v
Зеркало из https://github.com/vlang/v
1module edwards255192import rand4import encoding.binary5import crypto.internal.subtle6// A Scalar is an integer modulo8//9// l = 2^252 + 2774231777737235353585193779088364849310//11// which is the prime order of the edwards25519 group.12//13// This type works similarly to math/big.Int, and all arguments and14// receivers are allowed to alias.15//16// The zero value is a valid zero element.17struct Scalar {18mut:19// s is the Scalar value in little-endian. The value is always reduced20// between operations.21s [32]u822}23pub const sc_zero = Scalar{25s: [u8(0), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,260, 0, 0, 0]!27}28pub const sc_one = Scalar{30s: [u8(1), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,310, 0, 0, 0]!32}33pub const sc_minus_one = Scalar{35s: [u8(236), 211, 245, 92, 26, 99, 18, 88, 214, 156, 247, 162, 222, 249, 222, 20, 0, 0, 0,360, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16]!37}38// new_scalar return new zero scalar40pub fn new_scalar() Scalar {41return Scalar{}42}43// add sets s = x + y mod l, and returns s.45pub fn (mut s Scalar) add(x Scalar, y Scalar) Scalar {46// s = 1 * x + y mod l47sc_mul_add(mut s.s, sc_one.s, x.s, y.s)48return s49}50// multiply_add sets s = x * y + z mod l, and returns s.52pub fn (mut s Scalar) multiply_add(x Scalar, y Scalar, z Scalar) Scalar {53sc_mul_add(mut s.s, x.s, y.s, z.s)54return s55}56// subtract sets s = x - y mod l, and returns s.58pub fn (mut s Scalar) subtract(x Scalar, y Scalar) Scalar {59// s = -1 * y + x mod l60sc_mul_add(mut s.s, sc_minus_one.s, y.s, x.s)61return s62}63// negate sets s = -x mod l, and returns s.65pub fn (mut s Scalar) negate(x Scalar) Scalar {66// s = -1 * x + 0 mod l67sc_mul_add(mut s.s, sc_minus_one.s, x.s, sc_zero.s)68return s69}70// multiply sets s = x * y mod l, and returns s.72pub fn (mut s Scalar) multiply(x Scalar, y Scalar) Scalar {73// s = x * y + 0 mod l74sc_mul_add(mut s.s, x.s, y.s, sc_zero.s)75return s76}77// set sets s = x, and returns s.79pub fn (mut s Scalar) set(x Scalar) Scalar {80s = x81return s82}83// set_uniform_bytes sets s to an uniformly distributed value given 64 uniformly85// distributed random bytes. If x is not of the right length, set_uniform_bytes86// returns an error, and the receiver is unchanged.87pub fn (mut s Scalar) set_uniform_bytes(x []u8) !Scalar {88if x.len != 64 {89return error('edwards25519: invalid set_uniform_bytes input length')90}91mut wide_bytes := []u8{len: 64}92copy(mut wide_bytes, x)93// for i, item in x {94// wide_bytes[i] = item95//}96sc_reduce(mut s.s, mut wide_bytes)97return s98}99// set_canonical_bytes sets s = x, where x is a 32-byte little-endian encoding of101// s, and returns s. If x is not a canonical encoding of s, set_canonical_bytes102// returns an error, and the receiver is unchanged.103pub fn (mut s Scalar) set_canonical_bytes(x []u8) !Scalar {104if x.len != 32 {105return error('invalid scalar length')106}107// mut bb := []u8{len:32}108mut ss := Scalar{}109for i, item in x {110ss.s[i] = item111}112//_ := copy(mut ss.s[..], x) //its not working114if !is_reduced(ss) {115return error('invalid scalar encoding')116}117s.s = ss.s118return s119}120// is_reduced returns whether the given scalar is reduced modulo l.122fn is_reduced(s Scalar) bool {123for i := s.s.len - 1; i >= 0; i-- {124if s.s[i] > sc_minus_one.s[i] {125return false126}127if s.s[i] < sc_minus_one.s[i] {128return true129}130/*131switch {132case s.s[i] > sc_minus_one.s[i]:133return false134case s.s[i] < sc_minus_one.s[i]:135return true136}137*/138}139return true140}141// set_bytes_with_clamping applies the buffer pruning described in RFC 8032,143// Section 5.1.5 (also known as clamping) and sets s to the result. The input144// must be 32 bytes, and it is not modified. If x is not of the right length,145// `set_bytes_with_clamping` returns an error, and the receiver is unchanged.146//147// Note that since Scalar values are always reduced modulo the prime order of148// the curve, the resulting value will not preserve any of the cofactor-clearing149// properties that clamping is meant to provide. It will however work as150// expected as long as it is applied to points on the prime order subgroup, like151// in Ed25519. In fact, it is lost to history why RFC 8032 adopted the152// irrelevant RFC 7748 clamping, but it is now required for compatibility.153pub fn (mut s Scalar) set_bytes_with_clamping(x []u8) !Scalar {154// The description above omits the purpose of the high bits of the clamping155// for brevity, but those are also lost to reductions, and are also156// irrelevant to edwards25519 as they protect against a specific157// implementation bug that was once observed in a generic Montgomery ladder.158if x.len != 32 {159return error('edwards25519: invalid set_bytes_with_clamping input length')160}161mut wide_bytes := []u8{len: 64, cap: 64}163copy(mut wide_bytes, x)164// for i, item in x {165// wide_bytes[i] = item166//}167wide_bytes[0] &= 248168wide_bytes[31] &= 63169wide_bytes[31] |= 64170sc_reduce(mut s.s, mut wide_bytes)171return s172}173// bytes returns the canonical 32-byte little-endian encoding of s.175pub fn (mut s Scalar) bytes() []u8 {176mut buf := []u8{len: 32}177copy(mut buf, s.s[..])178return buf179}180// equal returns 1 if s and t are equal, and 0 otherwise.182pub fn (s Scalar) equal(t Scalar) int {183return subtle.constant_time_compare(s.s[..], t.s[..])184}185// sc_mul_add and sc_reduce are ported from the public domain, “ref10”187// implementation of ed25519 from SUPERCOP.188fn load3(inp []u8) i64 {189mut r := i64(inp[0])190r |= i64(inp[1]) * 256 // << 8191r |= i64(inp[2]) * 65536 // << 16192return r193}194fn load4(inp []u8) i64 {196mut r := i64(inp[0])197r |= i64(inp[1]) * 256198r |= i64(inp[2]) * 65536199r |= i64(inp[3]) * 16777216200return r201}202// Input:204// a[0]+256*a[1]+...+256^31*a[31] = a205// b[0]+256*b[1]+...+256^31*b[31] = b206// c[0]+256*c[1]+...+256^31*c[31] = c207//208// Output:209// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l210// where l = 2^252 + 27742317777372353535851937790883648493.211fn sc_mul_add(mut s [32]u8, a [32]u8, b [32]u8, c [32]u8) {212a0 := 2097151 & load3(a[..])213a1 := 2097151 & (load4(a[2..]) >> 5)214a2 := 2097151 & (load3(a[5..]) >> 2)215a3 := 2097151 & (load4(a[7..]) >> 7)216a4 := 2097151 & (load4(a[10..]) >> 4)217a5 := 2097151 & (load3(a[13..]) >> 1)218a6 := 2097151 & (load4(a[15..]) >> 6)219a7 := 2097151 & (load3(a[18..]) >> 3)220a8 := 2097151 & load3(a[21..])221a9 := 2097151 & (load4(a[23..]) >> 5)222a10 := 2097151 & (load3(a[26..]) >> 2)223a11 := (load4(a[28..]) >> 7)224b0 := 2097151 & load3(b[..])225b1 := 2097151 & (load4(b[2..]) >> 5)226b2 := 2097151 & (load3(b[5..]) >> 2)227b3 := 2097151 & (load4(b[7..]) >> 7)228b4 := 2097151 & (load4(b[10..]) >> 4)229b5 := 2097151 & (load3(b[13..]) >> 1)230b6 := 2097151 & (load4(b[15..]) >> 6)231b7 := 2097151 & (load3(b[18..]) >> 3)232b8 := 2097151 & load3(b[21..])233b9 := 2097151 & (load4(b[23..]) >> 5)234b10 := 2097151 & (load3(b[26..]) >> 2)235b11 := (load4(b[28..]) >> 7)236c0 := 2097151 & load3(c[..])237c1 := 2097151 & (load4(c[2..]) >> 5)238c2 := 2097151 & (load3(c[5..]) >> 2)239c3 := 2097151 & (load4(c[7..]) >> 7)240c4 := 2097151 & (load4(c[10..]) >> 4)241c5 := 2097151 & (load3(c[13..]) >> 1)242c6 := 2097151 & (load4(c[15..]) >> 6)243c7 := 2097151 & (load3(c[18..]) >> 3)244c8 := 2097151 & load3(c[21..])245c9 := 2097151 & (load4(c[23..]) >> 5)246c10 := 2097151 & (load3(c[26..]) >> 2)247c11 := (load4(c[28..]) >> 7)248mut carry := [23]i64{} // original one250// mut carry := [23]u64{}251mut s0 := c0 + a0 * b0253mut s1 := c1 + a0 * b1 + a1 * b0254mut s2 := c2 + a0 * b2 + a1 * b1 + a2 * b0255mut s3 := c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0256mut s4 := c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0257mut s5 := c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0258mut s6 := c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0259mut s7 := c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0260mut s8 := c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 +261a8 * b0262mut s9 := c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 +263a8 * b1 + a9 * b0264mut s10 := c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 +265a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0266mut s11 := c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 +267a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0268mut s12 := a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 +269a9 * b3 + a10 * b2 + a11 * b1270mut s13 := a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 +271a10 * b3 + a11 * b2272mut s14 := a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 +273a11 * b3274mut s15 := a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4275mut s16 := a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5276mut s17 := a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6277mut s18 := a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7278mut s19 := a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8279mut s20 := a9 * b11 + a10 * b10 + a11 * b9280mut s21 := a10 * b11 + a11 * b10281mut s22 := a11 * b11282mut s23 := i64(0) // original284// mut s23 := u64(0)285// carry[0] = (s0 + (1048576)) >> 21287carry[0] = (s0 + (1048576)) >> 21288s1 += carry[0]289s0 -= carry[0] * 2097152290carry[2] = (s2 + (1048576)) >> 21291s3 += carry[2]292s2 -= carry[2] * 2097152293carry[4] = (s4 + (1048576)) >> 21294s5 += carry[4]295s4 -= carry[4] * 2097152296carry[6] = (s6 + (1048576)) >> 21297s7 += carry[6]298s6 -= carry[6] * 2097152299carry[8] = (s8 + (1048576)) >> 21300s9 += carry[8]301s8 -= carry[8] * 2097152302carry[10] = (s10 + (1048576)) >> 21303s11 += carry[10]304s10 -= carry[10] * 2097152305carry[12] = (s12 + (1048576)) >> 21306s13 += carry[12]307s12 -= carry[12] * 2097152308carry[14] = (s14 + (1048576)) >> 21309s15 += carry[14]310s14 -= carry[14] * 2097152311carry[16] = (s16 + (1048576)) >> 21312s17 += carry[16]313s16 -= carry[16] * 2097152314carry[18] = (s18 + (1048576)) >> 21315s19 += carry[18]316s18 -= carry[18] * 2097152317carry[20] = (s20 + (1048576)) >> 21318s21 += carry[20]319s20 -= carry[20] * 2097152320carry[22] = (s22 + (1048576)) >> 21321s23 += carry[22]322s22 -= carry[22] * 2097152323carry[1] = (s1 + (1048576)) >> 21325s2 += carry[1]326s1 -= carry[1] * 2097152327carry[3] = (s3 + (1048576)) >> 21328s4 += carry[3]329s3 -= carry[3] * 2097152330carry[5] = (s5 + (1048576)) >> 21331s6 += carry[5]332s5 -= carry[5] * 2097152333carry[7] = (s7 + (1048576)) >> 21334s8 += carry[7]335s7 -= carry[7] * 2097152336carry[9] = (s9 + (1048576)) >> 21337s10 += carry[9]338s9 -= carry[9] * 2097152339carry[11] = (s11 + (1048576)) >> 21340s12 += carry[11]341s11 -= carry[11] * 2097152342carry[13] = (s13 + (1048576)) >> 21343s14 += carry[13]344s13 -= carry[13] * 2097152345carry[15] = (s15 + (1048576)) >> 21346s16 += carry[15]347s15 -= carry[15] * 2097152348carry[17] = (s17 + (1048576)) >> 21349s18 += carry[17]350s17 -= carry[17] * 2097152351carry[19] = (s19 + (1048576)) >> 21352s20 += carry[19]353s19 -= carry[19] * 2097152354carry[21] = (s21 + (1048576)) >> 21355s22 += carry[21]356s21 -= carry[21] * 2097152357s11 += s23 * 666643359s12 += s23 * 470296360s13 += s23 * 654183361s14 -= s23 * 997805362s15 += s23 * 136657363s16 -= s23 * 683901364s23 = 0365s10 += s22 * 666643367s11 += s22 * 470296368s12 += s22 * 654183369s13 -= s22 * 997805370s14 += s22 * 136657371s15 -= s22 * 683901372s22 = 0373s9 += s21 * 666643375s10 += s21 * 470296376s11 += s21 * 654183377s12 -= s21 * 997805378s13 += s21 * 136657379s14 -= s21 * 683901380s21 = 0381s8 += s20 * 666643383s9 += s20 * 470296384s10 += s20 * 654183385s11 -= s20 * 997805386s12 += s20 * 136657387s13 -= s20 * 683901388s20 = 0389s7 += s19 * 666643391s8 += s19 * 470296392s9 += s19 * 654183393s10 -= s19 * 997805394s11 += s19 * 136657395s12 -= s19 * 683901396s19 = 0397s6 += s18 * 666643399s7 += s18 * 470296400s8 += s18 * 654183401s9 -= s18 * 997805402s10 += s18 * 136657403s11 -= s18 * 683901404s18 = 0405carry[6] = (s6 + (1048576)) >> 21407s7 += carry[6]408s6 -= carry[6] * 2097152409carry[8] = (s8 + (1048576)) >> 21410s9 += carry[8]411s8 -= carry[8] * 2097152412carry[10] = (s10 + (1048576)) >> 21413s11 += carry[10]414s10 -= carry[10] * 2097152415carry[12] = (s12 + (1048576)) >> 21416s13 += carry[12]417s12 -= carry[12] * 2097152418carry[14] = (s14 + (1048576)) >> 21419s15 += carry[14]420s14 -= carry[14] * 2097152421carry[16] = (s16 + (1048576)) >> 21422s17 += carry[16]423s16 -= carry[16] * 2097152424carry[7] = (s7 + (1048576)) >> 21426s8 += carry[7]427s7 -= carry[7] * 2097152428carry[9] = (s9 + (1048576)) >> 21429s10 += carry[9]430s9 -= carry[9] * 2097152431carry[11] = (s11 + (1048576)) >> 21432s12 += carry[11]433s11 -= carry[11] * 2097152434carry[13] = (s13 + (1048576)) >> 21435s14 += carry[13]436s13 -= carry[13] * 2097152437carry[15] = (s15 + (1048576)) >> 21438s16 += carry[15]439s15 -= carry[15] * 2097152440s5 += s17 * 666643442s6 += s17 * 470296443s7 += s17 * 654183444s8 -= s17 * 997805445s9 += s17 * 136657446s10 -= s17 * 683901447s17 = 0448s4 += s16 * 666643450s5 += s16 * 470296451s6 += s16 * 654183452s7 -= s16 * 997805453s8 += s16 * 136657454s9 -= s16 * 683901455s16 = 0456s3 += s15 * 666643458s4 += s15 * 470296459s5 += s15 * 654183460s6 -= s15 * 997805461s7 += s15 * 136657462s8 -= s15 * 683901463s15 = 0464s2 += s14 * 666643466s3 += s14 * 470296467s4 += s14 * 654183468s5 -= s14 * 997805469s6 += s14 * 136657470s7 -= s14 * 683901471s14 = 0472s1 += s13 * 666643474s2 += s13 * 470296475s3 += s13 * 654183476s4 -= s13 * 997805477s5 += s13 * 136657478s6 -= s13 * 683901479s13 = 0480s0 += s12 * 666643482s1 += s12 * 470296483s2 += s12 * 654183484s3 -= s12 * 997805485s4 += s12 * 136657486s5 -= s12 * 683901487s12 = 0488carry[0] = (s0 + (1048576)) >> 21490s1 += carry[0]491s0 -= carry[0] * 2097152492carry[2] = (s2 + (1048576)) >> 21493s3 += carry[2]494s2 -= carry[2] * 2097152495carry[4] = (s4 + (1048576)) >> 21496s5 += carry[4]497s4 -= carry[4] * 2097152498carry[6] = (s6 + (1048576)) >> 21499s7 += carry[6]500s6 -= carry[6] * 2097152501carry[8] = (s8 + (1048576)) >> 21502s9 += carry[8]503s8 -= carry[8] * 2097152504carry[10] = (s10 + (1048576)) >> 21505s11 += carry[10]506s10 -= carry[10] * 2097152507carry[1] = (s1 + (1048576)) >> 21509s2 += carry[1]510s1 -= carry[1] * 2097152511carry[3] = (s3 + (1048576)) >> 21512s4 += carry[3]513s3 -= carry[3] * 2097152514carry[5] = (s5 + (1048576)) >> 21515s6 += carry[5]516s5 -= carry[5] * 2097152517carry[7] = (s7 + (1048576)) >> 21518s8 += carry[7]519s7 -= carry[7] * 2097152520carry[9] = (s9 + (1048576)) >> 21521s10 += carry[9]522s9 -= carry[9] * 2097152523carry[11] = (s11 + (1048576)) >> 21524s12 += carry[11]525s11 -= carry[11] * 2097152526s0 += s12 * 666643528s1 += s12 * 470296529s2 += s12 * 654183530s3 -= s12 * 997805531s4 += s12 * 136657532s5 -= s12 * 683901533s12 = 0534carry[0] = s0 >> 21536s1 += carry[0]537s0 -= carry[0] * 2097152538carry[1] = s1 >> 21539s2 += carry[1]540s1 -= carry[1] * 2097152541carry[2] = s2 >> 21542s3 += carry[2]543s2 -= carry[2] * 2097152544carry[3] = s3 >> 21545s4 += carry[3]546s3 -= carry[3] * 2097152547carry[4] = s4 >> 21548s5 += carry[4]549s4 -= carry[4] * 2097152550carry[5] = s5 >> 21551s6 += carry[5]552s5 -= carry[5] * 2097152553carry[6] = s6 >> 21554s7 += carry[6]555s6 -= carry[6] * 2097152556carry[7] = s7 >> 21557s8 += carry[7]558s7 -= carry[7] * 2097152559carry[8] = s8 >> 21560s9 += carry[8]561s8 -= carry[8] * 2097152562carry[9] = s9 >> 21563s10 += carry[9]564s9 -= carry[9] * 2097152565carry[10] = s10 >> 21566s11 += carry[10]567s10 -= carry[10] * 2097152568carry[11] = s11 >> 21569s12 += carry[11]570s11 -= carry[11] * 2097152571s0 += s12 * 666643573s1 += s12 * 470296574s2 += s12 * 654183575s3 -= s12 * 997805576s4 += s12 * 136657577s5 -= s12 * 683901578s12 = 0579carry[0] = s0 >> 21581s1 += carry[0]582s0 -= carry[0] * 2097152583carry[1] = s1 >> 21584s2 += carry[1]585s1 -= carry[1] * 2097152586carry[2] = s2 >> 21587s3 += carry[2]588s2 -= carry[2] * 2097152589carry[3] = s3 >> 21590s4 += carry[3]591s3 -= carry[3] * 2097152592carry[4] = s4 >> 21593s5 += carry[4]594s4 -= carry[4] * 2097152595carry[5] = s5 >> 21596s6 += carry[5]597s5 -= carry[5] * 2097152598carry[6] = s6 >> 21599s7 += carry[6]600s6 -= carry[6] * 2097152601carry[7] = s7 >> 21602s8 += carry[7]603s7 -= carry[7] * 2097152604carry[8] = s8 >> 21605s9 += carry[8]606s8 -= carry[8] * 2097152607carry[9] = s9 >> 21608s10 += carry[9]609s9 -= carry[9] * 2097152610carry[10] = s10 >> 21611s11 += carry[10]612s10 -= carry[10] * 2097152613s[0] = u8(s0 >> 0)615s[1] = u8(s0 >> 8)616s[2] = u8((s0 >> 16) | (s1 * 32))617s[3] = u8(s1 >> 3)618s[4] = u8(s1 >> 11)619s[5] = u8((s1 >> 19) | (s2 * 4))620s[6] = u8(s2 >> 6)621s[7] = u8((s2 >> 14) | (s3 * 128))622s[8] = u8(s3 >> 1)623s[9] = u8(s3 >> 9)624s[10] = u8((s3 >> 17) | (s4 * 16))625s[11] = u8(s4 >> 4)626s[12] = u8(s4 >> 12)627s[13] = u8((s4 >> 20) | (s5 * 2))628s[14] = u8(s5 >> 7)629s[15] = u8((s5 >> 15) | (s6 * 64))630s[16] = u8(s6 >> 2)631s[17] = u8(s6 >> 10)632s[18] = u8((s6 >> 18) | (s7 * 8))633s[19] = u8(s7 >> 5)634s[20] = u8(s7 >> 13)635s[21] = u8(s8 >> 0)636s[22] = u8(s8 >> 8)637s[23] = u8((s8 >> 16) | (s9 * 32))638s[24] = u8(s9 >> 3)639s[25] = u8(s9 >> 11)640s[26] = u8((s9 >> 19) | (s10 * 4))641s[27] = u8(s10 >> 6)642s[28] = u8((s10 >> 14) | (s11 * 128))643s[29] = u8(s11 >> 1)644s[30] = u8(s11 >> 9)645s[31] = u8(s11 >> 17)646}647// Input:649// s[0]+256*s[1]+...+256^63*s[63] = s650//651// Output:652// s[0]+256*s[1]+...+256^31*s[31] = s mod l653// where l = 2^252 + 27742317777372353535851937790883648493.654fn sc_reduce(mut out [32]u8, mut s []u8) {655assert out.len == 32656assert s.len == 64657mut s0 := 2097151 & load3(s[..])658mut s1 := 2097151 & (load4(s[2..]) >> 5)659mut s2 := 2097151 & (load3(s[5..]) >> 2)660mut s3 := 2097151 & (load4(s[7..]) >> 7)661mut s4 := 2097151 & (load4(s[10..]) >> 4)662mut s5 := 2097151 & (load3(s[13..]) >> 1)663mut s6 := 2097151 & (load4(s[15..]) >> 6)664mut s7 := 2097151 & (load3(s[18..]) >> 3)665mut s8 := 2097151 & load3(s[21..])666mut s9 := 2097151 & (load4(s[23..]) >> 5)667mut s10 := 2097151 & (load3(s[26..]) >> 2)668mut s11 := 2097151 & (load4(s[28..]) >> 7)669mut s12 := 2097151 & (load4(s[31..]) >> 4)670mut s13 := 2097151 & (load3(s[34..]) >> 1)671mut s14 := 2097151 & (load4(s[36..]) >> 6)672mut s15 := 2097151 & (load3(s[39..]) >> 3)673mut s16 := 2097151 & load3(s[42..])674mut s17 := 2097151 & (load4(s[44..]) >> 5)675mut s18 := 2097151 & (load3(s[47..]) >> 2)676mut s19 := 2097151 & (load4(s[49..]) >> 7)677mut s20 := 2097151 & (load4(s[52..]) >> 4)678mut s21 := 2097151 & (load3(s[55..]) >> 1)679mut s22 := 2097151 & (load4(s[57..]) >> 6)680mut s23 := (load4(s[60..]) >> 3)681s11 += s23 * 666643683s12 += s23 * 470296684s13 += s23 * 654183685s14 -= s23 * 997805686s15 += s23 * 136657687s16 -= s23 * 683901688s23 = 0689s10 += s22 * 666643691s11 += s22 * 470296692s12 += s22 * 654183693s13 -= s22 * 997805694s14 += s22 * 136657695s15 -= s22 * 683901696s22 = 0697s9 += s21 * 666643699s10 += s21 * 470296700s11 += s21 * 654183701s12 -= s21 * 997805702s13 += s21 * 136657703s14 -= s21 * 683901704s21 = 0705s8 += s20 * 666643707s9 += s20 * 470296708s10 += s20 * 654183709s11 -= s20 * 997805710s12 += s20 * 136657711s13 -= s20 * 683901712s20 = 0713s7 += s19 * 666643715s8 += s19 * 470296716s9 += s19 * 654183717s10 -= s19 * 997805718s11 += s19 * 136657719s12 -= s19 * 683901720s19 = 0721s6 += s18 * 666643723s7 += s18 * 470296724s8 += s18 * 654183725s9 -= s18 * 997805726s10 += s18 * 136657727s11 -= s18 * 683901728s18 = 0729mut carry := [17]i64{} // original one731// mut carry := [17]u64{}732carry[6] = (s6 + (1048576)) >> 21734s7 += carry[6]735s6 -= carry[6] * 2097152736carry[8] = (s8 + (1048576)) >> 21737s9 += carry[8]738s8 -= carry[8] * 2097152739carry[10] = (s10 + (1048576)) >> 21740s11 += carry[10]741s10 -= carry[10] * 2097152742carry[12] = (s12 + (1048576)) >> 21743s13 += carry[12]744s12 -= carry[12] * 2097152745carry[14] = (s14 + (1048576)) >> 21746s15 += carry[14]747s14 -= carry[14] * 2097152748carry[16] = (s16 + (1048576)) >> 21749s17 += carry[16]750s16 -= carry[16] * 2097152751carry[7] = (s7 + (1048576)) >> 21753s8 += carry[7]754s7 -= carry[7] * 2097152755carry[9] = (s9 + (1048576)) >> 21756s10 += carry[9]757s9 -= carry[9] * 2097152758carry[11] = (s11 + (1048576)) >> 21759s12 += carry[11]760s11 -= carry[11] * 2097152761carry[13] = (s13 + (1048576)) >> 21762s14 += carry[13]763s13 -= carry[13] * 2097152764carry[15] = (s15 + (1048576)) >> 21765s16 += carry[15]766s15 -= carry[15] * 2097152767s5 += s17 * 666643769s6 += s17 * 470296770s7 += s17 * 654183771s8 -= s17 * 997805772s9 += s17 * 136657773s10 -= s17 * 683901774s17 = 0775s4 += s16 * 666643777s5 += s16 * 470296778s6 += s16 * 654183779s7 -= s16 * 997805780s8 += s16 * 136657781s9 -= s16 * 683901782s16 = 0783s3 += s15 * 666643785s4 += s15 * 470296786s5 += s15 * 654183787s6 -= s15 * 997805788s7 += s15 * 136657789s8 -= s15 * 683901790s15 = 0791s2 += s14 * 666643793s3 += s14 * 470296794s4 += s14 * 654183795s5 -= s14 * 997805796s6 += s14 * 136657797s7 -= s14 * 683901798s14 = 0799s1 += s13 * 666643801s2 += s13 * 470296802s3 += s13 * 654183803s4 -= s13 * 997805804s5 += s13 * 136657805s6 -= s13 * 683901806s13 = 0807s0 += s12 * 666643809s1 += s12 * 470296810s2 += s12 * 654183811s3 -= s12 * 997805812s4 += s12 * 136657813s5 -= s12 * 683901814s12 = 0815carry[0] = (s0 + (1048576)) >> 21817s1 += carry[0]818s0 -= carry[0] * 2097152819carry[2] = (s2 + (1048576)) >> 21820s3 += carry[2]821s2 -= carry[2] * 2097152822carry[4] = (s4 + (1048576)) >> 21823s5 += carry[4]824s4 -= carry[4] * 2097152825carry[6] = (s6 + (1048576)) >> 21826s7 += carry[6]827s6 -= carry[6] * 2097152828carry[8] = (s8 + (1048576)) >> 21829s9 += carry[8]830s8 -= carry[8] * 2097152831carry[10] = (s10 + (1048576)) >> 21832s11 += carry[10]833s10 -= carry[10] * 2097152834carry[1] = (s1 + (1048576)) >> 21836s2 += carry[1]837s1 -= carry[1] * 2097152838carry[3] = (s3 + (1048576)) >> 21839s4 += carry[3]840s3 -= carry[3] * 2097152841carry[5] = (s5 + (1048576)) >> 21842s6 += carry[5]843s5 -= carry[5] * 2097152844carry[7] = (s7 + (1048576)) >> 21845s8 += carry[7]846s7 -= carry[7] * 2097152847carry[9] = (s9 + (1048576)) >> 21848s10 += carry[9]849s9 -= carry[9] * 2097152850carry[11] = (s11 + (1048576)) >> 21851s12 += carry[11]852s11 -= carry[11] * 2097152853s0 += s12 * 666643855s1 += s12 * 470296856s2 += s12 * 654183857s3 -= s12 * 997805858s4 += s12 * 136657859s5 -= s12 * 683901860s12 = 0861carry[0] = s0 >> 21863s1 += carry[0]864s0 -= carry[0] * 2097152865carry[1] = s1 >> 21866s2 += carry[1]867s1 -= carry[1] * 2097152868carry[2] = s2 >> 21869s3 += carry[2]870s2 -= carry[2] * 2097152871carry[3] = s3 >> 21872s4 += carry[3]873s3 -= carry[3] * 2097152874carry[4] = s4 >> 21875s5 += carry[4]876s4 -= carry[4] * 2097152877carry[5] = s5 >> 21878s6 += carry[5]879s5 -= carry[5] * 2097152880carry[6] = s6 >> 21881s7 += carry[6]882s6 -= carry[6] * 2097152883carry[7] = s7 >> 21884s8 += carry[7]885s7 -= carry[7] * 2097152886carry[8] = s8 >> 21887s9 += carry[8]888s8 -= carry[8] * 2097152889carry[9] = s9 >> 21890s10 += carry[9]891s9 -= carry[9] * 2097152892carry[10] = s10 >> 21893s11 += carry[10]894s10 -= carry[10] * 2097152895carry[11] = s11 >> 21896s12 += carry[11]897s11 -= carry[11] * 2097152898s0 += s12 * 666643900s1 += s12 * 470296901s2 += s12 * 654183902s3 -= s12 * 997805903s4 += s12 * 136657904s5 -= s12 * 683901905s12 = 0906carry[0] = s0 >> 21908s1 += carry[0]909s0 -= carry[0] * 2097152910carry[1] = s1 >> 21911s2 += carry[1]912s1 -= carry[1] * 2097152913carry[2] = s2 >> 21914s3 += carry[2]915s2 -= carry[2] * 2097152916carry[3] = s3 >> 21917s4 += carry[3]918s3 -= carry[3] * 2097152919carry[4] = s4 >> 21920s5 += carry[4]921s4 -= carry[4] * 2097152922carry[5] = s5 >> 21923s6 += carry[5]924s5 -= carry[5] * 2097152925carry[6] = s6 >> 21926s7 += carry[6]927s6 -= carry[6] * 2097152928carry[7] = s7 >> 21929s8 += carry[7]930s7 -= carry[7] * 2097152931carry[8] = s8 >> 21932s9 += carry[8]933s8 -= carry[8] * 2097152934carry[9] = s9 >> 21935s10 += carry[9]936s9 -= carry[9] * 2097152937carry[10] = s10 >> 21938s11 += carry[10]939s10 -= carry[10] * 2097152940out[0] = u8(s0 >> 0)942out[1] = u8(s0 >> 8)943out[2] = u8((s0 >> 16) | (s1 * 32))944out[3] = u8(s1 >> 3)945out[4] = u8(s1 >> 11)946out[5] = u8((s1 >> 19) | (s2 * 4))947out[6] = u8(s2 >> 6)948out[7] = u8((s2 >> 14) | (s3 * 128))949out[8] = u8(s3 >> 1)950out[9] = u8(s3 >> 9)951out[10] = u8((s3 >> 17) | (s4 * 16))952out[11] = u8(s4 >> 4)953out[12] = u8(s4 >> 12)954out[13] = u8((s4 >> 20) | (s5 * 2))955out[14] = u8(s5 >> 7)956out[15] = u8((s5 >> 15) | (s6 * 64))957out[16] = u8(s6 >> 2)958out[17] = u8(s6 >> 10)959out[18] = u8((s6 >> 18) | (s7 * 8))960out[19] = u8(s7 >> 5)961out[20] = u8(s7 >> 13)962out[21] = u8(s8 >> 0)963out[22] = u8(s8 >> 8)964out[23] = u8((s8 >> 16) | (s9 * 32))965out[24] = u8(s9 >> 3)966out[25] = u8(s9 >> 11)967out[26] = u8((s9 >> 19) | (s10 * 4))968out[27] = u8(s10 >> 6)969out[28] = u8((s10 >> 14) | (s11 * 128))970out[29] = u8(s11 >> 1)971out[30] = u8(s11 >> 9)972out[31] = u8(s11 >> 17)973}974// non_adjacent_form computes a width-w non-adjacent form for this scalar.976//977// w must be between 2 and 8, or non_adjacent_form will panic.978pub fn (mut s Scalar) non_adjacent_form(w u32) []i8 {979// This implementation is adapted from the one980// in curve25519-dalek and is documented there:981// https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871982if s.s[31] > 127 {983panic('scalar has high bit set illegally')984}985if w < 2 {986panic('w must be at least 2 by the definition of NAF')987} else if w > 8 {988panic('NAF digits must fit in i8')989}990mut naf := []i8{len: 256}992mut digits := [5]u64{}993for i := 0; i < 4; i++ {995digits[i] = binary.little_endian_u64(s.s[i * 8..])996}997width := u64(1 << w)999window_mask := u64(width - 1)1000mut pos := u32(0)1002mut carry := u64(0)1003for pos < 256 {1004idx_64 := pos / 641005idx_bit := pos % 641006mut bitbuf := u64(0)1007if idx_bit < 64 - w {1008// This window's bits are contained in a single u641009bitbuf = digits[idx_64] >> idx_bit1010} else {1011// Combine the current 64 bits with bits from the next 641012bitbuf = (digits[idx_64] >> idx_bit) | (digits[1 + idx_64] << (64 - idx_bit))1013}1014// Add carry into the current window1016window := carry + (bitbuf & window_mask)1017if window & 1 == 0 {1019// If the window value is even, preserve the carry and continue.1020// Why is the carry preserved?1021// If carry == 0 and window & 1 == 0,1022// then the next carry should be 01023// If carry == 1 and window & 1 == 0,1024// then bit_buf & 1 == 1 so the next carry should be 11025pos += 11026continue1027}1028if window < width / 2 {1030carry = 01031naf[pos] = i8(window)1032} else {1033carry = 11034naf[pos] = i8(window) - i8(width)1035}1036pos += w1038}1039return naf1040}1041fn (mut s Scalar) signed_radix16() []i8 {1043if s.s[31] > 127 {1044panic('scalar has high bit set illegally')1045}1046mut digits := []i8{len: 64}1048// Compute unsigned radix-16 digits:1050for i := 0; i < 32; i++ {1051digits[2 * i] = i8(s.s[i] & 15)1052digits[2 * i + 1] = i8((s.s[i] >> 4) & 15)1053}1054// Recenter coefficients:1056for i := 0; i < 63; i++ {1057mut carry := (digits[i] + 8) >> 41058// digits[i] -= unsafe { carry * 16 } // original one1060digits[i] -= unsafe { carry * 16 } // carry * 16 == carry *1061digits[i + 1] += carry1063}1064return digits1066}1067// utility function1069// generate returns a valid (reduced modulo l) Scalar with a distribution1070// weighted towards high, low, and edge values.1071fn generate_scalar(size int) !Scalar {1072/*1073s := scZero1074diceRoll := rand.Intn(100)1075switch {1076case diceRoll == 0:1077case diceRoll == 1:1078s = scOne1079case diceRoll == 2:1080s = scMinusOne1081case diceRoll < 5:1082// Generate a low scalar in [0, 2^125).1083rand.Read(s.s[:16])1084s.s[15] &= (1 * 32) - 11085case diceRoll < 10:1086// Generate a high scalar in [2^252, 2^252 + 2^124).1087s.s[31] = 1 * 161088rand.Read(s.s[:16])1089s.s[15] &= (1 * 16) - 11090default:1091// Generate a valid scalar in [0, l) by returning [0, 2^252) which has a1092// negligibly different distribution (the former has a 2^-127.6 chance1093// of being out of the latter range).1094rand.Read(s.s[:])1095s.s[31] &= (1 * 16) - 11096}1097return reflect.ValueOf(s)1098*/1099mut s := sc_zero1100diceroll := rand.intn(100) or { 0 }1101match true {1102/*1103case diceroll == 0:1104case diceroll == 1:1105*/1106diceroll == 0 || diceroll == 1 {1107s = sc_one1108}1109diceroll == 2 {1110s = sc_minus_one1111}1112diceroll < 5 {1113// rand.Read(s.s[:16]) // read random bytes and fill buf1114// using builtin rand.read([]buf)1115rand.read(mut s.s[..16])1116// buf := rand.read(s.s[..16].len)!1117// copy(mut s.s[..16], buf)1118/*1120for i, item in buf {1121s.s[i] = item1122}1123*/1124s.s[15] &= (1 * 32) - 11125// generate a low scalar in [0, 2^125).1126}1127diceroll < 10 {1128// generate a high scalar in [2^252, 2^252 + 2^124).1129s.s[31] = 1 * 161130// Read generates len(p) random bytes and writes them into p1131// rand.Read(s.s[:16])1132rand.read(mut s.s[..16])1133// buf := rand.read(s.s[..16].len)!1134// copy(mut s.s[..16], buf)1135/*1137for i, item in buf {1138s.s[i] = item1139}1140*/1141s.s[15] &= (1 * 16) - 11142}1143else {1144// generate a valid scalar in [0, l) by returning [0, 2^252) which has a1145// negligibly different distribution (the former has a 2^-127.6 chance1146// of being out of the latter range).1147// rand.Read(s.s[:])1148rand.read(mut s.s[..])1149// buf := crand.read(s.s.len)!1150// copy(mut s.s[..], buf)1151/*1153for i, item in buf {1154s.s[i] = item1155}1156*/1157s.s[31] &= (1 * 16) - 11158}1159}1160return s1161}1162type NotZeroScalar = Scalar1164fn generate_notzero_scalar(size int) !NotZeroScalar {1166mut s := Scalar{}1167for s == sc_zero {1168s = generate_scalar(size)!1169}1170return NotZeroScalar(s)1171}1172