This commit is contained in:
y4my4my4m 2023-12-27 23:16:42 -05:00
parent 835a239920
commit ef36afa82b


@ -600,7 +600,7 @@ I64 crypto_Scalarmult(U8 *q, U8 *n, U8 *p) {
x[i + 48] = b[i]; x[i + 48] = b[i];
x[i + 64] = d[i]; x[i + 64] = d[i];
} }
inv25519(x + 32, x + 32); Inv25519(x + 32, x + 32);
M(x + 16, x + 16, x + 32); M(x + 16, x + 16, x + 32);
Pack25519(q, x + 16); Pack25519(q, x + 16);
return 0; return 0;
@ -704,99 +704,99 @@ I64 crypto_hash(U8 *out, U8 *m, U64 n) {
// FIXME: cant predefine p[4][16] like that!!! // FIXME: cant predefine p[4][16] like that!!!
U0 add(U16 p[4][16], U16 q[4][16])
{
U16 a[16], b[16], c[16], d[16], t[16], e[16], f[16], g[16], h[16];
Z(a, p[1], p[0]);
Z(t, q[1], q[0]);
M(a, a, t);
A(b, p[0], p[1]);
A(t, q[0], q[1]);
M(b, b, t);
M(c, p[3], q[3]);
M(c, c, D2);
M(d, p[2], q[2]);
A(d, d, d);
Z(e, b, a);
Z(f, d, c);
A(g, d, c);
A(h, b, a);
M(p[0], e, f); U0 Add(gf *p, gf *q) {
M(p[1], h, g); gf a, b, c, d, t, e, f, g, h;
M(p[2], g, f);
M(p[3], e, h); Z(a.data, p[1].data, p[0].data);
Z(t.data, q[1].data, q[0].data);
M(a.data, a.data, t.data);
A(b.data, p[0].data, p[1].data);
A(t.data, q[0].data, q[1].data);
M(b.data, b.data, t.data);
M(c.data, p[3].data, q[3].data);
M(c.data, c.data, D2.data);
M(d.data, p[2].data, q[2].data);
A(d.data, d.data, d.data);
Z(e.data, b.data, a.data);
Z(f.data, d.data, c.data);
A(g.data, d.data, c.data);
A(h.data, b.data, a.data);
M(p[0].data, e.data, f.data);
M(p[1].data, h.data, g.data);
M(p[2].data, g.data, f.data);
M(p[3].data, e.data, h.data);
} }
U0 Cswap(U16 p[4][16], U16 q[4][16], U8 b) U0 Cswap(gf *p, gf *q, U8 b) {
{ I64 i;
I64 i; for (i = 0; i < 4; ++i) {
for (i = 0;i < 4;++i) Sel25519(p[i],q[i],b); Sel25519(p[i].data, q[i].data, b);
} }
}
U0 Pack(U8 *r, U16 p[4][16])
{ U0 Pack(U8 *r, gf *p) {
U16 tx[16], ty[16], zi[16]; gf tx, ty, zi;
inv25519(zi, p[2]); Inv25519(&zi, p[2].data);
M(tx, p[0], zi); M(tx.data, p[0].data, zi.data);
M(ty, p[1], zi); M(ty.data, p[1].data, zi.data);
Pack25519(r, ty); Pack25519(r, ty.data);
r[31] ^= Par25519(tx) << 7; r[31] ^= Par25519(tx.data) << 7;
} }
U0 Scalarmult(U16 p[4][16], U16 q[4][16], U8 *s) U0 Scalarmult(gf *p, gf *q, U8 *s) {
{ I64 i;
I64 i; Set25519(p[0].data, gf0.data);
Set25519(p[0],gf0); Set25519(p[1].data, gf1.data);
Set25519(p[1],gf1); Set25519(p[2].data, gf1.data);
Set25519(p[2],gf1); Set25519(p[3].data, gf0.data);
Set25519(p[3],gf0); for (i = 255; i >= 0; --i) {
for (i = 255;i >= 0;--i) { U8 b = (s[i / 8] >> (i & 7)) & 1;
U8 b = (s[i/8]>>(i&7))&1; Cswap(p, q, b);
Cswap(p,q,b); Add(p, q);
add(q,p); Add(p, p);
add(p,p); Cswap(p, q, b);
Cswap(p,q,b); }
} }
}
U0 Scalarbase(gf *p, U8 *s) {
U0 Scalarbase(U16 p[4][16], U8 *s) gf q[4];
{ Set25519(q[0].data, X.data);
U16 q[4][16]; Set25519(q[1].data, Y.data);
Set25519(q[0],X); Set25519(q[2].data, gf1.data);
Set25519(q[1],Y); M(q[3].data, X.data, Y.data);
Set25519(q[2],gf1); Scalarmult(p, q, s);
M(q[3],X,Y); }
Scalarmult(p,q,s);
} U64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10};
U64 L[] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10}; U0 modL(U8 *r, I64 *x) {
I64 carry, i, j, index;
U0 modL(U8 *r, I64 x[64]) for (i = 63; i >= 32; --i) {
{ carry = 0;
I64 carry, i, j; for (j = i - 32; j < i - 12; ++j) {
for (i = 63; i >= 32; --i) { index = j - (i - 32);
carry = 0; if (index >= 0 && index < 32) {
for (j = i - 32; j < i - 12; ++j) { x[j] += carry - 16 * x[i] * L[index];
x[j] += carry - 16 * x[i] * L[j - (i - 32)]; }
carry = (x[j] + 128) >> 8; carry = (x[j] + 128) >> 8;
x[j] -= carry << 8; x[j] -= carry << 8;
}
x[j] += carry;
x[i] = 0;
}
carry = 0;
for (j = 0; j < 32; j++) {
x[j] += carry - (x[31] >> 4) * L[j];
carry = x[j] >> 8;
x[j] &= 255;
}
for (j = 0; j < 32; j++) x[j] -= carry * L[j];
for (i = 0; i < 32; i++) {
x[i+1] += x[i] >> 8;
r[i] = x[i] & 255;
} }
x[j] += carry;
x[i] = 0;
}
carry = 0;
for (j = 0; j < 32; j++) {
x[j] += carry - (x[31] >> 4) * L[j];
carry = x[j] >> 8;
x[j] &= 255;
}
for (j = 0; j < 32; j++) x[j] -= carry * L[j];
for (i = 0; i < 32; i++) {
x[i+1] += x[i] >> 8;
r[i] = x[i] & 255;
}
} }
U0 reduce(U8 *r) U0 reduce(U8 *r)
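Review bot: In `Scalarmult` the new side replaces `add(q,p)` with `Add(p, q)`, which swaps the roles of the two points: `Add` writes its result into its first argument (it stores into `p[0..3]` via the trailing `M(p[0].data, ...)` calls), so the old call accumulated into `q` while the new one accumulates into `p`, and the Montgomery-style ladder no longer computes the same point; the line should read `Add(q, p);` to keep the original semantics (the `Add(p, q)` in `crypto_sign_open` preserves its argument order and is fine). In `Pack`, `Inv25519(&zi, p[2].data)` passes a `gf *` as the first argument where every other call site passes the limb array, so `Inv25519(zi.data, p[2].data)` would be consistent — if `gf` wraps only `data` the addresses may coincide, but that is worth confirming rather than relying on. The added guard `if (index >= 0 && index < 32)` in `modL` can never be false (`j` runs from `i - 32` to `i - 13`, so `index` is 0..19), and if it ever were, skipping the subtraction while still propagating `carry` would silently yield a wrong reduction, so either drop the guard or turn it into an assertion. The `// FIXME: cant predefine p[4][16] like that!!!` comment is now stale since this commit introduces `gf` to address exactly that.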
@ -891,7 +891,7 @@ I64 crypto_sign_open(U8 *m, U64 *mlen, U8 *sm, U64 n, U8 *pk)
Scalarmult(p, q, h); Scalarmult(p, q, h);
Scalarbase(q, sm + 32); Scalarbase(q, sm + 32);
add(p, q); Add(p, q);
Pack(t, p); Pack(t, p);
n -= 64; n -= 64;