diff --git a/src/Home/TweetNaCl/TweetNaCl.ZC b/src/Home/TweetNaCl/TweetNaCl.ZC
index 8a6ca1d6..e7ad3400 100644
--- a/src/Home/TweetNaCl/TweetNaCl.ZC
+++ b/src/Home/TweetNaCl/TweetNaCl.ZC
@@ -600,7 +600,7 @@ I64 crypto_Scalarmult(U8 *q, U8 *n, U8 *p) {
 x[i + 48] = b[i];
 x[i + 64] = d[i];
 }
- inv25519(x + 32, x + 32);
+ Inv25519(x + 32, x + 32);
 M(x + 16, x + 16, x + 32);
 Pack25519(q, x + 16);
 return 0;
@@ -704,99 +704,99 @@ I64 crypto_hash(U8 *out, U8 *m, U64 n) {
 // FIXME: cant predefine p[4][16] like that!!!
-U0 add(U16 p[4][16], U16 q[4][16])
-{
- U16 a[16], b[16], c[16], d[16], t[16], e[16], f[16], g[16], h[16];
-
- Z(a, p[1], p[0]);
- Z(t, q[1], q[0]);
- M(a, a, t);
- A(b, p[0], p[1]);
- A(t, q[0], q[1]);
- M(b, b, t);
- M(c, p[3], q[3]);
- M(c, c, D2);
- M(d, p[2], q[2]);
- A(d, d, d);
- Z(e, b, a);
- Z(f, d, c);
- A(g, d, c);
- A(h, b, a);
- M(p[0], e, f);
- M(p[1], h, g);
- M(p[2], g, f);
- M(p[3], e, h);
+U0 Add(gf *p, gf *q) {
+ gf a, b, c, d, t, e, f, g, h;
+
+ Z(a.data, p[1].data, p[0].data);
+ Z(t.data, q[1].data, q[0].data);
+ M(a.data, a.data, t.data);
+ A(b.data, p[0].data, p[1].data);
+ A(t.data, q[0].data, q[1].data);
+ M(b.data, b.data, t.data);
+ M(c.data, p[3].data, q[3].data);
+ M(c.data, c.data, D2.data);
+ M(d.data, p[2].data, q[2].data);
+ A(d.data, d.data, d.data);
+ Z(e.data, b.data, a.data);
+ Z(f.data, d.data, c.data);
+ A(g.data, d.data, c.data);
+ A(h.data, b.data, a.data);
+
+ M(p[0].data, e.data, f.data);
+ M(p[1].data, h.data, g.data);
+ M(p[2].data, g.data, f.data);
+ M(p[3].data, e.data, h.data);
 }
-U0 Cswap(U16 p[4][16], U16 q[4][16], U8 b)
-{
- I64 i;
- for (i = 0;i < 4;++i) Sel25519(p[i],q[i],b);
-}
-
-U0 Pack(U8 *r, U16 p[4][16])
-{
- U16 tx[16], ty[16], zi[16];
- inv25519(zi, p[2]);
- M(tx, p[0], zi);
- M(ty, p[1], zi);
- Pack25519(r, ty);
- r[31] ^= Par25519(tx) << 7;
-}
-
-U0 Scalarmult(U16 p[4][16], U16 q[4][16], U8 *s)
-{
- I64 i;
- Set25519(p[0],gf0);
- Set25519(p[1],gf1);
- Set25519(p[2],gf1);
- Set25519(p[3],gf0);
- for (i = 255;i >= 0;--i) {
- U8 b = (s[i/8]>>(i&7))&1;
- Cswap(p,q,b);
- add(q,p);
- add(p,p);
- Cswap(p,q,b);
- }
-}
-
-U0 Scalarbase(U16 p[4][16], U8 *s)
-{
- U16 q[4][16];
- Set25519(q[0],X);
- Set25519(q[1],Y);
- Set25519(q[2],gf1);
- M(q[3],X,Y);
- Scalarmult(p,q,s);
-}
-
-U64 L[] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0x10};
-
-U0 modL(U8 *r, I64 x[64])
-{
- I64 carry, i, j;
- for (i = 63; i >= 32; --i) {
- carry = 0;
- for (j = i - 32; j < i - 12; ++j) {
- x[j] += carry - 16 * x[i] * L[j - (i - 32)];
- carry = (x[j] + 128) >> 8;
- x[j] -= carry << 8;
+U0 Cswap(gf *p, gf *q, U8 b) {
+ I64 i;
+ for (i = 0; i < 4; ++i) {
+ Sel25519(p[i].data, q[i].data, b);
+ }
+}
+
+U0 Pack(U8 *r, gf *p) {
+ gf tx, ty, zi;
+ Inv25519(&zi, p[2].data);
+ M(tx.data, p[0].data, zi.data);
+ M(ty.data, p[1].data, zi.data);
+ Pack25519(r, ty.data);
+ r[31] ^= Par25519(tx.data) << 7;
+}
+
+U0 Scalarmult(gf *p, gf *q, U8 *s) {
+ I64 i;
+ Set25519(p[0].data, gf0.data);
+ Set25519(p[1].data, gf1.data);
+ Set25519(p[2].data, gf1.data);
+ Set25519(p[3].data, gf0.data);
+ for (i = 255; i >= 0; --i) {
+ U8 b = (s[i / 8] >> (i & 7)) & 1;
+ Cswap(p, q, b);
+ Add(p, q);
+ Add(p, p);
+ Cswap(p, q, b);
+ }
+}
+
+U0 Scalarbase(gf *p, U8 *s) {
+ gf q[4];
+ Set25519(q[0].data, X.data);
+ Set25519(q[1].data, Y.data);
+ Set25519(q[2].data, gf1.data);
+ M(q[3].data, X.data, Y.data);
+ Scalarmult(p, q, s);
+}
+
+U64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10};
+
+U0 modL(U8 *r, I64 *x) {
+ I64 carry, i, j, index;
+ for (i = 63; i >= 32; --i) {
+ carry = 0;
+ for (j = i - 32; j < i - 12; ++j) {
+ index = j - (i - 32);
+ if (index >= 0 && index < 32) {
+ x[j] += carry - 16 * x[i] * L[index];
+ }
+ carry = (x[j] + 128) >> 8;
+ x[j] -= carry << 8;
+ }
+ x[j] += carry;
+ x[i] = 0;
+ }
+ carry = 0;
+ for (j = 0; j < 32; j++) {
+ x[j] += carry - (x[31] >> 4) * L[j];
+ carry = x[j] >> 8;
+ x[j] &= 255;
+ }
+ for (j = 0; j < 32; j++) x[j] -= carry * L[j];
+ for (i = 0; i < 32; i++) {
+ x[i+1] += x[i] >> 8;
+ r[i] = x[i] & 255;
 }
- x[j] += carry;
- x[i] = 0;
- }
- carry = 0;
- for (j = 0; j < 32; j++) {
- x[j] += carry - (x[31] >> 4) * L[j];
- carry = x[j] >> 8;
- x[j] &= 255;
- }
- for (j = 0; j < 
32; j++) x[j] -= carry * L[j];
- for (i = 0; i < 32; i++) {
- x[i+1] += x[i] >> 8;
- r[i] = x[i] & 255;
- }
 }
 U0 reduce(U8 *r)
@@ -891,7 +891,7 @@ I64 crypto_sign_open(U8 *m, U64 *mlen, U8 *sm, U64 n, U8 *pk)
 Scalarmult(p, q, h);
 Scalarbase(q, sm + 32);
- add(p, q);
+ Add(p, q);
 Pack(t, p);
 n -= 64;
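Review bot: In the rewritten Scalarmult, `Add(p, q);` replaces the removed `add(q,p);`, and since Add stores its result into its first argument (the four `M(p[n].data, …)` writes at the end of Add), the ladder step now updates p twice and never advances q; the line should read `Add(q, p);` to keep the swap/add/double/swap structure of the removed code. Because Scalarbase and the `Scalarmult(p, q, h)` call in crypto_sign_open go through this routine, every public-key derivation and signature check would disagree with the reference implementation. The `if (index >= 0 && index < 32)` guard added in modL can never be false — index runs from 0 to 19 for every i in 63..32 — so it is dead code; either drop it or add a comment saying why it is kept, since a reader may assume it masks a real out-of-range access. Pack now calls `Inv25519(&zi, p[2].data)` with a `gf *` first argument while the hunk at line 600 passes element pointers for both arguments; worth confirming both call sites match Inv25519's signature, which is not visible in this diff.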