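#include "fixedint.h"
#include "sc.h"

/*
 * Scalar arithmetic modulo the Ed25519 group order
 *     l = 2^252 + 27742317777372353535851937790883648493.
 *
 * Scalars are little-endian byte strings.  Internally they are split into
 * 21-bit limbs (mask 2097151 = 2^21 - 1) held in int64_t.
 *
 * Review notes:
 *  - Both public functions are straight-line code: no branch and no array
 *    index depends on the scalar bytes.  Keep it that way when editing.
 *  - Limbs go negative during reduction.  The carry steps use ">>" on
 *    negative int64_t values, which is implementation-defined in C; the code
 *    assumes an arithmetic (sign-extending) shift.
 *  - The matching "<<" on a negative carry is undefined behaviour in C, so it
 *    is routed through sc_shl21() below.
 *  - No pointer is checked for NULL and no length is passed; callers must
 *    supply buffers of the sizes documented on each function.
 *  - Limb values are left in locals on return and are not wiped here.
 *    NOTE(review): if these scalars are secret (private key, nonce), decide
 *    at the call site whether that is acceptable -- confirm against callers.
 */

#ifndef ED25519_LOAD_BYTES
#define ED25519_LOAD_BYTES

/* Read in[0..2] as a 24-bit little-endian integer. */
static uint64_t load_3(const unsigned char *in) {
    uint64_t result;

    result = (uint64_t) in[0];
    result |= ((uint64_t) in[1]) << 8;
    result |= ((uint64_t) in[2]) << 16;

    return result;
}

/* Read in[0..3] as a 32-bit little-endian integer. */
static uint64_t load_4(const unsigned char *in) {
    uint64_t result;

    result = (uint64_t) in[0];
    result |= ((uint64_t) in[1]) << 8;
    result |= ((uint64_t) in[2]) << 16;
    result |= ((uint64_t) in[3]) << 24;

    return result;
}

#endif

/*
 * Shift a signed carry left by 21 bits without undefined behaviour.
 *
 * "x << 21" on a negative int64_t is undefined in C.  Shifting the unsigned
 * representation is always defined; converting the result back to int64_t
 * is implementation-defined and yields the two's-complement value on the
 * usual targets, i.e. the same bits the plain signed shift produced there.
 */
static int64_t sc_shl21(int64_t x) {
    return (int64_t) ((uint64_t) x << 21);
}

/*
Input:
  s[0]+256*s[1]+...+256^63*s[63] = s

Output:
  s[0]+256*s[1]+...+256^31*s[31] = s mod l
  where l = 2^252 + 27742317777372353535851937790883648493.
  Overwrites s in place.

s must point to 64 readable bytes; only s[0..31] are written.  All 64 input
bytes are loaded into limbs before the first store.
*/
void sc_reduce(unsigned char *s) {
    /* 24 limbs of 21 bits each; the top limb s23 is left unmasked. */
    int64_t s0 = 2097151 & load_3(s);
    int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
    int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
    int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
    int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
    int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
    int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
    int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
    int64_t s8 = 2097151 & load_3(s + 21);
    int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
    int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
    int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
    int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
    int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
    int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
    int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
    int64_t s16 = 2097151 & load_3(s + 42);
    int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
    int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
    int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
    int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
    int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
    int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
    int64_t s23 = (load_4(s + 60) >> 3);
    int64_t carry0;
    int64_t carry1;
    int64_t carry2;
    int64_t carry3;
    int64_t carry4;
    int64_t carry5;
    int64_t carry6;
    int64_t carry7;
    int64_t carry8;
    int64_t carry9;
    int64_t carry10;
    int64_t carry11;
    int64_t carry12;
    int64_t carry13;
    int64_t carry14;
    int64_t carry15;
    int64_t carry16;

    /*
     * Fold limbs 23..18 down by 12 positions.  Limb 12 has weight 2^252,
     * and 2^252 = -(l - 2^252) mod l; the six signed constants are the
     * 21-bit limbs of that value.
     */
    s11 += s23 * 666643;
    s12 += s23 * 470296;
    s13 += s23 * 654183;
    s14 -= s23 * 997805;
    s15 += s23 * 136657;
    s16 -= s23 * 683901;
    s23 = 0;

    s10 += s22 * 666643;
    s11 += s22 * 470296;
    s12 += s22 * 654183;
    s13 -= s22 * 997805;
    s14 += s22 * 136657;
    s15 -= s22 * 683901;
    s22 = 0;

    s9 += s21 * 666643;
    s10 += s21 * 470296;
    s11 += s21 * 654183;
    s12 -= s21 * 997805;
    s13 += s21 * 136657;
    s14 -= s21 * 683901;
    s21 = 0;

    s8 += s20 * 666643;
    s9 += s20 * 470296;
    s10 += s20 * 654183;
    s11 -= s20 * 997805;
    s12 += s20 * 136657;
    s13 -= s20 * 683901;
    s20 = 0;

    s7 += s19 * 666643;
    s8 += s19 * 470296;
    s9 += s19 * 654183;
    s10 -= s19 * 997805;
    s11 += s19 * 136657;
    s12 -= s19 * 683901;
    s19 = 0;

    s6 += s18 * 666643;
    s7 += s18 * 470296;
    s8 += s18 * 654183;
    s9 -= s18 * 997805;
    s10 += s18 * 136657;
    s11 -= s18 * 683901;
    s18 = 0;

    /* Rounded carries (add 2^20 first): even limbs 6..16, then odd 7..15. */
    carry6 = (s6 + (1 << 20)) >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry8 = (s8 + (1 << 20)) >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry10 = (s10 + (1 << 20)) >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);
    carry12 = (s12 + (1 << 20)) >> 21;
    s13 += carry12;
    s12 -= sc_shl21(carry12);
    carry14 = (s14 + (1 << 20)) >> 21;
    s15 += carry14;
    s14 -= sc_shl21(carry14);
    carry16 = (s16 + (1 << 20)) >> 21;
    s17 += carry16;
    s16 -= sc_shl21(carry16);

    carry7 = (s7 + (1 << 20)) >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry9 = (s9 + (1 << 20)) >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry11 = (s11 + (1 << 20)) >> 21;
    s12 += carry11;
    s11 -= sc_shl21(carry11);
    carry13 = (s13 + (1 << 20)) >> 21;
    s14 += carry13;
    s13 -= sc_shl21(carry13);
    carry15 = (s15 + (1 << 20)) >> 21;
    s16 += carry15;
    s15 -= sc_shl21(carry15);

    /* Fold limbs 17..12 the same way. */
    s5 += s17 * 666643;
    s6 += s17 * 470296;
    s7 += s17 * 654183;
    s8 -= s17 * 997805;
    s9 += s17 * 136657;
    s10 -= s17 * 683901;
    s17 = 0;

    s4 += s16 * 666643;
    s5 += s16 * 470296;
    s6 += s16 * 654183;
    s7 -= s16 * 997805;
    s8 += s16 * 136657;
    s9 -= s16 * 683901;
    s16 = 0;

    s3 += s15 * 666643;
    s4 += s15 * 470296;
    s5 += s15 * 654183;
    s6 -= s15 * 997805;
    s7 += s15 * 136657;
    s8 -= s15 * 683901;
    s15 = 0;

    s2 += s14 * 666643;
    s3 += s14 * 470296;
    s4 += s14 * 654183;
    s5 -= s14 * 997805;
    s6 += s14 * 136657;
    s7 -= s14 * 683901;
    s14 = 0;

    s1 += s13 * 666643;
    s2 += s13 * 470296;
    s3 += s13 * 654183;
    s4 -= s13 * 997805;
    s5 += s13 * 136657;
    s6 -= s13 * 683901;
    s13 = 0;

    s0 += s12 * 666643;
    s1 += s12 * 470296;
    s2 += s12 * 654183;
    s3 -= s12 * 997805;
    s4 += s12 * 136657;
    s5 -= s12 * 683901;
    s12 = 0;

    /* Rounded carries: even limbs 0..10, then odd 1..11 (into s12). */
    carry0 = (s0 + (1 << 20)) >> 21;
    s1 += carry0;
    s0 -= sc_shl21(carry0);
    carry2 = (s2 + (1 << 20)) >> 21;
    s3 += carry2;
    s2 -= sc_shl21(carry2);
    carry4 = (s4 + (1 << 20)) >> 21;
    s5 += carry4;
    s4 -= sc_shl21(carry4);
    carry6 = (s6 + (1 << 20)) >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry8 = (s8 + (1 << 20)) >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry10 = (s10 + (1 << 20)) >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);

    carry1 = (s1 + (1 << 20)) >> 21;
    s2 += carry1;
    s1 -= sc_shl21(carry1);
    carry3 = (s3 + (1 << 20)) >> 21;
    s4 += carry3;
    s3 -= sc_shl21(carry3);
    carry5 = (s5 + (1 << 20)) >> 21;
    s6 += carry5;
    s5 -= sc_shl21(carry5);
    carry7 = (s7 + (1 << 20)) >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry9 = (s9 + (1 << 20)) >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry11 = (s11 + (1 << 20)) >> 21;
    s12 += carry11;
    s11 -= sc_shl21(carry11);

    /* Fold the carry that landed in s12. */
    s0 += s12 * 666643;
    s1 += s12 * 470296;
    s2 += s12 * 654183;
    s3 -= s12 * 997805;
    s4 += s12 * 136657;
    s5 -= s12 * 683901;
    s12 = 0;

    /* Floor carries 0..11: limbs 0..11 end up in [0, 2^21). */
    carry0 = s0 >> 21;
    s1 += carry0;
    s0 -= sc_shl21(carry0);
    carry1 = s1 >> 21;
    s2 += carry1;
    s1 -= sc_shl21(carry1);
    carry2 = s2 >> 21;
    s3 += carry2;
    s2 -= sc_shl21(carry2);
    carry3 = s3 >> 21;
    s4 += carry3;
    s3 -= sc_shl21(carry3);
    carry4 = s4 >> 21;
    s5 += carry4;
    s4 -= sc_shl21(carry4);
    carry5 = s5 >> 21;
    s6 += carry5;
    s5 -= sc_shl21(carry5);
    carry6 = s6 >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry7 = s7 >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry8 = s8 >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry9 = s9 >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry10 = s10 >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);
    carry11 = s11 >> 21;
    s12 += carry11;
    s11 -= sc_shl21(carry11);

    /* Fold the last carry out of s11. */
    s0 += s12 * 666643;
    s1 += s12 * 470296;
    s2 += s12 * 654183;
    s3 -= s12 * 997805;
    s4 += s12 * 136657;
    s5 -= s12 * 683901;
    s12 = 0;

    /* Final floor carries 0..10; s11 keeps whatever is carried into it. */
    carry0 = s0 >> 21;
    s1 += carry0;
    s0 -= sc_shl21(carry0);
    carry1 = s1 >> 21;
    s2 += carry1;
    s1 -= sc_shl21(carry1);
    carry2 = s2 >> 21;
    s3 += carry2;
    s2 -= sc_shl21(carry2);
    carry3 = s3 >> 21;
    s4 += carry3;
    s3 -= sc_shl21(carry3);
    carry4 = s4 >> 21;
    s5 += carry4;
    s4 -= sc_shl21(carry4);
    carry5 = s5 >> 21;
    s6 += carry5;
    s5 -= sc_shl21(carry5);
    carry6 = s6 >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry7 = s7 >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry8 = s8 >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry9 = s9 >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry10 = s10 >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);

    /*
     * Pack twelve 21-bit limbs into 32 bytes.  s0..s10 are in [0, 2^21)
     * after the floor carries, so the left shifts below act on non-negative
     * values.  NOTE(review): s11 is expected to be non-negative here as
     * well -- confirm against the reduction bound.
     */
    s[0] = (unsigned char) (s0 >> 0);
    s[1] = (unsigned char) (s0 >> 8);
    s[2] = (unsigned char) ((s0 >> 16) | (s1 << 5));
    s[3] = (unsigned char) (s1 >> 3);
    s[4] = (unsigned char) (s1 >> 11);
    s[5] = (unsigned char) ((s1 >> 19) | (s2 << 2));
    s[6] = (unsigned char) (s2 >> 6);
    s[7] = (unsigned char) ((s2 >> 14) | (s3 << 7));
    s[8] = (unsigned char) (s3 >> 1);
    s[9] = (unsigned char) (s3 >> 9);
    s[10] = (unsigned char) ((s3 >> 17) | (s4 << 4));
    s[11] = (unsigned char) (s4 >> 4);
    s[12] = (unsigned char) (s4 >> 12);
    s[13] = (unsigned char) ((s4 >> 20) | (s5 << 1));
    s[14] = (unsigned char) (s5 >> 7);
    s[15] = (unsigned char) ((s5 >> 15) | (s6 << 6));
    s[16] = (unsigned char) (s6 >> 2);
    s[17] = (unsigned char) (s6 >> 10);
    s[18] = (unsigned char) ((s6 >> 18) | (s7 << 3));
    s[19] = (unsigned char) (s7 >> 5);
    s[20] = (unsigned char) (s7 >> 13);
    s[21] = (unsigned char) (s8 >> 0);
    s[22] = (unsigned char) (s8 >> 8);
    s[23] = (unsigned char) ((s8 >> 16) | (s9 << 5));
    s[24] = (unsigned char) (s9 >> 3);
    s[25] = (unsigned char) (s9 >> 11);
    s[26] = (unsigned char) ((s9 >> 19) | (s10 << 2));
    s[27] = (unsigned char) (s10 >> 6);
    s[28] = (unsigned char) ((s10 >> 14) | (s11 << 7));
    s[29] = (unsigned char) (s11 >> 1);
    s[30] = (unsigned char) (s11 >> 9);
    s[31] = (unsigned char) (s11 >> 17);
}



/*
Input:
  a[0]+256*a[1]+...+256^31*a[31] = a
  b[0]+256*b[1]+...+256^31*b[31] = b
  c[0]+256*c[1]+...+256^31*c[31] = c

Output:
  s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
  where l = 2^252 + 27742317777372353535851937790883648493.

a, b and c must each point to 32 readable bytes and s to 32 writable bytes.
The top limb of each input is left unmasked, so all 256 input bits are used.
Every input byte is loaded before the first store to s, so s may alias a, b
or c.
*/
void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c) {
    int64_t a0 = 2097151 & load_3(a);
    int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
    int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
    int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
    int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
    int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
    int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
    int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
    int64_t a8 = 2097151 & load_3(a + 21);
    int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
    int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
    int64_t a11 = (load_4(a + 28) >> 7);
    int64_t b0 = 2097151 & load_3(b);
    int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
    int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
    int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
    int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
    int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
    int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
    int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
    int64_t b8 = 2097151 & load_3(b + 21);
    int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
    int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
    int64_t b11 = (load_4(b + 28) >> 7);
    int64_t c0 = 2097151 & load_3(c);
    int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
    int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
    int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
    int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
    int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
    int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
    int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
    int64_t c8 = 2097151 & load_3(c + 21);
    int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
    int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
    int64_t c11 = (load_4(c + 28) >> 7);
    int64_t s0;
    int64_t s1;
    int64_t s2;
    int64_t s3;
    int64_t s4;
    int64_t s5;
    int64_t s6;
    int64_t s7;
    int64_t s8;
    int64_t s9;
    int64_t s10;
    int64_t s11;
    int64_t s12;
    int64_t s13;
    int64_t s14;
    int64_t s15;
    int64_t s16;
    int64_t s17;
    int64_t s18;
    int64_t s19;
    int64_t s20;
    int64_t s21;
    int64_t s22;
    int64_t s23;
    int64_t carry0;
    int64_t carry1;
    int64_t carry2;
    int64_t carry3;
    int64_t carry4;
    int64_t carry5;
    int64_t carry6;
    int64_t carry7;
    int64_t carry8;
    int64_t carry9;
    int64_t carry10;
    int64_t carry11;
    int64_t carry12;
    int64_t carry13;
    int64_t carry14;
    int64_t carry15;
    int64_t carry16;
    int64_t carry17;
    int64_t carry18;
    int64_t carry19;
    int64_t carry20;
    int64_t carry21;
    int64_t carry22;

    /* Schoolbook product a*b in limb form, with c added to limbs 0..11. */
    s0 = c0 + a0 * b0;
    s1 = c1 + a0 * b1 + a1 * b0;
    s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
    s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
    s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
    s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
    s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
    s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
    s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
    s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
    s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
    s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
    s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
    s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
    s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
    s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
    s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
    s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
    s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
    s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
    s20 = a9 * b11 + a10 * b10 + a11 * b9;
    s21 = a10 * b11 + a11 * b10;
    s22 = a11 * b11;
    s23 = 0;

    /* Rounded carries over the full product: even 0..22, then odd 1..21. */
    carry0 = (s0 + (1 << 20)) >> 21;
    s1 += carry0;
    s0 -= sc_shl21(carry0);
    carry2 = (s2 + (1 << 20)) >> 21;
    s3 += carry2;
    s2 -= sc_shl21(carry2);
    carry4 = (s4 + (1 << 20)) >> 21;
    s5 += carry4;
    s4 -= sc_shl21(carry4);
    carry6 = (s6 + (1 << 20)) >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry8 = (s8 + (1 << 20)) >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry10 = (s10 + (1 << 20)) >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);
    carry12 = (s12 + (1 << 20)) >> 21;
    s13 += carry12;
    s12 -= sc_shl21(carry12);
    carry14 = (s14 + (1 << 20)) >> 21;
    s15 += carry14;
    s14 -= sc_shl21(carry14);
    carry16 = (s16 + (1 << 20)) >> 21;
    s17 += carry16;
    s16 -= sc_shl21(carry16);
    carry18 = (s18 + (1 << 20)) >> 21;
    s19 += carry18;
    s18 -= sc_shl21(carry18);
    carry20 = (s20 + (1 << 20)) >> 21;
    s21 += carry20;
    s20 -= sc_shl21(carry20);
    carry22 = (s22 + (1 << 20)) >> 21;
    s23 += carry22;
    s22 -= sc_shl21(carry22);

    carry1 = (s1 + (1 << 20)) >> 21;
    s2 += carry1;
    s1 -= sc_shl21(carry1);
    carry3 = (s3 + (1 << 20)) >> 21;
    s4 += carry3;
    s3 -= sc_shl21(carry3);
    carry5 = (s5 + (1 << 20)) >> 21;
    s6 += carry5;
    s5 -= sc_shl21(carry5);
    carry7 = (s7 + (1 << 20)) >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry9 = (s9 + (1 << 20)) >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry11 = (s11 + (1 << 20)) >> 21;
    s12 += carry11;
    s11 -= sc_shl21(carry11);
    carry13 = (s13 + (1 << 20)) >> 21;
    s14 += carry13;
    s13 -= sc_shl21(carry13);
    carry15 = (s15 + (1 << 20)) >> 21;
    s16 += carry15;
    s15 -= sc_shl21(carry15);
    carry17 = (s17 + (1 << 20)) >> 21;
    s18 += carry17;
    s17 -= sc_shl21(carry17);
    carry19 = (s19 + (1 << 20)) >> 21;
    s20 += carry19;
    s19 -= sc_shl21(carry19);
    carry21 = (s21 + (1 << 20)) >> 21;
    s22 += carry21;
    s21 -= sc_shl21(carry21);

    /*
     * From here on the sequence is the same fold/carry sequence that
     * sc_reduce applies after loading its limbs.  Fold limbs 23..18 first.
     */
    s11 += s23 * 666643;
    s12 += s23 * 470296;
    s13 += s23 * 654183;
    s14 -= s23 * 997805;
    s15 += s23 * 136657;
    s16 -= s23 * 683901;
    s23 = 0;

    s10 += s22 * 666643;
    s11 += s22 * 470296;
    s12 += s22 * 654183;
    s13 -= s22 * 997805;
    s14 += s22 * 136657;
    s15 -= s22 * 683901;
    s22 = 0;

    s9 += s21 * 666643;
    s10 += s21 * 470296;
    s11 += s21 * 654183;
    s12 -= s21 * 997805;
    s13 += s21 * 136657;
    s14 -= s21 * 683901;
    s21 = 0;

    s8 += s20 * 666643;
    s9 += s20 * 470296;
    s10 += s20 * 654183;
    s11 -= s20 * 997805;
    s12 += s20 * 136657;
    s13 -= s20 * 683901;
    s20 = 0;

    s7 += s19 * 666643;
    s8 += s19 * 470296;
    s9 += s19 * 654183;
    s10 -= s19 * 997805;
    s11 += s19 * 136657;
    s12 -= s19 * 683901;
    s19 = 0;

    s6 += s18 * 666643;
    s7 += s18 * 470296;
    s8 += s18 * 654183;
    s9 -= s18 * 997805;
    s10 += s18 * 136657;
    s11 -= s18 * 683901;
    s18 = 0;

    /* Rounded carries: even limbs 6..16, then odd 7..15. */
    carry6 = (s6 + (1 << 20)) >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry8 = (s8 + (1 << 20)) >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry10 = (s10 + (1 << 20)) >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);
    carry12 = (s12 + (1 << 20)) >> 21;
    s13 += carry12;
    s12 -= sc_shl21(carry12);
    carry14 = (s14 + (1 << 20)) >> 21;
    s15 += carry14;
    s14 -= sc_shl21(carry14);
    carry16 = (s16 + (1 << 20)) >> 21;
    s17 += carry16;
    s16 -= sc_shl21(carry16);

    carry7 = (s7 + (1 << 20)) >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry9 = (s9 + (1 << 20)) >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry11 = (s11 + (1 << 20)) >> 21;
    s12 += carry11;
    s11 -= sc_shl21(carry11);
    carry13 = (s13 + (1 << 20)) >> 21;
    s14 += carry13;
    s13 -= sc_shl21(carry13);
    carry15 = (s15 + (1 << 20)) >> 21;
    s16 += carry15;
    s15 -= sc_shl21(carry15);

    /* Fold limbs 17..12. */
    s5 += s17 * 666643;
    s6 += s17 * 470296;
    s7 += s17 * 654183;
    s8 -= s17 * 997805;
    s9 += s17 * 136657;
    s10 -= s17 * 683901;
    s17 = 0;

    s4 += s16 * 666643;
    s5 += s16 * 470296;
    s6 += s16 * 654183;
    s7 -= s16 * 997805;
    s8 += s16 * 136657;
    s9 -= s16 * 683901;
    s16 = 0;

    s3 += s15 * 666643;
    s4 += s15 * 470296;
    s5 += s15 * 654183;
    s6 -= s15 * 997805;
    s7 += s15 * 136657;
    s8 -= s15 * 683901;
    s15 = 0;

    s2 += s14 * 666643;
    s3 += s14 * 470296;
    s4 += s14 * 654183;
    s5 -= s14 * 997805;
    s6 += s14 * 136657;
    s7 -= s14 * 683901;
    s14 = 0;

    s1 += s13 * 666643;
    s2 += s13 * 470296;
    s3 += s13 * 654183;
    s4 -= s13 * 997805;
    s5 += s13 * 136657;
    s6 -= s13 * 683901;
    s13 = 0;

    s0 += s12 * 666643;
    s1 += s12 * 470296;
    s2 += s12 * 654183;
    s3 -= s12 * 997805;
    s4 += s12 * 136657;
    s5 -= s12 * 683901;
    s12 = 0;

    /* Rounded carries: even limbs 0..10, then odd 1..11 (into s12). */
    carry0 = (s0 + (1 << 20)) >> 21;
    s1 += carry0;
    s0 -= sc_shl21(carry0);
    carry2 = (s2 + (1 << 20)) >> 21;
    s3 += carry2;
    s2 -= sc_shl21(carry2);
    carry4 = (s4 + (1 << 20)) >> 21;
    s5 += carry4;
    s4 -= sc_shl21(carry4);
    carry6 = (s6 + (1 << 20)) >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry8 = (s8 + (1 << 20)) >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry10 = (s10 + (1 << 20)) >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);

    carry1 = (s1 + (1 << 20)) >> 21;
    s2 += carry1;
    s1 -= sc_shl21(carry1);
    carry3 = (s3 + (1 << 20)) >> 21;
    s4 += carry3;
    s3 -= sc_shl21(carry3);
    carry5 = (s5 + (1 << 20)) >> 21;
    s6 += carry5;
    s5 -= sc_shl21(carry5);
    carry7 = (s7 + (1 << 20)) >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry9 = (s9 + (1 << 20)) >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry11 = (s11 + (1 << 20)) >> 21;
    s12 += carry11;
    s11 -= sc_shl21(carry11);

    /* Fold the carry that landed in s12. */
    s0 += s12 * 666643;
    s1 += s12 * 470296;
    s2 += s12 * 654183;
    s3 -= s12 * 997805;
    s4 += s12 * 136657;
    s5 -= s12 * 683901;
    s12 = 0;

    /* Floor carries 0..11: limbs 0..11 end up in [0, 2^21). */
    carry0 = s0 >> 21;
    s1 += carry0;
    s0 -= sc_shl21(carry0);
    carry1 = s1 >> 21;
    s2 += carry1;
    s1 -= sc_shl21(carry1);
    carry2 = s2 >> 21;
    s3 += carry2;
    s2 -= sc_shl21(carry2);
    carry3 = s3 >> 21;
    s4 += carry3;
    s3 -= sc_shl21(carry3);
    carry4 = s4 >> 21;
    s5 += carry4;
    s4 -= sc_shl21(carry4);
    carry5 = s5 >> 21;
    s6 += carry5;
    s5 -= sc_shl21(carry5);
    carry6 = s6 >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry7 = s7 >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry8 = s8 >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry9 = s9 >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry10 = s10 >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);
    carry11 = s11 >> 21;
    s12 += carry11;
    s11 -= sc_shl21(carry11);

    /* Fold the last carry out of s11. */
    s0 += s12 * 666643;
    s1 += s12 * 470296;
    s2 += s12 * 654183;
    s3 -= s12 * 997805;
    s4 += s12 * 136657;
    s5 -= s12 * 683901;
    s12 = 0;

    /* Final floor carries 0..10; s11 keeps whatever is carried into it. */
    carry0 = s0 >> 21;
    s1 += carry0;
    s0 -= sc_shl21(carry0);
    carry1 = s1 >> 21;
    s2 += carry1;
    s1 -= sc_shl21(carry1);
    carry2 = s2 >> 21;
    s3 += carry2;
    s2 -= sc_shl21(carry2);
    carry3 = s3 >> 21;
    s4 += carry3;
    s3 -= sc_shl21(carry3);
    carry4 = s4 >> 21;
    s5 += carry4;
    s4 -= sc_shl21(carry4);
    carry5 = s5 >> 21;
    s6 += carry5;
    s5 -= sc_shl21(carry5);
    carry6 = s6 >> 21;
    s7 += carry6;
    s6 -= sc_shl21(carry6);
    carry7 = s7 >> 21;
    s8 += carry7;
    s7 -= sc_shl21(carry7);
    carry8 = s8 >> 21;
    s9 += carry8;
    s8 -= sc_shl21(carry8);
    carry9 = s9 >> 21;
    s10 += carry9;
    s9 -= sc_shl21(carry9);
    carry10 = s10 >> 21;
    s11 += carry10;
    s10 -= sc_shl21(carry10);

    /*
     * Pack twelve 21-bit limbs into 32 bytes.  s0..s10 are in [0, 2^21)
     * after the floor carries, so the left shifts below act on non-negative
     * values.  NOTE(review): s11 is expected to be non-negative here as
     * well -- confirm against the reduction bound.
     */
    s[0] = (unsigned char) (s0 >> 0);
    s[1] = (unsigned char) (s0 >> 8);
    s[2] = (unsigned char) ((s0 >> 16) | (s1 << 5));
    s[3] = (unsigned char) (s1 >> 3);
    s[4] = (unsigned char) (s1 >> 11);
    s[5] = (unsigned char) ((s1 >> 19) | (s2 << 2));
    s[6] = (unsigned char) (s2 >> 6);
    s[7] = (unsigned char) ((s2 >> 14) | (s3 << 7));
    s[8] = (unsigned char) (s3 >> 1);
    s[9] = (unsigned char) (s3 >> 9);
    s[10] = (unsigned char) ((s3 >> 17) | (s4 << 4));
    s[11] = (unsigned char) (s4 >> 4);
    s[12] = (unsigned char) (s4 >> 12);
    s[13] = (unsigned char) ((s4 >> 20) | (s5 << 1));
    s[14] = (unsigned char) (s5 >> 7);
    s[15] = (unsigned char) ((s5 >> 15) | (s6 << 6));
    s[16] = (unsigned char) (s6 >> 2);
    s[17] = (unsigned char) (s6 >> 10);
    s[18] = (unsigned char) ((s6 >> 18) | (s7 << 3));
    s[19] = (unsigned char) (s7 >> 5);
    s[20] = (unsigned char) (s7 >> 13);
    s[21] = (unsigned char) (s8 >> 0);
    s[22] = (unsigned char) (s8 >> 8);
    s[23] = (unsigned char) ((s8 >> 16) | (s9 << 5));
    s[24] = (unsigned char) (s9 >> 3);
    s[25] = (unsigned char) (s9 >> 11);
    s[26] = (unsigned char) ((s9 >> 19) | (s10 << 2));
    s[27] = (unsigned char) (s10 >> 6);
    s[28] = (unsigned char) ((s10 >> 14) | (s11 << 7));
    s[29] = (unsigned char) (s11 >> 1);
    s[30] = (unsigned char) (s11 >> 9);
    s[31] = (unsigned char) (s11 >> 17);
}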