruser00000000000000 /* qhasm: enter ge_add */ /* qhasm: fe X1 */ /* qhasm: fe Y1 */ /* qhasm: fe Z1 */ /* qhasm: fe Z2 */ /* qhasm: fe T1 */ /* qhasm: fe ZZ */ /* qhasm: fe YpX2 */ /* qhasm: fe YmX2 */ /* qhasm: fe T2d2 */ /* qhasm: fe X3 */ /* qhasm: fe Y3 */ /* qhasm: fe Z3 */ /* qhasm: fe T3 */ /* qhasm: fe YpX1 */ /* qhasm: fe YmX1 */ /* qhasm: fe A */ /* qhasm: fe B */ /* qhasm: fe C */ /* qhasm: fe D */ /* qhasm: YpX1 = Y1+X1 */ /* asm 1: fe_add(>YpX1=fe#1,YpX1=r->X,Y,X); */ fe_add(r->X,p->Y,p->X); /* qhasm: YmX1 = Y1-X1 */ /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ fe_sub(r->Y,p->Y,p->X); /* qhasm: A = 
YpX1*YpX2 */ /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,YplusX); */ fe_mul(r->Z,r->X,q->YplusX); /* qhasm: B = YmX1*YmX2 */ /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,YminusX); */ fe_mul(r->Y,r->Y,q->YminusX); /* qhasm: C = T2d2*T1 */ /* asm 1: fe_mul(>C=fe#4,C=r->T,T2d,T); */ fe_mul(r->T,q->T2d,p->T); /* qhasm: ZZ = Z1*Z2 */ /* asm 1: fe_mul(>ZZ=fe#1,ZZ=r->X,Z,Z); */ fe_mul(r->X,p->Z,q->Z); /* qhasm: D = 2*ZZ */ /* asm 1: fe_add(>D=fe#5,D=t0,X,X); */ fe_add(t0,r->X,r->X); /* qhasm: X3 = A-B */ /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ fe_sub(r->X,r->Z,r->Y); /* qhasm: Y3 = A+B */ /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ fe_add(r->Y,r->Z,r->Y); /* qhasm: Z3 = D+C */ /* asm 1: fe_add(>Z3=fe#3,Z3=r->Z,T); */ fe_add(r->Z,t0,r->T); /* qhasm: T3 = D-C */ /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T); */ fe_sub(r->T,t0,r->T); /* qhasm: return */ XEdDSA-0.4.6/ref10/crypto_sign/ge_sub.c0000644000175000017500000000017513372774360017413 0ustar useruser00000000000000#include "ge.h" /* r = p - q */ void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) { fe t0; #include "ge_sub.h" } XEdDSA-0.4.6/ref10/crypto_sign/ge_double_scalarmult.c0000644000175000017500000000450313372774360022322 0ustar useruser00000000000000#include "ge.h" static void slide(signed char *r,const unsigned char *a) { int i; int b; int k; for (i = 0;i < 256;++i) r[i] = 1 & (a[i >> 3] >> (i & 7)); for (i = 0;i < 256;++i) if (r[i]) { for (b = 1;b <= 6 && i + b < 256;++b) { if (r[i + b]) { if (r[i] + (r[i + b] << b) <= 15) { r[i] += r[i + b] << b; r[i + b] = 0; } else if (r[i] - (r[i + b] << b) >= -15) { r[i] -= r[i + b] << b; for (k = i + b;k < 256;++k) { if (!r[k]) { r[k] = 1; break; } r[k] = 0; } } else break; } } } } static ge_precomp Bi[8] = { #include "base2.h" } ; /* r = a * A + b * B where a = a[0]+256*a[1]+...+256^31 a[31]. and b = b[0]+256*b[1]+...+256^31 b[31]. B is the Ed25519 base point (x,4/5) with x positive. 
*/
/*
 * Outline:
 *   1. slide() recodes both 32-byte scalars into 256 signed digits each.
 *   2. Ai[] is filled with the odd multiples A, 3A, ..., 15A by repeatedly
 *      adding A2 = 2A.
 *   3. Starting at the highest position where either scalar has a non-zero
 *      digit, r is doubled once per position and the table entry selected by
 *      each non-zero digit is added (digit > 0) or subtracted (digit < 0).
 *
 * The result is written to r; nothing is returned.
 *
 * Variable time: the starting position, the branches taken and the table
 * indices all depend on the digits of a and b.
 * NOTE(review): presumably used with public scalars only (signature
 * verification); confirm that no secret scalar is passed in.
 */
void ge_double_scalarmult_vartime(ge_p2 *r,const unsigned char *a,const ge_p3 *A,const unsigned char *b)
{
  signed char aslide[256];
  signed char bslide[256];
  ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
  ge_p1p1 t;
  ge_p3 u;
  ge_p3 A2;
  int i;

  slide(aslide,a);
  slide(bslide,b);

  /* Ai[0] = A, A2 = 2A, then Ai[k] = Ai[k-1] + A2 for k = 1..7. */
  ge_p3_to_cached(&Ai[0],A);
  ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t);
  ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u);
  ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u);
  ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u);
  ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u);
  ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u);
  ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u);
  ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u);

  ge_p2_0(r);

  /* Skip the leading positions where both digits are zero. */
  for (i = 255;i >= 0;--i) {
    if (aslide[i] || bslide[i]) break;
  }

  /* One doubling per position; a digit value v selects table entry |v|/2. */
  for (;i >= 0;--i) {
    ge_p2_dbl(&t,r);

    if (aslide[i] > 0) {
      ge_p1p1_to_p3(&u,&t);
      ge_add(&t,&u,&Ai[aslide[i]/2]);
    } else if (aslide[i] < 0) {
      ge_p1p1_to_p3(&u,&t);
      ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
    }

    if (bslide[i] > 0) {
      ge_p1p1_to_p3(&u,&t);
      ge_madd(&t,&u,&Bi[bslide[i]/2]);
    } else if (bslide[i] < 0) {
      ge_p1p1_to_p3(&u,&t);
      ge_msub(&t,&u,&Bi[(-bslide[i])/2]);
    }

    ge_p1p1_to_p2(r,&t);
  }
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_sq2.c0000644000175000017500000001373213372774360017331 0ustar useruser00000000000000#include "fe.h"
#include "crypto_int64.h"

/*
h = 2 * f * f
Can overlap h with f.

Preconditions:
   |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.

Postconditions:
   |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/

/* See fe_mul.c for discussion of implementation strategy.
*/ void fe_sq2(fe h,const fe f) { crypto_int32 f0 = f[0]; crypto_int32 f1 = f[1]; crypto_int32 f2 = f[2]; crypto_int32 f3 = f[3]; crypto_int32 f4 = f[4]; crypto_int32 f5 = f[5]; crypto_int32 f6 = f[6]; crypto_int32 f7 = f[7]; crypto_int32 f8 = f[8]; crypto_int32 f9 = f[9]; crypto_int32 f0_2 = 2 * f0; crypto_int32 f1_2 = 2 * f1; crypto_int32 f2_2 = 2 * f2; crypto_int32 f3_2 = 2 * f3; crypto_int32 f4_2 = 2 * f4; crypto_int32 f5_2 = 2 * f5; crypto_int32 f6_2 = 2 * f6; crypto_int32 f7_2 = 2 * f7; crypto_int32 f5_38 = 38 * f5; /* 1.959375*2^30 */ crypto_int32 f6_19 = 19 * f6; /* 1.959375*2^30 */ crypto_int32 f7_38 = 38 * f7; /* 1.959375*2^30 */ crypto_int32 f8_19 = 19 * f8; /* 1.959375*2^30 */ crypto_int32 f9_38 = 38 * f9; /* 1.959375*2^30 */ crypto_int64 f0f0 = f0 * (crypto_int64) f0; crypto_int64 f0f1_2 = f0_2 * (crypto_int64) f1; crypto_int64 f0f2_2 = f0_2 * (crypto_int64) f2; crypto_int64 f0f3_2 = f0_2 * (crypto_int64) f3; crypto_int64 f0f4_2 = f0_2 * (crypto_int64) f4; crypto_int64 f0f5_2 = f0_2 * (crypto_int64) f5; crypto_int64 f0f6_2 = f0_2 * (crypto_int64) f6; crypto_int64 f0f7_2 = f0_2 * (crypto_int64) f7; crypto_int64 f0f8_2 = f0_2 * (crypto_int64) f8; crypto_int64 f0f9_2 = f0_2 * (crypto_int64) f9; crypto_int64 f1f1_2 = f1_2 * (crypto_int64) f1; crypto_int64 f1f2_2 = f1_2 * (crypto_int64) f2; crypto_int64 f1f3_4 = f1_2 * (crypto_int64) f3_2; crypto_int64 f1f4_2 = f1_2 * (crypto_int64) f4; crypto_int64 f1f5_4 = f1_2 * (crypto_int64) f5_2; crypto_int64 f1f6_2 = f1_2 * (crypto_int64) f6; crypto_int64 f1f7_4 = f1_2 * (crypto_int64) f7_2; crypto_int64 f1f8_2 = f1_2 * (crypto_int64) f8; crypto_int64 f1f9_76 = f1_2 * (crypto_int64) f9_38; crypto_int64 f2f2 = f2 * (crypto_int64) f2; crypto_int64 f2f3_2 = f2_2 * (crypto_int64) f3; crypto_int64 f2f4_2 = f2_2 * (crypto_int64) f4; crypto_int64 f2f5_2 = f2_2 * (crypto_int64) f5; crypto_int64 f2f6_2 = f2_2 * (crypto_int64) f6; crypto_int64 f2f7_2 = f2_2 * (crypto_int64) f7; crypto_int64 f2f8_38 = f2_2 * (crypto_int64) 
f8_19; crypto_int64 f2f9_38 = f2 * (crypto_int64) f9_38; crypto_int64 f3f3_2 = f3_2 * (crypto_int64) f3; crypto_int64 f3f4_2 = f3_2 * (crypto_int64) f4; crypto_int64 f3f5_4 = f3_2 * (crypto_int64) f5_2; crypto_int64 f3f6_2 = f3_2 * (crypto_int64) f6; crypto_int64 f3f7_76 = f3_2 * (crypto_int64) f7_38; crypto_int64 f3f8_38 = f3_2 * (crypto_int64) f8_19; crypto_int64 f3f9_76 = f3_2 * (crypto_int64) f9_38; crypto_int64 f4f4 = f4 * (crypto_int64) f4; crypto_int64 f4f5_2 = f4_2 * (crypto_int64) f5; crypto_int64 f4f6_38 = f4_2 * (crypto_int64) f6_19; crypto_int64 f4f7_38 = f4 * (crypto_int64) f7_38; crypto_int64 f4f8_38 = f4_2 * (crypto_int64) f8_19; crypto_int64 f4f9_38 = f4 * (crypto_int64) f9_38; crypto_int64 f5f5_38 = f5 * (crypto_int64) f5_38; crypto_int64 f5f6_38 = f5_2 * (crypto_int64) f6_19; crypto_int64 f5f7_76 = f5_2 * (crypto_int64) f7_38; crypto_int64 f5f8_38 = f5_2 * (crypto_int64) f8_19; crypto_int64 f5f9_76 = f5_2 * (crypto_int64) f9_38; crypto_int64 f6f6_19 = f6 * (crypto_int64) f6_19; crypto_int64 f6f7_38 = f6 * (crypto_int64) f7_38; crypto_int64 f6f8_38 = f6_2 * (crypto_int64) f8_19; crypto_int64 f6f9_38 = f6 * (crypto_int64) f9_38; crypto_int64 f7f7_38 = f7 * (crypto_int64) f7_38; crypto_int64 f7f8_38 = f7_2 * (crypto_int64) f8_19; crypto_int64 f7f9_76 = f7_2 * (crypto_int64) f9_38; crypto_int64 f8f8_19 = f8 * (crypto_int64) f8_19; crypto_int64 f8f9_38 = f8 * (crypto_int64) f9_38; crypto_int64 f9f9_38 = f9 * (crypto_int64) f9_38; crypto_int64 h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; crypto_int64 h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; crypto_int64 h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; crypto_int64 h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; crypto_int64 h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; crypto_int64 h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; crypto_int64 h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; crypto_int64 h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; crypto_int64 h8 = f0f8_2+f1f7_4 +f2f6_2 
+f3f5_4 +f4f4 +f9f9_38; crypto_int64 h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; crypto_int64 carry0; crypto_int64 carry1; crypto_int64 carry2; crypto_int64 carry3; crypto_int64 carry4; crypto_int64 carry5; crypto_int64 carry6; crypto_int64 carry7; crypto_int64 carry8; crypto_int64 carry9; h0 += h0; h1 += h1; h2 += h2; h3 += h3; h4 += h4; h5 += h5; h6 += h6; h7 += h7; h8 += h8; h9 += h9; carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; h[0] = h0; h[1] = h1; h[2] = h2; h[3] = h3; h[4] = h4; h[5] = h5; h[6] = h6; h[7] = h7; h[8] = h8; h[9] = h9; } XEdDSA-0.4.6/ref10/crypto_sign/pow22523.h0000644000175000017500000001261613372774360017362 0ustar useruser00000000000000 /* qhasm: fe z1 */ /* qhasm: fe z2 */ /* qhasm: fe z8 */ /* qhasm: fe z9 */ /* qhasm: fe z11 */ /* qhasm: fe z22 */ /* qhasm: fe z_5_0 */ /* qhasm: fe z_10_5 */ /* qhasm: fe z_10_0 */ /* qhasm: fe z_20_10 */ /* qhasm: fe z_20_0 */ /* qhasm: fe z_40_20 */ /* qhasm: fe z_40_0 */ /* qhasm: fe z_50_10 */ /* qhasm: fe z_50_0 */ /* qhasm: fe z_100_50 */ /* qhasm: fe z_100_0 */ /* qhasm: fe z_200_100 */ /* qhasm: 
fe z_200_0 */ /* qhasm: fe z_250_50 */ /* qhasm: fe z_250_0 */ /* qhasm: fe z_252_2 */ /* qhasm: fe z_252_3 */ /* qhasm: enter pow22523 */ /* qhasm: z2 = z1^2^1 */ /* asm 1: fe_sq(>z2=fe#1,z2=fe#1,>z2=fe#1); */ /* asm 2: fe_sq(>z2=t0,z2=t0,>z2=t0); */ fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0); /* qhasm: z8 = z2^2^2 */ /* asm 1: fe_sq(>z8=fe#2,z8=fe#2,>z8=fe#2); */ /* asm 2: fe_sq(>z8=t1,z8=t1,>z8=t1); */ fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1); /* qhasm: z9 = z1*z8 */ /* asm 1: fe_mul(>z9=fe#2,z9=t1,z11=fe#1,z11=t0,z22=fe#1,z22=fe#1,>z22=fe#1); */ /* asm 2: fe_sq(>z22=t0,z22=t0,>z22=t0); */ fe_sq(t0,t0); for (i = 1;i < 1;++i) fe_sq(t0,t0); /* qhasm: z_5_0 = z9*z22 */ /* asm 1: fe_mul(>z_5_0=fe#1,z_5_0=t0,z_10_5=fe#2,z_10_5=fe#2,>z_10_5=fe#2); */ /* asm 2: fe_sq(>z_10_5=t1,z_10_5=t1,>z_10_5=t1); */ fe_sq(t1,t0); for (i = 1;i < 5;++i) fe_sq(t1,t1); /* qhasm: z_10_0 = z_10_5*z_5_0 */ /* asm 1: fe_mul(>z_10_0=fe#1,z_10_0=t0,z_20_10=fe#2,z_20_10=fe#2,>z_20_10=fe#2); */ /* asm 2: fe_sq(>z_20_10=t1,z_20_10=t1,>z_20_10=t1); */ fe_sq(t1,t0); for (i = 1;i < 10;++i) fe_sq(t1,t1); /* qhasm: z_20_0 = z_20_10*z_10_0 */ /* asm 1: fe_mul(>z_20_0=fe#2,z_20_0=t1,z_40_20=fe#3,z_40_20=fe#3,>z_40_20=fe#3); */ /* asm 2: fe_sq(>z_40_20=t2,z_40_20=t2,>z_40_20=t2); */ fe_sq(t2,t1); for (i = 1;i < 20;++i) fe_sq(t2,t2); /* qhasm: z_40_0 = z_40_20*z_20_0 */ /* asm 1: fe_mul(>z_40_0=fe#2,z_40_0=t1,z_50_10=fe#2,z_50_10=fe#2,>z_50_10=fe#2); */ /* asm 2: fe_sq(>z_50_10=t1,z_50_10=t1,>z_50_10=t1); */ fe_sq(t1,t1); for (i = 1;i < 10;++i) fe_sq(t1,t1); /* qhasm: z_50_0 = z_50_10*z_10_0 */ /* asm 1: fe_mul(>z_50_0=fe#1,z_50_0=t0,z_100_50=fe#2,z_100_50=fe#2,>z_100_50=fe#2); */ /* asm 2: fe_sq(>z_100_50=t1,z_100_50=t1,>z_100_50=t1); */ fe_sq(t1,t0); for (i = 1;i < 50;++i) fe_sq(t1,t1); /* qhasm: z_100_0 = z_100_50*z_50_0 */ /* asm 1: fe_mul(>z_100_0=fe#2,z_100_0=t1,z_200_100=fe#3,z_200_100=fe#3,>z_200_100=fe#3); */ /* asm 2: fe_sq(>z_200_100=t2,z_200_100=t2,>z_200_100=t2); */ 
fe_sq(t2,t1); for (i = 1;i < 100;++i) fe_sq(t2,t2); /* qhasm: z_200_0 = z_200_100*z_100_0 */ /* asm 1: fe_mul(>z_200_0=fe#2,z_200_0=t1,z_250_50=fe#2,z_250_50=fe#2,>z_250_50=fe#2); */ /* asm 2: fe_sq(>z_250_50=t1,z_250_50=t1,>z_250_50=t1); */ fe_sq(t1,t1); for (i = 1;i < 50;++i) fe_sq(t1,t1); /* qhasm: z_250_0 = z_250_50*z_50_0 */ /* asm 1: fe_mul(>z_250_0=fe#1,z_250_0=t0,z_252_2=fe#1,z_252_2=fe#1,>z_252_2=fe#1); */ /* asm 2: fe_sq(>z_252_2=t0,z_252_2=t0,>z_252_2=t0); */ fe_sq(t0,t0); for (i = 1;i < 2;++i) fe_sq(t0,t0); /* qhasm: z_252_3 = z_252_2*z1 */ /* asm 1: fe_mul(>z_252_3=fe#12,z_252_3=out,> 5); crypto_int64 a2 = 2097151 & (load_3(a + 5) >> 2); crypto_int64 a3 = 2097151 & (load_4(a + 7) >> 7); crypto_int64 a4 = 2097151 & (load_4(a + 10) >> 4); crypto_int64 a5 = 2097151 & (load_3(a + 13) >> 1); crypto_int64 a6 = 2097151 & (load_4(a + 15) >> 6); crypto_int64 a7 = 2097151 & (load_3(a + 18) >> 3); crypto_int64 a8 = 2097151 & load_3(a + 21); crypto_int64 a9 = 2097151 & (load_4(a + 23) >> 5); crypto_int64 a10 = 2097151 & (load_3(a + 26) >> 2); crypto_int64 a11 = (load_4(a + 28) >> 7); crypto_int64 b0 = 2097151 & load_3(b); crypto_int64 b1 = 2097151 & (load_4(b + 2) >> 5); crypto_int64 b2 = 2097151 & (load_3(b + 5) >> 2); crypto_int64 b3 = 2097151 & (load_4(b + 7) >> 7); crypto_int64 b4 = 2097151 & (load_4(b + 10) >> 4); crypto_int64 b5 = 2097151 & (load_3(b + 13) >> 1); crypto_int64 b6 = 2097151 & (load_4(b + 15) >> 6); crypto_int64 b7 = 2097151 & (load_3(b + 18) >> 3); crypto_int64 b8 = 2097151 & load_3(b + 21); crypto_int64 b9 = 2097151 & (load_4(b + 23) >> 5); crypto_int64 b10 = 2097151 & (load_3(b + 26) >> 2); crypto_int64 b11 = (load_4(b + 28) >> 7); crypto_int64 c0 = 2097151 & load_3(c); crypto_int64 c1 = 2097151 & (load_4(c + 2) >> 5); crypto_int64 c2 = 2097151 & (load_3(c + 5) >> 2); crypto_int64 c3 = 2097151 & (load_4(c + 7) >> 7); crypto_int64 c4 = 2097151 & (load_4(c + 10) >> 4); crypto_int64 c5 = 2097151 & (load_3(c + 13) >> 1); crypto_int64 c6 = 
2097151 & (load_4(c + 15) >> 6); crypto_int64 c7 = 2097151 & (load_3(c + 18) >> 3); crypto_int64 c8 = 2097151 & load_3(c + 21); crypto_int64 c9 = 2097151 & (load_4(c + 23) >> 5); crypto_int64 c10 = 2097151 & (load_3(c + 26) >> 2); crypto_int64 c11 = (load_4(c + 28) >> 7); crypto_int64 s0; crypto_int64 s1; crypto_int64 s2; crypto_int64 s3; crypto_int64 s4; crypto_int64 s5; crypto_int64 s6; crypto_int64 s7; crypto_int64 s8; crypto_int64 s9; crypto_int64 s10; crypto_int64 s11; crypto_int64 s12; crypto_int64 s13; crypto_int64 s14; crypto_int64 s15; crypto_int64 s16; crypto_int64 s17; crypto_int64 s18; crypto_int64 s19; crypto_int64 s20; crypto_int64 s21; crypto_int64 s22; crypto_int64 s23; crypto_int64 carry0; crypto_int64 carry1; crypto_int64 carry2; crypto_int64 carry3; crypto_int64 carry4; crypto_int64 carry5; crypto_int64 carry6; crypto_int64 carry7; crypto_int64 carry8; crypto_int64 carry9; crypto_int64 carry10; crypto_int64 carry11; crypto_int64 carry12; crypto_int64 carry13; crypto_int64 carry14; crypto_int64 carry15; crypto_int64 carry16; crypto_int64 carry17; crypto_int64 carry18; crypto_int64 carry19; crypto_int64 carry20; crypto_int64 carry21; crypto_int64 carry22; s0 = c0 + a0*b0; s1 = c1 + a0*b1 + a1*b0; s2 = c2 + a0*b2 + a1*b1 + a2*b0; s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0; s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0; s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0; s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0; s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0; s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0; s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0; s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0; s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0; s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + 
a8*b4 + a9*b3 + a10*b2 + a11*b1; s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2; s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3; s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4; s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5; s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6; s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7; s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8; s20 = a9*b11 + a10*b10 + a11*b9; s21 = a10*b11 + a11*b10; s22 = a11*b11; s23 = 0; carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21; carry18 = (s18 + (1<<20)) >> 21; s19 += carry18; s18 -= carry18 << 21; carry20 = (s20 + (1<<20)) >> 21; s21 += carry20; s20 -= carry20 << 21; carry22 = (s22 + (1<<20)) >> 21; s23 += carry22; s22 -= carry22 << 21; carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; carry17 = (s17 + (1<<20)) >> 21; s18 += carry17; s17 -= carry17 << 
21; carry19 = (s19 + (1<<20)) >> 21; s20 += carry19; s19 -= carry19 << 21; carry21 = (s21 + (1<<20)) >> 21; s22 += carry21; s21 -= carry21 << 21; s11 += s23 * 666643; s12 += s23 * 470296; s13 += s23 * 654183; s14 -= s23 * 997805; s15 += s23 * 136657; s16 -= s23 * 683901; s23 = 0; s10 += s22 * 666643; s11 += s22 * 470296; s12 += s22 * 654183; s13 -= s22 * 997805; s14 += s22 * 136657; s15 -= s22 * 683901; s22 = 0; s9 += s21 * 666643; s10 += s21 * 470296; s11 += s21 * 654183; s12 -= s21 * 997805; s13 += s21 * 136657; s14 -= s21 * 683901; s21 = 0; s8 += s20 * 666643; s9 += s20 * 470296; s10 += s20 * 654183; s11 -= s20 * 997805; s12 += s20 * 136657; s13 -= s20 * 683901; s20 = 0; s7 += s19 * 666643; s8 += s19 * 470296; s9 += s19 * 654183; s10 -= s19 * 997805; s11 += s19 * 136657; s12 -= s19 * 683901; s19 = 0; s6 += s18 * 666643; s7 += s18 * 470296; s8 += s18 * 654183; s9 -= s18 * 997805; s10 += s18 * 136657; s11 -= s18 * 683901; s18 = 0; carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21; carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; s5 += s17 * 666643; s6 += s17 * 470296; s7 += s17 * 654183; s8 -= s17 * 997805; s9 += s17 * 136657; s10 -= s17 * 683901; s17 = 0; s4 += s16 * 666643; s5 += s16 * 470296; s6 += s16 * 654183; s7 -= s16 * 997805; s8 += s16 * 136657; s9 -= s16 * 683901; s16 = 0; s3 += s15 * 666643; s4 += s15 * 
470296; s5 += s15 * 654183; s6 -= s15 * 997805; s7 += s15 * 136657; s8 -= s15 * 683901; s15 = 0; s2 += s14 * 666643; s3 += s14 * 470296; s4 += s14 * 654183; s5 -= s14 * 997805; s6 += s14 * 136657; s7 -= s14 * 683901; s14 = 0; s1 += s13 * 666643; s2 += s13 * 470296; s3 += s13 * 654183; s4 -= s13 * 997805; s5 += s13 * 136657; s6 -= s13 * 683901; s13 = 0; s0 += s12 * 666643; s1 += s12 * 470296; s2 += s12 * 654183; s3 -= s12 * 997805; s4 += s12 * 136657; s5 -= s12 * 683901; s12 = 0; carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; s0 += s12 * 666643; s1 += s12 * 470296; s2 += s12 * 654183; s3 -= s12 * 997805; s4 += s12 * 136657; s5 -= s12 * 683901; s12 = 0; carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; 
carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; s0 += s12 * 666643; s1 += s12 * 470296; s2 += s12 * 654183; s3 -= s12 * 997805; s4 += s12 * 136657; s5 -= s12 * 683901; s12 = 0; carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; s[0] = s0 >> 0; s[1] = s0 >> 8; s[2] = (s0 >> 16) | (s1 << 5); s[3] = s1 >> 3; s[4] = s1 >> 11; s[5] = (s1 >> 19) | (s2 << 2); s[6] = s2 >> 6; s[7] = (s2 >> 14) | (s3 << 7); s[8] = s3 >> 1; s[9] = s3 >> 9; s[10] = (s3 >> 17) | (s4 << 4); s[11] = s4 >> 4; s[12] = s4 >> 12; s[13] = (s4 >> 20) | (s5 << 1); s[14] = s5 >> 7; s[15] = (s5 >> 15) | (s6 << 6); s[16] = s6 >> 2; s[17] = s6 >> 10; s[18] = (s6 >> 18) | (s7 << 3); s[19] = s7 >> 5; s[20] = s7 >> 13; s[21] = s8 >> 0; s[22] = s8 >> 8; s[23] = (s8 >> 16) | (s9 << 5); s[24] = s9 >> 3; s[25] = s9 >> 11; s[26] = (s9 >> 19) | (s10 << 2); s[27] = s10 >> 6; s[28] = (s10 >> 14) | (s11 << 7); s[29] = s11 >> 1; s[30] = s11 >> 9; s[31] = s11 >> 17; } XEdDSA-0.4.6/ref10/crypto_sign/ge_add.c0000644000175000017500000000017513372774360017352 0ustar useruser00000000000000#include "ge.h" /* r = p + q */ void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) { fe t0; #include "ge_add.h" } XEdDSA-0.4.6/ref10/crypto_sign/ge_p2_dbl.c0000644000175000017500000000016013372774360017756 0ustar useruser00000000000000#include "ge.h" /* r = 2 * p */ void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p) { fe t0; #include "ge_p2_dbl.h" } 
XEdDSA-0.4.6/ref10/crypto_sign/fe_neg.c0000644000175000017500000000152713372774360017374 0ustar useruser00000000000000#include "fe.h"

/*
h = -f

Negates a field element by negating each of its ten limbs. The represented
integer is a fixed linear combination of the limbs, so this negates the value
without any carry step, and the symmetric limb bounds below are preserved.

All ten limbs of f are read before h is written, so h and f may be the same
array. The body is straight-line code with no data-dependent branch or index.

Preconditions:
   |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions:
   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*/
void fe_neg(fe h,const fe f)
{
  /* Snapshot the input limbs first (keeps h == f safe). */
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  /* Limb-wise negation; within the stated bounds this cannot overflow int32. */
  crypto_int32 h0 = -f0;
  crypto_int32 h1 = -f1;
  crypto_int32 h2 = -f2;
  crypto_int32 h3 = -f3;
  crypto_int32 h4 = -f4;
  crypto_int32 h5 = -f5;
  crypto_int32 h6 = -f6;
  crypto_int32 h7 = -f7;
  crypto_int32 h8 = -f8;
  crypto_int32 h9 = -f9;
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_1.c0000644000175000017500000000025213372774360016755 0ustar useruser00000000000000#include "fe.h"

/*
h = 1

Sets h to the field element one: limb 0 is 1 and the other nine limbs are 0.
*/
void fe_1(fe h)
{
  h[0] = 1;
  h[1] = 0;
  h[2] = 0;
  h[3] = 0;
  h[4] = 0;
  h[5] = 0;
  h[6] = 0;
  h[7] = 0;
  h[8] = 0;
  h[9] = 0;
}
XEdDSA-0.4.6/ref10/crypto_sign/ge_sub.h0000644000175000017500000000404013372774360017413 0ustar useruser00000000000000
/*
Generated (qhasm) statement fragment, not a standalone translation unit.
It uses r, p, q and a scratch element t0 from the enclosing scope; presumably
it is #included into the body of ge_sub() the way ge_add.c includes ge_add.h
(ge_sub.c is not shown here, so confirm).

Each `qhasm:` comment states the formula that the call after it implements.
The generator's `asm 1`/`asm 2` annotation comments arrived truncated on this
page and are left out. The fields of r are reused as scratch space, so the
statement order matters.
*/

/* qhasm: enter ge_sub */

/* qhasm: fe X1 */

/* qhasm: fe Y1 */

/* qhasm: fe Z1 */

/* qhasm: fe Z2 */

/* qhasm: fe T1 */

/* qhasm: fe ZZ */

/* qhasm: fe YpX2 */

/* qhasm: fe YmX2 */

/* qhasm: fe T2d2 */

/* qhasm: fe X3 */

/* qhasm: fe Y3 */

/* qhasm: fe Z3 */

/* qhasm: fe T3 */

/* qhasm: fe YpX1 */

/* qhasm: fe YmX1 */

/* qhasm: fe A */

/* qhasm: fe B */

/* qhasm: fe C */

/* qhasm: fe D */

/* qhasm: YpX1 = Y1+X1 */
fe_add(r->X,p->Y,p->X);

/* qhasm: YmX1 = Y1-X1 */
fe_sub(r->Y,p->Y,p->X);

/* qhasm: A = YpX1*YmX2 */
/* (Y1+X1) is multiplied by q's YminusX field. */
fe_mul(r->Z,r->X,q->YminusX);

/* qhasm: B =
YmX1*YpX2 */
/*
Remainder of the generated ge_sub fragment, followed by the start of the
ge_msub fragment. Each `qhasm:` comment states the formula that the call after
it implements. The generator's `asm 1`/`asm 2` annotation comments arrived
truncated on this page and are left out.

Both fragments use r, p, q and a scratch element t0 from the enclosing scope.
The fields of r are reused as scratch space, so the statement order matters
(X3 has to be computed before Y3 overwrites r->Y, for example).
*/
fe_mul(r->Y,r->Y,q->YplusX);

/* qhasm: C = T2d2*T1 */
fe_mul(r->T,q->T2d,p->T);

/* qhasm: ZZ = Z1*Z2 */
fe_mul(r->X,p->Z,q->Z);

/* qhasm: D = 2*ZZ */
fe_add(t0,r->X,r->X);

/* qhasm: X3 = A-B */
fe_sub(r->X,r->Z,r->Y);

/* qhasm: Y3 = A+B */
fe_add(r->Y,r->Z,r->Y);

/* qhasm: Z3 = D-C */
fe_sub(r->Z,t0,r->T);

/* qhasm: T3 = D+C */
fe_add(r->T,t0,r->T);

/* qhasm: return */
XEdDSA-0.4.6/ref10/crypto_sign/ge_msub.h0000644000175000017500000000355413372774360017601 0ustar useruser00000000000000
/*
ge_msub fragment: same shape as the ge_sub fragment above, but q supplies the
three fields yplusx, yminusx and xy2d, and D is formed from Z1 alone (2*Z1)
because no Z coordinate of q is read.
*/

/* qhasm: enter ge_msub */

/* qhasm: fe X1 */

/* qhasm: fe Y1 */

/* qhasm: fe Z1 */

/* qhasm: fe T1 */

/* qhasm: fe ypx2 */

/* qhasm: fe ymx2 */

/* qhasm: fe xy2d2 */

/* qhasm: fe X3 */

/* qhasm: fe Y3 */

/* qhasm: fe Z3 */

/* qhasm: fe T3 */

/* qhasm: fe YpX1 */

/* qhasm: fe YmX1 */

/* qhasm: fe A */

/* qhasm: fe B */

/* qhasm: fe C */

/* qhasm: fe D */

/* qhasm: YpX1 = Y1+X1 */
fe_add(r->X,p->Y,p->X);

/* qhasm: YmX1 = Y1-X1 */
fe_sub(r->Y,p->Y,p->X);

/* qhasm: A = YpX1*ymx2 */
fe_mul(r->Z,r->X,q->yminusx);

/* qhasm: B = YmX1*ypx2 */
fe_mul(r->Y,r->Y,q->yplusx);

/* qhasm: C = xy2d2*T1 */
fe_mul(r->T,q->xy2d,p->T);

/* qhasm: D = 2*Z1 */
fe_add(t0,p->Z,p->Z);

/* qhasm: X3 = A-B */
fe_sub(r->X,r->Z,r->Y);

/* qhasm: Y3 = A+B */
fe_add(r->Y,r->Z,r->Y);

/* qhasm: Z3 = D-C */
/* asm 1:
fe_sub(>Z3=fe#3,Z3=r->Z,T); */
/*
Tail of the generated ge_msub fragment. The annotation comment closed on the
line above arrived truncated on this page; the `qhasm:` comments give the
formula each call implements. t0 holds D and r->T holds C at this point.
*/
fe_sub(r->Z,t0,r->T);

/* qhasm: T3 = D+C */
fe_add(r->T,t0,r->T);

/* qhasm: return */
XEdDSA-0.4.6/ref10/crypto_sign/fe_0.c0000644000175000017500000000025213372774360016754 0ustar useruser00000000000000#include "fe.h"

/*
h = 0

Sets h to the field element zero by clearing all ten limbs.
*/
void fe_0(fe h)
{
  h[0] = 0;
  h[1] = 0;
  h[2] = 0;
  h[3] = 0;
  h[4] = 0;
  h[5] = 0;
  h[6] = 0;
  h[7] = 0;
  h[8] = 0;
  h[9] = 0;
}
XEdDSA-0.4.6/ref10/crypto_sign/fe.h0000644000175000017500000000372413372774360016551 0ustar useruser00000000000000#include "cross_platform.h"
#ifndef FE_H
#define FE_H

#include "crypto_int32.h"

/*
A field element is ten signed 32-bit limbs. fe is an array type, so a function
parameter declared `fe` is a pointer to the caller's limbs and `const fe`
marks them read-only.
*/
typedef crypto_int32 fe[10];

/*
fe means field element.
Here the field is \Z/(2^255-19).
An element t, entries t[0]...t[9], represents the integer
t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
Bounds on each t[i] vary depending on context.

The limb weights step by 26 and 25 bits alternately. The limbs are signed and
not unique: each routine states the bounds it needs and the bounds it leaves
in its own pre/postcondition comment.
*/

/* Map the short fe_* names onto crypto_sign_ed25519_ref10_-prefixed symbols. */
#define fe_frombytes crypto_sign_ed25519_ref10_fe_frombytes
#define fe_tobytes crypto_sign_ed25519_ref10_fe_tobytes
#define fe_copy crypto_sign_ed25519_ref10_fe_copy
#define fe_isnonzero crypto_sign_ed25519_ref10_fe_isnonzero
#define fe_isnegative crypto_sign_ed25519_ref10_fe_isnegative
#define fe_0 crypto_sign_ed25519_ref10_fe_0
#define fe_1 crypto_sign_ed25519_ref10_fe_1
#define fe_cmov crypto_sign_ed25519_ref10_fe_cmov
#define fe_add crypto_sign_ed25519_ref10_fe_add
#define fe_sub crypto_sign_ed25519_ref10_fe_sub
#define fe_neg crypto_sign_ed25519_ref10_fe_neg
#define fe_mul crypto_sign_ed25519_ref10_fe_mul
#define fe_sq crypto_sign_ed25519_ref10_fe_sq
#define fe_sq2 crypto_sign_ed25519_ref10_fe_sq2
#define fe_invert crypto_sign_ed25519_ref10_fe_invert
#define fe_pow22523 crypto_sign_ed25519_ref10_fe_pow22523

#ifdef __cplusplus
extern "C" {
#endif

/* INTERFACE is not defined in this header; presumably it comes from
   cross_platform.h (confirm there). */
extern void INTERFACE fe_frombytes(fe,const unsigned char *);
extern void INTERFACE fe_tobytes(unsigned char *,const fe);
extern void INTERFACE fe_copy(fe,const fe);
/* Both predicates return int; see the definitions for the exact values. */
extern int INTERFACE fe_isnonzero(const fe);
extern int INTERFACE fe_isnegative(const fe);
/* Remaining fe.h prototypes. Output parameter first, inputs after it;
   the semantics are documented at each definition. */
extern void INTERFACE fe_0(fe);
extern void INTERFACE fe_1(fe);
extern void INTERFACE fe_cmov(fe,const fe,unsigned int);
extern void INTERFACE fe_add(fe,const fe,const fe);
extern void INTERFACE fe_sub(fe,const fe,const fe);
extern void INTERFACE fe_neg(fe,const fe);
extern void INTERFACE fe_mul(fe,const fe,const fe);
extern void INTERFACE fe_sq(fe,const fe);
extern void INTERFACE fe_sq2(fe,const fe);
extern void INTERFACE fe_invert(fe,const fe);
extern void INTERFACE fe_pow22523(fe,const fe);

#ifdef __cplusplus
}
#endif

#endif
XEdDSA-0.4.6/ref10/crypto_sign/fe_frombytes.c0000644000175000017500000000425613372774360020637 0ustar useruser00000000000000#include "fe.h"
#include "crypto_int64.h"
#include "crypto_uint64.h"

/*
Little-endian load of exactly three bytes, in[0..2], into a 64-bit unsigned
value (in[0] is the least significant byte). The caller must guarantee that
three bytes are readable.
*/
static crypto_uint64 load_3(const unsigned char *in)
{
  crypto_uint64 result;
  /* Widen each byte before shifting so the shift happens in 64 bits. */
  result = (crypto_uint64) in[0];
  result |= ((crypto_uint64) in[1]) << 8;
  result |= ((crypto_uint64) in[2]) << 16;
  return result;
}

/*
Little-endian load of exactly four bytes, in[0..3], into a 64-bit unsigned
value. The caller must guarantee that four bytes are readable.
*/
static crypto_uint64 load_4(const unsigned char *in)
{
  crypto_uint64 result;
  result = (crypto_uint64) in[0];
  result |= ((crypto_uint64) in[1]) << 8;
  result |= ((crypto_uint64) in[2]) << 16;
  /* The cast matters most here: without it in[3] << 24 would be an int shift. */
  result |= ((crypto_uint64) in[3]) << 24;
  return result;
}

/*
Ignores top bit of h.
*/
/*
fe_frombytes: decode 32 little-endian bytes s[0..31] into the ten-limb form h.

Each load is shifted so that it is expressed in units of its limb's weight
(for example bytes 4..6 start at bit 32 and limb 1 has weight 2^26, hence
<< 6). The top limb masks its 24 loaded bits with 8388607 = 2^23-1, which
drops bit 7 of s[31]: that is the "top bit" the comment above refers to.

NOTE(review): no range check is performed. Any 255-bit value is accepted,
including values from 2^255-19 to 2^255-1, so two different byte strings can
decode to the same field element. A caller that must reject non-canonical
encodings has to check for that itself.

s must provide 32 readable bytes. The body is straight-line code with no
data-dependent branch or index.
*/
void fe_frombytes(fe h,const unsigned char *s)
{
  crypto_int64 h0 = load_4(s);
  crypto_int64 h1 = load_3(s + 4) << 6;
  crypto_int64 h2 = load_3(s + 7) << 5;
  crypto_int64 h3 = load_3(s + 10) << 3;
  crypto_int64 h4 = load_3(s + 13) << 2;
  crypto_int64 h5 = load_4(s + 16);
  crypto_int64 h6 = load_3(s + 20) << 7;
  crypto_int64 h7 = load_3(s + 23) << 5;
  crypto_int64 h8 = load_3(s + 26) << 4;
  /* Mask to 23 bits: discards the most significant bit of the encoding. */
  crypto_int64 h9 = (load_3(s + 29) & 8388607) << 2;
  crypto_int64 carry0;
  crypto_int64 carry1;
  crypto_int64 carry2;
  crypto_int64 carry3;
  crypto_int64 carry4;
  crypto_int64 carry5;
  crypto_int64 carry6;
  crypto_int64 carry7;
  crypto_int64 carry8;
  crypto_int64 carry9;

  /* Odd limbs keep 25 bits. Adding 2^24 before the shift rounds the carry to
     nearest, which leaves a signed remainder. The carry out of limb 9 has
     weight 2^255, which is 19 modulo 2^255-19, so it re-enters at limb 0. */
  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;

  /* Even limbs keep 26 bits, rounded the same way with 2^25. */
  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;

  /* Store the 64-bit working limbs into the 32-bit limbs of h. */
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
XEdDSA-0.4.6/ref10/crypto_sign/ge_p1p1_to_p3.c0000644000175000017500000000027713372774360020512 0ustar useruser00000000000000#include "ge.h"

/*
r = p

Converts a point from the completed form (x = X/Z, y = Y/T) to the extended
form (x = X/Z, y = Y/Z, XY = ZT) with four field multiplications:
X*T, Y*Z, Z*T and X*Y. The ratios X/Z and Y/Z of the result equal the input's
x and y, and the new T satisfies XY = ZT.

r and p have different struct types, so the outputs do not overwrite inputs
that are still needed.
*/
extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p)
{
  fe_mul(r->X,p->X,p->T);
  fe_mul(r->Y,p->Y,p->Z);
  fe_mul(r->Z,p->Z,p->T);
  fe_mul(r->T,p->X,p->Y);
}
XEdDSA-0.4.6/ref10/crypto_sign/ge_p3_tobytes.c0000644000175000017500000000034413372774360020713 0ustar
useruser00000000000000#include "ge.h"

/*
Encode the extended-coordinate point h as 32 bytes in s.

Computes the affine coordinates x = X/Z and y = Y/Z using one field inversion,
writes y with fe_tobytes(), then XORs the value of fe_isnegative(x) into bit 7
of s[31]. The XOR sets that bit only if fe_tobytes() left it clear; fe_tobytes
is not shown here, so confirm that it emits a value below 2^255.

s must have room for 32 bytes.
*/
void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
{
  fe recip;
  fe x;
  fe y;

  fe_invert(recip,h->Z);
  fe_mul(x,h->X,recip);
  fe_mul(y,h->Y,recip);
  fe_tobytes(s,y);
  /* Bit 7 of the last byte carries the "sign" (parity) of x. */
  s[31] ^= fe_isnegative(x) << 7;
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_isnonzero.c0000644000175000017500000000047313372774360020650 0ustar useruser00000000000000#include "fe.h"
#include "crypto_verify_32.h"

/*
return 0 if f == 0
return nonzero if f != 0

The result is the return value of crypto_verify_32(s,zero), where s is the
32-byte encoding of f. In the NaCl crypto_verify API that is 0 for equal
inputs and -1 for unequal ones (confirm against crypto_verify_32.h), so
callers should compare the result with 0 and must not expect 1.

The comment shipped with this file stated the two cases the other way round
("return 1 if f == 0"), which contradicts both the function name and the
code below.

Comparing through crypto_verify_32 rather than memcmp is presumably meant to
keep the comparison time independent of the data (not shown here).

Preconditions:
   |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/

/* Static storage, so all 32 bytes are zero-initialised. */
static const unsigned char zero[32];

int fe_isnonzero(const fe f)
{
  unsigned char s[32];
  /* Compare the byte encoding: the limb form of a field element is not unique. */
  fe_tobytes(s,f);
  return crypto_verify_32(s,zero);
}
XEdDSA-0.4.6/ref10/crypto_sign/ge_p3_dbl.c0000644000175000017500000000020313372774360017755 0ustar useruser00000000000000#include "ge.h"

/*
r = 2 * p

Doubles an extended-coordinate point by converting it to a ge_p2 with
ge_p3_to_p2() and calling ge_p2_dbl() on the result. The result r is in the
completed (ge_p1p1) form.
*/
void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
{
  ge_p2 q;
  ge_p3_to_p2(&q,p);
  ge_p2_dbl(r,&q);
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_sub.c0000644000175000017500000000234713372774360017415 0ustar useruser00000000000000#include "fe.h"

/*
h = f - g
Can overlap h with f or g.

Preconditions:
   |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
   |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

Postconditions:
   |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
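*/
/*
fe_sub: limb-wise subtraction of two field elements, h = f - g.

No carry or reduction is performed, which is why the output bound in the
comment above is one bit wider than the input bounds. All limbs of f and g are
read before h is written, so h may alias either input. The body is
straight-line code with no data-dependent branch or index.
*/
void fe_sub(fe h,const fe f,const fe g)
{
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  crypto_int32 g0 = g[0];
  crypto_int32 g1 = g[1];
  crypto_int32 g2 = g[2];
  crypto_int32 g3 = g[3];
  crypto_int32 g4 = g[4];
  crypto_int32 g5 = g[5];
  crypto_int32 g6 = g[6];
  crypto_int32 g7 = g[7];
  crypto_int32 g8 = g[8];
  crypto_int32 g9 = g[9];
  crypto_int32 h0 = f0 - g0;
  crypto_int32 h1 = f1 - g1;
  crypto_int32 h2 = f2 - g2;
  crypto_int32 h3 = f3 - g3;
  crypto_int32 h4 = f4 - g4;
  crypto_int32 h5 = f5 - g5;
  crypto_int32 h6 = f6 - g6;
  crypto_int32 h7 = f7 - g7;
  crypto_int32 h8 = f8 - g8;
  crypto_int32 h9 = f9 - g9;
  h[0] = h0;
  h[1] = h1;
  h[2] = h2;
  h[3] = h3;
  h[4] = h4;
  h[5] = h5;
  h[6] = h6;
  h[7] = h7;
  h[8] = h8;
  h[9] = h9;
}
XEdDSA-0.4.6/ref10/crypto_sign/sign.c0000644000175000017500000000146113372774360017106 0ustar useruser00000000000000#include <string.h>
#include "crypto_sign.h"
#include "crypto_hash_sha512.h"
#include "ge.h"
#include "sc.h"

/*
Overwrite n bytes at p with zeros through a volatile pointer, so that the
stores are not dropped as dead writes the way a plain memset() before return
can be. Best effort only: copies held in registers or in callee stack frames
are not reached.
*/
static void sign_wipe(unsigned char *p,size_t n)
{
  volatile unsigned char *v = p;
  while (n--) *v++ = 0;
}

/*
Ed25519 signing: writes the signed message R || S || m to sm.

The first #include above had lost its header name on this page; it is restored
as <string.h>, which declares the memmove() used below.

Parameters:
  sm     output buffer with room for mlen + 64 bytes. It may overlap m,
         because the copies use memmove().
  smlen  receives mlen + 64.
  m,mlen message to sign.
  sk     64 bytes: sk[0..31] is hashed to derive the secret scalar and the
         nonce prefix, sk[32..63] is used as the public key.
Returns 0 always.

Steps (hash is crypto_hash_sha512):
  az    = hash(sk[0..31]); az[0..31] is clamped into the secret scalar,
          az[32..63] is the nonce prefix.
  nonce = hash(prefix || m) reduced mod l, so it is deterministic per (sk, m).
  R     = nonce * base point, encoded into sm[0..31].
  hram  = hash(R || pk || m) reduced mod l.
  S     = hram * scalar + nonce mod l, written to sm[32..63].

Security notes:
  - az and nonce hold secret-derived bytes and are wiped before returning.
    pk, hram and R are public values and are left alone.
  - The public key half of sk is used as given and is not recomputed from the
    seed. Keep sk integrity-protected as one unit: signing one message with
    the same seed but a different public-key half would pair the same nonce
    with a different hram.
  - mlen + 64 is computed in unsigned long long without an overflow check;
    the caller is responsible for sizing sm.
*/
int crypto_sign(
  unsigned char *sm,unsigned long long *smlen,
  const unsigned char *m,unsigned long long mlen,
  const unsigned char *sk
)
{
  unsigned char pk[32];
  unsigned char az[64];
  unsigned char nonce[64];
  unsigned char hram[64];
  ge_p3 R;

  memmove(pk,sk + 32,32);

  crypto_hash_sha512(az,sk,32);
  /* Clamp: clear the low three bits, clear the top two bits, set bit 254. */
  az[0] &= 248;
  az[31] &= 63;
  az[31] |= 64;

  *smlen = mlen + 64;
  memmove(sm + 64,m,mlen);
  /* The nonce prefix sits in sm[32..63] only while it is hashed together
     with m; it is overwritten by pk right after. */
  memmove(sm + 32,az + 32,32);
  crypto_hash_sha512(nonce,sm + 32,mlen + 32);
  memmove(sm + 32,pk,32);

  sc_reduce(nonce);
  ge_scalarmult_base(&R,nonce);
  ge_p3_tobytes(sm,&R);

  crypto_hash_sha512(hram,sm,mlen + 64);
  sc_reduce(hram);
  sc_muladd(sm + 32,hram,az,nonce);

  /* Wipe all 64 bytes of each buffer: sc_reduce() rewrites only the low 32
     bytes of nonce, so its upper half still holds hash output. */
  sign_wipe(az,sizeof az);
  sign_wipe(nonce,sizeof nonce);

  return 0;
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_isnegative.c0000644000175000017500000000041213372774360020751 0ustar useruser00000000000000#include "fe.h"

/*
return 1 if f is in {1,3,5,...,q-2}
return 0 if f is in {0,2,4,...,q-1}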

Preconditions:
   |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

"Negative" here means odd: the result is bit 0 of the first byte written by
fe_tobytes(). This matches the two sets above only if fe_tobytes() emits the
fully reduced value of f (fe_tobytes is not shown here; confirm).
*/
int fe_isnegative(const fe f)
{
  unsigned char s[32];
  fe_tobytes(s,f);
  return s[0] & 1;
}
XEdDSA-0.4.6/ref10/crypto_sign/sc_reduce.c0000644000175000017500000001771313372774360020111 0ustar useruser00000000000000#include "sc.h"
#include "crypto_int64.h"
#include "crypto_uint32.h"
#include "crypto_uint64.h"

/*
Little-endian load of exactly three bytes, in[0..2], into a 64-bit unsigned
value (in[0] is the least significant byte). The caller must guarantee that
three bytes are readable.
*/
static crypto_uint64 load_3(const unsigned char *in)
{
  crypto_uint64 result;
  /* Widen each byte before shifting so the shift happens in 64 bits. */
  result = (crypto_uint64) in[0];
  result |= ((crypto_uint64) in[1]) << 8;
  result |= ((crypto_uint64) in[2]) << 16;
  return result;
}

/*
Little-endian load of exactly four bytes, in[0..3], into a 64-bit unsigned
value. The caller must guarantee that four bytes are readable.
*/
static crypto_uint64 load_4(const unsigned char *in)
{
  crypto_uint64 result;
  result = (crypto_uint64) in[0];
  result |= ((crypto_uint64) in[1]) << 8;
  result |= ((crypto_uint64) in[2]) << 16;
  result |= ((crypto_uint64) in[3]) << 24;
  return result;
}

/*
Input:
  s[0]+256*s[1]+...+256^63*s[63] = s

Output:
  s[0]+256*s[1]+...+256^31*s[31] = s mod l
  where l = 2^252 + 27742317777372353535851937790883648493.
  Overwrites s in place.
*/
/*
sc_reduce: reduce the 64-byte little-endian integer in s modulo the group
order l and write the 32-byte result back to s[0..31].

s must be a writable 64-byte buffer. Only s[0..31] is written; s[32..63] keeps
the upper half of the input, so a caller holding secret data in s has to clear
the whole buffer itself.

Method:
  1. Split the 512 input bits into 24 limbs of 21 bits (2097151 = 2^21-1);
     limb k starts at bit 21*k. The top limb s23 is not masked and keeps the
     remaining high bits.
  2. Limb 12 has weight 2^252. Each limb s_k with k >= 12 is folded away by
     adding s_k times the six constants 666643, 470296, 654183, -997805,
     136657, -683901 to limbs s_(k-12) .. s_(k-7); these are the signed
     21-bit digits of 2^252 - l, which is congruent to 2^252 modulo l.
  3. Carry passes in between keep the limbs small. The passes that add 2^20
     before shifting round to nearest and leave signed limbs; the last two
     passes shift without rounding and leave non-negative limbs.
  4. Pack limbs s0..s11 back into 32 bytes.

The body is straight-line code with no data-dependent branch or index.

NOTE(review): limbs and carries can be negative here (for example after
`s14 -= s23 * 997805`). `x >> 21` on a negative value is implementation-defined
in ISO C and `carry << 21` on a negative carry is formally undefined. The
compilers this code is normally built with give the two's-complement result it
relies on; `carry * (1 << 21)` is the portable spelling and would be the
change to make if a strict or sanitizer build flags these lines.
*/
void sc_reduce(unsigned char *s)
{
  /* Step 1: 24 limbs of 21 bits each; the byte offset and shift select bit 21*k. */
  crypto_int64 s0 = 2097151 & load_3(s);
  crypto_int64 s1 = 2097151 & (load_4(s + 2) >> 5);
  crypto_int64 s2 = 2097151 & (load_3(s + 5) >> 2);
  crypto_int64 s3 = 2097151 & (load_4(s + 7) >> 7);
  crypto_int64 s4 = 2097151 & (load_4(s + 10) >> 4);
  crypto_int64 s5 = 2097151 & (load_3(s + 13) >> 1);
  crypto_int64 s6 = 2097151 & (load_4(s + 15) >> 6);
  crypto_int64 s7 = 2097151 & (load_3(s + 18) >> 3);
  crypto_int64 s8 = 2097151 & load_3(s + 21);
  crypto_int64 s9 = 2097151 & (load_4(s + 23) >> 5);
  crypto_int64 s10 = 2097151 & (load_3(s + 26) >> 2);
  crypto_int64 s11 = 2097151 & (load_4(s + 28) >> 7);
  crypto_int64 s12 = 2097151 & (load_4(s + 31) >> 4);
  crypto_int64 s13 = 2097151 & (load_3(s + 34) >> 1);
  crypto_int64 s14 = 2097151 & (load_4(s + 36) >> 6);
  crypto_int64 s15 = 2097151 & (load_3(s + 39) >> 3);
  crypto_int64 s16 = 2097151 & load_3(s + 42);
  crypto_int64 s17 = 2097151 & (load_4(s + 44) >> 5);
  crypto_int64 s18 = 2097151 & (load_3(s + 47) >> 2);
  crypto_int64 s19 = 2097151 & (load_4(s + 49) >> 7);
  crypto_int64 s20 = 2097151 & (load_4(s + 52) >> 4);
  crypto_int64 s21 = 2097151 & (load_3(s + 55) >> 1);
  crypto_int64 s22 = 2097151 & (load_4(s + 57) >> 6);
  /* Top limb: unmasked, holds the 29 bits above bit 483. */
  crypto_int64 s23 = (load_4(s + 60) >> 3);
  crypto_int64 carry0;
  crypto_int64 carry1;
  crypto_int64 carry2;
  crypto_int64 carry3;
  crypto_int64 carry4;
  crypto_int64 carry5;
  crypto_int64 carry6;
  crypto_int64 carry7;
  crypto_int64 carry8;
  crypto_int64 carry9;
  crypto_int64 carry10;
  crypto_int64 carry11;
  crypto_int64 carry12;
  crypto_int64 carry13;
  crypto_int64 carry14;
  crypto_int64 carry15;
  crypto_int64 carry16;

  /* Step 2a: fold limbs 23..18 into limbs 16..6. */
  s11 += s23 * 666643;
  s12 += s23 * 470296;
  s13 += s23 * 654183;
  s14 -= s23 * 997805;
  s15 += s23 * 136657;
  s16 -= s23 * 683901;
  s23 = 0;

  s10 += s22 * 666643;
  s11 += s22 * 470296;
  s12 += s22 * 654183;
  s13 -= s22 * 997805;
  s14 += s22 * 136657;
  s15 -= s22 * 683901;
  s22 = 0;

  s9 += s21 * 666643;
  s10 += s21 * 470296;
  s11 += s21 * 654183;
  s12 -= s21 * 997805;
  s13 += s21 * 136657;
  s14 -= s21 * 683901;
  s21 = 0;

  s8 += s20 * 666643;
  s9 += s20 * 470296;
  s10 += s20 * 654183;
  s11 -= s20 * 997805;
  s12 += s20 * 136657;
  s13 -= s20 * 683901;
  s20 = 0;

  s7 += s19 * 666643;
  s8 += s19 * 470296;
  s9 += s19 * 654183;
  s10 -= s19 * 997805;
  s11 += s19 * 136657;
  s12 -= s19 * 683901;
  s19 = 0;

  s6 += s18 * 666643;
  s7 += s18 * 470296;
  s8 += s18 * 654183;
  s9 -= s18 * 997805;
  s10 += s18 * 136657;
  s11 -= s18 * 683901;
  s18 = 0;

  /* Rounded carries over limbs 6..16 (even limbs first, then odd ones),
     so the next fold multiplies small values. */
  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;

  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;

  /* Step 2b: fold limbs 17..12 into limbs 10..0. */
  s5 += s17 * 666643;
  s6 += s17 * 470296;
  s7 += s17 * 654183;
  s8 -= s17 * 997805;
  s9 += s17 * 136657;
  s10 -= s17 * 683901;
  s17 = 0;

  s4 += s16 * 666643;
  s5 += s16 * 470296;
  s6 += s16 * 654183;
  s7 -= s16 * 997805;
  s8 += s16 * 136657;
  s9 -= s16 * 683901;
  s16 = 0;

  s3 += s15 * 666643;
  s4 += s15 * 470296;
  s5 += s15 * 654183;
  s6 -= s15 * 997805;
  s7 += s15 * 136657;
  s8 -= s15 * 683901;
  s15 = 0;

  s2 += s14 * 666643;
  s3 += s14 * 470296;
  s4 += s14 * 654183;
  s5 -= s14 * 997805;
  s6 += s14 * 136657;
  s7 -= s14 * 683901;
  s14 = 0;

  s1 += s13 * 666643;
  s2 += s13 * 470296;
  s3 += s13 * 654183;
  s4 -= s13 * 997805;
  s5 += s13 * 136657;
  s6 -= s13 * 683901;
  s13 = 0;

  s0 += s12 * 666643;
  s1 += s12 * 470296;
  s2 += s12 * 654183;
  s3 -= s12 * 997805;
  s4 += s12 * 136657;
  s5 -= s12 * 683901;
  s12 = 0;

  /* Rounded carries over limbs 0..11; the carry out of limb 11 lands in s12. */
  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;

  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;

  /* Fold the small s12 produced by that carry. */
  s0 += s12 * 666643;
  s1 += s12 * 470296;
  s2 += s12 * 654183;
  s3 -= s12 * 997805;
  s4 += s12 * 136657;
  s5 -= s12 * 683901;
  s12 = 0;

  /* Step 3: sequential carries without rounding, so limbs 0..10 end up
     in 0 .. 2^21-1. */
  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
  carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21;

  /* One more fold of the last carry out of limb 11. */
  s0 += s12 * 666643;
  s1 += s12 * 470296;
  s2 += s12 * 654183;
  s3 -= s12 * 997805;
  s4 += s12 * 136657;
  s5 -= s12 * 683901;
  s12 = 0;

  /* Final sequential carry; nothing is carried out of s11 this time. */
  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;

  /* Step 4: pack the twelve limbs into 32 bytes. Each assignment keeps only
     the low 8 bits of its expression (conversion to unsigned char). */
  s[0] = s0 >> 0;
  s[1] = s0 >> 8;
  s[2] = (s0 >> 16) | (s1 << 5);
  s[3] = s1 >> 3;
  s[4] = s1 >> 11;
  s[5] = (s1 >> 19) | (s2 << 2);
  s[6] = s2 >> 6;
  s[7] = (s2 >> 14) | (s3 << 7);
  s[8] = s3 >> 1;
  s[9] = s3 >> 9;
  s[10] = (s3 >> 17) | (s4 << 4);
  s[11] = s4 >> 4;
  s[12] = s4 >> 12;
  s[13] = (s4 >> 20) | (s5 << 1);
  s[14] = s5 >> 7;
  s[15] = (s5 >> 15) | (s6 << 6);
  s[16] = s6 >> 2;
  s[17] = s6 >> 10;
  s[18] = (s6 >> 18) | (s7 << 3);
  s[19] = s7 >> 5;
  s[20] = s7 >> 13;
  s[21] = s8 >> 0;
  s[22] = s8 >> 8;
  s[23] = (s8 >> 16) | (s9 << 5);
  s[24] = s9 >> 3;
  s[25] = s9 >> 11;
  s[26] = (s9 >> 19) | (s10 << 2);
  s[27] = s10 >> 6;
  s[28] = (s10 >> 14) | (s11 << 7);
  s[29] = s11 >> 1;
  s[30] = s11 >> 9;
  s[31] = s11 >> 17;
}
XEdDSA-0.4.6/ref10/crypto_sign/ge.h0000644000175000017500000000611213372774360016544 0ustar useruser00000000000000#include "cross_platform.h"
#ifndef GE_H
#define GE_H

/*
ge means group element.

Here the group is the set of pairs (x,y) of field elements (see fe.h)
satisfying -x^2 + y^2 = 1 + d x^2y^2
where d = -121665/121666.
Representations: ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T ge_precomp (Duif): (y+x,y-x,2dxy) */ #include "fe.h" typedef struct { fe X; fe Y; fe Z; } ge_p2; typedef struct { fe X; fe Y; fe Z; fe T; } ge_p3; typedef struct { fe X; fe Y; fe Z; fe T; } ge_p1p1; typedef struct { fe yplusx; fe yminusx; fe xy2d; } ge_precomp; typedef struct { fe YplusX; fe YminusX; fe Z; fe T2d; } ge_cached; #define ge_frombytes_negate_vartime crypto_sign_ed25519_ref10_ge_frombytes_negate_vartime #define ge_tobytes crypto_sign_ed25519_ref10_ge_tobytes #define ge_p3_tobytes crypto_sign_ed25519_ref10_ge_p3_tobytes #define ge_p2_0 crypto_sign_ed25519_ref10_ge_p2_0 #define ge_p3_0 crypto_sign_ed25519_ref10_ge_p3_0 #define ge_precomp_0 crypto_sign_ed25519_ref10_ge_precomp_0 #define ge_p3_to_p2 crypto_sign_ed25519_ref10_ge_p3_to_p2 #define ge_p3_to_cached crypto_sign_ed25519_ref10_ge_p3_to_cached #define ge_p1p1_to_p2 crypto_sign_ed25519_ref10_ge_p1p1_to_p2 #define ge_p1p1_to_p3 crypto_sign_ed25519_ref10_ge_p1p1_to_p3 #define ge_p2_dbl crypto_sign_ed25519_ref10_ge_p2_dbl #define ge_p3_dbl crypto_sign_ed25519_ref10_ge_p3_dbl #define ge_madd crypto_sign_ed25519_ref10_ge_madd #define ge_msub crypto_sign_ed25519_ref10_ge_msub #define ge_add crypto_sign_ed25519_ref10_ge_add #define ge_sub crypto_sign_ed25519_ref10_ge_sub #define ge_scalarmult_base crypto_sign_ed25519_ref10_ge_scalarmult_base #define ge_double_scalarmult_vartime crypto_sign_ed25519_ref10_ge_double_scalarmult_vartime #ifdef __cplusplus extern "C" { #endif extern void INTERFACE ge_tobytes(unsigned char *,const ge_p2 *); extern void INTERFACE ge_p3_tobytes(unsigned char *,const ge_p3 *); extern int INTERFACE ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *); extern void INTERFACE ge_p2_0(ge_p2 *); extern void INTERFACE ge_p3_0(ge_p3 *); extern void INTERFACE ge_precomp_0(ge_precomp *); extern void 
INTERFACE ge_p3_to_p2(ge_p2 *,const ge_p3 *); extern void INTERFACE ge_p3_to_cached(ge_cached *,const ge_p3 *); extern void INTERFACE ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *); extern void INTERFACE ge_p1p1_to_p3(ge_p3 *,const ge_p1p1 *); extern void INTERFACE ge_p2_dbl(ge_p1p1 *,const ge_p2 *); extern void INTERFACE ge_p3_dbl(ge_p1p1 *,const ge_p3 *); extern void INTERFACE ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *); extern void INTERFACE ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *); extern void INTERFACE ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *); extern void INTERFACE ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *); extern void INTERFACE ge_scalarmult_base(ge_p3 *,const unsigned char *); extern void INTERFACE ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_p3 *,const unsigned char *); #ifdef __cplusplus } #endif #endif XEdDSA-0.4.6/ref10/crypto_sign/pow225521.h0000644000175000017500000001262713372774360017447 0ustar useruser00000000000000 /* qhasm: fe z1 */ /* qhasm: fe z2 */ /* qhasm: fe z8 */ /* qhasm: fe z9 */ /* qhasm: fe z11 */ /* qhasm: fe z22 */ /* qhasm: fe z_5_0 */ /* qhasm: fe z_10_5 */ /* qhasm: fe z_10_0 */ /* qhasm: fe z_20_10 */ /* qhasm: fe z_20_0 */ /* qhasm: fe z_40_20 */ /* qhasm: fe z_40_0 */ /* qhasm: fe z_50_10 */ /* qhasm: fe z_50_0 */ /* qhasm: fe z_100_50 */ /* qhasm: fe z_100_0 */ /* qhasm: fe z_200_100 */ /* qhasm: fe z_200_0 */ /* qhasm: fe z_250_50 */ /* qhasm: fe z_250_0 */ /* qhasm: fe z_255_5 */ /* qhasm: fe z_255_21 */ /* qhasm: enter pow225521 */ /* qhasm: z2 = z1^2^1 */ /* asm 1: fe_sq(>z2=fe#1,z2=fe#1,>z2=fe#1); */ /* asm 2: fe_sq(>z2=t0,z2=t0,>z2=t0); */ fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0); /* qhasm: z8 = z2^2^2 */ /* asm 1: fe_sq(>z8=fe#2,z8=fe#2,>z8=fe#2); */ /* asm 2: fe_sq(>z8=t1,z8=t1,>z8=t1); */ fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1); /* qhasm: z9 = z1*z8 */ /* asm 1: fe_mul(>z9=fe#2,z9=t1,z11=fe#1,z11=t0,z22=fe#3,z22=fe#3,>z22=fe#3); */ /* asm 2: 
fe_sq(>z22=t2,z22=t2,>z22=t2); */ fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2); /* qhasm: z_5_0 = z9*z22 */ /* asm 1: fe_mul(>z_5_0=fe#2,z_5_0=t1,z_10_5=fe#3,z_10_5=fe#3,>z_10_5=fe#3); */ /* asm 2: fe_sq(>z_10_5=t2,z_10_5=t2,>z_10_5=t2); */ fe_sq(t2,t1); for (i = 1;i < 5;++i) fe_sq(t2,t2); /* qhasm: z_10_0 = z_10_5*z_5_0 */ /* asm 1: fe_mul(>z_10_0=fe#2,z_10_0=t1,z_20_10=fe#3,z_20_10=fe#3,>z_20_10=fe#3); */ /* asm 2: fe_sq(>z_20_10=t2,z_20_10=t2,>z_20_10=t2); */ fe_sq(t2,t1); for (i = 1;i < 10;++i) fe_sq(t2,t2); /* qhasm: z_20_0 = z_20_10*z_10_0 */ /* asm 1: fe_mul(>z_20_0=fe#3,z_20_0=t2,z_40_20=fe#4,z_40_20=fe#4,>z_40_20=fe#4); */ /* asm 2: fe_sq(>z_40_20=t3,z_40_20=t3,>z_40_20=t3); */ fe_sq(t3,t2); for (i = 1;i < 20;++i) fe_sq(t3,t3); /* qhasm: z_40_0 = z_40_20*z_20_0 */ /* asm 1: fe_mul(>z_40_0=fe#3,z_40_0=t2,z_50_10=fe#3,z_50_10=fe#3,>z_50_10=fe#3); */ /* asm 2: fe_sq(>z_50_10=t2,z_50_10=t2,>z_50_10=t2); */ fe_sq(t2,t2); for (i = 1;i < 10;++i) fe_sq(t2,t2); /* qhasm: z_50_0 = z_50_10*z_10_0 */ /* asm 1: fe_mul(>z_50_0=fe#2,z_50_0=t1,z_100_50=fe#3,z_100_50=fe#3,>z_100_50=fe#3); */ /* asm 2: fe_sq(>z_100_50=t2,z_100_50=t2,>z_100_50=t2); */ fe_sq(t2,t1); for (i = 1;i < 50;++i) fe_sq(t2,t2); /* qhasm: z_100_0 = z_100_50*z_50_0 */ /* asm 1: fe_mul(>z_100_0=fe#3,z_100_0=t2,z_200_100=fe#4,z_200_100=fe#4,>z_200_100=fe#4); */ /* asm 2: fe_sq(>z_200_100=t3,z_200_100=t3,>z_200_100=t3); */ fe_sq(t3,t2); for (i = 1;i < 100;++i) fe_sq(t3,t3); /* qhasm: z_200_0 = z_200_100*z_100_0 */ /* asm 1: fe_mul(>z_200_0=fe#3,z_200_0=t2,z_250_50=fe#3,z_250_50=fe#3,>z_250_50=fe#3); */ /* asm 2: fe_sq(>z_250_50=t2,z_250_50=t2,>z_250_50=t2); */ fe_sq(t2,t2); for (i = 1;i < 50;++i) fe_sq(t2,t2); /* qhasm: z_250_0 = z_250_50*z_50_0 */ /* asm 1: fe_mul(>z_250_0=fe#2,z_250_0=t1,z_255_5=fe#2,z_255_5=fe#2,>z_255_5=fe#2); */ /* asm 2: fe_sq(>z_255_5=t1,z_255_5=t1,>z_255_5=t1); */ fe_sq(t1,t1); for (i = 1;i < 5;++i) fe_sq(t1,t1); /* qhasm: z_255_21 = z_255_5*z11 */ /* asm 1: 
fe_mul(>z_255_21=fe#12,z_255_21=out,YpX1=fe#1,YpX1=r->X,Y,X); */ fe_add(r->X,p->Y,p->X); /* qhasm: YmX1 = Y1-X1 */ /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ fe_sub(r->Y,p->Y,p->X); /* qhasm: A = YpX1*ypx2 */ /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,yplusx); */ fe_mul(r->Z,r->X,q->yplusx); /* qhasm: B = YmX1*ymx2 */ /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,yminusx); */ fe_mul(r->Y,r->Y,q->yminusx); /* qhasm: C = xy2d2*T1 */ /* asm 1: fe_mul(>C=fe#4,C=r->T,xy2d,T); */ fe_mul(r->T,q->xy2d,p->T); /* qhasm: D = 2*Z1 */ /* asm 1: fe_add(>D=fe#5,D=t0,Z,Z); */ fe_add(t0,p->Z,p->Z); /* qhasm: X3 = A-B */ /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ fe_sub(r->X,r->Z,r->Y); /* qhasm: Y3 = A+B */ /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ fe_add(r->Y,r->Z,r->Y); /* qhasm: Z3 = D+C */ /* asm 1: fe_add(>Z3=fe#3,Z3=r->Z,T); */ fe_add(r->Z,t0,r->T); /* qhasm: T3 = D-C */ /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T); */ fe_sub(r->T,t0,r->T); /* qhasm: return */ XEdDSA-0.4.6/ref10/crypto_sign/ge_p3_0.c0000644000175000017500000000014413372774360017357 0ustar useruser00000000000000#include "ge.h" void ge_p3_0(ge_p3 *h) { fe_0(h->X); fe_1(h->Y); fe_1(h->Z); fe_0(h->T); } XEdDSA-0.4.6/ref10/crypto_sign/fe_cmov.c0000644000175000017500000000240313372774360017561 0ustar useruser00000000000000#include "fe.h" /* Replace (f,g) with (g,g) if b == 1; replace (f,g) with (f,g) if b == 0. Preconditions: b in {0,1}. 
*/

/*
 * Conditional move on field elements, written without a branch on b.
 * Every limb is rewritten as f[i] ^ ((f[i] ^ g[i]) & mask) with mask = -b:
 * b == 1 gives an all-ones mask, so f becomes g; b == 0 gives a zero mask,
 * so f keeps its value. No branch or array index depends on b, so the
 * selection bit does not steer control flow at the source level. Whether the
 * compiled code keeps that property should be checked per toolchain.
 * A value of b outside {0,1} yields a partial mask and mixes bits of f and g.
 */
void fe_cmov(fe f,const fe g,unsigned int b)
{
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  crypto_int32 g0 = g[0];
  crypto_int32 g1 = g[1];
  crypto_int32 g2 = g[2];
  crypto_int32 g3 = g[3];
  crypto_int32 g4 = g[4];
  crypto_int32 g5 = g[5];
  crypto_int32 g6 = g[6];
  crypto_int32 g7 = g[7];
  crypto_int32 g8 = g[8];
  crypto_int32 g9 = g[9];
  /* Bit difference between f and g, limb by limb. */
  crypto_int32 x0 = f0 ^ g0;
  crypto_int32 x1 = f1 ^ g1;
  crypto_int32 x2 = f2 ^ g2;
  crypto_int32 x3 = f3 ^ g3;
  crypto_int32 x4 = f4 ^ g4;
  crypto_int32 x5 = f5 ^ g5;
  crypto_int32 x6 = f6 ^ g6;
  crypto_int32 x7 = f7 ^ g7;
  crypto_int32 x8 = f8 ^ g8;
  crypto_int32 x9 = f9 ^ g9;
  /* Unsigned negation turns the flag into a mask: 0 stays 0, 1 wraps to all ones. */
  b = -b;
  x0 &= b;
  x1 &= b;
  x2 &= b;
  x3 &= b;
  x4 &= b;
  x5 &= b;
  x6 &= b;
  x7 &= b;
  x8 &= b;
  x9 &= b;
  /* f ^ 0 leaves f unchanged; f ^ (f ^ g) yields g. */
  f[0] = f0 ^ x0;
  f[1] = f1 ^ x1;
  f[2] = f2 ^ x2;
  f[3] = f3 ^ x3;
  f[4] = f4 ^ x4;
  f[5] = f5 ^ x5;
  f[6] = f6 ^ x6;
  f[7] = f7 ^ x7;
  f[8] = f8 ^ x8;
  f[9] = f9 ^ x9;
}
XEdDSA-0.4.6/ref10/crypto_sign/crypto_sign.h0000644000175000017500000000122313372774360020507 0ustar useruser00000000000000
#ifndef crypto_sign_H
#define crypto_sign_H

#include "crypto_sign_ed25519.h"

#define crypto_sign crypto_sign_ed25519
#define crypto_sign_open crypto_sign_ed25519_open
#define crypto_sign_keypair crypto_sign_ed25519_keypair
#define crypto_sign_BYTES crypto_sign_ed25519_BYTES
#define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES
#define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES
#define crypto_sign_DETERMINISTIC crypto_sign_ed25519_DETERMINISTIC
#define crypto_sign_PRIMITIVE "ed25519"
#define crypto_sign_IMPLEMENTATION crypto_sign_ed25519_IMPLEMENTATION
#define crypto_sign_VERSION crypto_sign_ed25519_VERSION

#endif
XEdDSA-0.4.6/ref10/crypto_sign/ge_tobytes.c0000644000175000017500000000034113372774360020306 0ustar useruser00000000000000
#include "ge.h"

void
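ge_tobytes(unsigned char *s,const ge_p2 *h)
{
  fe recip;
  fe x;
  fe y;

  /* Leave projective coordinates: x = X/Z, y = Y/Z (see the ge_p2 note in ge.h). */
  fe_invert(recip,h->Z);
  fe_mul(x,h->X,recip);
  fe_mul(y,h->Y,recip);
  /* The 32-byte encoding is y, with the sign of x folded into the top bit of the last byte. */
  fe_tobytes(s,y);
  s[31] ^= fe_isnegative(x) << 7;
}
XEdDSA-0.4.6/ref10/crypto_sign/api.h0000644000175000017500000000017113372774360016721 0ustar useruser00000000000000
#define CRYPTO_SECRETKEYBYTES 64
#define CRYPTO_PUBLICKEYBYTES 32
#define CRYPTO_BYTES 64
#define CRYPTO_DETERMINISTIC 1
XEdDSA-0.4.6/ref10/crypto_sign/open.c0000644000175000017500000000201413372774360017102 0ustar useruser00000000000000
/* memmove and memset are declared in <string.h>; the header name was missing from this include. */
#include <string.h>
#include "crypto_sign.h"
#include "crypto_hash_sha512.h"
#include "crypto_verify_32.h"
#include "ge.h"
#include "sc.h"

/*
 * Verify a signed message and, on success, hand back the bare message.
 *
 * sm is read as R (32 bytes) || S (32 bytes) || message, smlen bytes in all;
 * pk is the 32-byte public key.
 *
 * m must have room for smlen bytes, not smlen - 64: the whole signed message
 * is copied into m as scratch space before the check is made.
 *
 * Returns 0 and sets *mlen = smlen - 64 when the signature verifies; m then
 * starts with the message and the 64 bytes after it are zeroed.
 * Returns -1 otherwise; the first smlen bytes of m are zeroed and *mlen is
 * set to -1, which for an unsigned long long is its maximum value. Callers
 * must therefore branch on the return value and never use *mlen or m after
 * a failure.
 *
 * NOTE(review): the only range check on S is "sm[63] & 224", which rejects
 * an S with any of the top three bits of its last byte set. That is a
 * bit-length test, not a comparison of S with the group order l given in
 * sc.h. If a caller relies on each signature having a single accepted
 * encoding, confirm that a full S < l check is applied somewhere.
 *
 * NOTE(review): the *_vartime routines are, by their names, not constant
 * time. Everything passed to them here (pk, sm) is public input; they
 * should not be reused on secret data.
 */
int crypto_sign_open(
  unsigned char *m,unsigned long long *mlen,
  const unsigned char *sm,unsigned long long smlen,
  const unsigned char *pk
)
{
  unsigned char pkcopy[32];
  unsigned char rcopy[32];
  unsigned char scopy[32];
  unsigned char h[64];
  unsigned char rcheck[32];
  ge_p3 A;
  ge_p2 R;

  /* Too short to hold R || S. */
  if (smlen < 64) goto badsig;
  /* Top three bits of the last byte of S must be clear (see the note above). */
  if (sm[63] & 224) goto badsig;
  /* Reject a public key that does not decode to a group element. */
  if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;

  /* Copies are taken before m is written, presumably so m may overlap sm or pk. */
  memmove(pkcopy,pk,32);
  memmove(rcopy,sm,32);
  memmove(scopy,sm + 32,32);

  /* Build R || pk || message in m and hash it; h is then reduced as a scalar. */
  memmove(m,sm,smlen);
  memmove(m + 32,pkcopy,32);
  crypto_hash_sha512(h,m,smlen);
  sc_reduce(h);

  /* Recompute R from h, the decoded key and S, then compare its encoding with the received R. */
  ge_double_scalarmult_vartime(&R,h,&A,scopy);
  ge_tobytes(rcheck,&R);
  if (crypto_verify_32(rcheck,rcopy) == 0) {
    memmove(m,m + 64,smlen - 64);
    memset(m + smlen - 64,0,64);
    *mlen = smlen - 64;
    return 0;
  }

badsig:
  /* Never leave unverified message bytes in the output buffer. */
  *mlen = -1;
  memset(m,0,smlen);
  return -1;
}
XEdDSA-0.4.6/ref10/crypto_sign/base2.h0000644000175000017500000000452413372774360017152 0ustar useruser00000000000000
 { { 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 }, { -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 }, { -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546 }, }, { { 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024 }, {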
16568933,4717097,-11556148,-1102322,15682896,-11807043,16354577,-11775962,7689662,11199574 }, { 30464156,-5976125,-11779434,-15670865,23220365,15915852,7512774,10017326,-17749093,-9920357 }, }, { { 10861363,11473154,27284546,1981175,-30064349,12577861,32867885,14515107,-15438304,10819380 }, { 4708026,6336745,20377586,9066809,-11272109,6594696,-25653668,12483688,-12668491,5581306 }, { 19563160,16186464,-29386857,4097519,10237984,-4348115,28542350,13850243,-23678021,-15815942 }, }, { { 5153746,9909285,1723747,-2777874,30523605,5516873,19480852,5230134,-23952439,-15175766 }, { -30269007,-3463509,7665486,10083793,28475525,1649722,20654025,16520125,30598449,7715701 }, { 28881845,14381568,9657904,3680757,-20181635,7843316,-31400660,1370708,29794553,-1409300 }, }, { { -22518993,-6692182,14201702,-8745502,-23510406,8844726,18474211,-1361450,-13062696,13821877 }, { -6455177,-7839871,3374702,-4740862,-27098617,-10571707,31655028,-7212327,18853322,-14220951 }, { 4566830,-12963868,-28974889,-12240689,-7602672,-2830569,-8514358,-10431137,2207753,-3209784 }, }, { { -25154831,-4185821,29681144,7868801,-6854661,-9423865,-12437364,-663000,-31111463,-16132436 }, { 25576264,-2703214,7349804,-11814844,16472782,9300885,3844789,15725684,171356,6466918 }, { 23103977,13316479,9739013,-16149481,817875,-15038942,8965339,-14088058,-30714912,16193877 }, }, { { -33521811,3180713,-2394130,14003687,-16903474,-16270840,17238398,4729455,-18074513,9256800 }, { -25182317,-4174131,32336398,5036987,-21236817,11360617,22616405,9761698,-19827198,630305 }, { -13720693,2639453,-24237460,-7406481,9494427,-5774029,-6554551,-15960994,-2449256,-14291300 }, }, { { -3151181,-5046075,9282714,6866145,-31907062,-863023,-18940575,15033784,25105118,-7894876 }, { -24326370,15950226,-31801215,-14592823,-11662737,-5090925,1573892,-2625887,2198790,-15804619 }, { -3099351,10324967,-2241613,7453183,-5446979,-2735503,-13812022,-16236442,-32461234,-12290683 }, }, 
XEdDSA-0.4.6/ref10/crypto_sign/ge_p1p1_to_p2.c0000644000175000017500000000024513372774360020504 0ustar useruser00000000000000
#include "ge.h"

/*
r = p

Converts p from the completed representation ((X:Z),(Y:T)), where x=X/Z and
y=Y/T, to the projective representation (X:Y:Z), where x=X/Z and y=Y/Z.
The affine point is unchanged: (X*T)/(Z*T) = X/Z and (Y*Z)/(Z*T) = Y/T.
*/

extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
{
  fe_mul(r->X,p->X,p->T); /* X3 = X*T */
  fe_mul(r->Y,p->Y,p->Z); /* Y3 = Y*Z */
  fe_mul(r->Z,p->Z,p->T); /* Z3 = Z*T */
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_sq.c0000644000175000017500000001353413372774360017247 0ustar useruser00000000000000
#include "fe.h"
#include "crypto_int64.h"

/*
h = f * f
Can overlap h with f.

Preconditions:
   |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.

Postconditions:
   |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*/

/*
See fe_mul.c for discussion of implementation strategy.
*/

void fe_sq(fe h,const fe f)
{
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  crypto_int32 f0_2 = 2 * f0;
  crypto_int32 f1_2 = 2 * f1;
  crypto_int32 f2_2 = 2 * f2;
  crypto_int32 f3_2 = 2 * f3;
  crypto_int32 f4_2 = 2 * f4;
  crypto_int32 f5_2 = 2 * f5;
  crypto_int32 f6_2 = 2 * f6;
  crypto_int32 f7_2 = 2 * f7;
  crypto_int32 f5_38 = 38 * f5; /* 1.959375*2^30 */
  crypto_int32 f6_19 = 19 * f6; /* 1.959375*2^30 */
  crypto_int32 f7_38 = 38 * f7; /* 1.959375*2^30 */
  crypto_int32 f8_19 = 19 * f8; /* 1.959375*2^30 */
  crypto_int32 f9_38 = 38 * f9; /* 1.959375*2^30 */
  crypto_int64 f0f0 = f0 * (crypto_int64) f0;
  crypto_int64 f0f1_2 = f0_2 * (crypto_int64) f1;
  crypto_int64 f0f2_2 = f0_2 * (crypto_int64) f2;
  crypto_int64 f0f3_2 = f0_2 * (crypto_int64) f3;
  crypto_int64 f0f4_2 = f0_2 * (crypto_int64) f4;
  crypto_int64 f0f5_2 = f0_2 * (crypto_int64) f5;
  crypto_int64 f0f6_2 = f0_2 * (crypto_int64) f6;
  crypto_int64 f0f7_2 = f0_2 * (crypto_int64) f7;
  crypto_int64 f0f8_2 = f0_2 * (crypto_int64) f8;
  crypto_int64 f0f9_2 = f0_2 * (crypto_int64) f9;
  crypto_int64 f1f1_2 = f1_2 * (crypto_int64) f1;
  crypto_int64 f1f2_2 = f1_2 *
(crypto_int64) f2; crypto_int64 f1f3_4 = f1_2 * (crypto_int64) f3_2; crypto_int64 f1f4_2 = f1_2 * (crypto_int64) f4; crypto_int64 f1f5_4 = f1_2 * (crypto_int64) f5_2; crypto_int64 f1f6_2 = f1_2 * (crypto_int64) f6; crypto_int64 f1f7_4 = f1_2 * (crypto_int64) f7_2; crypto_int64 f1f8_2 = f1_2 * (crypto_int64) f8; crypto_int64 f1f9_76 = f1_2 * (crypto_int64) f9_38; crypto_int64 f2f2 = f2 * (crypto_int64) f2; crypto_int64 f2f3_2 = f2_2 * (crypto_int64) f3; crypto_int64 f2f4_2 = f2_2 * (crypto_int64) f4; crypto_int64 f2f5_2 = f2_2 * (crypto_int64) f5; crypto_int64 f2f6_2 = f2_2 * (crypto_int64) f6; crypto_int64 f2f7_2 = f2_2 * (crypto_int64) f7; crypto_int64 f2f8_38 = f2_2 * (crypto_int64) f8_19; crypto_int64 f2f9_38 = f2 * (crypto_int64) f9_38; crypto_int64 f3f3_2 = f3_2 * (crypto_int64) f3; crypto_int64 f3f4_2 = f3_2 * (crypto_int64) f4; crypto_int64 f3f5_4 = f3_2 * (crypto_int64) f5_2; crypto_int64 f3f6_2 = f3_2 * (crypto_int64) f6; crypto_int64 f3f7_76 = f3_2 * (crypto_int64) f7_38; crypto_int64 f3f8_38 = f3_2 * (crypto_int64) f8_19; crypto_int64 f3f9_76 = f3_2 * (crypto_int64) f9_38; crypto_int64 f4f4 = f4 * (crypto_int64) f4; crypto_int64 f4f5_2 = f4_2 * (crypto_int64) f5; crypto_int64 f4f6_38 = f4_2 * (crypto_int64) f6_19; crypto_int64 f4f7_38 = f4 * (crypto_int64) f7_38; crypto_int64 f4f8_38 = f4_2 * (crypto_int64) f8_19; crypto_int64 f4f9_38 = f4 * (crypto_int64) f9_38; crypto_int64 f5f5_38 = f5 * (crypto_int64) f5_38; crypto_int64 f5f6_38 = f5_2 * (crypto_int64) f6_19; crypto_int64 f5f7_76 = f5_2 * (crypto_int64) f7_38; crypto_int64 f5f8_38 = f5_2 * (crypto_int64) f8_19; crypto_int64 f5f9_76 = f5_2 * (crypto_int64) f9_38; crypto_int64 f6f6_19 = f6 * (crypto_int64) f6_19; crypto_int64 f6f7_38 = f6 * (crypto_int64) f7_38; crypto_int64 f6f8_38 = f6_2 * (crypto_int64) f8_19; crypto_int64 f6f9_38 = f6 * (crypto_int64) f9_38; crypto_int64 f7f7_38 = f7 * (crypto_int64) f7_38; crypto_int64 f7f8_38 = f7_2 * (crypto_int64) f8_19; crypto_int64 f7f9_76 = f7_2 * 
(crypto_int64) f9_38; crypto_int64 f8f8_19 = f8 * (crypto_int64) f8_19; crypto_int64 f8f9_38 = f8 * (crypto_int64) f9_38; crypto_int64 f9f9_38 = f9 * (crypto_int64) f9_38; crypto_int64 h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; crypto_int64 h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; crypto_int64 h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; crypto_int64 h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; crypto_int64 h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; crypto_int64 h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; crypto_int64 h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; crypto_int64 h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; crypto_int64 h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; crypto_int64 h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; crypto_int64 carry0; crypto_int64 carry1; crypto_int64 carry2; crypto_int64 carry3; crypto_int64 carry4; crypto_int64 carry5; crypto_int64 carry6; crypto_int64 carry7; crypto_int64 carry8; crypto_int64 carry9; carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; h[0] = h0; h[1] = h1; h[2] = h2; h[3] 
= h3; h[4] = h4; h[5] = h5; h[6] = h6; h[7] = h7; h[8] = h8; h[9] = h9; } XEdDSA-0.4.6/ref10/crypto_sign/module.h0000644000175000017500000001076513372774360017447 0ustar useruser00000000000000// #include "api.h" #define CRYPTO_SECRETKEYBYTES 64 #define CRYPTO_PUBLICKEYBYTES 32 #define CRYPTO_BYTES 64 // #include // #include "crypto_int32.h" typedef int32_t crypto_int32; // #include "crypto_sign_ed25519.h" #define crypto_sign_ed25519_ref10_SECRETKEYBYTES 64 #define crypto_sign_ed25519_ref10_PUBLICKEYBYTES 32 #define crypto_sign_ed25519_ref10_BYTES 64 extern int crypto_sign_ed25519_ref10(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); extern int crypto_sign_ed25519_ref10_open(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); extern int crypto_sign_ed25519_ref10_keypair(unsigned char *,unsigned char *); // #include "crypto_sign.h" // #include "fe.h" typedef crypto_int32 fe[10]; /* fe means field element. Here the field is \Z/(2^255-19). An element t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on context. 
*/ extern void crypto_sign_ed25519_ref10_fe_frombytes(fe,const unsigned char *); extern void crypto_sign_ed25519_ref10_fe_tobytes(unsigned char *,const fe); extern void crypto_sign_ed25519_ref10_fe_copy(fe,const fe); extern int crypto_sign_ed25519_ref10_fe_isnonzero(const fe); extern int crypto_sign_ed25519_ref10_fe_isnegative(const fe); extern void crypto_sign_ed25519_ref10_fe_0(fe); extern void crypto_sign_ed25519_ref10_fe_1(fe); extern void crypto_sign_ed25519_ref10_fe_cmov(fe,const fe,unsigned int); extern void crypto_sign_ed25519_ref10_fe_add(fe,const fe,const fe); extern void crypto_sign_ed25519_ref10_fe_sub(fe,const fe,const fe); extern void crypto_sign_ed25519_ref10_fe_neg(fe,const fe); extern void crypto_sign_ed25519_ref10_fe_mul(fe,const fe,const fe); extern void crypto_sign_ed25519_ref10_fe_sq(fe,const fe); extern void crypto_sign_ed25519_ref10_fe_sq2(fe,const fe); extern void crypto_sign_ed25519_ref10_fe_invert(fe,const fe); extern void crypto_sign_ed25519_ref10_fe_pow22523(fe,const fe); // #include "ge.h" /* ge means group element. Here the group is the set of pairs (x,y) of field elements (see fe.h) satisfying -x^2 + y^2 = 1 + d x^2y^2 where d = -121665/121666. 
Representations: ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T ge_precomp (Duif): (y+x,y-x,2dxy) */ typedef struct { fe X; fe Y; fe Z; } ge_p2; typedef struct { fe X; fe Y; fe Z; fe T; } ge_p3; typedef struct { fe X; fe Y; fe Z; fe T; } ge_p1p1; typedef struct { fe yplusx; fe yminusx; fe xy2d; } ge_precomp; typedef struct { fe YplusX; fe YminusX; fe Z; fe T2d; } ge_cached; extern void crypto_sign_ed25519_ref10_ge_tobytes(unsigned char *,const ge_p2 *); extern void crypto_sign_ed25519_ref10_ge_p3_tobytes(unsigned char *,const ge_p3 *); extern int crypto_sign_ed25519_ref10_ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *); extern void crypto_sign_ed25519_ref10_ge_p2_0(ge_p2 *); extern void crypto_sign_ed25519_ref10_ge_p3_0(ge_p3 *); extern void crypto_sign_ed25519_ref10_ge_precomp_0(ge_precomp *); extern void crypto_sign_ed25519_ref10_ge_p3_to_p2(ge_p2 *,const ge_p3 *); extern void crypto_sign_ed25519_ref10_ge_p3_to_cached(ge_cached *,const ge_p3 *); extern void crypto_sign_ed25519_ref10_ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *); extern void crypto_sign_ed25519_ref10_ge_p1p1_to_p3(ge_p3 *,const ge_p1p1 *); extern void crypto_sign_ed25519_ref10_ge_p2_dbl(ge_p1p1 *,const ge_p2 *); extern void crypto_sign_ed25519_ref10_ge_p3_dbl(ge_p1p1 *,const ge_p3 *); extern void crypto_sign_ed25519_ref10_ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *); extern void crypto_sign_ed25519_ref10_ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *); extern void crypto_sign_ed25519_ref10_ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *); extern void crypto_sign_ed25519_ref10_ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *); extern void crypto_sign_ed25519_ref10_ge_scalarmult_base(ge_p3 *,const unsigned char *); extern void crypto_sign_ed25519_ref10_ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_p3 *,const unsigned char *); // #include 
"sc.h" /* The set of scalars is \Z/l where l = 2^252 + 27742317777372353535851937790883648493. */ extern void crypto_sign_ed25519_ref10_sc_reduce(unsigned char *); extern void crypto_sign_ed25519_ref10_sc_muladd(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); XEdDSA-0.4.6/ref10/crypto_sign/sqrtm1.h0000644000175000017500000000012713372774360017400 0ustar useruser00000000000000-32595792,-7943725,9377950,3500415,12389472,-272473,-25146209,-2005654,326686,11406482 XEdDSA-0.4.6/ref10/crypto_sign/d.h0000644000175000017500000000013313372774360016371 0ustar useruser00000000000000-10913610,13857413,-15372611,6949391,114729,-8787816,-6275908,-3247719,-18696448,-12055116 XEdDSA-0.4.6/ref10/crypto_sign/ge_p2_dbl.h0000644000175000017500000000270413372774360017771 0ustar useruser00000000000000 /* qhasm: enter ge_p2_dbl */ /* qhasm: fe X1 */ /* qhasm: fe Y1 */ /* qhasm: fe Z1 */ /* qhasm: fe A */ /* qhasm: fe AA */ /* qhasm: fe XX */ /* qhasm: fe YY */ /* qhasm: fe B */ /* qhasm: fe X3 */ /* qhasm: fe Y3 */ /* qhasm: fe Z3 */ /* qhasm: fe T3 */ /* qhasm: XX=X1^2 */ /* asm 1: fe_sq(>XX=fe#1,XX=r->X,X); */ fe_sq(r->X,p->X); /* qhasm: YY=Y1^2 */ /* asm 1: fe_sq(>YY=fe#3,YY=r->Z,Y); */ fe_sq(r->Z,p->Y); /* qhasm: B=2*Z1^2 */ /* asm 1: fe_sq2(>B=fe#4,B=r->T,Z); */ fe_sq2(r->T,p->Z); /* qhasm: A=X1+Y1 */ /* asm 1: fe_add(>A=fe#2,A=r->Y,X,Y); */ fe_add(r->Y,p->X,p->Y); /* qhasm: AA=A^2 */ /* asm 1: fe_sq(>AA=fe#5,AA=t0,Y); */ fe_sq(t0,r->Y); /* qhasm: Y3=YY+XX */ /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,X); */ fe_add(r->Y,r->Z,r->X); /* qhasm: Z3=YY-XX */ /* asm 1: fe_sub(>Z3=fe#3,Z3=r->Z,Z,X); */ fe_sub(r->Z,r->Z,r->X); /* qhasm: X3=AA-Y3 */ /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Y); */ fe_sub(r->X,t0,r->Y); /* qhasm: T3=B-Z3 */ /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T,Z); */ fe_sub(r->T,r->T,r->Z); /* qhasm: return */ XEdDSA-0.4.6/ref10/crypto_sign/ge_precomp_0.c0000644000175000017500000000015613372774360020505 0ustar useruser00000000000000#include "ge.h" void 
ge_precomp_0(ge_precomp *h)
{
  /*
   * A ge_precomp holds (y+x, y-x, 2dxy), as described in ge.h. Assuming fe_1
   * stores one and fe_0 stores zero, this writes (1, 1, 0), the values for
   * x = 0, y = 1.
   */
  fe_1(h->yplusx);
  fe_1(h->yminusx);
  fe_0(h->xy2d);
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_pow22523.c0000644000175000017500000000017713372774360020026 0ustar useruser00000000000000
#include "fe.h"

/*
 * Writes a fixed power of z to out. The whole computation is the chain of
 * squarings and multiplications in pow22523.h, which is included as the
 * function body and is not part of this file. The function name suggests the
 * exponent 2^252 - 3 -- TODO confirm against pow22523.h.
 */
void fe_pow22523(fe out,const fe z)
{
  /* Scratch values and loop counter for the included chain. */
  fe t0;
  fe t1;
  fe t2;
  int i;

#include "pow22523.h"

  return;
}
XEdDSA-0.4.6/ref10/crypto_sign/README0000644000175000017500000000001713372774360016656 0ustar useruser00000000000000
Public domain.
XEdDSA-0.4.6/ref10/crypto_sign/ge_msub.c0000644000175000017500000000020013372774360017555 0ustar useruser00000000000000
#include "ge.h"

/*
r = p - q

p is in the extended representation (ge_p3), q is a precomputed entry
(ge_precomp) and r is returned in the completed representation (ge_p1p1).
The arithmetic itself is in ge_msub.h, which is included as the function body.
*/

void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{
  fe t0; /* presumably the scratch element used by the included body */
#include "ge_msub.h"
}
XEdDSA-0.4.6/ref10/crypto_sign/base.h0000644000175000017500000022525113372774360017072 0ustar useruser00000000000000
{ { { 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 }, { -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 }, { -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546 }, }, { { -12815894,-12976347,-21581243,11784320,-25355658,-2750717,-11717903,-3814571,-358445,-10211303 }, { -21703237,6903825,27185491,6451973,-29577724,-9554005,-15616551,11189268,-26829678,-5319081 }, { 26966642,11152617,32442495,15396054,14353839,-12752335,-3128826,-9541118,-15472047,-4166697 }, }, { { 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024 }, { 16568933,4717097,-11556148,-1102322,15682896,-11807043,16354577,-11775962,7689662,11199574 }, { 30464156,-5976125,-11779434,-15670865,23220365,15915852,7512774,10017326,-17749093,-9920357 }, }, { { -17036878,13921892,10945806,-6033431,27105052,-16084379,-28926210,15006023,3284568,-6276540 }, { 23599295,-8306047,-11193664,-7687416,13236774,10506355,7464579,9656445,13059162,10374397 }, { 7798556,16710257,3033922,2874086,28997861,2835604,32406664,-3839045,-641708,-101325 }, }, { {
10861363,11473154,27284546,1981175,-30064349,12577861,32867885,14515107,-15438304,10819380 }, { 4708026,6336745,20377586,9066809,-11272109,6594696,-25653668,12483688,-12668491,5581306 }, { 19563160,16186464,-29386857,4097519,10237984,-4348115,28542350,13850243,-23678021,-15815942 }, }, { { -15371964,-12862754,32573250,4720197,-26436522,5875511,-19188627,-15224819,-9818940,-12085777 }, { -8549212,109983,15149363,2178705,22900618,4543417,3044240,-15689887,1762328,14866737 }, { -18199695,-15951423,-10473290,1707278,-17185920,3916101,-28236412,3959421,27914454,4383652 }, }, { { 5153746,9909285,1723747,-2777874,30523605,5516873,19480852,5230134,-23952439,-15175766 }, { -30269007,-3463509,7665486,10083793,28475525,1649722,20654025,16520125,30598449,7715701 }, { 28881845,14381568,9657904,3680757,-20181635,7843316,-31400660,1370708,29794553,-1409300 }, }, { { 14499471,-2729599,-33191113,-4254652,28494862,14271267,30290735,10876454,-33154098,2381726 }, { -7195431,-2655363,-14730155,462251,-27724326,3941372,-6236617,3696005,-32300832,15351955 }, { 27431194,8222322,16448760,-3907995,-18707002,11938355,-32961401,-2970515,29551813,10109425 }, }, }, { { { -13657040,-13155431,-31283750,11777098,21447386,6519384,-2378284,-1627556,10092783,-4764171 }, { 27939166,14210322,4677035,16277044,-22964462,-12398139,-32508754,12005538,-17810127,12803510 }, { 17228999,-15661624,-1233527,300140,-1224870,-11714777,30364213,-9038194,18016357,4397660 }, }, { { -10958843,-7690207,4776341,-14954238,27850028,-15602212,-26619106,14544525,-17477504,982639 }, { 29253598,15796703,-2863982,-9908884,10057023,3163536,7332899,-4120128,-21047696,9934963 }, { 5793303,16271923,-24131614,-10116404,29188560,1206517,-14747930,4559895,-30123922,-10897950 }, }, { { -27643952,-11493006,16282657,-11036493,28414021,-15012264,24191034,4541697,-13338309,5500568 }, { 12650548,-1497113,9052871,11355358,-17680037,-8400164,-17430592,12264343,10874051,13524335 }, { 
25556948,-3045990,714651,2510400,23394682,-10415330,33119038,5080568,-22528059,5376628 }, }, { { -26088264,-4011052,-17013699,-3537628,-6726793,1920897,-22321305,-9447443,4535768,1569007 }, { -2255422,14606630,-21692440,-8039818,28430649,8775819,-30494562,3044290,31848280,12543772 }, { -22028579,2943893,-31857513,6777306,13784462,-4292203,-27377195,-2062731,7718482,14474653 }, }, { { 2385315,2454213,-22631320,46603,-4437935,-15680415,656965,-7236665,24316168,-5253567 }, { 13741529,10911568,-33233417,-8603737,-20177830,-1033297,33040651,-13424532,-20729456,8321686 }, { 21060490,-2212744,15712757,-4336099,1639040,10656336,23845965,-11874838,-9984458,608372 }, }, { { -13672732,-15087586,-10889693,-7557059,-6036909,11305547,1123968,-6780577,27229399,23887 }, { -23244140,-294205,-11744728,14712571,-29465699,-2029617,12797024,-6440308,-1633405,16678954 }, { -29500620,4770662,-16054387,14001338,7830047,9564805,-1508144,-4795045,-17169265,4904953 }, }, { { 24059557,14617003,19037157,-15039908,19766093,-14906429,5169211,16191880,2128236,-4326833 }, { -16981152,4124966,-8540610,-10653797,30336522,-14105247,-29806336,916033,-6882542,-2986532 }, { -22630907,12419372,-7134229,-7473371,-16478904,16739175,285431,2763829,15736322,4143876 }, }, { { 2379352,11839345,-4110402,-5988665,11274298,794957,212801,-14594663,23527084,-16458268 }, { 33431127,-11130478,-17838966,-15626900,8909499,8376530,-32625340,4087881,-15188911,-14416214 }, { 1767683,7197987,-13205226,-2022635,-13091350,448826,5799055,4357868,-4774191,-16323038 }, }, }, { { { 6721966,13833823,-23523388,-1551314,26354293,-11863321,23365147,-3949732,7390890,2759800 }, { 4409041,2052381,23373853,10530217,7676779,-12885954,21302353,-4264057,1244380,-12919645 }, { -4421239,7169619,4982368,-2957590,30256825,-2777540,14086413,9208236,15886429,16489664 }, }, { { 1996075,10375649,14346367,13311202,-6874135,-16438411,-13693198,398369,-30606455,-712933 }, { 
-25307465,9795880,-2777414,14878809,-33531835,14780363,13348553,12076947,-30836462,5113182 }, { -17770784,11797796,31950843,13929123,-25888302,12288344,-30341101,-7336386,13847711,5387222 }, }, { { -18582163,-3416217,17824843,-2340966,22744343,-10442611,8763061,3617786,-19600662,10370991 }, { 20246567,-14369378,22358229,-543712,18507283,-10413996,14554437,-8746092,32232924,16763880 }, { 9648505,10094563,26416693,14745928,-30374318,-6472621,11094161,15689506,3140038,-16510092 }, }, { { -16160072,5472695,31895588,4744994,8823515,10365685,-27224800,9448613,-28774454,366295 }, { 19153450,11523972,-11096490,-6503142,-24647631,5420647,28344573,8041113,719605,11671788 }, { 8678025,2694440,-6808014,2517372,4964326,11152271,-15432916,-15266516,27000813,-10195553 }, }, { { -15157904,7134312,8639287,-2814877,-7235688,10421742,564065,5336097,6750977,-14521026 }, { 11836410,-3979488,26297894,16080799,23455045,15735944,1695823,-8819122,8169720,16220347 }, { -18115838,8653647,17578566,-6092619,-8025777,-16012763,-11144307,-2627664,-5990708,-14166033 }, }, { { -23308498,-10968312,15213228,-10081214,-30853605,-11050004,27884329,2847284,2655861,1738395 }, { -27537433,-14253021,-25336301,-8002780,-9370762,8129821,21651608,-3239336,-19087449,-11005278 }, { 1533110,3437855,23735889,459276,29970501,11335377,26030092,5821408,10478196,8544890 }, }, { { 32173121,-16129311,24896207,3921497,22579056,-3410854,19270449,12217473,17789017,-3395995 }, { -30552961,-2228401,-15578829,-10147201,13243889,517024,15479401,-3853233,30460520,1052596 }, { -11614875,13323618,32618793,8175907,-15230173,12596687,27491595,-4612359,3179268,-9478891 }, }, { { 31947069,-14366651,-4640583,-15339921,-15125977,-6039709,-14756777,-16411740,19072640,-9511060 }, { 11685058,11822410,3158003,-13952594,33402194,-4165066,5977896,-5215017,473099,5040608 }, { -20290863,8198642,-27410132,11602123,1290375,-2799760,28326862,1721092,-19558642,-3131606 }, }, }, { { { 
7881532,10687937,7578723,7738378,-18951012,-2553952,21820786,8076149,-27868496,11538389 }, { -19935666,3899861,18283497,-6801568,-15728660,-11249211,8754525,7446702,-5676054,5797016 }, { -11295600,-3793569,-15782110,-7964573,12708869,-8456199,2014099,-9050574,-2369172,-5877341 }, }, { { -22472376,-11568741,-27682020,1146375,18956691,16640559,1192730,-3714199,15123619,10811505 }, { 14352098,-3419715,-18942044,10822655,32750596,4699007,-70363,15776356,-28886779,-11974553 }, { -28241164,-8072475,-4978962,-5315317,29416931,1847569,-20654173,-16484855,4714547,-9600655 }, }, { { 15200332,8368572,19679101,15970074,-31872674,1959451,24611599,-4543832,-11745876,12340220 }, { 12876937,-10480056,33134381,6590940,-6307776,14872440,9613953,8241152,15370987,9608631 }, { -4143277,-12014408,8446281,-391603,4407738,13629032,-7724868,15866074,-28210621,-8814099 }, }, { { 26660628,-15677655,8393734,358047,-7401291,992988,-23904233,858697,20571223,8420556 }, { 14620715,13067227,-15447274,8264467,14106269,15080814,33531827,12516406,-21574435,-12476749 }, { 236881,10476226,57258,-14677024,6472998,2466984,17258519,7256740,8791136,15069930 }, }, { { 1276410,-9371918,22949635,-16322807,-23493039,-5702186,14711875,4874229,-30663140,-2331391 }, { 5855666,4990204,-13711848,7294284,-7804282,1924647,-1423175,-7912378,-33069337,9234253 }, { 20590503,-9018988,31529744,-7352666,-2706834,10650548,31559055,-11609587,18979186,13396066 }, }, { { 24474287,4968103,22267082,4407354,24063882,-8325180,-18816887,13594782,33514650,7021958 }, { -11566906,-6565505,-21365085,15928892,-26158305,4315421,-25948728,-3916677,-21480480,12868082 }, { -28635013,13504661,19988037,-2132761,21078225,6443208,-21446107,2244500,-12455797,-8089383 }, }, { { -30595528,13793479,-5852820,319136,-25723172,-6263899,33086546,8957937,-15233648,5540521 }, { -11630176,-11503902,-8119500,-7643073,2620056,1022908,-23710744,-1568984,-16128528,-14962807 }, { 
23152971,775386,27395463,14006635,-9701118,4649512,1689819,892185,-11513277,-15205948 }, }, { { 9770129,9586738,26496094,4324120,1556511,-3550024,27453819,4763127,-19179614,5867134 }, { -32765025,1927590,31726409,-4753295,23962434,-16019500,27846559,5931263,-29749703,-16108455 }, { 27461885,-2977536,22380810,1815854,-23033753,-3031938,7283490,-15148073,-19526700,7734629 }, }, }, { { { -8010264,-9590817,-11120403,6196038,29344158,-13430885,7585295,-3176626,18549497,15302069 }, { -32658337,-6171222,-7672793,-11051681,6258878,13504381,10458790,-6418461,-8872242,8424746 }, { 24687205,8613276,-30667046,-3233545,1863892,-1830544,19206234,7134917,-11284482,-828919 }, }, { { 11334899,-9218022,8025293,12707519,17523892,-10476071,10243738,-14685461,-5066034,16498837 }, { 8911542,6887158,-9584260,-6958590,11145641,-9543680,17303925,-14124238,6536641,10543906 }, { -28946384,15479763,-17466835,568876,-1497683,11223454,-2669190,-16625574,-27235709,8876771 }, }, { { -25742899,-12566864,-15649966,-846607,-33026686,-796288,-33481822,15824474,-604426,-9039817 }, { 10330056,70051,7957388,-9002667,9764902,15609756,27698697,-4890037,1657394,3084098 }, { 10477963,-7470260,12119566,-13250805,29016247,-5365589,31280319,14396151,-30233575,15272409 }, }, { { -12288309,3169463,28813183,16658753,25116432,-5630466,-25173957,-12636138,-25014757,1950504 }, { -26180358,9489187,11053416,-14746161,-31053720,5825630,-8384306,-8767532,15341279,8373727 }, { 28685821,7759505,-14378516,-12002860,-31971820,4079242,298136,-10232602,-2878207,15190420 }, }, { { -32932876,13806336,-14337485,-15794431,-24004620,10940928,8669718,2742393,-26033313,-6875003 }, { -1580388,-11729417,-25979658,-11445023,-17411874,-10912854,9291594,-16247779,-12154742,6048605 }, { -30305315,14843444,1539301,11864366,20201677,1900163,13934231,5128323,11213262,9168384 }, }, { { -26280513,11007847,19408960,-940758,-18592965,-4328580,-5088060,-11105150,20470157,-16398701 }, { 
-23136053,9282192,14855179,-15390078,-7362815,-14408560,-22783952,14461608,14042978,5230683 }, { 29969567,-2741594,-16711867,-8552442,9175486,-2468974,21556951,3506042,-5933891,-12449708 }, }, { { -3144746,8744661,19704003,4581278,-20430686,6830683,-21284170,8971513,-28539189,15326563 }, { -19464629,10110288,-17262528,-3503892,-23500387,1355669,-15523050,15300988,-20514118,9168260 }, { -5353335,4488613,-23803248,16314347,7780487,-15638939,-28948358,9601605,33087103,-9011387 }, }, { { -19443170,-15512900,-20797467,-12445323,-29824447,10229461,-27444329,-15000531,-5996870,15664672 }, { 23294591,-16632613,-22650781,-8470978,27844204,11461195,13099750,-2460356,18151676,13417686 }, { -24722913,-4176517,-31150679,5988919,-26858785,6685065,1661597,-12551441,15271676,-15452665 }, }, }, { { { 11433042,-13228665,8239631,-5279517,-1985436,-725718,-18698764,2167544,-6921301,-13440182 }, { -31436171,15575146,30436815,12192228,-22463353,9395379,-9917708,-8638997,12215110,12028277 }, { 14098400,6555944,23007258,5757252,-15427832,-12950502,30123440,4617780,-16900089,-655628 }, }, { { -4026201,-15240835,11893168,13718664,-14809462,1847385,-15819999,10154009,23973261,-12684474 }, { -26531820,-3695990,-1908898,2534301,-31870557,-16550355,18341390,-11419951,32013174,-10103539 }, { -25479301,10876443,-11771086,-14625140,-12369567,1838104,21911214,6354752,4425632,-837822 }, }, { { -10433389,-14612966,22229858,-3091047,-13191166,776729,-17415375,-12020462,4725005,14044970 }, { 19268650,-7304421,1555349,8692754,-21474059,-9910664,6347390,-1411784,-19522291,-16109756 }, { -24864089,12986008,-10898878,-5558584,-11312371,-148526,19541418,8180106,9282262,10282508 }, }, { { -26205082,4428547,-8661196,-13194263,4098402,-14165257,15522535,8372215,5542595,-10702683 }, { -10562541,14895633,26814552,-16673850,-17480754,-2489360,-2781891,6993761,-18093885,10114655 }, { -20107055,-929418,31422704,10427861,-7110749,6150669,-29091755,-11529146,25953725,-106158 }, }, { { 
-4234397,-8039292,-9119125,3046000,2101609,-12607294,19390020,6094296,-3315279,12831125 }, { -15998678,7578152,5310217,14408357,-33548620,-224739,31575954,6326196,7381791,-2421839 }, { -20902779,3296811,24736065,-16328389,18374254,7318640,6295303,8082724,-15362489,12339664 }, }, { { 27724736,2291157,6088201,-14184798,1792727,5857634,13848414,15768922,25091167,14856294 }, { -18866652,8331043,24373479,8541013,-701998,-9269457,12927300,-12695493,-22182473,-9012899 }, { -11423429,-5421590,11632845,3405020,30536730,-11674039,-27260765,13866390,30146206,9142070 }, }, { { 3924129,-15307516,-13817122,-10054960,12291820,-668366,-27702774,9326384,-8237858,4171294 }, { -15921940,16037937,6713787,16606682,-21612135,2790944,26396185,3731949,345228,-5462949 }, { -21327538,13448259,25284571,1143661,20614966,-8849387,2031539,-12391231,-16253183,-13582083 }, }, { { 31016211,-16722429,26371392,-14451233,-5027349,14854137,17477601,3842657,28012650,-16405420 }, { -5075835,9368966,-8562079,-4600902,-15249953,6970560,-9189873,16292057,-8867157,3507940 }, { 29439664,3537914,23333589,6997794,-17555561,-11018068,-15209202,-15051267,-9164929,6580396 }, }, }, { { { -12185861,-7679788,16438269,10826160,-8696817,-6235611,17860444,-9273846,-2095802,9304567 }, { 20714564,-4336911,29088195,7406487,11426967,-5095705,14792667,-14608617,5289421,-477127 }, { -16665533,-10650790,-6160345,-13305760,9192020,-1802462,17271490,12349094,26939669,-3752294 }, }, { { -12889898,9373458,31595848,16374215,21471720,13221525,-27283495,-12348559,-3698806,117887 }, { 22263325,-6560050,3984570,-11174646,-15114008,-566785,28311253,5358056,-23319780,541964 }, { 16259219,3261970,2309254,-15534474,-16885711,-4581916,24134070,-16705829,-13337066,-13552195 }, }, { { 9378160,-13140186,-22845982,-12745264,28198281,-7244098,-2399684,-717351,690426,14876244 }, { 24977353,-314384,-8223969,-13465086,28432343,-1176353,-13068804,-12297348,-22380984,6618999 }, { 
-1538174,11685646,12944378,13682314,-24389511,-14413193,8044829,-13817328,32239829,-5652762 }, }, { { -18603066,4762990,-926250,8885304,-28412480,-3187315,9781647,-10350059,32779359,5095274 }, { -33008130,-5214506,-32264887,-3685216,9460461,-9327423,-24601656,14506724,21639561,-2630236 }, { -16400943,-13112215,25239338,15531969,3987758,-4499318,-1289502,-6863535,17874574,558605 }, }, { { -13600129,10240081,9171883,16131053,-20869254,9599700,33499487,5080151,2085892,5119761 }, { -22205145,-2519528,-16381601,414691,-25019550,2170430,30634760,-8363614,-31999993,-5759884 }, { -6845704,15791202,8550074,-1312654,29928809,-12092256,27534430,-7192145,-22351378,12961482 }, }, { { -24492060,-9570771,10368194,11582341,-23397293,-2245287,16533930,8206996,-30194652,-5159638 }, { -11121496,-3382234,2307366,6362031,-135455,8868177,-16835630,7031275,7589640,8945490 }, { -32152748,8917967,6661220,-11677616,-1192060,-15793393,7251489,-11182180,24099109,-14456170 }, }, { { 5019558,-7907470,4244127,-14714356,-26933272,6453165,-19118182,-13289025,-6231896,-10280736 }, { 10853594,10721687,26480089,5861829,-22995819,1972175,-1866647,-10557898,-3363451,-6441124 }, { -17002408,5906790,221599,-6563147,7828208,-13248918,24362661,-2008168,-13866408,7421392 }, }, { { 8139927,-6546497,32257646,-5890546,30375719,1886181,-21175108,15441252,28826358,-4123029 }, { 6267086,9695052,7709135,-16603597,-32869068,-1886135,14795160,-7840124,13746021,-1742048 }, { 28584902,7787108,-6732942,-15050729,22846041,-7571236,-3181936,-363524,4771362,-8419958 }, }, }, { { { 24949256,6376279,-27466481,-8174608,-18646154,-9930606,33543569,-12141695,3569627,11342593 }, { 26514989,4740088,27912651,3697550,19331575,-11472339,6809886,4608608,7325975,-14801071 }, { -11618399,-14554430,-24321212,7655128,-1369274,5214312,-27400540,10258390,-17646694,-8186692 }, }, { { 11431204,15823007,26570245,14329124,18029990,4796082,-31446179,15580664,9280358,-3973687 }, { 
-160783,-10326257,-22855316,-4304997,-20861367,-13621002,-32810901,-11181622,-15545091,4387441 }, { -20799378,12194512,3937617,-5805892,-27154820,9340370,-24513992,8548137,20617071,-7482001 }, }, { { -938825,-3930586,-8714311,16124718,24603125,-6225393,-13775352,-11875822,24345683,10325460 }, { -19855277,-1568885,-22202708,8714034,14007766,6928528,16318175,-1010689,4766743,3552007 }, { -21751364,-16730916,1351763,-803421,-4009670,3950935,3217514,14481909,10988822,-3994762 }, }, { { 15564307,-14311570,3101243,5684148,30446780,-8051356,12677127,-6505343,-8295852,13296005 }, { -9442290,6624296,-30298964,-11913677,-4670981,-2057379,31521204,9614054,-30000824,12074674 }, { 4771191,-135239,14290749,-13089852,27992298,14998318,-1413936,-1556716,29832613,-16391035 }, }, { { 7064884,-7541174,-19161962,-5067537,-18891269,-2912736,25825242,5293297,-27122660,13101590 }, { -2298563,2439670,-7466610,1719965,-27267541,-16328445,32512469,-5317593,-30356070,-4190957 }, { -30006540,10162316,-33180176,3981723,-16482138,-13070044,14413974,9515896,19568978,9628812 }, }, { { 33053803,199357,15894591,1583059,27380243,-4580435,-17838894,-6106839,-6291786,3437740 }, { -18978877,3884493,19469877,12726490,15913552,13614290,-22961733,70104,7463304,4176122 }, { -27124001,10659917,11482427,-16070381,12771467,-6635117,-32719404,-5322751,24216882,5944158 }, }, { { 8894125,7450974,-2664149,-9765752,-28080517,-12389115,19345746,14680796,11632993,5847885 }, { 26942781,-2315317,9129564,-4906607,26024105,11769399,-11518837,6367194,-9727230,4782140 }, { 19916461,-4828410,-22910704,-11414391,25606324,-5972441,33253853,8220911,6358847,-1873857 }, }, { { 801428,-2081702,16569428,11065167,29875704,96627,7908388,-4480480,-13538503,1387155 }, { 19646058,5720633,-11416706,12814209,11607948,12749789,14147075,15156355,-21866831,11835260 }, { 19299512,1155910,28703737,14890794,2925026,7269399,26121523,15467869,-26560550,5052483 }, }, }, { { { 
-3017432,10058206,1980837,3964243,22160966,12322533,-6431123,-12618185,12228557,-7003677 }, { 32944382,14922211,-22844894,5188528,21913450,-8719943,4001465,13238564,-6114803,8653815 }, { 22865569,-4652735,27603668,-12545395,14348958,8234005,24808405,5719875,28483275,2841751 }, }, { { -16420968,-1113305,-327719,-12107856,21886282,-15552774,-1887966,-315658,19932058,-12739203 }, { -11656086,10087521,-8864888,-5536143,-19278573,-3055912,3999228,13239134,-4777469,-13910208 }, { 1382174,-11694719,17266790,9194690,-13324356,9720081,20403944,11284705,-14013818,3093230 }, }, { { 16650921,-11037932,-1064178,1570629,-8329746,7352753,-302424,16271225,-24049421,-6691850 }, { -21911077,-5927941,-4611316,-5560156,-31744103,-10785293,24123614,15193618,-21652117,-16739389 }, { -9935934,-4289447,-25279823,4372842,2087473,10399484,31870908,14690798,17361620,11864968 }, }, { { -11307610,6210372,13206574,5806320,-29017692,-13967200,-12331205,-7486601,-25578460,-16240689 }, { 14668462,-12270235,26039039,15305210,25515617,4542480,10453892,6577524,9145645,-6443880 }, { 5974874,3053895,-9433049,-10385191,-31865124,3225009,-7972642,3936128,-5652273,-3050304 }, }, { { 30625386,-4729400,-25555961,-12792866,-20484575,7695099,17097188,-16303496,-27999779,1803632 }, { -3553091,9865099,-5228566,4272701,-5673832,-16689700,14911344,12196514,-21405489,7047412 }, { 20093277,9920966,-11138194,-5343857,13161587,12044805,-32856851,4124601,-32343828,-10257566 }, }, { { -20788824,14084654,-13531713,7842147,19119038,-13822605,4752377,-8714640,-21679658,2288038 }, { -26819236,-3283715,29965059,3039786,-14473765,2540457,29457502,14625692,-24819617,12570232 }, { -1063558,-11551823,16920318,12494842,1278292,-5869109,-21159943,-3498680,-11974704,4724943 }, }, { { 17960970,-11775534,-4140968,-9702530,-8876562,-1410617,-12907383,-8659932,-29576300,1903856 }, { 23134274,-14279132,-10681997,-1611936,20684485,15770816,-12989750,3190296,26955097,14109738 }, { 
15308788,5320727,-30113809,-14318877,22902008,7767164,29425325,-11277562,31960942,11934971 }, }, { { -27395711,8435796,4109644,12222639,-24627868,14818669,20638173,4875028,10491392,1379718 }, { -13159415,9197841,3875503,-8936108,-1383712,-5879801,33518459,16176658,21432314,12180697 }, { -11787308,11500838,13787581,-13832590,-22430679,10140205,1465425,12689540,-10301319,-13872883 }, }, }, { { { 5414091,-15386041,-21007664,9643570,12834970,1186149,-2622916,-1342231,26128231,6032912 }, { -26337395,-13766162,32496025,-13653919,17847801,-12669156,3604025,8316894,-25875034,-10437358 }, { 3296484,6223048,24680646,-12246460,-23052020,5903205,-8862297,-4639164,12376617,3188849 }, }, { { 29190488,-14659046,27549113,-1183516,3520066,-10697301,32049515,-7309113,-16109234,-9852307 }, { -14744486,-9309156,735818,-598978,-20407687,-5057904,25246078,-15795669,18640741,-960977 }, { -6928835,-16430795,10361374,5642961,4910474,12345252,-31638386,-494430,10530747,1053335 }, }, { { -29265967,-14186805,-13538216,-12117373,-19457059,-10655384,-31462369,-2948985,24018831,15026644 }, { -22592535,-3145277,-2289276,5953843,-13440189,9425631,25310643,13003497,-2314791,-15145616 }, { -27419985,-603321,-8043984,-1669117,-26092265,13987819,-27297622,187899,-23166419,-2531735 }, }, { { -21744398,-13810475,1844840,5021428,-10434399,-15911473,9716667,16266922,-5070217,726099 }, { 29370922,-6053998,7334071,-15342259,9385287,2247707,-13661962,-4839461,30007388,-15823341 }, { -936379,16086691,23751945,-543318,-1167538,-5189036,9137109,730663,9835848,4555336 }, }, { { -23376435,1410446,-22253753,-12899614,30867635,15826977,17693930,544696,-11985298,12422646 }, { 31117226,-12215734,-13502838,6561947,-9876867,-12757670,-5118685,-4096706,29120153,13924425 }, { -17400879,-14233209,19675799,-2734756,-11006962,-5858820,-9383939,-11317700,7240931,-237388 }, }, { { -31361739,-11346780,-15007447,-5856218,-22453340,-12152771,1222336,4389483,3293637,-15551743 }, { 
-16684801,-14444245,11038544,11054958,-13801175,-3338533,-24319580,7733547,12796905,-6335822 }, { -8759414,-10817836,-25418864,10783769,-30615557,-9746811,-28253339,3647836,3222231,-11160462 }, }, { { 18606113,1693100,-25448386,-15170272,4112353,10045021,23603893,-2048234,-7550776,2484985 }, { 9255317,-3131197,-12156162,-1004256,13098013,-9214866,16377220,-2102812,-19802075,-3034702 }, { -22729289,7496160,-5742199,11329249,19991973,-3347502,-31718148,9936966,-30097688,-10618797 }, }, { { 21878590,-5001297,4338336,13643897,-3036865,13160960,19708896,5415497,-7360503,-4109293 }, { 27736861,10103576,12500508,8502413,-3413016,-9633558,10436918,-1550276,-23659143,-8132100 }, { 19492550,-12104365,-29681976,-852630,-3208171,12403437,30066266,8367329,13243957,8709688 }, }, }, { { { 12015105,2801261,28198131,10151021,24818120,-4743133,-11194191,-5645734,5150968,7274186 }, { 2831366,-12492146,1478975,6122054,23825128,-12733586,31097299,6083058,31021603,-9793610 }, { -2529932,-2229646,445613,10720828,-13849527,-11505937,-23507731,16354465,15067285,-14147707 }, }, { { 7840942,14037873,-33364863,15934016,-728213,-3642706,21403988,1057586,-19379462,-12403220 }, { 915865,-16469274,15608285,-8789130,-24357026,6060030,-17371319,8410997,-7220461,16527025 }, { 32922597,-556987,20336074,-16184568,10903705,-5384487,16957574,52992,23834301,6588044 }, }, { { 32752030,11232950,3381995,-8714866,22652988,-10744103,17159699,16689107,-20314580,-1305992 }, { -4689649,9166776,-25710296,-10847306,11576752,12733943,7924251,-2752281,1976123,-7249027 }, { 21251222,16309901,-2983015,-6783122,30810597,12967303,156041,-3371252,12331345,-8237197 }, }, { { 8651614,-4477032,-16085636,-4996994,13002507,2950805,29054427,-5106970,10008136,-4667901 }, { 31486080,15114593,-14261250,12951354,14369431,-7387845,16347321,-13662089,8684155,-10532952 }, { 19443825,11385320,24468943,-9659068,-23919258,2187569,-26263207,-6086921,31316348,14219878 }, }, { { 
-28594490,1193785,32245219,11392485,31092169,15722801,27146014,6992409,29126555,9207390 }, { 32382935,1110093,18477781,11028262,-27411763,-7548111,-4980517,10843782,-7957600,-14435730 }, { 2814918,7836403,27519878,-7868156,-20894015,-11553689,-21494559,8550130,28346258,1994730 }, }, { { -19578299,8085545,-14000519,-3948622,2785838,-16231307,-19516951,7174894,22628102,8115180 }, { -30405132,955511,-11133838,-15078069,-32447087,-13278079,-25651578,3317160,-9943017,930272 }, { -15303681,-6833769,28856490,1357446,23421993,1057177,24091212,-1388970,-22765376,-10650715 }, }, { { -22751231,-5303997,-12907607,-12768866,-15811511,-7797053,-14839018,-16554220,-1867018,8398970 }, { -31969310,2106403,-4736360,1362501,12813763,16200670,22981545,-6291273,18009408,-15772772 }, { -17220923,-9545221,-27784654,14166835,29815394,7444469,29551787,-3727419,19288549,1325865 }, }, { { 15100157,-15835752,-23923978,-1005098,-26450192,15509408,12376730,-3479146,33166107,-8042750 }, { 20909231,13023121,-9209752,16251778,-5778415,-8094914,12412151,10018715,2213263,-13878373 }, { 32529814,-11074689,30361439,-16689753,-9135940,1513226,22922121,6382134,-5766928,8371348 }, }, }, { { { 9923462,11271500,12616794,3544722,-29998368,-1721626,12891687,-8193132,-26442943,10486144 }, { -22597207,-7012665,8587003,-8257861,4084309,-12970062,361726,2610596,-23921530,-11455195 }, { 5408411,-1136691,-4969122,10561668,24145918,14240566,31319731,-4235541,19985175,-3436086 }, }, { { -13994457,16616821,14549246,3341099,32155958,13648976,-17577068,8849297,65030,8370684 }, { -8320926,-12049626,31204563,5839400,-20627288,-1057277,-19442942,6922164,12743482,-9800518 }, { -2361371,12678785,28815050,4759974,-23893047,4884717,23783145,11038569,18800704,255233 }, }, { { -5269658,-1773886,13957886,7990715,23132995,728773,13393847,9066957,19258688,-14753793 }, { -2936654,-10827535,-10432089,14516793,-3640786,4372541,-31934921,2209390,-1524053,2055794 }, { 
580882,16705327,5468415,-2683018,-30926419,-14696000,-7203346,-8994389,-30021019,7394435 }, }, { { 23838809,1822728,-15738443,15242727,8318092,-3733104,-21672180,-3492205,-4821741,14799921 }, { 13345610,9759151,3371034,-16137791,16353039,8577942,31129804,13496856,-9056018,7402518 }, { 2286874,-4435931,-20042458,-2008336,-13696227,5038122,11006906,-15760352,8205061,1607563 }, }, { { 14414086,-8002132,3331830,-3208217,22249151,-5594188,18364661,-2906958,30019587,-9029278 }, { -27688051,1585953,-10775053,931069,-29120221,-11002319,-14410829,12029093,9944378,8024 }, { 4368715,-3709630,29874200,-15022983,-20230386,-11410704,-16114594,-999085,-8142388,5640030 }, }, { { 10299610,13746483,11661824,16234854,7630238,5998374,9809887,-16694564,15219798,-14327783 }, { 27425505,-5719081,3055006,10660664,23458024,595578,-15398605,-1173195,-18342183,9742717 }, { 6744077,2427284,26042789,2720740,-847906,1118974,32324614,7406442,12420155,1994844 }, }, { { 14012521,-5024720,-18384453,-9578469,-26485342,-3936439,-13033478,-10909803,24319929,-6446333 }, { 16412690,-4507367,10772641,15929391,-17068788,-4658621,10555945,-10484049,-30102368,-4739048 }, { 22397382,-7767684,-9293161,-12792868,17166287,-9755136,-27333065,6199366,21880021,-12250760 }, }, { { -4283307,5368523,-31117018,8163389,-30323063,3209128,16557151,8890729,8840445,4957760 }, { -15447727,709327,-6919446,-10870178,-29777922,6522332,-21720181,12130072,-14796503,5005757 }, { -2114751,-14308128,23019042,15765735,-25269683,6002752,10183197,-13239326,-16395286,-2176112 }, }, }, { { { -19025756,1632005,13466291,-7995100,-23640451,16573537,-32013908,-3057104,22208662,2000468 }, { 3065073,-1412761,-25598674,-361432,-17683065,-5703415,-8164212,11248527,-3691214,-7414184 }, { 10379208,-6045554,8877319,1473647,-29291284,-12507580,16690915,2553332,-3132688,16400289 }, }, { { 15716668,1254266,-18472690,7446274,-8448918,6344164,-22097271,-7285580,26894937,9132066 }, { 
24158887,12938817,11085297,-8177598,-28063478,-4457083,-30576463,64452,-6817084,-2692882 }, { 13488534,7794716,22236231,5989356,25426474,-12578208,2350710,-3418511,-4688006,2364226 }, }, { { 16335052,9132434,25640582,6678888,1725628,8517937,-11807024,-11697457,15445875,-7798101 }, { 29004207,-7867081,28661402,-640412,-12794003,-7943086,31863255,-4135540,-278050,-15759279 }, { -6122061,-14866665,-28614905,14569919,-10857999,-3591829,10343412,-6976290,-29828287,-10815811 }, }, { { 27081650,3463984,14099042,-4517604,1616303,-6205604,29542636,15372179,17293797,960709 }, { 20263915,11434237,-5765435,11236810,13505955,-10857102,-16111345,6493122,-19384511,7639714 }, { -2830798,-14839232,25403038,-8215196,-8317012,-16173699,18006287,-16043750,29994677,-15808121 }, }, { { 9769828,5202651,-24157398,-13631392,-28051003,-11561624,-24613141,-13860782,-31184575,709464 }, { 12286395,13076066,-21775189,-1176622,-25003198,4057652,-32018128,-8890874,16102007,13205847 }, { 13733362,5599946,10557076,3195751,-5557991,8536970,-25540170,8525972,10151379,10394400 }, }, { { 4024660,-16137551,22436262,12276534,-9099015,-2686099,19698229,11743039,-33302334,8934414 }, { -15879800,-4525240,-8580747,-2934061,14634845,-698278,-9449077,3137094,-11536886,11721158 }, { 17555939,-5013938,8268606,2331751,-22738815,9761013,9319229,8835153,-9205489,-1280045 }, }, { { -461409,-7830014,20614118,16688288,-7514766,-4807119,22300304,505429,6108462,-6183415 }, { -5070281,12367917,-30663534,3234473,32617080,-8422642,29880583,-13483331,-26898490,-7867459 }, { -31975283,5726539,26934134,10237677,-3173717,-605053,24199304,3795095,7592688,-14992079 }, }, { { 21594432,-14964228,17466408,-4077222,32537084,2739898,6407723,12018833,-28256052,4298412 }, { -20650503,-11961496,-27236275,570498,3767144,-1717540,13891942,-1569194,13717174,10805743 }, { -14676630,-15644296,15287174,11927123,24177847,-8175568,-796431,14860609,-26938930,-5863836 }, }, }, { { { 
12962541,5311799,-10060768,11658280,18855286,-7954201,13286263,-12808704,-4381056,9882022 }, { 18512079,11319350,-20123124,15090309,18818594,5271736,-22727904,3666879,-23967430,-3299429 }, { -6789020,-3146043,16192429,13241070,15898607,-14206114,-10084880,-6661110,-2403099,5276065 }, }, { { 30169808,-5317648,26306206,-11750859,27814964,7069267,7152851,3684982,1449224,13082861 }, { 10342826,3098505,2119311,193222,25702612,12233820,23697382,15056736,-21016438,-8202000 }, { -33150110,3261608,22745853,7948688,19370557,-15177665,-26171976,6482814,-10300080,-11060101 }, }, { { 32869458,-5408545,25609743,15678670,-10687769,-15471071,26112421,2521008,-22664288,6904815 }, { 29506923,4457497,3377935,-9796444,-30510046,12935080,1561737,3841096,-29003639,-6657642 }, { 10340844,-6630377,-18656632,-2278430,12621151,-13339055,30878497,-11824370,-25584551,5181966 }, }, { { 25940115,-12658025,17324188,-10307374,-8671468,15029094,24396252,-16450922,-2322852,-12388574 }, { -21765684,9916823,-1300409,4079498,-1028346,11909559,1782390,12641087,20603771,-6561742 }, { -18882287,-11673380,24849422,11501709,13161720,-4768874,1925523,11914390,4662781,7820689 }, }, { { 12241050,-425982,8132691,9393934,32846760,-1599620,29749456,12172924,16136752,15264020 }, { -10349955,-14680563,-8211979,2330220,-17662549,-14545780,10658213,6671822,19012087,3772772 }, { 3753511,-3421066,10617074,2028709,14841030,-6721664,28718732,-15762884,20527771,12988982 }, }, { { -14822485,-5797269,-3707987,12689773,-898983,-10914866,-24183046,-10564943,3299665,-12424953 }, { -16777703,-15253301,-9642417,4978983,3308785,8755439,6943197,6461331,-25583147,8991218 }, { -17226263,1816362,-1673288,-6086439,31783888,-8175991,-32948145,7417950,-30242287,1507265 }, }, { { 29692663,6829891,-10498800,4334896,20945975,-11906496,-28887608,8209391,14606362,-10647073 }, { -3481570,8707081,32188102,5672294,22096700,1711240,-33020695,9761487,4170404,-2085325 }, { 
-11587470,14855945,-4127778,-1531857,-26649089,15084046,22186522,16002000,-14276837,-8400798 }, }, { { -4811456,13761029,-31703877,-2483919,-3312471,7869047,-7113572,-9620092,13240845,10965870 }, { -7742563,-8256762,-14768334,-13656260,-23232383,12387166,4498947,14147411,29514390,4302863 }, { -13413405,-12407859,20757302,-13801832,14785143,8976368,-5061276,-2144373,17846988,-13971927 }, }, }, { { { -2244452,-754728,-4597030,-1066309,-6247172,1455299,-21647728,-9214789,-5222701,12650267 }, { -9906797,-16070310,21134160,12198166,-27064575,708126,387813,13770293,-19134326,10958663 }, { 22470984,12369526,23446014,-5441109,-21520802,-9698723,-11772496,-11574455,-25083830,4271862 }, }, { { -25169565,-10053642,-19909332,15361595,-5984358,2159192,75375,-4278529,-32526221,8469673 }, { 15854970,4148314,-8893890,7259002,11666551,13824734,-30531198,2697372,24154791,-9460943 }, { 15446137,-15806644,29759747,14019369,30811221,-9610191,-31582008,12840104,24913809,9815020 }, }, { { -4709286,-5614269,-31841498,-12288893,-14443537,10799414,-9103676,13438769,18735128,9466238 }, { 11933045,9281483,5081055,-5183824,-2628162,-4905629,-7727821,-10896103,-22728655,16199064 }, { 14576810,379472,-26786533,-8317236,-29426508,-10812974,-102766,1876699,30801119,2164795 }, }, { { 15995086,3199873,13672555,13712240,-19378835,-4647646,-13081610,-15496269,-13492807,1268052 }, { -10290614,-3659039,-3286592,10948818,23037027,3794475,-3470338,-12600221,-17055369,3565904 }, { 29210088,-9419337,-5919792,-4952785,10834811,-13327726,-16512102,-10820713,-27162222,-14030531 }, }, { { -13161890,15508588,16663704,-8156150,-28349942,9019123,-29183421,-3769423,2244111,-14001979 }, { -5152875,-3800936,-9306475,-6071583,16243069,14684434,-25673088,-16180800,13491506,4641841 }, { 10813417,643330,-19188515,-728916,30292062,-16600078,27548447,-7721242,14476989,-12767431 }, }, { { 10292079,9984945,6481436,8279905,-7251514,7032743,27282937,-1644259,-27912810,12651324 }, { 
-31185513,-813383,22271204,11835308,10201545,15351028,17099662,3988035,21721536,-3148940 }, { 10202177,-6545839,-31373232,-9574638,-32150642,-8119683,-12906320,3852694,13216206,14842320 }, }, { { -15815640,-10601066,-6538952,-7258995,-6984659,-6581778,-31500847,13765824,-27434397,9900184 }, { 14465505,-13833331,-32133984,-14738873,-27443187,12990492,33046193,15796406,-7051866,-8040114 }, { 30924417,-8279620,6359016,-12816335,16508377,9071735,-25488601,15413635,9524356,-7018878 }, }, { { 12274201,-13175547,32627641,-1785326,6736625,13267305,5237659,-5109483,15663516,4035784 }, { -2951309,8903985,17349946,601635,-16432815,-4612556,-13732739,-15889334,-22258478,4659091 }, { -16916263,-4952973,-30393711,-15158821,20774812,15897498,5736189,15026997,-2178256,-13455585 }, }, }, { { { -8858980,-2219056,28571666,-10155518,-474467,-10105698,-3801496,278095,23440562,-290208 }, { 10226241,-5928702,15139956,120818,-14867693,5218603,32937275,11551483,-16571960,-7442864 }, { 17932739,-12437276,-24039557,10749060,11316803,7535897,22503767,5561594,-3646624,3898661 }, }, { { 7749907,-969567,-16339731,-16464,-25018111,15122143,-1573531,7152530,21831162,1245233 }, { 26958459,-14658026,4314586,8346991,-5677764,11960072,-32589295,-620035,-30402091,-16716212 }, { -12165896,9166947,33491384,13673479,29787085,13096535,6280834,14587357,-22338025,13987525 }, }, { { -24349909,7778775,21116000,15572597,-4833266,-5357778,-4300898,-5124639,-7469781,-2858068 }, { 9681908,-6737123,-31951644,13591838,-6883821,386950,31622781,6439245,-14581012,4091397 }, { -8426427,1470727,-28109679,-1596990,3978627,-5123623,-19622683,12092163,29077877,-14741988 }, }, { { 5269168,-6859726,-13230211,-8020715,25932563,1763552,-5606110,-5505881,-20017847,2357889 }, { 32264008,-15407652,-5387735,-1160093,-2091322,-3946900,23104804,-12869908,5727338,189038 }, { 14609123,-8954470,-6000566,-16622781,-14577387,-7743898,-26745169,10942115,-25888931,-14884697 }, }, { { 
20513500,5557931,-15604613,7829531,26413943,-2019404,-21378968,7471781,13913677,-5137875 }, { -25574376,11967826,29233242,12948236,-6754465,4713227,-8940970,14059180,12878652,8511905 }, { -25656801,3393631,-2955415,-7075526,-2250709,9366908,-30223418,6812974,5568676,-3127656 }, }, { { 11630004,12144454,2116339,13606037,27378885,15676917,-17408753,-13504373,-14395196,8070818 }, { 27117696,-10007378,-31282771,-5570088,1127282,12772488,-29845906,10483306,-11552749,-1028714 }, { 10637467,-5688064,5674781,1072708,-26343588,-6982302,-1683975,9177853,-27493162,15431203 }, }, { { 20525145,10892566,-12742472,12779443,-29493034,16150075,-28240519,14943142,-15056790,-7935931 }, { -30024462,5626926,-551567,-9981087,753598,11981191,25244767,-3239766,-3356550,9594024 }, { -23752644,2636870,-5163910,-10103818,585134,7877383,11345683,-6492290,13352335,-10977084 }, }, { { -1931799,-5407458,3304649,-12884869,17015806,-4877091,-29783850,-7752482,-13215537,-319204 }, { 20239939,6607058,6203985,3483793,-18386976,-779229,-20723742,15077870,-22750759,14523817 }, { 27406042,-6041657,27423596,-4497394,4996214,10002360,-28842031,-4545494,-30172742,-4805667 }, }, }, { { { 11374242,12660715,17861383,-12540833,10935568,1099227,-13886076,-9091740,-27727044,11358504 }, { -12730809,10311867,1510375,10778093,-2119455,-9145702,32676003,11149336,-26123651,4985768 }, { -19096303,341147,-6197485,-239033,15756973,-8796662,-983043,13794114,-19414307,-15621255 }, }, { { 6490081,11940286,25495923,-7726360,8668373,-8751316,3367603,6970005,-1691065,-9004790 }, { 1656497,13457317,15370807,6364910,13605745,8362338,-19174622,-5475723,-16796596,-5031438 }, { -22273315,-13524424,-64685,-4334223,-18605636,-10921968,-20571065,-7007978,-99853,-10237333 }, }, { { 17747465,10039260,19368299,-4050591,-20630635,-16041286,31992683,-15857976,-29260363,-5511971 }, { 31932027,-4986141,-19612382,16366580,22023614,88450,11371999,-3744247,4882242,-10626905 }, { 
29796507,37186,19818052,10115756,-11829032,3352736,18551198,3272828,-5190932,-4162409 }, }, { { 12501286,4044383,-8612957,-13392385,-32430052,5136599,-19230378,-3529697,330070,-3659409 }, { 6384877,2899513,17807477,7663917,-2358888,12363165,25366522,-8573892,-271295,12071499 }, { -8365515,-4042521,25133448,-4517355,-6211027,2265927,-32769618,1936675,-5159697,3829363 }, }, { { 28425966,-5835433,-577090,-4697198,-14217555,6870930,7921550,-6567787,26333140,14267664 }, { -11067219,11871231,27385719,-10559544,-4585914,-11189312,10004786,-8709488,-21761224,8930324 }, { -21197785,-16396035,25654216,-1725397,12282012,11008919,1541940,4757911,-26491501,-16408940 }, }, { { 13537262,-7759490,-20604840,10961927,-5922820,-13218065,-13156584,6217254,-15943699,13814990 }, { -17422573,15157790,18705543,29619,24409717,-260476,27361681,9257833,-1956526,-1776914 }, { -25045300,-10191966,15366585,15166509,-13105086,8423556,-29171540,12361135,-18685978,4578290 }, }, { { 24579768,3711570,1342322,-11180126,-27005135,14124956,-22544529,14074919,21964432,8235257 }, { -6528613,-2411497,9442966,-5925588,12025640,-1487420,-2981514,-1669206,13006806,2355433 }, { -16304899,-13605259,-6632427,-5142349,16974359,-10911083,27202044,1719366,1141648,-12796236 }, }, { { -12863944,-13219986,-8318266,-11018091,-6810145,-4843894,13475066,-3133972,32674895,13715045 }, { 11423335,-5468059,32344216,8962751,24989809,9241752,-13265253,16086212,-28740881,-15642093 }, { -1409668,12530728,-6368726,10847387,19531186,-14132160,-11709148,7791794,-27245943,4383347 }, }, }, { { { -28970898,5271447,-1266009,-9736989,-12455236,16732599,-4862407,-4906449,27193557,6245191 }, { -15193956,5362278,-1783893,2695834,4960227,12840725,23061898,3260492,22510453,8577507 }, { -12632451,11257346,-32692994,13548177,-721004,10879011,31168030,13952092,-29571492,-3635906 }, }, { { 3877321,-9572739,32416692,5405324,-11004407,-13656635,3759769,11935320,5611860,8164018 }, { 
-16275802,14667797,15906460,12155291,-22111149,-9039718,32003002,-8832289,5773085,-8422109 }, { -23788118,-8254300,1950875,8937633,18686727,16459170,-905725,12376320,31632953,190926 }, }, { { -24593607,-16138885,-8423991,13378746,14162407,6901328,-8288749,4508564,-25341555,-3627528 }, { 8884438,-5884009,6023974,10104341,-6881569,-4941533,18722941,-14786005,-1672488,827625 }, { -32720583,-16289296,-32503547,7101210,13354605,2659080,-1800575,-14108036,-24878478,1541286 }, }, { { 2901347,-1117687,3880376,-10059388,-17620940,-3612781,-21802117,-3567481,20456845,-1885033 }, { 27019610,12299467,-13658288,-1603234,-12861660,-4861471,-19540150,-5016058,29439641,15138866 }, { 21536104,-6626420,-32447818,-10690208,-22408077,5175814,-5420040,-16361163,7779328,109896 }, }, { { 30279744,14648750,-8044871,6425558,13639621,-743509,28698390,12180118,23177719,-554075 }, { 26572847,3405927,-31701700,12890905,-19265668,5335866,-6493768,2378492,4439158,-13279347 }, { -22716706,3489070,-9225266,-332753,18875722,-1140095,14819434,-12731527,-17717757,-5461437 }, }, { { -5056483,16566551,15953661,3767752,-10436499,15627060,-820954,2177225,8550082,-15114165 }, { -18473302,16596775,-381660,15663611,22860960,15585581,-27844109,-3582739,-23260460,-8428588 }, { -32480551,15707275,-8205912,-5652081,29464558,2713815,-22725137,15860482,-21902570,1494193 }, }, { { -19562091,-14087393,-25583872,-9299552,13127842,759709,21923482,16529112,8742704,12967017 }, { -28464899,1553205,32536856,-10473729,-24691605,-406174,-8914625,-2933896,-29903758,15553883 }, { 21877909,3230008,9881174,10539357,-4797115,2841332,11543572,14513274,19375923,-12647961 }, }, { { 8832269,-14495485,13253511,5137575,5037871,4078777,24880818,-6222716,2862653,9455043 }, { 29306751,5123106,20245049,-14149889,9592566,8447059,-2077124,-2990080,15511449,4789663 }, { -20679756,7004547,8824831,-9434977,-4045704,-3750736,-5754762,108893,23513200,16652362 }, }, }, { { { 
-33256173,4144782,-4476029,-6579123,10770039,-7155542,-6650416,-12936300,-18319198,10212860 }, { 2756081,8598110,7383731,-6859892,22312759,-1105012,21179801,2600940,-9988298,-12506466 }, { -24645692,13317462,-30449259,-15653928,21365574,-10869657,11344424,864440,-2499677,-16710063 }, }, { { -26432803,6148329,-17184412,-14474154,18782929,-275997,-22561534,211300,2719757,4940997 }, { -1323882,3911313,-6948744,14759765,-30027150,7851207,21690126,8518463,26699843,5276295 }, { -13149873,-6429067,9396249,365013,24703301,-10488939,1321586,149635,-15452774,7159369 }, }, { { 9987780,-3404759,17507962,9505530,9731535,-2165514,22356009,8312176,22477218,-8403385 }, { 18155857,-16504990,19744716,9006923,15154154,-10538976,24256460,-4864995,-22548173,9334109 }, { 2986088,-4911893,10776628,-3473844,10620590,-7083203,-21413845,14253545,-22587149,536906 }, }, { { 4377756,8115836,24567078,15495314,11625074,13064599,7390551,10589625,10838060,-15420424 }, { -19342404,867880,9277171,-3218459,-14431572,-1986443,19295826,-15796950,6378260,699185 }, { 7895026,4057113,-7081772,-13077756,-17886831,-323126,-716039,15693155,-5045064,-13373962 }, }, { { -7737563,-5869402,-14566319,-7406919,11385654,13201616,31730678,-10962840,-3918636,-9669325 }, { 10188286,-15770834,-7336361,13427543,22223443,14896287,30743455,7116568,-21786507,5427593 }, { 696102,13206899,27047647,-10632082,15285305,-9853179,10798490,-4578720,19236243,12477404 }, }, { { -11229439,11243796,-17054270,-8040865,-788228,-8167967,-3897669,11180504,-23169516,7733644 }, { 17800790,-14036179,-27000429,-11766671,23887827,3149671,23466177,-10538171,10322027,15313801 }, { 26246234,11968874,32263343,-5468728,6830755,-13323031,-15794704,-101982,-24449242,10890804 }, }, { { -31365647,10271363,-12660625,-6267268,16690207,-13062544,-14982212,16484931,25180797,-5334884 }, { -586574,10376444,-32586414,-11286356,19801893,10997610,2276632,9482883,316878,13820577 }, { 
-9882808,-4510367,-2115506,16457136,-11100081,11674996,30756178,-7515054,30696930,-3712849 }, }, { { 32988917,-9603412,12499366,7910787,-10617257,-11931514,-7342816,-9985397,-32349517,7392473 }, { -8855661,15927861,9866406,-3649411,-2396914,-16655781,-30409476,-9134995,25112947,-2926644 }, { -2504044,-436966,25621774,-5678772,15085042,-5479877,-24884878,-13526194,5537438,-13914319 }, }, }, { { { -11225584,2320285,-9584280,10149187,-33444663,5808648,-14876251,-1729667,31234590,6090599 }, { -9633316,116426,26083934,2897444,-6364437,-2688086,609721,15878753,-6970405,-9034768 }, { -27757857,247744,-15194774,-9002551,23288161,-10011936,-23869595,6503646,20650474,1804084 }, }, { { -27589786,15456424,8972517,8469608,15640622,4439847,3121995,-10329713,27842616,-202328 }, { -15306973,2839644,22530074,10026331,4602058,5048462,28248656,5031932,-11375082,12714369 }, { 20807691,-7270825,29286141,11421711,-27876523,-13868230,-21227475,1035546,-19733229,12796920 }, }, { { 12076899,-14301286,-8785001,-11848922,-25012791,16400684,-17591495,-12899438,3480665,-15182815 }, { -32361549,5457597,28548107,7833186,7303070,-11953545,-24363064,-15921875,-33374054,2771025 }, { -21389266,421932,26597266,6860826,22486084,-6737172,-17137485,-4210226,-24552282,15673397 }, }, { { -20184622,2338216,19788685,-9620956,-4001265,-8740893,-20271184,4733254,3727144,-12934448 }, { 6120119,814863,-11794402,-622716,6812205,-15747771,2019594,7975683,31123697,-10958981 }, { 30069250,-11435332,30434654,2958439,18399564,-976289,12296869,9204260,-16432438,9648165 }, }, { { 32705432,-1550977,30705658,7451065,-11805606,9631813,3305266,5248604,-26008332,-11377501 }, { 17219865,2375039,-31570947,-5575615,-19459679,9219903,294711,15298639,2662509,-16297073 }, { -1172927,-7558695,-4366770,-4287744,-21346413,-8434326,32087529,-1222777,32247248,-14389861 }, }, { { 14312628,1221556,17395390,-8700143,-4945741,-8684635,-28197744,-9637817,-16027623,-13378845 }, { 
-1428825,-9678990,-9235681,6549687,-7383069,-468664,23046502,9803137,17597934,2346211 }, { 18510800,15337574,26171504,981392,-22241552,7827556,-23491134,-11323352,3059833,-11782870 }, }, { { 10141598,6082907,17829293,-1947643,9830092,13613136,-25556636,-5544586,-33502212,3592096 }, { 33114168,-15889352,-26525686,-13343397,33076705,8716171,1151462,1521897,-982665,-6837803 }, { -32939165,-4255815,23947181,-324178,-33072974,-12305637,-16637686,3891704,26353178,693168 }, }, { { 30374239,1595580,-16884039,13186931,4600344,406904,9585294,-400668,31375464,14369965 }, { -14370654,-7772529,1510301,6434173,-18784789,-6262728,32732230,-13108839,17901441,16011505 }, { 18171223,-11934626,-12500402,15197122,-11038147,-15230035,-19172240,-16046376,8764035,12309598 }, }, }, { { { 5975908,-5243188,-19459362,-9681747,-11541277,14015782,-23665757,1228319,17544096,-10593782 }, { 5811932,-1715293,3442887,-2269310,-18367348,-8359541,-18044043,-15410127,-5565381,12348900 }, { -31399660,11407555,25755363,6891399,-3256938,14872274,-24849353,8141295,-10632534,-585479 }, }, { { -12675304,694026,-5076145,13300344,14015258,-14451394,-9698672,-11329050,30944593,1130208 }, { 8247766,-6710942,-26562381,-7709309,-14401939,-14648910,4652152,2488540,23550156,-271232 }, { 17294316,-3788438,7026748,15626851,22990044,113481,2267737,-5908146,-408818,-137719 }, }, { { 16091085,-16253926,18599252,7340678,2137637,-1221657,-3364161,14550936,3260525,-7166271 }, { -4910104,-13332887,18550887,10864893,-16459325,-7291596,-23028869,-13204905,-12748722,2701326 }, { -8574695,16099415,4629974,-16340524,-20786213,-6005432,-10018363,9276971,11329923,1862132 }, }, { { 14763076,-15903608,-30918270,3689867,3511892,10313526,-21951088,12219231,-9037963,-940300 }, { 8894987,-3446094,6150753,3013931,301220,15693451,-31981216,-2909717,-15438168,11595570 }, { 15214962,3537601,-26238722,-14058872,4418657,-15230761,13947276,10730794,-13489462,-4363670 }, }, { { 
-2538306,7682793,32759013,263109,-29984731,-7955452,-22332124,-10188635,977108,699994 }, { -12466472,4195084,-9211532,550904,-15565337,12917920,19118110,-439841,-30534533,-14337913 }, { 31788461,-14507657,4799989,7372237,8808585,-14747943,9408237,-10051775,12493932,-5409317 }, }, { { -25680606,5260744,-19235809,-6284470,-3695942,16566087,27218280,2607121,29375955,6024730 }, { 842132,-2794693,-4763381,-8722815,26332018,-12405641,11831880,6985184,-9940361,2854096 }, { -4847262,-7969331,2516242,-5847713,9695691,-7221186,16512645,960770,12121869,16648078 }, }, { { -15218652,14667096,-13336229,2013717,30598287,-464137,-31504922,-7882064,20237806,2838411 }, { -19288047,4453152,15298546,-16178388,22115043,-15972604,12544294,-13470457,1068881,-12499905 }, { -9558883,-16518835,33238498,13506958,30505848,-1114596,-8486907,-2630053,12521378,4845654 }, }, { { -28198521,10744108,-2958380,10199664,7759311,-13088600,3409348,-873400,-6482306,-12885870 }, { -23561822,6230156,-20382013,10655314,-24040585,-11621172,10477734,-1240216,-3113227,13974498 }, { 12966261,15550616,-32038948,-1615346,21025980,-629444,5642325,7188737,18895762,12629579 }, }, }, { { { 14741879,-14946887,22177208,-11721237,1279741,8058600,11758140,789443,32195181,3895677 }, { 10758205,15755439,-4509950,9243698,-4879422,6879879,-2204575,-3566119,-8982069,4429647 }, { -2453894,15725973,-20436342,-10410672,-5803908,-11040220,-7135870,-11642895,18047436,-15281743 }, }, { { -25173001,-11307165,29759956,11776784,-22262383,-15820455,10993114,-12850837,-17620701,-9408468 }, { 21987233,700364,-24505048,14972008,-7774265,-5718395,32155026,2581431,-29958985,8773375 }, { -25568350,454463,-13211935,16126715,25240068,8594567,20656846,12017935,-7874389,-13920155 }, }, { { 6028182,6263078,-31011806,-11301710,-818919,2461772,-31841174,-5468042,-1721788,-2776725 }, { -12278994,16624277,987579,-5922598,32908203,1248608,7719845,-4166698,28408820,6816612 }, { 
-10358094,-8237829,19549651,-12169222,22082623,16147817,20613181,13982702,-10339570,5067943 }, }, { { -30505967,-3821767,12074681,13582412,-19877972,2443951,-19719286,12746132,5331210,-10105944 }, { 30528811,3601899,-1957090,4619785,-27361822,-15436388,24180793,-12570394,27679908,-1648928 }, { 9402404,-13957065,32834043,10838634,-26580150,-13237195,26653274,-8685565,22611444,-12715406 }, }, { { 22190590,1118029,22736441,15130463,-30460692,-5991321,19189625,-4648942,4854859,6622139 }, { -8310738,-2953450,-8262579,-3388049,-10401731,-271929,13424426,-3567227,26404409,13001963 }, { -31241838,-15415700,-2994250,8939346,11562230,-12840670,-26064365,-11621720,-15405155,11020693 }, }, { { 1866042,-7949489,-7898649,-10301010,12483315,13477547,3175636,-12424163,28761762,1406734 }, { -448555,-1777666,13018551,3194501,-9580420,-11161737,24760585,-4347088,25577411,-13378680 }, { -24290378,4759345,-690653,-1852816,2066747,10693769,-29595790,9884936,-9368926,4745410 }, }, { { -9141284,6049714,-19531061,-4341411,-31260798,9944276,-15462008,-11311852,10931924,-11931931 }, { -16561513,14112680,-8012645,4817318,-8040464,-11414606,-22853429,10856641,-20470770,13434654 }, { 22759489,-10073434,-16766264,-1871422,13637442,-10168091,1765144,-12654326,28445307,-5364710 }, }, { { 29875063,12493613,2795536,-3786330,1710620,15181182,-10195717,-8788675,9074234,1167180 }, { -26205683,11014233,-9842651,-2635485,-26908120,7532294,-18716888,-9535498,3843903,9367684 }, { -10969595,-6403711,9591134,9582310,11349256,108879,16235123,8601684,-139197,4242895 }, }, }, { { { 22092954,-13191123,-2042793,-11968512,32186753,-11517388,-6574341,2470660,-27417366,16625501 }, { -11057722,3042016,13770083,-9257922,584236,-544855,-7770857,2602725,-27351616,14247413 }, { 6314175,-10264892,-32772502,15957557,-10157730,168750,-8618807,14290061,27108877,-1180880 }, }, { { -8586597,-7170966,13241782,10960156,-32991015,-13794596,33547976,-11058889,-27148451,981874 }, { 
22833440,9293594,-32649448,-13618667,-9136966,14756819,-22928859,-13970780,-10479804,-16197962 }, { -7768587,3326786,-28111797,10783824,19178761,14905060,22680049,13906969,-15933690,3797899 }, }, { { 21721356,-4212746,-12206123,9310182,-3882239,-13653110,23740224,-2709232,20491983,-8042152 }, { 9209270,-15135055,-13256557,-6167798,-731016,15289673,25947805,15286587,30997318,-6703063 }, { 7392032,16618386,23946583,-8039892,-13265164,-1533858,-14197445,-2321576,17649998,-250080 }, }, { { -9301088,-14193827,30609526,-3049543,-25175069,-1283752,-15241566,-9525724,-2233253,7662146 }, { -17558673,1763594,-33114336,15908610,-30040870,-12174295,7335080,-8472199,-3174674,3440183 }, { -19889700,-5977008,-24111293,-9688870,10799743,-16571957,40450,-4431835,4862400,1133 }, }, { { -32856209,-7873957,-5422389,14860950,-16319031,7956142,7258061,311861,-30594991,-7379421 }, { -3773428,-1565936,28985340,7499440,24445838,9325937,29727763,16527196,18278453,15405622 }, { -4381906,8508652,-19898366,-3674424,-5984453,15149970,-13313598,843523,-21875062,13626197 }, }, { { 2281448,-13487055,-10915418,-2609910,1879358,16164207,-10783882,3953792,13340839,15928663 }, { 31727126,-7179855,-18437503,-8283652,2875793,-16390330,-25269894,-7014826,-23452306,5964753 }, { 4100420,-5959452,-17179337,6017714,-18705837,12227141,-26684835,11344144,2538215,-7570755 }, }, { { -9433605,6123113,11159803,-2156608,30016280,14966241,-20474983,1485421,-629256,-15958862 }, { -26804558,4260919,11851389,9658551,-32017107,16367492,-20205425,-13191288,11659922,-11115118 }, { 26180396,10015009,-30844224,-8581293,5418197,9480663,2231568,-10170080,33100372,-1306171 }, }, { { 15121113,-5201871,-10389905,15427821,-27509937,-15992507,21670947,4486675,-5931810,-14466380 }, { 16166486,-9483733,-11104130,6023908,-31926798,-1364923,2340060,-16254968,-10735770,-10039824 }, { 28042865,-3557089,-12126526,12259706,-3717498,-6945899,6766453,-8689599,18036436,5803270 }, }, }, { { { 
-817581,6763912,11803561,1585585,10958447,-2671165,23855391,4598332,-6159431,-14117438 }, { -31031306,-14256194,17332029,-2383520,31312682,-5967183,696309,50292,-20095739,11763584 }, { -594563,-2514283,-32234153,12643980,12650761,14811489,665117,-12613632,-19773211,-10713562 }, }, { { 30464590,-11262872,-4127476,-12734478,19835327,-7105613,-24396175,2075773,-17020157,992471 }, { 18357185,-6994433,7766382,16342475,-29324918,411174,14578841,8080033,-11574335,-10601610 }, { 19598397,10334610,12555054,2555664,18821899,-10339780,21873263,16014234,26224780,16452269 }, }, { { -30223925,5145196,5944548,16385966,3976735,2009897,-11377804,-7618186,-20533829,3698650 }, { 14187449,3448569,-10636236,-10810935,-22663880,-3433596,7268410,-10890444,27394301,12015369 }, { 19695761,16087646,28032085,12999827,6817792,11427614,20244189,-1312777,-13259127,-3402461 }, }, { { 30860103,12735208,-1888245,-4699734,-16974906,2256940,-8166013,12298312,-8550524,-10393462 }, { -5719826,-11245325,-1910649,15569035,26642876,-7587760,-5789354,-15118654,-4976164,12651793 }, { -2848395,9953421,11531313,-5282879,26895123,-12697089,-13118820,-16517902,9768698,-2533218 }, }, { { -24719459,1894651,-287698,-4704085,15348719,-8156530,32767513,12765450,4940095,10678226 }, { 18860224,15980149,-18987240,-1562570,-26233012,-11071856,-7843882,13944024,-24372348,16582019 }, { -15504260,4970268,-29893044,4175593,-20993212,-2199756,-11704054,15444560,-11003761,7989037 }, }, { { 31490452,5568061,-2412803,2182383,-32336847,4531686,-32078269,6200206,-19686113,-14800171 }, { -17308668,-15879940,-31522777,-2831,-32887382,16375549,8680158,-16371713,28550068,-6857132 }, { -28126887,-5688091,16837845,-1820458,-6850681,12700016,-30039981,4364038,1155602,5988841 }, }, { { 21890435,-13272907,-12624011,12154349,-7831873,15300496,23148983,-4470481,24618407,8283181 }, { -33136107,-10512751,9975416,6841041,-31559793,16356536,3070187,-7025928,1466169,10740210 }, { 
-1509399,-15488185,-13503385,-10655916,32799044,909394,-13938903,-5779719,-32164649,-15327040 }, }, { { 3960823,-14267803,-28026090,-15918051,-19404858,13146868,15567327,951507,-3260321,-573935 }, { 24740841,5052253,-30094131,8961361,25877428,6165135,-24368180,14397372,-7380369,-6144105 }, { -28888365,3510803,-28103278,-1158478,-11238128,-10631454,-15441463,-14453128,-1625486,-6494814 }, }, }, { { { 793299,-9230478,8836302,-6235707,-27360908,-2369593,33152843,-4885251,-9906200,-621852 }, { 5666233,525582,20782575,-8038419,-24538499,14657740,16099374,1468826,-6171428,-15186581 }, { -4859255,-3779343,-2917758,-6748019,7778750,11688288,-30404353,-9871238,-1558923,-9863646 }, }, { { 10896332,-7719704,824275,472601,-19460308,3009587,25248958,14783338,-30581476,-15757844 }, { 10566929,12612572,-31944212,11118703,-12633376,12362879,21752402,8822496,24003793,14264025 }, { 27713862,-7355973,-11008240,9227530,27050101,2504721,23886875,-13117525,13958495,-5732453 }, }, { { -23481610,4867226,-27247128,3900521,29838369,-8212291,-31889399,-10041781,7340521,-15410068 }, { 4646514,-8011124,-22766023,-11532654,23184553,8566613,31366726,-1381061,-15066784,-10375192 }, { -17270517,12723032,-16993061,14878794,21619651,-6197576,27584817,3093888,-8843694,3849921 }, }, { { -9064912,2103172,25561640,-15125738,-5239824,9582958,32477045,-9017955,5002294,-15550259 }, { -12057553,-11177906,21115585,-13365155,8808712,-12030708,16489530,13378448,-25845716,12741426 }, { -5946367,10645103,-30911586,15390284,-3286982,-7118677,24306472,15852464,28834118,-7646072 }, }, { { -17335748,-9107057,-24531279,9434953,-8472084,-583362,-13090771,455841,20461858,5491305 }, { 13669248,-16095482,-12481974,-10203039,-14569770,-11893198,-24995986,11293807,-28588204,-9421832 }, { 28497928,6272777,-33022994,14470570,8906179,-1225630,18504674,-14165166,29867745,-8795943 }, }, { { -16207023,13517196,-27799630,-13697798,24009064,-6373891,-6367600,-13175392,22853429,-4012011 }, { 
24191378,16712145,-13931797,15217831,14542237,1646131,18603514,-11037887,12876623,-2112447 }, { 17902668,4518229,-411702,-2829247,26878217,5258055,-12860753,608397,16031844,3723494 }, }, { { -28632773,12763728,-20446446,7577504,33001348,-13017745,17558842,-7872890,23896954,-4314245 }, { -20005381,-12011952,31520464,605201,2543521,5991821,-2945064,7229064,-9919646,-8826859 }, { 28816045,298879,-28165016,-15920938,19000928,-1665890,-12680833,-2949325,-18051778,-2082915 }, }, { { 16000882,-344896,3493092,-11447198,-29504595,-13159789,12577740,16041268,-19715240,7847707 }, { 10151868,10572098,27312476,7922682,14825339,4723128,-32855931,-6519018,-10020567,3852848 }, { -11430470,15697596,-21121557,-4420647,5386314,15063598,16514493,-15932110,29330899,-15076224 }, }, }, { { { -25499735,-4378794,-15222908,-6901211,16615731,2051784,3303702,15490,-27548796,12314391 }, { 15683520,-6003043,18109120,-9980648,15337968,-5997823,-16717435,15921866,16103996,-3731215 }, { -23169824,-10781249,13588192,-1628807,-3798557,-1074929,-19273607,5402699,-29815713,-9841101 }, }, { { 23190676,2384583,-32714340,3462154,-29903655,-1529132,-11266856,8911517,-25205859,2739713 }, { 21374101,-3554250,-33524649,9874411,15377179,11831242,-33529904,6134907,4931255,11987849 }, { -7732,-2978858,-16223486,7277597,105524,-322051,-31480539,13861388,-30076310,10117930 }, }, { { -29501170,-10744872,-26163768,13051539,-25625564,5089643,-6325503,6704079,12890019,15728940 }, { -21972360,-11771379,-951059,-4418840,14704840,2695116,903376,-10428139,12885167,8311031 }, { -17516482,5352194,10384213,-13811658,7506451,13453191,26423267,4384730,1888765,-5435404 }, }, { { -25817338,-3107312,-13494599,-3182506,30896459,-13921729,-32251644,-12707869,-19464434,-3340243 }, { -23607977,-2665774,-526091,4651136,5765089,4618330,6092245,14845197,17151279,-9854116 }, { -24830458,-12733720,-15165978,10367250,-29530908,-265356,22825805,-7087279,-16866484,16176525 }, }, { { 
-23583256,6564961,20063689,3798228,-4740178,7359225,2006182,-10363426,-28746253,-10197509 }, { -10626600,-4486402,-13320562,-5125317,3432136,-6393229,23632037,-1940610,32808310,1099883 }, { 15030977,5768825,-27451236,-2887299,-6427378,-15361371,-15277896,-6809350,2051441,-15225865 }, }, { { -3362323,-7239372,7517890,9824992,23555850,295369,5148398,-14154188,-22686354,16633660 }, { 4577086,-16752288,13249841,-15304328,19958763,-14537274,18559670,-10759549,8402478,-9864273 }, { -28406330,-1051581,-26790155,-907698,-17212414,-11030789,9453451,-14980072,17983010,9967138 }, }, { { -25762494,6524722,26585488,9969270,24709298,1220360,-1677990,7806337,17507396,3651560 }, { -10420457,-4118111,14584639,15971087,-15768321,8861010,26556809,-5574557,-18553322,-11357135 }, { 2839101,14284142,4029895,3472686,14402957,12689363,-26642121,8459447,-5605463,-7621941 }, }, { { -4839289,-3535444,9744961,2871048,25113978,3187018,-25110813,-849066,17258084,-7977739 }, { 18164541,-10595176,-17154882,-1542417,19237078,-9745295,23357533,-15217008,26908270,12150756 }, { -30264870,-7647865,5112249,-7036672,-1499807,-6974257,43168,-5537701,-32302074,16215819 }, }, }, { { { -6898905,9824394,-12304779,-4401089,-31397141,-6276835,32574489,12532905,-7503072,-8675347 }, { -27343522,-16515468,-27151524,-10722951,946346,16291093,254968,7168080,21676107,-1943028 }, { 21260961,-8424752,-16831886,-11920822,-23677961,3968121,-3651949,-6215466,-3556191,-7913075 }, }, { { 16544754,13250366,-16804428,15546242,-4583003,12757258,-2462308,-8680336,-18907032,-9662799 }, { -2415239,-15577728,18312303,4964443,-15272530,-12653564,26820651,16690659,25459437,-4564609 }, { -25144690,11425020,28423002,-11020557,-6144921,-15826224,9142795,-2391602,-6432418,-1644817 }, }, { { -23104652,6253476,16964147,-3768872,-25113972,-12296437,-27457225,-16344658,6335692,7249989 }, { -30333227,13979675,7503222,-12368314,-11956721,-4621693,-30272269,2682242,25993170,-12478523 }, { 
4364628,5930691,32304656,-10044554,-8054781,15091131,22857016,-10598955,31820368,15075278 }, }, { { 31879134,-8918693,17258761,90626,-8041836,-4917709,24162788,-9650886,-17970238,12833045 }, { 19073683,14851414,-24403169,-11860168,7625278,11091125,-19619190,2074449,-9413939,14905377 }, { 24483667,-11935567,-2518866,-11547418,-1553130,15355506,-25282080,9253129,27628530,-7555480 }, }, { { 17597607,8340603,19355617,552187,26198470,-3176583,4593324,-9157582,-14110875,15297016 }, { 510886,14337390,-31785257,16638632,6328095,2713355,-20217417,-11864220,8683221,2921426 }, { 18606791,11874196,27155355,-5281482,-24031742,6265446,-25178240,-1278924,4674690,13890525 }, }, { { 13609624,13069022,-27372361,-13055908,24360586,9592974,14977157,9835105,4389687,288396 }, { 9922506,-519394,13613107,5883594,-18758345,-434263,-12304062,8317628,23388070,16052080 }, { 12720016,11937594,-31970060,-5028689,26900120,8561328,-20155687,-11632979,-14754271,-10812892 }, }, { { 15961858,14150409,26716931,-665832,-22794328,13603569,11829573,7467844,-28822128,929275 }, { 11038231,-11582396,-27310482,-7316562,-10498527,-16307831,-23479533,-9371869,-21393143,2465074 }, { 20017163,-4323226,27915242,1529148,12396362,15675764,13817261,-9658066,2463391,-4622140 }, }, { { -16358878,-12663911,-12065183,4996454,-1256422,1073572,9583558,12851107,4003896,12673717 }, { -1731589,-15155870,-3262930,16143082,19294135,13385325,14741514,-9103726,7903886,2348101 }, { 24536016,-16515207,12715592,-3862155,1511293,10047386,-3842346,-7129159,-28377538,10048127 }, }, }, { { { -12622226,-6204820,30718825,2591312,-10617028,12192840,18873298,-7297090,-32297756,15221632 }, { -26478122,-11103864,11546244,-1852483,9180880,7656409,-21343950,2095755,29769758,6593415 }, { -31994208,-2907461,4176912,3264766,12538965,-868111,26312345,-6118678,30958054,8292160 }, }, { { 31429822,-13959116,29173532,15632448,12174511,-2760094,32808831,3977186,26143136,-3148876 }, { 
22648901,1402143,-22799984,13746059,7936347,365344,-8668633,-1674433,-3758243,-2304625 }, { -15491917,8012313,-2514730,-12702462,-23965846,-10254029,-1612713,-1535569,-16664475,8194478 }, }, { { 27338066,-7507420,-7414224,10140405,-19026427,-6589889,27277191,8855376,28572286,3005164 }, { 26287124,4821776,25476601,-4145903,-3764513,-15788984,-18008582,1182479,-26094821,-13079595 }, { -7171154,3178080,23970071,6201893,-17195577,-4489192,-21876275,-13982627,32208683,-1198248 }, }, { { -16657702,2817643,-10286362,14811298,6024667,13349505,-27315504,-10497842,-27672585,-11539858 }, { 15941029,-9405932,-21367050,8062055,31876073,-238629,-15278393,-1444429,15397331,-4130193 }, { 8934485,-13485467,-23286397,-13423241,-32446090,14047986,31170398,-1441021,-27505566,15087184 }, }, { { -18357243,-2156491,24524913,-16677868,15520427,-6360776,-15502406,11461896,16788528,-5868942 }, { -1947386,16013773,21750665,3714552,-17401782,-16055433,-3770287,-10323320,31322514,-11615635 }, { 21426655,-5650218,-13648287,-5347537,-28812189,-4920970,-18275391,-14621414,13040862,-12112948 }, }, { { 11293895,12478086,-27136401,15083750,-29307421,14748872,14555558,-13417103,1613711,4896935 }, { -25894883,15323294,-8489791,-8057900,25967126,-13425460,2825960,-4897045,-23971776,-11267415 }, { -15924766,-5229880,-17443532,6410664,3622847,10243618,20615400,12405433,-23753030,-8436416 }, }, { { -7091295,12556208,-20191352,9025187,-17072479,4333801,4378436,2432030,23097949,-566018 }, { 4565804,-16025654,20084412,-7842817,1724999,189254,24767264,10103221,-18512313,2424778 }, { 366633,-11976806,8173090,-6890119,30788634,5745705,-7168678,1344109,-3642553,12412659 }, }, { { -24001791,7690286,14929416,-168257,-32210835,-13412986,24162697,-15326504,-3141501,11179385 }, { 18289522,-14724954,8056945,16430056,-21729724,7842514,-6001441,-1486897,-18684645,-11443503 }, { 476239,6601091,-6152790,-9723375,17503545,-4863900,27672959,13403813,11052904,5219329 }, }, }, { { { 
20678546,-8375738,-32671898,8849123,-5009758,14574752,31186971,-3973730,9014762,-8579056 }, { -13644050,-10350239,-15962508,5075808,-1514661,-11534600,-33102500,9160280,8473550,-3256838 }, { 24900749,14435722,17209120,-15292541,-22592275,9878983,-7689309,-16335821,-24568481,11788948 }, }, { { -3118155,-11395194,-13802089,14797441,9652448,-6845904,-20037437,10410733,-24568470,-1458691 }, { -15659161,16736706,-22467150,10215878,-9097177,7563911,11871841,-12505194,-18513325,8464118 }, { -23400612,8348507,-14585951,-861714,-3950205,-6373419,14325289,8628612,33313881,-8370517 }, }, { { -20186973,-4967935,22367356,5271547,-1097117,-4788838,-24805667,-10236854,-8940735,-5818269 }, { -6948785,-1795212,-32625683,-16021179,32635414,-7374245,15989197,-12838188,28358192,-4253904 }, { -23561781,-2799059,-32351682,-1661963,-9147719,10429267,-16637684,4072016,-5351664,5596589 }, }, { { -28236598,-3390048,12312896,6213178,3117142,16078565,29266239,2557221,1768301,15373193 }, { -7243358,-3246960,-4593467,-7553353,-127927,-912245,-1090902,-4504991,-24660491,3442910 }, { -30210571,5124043,14181784,8197961,18964734,-11939093,22597931,7176455,-18585478,13365930 }, }, { { -7877390,-1499958,8324673,4690079,6261860,890446,24538107,-8570186,-9689599,-3031667 }, { 25008904,-10771599,-4305031,-9638010,16265036,15721635,683793,-11823784,15723479,-15163481 }, { -9660625,12374379,-27006999,-7026148,-7724114,-12314514,11879682,5400171,519526,-1235876 }, }, { { 22258397,-16332233,-7869817,14613016,-22520255,-2950923,-20353881,7315967,16648397,7605640 }, { -8081308,-8464597,-8223311,9719710,19259459,-15348212,23994942,-5281555,-9468848,4763278 }, { -21699244,9220969,-15730624,1084137,-25476107,-2852390,31088447,-7764523,-11356529,728112 }, }, { { 26047220,-11751471,-6900323,-16521798,24092068,9158119,-4273545,-12555558,-29365436,-5498272 }, { 17510331,-322857,5854289,8403524,17133918,-3112612,-28111007,12327945,10750447,10014012 }, { 
-10312768,3936952,9156313,-8897683,16498692,-994647,-27481051,-666732,3424691,7540221 }, }, { { 30322361,-6964110,11361005,-4143317,7433304,4989748,-7071422,-16317219,-9244265,15258046 }, { 13054562,-2779497,19155474,469045,-12482797,4566042,5631406,2711395,1062915,-5136345 }, { -19240248,-11254599,-29509029,-7499965,-5835763,13005411,-6066489,12194497,32960380,1459310 }, }, }, { { { 19852034,7027924,23669353,10020366,8586503,-6657907,394197,-6101885,18638003,-11174937 }, { 31395534,15098109,26581030,8030562,-16527914,-5007134,9012486,-7584354,-6643087,-5442636 }, { -9192165,-2347377,-1997099,4529534,25766844,607986,-13222,9677543,-32294889,-6456008 }, }, { { -2444496,-149937,29348902,8186665,1873760,12489863,-30934579,-7839692,-7852844,-8138429 }, { -15236356,-15433509,7766470,746860,26346930,-10221762,-27333451,10754588,-9431476,5203576 }, { 31834314,14135496,-770007,5159118,20917671,-16768096,-7467973,-7337524,31809243,7347066 }, }, { { -9606723,-11874240,20414459,13033986,13716524,-11691881,19797970,-12211255,15192876,-2087490 }, { -12663563,-2181719,1168162,-3804809,26747877,-14138091,10609330,12694420,33473243,-13382104 }, { 33184999,11180355,15832085,-11385430,-1633671,225884,15089336,-11023903,-6135662,14480053 }, }, { { 31308717,-5619998,31030840,-1897099,15674547,-6582883,5496208,13685227,27595050,8737275 }, { -20318852,-15150239,10933843,-16178022,8335352,-7546022,-31008351,-12610604,26498114,66511 }, { 22644454,-8761729,-16671776,4884562,-3105614,-13559366,30540766,-4286747,-13327787,-7515095 }, }, { { -28017847,9834845,18617207,-2681312,-3401956,-13307506,8205540,13585437,-17127465,15115439 }, { 23711543,-672915,31206561,-8362711,6164647,-9709987,-33535882,-1426096,8236921,16492939 }, { -23910559,-13515526,-26299483,-4503841,25005590,-7687270,19574902,10071562,6708380,-6222424 }, }, { { 2101391,-4930054,19702731,2367575,-15427167,1047675,5301017,9328700,29955601,-11678310 }, { 
3096359,9271816,-21620864,-15521844,-14847996,-7592937,-25892142,-12635595,-9917575,6216608 }, { -32615849,338663,-25195611,2510422,-29213566,-13820213,24822830,-6146567,-26767480,7525079 }, }, { { -23066649,-13985623,16133487,-7896178,-3389565,778788,-910336,-2782495,-19386633,11994101 }, { 21691500,-13624626,-641331,-14367021,3285881,-3483596,-25064666,9718258,-7477437,13381418 }, { 18445390,-4202236,14979846,11622458,-1727110,-3582980,23111648,-6375247,28535282,15779576 }, }, { { 30098053,3089662,-9234387,16662135,-21306940,11308411,-14068454,12021730,9955285,-16303356 }, { 9734894,-14576830,-7473633,-9138735,2060392,11313496,-18426029,9924399,20194861,13380996 }, { -26378102,-7965207,-22167821,15789297,-18055342,-6168792,-1984914,15707771,26342023,10146099 }, }, }, { { { -26016874,-219943,21339191,-41388,19745256,-2878700,-29637280,2227040,21612326,-545728 }, { -13077387,1184228,23562814,-5970442,-20351244,-6348714,25764461,12243797,-20856566,11649658 }, { -10031494,11262626,27384172,2271902,26947504,-15997771,39944,6114064,33514190,2333242 }, }, { { -21433588,-12421821,8119782,7219913,-21830522,-9016134,-6679750,-12670638,24350578,-13450001 }, { -4116307,-11271533,-23886186,4843615,-30088339,690623,-31536088,-10406836,8317860,12352766 }, { 18200138,-14475911,-33087759,-2696619,-23702521,-9102511,-23552096,-2287550,20712163,6719373 }, }, { { 26656208,6075253,-7858556,1886072,-28344043,4262326,11117530,-3763210,26224235,-3297458 }, { -17168938,-14854097,-3395676,-16369877,-19954045,14050420,21728352,9493610,18620611,-16428628 }, { -13323321,13325349,11432106,5964811,18609221,6062965,-5269471,-9725556,-30701573,-16479657 }, }, { { -23860538,-11233159,26961357,1640861,-32413112,-16737940,12248509,-5240639,13735342,1934062 }, { 25089769,6742589,17081145,-13406266,21909293,-16067981,-15136294,-3765346,-21277997,5473616 }, { 31883677,-7961101,1083432,-11572403,22828471,13290673,-7125085,12469656,29111212,-5451014 }, }, { { 
24244947,-15050407,-26262976,2791540,-14997599,16666678,24367466,6388839,-10295587,452383 }, { -25640782,-3417841,5217916,16224624,19987036,-4082269,-24236251,-5915248,15766062,8407814 }, { -20406999,13990231,15495425,16395525,5377168,15166495,-8917023,-4388953,-8067909,2276718 }, }, { { 30157918,12924066,-17712050,9245753,19895028,3368142,-23827587,5096219,22740376,-7303417 }, { 2041139,-14256350,7783687,13876377,-25946985,-13352459,24051124,13742383,-15637599,13295222 }, { 33338237,-8505733,12532113,7977527,9106186,-1715251,-17720195,-4612972,-4451357,-14669444 }, }, { { -20045281,5454097,-14346548,6447146,28862071,1883651,-2469266,-4141880,7770569,9620597 }, { 23208068,7979712,33071466,8149229,1758231,-10834995,30945528,-1694323,-33502340,-14767970 }, { 1439958,-16270480,-1079989,-793782,4625402,10647766,-5043801,1220118,30494170,-11440799 }, }, { { -5037580,-13028295,-2970559,-3061767,15640974,-6701666,-26739026,926050,-1684339,-13333647 }, { 13908495,-3549272,30919928,-6273825,-21521863,7989039,9021034,9078865,3353509,4033511 }, { -29663431,-15113610,32259991,-344482,24295849,-12912123,23161163,8839127,27485041,7356032 }, }, }, { { { 9661027,705443,11980065,-5370154,-1628543,14661173,-6346142,2625015,28431036,-16771834 }, { -23839233,-8311415,-25945511,7480958,-17681669,-8354183,-22545972,14150565,15970762,4099461 }, { 29262576,16756590,26350592,-8793563,8529671,-11208050,13617293,-9937143,11465739,8317062 }, }, { { -25493081,-6962928,32500200,-9419051,-23038724,-2302222,14898637,3848455,20969334,-5157516 }, { -20384450,-14347713,-18336405,13884722,-33039454,2842114,-21610826,-3649888,11177095,14989547 }, { -24496721,-11716016,16959896,2278463,12066309,10137771,13515641,2581286,-28487508,9930240 }, }, { { -17751622,-2097826,16544300,-13009300,-15914807,-14949081,18345767,-13403753,16291481,-5314038 }, { -33229194,2553288,32678213,9875984,8534129,6889387,-9676774,6957617,4368891,9788741 }, { 
16660756,7281060,-10830758,12911820,20108584,-8101676,-21722536,-8613148,16250552,-11111103 }, }, { { -19765507,2390526,-16551031,14161980,1905286,6414907,4689584,10604807,-30190403,4782747 }, { -1354539,14736941,-7367442,-13292886,7710542,-14155590,-9981571,4383045,22546403,437323 }, { 31665577,-12180464,-16186830,1491339,-18368625,3294682,27343084,2786261,-30633590,-14097016 }, }, { { -14467279,-683715,-33374107,7448552,19294360,14334329,-19690631,2355319,-19284671,-6114373 }, { 15121312,-15796162,6377020,-6031361,-10798111,-12957845,18952177,15496498,-29380133,11754228 }, { -2637277,-13483075,8488727,-14303896,12728761,-1622493,7141596,11724556,22761615,-10134141 }, }, { { 16918416,11729663,-18083579,3022987,-31015732,-13339659,-28741185,-12227393,32851222,11717399 }, { 11166634,7338049,-6722523,4531520,-29468672,-7302055,31474879,3483633,-1193175,-4030831 }, { -185635,9921305,31456609,-13536438,-12013818,13348923,33142652,6546660,-19985279,-3948376 }, }, { { -32460596,11266712,-11197107,-7899103,31703694,3855903,-8537131,-12833048,-30772034,-15486313 }, { -18006477,12709068,3991746,-6479188,-21491523,-10550425,-31135347,-16049879,10928917,3011958 }, { -6957757,-15594337,31696059,334240,29576716,14796075,-30831056,-12805180,18008031,10258577 }, }, { { -22448644,15655569,7018479,-4410003,-30314266,-1201591,-1853465,1367120,25127874,6671743 }, { 29701166,-14373934,-10878120,9279288,-17568,13127210,21382910,11042292,25838796,4642684 }, { -20430234,14955537,-24126347,8124619,-5369288,-5990470,30468147,-13900640,18423289,4177476 }, }, }, XEdDSA-0.4.6/ref10/crypto_sign/ge_p3_to_cached.c0000644000175000017500000000036613372774360021137 0ustar useruser00000000000000#include "ge.h" /* r = p */ static const fe d2 = { #include "d2.h" } ; extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p) { fe_add(r->YplusX,p->Y,p->X); fe_sub(r->YminusX,p->Y,p->X); fe_copy(r->Z,p->Z); fe_mul(r->T2d,p->T,d2); } 
XEdDSA-0.4.6/ref10/crypto_sign/fe_mul.c0000644000175000017500000002477013372774360017425 0ustar useruser00000000000000#include "fe.h" #include "crypto_int64.h" /* h = f * g Can overlap h with f or g. Preconditions: |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. Postconditions: |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. */ /* Notes on implementation strategy: Using schoolbook multiplication. Karatsuba would save a little in some cost models. Most multiplications by 2 and 19 are 32-bit precomputations; cheaper than 64-bit postcomputations. There is one remaining multiplication by 19 in the carry chain; one *19 precomputation can be merged into this, but the resulting data flow is considerably less clean. There are 12 carries below. 10 of them are 2-way parallelizable and vectorizable. Can get away with 11 carries, but then data flow is much deeper. With tighter constraints on inputs can squeeze carries into int32. 
*/ void fe_mul(fe h,const fe f,const fe g) { crypto_int32 f0 = f[0]; crypto_int32 f1 = f[1]; crypto_int32 f2 = f[2]; crypto_int32 f3 = f[3]; crypto_int32 f4 = f[4]; crypto_int32 f5 = f[5]; crypto_int32 f6 = f[6]; crypto_int32 f7 = f[7]; crypto_int32 f8 = f[8]; crypto_int32 f9 = f[9]; crypto_int32 g0 = g[0]; crypto_int32 g1 = g[1]; crypto_int32 g2 = g[2]; crypto_int32 g3 = g[3]; crypto_int32 g4 = g[4]; crypto_int32 g5 = g[5]; crypto_int32 g6 = g[6]; crypto_int32 g7 = g[7]; crypto_int32 g8 = g[8]; crypto_int32 g9 = g[9]; crypto_int32 g1_19 = 19 * g1; /* 1.959375*2^29 */ crypto_int32 g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ crypto_int32 g3_19 = 19 * g3; crypto_int32 g4_19 = 19 * g4; crypto_int32 g5_19 = 19 * g5; crypto_int32 g6_19 = 19 * g6; crypto_int32 g7_19 = 19 * g7; crypto_int32 g8_19 = 19 * g8; crypto_int32 g9_19 = 19 * g9; crypto_int32 f1_2 = 2 * f1; crypto_int32 f3_2 = 2 * f3; crypto_int32 f5_2 = 2 * f5; crypto_int32 f7_2 = 2 * f7; crypto_int32 f9_2 = 2 * f9; crypto_int64 f0g0 = f0 * (crypto_int64) g0; crypto_int64 f0g1 = f0 * (crypto_int64) g1; crypto_int64 f0g2 = f0 * (crypto_int64) g2; crypto_int64 f0g3 = f0 * (crypto_int64) g3; crypto_int64 f0g4 = f0 * (crypto_int64) g4; crypto_int64 f0g5 = f0 * (crypto_int64) g5; crypto_int64 f0g6 = f0 * (crypto_int64) g6; crypto_int64 f0g7 = f0 * (crypto_int64) g7; crypto_int64 f0g8 = f0 * (crypto_int64) g8; crypto_int64 f0g9 = f0 * (crypto_int64) g9; crypto_int64 f1g0 = f1 * (crypto_int64) g0; crypto_int64 f1g1_2 = f1_2 * (crypto_int64) g1; crypto_int64 f1g2 = f1 * (crypto_int64) g2; crypto_int64 f1g3_2 = f1_2 * (crypto_int64) g3; crypto_int64 f1g4 = f1 * (crypto_int64) g4; crypto_int64 f1g5_2 = f1_2 * (crypto_int64) g5; crypto_int64 f1g6 = f1 * (crypto_int64) g6; crypto_int64 f1g7_2 = f1_2 * (crypto_int64) g7; crypto_int64 f1g8 = f1 * (crypto_int64) g8; crypto_int64 f1g9_38 = f1_2 * (crypto_int64) g9_19; crypto_int64 f2g0 = f2 * (crypto_int64) g0; crypto_int64 f2g1 = f2 * (crypto_int64) g1; crypto_int64 f2g2 = f2 
* (crypto_int64) g2; crypto_int64 f2g3 = f2 * (crypto_int64) g3; crypto_int64 f2g4 = f2 * (crypto_int64) g4; crypto_int64 f2g5 = f2 * (crypto_int64) g5; crypto_int64 f2g6 = f2 * (crypto_int64) g6; crypto_int64 f2g7 = f2 * (crypto_int64) g7; crypto_int64 f2g8_19 = f2 * (crypto_int64) g8_19; crypto_int64 f2g9_19 = f2 * (crypto_int64) g9_19; crypto_int64 f3g0 = f3 * (crypto_int64) g0; crypto_int64 f3g1_2 = f3_2 * (crypto_int64) g1; crypto_int64 f3g2 = f3 * (crypto_int64) g2; crypto_int64 f3g3_2 = f3_2 * (crypto_int64) g3; crypto_int64 f3g4 = f3 * (crypto_int64) g4; crypto_int64 f3g5_2 = f3_2 * (crypto_int64) g5; crypto_int64 f3g6 = f3 * (crypto_int64) g6; crypto_int64 f3g7_38 = f3_2 * (crypto_int64) g7_19; crypto_int64 f3g8_19 = f3 * (crypto_int64) g8_19; crypto_int64 f3g9_38 = f3_2 * (crypto_int64) g9_19; crypto_int64 f4g0 = f4 * (crypto_int64) g0; crypto_int64 f4g1 = f4 * (crypto_int64) g1; crypto_int64 f4g2 = f4 * (crypto_int64) g2; crypto_int64 f4g3 = f4 * (crypto_int64) g3; crypto_int64 f4g4 = f4 * (crypto_int64) g4; crypto_int64 f4g5 = f4 * (crypto_int64) g5; crypto_int64 f4g6_19 = f4 * (crypto_int64) g6_19; crypto_int64 f4g7_19 = f4 * (crypto_int64) g7_19; crypto_int64 f4g8_19 = f4 * (crypto_int64) g8_19; crypto_int64 f4g9_19 = f4 * (crypto_int64) g9_19; crypto_int64 f5g0 = f5 * (crypto_int64) g0; crypto_int64 f5g1_2 = f5_2 * (crypto_int64) g1; crypto_int64 f5g2 = f5 * (crypto_int64) g2; crypto_int64 f5g3_2 = f5_2 * (crypto_int64) g3; crypto_int64 f5g4 = f5 * (crypto_int64) g4; crypto_int64 f5g5_38 = f5_2 * (crypto_int64) g5_19; crypto_int64 f5g6_19 = f5 * (crypto_int64) g6_19; crypto_int64 f5g7_38 = f5_2 * (crypto_int64) g7_19; crypto_int64 f5g8_19 = f5 * (crypto_int64) g8_19; crypto_int64 f5g9_38 = f5_2 * (crypto_int64) g9_19; crypto_int64 f6g0 = f6 * (crypto_int64) g0; crypto_int64 f6g1 = f6 * (crypto_int64) g1; crypto_int64 f6g2 = f6 * (crypto_int64) g2; crypto_int64 f6g3 = f6 * (crypto_int64) g3; crypto_int64 f6g4_19 = f6 * (crypto_int64) g4_19; 
crypto_int64 f6g5_19 = f6 * (crypto_int64) g5_19; crypto_int64 f6g6_19 = f6 * (crypto_int64) g6_19; crypto_int64 f6g7_19 = f6 * (crypto_int64) g7_19; crypto_int64 f6g8_19 = f6 * (crypto_int64) g8_19; crypto_int64 f6g9_19 = f6 * (crypto_int64) g9_19; crypto_int64 f7g0 = f7 * (crypto_int64) g0; crypto_int64 f7g1_2 = f7_2 * (crypto_int64) g1; crypto_int64 f7g2 = f7 * (crypto_int64) g2; crypto_int64 f7g3_38 = f7_2 * (crypto_int64) g3_19; crypto_int64 f7g4_19 = f7 * (crypto_int64) g4_19; crypto_int64 f7g5_38 = f7_2 * (crypto_int64) g5_19; crypto_int64 f7g6_19 = f7 * (crypto_int64) g6_19; crypto_int64 f7g7_38 = f7_2 * (crypto_int64) g7_19; crypto_int64 f7g8_19 = f7 * (crypto_int64) g8_19; crypto_int64 f7g9_38 = f7_2 * (crypto_int64) g9_19; crypto_int64 f8g0 = f8 * (crypto_int64) g0; crypto_int64 f8g1 = f8 * (crypto_int64) g1; crypto_int64 f8g2_19 = f8 * (crypto_int64) g2_19; crypto_int64 f8g3_19 = f8 * (crypto_int64) g3_19; crypto_int64 f8g4_19 = f8 * (crypto_int64) g4_19; crypto_int64 f8g5_19 = f8 * (crypto_int64) g5_19; crypto_int64 f8g6_19 = f8 * (crypto_int64) g6_19; crypto_int64 f8g7_19 = f8 * (crypto_int64) g7_19; crypto_int64 f8g8_19 = f8 * (crypto_int64) g8_19; crypto_int64 f8g9_19 = f8 * (crypto_int64) g9_19; crypto_int64 f9g0 = f9 * (crypto_int64) g0; crypto_int64 f9g1_38 = f9_2 * (crypto_int64) g1_19; crypto_int64 f9g2_19 = f9 * (crypto_int64) g2_19; crypto_int64 f9g3_38 = f9_2 * (crypto_int64) g3_19; crypto_int64 f9g4_19 = f9 * (crypto_int64) g4_19; crypto_int64 f9g5_38 = f9_2 * (crypto_int64) g5_19; crypto_int64 f9g6_19 = f9 * (crypto_int64) g6_19; crypto_int64 f9g7_38 = f9_2 * (crypto_int64) g7_19; crypto_int64 f9g8_19 = f9 * (crypto_int64) g8_19; crypto_int64 f9g9_38 = f9_2 * (crypto_int64) g9_19; crypto_int64 h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; crypto_int64 h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; crypto_int64 h2 = f0g2+f1g1_2 +f2g0 
+f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; crypto_int64 h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; crypto_int64 h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; crypto_int64 h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; crypto_int64 h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; crypto_int64 h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; crypto_int64 h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38; crypto_int64 h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; crypto_int64 carry0; crypto_int64 carry1; crypto_int64 carry2; crypto_int64 carry3; crypto_int64 carry4; crypto_int64 carry5; crypto_int64 carry6; crypto_int64 carry7; crypto_int64 carry8; crypto_int64 carry9; /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) i.e. 
|h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */ carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; /* |h0| <= 2^25 */ /* |h4| <= 2^25 */ /* |h1| <= 1.71*2^59 */ /* |h5| <= 1.71*2^59 */ carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; /* |h1| <= 2^24; from now on fits into int32 */ /* |h5| <= 2^24; from now on fits into int32 */ /* |h2| <= 1.41*2^60 */ /* |h6| <= 1.41*2^60 */ carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; /* |h2| <= 2^25; from now on fits into int32 unchanged */ /* |h6| <= 2^25; from now on fits into int32 unchanged */ /* |h3| <= 1.71*2^59 */ /* |h7| <= 1.71*2^59 */ carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; /* |h3| <= 2^24; from now on fits into int32 unchanged */ /* |h7| <= 2^24; from now on fits into int32 unchanged */ /* |h4| <= 1.72*2^34 */ /* |h8| <= 1.41*2^60 */ carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; /* |h4| <= 2^25; from now on fits into int32 unchanged */ /* |h8| <= 2^25; from now on fits into int32 unchanged */ /* |h5| <= 1.01*2^24 */ /* |h9| <= 1.71*2^59 */ carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; /* |h9| <= 2^24; from now on fits into int32 unchanged */ /* |h0| <= 1.1*2^39 */ carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; /* |h0| <= 2^25; from now on fits into int32 unchanged */ /* |h1| <= 1.01*2^24 */ h[0] = h0; h[1] = h1; h[2] = h2; h[3] = h3; h[4] = h4; h[5] = h5; h[6] = h6; h[7] = h7; h[8] 
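= h8; h[9] = h9; }
XEdDSA-0.4.6/ref10/crypto_sign/keypair.c0000644000175000017500000000063713372774360017616 0ustar useruser00000000000000
#include <string.h> /* memmove; the header name was lost in extraction */
#include "randombytes.h"
#include "crypto_sign.h"
#include "crypto_hash_sha512.h"
#include "ge.h"

/*
Generate an Ed25519 key pair.

pk: output, 32 bytes, the encoded public point A = az * B.
sk: output, 64 bytes: a fresh 32-byte random seed followed by a copy of pk.

Always returns 0. randombytes() is called as a void function here, so a
failing random source cannot be reported through this interface.
*/
int crypto_sign_keypair(unsigned char *pk,unsigned char *sk)
{
  unsigned char az[64];
  /* Wipe through a volatile pointer so the stores are not optimised away. */
  volatile unsigned char *wipe = az;
  ge_p3 A;
  int i;

  randombytes(sk,32);
  crypto_hash_sha512(az,sk,32);

  /* Clamp the scalar held in az[0..31]: clear the three low bits,
     clear the top bit and set bit 254. */
  az[0] &= 248;
  az[31] &= 63;
  az[31] |= 64;

  ge_scalarmult_base(&A,az);
  ge_p3_tobytes(pk,&A);

  memmove(sk + 32,pk,32);

  /* az is the SHA-512 of the seed and contains the clamped secret scalar;
     do not leave it on the stack once the public key has been derived. */
  for (i = 0;i < 64;++i) wipe[i] = 0;

  return 0;
}
XEdDSA-0.4.6/ref10/crypto_sign/ge_p3_to_p2.c0000644000175000017500000000022513372774360020243 0ustar useruser00000000000000
#include "ge.h"

/*
r = p
Copies X, Y and Z of the ge_p3 point; its T member is not carried over.
*/
extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
{
  fe_copy(r->X,p->X);
  fe_copy(r->Y,p->Y);
  fe_copy(r->Z,p->Z);
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_tobytes.c0000644000175000017500000000616513372774360020317 0ustar useruser00000000000000
/* NOTE(review): in the fe_tobytes.c text below, everything between "Then 0" and "> 25;" was lost in extraction, including the end of the proof comment, the function signature and the start of its body. */
#include "fe.h" /* Preconditions: |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. Write p=2^255-19; q=floor(h/p). Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). Proof: Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). Then 0> 25; q = (h0 + q) >> 26; q = (h1 + q) >> 25; q = (h2 + q) >> 26; q = (h3 + q) >> 25; q = (h4 + q) >> 26; q = (h5 + q) >> 25; q = (h6 + q) >> 26; q = (h7 + q) >> 25; q = (h8 + q) >> 26; q = (h9 + q) >> 25; /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ h0 += 19 * q; /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. 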
*/ carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26; carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25; carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26; carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25; carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26; carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25; carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26; carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25; carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26; carry9 = h9 >> 25; h9 -= carry9 << 25; /* h10 = carry9 */ /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. Have h0+...+2^230 h9 between 0 and 2^255-1; evidently 2^255 h10-2^255 q = 0. Goal: Output h0+...+2^230 h9. */ s[0] = h0 >> 0; s[1] = h0 >> 8; s[2] = h0 >> 16; s[3] = (h0 >> 24) | (h1 << 2); s[4] = h1 >> 6; s[5] = h1 >> 14; s[6] = (h1 >> 22) | (h2 << 3); s[7] = h2 >> 5; s[8] = h2 >> 13; s[9] = (h2 >> 21) | (h3 << 5); s[10] = h3 >> 3; s[11] = h3 >> 11; s[12] = (h3 >> 19) | (h4 << 6); s[13] = h4 >> 2; s[14] = h4 >> 10; s[15] = h4 >> 18; s[16] = h5 >> 0; s[17] = h5 >> 8; s[18] = h5 >> 16; s[19] = (h5 >> 24) | (h6 << 1); s[20] = h6 >> 7; s[21] = h6 >> 15; s[22] = (h6 >> 23) | (h7 << 3); s[23] = h7 >> 5; s[24] = h7 >> 13; s[25] = (h7 >> 21) | (h8 << 4); s[26] = h8 >> 4; s[27] = h8 >> 12; s[28] = (h8 >> 20) | (h9 << 6); s[29] = h9 >> 2; s[30] = h9 >> 10; s[31] = h9 >> 18; }
XEdDSA-0.4.6/ref10/crypto_sign/ge_scalarmult_base.c0000644000175000017500000000465513372774360021772 0ustar useruser00000000000000
#include "ge.h"
#include "crypto_uint32.h"

/*
Return 1 if b == c, else 0.
The result is computed with XOR, a subtraction and a shift only; there is
no comparison or branch on b or c.
*/
static unsigned char equal(signed char b,signed char c)
{
  unsigned char ub = b;
  unsigned char uc = c;
  unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
  crypto_uint32 y = x; /* 0: yes; 1..255: no */
  y -= 1; /* 4294967295: yes; 0..254: no */
  y >>= 31; /* 1: yes; 0: no */
  return y;
}

/*
Return 1 if b < 0, else 0.
b is converted to a 64-bit unsigned value and its top bit is shifted down,
again without a branch on b.
*/
static unsigned char negative(signed char b)
{
  unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
  x >>= 63; /* 1: yes; 0: no */
  return x;
}

/*
Apply fe_cmov to each of the three members of *t, with source *u and flag b.
Presumably fe_cmov replaces the destination with the source when b is 1 and
leaves it unchanged when b is 0 -- confirm against fe_cmov.
*/
static void cmov(ge_precomp *t,ge_precomp *u,unsigned char b)
{
  fe_cmov(t->yplusx,u->yplusx,b);
  fe_cmov(t->yminusx,u->yminusx,b);
  fe_cmov(t->xy2d,u->xy2d,b);
}

/* base[i][j] = (j+1)*256^i*B */
static ge_precomp base[32][8] = {
#include "base.h"
} ;

/*
Set *t to b * 256^pos * B for a signed digit b in -8..8.

All eight entries of base[pos] are passed to cmov on every call, with the
flag equal(babs,k) choosing the one that is kept, so the table index used
does not depend on b. The negated candidate is always built and then
chosen with cmov on the sign flag.

pos indexes base[] without a range check; the calls in ge_scalarmult_base
pass i / 2 with i < 64.
*/
static void select(ge_precomp *t,int pos,signed char b)
{
  ge_precomp minust;
  unsigned char bnegative = negative(b);
  /* babs = |b|: when b is negative, (-bnegative) & b is b, so this is b - 2b. */
  unsigned char babs = b - (((-bnegative) & b) << 1);

  ge_precomp_0(t);
  cmov(t,&base[pos][0],equal(babs,1));
  cmov(t,&base[pos][1],equal(babs,2));
  cmov(t,&base[pos][2],equal(babs,3));
  cmov(t,&base[pos][3],equal(babs,4));
  cmov(t,&base[pos][4],equal(babs,5));
  cmov(t,&base[pos][5],equal(babs,6));
  cmov(t,&base[pos][6],equal(babs,7));
  cmov(t,&base[pos][7],equal(babs,8));
  /* Negation candidate: swap yplusx and yminusx, negate xy2d. */
  fe_copy(minust.yplusx,t->yminusx);
  fe_copy(minust.yminusx,t->yplusx);
  fe_neg(minust.xy2d,t->xy2d);
  cmov(t,&minust,bnegative);
}

/*
h = a * B
where a = a[0]+256*a[1]+...+256^31 a[31]
B is the Ed25519 base point (x,4/5) with x positive.

Preconditions:
  a[31] <= 127

The scalar is split into 64 four-bit digits, recoded to signed digits, and
consumed in two passes (odd digits, four doublings, even digits).
The digit array e[] is derived from the scalar and is not cleared before
the function returns.
*/
void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
{
  signed char e[64];
  signed char carry;
  ge_p1p1 r;
  ge_p2 s;
  ge_precomp t;
  int i;

  /* Split each byte of a into a low and a high nibble. */
  for (i = 0;i < 32;++i) {
    e[2 * i + 0] = (a[i] >> 0) & 15;
    e[2 * i + 1] = (a[i] >> 4) & 15;
  }
  /* each e[i] is between 0 and 15 */
  /* e[63] is between 0 and 7 */

  /* Recode to signed digits, carrying into the next digit. */
  carry = 0;
  for (i = 0;i < 63;++i) {
    e[i] += carry;
    carry = e[i] + 8;
    carry >>= 4;
    e[i] -= carry << 4;
  }
  e[63] += carry;
  /* each e[i] is between -8 and 8 */

  /* Pass 1: accumulate the odd-indexed digits. */
  ge_p3_0(h);
  for (i = 1;i < 64;i += 2) {
    select(&t,i / 2,e[i]);
    ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
  }

  /* Four doublings. */
  ge_p3_dbl(&r,h);  ge_p1p1_to_p2(&s,&r);
  ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
  ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
  ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);

  /* Pass 2: accumulate the even-indexed digits. */
  for (i = 0;i < 64;i += 2) {
    select(&t,i / 2,e[i]);
    ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
  }
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_copy.c0000644000175000017500000000070613372774360017573 0ustar useruser00000000000000
#include "fe.h"

/*
h = f
All ten limbs of f are read into locals before any limb of h is written.
*/
void fe_copy(fe h,const fe f)
{
  crypto_int32 f0 = f[0];
  crypto_int32 f1 = f[1];
  crypto_int32 f2 = f[2];
  crypto_int32 f3 = f[3];
  crypto_int32 f4 = f[4];
  crypto_int32 f5 = f[5];
  crypto_int32 f6 = f[6];
  crypto_int32 f7 = f[7];
  crypto_int32 f8 = f[8];
  crypto_int32 f9 = f[9];
  h[0] = f0;
  h[1] = f1;
  h[2] = f2;
  h[3] = f3;
  h[4] = f4;
  h[5] = f5;
  h[6] = f6;
  h[7] = f7;
  h[8] = f8;
  h[9] = f9;
}
XEdDSA-0.4.6/ref10/crypto_sign/fe_invert.c0000644000175000017500000000020713372774360020124 0ustar useruser00000000000000
#include "fe.h"

/*
Field inversion of z into out, going by the name.
The whole computation comes from the included pow225521.h, which is not
part of this listing; t0..t3 and i are the temporaries it uses.
*/
void fe_invert(fe out,const fe z)
{
  fe t0;
  fe t1;
  fe t2;
  fe t3;
  int i;

#include "pow225521.h"

  return;
}
XEdDSA-0.4.6/ref10/crypto_sign/ge_madd.c0000644000175000017500000000020013372774360017514 0ustar useruser00000000000000
#include "ge.h"

/*
r = p + q
The body comes from the included ge_madd.h, which is not part of this listing.
*/
void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{
  fe t0;
#include "ge_madd.h"
}
XEdDSA-0.4.6/ref10/crypto_sign/sc.h0000644000175000017500000000076213372774360016563 0ustar useruser00000000000000
#include "cross_platform.h"

#ifndef SC_H
#define SC_H

/*
The set of scalars is \Z/l
where l = 2^252 + 27742317777372353535851937790883648493.
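*/

#define sc_reduce crypto_sign_ed25519_ref10_sc_reduce
#define sc_muladd crypto_sign_ed25519_ref10_sc_muladd

#ifdef __cplusplus
extern "C" {
#endif

extern void INTERFACE sc_reduce(unsigned char *);
extern void INTERFACE sc_muladd(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *);

#ifdef __cplusplus
}
#endif

#endif
XEdDSA-0.4.6/ref10/crypto_sign/d2.h0000644000175000017500000000013213372774360016452 0ustar useruser00000000000000
-21827239,-5839606,-30745221,13898782,229458,15978800,-12551817,-6495438,29715968,9444199
XEdDSA-0.4.6/ref10/crypto_sign/ge_p2_0.c0000644000175000017500000000012613372774360017356 0ustar useruser00000000000000
#include "ge.h"

/* Initialise h: fe_0 on X, fe_1 on Y and Z (presumably the field elements 0 and 1). */
void ge_p2_0(ge_p2 *h)
{
  fe_0(h->X);
  fe_1(h->Y);
  fe_1(h->Z);
}
XEdDSA-0.4.6/ref10/kernelrandombytes/0000755000175000017500000000000013407120556017157 5ustar useruser00000000000000
XEdDSA-0.4.6/ref10/kernelrandombytes/getrandom2.c0000644000175000017500000000053013372774360021374 0ustar useruser00000000000000
#include "kernelrandombytes.h"
#include /* header name lost in extraction */
#include /* header name lost in extraction */

/*
Fill x[0..xlen-1] from getrandom(), at most 1048576 bytes per call.
A return value below 1 is treated as a failure: wait a second and retry.
The function does not return until the whole buffer has been filled.
*/
void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  while (xlen > 0) {
    if (xlen < 1048576) i = xlen; else i = 1048576;

    i = getrandom(x,i,0);
    if (i < 1) {
      sleep(1);
      continue;
    }
    x += i;
    xlen -= i;
  }
}
XEdDSA-0.4.6/ref10/kernelrandombytes/getrandom3.c0000644000175000017500000000053713372774360021404 0ustar useruser00000000000000
#include "kernelrandombytes.h"
#include /* header name lost in extraction */
#include /* header name lost in extraction */

/*
Same contract as the getrandom() variant, but the call is made through
syscall(SYS_getrandom, ...).
*/
void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  while (xlen > 0) {
    if (xlen < 1048576) i = xlen; else i = 1048576;

    i = syscall(SYS_getrandom,x,i,0);
    if (i < 1) {
      sleep(1);
      continue;
    }
    x += i;
    xlen -= i;
  }
}
XEdDSA-0.4.6/ref10/kernelrandombytes/getentropy2.c0000644000175000017500000000037013372774360021616 0ustar useruser00000000000000
#include "kernelrandombytes.h"
#include /* header name lost in extraction */
#include <unistd.h> /* sleep() */

/*
Fill x[0..xlen-1] from getentropy(), 256 bytes at a time.

getentropy() returns 0 on success and -1 on failure. The result must be
checked: an ignored failure would leave part of x unfilled, and callers
use this buffer as key material. The interface is void, so the only safe
reaction is the one the getrandom variants use: wait and retry until the
chunk has been produced.
*/
void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  while (xlen > 0) {
    if (xlen < 256) i = xlen; else i = 256;

    if (getentropy(x,i) != 0) {
      sleep(1);
      continue;
    }
    x += i;
    xlen -= i;
  }
}
XEdDSA-0.4.6/ref10/kernelrandombytes/getentropy.c0000644000175000017500000000037413372774360021540 0ustar useruser00000000000000
#include "kernelrandombytes.h"
#include /* header name lost in extraction */
#include <unistd.h> /* sleep() */

/*
Fill x[0..xlen-1] from getentropy(), 256 bytes at a time.

As in the other getentropy variant, a failed call is retried after a
second instead of being ignored, so the function never returns with
bytes of x that the kernel did not write.
*/
void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  while (xlen > 0) {
    if (xlen < 256) i = xlen; else i = 256;

    if (getentropy(x,i) != 0) {
      sleep(1);
      continue;
    }
    x += i;
    xlen -= i;
  }
}
XEdDSA-0.4.6/ref10/kernelrandombytes/kernelrandombytes.h0000644000175000017500000000036013372774360023070 0ustar useruser00000000000000
#include "cross_platform.h"

#ifndef kernelrandombytes_h
#define kernelrandombytes_h

#ifdef __cplusplus
extern "C" {
#endif

/* Fills the buffer completely; there is no return value to report a failure. */
extern void INTERFACE kernelrandombytes(unsigned char *,unsigned long long);

#ifdef __cplusplus
}
#endif

#endif
XEdDSA-0.4.6/ref10/kernelrandombytes/test.c0000644000175000017500000000057613372774360020323 0ustar useruser00000000000000
#include "kernelrandombytes.h"

unsigned char x[65536];
unsigned long long freq[256];

/*
Smoke test: three times, fill a 65536-byte buffer and exit with 111 if any
of the 256 byte values never occurs. It catches an unfilled or constant
buffer; it says nothing about the quality of the random source.
*/
int main()
{
  unsigned long long i;
  unsigned long long j;

  for (j = 0;j < 3;++j) {
    kernelrandombytes(x,sizeof x);
    for (i = 0;i < 256;++i) freq[i] = 0;
    for (i = 0;i < sizeof x;++i) ++freq[255 & (int) x[i]];
    for (i = 0;i < 256;++i) if (!freq[i]) return 111;
  }
  return 0;
}
XEdDSA-0.4.6/ref10/kernelrandombytes/getrandom.c0000644000175000017500000000052613372774360021317 0ustar useruser00000000000000
#include "kernelrandombytes.h"
#include /* header name lost in extraction */
#include /* header name lost in extraction */

/*
Fill x[0..xlen-1] from getrandom(), at most 1048576 bytes per call,
retrying after a second whenever the call returns less than 1.
*/
void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  while (xlen > 0) {
    if (xlen < 1048576) i = xlen; else i = 1048576;

    i = getrandom(x,i,0);
    if (i < 1) {
      sleep(1);
      continue;
    }
    x += i;
    xlen -= i;
  }
}
XEdDSA-0.4.6/ref10/kernelrandombytes/module.h0000644000175000017500000000014513372774360020626 0ustar useruser00000000000000
// #include "kernelrandombytes.h"
extern void kernelrandombytes(unsigned char *,unsigned long long);
XEdDSA-0.4.6/ref10/kernelrandombytes/rtlgenrandom.c0000644000175000017500000000066213372774360022034 0ustar useruser00000000000000
#include "kernelrandombytes.h"
#include /* header name lost in extraction */
#include <windows.h> /* Sleep(), and the PVOID/ULONG/BOOLEAN/NTAPI names used below */

#define RtlGenRandom SystemFunction036
#ifdef __cplusplus
extern "C" {
#endif
BOOLEAN NTAPI RtlGenRandom(PVOID RandomBuffer, ULONG RandomBufferLength);
#ifdef __cplusplus
}
#endif

/*
Fill x[0..xlen-1] from RtlGenRandom(), 256 bytes at a time.

RtlGenRandom() returns FALSE on failure. The result is checked so that a
failed call cannot leave part of x unfilled; as in the POSIX variants the
chunk is retried after a one-second pause.
*/
void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  while (xlen > 0) {
    if (xlen < 256) i = xlen; else i = 256;

    if (!RtlGenRandom(x, i)) {
      Sleep(1000);
      continue;
    }
    x += i;
    xlen -= i;
  }
}
XEdDSA-0.4.6/ref10/kernelrandombytes/urandom.c0000644000175000017500000000102013372774360020772 0ustar useruser00000000000000
#include "kernelrandombytes.h"
#include /* header name lost in extraction */
#include /* header name lost in extraction */
#include /* header name lost in extraction */
#include /* header name lost in extraction */

/* Descriptor for /dev/urandom; opened on first use and kept open afterwards. */
static int fd = -1;

/*
Fill x[0..xlen-1] by reading /dev/urandom, at most 1048576 bytes per read().
Both a failed open() and a read() returning less than 1 are retried after
a one-second pause, so the function returns only with a full buffer.
*/
void kernelrandombytes(unsigned char *x,unsigned long long xlen)
{
  int i;

  if (fd == -1) {
    for (;;) {
      fd = open("/dev/urandom",O_RDONLY);
      if (fd != -1) break;
      sleep(1);
    }
  }

  while (xlen > 0) {
    if (xlen < 1048576) i = xlen; else i = 1048576;

    i = read(fd,x,i);
    if (i < 1) {
      sleep(1);
      continue;
    }

    x += i;
    xlen -= i;
  }
}
XEdDSA-0.4.6/ref10/crypto_hashblocks/0000755000175000017500000000000013407120556017150 5ustar useruser00000000000000
XEdDSA-0.4.6/ref10/crypto_hashblocks/blocks.c0000644000175000017500000001444313372774360020610 0ustar useruser00000000000000
#include "crypto_hashblocks.h"

typedef unsigned long long uint64;

/* Read eight bytes at x as a big-endian 64-bit value (x[0] is the most significant byte). */
static uint64 load_bigendian(const unsigned char *x)
{
  return
      (uint64) (x[7]) \
  | (((uint64) (x[6])) << 8) \
  | (((uint64) (x[5])) << 16) \
  | (((uint64) (x[4])) << 24) \
  | (((uint64) (x[3])) << 32) \
  | (((uint64) (x[2])) << 40) \
  | (((uint64) (x[1])) << 48) \
  | (((uint64) (x[0])) << 56)
  ;
}

/* Write u to x[0..7] in big-endian order. */
static void store_bigendian(unsigned char *x,uint64 u)
{
  x[7] = u; u >>= 8;
  x[6] = u; u >>= 8;
  x[5] = u; u >>= 8;
  x[4] = u; u >>= 8;
  x[3] = u; u >>= 8;
  x[2] = u; u >>= 8;
  x[1] = u; u >>= 8;
  x[0] = u;
}

#define SHR(x,c) ((x) >> (c))
#define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c))))

#define Ch(x,y,z) ((x & y) ^ (~x & z))
#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
#define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
#define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
#define sigma0(x) (ROTR(x, 1) 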
^ ROTR(x, 8) ^ SHR(x,7)) #define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6)) #define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0; #define EXPAND \ M(w0 ,w14,w9 ,w1 ) \ M(w1 ,w15,w10,w2 ) \ M(w2 ,w0 ,w11,w3 ) \ M(w3 ,w1 ,w12,w4 ) \ M(w4 ,w2 ,w13,w5 ) \ M(w5 ,w3 ,w14,w6 ) \ M(w6 ,w4 ,w15,w7 ) \ M(w7 ,w5 ,w0 ,w8 ) \ M(w8 ,w6 ,w1 ,w9 ) \ M(w9 ,w7 ,w2 ,w10) \ M(w10,w8 ,w3 ,w11) \ M(w11,w9 ,w4 ,w12) \ M(w12,w10,w5 ,w13) \ M(w13,w11,w6 ,w14) \ M(w14,w12,w7 ,w15) \ M(w15,w13,w8 ,w0 ) #define F(w,k) \ T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \ T2 = Sigma0(a) + Maj(a,b,c); \ h = g; \ g = f; \ f = e; \ e = d + T1; \ d = c; \ c = b; \ b = a; \ a = T1 + T2; int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen) { uint64 state[8]; uint64 a; uint64 b; uint64 c; uint64 d; uint64 e; uint64 f; uint64 g; uint64 h; uint64 T1; uint64 T2; a = load_bigendian(statebytes + 0); state[0] = a; b = load_bigendian(statebytes + 8); state[1] = b; c = load_bigendian(statebytes + 16); state[2] = c; d = load_bigendian(statebytes + 24); state[3] = d; e = load_bigendian(statebytes + 32); state[4] = e; f = load_bigendian(statebytes + 40); state[5] = f; g = load_bigendian(statebytes + 48); state[6] = g; h = load_bigendian(statebytes + 56); state[7] = h; while (inlen >= 128) { uint64 w0 = load_bigendian(in + 0); uint64 w1 = load_bigendian(in + 8); uint64 w2 = load_bigendian(in + 16); uint64 w3 = load_bigendian(in + 24); uint64 w4 = load_bigendian(in + 32); uint64 w5 = load_bigendian(in + 40); uint64 w6 = load_bigendian(in + 48); uint64 w7 = load_bigendian(in + 56); uint64 w8 = load_bigendian(in + 64); uint64 w9 = load_bigendian(in + 72); uint64 w10 = load_bigendian(in + 80); uint64 w11 = load_bigendian(in + 88); uint64 w12 = load_bigendian(in + 96); uint64 w13 = load_bigendian(in + 104); uint64 w14 = load_bigendian(in + 112); uint64 w15 = load_bigendian(in + 120); F(w0 ,0x428a2f98d728ae22ULL) F(w1 ,0x7137449123ef65cdULL) F(w2 
,0xb5c0fbcfec4d3b2fULL) F(w3 ,0xe9b5dba58189dbbcULL) F(w4 ,0x3956c25bf348b538ULL) F(w5 ,0x59f111f1b605d019ULL) F(w6 ,0x923f82a4af194f9bULL) F(w7 ,0xab1c5ed5da6d8118ULL) F(w8 ,0xd807aa98a3030242ULL) F(w9 ,0x12835b0145706fbeULL) F(w10,0x243185be4ee4b28cULL) F(w11,0x550c7dc3d5ffb4e2ULL) F(w12,0x72be5d74f27b896fULL) F(w13,0x80deb1fe3b1696b1ULL) F(w14,0x9bdc06a725c71235ULL) F(w15,0xc19bf174cf692694ULL) EXPAND F(w0 ,0xe49b69c19ef14ad2ULL) F(w1 ,0xefbe4786384f25e3ULL) F(w2 ,0x0fc19dc68b8cd5b5ULL) F(w3 ,0x240ca1cc77ac9c65ULL) F(w4 ,0x2de92c6f592b0275ULL) F(w5 ,0x4a7484aa6ea6e483ULL) F(w6 ,0x5cb0a9dcbd41fbd4ULL) F(w7 ,0x76f988da831153b5ULL) F(w8 ,0x983e5152ee66dfabULL) F(w9 ,0xa831c66d2db43210ULL) F(w10,0xb00327c898fb213fULL) F(w11,0xbf597fc7beef0ee4ULL) F(w12,0xc6e00bf33da88fc2ULL) F(w13,0xd5a79147930aa725ULL) F(w14,0x06ca6351e003826fULL) F(w15,0x142929670a0e6e70ULL) EXPAND F(w0 ,0x27b70a8546d22ffcULL) F(w1 ,0x2e1b21385c26c926ULL) F(w2 ,0x4d2c6dfc5ac42aedULL) F(w3 ,0x53380d139d95b3dfULL) F(w4 ,0x650a73548baf63deULL) F(w5 ,0x766a0abb3c77b2a8ULL) F(w6 ,0x81c2c92e47edaee6ULL) F(w7 ,0x92722c851482353bULL) F(w8 ,0xa2bfe8a14cf10364ULL) F(w9 ,0xa81a664bbc423001ULL) F(w10,0xc24b8b70d0f89791ULL) F(w11,0xc76c51a30654be30ULL) F(w12,0xd192e819d6ef5218ULL) F(w13,0xd69906245565a910ULL) F(w14,0xf40e35855771202aULL) F(w15,0x106aa07032bbd1b8ULL) EXPAND F(w0 ,0x19a4c116b8d2d0c8ULL) F(w1 ,0x1e376c085141ab53ULL) F(w2 ,0x2748774cdf8eeb99ULL) F(w3 ,0x34b0bcb5e19b48a8ULL) F(w4 ,0x391c0cb3c5c95a63ULL) F(w5 ,0x4ed8aa4ae3418acbULL) F(w6 ,0x5b9cca4f7763e373ULL) F(w7 ,0x682e6ff3d6b2b8a3ULL) F(w8 ,0x748f82ee5defb2fcULL) F(w9 ,0x78a5636f43172f60ULL) F(w10,0x84c87814a1f0ab72ULL) F(w11,0x8cc702081a6439ecULL) F(w12,0x90befffa23631e28ULL) F(w13,0xa4506cebde82bde9ULL) F(w14,0xbef9a3f7b2c67915ULL) F(w15,0xc67178f2e372532bULL) EXPAND F(w0 ,0xca273eceea26619cULL) F(w1 ,0xd186b8c721c0c207ULL) F(w2 ,0xeada7dd6cde0eb1eULL) F(w3 ,0xf57d4f7fee6ed178ULL) F(w4 ,0x06f067aa72176fbaULL) F(w5 ,0x0a637dc5a2c898a6ULL) F(w6 
,0x113f9804bef90daeULL) F(w7 ,0x1b710b35131c471bULL) F(w8 ,0x28db77f523047d84ULL) F(w9 ,0x32caab7b40c72493ULL) F(w10,0x3c9ebe0a15c9bebcULL) F(w11,0x431d67c49c100d4cULL) F(w12,0x4cc5d4becb3e42b6ULL) F(w13,0x597f299cfc657e2aULL) F(w14,0x5fcb6fab3ad6faecULL) F(w15,0x6c44198c4a475817ULL) a += state[0]; b += state[1]; c += state[2]; d += state[3]; e += state[4]; f += state[5]; g += state[6]; h += state[7]; state[0] = a; state[1] = b; state[2] = c; state[3] = d; state[4] = e; state[5] = f; state[6] = g; state[7] = h; in += 128; inlen -= 128; } store_bigendian(statebytes + 0,state[0]); store_bigendian(statebytes + 8,state[1]); store_bigendian(statebytes + 16,state[2]); store_bigendian(statebytes + 24,state[3]); store_bigendian(statebytes + 32,state[4]); store_bigendian(statebytes + 40,state[5]); store_bigendian(statebytes + 48,state[6]); store_bigendian(statebytes + 56,state[7]); return inlen; } XEdDSA-0.4.6/ref10/crypto_hashblocks/api.h0000644000175000017500000000007313372774360020103 0ustar useruser00000000000000#define CRYPTO_STATEBYTES 64 #define CRYPTO_BLOCKBYTES 128 XEdDSA-0.4.6/ref10/crypto_hashblocks/module.h0000644000175000017500000000055013372774360020617 0ustar useruser00000000000000// #include "api.h" #define CRYPTO_STATEBYTES 64 #define CRYPTO_BLOCKBYTES 128 // #include "crypto_hashblocks_sha512.h" #define crypto_hashblocks_sha512_ref_STATEBYTES 64 #define crypto_hashblocks_sha512_ref_BLOCKBYTES 128 extern int crypto_hashblocks_sha512_ref(unsigned char *,const unsigned char *,unsigned long long); // #include "crypto_hashblocks.h" XEdDSA-0.4.6/ref10/crypto_hashblocks/crypto_hashblocks.h0000644000175000017500000000075613372774360023063 0ustar useruser00000000000000#ifndef crypto_hashblocks_H #define crypto_hashblocks_H #include "crypto_hashblocks_sha512.h" #define crypto_hashblocks crypto_hashblocks_sha512 #define crypto_hashblocks_STATEBYTES crypto_hashblocks_sha512_STATEBYTES #define crypto_hashblocks_BLOCKBYTES crypto_hashblocks_sha512_BLOCKBYTES #define 
crypto_hashblocks_PRIMITIVE "sha512" #define crypto_hashblocks_IMPLEMENTATION crypto_hashblocks_sha512_IMPLEMENTATION #define crypto_hashblocks_VERSION crypto_hashblocks_sha512_VERSION #endif XEdDSA-0.4.6/ref10/crypto_hashblocks/crypto_hashblocks_sha512.h0000644000175000017500000000155613372774360024145 0ustar useruser00000000000000#include "cross_platform.h" #ifndef crypto_hashblocks_sha512_H #define crypto_hashblocks_sha512_H #define crypto_hashblocks_sha512_ref_STATEBYTES 64 #define crypto_hashblocks_sha512_ref_BLOCKBYTES 128 #ifdef __cplusplus extern "C" { #endif extern int INTERFACE crypto_hashblocks_sha512_ref(unsigned char *,const unsigned char *,unsigned long long); #ifdef __cplusplus } #endif #define crypto_hashblocks_sha512 crypto_hashblocks_sha512_ref #define crypto_hashblocks_sha512_STATEBYTES crypto_hashblocks_sha512_ref_STATEBYTES #define crypto_hashblocks_sha512_BLOCKBYTES crypto_hashblocks_sha512_ref_BLOCKBYTES #define crypto_hashblocks_sha512_IMPLEMENTATION "crypto_hashblocks/sha512/ref" #ifndef crypto_hashblocks_sha512_ref_VERSION #define crypto_hashblocks_sha512_ref_VERSION "-" #endif #define crypto_hashblocks_sha512_VERSION crypto_hashblocks_sha512_ref_VERSION #endif XEdDSA-0.4.6/ref10/crypto_hashblocks/README0000644000175000017500000000005413372774360020040 0ustar useruser00000000000000This is the "ref" implementation of sha512. XEdDSA-0.4.6/ref10/crypto_hash/0000755000175000017500000000000013407120556015752 5ustar useruser00000000000000XEdDSA-0.4.6/ref10/crypto_hash/hash.c0000644000175000017500000000331413372774360017053 0ustar useruser00000000000000/* 20080913 D. J. Bernstein Public domain. 
*/ #include "crypto_hashblocks_sha512.h" #include "crypto_hash.h" #define blocks crypto_hashblocks_sha512 static const unsigned char iv[64] = { 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 } ; typedef unsigned long long uint64; int crypto_hash(unsigned char *out,const unsigned char *in,unsigned long long inlen) { unsigned char h[64]; unsigned char padded[256]; int i; unsigned long long bytes = inlen; for (i = 0;i < 64;++i) h[i] = iv[i]; blocks(h,in,inlen); in += inlen; inlen &= 127; in -= inlen; for (i = 0;i < inlen;++i) padded[i] = in[i]; padded[inlen] = 0x80; if (inlen < 112) { for (i = inlen + 1;i < 119;++i) padded[i] = 0; padded[119] = bytes >> 61; padded[120] = bytes >> 53; padded[121] = bytes >> 45; padded[122] = bytes >> 37; padded[123] = bytes >> 29; padded[124] = bytes >> 21; padded[125] = bytes >> 13; padded[126] = bytes >> 5; padded[127] = bytes << 3; blocks(h,padded,128); } else { for (i = inlen + 1;i < 247;++i) padded[i] = 0; padded[247] = bytes >> 61; padded[248] = bytes >> 53; padded[249] = bytes >> 45; padded[250] = bytes >> 37; padded[251] = bytes >> 29; padded[252] = bytes >> 21; padded[253] = bytes >> 13; padded[254] = bytes >> 5; padded[255] = bytes << 3; blocks(h,padded,256); } for (i = 0;i < 64;++i) out[i] = h[i]; return 0; } XEdDSA-0.4.6/ref10/crypto_hash/api.h0000644000175000017500000000003013372774360016676 0ustar useruser00000000000000#define CRYPTO_BYTES 64 XEdDSA-0.4.6/ref10/crypto_hash/crypto_hash_sha512.h0000644000175000017500000000120313372774360021536 0ustar useruser00000000000000#include "cross_platform.h" #ifndef crypto_hash_sha512_H #define crypto_hash_sha512_H #define crypto_hash_sha512_ref_BYTES 64 #ifdef __cplusplus extern "C" { #endif extern int 
INTERFACE crypto_hash_sha512_ref(unsigned char *,const unsigned char *,unsigned long long); #ifdef __cplusplus } #endif #define crypto_hash_sha512 crypto_hash_sha512_ref #define crypto_hash_sha512_BYTES crypto_hash_sha512_ref_BYTES #define crypto_hash_sha512_IMPLEMENTATION "crypto_hash/sha512/ref" #ifndef crypto_hash_sha512_ref_VERSION #define crypto_hash_sha512_ref_VERSION "-" #endif #define crypto_hash_sha512_VERSION crypto_hash_sha512_ref_VERSION #endif XEdDSA-0.4.6/ref10/crypto_hash/module.h0000644000175000017500000000036413372774360017424 0ustar useruser00000000000000// #include "api.h" #define CRYPTO_BYTES 64 // #include "crypto_hash_sha512.h" #define crypto_hash_sha512_ref_BYTES 64 extern int crypto_hash_sha512_ref(unsigned char *,const unsigned char *,unsigned long long); // #include "crypto_hash.h" XEdDSA-0.4.6/ref10/crypto_hash/crypto_hash.h0000644000175000017500000000052313372774360020457 0ustar useruser00000000000000#ifndef crypto_hash_H #define crypto_hash_H #include "crypto_hash_sha512.h" #define crypto_hash crypto_hash_sha512 #define crypto_hash_BYTES crypto_hash_sha512_BYTES #define crypto_hash_PRIMITIVE "sha512" #define crypto_hash_IMPLEMENTATION crypto_hash_sha512_IMPLEMENTATION #define crypto_hash_VERSION crypto_hash_sha512_VERSION #endif XEdDSA-0.4.6/ref10/crypto_hash/README0000644000175000017500000000005413372774360016642 0ustar useruser00000000000000This is the "ref" implementation of sha512. XEdDSA-0.4.6/xeddsa/0000755000175000017500000000000013407120556013762 5ustar useruser00000000000000XEdDSA-0.4.6/xeddsa/version.py0000644000175000017500000000002613407120526016014 0ustar useruser00000000000000__version__ = "0.4.6" XEdDSA-0.4.6/xeddsa/__init__.py0000644000175000017500000000017713372774360016111 0ustar useruser00000000000000from __future__ import absolute_import from .version import __version__ from . 
import implementations from .xeddsa import * XEdDSA-0.4.6/xeddsa/implementations/0000755000175000017500000000000013407120556017172 5ustar useruser00000000000000XEdDSA-0.4.6/xeddsa/implementations/xeddsa25519.py0000644000175000017500000001145013372774360021434 0ustar useruser00000000000000from __future__ import absolute_import import copy import hashlib import os from ..xeddsa import XEdDSA from .ref10 import * from nacl.exceptions import BadSignatureError from nacl.public import PrivateKey as Curve25519DecryptionKey from nacl.signing import VerifyKey as Ed25519VerificationKey class XEdDSA25519(XEdDSA): """ An implementation of XEdDSA for Montgomery Curve25519 and Twisted Edwards Ed25519 keys. """ MONT_PRIV_KEY_SIZE = 32 MONT_PUB_KEY_SIZE = 32 ED_PRIV_KEY_SIZE = 32 ED_PUB_KEY_SIZE = 32 SIGNATURE_SIZE = 64 @staticmethod def _generate_mont_priv(): priv = bytearray(os.urandom(32)) # The following step is referred to as "clamping". # The following links to a mailing list discussion about what clamping does: # https://moderncrypto.org/mail-archive/curves/2017/000858.html # I am not sure why, but without clamping XEdDSA does not work. # Maybe the ref10 implementation expects all scalars to be clamped. 
priv[0] &= 248 priv[31] &= 63 priv[31] |= 64 return priv @staticmethod def _mont_pub_from_mont_priv(mont_priv): mont_priv_bytes = bytes(mont_priv) mont_pub_bytes = bytes(Curve25519DecryptionKey(mont_priv_bytes).public_key) return bytearray(mont_pub_bytes) @staticmethod def _mont_priv_to_ed_pair(mont_priv): # Prepare a buffer for the twisted Edwards private key ed_priv = copy.deepcopy(mont_priv) # Get the twisted edwards public key, including the sign bit ed_pub = ge_p3_tobytes(ge_scalarmult_base(mont_priv)) # Save the sign bit for later sign_bit = (ed_pub[31] >> 7) & 1 # Force the sign bit to zero ed_pub[31] &= 0x7F # Prepare the negated private key ed_priv_neg = sc_neg(ed_priv) # Get the correct private key based on the sign stored above sc_cmov(ed_priv, ed_priv_neg, sign_bit) return ed_priv, ed_pub @staticmethod def _mont_pub_to_ed_pub(mont_pub): # Read the public key as a field element mont_pub = fe_frombytes(mont_pub) # Convert the Montgomery public key to a twisted Edwards public key fe_ONE = fe_1() # Calculate the parameters (u - 1) and (u + 1) mont_pub_minus_one = fe_sub(mont_pub, fe_ONE) mont_pub_plus_one = fe_add(mont_pub, fe_ONE) # Prepare inv(u + 1) mont_pub_plus_one = fe_invert(mont_pub_plus_one) # Calculate y = (u - 1) * inv(u + 1) (mod p) ed_pub = fe_mul(mont_pub_minus_one, mont_pub_plus_one) ed_pub = fe_tobytes(ed_pub) return ed_pub @staticmethod def _sign(data, nonce, ed_priv, ed_pub): # Aliases for consistency with the specification M = data Z = nonce # A, a = calculate_key_pair(k) A = ed_pub a = ed_priv # r = hash_1(a || M || Z) (mod q) # If the hash has an index as above, that means, we are supposed to calculate: # hash(2 ^ b - 1 - i || X) # # If b = 256 (which is the case for 25519 XEdDSA), then 2 ^ b - 1 = [ 0xFF ] * 32 # Now, subtracting i from the result can be done by subtracting i from the first # byte (assuming i <= 0xFF). 
padding = bytearray(b"\xFF" * 32) padding[0] -= 1 r = bytearray(hashlib.sha512(bytes(padding + a + M + Z)).digest()) r = sc_reduce(r) # R = rB R = ge_p3_tobytes(ge_scalarmult_base(r)) # h = hash(R || A || M) (mod q) h = bytearray(hashlib.sha512(bytes(R + A + M)).digest()) h = sc_reduce(h) # s = r + ha (mod q) s = sc_muladd(h, a, r) return R + s @staticmethod def _verify(data, signature, ed_pub): # Create copies of the parameters to not modify the originals. signature = copy.deepcopy(signature) ed_pub = copy.deepcopy(ed_pub) # Get the sign bit from the s part of the signature. sign_bit = (signature[63] >> 7) & 1 # Set the sign bit to zero in the s part of the signature. signature[63] &= 0x7F # Restore the sign bit on the verification key, which should have 0 as its current # sign bit. ed_pub[31] |= sign_bit << 7 # Here we use the fact, that # "XEd25519 signatures are valid Ed25519 signatures [1] and vice versa, [...]." # (https://signal.org/docs/specifications/xeddsa/#curve25519) # to reduce the amount of security critical code we have to write ourselves. 
data = bytes(data) signature = bytes(signature) ed_pub = bytes(ed_pub) try: return Ed25519VerificationKey(ed_pub).verify(data, signature) == data except BadSignatureError: return False XEdDSA-0.4.6/xeddsa/implementations/__init__.py0000644000175000017500000000011513372774360021311 0ustar useruser00000000000000from __future__ import absolute_import from .xeddsa25519 import XEdDSA25519 XEdDSA-0.4.6/xeddsa/implementations/ref10.py0000644000175000017500000001667313372774360020507 0ustar useruser00000000000000from __future__ import absolute_import import _crypto_sign class Failed(Exception): pass def __wrap(ffi_type, x = None): if isinstance(x, _crypto_sign.ffi.CData): return x elif isinstance(x, bytearray): return _crypto_sign.ffi.new(ffi_type, bytes(x)) elif x == None: return _crypto_sign.ffi.new(ffi_type) else: raise TypeError("Wrong type: " + str(type(x))) def __toBytearray(x): if isinstance(x, _crypto_sign.ffi.CData): return bytearray(list(x)) else: raise TypeError("Wrong type: " + str(type(x))) ############################################################################### # fe.h # ############################################################################### def fe_bytes(fe_bytes_BYTES = None): return __wrap("unsigned char[32]", fe_bytes_BYTES) def fe(fe_FE = None): return __wrap("int32_t[10]", fe_FE) def fe_frombytes(fe_bytes_BYTES): result = fe() _crypto_sign.lib.crypto_sign_ed25519_ref10_fe_frombytes( result, fe_bytes(fe_bytes_BYTES) ) return result def fe_tobytes(fe_FE): result = fe_bytes() _crypto_sign.lib.crypto_sign_ed25519_ref10_fe_tobytes( result, fe(fe_FE) ) return __toBytearray(result) def fe_1(): result = fe() _crypto_sign.lib.crypto_sign_ed25519_ref10_fe_1( result ) return result def fe_add(fe_ADDEND_A, fe_ADDEND_B): result = fe() _crypto_sign.lib.crypto_sign_ed25519_ref10_fe_add( result, fe(fe_ADDEND_A), fe(fe_ADDEND_B) ) return result def fe_sub(fe_MINUEND, fe_SUBTRAHEND): result = fe() _crypto_sign.lib.crypto_sign_ed25519_ref10_fe_sub( result, 
fe(fe_MINUEND), fe(fe_SUBTRAHEND) ) return result def fe_mul(fe_MULTIPLICAND, fe_MULTIPLIER): result = fe() _crypto_sign.lib.crypto_sign_ed25519_ref10_fe_mul( result, fe(fe_MULTIPLICAND), fe(fe_MULTIPLIER) ) return result def fe_invert(fe_FE): result = fe() _crypto_sign.lib.crypto_sign_ed25519_ref10_fe_invert( result, fe(fe_FE) ) return result ############################################################################### # ge.h # ############################################################################### class ge_p2(object): def __init__(self, ge_p2_POINT = None): self.__point = ge_p2_POINT @classmethod def empty(cls): return cls(_crypto_sign.ffi.new("ge_p2 *")) @property def point(self): return self.__point def ge_p2_bytes(ge_p2_bytes_BYTES = None): return __wrap("unsigned char[32]", ge_p2_bytes_BYTES) def ge_tobytes(ge_p2_POINT): result = ge_p2_bytes() _crypto_sign.lib.crypto_sign_ed25519_ref10_ge_tobytes( result, ge_p2_POINT.point ) return __toBytearray(result) class ge_p3(object): def __init__(self, ge_p3_POINT = None): self.__point = ge_p3_POINT @classmethod def empty(cls): return cls(_crypto_sign.ffi.new("ge_p3 *")) @property def point(self): return self.__point def ge_p3_bytes(ge_p3_bytes_BYTES = None): return __wrap("unsigned char[32]", ge_p3_bytes_BYTES) def ge_p3_tobytes(ge_p3_POINT): result = ge_p3_bytes() _crypto_sign.lib.crypto_sign_ed25519_ref10_ge_p3_tobytes( result, ge_p3_POINT.point ) return __toBytearray(result) def ge_frombytes_negate_vartime(ge_p3_bytes_BYTES): result = ge_p3.empty() success = _crypto_sign.lib.crypto_sign_ed25519_ref10_ge_frombytes_negate_vartime( result.point, ge_p3_bytes(ge_p3_bytes_BYTES) ) if success != 0: raise Failed() return result def scalar_bytes(scalar_bytes_SCALAR = None): return __wrap("unsigned char[32]", scalar_bytes_SCALAR) def ge_scalarmult_base(scalar_bytes_SCALAR): result = ge_p3.empty() _crypto_sign.lib.crypto_sign_ed25519_ref10_ge_scalarmult_base( result.point, scalar_bytes(scalar_bytes_SCALAR) ) return 
result def ge_double_scalarmult_vartime(scalar_bytes_SCA, ge_p3_PA, scalar_bytes_SCB): result = ge_p2.empty() _crypto_sign.lib.crypto_sign_ed25519_ref10_ge_double_scalarmult_vartime( result.point, scalar_bytes(scalar_bytes_SCA), ge_p3_PA.point, scalar_bytes(scalar_bytes_SCB) ) return result ############################################################################### # sc.h # ############################################################################### def sc_bytes(sc_bytes_BYTES = None): return __wrap("unsigned char[32]", sc_bytes_BYTES) def sc_reduce_bytes(sc_reduce_bytes_BYTES): return __wrap("unsigned char[64]", sc_reduce_bytes_BYTES) def sc_reduce(sc_reduce_bytes_SC): sc_reduce_bytes_SC = sc_reduce_bytes(sc_reduce_bytes_SC) _crypto_sign.lib.crypto_sign_ed25519_ref10_sc_reduce( sc_reduce_bytes_SC ) sc_reduce_bytes_SC = __toBytearray(sc_reduce_bytes_SC)[:32] return __toBytearray(sc_bytes(sc_reduce_bytes_SC)) def sc_muladd(sc_bytes_MULTIPLICAND, sc_bytes_MULTIPLIER, sc_bytes_ADDEND): result = sc_bytes() _crypto_sign.lib.crypto_sign_ed25519_ref10_sc_muladd( result, sc_bytes(sc_bytes_MULTIPLICAND), sc_bytes(sc_bytes_MULTIPLIER), sc_bytes(sc_bytes_ADDEND) ) return __toBytearray(result) ############################################################################### # XEdDSA additions # ############################################################################### sc_bytes_BASE_POINT_ORDER_MINUS_ONE = sc_bytes(bytearray([ 0xEC, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 ])) sc_bytes_ZERO = sc_bytes(bytearray([ 0x00 ] * 32)) def sc_neg(sc_bytes_BYTES): return sc_muladd(sc_bytes_BASE_POINT_ORDER_MINUS_ONE, sc_bytes_BYTES, sc_bytes_ZERO) def sc_cmov(sc_bytes_A, sc_bytes_B, byte_CONDITION): # Make sure the condition is either a one or a zero condition = (byte_CONDITION & 0xFF) != 0x00 # Create an eight bit mask for the 
condition, either all ones or all zeros condition_mask = ( condition << 0 | condition << 1 | condition << 2 | condition << 3 | condition << 4 | condition << 5 | condition << 6 | condition << 7 ) for i in range(32): # Mix together the two scalars a and b by xor'ing them # tmp = a ^ b tmp = sc_bytes_A[i] ^ sc_bytes_B[i] # Now, apply the condition mask to the temporary result, which creates either of: # - tmp = (a ^ b) & 0xFF = a ^ b, if the condition is true # - tmp = (a ^ b) & 0x00 = 0 , if the condition is false tmp &= condition_mask # Finally, xor the temporary result with the bytes of a. # This results in either of the following based on the condition: # - a ^ tmp = a ^ (a ^ b) = b, if the condition is true # - a ^ tmp = a ^ (0 ) = a, if the condition is false sc_bytes_A[i] ^= tmp XEdDSA-0.4.6/xeddsa/xeddsa.py0000644000175000017500000002271713372774360015626 0ustar useruser00000000000000from __future__ import absolute_import import os class XEdDSA(object): """ The base class for all XEdDSA implementations. Do not use this class directly, use subclasses for specific key types instead. The xeddsa.implementations module ships such subclasses. """ MONT_PRIV_KEY_SIZE = NotImplemented MONT_PUB_KEY_SIZE = NotImplemented ED_PRIV_KEY_SIZE = NotImplemented ED_PUB_KEY_SIZE = NotImplemented SIGNATURE_SIZE = NotImplemented def __init__(self, mont_priv = None, mont_pub = None): """ Create an XEdDSA object from Montgomery key material, to encrypt AND sign data using just one Montgomery key pair. :param mont_priv: A bytes-like object encoding the private key with length MONT_PRIV_KEY_SIZE or None. :param mont_pub: A bytes-like object encoding the public key with length MONT_PUB_KEY_SIZE or None. If both mont_priv and mont_pub are None, a new key pair is generated. 
""" cls = self.__class__ if not ( isinstance(cls.MONT_PRIV_KEY_SIZE, int) and isinstance(cls.MONT_PUB_KEY_SIZE, int) and isinstance(cls.ED_PRIV_KEY_SIZE, int) and isinstance(cls.ED_PUB_KEY_SIZE, int) and isinstance(cls.SIGNATURE_SIZE, int) ): raise NotImplementedError("Can't instantiate the XEdDSA class directly.") if mont_priv == None and mont_pub == None: mont_priv = cls.generate_mont_priv() if not (mont_priv == None or isinstance(mont_priv, bytes)): raise TypeError("Wrong type passed for the mont_priv parameter.") if mont_priv != None and len(mont_priv) != cls.MONT_PRIV_KEY_SIZE: raise ValueError("Invalid value passed for the mont_priv parameter.") if mont_priv != None and mont_pub == None: mont_pub = cls.mont_pub_from_mont_priv(mont_priv) if not (mont_pub == None or isinstance(mont_pub, bytes)): raise TypeError("Wrong type passed for the mont_pub parameter.") if mont_pub != None and len(mont_pub) != cls.MONT_PUB_KEY_SIZE: raise ValueError("Invalid value passed for the mont_pub parameter.") self.__mont_priv = mont_priv self.__mont_pub = mont_pub @classmethod def generate_mont_priv(cls): """ Return a Montgomery private key to be used with XEdDSA. :returns: The private key as a bytes-like object with length MONT_PRIV_KEY_SIZE. """ return bytes(cls._generate_mont_priv()) @staticmethod def _generate_mont_priv(): """ Return a Montgomery private key to be used with XEdDSA. :returns: The private key as a bytearray with length MONT_PRIV_KEY_SIZE. """ raise NotImplementedError @classmethod def mont_pub_from_mont_priv(cls, mont_priv): """ Restore the Montgomery public key from a Montgomery private key. :param mont_priv: A bytes-like object encoding the private key with length MONT_PRIV_KEY_SIZE. :returns: A bytes-like object encoding the public key with length MONT_PUB_KEY_SIZE. 
""" if not isinstance(mont_priv, bytes): raise TypeError("Wrong type passed for the mont_priv parameter.") if len(mont_priv) != cls.MONT_PRIV_KEY_SIZE: raise ValueError("Invalid value passed for the mont_priv parameter.") return bytes(cls._mont_pub_from_mont_priv(bytearray(mont_priv))) @staticmethod def _mont_pub_from_mont_priv(mont_priv): """ Restore the Montgomery public key from a Montgomery private key. :param mont_priv: A bytearray encoding the private keywith length MONT_PRIV_KEY_SIZE. :returns: A bytearray encoding the public key with length MONT_PUB_KEY_SIZE. """ raise NotImplementedError @classmethod def mont_priv_to_ed_pair(cls, mont_priv): """ Derive a Twisted Edwards key pair from given Montgomery private key. :param mont_priv: A bytes-like object encoding the private key with length MONT_PRIV_KEY_SIZE. :returns: A tuple of bytes-like objects encoding the private key with length ED_PRIV_KEY_SIZE and the public key with length ED_PUB_KEY_SIZE. """ if not isinstance(mont_priv, bytes): raise TypeError("Wrong type passed for the mont_priv parameter.") if len(mont_priv) != cls.MONT_PRIV_KEY_SIZE: raise ValueError("Invalid value passed for the mont_priv parameter.") ed_priv, ed_pub = cls._mont_priv_to_ed_pair(bytearray(mont_priv)) return bytes(ed_priv), bytes(ed_pub) @staticmethod def _mont_priv_to_ed_pair(mont_priv): """ Derive a Twisted Edwards key pair from given Montgomery private key. :param mont_priv: A bytearray encoding the private key with length MONT_PRIV_KEY_SIZE. :returns: A tuple of bytearrays encoding the private key with length ED_PRIV_KEY_SIZE and the public key with length ED_PUB_KEY_SIZE. """ raise NotImplementedError @classmethod def mont_pub_to_ed_pub(cls, mont_pub): """ Derive a Twisted Edwards public key from given Montgomery public key. :param mont_pub: A bytes-like object encoding the public key with length MONT_PUB_KEY_SIZE. :returns: A bytes-like object encoding the public key with length ED_PUB_KEY_SIZE. 
""" if not isinstance(mont_pub, bytes): raise TypeError("Wrong type passed for the mont_pub parameter.") if len(mont_pub) != cls.MONT_PUB_KEY_SIZE: raise ValueError("Invalid value passed for the mont_pub parameter.") return bytes(cls._mont_pub_to_ed_pub(bytearray(mont_pub))) @staticmethod def _mont_pub_to_ed_pub(mont_pub): """ Derive a Twisted Edwards public key from given Montgomery public key. :param mont_pub: A bytearray encoding the public key with length MONT_PUB_KEY_SIZE. :returns: A bytearray encoding the public key with length ED_PUB_KEY_SIZE. """ raise NotImplementedError def sign(self, data, nonce = None): """ Sign data using the Montgomery private key stored by this XEdDSA instance. :param data: A bytes-like object containing the data to sign. :param nonce: A bytes-like object with length 64 or None. :returns: A bytes-like object encoding the signature with length SIGNATURE_SIZE. If the nonce parameter is None, a new nonce is generated and used. :raises MissingKeyException: If the Montgomery private key is not available. """ cls = self.__class__ if not self.__mont_priv: raise MissingKeyException( "Cannot sign using this XEdDSA instance, Montgomery private key missing." ) if not isinstance(data, bytes): raise TypeError("The data parameter must be a bytes-like object.") if nonce == None: nonce = os.urandom(64) if not isinstance(nonce, bytes): raise TypeError("Wrong type passed for the nonce parameter.") if len(nonce) != 64: raise ValueError("Invalid value passed for the nonce parameter.") ed_priv, ed_pub = cls._mont_priv_to_ed_pair(bytearray(self.__mont_priv)) return bytes(cls._sign( bytearray(data), bytearray(nonce), ed_priv, ed_pub )) @staticmethod def _sign(data, nonce, ed_priv, ed_pub): """ Sign data using given Twisted Edwards key pair. :param data: A bytearray containing the data to sign. :param nonce: A bytearray with length 64. :param ed_priv: A bytearray encoding the private key with length ED_PRIV_KEY_SIZE. 
:param ed_pub: A bytearray encoding the public key with length ED_PUB_KEY_SIZE. :returns: A bytearray encoding the signature with length SIGNATURE_SIZE. """ raise NotImplementedError def verify(self, data, signature): """ Verify signed data using the Montgomery public key stored by this XEdDSA instance. :param data: A bytes-like object containing the data that was signed. :param signature: A bytes-like object encoding the signature with length SIGNATURE_SIZE. :returns: A boolean indicating whether the signature was valid or not. """ cls = self.__class__ if not isinstance(data, bytes): raise TypeError("The data parameter must be a bytes-like object.") if not isinstance(signature, bytes): raise TypeError("Wrong type passed for the signature parameter.") if len(signature) != cls.SIGNATURE_SIZE: raise ValueError("Invalid value passed for the signature parameter.") return cls._verify( bytearray(data), bytearray(signature), cls._mont_pub_to_ed_pub(bytearray(self.__mont_pub)) ) @staticmethod def _verify(data, signature, ed_pub): """ Verify signed data using given Twisted Edwards public key. :param data: A bytearray containing the data that was signed. :param signature: A bytearray encoding the signature with length SIGNATURE_SIZE. :returns: A boolean indicating whether the signature was valid or not. """ raise NotImplementedError XEdDSA-0.4.6/setup.cfg0000644000175000017500000000004613407120556014333 0ustar useruser00000000000000[egg_info] tag_build = tag_date = 0 XEdDSA-0.4.6/README.md0000644000175000017500000000512213405214126013764 0ustar useruser00000000000000[![PyPI](https://img.shields.io/pypi/v/XEdDSA.svg)](https://pypi.org/project/XEdDSA/) [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/XEdDSA.svg)](https://pypi.org/project/XEdDSA/) [![Build Status](https://travis-ci.org/Syndace/python-xeddsa.svg?branch=master)](https://travis-ci.org/Syndace/python-xeddsa) # python-xeddsa #### A python implementation of the XEdDSA signature scheme. 
This python library offers an open implementation of the XEdDSA signature scheme as specified [here](https://signal.org/docs/specifications/xeddsa/).

### !!! IMPORTANT WARNING !!!

This code was not written by a cryptographer and is most probably **NOT SECURE**.

### Installation

Install the package using pip (`pip install XEdDSA`) or manually using `python setup.py install`, as you're used to.

__NOTE__: On UNIX, the installation uses the `cmake` and `make` tools.

__NOTE__: On Windows, `cmake` is used and a MinGW environment is required. If compilation fails, precompiled binaries are downloaded during the installation. Make sure you have an active internet connection and access to `https://github.com`. The installation requires the Microsoft Visual C++ Build Tools. Those can be installed using the standalone version you can download [here](https://visualstudio.microsoft.com/downloads/), or as part of Visual Studio, for example the free [Community Edition](https://visualstudio.microsoft.com/vs/community/).

### Manually building ref10

The following section explains how to manually compile the ref10 library, which is __not__ required when using pip or `python setup.py install`.

For detailed information on what the ref10 library is and how it was built, look at `ref10/README.md`.

#### Building ref10 on UNIX

On UNIX, run the following commands to build the ref10 library:

```Bash
$ cd ref10/
$ mkdir build
$ cd build/
$ cmake -G "Unix Makefiles" ..
$ make
```

To clean up the build artifacts, just delete the whole build and bin directories inside of the ref10 directory.

#### Building ref10 on Windows

On Windows, building ref10 is just as simple. Make sure you are in a MinGW environment and run:

```Bash
$ cd ref10/
$ mkdir build
$ cd build/
$ cmake -G "MinGW Makefiles" ..
$ mingw32-make
```

To clean up the build artifacts, just delete the whole build and bin directories inside of the ref10 directory.

### NOTICE This implementation is meant as a transitional solution until one of the big crypto-libraries like libsodium picks up XEdDSA. The [version 1.0 roadmap](https://libsodium.gitbook.io/doc/roadmap) of libsodium lists XEdDSA, it might only take a few more months to get a stable and secure implementation. XEdDSA-0.4.6/PKG-INFO0000644000175000017500000000770013407120556013613 0ustar useruser00000000000000Metadata-Version: 2.1 Name: XEdDSA Version: 0.4.6 Summary: A python implementation of the XEdDSA signature scheme. Home-page: https://github.com/Syndace/python-xeddsa Author: Tim Henkes Author-email: tim@cifg.io License: MIT Description: [![PyPI](https://img.shields.io/pypi/v/XEdDSA.svg)](https://pypi.org/project/XEdDSA/) [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/XEdDSA.svg)](https://pypi.org/project/XEdDSA/) [![Build Status](https://travis-ci.org/Syndace/python-xeddsa.svg?branch=master)](https://travis-ci.org/Syndace/python-xeddsa) # python-xeddsa #### A python implementation of the XEdDSA signature scheme. This python library offers an open implementation of the XEdDSA signature scheme as specified [here](https://signal.org/docs/specifications/xeddsa/). ### !!! IMPORTANT WARNING !!! This code was not written by a cryptographer and is most probably **NOT SECURE**. ### Installation Install the package using pip (`pip install XEdDSA`) or manually using `python setup.py install`, as you're used to. __NOTE__: On UNIX, the installation uses the `cmake` and `make` tools. __NOTE__: On Windows, `cmake` is used and a MinGW environment is required. If compilation fails, precompiled binaries are downloaded during the installation. Make sure you have an active internet connection and access to `https://github.com`. The installation requires the Microsoft Visual C++ Build Tools. 
Those can be installed using the standalone version you can download [here](https://visualstudio.microsoft.com/downloads/), or as part of Visual Studio, for example the free [Community Edition](https://visualstudio.microsoft.com/vs/community/). ### Manually building ref10 The following section explains how to manually compile the ref10 library, which is __not__ required when using pip or `python setup.py install`. For detailed information on what the ref10 library is and how it was built, look at `ref10/README.md`. #### Building ref10 on UNIX On UNIX, run the following commands to build the ref10 library: ```Bash $ cd ref10/ $ mkdir build $ cd build/ $ cmake -G "Unix Makefiles" .. $ make ``` To clean up the build artifacts, just delete the whole build and bin directories inside of the ref10 directory. #### Building ref10 on Windows On Windows, building ref10 is just as simple. Make sure you are in a MinGW environment and run: ```Bash $ cd ref10/ $ mkdir build $ cd build/ $ cmake -G "MinGW Makefiles" .. $ mingw32-make ``` To clean up the build artifacts, just delete the whole build and bin directories inside of the ref10 directory. ### NOTICE This implementation is meant as a transitional solution until one of the big crypto-libraries like libsodium picks up XEdDSA. The [version 1.0 roadmap](https://libsodium.gitbook.io/doc/roadmap) of libsodium lists XEdDSA; it might only take a few more months to get a stable and secure implementation. 
Platform: UNKNOWN Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: Topic :: Communications :: Chat Classifier: Topic :: Security :: Cryptography Classifier: License :: OSI Approved :: MIT License Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.4 Classifier: Programming Language :: Python :: 3.5 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, <4 Description-Content-Type: text/markdown XEdDSA-0.4.6/setup.py0000644000175000017500000000334113407026165014226 0ustar useruser00000000000000from setuptools import setup, find_packages import os import sys version_file_path = os.path.join( os.path.dirname(os.path.abspath(__file__)), "xeddsa", "version.py" ) version = {} try: execfile(version_file_path, version) except: with open(version_file_path) as fp: exec(fp.read(), version) with open("README.md") as f: long_description = f.read() setup( name = "XEdDSA", # TODO: Don't forget to update the url's in the build.py file after updates to ref10! 
version = version["__version__"], description = "A python implementation of the XEdDSA signature scheme.", long_description = long_description, long_description_content_type = "text/markdown", url = "https://github.com/Syndace/python-xeddsa", author = "Tim Henkes", author_email = "tim@cifg.io", license = "MIT", packages = find_packages(), install_requires = [ "cffi>=1.9.1", "pynacl>=1.0.1" ], setup_requires = [ "cffi>=1.9.1" ], cffi_modules = [ os.path.join("ref10", "build.py") + ":ffibuilder" ], python_requires = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, <4", include_package_data = True, zip_safe = False, classifiers = [ "Development Status :: 4 - Beta", "Intended Audience :: Developers", "Topic :: Communications :: Chat", "Topic :: Security :: Cryptography", "License :: OSI Approved :: MIT License", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7" ] ) XEdDSA-0.4.6/XEdDSA.egg-info/0000755000175000017500000000000013407120556015214 5ustar useruser00000000000000XEdDSA-0.4.6/XEdDSA.egg-info/not-zip-safe0000644000175000017500000000000113402760534017443 0ustar useruser00000000000000 XEdDSA-0.4.6/XEdDSA.egg-info/SOURCES.txt0000644000175000017500000001125113407120556017100 0ustar useruser00000000000000MANIFEST.in README.md setup.py XEdDSA.egg-info/PKG-INFO XEdDSA.egg-info/SOURCES.txt XEdDSA.egg-info/dependency_links.txt XEdDSA.egg-info/not-zip-safe XEdDSA.egg-info/requires.txt XEdDSA.egg-info/top_level.txt ref10/CMakeLists.txt ref10/README.md ref10/build.py ref10/crypto_core/README ref10/crypto_core/api.h ref10/crypto_core/core.c ref10/crypto_core/crypto_core.h ref10/crypto_core/crypto_core_salsa20.h ref10/crypto_core/module.h ref10/crypto_hash/README ref10/crypto_hash/api.h ref10/crypto_hash/crypto_hash.h 
ref10/crypto_hash/crypto_hash_sha512.h ref10/crypto_hash/hash.c ref10/crypto_hash/module.h ref10/crypto_hashblocks/README ref10/crypto_hashblocks/api.h ref10/crypto_hashblocks/blocks.c ref10/crypto_hashblocks/crypto_hashblocks.h ref10/crypto_hashblocks/crypto_hashblocks_sha512.h ref10/crypto_hashblocks/module.h ref10/crypto_rng/README ref10/crypto_rng/api.h ref10/crypto_rng/crypto_rng.h ref10/crypto_rng/crypto_rng_salsa20.h ref10/crypto_rng/module.h ref10/crypto_rng/rng.c ref10/crypto_scalarmult/README ref10/crypto_scalarmult/api.h ref10/crypto_scalarmult/base.c ref10/crypto_scalarmult/crypto_scalarmult.h ref10/crypto_scalarmult/crypto_scalarmult_curve25519.h ref10/crypto_scalarmult/fe.h ref10/crypto_scalarmult/fe_0.c ref10/crypto_scalarmult/fe_1.c ref10/crypto_scalarmult/fe_add.c ref10/crypto_scalarmult/fe_copy.c ref10/crypto_scalarmult/fe_cswap.c ref10/crypto_scalarmult/fe_frombytes.c ref10/crypto_scalarmult/fe_invert.c ref10/crypto_scalarmult/fe_mul.c ref10/crypto_scalarmult/fe_mul121666.c ref10/crypto_scalarmult/fe_sq.c ref10/crypto_scalarmult/fe_sub.c ref10/crypto_scalarmult/fe_tobytes.c ref10/crypto_scalarmult/module.h ref10/crypto_scalarmult/montgomery.h ref10/crypto_scalarmult/pow225521.h ref10/crypto_scalarmult/scalarmult.c ref10/crypto_sign/README ref10/crypto_sign/api.h ref10/crypto_sign/base.h ref10/crypto_sign/base2.h ref10/crypto_sign/crypto_sign.h ref10/crypto_sign/crypto_sign_ed25519.h ref10/crypto_sign/d.h ref10/crypto_sign/d2.h ref10/crypto_sign/fe.h ref10/crypto_sign/fe_0.c ref10/crypto_sign/fe_1.c ref10/crypto_sign/fe_add.c ref10/crypto_sign/fe_cmov.c ref10/crypto_sign/fe_copy.c ref10/crypto_sign/fe_frombytes.c ref10/crypto_sign/fe_invert.c ref10/crypto_sign/fe_isnegative.c ref10/crypto_sign/fe_isnonzero.c ref10/crypto_sign/fe_mul.c ref10/crypto_sign/fe_neg.c ref10/crypto_sign/fe_pow22523.c ref10/crypto_sign/fe_sq.c ref10/crypto_sign/fe_sq2.c ref10/crypto_sign/fe_sub.c ref10/crypto_sign/fe_tobytes.c ref10/crypto_sign/ge.h 
ref10/crypto_sign/ge_add.c ref10/crypto_sign/ge_add.h ref10/crypto_sign/ge_double_scalarmult.c ref10/crypto_sign/ge_frombytes.c ref10/crypto_sign/ge_madd.c ref10/crypto_sign/ge_madd.h ref10/crypto_sign/ge_msub.c ref10/crypto_sign/ge_msub.h ref10/crypto_sign/ge_p1p1_to_p2.c ref10/crypto_sign/ge_p1p1_to_p3.c ref10/crypto_sign/ge_p2_0.c ref10/crypto_sign/ge_p2_dbl.c ref10/crypto_sign/ge_p2_dbl.h ref10/crypto_sign/ge_p3_0.c ref10/crypto_sign/ge_p3_dbl.c ref10/crypto_sign/ge_p3_to_cached.c ref10/crypto_sign/ge_p3_to_p2.c ref10/crypto_sign/ge_p3_tobytes.c ref10/crypto_sign/ge_precomp_0.c ref10/crypto_sign/ge_scalarmult_base.c ref10/crypto_sign/ge_sub.c ref10/crypto_sign/ge_sub.h ref10/crypto_sign/ge_tobytes.c ref10/crypto_sign/keypair.c ref10/crypto_sign/module.h ref10/crypto_sign/open.c ref10/crypto_sign/pow22523.h ref10/crypto_sign/pow225521.h ref10/crypto_sign/sc.h ref10/crypto_sign/sc_muladd.c ref10/crypto_sign/sc_reduce.c ref10/crypto_sign/sign.c ref10/crypto_sign/sqrtm1.h ref10/crypto_stream/README ref10/crypto_stream/api.h ref10/crypto_stream/crypto_stream.h ref10/crypto_stream/crypto_stream_salsa20.h ref10/crypto_stream/module.h ref10/crypto_stream/stream.c ref10/crypto_stream/xor.c ref10/crypto_verify/README ref10/crypto_verify/api.h ref10/crypto_verify/crypto_verify.h ref10/crypto_verify/crypto_verify_32.h ref10/crypto_verify/module.h ref10/crypto_verify/verify.c ref10/fastrandombytes/fastrandombytes.c ref10/fastrandombytes/module.h ref10/fastrandombytes/randombytes.h ref10/include/cross_platform.h ref10/include/crypto_int16.h ref10/include/crypto_int32.h ref10/include/crypto_int64.h ref10/include/crypto_int8.h ref10/include/crypto_uint16.h ref10/include/crypto_uint32.h ref10/include/crypto_uint64.h ref10/include/crypto_uint8.h ref10/kernelrandombytes/getentropy.c ref10/kernelrandombytes/getentropy2.c ref10/kernelrandombytes/getrandom.c ref10/kernelrandombytes/getrandom2.c ref10/kernelrandombytes/getrandom3.c ref10/kernelrandombytes/kernelrandombytes.h 
ref10/kernelrandombytes/module.h ref10/kernelrandombytes/rtlgenrandom.c ref10/kernelrandombytes/test.c ref10/kernelrandombytes/urandom.c xeddsa/__init__.py xeddsa/version.py xeddsa/xeddsa.py xeddsa/implementations/__init__.py xeddsa/implementations/ref10.py xeddsa/implementations/xeddsa25519.pyXEdDSA-0.4.6/XEdDSA.egg-info/dependency_links.txt0000644000175000017500000000000113407120556021262 0ustar useruser00000000000000 XEdDSA-0.4.6/XEdDSA.egg-info/top_level.txt0000644000175000017500000000002413407120556017742 0ustar useruser00000000000000_crypto_sign xeddsa XEdDSA-0.4.6/XEdDSA.egg-info/requires.txt0000644000175000017500000000003213407120556017607 0ustar useruser00000000000000cffi>=1.9.1 pynacl>=1.0.1 XEdDSA-0.4.6/XEdDSA.egg-info/PKG-INFO0000644000175000017500000000770013407120556016315 0ustar useruser00000000000000Metadata-Version: 2.1 Name: XEdDSA Version: 0.4.6 Summary: A python implementation of the XEdDSA signature scheme. Home-page: https://github.com/Syndace/python-xeddsa Author: Tim Henkes Author-email: tim@cifg.io License: MIT Description: [![PyPI](https://img.shields.io/pypi/v/XEdDSA.svg)](https://pypi.org/project/XEdDSA/) [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/XEdDSA.svg)](https://pypi.org/project/XEdDSA/) [![Build Status](https://travis-ci.org/Syndace/python-xeddsa.svg?branch=master)](https://travis-ci.org/Syndace/python-xeddsa) # python-xeddsa #### A python implementation of the XEdDSA signature scheme. This python library offers an open implementation of the XEdDSA signature scheme as specified [here](https://signal.org/docs/specifications/xeddsa/). ### !!! IMPORTANT WARNING !!! This code was not written by a cryptographer and is most probably **NOT SECURE**. ### Installation Install the package using pip (`pip install XEdDSA`) or manually using `python setup.py install`, as you're used to. __NOTE__: On UNIX, the installation uses the `cmake` and `make` tools. 
__NOTE__: On Windows, `cmake` is used and a MinGW environment is required. If compilation fails, precompiled binaries are downloaded during the installation. Make sure you have an active internet connection and access to `https://github.com`. This fallback fetches native code over the network at install time, and this README does not say whether the download is checked against a pinned hash or signature; the download URLs are kept in `ref10/build.py` (per the note in `setup.py`), so review that file if install-time integrity matters in your environment. The installation requires the Microsoft Visual C++ Build Tools. Those can be installed using the standalone version you can download [here](https://visualstudio.microsoft.com/downloads/), or as part of Visual Studio, for example the free [Community Edition](https://visualstudio.microsoft.com/vs/community/).

### Manually building ref10

The following section explains how to manually compile the ref10 library, which is __not__ required when using pip or `python setup.py install`. For detailed information on what the ref10 library is and how it was built, look at `ref10/README.md`.

#### Building ref10 on UNIX

On UNIX, run the following commands to build the ref10 library:

```Bash
$ cd ref10/
$ mkdir build
$ cd build/
$ cmake -G "Unix Makefiles" ..
$ make
```

To clean up the build artifacts, just delete the whole build and bin directories inside of the ref10 directory.

#### Building ref10 on Windows

On Windows, building ref10 is just as simple. Make sure you are in a MinGW environment and run:

```Bash
$ cd ref10/
$ mkdir build
$ cd build/
$ cmake -G "MinGW Makefiles" ..
$ mingw32-make
```

To clean up the build artifacts, just delete the whole build and bin directories inside of the ref10 directory.

### NOTICE

This implementation is meant as a transitional solution until one of the big crypto-libraries like libsodium picks up XEdDSA. The [version 1.0 roadmap](https://libsodium.gitbook.io/doc/roadmap) of libsodium lists XEdDSA; it might only take a few more months to get a stable and secure implementation.
Platform: UNKNOWN Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: Topic :: Communications :: Chat Classifier: Topic :: Security :: Cryptography Classifier: License :: OSI Approved :: MIT License Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.4 Classifier: Programming Language :: Python :: 3.5 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, <4 Description-Content-Type: text/markdown