1 /* 2 * Copyright (c) 2015, Google Inc. 3 * 4 * Permission to use, copy, modify, and/or distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 11 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 13 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 14 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 */ 16 17 /* 18 * This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP 19 * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as 20 * public domain but this file has the ISC license just to keep licencing 21 * simple. 22 * 23 * The field functions are shared by Ed25519 and X25519 where possible. 24 */ 25 26 #include <stdlib.h> 27 #include <string.h> 28 29 #include <openssl/curve25519.h> 30 31 #ifdef ED25519 32 #include <openssl/sha.h> 33 #endif 34 35 #include "curve25519_internal.h" 36 37 static const int64_t kBottom25Bits = 0x1ffffffLL; 38 static const int64_t kBottom26Bits = 0x3ffffffLL; 39 static const int64_t kTop39Bits = 0xfffffffffe000000LL; 40 static const int64_t kTop38Bits = 0xfffffffffc000000LL; 41 42 static uint64_t load_3(const uint8_t *in) { 43 uint64_t result; 44 result = (uint64_t)in[0]; 45 result |= ((uint64_t)in[1]) << 8; 46 result |= ((uint64_t)in[2]) << 16; 47 return result; 48 } 49 50 static uint64_t load_4(const uint8_t *in) { 51 uint64_t result; 52 result = (uint64_t)in[0]; 53 result |= ((uint64_t)in[1]) << 8; 54 result |= ((uint64_t)in[2]) << 16; 55 result |= ((uint64_t)in[3]) << 24; 56 return result; 57 } 58 59 static void fe_frombytes(fe h, const uint8_t *s) { 60 /* Ignores top bit of h. */ 61 int64_t h0 = load_4(s); 62 int64_t h1 = load_3(s + 4) << 6; 63 int64_t h2 = load_3(s + 7) << 5; 64 int64_t h3 = load_3(s + 10) << 3; 65 int64_t h4 = load_3(s + 13) << 2; 66 int64_t h5 = load_4(s + 16); 67 int64_t h6 = load_3(s + 20) << 7; 68 int64_t h7 = load_3(s + 23) << 5; 69 int64_t h8 = load_3(s + 26) << 4; 70 int64_t h9 = (load_3(s + 29) & 8388607) << 2; 71 int64_t carry0; 72 int64_t carry1; 73 int64_t carry2; 74 int64_t carry3; 75 int64_t carry4; 76 int64_t carry5; 77 int64_t carry6; 78 int64_t carry7; 79 int64_t carry8; 80 int64_t carry9; 81 82 carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits; 83 carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits; 84 carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits; 85 carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits; 86 carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits; 87 88 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 89 carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits; 90 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 91 carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits; 92 carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits; 93 94 h[0] = h0; 95 h[1] = h1; 96 h[2] = h2; 97 h[3] = h3; 98 h[4] = h4; 99 h[5] = h5; 100 h[6] = h6; 101 h[7] = h7; 102 h[8] = h8; 103 h[9] = h9; 104 } 105 106 /* Preconditions: 107 * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 108 * 109 * Write p=2^255-19; q=floor(h/p). 110 * Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). 111 * 112 * Proof: 113 * Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. 114 * Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. 115 * 116 * Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). 117 * Then 0<y<1. 118 * 119 * Write r=h-pq. 120 * Have 0<=r<=p-1=2^255-20. 121 * Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1. 122 * 123 * Write x=r+19(2^-255)r+y. 124 * Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q. 125 * 126 * Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1)) 127 * so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. */ 128 static void fe_tobytes(uint8_t *s, const fe h) { 129 int32_t h0 = h[0]; 130 int32_t h1 = h[1]; 131 int32_t h2 = h[2]; 132 int32_t h3 = h[3]; 133 int32_t h4 = h[4]; 134 int32_t h5 = h[5]; 135 int32_t h6 = h[6]; 136 int32_t h7 = h[7]; 137 int32_t h8 = h[8]; 138 int32_t h9 = h[9]; 139 int32_t q; 140 141 q = (19 * h9 + (((int32_t) 1) << 24)) >> 25; 142 q = (h0 + q) >> 26; 143 q = (h1 + q) >> 25; 144 q = (h2 + q) >> 26; 145 q = (h3 + q) >> 25; 146 q = (h4 + q) >> 26; 147 q = (h5 + q) >> 25; 148 q = (h6 + q) >> 26; 149 q = (h7 + q) >> 25; 150 q = (h8 + q) >> 26; 151 q = (h9 + q) >> 25; 152 153 /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ 154 h0 += 19 * q; 155 /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ 156 157 h1 += h0 >> 26; h0 &= kBottom26Bits; 158 h2 += h1 >> 25; h1 &= kBottom25Bits; 159 h3 += h2 >> 26; h2 &= kBottom26Bits; 160 h4 += h3 >> 25; h3 &= kBottom25Bits; 161 h5 += h4 >> 26; h4 &= kBottom26Bits; 162 h6 += h5 >> 25; h5 &= kBottom25Bits; 163 h7 += h6 >> 26; h6 &= kBottom26Bits; 164 h8 += h7 >> 25; h7 &= kBottom25Bits; 165 h9 += h8 >> 26; h8 &= kBottom26Bits; 166 h9 &= kBottom25Bits; 167 /* h10 = carry9 */ 168 169 /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. 170 * Have h0+...+2^230 h9 between 0 and 2^255-1; 171 * evidently 2^255 h10-2^255 q = 0. 172 * Goal: Output h0+...+2^230 h9. */ 173 174 s[0] = h0 >> 0; 175 s[1] = h0 >> 8; 176 s[2] = h0 >> 16; 177 s[3] = (h0 >> 24) | ((uint32_t)(h1) << 2); 178 s[4] = h1 >> 6; 179 s[5] = h1 >> 14; 180 s[6] = (h1 >> 22) | ((uint32_t)(h2) << 3); 181 s[7] = h2 >> 5; 182 s[8] = h2 >> 13; 183 s[9] = (h2 >> 21) | ((uint32_t)(h3) << 5); 184 s[10] = h3 >> 3; 185 s[11] = h3 >> 11; 186 s[12] = (h3 >> 19) | ((uint32_t)(h4) << 6); 187 s[13] = h4 >> 2; 188 s[14] = h4 >> 10; 189 s[15] = h4 >> 18; 190 s[16] = h5 >> 0; 191 s[17] = h5 >> 8; 192 s[18] = h5 >> 16; 193 s[19] = (h5 >> 24) | ((uint32_t)(h6) << 1); 194 s[20] = h6 >> 7; 195 s[21] = h6 >> 15; 196 s[22] = (h6 >> 23) | ((uint32_t)(h7) << 3); 197 s[23] = h7 >> 5; 198 s[24] = h7 >> 13; 199 s[25] = (h7 >> 21) | ((uint32_t)(h8) << 4); 200 s[26] = h8 >> 4; 201 s[27] = h8 >> 12; 202 s[28] = (h8 >> 20) | ((uint32_t)(h9) << 6); 203 s[29] = h9 >> 2; 204 s[30] = h9 >> 10; 205 s[31] = h9 >> 18; 206 } 207 208 /* h = f */ 209 static void fe_copy(fe h, const fe f) { 210 memmove(h, f, sizeof(int32_t) * 10); 211 } 212 213 /* h = 0 */ 214 static void fe_0(fe h) { memset(h, 0, sizeof(int32_t) * 10); } 215 216 /* h = 1 */ 217 static void fe_1(fe h) { 218 memset(h, 0, sizeof(int32_t) * 10); 219 h[0] = 1; 220 } 221 222 /* h = f + g 223 * Can overlap h with f or g. 224 * 225 * Preconditions: 226 * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 227 * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 228 * 229 * Postconditions: 230 * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */ 231 static void fe_add(fe h, const fe f, const fe g) { 232 unsigned i; 233 for (i = 0; i < 10; i++) { 234 h[i] = f[i] + g[i]; 235 } 236 } 237 238 /* h = f - g 239 * Can overlap h with f or g. 240 * 241 * Preconditions: 242 * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 243 * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 244 * 245 * Postconditions: 246 * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */ 247 static void fe_sub(fe h, const fe f, const fe g) { 248 unsigned i; 249 for (i = 0; i < 10; i++) { 250 h[i] = f[i] - g[i]; 251 } 252 } 253 254 /* h = f * g 255 * Can overlap h with f or g. 256 * 257 * Preconditions: 258 * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. 259 * |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. 260 * 261 * Postconditions: 262 * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. 263 * 264 * Notes on implementation strategy: 265 * 266 * Using schoolbook multiplication. 267 * Karatsuba would save a little in some cost models. 268 * 269 * Most multiplications by 2 and 19 are 32-bit precomputations; 270 * cheaper than 64-bit postcomputations. 271 * 272 * There is one remaining multiplication by 19 in the carry chain; 273 * one *19 precomputation can be merged into this, 274 * but the resulting data flow is considerably less clean. 275 * 276 * There are 12 carries below. 277 * 10 of them are 2-way parallelizable and vectorizable. 278 * Can get away with 11 carries, but then data flow is much deeper. 279 * 280 * With tighter constraints on inputs can squeeze carries into int32. */ 281 static void fe_mul(fe h, const fe f, const fe g) { 282 int32_t f0 = f[0]; 283 int32_t f1 = f[1]; 284 int32_t f2 = f[2]; 285 int32_t f3 = f[3]; 286 int32_t f4 = f[4]; 287 int32_t f5 = f[5]; 288 int32_t f6 = f[6]; 289 int32_t f7 = f[7]; 290 int32_t f8 = f[8]; 291 int32_t f9 = f[9]; 292 int32_t g0 = g[0]; 293 int32_t g1 = g[1]; 294 int32_t g2 = g[2]; 295 int32_t g3 = g[3]; 296 int32_t g4 = g[4]; 297 int32_t g5 = g[5]; 298 int32_t g6 = g[6]; 299 int32_t g7 = g[7]; 300 int32_t g8 = g[8]; 301 int32_t g9 = g[9]; 302 int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */ 303 int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ 304 int32_t g3_19 = 19 * g3; 305 int32_t g4_19 = 19 * g4; 306 int32_t g5_19 = 19 * g5; 307 int32_t g6_19 = 19 * g6; 308 int32_t g7_19 = 19 * g7; 309 int32_t g8_19 = 19 * g8; 310 int32_t g9_19 = 19 * g9; 311 int32_t f1_2 = 2 * f1; 312 int32_t f3_2 = 2 * f3; 313 int32_t f5_2 = 2 * f5; 314 int32_t f7_2 = 2 * f7; 315 int32_t f9_2 = 2 * f9; 316 int64_t f0g0 = f0 * (int64_t) g0; 317 int64_t f0g1 = f0 * (int64_t) g1; 318 int64_t f0g2 = f0 * (int64_t) g2; 319 int64_t f0g3 = f0 * (int64_t) g3; 320 int64_t f0g4 = f0 * (int64_t) g4; 321 int64_t f0g5 = f0 * (int64_t) g5; 322 int64_t f0g6 = f0 * (int64_t) g6; 323 int64_t f0g7 = f0 * (int64_t) g7; 324 int64_t f0g8 = f0 * (int64_t) g8; 325 int64_t f0g9 = f0 * (int64_t) g9; 326 int64_t f1g0 = f1 * (int64_t) g0; 327 int64_t f1g1_2 = f1_2 * (int64_t) g1; 328 int64_t f1g2 = f1 * (int64_t) g2; 329 int64_t f1g3_2 = f1_2 * (int64_t) g3; 330 int64_t f1g4 = f1 * (int64_t) g4; 331 int64_t f1g5_2 = f1_2 * (int64_t) g5; 332 int64_t f1g6 = f1 * (int64_t) g6; 333 int64_t f1g7_2 = f1_2 * (int64_t) g7; 334 int64_t f1g8 = f1 * (int64_t) g8; 335 int64_t f1g9_38 = f1_2 * (int64_t) g9_19; 336 int64_t f2g0 = f2 * (int64_t) g0; 337 int64_t f2g1 = f2 * (int64_t) g1; 338 int64_t f2g2 = f2 * (int64_t) g2; 339 int64_t f2g3 = f2 * (int64_t) g3; 340 int64_t f2g4 = f2 * (int64_t) g4; 341 int64_t f2g5 = f2 * (int64_t) g5; 342 int64_t f2g6 = f2 * (int64_t) g6; 343 int64_t f2g7 = f2 * (int64_t) g7; 344 int64_t f2g8_19 = f2 * (int64_t) g8_19; 345 int64_t f2g9_19 = f2 * (int64_t) g9_19; 346 int64_t f3g0 = f3 * (int64_t) g0; 347 int64_t f3g1_2 = f3_2 * (int64_t) g1; 348 int64_t f3g2 = f3 * (int64_t) g2; 349 int64_t f3g3_2 = f3_2 * (int64_t) g3; 350 int64_t f3g4 = f3 * (int64_t) g4; 351 int64_t f3g5_2 = f3_2 * (int64_t) g5; 352 int64_t f3g6 = f3 * (int64_t) g6; 353 int64_t f3g7_38 = f3_2 * (int64_t) g7_19; 354 int64_t f3g8_19 = f3 * (int64_t) g8_19; 355 int64_t f3g9_38 = f3_2 * (int64_t) g9_19; 356 int64_t f4g0 = f4 * (int64_t) g0; 357 int64_t f4g1 = f4 * (int64_t) g1; 358 int64_t f4g2 = f4 * (int64_t) g2; 359 int64_t f4g3 = f4 * (int64_t) g3; 360 int64_t f4g4 = f4 * (int64_t) g4; 361 int64_t f4g5 = f4 * (int64_t) g5; 362 int64_t f4g6_19 = f4 * (int64_t) g6_19; 363 int64_t f4g7_19 = f4 * (int64_t) g7_19; 364 int64_t f4g8_19 = f4 * (int64_t) g8_19; 365 int64_t f4g9_19 = f4 * (int64_t) g9_19; 366 int64_t f5g0 = f5 * (int64_t) g0; 367 int64_t f5g1_2 = f5_2 * (int64_t) g1; 368 int64_t f5g2 = f5 * (int64_t) g2; 369 int64_t f5g3_2 = f5_2 * (int64_t) g3; 370 int64_t f5g4 = f5 * (int64_t) g4; 371 int64_t f5g5_38 = f5_2 * (int64_t) g5_19; 372 int64_t f5g6_19 = f5 * (int64_t) g6_19; 373 int64_t f5g7_38 = f5_2 * (int64_t) g7_19; 374 int64_t f5g8_19 = f5 * (int64_t) g8_19; 375 int64_t f5g9_38 = f5_2 * (int64_t) g9_19; 376 int64_t f6g0 = f6 * (int64_t) g0; 377 int64_t f6g1 = f6 * (int64_t) g1; 378 int64_t f6g2 = f6 * (int64_t) g2; 379 int64_t f6g3 = f6 * (int64_t) g3; 380 int64_t f6g4_19 = f6 * (int64_t) g4_19; 381 int64_t f6g5_19 = f6 * (int64_t) g5_19; 382 int64_t f6g6_19 = f6 * (int64_t) g6_19; 383 int64_t f6g7_19 = f6 * (int64_t) g7_19; 384 int64_t f6g8_19 = f6 * (int64_t) g8_19; 385 int64_t f6g9_19 = f6 * (int64_t) g9_19; 386 int64_t f7g0 = f7 * (int64_t) g0; 387 int64_t f7g1_2 = f7_2 * (int64_t) g1; 388 int64_t f7g2 = f7 * (int64_t) g2; 389 int64_t f7g3_38 = f7_2 * (int64_t) g3_19; 390 int64_t f7g4_19 = f7 * (int64_t) g4_19; 391 int64_t f7g5_38 = f7_2 * (int64_t) g5_19; 392 int64_t f7g6_19 = f7 * (int64_t) g6_19; 393 int64_t f7g7_38 = f7_2 * (int64_t) g7_19; 394 int64_t f7g8_19 = f7 * (int64_t) g8_19; 395 int64_t f7g9_38 = f7_2 * (int64_t) g9_19; 396 int64_t f8g0 = f8 * (int64_t) g0; 397 int64_t f8g1 = f8 * (int64_t) g1; 398 int64_t f8g2_19 = f8 * (int64_t) g2_19; 399 int64_t f8g3_19 = f8 * (int64_t) g3_19; 400 int64_t f8g4_19 = f8 * (int64_t) g4_19; 401 int64_t f8g5_19 = f8 * (int64_t) g5_19; 402 int64_t f8g6_19 = f8 * (int64_t) g6_19; 403 int64_t f8g7_19 = f8 * (int64_t) g7_19; 404 int64_t f8g8_19 = f8 * (int64_t) g8_19; 405 int64_t f8g9_19 = f8 * (int64_t) g9_19; 406 int64_t f9g0 = f9 * (int64_t) g0; 407 int64_t f9g1_38 = f9_2 * (int64_t) g1_19; 408 int64_t f9g2_19 = f9 * (int64_t) g2_19; 409 int64_t f9g3_38 = f9_2 * (int64_t) g3_19; 410 int64_t f9g4_19 = f9 * (int64_t) g4_19; 411 int64_t f9g5_38 = f9_2 * (int64_t) g5_19; 412 int64_t f9g6_19 = f9 * (int64_t) g6_19; 413 int64_t f9g7_38 = f9_2 * (int64_t) g7_19; 414 int64_t f9g8_19 = f9 * (int64_t) g8_19; 415 int64_t f9g9_38 = f9_2 * (int64_t) g9_19; 416 int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; 417 int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; 418 int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; 419 int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; 420 int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; 421 int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; 422 int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; 423 int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; 424 int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38; 425 int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; 426 int64_t carry0; 427 int64_t carry1; 428 int64_t carry2; 429 int64_t carry3; 430 int64_t carry4; 431 int64_t carry5; 432 int64_t carry6; 433 int64_t carry7; 434 int64_t carry8; 435 int64_t carry9; 436 437 /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) 438 * i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 439 * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) 440 * i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */ 441 442 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 443 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 444 /* |h0| <= 2^25 */ 445 /* |h4| <= 2^25 */ 446 /* |h1| <= 1.71*2^59 */ 447 /* |h5| <= 1.71*2^59 */ 448 449 carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits; 450 carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits; 451 /* |h1| <= 2^24; from now on fits into int32 */ 452 /* |h5| <= 2^24; from now on fits into int32 */ 453 /* |h2| <= 1.41*2^60 */ 454 /* |h6| <= 1.41*2^60 */ 455 456 carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits; 457 carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits; 458 /* |h2| <= 2^25; from now on fits into int32 unchanged */ 459 /* |h6| <= 2^25; from now on fits into int32 unchanged */ 460 /* |h3| <= 1.71*2^59 */ 461 /* |h7| <= 1.71*2^59 */ 462 463 carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits; 464 carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits; 465 /* |h3| <= 2^24; from now on fits into int32 unchanged */ 466 /* |h7| <= 2^24; from now on fits into int32 unchanged */ 467 /* |h4| <= 1.72*2^34 */ 468 /* |h8| <= 1.41*2^60 */ 469 470 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 471 carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits; 472 /* |h4| <= 2^25; from now on fits into int32 unchanged */ 473 /* |h8| <= 2^25; from now on fits into int32 unchanged */ 474 /* |h5| <= 1.01*2^24 */ 475 /* |h9| <= 1.71*2^59 */ 476 477 carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits; 478 /* |h9| <= 2^24; from now on fits into int32 unchanged */ 479 /* |h0| <= 1.1*2^39 */ 480 481 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 482 /* |h0| <= 2^25; from now on fits into int32 unchanged */ 483 /* |h1| <= 1.01*2^24 */ 484 485 h[0] = h0; 486 h[1] = h1; 487 h[2] = h2; 488 h[3] = h3; 489 h[4] = h4; 490 h[5] = h5; 491 h[6] = h6; 492 h[7] = h7; 493 h[8] = h8; 494 h[9] = h9; 495 } 496 497 /* h = f * f 498 * Can overlap h with f. 499 * 500 * Preconditions: 501 * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. 502 * 503 * Postconditions: 504 * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. 505 * 506 * See fe_mul.c for discussion of implementation strategy. */ 507 static void fe_sq(fe h, const fe f) { 508 int32_t f0 = f[0]; 509 int32_t f1 = f[1]; 510 int32_t f2 = f[2]; 511 int32_t f3 = f[3]; 512 int32_t f4 = f[4]; 513 int32_t f5 = f[5]; 514 int32_t f6 = f[6]; 515 int32_t f7 = f[7]; 516 int32_t f8 = f[8]; 517 int32_t f9 = f[9]; 518 int32_t f0_2 = 2 * f0; 519 int32_t f1_2 = 2 * f1; 520 int32_t f2_2 = 2 * f2; 521 int32_t f3_2 = 2 * f3; 522 int32_t f4_2 = 2 * f4; 523 int32_t f5_2 = 2 * f5; 524 int32_t f6_2 = 2 * f6; 525 int32_t f7_2 = 2 * f7; 526 int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ 527 int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ 528 int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ 529 int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ 530 int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ 531 int64_t f0f0 = f0 * (int64_t) f0; 532 int64_t f0f1_2 = f0_2 * (int64_t) f1; 533 int64_t f0f2_2 = f0_2 * (int64_t) f2; 534 int64_t f0f3_2 = f0_2 * (int64_t) f3; 535 int64_t f0f4_2 = f0_2 * (int64_t) f4; 536 int64_t f0f5_2 = f0_2 * (int64_t) f5; 537 int64_t f0f6_2 = f0_2 * (int64_t) f6; 538 int64_t f0f7_2 = f0_2 * (int64_t) f7; 539 int64_t f0f8_2 = f0_2 * (int64_t) f8; 540 int64_t f0f9_2 = f0_2 * (int64_t) f9; 541 int64_t f1f1_2 = f1_2 * (int64_t) f1; 542 int64_t f1f2_2 = f1_2 * (int64_t) f2; 543 int64_t f1f3_4 = f1_2 * (int64_t) f3_2; 544 int64_t f1f4_2 = f1_2 * (int64_t) f4; 545 int64_t f1f5_4 = f1_2 * (int64_t) f5_2; 546 int64_t f1f6_2 = f1_2 * (int64_t) f6; 547 int64_t f1f7_4 = f1_2 * (int64_t) f7_2; 548 int64_t f1f8_2 = f1_2 * (int64_t) f8; 549 int64_t f1f9_76 = f1_2 * (int64_t) f9_38; 550 int64_t f2f2 = f2 * (int64_t) f2; 551 int64_t f2f3_2 = f2_2 * (int64_t) f3; 552 int64_t f2f4_2 = f2_2 * (int64_t) f4; 553 int64_t f2f5_2 = f2_2 * (int64_t) f5; 554 int64_t f2f6_2 = f2_2 * (int64_t) f6; 555 int64_t f2f7_2 = f2_2 * (int64_t) f7; 556 int64_t f2f8_38 = f2_2 * (int64_t) f8_19; 557 int64_t f2f9_38 = f2 * (int64_t) f9_38; 558 int64_t f3f3_2 = f3_2 * (int64_t) f3; 559 int64_t f3f4_2 = f3_2 * (int64_t) f4; 560 int64_t f3f5_4 = f3_2 * (int64_t) f5_2; 561 int64_t f3f6_2 = f3_2 * (int64_t) f6; 562 int64_t f3f7_76 = f3_2 * (int64_t) f7_38; 563 int64_t f3f8_38 = f3_2 * (int64_t) f8_19; 564 int64_t f3f9_76 = f3_2 * (int64_t) f9_38; 565 int64_t f4f4 = f4 * (int64_t) f4; 566 int64_t f4f5_2 = f4_2 * (int64_t) f5; 567 int64_t f4f6_38 = f4_2 * (int64_t) f6_19; 568 int64_t f4f7_38 = f4 * (int64_t) f7_38; 569 int64_t f4f8_38 = f4_2 * (int64_t) f8_19; 570 int64_t f4f9_38 = f4 * (int64_t) f9_38; 571 int64_t f5f5_38 = f5 * (int64_t) f5_38; 572 int64_t f5f6_38 = f5_2 * (int64_t) f6_19; 573 int64_t f5f7_76 = f5_2 * (int64_t) f7_38; 574 int64_t f5f8_38 = f5_2 * (int64_t) f8_19; 575 int64_t f5f9_76 = f5_2 * (int64_t) f9_38; 576 int64_t f6f6_19 = f6 * (int64_t) f6_19; 577 int64_t f6f7_38 = f6 * (int64_t) f7_38; 578 int64_t f6f8_38 = f6_2 * (int64_t) f8_19; 579 int64_t f6f9_38 = f6 * (int64_t) f9_38; 580 int64_t f7f7_38 = f7 * (int64_t) f7_38; 581 int64_t f7f8_38 = f7_2 * (int64_t) f8_19; 582 int64_t f7f9_76 = f7_2 * (int64_t) f9_38; 583 int64_t f8f8_19 = f8 * (int64_t) f8_19; 584 int64_t f8f9_38 = f8 * (int64_t) f9_38; 585 int64_t f9f9_38 = f9 * (int64_t) f9_38; 586 int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; 587 int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; 588 int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; 589 int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; 590 int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; 591 int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; 592 int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; 593 int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; 594 int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; 595 int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; 596 int64_t carry0; 597 int64_t carry1; 598 int64_t carry2; 599 int64_t carry3; 600 int64_t carry4; 601 int64_t carry5; 602 int64_t carry6; 603 int64_t carry7; 604 int64_t carry8; 605 int64_t carry9; 606 607 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 608 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 609 610 carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits; 611 carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits; 612 613 carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits; 614 carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits; 615 616 carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits; 617 carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits; 618 619 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 620 carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits; 621 622 carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits; 623 624 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 625 626 h[0] = h0; 627 h[1] = h1; 628 h[2] = h2; 629 h[3] = h3; 630 h[4] = h4; 631 h[5] = h5; 632 h[6] = h6; 633 h[7] = h7; 634 h[8] = h8; 635 h[9] = h9; 636 } 637 638 static void fe_invert(fe out, const fe z) { 639 fe t0; 640 fe t1; 641 fe t2; 642 fe t3; 643 int i; 644 645 fe_sq(t0, z); 646 for (i = 1; i < 1; ++i) { 647 fe_sq(t0, t0); 648 } 649 fe_sq(t1, t0); 650 for (i = 1; i < 2; ++i) { 651 fe_sq(t1, t1); 652 } 653 fe_mul(t1, z, t1); 654 fe_mul(t0, t0, t1); 655 fe_sq(t2, t0); 656 for (i = 1; i < 1; ++i) { 657 fe_sq(t2, t2); 658 } 659 fe_mul(t1, t1, t2); 660 fe_sq(t2, t1); 661 for (i = 1; i < 5; ++i) { 662 fe_sq(t2, t2); 663 } 664 fe_mul(t1, t2, t1); 665 fe_sq(t2, t1); 666 for (i = 1; i < 10; ++i) { 667 fe_sq(t2, t2); 668 } 669 fe_mul(t2, t2, t1); 670 fe_sq(t3, t2); 671 for (i = 1; i < 20; ++i) { 672 fe_sq(t3, t3); 673 } 674 fe_mul(t2, t3, t2); 675 fe_sq(t2, t2); 676 for (i = 1; i < 10; ++i) { 677 fe_sq(t2, t2); 678 } 679 fe_mul(t1, t2, t1); 680 fe_sq(t2, t1); 681 for (i = 1; i < 50; ++i) { 682 fe_sq(t2, t2); 683 } 684 fe_mul(t2, t2, t1); 685 fe_sq(t3, t2); 686 for (i = 1; i < 100; ++i) { 687 fe_sq(t3, t3); 688 } 689 fe_mul(t2, t3, t2); 690 fe_sq(t2, t2); 691 for (i = 1; i < 50; ++i) { 692 fe_sq(t2, t2); 693 } 694 fe_mul(t1, t2, t1); 695 fe_sq(t1, t1); 696 for (i = 1; i < 5; ++i) { 697 fe_sq(t1, t1); 698 } 699 fe_mul(out, t1, t0); 700 } 701 702 /* h = -f 703 * 704 * Preconditions: 705 * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 706 * 707 * Postconditions: 708 * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */ 709 static void fe_neg(fe h, const fe f) { 710 unsigned i; 711 for (i = 0; i < 10; i++) { 712 h[i] = -f[i]; 713 } 714 } 715 716 /* Replace (f,g) with (g,g) if b == 1; 717 * replace (f,g) with (f,g) if b == 0. 718 * 719 * Preconditions: b in {0,1}. */ 720 static void fe_cmov(fe f, const fe g, unsigned b) { 721 b = 0-b; 722 unsigned i; 723 for (i = 0; i < 10; i++) { 724 int32_t x = f[i] ^ g[i]; 725 x &= b; 726 f[i] ^= x; 727 } 728 } 729 730 /* return 0 if f == 0 731 * return 1 if f != 0 732 * 733 * Preconditions: 734 * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */ 735 static int fe_isnonzero(const fe f) { 736 uint8_t s[32]; 737 fe_tobytes(s, f); 738 739 static const uint8_t zero[32] = {0}; 740 return timingsafe_memcmp(s, zero, sizeof(zero)) != 0; 741 } 742 743 /* return 1 if f is in {1,3,5,...,q-2} 744 * return 0 if f is in {0,2,4,...,q-1} 745 * 746 * Preconditions: 747 * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */ 748 static int fe_isnegative(const fe f) { 749 uint8_t s[32]; 750 fe_tobytes(s, f); 751 return s[0] & 1; 752 } 753 754 /* h = 2 * f * f 755 * Can overlap h with f. 756 * 757 * Preconditions: 758 * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. 759 * 760 * Postconditions: 761 * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. 762 * 763 * See fe_mul.c for discussion of implementation strategy. */ 764 static void fe_sq2(fe h, const fe f) { 765 int32_t f0 = f[0]; 766 int32_t f1 = f[1]; 767 int32_t f2 = f[2]; 768 int32_t f3 = f[3]; 769 int32_t f4 = f[4]; 770 int32_t f5 = f[5]; 771 int32_t f6 = f[6]; 772 int32_t f7 = f[7]; 773 int32_t f8 = f[8]; 774 int32_t f9 = f[9]; 775 int32_t f0_2 = 2 * f0; 776 int32_t f1_2 = 2 * f1; 777 int32_t f2_2 = 2 * f2; 778 int32_t f3_2 = 2 * f3; 779 int32_t f4_2 = 2 * f4; 780 int32_t f5_2 = 2 * f5; 781 int32_t f6_2 = 2 * f6; 782 int32_t f7_2 = 2 * f7; 783 int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ 784 int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ 785 int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ 786 int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ 787 int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ 788 int64_t f0f0 = f0 * (int64_t) f0; 789 int64_t f0f1_2 = f0_2 * (int64_t) f1; 790 int64_t f0f2_2 = f0_2 * (int64_t) f2; 791 int64_t f0f3_2 = f0_2 * (int64_t) f3; 792 int64_t f0f4_2 = f0_2 * (int64_t) f4; 793 int64_t f0f5_2 = f0_2 * (int64_t) f5; 794 int64_t f0f6_2 = f0_2 * (int64_t) f6; 795 int64_t f0f7_2 = f0_2 * (int64_t) f7; 796 int64_t f0f8_2 = f0_2 * (int64_t) f8; 797 int64_t f0f9_2 = f0_2 * (int64_t) f9; 798 int64_t f1f1_2 = f1_2 * (int64_t) f1; 799 int64_t f1f2_2 = f1_2 * (int64_t) f2; 800 int64_t f1f3_4 = f1_2 * (int64_t) f3_2; 801 int64_t f1f4_2 = f1_2 * (int64_t) f4; 802 int64_t f1f5_4 = f1_2 * (int64_t) f5_2; 803 int64_t f1f6_2 = f1_2 * (int64_t) f6; 804 int64_t f1f7_4 = f1_2 * (int64_t) f7_2; 805 int64_t f1f8_2 = f1_2 * (int64_t) f8; 806 int64_t f1f9_76 = f1_2 * (int64_t) f9_38; 807 int64_t f2f2 = f2 * (int64_t) f2; 808 int64_t f2f3_2 = f2_2 * (int64_t) f3; 809 int64_t f2f4_2 = f2_2 * (int64_t) f4; 810 int64_t f2f5_2 = f2_2 * (int64_t) f5; 811 int64_t f2f6_2 = f2_2 * (int64_t) f6; 812 int64_t f2f7_2 = f2_2 * (int64_t) f7; 813 int64_t f2f8_38 = f2_2 * (int64_t) f8_19; 814 int64_t f2f9_38 = f2 * (int64_t) f9_38; 815 int64_t f3f3_2 = f3_2 * (int64_t) f3; 816 int64_t f3f4_2 = f3_2 * (int64_t) f4; 817 int64_t f3f5_4 = f3_2 * (int64_t) f5_2; 818 int64_t f3f6_2 = f3_2 * (int64_t) f6; 819 int64_t f3f7_76 = f3_2 * (int64_t) f7_38; 820 int64_t f3f8_38 = f3_2 * (int64_t) f8_19; 821 int64_t f3f9_76 = f3_2 * (int64_t) f9_38; 822 int64_t f4f4 = f4 * (int64_t) f4; 823 int64_t f4f5_2 = f4_2 * (int64_t) f5; 824 int64_t f4f6_38 = f4_2 * (int64_t) f6_19; 825 int64_t f4f7_38 = f4 * (int64_t) f7_38; 826 int64_t f4f8_38 = f4_2 * (int64_t) f8_19; 827 int64_t f4f9_38 = f4 * (int64_t) f9_38; 828 int64_t f5f5_38 = f5 * (int64_t) f5_38; 829 int64_t f5f6_38 = f5_2 * (int64_t) f6_19; 830 int64_t f5f7_76 = f5_2 * (int64_t) f7_38; 831 int64_t f5f8_38 = f5_2 * (int64_t) f8_19; 832 int64_t f5f9_76 = f5_2 * (int64_t) f9_38; 833 int64_t f6f6_19 = f6 * (int64_t) f6_19; 834 int64_t f6f7_38 = f6 * (int64_t) f7_38; 835 int64_t f6f8_38 = f6_2 * (int64_t) f8_19; 836 int64_t f6f9_38 = f6 * (int64_t) f9_38; 837 int64_t f7f7_38 = f7 * (int64_t) f7_38; 838 int64_t f7f8_38 = f7_2 * (int64_t) f8_19; 839 int64_t f7f9_76 = f7_2 * (int64_t) f9_38; 840 int64_t f8f8_19 = f8 * (int64_t) f8_19; 841 int64_t f8f9_38 = f8 * (int64_t) f9_38; 842 int64_t f9f9_38 = f9 * (int64_t) f9_38; 843 int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; 844 int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; 845 int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; 846 int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; 847 int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; 848 int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; 849 int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; 850 int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; 851 int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; 852 int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; 853 int64_t carry0; 854 int64_t carry1; 855 int64_t carry2; 856 int64_t carry3; 857 int64_t carry4; 858 int64_t carry5; 859 int64_t carry6; 860 int64_t carry7; 861 int64_t carry8; 862 int64_t carry9; 863 864 h0 += h0; 865 h1 += h1; 866 h2 += h2; 867 h3 += h3; 868 h4 += h4; 869 h5 += h5; 870 h6 += h6; 871 h7 += h7; 872 h8 += h8; 873 h9 += h9; 874 875 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 876 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 877 878 carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits; 879 carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits; 880 881 carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits; 882 carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits; 883 884 carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits; 885 carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits; 886 887 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 888 carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits; 889 890 carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits; 891 892 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 893 894 h[0] = h0; 895 h[1] = h1; 896 h[2] = h2; 897 h[3] = h3; 898 h[4] = h4; 899 h[5] = h5; 900 h[6] = h6; 901 h[7] = h7; 902 h[8] = h8; 903 h[9] = h9; 904 } 905 906 static void fe_pow22523(fe out, const fe z) { 907 fe t0; 908 fe t1; 909 fe t2; 910 int i; 911 912 fe_sq(t0, z); 913 for (i = 1; i < 1; ++i) { 914 fe_sq(t0, t0); 915 } 916 fe_sq(t1, t0); 917 for (i = 1; i < 2; ++i) { 918 fe_sq(t1, t1); 919 } 920 fe_mul(t1, z, t1); 921 fe_mul(t0, t0, t1); 922 fe_sq(t0, t0); 923 for (i = 1; i < 1; ++i) { 924 fe_sq(t0, t0); 925 } 926 fe_mul(t0, t1, t0); 927 fe_sq(t1, t0); 928 for (i = 1; i < 5; ++i) { 929 fe_sq(t1, t1); 930 } 931 fe_mul(t0, t1, t0); 932 fe_sq(t1, t0); 933 for (i = 1; i < 10; ++i) { 934 fe_sq(t1, t1); 935 } 936 fe_mul(t1, t1, t0); 937 fe_sq(t2, t1); 938 for (i = 1; i < 20; ++i) { 939 fe_sq(t2, t2); 940 } 941 fe_mul(t1, t2, t1); 942 fe_sq(t1, t1); 943 for (i = 1; i < 10; ++i) { 944 fe_sq(t1, t1); 945 } 946 fe_mul(t0, t1, t0); 947 fe_sq(t1, t0); 948 for (i = 1; i < 50; ++i) { 949 fe_sq(t1, t1); 950 } 951 fe_mul(t1, t1, t0); 952 fe_sq(t2, t1); 953 for (i = 1; i < 100; ++i) { 954 fe_sq(t2, t2); 955 } 956 fe_mul(t1, t2, t1); 957 fe_sq(t1, t1); 958 for (i = 1; i < 50; ++i) { 959 fe_sq(t1, t1); 960 } 961 fe_mul(t0, t1, t0); 962 fe_sq(t0, t0); 963 for (i = 1; i < 2; ++i) { 964 fe_sq(t0, t0); 965 } 966 fe_mul(out, t0, z); 967 } 968 969 void x25519_ge_tobytes(uint8_t *s, const ge_p2 *h) { 970 fe recip; 971 fe x; 972 fe y; 973 974 fe_invert(recip, h->Z); 975 fe_mul(x, h->X, recip); 976 fe_mul(y, h->Y, recip); 977 fe_tobytes(s, y); 978 s[31] ^= fe_isnegative(x) << 7; 979 } 980 981 #ifdef ED25519 982 static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) { 983 fe recip; 984 fe x; 985 fe y; 986 987 fe_invert(recip, h->Z); 988 fe_mul(x, h->X, recip); 989 fe_mul(y, h->Y, recip); 990 fe_tobytes(s, y); 991 s[31] ^= fe_isnegative(x) << 7; 992 } 993 #endif 994 995 static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729, 996 -8787816, -6275908, -3247719, -18696448, -12055116}; 997 998 static const fe sqrtm1 = {-32595792, -7943725, 9377950, 3500415, 12389472, 999 -272473, -25146209, -2005654, 326686, 11406482}; 1000 1001 int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) { 1002 fe u; 1003 fe v; 1004 fe v3; 1005 fe vxx; 1006 fe check; 1007 1008 fe_frombytes(h->Y, s); 1009 fe_1(h->Z); 1010 fe_sq(u, h->Y); 1011 fe_mul(v, u, d); 1012 fe_sub(u, u, h->Z); /* u = y^2-1 */ 1013 fe_add(v, v, h->Z); /* v = dy^2+1 */ 1014 1015 fe_sq(v3, v); 1016 fe_mul(v3, v3, v); /* v3 = v^3 */ 1017 fe_sq(h->X, v3); 1018 fe_mul(h->X, h->X, v); 1019 fe_mul(h->X, h->X, u); /* x = uv^7 */ 1020 1021 fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */ 1022 fe_mul(h->X, h->X, v3); 1023 fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */ 1024 1025 fe_sq(vxx, h->X); 1026 fe_mul(vxx, vxx, v); 1027 fe_sub(check, vxx, u); /* vx^2-u */ 1028 if (fe_isnonzero(check)) { 1029 fe_add(check, vxx, u); /* vx^2+u */ 1030 if (fe_isnonzero(check)) { 1031 return -1; 1032 } 1033 fe_mul(h->X, h->X, sqrtm1); 1034 } 1035 1036 if (fe_isnegative(h->X) != (s[31] >> 7)) { 1037 fe_neg(h->X, h->X); 1038 } 1039 1040 fe_mul(h->T, h->X, h->Y); 1041 return 0; 1042 } 1043 1044 static void ge_p2_0(ge_p2 *h) { 1045 fe_0(h->X); 1046 fe_1(h->Y); 1047 fe_1(h->Z); 1048 } 1049 1050 static void ge_p3_0(ge_p3 *h) { 1051 fe_0(h->X); 1052 fe_1(h->Y); 1053 fe_1(h->Z); 1054 fe_0(h->T); 1055 } 1056 1057 static void ge_cached_0(ge_cached *h) { 1058 fe_1(h->YplusX); 1059 fe_1(h->YminusX); 1060 fe_1(h->Z); 1061 fe_0(h->T2d); 1062 } 1063 1064 static void ge_precomp_0(ge_precomp *h) { 1065 fe_1(h->yplusx); 1066 fe_1(h->yminusx); 1067 fe_0(h->xy2d); 1068 } 1069 1070 /* r = p */ 1071 static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) { 1072 fe_copy(r->X, p->X); 1073 fe_copy(r->Y, p->Y); 1074 fe_copy(r->Z, p->Z); 1075 } 1076 1077 static const fe d2 = {-21827239, -5839606, -30745221, 13898782, 229458, 1078 15978800, -12551817, -6495438, 29715968, 9444199}; 1079 1080 /* r = p */ 1081 void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) { 1082 fe_add(r->YplusX, p->Y, p->X); 1083 fe_sub(r->YminusX, p->Y, p->X); 1084 fe_copy(r->Z, p->Z); 1085 fe_mul(r->T2d, p->T, d2); 1086 } 1087 1088 /* r = p */ 1089 void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) { 1090 fe_mul(r->X, p->X, p->T); 1091 fe_mul(r->Y, p->Y, p->Z); 1092 fe_mul(r->Z, p->Z, p->T); 1093 } 1094 1095 /* r = p */ 1096 void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) { 1097 fe_mul(r->X, p->X, p->T); 1098 fe_mul(r->Y, p->Y, p->Z); 1099 fe_mul(r->Z, p->Z, p->T); 1100 fe_mul(r->T, p->X, p->Y); 1101 } 1102 1103 /* r = p */ 1104 static void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) { 1105 ge_p3 t; 1106 x25519_ge_p1p1_to_p3(&t, p); 1107 x25519_ge_p3_to_cached(r, &t); 1108 } 1109 1110 /* r = 2 * p */ 1111 static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) { 1112 fe t0; 1113 1114 fe_sq(r->X, p->X); 1115 fe_sq(r->Z, p->Y); 1116 fe_sq2(r->T, p->Z); 1117 fe_add(r->Y, p->X, p->Y); 1118 fe_sq(t0, r->Y); 1119 fe_add(r->Y, r->Z, r->X); 1120 fe_sub(r->Z, r->Z, r->X); 1121 fe_sub(r->X, t0, r->Y); 1122 fe_sub(r->T, r->T, r->Z); 1123 } 1124 1125 /* r = 2 * p */ 1126 static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) { 1127 ge_p2 q; 1128 ge_p3_to_p2(&q, p); 1129 ge_p2_dbl(r, &q); 1130 } 1131 1132 /* r = p + q */ 1133 static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { 1134 fe t0; 1135 1136 fe_add(r->X, p->Y, p->X); 1137 fe_sub(r->Y, p->Y, p->X); 1138 fe_mul(r->Z, r->X, q->yplusx); 1139 fe_mul(r->Y, r->Y, q->yminusx); 1140 fe_mul(r->T, q->xy2d, p->T); 1141 fe_add(t0, p->Z, p->Z); 1142 fe_sub(r->X, r->Z, r->Y); 1143 fe_add(r->Y, r->Z, r->Y); 1144 fe_add(r->Z, t0, r->T); 1145 fe_sub(r->T, t0, r->T); 1146 } 1147 1148 #ifdef ED25519 1149 /* r = p - q */ 1150 static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { 1151 fe t0; 1152 1153 fe_add(r->X, p->Y, p->X); 1154 fe_sub(r->Y, p->Y, p->X); 1155 fe_mul(r->Z, r->X, q->yminusx); 1156 fe_mul(r->Y, r->Y, q->yplusx); 1157 fe_mul(r->T, q->xy2d, p->T); 1158 fe_add(t0, p->Z, p->Z); 1159 fe_sub(r->X, r->Z, r->Y); 1160 fe_add(r->Y, r->Z, r->Y); 1161 fe_sub(r->Z, t0, r->T); 1162 fe_add(r->T, t0, r->T); 1163 } 1164 #endif 1165 1166 /* r = p + q */ 1167 void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { 1168 fe t0; 1169 1170 fe_add(r->X, p->Y, p->X); 1171 fe_sub(r->Y, p->Y, p->X); 1172 fe_mul(r->Z, r->X, q->YplusX); 1173 fe_mul(r->Y, r->Y, q->YminusX); 1174 fe_mul(r->T, q->T2d, p->T); 1175 fe_mul(r->X, p->Z, q->Z); 1176 fe_add(t0, r->X, r->X); 1177 fe_sub(r->X, r->Z, r->Y); 1178 fe_add(r->Y, r->Z, r->Y); 1179 fe_add(r->Z, t0, r->T); 1180 fe_sub(r->T, t0, r->T); 1181 } 1182 1183 /* r = p - q */ 1184 void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { 1185 fe t0; 1186 1187 fe_add(r->X, p->Y, p->X); 1188 fe_sub(r->Y, p->Y, p->X); 1189 fe_mul(r->Z, r->X, q->YminusX); 1190 fe_mul(r->Y, r->Y, q->YplusX); 1191 fe_mul(r->T, q->T2d, p->T); 1192 fe_mul(r->X, p->Z, q->Z); 1193 fe_add(t0, r->X, r->X); 1194 fe_sub(r->X, r->Z, r->Y); 1195 fe_add(r->Y, r->Z, r->Y); 1196 fe_sub(r->Z, t0, r->T); 1197 fe_add(r->T, t0, r->T); 1198 } 1199 1200 static uint8_t equal(signed char b, signed char c) { 1201 uint8_t ub = b; 1202 uint8_t uc = c; 1203 uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */ 1204 uint32_t y = x; /* 0: yes; 1..255: no */ 1205 y -= 1; /* 4294967295: yes; 0..254: no */ 1206 y >>= 31; /* 1: yes; 0: no */ 1207 return y; 1208 } 1209 1210 static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) { 1211 fe_cmov(t->yplusx, u->yplusx, b); 1212 fe_cmov(t->yminusx, u->yminusx, b); 1213 fe_cmov(t->xy2d, u->xy2d, b); 1214 } 1215 1216 void x25519_ge_scalarmult_small_precomp( 1217 ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) { 1218 /* precomp_table is first expanded into matching |ge_precomp| 1219 * elements. */ 1220 ge_precomp multiples[15]; 1221 1222 unsigned i; 1223 for (i = 0; i < 15; i++) { 1224 const uint8_t *bytes = &precomp_table[i*(2 * 32)]; 1225 fe x, y; 1226 fe_frombytes(x, bytes); 1227 fe_frombytes(y, bytes + 32); 1228 1229 ge_precomp *out = &multiples[i]; 1230 fe_add(out->yplusx, y, x); 1231 fe_sub(out->yminusx, y, x); 1232 fe_mul(out->xy2d, x, y); 1233 fe_mul(out->xy2d, out->xy2d, d2); 1234 } 1235 1236 /* See the comment above |k25519SmallPrecomp| about the structure of the 1237 * precomputed elements. This loop does 64 additions and 64 doublings to 1238 * calculate the result. */ 1239 ge_p3_0(h); 1240 1241 for (i = 63; i < 64; i--) { 1242 unsigned j; 1243 signed char index = 0; 1244 1245 for (j = 0; j < 4; j++) { 1246 const uint8_t bit = 1 & (a[(8 * j) + (i / 8)] >> (i & 7)); 1247 index |= (bit << j); 1248 } 1249 1250 ge_precomp e; 1251 ge_precomp_0(&e); 1252 1253 for (j = 1; j < 16; j++) { 1254 cmov(&e, &multiples[j-1], equal(index, j)); 1255 } 1256 1257 ge_cached cached; 1258 ge_p1p1 r; 1259 x25519_ge_p3_to_cached(&cached, h); 1260 x25519_ge_add(&r, h, &cached); 1261 x25519_ge_p1p1_to_p3(h, &r); 1262 1263 ge_madd(&r, h, &e); 1264 x25519_ge_p1p1_to_p3(h, &r); 1265 } 1266 } 1267 1268 #if defined(OPENSSL_SMALL) 1269 1270 /* This block of code replaces the standard base-point table with a much smaller 1271 * one. The standard table is 30,720 bytes while this one is just 960. 1272 * 1273 * This table contains 15 pairs of group elements, (x, y), where each field 1274 * element is serialised with |fe_tobytes|. If |i| is the index of the group 1275 * element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀ 1276 * is the most significant bit). The value of the group element is then: 1277 * (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. */ 1278 static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = { 1279 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, 1280 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, 1281 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21, 0x58, 0x66, 0x66, 0x66, 1282 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 1283 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 1284 0x66, 0x66, 0x66, 0x66, 0x02, 0xa2, 0xed, 0xf4, 0x8f, 0x6b, 0x0b, 0x3e, 1285 0xeb, 0x35, 0x1a, 0xd5, 0x7e, 0xdb, 0x78, 0x00, 0x96, 0x8a, 0xa0, 0xb4, 1286 0xcf, 0x60, 0x4b, 0xd4, 0xd5, 0xf9, 0x2d, 0xbf, 0x88, 0xbd, 0x22, 0x62, 1287 0x13, 0x53, 0xe4, 0x82, 0x57, 0xfa, 0x1e, 0x8f, 0x06, 0x2b, 0x90, 0xba, 1288 0x08, 0xb6, 0x10, 0x54, 0x4f, 0x7c, 0x1b, 0x26, 0xed, 0xda, 0x6b, 0xdd, 1289 0x25, 0xd0, 0x4e, 0xea, 0x42, 0xbb, 0x25, 0x03, 0xa2, 0xfb, 0xcc, 0x61, 1290 0x67, 0x06, 0x70, 0x1a, 0xc4, 0x78, 0x3a, 0xff, 0x32, 0x62, 0xdd, 0x2c, 1291 0xab, 0x50, 0x19, 0x3b, 0xf2, 0x9b, 0x7d, 0xb8, 0xfd, 0x4f, 0x29, 0x9c, 1292 0xa7, 0x91, 0xba, 0x0e, 0x46, 0x5e, 0x51, 0xfe, 0x1d, 0xbf, 0xe5, 0xe5, 1293 0x9b, 0x95, 0x0d, 0x67, 0xf8, 0xd1, 0xb5, 0x5a, 0xa1, 0x93, 0x2c, 0xc3, 1294 0xde, 0x0e, 0x97, 0x85, 0x2d, 0x7f, 0xea, 0xab, 0x3e, 0x47, 0x30, 0x18, 1295 0x24, 0xe8, 0xb7, 0x60, 0xae, 0x47, 0x80, 0xfc, 0xe5, 0x23, 0xe7, 0xc2, 1296 0xc9, 0x85, 0xe6, 0x98, 0xa0, 0x29, 0x4e, 0xe1, 0x84, 0x39, 0x2d, 0x95, 1297 0x2c, 0xf3, 0x45, 0x3c, 0xff, 0xaf, 0x27, 0x4c, 0x6b, 0xa6, 0xf5, 0x4b, 1298 0x11, 0xbd, 0xba, 0x5b, 0x9e, 0xc4, 0xa4, 0x51, 0x1e, 0xbe, 0xd0, 0x90, 1299 0x3a, 0x9c, 0xc2, 0x26, 0xb6, 0x1e, 0xf1, 0x95, 0x7d, 0xc8, 0x6d, 0x52, 1300 0xe6, 0x99, 0x2c, 0x5f, 0x9a, 0x96, 0x0c, 0x68, 0x29, 0xfd, 0xe2, 0xfb, 1301 0xe6, 0xbc, 0xec, 0x31, 0x08, 0xec, 0xe6, 0xb0, 0x53, 0x60, 0xc3, 0x8c, 1302 0xbe, 0xc1, 0xb3, 0x8a, 0x8f, 0xe4, 0x88, 0x2b, 0x55, 0xe5, 0x64, 0x6e, 1303 0x9b, 0xd0, 0xaf, 0x7b, 0x64, 0x2a, 0x35, 0x25, 0x10, 0x52, 0xc5, 0x9e, 1304 0x58, 0x11, 0x39, 0x36, 0x45, 0x51, 0xb8, 0x39, 0x93, 0xfc, 0x9d, 0x6a, 1305 0xbe, 0x58, 0xcb, 0xa4, 0x0f, 0x51, 0x3c, 0x38, 0x05, 0xca, 0xab, 0x43, 1306 0x63, 0x0e, 0xf3, 0x8b, 0x41, 0xa6, 0xf8, 0x9b, 0x53, 0x70, 0x80, 0x53, 1307 0x86, 0x5e, 0x8f, 0xe3, 0xc3, 0x0d, 0x18, 0xc8, 0x4b, 0x34, 0x1f, 0xd8, 1308 0x1d, 0xbc, 0xf2, 0x6d, 0x34, 0x3a, 0xbe, 0xdf, 0xd9, 0xf6, 0xf3, 0x89, 1309 0xa1, 0xe1, 0x94, 0x9f, 0x5d, 0x4c, 0x5d, 0xe9, 0xa1, 0x49, 0x92, 0xef, 1310 0x0e, 0x53, 0x81, 0x89, 0x58, 0x87, 0xa6, 0x37, 0xf1, 0xdd, 0x62, 0x60, 1311 0x63, 0x5a, 0x9d, 0x1b, 0x8c, 0xc6, 0x7d, 0x52, 0xea, 0x70, 0x09, 0x6a, 1312 0xe1, 0x32, 0xf3, 0x73, 0x21, 0x1f, 0x07, 0x7b, 0x7c, 0x9b, 0x49, 0xd8, 1313 0xc0, 0xf3, 0x25, 0x72, 0x6f, 0x9d, 0xed, 0x31, 0x67, 0x36, 0x36, 0x54, 1314 0x40, 0x92, 0x71, 0xe6, 0x11, 0x28, 0x11, 0xad, 0x93, 0x32, 0x85, 0x7b, 1315 0x3e, 0xb7, 0x3b, 0x49, 0x13, 0x1c, 0x07, 0xb0, 0x2e, 0x93, 0xaa, 0xfd, 1316 0xfd, 0x28, 0x47, 0x3d, 0x8d, 0xd2, 0xda, 0xc7, 0x44, 0xd6, 0x7a, 0xdb, 1317 0x26, 0x7d, 0x1d, 0xb8, 0xe1, 0xde, 0x9d, 0x7a, 0x7d, 0x17, 0x7e, 0x1c, 1318 0x37, 0x04, 0x8d, 0x2d, 0x7c, 0x5e, 0x18, 0x38, 0x1e, 0xaf, 0xc7, 0x1b, 1319 0x33, 0x48, 0x31, 0x00, 0x59, 0xf6, 0xf2, 0xca, 0x0f, 0x27, 0x1b, 0x63, 1320 0x12, 0x7e, 0x02, 0x1d, 0x49, 0xc0, 0x5d, 0x79, 0x87, 0xef, 0x5e, 0x7a, 1321 0x2f, 0x1f, 0x66, 0x55, 0xd8, 0x09, 0xd9, 0x61, 0x38, 0x68, 0xb0, 0x07, 1322 0xa3, 0xfc, 0xcc, 0x85, 0x10, 0x7f, 0x4c, 0x65, 0x65, 0xb3, 0xfa, 0xfa, 1323 0xa5, 0x53, 0x6f, 0xdb, 0x74, 0x4c, 0x56, 0x46, 0x03, 0xe2, 0xd5, 0x7a, 1324 0x29, 0x1c, 0xc6, 0x02, 0xbc, 0x59, 0xf2, 0x04, 0x75, 0x63, 0xc0, 0x84, 1325 0x2f, 0x60, 0x1c, 0x67, 0x76, 0xfd, 0x63, 0x86, 0xf3, 0xfa, 0xbf, 0xdc, 1326 0xd2, 0x2d, 0x90, 0x91, 0xbd, 0x33, 0xa9, 0xe5, 0x66, 0x0c, 0xda, 0x42, 1327 0x27, 0xca, 0xf4, 0x66, 0xc2, 0xec, 0x92, 0x14, 0x57, 0x06, 0x63, 0xd0, 1328 0x4d, 0x15, 0x06, 0xeb, 0x69, 0x58, 0x4f, 0x77, 0xc5, 0x8b, 0xc7, 0xf0, 1329 0x8e, 0xed, 0x64, 0xa0, 0xb3, 0x3c, 0x66, 0x71, 0xc6, 0x2d, 0xda, 0x0a, 1330 0x0d, 0xfe, 0x70, 0x27, 0x64, 0xf8, 0x27, 0xfa, 0xf6, 0x5f, 0x30, 0xa5, 1331 0x0d, 0x6c, 0xda, 0xf2, 0x62, 0x5e, 0x78, 0x47, 0xd3, 0x66, 0x00, 0x1c, 1332 0xfd, 0x56, 0x1f, 0x5d, 0x3f, 0x6f, 0xf4, 0x4c, 0xd8, 0xfd, 0x0e, 0x27, 1333 0xc9, 0x5c, 0x2b, 0xbc, 0xc0, 0xa4, 0xe7, 0x23, 0x29, 0x02, 0x9f, 0x31, 1334 0xd6, 0xe9, 0xd7, 0x96, 0xf4, 0xe0, 0x5e, 0x0b, 0x0e, 0x13, 0xee, 0x3c, 1335 0x09, 0xed, 0xf2, 0x3d, 0x76, 0x91, 0xc3, 0xa4, 0x97, 0xae, 0xd4, 0x87, 1336 0xd0, 0x5d, 0xf6, 0x18, 0x47, 0x1f, 0x1d, 0x67, 0xf2, 0xcf, 0x63, 0xa0, 1337 0x91, 0x27, 0xf8, 0x93, 0x45, 0x75, 0x23, 0x3f, 0xd1, 0xf1, 0xad, 0x23, 1338 0xdd, 0x64, 0x93, 0x96, 0x41, 0x70, 0x7f, 0xf7, 0xf5, 0xa9, 0x89, 0xa2, 1339 0x34, 0xb0, 0x8d, 0x1b, 0xae, 0x19, 0x15, 0x49, 0x58, 0x23, 0x6d, 0x87, 1340 0x15, 0x4f, 0x81, 0x76, 0xfb, 0x23, 0xb5, 0xea, 0xcf, 0xac, 0x54, 0x8d, 1341 0x4e, 0x42, 0x2f, 0xeb, 0x0f, 0x63, 0xdb, 0x68, 0x37, 0xa8, 0xcf, 0x8b, 1342 0xab, 0xf5, 0xa4, 0x6e, 0x96, 0x2a, 0xb2, 0xd6, 0xbe, 0x9e, 0xbd, 0x0d, 1343 0xb4, 0x42, 0xa9, 0xcf, 0x01, 0x83, 0x8a, 0x17, 0x47, 0x76, 0xc4, 0xc6, 1344 0x83, 0x04, 0x95, 0x0b, 0xfc, 0x11, 0xc9, 0x62, 0xb8, 0x0c, 0x76, 0x84, 1345 0xd9, 0xb9, 0x37, 0xfa, 0xfc, 0x7c, 0xc2, 0x6d, 0x58, 0x3e, 0xb3, 0x04, 1346 0xbb, 0x8c, 0x8f, 0x48, 0xbc, 0x91, 0x27, 0xcc, 0xf9, 0xb7, 0x22, 0x19, 1347 0x83, 0x2e, 0x09, 0xb5, 0x72, 0xd9, 0x54, 0x1c, 0x4d, 0xa1, 0xea, 0x0b, 1348 0xf1, 0xc6, 0x08, 0x72, 0x46, 0x87, 0x7a, 0x6e, 0x80, 0x56, 0x0a, 0x8a, 1349 0xc0, 0xdd, 0x11, 0x6b, 0xd6, 0xdd, 0x47, 0xdf, 0x10, 0xd9, 0xd8, 0xea, 1350 0x7c, 0xb0, 0x8f, 0x03, 0x00, 0x2e, 0xc1, 0x8f, 0x44, 0xa8, 0xd3, 0x30, 1351 0x06, 0x89, 0xa2, 0xf9, 0x34, 0xad, 0xdc, 0x03, 0x85, 0xed, 0x51, 0xa7, 1352 0x82, 0x9c, 0xe7, 0x5d, 0x52, 0x93, 0x0c, 0x32, 0x9a, 0x5b, 0xe1, 0xaa, 1353 0xca, 0xb8, 0x02, 0x6d, 0x3a, 0xd4, 0xb1, 0x3a, 0xf0, 0x5f, 0xbe, 0xb5, 1354 0x0d, 0x10, 0x6b, 0x38, 0x32, 0xac, 0x76, 0x80, 0xbd, 0xca, 0x94, 0x71, 1355 0x7a, 0xf2, 0xc9, 0x35, 0x2a, 0xde, 0x9f, 0x42, 0x49, 0x18, 0x01, 0xab, 1356 0xbc, 0xef, 0x7c, 0x64, 0x3f, 0x58, 0x3d, 0x92, 0x59, 0xdb, 0x13, 0xdb, 1357 0x58, 0x6e, 0x0a, 0xe0, 0xb7, 0x91, 0x4a, 0x08, 0x20, 0xd6, 0x2e, 0x3c, 1358 0x45, 0xc9, 0x8b, 0x17, 0x79, 0xe7, 0xc7, 0x90, 0x99, 0x3a, 0x18, 0x25, 1359 }; 1360 1361 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) { 1362 x25519_ge_scalarmult_small_precomp(h, a, k25519SmallPrecomp); 1363 } 1364 1365 #else 1366 1367 /* k25519Precomp[i][j] = (j+1)*256^i*B */ 1368 static const ge_precomp k25519Precomp[32][8] = { 1369 { 1370 { 1371 {25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 1372 27544626, -11754271, -6079156, 2047605}, 1373 {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 1374 5043384, 19500929, -15469378}, 1375 {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 1376 29287919, 11864899, -24514362, -4438546}, 1377 }, 1378 { 1379 {-12815894, -12976347, -21581243, 11784320, -25355658, -2750717, 1380 -11717903, -3814571, -358445, -10211303}, 1381 {-21703237, 6903825, 27185491, 6451973, -29577724, -9554005, 1382 -15616551, 11189268, -26829678, -5319081}, 1383 {26966642, 11152617, 32442495, 15396054, 14353839, -12752335, 1384 -3128826, -9541118, -15472047, -4166697}, 1385 }, 1386 { 1387 {15636291, -9688557, 24204773, -7912398, 616977, -16685262, 1388 27787600, -14772189, 28944400, -1550024}, 1389 {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 1390 16354577, -11775962, 7689662, 11199574}, 1391 {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 1392 7512774, 10017326, -17749093, -9920357}, 1393 }, 1394 { 1395 {-17036878, 13921892, 10945806, -6033431, 27105052, -16084379, 1396 -28926210, 15006023, 3284568, -6276540}, 1397 {23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 1398 7464579, 9656445, 13059162, 10374397}, 1399 {7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, 1400 -3839045, -641708, -101325}, 1401 }, 1402 { 1403 {10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 1404 32867885, 14515107, -15438304, 10819380}, 1405 {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 1406 12483688, -12668491, 5581306}, 1407 {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 1408 28542350, 13850243, -23678021, -15815942}, 1409 }, 1410 { 1411 {-15371964, -12862754, 32573250, 4720197, -26436522, 5875511, 1412 -19188627, -15224819, -9818940, -12085777}, 1413 {-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, 1414 -15689887, 1762328, 14866737}, 1415 {-18199695, -15951423, -10473290, 1707278, -17185920, 3916101, 1416 -28236412, 3959421, 27914454, 4383652}, 1417 }, 1418 { 1419 {5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 1420 5230134, -23952439, -15175766}, 1421 {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 1422 20654025, 16520125, 30598449, 7715701}, 1423 {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, 1424 -31400660, 1370708, 29794553, -1409300}, 1425 }, 1426 { 1427 {14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 1428 30290735, 10876454, -33154098, 2381726}, 1429 {-7195431, -2655363, -14730155, 462251, -27724326, 3941372, 1430 -6236617, 3696005, -32300832, 15351955}, 1431 {27431194, 8222322, 16448760, -3907995, -18707002, 11938355, 1432 -32961401, -2970515, 29551813, 10109425}, 1433 }, 1434 }, 1435 { 1436 { 1437 {-13657040, -13155431, -31283750, 11777098, 21447386, 6519384, 1438 -2378284, -1627556, 10092783, -4764171}, 1439 {27939166, 14210322, 4677035, 16277044, -22964462, -12398139, 1440 -32508754, 12005538, -17810127, 12803510}, 1441 {17228999, -15661624, -1233527, 300140, -1224870, -11714777, 1442 30364213, -9038194, 18016357, 4397660}, 1443 }, 1444 { 1445 {-10958843, -7690207, 4776341, -14954238, 27850028, -15602212, 1446 -26619106, 14544525, -17477504, 982639}, 1447 {29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, 1448 -4120128, -21047696, 9934963}, 1449 {5793303, 16271923, -24131614, -10116404, 29188560, 1206517, 1450 -14747930, 4559895, -30123922, -10897950}, 1451 }, 1452 { 1453 {-27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 1454 24191034, 4541697, -13338309, 5500568}, 1455 {12650548, -1497113, 9052871, 11355358, -17680037, -8400164, 1456 -17430592, 12264343, 10874051, 13524335}, 1457 {25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 1458 5080568, -22528059, 5376628}, 1459 }, 1460 { 1461 {-26088264, -4011052, -17013699, -3537628, -6726793, 1920897, 1462 -22321305, -9447443, 4535768, 1569007}, 1463 {-2255422, 14606630, -21692440, -8039818, 28430649, 8775819, 1464 -30494562, 3044290, 31848280, 12543772}, 1465 {-22028579, 2943893, -31857513, 6777306, 13784462, -4292203, 1466 -27377195, -2062731, 7718482, 14474653}, 1467 }, 1468 { 1469 {2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, 1470 -7236665, 24316168, -5253567}, 1471 {13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 1472 33040651, -13424532, -20729456, 8321686}, 1473 {21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 1474 23845965, -11874838, -9984458, 608372}, 1475 }, 1476 { 1477 {-13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1478 1123968, -6780577, 27229399, 23887}, 1479 {-23244140, -294205, -11744728, 14712571, -29465699, -2029617, 1480 12797024, -6440308, -1633405, 16678954}, 1481 {-29500620, 4770662, -16054387, 14001338, 7830047, 9564805, 1482 -1508144, -4795045, -17169265, 4904953}, 1483 }, 1484 { 1485 {24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 1486 5169211, 16191880, 2128236, -4326833}, 1487 {-16981152, 4124966, -8540610, -10653797, 30336522, -14105247, 1488 -29806336, 916033, -6882542, -2986532}, 1489 {-22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 1490 285431, 2763829, 15736322, 4143876}, 1491 }, 1492 { 1493 {2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, 1494 -14594663, 23527084, -16458268}, 1495 {33431127, -11130478, -17838966, -15626900, 8909499, 8376530, 1496 -32625340, 4087881, -15188911, -14416214}, 1497 {1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 1498 4357868, -4774191, -16323038}, 1499 }, 1500 }, 1501 { 1502 { 1503 {6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 1504 23365147, -3949732, 7390890, 2759800}, 1505 {4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, 1506 -4264057, 1244380, -12919645}, 1507 {-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 1508 9208236, 15886429, 16489664}, 1509 }, 1510 { 1511 {1996075, 10375649, 14346367, 13311202, -6874135, -16438411, 1512 -13693198, 398369, -30606455, -712933}, 1513 {-25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 1514 13348553, 12076947, -30836462, 5113182}, 1515 {-17770784, 11797796, 31950843, 13929123, -25888302, 12288344, 1516 -30341101, -7336386, 13847711, 5387222}, 1517 }, 1518 { 1519 {-18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 1520 8763061, 3617786, -19600662, 10370991}, 1521 {20246567, -14369378, 22358229, -543712, 18507283, -10413996, 1522 14554437, -8746092, 32232924, 16763880}, 1523 {9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 1524 11094161, 15689506, 3140038, -16510092}, 1525 }, 1526 { 1527 {-16160072, 5472695, 31895588, 4744994, 8823515, 10365685, 1528 -27224800, 9448613, -28774454, 366295}, 1529 {19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 1530 28344573, 8041113, 719605, 11671788}, 1531 {8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, 1532 -15266516, 27000813, -10195553}, 1533 }, 1534 { 1535 {-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 1536 5336097, 6750977, -14521026}, 1537 {11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1538 1695823, -8819122, 8169720, 16220347}, 1539 {-18115838, 8653647, 17578566, -6092619, -8025777, -16012763, 1540 -11144307, -2627664, -5990708, -14166033}, 1541 }, 1542 { 1543 {-23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 1544 27884329, 2847284, 2655861, 1738395}, 1545 {-27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 1546 21651608, -3239336, -19087449, -11005278}, 1547 {1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 1548 5821408, 10478196, 8544890}, 1549 }, 1550 { 1551 {32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 1552 19270449, 12217473, 17789017, -3395995}, 1553 {-30552961, -2228401, -15578829, -10147201, 13243889, 517024, 1554 15479401, -3853233, 30460520, 1052596}, 1555 {-11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 1556 27491595, -4612359, 3179268, -9478891}, 1557 }, 1558 { 1559 {31947069, -14366651, -4640583, -15339921, -15125977, -6039709, 1560 -14756777, -16411740, 19072640, -9511060}, 1561 {11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 1562 5977896, -5215017, 473099, 5040608}, 1563 {-20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 1564 28326862, 1721092, -19558642, -3131606}, 1565 }, 1566 }, 1567 { 1568 { 1569 {7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 1570 8076149, -27868496, 11538389}, 1571 {-19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 1572 8754525, 7446702, -5676054, 5797016}, 1573 {-11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 1574 2014099, -9050574, -2369172, -5877341}, 1575 }, 1576 { 1577 {-22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1578 1192730, -3714199, 15123619, 10811505}, 1579 {14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 1580 15776356, -28886779, -11974553}, 1581 {-28241164, -8072475, -4978962, -5315317, 29416931, 1847569, 1582 -20654173, -16484855, 4714547, -9600655}, 1583 }, 1584 { 1585 {15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 1586 24611599, -4543832, -11745876, 12340220}, 1587 {12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 1588 9613953, 8241152, 15370987, 9608631}, 1589 {-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 1590 15866074, -28210621, -8814099}, 1591 }, 1592 { 1593 {26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 1594 858697, 20571223, 8420556}, 1595 {14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 1596 33531827, 12516406, -21574435, -12476749}, 1597 {236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 1598 7256740, 8791136, 15069930}, 1599 }, 1600 { 1601 {1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 1602 14711875, 4874229, -30663140, -2331391}, 1603 {5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, 1604 -7912378, -33069337, 9234253}, 1605 {20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 1606 31559055, -11609587, 18979186, 13396066}, 1607 }, 1608 { 1609 {24474287, 4968103, 22267082, 4407354, 24063882, -8325180, 1610 -18816887, 13594782, 33514650, 7021958}, 1611 {-11566906, -6565505, -21365085, 15928892, -26158305, 4315421, 1612 -25948728, -3916677, -21480480, 12868082}, 1613 {-28635013, 13504661, 19988037, -2132761, 21078225, 6443208, 1614 -21446107, 2244500, -12455797, -8089383}, 1615 }, 1616 { 1617 {-30595528, 13793479, -5852820, 319136, -25723172, -6263899, 1618 33086546, 8957937, -15233648, 5540521}, 1619 {-11630176, -11503902, -8119500, -7643073, 2620056, 1022908, 1620 -23710744, -1568984, -16128528, -14962807}, 1621 {23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 1622 892185, -11513277, -15205948}, 1623 }, 1624 { 1625 {9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 1626 4763127, -19179614, 5867134}, 1627 {-32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 1628 27846559, 5931263, -29749703, -16108455}, 1629 {27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 1630 7283490, -15148073, -19526700, 7734629}, 1631 }, 1632 }, 1633 { 1634 { 1635 {-8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 1636 7585295, -3176626, 18549497, 15302069}, 1637 {-32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 1638 10458790, -6418461, -8872242, 8424746}, 1639 {24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 1640 19206234, 7134917, -11284482, -828919}, 1641 }, 1642 { 1643 {11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 1644 10243738, -14685461, -5066034, 16498837}, 1645 {8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, 1646 -14124238, 6536641, 10543906}, 1647 {-28946384, 15479763, -17466835, 568876, -1497683, 11223454, 1648 -2669190, -16625574, -27235709, 8876771}, 1649 }, 1650 { 1651 {-25742899, -12566864, -15649966, -846607, -33026686, -796288, 1652 -33481822, 15824474, -604426, -9039817}, 1653 {10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, 1654 -4890037, 1657394, 3084098}, 1655 {10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 1656 31280319, 14396151, -30233575, 15272409}, 1657 }, 1658 { 1659 {-12288309, 3169463, 28813183, 16658753, 25116432, -5630466, 1660 -25173957, -12636138, -25014757, 1950504}, 1661 {-26180358, 9489187, 11053416, -14746161, -31053720, 5825630, 1662 -8384306, -8767532, 15341279, 8373727}, 1663 {28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 1664 298136, -10232602, -2878207, 15190420}, 1665 }, 1666 { 1667 {-32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 1668 8669718, 2742393, -26033313, -6875003}, 1669 {-1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 1670 9291594, -16247779, -12154742, 6048605}, 1671 {-30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 1672 13934231, 5128323, 11213262, 9168384}, 1673 }, 1674 { 1675 {-26280513, 11007847, 19408960, -940758, -18592965, -4328580, 1676 -5088060, -11105150, 20470157, -16398701}, 1677 {-23136053, 9282192, 14855179, -15390078, -7362815, -14408560, 1678 -22783952, 14461608, 14042978, 5230683}, 1679 {29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 1680 21556951, 3506042, -5933891, -12449708}, 1681 }, 1682 { 1683 {-3144746, 8744661, 19704003, 4581278, -20430686, 6830683, 1684 -21284170, 8971513, -28539189, 15326563}, 1685 {-19464629, 10110288, -17262528, -3503892, -23500387, 1355669, 1686 -15523050, 15300988, -20514118, 9168260}, 1687 {-5353335, 4488613, -23803248, 16314347, 7780487, -15638939, 1688 -28948358, 9601605, 33087103, -9011387}, 1689 }, 1690 { 1691 {-19443170, -15512900, -20797467, -12445323, -29824447, 10229461, 1692 -27444329, -15000531, -5996870, 15664672}, 1693 {23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 1694 13099750, -2460356, 18151676, 13417686}, 1695 {-24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1696 1661597, -12551441, 15271676, -15452665}, 1697 }, 1698 }, 1699 { 1700 { 1701 {11433042, -13228665, 8239631, -5279517, -1985436, -725718, 1702 -18698764, 2167544, -6921301, -13440182}, 1703 {-31436171, 15575146, 30436815, 12192228, -22463353, 9395379, 1704 -9917708, -8638997, 12215110, 12028277}, 1705 {14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 1706 30123440, 4617780, -16900089, -655628}, 1707 }, 1708 { 1709 {-4026201, -15240835, 11893168, 13718664, -14809462, 1847385, 1710 -15819999, 10154009, 23973261, -12684474}, 1711 {-26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 1712 18341390, -11419951, 32013174, -10103539}, 1713 {-25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 1714 21911214, 6354752, 4425632, -837822}, 1715 }, 1716 { 1717 {-10433389, -14612966, 22229858, -3091047, -13191166, 776729, 1718 -17415375, -12020462, 4725005, 14044970}, 1719 {19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, 1720 -1411784, -19522291, -16109756}, 1721 {-24864089, 12986008, -10898878, -5558584, -11312371, -148526, 1722 19541418, 8180106, 9282262, 10282508}, 1723 }, 1724 { 1725 {-26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 1726 15522535, 8372215, 5542595, -10702683}, 1727 {-10562541, 14895633, 26814552, -16673850, -17480754, -2489360, 1728 -2781891, 6993761, -18093885, 10114655}, 1729 {-20107055, -929418, 31422704, 10427861, -7110749, 6150669, 1730 -29091755, -11529146, 25953725, -106158}, 1731 }, 1732 { 1733 {-4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 1734 19390020, 6094296, -3315279, 12831125}, 1735 {-15998678, 7578152, 5310217, 14408357, -33548620, -224739, 1736 31575954, 6326196, 7381791, -2421839}, 1737 {-20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 1738 6295303, 8082724, -15362489, 12339664}, 1739 }, 1740 { 1741 {27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 1742 15768922, 25091167, 14856294}, 1743 {-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, 1744 -12695493, -22182473, -9012899}, 1745 {-11423429, -5421590, 11632845, 3405020, 30536730, -11674039, 1746 -27260765, 13866390, 30146206, 9142070}, 1747 }, 1748 { 1749 {3924129, -15307516, -13817122, -10054960, 12291820, -668366, 1750 -27702774, 9326384, -8237858, 4171294}, 1751 {-15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 1752 26396185, 3731949, 345228, -5462949}, 1753 {-21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 1754 2031539, -12391231, -16253183, -13582083}, 1755 }, 1756 { 1757 {31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 1758 17477601, 3842657, 28012650, -16405420}, 1759 {-5075835, 9368966, -8562079, -4600902, -15249953, 6970560, 1760 -9189873, 16292057, -8867157, 3507940}, 1761 {29439664, 3537914, 23333589, 6997794, -17555561, -11018068, 1762 -15209202, -15051267, -9164929, 6580396}, 1763 }, 1764 }, 1765 { 1766 { 1767 {-12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 1768 17860444, -9273846, -2095802, 9304567}, 1769 {20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 1770 14792667, -14608617, 5289421, -477127}, 1771 {-16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 1772 17271490, 12349094, 26939669, -3752294}, 1773 }, 1774 { 1775 {-12889898, 9373458, 31595848, 16374215, 21471720, 13221525, 1776 -27283495, -12348559, -3698806, 117887}, 1777 {22263325, -6560050, 3984570, -11174646, -15114008, -566785, 1778 28311253, 5358056, -23319780, 541964}, 1779 {16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 1780 24134070, -16705829, -13337066, -13552195}, 1781 }, 1782 { 1783 {9378160, -13140186, -22845982, -12745264, 28198281, -7244098, 1784 -2399684, -717351, 690426, 14876244}, 1785 {24977353, -314384, -8223969, -13465086, 28432343, -1176353, 1786 -13068804, -12297348, -22380984, 6618999}, 1787 {-1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 1788 8044829, -13817328, 32239829, -5652762}, 1789 }, 1790 { 1791 {-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, 1792 -10350059, 32779359, 5095274}, 1793 {-33008130, -5214506, -32264887, -3685216, 9460461, -9327423, 1794 -24601656, 14506724, 21639561, -2630236}, 1795 {-16400943, -13112215, 25239338, 15531969, 3987758, -4499318, 1796 -1289502, -6863535, 17874574, 558605}, 1797 }, 1798 { 1799 {-13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 1800 33499487, 5080151, 2085892, 5119761}, 1801 {-22205145, -2519528, -16381601, 414691, -25019550, 2170430, 1802 30634760, -8363614, -31999993, -5759884}, 1803 {-6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 1804 27534430, -7192145, -22351378, 12961482}, 1805 }, 1806 { 1807 {-24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 1808 16533930, 8206996, -30194652, -5159638}, 1809 {-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 1810 7031275, 7589640, 8945490}, 1811 {-32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 1812 7251489, -11182180, 24099109, -14456170}, 1813 }, 1814 { 1815 {5019558, -7907470, 4244127, -14714356, -26933272, 6453165, 1816 -19118182, -13289025, -6231896, -10280736}, 1817 {10853594, 10721687, 26480089, 5861829, -22995819, 1972175, 1818 -1866647, -10557898, -3363451, -6441124}, 1819 {-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, 1820 -2008168, -13866408, 7421392}, 1821 }, 1822 { 1823 {8139927, -6546497, 32257646, -5890546, 30375719, 1886181, 1824 -21175108, 15441252, 28826358, -4123029}, 1825 {6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 1826 14795160, -7840124, 13746021, -1742048}, 1827 {28584902, 7787108, -6732942, -15050729, 22846041, -7571236, 1828 -3181936, -363524, 4771362, -8419958}, 1829 }, 1830 }, 1831 { 1832 { 1833 {24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 1834 33543569, -12141695, 3569627, 11342593}, 1835 {26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 1836 4608608, 7325975, -14801071}, 1837 {-11618399, -14554430, -24321212, 7655128, -1369274, 5214312, 1838 -27400540, 10258390, -17646694, -8186692}, 1839 }, 1840 { 1841 {11431204, 15823007, 26570245, 14329124, 18029990, 4796082, 1842 -31446179, 15580664, 9280358, -3973687}, 1843 {-160783, -10326257, -22855316, -4304997, -20861367, -13621002, 1844 -32810901, -11181622, -15545091, 4387441}, 1845 {-20799378, 12194512, 3937617, -5805892, -27154820, 9340370, 1846 -24513992, 8548137, 20617071, -7482001}, 1847 }, 1848 { 1849 {-938825, -3930586, -8714311, 16124718, 24603125, -6225393, 1850 -13775352, -11875822, 24345683, 10325460}, 1851 {-19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 1852 16318175, -1010689, 4766743, 3552007}, 1853 {-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 1854 14481909, 10988822, -3994762}, 1855 }, 1856 { 1857 {15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 1858 12677127, -6505343, -8295852, 13296005}, 1859 {-9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 1860 31521204, 9614054, -30000824, 12074674}, 1861 {4771191, -135239, 14290749, -13089852, 27992298, 14998318, 1862 -1413936, -1556716, 29832613, -16391035}, 1863 }, 1864 { 1865 {7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 1866 25825242, 5293297, -27122660, 13101590}, 1867 {-2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 1868 32512469, -5317593, -30356070, -4190957}, 1869 {-30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 1870 14413974, 9515896, 19568978, 9628812}, 1871 }, 1872 { 1873 {33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, 1874 -6106839, -6291786, 3437740}, 1875 {-18978877, 3884493, 19469877, 12726490, 15913552, 13614290, 1876 -22961733, 70104, 7463304, 4176122}, 1877 {-27124001, 10659917, 11482427, -16070381, 12771467, -6635117, 1878 -32719404, -5322751, 24216882, 5944158}, 1879 }, 1880 { 1881 {8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 1882 19345746, 14680796, 11632993, 5847885}, 1883 {26942781, -2315317, 9129564, -4906607, 26024105, 11769399, 1884 -11518837, 6367194, -9727230, 4782140}, 1885 {19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 1886 33253853, 8220911, 6358847, -1873857}, 1887 }, 1888 { 1889 {801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, 1890 -4480480, -13538503, 1387155}, 1891 {19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 1892 14147075, 15156355, -21866831, 11835260}, 1893 {19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 1894 15467869, -26560550, 5052483}, 1895 }, 1896 }, 1897 { 1898 { 1899 {-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, 1900 -12618185, 12228557, -7003677}, 1901 {32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 1902 4001465, 13238564, -6114803, 8653815}, 1903 {22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 1904 24808405, 5719875, 28483275, 2841751}, 1905 }, 1906 { 1907 {-16420968, -1113305, -327719, -12107856, 21886282, -15552774, 1908 -1887966, -315658, 19932058, -12739203}, 1909 {-11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 1910 3999228, 13239134, -4777469, -13910208}, 1911 {1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 1912 20403944, 11284705, -14013818, 3093230}, 1913 }, 1914 { 1915 {16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 1916 16271225, -24049421, -6691850}, 1917 {-21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 1918 24123614, 15193618, -21652117, -16739389}, 1919 {-9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 1920 31870908, 14690798, 17361620, 11864968}, 1921 }, 1922 { 1923 {-11307610, 6210372, 13206574, 5806320, -29017692, -13967200, 1924 -12331205, -7486601, -25578460, -16240689}, 1925 {14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 1926 10453892, 6577524, 9145645, -6443880}, 1927 {5974874, 3053895, -9433049, -10385191, -31865124, 3225009, 1928 -7972642, 3936128, -5652273, -3050304}, 1929 }, 1930 { 1931 {30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 1932 17097188, -16303496, -27999779, 1803632}, 1933 {-3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 1934 14911344, 12196514, -21405489, 7047412}, 1935 {20093277, 9920966, -11138194, -5343857, 13161587, 12044805, 1936 -32856851, 4124601, -32343828, -10257566}, 1937 }, 1938 { 1939 {-20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 1940 4752377, -8714640, -21679658, 2288038}, 1941 {-26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 1942 29457502, 14625692, -24819617, 12570232}, 1943 {-1063558, -11551823, 16920318, 12494842, 1278292, -5869109, 1944 -21159943, -3498680, -11974704, 4724943}, 1945 }, 1946 { 1947 {17960970, -11775534, -4140968, -9702530, -8876562, -1410617, 1948 -12907383, -8659932, -29576300, 1903856}, 1949 {23134274, -14279132, -10681997, -1611936, 20684485, 15770816, 1950 -12989750, 3190296, 26955097, 14109738}, 1951 {15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 1952 29425325, -11277562, 31960942, 11934971}, 1953 }, 1954 { 1955 {-27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 1956 20638173, 4875028, 10491392, 1379718}, 1957 {-13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 1958 33518459, 16176658, 21432314, 12180697}, 1959 {-11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1960 1465425, 12689540, -10301319, -13872883}, 1961 }, 1962 }, 1963 { 1964 { 1965 {5414091, -15386041, -21007664, 9643570, 12834970, 1186149, 1966 -2622916, -1342231, 26128231, 6032912}, 1967 {-26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 1968 3604025, 8316894, -25875034, -10437358}, 1969 {3296484, 6223048, 24680646, -12246460, -23052020, 5903205, 1970 -8862297, -4639164, 12376617, 3188849}, 1971 }, 1972 { 1973 {29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 1974 32049515, -7309113, -16109234, -9852307}, 1975 {-14744486, -9309156, 735818, -598978, -20407687, -5057904, 1976 25246078, -15795669, 18640741, -960977}, 1977 {-6928835, -16430795, 10361374, 5642961, 4910474, 12345252, 1978 -31638386, -494430, 10530747, 1053335}, 1979 }, 1980 { 1981 {-29265967, -14186805, -13538216, -12117373, -19457059, -10655384, 1982 -31462369, -2948985, 24018831, 15026644}, 1983 {-22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 1984 25310643, 13003497, -2314791, -15145616}, 1985 {-27419985, -603321, -8043984, -1669117, -26092265, 13987819, 1986 -27297622, 187899, -23166419, -2531735}, 1987 }, 1988 { 1989 {-21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 1990 9716667, 16266922, -5070217, 726099}, 1991 {29370922, -6053998, 7334071, -15342259, 9385287, 2247707, 1992 -13661962, -4839461, 30007388, -15823341}, 1993 {-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 1994 730663, 9835848, 4555336}, 1995 }, 1996 { 1997 {-23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 1998 17693930, 544696, -11985298, 12422646}, 1999 {31117226, -12215734, -13502838, 6561947, -9876867, -12757670, 2000 -5118685, -4096706, 29120153, 13924425}, 2001 {-17400879, -14233209, 19675799, -2734756, -11006962, -5858820, 2002 -9383939, -11317700, 7240931, -237388}, 2003 }, 2004 { 2005 {-31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 2006 1222336, 4389483, 3293637, -15551743}, 2007 {-16684801, -14444245, 11038544, 11054958, -13801175, -3338533, 2008 -24319580, 7733547, 12796905, -6335822}, 2009 {-8759414, -10817836, -25418864, 10783769, -30615557, -9746811, 2010 -28253339, 3647836, 3222231, -11160462}, 2011 }, 2012 { 2013 {18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 2014 23603893, -2048234, -7550776, 2484985}, 2015 {9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 2016 16377220, -2102812, -19802075, -3034702}, 2017 {-22729289, 7496160, -5742199, 11329249, 19991973, -3347502, 2018 -31718148, 9936966, -30097688, -10618797}, 2019 }, 2020 { 2021 {21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 2022 19708896, 5415497, -7360503, -4109293}, 2023 {27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 2024 10436918, -1550276, -23659143, -8132100}, 2025 {19492550, -12104365, -29681976, -852630, -3208171, 12403437, 2026 30066266, 8367329, 13243957, 8709688}, 2027 }, 2028 }, 2029 { 2030 { 2031 {12015105, 2801261, 28198131, 10151021, 24818120, -4743133, 2032 -11194191, -5645734, 5150968, 7274186}, 2033 {2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 2034 31097299, 6083058, 31021603, -9793610}, 2035 {-2529932, -2229646, 445613, 10720828, -13849527, -11505937, 2036 -23507731, 16354465, 15067285, -14147707}, 2037 }, 2038 { 2039 {7840942, 14037873, -33364863, 15934016, -728213, -3642706, 2040 21403988, 1057586, -19379462, -12403220}, 2041 {915865, -16469274, 15608285, -8789130, -24357026, 6060030, 2042 -17371319, 8410997, -7220461, 16527025}, 2043 {32922597, -556987, 20336074, -16184568, 10903705, -5384487, 2044 16957574, 52992, 23834301, 6588044}, 2045 }, 2046 { 2047 {32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 2048 17159699, 16689107, -20314580, -1305992}, 2049 {-4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 2050 7924251, -2752281, 1976123, -7249027}, 2051 {21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, 2052 -3371252, 12331345, -8237197}, 2053 }, 2054 { 2055 {8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 2056 29054427, -5106970, 10008136, -4667901}, 2057 {31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 2058 16347321, -13662089, 8684155, -10532952}, 2059 {19443825, 11385320, 24468943, -9659068, -23919258, 2187569, 2060 -26263207, -6086921, 31316348, 14219878}, 2061 }, 2062 { 2063 {-28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 2064 27146014, 6992409, 29126555, 9207390}, 2065 {32382935, 1110093, 18477781, 11028262, -27411763, -7548111, 2066 -4980517, 10843782, -7957600, -14435730}, 2067 {2814918, 7836403, 27519878, -7868156, -20894015, -11553689, 2068 -21494559, 8550130, 28346258, 1994730}, 2069 }, 2070 { 2071 {-19578299, 8085545, -14000519, -3948622, 2785838, -16231307, 2072 -19516951, 7174894, 22628102, 8115180}, 2073 {-30405132, 955511, -11133838, -15078069, -32447087, -13278079, 2074 -25651578, 3317160, -9943017, 930272}, 2075 {-15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 2076 24091212, -1388970, -22765376, -10650715}, 2077 }, 2078 { 2079 {-22751231, -5303997, -12907607, -12768866, -15811511, -7797053, 2080 -14839018, -16554220, -1867018, 8398970}, 2081 {-31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 2082 22981545, -6291273, 18009408, -15772772}, 2083 {-17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 2084 29551787, -3727419, 19288549, 1325865}, 2085 }, 2086 { 2087 {15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 2088 12376730, -3479146, 33166107, -8042750}, 2089 {20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 2090 12412151, 10018715, 2213263, -13878373}, 2091 {32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 2092 22922121, 6382134, -5766928, 8371348}, 2093 }, 2094 }, 2095 { 2096 { 2097 {9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 2098 12891687, -8193132, -26442943, 10486144}, 2099 {-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2100 2610596, -23921530, -11455195}, 2101 {5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 2102 31319731, -4235541, 19985175, -3436086}, 2103 }, 2104 { 2105 {-13994457, 16616821, 14549246, 3341099, 32155958, 13648976, 2106 -17577068, 8849297, 65030, 8370684}, 2107 {-8320926, -12049626, 31204563, 5839400, -20627288, -1057277, 2108 -19442942, 6922164, 12743482, -9800518}, 2109 {-2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 2110 23783145, 11038569, 18800704, 255233}, 2111 }, 2112 { 2113 {-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 2114 9066957, 19258688, -14753793}, 2115 {-2936654, -10827535, -10432089, 14516793, -3640786, 4372541, 2116 -31934921, 2209390, -1524053, 2055794}, 2117 {580882, 16705327, 5468415, -2683018, -30926419, -14696000, 2118 -7203346, -8994389, -30021019, 7394435}, 2119 }, 2120 { 2121 {23838809, 1822728, -15738443, 15242727, 8318092, -3733104, 2122 -21672180, -3492205, -4821741, 14799921}, 2123 {13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 2124 13496856, -9056018, 7402518}, 2125 {2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 2126 11006906, -15760352, 8205061, 1607563}, 2127 }, 2128 { 2129 {14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 2130 18364661, -2906958, 30019587, -9029278}, 2131 {-27688051, 1585953, -10775053, 931069, -29120221, -11002319, 2132 -14410829, 12029093, 9944378, 8024}, 2133 {4368715, -3709630, 29874200, -15022983, -20230386, -11410704, 2134 -16114594, -999085, -8142388, 5640030}, 2135 }, 2136 { 2137 {10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, 2138 -16694564, 15219798, -14327783}, 2139 {27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, 2140 -1173195, -18342183, 9742717}, 2141 {6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 2142 7406442, 12420155, 1994844}, 2143 }, 2144 { 2145 {14012521, -5024720, -18384453, -9578469, -26485342, -3936439, 2146 -13033478, -10909803, 24319929, -6446333}, 2147 {16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 2148 10555945, -10484049, -30102368, -4739048}, 2149 {22397382, -7767684, -9293161, -12792868, 17166287, -9755136, 2150 -27333065, 6199366, 21880021, -12250760}, 2151 }, 2152 { 2153 {-4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 2154 16557151, 8890729, 8840445, 4957760}, 2155 {-15447727, 709327, -6919446, -10870178, -29777922, 6522332, 2156 -21720181, 12130072, -14796503, 5005757}, 2157 {-2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 2158 10183197, -13239326, -16395286, -2176112}, 2159 }, 2160 }, 2161 { 2162 { 2163 {-19025756, 1632005, 13466291, -7995100, -23640451, 16573537, 2164 -32013908, -3057104, 22208662, 2000468}, 2165 {3065073, -1412761, -25598674, -361432, -17683065, -5703415, 2166 -8164212, 11248527, -3691214, -7414184}, 2167 {10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 2168 16690915, 2553332, -3132688, 16400289}, 2169 }, 2170 { 2171 {15716668, 1254266, -18472690, 7446274, -8448918, 6344164, 2172 -22097271, -7285580, 26894937, 9132066}, 2173 {24158887, 12938817, 11085297, -8177598, -28063478, -4457083, 2174 -30576463, 64452, -6817084, -2692882}, 2175 {13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, 2176 -3418511, -4688006, 2364226}, 2177 }, 2178 { 2179 {16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, 2180 -11697457, 15445875, -7798101}, 2181 {29004207, -7867081, 28661402, -640412, -12794003, -7943086, 2182 31863255, -4135540, -278050, -15759279}, 2183 {-6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 2184 10343412, -6976290, -29828287, -10815811}, 2185 }, 2186 { 2187 {27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 2188 15372179, 17293797, 960709}, 2189 {20263915, 11434237, -5765435, 11236810, 13505955, -10857102, 2190 -16111345, 6493122, -19384511, 7639714}, 2191 {-2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 2192 18006287, -16043750, 29994677, -15808121}, 2193 }, 2194 { 2195 {9769828, 5202651, -24157398, -13631392, -28051003, -11561624, 2196 -24613141, -13860782, -31184575, 709464}, 2197 {12286395, 13076066, -21775189, -1176622, -25003198, 4057652, 2198 -32018128, -8890874, 16102007, 13205847}, 2199 {13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 2200 8525972, 10151379, 10394400}, 2201 }, 2202 { 2203 {4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 2204 19698229, 11743039, -33302334, 8934414}, 2205 {-15879800, -4525240, -8580747, -2934061, 14634845, -698278, 2206 -9449077, 3137094, -11536886, 11721158}, 2207 {17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 2208 8835153, -9205489, -1280045}, 2209 }, 2210 { 2211 {-461409, -7830014, 20614118, 16688288, -7514766, -4807119, 2212 22300304, 505429, 6108462, -6183415}, 2213 {-5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 2214 29880583, -13483331, -26898490, -7867459}, 2215 {-31975283, 5726539, 26934134, 10237677, -3173717, -605053, 2216 24199304, 3795095, 7592688, -14992079}, 2217 }, 2218 { 2219 {21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 2220 6407723, 12018833, -28256052, 4298412}, 2221 {-20650503, -11961496, -27236275, 570498, 3767144, -1717540, 2222 13891942, -1569194, 13717174, 10805743}, 2223 {-14676630, -15644296, 15287174, 11927123, 24177847, -8175568, 2224 -796431, 14860609, -26938930, -5863836}, 2225 }, 2226 }, 2227 { 2228 { 2229 {12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 2230 13286263, -12808704, -4381056, 9882022}, 2231 {18512079, 11319350, -20123124, 15090309, 18818594, 5271736, 2232 -22727904, 3666879, -23967430, -3299429}, 2233 {-6789020, -3146043, 16192429, 13241070, 15898607, -14206114, 2234 -10084880, -6661110, -2403099, 5276065}, 2235 }, 2236 { 2237 {30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 2238 7152851, 3684982, 1449224, 13082861}, 2239 {10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 2240 15056736, -21016438, -8202000}, 2241 {-33150110, 3261608, 22745853, 7948688, 19370557, -15177665, 2242 -26171976, 6482814, -10300080, -11060101}, 2243 }, 2244 { 2245 {32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 2246 26112421, 2521008, -22664288, 6904815}, 2247 {29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 2248 3841096, -29003639, -6657642}, 2249 {10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 2250 30878497, -11824370, -25584551, 5181966}, 2251 }, 2252 { 2253 {25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 2254 24396252, -16450922, -2322852, -12388574}, 2255 {-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 2256 12641087, 20603771, -6561742}, 2257 {-18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 2258 1925523, 11914390, 4662781, 7820689}, 2259 }, 2260 { 2261 {12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 2262 12172924, 16136752, 15264020}, 2263 {-10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 2264 10658213, 6671822, 19012087, 3772772}, 2265 {3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, 2266 -15762884, 20527771, 12988982}, 2267 }, 2268 { 2269 {-14822485, -5797269, -3707987, 12689773, -898983, -10914866, 2270 -24183046, -10564943, 3299665, -12424953}, 2271 {-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 2272 6461331, -25583147, 8991218}, 2273 {-17226263, 1816362, -1673288, -6086439, 31783888, -8175991, 2274 -32948145, 7417950, -30242287, 1507265}, 2275 }, 2276 { 2277 {29692663, 6829891, -10498800, 4334896, 20945975, -11906496, 2278 -28887608, 8209391, 14606362, -10647073}, 2279 {-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 2280 9761487, 4170404, -2085325}, 2281 {-11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 2282 22186522, 16002000, -14276837, -8400798}, 2283 }, 2284 { 2285 {-4811456, 13761029, -31703877, -2483919, -3312471, 7869047, 2286 -7113572, -9620092, 13240845, 10965870}, 2287 {-7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 2288 4498947, 14147411, 29514390, 4302863}, 2289 {-13413405, -12407859, 20757302, -13801832, 14785143, 8976368, 2290 -5061276, -2144373, 17846988, -13971927}, 2291 }, 2292 }, 2293 { 2294 { 2295 {-2244452, -754728, -4597030, -1066309, -6247172, 1455299, 2296 -21647728, -9214789, -5222701, 12650267}, 2297 {-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 2298 13770293, -19134326, 10958663}, 2299 {22470984, 12369526, 23446014, -5441109, -21520802, -9698723, 2300 -11772496, -11574455, -25083830, 4271862}, 2301 }, 2302 { 2303 {-25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 2304 75375, -4278529, -32526221, 8469673}, 2305 {15854970, 4148314, -8893890, 7259002, 11666551, 13824734, 2306 -30531198, 2697372, 24154791, -9460943}, 2307 {15446137, -15806644, 29759747, 14019369, 30811221, -9610191, 2308 -31582008, 12840104, 24913809, 9815020}, 2309 }, 2310 { 2311 {-4709286, -5614269, -31841498, -12288893, -14443537, 10799414, 2312 -9103676, 13438769, 18735128, 9466238}, 2313 {11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, 2314 -10896103, -22728655, 16199064}, 2315 {14576810, 379472, -26786533, -8317236, -29426508, -10812974, 2316 -102766, 1876699, 30801119, 2164795}, 2317 }, 2318 { 2319 {15995086, 3199873, 13672555, 13712240, -19378835, -4647646, 2320 -13081610, -15496269, -13492807, 1268052}, 2321 {-10290614, -3659039, -3286592, 10948818, 23037027, 3794475, 2322 -3470338, -12600221, -17055369, 3565904}, 2323 {29210088, -9419337, -5919792, -4952785, 10834811, -13327726, 2324 -16512102, -10820713, -27162222, -14030531}, 2325 }, 2326 { 2327 {-13161890, 15508588, 16663704, -8156150, -28349942, 9019123, 2328 -29183421, -3769423, 2244111, -14001979}, 2329 {-5152875, -3800936, -9306475, -6071583, 16243069, 14684434, 2330 -25673088, -16180800, 13491506, 4641841}, 2331 {10813417, 643330, -19188515, -728916, 30292062, -16600078, 2332 27548447, -7721242, 14476989, -12767431}, 2333 }, 2334 { 2335 {10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, 2336 -1644259, -27912810, 12651324}, 2337 {-31185513, -813383, 22271204, 11835308, 10201545, 15351028, 2338 17099662, 3988035, 21721536, -3148940}, 2339 {10202177, -6545839, -31373232, -9574638, -32150642, -8119683, 2340 -12906320, 3852694, 13216206, 14842320}, 2341 }, 2342 { 2343 {-15815640, -10601066, -6538952, -7258995, -6984659, -6581778, 2344 -31500847, 13765824, -27434397, 9900184}, 2345 {14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 2346 33046193, 15796406, -7051866, -8040114}, 2347 {30924417, -8279620, 6359016, -12816335, 16508377, 9071735, 2348 -25488601, 15413635, 9524356, -7018878}, 2349 }, 2350 { 2351 {12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 2352 5237659, -5109483, 15663516, 4035784}, 2353 {-2951309, 8903985, 17349946, 601635, -16432815, -4612556, 2354 -13732739, -15889334, -22258478, 4659091}, 2355 {-16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 2356 5736189, 15026997, -2178256, -13455585}, 2357 }, 2358 }, 2359 { 2360 { 2361 {-8858980, -2219056, 28571666, -10155518, -474467, -10105698, 2362 -3801496, 278095, 23440562, -290208}, 2363 {10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 2364 11551483, -16571960, -7442864}, 2365 {17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 2366 22503767, 5561594, -3646624, 3898661}, 2367 }, 2368 { 2369 {7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 2370 7152530, 21831162, 1245233}, 2371 {26958459, -14658026, 4314586, 8346991, -5677764, 11960072, 2372 -32589295, -620035, -30402091, -16716212}, 2373 {-12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 2374 6280834, 14587357, -22338025, 13987525}, 2375 }, 2376 { 2377 {-24349909, 7778775, 21116000, 15572597, -4833266, -5357778, 2378 -4300898, -5124639, -7469781, -2858068}, 2379 {9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 2380 6439245, -14581012, 4091397}, 2381 {-8426427, 1470727, -28109679, -1596990, 3978627, -5123623, 2382 -19622683, 12092163, 29077877, -14741988}, 2383 }, 2384 { 2385 {5269168, -6859726, -13230211, -8020715, 25932563, 1763552, 2386 -5606110, -5505881, -20017847, 2357889}, 2387 {32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 2388 23104804, -12869908, 5727338, 189038}, 2389 {14609123, -8954470, -6000566, -16622781, -14577387, -7743898, 2390 -26745169, 10942115, -25888931, -14884697}, 2391 }, 2392 { 2393 {20513500, 5557931, -15604613, 7829531, 26413943, -2019404, 2394 -21378968, 7471781, 13913677, -5137875}, 2395 {-25574376, 11967826, 29233242, 12948236, -6754465, 4713227, 2396 -8940970, 14059180, 12878652, 8511905}, 2397 {-25656801, 3393631, -2955415, -7075526, -2250709, 9366908, 2398 -30223418, 6812974, 5568676, -3127656}, 2399 }, 2400 { 2401 {11630004, 12144454, 2116339, 13606037, 27378885, 15676917, 2402 -17408753, -13504373, -14395196, 8070818}, 2403 {27117696, -10007378, -31282771, -5570088, 1127282, 12772488, 2404 -29845906, 10483306, -11552749, -1028714}, 2405 {10637467, -5688064, 5674781, 1072708, -26343588, -6982302, 2406 -1683975, 9177853, -27493162, 15431203}, 2407 }, 2408 { 2409 {20525145, 10892566, -12742472, 12779443, -29493034, 16150075, 2410 -28240519, 14943142, -15056790, -7935931}, 2411 {-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, 2412 -3239766, -3356550, 9594024}, 2413 {-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, 2414 -6492290, 13352335, -10977084}, 2415 }, 2416 { 2417 {-1931799, -5407458, 3304649, -12884869, 17015806, -4877091, 2418 -29783850, -7752482, -13215537, -319204}, 2419 {20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 2420 15077870, -22750759, 14523817}, 2421 {27406042, -6041657, 27423596, -4497394, 4996214, 10002360, 2422 -28842031, -4545494, -30172742, -4805667}, 2423 }, 2424 }, 2425 { 2426 { 2427 {11374242, 12660715, 17861383, -12540833, 10935568, 1099227, 2428 -13886076, -9091740, -27727044, 11358504}, 2429 {-12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 2430 32676003, 11149336, -26123651, 4985768}, 2431 {-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 2432 13794114, -19414307, -15621255}, 2433 }, 2434 { 2435 {6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 2436 6970005, -1691065, -9004790}, 2437 {1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, 2438 -5475723, -16796596, -5031438}, 2439 {-22273315, -13524424, -64685, -4334223, -18605636, -10921968, 2440 -20571065, -7007978, -99853, -10237333}, 2441 }, 2442 { 2443 {17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 2444 31992683, -15857976, -29260363, -5511971}, 2445 {31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, 2446 -3744247, 4882242, -10626905}, 2447 {29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 2448 3272828, -5190932, -4162409}, 2449 }, 2450 { 2451 {12501286, 4044383, -8612957, -13392385, -32430052, 5136599, 2452 -19230378, -3529697, 330070, -3659409}, 2453 {6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, 2454 -8573892, -271295, 12071499}, 2455 {-8365515, -4042521, 25133448, -4517355, -6211027, 2265927, 2456 -32769618, 1936675, -5159697, 3829363}, 2457 }, 2458 { 2459 {28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, 2460 -6567787, 26333140, 14267664}, 2461 {-11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 2462 10004786, -8709488, -21761224, 8930324}, 2463 {-21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 2464 1541940, 4757911, -26491501, -16408940}, 2465 }, 2466 { 2467 {13537262, -7759490, -20604840, 10961927, -5922820, -13218065, 2468 -13156584, 6217254, -15943699, 13814990}, 2469 {-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 2470 9257833, -1956526, -1776914}, 2471 {-25045300, -10191966, 15366585, 15166509, -13105086, 8423556, 2472 -29171540, 12361135, -18685978, 4578290}, 2473 }, 2474 { 2475 {24579768, 3711570, 1342322, -11180126, -27005135, 14124956, 2476 -22544529, 14074919, 21964432, 8235257}, 2477 {-6528613, -2411497, 9442966, -5925588, 12025640, -1487420, 2478 -2981514, -1669206, 13006806, 2355433}, 2479 {-16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 2480 27202044, 1719366, 1141648, -12796236}, 2481 }, 2482 { 2483 {-12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 2484 13475066, -3133972, 32674895, 13715045}, 2485 {11423335, -5468059, 32344216, 8962751, 24989809, 9241752, 2486 -13265253, 16086212, -28740881, -15642093}, 2487 {-1409668, 12530728, -6368726, 10847387, 19531186, -14132160, 2488 -11709148, 7791794, -27245943, 4383347}, 2489 }, 2490 }, 2491 { 2492 { 2493 {-28970898, 5271447, -1266009, -9736989, -12455236, 16732599, 2494 -4862407, -4906449, 27193557, 6245191}, 2495 {-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 2496 3260492, 22510453, 8577507}, 2497 {-12632451, 11257346, -32692994, 13548177, -721004, 10879011, 2498 31168030, 13952092, -29571492, -3635906}, 2499 }, 2500 { 2501 {3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 2502 3759769, 11935320, 5611860, 8164018}, 2503 {-16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 2504 32003002, -8832289, 5773085, -8422109}, 2505 {-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 2506 12376320, 31632953, 190926}, 2507 }, 2508 { 2509 {-24593607, -16138885, -8423991, 13378746, 14162407, 6901328, 2510 -8288749, 4508564, -25341555, -3627528}, 2511 {8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, 2512 -14786005, -1672488, 827625}, 2513 {-32720583, -16289296, -32503547, 7101210, 13354605, 2659080, 2514 -1800575, -14108036, -24878478, 1541286}, 2515 }, 2516 { 2517 {2901347, -1117687, 3880376, -10059388, -17620940, -3612781, 2518 -21802117, -3567481, 20456845, -1885033}, 2519 {27019610, 12299467, -13658288, -1603234, -12861660, -4861471, 2520 -19540150, -5016058, 29439641, 15138866}, 2521 {21536104, -6626420, -32447818, -10690208, -22408077, 5175814, 2522 -5420040, -16361163, 7779328, 109896}, 2523 }, 2524 { 2525 {30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 2526 12180118, 23177719, -554075}, 2527 {26572847, 3405927, -31701700, 12890905, -19265668, 5335866, 2528 -6493768, 2378492, 4439158, -13279347}, 2529 {-22716706, 3489070, -9225266, -332753, 18875722, -1140095, 2530 14819434, -12731527, -17717757, -5461437}, 2531 }, 2532 { 2533 {-5056483, 16566551, 15953661, 3767752, -10436499, 15627060, 2534 -820954, 2177225, 8550082, -15114165}, 2535 {-18473302, 16596775, -381660, 15663611, 22860960, 15585581, 2536 -27844109, -3582739, -23260460, -8428588}, 2537 {-32480551, 15707275, -8205912, -5652081, 29464558, 2713815, 2538 -22725137, 15860482, -21902570, 1494193}, 2539 }, 2540 { 2541 {-19562091, -14087393, -25583872, -9299552, 13127842, 759709, 2542 21923482, 16529112, 8742704, 12967017}, 2543 {-28464899, 1553205, 32536856, -10473729, -24691605, -406174, 2544 -8914625, -2933896, -29903758, 15553883}, 2545 {21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 2546 14513274, 19375923, -12647961}, 2547 }, 2548 { 2549 {8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, 2550 -6222716, 2862653, 9455043}, 2551 {29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, 2552 -2990080, 15511449, 4789663}, 2553 {-20679756, 7004547, 8824831, -9434977, -4045704, -3750736, 2554 -5754762, 108893, 23513200, 16652362}, 2555 }, 2556 }, 2557 { 2558 { 2559 {-33256173, 4144782, -4476029, -6579123, 10770039, -7155542, 2560 -6650416, -12936300, -18319198, 10212860}, 2561 {2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2562 2600940, -9988298, -12506466}, 2563 {-24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 2564 11344424, 864440, -2499677, -16710063}, 2565 }, 2566 { 2567 {-26432803, 6148329, -17184412, -14474154, 18782929, -275997, 2568 -22561534, 211300, 2719757, 4940997}, 2569 {-1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 2570 21690126, 8518463, 26699843, 5276295}, 2571 {-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 2572 149635, -15452774, 7159369}, 2573 }, 2574 { 2575 {9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 2576 8312176, 22477218, -8403385}, 2577 {18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 2578 24256460, -4864995, -22548173, 9334109}, 2579 {2986088, -4911893, 10776628, -3473844, 10620590, -7083203, 2580 -21413845, 14253545, -22587149, 536906}, 2581 }, 2582 { 2583 {4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 2584 10589625, 10838060, -15420424}, 2585 {-19342404, 867880, 9277171, -3218459, -14431572, -1986443, 2586 19295826, -15796950, 6378260, 699185}, 2587 {7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 2588 15693155, -5045064, -13373962}, 2589 }, 2590 { 2591 {-7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 2592 31730678, -10962840, -3918636, -9669325}, 2593 {10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 2594 30743455, 7116568, -21786507, 5427593}, 2595 {696102, 13206899, 27047647, -10632082, 15285305, -9853179, 2596 10798490, -4578720, 19236243, 12477404}, 2597 }, 2598 { 2599 {-11229439, 11243796, -17054270, -8040865, -788228, -8167967, 2600 -3897669, 11180504, -23169516, 7733644}, 2601 {17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 2602 23466177, -10538171, 10322027, 15313801}, 2603 {26246234, 11968874, 32263343, -5468728, 6830755, -13323031, 2604 -15794704, -101982, -24449242, 10890804}, 2605 }, 2606 { 2607 {-31365647, 10271363, -12660625, -6267268, 16690207, -13062544, 2608 -14982212, 16484931, 25180797, -5334884}, 2609 {-586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2610 2276632, 9482883, 316878, 13820577}, 2611 {-9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 2612 30756178, -7515054, 30696930, -3712849}, 2613 }, 2614 { 2615 {32988917, -9603412, 12499366, 7910787, -10617257, -11931514, 2616 -7342816, -9985397, -32349517, 7392473}, 2617 {-8855661, 15927861, 9866406, -3649411, -2396914, -16655781, 2618 -30409476, -9134995, 25112947, -2926644}, 2619 {-2504044, -436966, 25621774, -5678772, 15085042, -5479877, 2620 -24884878, -13526194, 5537438, -13914319}, 2621 }, 2622 }, 2623 { 2624 { 2625 {-11225584, 2320285, -9584280, 10149187, -33444663, 5808648, 2626 -14876251, -1729667, 31234590, 6090599}, 2627 {-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 2628 15878753, -6970405, -9034768}, 2629 {-27757857, 247744, -15194774, -9002551, 23288161, -10011936, 2630 -23869595, 6503646, 20650474, 1804084}, 2631 }, 2632 { 2633 {-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, 2634 -10329713, 27842616, -202328}, 2635 {-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 2636 5031932, -11375082, 12714369}, 2637 {20807691, -7270825, 29286141, 11421711, -27876523, -13868230, 2638 -21227475, 1035546, -19733229, 12796920}, 2639 }, 2640 { 2641 {12076899, -14301286, -8785001, -11848922, -25012791, 16400684, 2642 -17591495, -12899438, 3480665, -15182815}, 2643 {-32361549, 5457597, 28548107, 7833186, 7303070, -11953545, 2644 -24363064, -15921875, -33374054, 2771025}, 2645 {-21389266, 421932, 26597266, 6860826, 22486084, -6737172, 2646 -17137485, -4210226, -24552282, 15673397}, 2647 }, 2648 { 2649 {-20184622, 2338216, 19788685, -9620956, -4001265, -8740893, 2650 -20271184, 4733254, 3727144, -12934448}, 2651 {6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 2652 7975683, 31123697, -10958981}, 2653 {30069250, -11435332, 30434654, 2958439, 18399564, -976289, 2654 12296869, 9204260, -16432438, 9648165}, 2655 }, 2656 { 2657 {32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 2658 5248604, -26008332, -11377501}, 2659 {17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 2660 15298639, 2662509, -16297073}, 2661 {-1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 2662 32087529, -1222777, 32247248, -14389861}, 2663 }, 2664 { 2665 {14312628, 1221556, 17395390, -8700143, -4945741, -8684635, 2666 -28197744, -9637817, -16027623, -13378845}, 2667 {-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 2668 9803137, 17597934, 2346211}, 2669 {18510800, 15337574, 26171504, 981392, -22241552, 7827556, 2670 -23491134, -11323352, 3059833, -11782870}, 2671 }, 2672 { 2673 {10141598, 6082907, 17829293, -1947643, 9830092, 13613136, 2674 -25556636, -5544586, -33502212, 3592096}, 2675 {33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 2676 1151462, 1521897, -982665, -6837803}, 2677 {-32939165, -4255815, 23947181, -324178, -33072974, -12305637, 2678 -16637686, 3891704, 26353178, 693168}, 2679 }, 2680 { 2681 {30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, 2682 -400668, 31375464, 14369965}, 2683 {-14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 2684 32732230, -13108839, 17901441, 16011505}, 2685 {18171223, -11934626, -12500402, 15197122, -11038147, -15230035, 2686 -19172240, -16046376, 8764035, 12309598}, 2687 }, 2688 }, 2689 { 2690 { 2691 {5975908, -5243188, -19459362, -9681747, -11541277, 14015782, 2692 -23665757, 1228319, 17544096, -10593782}, 2693 {5811932, -1715293, 3442887, -2269310, -18367348, -8359541, 2694 -18044043, -15410127, -5565381, 12348900}, 2695 {-31399660, 11407555, 25755363, 6891399, -3256938, 14872274, 2696 -24849353, 8141295, -10632534, -585479}, 2697 }, 2698 { 2699 {-12675304, 694026, -5076145, 13300344, 14015258, -14451394, 2700 -9698672, -11329050, 30944593, 1130208}, 2701 {8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 2702 4652152, 2488540, 23550156, -271232}, 2703 {17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, 2704 -5908146, -408818, -137719}, 2705 }, 2706 { 2707 {16091085, -16253926, 18599252, 7340678, 2137637, -1221657, 2708 -3364161, 14550936, 3260525, -7166271}, 2709 {-4910104, -13332887, 18550887, 10864893, -16459325, -7291596, 2710 -23028869, -13204905, -12748722, 2701326}, 2711 {-8574695, 16099415, 4629974, -16340524, -20786213, -6005432, 2712 -10018363, 9276971, 11329923, 1862132}, 2713 }, 2714 { 2715 {14763076, -15903608, -30918270, 3689867, 3511892, 10313526, 2716 -21951088, 12219231, -9037963, -940300}, 2717 {8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, 2718 -2909717, -15438168, 11595570}, 2719 {15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 2720 13947276, 10730794, -13489462, -4363670}, 2721 }, 2722 { 2723 {-2538306, 7682793, 32759013, 263109, -29984731, -7955452, 2724 -22332124, -10188635, 977108, 699994}, 2725 {-12466472, 4195084, -9211532, 550904, -15565337, 12917920, 2726 19118110, -439841, -30534533, -14337913}, 2727 {31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, 2728 -10051775, 12493932, -5409317}, 2729 }, 2730 { 2731 {-25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 2732 27218280, 2607121, 29375955, 6024730}, 2733 {842132, -2794693, -4763381, -8722815, 26332018, -12405641, 2734 11831880, 6985184, -9940361, 2854096}, 2735 {-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 2736 960770, 12121869, 16648078}, 2737 }, 2738 { 2739 {-15218652, 14667096, -13336229, 2013717, 30598287, -464137, 2740 -31504922, -7882064, 20237806, 2838411}, 2741 {-19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 2742 12544294, -13470457, 1068881, -12499905}, 2743 {-9558883, -16518835, 33238498, 13506958, 30505848, -1114596, 2744 -8486907, -2630053, 12521378, 4845654}, 2745 }, 2746 { 2747 {-28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 2748 3409348, -873400, -6482306, -12885870}, 2749 {-23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 2750 10477734, -1240216, -3113227, 13974498}, 2751 {12966261, 15550616, -32038948, -1615346, 21025980, -629444, 2752 5642325, 7188737, 18895762, 12629579}, 2753 }, 2754 }, 2755 { 2756 { 2757 {14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 2758 11758140, 789443, 32195181, 3895677}, 2759 {10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, 2760 -3566119, -8982069, 4429647}, 2761 {-2453894, 15725973, -20436342, -10410672, -5803908, -11040220, 2762 -7135870, -11642895, 18047436, -15281743}, 2763 }, 2764 { 2765 {-25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 2766 10993114, -12850837, -17620701, -9408468}, 2767 {21987233, 700364, -24505048, 14972008, -7774265, -5718395, 2768 32155026, 2581431, -29958985, 8773375}, 2769 {-25568350, 454463, -13211935, 16126715, 25240068, 8594567, 2770 20656846, 12017935, -7874389, -13920155}, 2771 }, 2772 { 2773 {6028182, 6263078, -31011806, -11301710, -818919, 2461772, 2774 -31841174, -5468042, -1721788, -2776725}, 2775 {-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, 2776 -4166698, 28408820, 6816612}, 2777 {-10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 2778 20613181, 13982702, -10339570, 5067943}, 2779 }, 2780 { 2781 {-30505967, -3821767, 12074681, 13582412, -19877972, 2443951, 2782 -19719286, 12746132, 5331210, -10105944}, 2783 {30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 2784 24180793, -12570394, 27679908, -1648928}, 2785 {9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 2786 26653274, -8685565, 22611444, -12715406}, 2787 }, 2788 { 2789 {22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 2790 19189625, -4648942, 4854859, 6622139}, 2791 {-8310738, -2953450, -8262579, -3388049, -10401731, -271929, 2792 13424426, -3567227, 26404409, 13001963}, 2793 {-31241838, -15415700, -2994250, 8939346, 11562230, -12840670, 2794 -26064365, -11621720, -15405155, 11020693}, 2795 }, 2796 { 2797 {1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 2798 3175636, -12424163, 28761762, 1406734}, 2799 {-448555, -1777666, 13018551, 3194501, -9580420, -11161737, 2800 24760585, -4347088, 25577411, -13378680}, 2801 {-24290378, 4759345, -690653, -1852816, 2066747, 10693769, 2802 -29595790, 9884936, -9368926, 4745410}, 2803 }, 2804 { 2805 {-9141284, 6049714, -19531061, -4341411, -31260798, 9944276, 2806 -15462008, -11311852, 10931924, -11931931}, 2807 {-16561513, 14112680, -8012645, 4817318, -8040464, -11414606, 2808 -22853429, 10856641, -20470770, 13434654}, 2809 {22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 2810 1765144, -12654326, 28445307, -5364710}, 2811 }, 2812 { 2813 {29875063, 12493613, 2795536, -3786330, 1710620, 15181182, 2814 -10195717, -8788675, 9074234, 1167180}, 2815 {-26205683, 11014233, -9842651, -2635485, -26908120, 7532294, 2816 -18716888, -9535498, 3843903, 9367684}, 2817 {-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 2818 8601684, -139197, 4242895}, 2819 }, 2820 }, 2821 { 2822 { 2823 {22092954, -13191123, -2042793, -11968512, 32186753, -11517388, 2824 -6574341, 2470660, -27417366, 16625501}, 2825 {-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2826 2602725, -27351616, 14247413}, 2827 {6314175, -10264892, -32772502, 15957557, -10157730, 168750, 2828 -8618807, 14290061, 27108877, -1180880}, 2829 }, 2830 { 2831 {-8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 2832 33547976, -11058889, -27148451, 981874}, 2833 {22833440, 9293594, -32649448, -13618667, -9136966, 14756819, 2834 -22928859, -13970780, -10479804, -16197962}, 2835 {-7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 2836 22680049, 13906969, -15933690, 3797899}, 2837 }, 2838 { 2839 {21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 2840 23740224, -2709232, 20491983, -8042152}, 2841 {9209270, -15135055, -13256557, -6167798, -731016, 15289673, 2842 25947805, 15286587, 30997318, -6703063}, 2843 {7392032, 16618386, 23946583, -8039892, -13265164, -1533858, 2844 -14197445, -2321576, 17649998, -250080}, 2845 }, 2846 { 2847 {-9301088, -14193827, 30609526, -3049543, -25175069, -1283752, 2848 -15241566, -9525724, -2233253, 7662146}, 2849 {-17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 2850 7335080, -8472199, -3174674, 3440183}, 2851 {-19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 2852 40450, -4431835, 4862400, 1133}, 2853 }, 2854 { 2855 {-32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 2856 7258061, 311861, -30594991, -7379421}, 2857 {-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 2858 16527196, 18278453, 15405622}, 2859 {-4381906, 8508652, -19898366, -3674424, -5984453, 15149970, 2860 -13313598, 843523, -21875062, 13626197}, 2861 }, 2862 { 2863 {2281448, -13487055, -10915418, -2609910, 1879358, 16164207, 2864 -10783882, 3953792, 13340839, 15928663}, 2865 {31727126, -7179855, -18437503, -8283652, 2875793, -16390330, 2866 -25269894, -7014826, -23452306, 5964753}, 2867 {4100420, -5959452, -17179337, 6017714, -18705837, 12227141, 2868 -26684835, 11344144, 2538215, -7570755}, 2869 }, 2870 { 2871 {-9433605, 6123113, 11159803, -2156608, 30016280, 14966241, 2872 -20474983, 1485421, -629256, -15958862}, 2873 {-26804558, 4260919, 11851389, 9658551, -32017107, 16367492, 2874 -20205425, -13191288, 11659922, -11115118}, 2875 {26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, 2876 -10170080, 33100372, -1306171}, 2877 }, 2878 { 2879 {15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 2880 21670947, 4486675, -5931810, -14466380}, 2881 {16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2882 2340060, -16254968, -10735770, -10039824}, 2883 {28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 2884 6766453, -8689599, 18036436, 5803270}, 2885 }, 2886 }, 2887 { 2888 { 2889 {-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 2890 4598332, -6159431, -14117438}, 2891 {-31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 2892 696309, 50292, -20095739, 11763584}, 2893 {-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, 2894 -12613632, -19773211, -10713562}, 2895 }, 2896 { 2897 {30464590, -11262872, -4127476, -12734478, 19835327, -7105613, 2898 -24396175, 2075773, -17020157, 992471}, 2899 {18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 2900 8080033, -11574335, -10601610}, 2901 {19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 2902 21873263, 16014234, 26224780, 16452269}, 2903 }, 2904 { 2905 {-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, 2906 -7618186, -20533829, 3698650}, 2907 {14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 2908 7268410, -10890444, 27394301, 12015369}, 2909 {19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 2910 20244189, -1312777, -13259127, -3402461}, 2911 }, 2912 { 2913 {30860103, 12735208, -1888245, -4699734, -16974906, 2256940, 2914 -8166013, 12298312, -8550524, -10393462}, 2915 {-5719826, -11245325, -1910649, 15569035, 26642876, -7587760, 2916 -5789354, -15118654, -4976164, 12651793}, 2917 {-2848395, 9953421, 11531313, -5282879, 26895123, -12697089, 2918 -13118820, -16517902, 9768698, -2533218}, 2919 }, 2920 { 2921 {-24719459, 1894651, -287698, -4704085, 15348719, -8156530, 2922 32767513, 12765450, 4940095, 10678226}, 2923 {18860224, 15980149, -18987240, -1562570, -26233012, -11071856, 2924 -7843882, 13944024, -24372348, 16582019}, 2925 {-15504260, 4970268, -29893044, 4175593, -20993212, -2199756, 2926 -11704054, 15444560, -11003761, 7989037}, 2927 }, 2928 { 2929 {31490452, 5568061, -2412803, 2182383, -32336847, 4531686, 2930 -32078269, 6200206, -19686113, -14800171}, 2931 {-17308668, -15879940, -31522777, -2831, -32887382, 16375549, 2932 8680158, -16371713, 28550068, -6857132}, 2933 {-28126887, -5688091, 16837845, -1820458, -6850681, 12700016, 2934 -30039981, 4364038, 1155602, 5988841}, 2935 }, 2936 { 2937 {21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 2938 23148983, -4470481, 24618407, 8283181}, 2939 {-33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 2940 3070187, -7025928, 1466169, 10740210}, 2941 {-1509399, -15488185, -13503385, -10655916, 32799044, 909394, 2942 -13938903, -5779719, -32164649, -15327040}, 2943 }, 2944 { 2945 {3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 2946 15567327, 951507, -3260321, -573935}, 2947 {24740841, 5052253, -30094131, 8961361, 25877428, 6165135, 2948 -24368180, 14397372, -7380369, -6144105}, 2949 {-28888365, 3510803, -28103278, -1158478, -11238128, -10631454, 2950 -15441463, -14453128, -1625486, -6494814}, 2951 }, 2952 }, 2953 { 2954 { 2955 {793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, 2956 -4885251, -9906200, -621852}, 2957 {5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 2958 1468826, -6171428, -15186581}, 2959 {-4859255, -3779343, -2917758, -6748019, 7778750, 11688288, 2960 -30404353, -9871238, -1558923, -9863646}, 2961 }, 2962 { 2963 {10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 2964 14783338, -30581476, -15757844}, 2965 {10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 2966 21752402, 8822496, 24003793, 14264025}, 2967 {27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 2968 23886875, -13117525, 13958495, -5732453}, 2969 }, 2970 { 2971 {-23481610, 4867226, -27247128, 3900521, 29838369, -8212291, 2972 -31889399, -10041781, 7340521, -15410068}, 2973 {4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 2974 31366726, -1381061, -15066784, -10375192}, 2975 {-17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 2976 27584817, 3093888, -8843694, 3849921}, 2977 }, 2978 { 2979 {-9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 2980 32477045, -9017955, 5002294, -15550259}, 2981 {-12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 2982 16489530, 13378448, -25845716, 12741426}, 2983 {-5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 2984 24306472, 15852464, 28834118, -7646072}, 2985 }, 2986 { 2987 {-17335748, -9107057, -24531279, 9434953, -8472084, -583362, 2988 -13090771, 455841, 20461858, 5491305}, 2989 {13669248, -16095482, -12481974, -10203039, -14569770, -11893198, 2990 -24995986, 11293807, -28588204, -9421832}, 2991 {28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 2992 18504674, -14165166, 29867745, -8795943}, 2993 }, 2994 { 2995 {-16207023, 13517196, -27799630, -13697798, 24009064, -6373891, 2996 -6367600, -13175392, 22853429, -4012011}, 2997 {24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 2998 18603514, -11037887, 12876623, -2112447}, 2999 {17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 3000 608397, 16031844, 3723494}, 3001 }, 3002 { 3003 {-28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 3004 17558842, -7872890, 23896954, -4314245}, 3005 {-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 3006 7229064, -9919646, -8826859}, 3007 {28816045, 298879, -28165016, -15920938, 19000928, -1665890, 3008 -12680833, -2949325, -18051778, -2082915}, 3009 }, 3010 { 3011 {16000882, -344896, 3493092, -11447198, -29504595, -13159789, 3012 12577740, 16041268, -19715240, 7847707}, 3013 {10151868, 10572098, 27312476, 7922682, 14825339, 4723128, 3014 -32855931, -6519018, -10020567, 3852848}, 3015 {-11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 3016 16514493, -15932110, 29330899, -15076224}, 3017 }, 3018 }, 3019 { 3020 { 3021 {-25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3022 3303702, 15490, -27548796, 12314391}, 3023 {15683520, -6003043, 18109120, -9980648, 15337968, -5997823, 3024 -16717435, 15921866, 16103996, -3731215}, 3025 {-23169824, -10781249, 13588192, -1628807, -3798557, -1074929, 3026 -19273607, 5402699, -29815713, -9841101}, 3027 }, 3028 { 3029 {23190676, 2384583, -32714340, 3462154, -29903655, -1529132, 3030 -11266856, 8911517, -25205859, 2739713}, 3031 {21374101, -3554250, -33524649, 9874411, 15377179, 11831242, 3032 -33529904, 6134907, 4931255, 11987849}, 3033 {-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 3034 13861388, -30076310, 10117930}, 3035 }, 3036 { 3037 {-29501170, -10744872, -26163768, 13051539, -25625564, 5089643, 3038 -6325503, 6704079, 12890019, 15728940}, 3039 {-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, 3040 -10428139, 12885167, 8311031}, 3041 {-17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 3042 26423267, 4384730, 1888765, -5435404}, 3043 }, 3044 { 3045 {-25817338, -3107312, -13494599, -3182506, 30896459, -13921729, 3046 -32251644, -12707869, -19464434, -3340243}, 3047 {-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 3048 14845197, 17151279, -9854116}, 3049 {-24830458, -12733720, -15165978, 10367250, -29530908, -265356, 3050 22825805, -7087279, -16866484, 16176525}, 3051 }, 3052 { 3053 {-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, 3054 -10363426, -28746253, -10197509}, 3055 {-10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 3056 23632037, -1940610, 32808310, 1099883}, 3057 {15030977, 5768825, -27451236, -2887299, -6427378, -15361371, 3058 -15277896, -6809350, 2051441, -15225865}, 3059 }, 3060 { 3061 {-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, 3062 -14154188, -22686354, 16633660}, 3063 {4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 3064 18559670, -10759549, 8402478, -9864273}, 3065 {-28406330, -1051581, -26790155, -907698, -17212414, -11030789, 3066 9453451, -14980072, 17983010, 9967138}, 3067 }, 3068 { 3069 {-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 3070 7806337, 17507396, 3651560}, 3071 {-10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 3072 26556809, -5574557, -18553322, -11357135}, 3073 {2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 3074 8459447, -5605463, -7621941}, 3075 }, 3076 { 3077 {-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, 3078 -849066, 17258084, -7977739}, 3079 {18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 3080 23357533, -15217008, 26908270, 12150756}, 3081 {-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, 3082 -5537701, -32302074, 16215819}, 3083 }, 3084 }, 3085 { 3086 { 3087 {-6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 3088 32574489, 12532905, -7503072, -8675347}, 3089 {-27343522, -16515468, -27151524, -10722951, 946346, 16291093, 3090 254968, 7168080, 21676107, -1943028}, 3091 {21260961, -8424752, -16831886, -11920822, -23677961, 3968121, 3092 -3651949, -6215466, -3556191, -7913075}, 3093 }, 3094 { 3095 {16544754, 13250366, -16804428, 15546242, -4583003, 12757258, 3096 -2462308, -8680336, -18907032, -9662799}, 3097 {-2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 3098 26820651, 16690659, 25459437, -4564609}, 3099 {-25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 3100 9142795, -2391602, -6432418, -1644817}, 3101 }, 3102 { 3103 {-23104652, 6253476, 16964147, -3768872, -25113972, -12296437, 3104 -27457225, -16344658, 6335692, 7249989}, 3105 {-30333227, 13979675, 7503222, -12368314, -11956721, -4621693, 3106 -30272269, 2682242, 25993170, -12478523}, 3107 {4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 3108 22857016, -10598955, 31820368, 15075278}, 3109 }, 3110 { 3111 {31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, 3112 -9650886, -17970238, 12833045}, 3113 {19073683, 14851414, -24403169, -11860168, 7625278, 11091125, 3114 -19619190, 2074449, -9413939, 14905377}, 3115 {24483667, -11935567, -2518866, -11547418, -1553130, 15355506, 3116 -25282080, 9253129, 27628530, -7555480}, 3117 }, 3118 { 3119 {17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, 3120 -9157582, -14110875, 15297016}, 3121 {510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, 3122 -11864220, 8683221, 2921426}, 3123 {18606791, 11874196, 27155355, -5281482, -24031742, 6265446, 3124 -25178240, -1278924, 4674690, 13890525}, 3125 }, 3126 { 3127 {13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 3128 14977157, 9835105, 4389687, 288396}, 3129 {9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 3130 8317628, 23388070, 16052080}, 3131 {12720016, 11937594, -31970060, -5028689, 26900120, 8561328, 3132 -20155687, -11632979, -14754271, -10812892}, 3133 }, 3134 { 3135 {15961858, 14150409, 26716931, -665832, -22794328, 13603569, 3136 11829573, 7467844, -28822128, 929275}, 3137 {11038231, -11582396, -27310482, -7316562, -10498527, -16307831, 3138 -23479533, -9371869, -21393143, 2465074}, 3139 {20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 3140 13817261, -9658066, 2463391, -4622140}, 3141 }, 3142 { 3143 {-16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 3144 9583558, 12851107, 4003896, 12673717}, 3145 {-1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 3146 14741514, -9103726, 7903886, 2348101}, 3147 {24536016, -16515207, 12715592, -3862155, 1511293, 10047386, 3148 -3842346, -7129159, -28377538, 10048127}, 3149 }, 3150 }, 3151 { 3152 { 3153 {-12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 3154 18873298, -7297090, -32297756, 15221632}, 3155 {-26478122, -11103864, 11546244, -1852483, 9180880, 7656409, 3156 -21343950, 2095755, 29769758, 6593415}, 3157 {-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, 3158 -6118678, 30958054, 8292160}, 3159 }, 3160 { 3161 {31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 3162 32808831, 3977186, 26143136, -3148876}, 3163 {22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, 3164 -1674433, -3758243, -2304625}, 3165 {-15491917, 8012313, -2514730, -12702462, -23965846, -10254029, 3166 -1612713, -1535569, -16664475, 8194478}, 3167 }, 3168 { 3169 {27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 3170 27277191, 8855376, 28572286, 3005164}, 3171 {26287124, 4821776, 25476601, -4145903, -3764513, -15788984, 3172 -18008582, 1182479, -26094821, -13079595}, 3173 {-7171154, 3178080, 23970071, 6201893, -17195577, -4489192, 3174 -21876275, -13982627, 32208683, -1198248}, 3175 }, 3176 { 3177 {-16657702, 2817643, -10286362, 14811298, 6024667, 13349505, 3178 -27315504, -10497842, -27672585, -11539858}, 3179 {15941029, -9405932, -21367050, 8062055, 31876073, -238629, 3180 -15278393, -1444429, 15397331, -4130193}, 3181 {8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 3182 31170398, -1441021, -27505566, 15087184}, 3183 }, 3184 { 3185 {-18357243, -2156491, 24524913, -16677868, 15520427, -6360776, 3186 -15502406, 11461896, 16788528, -5868942}, 3187 {-1947386, 16013773, 21750665, 3714552, -17401782, -16055433, 3188 -3770287, -10323320, 31322514, -11615635}, 3189 {21426655, -5650218, -13648287, -5347537, -28812189, -4920970, 3190 -18275391, -14621414, 13040862, -12112948}, 3191 }, 3192 { 3193 {11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 3194 14555558, -13417103, 1613711, 4896935}, 3195 {-25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 3196 2825960, -4897045, -23971776, -11267415}, 3197 {-15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 3198 20615400, 12405433, -23753030, -8436416}, 3199 }, 3200 { 3201 {-7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 3202 4378436, 2432030, 23097949, -566018}, 3203 {4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 3204 10103221, -18512313, 2424778}, 3205 {366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 3206 1344109, -3642553, 12412659}, 3207 }, 3208 { 3209 {-24001791, 7690286, 14929416, -168257, -32210835, -13412986, 3210 24162697, -15326504, -3141501, 11179385}, 3211 {18289522, -14724954, 8056945, 16430056, -21729724, 7842514, 3212 -6001441, -1486897, -18684645, -11443503}, 3213 {476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 3214 13403813, 11052904, 5219329}, 3215 }, 3216 }, 3217 { 3218 { 3219 {20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 3220 31186971, -3973730, 9014762, -8579056}, 3221 {-13644050, -10350239, -15962508, 5075808, -1514661, -11534600, 3222 -33102500, 9160280, 8473550, -3256838}, 3223 {24900749, 14435722, 17209120, -15292541, -22592275, 9878983, 3224 -7689309, -16335821, -24568481, 11788948}, 3225 }, 3226 { 3227 {-3118155, -11395194, -13802089, 14797441, 9652448, -6845904, 3228 -20037437, 10410733, -24568470, -1458691}, 3229 {-15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 3230 11871841, -12505194, -18513325, 8464118}, 3231 {-23400612, 8348507, -14585951, -861714, -3950205, -6373419, 3232 14325289, 8628612, 33313881, -8370517}, 3233 }, 3234 { 3235 {-20186973, -4967935, 22367356, 5271547, -1097117, -4788838, 3236 -24805667, -10236854, -8940735, -5818269}, 3237 {-6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 3238 15989197, -12838188, 28358192, -4253904}, 3239 {-23561781, -2799059, -32351682, -1661963, -9147719, 10429267, 3240 -16637684, 4072016, -5351664, 5596589}, 3241 }, 3242 { 3243 {-28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 3244 29266239, 2557221, 1768301, 15373193}, 3245 {-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, 3246 -4504991, -24660491, 3442910}, 3247 {-30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 3248 22597931, 7176455, -18585478, 13365930}, 3249 }, 3250 { 3251 {-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, 3252 -8570186, -9689599, -3031667}, 3253 {25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 3254 683793, -11823784, 15723479, -15163481}, 3255 {-9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 3256 11879682, 5400171, 519526, -1235876}, 3257 }, 3258 { 3259 {22258397, -16332233, -7869817, 14613016, -22520255, -2950923, 3260 -20353881, 7315967, 16648397, 7605640}, 3261 {-8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 3262 23994942, -5281555, -9468848, 4763278}, 3263 {-21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 3264 31088447, -7764523, -11356529, 728112}, 3265 }, 3266 { 3267 {26047220, -11751471, -6900323, -16521798, 24092068, 9158119, 3268 -4273545, -12555558, -29365436, -5498272}, 3269 {17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 3270 12327945, 10750447, 10014012}, 3271 {-10312768, 3936952, 9156313, -8897683, 16498692, -994647, 3272 -27481051, -666732, 3424691, 7540221}, 3273 }, 3274 { 3275 {30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, 3276 -16317219, -9244265, 15258046}, 3277 {13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 3278 2711395, 1062915, -5136345}, 3279 {-19240248, -11254599, -29509029, -7499965, -5835763, 13005411, 3280 -6066489, 12194497, 32960380, 1459310}, 3281 }, 3282 }, 3283 { 3284 { 3285 {19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, 3286 -6101885, 18638003, -11174937}, 3287 {31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 3288 9012486, -7584354, -6643087, -5442636}, 3289 {-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 3290 9677543, -32294889, -6456008}, 3291 }, 3292 { 3293 {-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, 3294 -7839692, -7852844, -8138429}, 3295 {-15236356, -15433509, 7766470, 746860, 26346930, -10221762, 3296 -27333451, 10754588, -9431476, 5203576}, 3297 {31834314, 14135496, -770007, 5159118, 20917671, -16768096, 3298 -7467973, -7337524, 31809243, 7347066}, 3299 }, 3300 { 3301 {-9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 3302 19797970, -12211255, 15192876, -2087490}, 3303 {-12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 3304 10609330, 12694420, 33473243, -13382104}, 3305 {33184999, 11180355, 15832085, -11385430, -1633671, 225884, 3306 15089336, -11023903, -6135662, 14480053}, 3307 }, 3308 { 3309 {31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 3310 5496208, 13685227, 27595050, 8737275}, 3311 {-20318852, -15150239, 10933843, -16178022, 8335352, -7546022, 3312 -31008351, -12610604, 26498114, 66511}, 3313 {22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 3314 30540766, -4286747, -13327787, -7515095}, 3315 }, 3316 { 3317 {-28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 3318 8205540, 13585437, -17127465, 15115439}, 3319 {23711543, -672915, 31206561, -8362711, 6164647, -9709987, 3320 -33535882, -1426096, 8236921, 16492939}, 3321 {-23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 3322 19574902, 10071562, 6708380, -6222424}, 3323 }, 3324 { 3325 {2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 3326 9328700, 29955601, -11678310}, 3327 {3096359, 9271816, -21620864, -15521844, -14847996, -7592937, 3328 -25892142, -12635595, -9917575, 6216608}, 3329 {-32615849, 338663, -25195611, 2510422, -29213566, -13820213, 3330 24822830, -6146567, -26767480, 7525079}, 3331 }, 3332 { 3333 {-23066649, -13985623, 16133487, -7896178, -3389565, 778788, 3334 -910336, -2782495, -19386633, 11994101}, 3335 {21691500, -13624626, -641331, -14367021, 3285881, -3483596, 3336 -25064666, 9718258, -7477437, 13381418}, 3337 {18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 3338 23111648, -6375247, 28535282, 15779576}, 3339 }, 3340 { 3341 {30098053, 3089662, -9234387, 16662135, -21306940, 11308411, 3342 -14068454, 12021730, 9955285, -16303356}, 3343 {9734894, -14576830, -7473633, -9138735, 2060392, 11313496, 3344 -18426029, 9924399, 20194861, 13380996}, 3345 {-26378102, -7965207, -22167821, 15789297, -18055342, -6168792, 3346 -1984914, 15707771, 26342023, 10146099}, 3347 }, 3348 }, 3349 { 3350 { 3351 {-26016874, -219943, 21339191, -41388, 19745256, -2878700, 3352 -29637280, 2227040, 21612326, -545728}, 3353 {-13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 3354 25764461, 12243797, -20856566, 11649658}, 3355 {-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 3356 6114064, 33514190, 2333242}, 3357 }, 3358 { 3359 {-21433588, -12421821, 8119782, 7219913, -21830522, -9016134, 3360 -6679750, -12670638, 24350578, -13450001}, 3361 {-4116307, -11271533, -23886186, 4843615, -30088339, 690623, 3362 -31536088, -10406836, 8317860, 12352766}, 3363 {18200138, -14475911, -33087759, -2696619, -23702521, -9102511, 3364 -23552096, -2287550, 20712163, 6719373}, 3365 }, 3366 { 3367 {26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, 3368 -3763210, 26224235, -3297458}, 3369 {-17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 3370 21728352, 9493610, 18620611, -16428628}, 3371 {-13323321, 13325349, 11432106, 5964811, 18609221, 6062965, 3372 -5269471, -9725556, -30701573, -16479657}, 3373 }, 3374 { 3375 {-23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 3376 12248509, -5240639, 13735342, 1934062}, 3377 {25089769, 6742589, 17081145, -13406266, 21909293, -16067981, 3378 -15136294, -3765346, -21277997, 5473616}, 3379 {31883677, -7961101, 1083432, -11572403, 22828471, 13290673, 3380 -7125085, 12469656, 29111212, -5451014}, 3381 }, 3382 { 3383 {24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 3384 24367466, 6388839, -10295587, 452383}, 3385 {-25640782, -3417841, 5217916, 16224624, 19987036, -4082269, 3386 -24236251, -5915248, 15766062, 8407814}, 3387 {-20406999, 13990231, 15495425, 16395525, 5377168, 15166495, 3388 -8917023, -4388953, -8067909, 2276718}, 3389 }, 3390 { 3391 {30157918, 12924066, -17712050, 9245753, 19895028, 3368142, 3392 -23827587, 5096219, 22740376, -7303417}, 3393 {2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 3394 24051124, 13742383, -15637599, 13295222}, 3395 {33338237, -8505733, 12532113, 7977527, 9106186, -1715251, 3396 -17720195, -4612972, -4451357, -14669444}, 3397 }, 3398 { 3399 {-20045281, 5454097, -14346548, 6447146, 28862071, 1883651, 3400 -2469266, -4141880, 7770569, 9620597}, 3401 {23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, 3402 -1694323, -33502340, -14767970}, 3403 {1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 3404 1220118, 30494170, -11440799}, 3405 }, 3406 { 3407 {-5037580, -13028295, -2970559, -3061767, 15640974, -6701666, 3408 -26739026, 926050, -1684339, -13333647}, 3409 {13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 3410 9021034, 9078865, 3353509, 4033511}, 3411 {-29663431, -15113610, 32259991, -344482, 24295849, -12912123, 3412 23161163, 8839127, 27485041, 7356032}, 3413 }, 3414 }, 3415 { 3416 { 3417 {9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 3418 2625015, 28431036, -16771834}, 3419 {-23839233, -8311415, -25945511, 7480958, -17681669, -8354183, 3420 -22545972, 14150565, 15970762, 4099461}, 3421 {29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 3422 13617293, -9937143, 11465739, 8317062}, 3423 }, 3424 { 3425 {-25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 3426 14898637, 3848455, 20969334, -5157516}, 3427 {-20384450, -14347713, -18336405, 13884722, -33039454, 2842114, 3428 -21610826, -3649888, 11177095, 14989547}, 3429 {-24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 3430 13515641, 2581286, -28487508, 9930240}, 3431 }, 3432 { 3433 {-17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 3434 18345767, -13403753, 16291481, -5314038}, 3435 {-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 3436 6957617, 4368891, 9788741}, 3437 {16660756, 7281060, -10830758, 12911820, 20108584, -8101676, 3438 -21722536, -8613148, 16250552, -11111103}, 3439 }, 3440 { 3441 {-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 3442 10604807, -30190403, 4782747}, 3443 {-1354539, 14736941, -7367442, -13292886, 7710542, -14155590, 3444 -9981571, 4383045, 22546403, 437323}, 3445 {31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 3446 27343084, 2786261, -30633590, -14097016}, 3447 }, 3448 { 3449 {-14467279, -683715, -33374107, 7448552, 19294360, 14334329, 3450 -19690631, 2355319, -19284671, -6114373}, 3451 {15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 3452 18952177, 15496498, -29380133, 11754228}, 3453 {-2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 3454 7141596, 11724556, 22761615, -10134141}, 3455 }, 3456 { 3457 {16918416, 11729663, -18083579, 3022987, -31015732, -13339659, 3458 -28741185, -12227393, 32851222, 11717399}, 3459 {11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 3460 31474879, 3483633, -1193175, -4030831}, 3461 {-185635, 9921305, 31456609, -13536438, -12013818, 13348923, 3462 33142652, 6546660, -19985279, -3948376}, 3463 }, 3464 { 3465 {-32460596, 11266712, -11197107, -7899103, 31703694, 3855903, 3466 -8537131, -12833048, -30772034, -15486313}, 3467 {-18006477, 12709068, 3991746, -6479188, -21491523, -10550425, 3468 -31135347, -16049879, 10928917, 3011958}, 3469 {-6957757, -15594337, 31696059, 334240, 29576716, 14796075, 3470 -30831056, -12805180, 18008031, 10258577}, 3471 }, 3472 { 3473 {-22448644, 15655569, 7018479, -4410003, -30314266, -1201591, 3474 -1853465, 1367120, 25127874, 6671743}, 3475 {29701166, -14373934, -10878120, 9279288, -17568, 13127210, 3476 21382910, 11042292, 25838796, 4642684}, 3477 {-20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 3478 30468147, -13900640, 18423289, 4177476}, 3479 }, 3480 }, 3481 }; 3482 3483 static uint8_t negative(signed char b) { 3484 uint32_t x = b; 3485 x >>= 31; /* 1: yes; 0: no */ 3486 return x; 3487 } 3488 3489 static void table_select(ge_precomp *t, int pos, signed char b) { 3490 ge_precomp minust; 3491 uint8_t bnegative = negative(b); 3492 uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1); 3493 3494 ge_precomp_0(t); 3495 cmov(t, &k25519Precomp[pos][0], equal(babs, 1)); 3496 cmov(t, &k25519Precomp[pos][1], equal(babs, 2)); 3497 cmov(t, &k25519Precomp[pos][2], equal(babs, 3)); 3498 cmov(t, &k25519Precomp[pos][3], equal(babs, 4)); 3499 cmov(t, &k25519Precomp[pos][4], equal(babs, 5)); 3500 cmov(t, &k25519Precomp[pos][5], equal(babs, 6)); 3501 cmov(t, &k25519Precomp[pos][6], equal(babs, 7)); 3502 cmov(t, &k25519Precomp[pos][7], equal(babs, 8)); 3503 fe_copy(minust.yplusx, t->yminusx); 3504 fe_copy(minust.yminusx, t->yplusx); 3505 fe_neg(minust.xy2d, t->xy2d); 3506 cmov(t, &minust, bnegative); 3507 } 3508 3509 /* h = a * B 3510 * where a = a[0]+256*a[1]+...+256^31 a[31] 3511 * B is the Ed25519 base point (x,4/5) with x positive. 3512 * 3513 * Preconditions: 3514 * a[31] <= 127 */ 3515 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) { 3516 signed char e[64]; 3517 signed char carry; 3518 ge_p1p1 r; 3519 ge_p2 s; 3520 ge_precomp t; 3521 int i; 3522 3523 for (i = 0; i < 32; ++i) { 3524 e[2 * i + 0] = (a[i] >> 0) & 15; 3525 e[2 * i + 1] = (a[i] >> 4) & 15; 3526 } 3527 /* each e[i] is between 0 and 15 */ 3528 /* e[63] is between 0 and 7 */ 3529 3530 carry = 0; 3531 for (i = 0; i < 63; ++i) { 3532 e[i] += carry; 3533 carry = e[i] + 8; 3534 carry >>= 4; 3535 e[i] -= carry << 4; 3536 } 3537 e[63] += carry; 3538 /* each e[i] is between -8 and 8 */ 3539 3540 ge_p3_0(h); 3541 for (i = 1; i < 64; i += 2) { 3542 table_select(&t, i / 2, e[i]); 3543 ge_madd(&r, h, &t); 3544 x25519_ge_p1p1_to_p3(h, &r); 3545 } 3546 3547 ge_p3_dbl(&r, h); 3548 x25519_ge_p1p1_to_p2(&s, &r); 3549 ge_p2_dbl(&r, &s); 3550 x25519_ge_p1p1_to_p2(&s, &r); 3551 ge_p2_dbl(&r, &s); 3552 x25519_ge_p1p1_to_p2(&s, &r); 3553 ge_p2_dbl(&r, &s); 3554 x25519_ge_p1p1_to_p3(h, &r); 3555 3556 for (i = 0; i < 64; i += 2) { 3557 table_select(&t, i / 2, e[i]); 3558 ge_madd(&r, h, &t); 3559 x25519_ge_p1p1_to_p3(h, &r); 3560 } 3561 } 3562 3563 #endif 3564 3565 static void cmov_cached(ge_cached *t, ge_cached *u, uint8_t b) { 3566 fe_cmov(t->YplusX, u->YplusX, b); 3567 fe_cmov(t->YminusX, u->YminusX, b); 3568 fe_cmov(t->Z, u->Z, b); 3569 fe_cmov(t->T2d, u->T2d, b); 3570 } 3571 3572 /* r = scalar * A. 3573 * where a = a[0]+256*a[1]+...+256^31 a[31]. */ 3574 void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) { 3575 ge_p2 Ai_p2[8]; 3576 ge_cached Ai[16]; 3577 ge_p1p1 t; 3578 3579 ge_cached_0(&Ai[0]); 3580 x25519_ge_p3_to_cached(&Ai[1], A); 3581 ge_p3_to_p2(&Ai_p2[1], A); 3582 3583 unsigned i; 3584 for (i = 2; i < 16; i += 2) { 3585 ge_p2_dbl(&t, &Ai_p2[i / 2]); 3586 ge_p1p1_to_cached(&Ai[i], &t); 3587 if (i < 8) { 3588 x25519_ge_p1p1_to_p2(&Ai_p2[i], &t); 3589 } 3590 x25519_ge_add(&t, A, &Ai[i]); 3591 ge_p1p1_to_cached(&Ai[i + 1], &t); 3592 if (i < 7) { 3593 x25519_ge_p1p1_to_p2(&Ai_p2[i + 1], &t); 3594 } 3595 } 3596 3597 ge_p2_0(r); 3598 ge_p3 u; 3599 3600 for (i = 0; i < 256; i += 4) { 3601 ge_p2_dbl(&t, r); 3602 x25519_ge_p1p1_to_p2(r, &t); 3603 ge_p2_dbl(&t, r); 3604 x25519_ge_p1p1_to_p2(r, &t); 3605 ge_p2_dbl(&t, r); 3606 x25519_ge_p1p1_to_p2(r, &t); 3607 ge_p2_dbl(&t, r); 3608 x25519_ge_p1p1_to_p3(&u, &t); 3609 3610 uint8_t index = scalar[31 - i/8]; 3611 index >>= 4 - (i & 4); 3612 index &= 0xf; 3613 3614 unsigned j; 3615 ge_cached selected; 3616 ge_cached_0(&selected); 3617 for (j = 0; j < 16; j++) { 3618 cmov_cached(&selected, &Ai[j], equal(j, index)); 3619 } 3620 3621 x25519_ge_add(&t, &u, &selected); 3622 x25519_ge_p1p1_to_p2(r, &t); 3623 } 3624 } 3625 3626 #ifdef ED25519 3627 static void slide(signed char *r, const uint8_t *a) { 3628 int i; 3629 int b; 3630 int k; 3631 3632 for (i = 0; i < 256; ++i) { 3633 r[i] = 1 & (a[i >> 3] >> (i & 7)); 3634 } 3635 3636 for (i = 0; i < 256; ++i) { 3637 if (r[i]) { 3638 for (b = 1; b <= 6 && i + b < 256; ++b) { 3639 if (r[i + b]) { 3640 if (r[i] + (r[i + b] << b) <= 15) { 3641 r[i] += r[i + b] << b; 3642 r[i + b] = 0; 3643 } else if (r[i] - (r[i + b] << b) >= -15) { 3644 r[i] -= r[i + b] << b; 3645 for (k = i + b; k < 256; ++k) { 3646 if (!r[k]) { 3647 r[k] = 1; 3648 break; 3649 } 3650 r[k] = 0; 3651 } 3652 } else { 3653 break; 3654 } 3655 } 3656 } 3657 } 3658 } 3659 } 3660 #endif 3661 3662 static const ge_precomp Bi[8] = { 3663 { 3664 {25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, 3665 -11754271, -6079156, 2047605}, 3666 {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 3667 5043384, 19500929, -15469378}, 3668 {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 3669 11864899, -24514362, -4438546}, 3670 }, 3671 { 3672 {15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, 3673 -14772189, 28944400, -1550024}, 3674 {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, 3675 -11775962, 7689662, 11199574}, 3676 {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 3677 10017326, -17749093, -9920357}, 3678 }, 3679 { 3680 {10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 3681 14515107, -15438304, 10819380}, 3682 {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 3683 12483688, -12668491, 5581306}, 3684 {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 3685 13850243, -23678021, -15815942}, 3686 }, 3687 { 3688 {5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 3689 5230134, -23952439, -15175766}, 3690 {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 3691 16520125, 30598449, 7715701}, 3692 {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 3693 1370708, 29794553, -1409300}, 3694 }, 3695 { 3696 {-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, 3697 -1361450, -13062696, 13821877}, 3698 {-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, 3699 -7212327, 18853322, -14220951}, 3700 {4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, 3701 -10431137, 2207753, -3209784}, 3702 }, 3703 { 3704 {-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, 3705 -663000, -31111463, -16132436}, 3706 {25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 3707 15725684, 171356, 6466918}, 3708 {23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, 3709 -14088058, -30714912, 16193877}, 3710 }, 3711 { 3712 {-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 3713 4729455, -18074513, 9256800}, 3714 {-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 3715 9761698, -19827198, 630305}, 3716 {-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, 3717 -15960994, -2449256, -14291300}, 3718 }, 3719 { 3720 {-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 3721 15033784, 25105118, -7894876}, 3722 {-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 3723 1573892, -2625887, 2198790, -15804619}, 3724 {-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, 3725 -16236442, -32461234, -12290683}, 3726 }, 3727 }; 3728 3729 #ifdef ED25519 3730 /* r = a * A + b * B 3731 * where a = a[0]+256*a[1]+...+256^31 a[31]. 3732 * and b = b[0]+256*b[1]+...+256^31 b[31]. 3733 * B is the Ed25519 base point (x,4/5) with x positive. */ 3734 static void 3735 ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a, 3736 const ge_p3 *A, const uint8_t *b) { 3737 signed char aslide[256]; 3738 signed char bslide[256]; 3739 ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */ 3740 ge_p1p1 t; 3741 ge_p3 u; 3742 ge_p3 A2; 3743 int i; 3744 3745 slide(aslide, a); 3746 slide(bslide, b); 3747 3748 x25519_ge_p3_to_cached(&Ai[0], A); 3749 ge_p3_dbl(&t, A); 3750 x25519_ge_p1p1_to_p3(&A2, &t); 3751 x25519_ge_add(&t, &A2, &Ai[0]); 3752 x25519_ge_p1p1_to_p3(&u, &t); 3753 x25519_ge_p3_to_cached(&Ai[1], &u); 3754 x25519_ge_add(&t, &A2, &Ai[1]); 3755 x25519_ge_p1p1_to_p3(&u, &t); 3756 x25519_ge_p3_to_cached(&Ai[2], &u); 3757 x25519_ge_add(&t, &A2, &Ai[2]); 3758 x25519_ge_p1p1_to_p3(&u, &t); 3759 x25519_ge_p3_to_cached(&Ai[3], &u); 3760 x25519_ge_add(&t, &A2, &Ai[3]); 3761 x25519_ge_p1p1_to_p3(&u, &t); 3762 x25519_ge_p3_to_cached(&Ai[4], &u); 3763 x25519_ge_add(&t, &A2, &Ai[4]); 3764 x25519_ge_p1p1_to_p3(&u, &t); 3765 x25519_ge_p3_to_cached(&Ai[5], &u); 3766 x25519_ge_add(&t, &A2, &Ai[5]); 3767 x25519_ge_p1p1_to_p3(&u, &t); 3768 x25519_ge_p3_to_cached(&Ai[6], &u); 3769 x25519_ge_add(&t, &A2, &Ai[6]); 3770 x25519_ge_p1p1_to_p3(&u, &t); 3771 x25519_ge_p3_to_cached(&Ai[7], &u); 3772 3773 ge_p2_0(r); 3774 3775 for (i = 255; i >= 0; --i) { 3776 if (aslide[i] || bslide[i]) { 3777 break; 3778 } 3779 } 3780 3781 for (; i >= 0; --i) { 3782 ge_p2_dbl(&t, r); 3783 3784 if (aslide[i] > 0) { 3785 x25519_ge_p1p1_to_p3(&u, &t); 3786 x25519_ge_add(&t, &u, &Ai[aslide[i] / 2]); 3787 } else if (aslide[i] < 0) { 3788 x25519_ge_p1p1_to_p3(&u, &t); 3789 x25519_ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]); 3790 } 3791 3792 if (bslide[i] > 0) { 3793 x25519_ge_p1p1_to_p3(&u, &t); 3794 ge_madd(&t, &u, &Bi[bslide[i] / 2]); 3795 } else if (bslide[i] < 0) { 3796 x25519_ge_p1p1_to_p3(&u, &t); 3797 ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]); 3798 } 3799 3800 x25519_ge_p1p1_to_p2(r, &t); 3801 } 3802 } 3803 #endif 3804 3805 /* The set of scalars is \Z/l 3806 * where l = 2^252 + 27742317777372353535851937790883648493. */ 3807 3808 /* Input: 3809 * s[0]+256*s[1]+...+256^63*s[63] = s 3810 * 3811 * Output: 3812 * s[0]+256*s[1]+...+256^31*s[31] = s mod l 3813 * where l = 2^252 + 27742317777372353535851937790883648493. 3814 * Overwrites s in place. */ 3815 void 3816 x25519_sc_reduce(uint8_t *s) { 3817 int64_t s0 = 2097151 & load_3(s); 3818 int64_t s1 = 2097151 & (load_4(s + 2) >> 5); 3819 int64_t s2 = 2097151 & (load_3(s + 5) >> 2); 3820 int64_t s3 = 2097151 & (load_4(s + 7) >> 7); 3821 int64_t s4 = 2097151 & (load_4(s + 10) >> 4); 3822 int64_t s5 = 2097151 & (load_3(s + 13) >> 1); 3823 int64_t s6 = 2097151 & (load_4(s + 15) >> 6); 3824 int64_t s7 = 2097151 & (load_3(s + 18) >> 3); 3825 int64_t s8 = 2097151 & load_3(s + 21); 3826 int64_t s9 = 2097151 & (load_4(s + 23) >> 5); 3827 int64_t s10 = 2097151 & (load_3(s + 26) >> 2); 3828 int64_t s11 = 2097151 & (load_4(s + 28) >> 7); 3829 int64_t s12 = 2097151 & (load_4(s + 31) >> 4); 3830 int64_t s13 = 2097151 & (load_3(s + 34) >> 1); 3831 int64_t s14 = 2097151 & (load_4(s + 36) >> 6); 3832 int64_t s15 = 2097151 & (load_3(s + 39) >> 3); 3833 int64_t s16 = 2097151 & load_3(s + 42); 3834 int64_t s17 = 2097151 & (load_4(s + 44) >> 5); 3835 int64_t s18 = 2097151 & (load_3(s + 47) >> 2); 3836 int64_t s19 = 2097151 & (load_4(s + 49) >> 7); 3837 int64_t s20 = 2097151 & (load_4(s + 52) >> 4); 3838 int64_t s21 = 2097151 & (load_3(s + 55) >> 1); 3839 int64_t s22 = 2097151 & (load_4(s + 57) >> 6); 3840 int64_t s23 = (load_4(s + 60) >> 3); 3841 int64_t carry0; 3842 int64_t carry1; 3843 int64_t carry2; 3844 int64_t carry3; 3845 int64_t carry4; 3846 int64_t carry5; 3847 int64_t carry6; 3848 int64_t carry7; 3849 int64_t carry8; 3850 int64_t carry9; 3851 int64_t carry10; 3852 int64_t carry11; 3853 int64_t carry12; 3854 int64_t carry13; 3855 int64_t carry14; 3856 int64_t carry15; 3857 int64_t carry16; 3858 3859 s11 += s23 * 666643; 3860 s12 += s23 * 470296; 3861 s13 += s23 * 654183; 3862 s14 -= s23 * 997805; 3863 s15 += s23 * 136657; 3864 s16 -= s23 * 683901; 3865 s23 = 0; 3866 3867 s10 += s22 * 666643; 3868 s11 += s22 * 470296; 3869 s12 += s22 * 654183; 3870 s13 -= s22 * 997805; 3871 s14 += s22 * 136657; 3872 s15 -= s22 * 683901; 3873 s22 = 0; 3874 3875 s9 += s21 * 666643; 3876 s10 += s21 * 470296; 3877 s11 += s21 * 654183; 3878 s12 -= s21 * 997805; 3879 s13 += s21 * 136657; 3880 s14 -= s21 * 683901; 3881 s21 = 0; 3882 3883 s8 += s20 * 666643; 3884 s9 += s20 * 470296; 3885 s10 += s20 * 654183; 3886 s11 -= s20 * 997805; 3887 s12 += s20 * 136657; 3888 s13 -= s20 * 683901; 3889 s20 = 0; 3890 3891 s7 += s19 * 666643; 3892 s8 += s19 * 470296; 3893 s9 += s19 * 654183; 3894 s10 -= s19 * 997805; 3895 s11 += s19 * 136657; 3896 s12 -= s19 * 683901; 3897 s19 = 0; 3898 3899 s6 += s18 * 666643; 3900 s7 += s18 * 470296; 3901 s8 += s18 * 654183; 3902 s9 -= s18 * 997805; 3903 s10 += s18 * 136657; 3904 s11 -= s18 * 683901; 3905 s18 = 0; 3906 3907 carry6 = (s6 + (1 << 20)) >> 21; 3908 s7 += carry6; 3909 s6 -= carry6 << 21; 3910 carry8 = (s8 + (1 << 20)) >> 21; 3911 s9 += carry8; 3912 s8 -= carry8 << 21; 3913 carry10 = (s10 + (1 << 20)) >> 21; 3914 s11 += carry10; 3915 s10 -= carry10 << 21; 3916 carry12 = (s12 + (1 << 20)) >> 21; 3917 s13 += carry12; 3918 s12 -= carry12 << 21; 3919 carry14 = (s14 + (1 << 20)) >> 21; 3920 s15 += carry14; 3921 s14 -= carry14 << 21; 3922 carry16 = (s16 + (1 << 20)) >> 21; 3923 s17 += carry16; 3924 s16 -= carry16 << 21; 3925 3926 carry7 = (s7 + (1 << 20)) >> 21; 3927 s8 += carry7; 3928 s7 -= carry7 << 21; 3929 carry9 = (s9 + (1 << 20)) >> 21; 3930 s10 += carry9; 3931 s9 -= carry9 << 21; 3932 carry11 = (s11 + (1 << 20)) >> 21; 3933 s12 += carry11; 3934 s11 -= carry11 << 21; 3935 carry13 = (s13 + (1 << 20)) >> 21; 3936 s14 += carry13; 3937 s13 -= carry13 << 21; 3938 carry15 = (s15 + (1 << 20)) >> 21; 3939 s16 += carry15; 3940 s15 -= carry15 << 21; 3941 3942 s5 += s17 * 666643; 3943 s6 += s17 * 470296; 3944 s7 += s17 * 654183; 3945 s8 -= s17 * 997805; 3946 s9 += s17 * 136657; 3947 s10 -= s17 * 683901; 3948 s17 = 0; 3949 3950 s4 += s16 * 666643; 3951 s5 += s16 * 470296; 3952 s6 += s16 * 654183; 3953 s7 -= s16 * 997805; 3954 s8 += s16 * 136657; 3955 s9 -= s16 * 683901; 3956 s16 = 0; 3957 3958 s3 += s15 * 666643; 3959 s4 += s15 * 470296; 3960 s5 += s15 * 654183; 3961 s6 -= s15 * 997805; 3962 s7 += s15 * 136657; 3963 s8 -= s15 * 683901; 3964 s15 = 0; 3965 3966 s2 += s14 * 666643; 3967 s3 += s14 * 470296; 3968 s4 += s14 * 654183; 3969 s5 -= s14 * 997805; 3970 s6 += s14 * 136657; 3971 s7 -= s14 * 683901; 3972 s14 = 0; 3973 3974 s1 += s13 * 666643; 3975 s2 += s13 * 470296; 3976 s3 += s13 * 654183; 3977 s4 -= s13 * 997805; 3978 s5 += s13 * 136657; 3979 s6 -= s13 * 683901; 3980 s13 = 0; 3981 3982 s0 += s12 * 666643; 3983 s1 += s12 * 470296; 3984 s2 += s12 * 654183; 3985 s3 -= s12 * 997805; 3986 s4 += s12 * 136657; 3987 s5 -= s12 * 683901; 3988 s12 = 0; 3989 3990 carry0 = (s0 + (1 << 20)) >> 21; 3991 s1 += carry0; 3992 s0 -= carry0 << 21; 3993 carry2 = (s2 + (1 << 20)) >> 21; 3994 s3 += carry2; 3995 s2 -= carry2 << 21; 3996 carry4 = (s4 + (1 << 20)) >> 21; 3997 s5 += carry4; 3998 s4 -= carry4 << 21; 3999 carry6 = (s6 + (1 << 20)) >> 21; 4000 s7 += carry6; 4001 s6 -= carry6 << 21; 4002 carry8 = (s8 + (1 << 20)) >> 21; 4003 s9 += carry8; 4004 s8 -= carry8 << 21; 4005 carry10 = (s10 + (1 << 20)) >> 21; 4006 s11 += carry10; 4007 s10 -= carry10 << 21; 4008 4009 carry1 = (s1 + (1 << 20)) >> 21; 4010 s2 += carry1; 4011 s1 -= carry1 << 21; 4012 carry3 = (s3 + (1 << 20)) >> 21; 4013 s4 += carry3; 4014 s3 -= carry3 << 21; 4015 carry5 = (s5 + (1 << 20)) >> 21; 4016 s6 += carry5; 4017 s5 -= carry5 << 21; 4018 carry7 = (s7 + (1 << 20)) >> 21; 4019 s8 += carry7; 4020 s7 -= carry7 << 21; 4021 carry9 = (s9 + (1 << 20)) >> 21; 4022 s10 += carry9; 4023 s9 -= carry9 << 21; 4024 carry11 = (s11 + (1 << 20)) >> 21; 4025 s12 += carry11; 4026 s11 -= carry11 << 21; 4027 4028 s0 += s12 * 666643; 4029 s1 += s12 * 470296; 4030 s2 += s12 * 654183; 4031 s3 -= s12 * 997805; 4032 s4 += s12 * 136657; 4033 s5 -= s12 * 683901; 4034 s12 = 0; 4035 4036 carry0 = s0 >> 21; 4037 s1 += carry0; 4038 s0 -= carry0 << 21; 4039 carry1 = s1 >> 21; 4040 s2 += carry1; 4041 s1 -= carry1 << 21; 4042 carry2 = s2 >> 21; 4043 s3 += carry2; 4044 s2 -= carry2 << 21; 4045 carry3 = s3 >> 21; 4046 s4 += carry3; 4047 s3 -= carry3 << 21; 4048 carry4 = s4 >> 21; 4049 s5 += carry4; 4050 s4 -= carry4 << 21; 4051 carry5 = s5 >> 21; 4052 s6 += carry5; 4053 s5 -= carry5 << 21; 4054 carry6 = s6 >> 21; 4055 s7 += carry6; 4056 s6 -= carry6 << 21; 4057 carry7 = s7 >> 21; 4058 s8 += carry7; 4059 s7 -= carry7 << 21; 4060 carry8 = s8 >> 21; 4061 s9 += carry8; 4062 s8 -= carry8 << 21; 4063 carry9 = s9 >> 21; 4064 s10 += carry9; 4065 s9 -= carry9 << 21; 4066 carry10 = s10 >> 21; 4067 s11 += carry10; 4068 s10 -= carry10 << 21; 4069 carry11 = s11 >> 21; 4070 s12 += carry11; 4071 s11 -= carry11 << 21; 4072 4073 s0 += s12 * 666643; 4074 s1 += s12 * 470296; 4075 s2 += s12 * 654183; 4076 s3 -= s12 * 997805; 4077 s4 += s12 * 136657; 4078 s5 -= s12 * 683901; 4079 s12 = 0; 4080 4081 carry0 = s0 >> 21; 4082 s1 += carry0; 4083 s0 -= carry0 << 21; 4084 carry1 = s1 >> 21; 4085 s2 += carry1; 4086 s1 -= carry1 << 21; 4087 carry2 = s2 >> 21; 4088 s3 += carry2; 4089 s2 -= carry2 << 21; 4090 carry3 = s3 >> 21; 4091 s4 += carry3; 4092 s3 -= carry3 << 21; 4093 carry4 = s4 >> 21; 4094 s5 += carry4; 4095 s4 -= carry4 << 21; 4096 carry5 = s5 >> 21; 4097 s6 += carry5; 4098 s5 -= carry5 << 21; 4099 carry6 = s6 >> 21; 4100 s7 += carry6; 4101 s6 -= carry6 << 21; 4102 carry7 = s7 >> 21; 4103 s8 += carry7; 4104 s7 -= carry7 << 21; 4105 carry8 = s8 >> 21; 4106 s9 += carry8; 4107 s8 -= carry8 << 21; 4108 carry9 = s9 >> 21; 4109 s10 += carry9; 4110 s9 -= carry9 << 21; 4111 carry10 = s10 >> 21; 4112 s11 += carry10; 4113 s10 -= carry10 << 21; 4114 4115 s[0] = s0 >> 0; 4116 s[1] = s0 >> 8; 4117 s[2] = (s0 >> 16) | (s1 << 5); 4118 s[3] = s1 >> 3; 4119 s[4] = s1 >> 11; 4120 s[5] = (s1 >> 19) | (s2 << 2); 4121 s[6] = s2 >> 6; 4122 s[7] = (s2 >> 14) | (s3 << 7); 4123 s[8] = s3 >> 1; 4124 s[9] = s3 >> 9; 4125 s[10] = (s3 >> 17) | (s4 << 4); 4126 s[11] = s4 >> 4; 4127 s[12] = s4 >> 12; 4128 s[13] = (s4 >> 20) | (s5 << 1); 4129 s[14] = s5 >> 7; 4130 s[15] = (s5 >> 15) | (s6 << 6); 4131 s[16] = s6 >> 2; 4132 s[17] = s6 >> 10; 4133 s[18] = (s6 >> 18) | (s7 << 3); 4134 s[19] = s7 >> 5; 4135 s[20] = s7 >> 13; 4136 s[21] = s8 >> 0; 4137 s[22] = s8 >> 8; 4138 s[23] = (s8 >> 16) | (s9 << 5); 4139 s[24] = s9 >> 3; 4140 s[25] = s9 >> 11; 4141 s[26] = (s9 >> 19) | (s10 << 2); 4142 s[27] = s10 >> 6; 4143 s[28] = (s10 >> 14) | (s11 << 7); 4144 s[29] = s11 >> 1; 4145 s[30] = s11 >> 9; 4146 s[31] = s11 >> 17; 4147 } 4148 4149 #ifdef ED25519 4150 /* Input: 4151 * a[0]+256*a[1]+...+256^31*a[31] = a 4152 * b[0]+256*b[1]+...+256^31*b[31] = b 4153 * c[0]+256*c[1]+...+256^31*c[31] = c 4154 * 4155 * Output: 4156 * s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l 4157 * where l = 2^252 + 27742317777372353535851937790883648493. */ 4158 static void 4159 sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, 4160 const uint8_t *c) 4161 { 4162 int64_t a0 = 2097151 & load_3(a); 4163 int64_t a1 = 2097151 & (load_4(a + 2) >> 5); 4164 int64_t a2 = 2097151 & (load_3(a + 5) >> 2); 4165 int64_t a3 = 2097151 & (load_4(a + 7) >> 7); 4166 int64_t a4 = 2097151 & (load_4(a + 10) >> 4); 4167 int64_t a5 = 2097151 & (load_3(a + 13) >> 1); 4168 int64_t a6 = 2097151 & (load_4(a + 15) >> 6); 4169 int64_t a7 = 2097151 & (load_3(a + 18) >> 3); 4170 int64_t a8 = 2097151 & load_3(a + 21); 4171 int64_t a9 = 2097151 & (load_4(a + 23) >> 5); 4172 int64_t a10 = 2097151 & (load_3(a + 26) >> 2); 4173 int64_t a11 = (load_4(a + 28) >> 7); 4174 int64_t b0 = 2097151 & load_3(b); 4175 int64_t b1 = 2097151 & (load_4(b + 2) >> 5); 4176 int64_t b2 = 2097151 & (load_3(b + 5) >> 2); 4177 int64_t b3 = 2097151 & (load_4(b + 7) >> 7); 4178 int64_t b4 = 2097151 & (load_4(b + 10) >> 4); 4179 int64_t b5 = 2097151 & (load_3(b + 13) >> 1); 4180 int64_t b6 = 2097151 & (load_4(b + 15) >> 6); 4181 int64_t b7 = 2097151 & (load_3(b + 18) >> 3); 4182 int64_t b8 = 2097151 & load_3(b + 21); 4183 int64_t b9 = 2097151 & (load_4(b + 23) >> 5); 4184 int64_t b10 = 2097151 & (load_3(b + 26) >> 2); 4185 int64_t b11 = (load_4(b + 28) >> 7); 4186 int64_t c0 = 2097151 & load_3(c); 4187 int64_t c1 = 2097151 & (load_4(c + 2) >> 5); 4188 int64_t c2 = 2097151 & (load_3(c + 5) >> 2); 4189 int64_t c3 = 2097151 & (load_4(c + 7) >> 7); 4190 int64_t c4 = 2097151 & (load_4(c + 10) >> 4); 4191 int64_t c5 = 2097151 & (load_3(c + 13) >> 1); 4192 int64_t c6 = 2097151 & (load_4(c + 15) >> 6); 4193 int64_t c7 = 2097151 & (load_3(c + 18) >> 3); 4194 int64_t c8 = 2097151 & load_3(c + 21); 4195 int64_t c9 = 2097151 & (load_4(c + 23) >> 5); 4196 int64_t c10 = 2097151 & (load_3(c + 26) >> 2); 4197 int64_t c11 = (load_4(c + 28) >> 7); 4198 int64_t s0; 4199 int64_t s1; 4200 int64_t s2; 4201 int64_t s3; 4202 int64_t s4; 4203 int64_t s5; 4204 int64_t s6; 4205 int64_t s7; 4206 int64_t s8; 4207 int64_t s9; 4208 int64_t s10; 4209 int64_t s11; 4210 int64_t s12; 4211 int64_t s13; 4212 int64_t s14; 4213 int64_t s15; 4214 int64_t s16; 4215 int64_t s17; 4216 int64_t s18; 4217 int64_t s19; 4218 int64_t s20; 4219 int64_t s21; 4220 int64_t s22; 4221 int64_t s23; 4222 int64_t carry0; 4223 int64_t carry1; 4224 int64_t carry2; 4225 int64_t carry3; 4226 int64_t carry4; 4227 int64_t carry5; 4228 int64_t carry6; 4229 int64_t carry7; 4230 int64_t carry8; 4231 int64_t carry9; 4232 int64_t carry10; 4233 int64_t carry11; 4234 int64_t carry12; 4235 int64_t carry13; 4236 int64_t carry14; 4237 int64_t carry15; 4238 int64_t carry16; 4239 int64_t carry17; 4240 int64_t carry18; 4241 int64_t carry19; 4242 int64_t carry20; 4243 int64_t carry21; 4244 int64_t carry22; 4245 4246 s0 = c0 + a0 * b0; 4247 s1 = c1 + a0 * b1 + a1 * b0; 4248 s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0; 4249 s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0; 4250 s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0; 4251 s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0; 4252 s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0; 4253 s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + 4254 a6 * b1 + a7 * b0; 4255 s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + 4256 a6 * b2 + a7 * b1 + a8 * b0; 4257 s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + 4258 a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0; 4259 s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + 4260 a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0; 4261 s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + 4262 a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0; 4263 s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + 4264 a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1; 4265 s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + 4266 a9 * b4 + a10 * b3 + a11 * b2; 4267 s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + 4268 a10 * b4 + a11 * b3; 4269 s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + 4270 a11 * b4; 4271 s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5; 4272 s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6; 4273 s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7; 4274 s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8; 4275 s20 = a9 * b11 + a10 * b10 + a11 * b9; 4276 s21 = a10 * b11 + a11 * b10; 4277 s22 = a11 * b11; 4278 s23 = 0; 4279 4280 carry0 = (s0 + (1 << 20)) >> 21; 4281 s1 += carry0; 4282 s0 -= carry0 << 21; 4283 carry2 = (s2 + (1 << 20)) >> 21; 4284 s3 += carry2; 4285 s2 -= carry2 << 21; 4286 carry4 = (s4 + (1 << 20)) >> 21; 4287 s5 += carry4; 4288 s4 -= carry4 << 21; 4289 carry6 = (s6 + (1 << 20)) >> 21; 4290 s7 += carry6; 4291 s6 -= carry6 << 21; 4292 carry8 = (s8 + (1 << 20)) >> 21; 4293 s9 += carry8; 4294 s8 -= carry8 << 21; 4295 carry10 = (s10 + (1 << 20)) >> 21; 4296 s11 += carry10; 4297 s10 -= carry10 << 21; 4298 carry12 = (s12 + (1 << 20)) >> 21; 4299 s13 += carry12; 4300 s12 -= carry12 << 21; 4301 carry14 = (s14 + (1 << 20)) >> 21; 4302 s15 += carry14; 4303 s14 -= carry14 << 21; 4304 carry16 = (s16 + (1 << 20)) >> 21; 4305 s17 += carry16; 4306 s16 -= carry16 << 21; 4307 carry18 = (s18 + (1 << 20)) >> 21; 4308 s19 += carry18; 4309 s18 -= carry18 << 21; 4310 carry20 = (s20 + (1 << 20)) >> 21; 4311 s21 += carry20; 4312 s20 -= carry20 << 21; 4313 carry22 = (s22 + (1 << 20)) >> 21; 4314 s23 += carry22; 4315 s22 -= carry22 << 21; 4316 4317 carry1 = (s1 + (1 << 20)) >> 21; 4318 s2 += carry1; 4319 s1 -= carry1 << 21; 4320 carry3 = (s3 + (1 << 20)) >> 21; 4321 s4 += carry3; 4322 s3 -= carry3 << 21; 4323 carry5 = (s5 + (1 << 20)) >> 21; 4324 s6 += carry5; 4325 s5 -= carry5 << 21; 4326 carry7 = (s7 + (1 << 20)) >> 21; 4327 s8 += carry7; 4328 s7 -= carry7 << 21; 4329 carry9 = (s9 + (1 << 20)) >> 21; 4330 s10 += carry9; 4331 s9 -= carry9 << 21; 4332 carry11 = (s11 + (1 << 20)) >> 21; 4333 s12 += carry11; 4334 s11 -= carry11 << 21; 4335 carry13 = (s13 + (1 << 20)) >> 21; 4336 s14 += carry13; 4337 s13 -= carry13 << 21; 4338 carry15 = (s15 + (1 << 20)) >> 21; 4339 s16 += carry15; 4340 s15 -= carry15 << 21; 4341 carry17 = (s17 + (1 << 20)) >> 21; 4342 s18 += carry17; 4343 s17 -= carry17 << 21; 4344 carry19 = (s19 + (1 << 20)) >> 21; 4345 s20 += carry19; 4346 s19 -= carry19 << 21; 4347 carry21 = (s21 + (1 << 20)) >> 21; 4348 s22 += carry21; 4349 s21 -= carry21 << 21; 4350 4351 s11 += s23 * 666643; 4352 s12 += s23 * 470296; 4353 s13 += s23 * 654183; 4354 s14 -= s23 * 997805; 4355 s15 += s23 * 136657; 4356 s16 -= s23 * 683901; 4357 s23 = 0; 4358 4359 s10 += s22 * 666643; 4360 s11 += s22 * 470296; 4361 s12 += s22 * 654183; 4362 s13 -= s22 * 997805; 4363 s14 += s22 * 136657; 4364 s15 -= s22 * 683901; 4365 s22 = 0; 4366 4367 s9 += s21 * 666643; 4368 s10 += s21 * 470296; 4369 s11 += s21 * 654183; 4370 s12 -= s21 * 997805; 4371 s13 += s21 * 136657; 4372 s14 -= s21 * 683901; 4373 s21 = 0; 4374 4375 s8 += s20 * 666643; 4376 s9 += s20 * 470296; 4377 s10 += s20 * 654183; 4378 s11 -= s20 * 997805; 4379 s12 += s20 * 136657; 4380 s13 -= s20 * 683901; 4381 s20 = 0; 4382 4383 s7 += s19 * 666643; 4384 s8 += s19 * 470296; 4385 s9 += s19 * 654183; 4386 s10 -= s19 * 997805; 4387 s11 += s19 * 136657; 4388 s12 -= s19 * 683901; 4389 s19 = 0; 4390 4391 s6 += s18 * 666643; 4392 s7 += s18 * 470296; 4393 s8 += s18 * 654183; 4394 s9 -= s18 * 997805; 4395 s10 += s18 * 136657; 4396 s11 -= s18 * 683901; 4397 s18 = 0; 4398 4399 carry6 = (s6 + (1 << 20)) >> 21; 4400 s7 += carry6; 4401 s6 -= carry6 << 21; 4402 carry8 = (s8 + (1 << 20)) >> 21; 4403 s9 += carry8; 4404 s8 -= carry8 << 21; 4405 carry10 = (s10 + (1 << 20)) >> 21; 4406 s11 += carry10; 4407 s10 -= carry10 << 21; 4408 carry12 = (s12 + (1 << 20)) >> 21; 4409 s13 += carry12; 4410 s12 -= carry12 << 21; 4411 carry14 = (s14 + (1 << 20)) >> 21; 4412 s15 += carry14; 4413 s14 -= carry14 << 21; 4414 carry16 = (s16 + (1 << 20)) >> 21; 4415 s17 += carry16; 4416 s16 -= carry16 << 21; 4417 4418 carry7 = (s7 + (1 << 20)) >> 21; 4419 s8 += carry7; 4420 s7 -= carry7 << 21; 4421 carry9 = (s9 + (1 << 20)) >> 21; 4422 s10 += carry9; 4423 s9 -= carry9 << 21; 4424 carry11 = (s11 + (1 << 20)) >> 21; 4425 s12 += carry11; 4426 s11 -= carry11 << 21; 4427 carry13 = (s13 + (1 << 20)) >> 21; 4428 s14 += carry13; 4429 s13 -= carry13 << 21; 4430 carry15 = (s15 + (1 << 20)) >> 21; 4431 s16 += carry15; 4432 s15 -= carry15 << 21; 4433 4434 s5 += s17 * 666643; 4435 s6 += s17 * 470296; 4436 s7 += s17 * 654183; 4437 s8 -= s17 * 997805; 4438 s9 += s17 * 136657; 4439 s10 -= s17 * 683901; 4440 s17 = 0; 4441 4442 s4 += s16 * 666643; 4443 s5 += s16 * 470296; 4444 s6 += s16 * 654183; 4445 s7 -= s16 * 997805; 4446 s8 += s16 * 136657; 4447 s9 -= s16 * 683901; 4448 s16 = 0; 4449 4450 s3 += s15 * 666643; 4451 s4 += s15 * 470296; 4452 s5 += s15 * 654183; 4453 s6 -= s15 * 997805; 4454 s7 += s15 * 136657; 4455 s8 -= s15 * 683901; 4456 s15 = 0; 4457 4458 s2 += s14 * 666643; 4459 s3 += s14 * 470296; 4460 s4 += s14 * 654183; 4461 s5 -= s14 * 997805; 4462 s6 += s14 * 136657; 4463 s7 -= s14 * 683901; 4464 s14 = 0; 4465 4466 s1 += s13 * 666643; 4467 s2 += s13 * 470296; 4468 s3 += s13 * 654183; 4469 s4 -= s13 * 997805; 4470 s5 += s13 * 136657; 4471 s6 -= s13 * 683901; 4472 s13 = 0; 4473 4474 s0 += s12 * 666643; 4475 s1 += s12 * 470296; 4476 s2 += s12 * 654183; 4477 s3 -= s12 * 997805; 4478 s4 += s12 * 136657; 4479 s5 -= s12 * 683901; 4480 s12 = 0; 4481 4482 carry0 = (s0 + (1 << 20)) >> 21; 4483 s1 += carry0; 4484 s0 -= carry0 << 21; 4485 carry2 = (s2 + (1 << 20)) >> 21; 4486 s3 += carry2; 4487 s2 -= carry2 << 21; 4488 carry4 = (s4 + (1 << 20)) >> 21; 4489 s5 += carry4; 4490 s4 -= carry4 << 21; 4491 carry6 = (s6 + (1 << 20)) >> 21; 4492 s7 += carry6; 4493 s6 -= carry6 << 21; 4494 carry8 = (s8 + (1 << 20)) >> 21; 4495 s9 += carry8; 4496 s8 -= carry8 << 21; 4497 carry10 = (s10 + (1 << 20)) >> 21; 4498 s11 += carry10; 4499 s10 -= carry10 << 21; 4500 4501 carry1 = (s1 + (1 << 20)) >> 21; 4502 s2 += carry1; 4503 s1 -= carry1 << 21; 4504 carry3 = (s3 + (1 << 20)) >> 21; 4505 s4 += carry3; 4506 s3 -= carry3 << 21; 4507 carry5 = (s5 + (1 << 20)) >> 21; 4508 s6 += carry5; 4509 s5 -= carry5 << 21; 4510 carry7 = (s7 + (1 << 20)) >> 21; 4511 s8 += carry7; 4512 s7 -= carry7 << 21; 4513 carry9 = (s9 + (1 << 20)) >> 21; 4514 s10 += carry9; 4515 s9 -= carry9 << 21; 4516 carry11 = (s11 + (1 << 20)) >> 21; 4517 s12 += carry11; 4518 s11 -= carry11 << 21; 4519 4520 s0 += s12 * 666643; 4521 s1 += s12 * 470296; 4522 s2 += s12 * 654183; 4523 s3 -= s12 * 997805; 4524 s4 += s12 * 136657; 4525 s5 -= s12 * 683901; 4526 s12 = 0; 4527 4528 carry0 = s0 >> 21; 4529 s1 += carry0; 4530 s0 -= carry0 << 21; 4531 carry1 = s1 >> 21; 4532 s2 += carry1; 4533 s1 -= carry1 << 21; 4534 carry2 = s2 >> 21; 4535 s3 += carry2; 4536 s2 -= carry2 << 21; 4537 carry3 = s3 >> 21; 4538 s4 += carry3; 4539 s3 -= carry3 << 21; 4540 carry4 = s4 >> 21; 4541 s5 += carry4; 4542 s4 -= carry4 << 21; 4543 carry5 = s5 >> 21; 4544 s6 += carry5; 4545 s5 -= carry5 << 21; 4546 carry6 = s6 >> 21; 4547 s7 += carry6; 4548 s6 -= carry6 << 21; 4549 carry7 = s7 >> 21; 4550 s8 += carry7; 4551 s7 -= carry7 << 21; 4552 carry8 = s8 >> 21; 4553 s9 += carry8; 4554 s8 -= carry8 << 21; 4555 carry9 = s9 >> 21; 4556 s10 += carry9; 4557 s9 -= carry9 << 21; 4558 carry10 = s10 >> 21; 4559 s11 += carry10; 4560 s10 -= carry10 << 21; 4561 carry11 = s11 >> 21; 4562 s12 += carry11; 4563 s11 -= carry11 << 21; 4564 4565 s0 += s12 * 666643; 4566 s1 += s12 * 470296; 4567 s2 += s12 * 654183; 4568 s3 -= s12 * 997805; 4569 s4 += s12 * 136657; 4570 s5 -= s12 * 683901; 4571 s12 = 0; 4572 4573 carry0 = s0 >> 21; 4574 s1 += carry0; 4575 s0 -= carry0 << 21; 4576 carry1 = s1 >> 21; 4577 s2 += carry1; 4578 s1 -= carry1 << 21; 4579 carry2 = s2 >> 21; 4580 s3 += carry2; 4581 s2 -= carry2 << 21; 4582 carry3 = s3 >> 21; 4583 s4 += carry3; 4584 s3 -= carry3 << 21; 4585 carry4 = s4 >> 21; 4586 s5 += carry4; 4587 s4 -= carry4 << 21; 4588 carry5 = s5 >> 21; 4589 s6 += carry5; 4590 s5 -= carry5 << 21; 4591 carry6 = s6 >> 21; 4592 s7 += carry6; 4593 s6 -= carry6 << 21; 4594 carry7 = s7 >> 21; 4595 s8 += carry7; 4596 s7 -= carry7 << 21; 4597 carry8 = s8 >> 21; 4598 s9 += carry8; 4599 s8 -= carry8 << 21; 4600 carry9 = s9 >> 21; 4601 s10 += carry9; 4602 s9 -= carry9 << 21; 4603 carry10 = s10 >> 21; 4604 s11 += carry10; 4605 s10 -= carry10 << 21; 4606 4607 s[0] = s0 >> 0; 4608 s[1] = s0 >> 8; 4609 s[2] = (s0 >> 16) | (s1 << 5); 4610 s[3] = s1 >> 3; 4611 s[4] = s1 >> 11; 4612 s[5] = (s1 >> 19) | (s2 << 2); 4613 s[6] = s2 >> 6; 4614 s[7] = (s2 >> 14) | (s3 << 7); 4615 s[8] = s3 >> 1; 4616 s[9] = s3 >> 9; 4617 s[10] = (s3 >> 17) | (s4 << 4); 4618 s[11] = s4 >> 4; 4619 s[12] = s4 >> 12; 4620 s[13] = (s4 >> 20) | (s5 << 1); 4621 s[14] = s5 >> 7; 4622 s[15] = (s5 >> 15) | (s6 << 6); 4623 s[16] = s6 >> 2; 4624 s[17] = s6 >> 10; 4625 s[18] = (s6 >> 18) | (s7 << 3); 4626 s[19] = s7 >> 5; 4627 s[20] = s7 >> 13; 4628 s[21] = s8 >> 0; 4629 s[22] = s8 >> 8; 4630 s[23] = (s8 >> 16) | (s9 << 5); 4631 s[24] = s9 >> 3; 4632 s[25] = s9 >> 11; 4633 s[26] = (s9 >> 19) | (s10 << 2); 4634 s[27] = s10 >> 6; 4635 s[28] = (s10 >> 14) | (s11 << 7); 4636 s[29] = s11 >> 1; 4637 s[30] = s11 >> 9; 4638 s[31] = s11 >> 17; 4639 } 4640 #endif 4641 4642 #ifdef ED25519 4643 void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) { 4644 uint8_t seed[32]; 4645 arc4random_buf(seed, 32); 4646 4647 uint8_t az[SHA512_DIGEST_LENGTH]; 4648 SHA512(seed, 32, az); 4649 4650 az[0] &= 248; 4651 az[31] &= 63; 4652 az[31] |= 64; 4653 4654 ge_p3 A; 4655 x25519_ge_scalarmult_base(&A, az); 4656 ge_p3_tobytes(out_public_key, &A); 4657 4658 memcpy(out_private_key, seed, 32); 4659 memmove(out_private_key + 32, out_public_key, 32); 4660 } 4661 4662 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, 4663 const uint8_t private_key[64]) { 4664 uint8_t az[SHA512_DIGEST_LENGTH]; 4665 SHA512(private_key, 32, az); 4666 4667 az[0] &= 248; 4668 az[31] &= 63; 4669 az[31] |= 64; 4670 4671 SHA512_CTX hash_ctx; 4672 SHA512_Init(&hash_ctx); 4673 SHA512_Update(&hash_ctx, az + 32, 32); 4674 SHA512_Update(&hash_ctx, message, message_len); 4675 uint8_t nonce[SHA512_DIGEST_LENGTH]; 4676 SHA512_Final(nonce, &hash_ctx); 4677 4678 x25519_sc_reduce(nonce); 4679 ge_p3 R; 4680 x25519_ge_scalarmult_base(&R, nonce); 4681 ge_p3_tobytes(out_sig, &R); 4682 4683 SHA512_Init(&hash_ctx); 4684 SHA512_Update(&hash_ctx, out_sig, 32); 4685 SHA512_Update(&hash_ctx, private_key + 32, 32); 4686 SHA512_Update(&hash_ctx, message, message_len); 4687 uint8_t hram[SHA512_DIGEST_LENGTH]; 4688 SHA512_Final(hram, &hash_ctx); 4689 4690 x25519_sc_reduce(hram); 4691 sc_muladd(out_sig + 32, hram, az, nonce); 4692 4693 return 1; 4694 } 4695 4696 int ED25519_verify(const uint8_t *message, size_t message_len, 4697 const uint8_t signature[64], const uint8_t public_key[32]) { 4698 ge_p3 A; 4699 if ((signature[63] & 224) != 0 || 4700 x25519_ge_frombytes_vartime(&A, public_key) != 0) { 4701 return 0; 4702 } 4703 4704 fe_neg(A.X, A.X); 4705 fe_neg(A.T, A.T); 4706 4707 uint8_t pkcopy[32]; 4708 memcpy(pkcopy, public_key, 32); 4709 uint8_t rcopy[32]; 4710 memcpy(rcopy, signature, 32); 4711 uint8_t scopy[32]; 4712 memcpy(scopy, signature + 32, 32); 4713 4714 SHA512_CTX hash_ctx; 4715 SHA512_Init(&hash_ctx); 4716 SHA512_Update(&hash_ctx, signature, 32); 4717 SHA512_Update(&hash_ctx, public_key, 32); 4718 SHA512_Update(&hash_ctx, message, message_len); 4719 uint8_t h[SHA512_DIGEST_LENGTH]; 4720 SHA512_Final(h, &hash_ctx); 4721 4722 x25519_sc_reduce(h); 4723 4724 ge_p2 R; 4725 ge_double_scalarmult_vartime(&R, h, &A, scopy); 4726 4727 uint8_t rcheck[32]; 4728 x25519_ge_tobytes(rcheck, &R); 4729 4730 return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0; 4731 } 4732 #endif 4733 4734 /* Replace (f,g) with (g,f) if b == 1; 4735 * replace (f,g) with (f,g) if b == 0. 4736 * 4737 * Preconditions: b in {0,1}. */ 4738 static void fe_cswap(fe f, fe g, unsigned int b) { 4739 b = 0-b; 4740 unsigned i; 4741 for (i = 0; i < 10; i++) { 4742 int32_t x = f[i] ^ g[i]; 4743 x &= b; 4744 f[i] ^= x; 4745 g[i] ^= x; 4746 } 4747 } 4748 4749 /* h = f * 121666 4750 * Can overlap h with f. 4751 * 4752 * Preconditions: 4753 * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 4754 * 4755 * Postconditions: 4756 * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */ 4757 static void fe_mul121666(fe h, fe f) { 4758 int32_t f0 = f[0]; 4759 int32_t f1 = f[1]; 4760 int32_t f2 = f[2]; 4761 int32_t f3 = f[3]; 4762 int32_t f4 = f[4]; 4763 int32_t f5 = f[5]; 4764 int32_t f6 = f[6]; 4765 int32_t f7 = f[7]; 4766 int32_t f8 = f[8]; 4767 int32_t f9 = f[9]; 4768 int64_t h0 = f0 * (int64_t) 121666; 4769 int64_t h1 = f1 * (int64_t) 121666; 4770 int64_t h2 = f2 * (int64_t) 121666; 4771 int64_t h3 = f3 * (int64_t) 121666; 4772 int64_t h4 = f4 * (int64_t) 121666; 4773 int64_t h5 = f5 * (int64_t) 121666; 4774 int64_t h6 = f6 * (int64_t) 121666; 4775 int64_t h7 = f7 * (int64_t) 121666; 4776 int64_t h8 = f8 * (int64_t) 121666; 4777 int64_t h9 = f9 * (int64_t) 121666; 4778 int64_t carry0; 4779 int64_t carry1; 4780 int64_t carry2; 4781 int64_t carry3; 4782 int64_t carry4; 4783 int64_t carry5; 4784 int64_t carry6; 4785 int64_t carry7; 4786 int64_t carry8; 4787 int64_t carry9; 4788 4789 carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits; 4790 carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits; 4791 carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits; 4792 carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits; 4793 carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits; 4794 4795 carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits; 4796 carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits; 4797 carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits; 4798 carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits; 4799 carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits; 4800 4801 h[0] = h0; 4802 h[1] = h1; 4803 h[2] = h2; 4804 h[3] = h3; 4805 h[4] = h4; 4806 h[5] = h5; 4807 h[6] = h6; 4808 h[7] = h7; 4809 h[8] = h8; 4810 h[9] = h9; 4811 } 4812 4813 void 4814 x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32], 4815 const uint8_t point[32]) { 4816 fe x1, x2, z2, x3, z3, tmp0, tmp1; 4817 4818 uint8_t e[32]; 4819 memcpy(e, scalar, 32); 4820 e[0] &= 248; 4821 e[31] &= 127; 4822 e[31] |= 64; 4823 fe_frombytes(x1, point); 4824 fe_1(x2); 4825 fe_0(z2); 4826 fe_copy(x3, x1); 4827 fe_1(z3); 4828 4829 unsigned swap = 0; 4830 int pos; 4831 for (pos = 254; pos >= 0; --pos) { 4832 unsigned b = 1 & (e[pos / 8] >> (pos & 7)); 4833 swap ^= b; 4834 fe_cswap(x2, x3, swap); 4835 fe_cswap(z2, z3, swap); 4836 swap = b; 4837 fe_sub(tmp0, x3, z3); 4838 fe_sub(tmp1, x2, z2); 4839 fe_add(x2, x2, z2); 4840 fe_add(z2, x3, z3); 4841 fe_mul(z3, tmp0, x2); 4842 fe_mul(z2, z2, tmp1); 4843 fe_sq(tmp0, tmp1); 4844 fe_sq(tmp1, x2); 4845 fe_add(x3, z3, z2); 4846 fe_sub(z2, z3, z2); 4847 fe_mul(x2, tmp1, tmp0); 4848 fe_sub(tmp1, tmp1, tmp0); 4849 fe_sq(z2, z2); 4850 fe_mul121666(z3, tmp1); 4851 fe_sq(x3, x3); 4852 fe_add(tmp0, tmp0, z3); 4853 fe_mul(z3, x1, z2); 4854 fe_mul(z2, tmp1, tmp0); 4855 } 4856 fe_cswap(x2, x3, swap); 4857 fe_cswap(z2, z3, swap); 4858 4859 fe_invert(z2, z2); 4860 fe_mul(x2, x2, z2); 4861 fe_tobytes(out, x2); 4862 } 4863 4864 void 4865 x25519_public_from_private_generic(uint8_t out_public_value[32], 4866 const uint8_t private_key[32]) 4867 { 4868 uint8_t e[32]; 4869 4870 memcpy(e, private_key, 32); 4871 e[0] &= 248; 4872 e[31] &= 127; 4873 e[31] |= 64; 4874 4875 ge_p3 A; 4876 x25519_ge_scalarmult_base(&A, e); 4877 4878 /* We only need the u-coordinate of the curve25519 point. The map is 4879 * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */ 4880 fe zplusy, zminusy, zminusy_inv; 4881 fe_add(zplusy, A.Z, A.Y); 4882 fe_sub(zminusy, A.Z, A.Y); 4883 fe_invert(zminusy_inv, zminusy); 4884 fe_mul(zplusy, zplusy, zminusy_inv); 4885 fe_tobytes(out_public_value, zplusy); 4886 } 4887 4888 void 4889 x25519_public_from_private(uint8_t out_public_value[32], 4890 const uint8_t private_key[32]) 4891 { 4892 static const uint8_t kMongomeryBasePoint[32] = {9}; 4893 4894 x25519_scalar_mult(out_public_value, private_key, kMongomeryBasePoint); 4895 } 4896 4897 void 4898 X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) 4899 { 4900 /* All X25519 implementations should decode scalars correctly (see 4901 * https://tools.ietf.org/html/rfc7748#section-5). However, if an 4902 * implementation doesn't then it might interoperate with random keys a 4903 * fraction of the time because they'll, randomly, happen to be correctly 4904 * formed. 4905 * 4906 * Thus we do the opposite of the masking here to make sure that our private 4907 * keys are never correctly masked and so, hopefully, any incorrect 4908 * implementations are deterministically broken. 4909 * 4910 * This does not affect security because, although we're throwing away 4911 * entropy, a valid implementation of scalarmult should throw away the exact 4912 * same bits anyway. */ 4913 arc4random_buf(out_private_key, 32); 4914 4915 out_private_key[0] |= 7; 4916 out_private_key[31] &= 63; 4917 out_private_key[31] |= 128; 4918 4919 x25519_public_from_private(out_public_value, out_private_key); 4920 } 4921 4922 int 4923 X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], 4924 const uint8_t peer_public_value[32]) 4925 { 4926 static const uint8_t kZeros[32] = {0}; 4927 4928 x25519_scalar_mult(out_shared_key, private_key, peer_public_value); 4929 4930 /* The all-zero output results when the input is a point of small order. */ 4931 return timingsafe_memcmp(kZeros, out_shared_key, 32) != 0; 4932 } 4933