• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (c) 2015, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 /* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
16  * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
17  * public domain but this file has the ISC license just to keep licencing
18  * simple.
19  *
20  * The field functions are shared by Ed25519 and X25519 where possible. */
21 
22 #include <openssl/curve25519.h>
23 
24 #include <string.h>
25 
26 #include <openssl/cpu.h>
27 #include <openssl/mem.h>
28 #include <openssl/rand.h>
29 #include <openssl/sha.h>
30 
31 #include "internal.h"
32 #include "../internal.h"
33 
34 
35 static const int64_t kBottom25Bits = INT64_C(0x1ffffff);
36 static const int64_t kBottom26Bits = INT64_C(0x3ffffff);
37 static const int64_t kTop39Bits = INT64_C(0xfffffffffe000000);
38 static const int64_t kTop38Bits = INT64_C(0xfffffffffc000000);
39 
load_3(const uint8_t * in)40 static uint64_t load_3(const uint8_t *in) {
41   uint64_t result;
42   result = (uint64_t)in[0];
43   result |= ((uint64_t)in[1]) << 8;
44   result |= ((uint64_t)in[2]) << 16;
45   return result;
46 }
47 
load_4(const uint8_t * in)48 static uint64_t load_4(const uint8_t *in) {
49   uint64_t result;
50   result = (uint64_t)in[0];
51   result |= ((uint64_t)in[1]) << 8;
52   result |= ((uint64_t)in[2]) << 16;
53   result |= ((uint64_t)in[3]) << 24;
54   return result;
55 }
56 
fe_frombytes(fe h,const uint8_t * s)57 static void fe_frombytes(fe h, const uint8_t *s) {
58   /* Ignores top bit of h. */
59   int64_t h0 = load_4(s);
60   int64_t h1 = load_3(s + 4) << 6;
61   int64_t h2 = load_3(s + 7) << 5;
62   int64_t h3 = load_3(s + 10) << 3;
63   int64_t h4 = load_3(s + 13) << 2;
64   int64_t h5 = load_4(s + 16);
65   int64_t h6 = load_3(s + 20) << 7;
66   int64_t h7 = load_3(s + 23) << 5;
67   int64_t h8 = load_3(s + 26) << 4;
68   int64_t h9 = (load_3(s + 29) & 8388607) << 2;
69   int64_t carry0;
70   int64_t carry1;
71   int64_t carry2;
72   int64_t carry3;
73   int64_t carry4;
74   int64_t carry5;
75   int64_t carry6;
76   int64_t carry7;
77   int64_t carry8;
78   int64_t carry9;
79 
80   carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
81   carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
82   carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
83   carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
84   carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
85 
86   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
87   carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
88   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
89   carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
90   carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
91 
92   h[0] = h0;
93   h[1] = h1;
94   h[2] = h2;
95   h[3] = h3;
96   h[4] = h4;
97   h[5] = h5;
98   h[6] = h6;
99   h[7] = h7;
100   h[8] = h8;
101   h[9] = h9;
102 }
103 
104 /* Preconditions:
105  *  |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
106  *
107  * Write p=2^255-19; q=floor(h/p).
108  * Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
109  *
110  * Proof:
111  *   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
112  *   Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
113  *
114  *   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
115  *   Then 0<y<1.
116  *
117  *   Write r=h-pq.
118  *   Have 0<=r<=p-1=2^255-20.
119  *   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
120  *
121  *   Write x=r+19(2^-255)r+y.
122  *   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
123  *
124  *   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
125  *   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. */
fe_tobytes(uint8_t * s,const fe h)126 static void fe_tobytes(uint8_t *s, const fe h) {
127   int32_t h0 = h[0];
128   int32_t h1 = h[1];
129   int32_t h2 = h[2];
130   int32_t h3 = h[3];
131   int32_t h4 = h[4];
132   int32_t h5 = h[5];
133   int32_t h6 = h[6];
134   int32_t h7 = h[7];
135   int32_t h8 = h[8];
136   int32_t h9 = h[9];
137   int32_t q;
138 
139   q = (19 * h9 + (((int32_t) 1) << 24)) >> 25;
140   q = (h0 + q) >> 26;
141   q = (h1 + q) >> 25;
142   q = (h2 + q) >> 26;
143   q = (h3 + q) >> 25;
144   q = (h4 + q) >> 26;
145   q = (h5 + q) >> 25;
146   q = (h6 + q) >> 26;
147   q = (h7 + q) >> 25;
148   q = (h8 + q) >> 26;
149   q = (h9 + q) >> 25;
150 
151   /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
152   h0 += 19 * q;
153   /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
154 
155   h1 += h0 >> 26; h0 &= kBottom26Bits;
156   h2 += h1 >> 25; h1 &= kBottom25Bits;
157   h3 += h2 >> 26; h2 &= kBottom26Bits;
158   h4 += h3 >> 25; h3 &= kBottom25Bits;
159   h5 += h4 >> 26; h4 &= kBottom26Bits;
160   h6 += h5 >> 25; h5 &= kBottom25Bits;
161   h7 += h6 >> 26; h6 &= kBottom26Bits;
162   h8 += h7 >> 25; h7 &= kBottom25Bits;
163   h9 += h8 >> 26; h8 &= kBottom26Bits;
164                   h9 &= kBottom25Bits;
165                   /* h10 = carry9 */
166 
167   /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
168    * Have h0+...+2^230 h9 between 0 and 2^255-1;
169    * evidently 2^255 h10-2^255 q = 0.
170    * Goal: Output h0+...+2^230 h9.  */
171 
172   s[0] = h0 >> 0;
173   s[1] = h0 >> 8;
174   s[2] = h0 >> 16;
175   s[3] = (h0 >> 24) | ((uint32_t)(h1) << 2);
176   s[4] = h1 >> 6;
177   s[5] = h1 >> 14;
178   s[6] = (h1 >> 22) | ((uint32_t)(h2) << 3);
179   s[7] = h2 >> 5;
180   s[8] = h2 >> 13;
181   s[9] = (h2 >> 21) | ((uint32_t)(h3) << 5);
182   s[10] = h3 >> 3;
183   s[11] = h3 >> 11;
184   s[12] = (h3 >> 19) | ((uint32_t)(h4) << 6);
185   s[13] = h4 >> 2;
186   s[14] = h4 >> 10;
187   s[15] = h4 >> 18;
188   s[16] = h5 >> 0;
189   s[17] = h5 >> 8;
190   s[18] = h5 >> 16;
191   s[19] = (h5 >> 24) | ((uint32_t)(h6) << 1);
192   s[20] = h6 >> 7;
193   s[21] = h6 >> 15;
194   s[22] = (h6 >> 23) | ((uint32_t)(h7) << 3);
195   s[23] = h7 >> 5;
196   s[24] = h7 >> 13;
197   s[25] = (h7 >> 21) | ((uint32_t)(h8) << 4);
198   s[26] = h8 >> 4;
199   s[27] = h8 >> 12;
200   s[28] = (h8 >> 20) | ((uint32_t)(h9) << 6);
201   s[29] = h9 >> 2;
202   s[30] = h9 >> 10;
203   s[31] = h9 >> 18;
204 }
205 
206 /* h = f */
fe_copy(fe h,const fe f)207 static void fe_copy(fe h, const fe f) {
208   OPENSSL_memmove(h, f, sizeof(int32_t) * 10);
209 }
210 
211 /* h = 0 */
fe_0(fe h)212 static void fe_0(fe h) { OPENSSL_memset(h, 0, sizeof(int32_t) * 10); }
213 
214 /* h = 1 */
fe_1(fe h)215 static void fe_1(fe h) {
216   OPENSSL_memset(h, 0, sizeof(int32_t) * 10);
217   h[0] = 1;
218 }
219 
220 /* h = f + g
221  * Can overlap h with f or g.
222  *
223  * Preconditions:
224  *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
225  *    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
226  *
227  * Postconditions:
228  *    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
fe_add(fe h,const fe f,const fe g)229 static void fe_add(fe h, const fe f, const fe g) {
230   unsigned i;
231   for (i = 0; i < 10; i++) {
232     h[i] = f[i] + g[i];
233   }
234 }
235 
236 /* h = f - g
237  * Can overlap h with f or g.
238  *
239  * Preconditions:
240  *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
241  *    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
242  *
243  * Postconditions:
244  *    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
fe_sub(fe h,const fe f,const fe g)245 static void fe_sub(fe h, const fe f, const fe g) {
246   unsigned i;
247   for (i = 0; i < 10; i++) {
248     h[i] = f[i] - g[i];
249   }
250 }
251 
252 /* h = f * g
253  * Can overlap h with f or g.
254  *
255  * Preconditions:
256  *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
257  *    |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
258  *
259  * Postconditions:
260  *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
261  *
262  * Notes on implementation strategy:
263  *
264  * Using schoolbook multiplication.
265  * Karatsuba would save a little in some cost models.
266  *
267  * Most multiplications by 2 and 19 are 32-bit precomputations;
268  * cheaper than 64-bit postcomputations.
269  *
270  * There is one remaining multiplication by 19 in the carry chain;
271  * one *19 precomputation can be merged into this,
272  * but the resulting data flow is considerably less clean.
273  *
274  * There are 12 carries below.
275  * 10 of them are 2-way parallelizable and vectorizable.
276  * Can get away with 11 carries, but then data flow is much deeper.
277  *
278  * With tighter constraints on inputs can squeeze carries into int32. */
fe_mul(fe h,const fe f,const fe g)279 static void fe_mul(fe h, const fe f, const fe g) {
280   int32_t f0 = f[0];
281   int32_t f1 = f[1];
282   int32_t f2 = f[2];
283   int32_t f3 = f[3];
284   int32_t f4 = f[4];
285   int32_t f5 = f[5];
286   int32_t f6 = f[6];
287   int32_t f7 = f[7];
288   int32_t f8 = f[8];
289   int32_t f9 = f[9];
290   int32_t g0 = g[0];
291   int32_t g1 = g[1];
292   int32_t g2 = g[2];
293   int32_t g3 = g[3];
294   int32_t g4 = g[4];
295   int32_t g5 = g[5];
296   int32_t g6 = g[6];
297   int32_t g7 = g[7];
298   int32_t g8 = g[8];
299   int32_t g9 = g[9];
300   int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
301   int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
302   int32_t g3_19 = 19 * g3;
303   int32_t g4_19 = 19 * g4;
304   int32_t g5_19 = 19 * g5;
305   int32_t g6_19 = 19 * g6;
306   int32_t g7_19 = 19 * g7;
307   int32_t g8_19 = 19 * g8;
308   int32_t g9_19 = 19 * g9;
309   int32_t f1_2 = 2 * f1;
310   int32_t f3_2 = 2 * f3;
311   int32_t f5_2 = 2 * f5;
312   int32_t f7_2 = 2 * f7;
313   int32_t f9_2 = 2 * f9;
314   int64_t f0g0    = f0   * (int64_t) g0;
315   int64_t f0g1    = f0   * (int64_t) g1;
316   int64_t f0g2    = f0   * (int64_t) g2;
317   int64_t f0g3    = f0   * (int64_t) g3;
318   int64_t f0g4    = f0   * (int64_t) g4;
319   int64_t f0g5    = f0   * (int64_t) g5;
320   int64_t f0g6    = f0   * (int64_t) g6;
321   int64_t f0g7    = f0   * (int64_t) g7;
322   int64_t f0g8    = f0   * (int64_t) g8;
323   int64_t f0g9    = f0   * (int64_t) g9;
324   int64_t f1g0    = f1   * (int64_t) g0;
325   int64_t f1g1_2  = f1_2 * (int64_t) g1;
326   int64_t f1g2    = f1   * (int64_t) g2;
327   int64_t f1g3_2  = f1_2 * (int64_t) g3;
328   int64_t f1g4    = f1   * (int64_t) g4;
329   int64_t f1g5_2  = f1_2 * (int64_t) g5;
330   int64_t f1g6    = f1   * (int64_t) g6;
331   int64_t f1g7_2  = f1_2 * (int64_t) g7;
332   int64_t f1g8    = f1   * (int64_t) g8;
333   int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
334   int64_t f2g0    = f2   * (int64_t) g0;
335   int64_t f2g1    = f2   * (int64_t) g1;
336   int64_t f2g2    = f2   * (int64_t) g2;
337   int64_t f2g3    = f2   * (int64_t) g3;
338   int64_t f2g4    = f2   * (int64_t) g4;
339   int64_t f2g5    = f2   * (int64_t) g5;
340   int64_t f2g6    = f2   * (int64_t) g6;
341   int64_t f2g7    = f2   * (int64_t) g7;
342   int64_t f2g8_19 = f2   * (int64_t) g8_19;
343   int64_t f2g9_19 = f2   * (int64_t) g9_19;
344   int64_t f3g0    = f3   * (int64_t) g0;
345   int64_t f3g1_2  = f3_2 * (int64_t) g1;
346   int64_t f3g2    = f3   * (int64_t) g2;
347   int64_t f3g3_2  = f3_2 * (int64_t) g3;
348   int64_t f3g4    = f3   * (int64_t) g4;
349   int64_t f3g5_2  = f3_2 * (int64_t) g5;
350   int64_t f3g6    = f3   * (int64_t) g6;
351   int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
352   int64_t f3g8_19 = f3   * (int64_t) g8_19;
353   int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
354   int64_t f4g0    = f4   * (int64_t) g0;
355   int64_t f4g1    = f4   * (int64_t) g1;
356   int64_t f4g2    = f4   * (int64_t) g2;
357   int64_t f4g3    = f4   * (int64_t) g3;
358   int64_t f4g4    = f4   * (int64_t) g4;
359   int64_t f4g5    = f4   * (int64_t) g5;
360   int64_t f4g6_19 = f4   * (int64_t) g6_19;
361   int64_t f4g7_19 = f4   * (int64_t) g7_19;
362   int64_t f4g8_19 = f4   * (int64_t) g8_19;
363   int64_t f4g9_19 = f4   * (int64_t) g9_19;
364   int64_t f5g0    = f5   * (int64_t) g0;
365   int64_t f5g1_2  = f5_2 * (int64_t) g1;
366   int64_t f5g2    = f5   * (int64_t) g2;
367   int64_t f5g3_2  = f5_2 * (int64_t) g3;
368   int64_t f5g4    = f5   * (int64_t) g4;
369   int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
370   int64_t f5g6_19 = f5   * (int64_t) g6_19;
371   int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
372   int64_t f5g8_19 = f5   * (int64_t) g8_19;
373   int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
374   int64_t f6g0    = f6   * (int64_t) g0;
375   int64_t f6g1    = f6   * (int64_t) g1;
376   int64_t f6g2    = f6   * (int64_t) g2;
377   int64_t f6g3    = f6   * (int64_t) g3;
378   int64_t f6g4_19 = f6   * (int64_t) g4_19;
379   int64_t f6g5_19 = f6   * (int64_t) g5_19;
380   int64_t f6g6_19 = f6   * (int64_t) g6_19;
381   int64_t f6g7_19 = f6   * (int64_t) g7_19;
382   int64_t f6g8_19 = f6   * (int64_t) g8_19;
383   int64_t f6g9_19 = f6   * (int64_t) g9_19;
384   int64_t f7g0    = f7   * (int64_t) g0;
385   int64_t f7g1_2  = f7_2 * (int64_t) g1;
386   int64_t f7g2    = f7   * (int64_t) g2;
387   int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
388   int64_t f7g4_19 = f7   * (int64_t) g4_19;
389   int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
390   int64_t f7g6_19 = f7   * (int64_t) g6_19;
391   int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
392   int64_t f7g8_19 = f7   * (int64_t) g8_19;
393   int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
394   int64_t f8g0    = f8   * (int64_t) g0;
395   int64_t f8g1    = f8   * (int64_t) g1;
396   int64_t f8g2_19 = f8   * (int64_t) g2_19;
397   int64_t f8g3_19 = f8   * (int64_t) g3_19;
398   int64_t f8g4_19 = f8   * (int64_t) g4_19;
399   int64_t f8g5_19 = f8   * (int64_t) g5_19;
400   int64_t f8g6_19 = f8   * (int64_t) g6_19;
401   int64_t f8g7_19 = f8   * (int64_t) g7_19;
402   int64_t f8g8_19 = f8   * (int64_t) g8_19;
403   int64_t f8g9_19 = f8   * (int64_t) g9_19;
404   int64_t f9g0    = f9   * (int64_t) g0;
405   int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
406   int64_t f9g2_19 = f9   * (int64_t) g2_19;
407   int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
408   int64_t f9g4_19 = f9   * (int64_t) g4_19;
409   int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
410   int64_t f9g6_19 = f9   * (int64_t) g6_19;
411   int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
412   int64_t f9g8_19 = f9   * (int64_t) g8_19;
413   int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
414   int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38;
415   int64_t h1 = f0g1+f1g0   +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19;
416   int64_t h2 = f0g2+f1g1_2 +f2g0   +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38;
417   int64_t h3 = f0g3+f1g2   +f2g1   +f3g0   +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19;
418   int64_t h4 = f0g4+f1g3_2 +f2g2   +f3g1_2 +f4g0   +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38;
419   int64_t h5 = f0g5+f1g4   +f2g3   +f3g2   +f4g1   +f5g0   +f6g9_19+f7g8_19+f8g7_19+f9g6_19;
420   int64_t h6 = f0g6+f1g5_2 +f2g4   +f3g3_2 +f4g2   +f5g1_2 +f6g0   +f7g9_38+f8g8_19+f9g7_38;
421   int64_t h7 = f0g7+f1g6   +f2g5   +f3g4   +f4g3   +f5g2   +f6g1   +f7g0   +f8g9_19+f9g8_19;
422   int64_t h8 = f0g8+f1g7_2 +f2g6   +f3g5_2 +f4g4   +f5g3_2 +f6g2   +f7g1_2 +f8g0   +f9g9_38;
423   int64_t h9 = f0g9+f1g8   +f2g7   +f3g6   +f4g5   +f5g4   +f6g3   +f7g2   +f8g1   +f9g0   ;
424   int64_t carry0;
425   int64_t carry1;
426   int64_t carry2;
427   int64_t carry3;
428   int64_t carry4;
429   int64_t carry5;
430   int64_t carry6;
431   int64_t carry7;
432   int64_t carry8;
433   int64_t carry9;
434 
435   /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
436    *   i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
437    * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
438    *   i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */
439 
440   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
441   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
442   /* |h0| <= 2^25 */
443   /* |h4| <= 2^25 */
444   /* |h1| <= 1.71*2^59 */
445   /* |h5| <= 1.71*2^59 */
446 
447   carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
448   carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
449   /* |h1| <= 2^24; from now on fits into int32 */
450   /* |h5| <= 2^24; from now on fits into int32 */
451   /* |h2| <= 1.41*2^60 */
452   /* |h6| <= 1.41*2^60 */
453 
454   carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
455   carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
456   /* |h2| <= 2^25; from now on fits into int32 unchanged */
457   /* |h6| <= 2^25; from now on fits into int32 unchanged */
458   /* |h3| <= 1.71*2^59 */
459   /* |h7| <= 1.71*2^59 */
460 
461   carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
462   carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
463   /* |h3| <= 2^24; from now on fits into int32 unchanged */
464   /* |h7| <= 2^24; from now on fits into int32 unchanged */
465   /* |h4| <= 1.72*2^34 */
466   /* |h8| <= 1.41*2^60 */
467 
468   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
469   carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
470   /* |h4| <= 2^25; from now on fits into int32 unchanged */
471   /* |h8| <= 2^25; from now on fits into int32 unchanged */
472   /* |h5| <= 1.01*2^24 */
473   /* |h9| <= 1.71*2^59 */
474 
475   carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
476   /* |h9| <= 2^24; from now on fits into int32 unchanged */
477   /* |h0| <= 1.1*2^39 */
478 
479   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
480   /* |h0| <= 2^25; from now on fits into int32 unchanged */
481   /* |h1| <= 1.01*2^24 */
482 
483   h[0] = h0;
484   h[1] = h1;
485   h[2] = h2;
486   h[3] = h3;
487   h[4] = h4;
488   h[5] = h5;
489   h[6] = h6;
490   h[7] = h7;
491   h[8] = h8;
492   h[9] = h9;
493 }
494 
495 /* h = f * f
496  * Can overlap h with f.
497  *
498  * Preconditions:
499  *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
500  *
501  * Postconditions:
502  *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
503  *
504  * See fe_mul.c for discussion of implementation strategy. */
fe_sq(fe h,const fe f)505 static void fe_sq(fe h, const fe f) {
506   int32_t f0 = f[0];
507   int32_t f1 = f[1];
508   int32_t f2 = f[2];
509   int32_t f3 = f[3];
510   int32_t f4 = f[4];
511   int32_t f5 = f[5];
512   int32_t f6 = f[6];
513   int32_t f7 = f[7];
514   int32_t f8 = f[8];
515   int32_t f9 = f[9];
516   int32_t f0_2 = 2 * f0;
517   int32_t f1_2 = 2 * f1;
518   int32_t f2_2 = 2 * f2;
519   int32_t f3_2 = 2 * f3;
520   int32_t f4_2 = 2 * f4;
521   int32_t f5_2 = 2 * f5;
522   int32_t f6_2 = 2 * f6;
523   int32_t f7_2 = 2 * f7;
524   int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
525   int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
526   int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
527   int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
528   int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
529   int64_t f0f0    = f0   * (int64_t) f0;
530   int64_t f0f1_2  = f0_2 * (int64_t) f1;
531   int64_t f0f2_2  = f0_2 * (int64_t) f2;
532   int64_t f0f3_2  = f0_2 * (int64_t) f3;
533   int64_t f0f4_2  = f0_2 * (int64_t) f4;
534   int64_t f0f5_2  = f0_2 * (int64_t) f5;
535   int64_t f0f6_2  = f0_2 * (int64_t) f6;
536   int64_t f0f7_2  = f0_2 * (int64_t) f7;
537   int64_t f0f8_2  = f0_2 * (int64_t) f8;
538   int64_t f0f9_2  = f0_2 * (int64_t) f9;
539   int64_t f1f1_2  = f1_2 * (int64_t) f1;
540   int64_t f1f2_2  = f1_2 * (int64_t) f2;
541   int64_t f1f3_4  = f1_2 * (int64_t) f3_2;
542   int64_t f1f4_2  = f1_2 * (int64_t) f4;
543   int64_t f1f5_4  = f1_2 * (int64_t) f5_2;
544   int64_t f1f6_2  = f1_2 * (int64_t) f6;
545   int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
546   int64_t f1f8_2  = f1_2 * (int64_t) f8;
547   int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
548   int64_t f2f2    = f2   * (int64_t) f2;
549   int64_t f2f3_2  = f2_2 * (int64_t) f3;
550   int64_t f2f4_2  = f2_2 * (int64_t) f4;
551   int64_t f2f5_2  = f2_2 * (int64_t) f5;
552   int64_t f2f6_2  = f2_2 * (int64_t) f6;
553   int64_t f2f7_2  = f2_2 * (int64_t) f7;
554   int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
555   int64_t f2f9_38 = f2   * (int64_t) f9_38;
556   int64_t f3f3_2  = f3_2 * (int64_t) f3;
557   int64_t f3f4_2  = f3_2 * (int64_t) f4;
558   int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
559   int64_t f3f6_2  = f3_2 * (int64_t) f6;
560   int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
561   int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
562   int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
563   int64_t f4f4    = f4   * (int64_t) f4;
564   int64_t f4f5_2  = f4_2 * (int64_t) f5;
565   int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
566   int64_t f4f7_38 = f4   * (int64_t) f7_38;
567   int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
568   int64_t f4f9_38 = f4   * (int64_t) f9_38;
569   int64_t f5f5_38 = f5   * (int64_t) f5_38;
570   int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
571   int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
572   int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
573   int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
574   int64_t f6f6_19 = f6   * (int64_t) f6_19;
575   int64_t f6f7_38 = f6   * (int64_t) f7_38;
576   int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
577   int64_t f6f9_38 = f6   * (int64_t) f9_38;
578   int64_t f7f7_38 = f7   * (int64_t) f7_38;
579   int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
580   int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
581   int64_t f8f8_19 = f8   * (int64_t) f8_19;
582   int64_t f8f9_38 = f8   * (int64_t) f9_38;
583   int64_t f9f9_38 = f9   * (int64_t) f9_38;
584   int64_t h0 = f0f0  +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
585   int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
586   int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
587   int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
588   int64_t h4 = f0f4_2+f1f3_4 +f2f2   +f5f9_76+f6f8_38+f7f7_38;
589   int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
590   int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
591   int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
592   int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4   +f9f9_38;
593   int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
594   int64_t carry0;
595   int64_t carry1;
596   int64_t carry2;
597   int64_t carry3;
598   int64_t carry4;
599   int64_t carry5;
600   int64_t carry6;
601   int64_t carry7;
602   int64_t carry8;
603   int64_t carry9;
604 
605   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
606   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
607 
608   carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
609   carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
610 
611   carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
612   carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
613 
614   carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
615   carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
616 
617   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
618   carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
619 
620   carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
621 
622   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
623 
624   h[0] = h0;
625   h[1] = h1;
626   h[2] = h2;
627   h[3] = h3;
628   h[4] = h4;
629   h[5] = h5;
630   h[6] = h6;
631   h[7] = h7;
632   h[8] = h8;
633   h[9] = h9;
634 }
635 
fe_invert(fe out,const fe z)636 static void fe_invert(fe out, const fe z) {
637   fe t0;
638   fe t1;
639   fe t2;
640   fe t3;
641   int i;
642 
643   fe_sq(t0, z);
644   fe_sq(t1, t0);
645   for (i = 1; i < 2; ++i) {
646     fe_sq(t1, t1);
647   }
648   fe_mul(t1, z, t1);
649   fe_mul(t0, t0, t1);
650   fe_sq(t2, t0);
651   fe_mul(t1, t1, t2);
652   fe_sq(t2, t1);
653   for (i = 1; i < 5; ++i) {
654     fe_sq(t2, t2);
655   }
656   fe_mul(t1, t2, t1);
657   fe_sq(t2, t1);
658   for (i = 1; i < 10; ++i) {
659     fe_sq(t2, t2);
660   }
661   fe_mul(t2, t2, t1);
662   fe_sq(t3, t2);
663   for (i = 1; i < 20; ++i) {
664     fe_sq(t3, t3);
665   }
666   fe_mul(t2, t3, t2);
667   fe_sq(t2, t2);
668   for (i = 1; i < 10; ++i) {
669     fe_sq(t2, t2);
670   }
671   fe_mul(t1, t2, t1);
672   fe_sq(t2, t1);
673   for (i = 1; i < 50; ++i) {
674     fe_sq(t2, t2);
675   }
676   fe_mul(t2, t2, t1);
677   fe_sq(t3, t2);
678   for (i = 1; i < 100; ++i) {
679     fe_sq(t3, t3);
680   }
681   fe_mul(t2, t3, t2);
682   fe_sq(t2, t2);
683   for (i = 1; i < 50; ++i) {
684     fe_sq(t2, t2);
685   }
686   fe_mul(t1, t2, t1);
687   fe_sq(t1, t1);
688   for (i = 1; i < 5; ++i) {
689     fe_sq(t1, t1);
690   }
691   fe_mul(out, t1, t0);
692 }
693 
694 /* h = -f
695  *
696  * Preconditions:
697  *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
698  *
699  * Postconditions:
700  *    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
fe_neg(fe h,const fe f)701 static void fe_neg(fe h, const fe f) {
702   unsigned i;
703   for (i = 0; i < 10; i++) {
704     h[i] = -f[i];
705   }
706 }
707 
708 /* Replace (f,g) with (g,g) if b == 1;
709  * replace (f,g) with (f,g) if b == 0.
710  *
711  * Preconditions: b in {0,1}. */
fe_cmov(fe f,const fe g,unsigned b)712 static void fe_cmov(fe f, const fe g, unsigned b) {
713   b = 0-b;
714   unsigned i;
715   for (i = 0; i < 10; i++) {
716     int32_t x = f[i] ^ g[i];
717     x &= b;
718     f[i] ^= x;
719   }
720 }
721 
722 /* return 0 if f == 0
723  * return 1 if f != 0
724  *
725  * Preconditions:
726  *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
fe_isnonzero(const fe f)727 static int fe_isnonzero(const fe f) {
728   uint8_t s[32];
729   fe_tobytes(s, f);
730 
731   static const uint8_t zero[32] = {0};
732   return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
733 }
734 
735 /* return 1 if f is in {1,3,5,...,q-2}
736  * return 0 if f is in {0,2,4,...,q-1}
737  *
738  * Preconditions:
739  *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
fe_isnegative(const fe f)740 static int fe_isnegative(const fe f) {
741   uint8_t s[32];
742   fe_tobytes(s, f);
743   return s[0] & 1;
744 }
745 
746 /* h = 2 * f * f
747  * Can overlap h with f.
748  *
749  * Preconditions:
750  *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
751  *
752  * Postconditions:
753  *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
754  *
755  * See fe_mul.c for discussion of implementation strategy. */
fe_sq2(fe h,const fe f)756 static void fe_sq2(fe h, const fe f) {
757   int32_t f0 = f[0];
758   int32_t f1 = f[1];
759   int32_t f2 = f[2];
760   int32_t f3 = f[3];
761   int32_t f4 = f[4];
762   int32_t f5 = f[5];
763   int32_t f6 = f[6];
764   int32_t f7 = f[7];
765   int32_t f8 = f[8];
766   int32_t f9 = f[9];
767   int32_t f0_2 = 2 * f0;
768   int32_t f1_2 = 2 * f1;
769   int32_t f2_2 = 2 * f2;
770   int32_t f3_2 = 2 * f3;
771   int32_t f4_2 = 2 * f4;
772   int32_t f5_2 = 2 * f5;
773   int32_t f6_2 = 2 * f6;
774   int32_t f7_2 = 2 * f7;
775   int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
776   int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
777   int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
778   int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
779   int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
780   int64_t f0f0    = f0   * (int64_t) f0;
781   int64_t f0f1_2  = f0_2 * (int64_t) f1;
782   int64_t f0f2_2  = f0_2 * (int64_t) f2;
783   int64_t f0f3_2  = f0_2 * (int64_t) f3;
784   int64_t f0f4_2  = f0_2 * (int64_t) f4;
785   int64_t f0f5_2  = f0_2 * (int64_t) f5;
786   int64_t f0f6_2  = f0_2 * (int64_t) f6;
787   int64_t f0f7_2  = f0_2 * (int64_t) f7;
788   int64_t f0f8_2  = f0_2 * (int64_t) f8;
789   int64_t f0f9_2  = f0_2 * (int64_t) f9;
790   int64_t f1f1_2  = f1_2 * (int64_t) f1;
791   int64_t f1f2_2  = f1_2 * (int64_t) f2;
792   int64_t f1f3_4  = f1_2 * (int64_t) f3_2;
793   int64_t f1f4_2  = f1_2 * (int64_t) f4;
794   int64_t f1f5_4  = f1_2 * (int64_t) f5_2;
795   int64_t f1f6_2  = f1_2 * (int64_t) f6;
796   int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
797   int64_t f1f8_2  = f1_2 * (int64_t) f8;
798   int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
799   int64_t f2f2    = f2   * (int64_t) f2;
800   int64_t f2f3_2  = f2_2 * (int64_t) f3;
801   int64_t f2f4_2  = f2_2 * (int64_t) f4;
802   int64_t f2f5_2  = f2_2 * (int64_t) f5;
803   int64_t f2f6_2  = f2_2 * (int64_t) f6;
804   int64_t f2f7_2  = f2_2 * (int64_t) f7;
805   int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
806   int64_t f2f9_38 = f2   * (int64_t) f9_38;
807   int64_t f3f3_2  = f3_2 * (int64_t) f3;
808   int64_t f3f4_2  = f3_2 * (int64_t) f4;
809   int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
810   int64_t f3f6_2  = f3_2 * (int64_t) f6;
811   int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
812   int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
813   int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
814   int64_t f4f4    = f4   * (int64_t) f4;
815   int64_t f4f5_2  = f4_2 * (int64_t) f5;
816   int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
817   int64_t f4f7_38 = f4   * (int64_t) f7_38;
818   int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
819   int64_t f4f9_38 = f4   * (int64_t) f9_38;
820   int64_t f5f5_38 = f5   * (int64_t) f5_38;
821   int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
822   int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
823   int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
824   int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
825   int64_t f6f6_19 = f6   * (int64_t) f6_19;
826   int64_t f6f7_38 = f6   * (int64_t) f7_38;
827   int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
828   int64_t f6f9_38 = f6   * (int64_t) f9_38;
829   int64_t f7f7_38 = f7   * (int64_t) f7_38;
830   int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
831   int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
832   int64_t f8f8_19 = f8   * (int64_t) f8_19;
833   int64_t f8f9_38 = f8   * (int64_t) f9_38;
834   int64_t f9f9_38 = f9   * (int64_t) f9_38;
835   int64_t h0 = f0f0  +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
836   int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
837   int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
838   int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
839   int64_t h4 = f0f4_2+f1f3_4 +f2f2   +f5f9_76+f6f8_38+f7f7_38;
840   int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
841   int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
842   int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
843   int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4   +f9f9_38;
844   int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
845   int64_t carry0;
846   int64_t carry1;
847   int64_t carry2;
848   int64_t carry3;
849   int64_t carry4;
850   int64_t carry5;
851   int64_t carry6;
852   int64_t carry7;
853   int64_t carry8;
854   int64_t carry9;
855 
856   h0 += h0;
857   h1 += h1;
858   h2 += h2;
859   h3 += h3;
860   h4 += h4;
861   h5 += h5;
862   h6 += h6;
863   h7 += h7;
864   h8 += h8;
865   h9 += h9;
866 
867   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
868   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
869 
870   carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
871   carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
872 
873   carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
874   carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
875 
876   carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
877   carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
878 
879   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
880   carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
881 
882   carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
883 
884   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
885 
886   h[0] = h0;
887   h[1] = h1;
888   h[2] = h2;
889   h[3] = h3;
890   h[4] = h4;
891   h[5] = h5;
892   h[6] = h6;
893   h[7] = h7;
894   h[8] = h8;
895   h[9] = h9;
896 }
897 
fe_pow22523(fe out,const fe z)898 static void fe_pow22523(fe out, const fe z) {
899   fe t0;
900   fe t1;
901   fe t2;
902   int i;
903 
904   fe_sq(t0, z);
905   fe_sq(t1, t0);
906   for (i = 1; i < 2; ++i) {
907     fe_sq(t1, t1);
908   }
909   fe_mul(t1, z, t1);
910   fe_mul(t0, t0, t1);
911   fe_sq(t0, t0);
912   fe_mul(t0, t1, t0);
913   fe_sq(t1, t0);
914   for (i = 1; i < 5; ++i) {
915     fe_sq(t1, t1);
916   }
917   fe_mul(t0, t1, t0);
918   fe_sq(t1, t0);
919   for (i = 1; i < 10; ++i) {
920     fe_sq(t1, t1);
921   }
922   fe_mul(t1, t1, t0);
923   fe_sq(t2, t1);
924   for (i = 1; i < 20; ++i) {
925     fe_sq(t2, t2);
926   }
927   fe_mul(t1, t2, t1);
928   fe_sq(t1, t1);
929   for (i = 1; i < 10; ++i) {
930     fe_sq(t1, t1);
931   }
932   fe_mul(t0, t1, t0);
933   fe_sq(t1, t0);
934   for (i = 1; i < 50; ++i) {
935     fe_sq(t1, t1);
936   }
937   fe_mul(t1, t1, t0);
938   fe_sq(t2, t1);
939   for (i = 1; i < 100; ++i) {
940     fe_sq(t2, t2);
941   }
942   fe_mul(t1, t2, t1);
943   fe_sq(t1, t1);
944   for (i = 1; i < 50; ++i) {
945     fe_sq(t1, t1);
946   }
947   fe_mul(t0, t1, t0);
948   fe_sq(t0, t0);
949   for (i = 1; i < 2; ++i) {
950     fe_sq(t0, t0);
951   }
952   fe_mul(out, t0, z);
953 }
954 
x25519_ge_tobytes(uint8_t * s,const ge_p2 * h)955 void x25519_ge_tobytes(uint8_t *s, const ge_p2 *h) {
956   fe recip;
957   fe x;
958   fe y;
959 
960   fe_invert(recip, h->Z);
961   fe_mul(x, h->X, recip);
962   fe_mul(y, h->Y, recip);
963   fe_tobytes(s, y);
964   s[31] ^= fe_isnegative(x) << 7;
965 }
966 
ge_p3_tobytes(uint8_t * s,const ge_p3 * h)967 static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
968   fe recip;
969   fe x;
970   fe y;
971 
972   fe_invert(recip, h->Z);
973   fe_mul(x, h->X, recip);
974   fe_mul(y, h->Y, recip);
975   fe_tobytes(s, y);
976   s[31] ^= fe_isnegative(x) << 7;
977 }
978 
979 static const fe d = {-10913610, 13857413, -15372611, 6949391,   114729,
980                      -8787816,  -6275908, -3247719,  -18696448, -12055116};
981 
982 static const fe sqrtm1 = {-32595792, -7943725,  9377950,  3500415, 12389472,
983                           -272473,   -25146209, -2005654, 326686,  11406482};
984 
x25519_ge_frombytes_vartime(ge_p3 * h,const uint8_t * s)985 int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
986   fe u;
987   fe v;
988   fe v3;
989   fe vxx;
990   fe check;
991 
992   fe_frombytes(h->Y, s);
993   fe_1(h->Z);
994   fe_sq(u, h->Y);
995   fe_mul(v, u, d);
996   fe_sub(u, u, h->Z); /* u = y^2-1 */
997   fe_add(v, v, h->Z); /* v = dy^2+1 */
998 
999   fe_sq(v3, v);
1000   fe_mul(v3, v3, v); /* v3 = v^3 */
1001   fe_sq(h->X, v3);
1002   fe_mul(h->X, h->X, v);
1003   fe_mul(h->X, h->X, u); /* x = uv^7 */
1004 
1005   fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
1006   fe_mul(h->X, h->X, v3);
1007   fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
1008 
1009   fe_sq(vxx, h->X);
1010   fe_mul(vxx, vxx, v);
1011   fe_sub(check, vxx, u); /* vx^2-u */
1012   if (fe_isnonzero(check)) {
1013     fe_add(check, vxx, u); /* vx^2+u */
1014     if (fe_isnonzero(check)) {
1015       return -1;
1016     }
1017     fe_mul(h->X, h->X, sqrtm1);
1018   }
1019 
1020   if (fe_isnegative(h->X) != (s[31] >> 7)) {
1021     fe_neg(h->X, h->X);
1022   }
1023 
1024   fe_mul(h->T, h->X, h->Y);
1025   return 0;
1026 }
1027 
ge_p2_0(ge_p2 * h)1028 static void ge_p2_0(ge_p2 *h) {
1029   fe_0(h->X);
1030   fe_1(h->Y);
1031   fe_1(h->Z);
1032 }
1033 
ge_p3_0(ge_p3 * h)1034 static void ge_p3_0(ge_p3 *h) {
1035   fe_0(h->X);
1036   fe_1(h->Y);
1037   fe_1(h->Z);
1038   fe_0(h->T);
1039 }
1040 
ge_cached_0(ge_cached * h)1041 static void ge_cached_0(ge_cached *h) {
1042   fe_1(h->YplusX);
1043   fe_1(h->YminusX);
1044   fe_1(h->Z);
1045   fe_0(h->T2d);
1046 }
1047 
ge_precomp_0(ge_precomp * h)1048 static void ge_precomp_0(ge_precomp *h) {
1049   fe_1(h->yplusx);
1050   fe_1(h->yminusx);
1051   fe_0(h->xy2d);
1052 }
1053 
1054 /* r = p */
ge_p3_to_p2(ge_p2 * r,const ge_p3 * p)1055 static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
1056   fe_copy(r->X, p->X);
1057   fe_copy(r->Y, p->Y);
1058   fe_copy(r->Z, p->Z);
1059 }
1060 
1061 static const fe d2 = {-21827239, -5839606,  -30745221, 13898782, 229458,
1062                       15978800,  -12551817, -6495438,  29715968, 9444199};
1063 
1064 /* r = p */
x25519_ge_p3_to_cached(ge_cached * r,const ge_p3 * p)1065 void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
1066   fe_add(r->YplusX, p->Y, p->X);
1067   fe_sub(r->YminusX, p->Y, p->X);
1068   fe_copy(r->Z, p->Z);
1069   fe_mul(r->T2d, p->T, d2);
1070 }
1071 
1072 /* r = p */
x25519_ge_p1p1_to_p2(ge_p2 * r,const ge_p1p1 * p)1073 void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {
1074   fe_mul(r->X, p->X, p->T);
1075   fe_mul(r->Y, p->Y, p->Z);
1076   fe_mul(r->Z, p->Z, p->T);
1077 }
1078 
1079 /* r = p */
x25519_ge_p1p1_to_p3(ge_p3 * r,const ge_p1p1 * p)1080 void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
1081   fe_mul(r->X, p->X, p->T);
1082   fe_mul(r->Y, p->Y, p->Z);
1083   fe_mul(r->Z, p->Z, p->T);
1084   fe_mul(r->T, p->X, p->Y);
1085 }
1086 
1087 /* r = p */
ge_p1p1_to_cached(ge_cached * r,const ge_p1p1 * p)1088 static void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) {
1089   ge_p3 t;
1090   x25519_ge_p1p1_to_p3(&t, p);
1091   x25519_ge_p3_to_cached(r, &t);
1092 }
1093 
1094 /* r = 2 * p */
ge_p2_dbl(ge_p1p1 * r,const ge_p2 * p)1095 static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
1096   fe t0;
1097 
1098   fe_sq(r->X, p->X);
1099   fe_sq(r->Z, p->Y);
1100   fe_sq2(r->T, p->Z);
1101   fe_add(r->Y, p->X, p->Y);
1102   fe_sq(t0, r->Y);
1103   fe_add(r->Y, r->Z, r->X);
1104   fe_sub(r->Z, r->Z, r->X);
1105   fe_sub(r->X, t0, r->Y);
1106   fe_sub(r->T, r->T, r->Z);
1107 }
1108 
1109 /* r = 2 * p */
ge_p3_dbl(ge_p1p1 * r,const ge_p3 * p)1110 static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {
1111   ge_p2 q;
1112   ge_p3_to_p2(&q, p);
1113   ge_p2_dbl(r, &q);
1114 }
1115 
1116 /* r = p + q */
ge_madd(ge_p1p1 * r,const ge_p3 * p,const ge_precomp * q)1117 static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
1118   fe t0;
1119 
1120   fe_add(r->X, p->Y, p->X);
1121   fe_sub(r->Y, p->Y, p->X);
1122   fe_mul(r->Z, r->X, q->yplusx);
1123   fe_mul(r->Y, r->Y, q->yminusx);
1124   fe_mul(r->T, q->xy2d, p->T);
1125   fe_add(t0, p->Z, p->Z);
1126   fe_sub(r->X, r->Z, r->Y);
1127   fe_add(r->Y, r->Z, r->Y);
1128   fe_add(r->Z, t0, r->T);
1129   fe_sub(r->T, t0, r->T);
1130 }
1131 
1132 /* r = p - q */
ge_msub(ge_p1p1 * r,const ge_p3 * p,const ge_precomp * q)1133 static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
1134   fe t0;
1135 
1136   fe_add(r->X, p->Y, p->X);
1137   fe_sub(r->Y, p->Y, p->X);
1138   fe_mul(r->Z, r->X, q->yminusx);
1139   fe_mul(r->Y, r->Y, q->yplusx);
1140   fe_mul(r->T, q->xy2d, p->T);
1141   fe_add(t0, p->Z, p->Z);
1142   fe_sub(r->X, r->Z, r->Y);
1143   fe_add(r->Y, r->Z, r->Y);
1144   fe_sub(r->Z, t0, r->T);
1145   fe_add(r->T, t0, r->T);
1146 }
1147 
1148 /* r = p + q */
x25519_ge_add(ge_p1p1 * r,const ge_p3 * p,const ge_cached * q)1149 void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
1150   fe t0;
1151 
1152   fe_add(r->X, p->Y, p->X);
1153   fe_sub(r->Y, p->Y, p->X);
1154   fe_mul(r->Z, r->X, q->YplusX);
1155   fe_mul(r->Y, r->Y, q->YminusX);
1156   fe_mul(r->T, q->T2d, p->T);
1157   fe_mul(r->X, p->Z, q->Z);
1158   fe_add(t0, r->X, r->X);
1159   fe_sub(r->X, r->Z, r->Y);
1160   fe_add(r->Y, r->Z, r->Y);
1161   fe_add(r->Z, t0, r->T);
1162   fe_sub(r->T, t0, r->T);
1163 }
1164 
1165 /* r = p - q */
x25519_ge_sub(ge_p1p1 * r,const ge_p3 * p,const ge_cached * q)1166 void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
1167   fe t0;
1168 
1169   fe_add(r->X, p->Y, p->X);
1170   fe_sub(r->Y, p->Y, p->X);
1171   fe_mul(r->Z, r->X, q->YminusX);
1172   fe_mul(r->Y, r->Y, q->YplusX);
1173   fe_mul(r->T, q->T2d, p->T);
1174   fe_mul(r->X, p->Z, q->Z);
1175   fe_add(t0, r->X, r->X);
1176   fe_sub(r->X, r->Z, r->Y);
1177   fe_add(r->Y, r->Z, r->Y);
1178   fe_sub(r->Z, t0, r->T);
1179   fe_add(r->T, t0, r->T);
1180 }
1181 
equal(signed char b,signed char c)1182 static uint8_t equal(signed char b, signed char c) {
1183   uint8_t ub = b;
1184   uint8_t uc = c;
1185   uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */
1186   uint32_t y = x;      /* 0: yes; 1..255: no */
1187   y -= 1;              /* 4294967295: yes; 0..254: no */
1188   y >>= 31;            /* 1: yes; 0: no */
1189   return y;
1190 }
1191 
cmov(ge_precomp * t,const ge_precomp * u,uint8_t b)1192 static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) {
1193   fe_cmov(t->yplusx, u->yplusx, b);
1194   fe_cmov(t->yminusx, u->yminusx, b);
1195   fe_cmov(t->xy2d, u->xy2d, b);
1196 }
1197 
x25519_ge_scalarmult_small_precomp(ge_p3 * h,const uint8_t a[32],const uint8_t precomp_table[15* 2* 32])1198 void x25519_ge_scalarmult_small_precomp(
1199     ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) {
1200   /* precomp_table is first expanded into matching |ge_precomp|
1201    * elements. */
1202   ge_precomp multiples[15];
1203 
1204   unsigned i;
1205   for (i = 0; i < 15; i++) {
1206     const uint8_t *bytes = &precomp_table[i*(2 * 32)];
1207     fe x, y;
1208     fe_frombytes(x, bytes);
1209     fe_frombytes(y, bytes + 32);
1210 
1211     ge_precomp *out = &multiples[i];
1212     fe_add(out->yplusx, y, x);
1213     fe_sub(out->yminusx, y, x);
1214     fe_mul(out->xy2d, x, y);
1215     fe_mul(out->xy2d, out->xy2d, d2);
1216   }
1217 
1218   /* See the comment above |k25519SmallPrecomp| about the structure of the
1219    * precomputed elements. This loop does 64 additions and 64 doublings to
1220    * calculate the result. */
1221   ge_p3_0(h);
1222 
1223   for (i = 63; i < 64; i--) {
1224     unsigned j;
1225     signed char index = 0;
1226 
1227     for (j = 0; j < 4; j++) {
1228       const uint8_t bit = 1 & (a[(8 * j) + (i / 8)] >> (i & 7));
1229       index |= (bit << j);
1230     }
1231 
1232     ge_precomp e;
1233     ge_precomp_0(&e);
1234 
1235     for (j = 1; j < 16; j++) {
1236       cmov(&e, &multiples[j-1], equal(index, j));
1237     }
1238 
1239     ge_cached cached;
1240     ge_p1p1 r;
1241     x25519_ge_p3_to_cached(&cached, h);
1242     x25519_ge_add(&r, h, &cached);
1243     x25519_ge_p1p1_to_p3(h, &r);
1244 
1245     ge_madd(&r, h, &e);
1246     x25519_ge_p1p1_to_p3(h, &r);
1247   }
1248 }
1249 
1250 #if defined(OPENSSL_SMALL)
1251 
1252 /* This block of code replaces the standard base-point table with a much smaller
1253  * one. The standard table is 30,720 bytes while this one is just 960.
1254  *
1255  * This table contains 15 pairs of group elements, (x, y), where each field
1256  * element is serialised with |fe_tobytes|. If |i| is the index of the group
1257  * element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
1258  * is the most significant bit). The value of the group element is then:
1259  * (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. */
1260 static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = {
1261     0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
1262     0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
1263     0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21, 0x58, 0x66, 0x66, 0x66,
1264     0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
1265     0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
1266     0x66, 0x66, 0x66, 0x66, 0x02, 0xa2, 0xed, 0xf4, 0x8f, 0x6b, 0x0b, 0x3e,
1267     0xeb, 0x35, 0x1a, 0xd5, 0x7e, 0xdb, 0x78, 0x00, 0x96, 0x8a, 0xa0, 0xb4,
1268     0xcf, 0x60, 0x4b, 0xd4, 0xd5, 0xf9, 0x2d, 0xbf, 0x88, 0xbd, 0x22, 0x62,
1269     0x13, 0x53, 0xe4, 0x82, 0x57, 0xfa, 0x1e, 0x8f, 0x06, 0x2b, 0x90, 0xba,
1270     0x08, 0xb6, 0x10, 0x54, 0x4f, 0x7c, 0x1b, 0x26, 0xed, 0xda, 0x6b, 0xdd,
1271     0x25, 0xd0, 0x4e, 0xea, 0x42, 0xbb, 0x25, 0x03, 0xa2, 0xfb, 0xcc, 0x61,
1272     0x67, 0x06, 0x70, 0x1a, 0xc4, 0x78, 0x3a, 0xff, 0x32, 0x62, 0xdd, 0x2c,
1273     0xab, 0x50, 0x19, 0x3b, 0xf2, 0x9b, 0x7d, 0xb8, 0xfd, 0x4f, 0x29, 0x9c,
1274     0xa7, 0x91, 0xba, 0x0e, 0x46, 0x5e, 0x51, 0xfe, 0x1d, 0xbf, 0xe5, 0xe5,
1275     0x9b, 0x95, 0x0d, 0x67, 0xf8, 0xd1, 0xb5, 0x5a, 0xa1, 0x93, 0x2c, 0xc3,
1276     0xde, 0x0e, 0x97, 0x85, 0x2d, 0x7f, 0xea, 0xab, 0x3e, 0x47, 0x30, 0x18,
1277     0x24, 0xe8, 0xb7, 0x60, 0xae, 0x47, 0x80, 0xfc, 0xe5, 0x23, 0xe7, 0xc2,
1278     0xc9, 0x85, 0xe6, 0x98, 0xa0, 0x29, 0x4e, 0xe1, 0x84, 0x39, 0x2d, 0x95,
1279     0x2c, 0xf3, 0x45, 0x3c, 0xff, 0xaf, 0x27, 0x4c, 0x6b, 0xa6, 0xf5, 0x4b,
1280     0x11, 0xbd, 0xba, 0x5b, 0x9e, 0xc4, 0xa4, 0x51, 0x1e, 0xbe, 0xd0, 0x90,
1281     0x3a, 0x9c, 0xc2, 0x26, 0xb6, 0x1e, 0xf1, 0x95, 0x7d, 0xc8, 0x6d, 0x52,
1282     0xe6, 0x99, 0x2c, 0x5f, 0x9a, 0x96, 0x0c, 0x68, 0x29, 0xfd, 0xe2, 0xfb,
1283     0xe6, 0xbc, 0xec, 0x31, 0x08, 0xec, 0xe6, 0xb0, 0x53, 0x60, 0xc3, 0x8c,
1284     0xbe, 0xc1, 0xb3, 0x8a, 0x8f, 0xe4, 0x88, 0x2b, 0x55, 0xe5, 0x64, 0x6e,
1285     0x9b, 0xd0, 0xaf, 0x7b, 0x64, 0x2a, 0x35, 0x25, 0x10, 0x52, 0xc5, 0x9e,
1286     0x58, 0x11, 0x39, 0x36, 0x45, 0x51, 0xb8, 0x39, 0x93, 0xfc, 0x9d, 0x6a,
1287     0xbe, 0x58, 0xcb, 0xa4, 0x0f, 0x51, 0x3c, 0x38, 0x05, 0xca, 0xab, 0x43,
1288     0x63, 0x0e, 0xf3, 0x8b, 0x41, 0xa6, 0xf8, 0x9b, 0x53, 0x70, 0x80, 0x53,
1289     0x86, 0x5e, 0x8f, 0xe3, 0xc3, 0x0d, 0x18, 0xc8, 0x4b, 0x34, 0x1f, 0xd8,
1290     0x1d, 0xbc, 0xf2, 0x6d, 0x34, 0x3a, 0xbe, 0xdf, 0xd9, 0xf6, 0xf3, 0x89,
1291     0xa1, 0xe1, 0x94, 0x9f, 0x5d, 0x4c, 0x5d, 0xe9, 0xa1, 0x49, 0x92, 0xef,
1292     0x0e, 0x53, 0x81, 0x89, 0x58, 0x87, 0xa6, 0x37, 0xf1, 0xdd, 0x62, 0x60,
1293     0x63, 0x5a, 0x9d, 0x1b, 0x8c, 0xc6, 0x7d, 0x52, 0xea, 0x70, 0x09, 0x6a,
1294     0xe1, 0x32, 0xf3, 0x73, 0x21, 0x1f, 0x07, 0x7b, 0x7c, 0x9b, 0x49, 0xd8,
1295     0xc0, 0xf3, 0x25, 0x72, 0x6f, 0x9d, 0xed, 0x31, 0x67, 0x36, 0x36, 0x54,
1296     0x40, 0x92, 0x71, 0xe6, 0x11, 0x28, 0x11, 0xad, 0x93, 0x32, 0x85, 0x7b,
1297     0x3e, 0xb7, 0x3b, 0x49, 0x13, 0x1c, 0x07, 0xb0, 0x2e, 0x93, 0xaa, 0xfd,
1298     0xfd, 0x28, 0x47, 0x3d, 0x8d, 0xd2, 0xda, 0xc7, 0x44, 0xd6, 0x7a, 0xdb,
1299     0x26, 0x7d, 0x1d, 0xb8, 0xe1, 0xde, 0x9d, 0x7a, 0x7d, 0x17, 0x7e, 0x1c,
1300     0x37, 0x04, 0x8d, 0x2d, 0x7c, 0x5e, 0x18, 0x38, 0x1e, 0xaf, 0xc7, 0x1b,
1301     0x33, 0x48, 0x31, 0x00, 0x59, 0xf6, 0xf2, 0xca, 0x0f, 0x27, 0x1b, 0x63,
1302     0x12, 0x7e, 0x02, 0x1d, 0x49, 0xc0, 0x5d, 0x79, 0x87, 0xef, 0x5e, 0x7a,
1303     0x2f, 0x1f, 0x66, 0x55, 0xd8, 0x09, 0xd9, 0x61, 0x38, 0x68, 0xb0, 0x07,
1304     0xa3, 0xfc, 0xcc, 0x85, 0x10, 0x7f, 0x4c, 0x65, 0x65, 0xb3, 0xfa, 0xfa,
1305     0xa5, 0x53, 0x6f, 0xdb, 0x74, 0x4c, 0x56, 0x46, 0x03, 0xe2, 0xd5, 0x7a,
1306     0x29, 0x1c, 0xc6, 0x02, 0xbc, 0x59, 0xf2, 0x04, 0x75, 0x63, 0xc0, 0x84,
1307     0x2f, 0x60, 0x1c, 0x67, 0x76, 0xfd, 0x63, 0x86, 0xf3, 0xfa, 0xbf, 0xdc,
1308     0xd2, 0x2d, 0x90, 0x91, 0xbd, 0x33, 0xa9, 0xe5, 0x66, 0x0c, 0xda, 0x42,
1309     0x27, 0xca, 0xf4, 0x66, 0xc2, 0xec, 0x92, 0x14, 0x57, 0x06, 0x63, 0xd0,
1310     0x4d, 0x15, 0x06, 0xeb, 0x69, 0x58, 0x4f, 0x77, 0xc5, 0x8b, 0xc7, 0xf0,
1311     0x8e, 0xed, 0x64, 0xa0, 0xb3, 0x3c, 0x66, 0x71, 0xc6, 0x2d, 0xda, 0x0a,
1312     0x0d, 0xfe, 0x70, 0x27, 0x64, 0xf8, 0x27, 0xfa, 0xf6, 0x5f, 0x30, 0xa5,
1313     0x0d, 0x6c, 0xda, 0xf2, 0x62, 0x5e, 0x78, 0x47, 0xd3, 0x66, 0x00, 0x1c,
1314     0xfd, 0x56, 0x1f, 0x5d, 0x3f, 0x6f, 0xf4, 0x4c, 0xd8, 0xfd, 0x0e, 0x27,
1315     0xc9, 0x5c, 0x2b, 0xbc, 0xc0, 0xa4, 0xe7, 0x23, 0x29, 0x02, 0x9f, 0x31,
1316     0xd6, 0xe9, 0xd7, 0x96, 0xf4, 0xe0, 0x5e, 0x0b, 0x0e, 0x13, 0xee, 0x3c,
1317     0x09, 0xed, 0xf2, 0x3d, 0x76, 0x91, 0xc3, 0xa4, 0x97, 0xae, 0xd4, 0x87,
1318     0xd0, 0x5d, 0xf6, 0x18, 0x47, 0x1f, 0x1d, 0x67, 0xf2, 0xcf, 0x63, 0xa0,
1319     0x91, 0x27, 0xf8, 0x93, 0x45, 0x75, 0x23, 0x3f, 0xd1, 0xf1, 0xad, 0x23,
1320     0xdd, 0x64, 0x93, 0x96, 0x41, 0x70, 0x7f, 0xf7, 0xf5, 0xa9, 0x89, 0xa2,
1321     0x34, 0xb0, 0x8d, 0x1b, 0xae, 0x19, 0x15, 0x49, 0x58, 0x23, 0x6d, 0x87,
1322     0x15, 0x4f, 0x81, 0x76, 0xfb, 0x23, 0xb5, 0xea, 0xcf, 0xac, 0x54, 0x8d,
1323     0x4e, 0x42, 0x2f, 0xeb, 0x0f, 0x63, 0xdb, 0x68, 0x37, 0xa8, 0xcf, 0x8b,
1324     0xab, 0xf5, 0xa4, 0x6e, 0x96, 0x2a, 0xb2, 0xd6, 0xbe, 0x9e, 0xbd, 0x0d,
1325     0xb4, 0x42, 0xa9, 0xcf, 0x01, 0x83, 0x8a, 0x17, 0x47, 0x76, 0xc4, 0xc6,
1326     0x83, 0x04, 0x95, 0x0b, 0xfc, 0x11, 0xc9, 0x62, 0xb8, 0x0c, 0x76, 0x84,
1327     0xd9, 0xb9, 0x37, 0xfa, 0xfc, 0x7c, 0xc2, 0x6d, 0x58, 0x3e, 0xb3, 0x04,
1328     0xbb, 0x8c, 0x8f, 0x48, 0xbc, 0x91, 0x27, 0xcc, 0xf9, 0xb7, 0x22, 0x19,
1329     0x83, 0x2e, 0x09, 0xb5, 0x72, 0xd9, 0x54, 0x1c, 0x4d, 0xa1, 0xea, 0x0b,
1330     0xf1, 0xc6, 0x08, 0x72, 0x46, 0x87, 0x7a, 0x6e, 0x80, 0x56, 0x0a, 0x8a,
1331     0xc0, 0xdd, 0x11, 0x6b, 0xd6, 0xdd, 0x47, 0xdf, 0x10, 0xd9, 0xd8, 0xea,
1332     0x7c, 0xb0, 0x8f, 0x03, 0x00, 0x2e, 0xc1, 0x8f, 0x44, 0xa8, 0xd3, 0x30,
1333     0x06, 0x89, 0xa2, 0xf9, 0x34, 0xad, 0xdc, 0x03, 0x85, 0xed, 0x51, 0xa7,
1334     0x82, 0x9c, 0xe7, 0x5d, 0x52, 0x93, 0x0c, 0x32, 0x9a, 0x5b, 0xe1, 0xaa,
1335     0xca, 0xb8, 0x02, 0x6d, 0x3a, 0xd4, 0xb1, 0x3a, 0xf0, 0x5f, 0xbe, 0xb5,
1336     0x0d, 0x10, 0x6b, 0x38, 0x32, 0xac, 0x76, 0x80, 0xbd, 0xca, 0x94, 0x71,
1337     0x7a, 0xf2, 0xc9, 0x35, 0x2a, 0xde, 0x9f, 0x42, 0x49, 0x18, 0x01, 0xab,
1338     0xbc, 0xef, 0x7c, 0x64, 0x3f, 0x58, 0x3d, 0x92, 0x59, 0xdb, 0x13, 0xdb,
1339     0x58, 0x6e, 0x0a, 0xe0, 0xb7, 0x91, 0x4a, 0x08, 0x20, 0xd6, 0x2e, 0x3c,
1340     0x45, 0xc9, 0x8b, 0x17, 0x79, 0xe7, 0xc7, 0x90, 0x99, 0x3a, 0x18, 0x25,
1341 };
1342 
x25519_ge_scalarmult_base(ge_p3 * h,const uint8_t a[32])1343 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
1344   x25519_ge_scalarmult_small_precomp(h, a, k25519SmallPrecomp);
1345 }
1346 
1347 #else
1348 
1349 /* k25519Precomp[i][j] = (j+1)*256^i*B */
1350 static const ge_precomp k25519Precomp[32][8] = {
1351     {
1352         {
1353             {25967493, -14356035, 29566456, 3660896, -12694345, 4014787,
1354              27544626, -11754271, -6079156, 2047605},
1355             {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692,
1356              5043384, 19500929, -15469378},
1357             {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380,
1358              29287919, 11864899, -24514362, -4438546},
1359         },
1360         {
1361             {-12815894, -12976347, -21581243, 11784320, -25355658, -2750717,
1362              -11717903, -3814571, -358445, -10211303},
1363             {-21703237, 6903825, 27185491, 6451973, -29577724, -9554005,
1364              -15616551, 11189268, -26829678, -5319081},
1365             {26966642, 11152617, 32442495, 15396054, 14353839, -12752335,
1366              -3128826, -9541118, -15472047, -4166697},
1367         },
1368         {
1369             {15636291, -9688557, 24204773, -7912398, 616977, -16685262,
1370              27787600, -14772189, 28944400, -1550024},
1371             {16568933, 4717097, -11556148, -1102322, 15682896, -11807043,
1372              16354577, -11775962, 7689662, 11199574},
1373             {30464156, -5976125, -11779434, -15670865, 23220365, 15915852,
1374              7512774, 10017326, -17749093, -9920357},
1375         },
1376         {
1377             {-17036878, 13921892, 10945806, -6033431, 27105052, -16084379,
1378              -28926210, 15006023, 3284568, -6276540},
1379             {23599295, -8306047, -11193664, -7687416, 13236774, 10506355,
1380              7464579, 9656445, 13059162, 10374397},
1381             {7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664,
1382              -3839045, -641708, -101325},
1383         },
1384         {
1385             {10861363, 11473154, 27284546, 1981175, -30064349, 12577861,
1386              32867885, 14515107, -15438304, 10819380},
1387             {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668,
1388              12483688, -12668491, 5581306},
1389             {19563160, 16186464, -29386857, 4097519, 10237984, -4348115,
1390              28542350, 13850243, -23678021, -15815942},
1391         },
1392         {
1393             {-15371964, -12862754, 32573250, 4720197, -26436522, 5875511,
1394              -19188627, -15224819, -9818940, -12085777},
1395             {-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240,
1396              -15689887, 1762328, 14866737},
1397             {-18199695, -15951423, -10473290, 1707278, -17185920, 3916101,
1398              -28236412, 3959421, 27914454, 4383652},
1399         },
1400         {
1401             {5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852,
1402              5230134, -23952439, -15175766},
1403             {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722,
1404              20654025, 16520125, 30598449, 7715701},
1405             {28881845, 14381568, 9657904, 3680757, -20181635, 7843316,
1406              -31400660, 1370708, 29794553, -1409300},
1407         },
1408         {
1409             {14499471, -2729599, -33191113, -4254652, 28494862, 14271267,
1410              30290735, 10876454, -33154098, 2381726},
1411             {-7195431, -2655363, -14730155, 462251, -27724326, 3941372,
1412              -6236617, 3696005, -32300832, 15351955},
1413             {27431194, 8222322, 16448760, -3907995, -18707002, 11938355,
1414              -32961401, -2970515, 29551813, 10109425},
1415         },
1416     },
1417     {
1418         {
1419             {-13657040, -13155431, -31283750, 11777098, 21447386, 6519384,
1420              -2378284, -1627556, 10092783, -4764171},
1421             {27939166, 14210322, 4677035, 16277044, -22964462, -12398139,
1422              -32508754, 12005538, -17810127, 12803510},
1423             {17228999, -15661624, -1233527, 300140, -1224870, -11714777,
1424              30364213, -9038194, 18016357, 4397660},
1425         },
1426         {
1427             {-10958843, -7690207, 4776341, -14954238, 27850028, -15602212,
1428              -26619106, 14544525, -17477504, 982639},
1429             {29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899,
1430              -4120128, -21047696, 9934963},
1431             {5793303, 16271923, -24131614, -10116404, 29188560, 1206517,
1432              -14747930, 4559895, -30123922, -10897950},
1433         },
1434         {
1435             {-27643952, -11493006, 16282657, -11036493, 28414021, -15012264,
1436              24191034, 4541697, -13338309, 5500568},
1437             {12650548, -1497113, 9052871, 11355358, -17680037, -8400164,
1438              -17430592, 12264343, 10874051, 13524335},
1439             {25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038,
1440              5080568, -22528059, 5376628},
1441         },
1442         {
1443             {-26088264, -4011052, -17013699, -3537628, -6726793, 1920897,
1444              -22321305, -9447443, 4535768, 1569007},
1445             {-2255422, 14606630, -21692440, -8039818, 28430649, 8775819,
1446              -30494562, 3044290, 31848280, 12543772},
1447             {-22028579, 2943893, -31857513, 6777306, 13784462, -4292203,
1448              -27377195, -2062731, 7718482, 14474653},
1449         },
1450         {
1451             {2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965,
1452              -7236665, 24316168, -5253567},
1453             {13741529, 10911568, -33233417, -8603737, -20177830, -1033297,
1454              33040651, -13424532, -20729456, 8321686},
1455             {21060490, -2212744, 15712757, -4336099, 1639040, 10656336,
1456              23845965, -11874838, -9984458, 608372},
1457         },
1458         {
1459             {-13672732, -15087586, -10889693, -7557059, -6036909, 11305547,
1460              1123968, -6780577, 27229399, 23887},
1461             {-23244140, -294205, -11744728, 14712571, -29465699, -2029617,
1462              12797024, -6440308, -1633405, 16678954},
1463             {-29500620, 4770662, -16054387, 14001338, 7830047, 9564805,
1464              -1508144, -4795045, -17169265, 4904953},
1465         },
1466         {
1467             {24059557, 14617003, 19037157, -15039908, 19766093, -14906429,
1468              5169211, 16191880, 2128236, -4326833},
1469             {-16981152, 4124966, -8540610, -10653797, 30336522, -14105247,
1470              -29806336, 916033, -6882542, -2986532},
1471             {-22630907, 12419372, -7134229, -7473371, -16478904, 16739175,
1472              285431, 2763829, 15736322, 4143876},
1473         },
1474         {
1475             {2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801,
1476              -14594663, 23527084, -16458268},
1477             {33431127, -11130478, -17838966, -15626900, 8909499, 8376530,
1478              -32625340, 4087881, -15188911, -14416214},
1479             {1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055,
1480              4357868, -4774191, -16323038},
1481         },
1482     },
1483     {
1484         {
1485             {6721966, 13833823, -23523388, -1551314, 26354293, -11863321,
1486              23365147, -3949732, 7390890, 2759800},
1487             {4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353,
1488              -4264057, 1244380, -12919645},
1489             {-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413,
1490              9208236, 15886429, 16489664},
1491         },
1492         {
1493             {1996075, 10375649, 14346367, 13311202, -6874135, -16438411,
1494              -13693198, 398369, -30606455, -712933},
1495             {-25307465, 9795880, -2777414, 14878809, -33531835, 14780363,
1496              13348553, 12076947, -30836462, 5113182},
1497             {-17770784, 11797796, 31950843, 13929123, -25888302, 12288344,
1498              -30341101, -7336386, 13847711, 5387222},
1499         },
1500         {
1501             {-18582163, -3416217, 17824843, -2340966, 22744343, -10442611,
1502              8763061, 3617786, -19600662, 10370991},
1503             {20246567, -14369378, 22358229, -543712, 18507283, -10413996,
1504              14554437, -8746092, 32232924, 16763880},
1505             {9648505, 10094563, 26416693, 14745928, -30374318, -6472621,
1506              11094161, 15689506, 3140038, -16510092},
1507         },
1508         {
1509             {-16160072, 5472695, 31895588, 4744994, 8823515, 10365685,
1510              -27224800, 9448613, -28774454, 366295},
1511             {19153450, 11523972, -11096490, -6503142, -24647631, 5420647,
1512              28344573, 8041113, 719605, 11671788},
1513             {8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916,
1514              -15266516, 27000813, -10195553},
1515         },
1516         {
1517             {-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065,
1518              5336097, 6750977, -14521026},
1519             {11836410, -3979488, 26297894, 16080799, 23455045, 15735944,
1520              1695823, -8819122, 8169720, 16220347},
1521             {-18115838, 8653647, 17578566, -6092619, -8025777, -16012763,
1522              -11144307, -2627664, -5990708, -14166033},
1523         },
1524         {
1525             {-23308498, -10968312, 15213228, -10081214, -30853605, -11050004,
1526              27884329, 2847284, 2655861, 1738395},
1527             {-27537433, -14253021, -25336301, -8002780, -9370762, 8129821,
1528              21651608, -3239336, -19087449, -11005278},
1529             {1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092,
1530              5821408, 10478196, 8544890},
1531         },
1532         {
1533             {32173121, -16129311, 24896207, 3921497, 22579056, -3410854,
1534              19270449, 12217473, 17789017, -3395995},
1535             {-30552961, -2228401, -15578829, -10147201, 13243889, 517024,
1536              15479401, -3853233, 30460520, 1052596},
1537             {-11614875, 13323618, 32618793, 8175907, -15230173, 12596687,
1538              27491595, -4612359, 3179268, -9478891},
1539         },
1540         {
1541             {31947069, -14366651, -4640583, -15339921, -15125977, -6039709,
1542              -14756777, -16411740, 19072640, -9511060},
1543             {11685058, 11822410, 3158003, -13952594, 33402194, -4165066,
1544              5977896, -5215017, 473099, 5040608},
1545             {-20290863, 8198642, -27410132, 11602123, 1290375, -2799760,
1546              28326862, 1721092, -19558642, -3131606},
1547         },
1548     },
1549     {
1550         {
1551             {7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786,
1552              8076149, -27868496, 11538389},
1553             {-19935666, 3899861, 18283497, -6801568, -15728660, -11249211,
1554              8754525, 7446702, -5676054, 5797016},
1555             {-11295600, -3793569, -15782110, -7964573, 12708869, -8456199,
1556              2014099, -9050574, -2369172, -5877341},
1557         },
1558         {
1559             {-22472376, -11568741, -27682020, 1146375, 18956691, 16640559,
1560              1192730, -3714199, 15123619, 10811505},
1561             {14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363,
1562              15776356, -28886779, -11974553},
1563             {-28241164, -8072475, -4978962, -5315317, 29416931, 1847569,
1564              -20654173, -16484855, 4714547, -9600655},
1565         },
1566         {
1567             {15200332, 8368572, 19679101, 15970074, -31872674, 1959451,
1568              24611599, -4543832, -11745876, 12340220},
1569             {12876937, -10480056, 33134381, 6590940, -6307776, 14872440,
1570              9613953, 8241152, 15370987, 9608631},
1571             {-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868,
1572              15866074, -28210621, -8814099},
1573         },
1574         {
1575             {26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233,
1576              858697, 20571223, 8420556},
1577             {14620715, 13067227, -15447274, 8264467, 14106269, 15080814,
1578              33531827, 12516406, -21574435, -12476749},
1579             {236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519,
1580              7256740, 8791136, 15069930},
1581         },
1582         {
1583             {1276410, -9371918, 22949635, -16322807, -23493039, -5702186,
1584              14711875, 4874229, -30663140, -2331391},
1585             {5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175,
1586              -7912378, -33069337, 9234253},
1587             {20590503, -9018988, 31529744, -7352666, -2706834, 10650548,
1588              31559055, -11609587, 18979186, 13396066},
1589         },
1590         {
1591             {24474287, 4968103, 22267082, 4407354, 24063882, -8325180,
1592              -18816887, 13594782, 33514650, 7021958},
1593             {-11566906, -6565505, -21365085, 15928892, -26158305, 4315421,
1594              -25948728, -3916677, -21480480, 12868082},
1595             {-28635013, 13504661, 19988037, -2132761, 21078225, 6443208,
1596              -21446107, 2244500, -12455797, -8089383},
1597         },
1598         {
1599             {-30595528, 13793479, -5852820, 319136, -25723172, -6263899,
1600              33086546, 8957937, -15233648, 5540521},
1601             {-11630176, -11503902, -8119500, -7643073, 2620056, 1022908,
1602              -23710744, -1568984, -16128528, -14962807},
1603             {23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819,
1604              892185, -11513277, -15205948},
1605         },
1606         {
1607             {9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819,
1608              4763127, -19179614, 5867134},
1609             {-32765025, 1927590, 31726409, -4753295, 23962434, -16019500,
1610              27846559, 5931263, -29749703, -16108455},
1611             {27461885, -2977536, 22380810, 1815854, -23033753, -3031938,
1612              7283490, -15148073, -19526700, 7734629},
1613         },
1614     },
1615     {
1616         {
1617             {-8010264, -9590817, -11120403, 6196038, 29344158, -13430885,
1618              7585295, -3176626, 18549497, 15302069},
1619             {-32658337, -6171222, -7672793, -11051681, 6258878, 13504381,
1620              10458790, -6418461, -8872242, 8424746},
1621             {24687205, 8613276, -30667046, -3233545, 1863892, -1830544,
1622              19206234, 7134917, -11284482, -828919},
1623         },
1624         {
1625             {11334899, -9218022, 8025293, 12707519, 17523892, -10476071,
1626              10243738, -14685461, -5066034, 16498837},
1627             {8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925,
1628              -14124238, 6536641, 10543906},
1629             {-28946384, 15479763, -17466835, 568876, -1497683, 11223454,
1630              -2669190, -16625574, -27235709, 8876771},
1631         },
1632         {
1633             {-25742899, -12566864, -15649966, -846607, -33026686, -796288,
1634              -33481822, 15824474, -604426, -9039817},
1635             {10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697,
1636              -4890037, 1657394, 3084098},
1637             {10477963, -7470260, 12119566, -13250805, 29016247, -5365589,
1638              31280319, 14396151, -30233575, 15272409},
1639         },
1640         {
1641             {-12288309, 3169463, 28813183, 16658753, 25116432, -5630466,
1642              -25173957, -12636138, -25014757, 1950504},
1643             {-26180358, 9489187, 11053416, -14746161, -31053720, 5825630,
1644              -8384306, -8767532, 15341279, 8373727},
1645             {28685821, 7759505, -14378516, -12002860, -31971820, 4079242,
1646              298136, -10232602, -2878207, 15190420},
1647         },
1648         {
1649             {-32932876, 13806336, -14337485, -15794431, -24004620, 10940928,
1650              8669718, 2742393, -26033313, -6875003},
1651             {-1580388, -11729417, -25979658, -11445023, -17411874, -10912854,
1652              9291594, -16247779, -12154742, 6048605},
1653             {-30305315, 14843444, 1539301, 11864366, 20201677, 1900163,
1654              13934231, 5128323, 11213262, 9168384},
1655         },
1656         {
1657             {-26280513, 11007847, 19408960, -940758, -18592965, -4328580,
1658              -5088060, -11105150, 20470157, -16398701},
1659             {-23136053, 9282192, 14855179, -15390078, -7362815, -14408560,
1660              -22783952, 14461608, 14042978, 5230683},
1661             {29969567, -2741594, -16711867, -8552442, 9175486, -2468974,
1662              21556951, 3506042, -5933891, -12449708},
1663         },
1664         {
1665             {-3144746, 8744661, 19704003, 4581278, -20430686, 6830683,
1666              -21284170, 8971513, -28539189, 15326563},
1667             {-19464629, 10110288, -17262528, -3503892, -23500387, 1355669,
1668              -15523050, 15300988, -20514118, 9168260},
1669             {-5353335, 4488613, -23803248, 16314347, 7780487, -15638939,
1670              -28948358, 9601605, 33087103, -9011387},
1671         },
1672         {
1673             {-19443170, -15512900, -20797467, -12445323, -29824447, 10229461,
1674              -27444329, -15000531, -5996870, 15664672},
1675             {23294591, -16632613, -22650781, -8470978, 27844204, 11461195,
1676              13099750, -2460356, 18151676, 13417686},
1677             {-24722913, -4176517, -31150679, 5988919, -26858785, 6685065,
1678              1661597, -12551441, 15271676, -15452665},
1679         },
1680     },
1681     {
1682         {
1683             {11433042, -13228665, 8239631, -5279517, -1985436, -725718,
1684              -18698764, 2167544, -6921301, -13440182},
1685             {-31436171, 15575146, 30436815, 12192228, -22463353, 9395379,
1686              -9917708, -8638997, 12215110, 12028277},
1687             {14098400, 6555944, 23007258, 5757252, -15427832, -12950502,
1688              30123440, 4617780, -16900089, -655628},
1689         },
1690         {
1691             {-4026201, -15240835, 11893168, 13718664, -14809462, 1847385,
1692              -15819999, 10154009, 23973261, -12684474},
1693             {-26531820, -3695990, -1908898, 2534301, -31870557, -16550355,
1694              18341390, -11419951, 32013174, -10103539},
1695             {-25479301, 10876443, -11771086, -14625140, -12369567, 1838104,
1696              21911214, 6354752, 4425632, -837822},
1697         },
1698         {
1699             {-10433389, -14612966, 22229858, -3091047, -13191166, 776729,
1700              -17415375, -12020462, 4725005, 14044970},
1701             {19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390,
1702              -1411784, -19522291, -16109756},
1703             {-24864089, 12986008, -10898878, -5558584, -11312371, -148526,
1704              19541418, 8180106, 9282262, 10282508},
1705         },
1706         {
1707             {-26205082, 4428547, -8661196, -13194263, 4098402, -14165257,
1708              15522535, 8372215, 5542595, -10702683},
1709             {-10562541, 14895633, 26814552, -16673850, -17480754, -2489360,
1710              -2781891, 6993761, -18093885, 10114655},
1711             {-20107055, -929418, 31422704, 10427861, -7110749, 6150669,
1712              -29091755, -11529146, 25953725, -106158},
1713         },
1714         {
1715             {-4234397, -8039292, -9119125, 3046000, 2101609, -12607294,
1716              19390020, 6094296, -3315279, 12831125},
1717             {-15998678, 7578152, 5310217, 14408357, -33548620, -224739,
1718              31575954, 6326196, 7381791, -2421839},
1719             {-20902779, 3296811, 24736065, -16328389, 18374254, 7318640,
1720              6295303, 8082724, -15362489, 12339664},
1721         },
1722         {
1723             {27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414,
1724              15768922, 25091167, 14856294},
1725             {-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300,
1726              -12695493, -22182473, -9012899},
1727             {-11423429, -5421590, 11632845, 3405020, 30536730, -11674039,
1728              -27260765, 13866390, 30146206, 9142070},
1729         },
1730         {
1731             {3924129, -15307516, -13817122, -10054960, 12291820, -668366,
1732              -27702774, 9326384, -8237858, 4171294},
1733             {-15921940, 16037937, 6713787, 16606682, -21612135, 2790944,
1734              26396185, 3731949, 345228, -5462949},
1735             {-21327538, 13448259, 25284571, 1143661, 20614966, -8849387,
1736              2031539, -12391231, -16253183, -13582083},
1737         },
1738         {
1739             {31016211, -16722429, 26371392, -14451233, -5027349, 14854137,
1740              17477601, 3842657, 28012650, -16405420},
1741             {-5075835, 9368966, -8562079, -4600902, -15249953, 6970560,
1742              -9189873, 16292057, -8867157, 3507940},
1743             {29439664, 3537914, 23333589, 6997794, -17555561, -11018068,
1744              -15209202, -15051267, -9164929, 6580396},
1745         },
1746     },
1747     {
1748         {
1749             {-12185861, -7679788, 16438269, 10826160, -8696817, -6235611,
1750              17860444, -9273846, -2095802, 9304567},
1751             {20714564, -4336911, 29088195, 7406487, 11426967, -5095705,
1752              14792667, -14608617, 5289421, -477127},
1753             {-16665533, -10650790, -6160345, -13305760, 9192020, -1802462,
1754              17271490, 12349094, 26939669, -3752294},
1755         },
1756         {
1757             {-12889898, 9373458, 31595848, 16374215, 21471720, 13221525,
1758              -27283495, -12348559, -3698806, 117887},
1759             {22263325, -6560050, 3984570, -11174646, -15114008, -566785,
1760              28311253, 5358056, -23319780, 541964},
1761             {16259219, 3261970, 2309254, -15534474, -16885711, -4581916,
1762              24134070, -16705829, -13337066, -13552195},
1763         },
1764         {
1765             {9378160, -13140186, -22845982, -12745264, 28198281, -7244098,
1766              -2399684, -717351, 690426, 14876244},
1767             {24977353, -314384, -8223969, -13465086, 28432343, -1176353,
1768              -13068804, -12297348, -22380984, 6618999},
1769             {-1538174, 11685646, 12944378, 13682314, -24389511, -14413193,
1770              8044829, -13817328, 32239829, -5652762},
1771         },
1772         {
1773             {-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647,
1774              -10350059, 32779359, 5095274},
1775             {-33008130, -5214506, -32264887, -3685216, 9460461, -9327423,
1776              -24601656, 14506724, 21639561, -2630236},
1777             {-16400943, -13112215, 25239338, 15531969, 3987758, -4499318,
1778              -1289502, -6863535, 17874574, 558605},
1779         },
1780         {
1781             {-13600129, 10240081, 9171883, 16131053, -20869254, 9599700,
1782              33499487, 5080151, 2085892, 5119761},
1783             {-22205145, -2519528, -16381601, 414691, -25019550, 2170430,
1784              30634760, -8363614, -31999993, -5759884},
1785             {-6845704, 15791202, 8550074, -1312654, 29928809, -12092256,
1786              27534430, -7192145, -22351378, 12961482},
1787         },
1788         {
1789             {-24492060, -9570771, 10368194, 11582341, -23397293, -2245287,
1790              16533930, 8206996, -30194652, -5159638},
1791             {-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630,
1792              7031275, 7589640, 8945490},
1793             {-32152748, 8917967, 6661220, -11677616, -1192060, -15793393,
1794              7251489, -11182180, 24099109, -14456170},
1795         },
1796         {
1797             {5019558, -7907470, 4244127, -14714356, -26933272, 6453165,
1798              -19118182, -13289025, -6231896, -10280736},
1799             {10853594, 10721687, 26480089, 5861829, -22995819, 1972175,
1800              -1866647, -10557898, -3363451, -6441124},
1801             {-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661,
1802              -2008168, -13866408, 7421392},
1803         },
1804         {
1805             {8139927, -6546497, 32257646, -5890546, 30375719, 1886181,
1806              -21175108, 15441252, 28826358, -4123029},
1807             {6267086, 9695052, 7709135, -16603597, -32869068, -1886135,
1808              14795160, -7840124, 13746021, -1742048},
1809             {28584902, 7787108, -6732942, -15050729, 22846041, -7571236,
1810              -3181936, -363524, 4771362, -8419958},
1811         },
1812     },
1813     {
1814         {
1815             {24949256, 6376279, -27466481, -8174608, -18646154, -9930606,
1816              33543569, -12141695, 3569627, 11342593},
1817             {26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886,
1818              4608608, 7325975, -14801071},
1819             {-11618399, -14554430, -24321212, 7655128, -1369274, 5214312,
1820              -27400540, 10258390, -17646694, -8186692},
1821         },
1822         {
1823             {11431204, 15823007, 26570245, 14329124, 18029990, 4796082,
1824              -31446179, 15580664, 9280358, -3973687},
1825             {-160783, -10326257, -22855316, -4304997, -20861367, -13621002,
1826              -32810901, -11181622, -15545091, 4387441},
1827             {-20799378, 12194512, 3937617, -5805892, -27154820, 9340370,
1828              -24513992, 8548137, 20617071, -7482001},
1829         },
1830         {
1831             {-938825, -3930586, -8714311, 16124718, 24603125, -6225393,
1832              -13775352, -11875822, 24345683, 10325460},
1833             {-19855277, -1568885, -22202708, 8714034, 14007766, 6928528,
1834              16318175, -1010689, 4766743, 3552007},
1835             {-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514,
1836              14481909, 10988822, -3994762},
1837         },
1838         {
1839             {15564307, -14311570, 3101243, 5684148, 30446780, -8051356,
1840              12677127, -6505343, -8295852, 13296005},
1841             {-9442290, 6624296, -30298964, -11913677, -4670981, -2057379,
1842              31521204, 9614054, -30000824, 12074674},
1843             {4771191, -135239, 14290749, -13089852, 27992298, 14998318,
1844              -1413936, -1556716, 29832613, -16391035},
1845         },
1846         {
1847             {7064884, -7541174, -19161962, -5067537, -18891269, -2912736,
1848              25825242, 5293297, -27122660, 13101590},
1849             {-2298563, 2439670, -7466610, 1719965, -27267541, -16328445,
1850              32512469, -5317593, -30356070, -4190957},
1851             {-30006540, 10162316, -33180176, 3981723, -16482138, -13070044,
1852              14413974, 9515896, 19568978, 9628812},
1853         },
1854         {
1855             {33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894,
1856              -6106839, -6291786, 3437740},
1857             {-18978877, 3884493, 19469877, 12726490, 15913552, 13614290,
1858              -22961733, 70104, 7463304, 4176122},
1859             {-27124001, 10659917, 11482427, -16070381, 12771467, -6635117,
1860              -32719404, -5322751, 24216882, 5944158},
1861         },
1862         {
1863             {8894125, 7450974, -2664149, -9765752, -28080517, -12389115,
1864              19345746, 14680796, 11632993, 5847885},
1865             {26942781, -2315317, 9129564, -4906607, 26024105, 11769399,
1866              -11518837, 6367194, -9727230, 4782140},
1867             {19916461, -4828410, -22910704, -11414391, 25606324, -5972441,
1868              33253853, 8220911, 6358847, -1873857},
1869         },
1870         {
1871             {801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388,
1872              -4480480, -13538503, 1387155},
1873             {19646058, 5720633, -11416706, 12814209, 11607948, 12749789,
1874              14147075, 15156355, -21866831, 11835260},
1875             {19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523,
1876              15467869, -26560550, 5052483},
1877         },
1878     },
1879     {
1880         {
1881             {-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123,
1882              -12618185, 12228557, -7003677},
1883             {32944382, 14922211, -22844894, 5188528, 21913450, -8719943,
1884              4001465, 13238564, -6114803, 8653815},
1885             {22865569, -4652735, 27603668, -12545395, 14348958, 8234005,
1886              24808405, 5719875, 28483275, 2841751},
1887         },
1888         {
1889             {-16420968, -1113305, -327719, -12107856, 21886282, -15552774,
1890              -1887966, -315658, 19932058, -12739203},
1891             {-11656086, 10087521, -8864888, -5536143, -19278573, -3055912,
1892              3999228, 13239134, -4777469, -13910208},
1893             {1382174, -11694719, 17266790, 9194690, -13324356, 9720081,
1894              20403944, 11284705, -14013818, 3093230},
1895         },
1896         {
1897             {16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424,
1898              16271225, -24049421, -6691850},
1899             {-21911077, -5927941, -4611316, -5560156, -31744103, -10785293,
1900              24123614, 15193618, -21652117, -16739389},
1901             {-9935934, -4289447, -25279823, 4372842, 2087473, 10399484,
1902              31870908, 14690798, 17361620, 11864968},
1903         },
1904         {
1905             {-11307610, 6210372, 13206574, 5806320, -29017692, -13967200,
1906              -12331205, -7486601, -25578460, -16240689},
1907             {14668462, -12270235, 26039039, 15305210, 25515617, 4542480,
1908              10453892, 6577524, 9145645, -6443880},
1909             {5974874, 3053895, -9433049, -10385191, -31865124, 3225009,
1910              -7972642, 3936128, -5652273, -3050304},
1911         },
1912         {
1913             {30625386, -4729400, -25555961, -12792866, -20484575, 7695099,
1914              17097188, -16303496, -27999779, 1803632},
1915             {-3553091, 9865099, -5228566, 4272701, -5673832, -16689700,
1916              14911344, 12196514, -21405489, 7047412},
1917             {20093277, 9920966, -11138194, -5343857, 13161587, 12044805,
1918              -32856851, 4124601, -32343828, -10257566},
1919         },
1920         {
1921             {-20788824, 14084654, -13531713, 7842147, 19119038, -13822605,
1922              4752377, -8714640, -21679658, 2288038},
1923             {-26819236, -3283715, 29965059, 3039786, -14473765, 2540457,
1924              29457502, 14625692, -24819617, 12570232},
1925             {-1063558, -11551823, 16920318, 12494842, 1278292, -5869109,
1926              -21159943, -3498680, -11974704, 4724943},
1927         },
1928         {
1929             {17960970, -11775534, -4140968, -9702530, -8876562, -1410617,
1930              -12907383, -8659932, -29576300, 1903856},
1931             {23134274, -14279132, -10681997, -1611936, 20684485, 15770816,
1932              -12989750, 3190296, 26955097, 14109738},
1933             {15308788, 5320727, -30113809, -14318877, 22902008, 7767164,
1934              29425325, -11277562, 31960942, 11934971},
1935         },
1936         {
1937             {-27395711, 8435796, 4109644, 12222639, -24627868, 14818669,
1938              20638173, 4875028, 10491392, 1379718},
1939             {-13159415, 9197841, 3875503, -8936108, -1383712, -5879801,
1940              33518459, 16176658, 21432314, 12180697},
1941             {-11787308, 11500838, 13787581, -13832590, -22430679, 10140205,
1942              1465425, 12689540, -10301319, -13872883},
1943         },
1944     },
1945     {
1946         {
1947             {5414091, -15386041, -21007664, 9643570, 12834970, 1186149,
1948              -2622916, -1342231, 26128231, 6032912},
1949             {-26337395, -13766162, 32496025, -13653919, 17847801, -12669156,
1950              3604025, 8316894, -25875034, -10437358},
1951             {3296484, 6223048, 24680646, -12246460, -23052020, 5903205,
1952              -8862297, -4639164, 12376617, 3188849},
1953         },
1954         {
1955             {29190488, -14659046, 27549113, -1183516, 3520066, -10697301,
1956              32049515, -7309113, -16109234, -9852307},
1957             {-14744486, -9309156, 735818, -598978, -20407687, -5057904,
1958              25246078, -15795669, 18640741, -960977},
1959             {-6928835, -16430795, 10361374, 5642961, 4910474, 12345252,
1960              -31638386, -494430, 10530747, 1053335},
1961         },
1962         {
1963             {-29265967, -14186805, -13538216, -12117373, -19457059, -10655384,
1964              -31462369, -2948985, 24018831, 15026644},
1965             {-22592535, -3145277, -2289276, 5953843, -13440189, 9425631,
1966              25310643, 13003497, -2314791, -15145616},
1967             {-27419985, -603321, -8043984, -1669117, -26092265, 13987819,
1968              -27297622, 187899, -23166419, -2531735},
1969         },
1970         {
1971             {-21744398, -13810475, 1844840, 5021428, -10434399, -15911473,
1972              9716667, 16266922, -5070217, 726099},
1973             {29370922, -6053998, 7334071, -15342259, 9385287, 2247707,
1974              -13661962, -4839461, 30007388, -15823341},
1975             {-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109,
1976              730663, 9835848, 4555336},
1977         },
1978         {
1979             {-23376435, 1410446, -22253753, -12899614, 30867635, 15826977,
1980              17693930, 544696, -11985298, 12422646},
1981             {31117226, -12215734, -13502838, 6561947, -9876867, -12757670,
1982              -5118685, -4096706, 29120153, 13924425},
1983             {-17400879, -14233209, 19675799, -2734756, -11006962, -5858820,
1984              -9383939, -11317700, 7240931, -237388},
1985         },
1986         {
1987             {-31361739, -11346780, -15007447, -5856218, -22453340, -12152771,
1988              1222336, 4389483, 3293637, -15551743},
1989             {-16684801, -14444245, 11038544, 11054958, -13801175, -3338533,
1990              -24319580, 7733547, 12796905, -6335822},
1991             {-8759414, -10817836, -25418864, 10783769, -30615557, -9746811,
1992              -28253339, 3647836, 3222231, -11160462},
1993         },
1994         {
1995             {18606113, 1693100, -25448386, -15170272, 4112353, 10045021,
1996              23603893, -2048234, -7550776, 2484985},
1997             {9255317, -3131197, -12156162, -1004256, 13098013, -9214866,
1998              16377220, -2102812, -19802075, -3034702},
1999             {-22729289, 7496160, -5742199, 11329249, 19991973, -3347502,
2000              -31718148, 9936966, -30097688, -10618797},
2001         },
2002         {
2003             {21878590, -5001297, 4338336, 13643897, -3036865, 13160960,
2004              19708896, 5415497, -7360503, -4109293},
2005             {27736861, 10103576, 12500508, 8502413, -3413016, -9633558,
2006              10436918, -1550276, -23659143, -8132100},
2007             {19492550, -12104365, -29681976, -852630, -3208171, 12403437,
2008              30066266, 8367329, 13243957, 8709688},
2009         },
2010     },
2011     {
2012         {
2013             {12015105, 2801261, 28198131, 10151021, 24818120, -4743133,
2014              -11194191, -5645734, 5150968, 7274186},
2015             {2831366, -12492146, 1478975, 6122054, 23825128, -12733586,
2016              31097299, 6083058, 31021603, -9793610},
2017             {-2529932, -2229646, 445613, 10720828, -13849527, -11505937,
2018              -23507731, 16354465, 15067285, -14147707},
2019         },
2020         {
2021             {7840942, 14037873, -33364863, 15934016, -728213, -3642706,
2022              21403988, 1057586, -19379462, -12403220},
2023             {915865, -16469274, 15608285, -8789130, -24357026, 6060030,
2024              -17371319, 8410997, -7220461, 16527025},
2025             {32922597, -556987, 20336074, -16184568, 10903705, -5384487,
2026              16957574, 52992, 23834301, 6588044},
2027         },
2028         {
2029             {32752030, 11232950, 3381995, -8714866, 22652988, -10744103,
2030              17159699, 16689107, -20314580, -1305992},
2031             {-4689649, 9166776, -25710296, -10847306, 11576752, 12733943,
2032              7924251, -2752281, 1976123, -7249027},
2033             {21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041,
2034              -3371252, 12331345, -8237197},
2035         },
2036         {
2037             {8651614, -4477032, -16085636, -4996994, 13002507, 2950805,
2038              29054427, -5106970, 10008136, -4667901},
2039             {31486080, 15114593, -14261250, 12951354, 14369431, -7387845,
2040              16347321, -13662089, 8684155, -10532952},
2041             {19443825, 11385320, 24468943, -9659068, -23919258, 2187569,
2042              -26263207, -6086921, 31316348, 14219878},
2043         },
2044         {
2045             {-28594490, 1193785, 32245219, 11392485, 31092169, 15722801,
2046              27146014, 6992409, 29126555, 9207390},
2047             {32382935, 1110093, 18477781, 11028262, -27411763, -7548111,
2048              -4980517, 10843782, -7957600, -14435730},
2049             {2814918, 7836403, 27519878, -7868156, -20894015, -11553689,
2050              -21494559, 8550130, 28346258, 1994730},
2051         },
2052         {
2053             {-19578299, 8085545, -14000519, -3948622, 2785838, -16231307,
2054              -19516951, 7174894, 22628102, 8115180},
2055             {-30405132, 955511, -11133838, -15078069, -32447087, -13278079,
2056              -25651578, 3317160, -9943017, 930272},
2057             {-15303681, -6833769, 28856490, 1357446, 23421993, 1057177,
2058              24091212, -1388970, -22765376, -10650715},
2059         },
2060         {
2061             {-22751231, -5303997, -12907607, -12768866, -15811511, -7797053,
2062              -14839018, -16554220, -1867018, 8398970},
2063             {-31969310, 2106403, -4736360, 1362501, 12813763, 16200670,
2064              22981545, -6291273, 18009408, -15772772},
2065             {-17220923, -9545221, -27784654, 14166835, 29815394, 7444469,
2066              29551787, -3727419, 19288549, 1325865},
2067         },
2068         {
2069             {15100157, -15835752, -23923978, -1005098, -26450192, 15509408,
2070              12376730, -3479146, 33166107, -8042750},
2071             {20909231, 13023121, -9209752, 16251778, -5778415, -8094914,
2072              12412151, 10018715, 2213263, -13878373},
2073             {32529814, -11074689, 30361439, -16689753, -9135940, 1513226,
2074              22922121, 6382134, -5766928, 8371348},
2075         },
2076     },
2077     {
2078         {
2079             {9923462, 11271500, 12616794, 3544722, -29998368, -1721626,
2080              12891687, -8193132, -26442943, 10486144},
2081             {-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726,
2082              2610596, -23921530, -11455195},
2083             {5408411, -1136691, -4969122, 10561668, 24145918, 14240566,
2084              31319731, -4235541, 19985175, -3436086},
2085         },
2086         {
2087             {-13994457, 16616821, 14549246, 3341099, 32155958, 13648976,
2088              -17577068, 8849297, 65030, 8370684},
2089             {-8320926, -12049626, 31204563, 5839400, -20627288, -1057277,
2090              -19442942, 6922164, 12743482, -9800518},
2091             {-2361371, 12678785, 28815050, 4759974, -23893047, 4884717,
2092              23783145, 11038569, 18800704, 255233},
2093         },
2094         {
2095             {-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847,
2096              9066957, 19258688, -14753793},
2097             {-2936654, -10827535, -10432089, 14516793, -3640786, 4372541,
2098              -31934921, 2209390, -1524053, 2055794},
2099             {580882, 16705327, 5468415, -2683018, -30926419, -14696000,
2100              -7203346, -8994389, -30021019, 7394435},
2101         },
2102         {
2103             {23838809, 1822728, -15738443, 15242727, 8318092, -3733104,
2104              -21672180, -3492205, -4821741, 14799921},
2105             {13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804,
2106              13496856, -9056018, 7402518},
2107             {2286874, -4435931, -20042458, -2008336, -13696227, 5038122,
2108              11006906, -15760352, 8205061, 1607563},
2109         },
2110         {
2111             {14414086, -8002132, 3331830, -3208217, 22249151, -5594188,
2112              18364661, -2906958, 30019587, -9029278},
2113             {-27688051, 1585953, -10775053, 931069, -29120221, -11002319,
2114              -14410829, 12029093, 9944378, 8024},
2115             {4368715, -3709630, 29874200, -15022983, -20230386, -11410704,
2116              -16114594, -999085, -8142388, 5640030},
2117         },
2118         {
2119             {10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887,
2120              -16694564, 15219798, -14327783},
2121             {27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605,
2122              -1173195, -18342183, 9742717},
2123             {6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614,
2124              7406442, 12420155, 1994844},
2125         },
2126         {
2127             {14012521, -5024720, -18384453, -9578469, -26485342, -3936439,
2128              -13033478, -10909803, 24319929, -6446333},
2129             {16412690, -4507367, 10772641, 15929391, -17068788, -4658621,
2130              10555945, -10484049, -30102368, -4739048},
2131             {22397382, -7767684, -9293161, -12792868, 17166287, -9755136,
2132              -27333065, 6199366, 21880021, -12250760},
2133         },
2134         {
2135             {-4283307, 5368523, -31117018, 8163389, -30323063, 3209128,
2136              16557151, 8890729, 8840445, 4957760},
2137             {-15447727, 709327, -6919446, -10870178, -29777922, 6522332,
2138              -21720181, 12130072, -14796503, 5005757},
2139             {-2114751, -14308128, 23019042, 15765735, -25269683, 6002752,
2140              10183197, -13239326, -16395286, -2176112},
2141         },
2142     },
2143     {
2144         {
2145             {-19025756, 1632005, 13466291, -7995100, -23640451, 16573537,
2146              -32013908, -3057104, 22208662, 2000468},
2147             {3065073, -1412761, -25598674, -361432, -17683065, -5703415,
2148              -8164212, 11248527, -3691214, -7414184},
2149             {10379208, -6045554, 8877319, 1473647, -29291284, -12507580,
2150              16690915, 2553332, -3132688, 16400289},
2151         },
2152         {
2153             {15716668, 1254266, -18472690, 7446274, -8448918, 6344164,
2154              -22097271, -7285580, 26894937, 9132066},
2155             {24158887, 12938817, 11085297, -8177598, -28063478, -4457083,
2156              -30576463, 64452, -6817084, -2692882},
2157             {13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710,
2158              -3418511, -4688006, 2364226},
2159         },
2160         {
2161             {16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024,
2162              -11697457, 15445875, -7798101},
2163             {29004207, -7867081, 28661402, -640412, -12794003, -7943086,
2164              31863255, -4135540, -278050, -15759279},
2165             {-6122061, -14866665, -28614905, 14569919, -10857999, -3591829,
2166              10343412, -6976290, -29828287, -10815811},
2167         },
2168         {
2169             {27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636,
2170              15372179, 17293797, 960709},
2171             {20263915, 11434237, -5765435, 11236810, 13505955, -10857102,
2172              -16111345, 6493122, -19384511, 7639714},
2173             {-2830798, -14839232, 25403038, -8215196, -8317012, -16173699,
2174              18006287, -16043750, 29994677, -15808121},
2175         },
2176         {
2177             {9769828, 5202651, -24157398, -13631392, -28051003, -11561624,
2178              -24613141, -13860782, -31184575, 709464},
2179             {12286395, 13076066, -21775189, -1176622, -25003198, 4057652,
2180              -32018128, -8890874, 16102007, 13205847},
2181             {13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170,
2182              8525972, 10151379, 10394400},
2183         },
2184         {
2185             {4024660, -16137551, 22436262, 12276534, -9099015, -2686099,
2186              19698229, 11743039, -33302334, 8934414},
2187             {-15879800, -4525240, -8580747, -2934061, 14634845, -698278,
2188              -9449077, 3137094, -11536886, 11721158},
2189             {17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229,
2190              8835153, -9205489, -1280045},
2191         },
2192         {
2193             {-461409, -7830014, 20614118, 16688288, -7514766, -4807119,
2194              22300304, 505429, 6108462, -6183415},
2195             {-5070281, 12367917, -30663534, 3234473, 32617080, -8422642,
2196              29880583, -13483331, -26898490, -7867459},
2197             {-31975283, 5726539, 26934134, 10237677, -3173717, -605053,
2198              24199304, 3795095, 7592688, -14992079},
2199         },
2200         {
2201             {21594432, -14964228, 17466408, -4077222, 32537084, 2739898,
2202              6407723, 12018833, -28256052, 4298412},
2203             {-20650503, -11961496, -27236275, 570498, 3767144, -1717540,
2204              13891942, -1569194, 13717174, 10805743},
2205             {-14676630, -15644296, 15287174, 11927123, 24177847, -8175568,
2206              -796431, 14860609, -26938930, -5863836},
2207         },
2208     },
2209     {
2210         {
2211             {12962541, 5311799, -10060768, 11658280, 18855286, -7954201,
2212              13286263, -12808704, -4381056, 9882022},
2213             {18512079, 11319350, -20123124, 15090309, 18818594, 5271736,
2214              -22727904, 3666879, -23967430, -3299429},
2215             {-6789020, -3146043, 16192429, 13241070, 15898607, -14206114,
2216              -10084880, -6661110, -2403099, 5276065},
2217         },
2218         {
2219             {30169808, -5317648, 26306206, -11750859, 27814964, 7069267,
2220              7152851, 3684982, 1449224, 13082861},
2221             {10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382,
2222              15056736, -21016438, -8202000},
2223             {-33150110, 3261608, 22745853, 7948688, 19370557, -15177665,
2224              -26171976, 6482814, -10300080, -11060101},
2225         },
2226         {
2227             {32869458, -5408545, 25609743, 15678670, -10687769, -15471071,
2228              26112421, 2521008, -22664288, 6904815},
2229             {29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737,
2230              3841096, -29003639, -6657642},
2231             {10340844, -6630377, -18656632, -2278430, 12621151, -13339055,
2232              30878497, -11824370, -25584551, 5181966},
2233         },
2234         {
2235             {25940115, -12658025, 17324188, -10307374, -8671468, 15029094,
2236              24396252, -16450922, -2322852, -12388574},
2237             {-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390,
2238              12641087, 20603771, -6561742},
2239             {-18882287, -11673380, 24849422, 11501709, 13161720, -4768874,
2240              1925523, 11914390, 4662781, 7820689},
2241         },
2242         {
2243             {12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456,
2244              12172924, 16136752, 15264020},
2245             {-10349955, -14680563, -8211979, 2330220, -17662549, -14545780,
2246              10658213, 6671822, 19012087, 3772772},
2247             {3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732,
2248              -15762884, 20527771, 12988982},
2249         },
2250         {
2251             {-14822485, -5797269, -3707987, 12689773, -898983, -10914866,
2252              -24183046, -10564943, 3299665, -12424953},
2253             {-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197,
2254              6461331, -25583147, 8991218},
2255             {-17226263, 1816362, -1673288, -6086439, 31783888, -8175991,
2256              -32948145, 7417950, -30242287, 1507265},
2257         },
2258         {
2259             {29692663, 6829891, -10498800, 4334896, 20945975, -11906496,
2260              -28887608, 8209391, 14606362, -10647073},
2261             {-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695,
2262              9761487, 4170404, -2085325},
2263             {-11587470, 14855945, -4127778, -1531857, -26649089, 15084046,
2264              22186522, 16002000, -14276837, -8400798},
2265         },
2266         {
2267             {-4811456, 13761029, -31703877, -2483919, -3312471, 7869047,
2268              -7113572, -9620092, 13240845, 10965870},
2269             {-7742563, -8256762, -14768334, -13656260, -23232383, 12387166,
2270              4498947, 14147411, 29514390, 4302863},
2271             {-13413405, -12407859, 20757302, -13801832, 14785143, 8976368,
2272              -5061276, -2144373, 17846988, -13971927},
2273         },
2274     },
2275     {
2276         {
2277             {-2244452, -754728, -4597030, -1066309, -6247172, 1455299,
2278              -21647728, -9214789, -5222701, 12650267},
2279             {-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813,
2280              13770293, -19134326, 10958663},
2281             {22470984, 12369526, 23446014, -5441109, -21520802, -9698723,
2282              -11772496, -11574455, -25083830, 4271862},
2283         },
2284         {
2285             {-25169565, -10053642, -19909332, 15361595, -5984358, 2159192,
2286              75375, -4278529, -32526221, 8469673},
2287             {15854970, 4148314, -8893890, 7259002, 11666551, 13824734,
2288              -30531198, 2697372, 24154791, -9460943},
2289             {15446137, -15806644, 29759747, 14019369, 30811221, -9610191,
2290              -31582008, 12840104, 24913809, 9815020},
2291         },
2292         {
2293             {-4709286, -5614269, -31841498, -12288893, -14443537, 10799414,
2294              -9103676, 13438769, 18735128, 9466238},
2295             {11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821,
2296              -10896103, -22728655, 16199064},
2297             {14576810, 379472, -26786533, -8317236, -29426508, -10812974,
2298              -102766, 1876699, 30801119, 2164795},
2299         },
2300         {
2301             {15995086, 3199873, 13672555, 13712240, -19378835, -4647646,
2302              -13081610, -15496269, -13492807, 1268052},
2303             {-10290614, -3659039, -3286592, 10948818, 23037027, 3794475,
2304              -3470338, -12600221, -17055369, 3565904},
2305             {29210088, -9419337, -5919792, -4952785, 10834811, -13327726,
2306              -16512102, -10820713, -27162222, -14030531},
2307         },
2308         {
2309             {-13161890, 15508588, 16663704, -8156150, -28349942, 9019123,
2310              -29183421, -3769423, 2244111, -14001979},
2311             {-5152875, -3800936, -9306475, -6071583, 16243069, 14684434,
2312              -25673088, -16180800, 13491506, 4641841},
2313             {10813417, 643330, -19188515, -728916, 30292062, -16600078,
2314              27548447, -7721242, 14476989, -12767431},
2315         },
2316         {
2317             {10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937,
2318              -1644259, -27912810, 12651324},
2319             {-31185513, -813383, 22271204, 11835308, 10201545, 15351028,
2320              17099662, 3988035, 21721536, -3148940},
2321             {10202177, -6545839, -31373232, -9574638, -32150642, -8119683,
2322              -12906320, 3852694, 13216206, 14842320},
2323         },
2324         {
2325             {-15815640, -10601066, -6538952, -7258995, -6984659, -6581778,
2326              -31500847, 13765824, -27434397, 9900184},
2327             {14465505, -13833331, -32133984, -14738873, -27443187, 12990492,
2328              33046193, 15796406, -7051866, -8040114},
2329             {30924417, -8279620, 6359016, -12816335, 16508377, 9071735,
2330              -25488601, 15413635, 9524356, -7018878},
2331         },
2332         {
2333             {12274201, -13175547, 32627641, -1785326, 6736625, 13267305,
2334              5237659, -5109483, 15663516, 4035784},
2335             {-2951309, 8903985, 17349946, 601635, -16432815, -4612556,
2336              -13732739, -15889334, -22258478, 4659091},
2337             {-16916263, -4952973, -30393711, -15158821, 20774812, 15897498,
2338              5736189, 15026997, -2178256, -13455585},
2339         },
2340     },
2341     {
2342         {
2343             {-8858980, -2219056, 28571666, -10155518, -474467, -10105698,
2344              -3801496, 278095, 23440562, -290208},
2345             {10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275,
2346              11551483, -16571960, -7442864},
2347             {17932739, -12437276, -24039557, 10749060, 11316803, 7535897,
2348              22503767, 5561594, -3646624, 3898661},
2349         },
2350         {
2351             {7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531,
2352              7152530, 21831162, 1245233},
2353             {26958459, -14658026, 4314586, 8346991, -5677764, 11960072,
2354              -32589295, -620035, -30402091, -16716212},
2355             {-12165896, 9166947, 33491384, 13673479, 29787085, 13096535,
2356              6280834, 14587357, -22338025, 13987525},
2357         },
2358         {
2359             {-24349909, 7778775, 21116000, 15572597, -4833266, -5357778,
2360              -4300898, -5124639, -7469781, -2858068},
2361             {9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781,
2362              6439245, -14581012, 4091397},
2363             {-8426427, 1470727, -28109679, -1596990, 3978627, -5123623,
2364              -19622683, 12092163, 29077877, -14741988},
2365         },
2366         {
2367             {5269168, -6859726, -13230211, -8020715, 25932563, 1763552,
2368              -5606110, -5505881, -20017847, 2357889},
2369             {32264008, -15407652, -5387735, -1160093, -2091322, -3946900,
2370              23104804, -12869908, 5727338, 189038},
2371             {14609123, -8954470, -6000566, -16622781, -14577387, -7743898,
2372              -26745169, 10942115, -25888931, -14884697},
2373         },
2374         {
2375             {20513500, 5557931, -15604613, 7829531, 26413943, -2019404,
2376              -21378968, 7471781, 13913677, -5137875},
2377             {-25574376, 11967826, 29233242, 12948236, -6754465, 4713227,
2378              -8940970, 14059180, 12878652, 8511905},
2379             {-25656801, 3393631, -2955415, -7075526, -2250709, 9366908,
2380              -30223418, 6812974, 5568676, -3127656},
2381         },
2382         {
2383             {11630004, 12144454, 2116339, 13606037, 27378885, 15676917,
2384              -17408753, -13504373, -14395196, 8070818},
2385             {27117696, -10007378, -31282771, -5570088, 1127282, 12772488,
2386              -29845906, 10483306, -11552749, -1028714},
2387             {10637467, -5688064, 5674781, 1072708, -26343588, -6982302,
2388              -1683975, 9177853, -27493162, 15431203},
2389         },
2390         {
2391             {20525145, 10892566, -12742472, 12779443, -29493034, 16150075,
2392              -28240519, 14943142, -15056790, -7935931},
2393             {-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767,
2394              -3239766, -3356550, 9594024},
2395             {-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683,
2396              -6492290, 13352335, -10977084},
2397         },
2398         {
2399             {-1931799, -5407458, 3304649, -12884869, 17015806, -4877091,
2400              -29783850, -7752482, -13215537, -319204},
2401             {20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742,
2402              15077870, -22750759, 14523817},
2403             {27406042, -6041657, 27423596, -4497394, 4996214, 10002360,
2404              -28842031, -4545494, -30172742, -4805667},
2405         },
2406     },
2407     {
2408         {
2409             {11374242, 12660715, 17861383, -12540833, 10935568, 1099227,
2410              -13886076, -9091740, -27727044, 11358504},
2411             {-12730809, 10311867, 1510375, 10778093, -2119455, -9145702,
2412              32676003, 11149336, -26123651, 4985768},
2413             {-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043,
2414              13794114, -19414307, -15621255},
2415         },
2416         {
2417             {6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603,
2418              6970005, -1691065, -9004790},
2419             {1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622,
2420              -5475723, -16796596, -5031438},
2421             {-22273315, -13524424, -64685, -4334223, -18605636, -10921968,
2422              -20571065, -7007978, -99853, -10237333},
2423         },
2424         {
2425             {17747465, 10039260, 19368299, -4050591, -20630635, -16041286,
2426              31992683, -15857976, -29260363, -5511971},
2427             {31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999,
2428              -3744247, 4882242, -10626905},
2429             {29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198,
2430              3272828, -5190932, -4162409},
2431         },
2432         {
2433             {12501286, 4044383, -8612957, -13392385, -32430052, 5136599,
2434              -19230378, -3529697, 330070, -3659409},
2435             {6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522,
2436              -8573892, -271295, 12071499},
2437             {-8365515, -4042521, 25133448, -4517355, -6211027, 2265927,
2438              -32769618, 1936675, -5159697, 3829363},
2439         },
2440         {
2441             {28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550,
2442              -6567787, 26333140, 14267664},
2443             {-11067219, 11871231, 27385719, -10559544, -4585914, -11189312,
2444              10004786, -8709488, -21761224, 8930324},
2445             {-21197785, -16396035, 25654216, -1725397, 12282012, 11008919,
2446              1541940, 4757911, -26491501, -16408940},
2447         },
2448         {
2449             {13537262, -7759490, -20604840, 10961927, -5922820, -13218065,
2450              -13156584, 6217254, -15943699, 13814990},
2451             {-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681,
2452              9257833, -1956526, -1776914},
2453             {-25045300, -10191966, 15366585, 15166509, -13105086, 8423556,
2454              -29171540, 12361135, -18685978, 4578290},
2455         },
2456         {
2457             {24579768, 3711570, 1342322, -11180126, -27005135, 14124956,
2458              -22544529, 14074919, 21964432, 8235257},
2459             {-6528613, -2411497, 9442966, -5925588, 12025640, -1487420,
2460              -2981514, -1669206, 13006806, 2355433},
2461             {-16304899, -13605259, -6632427, -5142349, 16974359, -10911083,
2462              27202044, 1719366, 1141648, -12796236},
2463         },
2464         {
2465             {-12863944, -13219986, -8318266, -11018091, -6810145, -4843894,
2466              13475066, -3133972, 32674895, 13715045},
2467             {11423335, -5468059, 32344216, 8962751, 24989809, 9241752,
2468              -13265253, 16086212, -28740881, -15642093},
2469             {-1409668, 12530728, -6368726, 10847387, 19531186, -14132160,
2470              -11709148, 7791794, -27245943, 4383347},
2471         },
2472     },
2473     {
2474         {
2475             {-28970898, 5271447, -1266009, -9736989, -12455236, 16732599,
2476              -4862407, -4906449, 27193557, 6245191},
2477             {-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898,
2478              3260492, 22510453, 8577507},
2479             {-12632451, 11257346, -32692994, 13548177, -721004, 10879011,
2480              31168030, 13952092, -29571492, -3635906},
2481         },
2482         {
2483             {3877321, -9572739, 32416692, 5405324, -11004407, -13656635,
2484              3759769, 11935320, 5611860, 8164018},
2485             {-16275802, 14667797, 15906460, 12155291, -22111149, -9039718,
2486              32003002, -8832289, 5773085, -8422109},
2487             {-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725,
2488              12376320, 31632953, 190926},
2489         },
2490         {
2491             {-24593607, -16138885, -8423991, 13378746, 14162407, 6901328,
2492              -8288749, 4508564, -25341555, -3627528},
2493             {8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941,
2494              -14786005, -1672488, 827625},
2495             {-32720583, -16289296, -32503547, 7101210, 13354605, 2659080,
2496              -1800575, -14108036, -24878478, 1541286},
2497         },
2498         {
2499             {2901347, -1117687, 3880376, -10059388, -17620940, -3612781,
2500              -21802117, -3567481, 20456845, -1885033},
2501             {27019610, 12299467, -13658288, -1603234, -12861660, -4861471,
2502              -19540150, -5016058, 29439641, 15138866},
2503             {21536104, -6626420, -32447818, -10690208, -22408077, 5175814,
2504              -5420040, -16361163, 7779328, 109896},
2505         },
2506         {
2507             {30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390,
2508              12180118, 23177719, -554075},
2509             {26572847, 3405927, -31701700, 12890905, -19265668, 5335866,
2510              -6493768, 2378492, 4439158, -13279347},
2511             {-22716706, 3489070, -9225266, -332753, 18875722, -1140095,
2512              14819434, -12731527, -17717757, -5461437},
2513         },
2514         {
2515             {-5056483, 16566551, 15953661, 3767752, -10436499, 15627060,
2516              -820954, 2177225, 8550082, -15114165},
2517             {-18473302, 16596775, -381660, 15663611, 22860960, 15585581,
2518              -27844109, -3582739, -23260460, -8428588},
2519             {-32480551, 15707275, -8205912, -5652081, 29464558, 2713815,
2520              -22725137, 15860482, -21902570, 1494193},
2521         },
2522         {
2523             {-19562091, -14087393, -25583872, -9299552, 13127842, 759709,
2524              21923482, 16529112, 8742704, 12967017},
2525             {-28464899, 1553205, 32536856, -10473729, -24691605, -406174,
2526              -8914625, -2933896, -29903758, 15553883},
2527             {21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572,
2528              14513274, 19375923, -12647961},
2529         },
2530         {
2531             {8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818,
2532              -6222716, 2862653, 9455043},
2533             {29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124,
2534              -2990080, 15511449, 4789663},
2535             {-20679756, 7004547, 8824831, -9434977, -4045704, -3750736,
2536              -5754762, 108893, 23513200, 16652362},
2537         },
2538     },
2539     {
2540         {
2541             {-33256173, 4144782, -4476029, -6579123, 10770039, -7155542,
2542              -6650416, -12936300, -18319198, 10212860},
2543             {2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801,
2544              2600940, -9988298, -12506466},
2545             {-24645692, 13317462, -30449259, -15653928, 21365574, -10869657,
2546              11344424, 864440, -2499677, -16710063},
2547         },
2548         {
2549             {-26432803, 6148329, -17184412, -14474154, 18782929, -275997,
2550              -22561534, 211300, 2719757, 4940997},
2551             {-1323882, 3911313, -6948744, 14759765, -30027150, 7851207,
2552              21690126, 8518463, 26699843, 5276295},
2553             {-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586,
2554              149635, -15452774, 7159369},
2555         },
2556         {
2557             {9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009,
2558              8312176, 22477218, -8403385},
2559             {18155857, -16504990, 19744716, 9006923, 15154154, -10538976,
2560              24256460, -4864995, -22548173, 9334109},
2561             {2986088, -4911893, 10776628, -3473844, 10620590, -7083203,
2562              -21413845, 14253545, -22587149, 536906},
2563         },
2564         {
2565             {4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551,
2566              10589625, 10838060, -15420424},
2567             {-19342404, 867880, 9277171, -3218459, -14431572, -1986443,
2568              19295826, -15796950, 6378260, 699185},
2569             {7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039,
2570              15693155, -5045064, -13373962},
2571         },
2572         {
2573             {-7737563, -5869402, -14566319, -7406919, 11385654, 13201616,
2574              31730678, -10962840, -3918636, -9669325},
2575             {10188286, -15770834, -7336361, 13427543, 22223443, 14896287,
2576              30743455, 7116568, -21786507, 5427593},
2577             {696102, 13206899, 27047647, -10632082, 15285305, -9853179,
2578              10798490, -4578720, 19236243, 12477404},
2579         },
2580         {
2581             {-11229439, 11243796, -17054270, -8040865, -788228, -8167967,
2582              -3897669, 11180504, -23169516, 7733644},
2583             {17800790, -14036179, -27000429, -11766671, 23887827, 3149671,
2584              23466177, -10538171, 10322027, 15313801},
2585             {26246234, 11968874, 32263343, -5468728, 6830755, -13323031,
2586              -15794704, -101982, -24449242, 10890804},
2587         },
2588         {
2589             {-31365647, 10271363, -12660625, -6267268, 16690207, -13062544,
2590              -14982212, 16484931, 25180797, -5334884},
2591             {-586574, 10376444, -32586414, -11286356, 19801893, 10997610,
2592              2276632, 9482883, 316878, 13820577},
2593             {-9882808, -4510367, -2115506, 16457136, -11100081, 11674996,
2594              30756178, -7515054, 30696930, -3712849},
2595         },
2596         {
2597             {32988917, -9603412, 12499366, 7910787, -10617257, -11931514,
2598              -7342816, -9985397, -32349517, 7392473},
2599             {-8855661, 15927861, 9866406, -3649411, -2396914, -16655781,
2600              -30409476, -9134995, 25112947, -2926644},
2601             {-2504044, -436966, 25621774, -5678772, 15085042, -5479877,
2602              -24884878, -13526194, 5537438, -13914319},
2603         },
2604     },
2605     {
2606         {
2607             {-11225584, 2320285, -9584280, 10149187, -33444663, 5808648,
2608              -14876251, -1729667, 31234590, 6090599},
2609             {-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721,
2610              15878753, -6970405, -9034768},
2611             {-27757857, 247744, -15194774, -9002551, 23288161, -10011936,
2612              -23869595, 6503646, 20650474, 1804084},
2613         },
2614         {
2615             {-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995,
2616              -10329713, 27842616, -202328},
2617             {-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656,
2618              5031932, -11375082, 12714369},
2619             {20807691, -7270825, 29286141, 11421711, -27876523, -13868230,
2620              -21227475, 1035546, -19733229, 12796920},
2621         },
2622         {
2623             {12076899, -14301286, -8785001, -11848922, -25012791, 16400684,
2624              -17591495, -12899438, 3480665, -15182815},
2625             {-32361549, 5457597, 28548107, 7833186, 7303070, -11953545,
2626              -24363064, -15921875, -33374054, 2771025},
2627             {-21389266, 421932, 26597266, 6860826, 22486084, -6737172,
2628              -17137485, -4210226, -24552282, 15673397},
2629         },
2630         {
2631             {-20184622, 2338216, 19788685, -9620956, -4001265, -8740893,
2632              -20271184, 4733254, 3727144, -12934448},
2633             {6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594,
2634              7975683, 31123697, -10958981},
2635             {30069250, -11435332, 30434654, 2958439, 18399564, -976289,
2636              12296869, 9204260, -16432438, 9648165},
2637         },
2638         {
2639             {32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266,
2640              5248604, -26008332, -11377501},
2641             {17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711,
2642              15298639, 2662509, -16297073},
2643             {-1172927, -7558695, -4366770, -4287744, -21346413, -8434326,
2644              32087529, -1222777, 32247248, -14389861},
2645         },
2646         {
2647             {14312628, 1221556, 17395390, -8700143, -4945741, -8684635,
2648              -28197744, -9637817, -16027623, -13378845},
2649             {-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502,
2650              9803137, 17597934, 2346211},
2651             {18510800, 15337574, 26171504, 981392, -22241552, 7827556,
2652              -23491134, -11323352, 3059833, -11782870},
2653         },
2654         {
2655             {10141598, 6082907, 17829293, -1947643, 9830092, 13613136,
2656              -25556636, -5544586, -33502212, 3592096},
2657             {33114168, -15889352, -26525686, -13343397, 33076705, 8716171,
2658              1151462, 1521897, -982665, -6837803},
2659             {-32939165, -4255815, 23947181, -324178, -33072974, -12305637,
2660              -16637686, 3891704, 26353178, 693168},
2661         },
2662         {
2663             {30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294,
2664              -400668, 31375464, 14369965},
2665             {-14370654, -7772529, 1510301, 6434173, -18784789, -6262728,
2666              32732230, -13108839, 17901441, 16011505},
2667             {18171223, -11934626, -12500402, 15197122, -11038147, -15230035,
2668              -19172240, -16046376, 8764035, 12309598},
2669         },
2670     },
2671     {
2672         {
2673             {5975908, -5243188, -19459362, -9681747, -11541277, 14015782,
2674              -23665757, 1228319, 17544096, -10593782},
2675             {5811932, -1715293, 3442887, -2269310, -18367348, -8359541,
2676              -18044043, -15410127, -5565381, 12348900},
2677             {-31399660, 11407555, 25755363, 6891399, -3256938, 14872274,
2678              -24849353, 8141295, -10632534, -585479},
2679         },
2680         {
2681             {-12675304, 694026, -5076145, 13300344, 14015258, -14451394,
2682              -9698672, -11329050, 30944593, 1130208},
2683             {8247766, -6710942, -26562381, -7709309, -14401939, -14648910,
2684              4652152, 2488540, 23550156, -271232},
2685             {17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737,
2686              -5908146, -408818, -137719},
2687         },
2688         {
2689             {16091085, -16253926, 18599252, 7340678, 2137637, -1221657,
2690              -3364161, 14550936, 3260525, -7166271},
2691             {-4910104, -13332887, 18550887, 10864893, -16459325, -7291596,
2692              -23028869, -13204905, -12748722, 2701326},
2693             {-8574695, 16099415, 4629974, -16340524, -20786213, -6005432,
2694              -10018363, 9276971, 11329923, 1862132},
2695         },
2696         {
2697             {14763076, -15903608, -30918270, 3689867, 3511892, 10313526,
2698              -21951088, 12219231, -9037963, -940300},
2699             {8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216,
2700              -2909717, -15438168, 11595570},
2701             {15214962, 3537601, -26238722, -14058872, 4418657, -15230761,
2702              13947276, 10730794, -13489462, -4363670},
2703         },
2704         {
2705             {-2538306, 7682793, 32759013, 263109, -29984731, -7955452,
2706              -22332124, -10188635, 977108, 699994},
2707             {-12466472, 4195084, -9211532, 550904, -15565337, 12917920,
2708              19118110, -439841, -30534533, -14337913},
2709             {31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237,
2710              -10051775, 12493932, -5409317},
2711         },
2712         {
2713             {-25680606, 5260744, -19235809, -6284470, -3695942, 16566087,
2714              27218280, 2607121, 29375955, 6024730},
2715             {842132, -2794693, -4763381, -8722815, 26332018, -12405641,
2716              11831880, 6985184, -9940361, 2854096},
2717             {-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645,
2718              960770, 12121869, 16648078},
2719         },
2720         {
2721             {-15218652, 14667096, -13336229, 2013717, 30598287, -464137,
2722              -31504922, -7882064, 20237806, 2838411},
2723             {-19288047, 4453152, 15298546, -16178388, 22115043, -15972604,
2724              12544294, -13470457, 1068881, -12499905},
2725             {-9558883, -16518835, 33238498, 13506958, 30505848, -1114596,
2726              -8486907, -2630053, 12521378, 4845654},
2727         },
2728         {
2729             {-28198521, 10744108, -2958380, 10199664, 7759311, -13088600,
2730              3409348, -873400, -6482306, -12885870},
2731             {-23561822, 6230156, -20382013, 10655314, -24040585, -11621172,
2732              10477734, -1240216, -3113227, 13974498},
2733             {12966261, 15550616, -32038948, -1615346, 21025980, -629444,
2734              5642325, 7188737, 18895762, 12629579},
2735         },
2736     },
2737     {
2738         {
2739             {14741879, -14946887, 22177208, -11721237, 1279741, 8058600,
2740              11758140, 789443, 32195181, 3895677},
2741             {10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575,
2742              -3566119, -8982069, 4429647},
2743             {-2453894, 15725973, -20436342, -10410672, -5803908, -11040220,
2744              -7135870, -11642895, 18047436, -15281743},
2745         },
2746         {
2747             {-25173001, -11307165, 29759956, 11776784, -22262383, -15820455,
2748              10993114, -12850837, -17620701, -9408468},
2749             {21987233, 700364, -24505048, 14972008, -7774265, -5718395,
2750              32155026, 2581431, -29958985, 8773375},
2751             {-25568350, 454463, -13211935, 16126715, 25240068, 8594567,
2752              20656846, 12017935, -7874389, -13920155},
2753         },
2754         {
2755             {6028182, 6263078, -31011806, -11301710, -818919, 2461772,
2756              -31841174, -5468042, -1721788, -2776725},
2757             {-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845,
2758              -4166698, 28408820, 6816612},
2759             {-10358094, -8237829, 19549651, -12169222, 22082623, 16147817,
2760              20613181, 13982702, -10339570, 5067943},
2761         },
2762         {
2763             {-30505967, -3821767, 12074681, 13582412, -19877972, 2443951,
2764              -19719286, 12746132, 5331210, -10105944},
2765             {30528811, 3601899, -1957090, 4619785, -27361822, -15436388,
2766              24180793, -12570394, 27679908, -1648928},
2767             {9402404, -13957065, 32834043, 10838634, -26580150, -13237195,
2768              26653274, -8685565, 22611444, -12715406},
2769         },
2770         {
2771             {22190590, 1118029, 22736441, 15130463, -30460692, -5991321,
2772              19189625, -4648942, 4854859, 6622139},
2773             {-8310738, -2953450, -8262579, -3388049, -10401731, -271929,
2774              13424426, -3567227, 26404409, 13001963},
2775             {-31241838, -15415700, -2994250, 8939346, 11562230, -12840670,
2776              -26064365, -11621720, -15405155, 11020693},
2777         },
2778         {
2779             {1866042, -7949489, -7898649, -10301010, 12483315, 13477547,
2780              3175636, -12424163, 28761762, 1406734},
2781             {-448555, -1777666, 13018551, 3194501, -9580420, -11161737,
2782              24760585, -4347088, 25577411, -13378680},
2783             {-24290378, 4759345, -690653, -1852816, 2066747, 10693769,
2784              -29595790, 9884936, -9368926, 4745410},
2785         },
2786         {
2787             {-9141284, 6049714, -19531061, -4341411, -31260798, 9944276,
2788              -15462008, -11311852, 10931924, -11931931},
2789             {-16561513, 14112680, -8012645, 4817318, -8040464, -11414606,
2790              -22853429, 10856641, -20470770, 13434654},
2791             {22759489, -10073434, -16766264, -1871422, 13637442, -10168091,
2792              1765144, -12654326, 28445307, -5364710},
2793         },
2794         {
2795             {29875063, 12493613, 2795536, -3786330, 1710620, 15181182,
2796              -10195717, -8788675, 9074234, 1167180},
2797             {-26205683, 11014233, -9842651, -2635485, -26908120, 7532294,
2798              -18716888, -9535498, 3843903, 9367684},
2799             {-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123,
2800              8601684, -139197, 4242895},
2801         },
2802     },
2803     {
2804         {
2805             {22092954, -13191123, -2042793, -11968512, 32186753, -11517388,
2806              -6574341, 2470660, -27417366, 16625501},
2807             {-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857,
2808              2602725, -27351616, 14247413},
2809             {6314175, -10264892, -32772502, 15957557, -10157730, 168750,
2810              -8618807, 14290061, 27108877, -1180880},
2811         },
2812         {
2813             {-8586597, -7170966, 13241782, 10960156, -32991015, -13794596,
2814              33547976, -11058889, -27148451, 981874},
2815             {22833440, 9293594, -32649448, -13618667, -9136966, 14756819,
2816              -22928859, -13970780, -10479804, -16197962},
2817             {-7768587, 3326786, -28111797, 10783824, 19178761, 14905060,
2818              22680049, 13906969, -15933690, 3797899},
2819         },
2820         {
2821             {21721356, -4212746, -12206123, 9310182, -3882239, -13653110,
2822              23740224, -2709232, 20491983, -8042152},
2823             {9209270, -15135055, -13256557, -6167798, -731016, 15289673,
2824              25947805, 15286587, 30997318, -6703063},
2825             {7392032, 16618386, 23946583, -8039892, -13265164, -1533858,
2826              -14197445, -2321576, 17649998, -250080},
2827         },
2828         {
2829             {-9301088, -14193827, 30609526, -3049543, -25175069, -1283752,
2830              -15241566, -9525724, -2233253, 7662146},
2831             {-17558673, 1763594, -33114336, 15908610, -30040870, -12174295,
2832              7335080, -8472199, -3174674, 3440183},
2833             {-19889700, -5977008, -24111293, -9688870, 10799743, -16571957,
2834              40450, -4431835, 4862400, 1133},
2835         },
2836         {
2837             {-32856209, -7873957, -5422389, 14860950, -16319031, 7956142,
2838              7258061, 311861, -30594991, -7379421},
2839             {-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763,
2840              16527196, 18278453, 15405622},
2841             {-4381906, 8508652, -19898366, -3674424, -5984453, 15149970,
2842              -13313598, 843523, -21875062, 13626197},
2843         },
2844         {
2845             {2281448, -13487055, -10915418, -2609910, 1879358, 16164207,
2846              -10783882, 3953792, 13340839, 15928663},
2847             {31727126, -7179855, -18437503, -8283652, 2875793, -16390330,
2848              -25269894, -7014826, -23452306, 5964753},
2849             {4100420, -5959452, -17179337, 6017714, -18705837, 12227141,
2850              -26684835, 11344144, 2538215, -7570755},
2851         },
2852         {
2853             {-9433605, 6123113, 11159803, -2156608, 30016280, 14966241,
2854              -20474983, 1485421, -629256, -15958862},
2855             {-26804558, 4260919, 11851389, 9658551, -32017107, 16367492,
2856              -20205425, -13191288, 11659922, -11115118},
2857             {26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568,
2858              -10170080, 33100372, -1306171},
2859         },
2860         {
2861             {15121113, -5201871, -10389905, 15427821, -27509937, -15992507,
2862              21670947, 4486675, -5931810, -14466380},
2863             {16166486, -9483733, -11104130, 6023908, -31926798, -1364923,
2864              2340060, -16254968, -10735770, -10039824},
2865             {28042865, -3557089, -12126526, 12259706, -3717498, -6945899,
2866              6766453, -8689599, 18036436, 5803270},
2867         },
2868     },
2869     {
2870         {
2871             {-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391,
2872              4598332, -6159431, -14117438},
2873             {-31031306, -14256194, 17332029, -2383520, 31312682, -5967183,
2874              696309, 50292, -20095739, 11763584},
2875             {-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117,
2876              -12613632, -19773211, -10713562},
2877         },
2878         {
2879             {30464590, -11262872, -4127476, -12734478, 19835327, -7105613,
2880              -24396175, 2075773, -17020157, 992471},
2881             {18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841,
2882              8080033, -11574335, -10601610},
2883             {19598397, 10334610, 12555054, 2555664, 18821899, -10339780,
2884              21873263, 16014234, 26224780, 16452269},
2885         },
2886         {
2887             {-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804,
2888              -7618186, -20533829, 3698650},
2889             {14187449, 3448569, -10636236, -10810935, -22663880, -3433596,
2890              7268410, -10890444, 27394301, 12015369},
2891             {19695761, 16087646, 28032085, 12999827, 6817792, 11427614,
2892              20244189, -1312777, -13259127, -3402461},
2893         },
2894         {
2895             {30860103, 12735208, -1888245, -4699734, -16974906, 2256940,
2896              -8166013, 12298312, -8550524, -10393462},
2897             {-5719826, -11245325, -1910649, 15569035, 26642876, -7587760,
2898              -5789354, -15118654, -4976164, 12651793},
2899             {-2848395, 9953421, 11531313, -5282879, 26895123, -12697089,
2900              -13118820, -16517902, 9768698, -2533218},
2901         },
2902         {
2903             {-24719459, 1894651, -287698, -4704085, 15348719, -8156530,
2904              32767513, 12765450, 4940095, 10678226},
2905             {18860224, 15980149, -18987240, -1562570, -26233012, -11071856,
2906              -7843882, 13944024, -24372348, 16582019},
2907             {-15504260, 4970268, -29893044, 4175593, -20993212, -2199756,
2908              -11704054, 15444560, -11003761, 7989037},
2909         },
2910         {
2911             {31490452, 5568061, -2412803, 2182383, -32336847, 4531686,
2912              -32078269, 6200206, -19686113, -14800171},
2913             {-17308668, -15879940, -31522777, -2831, -32887382, 16375549,
2914              8680158, -16371713, 28550068, -6857132},
2915             {-28126887, -5688091, 16837845, -1820458, -6850681, 12700016,
2916              -30039981, 4364038, 1155602, 5988841},
2917         },
2918         {
2919             {21890435, -13272907, -12624011, 12154349, -7831873, 15300496,
2920              23148983, -4470481, 24618407, 8283181},
2921             {-33136107, -10512751, 9975416, 6841041, -31559793, 16356536,
2922              3070187, -7025928, 1466169, 10740210},
2923             {-1509399, -15488185, -13503385, -10655916, 32799044, 909394,
2924              -13938903, -5779719, -32164649, -15327040},
2925         },
2926         {
2927             {3960823, -14267803, -28026090, -15918051, -19404858, 13146868,
2928              15567327, 951507, -3260321, -573935},
2929             {24740841, 5052253, -30094131, 8961361, 25877428, 6165135,
2930              -24368180, 14397372, -7380369, -6144105},
2931             {-28888365, 3510803, -28103278, -1158478, -11238128, -10631454,
2932              -15441463, -14453128, -1625486, -6494814},
2933         },
2934     },
2935     {
2936         {
2937             {793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843,
2938              -4885251, -9906200, -621852},
2939             {5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374,
2940              1468826, -6171428, -15186581},
2941             {-4859255, -3779343, -2917758, -6748019, 7778750, 11688288,
2942              -30404353, -9871238, -1558923, -9863646},
2943         },
2944         {
2945             {10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958,
2946              14783338, -30581476, -15757844},
2947             {10566929, 12612572, -31944212, 11118703, -12633376, 12362879,
2948              21752402, 8822496, 24003793, 14264025},
2949             {27713862, -7355973, -11008240, 9227530, 27050101, 2504721,
2950              23886875, -13117525, 13958495, -5732453},
2951         },
2952         {
2953             {-23481610, 4867226, -27247128, 3900521, 29838369, -8212291,
2954              -31889399, -10041781, 7340521, -15410068},
2955             {4646514, -8011124, -22766023, -11532654, 23184553, 8566613,
2956              31366726, -1381061, -15066784, -10375192},
2957             {-17270517, 12723032, -16993061, 14878794, 21619651, -6197576,
2958              27584817, 3093888, -8843694, 3849921},
2959         },
2960         {
2961             {-9064912, 2103172, 25561640, -15125738, -5239824, 9582958,
2962              32477045, -9017955, 5002294, -15550259},
2963             {-12057553, -11177906, 21115585, -13365155, 8808712, -12030708,
2964              16489530, 13378448, -25845716, 12741426},
2965             {-5946367, 10645103, -30911586, 15390284, -3286982, -7118677,
2966              24306472, 15852464, 28834118, -7646072},
2967         },
2968         {
2969             {-17335748, -9107057, -24531279, 9434953, -8472084, -583362,
2970              -13090771, 455841, 20461858, 5491305},
2971             {13669248, -16095482, -12481974, -10203039, -14569770, -11893198,
2972              -24995986, 11293807, -28588204, -9421832},
2973             {28497928, 6272777, -33022994, 14470570, 8906179, -1225630,
2974              18504674, -14165166, 29867745, -8795943},
2975         },
2976         {
2977             {-16207023, 13517196, -27799630, -13697798, 24009064, -6373891,
2978              -6367600, -13175392, 22853429, -4012011},
2979             {24191378, 16712145, -13931797, 15217831, 14542237, 1646131,
2980              18603514, -11037887, 12876623, -2112447},
2981             {17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753,
2982              608397, 16031844, 3723494},
2983         },
2984         {
2985             {-28632773, 12763728, -20446446, 7577504, 33001348, -13017745,
2986              17558842, -7872890, 23896954, -4314245},
2987             {-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064,
2988              7229064, -9919646, -8826859},
2989             {28816045, 298879, -28165016, -15920938, 19000928, -1665890,
2990              -12680833, -2949325, -18051778, -2082915},
2991         },
2992         {
2993             {16000882, -344896, 3493092, -11447198, -29504595, -13159789,
2994              12577740, 16041268, -19715240, 7847707},
2995             {10151868, 10572098, 27312476, 7922682, 14825339, 4723128,
2996              -32855931, -6519018, -10020567, 3852848},
2997             {-11430470, 15697596, -21121557, -4420647, 5386314, 15063598,
2998              16514493, -15932110, 29330899, -15076224},
2999         },
3000     },
3001     {
3002         {
3003             {-25499735, -4378794, -15222908, -6901211, 16615731, 2051784,
3004              3303702, 15490, -27548796, 12314391},
3005             {15683520, -6003043, 18109120, -9980648, 15337968, -5997823,
3006              -16717435, 15921866, 16103996, -3731215},
3007             {-23169824, -10781249, 13588192, -1628807, -3798557, -1074929,
3008              -19273607, 5402699, -29815713, -9841101},
3009         },
3010         {
3011             {23190676, 2384583, -32714340, 3462154, -29903655, -1529132,
3012              -11266856, 8911517, -25205859, 2739713},
3013             {21374101, -3554250, -33524649, 9874411, 15377179, 11831242,
3014              -33529904, 6134907, 4931255, 11987849},
3015             {-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539,
3016              13861388, -30076310, 10117930},
3017         },
3018         {
3019             {-29501170, -10744872, -26163768, 13051539, -25625564, 5089643,
3020              -6325503, 6704079, 12890019, 15728940},
3021             {-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376,
3022              -10428139, 12885167, 8311031},
3023             {-17516482, 5352194, 10384213, -13811658, 7506451, 13453191,
3024              26423267, 4384730, 1888765, -5435404},
3025         },
3026         {
3027             {-25817338, -3107312, -13494599, -3182506, 30896459, -13921729,
3028              -32251644, -12707869, -19464434, -3340243},
3029             {-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245,
3030              14845197, 17151279, -9854116},
3031             {-24830458, -12733720, -15165978, 10367250, -29530908, -265356,
3032              22825805, -7087279, -16866484, 16176525},
3033         },
3034         {
3035             {-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182,
3036              -10363426, -28746253, -10197509},
3037             {-10626600, -4486402, -13320562, -5125317, 3432136, -6393229,
3038              23632037, -1940610, 32808310, 1099883},
3039             {15030977, 5768825, -27451236, -2887299, -6427378, -15361371,
3040              -15277896, -6809350, 2051441, -15225865},
3041         },
3042         {
3043             {-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398,
3044              -14154188, -22686354, 16633660},
3045             {4577086, -16752288, 13249841, -15304328, 19958763, -14537274,
3046              18559670, -10759549, 8402478, -9864273},
3047             {-28406330, -1051581, -26790155, -907698, -17212414, -11030789,
3048              9453451, -14980072, 17983010, 9967138},
3049         },
3050         {
3051             {-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990,
3052              7806337, 17507396, 3651560},
3053             {-10420457, -4118111, 14584639, 15971087, -15768321, 8861010,
3054              26556809, -5574557, -18553322, -11357135},
3055             {2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121,
3056              8459447, -5605463, -7621941},
3057         },
3058         {
3059             {-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813,
3060              -849066, 17258084, -7977739},
3061             {18164541, -10595176, -17154882, -1542417, 19237078, -9745295,
3062              23357533, -15217008, 26908270, 12150756},
3063             {-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168,
3064              -5537701, -32302074, 16215819},
3065         },
3066     },
3067     {
3068         {
3069             {-6898905, 9824394, -12304779, -4401089, -31397141, -6276835,
3070              32574489, 12532905, -7503072, -8675347},
3071             {-27343522, -16515468, -27151524, -10722951, 946346, 16291093,
3072              254968, 7168080, 21676107, -1943028},
3073             {21260961, -8424752, -16831886, -11920822, -23677961, 3968121,
3074              -3651949, -6215466, -3556191, -7913075},
3075         },
3076         {
3077             {16544754, 13250366, -16804428, 15546242, -4583003, 12757258,
3078              -2462308, -8680336, -18907032, -9662799},
3079             {-2415239, -15577728, 18312303, 4964443, -15272530, -12653564,
3080              26820651, 16690659, 25459437, -4564609},
3081             {-25144690, 11425020, 28423002, -11020557, -6144921, -15826224,
3082              9142795, -2391602, -6432418, -1644817},
3083         },
3084         {
3085             {-23104652, 6253476, 16964147, -3768872, -25113972, -12296437,
3086              -27457225, -16344658, 6335692, 7249989},
3087             {-30333227, 13979675, 7503222, -12368314, -11956721, -4621693,
3088              -30272269, 2682242, 25993170, -12478523},
3089             {4364628, 5930691, 32304656, -10044554, -8054781, 15091131,
3090              22857016, -10598955, 31820368, 15075278},
3091         },
3092         {
3093             {31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788,
3094              -9650886, -17970238, 12833045},
3095             {19073683, 14851414, -24403169, -11860168, 7625278, 11091125,
3096              -19619190, 2074449, -9413939, 14905377},
3097             {24483667, -11935567, -2518866, -11547418, -1553130, 15355506,
3098              -25282080, 9253129, 27628530, -7555480},
3099         },
3100         {
3101             {17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324,
3102              -9157582, -14110875, 15297016},
3103             {510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417,
3104              -11864220, 8683221, 2921426},
3105             {18606791, 11874196, 27155355, -5281482, -24031742, 6265446,
3106              -25178240, -1278924, 4674690, 13890525},
3107         },
3108         {
3109             {13609624, 13069022, -27372361, -13055908, 24360586, 9592974,
3110              14977157, 9835105, 4389687, 288396},
3111             {9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062,
3112              8317628, 23388070, 16052080},
3113             {12720016, 11937594, -31970060, -5028689, 26900120, 8561328,
3114              -20155687, -11632979, -14754271, -10812892},
3115         },
3116         {
3117             {15961858, 14150409, 26716931, -665832, -22794328, 13603569,
3118              11829573, 7467844, -28822128, 929275},
3119             {11038231, -11582396, -27310482, -7316562, -10498527, -16307831,
3120              -23479533, -9371869, -21393143, 2465074},
3121             {20017163, -4323226, 27915242, 1529148, 12396362, 15675764,
3122              13817261, -9658066, 2463391, -4622140},
3123         },
3124         {
3125             {-16358878, -12663911, -12065183, 4996454, -1256422, 1073572,
3126              9583558, 12851107, 4003896, 12673717},
3127             {-1731589, -15155870, -3262930, 16143082, 19294135, 13385325,
3128              14741514, -9103726, 7903886, 2348101},
3129             {24536016, -16515207, 12715592, -3862155, 1511293, 10047386,
3130              -3842346, -7129159, -28377538, 10048127},
3131         },
3132     },
3133     {
3134         {
3135             {-12622226, -6204820, 30718825, 2591312, -10617028, 12192840,
3136              18873298, -7297090, -32297756, 15221632},
3137             {-26478122, -11103864, 11546244, -1852483, 9180880, 7656409,
3138              -21343950, 2095755, 29769758, 6593415},
3139             {-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345,
3140              -6118678, 30958054, 8292160},
3141         },
3142         {
3143             {31429822, -13959116, 29173532, 15632448, 12174511, -2760094,
3144              32808831, 3977186, 26143136, -3148876},
3145             {22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633,
3146              -1674433, -3758243, -2304625},
3147             {-15491917, 8012313, -2514730, -12702462, -23965846, -10254029,
3148              -1612713, -1535569, -16664475, 8194478},
3149         },
3150         {
3151             {27338066, -7507420, -7414224, 10140405, -19026427, -6589889,
3152              27277191, 8855376, 28572286, 3005164},
3153             {26287124, 4821776, 25476601, -4145903, -3764513, -15788984,
3154              -18008582, 1182479, -26094821, -13079595},
3155             {-7171154, 3178080, 23970071, 6201893, -17195577, -4489192,
3156              -21876275, -13982627, 32208683, -1198248},
3157         },
3158         {
3159             {-16657702, 2817643, -10286362, 14811298, 6024667, 13349505,
3160              -27315504, -10497842, -27672585, -11539858},
3161             {15941029, -9405932, -21367050, 8062055, 31876073, -238629,
3162              -15278393, -1444429, 15397331, -4130193},
3163             {8934485, -13485467, -23286397, -13423241, -32446090, 14047986,
3164              31170398, -1441021, -27505566, 15087184},
3165         },
3166         {
3167             {-18357243, -2156491, 24524913, -16677868, 15520427, -6360776,
3168              -15502406, 11461896, 16788528, -5868942},
3169             {-1947386, 16013773, 21750665, 3714552, -17401782, -16055433,
3170              -3770287, -10323320, 31322514, -11615635},
3171             {21426655, -5650218, -13648287, -5347537, -28812189, -4920970,
3172              -18275391, -14621414, 13040862, -12112948},
3173         },
3174         {
3175             {11293895, 12478086, -27136401, 15083750, -29307421, 14748872,
3176              14555558, -13417103, 1613711, 4896935},
3177             {-25894883, 15323294, -8489791, -8057900, 25967126, -13425460,
3178              2825960, -4897045, -23971776, -11267415},
3179             {-15924766, -5229880, -17443532, 6410664, 3622847, 10243618,
3180              20615400, 12405433, -23753030, -8436416},
3181         },
3182         {
3183             {-7091295, 12556208, -20191352, 9025187, -17072479, 4333801,
3184              4378436, 2432030, 23097949, -566018},
3185             {4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264,
3186              10103221, -18512313, 2424778},
3187             {366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678,
3188              1344109, -3642553, 12412659},
3189         },
3190         {
3191             {-24001791, 7690286, 14929416, -168257, -32210835, -13412986,
3192              24162697, -15326504, -3141501, 11179385},
3193             {18289522, -14724954, 8056945, 16430056, -21729724, 7842514,
3194              -6001441, -1486897, -18684645, -11443503},
3195             {476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959,
3196              13403813, 11052904, 5219329},
3197         },
3198     },
3199     {
3200         {
3201             {20678546, -8375738, -32671898, 8849123, -5009758, 14574752,
3202              31186971, -3973730, 9014762, -8579056},
3203             {-13644050, -10350239, -15962508, 5075808, -1514661, -11534600,
3204              -33102500, 9160280, 8473550, -3256838},
3205             {24900749, 14435722, 17209120, -15292541, -22592275, 9878983,
3206              -7689309, -16335821, -24568481, 11788948},
3207         },
3208         {
3209             {-3118155, -11395194, -13802089, 14797441, 9652448, -6845904,
3210              -20037437, 10410733, -24568470, -1458691},
3211             {-15659161, 16736706, -22467150, 10215878, -9097177, 7563911,
3212              11871841, -12505194, -18513325, 8464118},
3213             {-23400612, 8348507, -14585951, -861714, -3950205, -6373419,
3214              14325289, 8628612, 33313881, -8370517},
3215         },
3216         {
3217             {-20186973, -4967935, 22367356, 5271547, -1097117, -4788838,
3218              -24805667, -10236854, -8940735, -5818269},
3219             {-6948785, -1795212, -32625683, -16021179, 32635414, -7374245,
3220              15989197, -12838188, 28358192, -4253904},
3221             {-23561781, -2799059, -32351682, -1661963, -9147719, 10429267,
3222              -16637684, 4072016, -5351664, 5596589},
3223         },
3224         {
3225             {-28236598, -3390048, 12312896, 6213178, 3117142, 16078565,
3226              29266239, 2557221, 1768301, 15373193},
3227             {-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902,
3228              -4504991, -24660491, 3442910},
3229             {-30210571, 5124043, 14181784, 8197961, 18964734, -11939093,
3230              22597931, 7176455, -18585478, 13365930},
3231         },
3232         {
3233             {-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107,
3234              -8570186, -9689599, -3031667},
3235             {25008904, -10771599, -4305031, -9638010, 16265036, 15721635,
3236              683793, -11823784, 15723479, -15163481},
3237             {-9660625, 12374379, -27006999, -7026148, -7724114, -12314514,
3238              11879682, 5400171, 519526, -1235876},
3239         },
3240         {
3241             {22258397, -16332233, -7869817, 14613016, -22520255, -2950923,
3242              -20353881, 7315967, 16648397, 7605640},
3243             {-8081308, -8464597, -8223311, 9719710, 19259459, -15348212,
3244              23994942, -5281555, -9468848, 4763278},
3245             {-21699244, 9220969, -15730624, 1084137, -25476107, -2852390,
3246              31088447, -7764523, -11356529, 728112},
3247         },
3248         {
3249             {26047220, -11751471, -6900323, -16521798, 24092068, 9158119,
3250              -4273545, -12555558, -29365436, -5498272},
3251             {17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007,
3252              12327945, 10750447, 10014012},
3253             {-10312768, 3936952, 9156313, -8897683, 16498692, -994647,
3254              -27481051, -666732, 3424691, 7540221},
3255         },
3256         {
3257             {30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422,
3258              -16317219, -9244265, 15258046},
3259             {13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406,
3260              2711395, 1062915, -5136345},
3261             {-19240248, -11254599, -29509029, -7499965, -5835763, 13005411,
3262              -6066489, 12194497, 32960380, 1459310},
3263         },
3264     },
3265     {
3266         {
3267             {19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197,
3268              -6101885, 18638003, -11174937},
3269             {31395534, 15098109, 26581030, 8030562, -16527914, -5007134,
3270              9012486, -7584354, -6643087, -5442636},
3271             {-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222,
3272              9677543, -32294889, -6456008},
3273         },
3274         {
3275             {-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579,
3276              -7839692, -7852844, -8138429},
3277             {-15236356, -15433509, 7766470, 746860, 26346930, -10221762,
3278              -27333451, 10754588, -9431476, 5203576},
3279             {31834314, 14135496, -770007, 5159118, 20917671, -16768096,
3280              -7467973, -7337524, 31809243, 7347066},
3281         },
3282         {
3283             {-9606723, -11874240, 20414459, 13033986, 13716524, -11691881,
3284              19797970, -12211255, 15192876, -2087490},
3285             {-12663563, -2181719, 1168162, -3804809, 26747877, -14138091,
3286              10609330, 12694420, 33473243, -13382104},
3287             {33184999, 11180355, 15832085, -11385430, -1633671, 225884,
3288              15089336, -11023903, -6135662, 14480053},
3289         },
3290         {
3291             {31308717, -5619998, 31030840, -1897099, 15674547, -6582883,
3292              5496208, 13685227, 27595050, 8737275},
3293             {-20318852, -15150239, 10933843, -16178022, 8335352, -7546022,
3294              -31008351, -12610604, 26498114, 66511},
3295             {22644454, -8761729, -16671776, 4884562, -3105614, -13559366,
3296              30540766, -4286747, -13327787, -7515095},
3297         },
3298         {
3299             {-28017847, 9834845, 18617207, -2681312, -3401956, -13307506,
3300              8205540, 13585437, -17127465, 15115439},
3301             {23711543, -672915, 31206561, -8362711, 6164647, -9709987,
3302              -33535882, -1426096, 8236921, 16492939},
3303             {-23910559, -13515526, -26299483, -4503841, 25005590, -7687270,
3304              19574902, 10071562, 6708380, -6222424},
3305         },
3306         {
3307             {2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017,
3308              9328700, 29955601, -11678310},
3309             {3096359, 9271816, -21620864, -15521844, -14847996, -7592937,
3310              -25892142, -12635595, -9917575, 6216608},
3311             {-32615849, 338663, -25195611, 2510422, -29213566, -13820213,
3312              24822830, -6146567, -26767480, 7525079},
3313         },
3314         {
3315             {-23066649, -13985623, 16133487, -7896178, -3389565, 778788,
3316              -910336, -2782495, -19386633, 11994101},
3317             {21691500, -13624626, -641331, -14367021, 3285881, -3483596,
3318              -25064666, 9718258, -7477437, 13381418},
3319             {18445390, -4202236, 14979846, 11622458, -1727110, -3582980,
3320              23111648, -6375247, 28535282, 15779576},
3321         },
3322         {
3323             {30098053, 3089662, -9234387, 16662135, -21306940, 11308411,
3324              -14068454, 12021730, 9955285, -16303356},
3325             {9734894, -14576830, -7473633, -9138735, 2060392, 11313496,
3326              -18426029, 9924399, 20194861, 13380996},
3327             {-26378102, -7965207, -22167821, 15789297, -18055342, -6168792,
3328              -1984914, 15707771, 26342023, 10146099},
3329         },
3330     },
3331     {
3332         {
3333             {-26016874, -219943, 21339191, -41388, 19745256, -2878700,
3334              -29637280, 2227040, 21612326, -545728},
3335             {-13077387, 1184228, 23562814, -5970442, -20351244, -6348714,
3336              25764461, 12243797, -20856566, 11649658},
3337             {-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944,
3338              6114064, 33514190, 2333242},
3339         },
3340         {
3341             {-21433588, -12421821, 8119782, 7219913, -21830522, -9016134,
3342              -6679750, -12670638, 24350578, -13450001},
3343             {-4116307, -11271533, -23886186, 4843615, -30088339, 690623,
3344              -31536088, -10406836, 8317860, 12352766},
3345             {18200138, -14475911, -33087759, -2696619, -23702521, -9102511,
3346              -23552096, -2287550, 20712163, 6719373},
3347         },
3348         {
3349             {26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530,
3350              -3763210, 26224235, -3297458},
3351             {-17168938, -14854097, -3395676, -16369877, -19954045, 14050420,
3352              21728352, 9493610, 18620611, -16428628},
3353             {-13323321, 13325349, 11432106, 5964811, 18609221, 6062965,
3354              -5269471, -9725556, -30701573, -16479657},
3355         },
3356         {
3357             {-23860538, -11233159, 26961357, 1640861, -32413112, -16737940,
3358              12248509, -5240639, 13735342, 1934062},
3359             {25089769, 6742589, 17081145, -13406266, 21909293, -16067981,
3360              -15136294, -3765346, -21277997, 5473616},
3361             {31883677, -7961101, 1083432, -11572403, 22828471, 13290673,
3362              -7125085, 12469656, 29111212, -5451014},
3363         },
3364         {
3365             {24244947, -15050407, -26262976, 2791540, -14997599, 16666678,
3366              24367466, 6388839, -10295587, 452383},
3367             {-25640782, -3417841, 5217916, 16224624, 19987036, -4082269,
3368              -24236251, -5915248, 15766062, 8407814},
3369             {-20406999, 13990231, 15495425, 16395525, 5377168, 15166495,
3370              -8917023, -4388953, -8067909, 2276718},
3371         },
3372         {
3373             {30157918, 12924066, -17712050, 9245753, 19895028, 3368142,
3374              -23827587, 5096219, 22740376, -7303417},
3375             {2041139, -14256350, 7783687, 13876377, -25946985, -13352459,
3376              24051124, 13742383, -15637599, 13295222},
3377             {33338237, -8505733, 12532113, 7977527, 9106186, -1715251,
3378              -17720195, -4612972, -4451357, -14669444},
3379         },
3380         {
3381             {-20045281, 5454097, -14346548, 6447146, 28862071, 1883651,
3382              -2469266, -4141880, 7770569, 9620597},
3383             {23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528,
3384              -1694323, -33502340, -14767970},
3385             {1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801,
3386              1220118, 30494170, -11440799},
3387         },
3388         {
3389             {-5037580, -13028295, -2970559, -3061767, 15640974, -6701666,
3390              -26739026, 926050, -1684339, -13333647},
3391             {13908495, -3549272, 30919928, -6273825, -21521863, 7989039,
3392              9021034, 9078865, 3353509, 4033511},
3393             {-29663431, -15113610, 32259991, -344482, 24295849, -12912123,
3394              23161163, 8839127, 27485041, 7356032},
3395         },
3396     },
3397     {
3398         {
3399             {9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142,
3400              2625015, 28431036, -16771834},
3401             {-23839233, -8311415, -25945511, 7480958, -17681669, -8354183,
3402              -22545972, 14150565, 15970762, 4099461},
3403             {29262576, 16756590, 26350592, -8793563, 8529671, -11208050,
3404              13617293, -9937143, 11465739, 8317062},
3405         },
3406         {
3407             {-25493081, -6962928, 32500200, -9419051, -23038724, -2302222,
3408              14898637, 3848455, 20969334, -5157516},
3409             {-20384450, -14347713, -18336405, 13884722, -33039454, 2842114,
3410              -21610826, -3649888, 11177095, 14989547},
3411             {-24496721, -11716016, 16959896, 2278463, 12066309, 10137771,
3412              13515641, 2581286, -28487508, 9930240},
3413         },
3414         {
3415             {-17751622, -2097826, 16544300, -13009300, -15914807, -14949081,
3416              18345767, -13403753, 16291481, -5314038},
3417             {-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774,
3418              6957617, 4368891, 9788741},
3419             {16660756, 7281060, -10830758, 12911820, 20108584, -8101676,
3420              -21722536, -8613148, 16250552, -11111103},
3421         },
3422         {
3423             {-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584,
3424              10604807, -30190403, 4782747},
3425             {-1354539, 14736941, -7367442, -13292886, 7710542, -14155590,
3426              -9981571, 4383045, 22546403, 437323},
3427             {31665577, -12180464, -16186830, 1491339, -18368625, 3294682,
3428              27343084, 2786261, -30633590, -14097016},
3429         },
3430         {
3431             {-14467279, -683715, -33374107, 7448552, 19294360, 14334329,
3432              -19690631, 2355319, -19284671, -6114373},
3433             {15121312, -15796162, 6377020, -6031361, -10798111, -12957845,
3434              18952177, 15496498, -29380133, 11754228},
3435             {-2637277, -13483075, 8488727, -14303896, 12728761, -1622493,
3436              7141596, 11724556, 22761615, -10134141},
3437         },
3438         {
3439             {16918416, 11729663, -18083579, 3022987, -31015732, -13339659,
3440              -28741185, -12227393, 32851222, 11717399},
3441             {11166634, 7338049, -6722523, 4531520, -29468672, -7302055,
3442              31474879, 3483633, -1193175, -4030831},
3443             {-185635, 9921305, 31456609, -13536438, -12013818, 13348923,
3444              33142652, 6546660, -19985279, -3948376},
3445         },
3446         {
3447             {-32460596, 11266712, -11197107, -7899103, 31703694, 3855903,
3448              -8537131, -12833048, -30772034, -15486313},
3449             {-18006477, 12709068, 3991746, -6479188, -21491523, -10550425,
3450              -31135347, -16049879, 10928917, 3011958},
3451             {-6957757, -15594337, 31696059, 334240, 29576716, 14796075,
3452              -30831056, -12805180, 18008031, 10258577},
3453         },
3454         {
3455             {-22448644, 15655569, 7018479, -4410003, -30314266, -1201591,
3456              -1853465, 1367120, 25127874, 6671743},
3457             {29701166, -14373934, -10878120, 9279288, -17568, 13127210,
3458              21382910, 11042292, 25838796, 4642684},
3459             {-20430234, 14955537, -24126347, 8124619, -5369288, -5990470,
3460              30468147, -13900640, 18423289, 4177476},
3461         },
3462     },
3463 };
3464 
negative(signed char b)3465 static uint8_t negative(signed char b) {
3466   uint32_t x = b;
3467   x >>= 31; /* 1: yes; 0: no */
3468   return x;
3469 }
3470 
table_select(ge_precomp * t,int pos,signed char b)3471 static void table_select(ge_precomp *t, int pos, signed char b) {
3472   ge_precomp minust;
3473   uint8_t bnegative = negative(b);
3474   uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1);
3475 
3476   ge_precomp_0(t);
3477   cmov(t, &k25519Precomp[pos][0], equal(babs, 1));
3478   cmov(t, &k25519Precomp[pos][1], equal(babs, 2));
3479   cmov(t, &k25519Precomp[pos][2], equal(babs, 3));
3480   cmov(t, &k25519Precomp[pos][3], equal(babs, 4));
3481   cmov(t, &k25519Precomp[pos][4], equal(babs, 5));
3482   cmov(t, &k25519Precomp[pos][5], equal(babs, 6));
3483   cmov(t, &k25519Precomp[pos][6], equal(babs, 7));
3484   cmov(t, &k25519Precomp[pos][7], equal(babs, 8));
3485   fe_copy(minust.yplusx, t->yminusx);
3486   fe_copy(minust.yminusx, t->yplusx);
3487   fe_neg(minust.xy2d, t->xy2d);
3488   cmov(t, &minust, bnegative);
3489 }
3490 
3491 /* h = a * B
3492  * where a = a[0]+256*a[1]+...+256^31 a[31]
3493  * B is the Ed25519 base point (x,4/5) with x positive.
3494  *
3495  * Preconditions:
3496  *   a[31] <= 127 */
x25519_ge_scalarmult_base(ge_p3 * h,const uint8_t * a)3497 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
3498   signed char e[64];
3499   signed char carry;
3500   ge_p1p1 r;
3501   ge_p2 s;
3502   ge_precomp t;
3503   int i;
3504 
3505   for (i = 0; i < 32; ++i) {
3506     e[2 * i + 0] = (a[i] >> 0) & 15;
3507     e[2 * i + 1] = (a[i] >> 4) & 15;
3508   }
3509   /* each e[i] is between 0 and 15 */
3510   /* e[63] is between 0 and 7 */
3511 
3512   carry = 0;
3513   for (i = 0; i < 63; ++i) {
3514     e[i] += carry;
3515     carry = e[i] + 8;
3516     carry >>= 4;
3517     e[i] -= carry << 4;
3518   }
3519   e[63] += carry;
3520   /* each e[i] is between -8 and 8 */
3521 
3522   ge_p3_0(h);
3523   for (i = 1; i < 64; i += 2) {
3524     table_select(&t, i / 2, e[i]);
3525     ge_madd(&r, h, &t);
3526     x25519_ge_p1p1_to_p3(h, &r);
3527   }
3528 
3529   ge_p3_dbl(&r, h);
3530   x25519_ge_p1p1_to_p2(&s, &r);
3531   ge_p2_dbl(&r, &s);
3532   x25519_ge_p1p1_to_p2(&s, &r);
3533   ge_p2_dbl(&r, &s);
3534   x25519_ge_p1p1_to_p2(&s, &r);
3535   ge_p2_dbl(&r, &s);
3536   x25519_ge_p1p1_to_p3(h, &r);
3537 
3538   for (i = 0; i < 64; i += 2) {
3539     table_select(&t, i / 2, e[i]);
3540     ge_madd(&r, h, &t);
3541     x25519_ge_p1p1_to_p3(h, &r);
3542   }
3543 }
3544 
3545 #endif
3546 
cmov_cached(ge_cached * t,ge_cached * u,uint8_t b)3547 static void cmov_cached(ge_cached *t, ge_cached *u, uint8_t b) {
3548   fe_cmov(t->YplusX, u->YplusX, b);
3549   fe_cmov(t->YminusX, u->YminusX, b);
3550   fe_cmov(t->Z, u->Z, b);
3551   fe_cmov(t->T2d, u->T2d, b);
3552 }
3553 
3554 /* r = scalar * A.
3555  * where a = a[0]+256*a[1]+...+256^31 a[31]. */
x25519_ge_scalarmult(ge_p2 * r,const uint8_t * scalar,const ge_p3 * A)3556 void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
3557   ge_p2 Ai_p2[8];
3558   ge_cached Ai[16];
3559   ge_p1p1 t;
3560 
3561   ge_cached_0(&Ai[0]);
3562   x25519_ge_p3_to_cached(&Ai[1], A);
3563   ge_p3_to_p2(&Ai_p2[1], A);
3564 
3565   unsigned i;
3566   for (i = 2; i < 16; i += 2) {
3567     ge_p2_dbl(&t, &Ai_p2[i / 2]);
3568     ge_p1p1_to_cached(&Ai[i], &t);
3569     if (i < 8) {
3570       x25519_ge_p1p1_to_p2(&Ai_p2[i], &t);
3571     }
3572     x25519_ge_add(&t, A, &Ai[i]);
3573     ge_p1p1_to_cached(&Ai[i + 1], &t);
3574     if (i < 7) {
3575       x25519_ge_p1p1_to_p2(&Ai_p2[i + 1], &t);
3576     }
3577   }
3578 
3579   ge_p2_0(r);
3580   ge_p3 u;
3581 
3582   for (i = 0; i < 256; i += 4) {
3583     ge_p2_dbl(&t, r);
3584     x25519_ge_p1p1_to_p2(r, &t);
3585     ge_p2_dbl(&t, r);
3586     x25519_ge_p1p1_to_p2(r, &t);
3587     ge_p2_dbl(&t, r);
3588     x25519_ge_p1p1_to_p2(r, &t);
3589     ge_p2_dbl(&t, r);
3590     x25519_ge_p1p1_to_p3(&u, &t);
3591 
3592     uint8_t index = scalar[31 - i/8];
3593     index >>= 4 - (i & 4);
3594     index &= 0xf;
3595 
3596     unsigned j;
3597     ge_cached selected;
3598     ge_cached_0(&selected);
3599     for (j = 0; j < 16; j++) {
3600       cmov_cached(&selected, &Ai[j], equal(j, index));
3601     }
3602 
3603     x25519_ge_add(&t, &u, &selected);
3604     x25519_ge_p1p1_to_p2(r, &t);
3605   }
3606 }
3607 
slide(signed char * r,const uint8_t * a)3608 static void slide(signed char *r, const uint8_t *a) {
3609   int i;
3610   int b;
3611   int k;
3612 
3613   for (i = 0; i < 256; ++i) {
3614     r[i] = 1 & (a[i >> 3] >> (i & 7));
3615   }
3616 
3617   for (i = 0; i < 256; ++i) {
3618     if (r[i]) {
3619       for (b = 1; b <= 6 && i + b < 256; ++b) {
3620         if (r[i + b]) {
3621           if (r[i] + (r[i + b] << b) <= 15) {
3622             r[i] += r[i + b] << b;
3623             r[i + b] = 0;
3624           } else if (r[i] - (r[i + b] << b) >= -15) {
3625             r[i] -= r[i + b] << b;
3626             for (k = i + b; k < 256; ++k) {
3627               if (!r[k]) {
3628                 r[k] = 1;
3629                 break;
3630               }
3631               r[k] = 0;
3632             }
3633           } else {
3634             break;
3635           }
3636         }
3637       }
3638     }
3639   }
3640 }
3641 
3642 static const ge_precomp Bi[8] = {
3643     {
3644         {25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626,
3645          -11754271, -6079156, 2047605},
3646         {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692,
3647          5043384, 19500929, -15469378},
3648         {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919,
3649          11864899, -24514362, -4438546},
3650     },
3651     {
3652         {15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600,
3653          -14772189, 28944400, -1550024},
3654         {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577,
3655          -11775962, 7689662, 11199574},
3656         {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774,
3657          10017326, -17749093, -9920357},
3658     },
3659     {
3660         {10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885,
3661          14515107, -15438304, 10819380},
3662         {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668,
3663          12483688, -12668491, 5581306},
3664         {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350,
3665          13850243, -23678021, -15815942},
3666     },
3667     {
3668         {5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852,
3669          5230134, -23952439, -15175766},
3670         {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025,
3671          16520125, 30598449, 7715701},
3672         {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660,
3673          1370708, 29794553, -1409300},
3674     },
3675     {
3676         {-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211,
3677          -1361450, -13062696, 13821877},
3678         {-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028,
3679          -7212327, 18853322, -14220951},
3680         {4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358,
3681          -10431137, 2207753, -3209784},
3682     },
3683     {
3684         {-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364,
3685          -663000, -31111463, -16132436},
3686         {25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789,
3687          15725684, 171356, 6466918},
3688         {23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339,
3689          -14088058, -30714912, 16193877},
3690     },
3691     {
3692         {-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398,
3693          4729455, -18074513, 9256800},
3694         {-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405,
3695          9761698, -19827198, 630305},
3696         {-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551,
3697          -15960994, -2449256, -14291300},
3698     },
3699     {
3700         {-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575,
3701          15033784, 25105118, -7894876},
3702         {-24326370, 15950226, -31801215, -14592823, -11662737, -5090925,
3703          1573892, -2625887, 2198790, -15804619},
3704         {-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022,
3705          -16236442, -32461234, -12290683},
3706     },
3707 };
3708 
3709 /* r = a * A + b * B
3710  * where a = a[0]+256*a[1]+...+256^31 a[31].
3711  * and b = b[0]+256*b[1]+...+256^31 b[31].
3712  * B is the Ed25519 base point (x,4/5) with x positive. */
ge_double_scalarmult_vartime(ge_p2 * r,const uint8_t * a,const ge_p3 * A,const uint8_t * b)3713 static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
3714                                          const ge_p3 *A, const uint8_t *b) {
3715   signed char aslide[256];
3716   signed char bslide[256];
3717   ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
3718   ge_p1p1 t;
3719   ge_p3 u;
3720   ge_p3 A2;
3721   int i;
3722 
3723   slide(aslide, a);
3724   slide(bslide, b);
3725 
3726   x25519_ge_p3_to_cached(&Ai[0], A);
3727   ge_p3_dbl(&t, A);
3728   x25519_ge_p1p1_to_p3(&A2, &t);
3729   x25519_ge_add(&t, &A2, &Ai[0]);
3730   x25519_ge_p1p1_to_p3(&u, &t);
3731   x25519_ge_p3_to_cached(&Ai[1], &u);
3732   x25519_ge_add(&t, &A2, &Ai[1]);
3733   x25519_ge_p1p1_to_p3(&u, &t);
3734   x25519_ge_p3_to_cached(&Ai[2], &u);
3735   x25519_ge_add(&t, &A2, &Ai[2]);
3736   x25519_ge_p1p1_to_p3(&u, &t);
3737   x25519_ge_p3_to_cached(&Ai[3], &u);
3738   x25519_ge_add(&t, &A2, &Ai[3]);
3739   x25519_ge_p1p1_to_p3(&u, &t);
3740   x25519_ge_p3_to_cached(&Ai[4], &u);
3741   x25519_ge_add(&t, &A2, &Ai[4]);
3742   x25519_ge_p1p1_to_p3(&u, &t);
3743   x25519_ge_p3_to_cached(&Ai[5], &u);
3744   x25519_ge_add(&t, &A2, &Ai[5]);
3745   x25519_ge_p1p1_to_p3(&u, &t);
3746   x25519_ge_p3_to_cached(&Ai[6], &u);
3747   x25519_ge_add(&t, &A2, &Ai[6]);
3748   x25519_ge_p1p1_to_p3(&u, &t);
3749   x25519_ge_p3_to_cached(&Ai[7], &u);
3750 
3751   ge_p2_0(r);
3752 
3753   for (i = 255; i >= 0; --i) {
3754     if (aslide[i] || bslide[i]) {
3755       break;
3756     }
3757   }
3758 
3759   for (; i >= 0; --i) {
3760     ge_p2_dbl(&t, r);
3761 
3762     if (aslide[i] > 0) {
3763       x25519_ge_p1p1_to_p3(&u, &t);
3764       x25519_ge_add(&t, &u, &Ai[aslide[i] / 2]);
3765     } else if (aslide[i] < 0) {
3766       x25519_ge_p1p1_to_p3(&u, &t);
3767       x25519_ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
3768     }
3769 
3770     if (bslide[i] > 0) {
3771       x25519_ge_p1p1_to_p3(&u, &t);
3772       ge_madd(&t, &u, &Bi[bslide[i] / 2]);
3773     } else if (bslide[i] < 0) {
3774       x25519_ge_p1p1_to_p3(&u, &t);
3775       ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
3776     }
3777 
3778     x25519_ge_p1p1_to_p2(r, &t);
3779   }
3780 }
3781 
3782 /* The set of scalars is \Z/l
3783  * where l = 2^252 + 27742317777372353535851937790883648493. */
3784 
3785 /* Input:
3786  *   s[0]+256*s[1]+...+256^63*s[63] = s
3787  *
3788  * Output:
3789  *   s[0]+256*s[1]+...+256^31*s[31] = s mod l
3790  *   where l = 2^252 + 27742317777372353535851937790883648493.
3791  *   Overwrites s in place. */
x25519_sc_reduce(uint8_t * s)3792 void x25519_sc_reduce(uint8_t *s) {
3793   int64_t s0 = 2097151 & load_3(s);
3794   int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
3795   int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
3796   int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
3797   int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
3798   int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
3799   int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
3800   int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
3801   int64_t s8 = 2097151 & load_3(s + 21);
3802   int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
3803   int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
3804   int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
3805   int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
3806   int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
3807   int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
3808   int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
3809   int64_t s16 = 2097151 & load_3(s + 42);
3810   int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
3811   int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
3812   int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
3813   int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
3814   int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
3815   int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
3816   int64_t s23 = (load_4(s + 60) >> 3);
3817   int64_t carry0;
3818   int64_t carry1;
3819   int64_t carry2;
3820   int64_t carry3;
3821   int64_t carry4;
3822   int64_t carry5;
3823   int64_t carry6;
3824   int64_t carry7;
3825   int64_t carry8;
3826   int64_t carry9;
3827   int64_t carry10;
3828   int64_t carry11;
3829   int64_t carry12;
3830   int64_t carry13;
3831   int64_t carry14;
3832   int64_t carry15;
3833   int64_t carry16;
3834 
3835   s11 += s23 * 666643;
3836   s12 += s23 * 470296;
3837   s13 += s23 * 654183;
3838   s14 -= s23 * 997805;
3839   s15 += s23 * 136657;
3840   s16 -= s23 * 683901;
3841   s23 = 0;
3842 
3843   s10 += s22 * 666643;
3844   s11 += s22 * 470296;
3845   s12 += s22 * 654183;
3846   s13 -= s22 * 997805;
3847   s14 += s22 * 136657;
3848   s15 -= s22 * 683901;
3849   s22 = 0;
3850 
3851   s9 += s21 * 666643;
3852   s10 += s21 * 470296;
3853   s11 += s21 * 654183;
3854   s12 -= s21 * 997805;
3855   s13 += s21 * 136657;
3856   s14 -= s21 * 683901;
3857   s21 = 0;
3858 
3859   s8 += s20 * 666643;
3860   s9 += s20 * 470296;
3861   s10 += s20 * 654183;
3862   s11 -= s20 * 997805;
3863   s12 += s20 * 136657;
3864   s13 -= s20 * 683901;
3865   s20 = 0;
3866 
3867   s7 += s19 * 666643;
3868   s8 += s19 * 470296;
3869   s9 += s19 * 654183;
3870   s10 -= s19 * 997805;
3871   s11 += s19 * 136657;
3872   s12 -= s19 * 683901;
3873   s19 = 0;
3874 
3875   s6 += s18 * 666643;
3876   s7 += s18 * 470296;
3877   s8 += s18 * 654183;
3878   s9 -= s18 * 997805;
3879   s10 += s18 * 136657;
3880   s11 -= s18 * 683901;
3881   s18 = 0;
3882 
3883   carry6 = (s6 + (1 << 20)) >> 21;
3884   s7 += carry6;
3885   s6 -= carry6 << 21;
3886   carry8 = (s8 + (1 << 20)) >> 21;
3887   s9 += carry8;
3888   s8 -= carry8 << 21;
3889   carry10 = (s10 + (1 << 20)) >> 21;
3890   s11 += carry10;
3891   s10 -= carry10 << 21;
3892   carry12 = (s12 + (1 << 20)) >> 21;
3893   s13 += carry12;
3894   s12 -= carry12 << 21;
3895   carry14 = (s14 + (1 << 20)) >> 21;
3896   s15 += carry14;
3897   s14 -= carry14 << 21;
3898   carry16 = (s16 + (1 << 20)) >> 21;
3899   s17 += carry16;
3900   s16 -= carry16 << 21;
3901 
3902   carry7 = (s7 + (1 << 20)) >> 21;
3903   s8 += carry7;
3904   s7 -= carry7 << 21;
3905   carry9 = (s9 + (1 << 20)) >> 21;
3906   s10 += carry9;
3907   s9 -= carry9 << 21;
3908   carry11 = (s11 + (1 << 20)) >> 21;
3909   s12 += carry11;
3910   s11 -= carry11 << 21;
3911   carry13 = (s13 + (1 << 20)) >> 21;
3912   s14 += carry13;
3913   s13 -= carry13 << 21;
3914   carry15 = (s15 + (1 << 20)) >> 21;
3915   s16 += carry15;
3916   s15 -= carry15 << 21;
3917 
3918   s5 += s17 * 666643;
3919   s6 += s17 * 470296;
3920   s7 += s17 * 654183;
3921   s8 -= s17 * 997805;
3922   s9 += s17 * 136657;
3923   s10 -= s17 * 683901;
3924   s17 = 0;
3925 
3926   s4 += s16 * 666643;
3927   s5 += s16 * 470296;
3928   s6 += s16 * 654183;
3929   s7 -= s16 * 997805;
3930   s8 += s16 * 136657;
3931   s9 -= s16 * 683901;
3932   s16 = 0;
3933 
3934   s3 += s15 * 666643;
3935   s4 += s15 * 470296;
3936   s5 += s15 * 654183;
3937   s6 -= s15 * 997805;
3938   s7 += s15 * 136657;
3939   s8 -= s15 * 683901;
3940   s15 = 0;
3941 
3942   s2 += s14 * 666643;
3943   s3 += s14 * 470296;
3944   s4 += s14 * 654183;
3945   s5 -= s14 * 997805;
3946   s6 += s14 * 136657;
3947   s7 -= s14 * 683901;
3948   s14 = 0;
3949 
3950   s1 += s13 * 666643;
3951   s2 += s13 * 470296;
3952   s3 += s13 * 654183;
3953   s4 -= s13 * 997805;
3954   s5 += s13 * 136657;
3955   s6 -= s13 * 683901;
3956   s13 = 0;
3957 
3958   s0 += s12 * 666643;
3959   s1 += s12 * 470296;
3960   s2 += s12 * 654183;
3961   s3 -= s12 * 997805;
3962   s4 += s12 * 136657;
3963   s5 -= s12 * 683901;
3964   s12 = 0;
3965 
3966   carry0 = (s0 + (1 << 20)) >> 21;
3967   s1 += carry0;
3968   s0 -= carry0 << 21;
3969   carry2 = (s2 + (1 << 20)) >> 21;
3970   s3 += carry2;
3971   s2 -= carry2 << 21;
3972   carry4 = (s4 + (1 << 20)) >> 21;
3973   s5 += carry4;
3974   s4 -= carry4 << 21;
3975   carry6 = (s6 + (1 << 20)) >> 21;
3976   s7 += carry6;
3977   s6 -= carry6 << 21;
3978   carry8 = (s8 + (1 << 20)) >> 21;
3979   s9 += carry8;
3980   s8 -= carry8 << 21;
3981   carry10 = (s10 + (1 << 20)) >> 21;
3982   s11 += carry10;
3983   s10 -= carry10 << 21;
3984 
3985   carry1 = (s1 + (1 << 20)) >> 21;
3986   s2 += carry1;
3987   s1 -= carry1 << 21;
3988   carry3 = (s3 + (1 << 20)) >> 21;
3989   s4 += carry3;
3990   s3 -= carry3 << 21;
3991   carry5 = (s5 + (1 << 20)) >> 21;
3992   s6 += carry5;
3993   s5 -= carry5 << 21;
3994   carry7 = (s7 + (1 << 20)) >> 21;
3995   s8 += carry7;
3996   s7 -= carry7 << 21;
3997   carry9 = (s9 + (1 << 20)) >> 21;
3998   s10 += carry9;
3999   s9 -= carry9 << 21;
4000   carry11 = (s11 + (1 << 20)) >> 21;
4001   s12 += carry11;
4002   s11 -= carry11 << 21;
4003 
4004   s0 += s12 * 666643;
4005   s1 += s12 * 470296;
4006   s2 += s12 * 654183;
4007   s3 -= s12 * 997805;
4008   s4 += s12 * 136657;
4009   s5 -= s12 * 683901;
4010   s12 = 0;
4011 
4012   carry0 = s0 >> 21;
4013   s1 += carry0;
4014   s0 -= carry0 << 21;
4015   carry1 = s1 >> 21;
4016   s2 += carry1;
4017   s1 -= carry1 << 21;
4018   carry2 = s2 >> 21;
4019   s3 += carry2;
4020   s2 -= carry2 << 21;
4021   carry3 = s3 >> 21;
4022   s4 += carry3;
4023   s3 -= carry3 << 21;
4024   carry4 = s4 >> 21;
4025   s5 += carry4;
4026   s4 -= carry4 << 21;
4027   carry5 = s5 >> 21;
4028   s6 += carry5;
4029   s5 -= carry5 << 21;
4030   carry6 = s6 >> 21;
4031   s7 += carry6;
4032   s6 -= carry6 << 21;
4033   carry7 = s7 >> 21;
4034   s8 += carry7;
4035   s7 -= carry7 << 21;
4036   carry8 = s8 >> 21;
4037   s9 += carry8;
4038   s8 -= carry8 << 21;
4039   carry9 = s9 >> 21;
4040   s10 += carry9;
4041   s9 -= carry9 << 21;
4042   carry10 = s10 >> 21;
4043   s11 += carry10;
4044   s10 -= carry10 << 21;
4045   carry11 = s11 >> 21;
4046   s12 += carry11;
4047   s11 -= carry11 << 21;
4048 
4049   s0 += s12 * 666643;
4050   s1 += s12 * 470296;
4051   s2 += s12 * 654183;
4052   s3 -= s12 * 997805;
4053   s4 += s12 * 136657;
4054   s5 -= s12 * 683901;
4055   s12 = 0;
4056 
4057   carry0 = s0 >> 21;
4058   s1 += carry0;
4059   s0 -= carry0 << 21;
4060   carry1 = s1 >> 21;
4061   s2 += carry1;
4062   s1 -= carry1 << 21;
4063   carry2 = s2 >> 21;
4064   s3 += carry2;
4065   s2 -= carry2 << 21;
4066   carry3 = s3 >> 21;
4067   s4 += carry3;
4068   s3 -= carry3 << 21;
4069   carry4 = s4 >> 21;
4070   s5 += carry4;
4071   s4 -= carry4 << 21;
4072   carry5 = s5 >> 21;
4073   s6 += carry5;
4074   s5 -= carry5 << 21;
4075   carry6 = s6 >> 21;
4076   s7 += carry6;
4077   s6 -= carry6 << 21;
4078   carry7 = s7 >> 21;
4079   s8 += carry7;
4080   s7 -= carry7 << 21;
4081   carry8 = s8 >> 21;
4082   s9 += carry8;
4083   s8 -= carry8 << 21;
4084   carry9 = s9 >> 21;
4085   s10 += carry9;
4086   s9 -= carry9 << 21;
4087   carry10 = s10 >> 21;
4088   s11 += carry10;
4089   s10 -= carry10 << 21;
4090 
4091   s[0] = s0 >> 0;
4092   s[1] = s0 >> 8;
4093   s[2] = (s0 >> 16) | (s1 << 5);
4094   s[3] = s1 >> 3;
4095   s[4] = s1 >> 11;
4096   s[5] = (s1 >> 19) | (s2 << 2);
4097   s[6] = s2 >> 6;
4098   s[7] = (s2 >> 14) | (s3 << 7);
4099   s[8] = s3 >> 1;
4100   s[9] = s3 >> 9;
4101   s[10] = (s3 >> 17) | (s4 << 4);
4102   s[11] = s4 >> 4;
4103   s[12] = s4 >> 12;
4104   s[13] = (s4 >> 20) | (s5 << 1);
4105   s[14] = s5 >> 7;
4106   s[15] = (s5 >> 15) | (s6 << 6);
4107   s[16] = s6 >> 2;
4108   s[17] = s6 >> 10;
4109   s[18] = (s6 >> 18) | (s7 << 3);
4110   s[19] = s7 >> 5;
4111   s[20] = s7 >> 13;
4112   s[21] = s8 >> 0;
4113   s[22] = s8 >> 8;
4114   s[23] = (s8 >> 16) | (s9 << 5);
4115   s[24] = s9 >> 3;
4116   s[25] = s9 >> 11;
4117   s[26] = (s9 >> 19) | (s10 << 2);
4118   s[27] = s10 >> 6;
4119   s[28] = (s10 >> 14) | (s11 << 7);
4120   s[29] = s11 >> 1;
4121   s[30] = s11 >> 9;
4122   s[31] = s11 >> 17;
4123 }
4124 
4125 /* Input:
4126  *   a[0]+256*a[1]+...+256^31*a[31] = a
4127  *   b[0]+256*b[1]+...+256^31*b[31] = b
4128  *   c[0]+256*c[1]+...+256^31*c[31] = c
4129  *
4130  * Output:
4131  *   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
4132  *   where l = 2^252 + 27742317777372353535851937790883648493. */
sc_muladd(uint8_t * s,const uint8_t * a,const uint8_t * b,const uint8_t * c)4133 static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
4134                       const uint8_t *c) {
4135   int64_t a0 = 2097151 & load_3(a);
4136   int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
4137   int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
4138   int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
4139   int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
4140   int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
4141   int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
4142   int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
4143   int64_t a8 = 2097151 & load_3(a + 21);
4144   int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
4145   int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
4146   int64_t a11 = (load_4(a + 28) >> 7);
4147   int64_t b0 = 2097151 & load_3(b);
4148   int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
4149   int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
4150   int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
4151   int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
4152   int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
4153   int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
4154   int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
4155   int64_t b8 = 2097151 & load_3(b + 21);
4156   int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
4157   int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
4158   int64_t b11 = (load_4(b + 28) >> 7);
4159   int64_t c0 = 2097151 & load_3(c);
4160   int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
4161   int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
4162   int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
4163   int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
4164   int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
4165   int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
4166   int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
4167   int64_t c8 = 2097151 & load_3(c + 21);
4168   int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
4169   int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
4170   int64_t c11 = (load_4(c + 28) >> 7);
4171   int64_t s0;
4172   int64_t s1;
4173   int64_t s2;
4174   int64_t s3;
4175   int64_t s4;
4176   int64_t s5;
4177   int64_t s6;
4178   int64_t s7;
4179   int64_t s8;
4180   int64_t s9;
4181   int64_t s10;
4182   int64_t s11;
4183   int64_t s12;
4184   int64_t s13;
4185   int64_t s14;
4186   int64_t s15;
4187   int64_t s16;
4188   int64_t s17;
4189   int64_t s18;
4190   int64_t s19;
4191   int64_t s20;
4192   int64_t s21;
4193   int64_t s22;
4194   int64_t s23;
4195   int64_t carry0;
4196   int64_t carry1;
4197   int64_t carry2;
4198   int64_t carry3;
4199   int64_t carry4;
4200   int64_t carry5;
4201   int64_t carry6;
4202   int64_t carry7;
4203   int64_t carry8;
4204   int64_t carry9;
4205   int64_t carry10;
4206   int64_t carry11;
4207   int64_t carry12;
4208   int64_t carry13;
4209   int64_t carry14;
4210   int64_t carry15;
4211   int64_t carry16;
4212   int64_t carry17;
4213   int64_t carry18;
4214   int64_t carry19;
4215   int64_t carry20;
4216   int64_t carry21;
4217   int64_t carry22;
4218 
4219   s0 = c0 + a0 * b0;
4220   s1 = c1 + a0 * b1 + a1 * b0;
4221   s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
4222   s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
4223   s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
4224   s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
4225   s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
4226   s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +
4227        a6 * b1 + a7 * b0;
4228   s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +
4229        a6 * b2 + a7 * b1 + a8 * b0;
4230   s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +
4231        a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
4232   s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +
4233         a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
4234   s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +
4235         a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
4236   s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 +
4237         a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
4238   s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 +
4239         a9 * b4 + a10 * b3 + a11 * b2;
4240   s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 +
4241         a10 * b4 + a11 * b3;
4242   s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 +
4243         a11 * b4;
4244   s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
4245   s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
4246   s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
4247   s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
4248   s20 = a9 * b11 + a10 * b10 + a11 * b9;
4249   s21 = a10 * b11 + a11 * b10;
4250   s22 = a11 * b11;
4251   s23 = 0;
4252 
4253   carry0 = (s0 + (1 << 20)) >> 21;
4254   s1 += carry0;
4255   s0 -= carry0 << 21;
4256   carry2 = (s2 + (1 << 20)) >> 21;
4257   s3 += carry2;
4258   s2 -= carry2 << 21;
4259   carry4 = (s4 + (1 << 20)) >> 21;
4260   s5 += carry4;
4261   s4 -= carry4 << 21;
4262   carry6 = (s6 + (1 << 20)) >> 21;
4263   s7 += carry6;
4264   s6 -= carry6 << 21;
4265   carry8 = (s8 + (1 << 20)) >> 21;
4266   s9 += carry8;
4267   s8 -= carry8 << 21;
4268   carry10 = (s10 + (1 << 20)) >> 21;
4269   s11 += carry10;
4270   s10 -= carry10 << 21;
4271   carry12 = (s12 + (1 << 20)) >> 21;
4272   s13 += carry12;
4273   s12 -= carry12 << 21;
4274   carry14 = (s14 + (1 << 20)) >> 21;
4275   s15 += carry14;
4276   s14 -= carry14 << 21;
4277   carry16 = (s16 + (1 << 20)) >> 21;
4278   s17 += carry16;
4279   s16 -= carry16 << 21;
4280   carry18 = (s18 + (1 << 20)) >> 21;
4281   s19 += carry18;
4282   s18 -= carry18 << 21;
4283   carry20 = (s20 + (1 << 20)) >> 21;
4284   s21 += carry20;
4285   s20 -= carry20 << 21;
4286   carry22 = (s22 + (1 << 20)) >> 21;
4287   s23 += carry22;
4288   s22 -= carry22 << 21;
4289 
4290   carry1 = (s1 + (1 << 20)) >> 21;
4291   s2 += carry1;
4292   s1 -= carry1 << 21;
4293   carry3 = (s3 + (1 << 20)) >> 21;
4294   s4 += carry3;
4295   s3 -= carry3 << 21;
4296   carry5 = (s5 + (1 << 20)) >> 21;
4297   s6 += carry5;
4298   s5 -= carry5 << 21;
4299   carry7 = (s7 + (1 << 20)) >> 21;
4300   s8 += carry7;
4301   s7 -= carry7 << 21;
4302   carry9 = (s9 + (1 << 20)) >> 21;
4303   s10 += carry9;
4304   s9 -= carry9 << 21;
4305   carry11 = (s11 + (1 << 20)) >> 21;
4306   s12 += carry11;
4307   s11 -= carry11 << 21;
4308   carry13 = (s13 + (1 << 20)) >> 21;
4309   s14 += carry13;
4310   s13 -= carry13 << 21;
4311   carry15 = (s15 + (1 << 20)) >> 21;
4312   s16 += carry15;
4313   s15 -= carry15 << 21;
4314   carry17 = (s17 + (1 << 20)) >> 21;
4315   s18 += carry17;
4316   s17 -= carry17 << 21;
4317   carry19 = (s19 + (1 << 20)) >> 21;
4318   s20 += carry19;
4319   s19 -= carry19 << 21;
4320   carry21 = (s21 + (1 << 20)) >> 21;
4321   s22 += carry21;
4322   s21 -= carry21 << 21;
4323 
4324   s11 += s23 * 666643;
4325   s12 += s23 * 470296;
4326   s13 += s23 * 654183;
4327   s14 -= s23 * 997805;
4328   s15 += s23 * 136657;
4329   s16 -= s23 * 683901;
4330   s23 = 0;
4331 
4332   s10 += s22 * 666643;
4333   s11 += s22 * 470296;
4334   s12 += s22 * 654183;
4335   s13 -= s22 * 997805;
4336   s14 += s22 * 136657;
4337   s15 -= s22 * 683901;
4338   s22 = 0;
4339 
4340   s9 += s21 * 666643;
4341   s10 += s21 * 470296;
4342   s11 += s21 * 654183;
4343   s12 -= s21 * 997805;
4344   s13 += s21 * 136657;
4345   s14 -= s21 * 683901;
4346   s21 = 0;
4347 
4348   s8 += s20 * 666643;
4349   s9 += s20 * 470296;
4350   s10 += s20 * 654183;
4351   s11 -= s20 * 997805;
4352   s12 += s20 * 136657;
4353   s13 -= s20 * 683901;
4354   s20 = 0;
4355 
4356   s7 += s19 * 666643;
4357   s8 += s19 * 470296;
4358   s9 += s19 * 654183;
4359   s10 -= s19 * 997805;
4360   s11 += s19 * 136657;
4361   s12 -= s19 * 683901;
4362   s19 = 0;
4363 
4364   s6 += s18 * 666643;
4365   s7 += s18 * 470296;
4366   s8 += s18 * 654183;
4367   s9 -= s18 * 997805;
4368   s10 += s18 * 136657;
4369   s11 -= s18 * 683901;
4370   s18 = 0;
4371 
4372   carry6 = (s6 + (1 << 20)) >> 21;
4373   s7 += carry6;
4374   s6 -= carry6 << 21;
4375   carry8 = (s8 + (1 << 20)) >> 21;
4376   s9 += carry8;
4377   s8 -= carry8 << 21;
4378   carry10 = (s10 + (1 << 20)) >> 21;
4379   s11 += carry10;
4380   s10 -= carry10 << 21;
4381   carry12 = (s12 + (1 << 20)) >> 21;
4382   s13 += carry12;
4383   s12 -= carry12 << 21;
4384   carry14 = (s14 + (1 << 20)) >> 21;
4385   s15 += carry14;
4386   s14 -= carry14 << 21;
4387   carry16 = (s16 + (1 << 20)) >> 21;
4388   s17 += carry16;
4389   s16 -= carry16 << 21;
4390 
4391   carry7 = (s7 + (1 << 20)) >> 21;
4392   s8 += carry7;
4393   s7 -= carry7 << 21;
4394   carry9 = (s9 + (1 << 20)) >> 21;
4395   s10 += carry9;
4396   s9 -= carry9 << 21;
4397   carry11 = (s11 + (1 << 20)) >> 21;
4398   s12 += carry11;
4399   s11 -= carry11 << 21;
4400   carry13 = (s13 + (1 << 20)) >> 21;
4401   s14 += carry13;
4402   s13 -= carry13 << 21;
4403   carry15 = (s15 + (1 << 20)) >> 21;
4404   s16 += carry15;
4405   s15 -= carry15 << 21;
4406 
4407   s5 += s17 * 666643;
4408   s6 += s17 * 470296;
4409   s7 += s17 * 654183;
4410   s8 -= s17 * 997805;
4411   s9 += s17 * 136657;
4412   s10 -= s17 * 683901;
4413   s17 = 0;
4414 
4415   s4 += s16 * 666643;
4416   s5 += s16 * 470296;
4417   s6 += s16 * 654183;
4418   s7 -= s16 * 997805;
4419   s8 += s16 * 136657;
4420   s9 -= s16 * 683901;
4421   s16 = 0;
4422 
4423   s3 += s15 * 666643;
4424   s4 += s15 * 470296;
4425   s5 += s15 * 654183;
4426   s6 -= s15 * 997805;
4427   s7 += s15 * 136657;
4428   s8 -= s15 * 683901;
4429   s15 = 0;
4430 
4431   s2 += s14 * 666643;
4432   s3 += s14 * 470296;
4433   s4 += s14 * 654183;
4434   s5 -= s14 * 997805;
4435   s6 += s14 * 136657;
4436   s7 -= s14 * 683901;
4437   s14 = 0;
4438 
4439   s1 += s13 * 666643;
4440   s2 += s13 * 470296;
4441   s3 += s13 * 654183;
4442   s4 -= s13 * 997805;
4443   s5 += s13 * 136657;
4444   s6 -= s13 * 683901;
4445   s13 = 0;
4446 
4447   s0 += s12 * 666643;
4448   s1 += s12 * 470296;
4449   s2 += s12 * 654183;
4450   s3 -= s12 * 997805;
4451   s4 += s12 * 136657;
4452   s5 -= s12 * 683901;
4453   s12 = 0;
4454 
4455   carry0 = (s0 + (1 << 20)) >> 21;
4456   s1 += carry0;
4457   s0 -= carry0 << 21;
4458   carry2 = (s2 + (1 << 20)) >> 21;
4459   s3 += carry2;
4460   s2 -= carry2 << 21;
4461   carry4 = (s4 + (1 << 20)) >> 21;
4462   s5 += carry4;
4463   s4 -= carry4 << 21;
4464   carry6 = (s6 + (1 << 20)) >> 21;
4465   s7 += carry6;
4466   s6 -= carry6 << 21;
4467   carry8 = (s8 + (1 << 20)) >> 21;
4468   s9 += carry8;
4469   s8 -= carry8 << 21;
4470   carry10 = (s10 + (1 << 20)) >> 21;
4471   s11 += carry10;
4472   s10 -= carry10 << 21;
4473 
4474   carry1 = (s1 + (1 << 20)) >> 21;
4475   s2 += carry1;
4476   s1 -= carry1 << 21;
4477   carry3 = (s3 + (1 << 20)) >> 21;
4478   s4 += carry3;
4479   s3 -= carry3 << 21;
4480   carry5 = (s5 + (1 << 20)) >> 21;
4481   s6 += carry5;
4482   s5 -= carry5 << 21;
4483   carry7 = (s7 + (1 << 20)) >> 21;
4484   s8 += carry7;
4485   s7 -= carry7 << 21;
4486   carry9 = (s9 + (1 << 20)) >> 21;
4487   s10 += carry9;
4488   s9 -= carry9 << 21;
4489   carry11 = (s11 + (1 << 20)) >> 21;
4490   s12 += carry11;
4491   s11 -= carry11 << 21;
4492 
4493   s0 += s12 * 666643;
4494   s1 += s12 * 470296;
4495   s2 += s12 * 654183;
4496   s3 -= s12 * 997805;
4497   s4 += s12 * 136657;
4498   s5 -= s12 * 683901;
4499   s12 = 0;
4500 
4501   carry0 = s0 >> 21;
4502   s1 += carry0;
4503   s0 -= carry0 << 21;
4504   carry1 = s1 >> 21;
4505   s2 += carry1;
4506   s1 -= carry1 << 21;
4507   carry2 = s2 >> 21;
4508   s3 += carry2;
4509   s2 -= carry2 << 21;
4510   carry3 = s3 >> 21;
4511   s4 += carry3;
4512   s3 -= carry3 << 21;
4513   carry4 = s4 >> 21;
4514   s5 += carry4;
4515   s4 -= carry4 << 21;
4516   carry5 = s5 >> 21;
4517   s6 += carry5;
4518   s5 -= carry5 << 21;
4519   carry6 = s6 >> 21;
4520   s7 += carry6;
4521   s6 -= carry6 << 21;
4522   carry7 = s7 >> 21;
4523   s8 += carry7;
4524   s7 -= carry7 << 21;
4525   carry8 = s8 >> 21;
4526   s9 += carry8;
4527   s8 -= carry8 << 21;
4528   carry9 = s9 >> 21;
4529   s10 += carry9;
4530   s9 -= carry9 << 21;
4531   carry10 = s10 >> 21;
4532   s11 += carry10;
4533   s10 -= carry10 << 21;
4534   carry11 = s11 >> 21;
4535   s12 += carry11;
4536   s11 -= carry11 << 21;
4537 
4538   s0 += s12 * 666643;
4539   s1 += s12 * 470296;
4540   s2 += s12 * 654183;
4541   s3 -= s12 * 997805;
4542   s4 += s12 * 136657;
4543   s5 -= s12 * 683901;
4544   s12 = 0;
4545 
4546   carry0 = s0 >> 21;
4547   s1 += carry0;
4548   s0 -= carry0 << 21;
4549   carry1 = s1 >> 21;
4550   s2 += carry1;
4551   s1 -= carry1 << 21;
4552   carry2 = s2 >> 21;
4553   s3 += carry2;
4554   s2 -= carry2 << 21;
4555   carry3 = s3 >> 21;
4556   s4 += carry3;
4557   s3 -= carry3 << 21;
4558   carry4 = s4 >> 21;
4559   s5 += carry4;
4560   s4 -= carry4 << 21;
4561   carry5 = s5 >> 21;
4562   s6 += carry5;
4563   s5 -= carry5 << 21;
4564   carry6 = s6 >> 21;
4565   s7 += carry6;
4566   s6 -= carry6 << 21;
4567   carry7 = s7 >> 21;
4568   s8 += carry7;
4569   s7 -= carry7 << 21;
4570   carry8 = s8 >> 21;
4571   s9 += carry8;
4572   s8 -= carry8 << 21;
4573   carry9 = s9 >> 21;
4574   s10 += carry9;
4575   s9 -= carry9 << 21;
4576   carry10 = s10 >> 21;
4577   s11 += carry10;
4578   s10 -= carry10 << 21;
4579 
4580   s[0] = s0 >> 0;
4581   s[1] = s0 >> 8;
4582   s[2] = (s0 >> 16) | (s1 << 5);
4583   s[3] = s1 >> 3;
4584   s[4] = s1 >> 11;
4585   s[5] = (s1 >> 19) | (s2 << 2);
4586   s[6] = s2 >> 6;
4587   s[7] = (s2 >> 14) | (s3 << 7);
4588   s[8] = s3 >> 1;
4589   s[9] = s3 >> 9;
4590   s[10] = (s3 >> 17) | (s4 << 4);
4591   s[11] = s4 >> 4;
4592   s[12] = s4 >> 12;
4593   s[13] = (s4 >> 20) | (s5 << 1);
4594   s[14] = s5 >> 7;
4595   s[15] = (s5 >> 15) | (s6 << 6);
4596   s[16] = s6 >> 2;
4597   s[17] = s6 >> 10;
4598   s[18] = (s6 >> 18) | (s7 << 3);
4599   s[19] = s7 >> 5;
4600   s[20] = s7 >> 13;
4601   s[21] = s8 >> 0;
4602   s[22] = s8 >> 8;
4603   s[23] = (s8 >> 16) | (s9 << 5);
4604   s[24] = s9 >> 3;
4605   s[25] = s9 >> 11;
4606   s[26] = (s9 >> 19) | (s10 << 2);
4607   s[27] = s10 >> 6;
4608   s[28] = (s10 >> 14) | (s11 << 7);
4609   s[29] = s11 >> 1;
4610   s[30] = s11 >> 9;
4611   s[31] = s11 >> 17;
4612 }
4613 
ED25519_keypair(uint8_t out_public_key[32],uint8_t out_private_key[64])4614 void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
4615   uint8_t seed[32];
4616   RAND_bytes(seed, 32);
4617   ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
4618 }
4619 
ED25519_sign(uint8_t * out_sig,const uint8_t * message,size_t message_len,const uint8_t private_key[64])4620 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
4621                  const uint8_t private_key[64]) {
4622   uint8_t az[SHA512_DIGEST_LENGTH];
4623   SHA512(private_key, 32, az);
4624 
4625   az[0] &= 248;
4626   az[31] &= 63;
4627   az[31] |= 64;
4628 
4629   SHA512_CTX hash_ctx;
4630   SHA512_Init(&hash_ctx);
4631   SHA512_Update(&hash_ctx, az + 32, 32);
4632   SHA512_Update(&hash_ctx, message, message_len);
4633   uint8_t nonce[SHA512_DIGEST_LENGTH];
4634   SHA512_Final(nonce, &hash_ctx);
4635 
4636   x25519_sc_reduce(nonce);
4637   ge_p3 R;
4638   x25519_ge_scalarmult_base(&R, nonce);
4639   ge_p3_tobytes(out_sig, &R);
4640 
4641   SHA512_Init(&hash_ctx);
4642   SHA512_Update(&hash_ctx, out_sig, 32);
4643   SHA512_Update(&hash_ctx, private_key + 32, 32);
4644   SHA512_Update(&hash_ctx, message, message_len);
4645   uint8_t hram[SHA512_DIGEST_LENGTH];
4646   SHA512_Final(hram, &hash_ctx);
4647 
4648   x25519_sc_reduce(hram);
4649   sc_muladd(out_sig + 32, hram, az, nonce);
4650 
4651   return 1;
4652 }
4653 
ED25519_verify(const uint8_t * message,size_t message_len,const uint8_t signature[64],const uint8_t public_key[32])4654 int ED25519_verify(const uint8_t *message, size_t message_len,
4655                    const uint8_t signature[64], const uint8_t public_key[32]) {
4656   ge_p3 A;
4657   if ((signature[63] & 224) != 0 ||
4658       x25519_ge_frombytes_vartime(&A, public_key) != 0) {
4659     return 0;
4660   }
4661 
4662   fe_neg(A.X, A.X);
4663   fe_neg(A.T, A.T);
4664 
4665   uint8_t pkcopy[32];
4666   OPENSSL_memcpy(pkcopy, public_key, 32);
4667   uint8_t rcopy[32];
4668   OPENSSL_memcpy(rcopy, signature, 32);
4669   uint8_t scopy[32];
4670   OPENSSL_memcpy(scopy, signature + 32, 32);
4671 
4672   SHA512_CTX hash_ctx;
4673   SHA512_Init(&hash_ctx);
4674   SHA512_Update(&hash_ctx, signature, 32);
4675   SHA512_Update(&hash_ctx, public_key, 32);
4676   SHA512_Update(&hash_ctx, message, message_len);
4677   uint8_t h[SHA512_DIGEST_LENGTH];
4678   SHA512_Final(h, &hash_ctx);
4679 
4680   x25519_sc_reduce(h);
4681 
4682   ge_p2 R;
4683   ge_double_scalarmult_vartime(&R, h, &A, scopy);
4684 
4685   uint8_t rcheck[32];
4686   x25519_ge_tobytes(rcheck, &R);
4687 
4688   return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
4689 }
4690 
ED25519_keypair_from_seed(uint8_t out_public_key[32],uint8_t out_private_key[64],const uint8_t seed[32])4691 void ED25519_keypair_from_seed(uint8_t out_public_key[32],
4692                                uint8_t out_private_key[64],
4693                                const uint8_t seed[32]) {
4694   uint8_t az[SHA512_DIGEST_LENGTH];
4695   SHA512(seed, 32, az);
4696 
4697   az[0] &= 248;
4698   az[31] &= 63;
4699   az[31] |= 64;
4700 
4701   ge_p3 A;
4702   x25519_ge_scalarmult_base(&A, az);
4703   ge_p3_tobytes(out_public_key, &A);
4704 
4705   OPENSSL_memcpy(out_private_key, seed, 32);
4706   OPENSSL_memcpy(out_private_key + 32, out_public_key, 32);
4707 }
4708 
4709 
4710 #if defined(BORINGSSL_X25519_X86_64)
4711 
x25519_scalar_mult(uint8_t out[32],const uint8_t scalar[32],const uint8_t point[32])4712 static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
4713                                const uint8_t point[32]) {
4714   x25519_x86_64(out, scalar, point);
4715 }
4716 
4717 #else
4718 
4719 /* Replace (f,g) with (g,f) if b == 1;
4720  * replace (f,g) with (f,g) if b == 0.
4721  *
4722  * Preconditions: b in {0,1}. */
fe_cswap(fe f,fe g,unsigned int b)4723 static void fe_cswap(fe f, fe g, unsigned int b) {
4724   b = 0-b;
4725   unsigned i;
4726   for (i = 0; i < 10; i++) {
4727     int32_t x = f[i] ^ g[i];
4728     x &= b;
4729     f[i] ^= x;
4730     g[i] ^= x;
4731   }
4732 }
4733 
4734 /* h = f * 121666
4735  * Can overlap h with f.
4736  *
4737  * Preconditions:
4738  *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
4739  *
4740  * Postconditions:
4741  *    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
fe_mul121666(fe h,fe f)4742 static void fe_mul121666(fe h, fe f) {
4743   int32_t f0 = f[0];
4744   int32_t f1 = f[1];
4745   int32_t f2 = f[2];
4746   int32_t f3 = f[3];
4747   int32_t f4 = f[4];
4748   int32_t f5 = f[5];
4749   int32_t f6 = f[6];
4750   int32_t f7 = f[7];
4751   int32_t f8 = f[8];
4752   int32_t f9 = f[9];
4753   int64_t h0 = f0 * (int64_t) 121666;
4754   int64_t h1 = f1 * (int64_t) 121666;
4755   int64_t h2 = f2 * (int64_t) 121666;
4756   int64_t h3 = f3 * (int64_t) 121666;
4757   int64_t h4 = f4 * (int64_t) 121666;
4758   int64_t h5 = f5 * (int64_t) 121666;
4759   int64_t h6 = f6 * (int64_t) 121666;
4760   int64_t h7 = f7 * (int64_t) 121666;
4761   int64_t h8 = f8 * (int64_t) 121666;
4762   int64_t h9 = f9 * (int64_t) 121666;
4763   int64_t carry0;
4764   int64_t carry1;
4765   int64_t carry2;
4766   int64_t carry3;
4767   int64_t carry4;
4768   int64_t carry5;
4769   int64_t carry6;
4770   int64_t carry7;
4771   int64_t carry8;
4772   int64_t carry9;
4773 
4774   carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
4775   carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
4776   carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
4777   carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
4778   carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
4779 
4780   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
4781   carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
4782   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
4783   carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
4784   carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
4785 
4786   h[0] = h0;
4787   h[1] = h1;
4788   h[2] = h2;
4789   h[3] = h3;
4790   h[4] = h4;
4791   h[5] = h5;
4792   h[6] = h6;
4793   h[7] = h7;
4794   h[8] = h8;
4795   h[9] = h9;
4796 }
4797 
x25519_scalar_mult_generic(uint8_t out[32],const uint8_t scalar[32],const uint8_t point[32])4798 static void x25519_scalar_mult_generic(uint8_t out[32],
4799                                        const uint8_t scalar[32],
4800                                        const uint8_t point[32]) {
4801   fe x1, x2, z2, x3, z3, tmp0, tmp1;
4802 
4803   uint8_t e[32];
4804   OPENSSL_memcpy(e, scalar, 32);
4805   e[0] &= 248;
4806   e[31] &= 127;
4807   e[31] |= 64;
4808   fe_frombytes(x1, point);
4809   fe_1(x2);
4810   fe_0(z2);
4811   fe_copy(x3, x1);
4812   fe_1(z3);
4813 
4814   unsigned swap = 0;
4815   int pos;
4816   for (pos = 254; pos >= 0; --pos) {
4817     unsigned b = 1 & (e[pos / 8] >> (pos & 7));
4818     swap ^= b;
4819     fe_cswap(x2, x3, swap);
4820     fe_cswap(z2, z3, swap);
4821     swap = b;
4822     fe_sub(tmp0, x3, z3);
4823     fe_sub(tmp1, x2, z2);
4824     fe_add(x2, x2, z2);
4825     fe_add(z2, x3, z3);
4826     fe_mul(z3, tmp0, x2);
4827     fe_mul(z2, z2, tmp1);
4828     fe_sq(tmp0, tmp1);
4829     fe_sq(tmp1, x2);
4830     fe_add(x3, z3, z2);
4831     fe_sub(z2, z3, z2);
4832     fe_mul(x2, tmp1, tmp0);
4833     fe_sub(tmp1, tmp1, tmp0);
4834     fe_sq(z2, z2);
4835     fe_mul121666(z3, tmp1);
4836     fe_sq(x3, x3);
4837     fe_add(tmp0, tmp0, z3);
4838     fe_mul(z3, x1, z2);
4839     fe_mul(z2, tmp1, tmp0);
4840   }
4841   fe_cswap(x2, x3, swap);
4842   fe_cswap(z2, z3, swap);
4843 
4844   fe_invert(z2, z2);
4845   fe_mul(x2, x2, z2);
4846   fe_tobytes(out, x2);
4847 }
4848 
x25519_scalar_mult(uint8_t out[32],const uint8_t scalar[32],const uint8_t point[32])4849 static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
4850                                const uint8_t point[32]) {
4851 #if defined(BORINGSSL_X25519_NEON)
4852   if (CRYPTO_is_NEON_capable()) {
4853     x25519_NEON(out, scalar, point);
4854     return;
4855   }
4856 #endif
4857 
4858   x25519_scalar_mult_generic(out, scalar, point);
4859 }
4860 
4861 #endif  /* BORINGSSL_X25519_X86_64 */
4862 
4863 
X25519_keypair(uint8_t out_public_value[32],uint8_t out_private_key[32])4864 void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {
4865   RAND_bytes(out_private_key, 32);
4866 
4867   /* All X25519 implementations should decode scalars correctly (see
4868    * https://tools.ietf.org/html/rfc7748#section-5). However, if an
4869    * implementation doesn't then it might interoperate with random keys a
4870    * fraction of the time because they'll, randomly, happen to be correctly
4871    * formed.
4872    *
4873    * Thus we do the opposite of the masking here to make sure that our private
4874    * keys are never correctly masked and so, hopefully, any incorrect
4875    * implementations are deterministically broken.
4876    *
4877    * This does not affect security because, although we're throwing away
4878    * entropy, a valid implementation of scalarmult should throw away the exact
4879    * same bits anyway. */
4880   out_private_key[0] |= 7;
4881   out_private_key[31] &= 63;
4882   out_private_key[31] |= 128;
4883 
4884   X25519_public_from_private(out_public_value, out_private_key);
4885 }
4886 
X25519(uint8_t out_shared_key[32],const uint8_t private_key[32],const uint8_t peer_public_value[32])4887 int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
4888            const uint8_t peer_public_value[32]) {
4889   static const uint8_t kZeros[32] = {0};
4890   x25519_scalar_mult(out_shared_key, private_key, peer_public_value);
4891   /* The all-zero output results when the input is a point of small order. */
4892   return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
4893 }
4894 
4895 #if defined(BORINGSSL_X25519_X86_64)
4896 
4897 /* When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
4898  * the Montgomery ladder because it's faster. Otherwise it's done using the
4899  * Ed25519 tables. */
4900 
X25519_public_from_private(uint8_t out_public_value[32],const uint8_t private_key[32])4901 void X25519_public_from_private(uint8_t out_public_value[32],
4902                                 const uint8_t private_key[32]) {
4903   static const uint8_t kMongomeryBasePoint[32] = {9};
4904   x25519_scalar_mult(out_public_value, private_key, kMongomeryBasePoint);
4905 }
4906 
4907 #else
4908 
X25519_public_from_private(uint8_t out_public_value[32],const uint8_t private_key[32])4909 void X25519_public_from_private(uint8_t out_public_value[32],
4910                                 const uint8_t private_key[32]) {
4911 #if defined(BORINGSSL_X25519_NEON)
4912   if (CRYPTO_is_NEON_capable()) {
4913     static const uint8_t kMongomeryBasePoint[32] = {9};
4914     x25519_NEON(out_public_value, private_key, kMongomeryBasePoint);
4915     return;
4916   }
4917 #endif
4918 
4919   uint8_t e[32];
4920   OPENSSL_memcpy(e, private_key, 32);
4921   e[0] &= 248;
4922   e[31] &= 127;
4923   e[31] |= 64;
4924 
4925   ge_p3 A;
4926   x25519_ge_scalarmult_base(&A, e);
4927 
4928   /* We only need the u-coordinate of the curve25519 point. The map is
4929    * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
4930   fe zplusy, zminusy, zminusy_inv;
4931   fe_add(zplusy, A.Z, A.Y);
4932   fe_sub(zminusy, A.Z, A.Y);
4933   fe_invert(zminusy_inv, zminusy);
4934   fe_mul(zplusy, zplusy, zminusy_inv);
4935   fe_tobytes(out_public_value, zplusy);
4936 }
4937 
4938 #endif  /* BORINGSSL_X25519_X86_64 */
4939