206 lines
4.9 KiB
Go
206 lines
4.9 KiB
Go
package crypto
|
|
|
|
// limit = 2^252 + 27742317777372353535851937790883648493.
|
|
// limit fits 15 times in 32 bytes (iow, 15 l is the highest multiple of l that fits in 32 bytes)
|
|
var limit = []byte{0xe3, 0x6a, 0x67, 0x72, 0x8b, 0xce, 0x13, 0x29, 0x8f, 0x30, 0x82, 0x8c, 0x0b, 0xa4, 0x10, 0x39, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0}
|
|
|
|
// less32 each input must be at least 32 bytes long
|
|
func less32(a, b []byte) bool {
|
|
_ = b[31] // bounds check hint to compiler; see golang.org/issue/14808
|
|
|
|
for n := 31; n >= 0; n-- {
|
|
if a[n] < b[n] {
|
|
return true
|
|
} else if a[n] > b[n] {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func load3(in []byte) (result int64) {
|
|
_ = in[2] // bounds check hint to compiler; see golang.org/issue/14808
|
|
result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16)
|
|
return
|
|
}
|
|
|
|
func load4(in []byte) (result int64) {
|
|
_ = in[3] // bounds check hint to compiler; see golang.org/issue/14808
|
|
result = int64(in[0]) | (int64(in[1]) << 8) | (int64(in[2]) << 16) | (int64(in[3]) << 24)
|
|
return
|
|
}
|
|
|
|
func scReduce32(s []byte) {
|
|
_ = s[31] // bounds check hint to compiler; see golang.org/issue/14808
|
|
|
|
s0 := 2097151 & load3(s[:])
|
|
s1 := 2097151 & (load4(s[2:]) >> 5)
|
|
s2 := 2097151 & (load3(s[5:]) >> 2)
|
|
s3 := 2097151 & (load4(s[7:]) >> 7)
|
|
s4 := 2097151 & (load4(s[10:]) >> 4)
|
|
s5 := 2097151 & (load3(s[13:]) >> 1)
|
|
s6 := 2097151 & (load4(s[15:]) >> 6)
|
|
s7 := 2097151 & (load3(s[18:]) >> 3)
|
|
s8 := 2097151 & load3(s[21:])
|
|
s9 := 2097151 & (load4(s[23:]) >> 5)
|
|
s10 := 2097151 & (load3(s[26:]) >> 2)
|
|
s11 := load4(s[28:]) >> 7
|
|
s12 := int64(0)
|
|
var carry [12]int64
|
|
carry[0] = (s0 + (1 << 20)) >> 21
|
|
s1 += carry[0]
|
|
s0 -= carry[0] << 21
|
|
carry[2] = (s2 + (1 << 20)) >> 21
|
|
s3 += carry[2]
|
|
s2 -= carry[2] << 21
|
|
carry[4] = (s4 + (1 << 20)) >> 21
|
|
s5 += carry[4]
|
|
s4 -= carry[4] << 21
|
|
carry[6] = (s6 + (1 << 20)) >> 21
|
|
s7 += carry[6]
|
|
s6 -= carry[6] << 21
|
|
carry[8] = (s8 + (1 << 20)) >> 21
|
|
s9 += carry[8]
|
|
s8 -= carry[8] << 21
|
|
carry[10] = (s10 + (1 << 20)) >> 21
|
|
s11 += carry[10]
|
|
s10 -= carry[10] << 21
|
|
carry[1] = (s1 + (1 << 20)) >> 21
|
|
s2 += carry[1]
|
|
s1 -= carry[1] << 21
|
|
carry[3] = (s3 + (1 << 20)) >> 21
|
|
s4 += carry[3]
|
|
s3 -= carry[3] << 21
|
|
carry[5] = (s5 + (1 << 20)) >> 21
|
|
s6 += carry[5]
|
|
s5 -= carry[5] << 21
|
|
carry[7] = (s7 + (1 << 20)) >> 21
|
|
s8 += carry[7]
|
|
s7 -= carry[7] << 21
|
|
carry[9] = (s9 + (1 << 20)) >> 21
|
|
s10 += carry[9]
|
|
s9 -= carry[9] << 21
|
|
carry[11] = (s11 + (1 << 20)) >> 21
|
|
s12 += carry[11]
|
|
s11 -= carry[11] << 21
|
|
|
|
s0 += s12 * 666643
|
|
s1 += s12 * 470296
|
|
s2 += s12 * 654183
|
|
s3 -= s12 * 997805
|
|
s4 += s12 * 136657
|
|
s5 -= s12 * 683901
|
|
s12 = 0
|
|
|
|
carry[0] = s0 >> 21
|
|
s1 += carry[0]
|
|
s0 -= carry[0] << 21
|
|
carry[1] = s1 >> 21
|
|
s2 += carry[1]
|
|
s1 -= carry[1] << 21
|
|
carry[2] = s2 >> 21
|
|
s3 += carry[2]
|
|
s2 -= carry[2] << 21
|
|
carry[3] = s3 >> 21
|
|
s4 += carry[3]
|
|
s3 -= carry[3] << 21
|
|
carry[4] = s4 >> 21
|
|
s5 += carry[4]
|
|
s4 -= carry[4] << 21
|
|
carry[5] = s5 >> 21
|
|
s6 += carry[5]
|
|
s5 -= carry[5] << 21
|
|
carry[6] = s6 >> 21
|
|
s7 += carry[6]
|
|
s6 -= carry[6] << 21
|
|
carry[7] = s7 >> 21
|
|
s8 += carry[7]
|
|
s7 -= carry[7] << 21
|
|
carry[8] = s8 >> 21
|
|
s9 += carry[8]
|
|
s8 -= carry[8] << 21
|
|
carry[9] = s9 >> 21
|
|
s10 += carry[9]
|
|
s9 -= carry[9] << 21
|
|
carry[10] = s10 >> 21
|
|
s11 += carry[10]
|
|
s10 -= carry[10] << 21
|
|
carry[11] = s11 >> 21
|
|
s12 += carry[11]
|
|
s11 -= carry[11] << 21
|
|
|
|
s0 += s12 * 666643
|
|
s1 += s12 * 470296
|
|
s2 += s12 * 654183
|
|
s3 -= s12 * 997805
|
|
s4 += s12 * 136657
|
|
s5 -= s12 * 683901
|
|
|
|
carry[0] = s0 >> 21
|
|
s1 += carry[0]
|
|
s0 -= carry[0] << 21
|
|
carry[1] = s1 >> 21
|
|
s2 += carry[1]
|
|
s1 -= carry[1] << 21
|
|
carry[2] = s2 >> 21
|
|
s3 += carry[2]
|
|
s2 -= carry[2] << 21
|
|
carry[3] = s3 >> 21
|
|
s4 += carry[3]
|
|
s3 -= carry[3] << 21
|
|
carry[4] = s4 >> 21
|
|
s5 += carry[4]
|
|
s4 -= carry[4] << 21
|
|
carry[5] = s5 >> 21
|
|
s6 += carry[5]
|
|
s5 -= carry[5] << 21
|
|
carry[6] = s6 >> 21
|
|
s7 += carry[6]
|
|
s6 -= carry[6] << 21
|
|
carry[7] = s7 >> 21
|
|
s8 += carry[7]
|
|
s7 -= carry[7] << 21
|
|
carry[8] = s8 >> 21
|
|
s9 += carry[8]
|
|
s8 -= carry[8] << 21
|
|
carry[9] = s9 >> 21
|
|
s10 += carry[9]
|
|
s9 -= carry[9] << 21
|
|
carry[10] = s10 >> 21
|
|
s11 += carry[10]
|
|
s10 -= carry[10] << 21
|
|
|
|
s[0] = byte(s0 >> 0)
|
|
s[1] = byte(s0 >> 8)
|
|
s[2] = byte((s0 >> 16) | (s1 << 5))
|
|
s[3] = byte(s1 >> 3)
|
|
s[4] = byte(s1 >> 11)
|
|
s[5] = byte((s1 >> 19) | (s2 << 2))
|
|
s[6] = byte(s2 >> 6)
|
|
s[7] = byte((s2 >> 14) | (s3 << 7))
|
|
s[8] = byte(s3 >> 1)
|
|
s[9] = byte(s3 >> 9)
|
|
s[10] = byte((s3 >> 17) | (s4 << 4))
|
|
s[11] = byte(s4 >> 4)
|
|
s[12] = byte(s4 >> 12)
|
|
s[13] = byte((s4 >> 20) | (s5 << 1))
|
|
s[14] = byte(s5 >> 7)
|
|
s[15] = byte((s5 >> 15) | (s6 << 6))
|
|
s[16] = byte(s6 >> 2)
|
|
s[17] = byte(s6 >> 10)
|
|
s[18] = byte((s6 >> 18) | (s7 << 3))
|
|
s[19] = byte(s7 >> 5)
|
|
s[20] = byte(s7 >> 13)
|
|
s[21] = byte(s8 >> 0)
|
|
s[22] = byte(s8 >> 8)
|
|
s[23] = byte((s8 >> 16) | (s9 << 5))
|
|
s[24] = byte(s9 >> 3)
|
|
s[25] = byte(s9 >> 11)
|
|
s[26] = byte((s9 >> 19) | (s10 << 2))
|
|
s[27] = byte(s10 >> 6)
|
|
s[28] = byte((s10 >> 14) | (s11 << 7))
|
|
s[29] = byte(s11 >> 1)
|
|
s[30] = byte(s11 >> 9)
|
|
s[31] = byte(s11 >> 17)
|
|
} |