diff --git a/source-code/RuffCT-java/c/crypto-ops-data.c b/source-code/RuffCT-java/c/crypto-ops-data.c new file mode 100644 index 0000000..246808a --- /dev/null +++ b/source-code/RuffCT-java/c/crypto-ops-data.c @@ -0,0 +1,872 @@ +// Copyright (c) 2014-2017, The Monero Project +// +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without modification, are +// permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this list of +// conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, this list +// of conditions and the following disclaimer in the documentation and/or other +// materials provided with the distribution. +// +// 3. Neither the name of the copyright holder nor the names of its contributors may be +// used to endorse or promote products derived from this software without specific +// prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL +// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers + +#include <stdint.h> + +#include "crypto-ops.h" + +/* sqrt(x) is such an integer y that 0 <= y <= p - 1, y % 2 = 0, and y^2 = x (mod p). */ +/* d = -121665 / 121666 */ +const fe fe_d = {-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116}; /* d */ +const fe fe_sqrtm1 = {-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482}; /* sqrt(-1) */ +const fe fe_d2 = {-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199}; /* 2 * d */ + +/* base[i][j] = (j+1)*256^i*B */ +const ge_precomp ge_base[32][8] = { + { + {{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605}, + {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378}, + {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546}}, + {{-12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303}, + {-21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081}, + {26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697}}, + {{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024}, + {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574}, + {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357}}, + {{-17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540}, + {23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397}, + {7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325}}, + {{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380}, + {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306}, + {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942}}, + {{-15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777}, + {-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737}, + {-18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652}}, + {{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766}, + {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701}, + {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300}}, + {{14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726}, + {-7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955}, + {27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425}} + }, { + {{-13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171}, + {27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510}, + {17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660}}, + {{-10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639}, + {29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963}, + {5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950}}, + {{-27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568}, + {12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335}, + {25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628}}, + {{-26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007}, + {-2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772}, + {-22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653}}, + {{2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567}, + {13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686}, + {21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372}}, + {{-13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887}, + {-23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954}, + {-29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953}}, + {{24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833}, + {-16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532}, + {-22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876}}, + {{2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268}, + {33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214}, + {1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038}} + }, { + {{6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800}, + {4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645}, + {-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664}}, + {{1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933}, + {-25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182}, + {-17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222}}, + {{-18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991}, + {20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880}, + {9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092}}, + {{-16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295}, + {19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788}, + {8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553}}, + {{-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026}, + {11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347}, + {-18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033}}, + {{-23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395}, + {-27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278}, + {1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890}}, + {{32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995}, + {-30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596}, + {-11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891}}, + {{31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060}, + {11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608}, + {-20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606}} + }, { + {{7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389}, + {-19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016}, + {-11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341}}, + {{-22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505}, + {14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553}, + {-28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655}}, + {{15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220}, + {12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631}, + {-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099}}, + {{26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556}, + {14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749}, + {236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930}}, + {{1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391}, + {5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253}, + {20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066}}, + {{24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958}, + {-11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082}, + {-28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383}}, + {{-30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521}, + {-11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807}, + {23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948}}, + {{9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134}, + {-32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455}, + {27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629}} + }, { + {{-8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069}, + {-32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746}, + {24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919}}, + {{11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837}, + {8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906}, + {-28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771}}, + {{-25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817}, + {10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098}, + {10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409}}, + {{-12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504}, + {-26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727}, + {28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420}}, + {{-32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003}, + {-1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605}, + {-30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384}}, + {{-26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701}, + {-23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683}, + {29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708}}, + {{-3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563}, + {-19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260}, + {-5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387}}, + {{-19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672}, + {23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686}, + {-24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665}} + }, { + {{11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182}, + {-31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277}, + {14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628}}, + {{-4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474}, + {-26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539}, + {-25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822}}, + {{-10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970}, + {19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756}, + {-24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508}}, + {{-26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683}, + {-10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655}, + {-20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158}}, + {{-4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125}, + {-15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839}, + {-20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664}}, + {{27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294}, + {-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899}, + {-11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070}}, + {{3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294}, + {-15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949}, + {-21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083}}, + {{31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420}, + {-5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940}, + {29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396}} + }, { + {{-12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567}, + {20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127}, + {-16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294}}, + {{-12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887}, + {22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964}, + {16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195}}, + {{9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244}, + {24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999}, + {-1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762}}, + {{-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274}, + {-33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236}, + {-16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605}}, + {{-13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761}, + {-22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884}, + {-6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482}}, + {{-24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638}, + {-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490}, + {-32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170}}, + {{5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736}, + {10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124}, + {-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392}}, + {{8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029}, + {6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048}, + {28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958}} + }, { + {{24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593}, + {26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071}, + {-11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692}}, + {{11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687}, + {-160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441}, + {-20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001}}, + {{-938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460}, + {-19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007}, + {-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762}}, + {{15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005}, + {-9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674}, + {4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035}}, + {{7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590}, + {-2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957}, + {-30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812}}, + {{33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740}, + {-18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122}, + {-27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158}}, + {{8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885}, + {26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140}, + {19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857}}, + {{801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155}, + {19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260}, + {19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483}} + }, { + {{-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677}, + {32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815}, + {22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751}}, + {{-16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203}, + {-11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208}, + {1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230}}, + {{16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850}, + {-21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389}, + {-9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968}}, + {{-11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689}, + {14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880}, + {5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304}}, + {{30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632}, + {-3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412}, + {20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566}}, + {{-20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038}, + {-26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232}, + {-1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943}}, + {{17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856}, + {23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738}, + {15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971}}, + {{-27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718}, + {-13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697}, + {-11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883}} + }, { + {{5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912}, + {-26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358}, + {3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849}}, + {{29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307}, + {-14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977}, + {-6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335}}, + {{-29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644}, + {-22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616}, + {-27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735}}, + {{-21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099}, + {29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341}, + {-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336}}, + {{-23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646}, + {31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425}, + {-17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388}}, + {{-31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743}, + {-16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822}, + {-8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462}}, + {{18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985}, + {9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702}, + {-22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797}}, + {{21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293}, + {27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100}, + {19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688}} + }, { + {{12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186}, + {2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610}, + {-2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707}}, + {{7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220}, + {915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025}, + {32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044}}, + {{32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992}, + {-4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027}, + {21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197}}, + {{8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901}, + {31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952}, + {19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878}}, + {{-28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390}, + {32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730}, + {2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730}}, + {{-19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180}, + {-30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272}, + {-15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715}}, + {{-22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970}, + {-31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772}, + {-17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865}}, + {{15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750}, + {20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373}, + {32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348}} + }, { + {{9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144}, + {-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195}, + {5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086}}, + {{-13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684}, + {-8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518}, + {-2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233}}, + {{-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793}, + {-2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794}, + {580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435}}, + {{23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921}, + {13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518}, + {2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563}}, + {{14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278}, + {-27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024}, + {4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030}}, + {{10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783}, + {27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717}, + {6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844}}, + {{14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333}, + {16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048}, + {22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760}}, + {{-4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760}, + {-15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757}, + {-2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112}} + }, { + {{-19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468}, + {3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184}, + {10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289}}, + {{15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066}, + {24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882}, + {13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226}}, + {{16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101}, + {29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279}, + {-6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811}}, + {{27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709}, + {20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714}, + {-2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121}}, + {{9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464}, + {12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847}, + {13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400}}, + {{4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414}, + {-15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158}, + {17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045}}, + {{-461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415}, + {-5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459}, + {-31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079}}, + {{21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412}, + {-20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743}, + {-14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836}} + }, { + {{12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022}, + {18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429}, + {-6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065}}, + {{30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861}, + {10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000}, + {-33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101}}, + {{32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815}, + {29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642}, + {10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966}}, + {{25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574}, + {-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742}, + {-18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689}}, + {{12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020}, + {-10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772}, + {3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982}}, + {{-14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953}, + {-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218}, + {-17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265}}, + {{29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073}, + {-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325}, + {-11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798}}, + {{-4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870}, + {-7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863}, + {-13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927}} + }, { + {{-2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267}, + {-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663}, + {22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862}}, + {{-25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673}, + {15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943}, + {15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020}}, + {{-4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238}, + {11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064}, + {14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795}}, + {{15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052}, + {-10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904}, + {29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531}}, + {{-13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979}, + {-5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841}, + {10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431}}, + {{10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324}, + {-31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940}, + {10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320}}, + {{-15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184}, + {14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114}, + {30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878}}, + {{12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784}, + {-2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091}, + {-16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585}} + }, { + {{-8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208}, + {10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864}, + {17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661}}, + {{7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233}, + {26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212}, + {-12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525}}, + {{-24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068}, + {9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397}, + {-8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988}}, + {{5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889}, + {32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038}, + {14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697}}, + {{20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875}, + {-25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905}, + {-25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656}}, + {{11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818}, + {27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714}, + {10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203}}, + {{20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931}, + {-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024}, + {-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084}}, + {{-1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204}, + {20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817}, + {27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667}} + }, { + {{11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504}, + {-12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768}, + {-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255}}, + {{6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790}, + {1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438}, + {-22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333}}, + {{17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971}, + {31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905}, + {29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409}}, + {{12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409}, + {6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499}, + {-8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363}}, + {{28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664}, + {-11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324}, + {-21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940}}, + {{13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990}, + {-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914}, + {-25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290}}, + {{24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257}, + {-6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433}, + {-16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236}}, + {{-12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045}, + {11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093}, + {-1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347}} + }, { + {{-28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191}, + {-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507}, + {-12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906}}, + {{3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018}, + {-16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109}, + {-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926}}, + {{-24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528}, + {8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625}, + {-32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286}}, + {{2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033}, + {27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866}, + {21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896}}, + {{30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075}, + {26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347}, + {-22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437}}, + {{-5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165}, + {-18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588}, + {-32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193}}, + {{-19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017}, + {-28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883}, + {21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961}}, + {{8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043}, + {29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663}, + {-20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362}} + }, { + {{-33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860}, + {2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466}, + {-24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063}}, + {{-26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997}, + {-1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295}, + {-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369}}, + {{9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385}, + {18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109}, + {2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906}}, + {{4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424}, + {-19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185}, + {7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962}}, + {{-7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325}, + {10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593}, + {696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404}}, + {{-11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644}, + {17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801}, + {26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804}}, + {{-31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884}, + {-586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577}, + {-9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849}}, + {{32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473}, + {-8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644}, + {-2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319}} + }, { + {{-11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599}, + {-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768}, + {-27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084}}, + {{-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328}, + {-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369}, + {20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920}}, + {{12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815}, + {-32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025}, + {-21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397}}, + {{-20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448}, + {6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981}, + {30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165}}, + {{32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501}, + {17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073}, + {-1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861}}, + {{14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845}, + {-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211}, + {18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870}}, + {{10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096}, + {33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803}, + {-32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168}}, + {{30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965}, + {-14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505}, + {18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598}} + }, { + {{5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782}, + {5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900}, + {-31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479}}, + {{-12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208}, + {8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232}, + {17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719}}, + {{16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271}, + {-4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326}, + {-8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132}}, + {{14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300}, + {8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570}, + {15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670}}, + {{-2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994}, + {-12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913}, + {31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317}}, + {{-25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730}, + {842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096}, + {-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078}}, + {{-15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411}, + {-19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905}, + {-9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654}}, + {{-28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870}, + {-23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498}, + {12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579}} + }, { + {{14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677}, + {10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647}, + {-2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743}}, + {{-25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468}, + {21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375}, + {-25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155}}, + {{6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725}, + {-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612}, + {-10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943}}, + {{-30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944}, + {30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928}, + {9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406}}, + {{22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139}, + {-8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963}, + {-31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693}}, + {{1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734}, + {-448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680}, + {-24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410}}, + {{-9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931}, + {-16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654}, + {22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710}}, + {{29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180}, + {-26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684}, + {-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895}} + }, { + {{22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501}, + {-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413}, + {6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880}}, + {{-8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874}, + {22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962}, + {-7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899}}, + {{21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152}, + {9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063}, + {7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080}}, + {{-9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146}, + {-17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183}, + {-19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133}}, + {{-32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421}, + {-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622}, + {-4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197}}, + {{2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663}, + {31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753}, + {4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755}}, + {{-9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862}, + {-26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118}, + {26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171}}, + {{15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380}, + {16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824}, + {28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270}} + }, { + {{-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438}, + {-31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584}, + {-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562}}, + {{30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471}, + {18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610}, + {19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269}}, + {{-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650}, + {14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369}, + {19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461}}, + {{30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462}, + {-5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793}, + {-2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218}}, + {{-24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226}, + {18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019}, + {-15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037}}, + {{31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171}, + {-17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132}, + {-28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841}}, + {{21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181}, + {-33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210}, + {-1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040}}, + {{3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935}, + {24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105}, + {-28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814}} + }, { + {{793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852}, + {5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581}, + {-4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646}}, + {{10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844}, + {10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025}, + {27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453}}, + {{-23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068}, + {4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192}, + {-17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921}}, + {{-9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259}, + {-12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426}, + {-5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072}}, + {{-17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305}, + {13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832}, + {28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943}}, + {{-16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011}, + {24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447}, + {17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494}}, + {{-28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245}, + {-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859}, + {28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915}}, + {{16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707}, + {10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848}, + {-11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224}} + }, { + {{-25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391}, + {15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215}, + {-23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101}}, + {{23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713}, + {21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849}, + {-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930}}, + {{-29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940}, + {-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031}, + {-17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404}}, + {{-25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243}, + {-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116}, + {-24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525}}, + {{-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509}, + {-10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883}, + {15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865}}, + {{-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660}, + {4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273}, + {-28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138}}, + {{-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560}, + {-10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135}, + {2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941}}, + {{-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739}, + {18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756}, + {-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819}} + }, { + {{-6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347}, + {-27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028}, + {21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075}}, + {{16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799}, + {-2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609}, + {-25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817}}, + {{-23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989}, + {-30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523}, + {4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278}}, + {{31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045}, + {19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377}, + {24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480}}, + {{17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016}, + {510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426}, + {18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525}}, + {{13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396}, + {9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080}, + {12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892}}, + {{15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275}, + {11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074}, + {20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140}}, + {{-16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717}, + {-1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101}, + {24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127}} + }, { + {{-12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632}, + {-26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415}, + {-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160}}, + {{31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876}, + {22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625}, + {-15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478}}, + {{27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164}, + {26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595}, + {-7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248}}, + {{-16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858}, + {15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193}, + {8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184}}, + {{-18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942}, + {-1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635}, + {21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948}}, + {{11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935}, + {-25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415}, + {-15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416}}, + {{-7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018}, + {4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778}, + {366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659}}, + {{-24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385}, + {18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503}, + {476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329}} + }, { + {{20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056}, + {-13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838}, + {24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948}}, + {{-3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691}, + {-15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118}, + {-23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517}}, + {{-20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269}, + {-6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904}, + {-23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589}}, + {{-28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193}, + {-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910}, + {-30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930}}, + {{-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667}, + {25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481}, + {-9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876}}, + {{22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640}, + {-8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278}, + {-21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112}}, + {{26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272}, + {17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012}, + {-10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221}}, + {{30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046}, + {13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345}, + {-19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310}} + }, { + {{19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937}, + {31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636}, + {-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008}}, + {{-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429}, + {-15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576}, + {31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066}}, + {{-9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490}, + {-12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104}, + {33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053}}, + {{31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275}, + {-20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511}, + {22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095}}, + {{-28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439}, + {23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939}, + {-23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424}}, + {{2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310}, + {3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608}, + {-32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079}}, + {{-23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101}, + {21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418}, + {18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576}}, + {{30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356}, + {9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996}, + {-26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099}} + }, { + {{-26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728}, + {-13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658}, + {-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242}}, + {{-21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001}, + {-4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766}, + {18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373}}, + {{26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458}, + {-17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628}, + {-13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657}}, + {{-23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062}, + {25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616}, + {31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014}}, + {{24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383}, + {-25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814}, + {-20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718}}, + {{30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417}, + {2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222}, + {33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444}}, + {{-20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597}, + {23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970}, + {1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799}}, + {{-5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647}, + {13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511}, + {-29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032}} + }, { + {{9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834}, + {-23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461}, + {29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062}}, + {{-25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516}, + {-20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547}, + {-24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240}}, + {{-17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038}, + {-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741}, + {16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103}}, + {{-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747}, + {-1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323}, + {31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016}}, + {{-14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373}, + {15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228}, + {-2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141}}, + {{16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399}, + {11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831}, + {-185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376}}, + {{-32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313}, + {-18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958}, + {-6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577}}, + {{-22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743}, + {29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684}, + {-20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476}} + } +}; + +const ge_precomp ge_Bi[8] = { + {{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605}, + {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378}, + {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546}}, {{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024}, + {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574}, + {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357}}, {{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380}, + {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306}, + {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942}}, {{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766}, + {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701}, + {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300}}, {{-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877}, + {-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951}, + {4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784}}, {{-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436}, + {25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918}, + {23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877}}, {{-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800}, + {-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305}, + {-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300}}, {{-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876}, + {-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619}, + {-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683}} +}; + +/* A = 2 * (1 - d) / (1 + d) = 486662 */ +const fe fe_ma2 = {-12721188, -3529, 0, 0, 0, 0, 0, 0, 0, 0}; /* -A^2 */ +const fe fe_ma = {-486662, 0, 0, 0, 0, 0, 0, 0, 0, 0}; /* -A */ +const fe fe_fffb1 = {-31702527, -2466483, -26106795, -12203692, -12169197, -321052, 14850977, -10296299, -16929438, -407568}; /* sqrt(-2 * A * (A + 2)) */ +const fe fe_fffb2 = {8166131, -6741800, -17040804, 3154616, 21461005, 1466302, -30876704, -6368709, 10503587, -13363080}; /* sqrt(2 * A * (A + 2)) */ +const fe fe_fffb3 = {-13620103, 14639558, 4532995, 7679154, 16815101, -15883539, -22863840, -14813421, 13716513, -6477756}; /* sqrt(-sqrt(-1) * A * (A + 2)) */ +const fe fe_fffb4 = {-21786234, -12173074, 21573800, 4524538, -4645904, 16204591, 8012863, -8444712, 3212926, 6885324}; /* sqrt(sqrt(-1) * A * (A + 2)) */ diff --git a/source-code/RuffCT-java/c/crypto-ops.c b/source-code/RuffCT-java/c/crypto-ops.c new file mode 100644 index 0000000..e104825 --- /dev/null +++ b/source-code/RuffCT-java/c/crypto-ops.c @@ -0,0 +1,2923 @@ +// Copyright (c) 2014-2017, The Monero Project +// +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without modification, are +// permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this list of +// conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, this list +// of conditions and the following disclaimer in the documentation and/or other +// materials provided with the distribution. +// +// 3. Neither the name of the copyright holder nor the names of its contributors may be +// used to endorse or promote products derived from this software without specific +// prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL +// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers + +#include <assert.h> +#include <stdint.h> + +/*#include "warnings.h"*/ +#include "crypto-ops.h" + +// DISABLE_VS_WARNINGS(4146 4244) + +/* Predeclarations */ + +static void fe_mul(fe, const fe, const fe); +static void fe_sq(fe, const fe); +static void ge_madd(ge_p1p1 *, const ge_p3 *, const ge_precomp *); +static void ge_msub(ge_p1p1 *, const ge_p3 *, const ge_precomp *); +static void ge_p2_0(ge_p2 *); +static void ge_p3_dbl(ge_p1p1 *, const ge_p3 *); +static void fe_divpowm1(fe, const fe, const fe); + +/* Common functions */ + +uint64_t load_3(const unsigned char *in) { + uint64_t result; + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + return result; +} + +uint64_t load_4(const unsigned char *in) +{ + uint64_t result; + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + result |= ((uint64_t) in[3]) << 24; + return result; +} + +/* From fe_0.c */ + +/* +h = 0 +*/ + +static void fe_0(fe h) { + h[0] = 0; + h[1] = 0; + h[2] = 0; + h[3] = 0; + h[4] = 0; + h[5] = 0; + h[6] = 0; + h[7] = 0; + h[8] = 0; + h[9] = 0; +} + +/* From fe_1.c */ + +/* +h = 1 +*/ + +static void fe_1(fe h) { + h[0] = 1; + h[1] = 0; + h[2] = 0; + h[3] = 0; + h[4] = 0; + h[5] = 0; + h[6] = 0; + h[7] = 0; + h[8] = 0; + h[9] = 0; +} + +/* From fe_add.c */ + +/* +h = f + g +Can overlap h with f or g. + +Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + +Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +*/ + +void fe_add(fe h, const fe f, const fe g) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t h0 = f0 + g0; + int32_t h1 = f1 + g1; + int32_t h2 = f2 + g2; + int32_t h3 = f3 + g3; + int32_t h4 = f4 + g4; + int32_t h5 = f5 + g5; + int32_t h6 = f6 + g6; + int32_t h7 = f7 + g7; + int32_t h8 = f8 + g8; + int32_t h9 = f9 + g9; + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* From fe_cmov.c */ + +/* +Replace (f,g) with (g,g) if b == 1; +replace (f,g) with (f,g) if b == 0. + +Preconditions: b in {0,1}. +*/ + +static void fe_cmov(fe f, const fe g, unsigned int b) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t x0 = f0 ^ g0; + int32_t x1 = f1 ^ g1; + int32_t x2 = f2 ^ g2; + int32_t x3 = f3 ^ g3; + int32_t x4 = f4 ^ g4; + int32_t x5 = f5 ^ g5; + int32_t x6 = f6 ^ g6; + int32_t x7 = f7 ^ g7; + int32_t x8 = f8 ^ g8; + int32_t x9 = f9 ^ g9; + assert((((b - 1) & ~b) | ((b - 2) & ~(b - 1))) == (unsigned int) -1); + b = -b; + x0 &= b; + x1 &= b; + x2 &= b; + x3 &= b; + x4 &= b; + x5 &= b; + x6 &= b; + x7 &= b; + x8 &= b; + x9 &= b; + f[0] = f0 ^ x0; + f[1] = f1 ^ x1; + f[2] = f2 ^ x2; + f[3] = f3 ^ x3; + f[4] = f4 ^ x4; + f[5] = f5 ^ x5; + f[6] = f6 ^ x6; + f[7] = f7 ^ x7; + f[8] = f8 ^ x8; + f[9] = f9 ^ x9; +} + +/* From fe_copy.c */ + +/* +h = f +*/ + +static void fe_copy(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + h[0] = f0; + h[1] = f1; + h[2] = f2; + h[3] = f3; + h[4] = f4; + h[5] = f5; + h[6] = f6; + h[7] = f7; + h[8] = f8; + h[9] = f9; +} + +/* From fe_invert.c */ + +void fe_invert(fe out, const fe z) { + fe t0; + fe t1; + fe t2; + fe t3; + int i; + + fe_sq(t0, z); + fe_sq(t1, t0); + fe_sq(t1, t1); + fe_mul(t1, z, t1); + fe_mul(t0, t0, t1); + fe_sq(t2, t0); + fe_mul(t1, t1, t2); + fe_sq(t2, t1); + for (i = 0; i < 4; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t2, t1); + for (i = 0; i < 9; ++i) { + fe_sq(t2, t2); + } + fe_mul(t2, t2, t1); + fe_sq(t3, t2); + for (i = 0; i < 19; ++i) { + fe_sq(t3, t3); + } + fe_mul(t2, t3, t2); + fe_sq(t2, t2); + for (i = 0; i < 9; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t2, t1); + for (i = 0; i < 49; ++i) { + fe_sq(t2, t2); + } + fe_mul(t2, t2, t1); + fe_sq(t3, t2); + for (i = 0; i < 99; ++i) { + fe_sq(t3, t3); + } + fe_mul(t2, t3, t2); + fe_sq(t2, t2); + for (i = 0; i < 49; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t1, t1); + for (i = 0; i < 4; ++i) { + fe_sq(t1, t1); + } + fe_mul(out, t1, t0); + + return; +} + +/* From fe_isnegative.c */ + +/* +return 1 if f is in {1,3,5,...,q-2} +return 0 if f is in {0,2,4,...,q-1} + +Preconditions: + |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +*/ + +static int fe_isnegative(const fe f) { + unsigned char s[32]; + fe_tobytes(s, f); + return s[0] & 1; +} + +/* From fe_isnonzero.c, modified */ + +static int fe_isnonzero(const fe f) { + unsigned char s[32]; + fe_tobytes(s, f); + return (((int) (s[0] | s[1] | s[2] | s[3] | s[4] | s[5] | s[6] | s[7] | s[8] | + s[9] | s[10] | s[11] | s[12] | s[13] | s[14] | s[15] | s[16] | s[17] | + s[18] | s[19] | s[20] | s[21] | s[22] | s[23] | s[24] | s[25] | s[26] | + s[27] | s[28] | s[29] | s[30] | s[31]) - 1) >> 8) + 1; +} + +/* From fe_mul.c */ + +/* +h = f * g +Can overlap h with f or g. + +Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + +Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. +*/ + +/* +Notes on implementation strategy: + +Using schoolbook multiplication. +Karatsuba would save a little in some cost models. + +Most multiplications by 2 and 19 are 32-bit precomputations; +cheaper than 64-bit postcomputations. + +There is one remaining multiplication by 19 in the carry chain; +one *19 precomputation can be merged into this, +but the resulting data flow is considerably less clean. + +There are 12 carries below. +10 of them are 2-way parallelizable and vectorizable. +Can get away with 11 carries, but then data flow is much deeper. + +With tighter constraints on inputs can squeeze carries into int32. +*/ + +static void fe_mul(fe h, const fe f, const fe g) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */ + int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ + int32_t g3_19 = 19 * g3; + int32_t g4_19 = 19 * g4; + int32_t g5_19 = 19 * g5; + int32_t g6_19 = 19 * g6; + int32_t g7_19 = 19 * g7; + int32_t g8_19 = 19 * g8; + int32_t g9_19 = 19 * g9; + int32_t f1_2 = 2 * f1; + int32_t f3_2 = 2 * f3; + int32_t f5_2 = 2 * f5; + int32_t f7_2 = 2 * f7; + int32_t f9_2 = 2 * f9; + int64_t f0g0 = f0 * (int64_t) g0; + int64_t f0g1 = f0 * (int64_t) g1; + int64_t f0g2 = f0 * (int64_t) g2; + int64_t f0g3 = f0 * (int64_t) g3; + int64_t f0g4 = f0 * (int64_t) g4; + int64_t f0g5 = f0 * (int64_t) g5; + int64_t f0g6 = f0 * (int64_t) g6; + int64_t f0g7 = f0 * (int64_t) g7; + int64_t f0g8 = f0 * (int64_t) g8; + int64_t f0g9 = f0 * (int64_t) g9; + int64_t f1g0 = f1 * (int64_t) g0; + int64_t f1g1_2 = f1_2 * (int64_t) g1; + int64_t f1g2 = f1 * (int64_t) g2; + int64_t f1g3_2 = f1_2 * (int64_t) g3; + int64_t f1g4 = f1 * (int64_t) g4; + int64_t f1g5_2 = f1_2 * (int64_t) g5; + int64_t f1g6 = f1 * (int64_t) g6; + int64_t f1g7_2 = f1_2 * (int64_t) g7; + int64_t f1g8 = f1 * (int64_t) g8; + int64_t f1g9_38 = f1_2 * (int64_t) g9_19; + int64_t f2g0 = f2 * (int64_t) g0; + int64_t f2g1 = f2 * (int64_t) g1; + int64_t f2g2 = f2 * (int64_t) g2; + int64_t f2g3 = f2 * (int64_t) g3; + int64_t f2g4 = f2 * (int64_t) g4; + int64_t f2g5 = f2 * (int64_t) g5; + int64_t f2g6 = f2 * (int64_t) g6; + int64_t f2g7 = f2 * (int64_t) g7; + int64_t f2g8_19 = f2 * (int64_t) g8_19; + int64_t f2g9_19 = f2 * (int64_t) g9_19; + int64_t f3g0 = f3 * (int64_t) g0; + int64_t f3g1_2 = f3_2 * (int64_t) g1; + int64_t f3g2 = f3 * (int64_t) g2; + int64_t f3g3_2 = f3_2 * (int64_t) g3; + int64_t f3g4 = f3 * (int64_t) g4; + int64_t f3g5_2 = f3_2 * (int64_t) g5; + int64_t f3g6 = f3 * (int64_t) g6; + int64_t f3g7_38 = f3_2 * (int64_t) g7_19; + int64_t f3g8_19 = f3 * (int64_t) g8_19; + int64_t f3g9_38 = f3_2 * (int64_t) g9_19; + int64_t f4g0 = f4 * (int64_t) g0; + int64_t f4g1 = f4 * (int64_t) g1; + int64_t f4g2 = f4 * (int64_t) g2; + int64_t f4g3 = f4 * (int64_t) g3; + int64_t f4g4 = f4 * (int64_t) g4; + int64_t f4g5 = f4 * (int64_t) g5; + int64_t f4g6_19 = f4 * (int64_t) g6_19; + int64_t f4g7_19 = f4 * (int64_t) g7_19; + int64_t f4g8_19 = f4 * (int64_t) g8_19; + int64_t f4g9_19 = f4 * (int64_t) g9_19; + int64_t f5g0 = f5 * (int64_t) g0; + int64_t f5g1_2 = f5_2 * (int64_t) g1; + int64_t f5g2 = f5 * (int64_t) g2; + int64_t f5g3_2 = f5_2 * (int64_t) g3; + int64_t f5g4 = f5 * (int64_t) g4; + int64_t f5g5_38 = f5_2 * (int64_t) g5_19; + int64_t f5g6_19 = f5 * (int64_t) g6_19; + int64_t f5g7_38 = f5_2 * (int64_t) g7_19; + int64_t f5g8_19 = f5 * (int64_t) g8_19; + int64_t f5g9_38 = f5_2 * (int64_t) g9_19; + int64_t f6g0 = f6 * (int64_t) g0; + int64_t f6g1 = f6 * (int64_t) g1; + int64_t f6g2 = f6 * (int64_t) g2; + int64_t f6g3 = f6 * (int64_t) g3; + int64_t f6g4_19 = f6 * (int64_t) g4_19; + int64_t f6g5_19 = f6 * (int64_t) g5_19; + int64_t f6g6_19 = f6 * (int64_t) g6_19; + int64_t f6g7_19 = f6 * (int64_t) g7_19; + int64_t f6g8_19 = f6 * (int64_t) g8_19; + int64_t f6g9_19 = f6 * (int64_t) g9_19; + int64_t f7g0 = f7 * (int64_t) g0; + int64_t f7g1_2 = f7_2 * (int64_t) g1; + int64_t f7g2 = f7 * (int64_t) g2; + int64_t f7g3_38 = f7_2 * (int64_t) g3_19; + int64_t f7g4_19 = f7 * (int64_t) g4_19; + int64_t f7g5_38 = f7_2 * (int64_t) g5_19; + int64_t f7g6_19 = f7 * (int64_t) g6_19; + int64_t f7g7_38 = f7_2 * (int64_t) g7_19; + int64_t f7g8_19 = f7 * (int64_t) g8_19; + int64_t f7g9_38 = f7_2 * (int64_t) g9_19; + int64_t f8g0 = f8 * (int64_t) g0; + int64_t f8g1 = f8 * (int64_t) g1; + int64_t f8g2_19 = f8 * (int64_t) g2_19; + int64_t f8g3_19 = f8 * (int64_t) g3_19; + int64_t f8g4_19 = f8 * (int64_t) g4_19; + int64_t f8g5_19 = f8 * (int64_t) g5_19; + int64_t f8g6_19 = f8 * (int64_t) g6_19; + int64_t f8g7_19 = f8 * (int64_t) g7_19; + int64_t f8g8_19 = f8 * (int64_t) g8_19; + int64_t f8g9_19 = f8 * (int64_t) g9_19; + int64_t f9g0 = f9 * (int64_t) g0; + int64_t f9g1_38 = f9_2 * (int64_t) g1_19; + int64_t f9g2_19 = f9 * (int64_t) g2_19; + int64_t f9g3_38 = f9_2 * (int64_t) g3_19; + int64_t f9g4_19 = f9 * (int64_t) g4_19; + int64_t f9g5_38 = f9_2 * (int64_t) g5_19; + int64_t f9g6_19 = f9 * (int64_t) g6_19; + int64_t f9g7_38 = f9_2 * (int64_t) g7_19; + int64_t f9g8_19 = f9 * (int64_t) g8_19; + int64_t f9g9_38 = f9_2 * (int64_t) g9_19; + int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; + int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; + int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; + int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; + int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; + int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; + int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; + int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; + int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38; + int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + /* + |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) + i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 + |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) + i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 + */ + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + /* |h0| <= 2^25 */ + /* |h4| <= 2^25 */ + /* |h1| <= 1.71*2^59 */ + /* |h5| <= 1.71*2^59 */ + + carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + /* |h1| <= 2^24; from now on fits into int32 */ + /* |h5| <= 2^24; from now on fits into int32 */ + /* |h2| <= 1.41*2^60 */ + /* |h6| <= 1.41*2^60 */ + + carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + /* |h2| <= 2^25; from now on fits into int32 unchanged */ + /* |h6| <= 2^25; from now on fits into int32 unchanged */ + /* |h3| <= 1.71*2^59 */ + /* |h7| <= 1.71*2^59 */ + + carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + /* |h3| <= 2^24; from now on fits into int32 unchanged */ + /* |h7| <= 2^24; from now on fits into int32 unchanged */ + /* |h4| <= 1.72*2^34 */ + /* |h8| <= 1.41*2^60 */ + + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + /* |h4| <= 2^25; from now on fits into int32 unchanged */ + /* |h8| <= 2^25; from now on fits into int32 unchanged */ + /* |h5| <= 1.01*2^24 */ + /* |h9| <= 1.71*2^59 */ + + carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + /* |h9| <= 2^24; from now on fits into int32 unchanged */ + /* |h0| <= 1.1*2^39 */ + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + /* |h0| <= 2^25; from now on fits into int32 unchanged */ + /* |h1| <= 1.01*2^24 */ + + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* From fe_neg.c */ + +/* +h = -f + +Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + +Postconditions: + |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +*/ + +static void fe_neg(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t h0 = -f0; + int32_t h1 = -f1; + int32_t h2 = -f2; + int32_t h3 = -f3; + int32_t h4 = -f4; + int32_t h5 = -f5; + int32_t h6 = -f6; + int32_t h7 = -f7; + int32_t h8 = -f8; + int32_t h9 = -f9; + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* From fe_sq.c */ + +/* +h = f * f +Can overlap h with f. + +Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + +Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. +*/ + +/* +See fe_mul.c for discussion of implementation strategy. +*/ + +static void fe_sq(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t f0_2 = 2 * f0; + int32_t f1_2 = 2 * f1; + int32_t f2_2 = 2 * f2; + int32_t f3_2 = 2 * f3; + int32_t f4_2 = 2 * f4; + int32_t f5_2 = 2 * f5; + int32_t f6_2 = 2 * f6; + int32_t f7_2 = 2 * f7; + int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ + int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ + int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ + int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ + int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ + int64_t f0f0 = f0 * (int64_t) f0; + int64_t f0f1_2 = f0_2 * (int64_t) f1; + int64_t f0f2_2 = f0_2 * (int64_t) f2; + int64_t f0f3_2 = f0_2 * (int64_t) f3; + int64_t f0f4_2 = f0_2 * (int64_t) f4; + int64_t f0f5_2 = f0_2 * (int64_t) f5; + int64_t f0f6_2 = f0_2 * (int64_t) f6; + int64_t f0f7_2 = f0_2 * (int64_t) f7; + int64_t f0f8_2 = f0_2 * (int64_t) f8; + int64_t f0f9_2 = f0_2 * (int64_t) f9; + int64_t f1f1_2 = f1_2 * (int64_t) f1; + int64_t f1f2_2 = f1_2 * (int64_t) f2; + int64_t f1f3_4 = f1_2 * (int64_t) f3_2; + int64_t f1f4_2 = f1_2 * (int64_t) f4; + int64_t f1f5_4 = f1_2 * (int64_t) f5_2; + int64_t f1f6_2 = f1_2 * (int64_t) f6; + int64_t f1f7_4 = f1_2 * (int64_t) f7_2; + int64_t f1f8_2 = f1_2 * (int64_t) f8; + int64_t f1f9_76 = f1_2 * (int64_t) f9_38; + int64_t f2f2 = f2 * (int64_t) f2; + int64_t f2f3_2 = f2_2 * (int64_t) f3; + int64_t f2f4_2 = f2_2 * (int64_t) f4; + int64_t f2f5_2 = f2_2 * (int64_t) f5; + int64_t f2f6_2 = f2_2 * (int64_t) f6; + int64_t f2f7_2 = f2_2 * (int64_t) f7; + int64_t f2f8_38 = f2_2 * (int64_t) f8_19; + int64_t f2f9_38 = f2 * (int64_t) f9_38; + int64_t f3f3_2 = f3_2 * (int64_t) f3; + int64_t f3f4_2 = f3_2 * (int64_t) f4; + int64_t f3f5_4 = f3_2 * (int64_t) f5_2; + int64_t f3f6_2 = f3_2 * (int64_t) f6; + int64_t f3f7_76 = f3_2 * (int64_t) f7_38; + int64_t f3f8_38 = f3_2 * (int64_t) f8_19; + int64_t f3f9_76 = f3_2 * (int64_t) f9_38; + int64_t f4f4 = f4 * (int64_t) f4; + int64_t f4f5_2 = f4_2 * (int64_t) f5; + int64_t f4f6_38 = f4_2 * (int64_t) f6_19; + int64_t f4f7_38 = f4 * (int64_t) f7_38; + int64_t f4f8_38 = f4_2 * (int64_t) f8_19; + int64_t f4f9_38 = f4 * (int64_t) f9_38; + int64_t f5f5_38 = f5 * (int64_t) f5_38; + int64_t f5f6_38 = f5_2 * (int64_t) f6_19; + int64_t f5f7_76 = f5_2 * (int64_t) f7_38; + int64_t f5f8_38 = f5_2 * (int64_t) f8_19; + int64_t f5f9_76 = f5_2 * (int64_t) f9_38; + int64_t f6f6_19 = f6 * (int64_t) f6_19; + int64_t f6f7_38 = f6 * (int64_t) f7_38; + int64_t f6f8_38 = f6_2 * (int64_t) f8_19; + int64_t f6f9_38 = f6 * (int64_t) f9_38; + int64_t f7f7_38 = f7 * (int64_t) f7_38; + int64_t f7f8_38 = f7_2 * (int64_t) f8_19; + int64_t f7f9_76 = f7_2 * (int64_t) f9_38; + int64_t f8f8_19 = f8 * (int64_t) f8_19; + int64_t f8f9_38 = f8 * (int64_t) f9_38; + int64_t f9f9_38 = f9 * (int64_t) f9_38; + int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; + int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; + int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; + int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; + int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; + int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; + int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; + int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; + int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; + int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + + carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + + carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + + carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* From fe_sq2.c */ + +/* +h = 2 * f * f +Can overlap h with f. + +Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + +Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. +*/ + +/* +See fe_mul.c for discussion of implementation strategy. +*/ + +static void fe_sq2(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t f0_2 = 2 * f0; + int32_t f1_2 = 2 * f1; + int32_t f2_2 = 2 * f2; + int32_t f3_2 = 2 * f3; + int32_t f4_2 = 2 * f4; + int32_t f5_2 = 2 * f5; + int32_t f6_2 = 2 * f6; + int32_t f7_2 = 2 * f7; + int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ + int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ + int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ + int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ + int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ + int64_t f0f0 = f0 * (int64_t) f0; + int64_t f0f1_2 = f0_2 * (int64_t) f1; + int64_t f0f2_2 = f0_2 * (int64_t) f2; + int64_t f0f3_2 = f0_2 * (int64_t) f3; + int64_t f0f4_2 = f0_2 * (int64_t) f4; + int64_t f0f5_2 = f0_2 * (int64_t) f5; + int64_t f0f6_2 = f0_2 * (int64_t) f6; + int64_t f0f7_2 = f0_2 * (int64_t) f7; + int64_t f0f8_2 = f0_2 * (int64_t) f8; + int64_t f0f9_2 = f0_2 * (int64_t) f9; + int64_t f1f1_2 = f1_2 * (int64_t) f1; + int64_t f1f2_2 = f1_2 * (int64_t) f2; + int64_t f1f3_4 = f1_2 * (int64_t) f3_2; + int64_t f1f4_2 = f1_2 * (int64_t) f4; + int64_t f1f5_4 = f1_2 * (int64_t) f5_2; + int64_t f1f6_2 = f1_2 * (int64_t) f6; + int64_t f1f7_4 = f1_2 * (int64_t) f7_2; + int64_t f1f8_2 = f1_2 * (int64_t) f8; + int64_t f1f9_76 = f1_2 * (int64_t) f9_38; + int64_t f2f2 = f2 * (int64_t) f2; + int64_t f2f3_2 = f2_2 * (int64_t) f3; + int64_t f2f4_2 = f2_2 * (int64_t) f4; + int64_t f2f5_2 = f2_2 * (int64_t) f5; + int64_t f2f6_2 = f2_2 * (int64_t) f6; + int64_t f2f7_2 = f2_2 * (int64_t) f7; + int64_t f2f8_38 = f2_2 * (int64_t) f8_19; + int64_t f2f9_38 = f2 * (int64_t) f9_38; + int64_t f3f3_2 = f3_2 * (int64_t) f3; + int64_t f3f4_2 = f3_2 * (int64_t) f4; + int64_t f3f5_4 = f3_2 * (int64_t) f5_2; + int64_t f3f6_2 = f3_2 * (int64_t) f6; + int64_t f3f7_76 = f3_2 * (int64_t) f7_38; + int64_t f3f8_38 = f3_2 * (int64_t) f8_19; + int64_t f3f9_76 = f3_2 * (int64_t) f9_38; + int64_t f4f4 = f4 * (int64_t) f4; + int64_t f4f5_2 = f4_2 * (int64_t) f5; + int64_t f4f6_38 = f4_2 * (int64_t) f6_19; + int64_t f4f7_38 = f4 * (int64_t) f7_38; + int64_t f4f8_38 = f4_2 * (int64_t) f8_19; + int64_t f4f9_38 = f4 * (int64_t) f9_38; + int64_t f5f5_38 = f5 * (int64_t) f5_38; + int64_t f5f6_38 = f5_2 * (int64_t) f6_19; + int64_t f5f7_76 = f5_2 * (int64_t) f7_38; + int64_t f5f8_38 = f5_2 * (int64_t) f8_19; + int64_t f5f9_76 = f5_2 * (int64_t) f9_38; + int64_t f6f6_19 = f6 * (int64_t) f6_19; + int64_t f6f7_38 = f6 * (int64_t) f7_38; + int64_t f6f8_38 = f6_2 * (int64_t) f8_19; + int64_t f6f9_38 = f6 * (int64_t) f9_38; + int64_t f7f7_38 = f7 * (int64_t) f7_38; + int64_t f7f8_38 = f7_2 * (int64_t) f8_19; + int64_t f7f9_76 = f7_2 * (int64_t) f9_38; + int64_t f8f8_19 = f8 * (int64_t) f8_19; + int64_t f8f9_38 = f8 * (int64_t) f9_38; + int64_t f9f9_38 = f9 * (int64_t) f9_38; + int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; + int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; + int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; + int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; + int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; + int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; + int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; + int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; + int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; + int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + h0 += h0; + h1 += h1; + h2 += h2; + h3 += h3; + h4 += h4; + h5 += h5; + h6 += h6; + h7 += h7; + h8 += h8; + h9 += h9; + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + + carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + + carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + + carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* From fe_sub.c */ + +/* +h = f - g +Can overlap h with f or g. + +Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + +Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +*/ + +static void fe_sub(fe h, const fe f, const fe g) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t h0 = f0 - g0; + int32_t h1 = f1 - g1; + int32_t h2 = f2 - g2; + int32_t h3 = f3 - g3; + int32_t h4 = f4 - g4; + int32_t h5 = f5 - g5; + int32_t h6 = f6 - g6; + int32_t h7 = f7 - g7; + int32_t h8 = f8 - g8; + int32_t h9 = f9 - g9; + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* From fe_tobytes.c */ + +/* +Preconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + +Write p=2^255-19; q=floor(h/p). +Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). + +Proof: + Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. + Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. + + Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). + Then 0<y<1. + + Write r=h-pq. + Have 0<=r<=p-1=2^255-20. + Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1. + + Write x=r+19(2^-255)r+y. + Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q. + + Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1)) + so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. +*/ + +void fe_tobytes(unsigned char *s, const fe h) { + int32_t h0 = h[0]; + int32_t h1 = h[1]; + int32_t h2 = h[2]; + int32_t h3 = h[3]; + int32_t h4 = h[4]; + int32_t h5 = h[5]; + int32_t h6 = h[6]; + int32_t h7 = h[7]; + int32_t h8 = h[8]; + int32_t h9 = h[9]; + int32_t q; + int32_t carry0; + int32_t carry1; + int32_t carry2; + int32_t carry3; + int32_t carry4; + int32_t carry5; + int32_t carry6; + int32_t carry7; + int32_t carry8; + int32_t carry9; + + q = (19 * h9 + (((int32_t) 1) << 24)) >> 25; + q = (h0 + q) >> 26; + q = (h1 + q) >> 25; + q = (h2 + q) >> 26; + q = (h3 + q) >> 25; + q = (h4 + q) >> 26; + q = (h5 + q) >> 25; + q = (h6 + q) >> 26; + q = (h7 + q) >> 25; + q = (h8 + q) >> 26; + q = (h9 + q) >> 25; + + /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ + h0 += 19 * q; + /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ + + carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26; + carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25; + carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26; + carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25; + carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26; + carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25; + carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26; + carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25; + carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26; + carry9 = h9 >> 25; h9 -= carry9 << 25; + /* h10 = carry9 */ + + /* + Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. + Have h0+...+2^230 h9 between 0 and 2^255-1; + evidently 2^255 h10-2^255 q = 0. + Goal: Output h0+...+2^230 h9. + */ + + s[0] = h0 >> 0; + s[1] = h0 >> 8; + s[2] = h0 >> 16; + s[3] = (h0 >> 24) | (h1 << 2); + s[4] = h1 >> 6; + s[5] = h1 >> 14; + s[6] = (h1 >> 22) | (h2 << 3); + s[7] = h2 >> 5; + s[8] = h2 >> 13; + s[9] = (h2 >> 21) | (h3 << 5); + s[10] = h3 >> 3; + s[11] = h3 >> 11; + s[12] = (h3 >> 19) | (h4 << 6); + s[13] = h4 >> 2; + s[14] = h4 >> 10; + s[15] = h4 >> 18; + s[16] = h5 >> 0; + s[17] = h5 >> 8; + s[18] = h5 >> 16; + s[19] = (h5 >> 24) | (h6 << 1); + s[20] = h6 >> 7; + s[21] = h6 >> 15; + s[22] = (h6 >> 23) | (h7 << 3); + s[23] = h7 >> 5; + s[24] = h7 >> 13; + s[25] = (h7 >> 21) | (h8 << 4); + s[26] = h8 >> 4; + s[27] = h8 >> 12; + s[28] = (h8 >> 20) | (h9 << 6); + s[29] = h9 >> 2; + s[30] = h9 >> 10; + s[31] = h9 >> 18; +} + +/* From ge_add.c */ + +void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { + fe t0; + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->YplusX); + fe_mul(r->Y, r->Y, q->YminusX); + fe_mul(r->T, q->T2d, p->T); + fe_mul(r->X, p->Z, q->Z); + fe_add(t0, r->X, r->X); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_add(r->Z, t0, r->T); + fe_sub(r->T, t0, r->T); +} + +/* From ge_double_scalarmult.c, modified */ + +static void slide(signed char *r, const unsigned char *a) { + int i; + int b; + int k; + + for (i = 0; i < 256; ++i) { + r[i] = 1 & (a[i >> 3] >> (i & 7)); + } + + for (i = 0; i < 256; ++i) { + if (r[i]) { + for (b = 1; b <= 6 && i + b < 256; ++b) { + if (r[i + b]) { + if (r[i] + (r[i + b] << b) <= 15) { + r[i] += r[i + b] << b; r[i + b] = 0; + } else if (r[i] - (r[i + b] << b) >= -15) { + r[i] -= r[i + b] << b; + for (k = i + b; k < 256; ++k) { + if (!r[k]) { + r[k] = 1; + break; + } + r[k] = 0; + } + } else + break; + } + } + } + } +} + +void ge_dsm_precomp(ge_dsmp r, const ge_p3 *s) { + ge_p1p1 t; + ge_p3 s2, u; + ge_p3_to_cached(&r[0], s); + ge_p3_dbl(&t, s); ge_p1p1_to_p3(&s2, &t); + ge_add(&t, &s2, &r[0]); ge_p1p1_to_p3(&u, &t); ge_p3_to_cached(&r[1], &u); + ge_add(&t, &s2, &r[1]); ge_p1p1_to_p3(&u, &t); ge_p3_to_cached(&r[2], &u); + ge_add(&t, &s2, &r[2]); ge_p1p1_to_p3(&u, &t); ge_p3_to_cached(&r[3], &u); + ge_add(&t, &s2, &r[3]); ge_p1p1_to_p3(&u, &t); ge_p3_to_cached(&r[4], &u); + ge_add(&t, &s2, &r[4]); ge_p1p1_to_p3(&u, &t); ge_p3_to_cached(&r[5], &u); + ge_add(&t, &s2, &r[5]); ge_p1p1_to_p3(&u, &t); ge_p3_to_cached(&r[6], &u); + ge_add(&t, &s2, &r[6]); ge_p1p1_to_p3(&u, &t); ge_p3_to_cached(&r[7], &u); +} + +/* +r = a * A + b * B +where a = a[0]+256*a[1]+...+256^31 a[31]. +and b = b[0]+256*b[1]+...+256^31 b[31]. +B is the Ed25519 base point (x,4/5) with x positive. +*/ + +void ge_double_scalarmult_base_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b) { + signed char aslide[256]; + signed char bslide[256]; + ge_dsmp Ai; /* A, 3A, 5A, 7A, 9A, 11A, 13A, 15A */ + ge_p1p1 t; + ge_p3 u; + int i; + + slide(aslide, a); + slide(bslide, b); + ge_dsm_precomp(Ai, A); + + ge_p2_0(r); + + for (i = 255; i >= 0; --i) { + if (aslide[i] || bslide[i]) break; + } + + for (; i >= 0; --i) { + ge_p2_dbl(&t, r); + + if (aslide[i] > 0) { + ge_p1p1_to_p3(&u, &t); + ge_add(&t, &u, &Ai[aslide[i]/2]); + } else if (aslide[i] < 0) { + ge_p1p1_to_p3(&u, &t); + ge_sub(&t, &u, &Ai[(-aslide[i])/2]); + } + + if (bslide[i] > 0) { + ge_p1p1_to_p3(&u, &t); + ge_madd(&t, &u, &ge_Bi[bslide[i]/2]); + } else if (bslide[i] < 0) { + ge_p1p1_to_p3(&u, &t); + ge_msub(&t, &u, &ge_Bi[(-bslide[i])/2]); + } + + ge_p1p1_to_p2(r, &t); + } +} + +/* From ge_frombytes.c, modified */ + +int ge_frombytes_vartime(ge_p3 *h, const unsigned char *s) { + fe u; + fe v; + fe vxx; + fe check; + + /* From fe_frombytes.c */ + + int64_t h0 = load_4(s); + int64_t h1 = load_3(s + 4) << 6; + int64_t h2 = load_3(s + 7) << 5; + int64_t h3 = load_3(s + 10) << 3; + int64_t h4 = load_3(s + 13) << 2; + int64_t h5 = load_4(s + 16); + int64_t h6 = load_3(s + 20) << 7; + int64_t h7 = load_3(s + 23) << 5; + int64_t h8 = load_3(s + 26) << 4; + int64_t h9 = (load_3(s + 29) & 8388607) << 2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + /* Validate the number to be canonical */ + if (h9 == 33554428 && h8 == 268435440 && h7 == 536870880 && h6 == 2147483520 && + h5 == 4294967295 && h4 == 67108860 && h3 == 134217720 && h2 == 536870880 && + h1 == 1073741760 && h0 >= 4294967277) { + return -1; + } + + carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + h->Y[0] = h0; + h->Y[1] = h1; + h->Y[2] = h2; + h->Y[3] = h3; + h->Y[4] = h4; + h->Y[5] = h5; + h->Y[6] = h6; + h->Y[7] = h7; + h->Y[8] = h8; + h->Y[9] = h9; + + /* End fe_frombytes.c */ + + fe_1(h->Z); + fe_sq(u, h->Y); + fe_mul(v, u, fe_d); + fe_sub(u, u, h->Z); /* u = y^2-1 */ + fe_add(v, v, h->Z); /* v = dy^2+1 */ + + fe_divpowm1(h->X, u, v); /* x = uv^3(uv^7)^((q-5)/8) */ + + fe_sq(vxx, h->X); + fe_mul(vxx, vxx, v); + fe_sub(check, vxx, u); /* vx^2-u */ + if (fe_isnonzero(check)) { + fe_add(check, vxx, u); /* vx^2+u */ + if (fe_isnonzero(check)) { + return -1; + } + fe_mul(h->X, h->X, fe_sqrtm1); + } + + if (fe_isnegative(h->X) != (s[31] >> 7)) { + /* If x = 0, the sign must be positive */ + if (!fe_isnonzero(h->X)) { + return -1; + } + fe_neg(h->X, h->X); + } + + fe_mul(h->T, h->X, h->Y); + return 0; +} + +/* From ge_madd.c */ + +/* +r = p + q +*/ + +static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { + fe t0; + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->yplusx); + fe_mul(r->Y, r->Y, q->yminusx); + fe_mul(r->T, q->xy2d, p->T); + fe_add(t0, p->Z, p->Z); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_add(r->Z, t0, r->T); + fe_sub(r->T, t0, r->T); +} + +/* From ge_msub.c */ + +/* +r = p - q +*/ + +static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { + fe t0; + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->yminusx); + fe_mul(r->Y, r->Y, q->yplusx); + fe_mul(r->T, q->xy2d, p->T); + fe_add(t0, p->Z, p->Z); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_sub(r->Z, t0, r->T); + fe_add(r->T, t0, r->T); +} + +/* From ge_p1p1_to_p2.c */ + +/* +r = p +*/ + +void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) { + fe_mul(r->X, p->X, p->T); + fe_mul(r->Y, p->Y, p->Z); + fe_mul(r->Z, p->Z, p->T); +} + +/* From ge_p1p1_to_p3.c */ + +/* +r = p +*/ + +void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) { + fe_mul(r->X, p->X, p->T); + fe_mul(r->Y, p->Y, p->Z); + fe_mul(r->Z, p->Z, p->T); + fe_mul(r->T, p->X, p->Y); +} + +/* From ge_p2_0.c */ + +static void ge_p2_0(ge_p2 *h) { + fe_0(h->X); + fe_1(h->Y); + fe_1(h->Z); +} + +/* From ge_p2_dbl.c */ + +/* +r = 2 * p +*/ + +void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) { + fe t0; + fe_sq(r->X, p->X); + fe_sq(r->Z, p->Y); + fe_sq2(r->T, p->Z); + fe_add(r->Y, p->X, p->Y); + fe_sq(t0, r->Y); + fe_add(r->Y, r->Z, r->X); + fe_sub(r->Z, r->Z, r->X); + fe_sub(r->X, t0, r->Y); + fe_sub(r->T, r->T, r->Z); +} + +/* From ge_p3_0.c */ + +static void ge_p3_0(ge_p3 *h) { + fe_0(h->X); + fe_1(h->Y); + fe_1(h->Z); + fe_0(h->T); +} + +/* From ge_p3_dbl.c */ + +/* +r = 2 * p +*/ + +static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) { + ge_p2 q; + ge_p3_to_p2(&q, p); + ge_p2_dbl(r, &q); +} + +/* From ge_p3_to_cached.c */ + +/* +r = p +*/ + +void ge_p3_to_cached(ge_cached *r, const ge_p3 *p) { + fe_add(r->YplusX, p->Y, p->X); + fe_sub(r->YminusX, p->Y, p->X); + fe_copy(r->Z, p->Z); + fe_mul(r->T2d, p->T, fe_d2); +} + +/* From ge_p3_to_p2.c */ + +/* +r = p +*/ + +void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) { + fe_copy(r->X, p->X); + fe_copy(r->Y, p->Y); + fe_copy(r->Z, p->Z); +} + +/* From ge_p3_tobytes.c */ + +void ge_p3_tobytes(unsigned char *s, const ge_p3 *h) { + fe recip; + fe x; + fe y; + + fe_invert(recip, h->Z); + fe_mul(x, h->X, recip); + fe_mul(y, h->Y, recip); + fe_tobytes(s, y); + s[31] ^= fe_isnegative(x) << 7; +} + +/* From ge_precomp_0.c */ + +static void ge_precomp_0(ge_precomp *h) { + fe_1(h->yplusx); + fe_1(h->yminusx); + fe_0(h->xy2d); +} + +/* From ge_scalarmult_base.c */ + +static unsigned char equal(signed char b, signed char c) { + unsigned char ub = b; + unsigned char uc = c; + unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */ + uint32_t y = x; /* 0: yes; 1..255: no */ + y -= 1; /* 4294967295: yes; 0..254: no */ + y >>= 31; /* 1: yes; 0: no */ + return y; +} + +static unsigned char negative(signed char b) { + unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */ + x >>= 63; /* 1: yes; 0: no */ + return x; +} + +static void ge_precomp_cmov(ge_precomp *t, const ge_precomp *u, unsigned char b) { + fe_cmov(t->yplusx, u->yplusx, b); + fe_cmov(t->yminusx, u->yminusx, b); + fe_cmov(t->xy2d, u->xy2d, b); +} + +static void select(ge_precomp *t, int pos, signed char b) { + ge_precomp minust; + unsigned char bnegative = negative(b); + unsigned char babs = b - (((-bnegative) & b) << 1); + + ge_precomp_0(t); + ge_precomp_cmov(t, &ge_base[pos][0], equal(babs, 1)); + ge_precomp_cmov(t, &ge_base[pos][1], equal(babs, 2)); + ge_precomp_cmov(t, &ge_base[pos][2], equal(babs, 3)); + ge_precomp_cmov(t, &ge_base[pos][3], equal(babs, 4)); + ge_precomp_cmov(t, &ge_base[pos][4], equal(babs, 5)); + ge_precomp_cmov(t, &ge_base[pos][5], equal(babs, 6)); + ge_precomp_cmov(t, &ge_base[pos][6], equal(babs, 7)); + ge_precomp_cmov(t, &ge_base[pos][7], equal(babs, 8)); + fe_copy(minust.yplusx, t->yminusx); + fe_copy(minust.yminusx, t->yplusx); + fe_neg(minust.xy2d, t->xy2d); + ge_precomp_cmov(t, &minust, bnegative); +} + +/* +h = a * B +where a = a[0]+256*a[1]+...+256^31 a[31] +B is the Ed25519 base point (x,4/5) with x positive. + +Preconditions: + a[31] <= 127 +*/ + +void ge_scalarmult_base(ge_p3 *h, const unsigned char *a) { + signed char e[64]; + signed char carry; + ge_p1p1 r; + ge_p2 s; + ge_precomp t; + int i; + + for (i = 0; i < 32; ++i) { + e[2 * i + 0] = (a[i] >> 0) & 15; + e[2 * i + 1] = (a[i] >> 4) & 15; + } + /* each e[i] is between 0 and 15 */ + /* e[63] is between 0 and 7 */ + + carry = 0; + for (i = 0; i < 63; ++i) { + e[i] += carry; + carry = e[i] + 8; + carry >>= 4; + e[i] -= carry << 4; + } + e[63] += carry; + /* each e[i] is between -8 and 8 */ + + ge_p3_0(h); + for (i = 1; i < 64; i += 2) { + select(&t, i / 2, e[i]); + ge_madd(&r, h, &t); ge_p1p1_to_p3(h, &r); + } + + ge_p3_dbl(&r, h); ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); ge_p1p1_to_p3(h, &r); + + for (i = 0; i < 64; i += 2) { + select(&t, i / 2, e[i]); + ge_madd(&r, h, &t); ge_p1p1_to_p3(h, &r); + } +} + +/* From ge_sub.c */ + +/* +r = p - q +*/ + +void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { + fe t0; + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->YminusX); + fe_mul(r->Y, r->Y, q->YplusX); + fe_mul(r->T, q->T2d, p->T); + fe_mul(r->X, p->Z, q->Z); + fe_add(t0, r->X, r->X); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_sub(r->Z, t0, r->T); + fe_add(r->T, t0, r->T); +} + +/* From ge_tobytes.c */ + +void ge_tobytes(unsigned char *s, const ge_p2 *h) { + fe recip; + fe x; + fe y; + + fe_invert(recip, h->Z); + fe_mul(x, h->X, recip); + fe_mul(y, h->Y, recip); + fe_tobytes(s, y); + s[31] ^= fe_isnegative(x) << 7; +} + +/* From sc_reduce.c */ + +/* +Input: + s[0]+256*s[1]+...+256^63*s[63] = s + +Output: + s[0]+256*s[1]+...+256^31*s[31] = s mod l + where l = 2^252 + 27742317777372353535851937790883648493. + Overwrites s in place. +*/ + +void sc_reduce(unsigned char *s) { + int64_t s0 = 2097151 & load_3(s); + int64_t s1 = 2097151 & (load_4(s + 2) >> 5); + int64_t s2 = 2097151 & (load_3(s + 5) >> 2); + int64_t s3 = 2097151 & (load_4(s + 7) >> 7); + int64_t s4 = 2097151 & (load_4(s + 10) >> 4); + int64_t s5 = 2097151 & (load_3(s + 13) >> 1); + int64_t s6 = 2097151 & (load_4(s + 15) >> 6); + int64_t s7 = 2097151 & (load_3(s + 18) >> 3); + int64_t s8 = 2097151 & load_3(s + 21); + int64_t s9 = 2097151 & (load_4(s + 23) >> 5); + int64_t s10 = 2097151 & (load_3(s + 26) >> 2); + int64_t s11 = 2097151 & (load_4(s + 28) >> 7); + int64_t s12 = 2097151 & (load_4(s + 31) >> 4); + int64_t s13 = 2097151 & (load_3(s + 34) >> 1); + int64_t s14 = 2097151 & (load_4(s + 36) >> 6); + int64_t s15 = 2097151 & (load_3(s + 39) >> 3); + int64_t s16 = 2097151 & load_3(s + 42); + int64_t s17 = 2097151 & (load_4(s + 44) >> 5); + int64_t s18 = 2097151 & (load_3(s + 47) >> 2); + int64_t s19 = 2097151 & (load_4(s + 49) >> 7); + int64_t s20 = 2097151 & (load_4(s + 52) >> 4); + int64_t s21 = 2097151 & (load_3(s + 55) >> 1); + int64_t s22 = 2097151 & (load_4(s + 57) >> 6); + int64_t s23 = (load_4(s + 60) >> 3); + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + int64_t carry12; + int64_t carry13; + int64_t carry14; + int64_t carry15; + int64_t carry16; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; + carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; + carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21; + + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; + carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + + carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 << 5); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 << 2); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 << 7); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 << 4); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 << 1); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 << 6); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 << 3); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 << 5); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 << 2); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 << 7); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} + +/* New code */ + +static void fe_divpowm1(fe r, const fe u, const fe v) { + fe v3, uv7, t0, t1, t2; + int i; + + fe_sq(v3, v); + fe_mul(v3, v3, v); /* v3 = v^3 */ + fe_sq(uv7, v3); + fe_mul(uv7, uv7, v); + fe_mul(uv7, uv7, u); /* uv7 = uv^7 */ + + /*fe_pow22523(uv7, uv7);*/ + + /* From fe_pow22523.c */ + + fe_sq(t0, uv7); + fe_sq(t1, t0); + fe_sq(t1, t1); + fe_mul(t1, uv7, t1); + fe_mul(t0, t0, t1); + fe_sq(t0, t0); + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + for (i = 0; i < 4; ++i) { + fe_sq(t1, t1); + } + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + for (i = 0; i < 9; ++i) { + fe_sq(t1, t1); + } + fe_mul(t1, t1, t0); + fe_sq(t2, t1); + for (i = 0; i < 19; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + for (i = 0; i < 10; ++i) { + fe_sq(t1, t1); + } + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + for (i = 0; i < 49; ++i) { + fe_sq(t1, t1); + } + fe_mul(t1, t1, t0); + fe_sq(t2, t1); + for (i = 0; i < 99; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + for (i = 0; i < 50; ++i) { + fe_sq(t1, t1); + } + fe_mul(t0, t1, t0); + fe_sq(t0, t0); + fe_sq(t0, t0); + fe_mul(t0, t0, uv7); + + /* End fe_pow22523.c */ + /* t0 = (uv^7)^((q-5)/8) */ + fe_mul(t0, t0, v3); + fe_mul(r, t0, u); /* u^(m+1)v^(-(m+1)) */ +} + +static void ge_cached_0(ge_cached *r) { + fe_1(r->YplusX); + fe_1(r->YminusX); + fe_1(r->Z); + fe_0(r->T2d); +} + +static void ge_cached_cmov(ge_cached *t, const ge_cached *u, unsigned char b) { + fe_cmov(t->YplusX, u->YplusX, b); + fe_cmov(t->YminusX, u->YminusX, b); + fe_cmov(t->Z, u->Z, b); + fe_cmov(t->T2d, u->T2d, b); +} + +/* Assumes that a[31] <= 127 */ +void ge_scalarmult(ge_p2 *r, const unsigned char *a, const ge_p3 *A) { + signed char e[64]; + int carry, carry2, i; + ge_cached Ai[8]; /* 1 * A, 2 * A, ..., 8 * A */ + ge_p1p1 t; + ge_p3 u; + + carry = 0; /* 0..1 */ + for (i = 0; i < 31; i++) { + carry += a[i]; /* 0..256 */ + carry2 = (carry + 8) >> 4; /* 0..16 */ + e[2 * i] = carry - (carry2 << 4); /* -8..7 */ + carry = (carry2 + 8) >> 4; /* 0..1 */ + e[2 * i + 1] = carry2 - (carry << 4); /* -8..7 */ + } + carry += a[31]; /* 0..128 */ + carry2 = (carry + 8) >> 4; /* 0..8 */ + e[62] = carry - (carry2 << 4); /* -8..7 */ + e[63] = carry2; /* 0..8 */ + + ge_p3_to_cached(&Ai[0], A); + for (i = 0; i < 7; i++) { + ge_add(&t, A, &Ai[i]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[i + 1], &u); + } + + ge_p2_0(r); + for (i = 63; i >= 0; i--) { + signed char b = e[i]; + unsigned char bnegative = negative(b); + unsigned char babs = b - (((-bnegative) & b) << 1); + ge_cached cur, minuscur; + ge_p2_dbl(&t, r); + ge_p1p1_to_p2(r, &t); + ge_p2_dbl(&t, r); + ge_p1p1_to_p2(r, &t); + ge_p2_dbl(&t, r); + ge_p1p1_to_p2(r, &t); + ge_p2_dbl(&t, r); + ge_p1p1_to_p3(&u, &t); + ge_cached_0(&cur); + ge_cached_cmov(&cur, &Ai[0], equal(babs, 1)); + ge_cached_cmov(&cur, &Ai[1], equal(babs, 2)); + ge_cached_cmov(&cur, &Ai[2], equal(babs, 3)); + ge_cached_cmov(&cur, &Ai[3], equal(babs, 4)); + ge_cached_cmov(&cur, &Ai[4], equal(babs, 5)); + ge_cached_cmov(&cur, &Ai[5], equal(babs, 6)); + ge_cached_cmov(&cur, &Ai[6], equal(babs, 7)); + ge_cached_cmov(&cur, &Ai[7], equal(babs, 8)); + fe_copy(minuscur.YplusX, cur.YminusX); + fe_copy(minuscur.YminusX, cur.YplusX); + fe_copy(minuscur.Z, cur.Z); + fe_neg(minuscur.T2d, cur.T2d); + ge_cached_cmov(&cur, &minuscur, bnegative); + ge_add(&t, &u, &cur); + ge_p1p1_to_p2(r, &t); + } +} + +void ge_double_scalarmult_precomp_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b, const ge_dsmp Bi) { + signed char aslide[256]; + signed char bslide[256]; + ge_dsmp Ai; /* A, 3A, 5A, 7A, 9A, 11A, 13A, 15A */ + ge_p1p1 t; + ge_p3 u; + int i; + + slide(aslide, a); + slide(bslide, b); + ge_dsm_precomp(Ai, A); + + ge_p2_0(r); + + for (i = 255; i >= 0; --i) { + if (aslide[i] || bslide[i]) break; + } + + for (; i >= 0; --i) { + ge_p2_dbl(&t, r); + + if (aslide[i] > 0) { + ge_p1p1_to_p3(&u, &t); + ge_add(&t, &u, &Ai[aslide[i]/2]); + } else if (aslide[i] < 0) { + ge_p1p1_to_p3(&u, &t); + ge_sub(&t, &u, &Ai[(-aslide[i])/2]); + } + + if (bslide[i] > 0) { + ge_p1p1_to_p3(&u, &t); + ge_add(&t, &u, &Bi[bslide[i]/2]); + } else if (bslide[i] < 0) { + ge_p1p1_to_p3(&u, &t); + ge_sub(&t, &u, &Bi[(-bslide[i])/2]); + } + + ge_p1p1_to_p2(r, &t); + } +} + +void ge_mul8(ge_p1p1 *r, const ge_p2 *t) { + ge_p2 u; + ge_p2_dbl(r, t); + ge_p1p1_to_p2(&u, r); + ge_p2_dbl(r, &u); + ge_p1p1_to_p2(&u, r); + ge_p2_dbl(r, &u); +} + +void ge_fromfe_frombytes_vartime(ge_p2 *r, const unsigned char *s) { + fe u, v, w, x, y, z; + unsigned char sign; + + /* From fe_frombytes.c */ + + int64_t h0 = load_4(s); + int64_t h1 = load_3(s + 4) << 6; + int64_t h2 = load_3(s + 7) << 5; + int64_t h3 = load_3(s + 10) << 3; + int64_t h4 = load_3(s + 13) << 2; + int64_t h5 = load_4(s + 16); + int64_t h6 = load_3(s + 20) << 7; + int64_t h7 = load_3(s + 23) << 5; + int64_t h8 = load_3(s + 26) << 4; + int64_t h9 = load_3(s + 29) << 2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + u[0] = h0; + u[1] = h1; + u[2] = h2; + u[3] = h3; + u[4] = h4; + u[5] = h5; + u[6] = h6; + u[7] = h7; + u[8] = h8; + u[9] = h9; + + /* End fe_frombytes.c */ + + fe_sq2(v, u); /* 2 * u^2 */ + fe_1(w); + fe_add(w, v, w); /* w = 2 * u^2 + 1 */ + fe_sq(x, w); /* w^2 */ + fe_mul(y, fe_ma2, v); /* -2 * A^2 * u^2 */ + fe_add(x, x, y); /* x = w^2 - 2 * A^2 * u^2 */ + fe_divpowm1(r->X, w, x); /* (w / x)^(m + 1) */ + fe_sq(y, r->X); + fe_mul(x, y, x); + fe_sub(y, w, x); + fe_copy(z, fe_ma); + if (fe_isnonzero(y)) { + fe_add(y, w, x); + if (fe_isnonzero(y)) { + goto negative; + } else { + fe_mul(r->X, r->X, fe_fffb1); + } + } else { + fe_mul(r->X, r->X, fe_fffb2); + } + fe_mul(r->X, r->X, u); /* u * sqrt(2 * A * (A + 2) * w / x) */ + fe_mul(z, z, v); /* -2 * A * u^2 */ + sign = 0; + goto setsign; +negative: + fe_mul(x, x, fe_sqrtm1); + fe_sub(y, w, x); + if (fe_isnonzero(y)) { + assert((fe_add(y, w, x), !fe_isnonzero(y))); + fe_mul(r->X, r->X, fe_fffb3); + } else { + fe_mul(r->X, r->X, fe_fffb4); + } + /* r->X = sqrt(A * (A + 2) * w / x) */ + /* z = -A */ + sign = 1; +setsign: + if (fe_isnegative(r->X) != sign) { + assert(fe_isnonzero(r->X)); + fe_neg(r->X, r->X); + } + fe_add(r->Z, z, w); + fe_sub(r->Y, z, w); + fe_mul(r->X, r->X, r->Z); +#if !defined(NDEBUG) + { + fe check_x, check_y, check_iz, check_v; + fe_invert(check_iz, r->Z); + fe_mul(check_x, r->X, check_iz); + fe_mul(check_y, r->Y, check_iz); + fe_sq(check_x, check_x); + fe_sq(check_y, check_y); + fe_mul(check_v, check_x, check_y); + fe_mul(check_v, fe_d, check_v); + fe_add(check_v, check_v, check_x); + fe_sub(check_v, check_v, check_y); + fe_1(check_x); + fe_add(check_v, check_v, check_x); + assert(!fe_isnonzero(check_v)); + } +#endif +} + +void sc_0(unsigned char *s) { + int i; + for (i = 0; i < 32; i++) { + s[i] = 0; + } +} + +void sc_reduce32(unsigned char *s) { + int64_t s0 = 2097151 & load_3(s); + int64_t s1 = 2097151 & (load_4(s + 2) >> 5); + int64_t s2 = 2097151 & (load_3(s + 5) >> 2); + int64_t s3 = 2097151 & (load_4(s + 7) >> 7); + int64_t s4 = 2097151 & (load_4(s + 10) >> 4); + int64_t s5 = 2097151 & (load_3(s + 13) >> 1); + int64_t s6 = 2097151 & (load_4(s + 15) >> 6); + int64_t s7 = 2097151 & (load_3(s + 18) >> 3); + int64_t s8 = 2097151 & load_3(s + 21); + int64_t s9 = 2097151 & (load_4(s + 23) >> 5); + int64_t s10 = 2097151 & (load_3(s + 26) >> 2); + int64_t s11 = (load_4(s + 28) >> 7); + int64_t s12 = 0; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + + carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + + carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 << 5); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 << 2); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 << 7); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 << 4); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 << 1); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 << 6); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 << 3); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 << 5); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 << 2); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 << 7); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} + +void sc_add(unsigned char *s, const unsigned char *a, const unsigned char *b) { + int64_t a0 = 2097151 & load_3(a); + int64_t a1 = 2097151 & (load_4(a + 2) >> 5); + int64_t a2 = 2097151 & (load_3(a + 5) >> 2); + int64_t a3 = 2097151 & (load_4(a + 7) >> 7); + int64_t a4 = 2097151 & (load_4(a + 10) >> 4); + int64_t a5 = 2097151 & (load_3(a + 13) >> 1); + int64_t a6 = 2097151 & (load_4(a + 15) >> 6); + int64_t a7 = 2097151 & (load_3(a + 18) >> 3); + int64_t a8 = 2097151 & load_3(a + 21); + int64_t a9 = 2097151 & (load_4(a + 23) >> 5); + int64_t a10 = 2097151 & (load_3(a + 26) >> 2); + int64_t a11 = (load_4(a + 28) >> 7); + int64_t b0 = 2097151 & load_3(b); + int64_t b1 = 2097151 & (load_4(b + 2) >> 5); + int64_t b2 = 2097151 & (load_3(b + 5) >> 2); + int64_t b3 = 2097151 & (load_4(b + 7) >> 7); + int64_t b4 = 2097151 & (load_4(b + 10) >> 4); + int64_t b5 = 2097151 & (load_3(b + 13) >> 1); + int64_t b6 = 2097151 & (load_4(b + 15) >> 6); + int64_t b7 = 2097151 & (load_3(b + 18) >> 3); + int64_t b8 = 2097151 & load_3(b + 21); + int64_t b9 = 2097151 & (load_4(b + 23) >> 5); + int64_t b10 = 2097151 & (load_3(b + 26) >> 2); + int64_t b11 = (load_4(b + 28) >> 7); + int64_t s0 = a0 + b0; + int64_t s1 = a1 + b1; + int64_t s2 = a2 + b2; + int64_t s3 = a3 + b3; + int64_t s4 = a4 + b4; + int64_t s5 = a5 + b5; + int64_t s6 = a6 + b6; + int64_t s7 = a7 + b7; + int64_t s8 = a8 + b8; + int64_t s9 = a9 + b9; + int64_t s10 = a10 + b10; + int64_t s11 = a11 + b11; + int64_t s12 = 0; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + + carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + + carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 << 5); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 << 2); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 << 7); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 << 4); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 << 1); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 << 6); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 << 3); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 << 5); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 << 2); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 << 7); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} + +void sc_sub(unsigned char *s, const unsigned char *a, const unsigned char *b) { + int64_t a0 = 2097151 & load_3(a); + int64_t a1 = 2097151 & (load_4(a + 2) >> 5); + int64_t a2 = 2097151 & (load_3(a + 5) >> 2); + int64_t a3 = 2097151 & (load_4(a + 7) >> 7); + int64_t a4 = 2097151 & (load_4(a + 10) >> 4); + int64_t a5 = 2097151 & (load_3(a + 13) >> 1); + int64_t a6 = 2097151 & (load_4(a + 15) >> 6); + int64_t a7 = 2097151 & (load_3(a + 18) >> 3); + int64_t a8 = 2097151 & load_3(a + 21); + int64_t a9 = 2097151 & (load_4(a + 23) >> 5); + int64_t a10 = 2097151 & (load_3(a + 26) >> 2); + int64_t a11 = (load_4(a + 28) >> 7); + int64_t b0 = 2097151 & load_3(b); + int64_t b1 = 2097151 & (load_4(b + 2) >> 5); + int64_t b2 = 2097151 & (load_3(b + 5) >> 2); + int64_t b3 = 2097151 & (load_4(b + 7) >> 7); + int64_t b4 = 2097151 & (load_4(b + 10) >> 4); + int64_t b5 = 2097151 & (load_3(b + 13) >> 1); + int64_t b6 = 2097151 & (load_4(b + 15) >> 6); + int64_t b7 = 2097151 & (load_3(b + 18) >> 3); + int64_t b8 = 2097151 & load_3(b + 21); + int64_t b9 = 2097151 & (load_4(b + 23) >> 5); + int64_t b10 = 2097151 & (load_3(b + 26) >> 2); + int64_t b11 = (load_4(b + 28) >> 7); + int64_t s0 = a0 - b0; + int64_t s1 = a1 - b1; + int64_t s2 = a2 - b2; + int64_t s3 = a3 - b3; + int64_t s4 = a4 - b4; + int64_t s5 = a5 - b5; + int64_t s6 = a6 - b6; + int64_t s7 = a7 - b7; + int64_t s8 = a8 - b8; + int64_t s9 = a9 - b9; + int64_t s10 = a10 - b10; + int64_t s11 = a11 - b11; + int64_t s12 = 0; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + + carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + + carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 << 5); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 << 2); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 << 7); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 << 4); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 << 1); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 << 6); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 << 3); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 << 5); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 << 2); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 << 7); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} + +/* +Input: + a[0]+256*a[1]+...+256^31*a[31] = a + b[0]+256*b[1]+...+256^31*b[31] = b + c[0]+256*c[1]+...+256^31*c[31] = c + +Output: + s[0]+256*s[1]+...+256^31*s[31] = (c-ab) mod l + where l = 2^252 + 27742317777372353535851937790883648493. +*/ + +void sc_mulsub(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c) { + int64_t a0 = 2097151 & load_3(a); + int64_t a1 = 2097151 & (load_4(a + 2) >> 5); + int64_t a2 = 2097151 & (load_3(a + 5) >> 2); + int64_t a3 = 2097151 & (load_4(a + 7) >> 7); + int64_t a4 = 2097151 & (load_4(a + 10) >> 4); + int64_t a5 = 2097151 & (load_3(a + 13) >> 1); + int64_t a6 = 2097151 & (load_4(a + 15) >> 6); + int64_t a7 = 2097151 & (load_3(a + 18) >> 3); + int64_t a8 = 2097151 & load_3(a + 21); + int64_t a9 = 2097151 & (load_4(a + 23) >> 5); + int64_t a10 = 2097151 & (load_3(a + 26) >> 2); + int64_t a11 = (load_4(a + 28) >> 7); + int64_t b0 = 2097151 & load_3(b); + int64_t b1 = 2097151 & (load_4(b + 2) >> 5); + int64_t b2 = 2097151 & (load_3(b + 5) >> 2); + int64_t b3 = 2097151 & (load_4(b + 7) >> 7); + int64_t b4 = 2097151 & (load_4(b + 10) >> 4); + int64_t b5 = 2097151 & (load_3(b + 13) >> 1); + int64_t b6 = 2097151 & (load_4(b + 15) >> 6); + int64_t b7 = 2097151 & (load_3(b + 18) >> 3); + int64_t b8 = 2097151 & load_3(b + 21); + int64_t b9 = 2097151 & (load_4(b + 23) >> 5); + int64_t b10 = 2097151 & (load_3(b + 26) >> 2); + int64_t b11 = (load_4(b + 28) >> 7); + int64_t c0 = 2097151 & load_3(c); + int64_t c1 = 2097151 & (load_4(c + 2) >> 5); + int64_t c2 = 2097151 & (load_3(c + 5) >> 2); + int64_t c3 = 2097151 & (load_4(c + 7) >> 7); + int64_t c4 = 2097151 & (load_4(c + 10) >> 4); + int64_t c5 = 2097151 & (load_3(c + 13) >> 1); + int64_t c6 = 2097151 & (load_4(c + 15) >> 6); + int64_t c7 = 2097151 & (load_3(c + 18) >> 3); + int64_t c8 = 2097151 & load_3(c + 21); + int64_t c9 = 2097151 & (load_4(c + 23) >> 5); + int64_t c10 = 2097151 & (load_3(c + 26) >> 2); + int64_t c11 = (load_4(c + 28) >> 7); + int64_t s0; + int64_t s1; + int64_t s2; + int64_t s3; + int64_t s4; + int64_t s5; + int64_t s6; + int64_t s7; + int64_t s8; + int64_t s9; + int64_t s10; + int64_t s11; + int64_t s12; + int64_t s13; + int64_t s14; + int64_t s15; + int64_t s16; + int64_t s17; + int64_t s18; + int64_t s19; + int64_t s20; + int64_t s21; + int64_t s22; + int64_t s23; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + int64_t carry12; + int64_t carry13; + int64_t carry14; + int64_t carry15; + int64_t carry16; + int64_t carry17; + int64_t carry18; + int64_t carry19; + int64_t carry20; + int64_t carry21; + int64_t carry22; + + s0 = c0 - a0*b0; + s1 = c1 - (a0*b1 + a1*b0); + s2 = c2 - (a0*b2 + a1*b1 + a2*b0); + s3 = c3 - (a0*b3 + a1*b2 + a2*b1 + a3*b0); + s4 = c4 - (a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0); + s5 = c5 - (a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0); + s6 = c6 - (a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0); + s7 = c7 - (a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0); + s8 = c8 - (a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0); + s9 = c9 - (a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0); + s10 = c10 - (a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0); + s11 = c11 - (a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0); + s12 = -(a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1); + s13 = -(a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2); + s14 = -(a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3); + s15 = -(a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4); + s16 = -(a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5); + s17 = -(a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6); + s18 = -(a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7); + s19 = -(a8*b11 + a9*b10 + a10*b9 + a11*b8); + s20 = -(a9*b11 + a10*b10 + a11*b9); + s21 = -(a10*b11 + a11*b10); + s22 = -a11*b11; + s23 = 0; + + carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; + carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; + carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21; + carry18 = (s18 + (1<<20)) >> 21; s19 += carry18; s18 -= carry18 << 21; + carry20 = (s20 + (1<<20)) >> 21; s21 += carry20; s20 -= carry20 << 21; + carry22 = (s22 + (1<<20)) >> 21; s23 += carry22; s22 -= carry22 << 21; + + carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; + carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; + carry17 = (s17 + (1<<20)) >> 21; s18 += carry17; s17 -= carry17 << 21; + carry19 = (s19 + (1<<20)) >> 21; s20 += carry19; s19 -= carry19 << 21; + carry21 = (s21 + (1<<20)) >> 21; s22 += carry21; s21 -= carry21 << 21; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21; + carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21; + carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21; + + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21; + carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21; + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + + carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 << 5); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 << 2); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 << 7); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 << 4); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 << 1); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 << 6); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 << 3); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 << 5); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 << 2); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 << 7); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} + +/* Assumes that a != INT64_MIN */ +static int64_t signum(int64_t a) { + return (a >> 63) - ((-a) >> 63); +} + +int sc_check(const unsigned char *s) { + int64_t s0 = load_4(s); + int64_t s1 = load_4(s + 4); + int64_t s2 = load_4(s + 8); + int64_t s3 = load_4(s + 12); + int64_t s4 = load_4(s + 16); + int64_t s5 = load_4(s + 20); + int64_t s6 = load_4(s + 24); + int64_t s7 = load_4(s + 28); + return (signum(1559614444 - s0) + (signum(1477600026 - s1) << 1) + (signum(2734136534 - s2) << 2) + (signum(350157278 - s3) << 3) + (signum(-s4) << 4) + (signum(-s5) << 5) + (signum(-s6) << 6) + (signum(268435456 - s7) << 7)) >> 8; +} + +int sc_isnonzero(const unsigned char *s) { + return (((int) (s[0] | s[1] | s[2] | s[3] | s[4] | s[5] | s[6] | s[7] | s[8] | + s[9] | s[10] | s[11] | s[12] | s[13] | s[14] | s[15] | s[16] | s[17] | + s[18] | s[19] | s[20] | s[21] | s[22] | s[23] | s[24] | s[25] | s[26] | + s[27] | s[28] | s[29] | s[30] | s[31]) - 1) >> 8) + 1; +} \ No newline at end of file diff --git a/source-code/RuffCT-java/c/crypto-ops.h b/source-code/RuffCT-java/c/crypto-ops.h new file mode 100644 index 0000000..9a802ff --- /dev/null +++ b/source-code/RuffCT-java/c/crypto-ops.h @@ -0,0 +1,153 @@ +// Copyright (c) 2014-2017, The Monero Project +// +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without modification, are +// permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this list of +// conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, this list +// of conditions and the following disclaimer in the documentation and/or other +// materials provided with the distribution. +// +// 3. Neither the name of the copyright holder nor the names of its contributors may be +// used to endorse or promote products derived from this software without specific +// prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL +// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers + +#pragma once + +/* From fe.h */ + +typedef int32_t fe[10]; + +/* From ge.h */ + +typedef struct { + fe X; + fe Y; + fe Z; +} ge_p2; + +typedef struct { + fe X; + fe Y; + fe Z; + fe T; +} ge_p3; + +typedef struct { + fe X; + fe Y; + fe Z; + fe T; +} ge_p1p1; + +typedef struct { + fe yplusx; + fe yminusx; + fe xy2d; +} ge_precomp; + +typedef struct { + fe YplusX; + fe YminusX; + fe Z; + fe T2d; +} ge_cached; + +/* From ge_add.c */ + +void ge_add(ge_p1p1 *, const ge_p3 *, const ge_cached *); + +/* From ge_double_scalarmult.c, modified */ + +typedef ge_cached ge_dsmp[8]; +extern const ge_precomp ge_Bi[8]; +void ge_dsm_precomp(ge_dsmp r, const ge_p3 *s); +void ge_double_scalarmult_base_vartime(ge_p2 *, const unsigned char *, const ge_p3 *, const unsigned char *); + +/* From ge_frombytes.c, modified */ + +extern const fe fe_sqrtm1; +extern const fe fe_d; +int ge_frombytes_vartime(ge_p3 *, const unsigned char *); + +/* From ge_p1p1_to_p2.c */ + +void ge_p1p1_to_p2(ge_p2 *, const ge_p1p1 *); + +/* From ge_p1p1_to_p3.c */ + +void ge_p1p1_to_p3(ge_p3 *, const ge_p1p1 *); + +/* From ge_p2_dbl.c */ + +void ge_p2_dbl(ge_p1p1 *, const ge_p2 *); + +/* From ge_p3_to_cached.c */ + +extern const fe fe_d2; +void ge_p3_to_cached(ge_cached *, const ge_p3 *); + +/* From ge_p3_to_p2.c */ + +void ge_p3_to_p2(ge_p2 *, const ge_p3 *); + +/* From ge_p3_tobytes.c */ + +void ge_p3_tobytes(unsigned char *, const ge_p3 *); + +/* From ge_scalarmult_base.c */ + +extern const ge_precomp ge_base[32][8]; +void ge_scalarmult_base(ge_p3 *, const unsigned char *); + +/* From ge_tobytes.c */ + +void ge_tobytes(unsigned char *, const ge_p2 *); + +/* From sc_reduce.c */ + +void sc_reduce(unsigned char *); + +/* New code */ + +void ge_scalarmult(ge_p2 *, const unsigned char *, const ge_p3 *); +void ge_double_scalarmult_precomp_vartime(ge_p2 *, const unsigned char *, const ge_p3 *, const unsigned char *, const ge_dsmp); +void ge_mul8(ge_p1p1 *, const ge_p2 *); +extern const fe fe_ma2; +extern const fe fe_ma; +extern const fe fe_fffb1; +extern const fe fe_fffb2; +extern const fe fe_fffb3; +extern const fe fe_fffb4; +void ge_fromfe_frombytes_vartime(ge_p2 *, const unsigned char *); +void sc_0(unsigned char *); +void sc_reduce32(unsigned char *); +void sc_add(unsigned char *, const unsigned char *, const unsigned char *); +void sc_sub(unsigned char *, const unsigned char *, const unsigned char *); +void sc_mulsub(unsigned char *, const unsigned char *, const unsigned char *, const unsigned char *); +int sc_check(const unsigned char *); +int sc_isnonzero(const unsigned char *); /* Doesn't normalize */ + +// internal +uint64_t load_3(const unsigned char *in); +uint64_t load_4(const unsigned char *in); +void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q); +void fe_add(fe h, const fe f, const fe g); +void fe_tobytes(unsigned char *, const fe); +void fe_invert(fe out, const fe z); \ No newline at end of file diff --git a/source-code/RuffCT-java/c/how_monero_hodl_jni_CryptoOpsUtil.c b/source-code/RuffCT-java/c/how_monero_hodl_jni_CryptoOpsUtil.c new file mode 100644 index 0000000..5a93fe9 --- /dev/null +++ b/source-code/RuffCT-java/c/how_monero_hodl_jni_CryptoOpsUtil.c @@ -0,0 +1,87 @@ +#include "how_monero_hodl_jni_CryptoOpsUtil.h" +#include <unistd.h> +#include <stdint.h> +#include "crypto-ops.h" + +JNIEXPORT jbyteArray JNICALL Java_how_monero_hodl_jni_CryptoOpsUtil_scalarMult + (JNIEnv *env, jclass cls, jbyteArray pointBytes, jbyteArray scalarBytes) { + + jbyte* pointBytesBuf = (*env)->GetByteArrayElements(env, pointBytes, NULL); + jbyte* scalarBytesBuf = (*env)->GetByteArrayElements(env, scalarBytes, NULL); + + ge_p3 pointp3; + ge_p2 pointp2; + ge_p2 pointp2result; + + ge_frombytes_vartime(&pointp3, (const unsigned char *) pointBytesBuf); + + ge_p3_to_p2(&pointp2, &pointp3); + + ge_scalarmult(&pointp2result, (const unsigned char *) scalarBytesBuf, &pointp3); + + unsigned char resultBytes[32]; + ge_tobytes(resultBytes, &pointp2result); + + + jbyteArray returnData = (*env)->NewByteArray(env, 32); + (*env)->SetByteArrayRegion(env, returnData, 0, 32, (jbyte *) resultBytes); + + return returnData; + +} + +//void ge_scalarmult_base(ge_p3 *h, const unsigned char *a) { +JNIEXPORT jbyteArray JNICALL Java_how_monero_hodl_jni_CryptoOpsUtil_scalarMultBase + (JNIEnv *env, jclass cls, jbyteArray scalarBytes) { + + jbyte* scalarBytesBuf = (*env)->GetByteArrayElements(env, scalarBytes, NULL); + + ge_p3 pointp3result; + ge_p2 pointp2result; + + ge_scalarmult_base(&pointp3result, (const unsigned char *) scalarBytesBuf); + + ge_p3_to_p2(&pointp2result, &pointp3result); + + unsigned char resultBytes[32]; + ge_tobytes(resultBytes, &pointp2result); + + + jbyteArray returnData = (*env)->NewByteArray(env, 32); + (*env)->SetByteArrayRegion(env, returnData, 0, 32, (jbyte *) resultBytes); + + return returnData; + +} + + + + +//ge_double_scalarmult_base_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b) +//r = a * A + b * B +JNIEXPORT jbyteArray JNICALL Java_how_monero_hodl_jni_CryptoOpsUtil_doubleScalarMultBaseVartime + (JNIEnv *env, jclass cls, jbyteArray aScalarBytes, jbyteArray pointBytes, jbyteArray bScalarBytes) { + + jbyte* pointBytesBuf = (*env)->GetByteArrayElements(env, pointBytes, NULL); + jbyte* aScalarBytesBuf = (*env)->GetByteArrayElements(env, aScalarBytes, NULL); + jbyte* bScalarBytesBuf = (*env)->GetByteArrayElements(env, bScalarBytes, NULL); + + ge_p3 pointp3; + ge_p2 pointp2; + ge_p2 pointp2result; + + ge_frombytes_vartime(&pointp3, (const unsigned char *) pointBytesBuf); + + ge_double_scalarmult_base_vartime(&pointp2result, (const unsigned char *) aScalarBytesBuf, &pointp3, (const unsigned char *) bScalarBytesBuf); + + unsigned char resultBytes[32]; + ge_tobytes(resultBytes, &pointp2result); + + + jbyteArray returnData = (*env)->NewByteArray(env, 32); + (*env)->SetByteArrayRegion(env, returnData, 0, 32, (jbyte *) resultBytes); + + return returnData; + +} + diff --git a/source-code/RuffCT-java/c/how_monero_hodl_jni_CryptoOpsUtil.h b/source-code/RuffCT-java/c/how_monero_hodl_jni_CryptoOpsUtil.h new file mode 100644 index 0000000..036a416 --- /dev/null +++ b/source-code/RuffCT-java/c/how_monero_hodl_jni_CryptoOpsUtil.h @@ -0,0 +1,29 @@ +/* DO NOT EDIT THIS FILE - it is machine generated */ +#include <jni.h> +/* Header for class how_monero_hodl_jni_CryptoOpsUtil */ + +#ifndef _Included_how_monero_hodl_jni_CryptoOpsUtil +#define _Included_how_monero_hodl_jni_CryptoOpsUtil +#ifdef __cplusplus +extern "C" { +#endif +/* + * Class: how_monero_hodl_jni_CryptoOpsUtil + * Method: scalarMult + * Signature: ([B[B)[B + */ +JNIEXPORT jbyteArray JNICALL Java_how_monero_hodl_jni_CryptoOpsUtil_scalarMult + (JNIEnv *, jclass, jbyteArray, jbyteArray); + +/* + * Class: how_monero_hodl_jni_CryptoOpsUtil + * Method: doubleScalarMultBaseVartime + * Signature: ([B[B[B)[B + */ +JNIEXPORT jbyteArray JNICALL Java_how_monero_hodl_jni_CryptoOpsUtil_doubleScalarMultBaseVartime + (JNIEnv *, jclass, jbyteArray, jbyteArray, jbyteArray); + +#ifdef __cplusplus +} +#endif +#endif diff --git a/source-code/RuffCT-java/c/warnings.h b/source-code/RuffCT-java/c/warnings.h new file mode 100644 index 0000000..df5c7d1 --- /dev/null +++ b/source-code/RuffCT-java/c/warnings.h @@ -0,0 +1,30 @@ +#pragma once + +#if defined(_MSC_VER) + +#define PUSH_WARNINGS __pragma(warning(push)) +#define POP_WARNINGS __pragma(warning(pop)) +#define DISABLE_VS_WARNINGS(w) __pragma(warning(disable: w)) +#define DISABLE_GCC_WARNING(w) +#define DISABLE_CLANG_WARNING(w) +#define DISABLE_GCC_AND_CLANG_WARNING(w) + +#else + +#include <boost/preprocessor/stringize.hpp> + +#define PUSH_WARNINGS _Pragma("GCC diagnostic push") +#define POP_WARNINGS _Pragma("GCC diagnostic pop") +#define DISABLE_VS_WARNINGS(w) + +#if defined(__clang__) +#define DISABLE_GCC_WARNING(w) +#define DISABLE_CLANG_WARNING DISABLE_GCC_AND_CLANG_WARNING +#else +#define DISABLE_GCC_WARNING DISABLE_GCC_AND_CLANG_WARNING +#define DISABLE_CLANG_WARNING(w) +#endif + +#define DISABLE_GCC_AND_CLANG_WARNING(w) _Pragma(BOOST_PP_STRINGIZE(GCC diagnostic ignored BOOST_PP_STRINGIZE(-W##w))) + +#endif diff --git a/source-code/RuffCT-java/doc/readme.txt b/source-code/RuffCT-java/doc/readme.txt new file mode 100644 index 0000000..bb328ce --- /dev/null +++ b/source-code/RuffCT-java/doc/readme.txt @@ -0,0 +1,19 @@ +Instructions for compiling the Ed25519 native library +----------------------------------------------------- + +Note: You don't need to do any of this if you don't want to. The code will automatically fall back to a pure Java Ed25519 implementation. + + +To compile the JNI C library: + +cd <path to RuffCT-java/c directory> + +# replace <OS> with darwin on OSX, or with linux on Linux. +gcc -fPIC -c how_monero_hodl_jni_CryptoOpsUtil.c crypto-ops.c crypto-ops-data.c -I /<path to jdk>/include/<OS>/ -I /<path to jdk>/include + +gcc -dynamiclib -o libcryptoopsutil.jnilib how_monero_hodl_jni_CryptoOpsUtil.o crypto-ops.o crypto-ops-data.o -framework JavaVM + +When running Java code that uses this JNI library, provide the following command line argument: + +-Djava.library.path=/<path to directory containing libcryptoopsutil.jnilib> + diff --git a/source-code/RuffCT-java/lib/commons-codec-1.10.jar b/source-code/RuffCT-java/lib/commons-codec-1.10.jar new file mode 100644 index 0000000..1d7417c Binary files /dev/null and b/source-code/RuffCT-java/lib/commons-codec-1.10.jar differ diff --git a/source-code/RuffCT-java/lib/commons-pool2-2.4.2.jar b/source-code/RuffCT-java/lib/commons-pool2-2.4.2.jar new file mode 100644 index 0000000..fdf8b6f Binary files /dev/null and b/source-code/RuffCT-java/lib/commons-pool2-2.4.2.jar differ diff --git a/source-code/RuffCT-java/src/com/joemelsha/crypto/hash/Keccak.java b/source-code/RuffCT-java/src/com/joemelsha/crypto/hash/Keccak.java new file mode 100755 index 0000000..1162750 --- /dev/null +++ b/source-code/RuffCT-java/src/com/joemelsha/crypto/hash/Keccak.java @@ -0,0 +1,449 @@ +package com.joemelsha.crypto.hash; + +import java.nio.*; + +/** + * @author Joseph Robert Melsha (jrmelsha@olivet.edu) + * + * Source: https://github.com/jrmelsha/keccak + * Created: Jun 23, 2016 + * + * Copyright 2016 Joseph Robert Melsha + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +public class Keccak { + private static final int MAX_STATE_SIZE = 1600; + private static final int MAX_STATE_SIZE_WORDS = MAX_STATE_SIZE / 64; + + protected int rateSizeBits, digestSizeBits; + private long[] state = new long[MAX_STATE_SIZE_WORDS]; + private int rateBits; + private boolean padded; + + public Keccak(int digestSizeBits) { + reset(digestSizeBits); + } + + public Keccak(Keccak other) { + System.arraycopy(other.state, 0, state, 0, other.state.length); + rateBits = other.rateBits; + rateSizeBits = other.rateSizeBits; + digestSizeBits = other.digestSizeBits; + padded = other.padded; + } + + @Override + public String toString() { + return "Keccak-" + digestSizeBits; + } + + public int rateSize() { + return rateSizeBits >>> 3; + } + + public int digestSize() { + return digestSizeBits >>> 3; + } + + public void reset() { + reset(rateSizeBits, digestSizeBits); + } + + protected int rateSizeBitsFor(int digestSizeBits) { + //@formatter:off + switch (digestSizeBits) { + case 288: return 1024; + case 128: return 1344; + case 224: return 1152; + case 256: return 1088; + case 384: return 832; + case 512: return 576; + default: throw new IllegalArgumentException("Invalid digestSizeBits: " + digestSizeBits + " ⊄ { 128, 224, 256, 288, 384, 512 }"); + } + //@formatter:on + } + + public void reset(int digestSizeBits) { + reset(rateSizeBitsFor(digestSizeBits), digestSizeBits); + } + + protected void reset(int rateSizebits, int digestSizeBits) { + if (rateSizebits + digestSizeBits * 2 != MAX_STATE_SIZE) + throw new IllegalArgumentException("Invalid rateSizebits + digestSizeBits * 2: " + rateSizebits + " + " + digestSizeBits + " * 2 != " + MAX_STATE_SIZE); + if (rateSizebits <= 0 || (rateSizebits & 0x3f) > 0) + throw new IllegalArgumentException("Invalid rateSizebits: " + rateSizebits); + + for (int i = 0; i < MAX_STATE_SIZE_WORDS; ++i) + state[i] = 0; + rateBits = 0; + + rateSizeBits = rateSizebits; + this.digestSizeBits = digestSizeBits; + padded = false; + } + + public void update(byte in) { + updateBits(in & 0xff, 8); + } + + public void update(byte[] in) { + update(ByteBuffer.wrap(in)); + } + + public void update(byte[] in, int offset, int length) { + update(ByteBuffer.wrap(in, offset, length)); + } + + public void update(ByteBuffer in) { + int inBytes = in.remaining(); + if (inBytes <= 0) + return; + + if (padded) + throw new IllegalStateException("Cannot update while padded"); + + int rateBits = this.rateBits; + if ((rateBits & 0x7) > 0) //this could be implemented but would introduce considerable performance degradation - also, it's never technically possible. + throw new IllegalStateException("Cannot update while in bit-mode"); + + long[] state = this.state; + int rateBytes = rateBits >>> 3; + + int rateBytesWord = rateBytes & 0x7; + if (rateBytesWord > 0) { + //logically must have space at this point + int c = 8 - rateBytesWord; + if (c > inBytes) + c = inBytes; + int i = rateBytes >>> 3; + long w = state[i]; + rateBytes += c; + inBytes -= c; + rateBytesWord <<= 3; + c = rateBytesWord + (c << 3); + do { + w ^= (long) (in.get() & 0xff) << rateBytesWord; + rateBytesWord += 8; + } while (rateBytesWord < c); + state[i] = w; + + if (inBytes > 0) { + this.rateBits = rateBytes << 3; + return; + } + } + + int rateWords = rateBytes >>> 3; + int rateSizeWords = rateSizeBits >>> 6; + + int inWords = inBytes >>> 3; + if (inWords > 0) { + ByteOrder order = in.order(); + try { + in.order(ByteOrder.LITTLE_ENDIAN); + do { + if (rateWords >= rateSizeWords) { + Keccak.keccak(state); + rateWords = 0; + } + int c = rateSizeWords - rateWords; + if (c > inWords) + c = inWords; + inWords -= c; + c += rateWords; + do { + state[rateWords] ^= in.getLong(); + rateWords++; + } while (rateWords < c); + } while (inWords > 0); + } finally { + in.order(order); + } + inBytes &= 0x7; + if (inBytes <= 0) { + this.rateBits = rateWords << 6; + return; + } + } + + if (rateWords >= rateSizeWords) { + Keccak.keccak(state); + rateWords = 0; + } + long w = state[rateWords]; + inBytes <<= 3; + int i = 0; + do { + w ^= (long) (in.get() & 0xff) << i; + i += 8; + } while (i < inBytes); + state[rateWords] = w; + + this.rateBits = (rateWords << 6) | inBytes; + } + + protected void updateBits(long in, int inBits) { + if (inBits < 0 || inBits > 64) + throw new IllegalArgumentException("Invalid valueBits: " + 0 + " < " + inBits + " > " + 64); + + if (inBits <= 0) + return; + + if (padded) + throw new IllegalStateException("Cannot update while padded"); + + long[] state = this.state; + int rateBits = this.rateBits; + int rateBitsWord = rateBits & 0x3f; + if (rateBitsWord > 0) { + //logically must have space at this point + int c = 64 - rateBitsWord; + if (c > inBits) + c = inBits; + state[rateBits >>> 6] ^= (in & (-1L >>> c)) << rateBitsWord; + rateBits += c; + inBits -= c; + if (inBits <= 0) { + this.rateBits = rateBits; + return; + } + in >>>= c; + } + if (rateBits >= rateSizeBits) { + Keccak.keccak(state); + rateBits = 0; + } + state[rateBits >>> 6] ^= in & (-1L >>> inBits); + this.rateBits = rateBits + inBits; + } + + public ByteBuffer digest() { + return digest(digestSize()); + } + + public ByteBuffer digest(int outSize) { + return digest(outSize, false); + } + + public ByteBuffer digest(int outSize, boolean direct) { + ByteBuffer buffer = direct ? ByteBuffer.allocateDirect(outSize) : ByteBuffer.allocate(outSize); + digest(buffer); + buffer.flip(); + return buffer; + } + + public byte[] digestArray() { + return digestArray(digestSize()); + } + + public byte[] digestArray(int outSize) { + byte[] array = new byte[outSize]; + digest(array, 0, outSize); + return array; + } + + public void digest(byte[] out) { + digest(ByteBuffer.wrap(out)); + } + + public void digest(byte[] out, int offset, int length) { + digest(ByteBuffer.wrap(out, offset, length)); + } + + public void digest(ByteBuffer out) { + int outBytes = out.remaining(); + if (outBytes <= 0) + return; + + long[] state = this.state; + int rateBits = this.rateBits; + int rateBytes; + if (!padded) { + pad(); + padded = true; + rateBits = 0; + rateBytes = 0; + } else { + if ((rateBits & 0x7) > 0) + throw new IllegalStateException("Cannot digest while in bit-mode"); //this could be implemented but would introduce considerable performance degradation - also, it's never technically possible. + + rateBytes = rateBits >>> 3; + int rateBytesWord = rateBytes & 0x7; + if (rateBytesWord > 0) { + int c = 8 - rateBytesWord; + if (c > outBytes) + c = outBytes; + long w = state[rateBytes >>> 3]; + outBytes -= c; + rateBytes += c; + rateBytesWord <<= 3; + c = (c << 3) + rateBytesWord; + do { + out.put((byte) (w >>> rateBytesWord)); + rateBytesWord += 8; + } while (rateBytesWord < c); + if (outBytes <= 0) { + this.rateBits = rateBytes << 3; + return; + } + } + } + + int rateSizeWords = rateSizeBits >>> 6; + int rateWords = rateBytes >>> 3; + + int outWords = outBytes >>> 3; + if (outWords > 0) { + ByteOrder order = out.order(); + try { + out.order(ByteOrder.LITTLE_ENDIAN); + do { + if (rateWords >= rateSizeWords) { + squeeze(); + rateWords = 0; + } + int c = rateSizeWords - rateWords; + if (c > outWords) + c = outWords; + outWords -= c; + c += rateWords; + do { + out.putLong(state[rateWords]); + rateWords++; + } while (rateWords < c); + } while (outWords > 0); + } finally { + out.order(order); + } + outBytes &= 0x7; + if (outBytes <= 0) { + this.rateBits = rateWords << 6; + return; + } + } + + if (rateWords >= rateSizeWords) { + squeeze(); + rateWords = 0; + } + long w = state[rateWords]; + outBytes <<= 3; + int i = 0; + do { + out.put((byte) (w >>> i)); + i += 8; + } while (i < outBytes); + this.rateBits = (rateWords << 6) | outBytes; + } + + protected void squeeze() { + Keccak.keccak(state); + } + + protected void pad() { + updateBits(0x1, 1); + if (rateBits >= rateSizeBits) { + Keccak.keccak(state); + rateBits = 0; + } + rateBits = rateSizeBits - 1; + updateBits(0x1, 1); + Keccak.keccak(state); + } + + /** + * @formatter:off + */ + private static void keccak(long[] a) { + //@formatter:off + int c, i; + long x, a_10_; + long x0, x1, x2, x3, x4; + long t0, t1, t2, t3, t4; + long c0, c1, c2, c3, c4; + long[] rc = RC; + + i = 0; + do { + //theta (precalculation part) + c0 = a[0] ^ a[5 + 0] ^ a[10 + 0] ^ a[15 + 0] ^ a[20 + 0]; + c1 = a[1] ^ a[5 + 1] ^ a[10 + 1] ^ a[15 + 1] ^ a[20 + 1]; + c2 = a[2] ^ a[5 + 2] ^ a[10 + 2] ^ a[15 + 2] ^ a[20 + 2]; + c3 = a[3] ^ a[5 + 3] ^ a[10 + 3] ^ a[15 + 3] ^ a[20 + 3]; + c4 = a[4] ^ a[5 + 4] ^ a[10 + 4] ^ a[15 + 4] ^ a[20 + 4]; + + t0 = (c0 << 1) ^ (c0 >>> (64 - 1)) ^ c3; + t1 = (c1 << 1) ^ (c1 >>> (64 - 1)) ^ c4; + t2 = (c2 << 1) ^ (c2 >>> (64 - 1)) ^ c0; + t3 = (c3 << 1) ^ (c3 >>> (64 - 1)) ^ c1; + t4 = (c4 << 1) ^ (c4 >>> (64 - 1)) ^ c2; + + //theta (xorring part) + rho + pi + a[ 0] ^= t1; + x = a[ 1] ^ t2; a_10_ = (x << 1) | (x >>> (64 - 1)); + x = a[ 6] ^ t2; a[ 1] = (x << 44) | (x >>> (64 - 44)); + x = a[ 9] ^ t0; a[ 6] = (x << 20) | (x >>> (64 - 20)); + x = a[22] ^ t3; a[ 9] = (x << 61) | (x >>> (64 - 61)); + + x = a[14] ^ t0; a[22] = (x << 39) | (x >>> (64 - 39)); + x = a[20] ^ t1; a[14] = (x << 18) | (x >>> (64 - 18)); + x = a[ 2] ^ t3; a[20] = (x << 62) | (x >>> (64 - 62)); + x = a[12] ^ t3; a[ 2] = (x << 43) | (x >>> (64 - 43)); + x = a[13] ^ t4; a[12] = (x << 25) | (x >>> (64 - 25)); + + x = a[19] ^ t0; a[13] = (x << 8) | (x >>> (64 - 8)); + x = a[23] ^ t4; a[19] = (x << 56) | (x >>> (64 - 56)); + x = a[15] ^ t1; a[23] = (x << 41) | (x >>> (64 - 41)); + x = a[ 4] ^ t0; a[15] = (x << 27) | (x >>> (64 - 27)); + x = a[24] ^ t0; a[ 4] = (x << 14) | (x >>> (64 - 14)); + + x = a[21] ^ t2; a[24] = (x << 2) | (x >>> (64 - 2)); + x = a[ 8] ^ t4; a[21] = (x << 55) | (x >>> (64 - 55)); + x = a[16] ^ t2; a[ 8] = (x << 45) | (x >>> (64 - 45)); + x = a[ 5] ^ t1; a[16] = (x << 36) | (x >>> (64 - 36)); + x = a[ 3] ^ t4; a[ 5] = (x << 28) | (x >>> (64 - 28)); + + x = a[18] ^ t4; a[ 3] = (x << 21) | (x >>> (64 - 21)); + x = a[17] ^ t3; a[18] = (x << 15) | (x >>> (64 - 15)); + x = a[11] ^ t2; a[17] = (x << 10) | (x >>> (64 - 10)); + x = a[ 7] ^ t3; a[11] = (x << 6) | (x >>> (64 - 6)); + x = a[10] ^ t1; a[ 7] = (x << 3) | (x >>> (64 - 3)); + a[10] = a_10_; + + //chi + c = 0; + do { + x0 = a[c + 0]; x1 = a[c + 1]; x2 = a[c + 2]; x3 = a[c + 3]; x4 = a[c + 4]; + a[c + 0] = x0 ^ ((~x1) & x2); + a[c + 1] = x1 ^ ((~x2) & x3); + a[c + 2] = x2 ^ ((~x3) & x4); + a[c + 3] = x3 ^ ((~x4) & x0); + a[c + 4] = x4 ^ ((~x0) & x1); + + c += 5; + } while (c < 25); + + //iota + a[0] ^= rc[i]; + + i++; + } while (i < 24); + //@formatter:on + } + + private static final long[] RC = { 0x0000000000000001L, 0x0000000000008082L, 0x800000000000808AL, 0x8000000080008000L, 0x000000000000808BL, 0x0000000080000001L, 0x8000000080008081L, + 0x8000000000008009L, 0x000000000000008AL, 0x0000000000000088L, 0x0000000080008009L, 0x000000008000000AL, 0x000000008000808BL, 0x800000000000008BL, + 0x8000000000008089L, 0x8000000000008003L, 0x8000000000008002L, 0x8000000000000080L, 0x000000000000800AL, 0x800000008000000AL, 0x8000000080008081L, + 0x8000000000008080L, 0x0000000080000001L, 0x8000000080008008L }; +} \ No newline at end of file diff --git a/source-code/RuffCT-java/src/how/monero/hodl/crypto/CryptoUtil.java b/source-code/RuffCT-java/src/how/monero/hodl/crypto/CryptoUtil.java new file mode 100644 index 0000000..266eb04 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/crypto/CryptoUtil.java @@ -0,0 +1,155 @@ +package how.monero.hodl.crypto; + +import com.joemelsha.crypto.hash.Keccak; +import how.monero.hodl.util.ExceptionAdapter; +import org.apache.commons.pool2.BasePooledObjectFactory; +import org.apache.commons.pool2.PooledObject; +import org.apache.commons.pool2.impl.DefaultPooledObject; +import org.apache.commons.pool2.impl.GenericObjectPool; +import org.nem.core.crypto.ed25519.arithmetic.*; + +import java.math.BigInteger; +import java.security.SecureRandom; +import java.util.HashMap; +import java.util.Map; +import java.util.Random; + +import static how.monero.hodl.crypto.HashToPoint.hashToPoint; +import static how.monero.hodl.util.ByteUtil.*; + +public class CryptoUtil { + + public static GenericObjectPool<Keccak> keccakPool = new GenericObjectPool<Keccak>(new BasePooledObjectFactory<Keccak>() { + + @Override + public PooledObject<Keccak> wrap(Keccak keccak) { + return new DefaultPooledObject<>(keccak); + } + + @Override + public Keccak create() throws Exception { + return new Keccak(256); + } + }); + + public static final Ed25519GroupElement G = Ed25519Group.BASE_POINT; + public static final Ed25519GroupElement H = new Ed25519EncodedGroupElement(hexToBytes("8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94")).decode(); + static { + H.precomputeForScalarMultiplication(); + } + + public static Scalar hashToScalar(byte[] a) { + return new Scalar(scReduce32(fastHash(a))); + } + + public static byte[] fastHash(byte[] a) { + try { + Keccak keccak = keccakPool.borrowObject(); + try { + keccak.reset(); + keccak.update(a); + return keccak.digestArray(); + } finally { + keccakPool.returnObject(keccak); + } + } catch (Exception e) { + throw ExceptionAdapter.toRuntimeException(e); + } + } + + public static BigInteger l = BigInteger.valueOf(2).pow(252).add(new BigInteger("27742317777372353535851937790883648493")); + + public static byte[] scReduce32(byte[] a) { + byte[] r = getBigIntegerFromUnsignedLittleEndianByteArray(a).mod(l).toByteArray(); + return ensure32BytesAndConvertToLittleEndian(r); + } + + public static byte[] ensure32BytesAndConvertToLittleEndian(byte[] r) { + byte[] s = new byte[32]; + if(r.length>32) System.arraycopy(r, 1, s, 0, s.length); + else System.arraycopy(r, 0, s, 32 - r.length, r.length); + reverseByteArrayInPlace(s); + return s; + } + + public static BigInteger getBigIntegerFromUnsignedLittleEndianByteArray(byte[] a1) { + byte[] a = new byte[a1.length]; + System.arraycopy(a1, 0, a, 0, 32); + reverseByteArrayInPlace(a); + byte[] a2 = new byte[33]; + System.arraycopy(a, 0, a2, 1, 32); + return new BigInteger(a2); + } + public static byte[] getUnsignedLittleEndianByteArrayFromBigInteger(BigInteger n) { + byte[] a = n.toByteArray(); + byte[] a2 = new byte[32]; + System.arraycopy(a, 0, a2, 32-a.length, a.length); + reverseByteArrayInPlace(a2); + return a2; + } + + public static final Random random = new SecureRandom(); + public static byte[] randomPointAsBytes() { + return randomPoint().encode().getRaw(); + } + public static Ed25519GroupElement randomPoint() { + return Ed25519Group.BASE_POINT.scalarMultiply(Scalar.randomScalar()); + } + public static byte[] randomMessage(int len) { + byte[] m = new byte[len]; + random.nextBytes(m); + return m; + } + + public static byte[] toBytes(Ed25519GroupElement[] a) { + byte[] r = new byte[0]; + for(Ed25519GroupElement ai : a) r = concat(r, ai.encode().getRaw()); + return r; + } + + public static Scalar sumArray(Scalar[] a) { + Scalar r = Scalar.ZERO; + for(Scalar ai : a) r = r.add(ai); + return r; + } + + + + public static PointPair COMeg(Scalar xAmount, Scalar rMask) { + return new PointPair(G.scalarMultiply(xAmount).add(getHpnGLookup(1).scalarMultiply(rMask).toCached()), G.scalarMultiply(rMask)); + } + + public static Ed25519GroupElement COMp(Scalar xAmount, Scalar rMask) { + return G.scalarMultiply(xAmount).add(getHpnGLookup(1).scalarMultiply(rMask).toCached()); + } + + public static Ed25519GroupElement COMb(Scalar[][] x, Scalar r) { + int m = x.length; + int n = x[0].length; + Ed25519GroupElement A = G.scalarMultiply(r); + for(int j=0; j<m; j++) { + for(int i=0; i<n; i++) { + A = A.toP3().add(getHpnGLookup(j * n + i + 1).scalarMultiply(x[j][i]).toCached()); + } + } + return A; + } + + + public static Map<Integer, Ed25519GroupElement> HpnGLookup = new HashMap<>(); + + public static Ed25519GroupElement getHpnGLookup(int n) { + if(!HpnGLookup.containsKey(n)) { + Ed25519GroupElement HpnG = hashToPoint(G.scalarMultiply(Scalar.intToScalar(n))); + //HpnG.precomputeForScalarMultiplication(); // try precomputed vs non-precomputed to check best performance + HpnGLookup.put(n, HpnG); + } + return HpnGLookup.get(n); + } + + public static PointPair ENCeg(Ed25519GroupElement X, Scalar r) { + return new PointPair(getHpnGLookup(1).scalarMultiply(r).toP3().add(X.toCached()), G.scalarMultiply(r)); + } + + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/crypto/HashToPoint.java b/source-code/RuffCT-java/src/how/monero/hodl/crypto/HashToPoint.java new file mode 100644 index 0000000..2a463e6 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/crypto/HashToPoint.java @@ -0,0 +1,136 @@ +package how.monero.hodl.crypto; + +import org.nem.core.crypto.ed25519.arithmetic.Ed25519EncodedGroupElement; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; +import org.nem.core.utils.ArrayUtils; + +import java.math.BigInteger; + +import static how.monero.hodl.crypto.CryptoUtil.*; +import static how.monero.hodl.util.ByteUtil.*; + +public class HashToPoint { + + private static BigInteger b = BigInteger.valueOf(256); + private static BigInteger q = BigInteger.valueOf(2).pow(255).subtract(BigInteger.valueOf(19)); + private static BigInteger p = q; + private static BigInteger l = BigInteger.valueOf(2).pow(252).add(new BigInteger("27742317777372353535851937790883648493")); + private static BigInteger I = expmod(BigInteger.valueOf(2), (q.subtract(BigInteger.ONE)).divide(BigInteger.valueOf(4)), q); + + + public static Ed25519GroupElement hashToPoint(Ed25519GroupElement a) { + return hashToPoint(a.encode().getRaw()); + } + + public static Ed25519GroupElement hashToPoint(byte[] a) { + + byte[] hash = fastHash(a); + + BigInteger u = ArrayUtils.toBigInteger(hash).mod(q); + + BigInteger A = BigInteger.valueOf(486662); + + BigInteger sqrtm1 = ed25519Sqroot(BigInteger.valueOf(-1)); + + BigInteger w = (BigInteger.valueOf(2).multiply(u).multiply(u).add(BigInteger.ONE)).mod(q); + BigInteger xp = w.multiply(w).subtract(BigInteger.valueOf(2).multiply(A).multiply(A).multiply(u).multiply(u)).mod(q); + + BigInteger b = w.multiply(ed25519Inv(xp)); + BigInteger e = (q.add(BigInteger.valueOf(3)).divide(BigInteger.valueOf(8))); + BigInteger rx = expmod(b, e, q); + + BigInteger x = rx.multiply(rx).multiply(w.multiply(w).subtract(BigInteger.valueOf(2).multiply(A).multiply(A).multiply(u).multiply(u))).mod(q); + + BigInteger y = (BigInteger.valueOf(2).multiply(u).multiply(u).add(BigInteger.ONE).subtract(x)).mod(q); + + BigInteger z; + + boolean negative = false; + if (!y.equals(BigInteger.ZERO)) { + y = (w.add(x)).mod(q); + if (!y.equals(BigInteger.ZERO)) { + negative = true; + } else { + rx = rx.multiply(BigInteger.valueOf(-1)).multiply(ed25519Sqroot(BigInteger.valueOf(-2).multiply(A).multiply((A.add(BigInteger.valueOf(2)))))).mod(q); + negative = false; + } + } else { + rx = rx.multiply(BigInteger.valueOf(-1)).multiply(ed25519Sqroot(BigInteger.valueOf(2).multiply(A).multiply((A.add(BigInteger.valueOf(2)))))).mod(q); + } + + BigInteger sign; + if (!negative) { + rx = (rx.multiply(u)).mod(q); + z = (BigInteger.valueOf(-2).multiply(A).multiply(u).multiply(u)).mod(q); + sign = BigInteger.ZERO; + } else { + z = BigInteger.valueOf(-1).multiply(A); + x = x.multiply(sqrtm1).mod(q); + y = (w.subtract(x)).mod(q); + if (!y.equals(BigInteger.ZERO)) { + rx = rx.multiply(ed25519Sqroot(BigInteger.valueOf(-1).multiply(sqrtm1).multiply(A).multiply((A.add(BigInteger.valueOf(2)))))).mod(q); + } else { + rx = rx.multiply(BigInteger.valueOf(-1)).multiply(ed25519Sqroot(sqrtm1.multiply(A).multiply((A.add(BigInteger.valueOf(2)))))).mod(q); + } + sign = BigInteger.ONE; + } + if(!(rx.mod(BigInteger.valueOf(2)).equals(sign))) { + rx = rx.mod(q).negate(); + } + BigInteger rz = (z.add(w)).mod(q); + BigInteger ry = (z.subtract(w)).mod(q); + rx = (rx.multiply(rz)).mod(q); + + Ed25519GroupElement P = pointCompress(rx, ry, rz); + Ed25519GroupElement P8 = P.toP2().dbl().toP2().dbl().toP2().dbl().toP3(); + return P8; + + } + + private static Ed25519GroupElement pointCompress(BigInteger P0, BigInteger P1, BigInteger P2) { + BigInteger zinv = modpInv(P2); + BigInteger x = P0.multiply(zinv).mod(p); + BigInteger y = P1.multiply(zinv).mod(p); + + BigInteger r = y.or((x.and(BigInteger.ONE)).shiftLeft(255)); + + byte[] a = r.toByteArray(); + + byte[] b = new byte[32]; + + if(a.length>32) System.arraycopy(a, a.length-32, b, 0, 32); + else if(a.length<32) System.arraycopy(a, 0, b, 32-a.length, a.length); + else System.arraycopy(a, 0, b, 0, 32); + + reverseByteArrayInPlace(b); + return new Ed25519EncodedGroupElement(b).decode(); + } + + private static BigInteger modpInv(BigInteger x) { + return x.modPow(p.subtract(BigInteger.valueOf(2)), p); + } + + private static BigInteger ed25519Inv(BigInteger x) { + return expmod(x, q.subtract(BigInteger.valueOf(2)), q); + } + + private static BigInteger ed25519Sqroot(BigInteger xx) { + BigInteger x = expmod(xx, q.add(BigInteger.valueOf(3)).divide(BigInteger.valueOf(8)), q); + if (!x.multiply(x).subtract(xx).mod(q).equals(BigInteger.ZERO)) { + x = x.multiply(I).mod(q); + } + if (!x.multiply(x).subtract(xx).mod(q).equals(BigInteger.ZERO)) { + throw new RuntimeException("no square root!"); + } + return x; + } + + private static BigInteger expmod(BigInteger b, BigInteger e, BigInteger m) { + if (e.equals(BigInteger.ZERO)) return BigInteger.ONE; + BigInteger t = expmod(b, e.divide(BigInteger.valueOf(2)), m).pow(2).mod(m); + if(e.and(BigInteger.ONE).equals(BigInteger.ONE)) t = (t.multiply(b)).mod(m); + return t; + } + + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/crypto/PointPair.java b/source-code/RuffCT-java/src/how/monero/hodl/crypto/PointPair.java new file mode 100644 index 0000000..eda3388 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/crypto/PointPair.java @@ -0,0 +1,37 @@ +package how.monero.hodl.crypto; + +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +import static how.monero.hodl.util.ByteUtil.*; + +public class PointPair { + public Ed25519GroupElement P1; + public Ed25519GroupElement P2; + public PointPair(Ed25519GroupElement P1, Ed25519GroupElement P2) { + this.P1 = P1; + this.P2 = P2; + } + public byte[] toBytes() { + return concat(P1.encode().getRaw(), P2.encode().getRaw()); + } + public PointPair add(PointPair a) { + return new PointPair(P1.toP3().add(a.P1.toP3().toCached()), P2.toP3().add(a.P2.toP3().toCached())); + } + public PointPair subtract(PointPair a) { + return new PointPair(P1.toP3().subtract(a.P1.toCached()), P2.toP3().subtract(a.P2.toCached())); + } + public PointPair multiply(Scalar n) { + return new PointPair(P1.toP3().scalarMultiply(n), P2.toP3().scalarMultiply(n)); + } + + public boolean equals(PointPair obj) { + return P1.toP3().equals(obj.P1.toP3()) && P2.toP3().equals(obj.P2.toP3()); + } + + @Override + public String toString() { + return "(P1: " + bytesToHex(P1.encode().getRaw()) + ", P2: " + P2 + ")"; + } + +} + diff --git a/source-code/RuffCT-java/src/how/monero/hodl/crypto/Scalar.java b/source-code/RuffCT-java/src/how/monero/hodl/crypto/Scalar.java new file mode 100644 index 0000000..0f23602 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/crypto/Scalar.java @@ -0,0 +1,100 @@ +package how.monero.hodl.crypto; + +import how.monero.hodl.util.ByteUtil; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519EncodedFieldElement; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519FieldElement; + +import java.math.BigInteger; +import java.util.Arrays; + +import static how.monero.hodl.crypto.CryptoUtil.*; +import static how.monero.hodl.util.ByteUtil.*; + +public class Scalar { + + public final static Scalar ZERO = intToScalar(0); + public final static Scalar ONE = intToScalar(1); + public final static Scalar TWO = intToScalar(2); + public final static Scalar MINUS_ONE = intToScalar(-1); + + // use only for small numbers + public static Scalar intToScalar(int a) { + return new Scalar(scReduce32(getUnsignedLittleEndianByteArrayFromBigInteger(BigInteger.valueOf(a).mod(l)))); + } + + public byte[] bytes; + public Scalar(byte[] bytes) { + this.bytes = bytes; + } + public Scalar(String hex) { + this.bytes = ByteUtil.hexToBytes(hex); + } + public Scalar(BigInteger a) { + this(scReduce32(getUnsignedLittleEndianByteArrayFromBigInteger(a.mod(l)))); + } + public Ed25519EncodedFieldElement toEd25519EncodedFieldElement() { + return new Ed25519EncodedFieldElement(bytes); + } + public Ed25519FieldElement toEd25519FieldElement() { + return new Ed25519EncodedFieldElement(bytes).decode(); + } + + public static Scalar randomScalar() { + byte[] s = new byte[32]; + random.nextBytes(s); + s = CryptoUtil.scReduce32(s); + return new Scalar(s); + } + + @Override + public String toString() { + return bytesToHex(bytes); + } + + public BigInteger toBigInteger() { + return getBigIntegerFromUnsignedLittleEndianByteArray(this.bytes); + } + + @Override + public boolean equals(Object obj) { + return Arrays.equals(this.bytes, ((Scalar)obj).bytes); + } + + public static BigInteger[] scalarArrayToBigIntegerArray(Scalar[] a) { + BigInteger[] r = new BigInteger[a.length]; + for(int i=0; i<a.length; i++) r[i] = a[i].toBigInteger(); + return r; + } + + public static void printScalarArray(Scalar[] a) { + for(int i=0; i<a.length; i++) { + System.out.print(a[i].toBigInteger()+""); + if(i==a.length-1) System.out.println(""); + else System.out.print(", "); + } + } + + public static Scalar[] bigIntegerArrayToScalarArray(BigInteger[] a) { + int len = a.length; + Scalar[] r = new Scalar[len]; + for(int i=0; i<len; i++) { + r[i] = new Scalar(a[i]); + } + return r; + } + + public Scalar add(Scalar a) { return new Scalar(ensure32BytesAndConvertToLittleEndian(getBigIntegerFromUnsignedLittleEndianByteArray(this.bytes).add(getBigIntegerFromUnsignedLittleEndianByteArray(a.bytes)).mod(l).toByteArray())); } + public Scalar sub(Scalar a) { return new Scalar(ensure32BytesAndConvertToLittleEndian(getBigIntegerFromUnsignedLittleEndianByteArray(this.bytes).subtract(getBigIntegerFromUnsignedLittleEndianByteArray(a.bytes)).mod(l).toByteArray())); } + public Scalar mul(Scalar a) { return new Scalar(ensure32BytesAndConvertToLittleEndian(getBigIntegerFromUnsignedLittleEndianByteArray(this.bytes).multiply(getBigIntegerFromUnsignedLittleEndianByteArray(a.bytes)).mod(l).toByteArray())); } + public Scalar sq() { return new Scalar(ensure32BytesAndConvertToLittleEndian(getBigIntegerFromUnsignedLittleEndianByteArray(this.bytes).multiply(getBigIntegerFromUnsignedLittleEndianByteArray(this.bytes)).mod(l).toByteArray())); } + + public Scalar pow(int b) { + Scalar result = Scalar.ONE; + for(int i=0; i<b; i++) { + result = result.mul(this); + } + return result; + } + + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/crypto/ScalarPair.java b/source-code/RuffCT-java/src/how/monero/hodl/crypto/ScalarPair.java new file mode 100644 index 0000000..70dccca --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/crypto/ScalarPair.java @@ -0,0 +1,12 @@ +package how.monero.hodl.crypto; + +import org.nem.core.crypto.ed25519.arithmetic.Ed25519FieldElement; + +public class ScalarPair { + Ed25519FieldElement p1; + Ed25519FieldElement p2; + public ScalarPair(Ed25519FieldElement p1, Ed25519FieldElement p2) { + this.p1 = p1; + this.p2 = p2; + } + } diff --git a/source-code/RuffCT-java/src/how/monero/hodl/cursor/BootleRuffingCursor.java b/source-code/RuffCT-java/src/how/monero/hodl/cursor/BootleRuffingCursor.java new file mode 100644 index 0000000..9c932c9 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/cursor/BootleRuffingCursor.java @@ -0,0 +1,38 @@ +package how.monero.hodl.cursor; + +import how.monero.hodl.crypto.PointPair; +import how.monero.hodl.crypto.Scalar; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519EncodedFieldElement; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519EncodedGroupElement; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519FieldElement; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +public class BootleRuffingCursor extends Cursor { + public byte[] data; + + public BootleRuffingCursor(byte[] data) { + super(data); + } + + public Ed25519GroupElement readGroupElement() { + return new Ed25519EncodedGroupElement(readBytes(32)).decode(); + } + public Ed25519FieldElement readFieldElement() { + return new Ed25519EncodedFieldElement(readBytes(32)).decode(); + } + public PointPair[] readPointPairArray(int len) { + PointPair[] result = new PointPair[len]; + for(int i=0; i<len; i++) result[i] = new PointPair(readGroupElement(), readGroupElement()); + return result; + } + public Scalar[][] readScalar2DArray(int m, int n) { + Scalar[][] result = new Scalar[m][n]; + for(int j=0; j<m; j++) { + for(int i=0; i<n; i++) { + result[j][i] = readScalar(); + } + } + return result; + } + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/cursor/Cursor.java b/source-code/RuffCT-java/src/how/monero/hodl/cursor/Cursor.java new file mode 100644 index 0000000..2f63e3b --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/cursor/Cursor.java @@ -0,0 +1,75 @@ +package how.monero.hodl.cursor; + +import how.monero.hodl.crypto.Scalar; + +import java.math.BigInteger; + +public class Cursor { + + public int pos = 0; + protected byte[] data; + public Cursor(byte[] data) { + this.data = data; + } + + public long readVarInt() { + + long result = 0; + int c = 0; + + while(true) { + boolean isLastByteInVarInt = true; + int i = Byte.toUnsignedInt(data[pos]); + if(i>=128) { + isLastByteInVarInt = false; + i-=128; + } + result += Math.round(i * Math.pow(128, c)); + c++; + pos++; + if(isLastByteInVarInt) break; + } + return result; + } + public BigInteger readVarIntAsBigInteger() { + + BigInteger result = BigInteger.ZERO; + int c = 0; + + while(true) { + boolean isLastByteInVarInt = true; + int i = Byte.toUnsignedInt(data[pos]); + if(i>=128) { + isLastByteInVarInt = false; + i-=128; + } + result = result.add(BigInteger.valueOf(Math.round(i * Math.pow(128, c)))); + c++; + pos++; + if(isLastByteInVarInt) break; + } + return result; + } + + public byte[] readBytes(int len) { + byte[] bytes = new byte[len]; + System.arraycopy(data, pos, bytes, 0, len); + pos+=len; + return bytes; + } + public Scalar readScalar() { + return new Scalar(readBytes(32)); + } + + + public int readByte() { + pos++; + return Byte.toUnsignedInt(data[pos-1]); + } + + public byte[] readKey() { + return readBytes(32); + } + + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/jni/CryptoOpsUtil.java b/source-code/RuffCT-java/src/how/monero/hodl/jni/CryptoOpsUtil.java new file mode 100644 index 0000000..7e89feb --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/jni/CryptoOpsUtil.java @@ -0,0 +1,11 @@ +package how.monero.hodl.jni; + +public class CryptoOpsUtil { + + static { System.loadLibrary("cryptoopsutil"); } + + public static native byte[] scalarMult(byte[] point, byte[] scalar); + public static native byte[] scalarMultBase(byte[] scalar); + public static native byte[] doubleScalarMultBaseVartime(byte[] aScalar, byte[] point, byte[] bScalar); + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/BootleRuffing.java b/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/BootleRuffing.java new file mode 100644 index 0000000..e8dcd33 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/BootleRuffing.java @@ -0,0 +1,560 @@ +package how.monero.hodl.ringSignature; + +import how.monero.hodl.crypto.PointPair; +import how.monero.hodl.crypto.Scalar; +import how.monero.hodl.cursor.BootleRuffingCursor; +import how.monero.hodl.util.VarInt; +import org.nem.core.crypto.ed25519.arithmetic.*; + +import java.math.BigInteger; +import java.util.HashMap; +import java.util.Map; + +import static how.monero.hodl.crypto.CryptoUtil.*; +import static how.monero.hodl.crypto.HashToPoint.hashToPoint; +import static how.monero.hodl.crypto.Scalar.bigIntegerArrayToScalarArray; +import static how.monero.hodl.crypto.Scalar.randomScalar; +import static how.monero.hodl.util.ByteUtil.*; + + +public class BootleRuffing { + + public static class SK { + public Scalar r; + public Scalar r1; + public SK(Scalar r, Scalar r1) { + this.r = r; this.r1 = r1; + } + + @Override + public String toString() { + return "(r: " + bytesToHex(r) + ", r1: " + bytesToHex(r1) + ")"; + } + } + + public static KeyGenResult KEYGEN() { + SK sk = new SK(randomScalar(), randomScalar()); + Ed25519GroupElement ki = G.scalarMultiply(sk.r1); + PointPair pk = ENCeg(ki, sk.r); + return new KeyGenResult(sk, ki, pk); + } + public static class KeyGenResult { + public SK sk; + public Ed25519GroupElement ki; + public PointPair pk = null; + public KeyGenResult(SK sk, Ed25519GroupElement ki, PointPair pk) { + this.sk = sk; this.ki = ki; this.pk = pk; + } + + @Override + public String toString() { + return "sk: " + sk.toString() + ", ki: " + bytesToHex(ki.encode().getRaw()) + ", pk: " + (pk==null ? "(no pk)" : "pk: " + pk); + } + } + + public static class F { + public Ed25519GroupElement[] ki; + public PointPair[][] pk; + public Ed25519GroupElement[] co; + public Ed25519GroupElement co1; + byte[] M; + public F(Ed25519GroupElement[] ki, PointPair[][] pk, Ed25519GroupElement[] co, Ed25519GroupElement co1, byte[] M) { + this.ki = ki; this.pk = pk; this.co = co; this.co1 = co1; this.M = M; + } + byte[] toBytes() { + byte[] r = new byte[0]; + for(int i=0; i<ki.length; i++) r = concat(r, ki[i].encode().getRaw()); + for(int i=0; i<pk.length; i++) for(int j=0; j<pk[i].length; j++) r = concat(r, pk[i][j].toBytes()); + for(int i=0; i<co.length; i++) r = concat(r, co[i].encode().getRaw()); + r = concat(r, co1.encode().getRaw()); + r = concat(r, M); + return r; + } + } + + public static SpendSignature SPEND(SpendParams sp) { + + int iAsterisk = sp.iAsterisk; + PointPair[][] pk = sp.pk; + SK[] sk = sp.sk; + Ed25519GroupElement[] ki = sp.ki; + Ed25519GroupElement[] co = sp.co; + byte[] M = sp.M; + Scalar s = sp.s; + int decompositionBase = sp.decompositionBase; + int decompositionExponent = sp.decompositionExponent; + + Ed25519GroupElement co1 = G.scalarMultiply(s); + F f = new F(ki, pk, co, co1, M); + SubResult cf1 = SUB(f); + Scalar s1 = s; + for(int i=0; i<sk.length; i++) s1 = s1.add(sk[i].r.mul(cf1.f[i])); + Proof2 sigma1 = PROVE2(cf1.c, iAsterisk, s1, pk.length, decompositionBase, decompositionExponent); + + Scalar[] r1 = new Scalar[sk.length]; + for(int i=0; i<r1.length; i++) r1[i] = sk[i].r1; + + Multisignature.Signature sigma2 = Multisignature.sign(concat(sigma1.toBytes(decompositionBase, decompositionExponent), f.toBytes()), r1, null); + return new SpendSignature(decompositionBase, decompositionExponent, co1, sigma1, sigma2); + } + + public static class SpendSignature { + public int decompositionBase; + public int decompositionExponent; + public Ed25519GroupElement co1; + public Proof2 sigma1; + Multisignature.Signature sigma2; + public SpendSignature(int decompositionBase, int decompositionExponent, Ed25519GroupElement co1, Proof2 sigma1, Multisignature.Signature sigma2) { + this.decompositionBase = decompositionBase; this.decompositionExponent = decompositionExponent; this.co1 = co1; this.sigma1 = sigma1; this.sigma2 = sigma2; + } + public byte[] toBytes() { + byte[] result; + result = concat(VarInt.writeVarInt(decompositionBase), VarInt.writeVarInt(decompositionExponent)); + result = concat(result, co1.encode().getRaw(), sigma1.toBytes(decompositionBase, decompositionExponent), sigma2.toBytes()); + return result; + } + public static SpendSignature fromBytes(byte[] a) { + BootleRuffingCursor cursor = new BootleRuffingCursor(a); + int decompositionBase = (int) cursor.readVarInt(); + int decompositionExponent = (int) cursor.readVarInt(); + return new SpendSignature(decompositionBase, decompositionExponent, + cursor.readGroupElement(), + new Proof2( + new Proof1(cursor.readGroupElement(), cursor.readGroupElement(), cursor.readGroupElement(), + cursor.readScalar2DArray(decompositionExponent, decompositionBase-1), cursor.readScalar(), cursor.readScalar(), null), + cursor.readGroupElement(), + cursor.readPointPairArray(decompositionExponent), cursor.readScalar()), + new Multisignature.Signature(cursor.readGroupElement(), cursor.readScalar())); + } + } + + public static SubResult SUB(F fin) { + int L = fin.pk.length; // inputs + int N = fin.pk[0].length; // ring size + PointPair[] pkz = new PointPair[L]; + Scalar[] f = new Scalar[L]; + for(int j=0; j<L; j++) { + pkz[j] = new PointPair(fin.ki[j], Ed25519Group.ZERO_P3); + f[j] = hashToScalar(concat(fin.ki[j].encode().getRaw(), fin.toBytes(), longToLittleEndianUint32ByteArray(j))); + } + PointPair[] c = new PointPair[N]; + for(int i=0; i<N; i++) { + c[i] = new PointPair(fin.co[i], fin.co1); + for(int j=0; j<L; j++) { + c[i] = c[i].add( (fin.pk[j][i].subtract(pkz[j])).multiply(f[j]) ); + } + } + return new SubResult(c, f); + } + public static class SubResult { + public PointPair[] c; + public Scalar[] f; + public SubResult(PointPair[] c, Scalar[] f) { + this.c = c; this.f = f; + } + } + + public static Proof1 PROVE1(Scalar[][] b, Scalar r) { + + int m = b.length; // decompositionExponent + int n = b[0].length; // decompositionBase + + Scalar rA = randomScalar(); + Scalar rC = randomScalar(); + Scalar rD = randomScalar(); + + Scalar[][] a = new Scalar[m][n]; + for(int j=0; j<m; j++) { + for(int i=1; i<n; i++) { + a[j][i] = randomScalar(); + } + } + + for(int j=0; j<m; j++) { + a[j][0] = Scalar.ZERO; + for(int i=1; i<n; i++) { + a[j][0] = a[j][0].sub(a[j][i]); + } + } + + Ed25519GroupElement A = COMb(a, rA); + + Scalar[][] c = new Scalar[m][n]; + Scalar[][] d = new Scalar[m][n]; + for(int j=0; j<m; j++) { + for(int i=0; i<n; i++) { + c[j][i] = a[j][i].mul(Scalar.ONE.sub(b[j][i].mul(Scalar.TWO))); + d[j][i] = a[j][i].sq().mul(Scalar.MINUS_ONE); + } + } + + Ed25519GroupElement C = COMb(c, rC); + Ed25519GroupElement D = COMb(d, rD); + + Scalar x = hashToScalar(concat(A.encode().getRaw(), C.encode().getRaw(), D.encode().getRaw())); + + Scalar[][] f = new Scalar[m][n]; + for(int j=0; j<m; j++) { + for(int i=0; i<n; i++) { + f[j][i] = b[j][i].mul(x).add(a[j][i]); + } + } + + Scalar[][] fTrimmed = new Scalar[m][n-1]; + for(int j=0; j<m; j++) { + for(int i=1; i<n; i++) { + fTrimmed[j][i-1] = f[j][i]; + } + } + + Scalar zA = r.mul(x).add(rA); + Scalar zC = rC.mul(x).add(rD); + + return new Proof1(A, C, D, fTrimmed, zA, zC, a); + } + + public static class Proof1 { + public Ed25519GroupElement A; + public Ed25519GroupElement C; + public Ed25519GroupElement D; + private Scalar[][] fTrimmed; + private Scalar zA; + private Scalar zC; + public transient Scalar[][] a; + + private Proof1(Ed25519GroupElement A, Ed25519GroupElement C, Ed25519GroupElement D, Scalar[][] fTrimmed, + Scalar zA, Scalar zC, Scalar[][] a) { + this.A = A; this.C = C; this.D = D; this.fTrimmed = fTrimmed; this.zA = zA; this.zC = zC; this.a = a; + } + private byte[] toBytes(int decompositionBase, int decompositionExponent) { + byte[] result = concat(A.encode().getRaw(), C.encode().getRaw(), D.encode().getRaw()); + for(int j=0; j<decompositionExponent; j++) { + for(int i=0; i<decompositionBase-1; i++) { + result = concat(result, fTrimmed[j][i].bytes); + } + } + result = concat(result, zA.bytes, zC.bytes); + return result; + } + } + + public static Proof2 PROVE2(PointPair[] co, int iAsterisk, Scalar r, int inputs, int decompositionBase, int decompositionExponent) { + + int ringSize = (int) Math.pow(decompositionBase, decompositionExponent); + + Scalar[] u = new Scalar[decompositionExponent]; + for(int k=0; k<decompositionExponent; k++) u[k] = randomScalar(); + + Scalar rB = randomScalar(); + + int[] iAsteriskSequence = nAryDecompose(decompositionBase, iAsterisk, decompositionExponent); + + Scalar[][] d = new Scalar[decompositionExponent][decompositionBase]; + for(int j=0; j<decompositionExponent; j++) { + for(int i=0; i<decompositionBase; i++) { + d[j][i] = Scalar.intToScalar(delta(iAsteriskSequence[j], i)); + } + } + + Ed25519GroupElement B = COMb(d, rB); + + Proof1 P = PROVE1(d, rB); + + Scalar[][] coefs = COEFS(P.a, iAsterisk); + + PointPair[] G = new PointPair[decompositionExponent]; + + for(int k=0; k<decompositionExponent; k++) { + G[k] = ENCeg(Ed25519Group.ZERO_P3, u[k]); + for (int i = 0; i < ringSize; i++) { + G[k] = G[k].add(co[i].multiply(coefs[i][k])); + } + } + + byte[] bytes = concat(P.A.encode().getRaw(), P.C.encode().getRaw(), P.D.encode().getRaw()); + Scalar x1 = hashToScalar(bytes); + + Scalar z = r.mul(x1.pow(decompositionExponent)); + for(int i=decompositionExponent-1; i>=0; i--) { + z = z.sub(u[i].mul(x1.pow(i))); + } + return new Proof2(P, B, G, z); + } + + + public static class Proof2 { + Proof1 P; + public Ed25519GroupElement B; + public PointPair[] G; + public Scalar z; + + private Proof2(Proof1 P, Ed25519GroupElement B, PointPair[] G, Scalar z) { + this.P = P; + this.B = B; + this.G = G; + this.z = z; + } + + private byte[] toBytes(int decompositionBase, int decompositionExponent) { + byte[] bytes; + bytes = concat(P.toBytes(decompositionBase, decompositionExponent), B.encode().getRaw()); + for(PointPair g : G) bytes = concat(bytes, g.toBytes()); + bytes = concat(bytes, z.bytes); + return bytes; + } + + } + + private static int delta(int j, int i) { + return j==i ? 1 : 0; + } + private static int intPow(int a, int b) { + return (int) Math.round(Math.pow(a, b)); + } + public static int[] nAryDecompose(int base, int n, int decompositionExponent) { + int[] r = new int[decompositionExponent]; + for(int i=decompositionExponent-1; i>=0; i--) { + int basePow = intPow(base, i); + r[i] = n / basePow; + n-=basePow*r[i]; + } + return r; + } + + public static boolean VALID1(Ed25519GroupElement B, Proof1 P) { + boolean abcdOnCurve = + P.A.satisfiesCurveEquation() + && B.satisfiesCurveEquation() + && P.C.satisfiesCurveEquation() + && P.D.satisfiesCurveEquation(); + if(!abcdOnCurve) { + System.out.println("VALID1: ABCD not on curve"); + return false; + } + + int m = P.fTrimmed.length; + int n = P.fTrimmed[0].length + 1; + + Scalar[][] f = new Scalar[m][n]; + for(int j=0; j<m; j++) { + for(int i=1; i<n; i++) { + f[j][i] = P.fTrimmed[j][i-1]; + } + } + + Scalar x = hashToScalar(concat(P.A.encode().getRaw(), P.C.encode().getRaw(), P.D.encode().getRaw())); + + for(int j=0; j<m; j++) { + f[j][0] = x; + for(int i=1; i<n; i++) { + f[j][0] = f[j][0].sub(f[j][i]); + } + } + + Scalar[][] f1 = new Scalar[m][n]; + for(int j=0; j<m; j++) { + for(int i=0; i<n; i++) { + f1[j][i] = f[j][i].mul(x.sub(f[j][i])); + } + } + + for(int j=0; j<m; j++) { + Scalar colSum = x; + for(int i=1; i<n; i++) { + colSum = colSum.sub(f[j][i]); + } + if(!f[j][0].equals(colSum)) { + System.out.println("VALID1: FAILED For each j=0, ..., m-1, f[j][0] == x-f[j][1]-f[j][2]- ... -f[j][n-1]"); + return false; + } + } + + if(!B.toP3().scalarMultiply(x).toP3().add(P.A.toP3().toCached()).equals(COMb(f, P.zA))) { + System.out.println("VALID1: FAILED xB + A == COMp(f[0][0], ..., f[m-1][n-1]; z[A])"); + return false; + } + if(!P.C.toP3().scalarMultiply(x).toP3().add(P.D.toP3().toCached()).equals(COMb(f1, P.zC))) { + System.out.println("VALID1: FAILED xC + D == COMp(f'[0][0], ..., f'[m-1][n-1]; z[C])"); + return false; + } + + return true; + + } + + public static boolean VALID2(int decompositionBase, Proof2 P1, PointPair[] co) { + + boolean abcdOnCurve = + P1.P.A.satisfiesCurveEquation() + && P1.B.satisfiesCurveEquation() + && P1.P.C.satisfiesCurveEquation() + && P1.P.D.satisfiesCurveEquation(); + if(!abcdOnCurve) { + System.out.println("VALID2: FAILED: ABCD not on curve"); + return false; + } + + if(!VALID1(P1.B, P1.P)) { + System.out.println("VALID2: FAILED: VALID1 failed"); + return false; + } + + Scalar x1 = hashToScalar(concat(P1.P.A.encode().getRaw(), P1.P.C.encode().getRaw(), P1.P.D.encode().getRaw())); + + int decompositionExponent = P1.P.fTrimmed.length; + Scalar[][] f = new Scalar[decompositionExponent][decompositionBase]; + for(int j=0; j<decompositionExponent; j++) { + for(int i=1; i<decompositionBase; i++) { + f[j][i] = P1.P.fTrimmed[j][i-1]; + } + } + + int ringSize = (int) Math.pow(decompositionBase, decompositionExponent); + + PointPair c = ENCeg(Ed25519Group.ZERO_P3, P1.z); + + Scalar x = hashToScalar(concat(P1.P.A.encode().getRaw(), P1.P.C.encode().getRaw(), P1.P.D.encode().getRaw())); + for(int j=0; j<decompositionExponent; j++) { + f[j][0] = x; + for(int i=1; i<decompositionBase; i++) { + f[j][0] = f[j][0].sub(f[j][i]); + } + } + + Scalar[] g = new Scalar[ringSize]; + g[0] = f[0][0]; + for(int j=1; j<decompositionExponent; j++) { + g[0] = g[0].mul(f[j][0]); + } + + PointPair c1 = co[0].multiply(g[0]); + for(int i=1; i<ringSize; i++) { + int[] iSequence = nAryDecompose(decompositionBase, i, decompositionExponent); + g[i] = f[0][iSequence[0]]; + for(int j=1; j<decompositionExponent; j++) { + g[i] = g[i].mul(f[j][iSequence[j]]); + } + c1 = c1.add(co[i].multiply(g[i])); + } + + for(int k=0; k<decompositionExponent; k++) { + c1 = c1.subtract(P1.G[k].multiply(x1.pow(k))); + } + + + boolean result = c1.equals(c); + if(!result) { + System.out.println("VALID2: FAILED: c' != c"); + System.out.println("c: (" + bytesToHex(c.P1.encode().getRaw()) + ", " + bytesToHex(c.P2.encode().getRaw())); + System.out.println("c': (" + bytesToHex(c1.P1.encode().getRaw()) + ", " + bytesToHex(c1.P2.encode().getRaw())); + } + return result; + + } + + public static boolean VER(Ed25519GroupElement[] ki, PointPair[][] pk, Ed25519GroupElement[] co, Ed25519GroupElement co1, byte[] M, SpendSignature spendSignature) { + + F f = new F(ki, pk, co, co1, M); + + SubResult cf1 = SUB(f); + + if(!Multisignature.verify(concat(spendSignature.sigma1.toBytes(spendSignature.decompositionBase, spendSignature.decompositionExponent), f.toBytes()), ki, spendSignature.sigma2)) { + System.out.println("Multisignature.verify failed"); + return false; + } + + if(!VALID2(spendSignature.decompositionBase, spendSignature.sigma1, cf1.c)) { + System.out.println("VALID2 failed"); + return false; + } + + return true; + } + + public static class Output { + public SK sk; + public Ed25519GroupElement ki; + public PointPair pk; + + public Scalar mask; + public Ed25519GroupElement co; + public BigInteger amount; + public static Output genRandomOutput(BigInteger amount) { + Output o = new Output(); + KeyGenResult keyGenResult = KEYGEN(); + o.sk = keyGenResult.sk; + o.pk = keyGenResult.pk; + o.ki = keyGenResult.ki; + o.amount = amount; + o.mask = randomScalar(); + o.co = COMp(new Scalar(o.amount), o.mask); + return o; + } + } + + public static Scalar[][] COEFS(Scalar[][] a, int iAsterisk) { + int decompositionBase = a[0].length; // n + int decompositionExponent = a.length; // m + int ringSize = (int) Math.pow(decompositionBase, decompositionExponent); // N = n^m + + int[] iAsteriskSequence = nAryDecompose(decompositionBase, iAsterisk, decompositionExponent); + + Scalar[][] coefList = new Scalar[ringSize][decompositionExponent]; + + for(int k=0; k<ringSize; k++) { + int[] kSequence = nAryDecompose(decompositionBase, k, decompositionExponent); + coefList[k] = new Scalar[]{ + a[0][kSequence[0]], + Scalar.intToScalar(delta(iAsteriskSequence[0], kSequence[0])) + }; + + for(int j=1; j<decompositionExponent; j++) { + coefList[k] = COEFPROD(coefList[k], new Scalar[]{ + a[j][kSequence[j]], + Scalar.intToScalar(delta(iAsteriskSequence[j], kSequence[j])) + }); + } + } + for(int k=0; k<ringSize; k++) { + coefList[k] = trimScalarArray(coefList[k], decompositionExponent, decompositionExponent); + } + return coefList; + } + + private static Scalar[] trimScalarArray(Scalar[] a, int len, int indexWhere1ValueCanBeTrimmed) { + Scalar[] r = new Scalar[len]; + for(int i=0; i<a.length; i++) { + if(i<len) r[i] = a[i]; + else { + if(i==indexWhere1ValueCanBeTrimmed) { + if(!(a[i].equals(Scalar.ZERO) || a[i].equals(Scalar.ONE))) throw new RuntimeException("Attempt to trim non-zero or non-one in column " + i + ": value: " + a[i].toBigInteger()); + } + else { + if(!(a[i].equals(Scalar.ZERO))) throw new RuntimeException("Attempt to trim non-zero in column " + i + ": value: " + a[i].toBigInteger()); + } + } + } + return r; + } + + public static Scalar[] COEFPROD(Scalar[] c, Scalar[] d) { + int maxLen = Math.max(c.length, d.length); + int resultLen = 2*maxLen-1; + BigInteger[] result = new BigInteger[resultLen]; + + for (int i = 0; i<resultLen; i++) result[i] = BigInteger.ZERO; + for (int i=0; i<maxLen; i++) + { + for (int j=0; j<maxLen; j++) { + result[i+j] = result[i+j].add(getBigIntegerAtArrayIndex(c, i).multiply(getBigIntegerAtArrayIndex(d, j))); + } + } + return bigIntegerArrayToScalarArray(result); + } + + private static BigInteger getBigIntegerAtArrayIndex(Scalar[] a, int index) { + if(index>=a.length) return BigInteger.ZERO; + else return a[index].toBigInteger(); + } + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/Multisignature.java b/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/Multisignature.java new file mode 100644 index 0000000..4c0c02f --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/Multisignature.java @@ -0,0 +1,114 @@ +package how.monero.hodl.ringSignature; + +import how.monero.hodl.crypto.Scalar; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +import java.util.*; + +import static how.monero.hodl.crypto.Scalar.randomScalar; +import static how.monero.hodl.util.ByteUtil.bytesToHex; +import static how.monero.hodl.util.ByteUtil.concat; +import static how.monero.hodl.crypto.CryptoUtil.*; + +public class Multisignature { + + public static Ed25519GroupElement[] lexicographicalSort(Ed25519GroupElement[] X) { + SortedMap<String, Ed25519GroupElement> hexToPoint = new TreeMap<>(); + for(Ed25519GroupElement Xi : X) hexToPoint.put(bytesToHex(Xi.encode().getRaw()), Xi); + return hexToPoint.values().stream().toArray(Ed25519GroupElement[]::new); + } + + /* + VER*: Take as input a message M, public keys L' = X[1], ..., X[n], and a + signature sigma = (R,s). + 1) Compute L* = H(L') + 2) For each i=1,2,...,n, compute c[i] = Hs(X[i], R, L*, M) + 3) Accept if and only if sG = R + c[1]*X[1] + ... + c[n]*X[n] + */ + public static boolean verify(byte[] M, Ed25519GroupElement[] X, Signature signature) { + int n = X.length; + + Scalar XAsterisk = hashToScalar(toBytes(lexicographicalSort(X))); + + Scalar[] c = new Scalar[n]; + for(int i=0; i<n; i++) { + c[i] = hashToScalar(concat(X[i].encode().getRaw(), signature.R.encode().getRaw(), XAsterisk.bytes, M)); + } + Ed25519GroupElement sG = G.scalarMultiply(signature.s); + Ed25519GroupElement sG1 = signature.R; + for(int i=0; i<n; i++) sG1 = sG1.toP3().add(X[i].scalarMultiply(c[i]).toCached()); + return sG.equals(sG1); + } + + /* + SIG*: Take as input a message M and a list of private keys L = x[0], x[1], + ..., x[n-1]. Let L' be the associated list of public keys X[0], ..., X[n-1], and + assume L' is lexicographically ordered. + 1) Compute L* = H(L'). + 2) For each i=0,1,...,n-1, select r[i] at random from Zq. + 3) Compute r=r[0]+r[1]+...+r[n-1] and R=rG. + 4) For each i=0,1,...,n-1: + i) Compute c[i] := Hs(X[i], R, L*, M) + ii) Compute s[i] := r[i] + x[i]*c[i] + 5) Compute s = s[1] + ... + s[n]. + 6) Output the signature sigma = (R, s) + */ + public static Signature sign(byte[] M, Scalar[] x, Ed25519GroupElement[] X) { + int n = x.length; + if(X==null) { + X = new Ed25519GroupElement[n]; + for(int i=0; i<n; i++) { + X[i] = G.scalarMultiply(x[i]); + } + + } + Scalar XAsterisk = hashToScalar(toBytes(lexicographicalSort(X))); + + Scalar[] rArray = new Scalar[n]; + for(int i=0; i<n; i++) rArray[i] = randomScalar(); + Scalar r = sumArray(rArray); + + Ed25519GroupElement R = G.scalarMultiply(r); + Scalar[] c = new Scalar[n]; + Scalar[] sArray = new Scalar[n]; + for(int i=0; i<n; i++) { + c[i] = hashToScalar(concat(X[i].encode().getRaw(), R.encode().getRaw(), XAsterisk.bytes, M)); + sArray[i] = rArray[i].add(x[i].mul(c[i])); + } + Scalar s = sumArray(sArray); + return new Signature(R, s); + } + + public static class Signature { + Ed25519GroupElement R; + Scalar s; + public Signature(Ed25519GroupElement R, Scalar s) { + this.R = R; this.s = s; + } + public byte[] toBytes() { + return concat(R.encode().getRaw(), s.bytes); + } + } + + /* + KEYGEN*: Each user selects x at random from Zq. The secret key is x. The + public key is X=xG. Output (sk,pk) = (x,X). + */ + public static KeyPair keygen() { + Scalar x = randomScalar(); + Ed25519GroupElement X = G.scalarMultiply(x); + return new KeyPair(x, X); + } + public static class KeyPair { + public Scalar x; + public Ed25519GroupElement X; + public KeyPair(Scalar x, Ed25519GroupElement X) { + this.x = x; this.X = X; + } + } + + + + + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/SpendParams.java b/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/SpendParams.java new file mode 100644 index 0000000..2d40c94 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/ringSignature/SpendParams.java @@ -0,0 +1,19 @@ +package how.monero.hodl.ringSignature; + +import how.monero.hodl.crypto.PointPair; +import how.monero.hodl.crypto.Scalar; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +public class SpendParams { + + public int iAsterisk; + public PointPair[][] pk; + public BootleRuffing.SK[] sk; + public Ed25519GroupElement[] ki; + public Ed25519GroupElement[] co; + public byte[] M; + public Scalar s; + public int decompositionBase; + public int decompositionExponent; + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/util/ByteUtil.java b/source-code/RuffCT-java/src/how/monero/hodl/util/ByteUtil.java new file mode 100644 index 0000000..e3301ad --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/util/ByteUtil.java @@ -0,0 +1,83 @@ +package how.monero.hodl.util; + +import how.monero.hodl.crypto.Scalar; + +public class ByteUtil { + + public static String byteToHex(int v) { + byte[] array = new byte[1]; + array[0] = (byte) v; + return bytesToHex(array); + } + + final protected static char[] hexArray = "0123456789abcdef".toCharArray(); + public static String bytesToHex(Scalar a) { + return bytesToHex(a.bytes); + } + public static String bytesToHex(byte[] bytes) { + char[] hexChars = new char[bytes.length * 2]; + for ( int j = 0; j < bytes.length; j++ ) { + int v = bytes[j] & 0xFF; + hexChars[j * 2] = hexArray[v >>> 4]; + hexChars[j * 2 + 1] = hexArray[v & 0x0F]; + } + return new String(hexChars); + } + + public static byte[] hexToBytes(String s) { + int len = s.length(); + byte[] data = new byte[len / 2]; + for (int i = 0; i < len; i += 2) { + data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + + Character.digit(s.charAt(i+1), 16)); + } + return data; + } + + public static void reverseByteArrayInPlace(byte[] array) { + for(int i = 0; i < array.length / 2; i++) + { + byte temp = array[i]; + array[i] = array[array.length - i - 1]; + array[array.length - i - 1] = temp; + } + } + + public static byte[] concat(byte a, byte[] b) { + byte[] r = new byte[1+b.length]; + r[0] = a; + System.arraycopy(b, 0, r, 1, b.length); + return r; + } + public static byte[] concat(byte[] a, byte[] b) { + byte[] r = new byte[a.length+b.length]; + System.arraycopy(a, 0, r, 0, a.length); + System.arraycopy(b, 0, r, a.length, b.length); + return r; + } + public static byte[] concat(byte[] a, byte[] b, byte[] c) { + return concat(concat(a, b), c); + } + public static byte[] concat(byte[] a, byte[] b, byte[] c, byte[] d) { + return concat(concat(a, b), concat(c, d)); + } + + public static byte[] subarray(byte[] a, int start, int end) { + byte[] r = new byte[end-start]; + System.arraycopy(a, start, r, 0, r.length); + return r; + } + + public static byte[] xor(byte[] a, byte[] b) { + byte[] r = new byte[a.length]; + for(int i=0; i<r.length; i++) r[i] = (byte) (a[i] ^ b[i]); + return r; + } + + public static byte[] longToLittleEndianUint32ByteArray(long value) { + byte[] array = new byte[4]; + for (int i=3; i>=0; i--) array[i] = (byte) (value >> i*8); + return array; + } + +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/util/ExceptionAdapter.java b/source-code/RuffCT-java/src/how/monero/hodl/util/ExceptionAdapter.java new file mode 100644 index 0000000..4628fdd --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/util/ExceptionAdapter.java @@ -0,0 +1,8 @@ +package how.monero.hodl.util; + +public class ExceptionAdapter { + public static RuntimeException toRuntimeException(Exception e) { + if(RuntimeException.class.isInstance(e)) return (RuntimeException) e; + else return new RuntimeException(e); + } +} diff --git a/source-code/RuffCT-java/src/how/monero/hodl/util/VarInt.java b/source-code/RuffCT-java/src/how/monero/hodl/util/VarInt.java new file mode 100644 index 0000000..ef21a50 --- /dev/null +++ b/source-code/RuffCT-java/src/how/monero/hodl/util/VarInt.java @@ -0,0 +1,45 @@ +package how.monero.hodl.util; + +public class VarInt { + + public static byte[] writeVarInt(long value) { + byte[] data = new byte[8]; + int pos = 0; + + while ((value & 0xFFFFFF80) != 0L) { + data[pos] = (byte) ((value & 0x7F) | 0x80); + pos++; + value >>>= 7; + } + data[pos] = (byte) (value & 0x7F); + pos++; + + byte[] result = new byte[pos]; + System.arraycopy(data, 0, result, 0, pos); + return result; + } + + public static long readVarInt(byte[] data) { + + long result = 0; + int c = 0; + int pos = 0; + + while(true) { + boolean isLastByteInVarInt = true; + int i = Byte.toUnsignedInt(data[pos]); + if(i>=128) { + isLastByteInVarInt = false; + i-=128; + } + result += Math.round(i * Math.pow(128, c)); + c++; + pos++; + if(isLastByteInVarInt) break; + } + + return result; + } + + +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/Curve.java b/source-code/RuffCT-java/src/org/nem/core/crypto/Curve.java new file mode 100755 index 0000000..5c89399 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/Curve.java @@ -0,0 +1,30 @@ +package org.nem.core.crypto; + +import java.math.BigInteger; + +/** + * Interface for getting information for a curve. + */ +public interface Curve { + + /** + * Gets the name of the curve. + * + * @return The name of the curve. + */ + String getName(); + + /** + * Gets the group order. + * + * @return The group order. + */ + BigInteger getGroupOrder(); + + /** + * Gets the group order / 2. + * + * @return The group order / 2. + */ + BigInteger getHalfGroupOrder(); +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/Ed25519Curve.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/Ed25519Curve.java new file mode 100755 index 0000000..f49a61f --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/Ed25519Curve.java @@ -0,0 +1,41 @@ +package org.nem.core.crypto.ed25519; + +import org.nem.core.crypto.ed25519.arithmetic.Ed25519Group; + +import java.math.BigInteger; + +/** + * Class that wraps the elliptic curve Ed25519. + */ +public class Ed25519Curve implements org.nem.core.crypto.Curve { + + private static final Ed25519Curve ED25519; + + static { + ED25519 = new Ed25519Curve(); + } + + @Override + public String getName() { + return "ed25519"; + } + + @Override + public BigInteger getGroupOrder() { + return Ed25519Group.GROUP_ORDER; + } + + @Override + public BigInteger getHalfGroupOrder() { + return Ed25519Group.GROUP_ORDER.shiftRight(1); + } + + /** + * Gets the Ed25519 instance. + * + * @return The Ed25519 instance. + */ + public static Ed25519Curve ed25519() { + return ED25519; + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/CoordinateSystem.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/CoordinateSystem.java new file mode 100755 index 0000000..29d6df1 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/CoordinateSystem.java @@ -0,0 +1,37 @@ +package org.nem.core.crypto.ed25519.arithmetic; + +/** + * Available coordinate systems for a group element. + */ +public enum CoordinateSystem { + + /** + * Affine coordinate system (x, y). + */ + AFFINE, + + /** + * Projective coordinate system (X:Y:Z) satisfying x=X/Z, y=Y/Z. + */ + P2, + + /** + * Extended projective coordinate system (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT. + */ + P3, + + /** + * Completed coordinate system ((X:Z), (Y:T)) satisfying x=X/Z, y=Y/T. + */ + P1xP1, + + /** + * Precomputed coordinate system (y+x, y-x, 2dxy). + */ + PRECOMPUTED, + + /** + * Cached coordinate system (Y+X, Y-X, Z, 2dT). + */ + CACHED +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519EncodedFieldElement.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519EncodedFieldElement.java new file mode 100755 index 0000000..5acc2ef --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519EncodedFieldElement.java @@ -0,0 +1,1005 @@ +package org.nem.core.crypto.ed25519.arithmetic; + +import org.nem.core.utils.*; + +import java.util.Arrays; + +/** + * Represents a field element of the finite field with p=2^255-19 elements. + * The value of the field element is held in 2^8 bit representation, i.e. in a byte array. + * The length of the array must be 32 or 64. + */ +public class Ed25519EncodedFieldElement { + private final byte[] zero; + private final byte[] values; + + /** + * Creates a new encoded field element. + * + * @param values The byte array that holds the values. + */ + public Ed25519EncodedFieldElement(final byte[] values) { + switch (values.length) { + case 32: + this.zero = Ed25519Field.ZERO_SHORT; + break; + case 64: + this.zero = Ed25519Field.ZERO_LONG; + break; + default: + throw new IllegalArgumentException("Invalid 2^8 bit representation."); + } + + this.values = values; + } + + /** + * Gets the underlying byte array. + * + * @return The byte array. + */ + public byte[] getRaw() { + return this.values; + } + + /** + * Return true if this is in {1,3,5,...,q-2} + * Return false if this is in {0,2,4,...,q-1} + * <br> + * Preconditions: + * |x| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + * + * @return true if this is in {1,3,5,...,q-2}, false otherwise. + */ + public boolean isNegative() { + return (this.values[0] & 1) != 0; + } + + /** + * Gets a value indicating whether or not the field element is non-zero. + * + * @return 1 if it is non-zero, 0 otherwise. + */ + public boolean isNonZero() { + return 0 == ArrayUtils.isEqualConstantTime(this.values, this.zero); + } + + /** + * Decodes this encoded (32 byte) representation to a field element in its 10 byte 2^25.5 representation. + * The most significant bit is discarded. + * + * @return The field element in its 2^25.5 bit representation. + */ + public Ed25519FieldElement decode() { + long h0 = fourBytesToLong(this.values, 0); + long h1 = threeBytesToLong(this.values, 4) << 6; + long h2 = threeBytesToLong(this.values, 7) << 5; + long h3 = threeBytesToLong(this.values, 10) << 3; + long h4 = threeBytesToLong(this.values, 13) << 2; + long h5 = fourBytesToLong(this.values, 16); + long h6 = threeBytesToLong(this.values, 20) << 7; + long h7 = threeBytesToLong(this.values, 23) << 5; + long h8 = threeBytesToLong(this.values, 26) << 4; + long h9 = (threeBytesToLong(this.values, 29) & 0x7FFFFF) << 2; + final long carry0; + final long carry1; + final long carry2; + final long carry3; + final long carry4; + final long carry5; + final long carry6; + final long carry7; + final long carry8; + final long carry9; + + // Remember: 2^255 congruent 19 modulo p + carry9 = (h9 + (long)(1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 << 25; + carry1 = (h1 + (long)(1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry3 = (h3 + (long)(1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry5 = (h5 + (long)(1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 << 25; + carry7 = (h7 + (long)(1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 << 25; + + carry0 = (h0 + (long)(1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry2 = (h2 + (long)(1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry4 = (h4 + (long)(1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry6 = (h6 + (long)(1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 << 26; + carry8 = (h8 + (long)(1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 << 26; + + final int[] h = new int[10]; + h[0] = (int)h0; + h[1] = (int)h1; + h[2] = (int)h2; + h[3] = (int)h3; + h[4] = (int)h4; + h[5] = (int)h5; + h[6] = (int)h6; + h[7] = (int)h7; + h[8] = (int)h8; + h[9] = (int)h9; + + return new Ed25519FieldElement(h); + } + + /** + * Reduces this encoded field element (64 bytes) modulo the group order q. + * + * @return Encoded field element (32 bytes). + */ + public Ed25519EncodedFieldElement modQ() { + // s0, ..., s22 have 21 bits, s23 has 29 bits + long s0 = 0x1FFFFF & threeBytesToLong(this.values, 0); + long s1 = 0x1FFFFF & (fourBytesToLong(this.values, 2) >> 5); + long s2 = 0x1FFFFF & (threeBytesToLong(this.values, 5) >> 2); + long s3 = 0x1FFFFF & (fourBytesToLong(this.values, 7) >> 7); + long s4 = 0x1FFFFF & (fourBytesToLong(this.values, 10) >> 4); + long s5 = 0x1FFFFF & (threeBytesToLong(this.values, 13) >> 1); + long s6 = 0x1FFFFF & (fourBytesToLong(this.values, 15) >> 6); + long s7 = 0x1FFFFF & (threeBytesToLong(this.values, 18) >> 3); + long s8 = 0x1FFFFF & threeBytesToLong(this.values, 21); + long s9 = 0x1FFFFF & (fourBytesToLong(this.values, 23) >> 5); + long s10 = 0x1FFFFF & (threeBytesToLong(this.values, 26) >> 2); + long s11 = 0x1FFFFF & (fourBytesToLong(this.values, 28) >> 7); + long s12 = 0x1FFFFF & (fourBytesToLong(this.values, 31) >> 4); + long s13 = 0x1FFFFF & (threeBytesToLong(this.values, 34) >> 1); + long s14 = 0x1FFFFF & (fourBytesToLong(this.values, 36) >> 6); + long s15 = 0x1FFFFF & (threeBytesToLong(this.values, 39) >> 3); + long s16 = 0x1FFFFF & threeBytesToLong(this.values, 42); + long s17 = 0x1FFFFF & (fourBytesToLong(this.values, 44) >> 5); + final long s18 = 0x1FFFFF & (threeBytesToLong(this.values, 47) >> 2); + final long s19 = 0x1FFFFF & (fourBytesToLong(this.values, 49) >> 7); + final long s20 = 0x1FFFFF & (fourBytesToLong(this.values, 52) >> 4); + final long s21 = 0x1FFFFF & (threeBytesToLong(this.values, 55) >> 1); + final long s22 = 0x1FFFFF & (fourBytesToLong(this.values, 57) >> 6); + final long s23 = (fourBytesToLong(this.values, 60) >> 3); + long carry0; + long carry1; + long carry2; + long carry3; + long carry4; + long carry5; + long carry6; + long carry7; + long carry8; + long carry9; + long carry10; + long carry11; + final long carry12; + final long carry13; + final long carry14; + final long carry15; + final long carry16; + + /** + * Lots of magic numbers :) + * To understand what's going on below, note that + * + * (1) q = 2^252 + q0 where q0 = 27742317777372353535851937790883648493. + * (2) s11 is the coefficient of 2^(11*21), s23 is the coefficient of 2^(^23*21) and 2^252 = 2^((23-11) * 21)). + * (3) 2^252 congruent -q0 modulo q. + * (4) -q0 = 666643 * 2^0 + 470296 * 2^21 + 654183 * 2^(2*21) - 997805 * 2^(3*21) + 136657 * 2^(4*21) - 683901 * 2^(5*21) + * + * Thus + * s23 * 2^(23*11) = s23 * 2^(12*21) * 2^(11*21) = s3 * 2^252 * 2^(11*21) congruent + * s23 * (666643 * 2^0 + 470296 * 2^21 + 654183 * 2^(2*21) - 997805 * 2^(3*21) + 136657 * 2^(4*21) - 683901 * 2^(5*21)) * 2^(11*21) modulo q = + * s23 * (666643 * 2^(11*21) + 470296 * 2^(12*21) + 654183 * 2^(13*21) - 997805 * 2^(14*21) + 136657 * 2^(15*21) - 683901 * 2^(16*21)). + * + * The same procedure is then applied for s22,...,s18. + */ + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + + /** + * Time to reduce the coefficient in order not to get an overflow. + */ + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; + s13 += carry12; + s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; + s15 += carry14; + s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; + s17 += carry16; + s16 -= carry16 << 21; + + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; + s14 += carry13; + s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; + s16 += carry15; + s15 -= carry15 << 21; + + /** + * Continue with above procedure. + */ + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + /** + * Reduce coefficients again. + */ + carry0 = (s0 + (1 << 20)) >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + carry1 = (s1 + (1 << 20)) >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry11 = s11 >> 21; + s12 += carry11; + s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + // s0, ..., s11 got 21 bits each. + final byte[] result = new byte[32]; + result[0] = (byte)(s0); + result[1] = (byte)(s0 >> 8); + result[2] = (byte)((s0 >> 16) | (s1 << 5)); + result[3] = (byte)(s1 >> 3); + result[4] = (byte)(s1 >> 11); + result[5] = (byte)((s1 >> 19) | (s2 << 2)); + result[6] = (byte)(s2 >> 6); + result[7] = (byte)((s2 >> 14) | (s3 << 7)); + result[8] = (byte)(s3 >> 1); + result[9] = (byte)(s3 >> 9); + result[10] = (byte)((s3 >> 17) | (s4 << 4)); + result[11] = (byte)(s4 >> 4); + result[12] = (byte)(s4 >> 12); + result[13] = (byte)((s4 >> 20) | (s5 << 1)); + result[14] = (byte)(s5 >> 7); + result[15] = (byte)((s5 >> 15) | (s6 << 6)); + result[16] = (byte)(s6 >> 2); + result[17] = (byte)(s6 >> 10); + result[18] = (byte)((s6 >> 18) | (s7 << 3)); + result[19] = (byte)(s7 >> 5); + result[20] = (byte)(s7 >> 13); + result[21] = (byte)(s8); + result[22] = (byte)(s8 >> 8); + result[23] = (byte)((s8 >> 16) | (s9 << 5)); + result[24] = (byte)(s9 >> 3); + result[25] = (byte)(s9 >> 11); + result[26] = (byte)((s9 >> 19) | (s10 << 2)); + result[27] = (byte)(s10 >> 6); + result[28] = (byte)((s10 >> 14) | (s11 << 7)); + result[29] = (byte)(s11 >> 1); + result[30] = (byte)(s11 >> 9); + result[31] = (byte)(s11 >> 17); + + return new Ed25519EncodedFieldElement(result); + } + + /** + * Multiplies this encoded field element with another and adds a third. + * The result is reduced modulo the group order. + * <br> + * See the comments in the method modQ() for an explanation of the algorithm. + * + * @param b The encoded field element which is multiplied with this. + * @param c The third encoded field element which is added. + * @return The encoded field element (32 bytes). + */ + public Ed25519EncodedFieldElement multiplyAndAddModQ(final Ed25519EncodedFieldElement b, final Ed25519EncodedFieldElement c) { + final long a0 = 0x1FFFFF & threeBytesToLong(this.values, 0); + final long a1 = 0x1FFFFF & (fourBytesToLong(this.values, 2) >> 5); + final long a2 = 0x1FFFFF & (threeBytesToLong(this.values, 5) >> 2); + final long a3 = 0x1FFFFF & (fourBytesToLong(this.values, 7) >> 7); + final long a4 = 0x1FFFFF & (fourBytesToLong(this.values, 10) >> 4); + final long a5 = 0x1FFFFF & (threeBytesToLong(this.values, 13) >> 1); + final long a6 = 0x1FFFFF & (fourBytesToLong(this.values, 15) >> 6); + final long a7 = 0x1FFFFF & (threeBytesToLong(this.values, 18) >> 3); + final long a8 = 0x1FFFFF & threeBytesToLong(this.values, 21); + final long a9 = 0x1FFFFF & (fourBytesToLong(this.values, 23) >> 5); + final long a10 = 0x1FFFFF & (threeBytesToLong(this.values, 26) >> 2); + final long a11 = (fourBytesToLong(this.values, 28) >> 7); + final long b0 = 0x1FFFFF & threeBytesToLong(b.values, 0); + final long b1 = 0x1FFFFF & (fourBytesToLong(b.values, 2) >> 5); + final long b2 = 0x1FFFFF & (threeBytesToLong(b.values, 5) >> 2); + final long b3 = 0x1FFFFF & (fourBytesToLong(b.values, 7) >> 7); + final long b4 = 0x1FFFFF & (fourBytesToLong(b.values, 10) >> 4); + final long b5 = 0x1FFFFF & (threeBytesToLong(b.values, 13) >> 1); + final long b6 = 0x1FFFFF & (fourBytesToLong(b.values, 15) >> 6); + final long b7 = 0x1FFFFF & (threeBytesToLong(b.values, 18) >> 3); + final long b8 = 0x1FFFFF & threeBytesToLong(b.values, 21); + final long b9 = 0x1FFFFF & (fourBytesToLong(b.values, 23) >> 5); + final long b10 = 0x1FFFFF & (threeBytesToLong(b.values, 26) >> 2); + final long b11 = (fourBytesToLong(b.values, 28) >> 7); + final long c0 = 0x1FFFFF & threeBytesToLong(c.values, 0); + final long c1 = 0x1FFFFF & (fourBytesToLong(c.values, 2) >> 5); + final long c2 = 0x1FFFFF & (threeBytesToLong(c.values, 5) >> 2); + final long c3 = 0x1FFFFF & (fourBytesToLong(c.values, 7) >> 7); + final long c4 = 0x1FFFFF & (fourBytesToLong(c.values, 10) >> 4); + final long c5 = 0x1FFFFF & (threeBytesToLong(c.values, 13) >> 1); + final long c6 = 0x1FFFFF & (fourBytesToLong(c.values, 15) >> 6); + final long c7 = 0x1FFFFF & (threeBytesToLong(c.values, 18) >> 3); + final long c8 = 0x1FFFFF & threeBytesToLong(c.values, 21); + final long c9 = 0x1FFFFF & (fourBytesToLong(c.values, 23) >> 5); + final long c10 = 0x1FFFFF & (threeBytesToLong(c.values, 26) >> 2); + final long c11 = (fourBytesToLong(c.values, 28) >> 7); + long s0; + long s1; + long s2; + long s3; + long s4; + long s5; + long s6; + long s7; + long s8; + long s9; + long s10; + long s11; + long s12; + long s13; + long s14; + long s15; + long s16; + long s17; + long s18; + long s19; + long s20; + long s21; + long s22; + long s23; + long carry0; + long carry1; + long carry2; + long carry3; + long carry4; + long carry5; + long carry6; + long carry7; + long carry8; + long carry9; + long carry10; + long carry11; + long carry12; + long carry13; + long carry14; + long carry15; + long carry16; + final long carry17; + final long carry18; + final long carry19; + final long carry20; + final long carry21; + final long carry22; + + s0 = c0 + a0 * b0; + s1 = c1 + a0 * b1 + a1 * b0; + s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0; + s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0; + s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0; + s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0; + s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0; + s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0; + s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0; + s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0; + s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0; + s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0; + s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1; + s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2; + s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3; + s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4; + s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5; + s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6; + s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7; + s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8; + s20 = a9 * b11 + a10 * b10 + a11 * b9; + s21 = a10 * b11 + a11 * b10; + s22 = a11 * b11; + s23 = 0; + + carry0 = (s0 + (1 << 20)) >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; + s13 += carry12; + s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; + s15 += carry14; + s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; + s17 += carry16; + s16 -= carry16 << 21; + carry18 = (s18 + (1 << 20)) >> 21; + s19 += carry18; + s18 -= carry18 << 21; + carry20 = (s20 + (1 << 20)) >> 21; + s21 += carry20; + s20 -= carry20 << 21; + carry22 = (s22 + (1 << 20)) >> 21; + s23 += carry22; + s22 -= carry22 << 21; + + carry1 = (s1 + (1 << 20)) >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; + s14 += carry13; + s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; + s16 += carry15; + s15 -= carry15 << 21; + carry17 = (s17 + (1 << 20)) >> 21; + s18 += carry17; + s17 -= carry17 << 21; + carry19 = (s19 + (1 << 20)) >> 21; + s20 += carry19; + s19 -= carry19 << 21; + carry21 = (s21 + (1 << 20)) >> 21; + s22 += carry21; + s21 -= carry21 << 21; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; + s13 += carry12; + s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; + s15 += carry14; + s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; + s17 += carry16; + s16 -= carry16 << 21; + + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; + s14 += carry13; + s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; + s16 += carry15; + s15 -= carry15 << 21; + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (1 << 20)) >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + carry1 = (s1 + (1 << 20)) >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry11 = s11 >> 21; + s12 += carry11; + s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + final byte[] result = new byte[32]; + result[0] = (byte)(s0); + result[1] = (byte)(s0 >> 8); + result[2] = (byte)((s0 >> 16) | (s1 << 5)); + result[3] = (byte)(s1 >> 3); + result[4] = (byte)(s1 >> 11); + result[5] = (byte)((s1 >> 19) | (s2 << 2)); + result[6] = (byte)(s2 >> 6); + result[7] = (byte)((s2 >> 14) | (s3 << 7)); + result[8] = (byte)(s3 >> 1); + result[9] = (byte)(s3 >> 9); + result[10] = (byte)((s3 >> 17) | (s4 << 4)); + result[11] = (byte)(s4 >> 4); + result[12] = (byte)(s4 >> 12); + result[13] = (byte)((s4 >> 20) | (s5 << 1)); + result[14] = (byte)(s5 >> 7); + result[15] = (byte)((s5 >> 15) | (s6 << 6)); + result[16] = (byte)(s6 >> 2); + result[17] = (byte)(s6 >> 10); + result[18] = (byte)((s6 >> 18) | (s7 << 3)); + result[19] = (byte)(s7 >> 5); + result[20] = (byte)(s7 >> 13); + result[21] = (byte)(s8); + result[22] = (byte)(s8 >> 8); + result[23] = (byte)((s8 >> 16) | (s9 << 5)); + result[24] = (byte)(s9 >> 3); + result[25] = (byte)(s9 >> 11); + result[26] = (byte)((s9 >> 19) | (s10 << 2)); + result[27] = (byte)(s10 >> 6); + result[28] = (byte)((s10 >> 14) | (s11 << 7)); + result[29] = (byte)(s11 >> 1); + result[30] = (byte)(s11 >> 9); + result[31] = (byte)(s11 >> 17); + + return new Ed25519EncodedFieldElement(result); + } + + private static long threeBytesToLong(final byte[] in, int offset) { + int result = in[offset++] & 0xff; + result |= (in[offset++] & 0xff) << 8; + result |= (in[offset] & 0xff) << 16; + return result; + } + + private static long fourBytesToLong(final byte[] in, int offset) { + int result = in[offset++] & 0xff; + result |= (in[offset++] & 0xff) << 8; + result |= (in[offset++] & 0xff) << 16; + result |= in[offset] << 24; + return ((long)result) & 0xffffffffL; + } + + @Override + public int hashCode() { + return Arrays.hashCode(this.values); + } + + @Override + public boolean equals(final Object obj) { + if (!(obj instanceof Ed25519EncodedFieldElement)) { + return false; + } + + final Ed25519EncodedFieldElement encoded = (Ed25519EncodedFieldElement)obj; + return 1 == ArrayUtils.isEqualConstantTime(this.values, encoded.values); + } + + @Override + public String toString() { + return HexEncoder.getString(this.values); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519EncodedGroupElement.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519EncodedGroupElement.java new file mode 100755 index 0000000..b8cb4ec --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519EncodedGroupElement.java @@ -0,0 +1,129 @@ +package org.nem.core.crypto.ed25519.arithmetic; + +import org.nem.core.utils.ArrayUtils; + +import java.util.Arrays; + +public class Ed25519EncodedGroupElement { + + private final byte[] values; + + /** + * Creates a new encoded group element. + * + * @param values The values. + */ + public Ed25519EncodedGroupElement(final byte[] values) { + if (32 != values.length) { + throw new IllegalArgumentException("Invalid encoded group element."); + } + + this.values = values; + } + + /** + * Gets the underlying byte array. + * + * @return The byte array. + */ + public byte[] getRaw() { + return this.values; + } + + /** + * Decodes this encoded group element and returns a new group element in P3 coordinates. + * + * @return The group element. + */ + public Ed25519GroupElement decode() { + final Ed25519FieldElement x = this.getAffineX(); + final Ed25519FieldElement y = this.getAffineY(); + return Ed25519GroupElement.p3(x, y, Ed25519Field.ONE, x.multiply(y)); + } + + /** + * Gets the affine x-coordinate. + * x is recovered in the following way (p = field size): + * <br> + * x = sign(x) * sqrt((y^2 - 1) / (d * y^2 + 1)) = sign(x) * sqrt(u / v) with u = y^2 - 1 and v = d * y^2 + 1. + * Setting β = (u * v^3) * (u * v^7)^((p - 5) / 8) one has β^2 = +-(u / v). + * If v * β = -u multiply β with i=sqrt(-1). + * Set x := β. + * If sign(x) != bit 255 of s then negate x. + * + * @return the affine x-coordinate. + */ + public Ed25519FieldElement getAffineX() { + Ed25519FieldElement x; + final Ed25519FieldElement y; + final Ed25519FieldElement ySquare; + final Ed25519FieldElement u; + final Ed25519FieldElement v; + final Ed25519FieldElement vxSquare; + Ed25519FieldElement checkForZero; + y = this.getAffineY(); + ySquare = y.square(); + + // u = y^2 - 1 + u = ySquare.subtract(Ed25519Field.ONE); + + // v = d * y^2 + 1 + v = ySquare.multiply(Ed25519Field.D).add(Ed25519Field.ONE); + + // x = sqrt(u / v) + x = Ed25519FieldElement.sqrt(u, v); + + vxSquare = x.square().multiply(v); + checkForZero = vxSquare.subtract(u); + if (checkForZero.isNonZero()) { + checkForZero = vxSquare.add(u); + if (checkForZero.isNonZero()) { + throw new IllegalArgumentException("not a valid Ed25519EncodedGroupElement."); + } + + x = x.multiply(Ed25519Field.I); + } + + if ((x.isNegative() ? 1 : 0) != ArrayUtils.getBit(this.values, 255)) { + x = x.negate(); + } + + return x; + } + + /** + * Gets the affine y-coordinate. + * + * @return the affine y-coordinate. + */ + public Ed25519FieldElement getAffineY() { + // The affine y-coordinate is in bits 0 to 254. + // Since the decode() method of Ed25519EncodedFieldElement ignores bit 255, + // we can use that method without problems. + final Ed25519EncodedFieldElement encoded = new Ed25519EncodedFieldElement(this.values); + return encoded.decode(); + } + + @Override + public int hashCode() { + return Arrays.hashCode(this.values); + } + + @Override + public boolean equals(final Object obj) { + if (!(obj instanceof Ed25519EncodedGroupElement)) { + return false; + } + + final Ed25519EncodedGroupElement encoded = (Ed25519EncodedGroupElement)obj; + return 1 == ArrayUtils.isEqualConstantTime(this.values, encoded.values); + } + + @Override + public String toString() { + return String.format( + "x=%s\ny=%s\n", + this.getAffineX().toString(), + this.getAffineY().toString()); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519Field.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519Field.java new file mode 100755 index 0000000..12ac16c --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519Field.java @@ -0,0 +1,43 @@ +package org.nem.core.crypto.ed25519.arithmetic; + +import org.nem.core.utils.*; + +import java.math.BigInteger; + +/** + * Represents the underlying finite field for Ed25519. + * The field has p = 2^255 - 19 elements. + */ +public class Ed25519Field { + + /** + * P: 2^255 - 19 + */ + public static final BigInteger P = new BigInteger(HexEncoder.getBytes("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed")); + public static final Ed25519FieldElement ZERO = getFieldElement(0); + public static final Ed25519FieldElement ONE = getFieldElement(1); + public static final Ed25519FieldElement TWO = getFieldElement(2); + public static final Ed25519FieldElement D = getD(); + public static final Ed25519FieldElement D_Times_TWO = D.multiply(TWO); + public static final byte[] ZERO_SHORT = new byte[32]; + public static final byte[] ZERO_LONG = new byte[64]; + + /** + * I ^ 2 = -1 + */ + public static final Ed25519FieldElement I = new Ed25519EncodedFieldElement(HexEncoder.getBytes( + "b0a00e4a271beec478e42fad0618432fa7d7fb3d99004d2b0bdfc14f8024832b")).decode(); + + private static Ed25519FieldElement getFieldElement(final int value) { + final int[] f = new int[10]; + f[0] = value; + return new Ed25519FieldElement(f); + } + + private static Ed25519FieldElement getD() { + final BigInteger d = new BigInteger("-121665") + .multiply(new BigInteger("121666").modInverse(Ed25519Field.P)) + .mod(Ed25519Field.P); + return new Ed25519EncodedFieldElement(ArrayUtils.toByteArray(d, 32)).decode(); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519FieldElement.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519FieldElement.java new file mode 100755 index 0000000..b611c81 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519FieldElement.java @@ -0,0 +1,1026 @@ +package org.nem.core.crypto.ed25519.arithmetic; + +import java.util.Arrays; + +/** + * Represents a element of the finite field with p=2^255-19 elements. + * <p> + * values[0] ... values[9], represent the integer <br> + * values[0] + 2^26 * values[1] + 2^51 * values[2] + 2^77 * values[3] + 2^102 * values[4] + ... + 2^230 * values[9]. <br> + * Bounds on each values[i] vary depending on context. + * </p> + * This implementation is based on the ref10 implementation of SUPERCOP. + */ +public class Ed25519FieldElement { + private final int[] values; + + /** + * Creates a field element. + * + * @param values The 2^25.5 bit representation of the field element. + */ + public Ed25519FieldElement(final int[] values) { + if (values.length != 10) { + throw new IllegalArgumentException("Invalid 2^25.5 bit representation."); + } + + this.values = values; + } + + /** + * Gets the underlying int array. + * + * @return The int array. + */ + public int[] getRaw() { + return this.values; + } + + /** + * Gets a value indicating whether or not the field element is non-zero. + * + * @return 1 if it is non-zero, 0 otherwise. + */ + public boolean isNonZero() { + return this.encode().isNonZero(); + } + + /** + * Adds the given field element to this and returns the result. + * <b>h = this + g</b> + * <pre> + * Preconditions: + * |this| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * Postconditions: + * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + * </pre> + * + * @param g The field element to add. + * @return The field element this + val. + */ + public Ed25519FieldElement add(final Ed25519FieldElement g) { + final int[] gValues = g.values; + final int[] h = new int[10]; + for (int i = 0; i < 10; i++) { + h[i] = this.values[i] + gValues[i]; + } + + return new Ed25519FieldElement(h); + } + + /** + * Subtract the given field element from this and returns the result. + * <b>h = this - g</b> + * <pre> + * Preconditions: + * |this| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * Postconditions: + * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + * </pre> + * + * @param g The field element to subtract. + * @return The field element this - val. + */ + public Ed25519FieldElement subtract(final Ed25519FieldElement g) { + final int[] gValues = g.values; + final int[] h = new int[10]; + for (int i = 0; i < 10; i++) { + h[i] = this.values[i] - gValues[i]; + } + + return new Ed25519FieldElement(h); + } + + /** + * Negates this field element and return the result. + * <b>h = -this</b> + * <pre> + * Preconditions: + * |this| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * Postconditions: + * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * </pre> + * + * @return The field element (-1) * this. + */ + public Ed25519FieldElement negate() { + final int[] h = new int[10]; + for (int i = 0; i < 10; i++) { + h[i] = -this.values[i]; + } + + return new Ed25519FieldElement(h); + } + + /** + * Multiplies this field element with the given field element and returns the result. + * <b>h = this * g</b> + * Preconditions: + * <pre> + * |this| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * Postconditions: + * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + * </pre> + * Notes on implementation strategy: + * <br> + * Using schoolbook multiplication. Karatsuba would save a little in some + * cost models. + * <br> + * Most multiplications by 2 and 19 are 32-bit precomputations; cheaper than + * 64-bit postcomputations. + * <br> + * There is one remaining multiplication by 19 in the carry chain; one *19 + * precomputation can be merged into this, but the resulting data flow is + * considerably less clean. + * <br> + * There are 12 carries below. 10 of them are 2-way parallelizable and + * vectorizable. Can get away with 11 carries, but then data flow is much + * deeper. + * <br> + * With tighter constraints on inputs can squeeze carries into int32. + * + * @param g The field element to multiply. + * @return The (reasonably reduced) field element this * val. + */ + public Ed25519FieldElement multiply(final Ed25519FieldElement g) { + final int[] gValues = g.values; + final int f0 = this.values[0]; + final int f1 = this.values[1]; + final int f2 = this.values[2]; + final int f3 = this.values[3]; + final int f4 = this.values[4]; + final int f5 = this.values[5]; + final int f6 = this.values[6]; + final int f7 = this.values[7]; + final int f8 = this.values[8]; + final int f9 = this.values[9]; + final int g0 = gValues[0]; + final int g1 = gValues[1]; + final int g2 = gValues[2]; + final int g3 = gValues[3]; + final int g4 = gValues[4]; + final int g5 = gValues[5]; + final int g6 = gValues[6]; + final int g7 = gValues[7]; + final int g8 = gValues[8]; + final int g9 = gValues[9]; + final int g1_19 = 19 * g1; /* 1.959375*2^29 */ + final int g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ + final int g3_19 = 19 * g3; + final int g4_19 = 19 * g4; + final int g5_19 = 19 * g5; + final int g6_19 = 19 * g6; + final int g7_19 = 19 * g7; + final int g8_19 = 19 * g8; + final int g9_19 = 19 * g9; + final int f1_2 = 2 * f1; + final int f3_2 = 2 * f3; + final int f5_2 = 2 * f5; + final int f7_2 = 2 * f7; + final int f9_2 = 2 * f9; + final long f0g0 = f0 * (long)g0; + final long f0g1 = f0 * (long)g1; + final long f0g2 = f0 * (long)g2; + final long f0g3 = f0 * (long)g3; + final long f0g4 = f0 * (long)g4; + final long f0g5 = f0 * (long)g5; + final long f0g6 = f0 * (long)g6; + final long f0g7 = f0 * (long)g7; + final long f0g8 = f0 * (long)g8; + final long f0g9 = f0 * (long)g9; + final long f1g0 = f1 * (long)g0; + final long f1g1_2 = f1_2 * (long)g1; + final long f1g2 = f1 * (long)g2; + final long f1g3_2 = f1_2 * (long)g3; + final long f1g4 = f1 * (long)g4; + final long f1g5_2 = f1_2 * (long)g5; + final long f1g6 = f1 * (long)g6; + final long f1g7_2 = f1_2 * (long)g7; + final long f1g8 = f1 * (long)g8; + final long f1g9_38 = f1_2 * (long)g9_19; + final long f2g0 = f2 * (long)g0; + final long f2g1 = f2 * (long)g1; + final long f2g2 = f2 * (long)g2; + final long f2g3 = f2 * (long)g3; + final long f2g4 = f2 * (long)g4; + final long f2g5 = f2 * (long)g5; + final long f2g6 = f2 * (long)g6; + final long f2g7 = f2 * (long)g7; + final long f2g8_19 = f2 * (long)g8_19; + final long f2g9_19 = f2 * (long)g9_19; + final long f3g0 = f3 * (long)g0; + final long f3g1_2 = f3_2 * (long)g1; + final long f3g2 = f3 * (long)g2; + final long f3g3_2 = f3_2 * (long)g3; + final long f3g4 = f3 * (long)g4; + final long f3g5_2 = f3_2 * (long)g5; + final long f3g6 = f3 * (long)g6; + final long f3g7_38 = f3_2 * (long)g7_19; + final long f3g8_19 = f3 * (long)g8_19; + final long f3g9_38 = f3_2 * (long)g9_19; + final long f4g0 = f4 * (long)g0; + final long f4g1 = f4 * (long)g1; + final long f4g2 = f4 * (long)g2; + final long f4g3 = f4 * (long)g3; + final long f4g4 = f4 * (long)g4; + final long f4g5 = f4 * (long)g5; + final long f4g6_19 = f4 * (long)g6_19; + final long f4g7_19 = f4 * (long)g7_19; + final long f4g8_19 = f4 * (long)g8_19; + final long f4g9_19 = f4 * (long)g9_19; + final long f5g0 = f5 * (long)g0; + final long f5g1_2 = f5_2 * (long)g1; + final long f5g2 = f5 * (long)g2; + final long f5g3_2 = f5_2 * (long)g3; + final long f5g4 = f5 * (long)g4; + final long f5g5_38 = f5_2 * (long)g5_19; + final long f5g6_19 = f5 * (long)g6_19; + final long f5g7_38 = f5_2 * (long)g7_19; + final long f5g8_19 = f5 * (long)g8_19; + final long f5g9_38 = f5_2 * (long)g9_19; + final long f6g0 = f6 * (long)g0; + final long f6g1 = f6 * (long)g1; + final long f6g2 = f6 * (long)g2; + final long f6g3 = f6 * (long)g3; + final long f6g4_19 = f6 * (long)g4_19; + final long f6g5_19 = f6 * (long)g5_19; + final long f6g6_19 = f6 * (long)g6_19; + final long f6g7_19 = f6 * (long)g7_19; + final long f6g8_19 = f6 * (long)g8_19; + final long f6g9_19 = f6 * (long)g9_19; + final long f7g0 = f7 * (long)g0; + final long f7g1_2 = f7_2 * (long)g1; + final long f7g2 = f7 * (long)g2; + final long f7g3_38 = f7_2 * (long)g3_19; + final long f7g4_19 = f7 * (long)g4_19; + final long f7g5_38 = f7_2 * (long)g5_19; + final long f7g6_19 = f7 * (long)g6_19; + final long f7g7_38 = f7_2 * (long)g7_19; + final long f7g8_19 = f7 * (long)g8_19; + final long f7g9_38 = f7_2 * (long)g9_19; + final long f8g0 = f8 * (long)g0; + final long f8g1 = f8 * (long)g1; + final long f8g2_19 = f8 * (long)g2_19; + final long f8g3_19 = f8 * (long)g3_19; + final long f8g4_19 = f8 * (long)g4_19; + final long f8g5_19 = f8 * (long)g5_19; + final long f8g6_19 = f8 * (long)g6_19; + final long f8g7_19 = f8 * (long)g7_19; + final long f8g8_19 = f8 * (long)g8_19; + final long f8g9_19 = f8 * (long)g9_19; + final long f9g0 = f9 * (long)g0; + final long f9g1_38 = f9_2 * (long)g1_19; + final long f9g2_19 = f9 * (long)g2_19; + final long f9g3_38 = f9_2 * (long)g3_19; + final long f9g4_19 = f9 * (long)g4_19; + final long f9g5_38 = f9_2 * (long)g5_19; + final long f9g6_19 = f9 * (long)g6_19; + final long f9g7_38 = f9_2 * (long)g7_19; + final long f9g8_19 = f9 * (long)g8_19; + final long f9g9_38 = f9_2 * (long)g9_19; + + /** + * Remember: 2^255 congruent 19 modulo p. + * h = h0 * 2^0 + h1 * 2^26 + h2 * 2^(26+25) + h3 * 2^(26+25+26) + ... + h9 * 2^(5*26+5*25). + * So to get the real number we would have to multiply the coefficients with the corresponding powers of 2. + * To get an idea what is going on below, look at the calculation of h0: + * h0 is the coefficient to the power 2^0 so it collects (sums) all products that have the power 2^0. + * f0 * g0 really is f0 * 2^0 * g0 * 2^0 = (f0 * g0) * 2^0. + * f1 * g9 really is f1 * 2^26 * g9 * 2^230 = f1 * g9 * 2^256 = 2 * f1 * g9 * 2^255 congruent 2 * 19 * f1 * g9 * 2^0 modulo p. + * f2 * g8 really is f2 * 2^51 * g8 * 2^204 = f2 * g8 * 2^255 congruent 19 * f2 * g8 * 2^0 modulo p. + * and so on... + */ + long h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38; + long h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19; + long h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38; + long h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19; + long h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38; + long h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19; + long h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38; + long h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19; + long h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38; + long h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0; + long carry0; + final long carry1; + final long carry2; + final long carry3; + long carry4; + final long carry5; + final long carry6; + final long carry7; + final long carry8; + final long carry9; + + /** + * |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) + * i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 + * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) + * i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 + */ + + carry0 = (h0 + (long)(1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry4 = (h4 + (long)(1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + /* |h0| <= 2^25 */ + /* |h4| <= 2^25 */ + /* |h1| <= 1.71*2^59 */ + /* |h5| <= 1.71*2^59 */ + + carry1 = (h1 + (long)(1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry5 = (h5 + (long)(1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 << 25; + /* |h1| <= 2^24; from now on fits into int32 */ + /* |h5| <= 2^24; from now on fits into int32 */ + /* |h2| <= 1.41*2^60 */ + /* |h6| <= 1.41*2^60 */ + + carry2 = (h2 + (long)(1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry6 = (h6 + (long)(1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 << 26; + /* |h2| <= 2^25; from now on fits into int32 unchanged */ + /* |h6| <= 2^25; from now on fits into int32 unchanged */ + /* |h3| <= 1.71*2^59 */ + /* |h7| <= 1.71*2^59 */ + + carry3 = (h3 + (long)(1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry7 = (h7 + (long)(1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 << 25; + /* |h3| <= 2^24; from now on fits into int32 unchanged */ + /* |h7| <= 2^24; from now on fits into int32 unchanged */ + /* |h4| <= 1.72*2^34 */ + /* |h8| <= 1.41*2^60 */ + + carry4 = (h4 + (long)(1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry8 = (h8 + (long)(1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 << 26; + /* |h4| <= 2^25; from now on fits into int32 unchanged */ + /* |h8| <= 2^25; from now on fits into int32 unchanged */ + /* |h5| <= 1.01*2^24 */ + /* |h9| <= 1.71*2^59 */ + + carry9 = (h9 + (long)(1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 << 25; + /* |h9| <= 2^24; from now on fits into int32 unchanged */ + /* |h0| <= 1.1*2^39 */ + + carry0 = (h0 + (long)(1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + /* |h0| <= 2^25; from now on fits into int32 unchanged */ + /* |h1| <= 1.01*2^24 */ + + final int[] h = new int[10]; + h[0] = (int)h0; + h[1] = (int)h1; + h[2] = (int)h2; + h[3] = (int)h3; + h[4] = (int)h4; + h[5] = (int)h5; + h[6] = (int)h6; + h[7] = (int)h7; + h[8] = (int)h8; + h[9] = (int)h9; + + return new Ed25519FieldElement(h); + } + + /** + * Squares this field element and returns the result. + * <b>h = this * this</b> + * <pre> + * Preconditions: + * |this| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * Postconditions: + * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + * </pre> + * See multiply for discussion of implementation strategy. + * + * @return The square of this field element. + */ + public Ed25519FieldElement square() { + return this.squareAndOptionalDouble(false); + } + + /** + * Squares this field element, multiplies by two and returns the result. + * <b>h = 2 * this * this</b> + * <pre> + * Preconditions: + * |this| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * Postconditions: + * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + * </pre> + * See multiply for discussion of implementation strategy. + * + * @return The square of this field element times 2. + */ + public Ed25519FieldElement squareAndDouble() { + return this.squareAndOptionalDouble(true); + } + + /** + * Squares this field element, optionally multiplies by two and returns the result. + * <b>h = 2 * this * this</b> if dbl is true or + * <b>h = this * this</b> if dbl is false. + * <pre> + * Preconditions: + * |this| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * Postconditions: + * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + * </pre> + * See multiply for discussion of implementation strategy. + * + * @return The square of this field element times 2. + */ + private Ed25519FieldElement squareAndOptionalDouble(final boolean dbl) { + final int f0 = this.values[0]; + final int f1 = this.values[1]; + final int f2 = this.values[2]; + final int f3 = this.values[3]; + final int f4 = this.values[4]; + final int f5 = this.values[5]; + final int f6 = this.values[6]; + final int f7 = this.values[7]; + final int f8 = this.values[8]; + final int f9 = this.values[9]; + final int f0_2 = 2 * f0; + final int f1_2 = 2 * f1; + final int f2_2 = 2 * f2; + final int f3_2 = 2 * f3; + final int f4_2 = 2 * f4; + final int f5_2 = 2 * f5; + final int f6_2 = 2 * f6; + final int f7_2 = 2 * f7; + final int f5_38 = 38 * f5; /* 1.959375*2^30 */ + final int f6_19 = 19 * f6; /* 1.959375*2^30 */ + final int f7_38 = 38 * f7; /* 1.959375*2^30 */ + final int f8_19 = 19 * f8; /* 1.959375*2^30 */ + final int f9_38 = 38 * f9; /* 1.959375*2^30 */ + final long f0f0 = f0 * (long)f0; + final long f0f1_2 = f0_2 * (long)f1; + final long f0f2_2 = f0_2 * (long)f2; + final long f0f3_2 = f0_2 * (long)f3; + final long f0f4_2 = f0_2 * (long)f4; + final long f0f5_2 = f0_2 * (long)f5; + final long f0f6_2 = f0_2 * (long)f6; + final long f0f7_2 = f0_2 * (long)f7; + final long f0f8_2 = f0_2 * (long)f8; + final long f0f9_2 = f0_2 * (long)f9; + final long f1f1_2 = f1_2 * (long)f1; + final long f1f2_2 = f1_2 * (long)f2; + final long f1f3_4 = f1_2 * (long)f3_2; + final long f1f4_2 = f1_2 * (long)f4; + final long f1f5_4 = f1_2 * (long)f5_2; + final long f1f6_2 = f1_2 * (long)f6; + final long f1f7_4 = f1_2 * (long)f7_2; + final long f1f8_2 = f1_2 * (long)f8; + final long f1f9_76 = f1_2 * (long)f9_38; + final long f2f2 = f2 * (long)f2; + final long f2f3_2 = f2_2 * (long)f3; + final long f2f4_2 = f2_2 * (long)f4; + final long f2f5_2 = f2_2 * (long)f5; + final long f2f6_2 = f2_2 * (long)f6; + final long f2f7_2 = f2_2 * (long)f7; + final long f2f8_38 = f2_2 * (long)f8_19; + final long f2f9_38 = f2 * (long)f9_38; + final long f3f3_2 = f3_2 * (long)f3; + final long f3f4_2 = f3_2 * (long)f4; + final long f3f5_4 = f3_2 * (long)f5_2; + final long f3f6_2 = f3_2 * (long)f6; + final long f3f7_76 = f3_2 * (long)f7_38; + final long f3f8_38 = f3_2 * (long)f8_19; + final long f3f9_76 = f3_2 * (long)f9_38; + final long f4f4 = f4 * (long)f4; + final long f4f5_2 = f4_2 * (long)f5; + final long f4f6_38 = f4_2 * (long)f6_19; + final long f4f7_38 = f4 * (long)f7_38; + final long f4f8_38 = f4_2 * (long)f8_19; + final long f4f9_38 = f4 * (long)f9_38; + final long f5f5_38 = f5 * (long)f5_38; + final long f5f6_38 = f5_2 * (long)f6_19; + final long f5f7_76 = f5_2 * (long)f7_38; + final long f5f8_38 = f5_2 * (long)f8_19; + final long f5f9_76 = f5_2 * (long)f9_38; + final long f6f6_19 = f6 * (long)f6_19; + final long f6f7_38 = f6 * (long)f7_38; + final long f6f8_38 = f6_2 * (long)f8_19; + final long f6f9_38 = f6 * (long)f9_38; + final long f7f7_38 = f7 * (long)f7_38; + final long f7f8_38 = f7_2 * (long)f8_19; + final long f7f9_76 = f7_2 * (long)f9_38; + final long f8f8_19 = f8 * (long)f8_19; + final long f8f9_38 = f8 * (long)f9_38; + final long f9f9_38 = f9 * (long)f9_38; + long h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; + long h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; + long h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; + long h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; + long h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; + long h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; + long h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; + long h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; + long h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; + long h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; + long carry0; + final long carry1; + final long carry2; + final long carry3; + long carry4; + final long carry5; + final long carry6; + final long carry7; + final long carry8; + final long carry9; + + if (dbl) { + h0 += h0; + h1 += h1; + h2 += h2; + h3 += h3; + h4 += h4; + h5 += h5; + h6 += h6; + h7 += h7; + h8 += h8; + h9 += h9; + } + + carry0 = (h0 + (long)(1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry4 = (h4 + (long)(1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + + carry1 = (h1 + (long)(1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry5 = (h5 + (long)(1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 << 25; + + carry2 = (h2 + (long)(1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry6 = (h6 + (long)(1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 << 26; + + carry3 = (h3 + (long)(1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry7 = (h7 + (long)(1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 << 25; + + carry4 = (h4 + (long)(1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry8 = (h8 + (long)(1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 << 26; + + carry9 = (h9 + (long)(1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 << 25; + + carry0 = (h0 + (long)(1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + + final int[] h = new int[10]; + h[0] = (int)h0; + h[1] = (int)h1; + h[2] = (int)h2; + h[3] = (int)h3; + h[4] = (int)h4; + h[5] = (int)h5; + h[6] = (int)h6; + h[7] = (int)h7; + h[8] = (int)h8; + h[9] = (int)h9; + return new Ed25519FieldElement(h); + } + + /** + * Invert this field element and return the result. + * The inverse is found via Fermat's little theorem: + * a^p congruent a mod p and therefore a^(p-2) congruent a^-1 mod p + * + * @return The inverse of this field element. + */ + public Ed25519FieldElement invert() { + Ed25519FieldElement f0, f1; + + // comments describe how exponent is created + + // 2 == 2 * 1 + f0 = this.square(); + + // 9 == 9 + f1 = this.pow2to9(); + + // 11 == 9 + 2 + f0 = f0.multiply(f1); + + // 2^252 - 2^2 + f1 = this.pow2to252sub4(); + + // 2^255 - 2^5 + for (int i = 1; i < 4; ++i) { + f1 = f1.square(); + } + + // 2^255 - 21 + return f1.multiply(f0); + } + + /** + * Computes this field element to the power of (2^9) and returns the result. + * + * @return This field element to the power of (2^9). + */ + private Ed25519FieldElement pow2to9() { + Ed25519FieldElement f; + + // 2 == 2 * 1 + f = this.square(); + + // 4 == 2 * 2 + f = f.square(); + + // 8 == 2 * 4 + f = f.square(); + + // 9 == 1 + 8 + return this.multiply(f); + } + + /** + * Computes this field element to the power of (2^252 - 4) and returns the result. + * This is a helper function for calculating the square root. + * + * @return This field element to the power of (2^252 - 4). + */ + private Ed25519FieldElement pow2to252sub4() { + Ed25519FieldElement f0, f1, f2; + + // 2 == 2 * 1 + f0 = this.square(); + + // 9 + f1 = this.pow2to9(); + + // 11 == 9 + 2 + f0 = f0.multiply(f1); + + // 22 == 2 * 11 + f0 = f0.square(); + + // 31 == 22 + 9 + f0 = f1.multiply(f0); + + // 2^6 - 2^1 + f1 = f0.square(); + + // 2^10 - 2^5 + for (int i = 1; i < 5; ++i) { + f1 = f1.square(); + } + + // 2^10 - 2^0 + f0 = f1.multiply(f0); + + // 2^11 - 2^1 + f1 = f0.square(); + + // 2^20 - 2^10 + for (int i = 1; i < 10; ++i) { + f1 = f1.square(); + } + + // 2^20 - 2^0 + f1 = f1.multiply(f0); + + // 2^21 - 2^1 + f2 = f1.square(); + + // 2^40 - 2^20 + for (int i = 1; i < 20; ++i) { + f2 = f2.square(); + } + + // 2^40 - 2^0 + f1 = f2.multiply(f1); + + // 2^41 - 2^1 + f1 = f1.square(); + + // 2^50 - 2^10 + for (int i = 1; i < 10; ++i) { + f1 = f1.square(); + } + + // 2^50 - 2^0 + f0 = f1.multiply(f0); + + // 2^51 - 2^1 + f1 = f0.square(); + + // 2^100 - 2^50 + for (int i = 1; i < 50; ++i) { + f1 = f1.square(); + } + + // 2^100 - 2^0 + f1 = f1.multiply(f0); + + // 2^101 - 2^1 + f2 = f1.square(); + + // 2^200 - 2^100 + for (int i = 1; i < 100; ++i) { + f2 = f2.square(); + } + + // 2^200 - 2^0 + f1 = f2.multiply(f1); + + // 2^201 - 2^1 + f1 = f1.square(); + + // 2^250 - 2^50 + for (int i = 1; i < 50; ++i) { + f1 = f1.square(); + } + + // 2^250 - 2^0 + f0 = f1.multiply(f0); + + // 2^251 - 2^1 + f0 = f0.square(); + + // 2^252 - 2^2 + return f0.square(); + } + + /** + * Calculates and returns one of the square roots of u / v. + * <pre>{@code + * x = (u * v^3) * (u * v^7)^((p - 5) / 8) ==> x^2 = +-(u / v). + * }</pre> + * Note that this means x can be sqrt(u / v), -sqrt(u / v), +i * sqrt(u / v), -i * sqrt(u / v). + * + * @param u The nominator of the fraction. + * @param v The denominator of the fraction. + * @return The square root of u / v. + */ + public static Ed25519FieldElement sqrt(final Ed25519FieldElement u, final Ed25519FieldElement v) { + Ed25519FieldElement x; + final Ed25519FieldElement v3; + + // v3 = v^3 + v3 = v.square().multiply(v); + + // x = (v3^2) * v * u = u * v^7 + x = v3.square().multiply(v).multiply(u); + + // x = (u * v^7)^((q - 5) / 8) + x = x.pow2to252sub4().multiply(x); // 2^252 - 3 + + // x = u * v^3 * (u * v^7)^((q - 5) / 8) + x = v3.multiply(u).multiply(x); + + return x; + } + + /** + * Reduce this field element modulo field size p = 2^255 - 19 and return the result. + * The idea for the modulo p reduction algorithm is as follows: + * <pre> + * {@code + * Assumption: + * p = 2^255 - 19 + * h = h0 + 2^25 * h1 + 2^(26+25) * h2 + ... + 2^230 * h9 where 0 <= |hi| < 2^27 for all i=0,...,9. + * h congruent r modulo p, i.e. h = r + q * p for some suitable 0 <= r < p and an integer q. + * <br> + * Then q = [2^-255 * (h + 19 * 2^-25 * h9 + 1/2)] where [x] = floor(x). + * <br> + * Proof: + * We begin with some very raw estimation for the bounds of some expressions: + * |h| < 2^230 * 2^30 = 2^260 ==> |r + q * p| < 2^260 ==> |q| < 2^10. + * ==> -1/4 <= a := 19^2 * 2^-255 * q < 1/4. + * |h - 2^230 * h9| = |h0 + ... + 2^204 * h8| < 2^204 * 2^30 = 2^234. + * ==> -1/4 <= b := 19 * 2^-255 * (h - 2^230 * h9) < 1/4 + * Therefore 0 < 1/2 - a - b < 1. + * Set x := r + 19 * 2^-255 * r + 1/2 - a - b then + * 0 <= x < 255 - 20 + 19 + 1 = 2^255 ==> 0 <= 2^-255 * x < 1. Since q is an integer we have + * [q + 2^-255 * x] = q (1) + * Have a closer look at x: + * x = h - q * (2^255 - 19) + 19 * 2^-255 * (h - q * (2^255 - 19)) + 1/2 - 19^2 * 2^-255 * q - 19 * 2^-255 * (h - 2^230 * h9) + * = h - q * 2^255 + 19 * q + 19 * 2^-255 * h - 19 * q + 19^2 * 2^-255 * q + 1/2 - 19^2 * 2^-255 * q - 19 * 2^-255 * h + 19 * 2^-25 * h9 + * = h + 19 * 2^-25 * h9 + 1/2 - q^255. + * Inserting the expression for x into (1) we get the desired expression for q. + * } + * </pre> + * + * @return The mod p reduced field element; + */ + private Ed25519FieldElement modP() { + int h0 = this.values[0]; + int h1 = this.values[1]; + int h2 = this.values[2]; + int h3 = this.values[3]; + int h4 = this.values[4]; + int h5 = this.values[5]; + int h6 = this.values[6]; + int h7 = this.values[7]; + int h8 = this.values[8]; + int h9 = this.values[9]; + int q; + final int carry0; + final int carry1; + final int carry2; + final int carry3; + final int carry4; + final int carry5; + final int carry6; + final int carry7; + final int carry8; + final int carry9; + + // Calculate q + q = (19 * h9 + (1 << 24)) >> 25; + q = (h0 + q) >> 26; + q = (h1 + q) >> 25; + q = (h2 + q) >> 26; + q = (h3 + q) >> 25; + q = (h4 + q) >> 26; + q = (h5 + q) >> 25; + q = (h6 + q) >> 26; + q = (h7 + q) >> 25; + q = (h8 + q) >> 26; + q = (h9 + q) >> 25; + + // r = h - q * p = h - 2^255 * q + 19 * q + // First add 19 * q then discard the bit 255 + h0 += 19 * q; + + carry0 = h0 >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry1 = h1 >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry2 = h2 >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry3 = h3 >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry4 = h4 >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry5 = h5 >> 25; + h6 += carry5; + h5 -= carry5 << 25; + carry6 = h6 >> 26; + h7 += carry6; + h6 -= carry6 << 26; + carry7 = h7 >> 25; + h8 += carry7; + h7 -= carry7 << 25; + carry8 = h8 >> 26; + h9 += carry8; + h8 -= carry8 << 26; + carry9 = h9 >> 25; + h9 -= carry9 << 25; + + final int[] h = new int[10]; + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; + + return new Ed25519FieldElement(h); + } + + /** + * Encodes a given field element in its 32 byte 2^8 bit representation. This is done in two steps. + * Step 1: Reduce the value of the field element modulo p. + * Step 2: Convert the field element to the 32 byte representation. + * + * @return Encoded field element (32 bytes). + */ + public Ed25519EncodedFieldElement encode() { + // Step 1: + final Ed25519FieldElement g = this.modP(); + final int[] gValues = g.getRaw(); + final int h0 = gValues[0]; + final int h1 = gValues[1]; + final int h2 = gValues[2]; + final int h3 = gValues[3]; + final int h4 = gValues[4]; + final int h5 = gValues[5]; + final int h6 = gValues[6]; + final int h7 = gValues[7]; + final int h8 = gValues[8]; + final int h9 = gValues[9]; + + // Step 2: + final byte[] s = new byte[32]; + s[0] = (byte)(h0); + s[1] = (byte)(h0 >> 8); + s[2] = (byte)(h0 >> 16); + s[3] = (byte)((h0 >> 24) | (h1 << 2)); + s[4] = (byte)(h1 >> 6); + s[5] = (byte)(h1 >> 14); + s[6] = (byte)((h1 >> 22) | (h2 << 3)); + s[7] = (byte)(h2 >> 5); + s[8] = (byte)(h2 >> 13); + s[9] = (byte)((h2 >> 21) | (h3 << 5)); + s[10] = (byte)(h3 >> 3); + s[11] = (byte)(h3 >> 11); + s[12] = (byte)((h3 >> 19) | (h4 << 6)); + s[13] = (byte)(h4 >> 2); + s[14] = (byte)(h4 >> 10); + s[15] = (byte)(h4 >> 18); + s[16] = (byte)(h5); + s[17] = (byte)(h5 >> 8); + s[18] = (byte)(h5 >> 16); + s[19] = (byte)((h5 >> 24) | (h6 << 1)); + s[20] = (byte)(h6 >> 7); + s[21] = (byte)(h6 >> 15); + s[22] = (byte)((h6 >> 23) | (h7 << 3)); + s[23] = (byte)(h7 >> 5); + s[24] = (byte)(h7 >> 13); + s[25] = (byte)((h7 >> 21) | (h8 << 4)); + s[26] = (byte)(h8 >> 4); + s[27] = (byte)(h8 >> 12); + s[28] = (byte)((h8 >> 20) | (h9 << 6)); + s[29] = (byte)(h9 >> 2); + s[30] = (byte)(h9 >> 10); + s[31] = (byte)(h9 >> 18); + + return new Ed25519EncodedFieldElement(s); + } + + /** + * Return true if this is in {1,3,5,...,q-2} + * Return false if this is in {0,2,4,...,q-1} + * <pre> + * Preconditions: + * |x| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + * </pre> + * + * @return true if this is in {1,3,5,...,q-2}, false otherwise. + */ + public boolean isNegative() { + return this.encode().isNegative(); + } + + @Override + public int hashCode() { + return Arrays.hashCode(this.values); + } + + @Override + public boolean equals(final Object obj) { + if (!(obj instanceof Ed25519FieldElement)) { + return false; + } + + final Ed25519FieldElement f = (Ed25519FieldElement)obj; + return this.encode().equals(f.encode()); + } + + @Override + public String toString() { + return this.encode().toString(); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519Group.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519Group.java new file mode 100755 index 0000000..ca222e0 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519Group.java @@ -0,0 +1,36 @@ +package org.nem.core.crypto.ed25519.arithmetic; + +import org.nem.core.utils.HexEncoder; + +import java.math.BigInteger; + +/** + * Represents the underlying group for Ed25519. + */ +public class Ed25519Group { + + /** + * 2^252 - 27742317777372353535851937790883648493 + */ + public static final BigInteger GROUP_ORDER = BigInteger.ONE.shiftLeft(252).add(new BigInteger("27742317777372353535851937790883648493")); + + /** + * <pre>{@code + * (x, 4/5); x > 0 + * }</pre> + */ + public static final Ed25519GroupElement BASE_POINT = getBasePoint(); + + // different representations of zero + public static final Ed25519GroupElement ZERO_P3 = Ed25519GroupElement.p3(Ed25519Field.ZERO, Ed25519Field.ONE, Ed25519Field.ONE, Ed25519Field.ZERO); + public static final Ed25519GroupElement ZERO_P2 = Ed25519GroupElement.p2(Ed25519Field.ZERO, Ed25519Field.ONE, Ed25519Field.ONE); + public static final Ed25519GroupElement ZERO_PRECOMPUTED = Ed25519GroupElement.precomputed(Ed25519Field.ONE, Ed25519Field.ONE, Ed25519Field.ZERO); + + private static Ed25519GroupElement getBasePoint() { + final byte[] rawEncodedGroupElement = HexEncoder.getBytes("5866666666666666666666666666666666666666666666666666666666666666"); + final Ed25519GroupElement basePoint = new Ed25519EncodedGroupElement(rawEncodedGroupElement).decode(); + basePoint.precomputeForScalarMultiplication(); + basePoint.precomputeForDoubleScalarMultiplication(); + return basePoint; + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519GroupElement.java b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519GroupElement.java new file mode 100755 index 0000000..19a7d58 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/crypto/ed25519/arithmetic/Ed25519GroupElement.java @@ -0,0 +1,1012 @@ +package org.nem.core.crypto.ed25519.arithmetic; + +import how.monero.hodl.crypto.Scalar; +import how.monero.hodl.jni.CryptoOpsUtil; +import org.nem.core.utils.ByteUtils; + +import java.io.Serializable; +import java.util.*; + +/** + * A point on the ED25519 curve which represents a group element. + * This implementation is based on the ref10 implementation of SUPERCOP. + * <br> + * Literature: + * [1] Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe and Bo-Yin Yang : High-speed high-security signatures + * [2] Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, Ed Dawson: Twisted Edwards Curves Revisited + * [3] Daniel J. Bernsteina, Tanja Lange: A complete set of addition laws for incomplete Edwards curves + * [4] Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange and Christiane Peters: Twisted Edwards Curves + * [5] Christiane Pascale Peters: Curves, Codes, and Cryptography (PhD thesis) + * [6] Daniel J. Bernstein, Peter Birkner, Tanja Lange and Christiane Peters: Optimizing double-base elliptic-curve single-scalar multiplication + */ +public class Ed25519GroupElement implements Serializable { + + private final CoordinateSystem coordinateSystem; + @SuppressWarnings("NonConstantFieldWithUpperCaseName") + private final Ed25519FieldElement X; + @SuppressWarnings("NonConstantFieldWithUpperCaseName") + private final Ed25519FieldElement Y; + @SuppressWarnings("NonConstantFieldWithUpperCaseName") + private final Ed25519FieldElement Z; + @SuppressWarnings("NonConstantFieldWithUpperCaseName") + private final Ed25519FieldElement T; + + /** + * Precomputed table for a single scalar multiplication. + */ + private Ed25519GroupElement[][] precomputedForSingle; + + /** + * Precomputed table for a double scalar multiplication + */ + private Ed25519GroupElement[] precomputedForDouble; + + //region constructors + + /** + * Creates a new group element using the AFFINE coordinate system. + * + * @param x The x coordinate. + * @param y The y coordinate. + * @param Z The Z coordinate. + * @return The group element using the P2 coordinate system. + */ + public static Ed25519GroupElement affine( + final Ed25519FieldElement x, + final Ed25519FieldElement y, + final Ed25519FieldElement Z) { + return new Ed25519GroupElement(CoordinateSystem.AFFINE, x, y, Z, null); + } + + /** + * Creates a new group element using the P2 coordinate system. + * + * @param X The X coordinate. + * @param Y The Y coordinate. + * @param Z The Z coordinate. + * @return The group element using the P2 coordinate system. + */ + public static Ed25519GroupElement p2( + final Ed25519FieldElement X, + final Ed25519FieldElement Y, + final Ed25519FieldElement Z) { + return new Ed25519GroupElement(CoordinateSystem.P2, X, Y, Z, null); + } + + /** + * Creates a new group element using the P3 coordinate system. + * + * @param X The X coordinate. + * @param Y The Y coordinate. + * @param Z The Z coordinate. + * @param T The T coordinate. + * @return The group element using the P3 coordinate system. + */ + public static Ed25519GroupElement p3( + final Ed25519FieldElement X, + final Ed25519FieldElement Y, + final Ed25519FieldElement Z, + final Ed25519FieldElement T) { + return new Ed25519GroupElement(CoordinateSystem.P3, X, Y, Z, T); + } + + /** + * Creates a new group element using the P1xP1 coordinate system. + * + * @param X The X coordinate. + * @param Y The Y coordinate. + * @param Z The Z coordinate. + * @param T The T coordinate. + * @return The group element using the P1xP1 coordinate system. + */ + public static Ed25519GroupElement p1xp1( + final Ed25519FieldElement X, + final Ed25519FieldElement Y, + final Ed25519FieldElement Z, + final Ed25519FieldElement T) { + return new Ed25519GroupElement(CoordinateSystem.P1xP1, X, Y, Z, T); + } + + /** + * Creates a new group element using the PRECOMPUTED coordinate system. + * + * @param yPlusx The y + x value. + * @param yMinusx The y - x value. + * @param xy2d The 2 * d * x * y value. + * @return The group element using the PRECOMPUTED coordinate system. + */ + public static Ed25519GroupElement precomputed( + final Ed25519FieldElement yPlusx, + final Ed25519FieldElement yMinusx, + final Ed25519FieldElement xy2d) { + //noinspection SuspiciousNameCombination + return new Ed25519GroupElement(CoordinateSystem.PRECOMPUTED, yPlusx, yMinusx, xy2d, null); + } + + /** + * Creates a new group element using the CACHED coordinate system. + * + * @param YPlusX The Y + X value. + * @param YMinusX The Y - X value. + * @param Z The Z coordinate. + * @param T2d The 2 * d * T value. + * @return The group element using the CACHED coordinate system. + */ + public static Ed25519GroupElement cached( + final Ed25519FieldElement YPlusX, + final Ed25519FieldElement YMinusX, + final Ed25519FieldElement Z, + final Ed25519FieldElement T2d) { + return new Ed25519GroupElement(CoordinateSystem.CACHED, YPlusX, YMinusX, Z, T2d); + } + + /** + * Creates a group element for a curve. + * + * @param coordinateSystem The coordinate system used for the group element. + * @param X The X coordinate. + * @param Y The Y coordinate. + * @param Z The Z coordinate. + * @param T The T coordinate. + */ + public Ed25519GroupElement( + final CoordinateSystem coordinateSystem, + final Ed25519FieldElement X, + final Ed25519FieldElement Y, + final Ed25519FieldElement Z, + final Ed25519FieldElement T) { + this.coordinateSystem = coordinateSystem; + this.X = X; + this.Y = Y; + this.Z = Z; + this.T = T; + } + + //endregion + + //region accessors + + /** + * Gets the coordinate system for the group element. + * + * @return The coordinate system. + */ + public CoordinateSystem getCoordinateSystem() { + return this.coordinateSystem; + } + + /** + * Gets the X value of the group element. + * This is for most coordinate systems the projective X coordinate. + * + * @return The X value. + */ + public Ed25519FieldElement getX() { + return this.X; + } + + /** + * Gets the Y value of the group element. + * This is for most coordinate systems the projective Y coordinate. + * + * @return The Y value. + */ + public Ed25519FieldElement getY() { + return this.Y; + } + + /** + * Gets the Z value of the group element. + * This is for most coordinate systems the projective Z coordinate. + * + * @return The Z value. + */ + public Ed25519FieldElement getZ() { + return this.Z; + } + + /** + * Gets the T value of the group element. + * This is for most coordinate systems the projective T coordinate. + * + * @return The T value. + */ + public Ed25519FieldElement getT() { + return this.T; + } + + /** + * Gets a value indicating whether or not the group element has a + * precomputed table for double scalar multiplication. + * + * @return true if it has the table, false otherwise. + */ + public boolean isPrecomputedForDoubleScalarMultiplication() { + return null != this.precomputedForDouble; + } + + /** + * Gets the table with the precomputed group elements for single scalar multiplication. + * + * @return The precomputed table. + */ + public Ed25519GroupElement[][] getPrecomputedForSingle() { + return this.precomputedForSingle; + } + + /** + * Gets the table with the precomputed group elements for double scalar multiplication. + * + * @return The precomputed table. + */ + public Ed25519GroupElement[] getPrecomputedForDouble() { + return this.precomputedForDouble; + } + + //endregion + + /** + * Converts the group element to an encoded point on the curve. + * + * @return The encoded point as byte array. + */ + public Ed25519EncodedGroupElement encode() { + switch (this.coordinateSystem) { + case P2: + case P3: + final Ed25519FieldElement inverse = this.Z.invert(); + final Ed25519FieldElement x = this.X.multiply(inverse); + final Ed25519FieldElement y = this.Y.multiply(inverse); + final byte[] s = y.encode().getRaw(); + s[s.length - 1] |= (x.isNegative() ? (byte)0x80 : 0); + + return new Ed25519EncodedGroupElement(s); + default: + return this.toP2().encode(); + } + } + + /** + * Converts the group element to the P2 coordinate system. + * + * @return The group element in the P2 coordinate system. + */ + public Ed25519GroupElement toP2() { + return this.toCoordinateSystem(CoordinateSystem.P2); + } + + /** + * Converts the group element to the P3 coordinate system. + * + * @return The group element in the P3 coordinate system. + */ + public Ed25519GroupElement toP3() { + return this.toCoordinateSystem(CoordinateSystem.P3); + } + + /** + * Converts the group element to the CACHED coordinate system. + * + * @return The group element in the CACHED coordinate system. + */ + public Ed25519GroupElement toCached() { + return this.toCoordinateSystem(CoordinateSystem.CACHED); + } + + /** + * Convert a Ed25519GroupElement from one coordinate system to another. + * <br> + * Supported conversions: + * - P3 -> P2 + * - P3 -> CACHED (1 multiply, 1 add, 1 subtract) + * - P1xP1 -> P2 (3 multiply) + * - P1xP1 -> P3 (4 multiply) + * + * @param newCoordinateSystem The coordinate system to convert to. + * @return A new group element in the new coordinate system. + */ + private Ed25519GroupElement toCoordinateSystem(final CoordinateSystem newCoordinateSystem) { + switch (this.coordinateSystem) { + case P2: + switch (newCoordinateSystem) { + case P2: + return p2(this.X, this.Y, this.Z); + default: + throw new IllegalArgumentException(); + } + case P3: + switch (newCoordinateSystem) { + case P2: + return p2(this.X, this.Y, this.Z); + case P3: + return p3(this.X, this.Y, this.Z, this.T); + case CACHED: + return cached(this.Y.add(this.X), this.Y.subtract(this.X), this.Z, this.T.multiply(Ed25519Field.D_Times_TWO)); + default: + throw new IllegalArgumentException(); + } + case P1xP1: + switch (newCoordinateSystem) { + case P2: + return p2(this.X.multiply(this.T), this.Y.multiply(this.Z), this.Z.multiply(this.T)); + case P3: + return p3(this.X.multiply(this.T), this.Y.multiply(this.Z), this.Z.multiply(this.T), this.X.multiply(this.Y)); + case P1xP1: + return p1xp1(this.X, this.Y, this.Z, this.T); + default: + throw new IllegalArgumentException(); + } + case PRECOMPUTED: + switch (newCoordinateSystem) { + case PRECOMPUTED: + //noinspection SuspiciousNameCombination + return precomputed(this.X, this.Y, this.Z); + default: + throw new IllegalArgumentException(); + } + case CACHED: + switch (newCoordinateSystem) { + case CACHED: + return cached(this.X, this.Y, this.Z, this.T); + default: + throw new IllegalArgumentException(); + } + default: + throw new UnsupportedOperationException(); + } + } + + /** + * Precomputes the group elements needed to speed up a scalar multiplication. + */ + public void precomputeForScalarMultiplication() { + if (null != this.precomputedForSingle) { + return; + } + + Ed25519GroupElement Bi = this; + this.precomputedForSingle = new Ed25519GroupElement[32][8]; + + for (int i = 0; i < 32; i++) { + Ed25519GroupElement Bij = Bi; + for (int j = 0; j < 8; j++) { + final Ed25519FieldElement inverse = Bij.Z.invert(); + final Ed25519FieldElement x = Bij.X.multiply(inverse); + final Ed25519FieldElement y = Bij.Y.multiply(inverse); + this.precomputedForSingle[i][j] = precomputed(y.add(x), y.subtract(x), x.multiply(y).multiply(Ed25519Field.D_Times_TWO)); + Bij = Bij.add(Bi.toCached()).toP3(); + } + // Only every second summand is precomputed (16^2 = 256). + for (int k = 0; k < 8; k++) { + Bi = Bi.add(Bi.toCached()).toP3(); + } + } + } + + /** + * Precomputes the group elements used to speed up a double scalar multiplication. + */ + public void precomputeForDoubleScalarMultiplication() { + if (null != this.precomputedForDouble) { + return; + } + Ed25519GroupElement Bi = this; + this.precomputedForDouble = new Ed25519GroupElement[8]; + for (int i = 0; i < 8; i++) { + final Ed25519FieldElement inverse = Bi.Z.invert(); + final Ed25519FieldElement x = Bi.X.multiply(inverse); + final Ed25519FieldElement y = Bi.Y.multiply(inverse); + this.precomputedForDouble[i] = precomputed(y.add(x), y.subtract(x), x.multiply(y).multiply(Ed25519Field.D_Times_TWO)); + Bi = this.add(this.add(Bi.toCached()).toP3().toCached()).toP3(); + } + } + + /** + * Doubles a given group element p in P^2 or P^3 coordinate system and returns the result in P x P coordinate system. + * r = 2 * p where p = (X : Y : Z) or p = (X : Y : Z : T) + * <br> + * r in P x P coordinate system: + * <br> + * r = ((X' : Z'), (Y' : T')) where + * X' = (X + Y)^2 - (Y^2 + X^2) + * Y' = Y^2 + X^2 + * Z' = y^2 - X^2 + * T' = 2 * Z^2 - (y^2 - X^2) + * <br> + * r converted from P x P to P^2 coordinate system: + * <br> + * r = (X'' : Y'' : Z'') where + * X'' = X' * T' = ((X + Y)^2 - Y^2 - X^2) * (2 * Z^2 - (y^2 - X^2)) + * Y'' = Y' * Z' = (Y^2 + X^2) * (y^2 - X^2) + * Z'' = Z' * T' = (y^2 - X^2) * (2 * Z^2 - (y^2 - X^2)) + * <br> + * Formula for the P^2 coordinate system is in agreement with the formula given in [4] page 12 (with a = -1) + * (up to a common factor -1 which does not matter): + * <br> + * B = (X + Y)^2; C = X^2; D = Y^2; E = -C = -X^2; F := E + D = Y^2 - X^2; H = Z^2; J = F − 2 * H; + * X3 = (B − C − D) · J = X' * (-T'); + * Y3 = F · (E − D) = Z' * (-Y'); + * Z3 = F · J = Z' * (-T'). + * + * @return The doubled group element in the P x P coordinate system. + */ + public Ed25519GroupElement dbl() { + switch (this.coordinateSystem) { + case P2: + case P3: + final Ed25519FieldElement XSquare; + final Ed25519FieldElement YSquare; + final Ed25519FieldElement B; + final Ed25519FieldElement A; + final Ed25519FieldElement ASquare; + final Ed25519FieldElement YSquarePlusXSquare; + final Ed25519FieldElement YSquareMinusXSquare; + XSquare = this.X.square(); + YSquare = this.Y.square(); + B = this.Z.squareAndDouble(); + A = this.X.add(this.Y); + ASquare = A.square(); + YSquarePlusXSquare = YSquare.add(XSquare); + YSquareMinusXSquare = YSquare.subtract(XSquare); + return p1xp1(ASquare.subtract(YSquarePlusXSquare), YSquarePlusXSquare, YSquareMinusXSquare, B.subtract(YSquareMinusXSquare)); + default: + throw new UnsupportedOperationException(); + } + } + + /** + * Ed25519GroupElement addition using the twisted Edwards addition law for extended coordinates. + * this must be given in P^3 coordinate system and g in PRECOMPUTED coordinate system. + * r = this + g where this = (X1 : Y1 : Z1 : T1), g = (g.X, g.Y, g.Z) = (Y2/Z2 + X2/Z2, Y2/Z2 - X2/Z2, 2 * d * X2/Z2 * Y2/Z2) + * <br> + * r in P x P coordinate system: + * <br> + * r = ((X' : Z'), (Y' : T')) where + * X' = (Y1 + X1) * g.X - (Y1 - X1) * q.Y = ((Y1 + X1) * (Y2 + X2) - (Y1 - X1) * (Y2 - X2)) * 1/Z2 + * Y' = (Y1 + X1) * g.X + (Y1 - X1) * q.Y = ((Y1 + X1) * (Y2 + X2) + (Y1 - X1) * (Y2 - X2)) * 1/Z2 + * Z' = 2 * Z1 + T1 * g.Z = 2 * Z1 + T1 * 2 * d * X2 * Y2 * 1/Z2^2 = (2 * Z1 * Z2 + 2 * d * T1 * T2) * 1/Z2 + * T' = 2 * Z1 - T1 * g.Z = 2 * Z1 - T1 * 2 * d * X2 * Y2 * 1/Z2^2 = (2 * Z1 * Z2 - 2 * d * T1 * T2) * 1/Z2 + * <br> + * Formula for the P x P coordinate system is in agreement with the formula given in + * file ge25519.c method add_p1p1() in ref implementation. + * Setting A = (Y1 - X1) * (Y2 - X2), B = (Y1 + X1) * (Y2 + X2), C = 2 * d * T1 * T2, D = 2 * Z1 * Z2 we get + * X' = (B - A) * 1/Z2 + * Y' = (B + A) * 1/Z2 + * Z' = (D + C) * 1/Z2 + * T' = (D - C) * 1/Z2 + * <br> + * r converted from P x P to P^2 coordinate system: + * <br> + * r = (X'' : Y'' : Z'' : T'') where + * X'' = X' * T' = (B - A) * (D - C) * 1/Z2^2 + * Y'' = Y' * Z' = (B + A) * (D + C) * 1/Z2^2 + * Z'' = Z' * T' = (D + C) * (D - C) * 1/Z2^2 + * T'' = X' * Y' = (B - A) * (B + A) * 1/Z2^2 + * <br> + * Formula above for the P^2 coordinate system is in agreement with the formula given in [2] page 6 + * (the common factor 1/Z2^2 does not matter) + * E = B - A, F = D - C, G = D + C, H = B + A + * X3 = E * F = (B - A) * (D - C); + * Y3 = G * H = (D + C) * (B + A); + * Z3 = F * G = (D - C) * (D + C); + * T3 = E * H = (B - A) * (B + A); + * + * @param g The group element to add. + * @return The resulting group element in the P x P coordinate system. + */ + private Ed25519GroupElement precomputedAdd(final Ed25519GroupElement g) { + if (this.coordinateSystem != CoordinateSystem.P3) { + throw new UnsupportedOperationException(); + } + if (g.coordinateSystem != CoordinateSystem.PRECOMPUTED) { + throw new IllegalArgumentException(); + } + + final Ed25519FieldElement YPlusX; + final Ed25519FieldElement YMinusX; + final Ed25519FieldElement A; + final Ed25519FieldElement B; + final Ed25519FieldElement C; + final Ed25519FieldElement D; + YPlusX = this.Y.add(this.X); + YMinusX = this.Y.subtract(this.X); + A = YPlusX.multiply(g.X); + B = YMinusX.multiply(g.Y); + C = g.Z.multiply(this.T); + D = this.Z.add(this.Z); + + return p1xp1(A.subtract(B), A.add(B), D.add(C), D.subtract(C)); + } + + /** + * Ed25519GroupElement subtraction using the twisted Edwards addition law for extended coordinates. + * this must be given in P^3 coordinate system and g in PRECOMPUTED coordinate system. + * r = this - g where this = (X1 : Y1 : Z1 : T1), g = (g.X, g.Y, g.Z) = (Y2/Z2 + X2/Z2, Y2/Z2 - X2/Z2, 2 * d * X2/Z2 * Y2/Z2) + * <br> + * Negating g means negating the value of X2 and T2 (the latter is irrelevant here). + * The formula is in accordance to the above addition. + * + * @param g he group element to subtract. + * @return The result in the P x P coordinate system. + */ + private Ed25519GroupElement precomputedSubtract(final Ed25519GroupElement g) { + if (this.coordinateSystem != CoordinateSystem.P3) { + throw new UnsupportedOperationException(); + } + if (g.coordinateSystem != CoordinateSystem.PRECOMPUTED) { + throw new IllegalArgumentException(); + } + + final Ed25519FieldElement YPlusX; + final Ed25519FieldElement YMinusX; + final Ed25519FieldElement A; + final Ed25519FieldElement B; + final Ed25519FieldElement C; + final Ed25519FieldElement D; + YPlusX = this.Y.add(this.X); + YMinusX = this.Y.subtract(this.X); + A = YPlusX.multiply(g.Y); + B = YMinusX.multiply(g.X); + C = g.Z.multiply(this.T); + D = this.Z.add(this.Z); + + return p1xp1(A.subtract(B), A.add(B), D.subtract(C), D.add(C)); + } + + /** + * Ed25519GroupElement addition using the twisted Edwards addition law for extended coordinates. + * this must be given in P^3 coordinate system and g in CACHED coordinate system. + * r = this + g where this = (X1 : Y1 : Z1 : T1), g = (g.X, g.Y, g.Z, g.T) = (Y2 + X2, Y2 - X2, Z2, 2 * d * T2) + * <br> + * r in P x P coordinate system.: + * X' = (Y1 + X1) * (Y2 + X2) - (Y1 - X1) * (Y2 - X2) + * Y' = (Y1 + X1) * (Y2 + X2) + (Y1 - X1) * (Y2 - X2) + * Z' = 2 * Z1 * Z2 + 2 * d * T1 * T2 + * T' = 2 * Z1 * T2 - 2 * d * T1 * T2 + * <br> + * Setting A = (Y1 - X1) * (Y2 - X2), B = (Y1 + X1) * (Y2 + X2), C = 2 * d * T1 * T2, D = 2 * Z1 * Z2 we get + * X' = (B - A) + * Y' = (B + A) + * Z' = (D + C) + * T' = (D - C) + * <br> + * Same result as in precomputedAdd() (up to a common factor which does not matter). + * + * @param g The group element to add. + * @return The result in the P x P coordinate system. + */ + public Ed25519GroupElement add(final Ed25519GroupElement g) { + if (this.coordinateSystem != CoordinateSystem.P3) { + throw new UnsupportedOperationException(); + } + if (g.coordinateSystem != CoordinateSystem.CACHED) { + throw new IllegalArgumentException(); + } + + final Ed25519FieldElement YPlusX; + final Ed25519FieldElement YMinusX; + final Ed25519FieldElement ZSquare; + final Ed25519FieldElement A; + final Ed25519FieldElement B; + final Ed25519FieldElement C; + final Ed25519FieldElement D; + YPlusX = this.Y.add(this.X); + YMinusX = this.Y.subtract(this.X); + A = YPlusX.multiply(g.X); + B = YMinusX.multiply(g.Y); + C = g.T.multiply(this.T); + ZSquare = this.Z.multiply(g.Z); + D = ZSquare.add(ZSquare); + + return p1xp1(A.subtract(B), A.add(B), D.add(C), D.subtract(C)); + } + + /** + * Ed25519GroupElement subtraction using the twisted Edwards addition law for extended coordinates. + * <br> + * Negating g means negating the value of the coordinate X2 and T2. + * The formula is in accordance to the above addition. + * + * @param g The group element to subtract. + * @return The result in the P x P coordinate system. + */ + public Ed25519GroupElement subtract(final Ed25519GroupElement g) { + if (this.coordinateSystem != CoordinateSystem.P3) { + throw new UnsupportedOperationException(); + } + if (g.coordinateSystem != CoordinateSystem.CACHED) { + throw new IllegalArgumentException(); + } + + final Ed25519FieldElement YPlusX; + final Ed25519FieldElement YMinusX; + final Ed25519FieldElement ZSquare; + final Ed25519FieldElement A; + final Ed25519FieldElement B; + final Ed25519FieldElement C; + final Ed25519FieldElement D; + YPlusX = this.Y.add(this.X); + YMinusX = this.Y.subtract(this.X); + A = YPlusX.multiply(g.Y); + B = YMinusX.multiply(g.X); + C = g.T.multiply(this.T); + ZSquare = this.Z.multiply(g.Z); + D = ZSquare.add(ZSquare); + + return p1xp1(A.subtract(B), A.add(B), D.subtract(C), D.add(C)); + } + + /** + * Negates this group element by subtracting it from the neutral group element. + * (only used in MathUtils so it doesn't have to be fast) + * + * @return The negative of this group element. + */ + public Ed25519GroupElement negate() { + if (this.coordinateSystem != CoordinateSystem.P3) { + throw new UnsupportedOperationException(); + } + + return Ed25519Group.ZERO_P3.subtract(this.toCached()).toP3(); + } + + @Override + public int hashCode() { + return this.encode().hashCode(); + } + + @Override + public boolean equals(final Object obj) { + if (!(obj instanceof Ed25519GroupElement)) { + return false; + } + Ed25519GroupElement ge = (Ed25519GroupElement)obj; + if (!this.coordinateSystem.equals(ge.coordinateSystem)) { + try { + ge = ge.toCoordinateSystem(this.coordinateSystem); + } catch (final Exception e) { + return false; + } + } + switch (this.coordinateSystem) { + case P2: + case P3: + if (this.Z.equals(ge.Z)) { + return this.X.equals(ge.X) && this.Y.equals(ge.Y); + } + + final Ed25519FieldElement x1 = this.X.multiply(ge.Z); + final Ed25519FieldElement y1 = this.Y.multiply(ge.Z); + final Ed25519FieldElement x2 = ge.X.multiply(this.Z); + final Ed25519FieldElement y2 = ge.Y.multiply(this.Z); + + return x1.equals(x2) && y1.equals(y2); + case P1xP1: + return this.toP2().equals(ge); + case PRECOMPUTED: + return this.X.equals(ge.X) && this.Y.equals(ge.Y) && this.Z.equals(ge.Z); + case CACHED: + if (this.Z.equals(ge.Z)) { + return this.X.equals(ge.X) && this.Y.equals(ge.Y) && this.T.equals(ge.T); + } + + final Ed25519FieldElement x3 = this.X.multiply(ge.Z); + final Ed25519FieldElement y3 = this.Y.multiply(ge.Z); + final Ed25519FieldElement t3 = this.T.multiply(ge.Z); + final Ed25519FieldElement x4 = ge.X.multiply(this.Z); + final Ed25519FieldElement y4 = ge.Y.multiply(this.Z); + final Ed25519FieldElement t4 = ge.T.multiply(this.Z); + + return x3.equals(x4) && y3.equals(y4) && t3.equals(t4); + default: + //return false; + throw new RuntimeException("Coordinate system problem"); + } + } + + /** + * Convert a to 2^16 bit representation. + * + * @param encoded The encode field element. + * @return 64 bytes, each between -8 and 7 + */ + private static byte[] toRadix16(final Ed25519EncodedFieldElement encoded) { + final byte[] a = encoded.getRaw(); + final byte[] e = new byte[64]; + int i; + for (i = 0; i < 32; i++) { + e[2 * i] = (byte)(a[i] & 15); + e[2 * i + 1] = (byte)((a[i] >> 4) & 15); + } + /* each e[i] is between 0 and 15 */ + /* e[63] is between 0 and 7 */ + int carry = 0; + for (i = 0; i < 63; i++) { + e[i] += carry; + carry = e[i] + 8; + carry >>= 4; + e[i] -= carry << 4; + } + e[63] += carry; + + return e; + } + + /** + * Constant-time conditional move. + * Replaces this with u if b == 1. + * Replaces this with this if b == 0. + * + * @param u The group element to return if b == 1. + * @param b in {0, 1} + * @return u if b == 1; this if b == 0; null otherwise. + */ + private Ed25519GroupElement cmov(final Ed25519GroupElement u, final int b) { + Ed25519GroupElement ret = null; + for (int i = 0; i < b; i++) { + // Only for b == 1 + ret = u; + } + for (int i = 0; i < 1 - b; i++) { + // Only for b == 0 + ret = this; + } + return ret; + } + + /** + * Look up 16^i r_i B in the precomputed table. + * No secret array indices, no secret branching. + * Constant time. + * <br> + * Must have previously precomputed. + * + * @param pos = i/2 for i in {0, 2, 4,..., 62} + * @param b = r_i + * @return The Ed25519GroupElement + */ + private Ed25519GroupElement select(final int pos, final int b) { + // Is r_i negative? + final int bNegative = ByteUtils.isNegativeConstantTime(b); + // |r_i| + final int bAbs = b - (((-bNegative) & b) << 1); + + // 16^i |r_i| B + final Ed25519GroupElement t = Ed25519Group.ZERO_PRECOMPUTED + .cmov(this.precomputedForSingle[pos][0], ByteUtils.isEqualConstantTime(bAbs, 1)) + .cmov(this.precomputedForSingle[pos][1], ByteUtils.isEqualConstantTime(bAbs, 2)) + .cmov(this.precomputedForSingle[pos][2], ByteUtils.isEqualConstantTime(bAbs, 3)) + .cmov(this.precomputedForSingle[pos][3], ByteUtils.isEqualConstantTime(bAbs, 4)) + .cmov(this.precomputedForSingle[pos][4], ByteUtils.isEqualConstantTime(bAbs, 5)) + .cmov(this.precomputedForSingle[pos][5], ByteUtils.isEqualConstantTime(bAbs, 6)) + .cmov(this.precomputedForSingle[pos][6], ByteUtils.isEqualConstantTime(bAbs, 7)) + .cmov(this.precomputedForSingle[pos][7], ByteUtils.isEqualConstantTime(bAbs, 8)); + // -16^i |r_i| B + //noinspection SuspiciousNameCombination + final Ed25519GroupElement tMinus = precomputed(t.Y, t.X, t.Z.negate()); + // 16^i r_i B + return t.cmov(tMinus, bNegative); + } + + public static int precomps = 0; + public static int scalarMults = 0; + public static int scalarBaseMults = 0; + + public Ed25519GroupElement scalarMultiply(final Ed25519EncodedFieldElement a) { + return scalarMultiply(a, true); + } + /** + * h = a * B where a = a[0]+256*a[1]+...+256^31 a[31] and + * B is this point. If its lookup table has not been precomputed, it + * will be at the start of the method (and cached for later calls). + * Constant time. + * + * @param a The encoded field element. + * @return The resulting group element. + */ + public static String lineRecordingSourceFile = null; + public static boolean enableLineRecording = false; + private static boolean noNativeLibraryAvailable = false; + public static Map<Integer, Integer> lineNumberCallFrequencyMap = new TreeMap<>((a,b)->a.compareTo(b)); + public Ed25519GroupElement scalarMultiply(final Ed25519EncodedFieldElement a, boolean useNativeImplementation) { + + if(enableLineRecording) { + Optional<StackTraceElement> optionalCaller = Arrays.stream(new Exception().getStackTrace()).filter(e -> e.getFileName().equals(lineRecordingSourceFile)).findFirst(); + if (optionalCaller.isPresent()) { + StackTraceElement caller = optionalCaller.get(); + lineNumberCallFrequencyMap.putIfAbsent(caller.getLineNumber(), 0); + lineNumberCallFrequencyMap.computeIfPresent(caller.getLineNumber(), (key, oldValue) -> oldValue + 1); + } + } + + scalarMults++; + + if(this==Ed25519Group.BASE_POINT) scalarBaseMults++; + + try { + if(!noNativeLibraryAvailable && this==Ed25519Group.BASE_POINT) return new Ed25519EncodedGroupElement(CryptoOpsUtil.scalarMultBase(a.getRaw())).decode(); + } + catch (java.lang.UnsatisfiedLinkError e) { + System.err.println("WARNING: No C library available for native Ed25519"); + noNativeLibraryAvailable = true; + } + + + if(precomputedForSingle==null) { + + // there is only a performance advantage to using native code if the element has not been precomputed + if(useNativeImplementation && !noNativeLibraryAvailable) { + try { + return new Ed25519EncodedGroupElement(CryptoOpsUtil.scalarMult(this.encode().getRaw(), a.getRaw())).decode(); + } + catch (java.lang.UnsatisfiedLinkError e) { + System.err.println("WARNING: No C library available for native Ed25519"); + noNativeLibraryAvailable = true; + } + } + + precomps++; + precomputeForScalarMultiplication(); + } + + Ed25519GroupElement g; + int i; + final byte[] e = toRadix16(a); + Ed25519GroupElement h = Ed25519Group.ZERO_P3; + for (i = 1; i < 64; i += 2) { + g = this.select(i / 2, e[i]); + h = h.precomputedAdd(g).toP3(); + } + + h = h.dbl().toP2().dbl().toP2().dbl().toP2().dbl().toP3(); + + for (i = 0; i < 64; i += 2) { + g = this.select(i / 2, e[i]); + h = h.precomputedAdd(g).toP3(); + } + + return h; + } + + public Ed25519GroupElement scalarMultiply(final Ed25519FieldElement a) { + return scalarMultiply(a.encode()); + } + public Ed25519GroupElement scalarMultiply(final byte[] a) { + return scalarMultiply(new Ed25519EncodedFieldElement(a)); + } + public Ed25519GroupElement scalarMultiply(final Scalar a) { + return scalarMultiply(a, true); + } + public Ed25519GroupElement scalarMultiply(final Scalar a, boolean useNativeImplementation) { + return scalarMultiply(new Ed25519EncodedFieldElement(a.bytes), useNativeImplementation); + } + + /** + * Calculates a sliding-windows base 2 representation for a given encoded field element a. + * To learn more about it see [6] page 8. + * <br> + * Output: r which satisfies + * a = r0 * 2^0 + r1 * 2^1 + ... + r255 * 2^255 with ri in {-15, -13, -11, -9, -7, -5, -3, -1, 0, 1, 3, 5, 7, 9, 11, 13, 15} + * <br> + * Method is package private only so that tests run. + * + * @param encoded The encoded field element. + * @return The byte array r in the above described form. + */ + private static byte[] slide(final Ed25519EncodedFieldElement encoded) { + final byte[] a = encoded.getRaw(); + final byte[] r = new byte[256]; + + // Put each bit of 'a' into a separate byte, 0 or 1 + for (int i = 0; i < 256; ++i) { + r[i] = (byte)(1 & (a[i >> 3] >> (i & 7))); + } + + // Note: r[i] will always be odd. + for (int i = 0; i < 256; ++i) { + if (r[i] != 0) { + for (int b = 1; b <= 6 && i + b < 256; ++b) { + // Accumulate bits if possible + if (r[i + b] != 0) { + if (r[i] + (r[i + b] << b) <= 15) { + r[i] += r[i + b] << b; + r[i + b] = 0; + } else if (r[i] - (r[i + b] << b) >= -15) { + r[i] -= r[i + b] << b; + for (int k = i + b; k < 256; ++k) { + if (r[k] == 0) { + r[k] = 1; + break; + } + r[k] = 0; + } + } else { + break; + } + } + } + } + } + + return r; + } + + /** + * r = b * B - a * A where + * a and b are encoded field elements and + * B is this point. + * A must have been previously precomputed for double scalar multiplication. + * + * @param A in P3 coordinate system. + * @param a = The first encoded field element. + * @param b = The second encoded field element. + * @return The resulting group element. + */ + public Ed25519GroupElement doubleScalarMultiplyVariableTime( + final Ed25519GroupElement A, + final Ed25519EncodedFieldElement a, + final Ed25519EncodedFieldElement b) { + final byte[] aSlide = slide(a); + final byte[] bSlide = slide(b); + Ed25519GroupElement r = Ed25519Group.ZERO_P2; + + int i; + for (i = 255; i >= 0; --i) { + if (aSlide[i] != 0 || bSlide[i] != 0) { + break; + } + } + + for (; i >= 0; --i) { + Ed25519GroupElement t = r.dbl(); + + if (aSlide[i] > 0) { + t = t.toP3().precomputedSubtract(A.precomputedForDouble[aSlide[i] / 2]); + } else if (aSlide[i] < 0) { + t = t.toP3().precomputedAdd(A.precomputedForDouble[(-aSlide[i]) / 2]); + } + + if (bSlide[i] > 0) { + t = t.toP3().precomputedAdd(this.precomputedForDouble[bSlide[i] / 2]); + } else if (bSlide[i] < 0) { + t = t.toP3().precomputedSubtract(this.precomputedForDouble[(-bSlide[i]) / 2]); + } + + r = t.toP2(); + } + + return r; + } + + /** + * Verify that the group element satisfies the curve equation. + * + * @return true if the group element satisfies the curve equation, false otherwise. + */ + public boolean satisfiesCurveEquation() { + switch (this.coordinateSystem) { + case P2: + case P3: + final Ed25519FieldElement inverse = this.Z.invert(); + final Ed25519FieldElement x = this.X.multiply(inverse); + final Ed25519FieldElement y = this.Y.multiply(inverse); + final Ed25519FieldElement xSquare = x.square(); + final Ed25519FieldElement ySquare = y.square(); + final Ed25519FieldElement dXSquareYSquare = Ed25519Field.D.multiply(xSquare).multiply(ySquare); + return Ed25519Field.ONE.add(dXSquareYSquare).add(xSquare).equals(ySquare); + + default: + return this.toP2().satisfiesCurveEquation(); + } + } + + @Override + public String toString() { + return String.format( + "X=%s\nY=%s\nZ=%s\nT=%s\n", + this.X.toString(), + this.Y.toString(), + this.Z.toString(), + this.T.toString()); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/AbstractTwoLevelMap.java b/source-code/RuffCT-java/src/org/nem/core/utils/AbstractTwoLevelMap.java new file mode 100755 index 0000000..30fdfea --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/AbstractTwoLevelMap.java @@ -0,0 +1,74 @@ +package org.nem.core.utils; + +import java.util.*; +import java.util.concurrent.ConcurrentHashMap; + +/** + * A two-level map of items. + * <br> + * Items are automatically created on access. + * Item associations are order-dependent. + */ +public abstract class AbstractTwoLevelMap<TKey, TValue> { + private final Map<TKey, Map<TKey, TValue>> impl = new ConcurrentHashMap<>(); + + /** + * Gets the TValue associated with key1 and key2. + * + * @param key1 The first key. + * @param key2 The second key. + * @return The value associated with key and key2. + */ + public TValue getItem(final TKey key1, final TKey key2) { + final Map<TKey, TValue> keyOneValues = this.getItems(key1); + + TValue value = keyOneValues.get(key2); + if (null == value) { + value = this.createValue(); + keyOneValues.put(key2, value); + } + + return value; + } + + /** + * Gets the (TKey, TValue) map associated with key. + * + * @param key The first key. + * @return The map associated with key. + */ + public Map<TKey, TValue> getItems(final TKey key) { + Map<TKey, TValue> keyValues = this.impl.get(key); + if (null == keyValues) { + keyValues = new ConcurrentHashMap<>(); + this.impl.put(key, keyValues); + } + + return keyValues; + } + + /** + * Removes a key from the map. + * + * @param key The key to remove. + */ + public void remove(final TKey key) { + this.impl.remove(key); + } + + /** + * Gets the key set of this map. + * + * @return The key set. + */ + public Set<TKey> keySet() { + return this.impl.keySet(); + } + + /** + * Creates a new blank value. + * + * @return A new value. + */ + protected abstract TValue createValue(); +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/ArrayUtils.java b/source-code/RuffCT-java/src/org/nem/core/utils/ArrayUtils.java new file mode 100755 index 0000000..5e9170c --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/ArrayUtils.java @@ -0,0 +1,156 @@ +package org.nem.core.utils; + +import java.math.BigInteger; + +/** + * Static class that contains a handful of array helper functions. + */ +public class ArrayUtils { + + /** + * Creates duplicate of given array + * + * @param src The array to duplicate. + * @return A copy of the array. + */ + public static byte[] duplicate(final byte[] src) { + final byte[] result = new byte[src.length]; + System.arraycopy(src, 0, result, 0, src.length); + return result; + } + + /** + * Concatenates byte arrays and returns the result. + * + * @param arrays The arrays. + * @return A single array containing all elements in all arrays. + */ + public static byte[] concat(final byte[]... arrays) { + int totalSize = 0; + for (final byte[] array : arrays) { + totalSize += array.length; + } + + int startIndex = 0; + final byte[] result = new byte[totalSize]; + for (final byte[] array : arrays) { + System.arraycopy(array, 0, result, startIndex, array.length); + startIndex += array.length; + } + + return result; + } + + /** + * Splits a single array into two arrays. + * + * @param bytes The input array. + * @param splitIndex The index at which the array should be split. + * @return Two arrays split at the splitIndex. + * The first array will contain the first splitIndex elements. + * The second array will contain all trailing elements. + */ + public static byte[][] split(final byte[] bytes, final int splitIndex) { + if (splitIndex < 0 || bytes.length < splitIndex) { + throw new IllegalArgumentException("split index is out of range"); + } + + final byte[] lhs = new byte[splitIndex]; + final byte[] rhs = new byte[bytes.length - splitIndex]; + + System.arraycopy(bytes, 0, lhs, 0, lhs.length); + System.arraycopy(bytes, splitIndex, rhs, 0, rhs.length); + return new byte[][] { lhs, rhs }; + } + + /** + * Converts a BigInteger to a little endian byte array. + * + * @param value The value to convert. + * @param numBytes The number of bytes in the destination array. + * @return The resulting little endian byte array. + */ + public static byte[] toByteArray(final BigInteger value, final int numBytes) { + final byte[] outputBytes = new byte[numBytes]; + final byte[] bigIntegerBytes = value.toByteArray(); + + int copyStartIndex = (0x00 == bigIntegerBytes[0]) ? 1 : 0; + int numBytesToCopy = bigIntegerBytes.length - copyStartIndex; + if (numBytesToCopy > numBytes) { + copyStartIndex += numBytesToCopy - numBytes; + numBytesToCopy = numBytes; + } + + for (int i = 0; i < numBytesToCopy; ++i) { + outputBytes[i] = bigIntegerBytes[copyStartIndex + numBytesToCopy - i - 1]; + } + + return outputBytes; + } + + /** + * Converts a little endian byte array to a BigInteger. + * + * @param bytes The bytes to convert. + * @return The resulting BigInteger. + */ + public static BigInteger toBigInteger(final byte[] bytes) { + final byte[] bigEndianBytes = new byte[bytes.length + 1]; + for (int i = 0; i < bytes.length; ++i) { + bigEndianBytes[i + 1] = bytes[bytes.length - i - 1]; + } + + return new BigInteger(bigEndianBytes); + } + + /** + * Constant-time byte[] comparison. The constant time behavior eliminates side channel attacks. + * + * @param b An array. + * @param c An array. + * @return 1 if b and c are equal, 0 otherwise. + */ + public static int isEqualConstantTime(final byte[] b, final byte[] c) { + int result = 0; + result |= b.length - c.length; + for (int i = 0; i < b.length; i++) { + result |= b[i] ^ c[i]; + } + + return ByteUtils.isEqualConstantTime(result, 0); + } + + /** + * NON constant-time lexicographical byte[] comparison. + * + * @param b first of arrays to compare. + * @param c second of arrays to compare. + * @return 1, -1, or 0 depending on comparison result. + */ + public static int compare(final byte[] b, final byte[] c) { + int result = b.length - c.length; + if (0 != result) { + return result; + } + + for (int i = 0; i < b.length; i++) { + result = b[i] - c[i]; + if (0 != result) { + return result; + } + } + + return 0; + } + + /** + * Gets the i'th bit of a byte array. + * + * @param h The byte array. + * @param i The bit index. + * @return The value of the i'th bit in h + */ + public static int getBit(final byte[] h, final int i) { + return (h[i >> 3] >> (i & 7)) & 1; + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/Base32Encoder.java b/source-code/RuffCT-java/src/org/nem/core/utils/Base32Encoder.java new file mode 100755 index 0000000..74b33d6 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/Base32Encoder.java @@ -0,0 +1,37 @@ +package org.nem.core.utils; + +import org.apache.commons.codec.binary.Base32; + +/** + * Static class that contains utility functions for converting Base32 strings to and from bytes. + */ +public class Base32Encoder { + + /** + * Converts a string to a byte array. + * + * @param base32String The input Base32 string. + * @return The output byte array. + */ + public static byte[] getBytes(final String base32String) { + final Base32 codec = new Base32(); + final byte[] encodedBytes = StringEncoder.getBytes(base32String); + if (!codec.isInAlphabet(encodedBytes, true)) { + throw new IllegalArgumentException("malformed base32 string passed to getBytes"); + } + + return codec.decode(encodedBytes); + } + + /** + * Converts a byte array to a Base32 string. + * + * @param bytes The input byte array. + * @return The output Base32 string. + */ + public static String getString(final byte[] bytes) { + final Base32 codec = new Base32(); + final byte[] decodedBytes = codec.encode(bytes); + return StringEncoder.getString(decodedBytes); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/Base64Encoder.java b/source-code/RuffCT-java/src/org/nem/core/utils/Base64Encoder.java new file mode 100755 index 0000000..e8aeaf1 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/Base64Encoder.java @@ -0,0 +1,37 @@ +package org.nem.core.utils; + +import org.apache.commons.codec.binary.Base64; + +/** + * Static class that contains utility functions for converting Base64 strings to and from bytes. + */ +public class Base64Encoder { + + /** + * Converts a string to a byte array. + * + * @param base64String The input Base64 string. + * @return The output byte array. + */ + public static byte[] getBytes(final String base64String) { + final Base64 codec = new Base64(); + final byte[] encodedBytes = StringEncoder.getBytes(base64String); + if (!codec.isInAlphabet(encodedBytes, true)) { + throw new IllegalArgumentException("malformed base64 string passed to getBytes"); + } + + return codec.decode(encodedBytes); + } + + /** + * Converts a byte array to a Base64 string. + * + * @param bytes The input byte array. + * @return The output Base64 string. + */ + public static String getString(final byte[] bytes) { + final Base64 codec = new Base64(); + final byte[] decodedBytes = codec.encode(bytes); + return StringEncoder.getString(decodedBytes); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/ByteUtils.java b/source-code/RuffCT-java/src/org/nem/core/utils/ByteUtils.java new file mode 100755 index 0000000..b5087c7 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/ByteUtils.java @@ -0,0 +1,100 @@ +package org.nem.core.utils; + +import java.nio.ByteBuffer; + +public class ByteUtils { + + /** + * Converts an array of 8 bytes into a long. + * + * @param bytes The bytes. + * @return The long. + */ + public static long bytesToLong(final byte[] bytes) { + final ByteBuffer buffer = ByteBuffer.allocate(8); + buffer.put(bytes, 0, 8); + buffer.flip(); + return buffer.getLong(); + } + + /** + * Converts a long value into an array of 8 bytes. + * + * @param x The long. + * @return The bytes. + */ + public static byte[] longToBytes(final long x) { + final ByteBuffer buffer = ByteBuffer.allocate(8); + buffer.putLong(x); + return buffer.array(); + } + + /** + * Converts an array of 4 bytes into a int. + * + * @param bytes The bytes. + * @return The int. + */ + public static int bytesToInt(final byte[] bytes) { + final ByteBuffer buffer = ByteBuffer.allocate(4); + buffer.put(bytes, 0, 4); + buffer.flip(); + return buffer.getInt(); + } + + /** + * Converts an int value into an array of 4 bytes. + * + * @param x The int. + * @return The bytes. + */ + public static byte[] intToBytes(final int x) { + final ByteBuffer buffer = ByteBuffer.allocate(4); + buffer.putInt(x); + return buffer.array(); + } + + /** + * Constant-time byte comparison. The constant time behavior eliminates side channel attacks. + * + * @param b One byte. + * @param c Another byte. + * @return 1 if b and c are equal, 0 otherwise. + */ + public static int isEqualConstantTime(final int b, final int c) { + int result = 0; + final int xor = b ^ c; + for (int i = 0; i < 8; i++) { + result |= xor >> i; + } + + return (result ^ 0x01) & 0x01; + } + + /** + * Constant-time check if byte is negative. The constant time behavior eliminates side channel attacks. + * + * @param b The byte to check. + * @return 1 if the byte is negative, 0 otherwise. + */ + public static int isNegativeConstantTime(final int b) { + return (b >> 8) & 1; + } + + /** + * Creates a human readable representation of an array of bytes. + * + * @param bytes The bytes. + * @return An string representation of the bytes. + */ + public static String toString(final byte[] bytes) { + final StringBuilder builder = new StringBuilder(); + builder.append("{ "); + for (final byte b : bytes) { + builder.append(String.format("%02X ", (byte)(0xFF & b))); + } + + builder.append("}"); + return builder.toString(); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/CircularStack.java b/source-code/RuffCT-java/src/org/nem/core/utils/CircularStack.java new file mode 100755 index 0000000..19ff1b9 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/CircularStack.java @@ -0,0 +1,88 @@ +package org.nem.core.utils; + +import java.util.*; + +/** + * Circular stack is a last in first out buffer with fixed size that replace its oldest element if full. + * The removal order is inverse of insertion order. The iteration order is the same as insertion order. + * <strong>Note that implementation is not synchronized.</strong> + * + * @param <E> Type of elements on the stack. + */ +public class CircularStack<E> implements Iterable<E> { + private final List<E> elements; + private final int limit; + + /** + * Creates circular stack with at most limit elements. + * + * @param limit Maximum number of elements on the stack. + */ + public CircularStack(final int limit) { + this.elements = new ArrayList<>(limit); + this.limit = limit; + } + + /** + * Creates shallow copy in destination. + * + * @param destination CircularStack to which elements should be copied. + */ + public void shallowCopyTo(final CircularStack<E> destination) { + destination.elements.clear(); + destination.pushAll(this); + } + + private void pushAll(final CircularStack<E> rhs) { + int i = 0; + for (final E element : rhs) { + if (i >= rhs.size() - this.limit) { + this.push(element); + } + + ++i; + } + } + + /** + * Adds element to the stack. + * + * @param element Element to be added. + */ + public void push(final E element) { + this.elements.add(element); + if (this.elements.size() > this.limit) { + this.elements.remove(0); + } + } + + /** + * Gets most recently added element. + * + * @return Most recently added element. + */ + public E peek() { + return this.elements.get(this.elements.size() - 1); + } + + /** + * Removes most recently added element. + */ + public void pop() { + this.elements.remove(this.elements.size() - 1); + } + + /** + * Returns size of a stack. + * + * @return Size of a stack (can be smaller than limit). + */ + public int size() { + return this.elements.size(); + } + + @Override + public Iterator<E> iterator() { + return this.elements.iterator(); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/ExceptionUtils.java b/source-code/RuffCT-java/src/org/nem/core/utils/ExceptionUtils.java new file mode 100755 index 0000000..d1dac1a --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/ExceptionUtils.java @@ -0,0 +1,102 @@ +package org.nem.core.utils; + +import java.util.concurrent.*; +import java.util.function.Function; + +/** + * Static class that contains helper functions for dealing with exceptions. + */ +public class ExceptionUtils { + + private ExceptionUtils() { + } + + /** + * Interface that mimics Runnable but can additionally throw checked exceptions. + */ + public interface CheckedRunnable { + + /** + * Executes the runnable. + * + * @throws Exception Any exception. + */ + void call() throws Exception; + } + + /** + * Propagates checked exceptions as a runtime exception. + * + * @param runnable The checked runnable. + */ + public static void propagateVoid(final CheckedRunnable runnable) { + propagateVoid(runnable, RuntimeException::new); + } + + /** + * Propagates checked exceptions as a specific runtime exception. + * + * @param runnable The checked runnable. + * @param wrap A function that wraps an exception in a runtime exception. + * @param <E> The specific exception type. + */ + public static <E extends RuntimeException> void propagateVoid( + final CheckedRunnable runnable, + final Function<Exception, E> wrap) { + propagate(new CheckedRuntimeToCallableAdapter(runnable), wrap); + } + + /** + * Propagates checked exceptions as a runtime exception. + * + * @param callable The function. + * @param <T> The function return type. + * @return The function result. + */ + public static <T> T propagate(final Callable<T> callable) { + return propagate(callable, RuntimeException::new); + } + + /** + * Propagates checked exceptions as a specific runtime exception. + * + * @param callable The function. + * @param wrap A function that wraps an exception in a runtime exception. + * @param <T> The function return type. + * @param <E> The specific exception type. + * @return The function result. + */ + public static <T, E extends RuntimeException> T propagate( + final Callable<T> callable, + final Function<Exception, E> wrap) { + try { + return callable.call(); + } catch (final ExecutionException e) { + if (RuntimeException.class.isAssignableFrom(e.getCause().getClass())) { + throw (RuntimeException)e.getCause(); + } + throw wrap.apply(e); + } catch (final RuntimeException e) { + throw e; + } catch (final InterruptedException e) { + Thread.currentThread().interrupt(); + throw new IllegalStateException(e); + } catch (final Exception e) { + throw wrap.apply(e); + } + } + + private static class CheckedRuntimeToCallableAdapter implements Callable<Void> { + private final CheckedRunnable runnable; + + public CheckedRuntimeToCallableAdapter(final CheckedRunnable runnable) { + this.runnable = runnable; + } + + @Override + public Void call() throws Exception { + this.runnable.call(); + return null; + } + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/FormatUtils.java b/source-code/RuffCT-java/src/org/nem/core/utils/FormatUtils.java new file mode 100755 index 0000000..5fc4383 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/FormatUtils.java @@ -0,0 +1,63 @@ +package org.nem.core.utils; + +import java.text.*; +import java.util.Arrays; + +/** + * Static class containing helper functions for formatting. + */ +public class FormatUtils { + + /** + * Gets a default decimal format that should be used for formatting decimal values. + * + * @return A default decimal format. + */ + public static DecimalFormat getDefaultDecimalFormat() { + final DecimalFormatSymbols decimalFormatSymbols = new DecimalFormatSymbols(); + decimalFormatSymbols.setDecimalSeparator('.'); + final DecimalFormat format = new DecimalFormat("#0.000", decimalFormatSymbols); + format.setGroupingUsed(false); + return format; + } + + /** + * Gets a decimal format that with the desired number of decimal places. + * + * @param decimalPlaces The number of decimal places. + * @return The desired decimal format. + */ + public static DecimalFormat getDecimalFormat(final int decimalPlaces) { + if (decimalPlaces < 0) { + throw new IllegalArgumentException("decimalPlaces must be non-negative"); + } + + final DecimalFormatSymbols decimalFormatSymbols = new DecimalFormatSymbols(); + decimalFormatSymbols.setDecimalSeparator('.'); + final StringBuilder builder = new StringBuilder(); + builder.append("#0"); + + if (decimalPlaces > 0) { + builder.append('.'); + final char[] zeros = new char[decimalPlaces]; + Arrays.fill(zeros, '0'); + builder.append(zeros); + } + + final DecimalFormat format = new DecimalFormat(builder.toString(), decimalFormatSymbols); + format.setGroupingUsed(false); + return format; + } + + /** + * Formats a double value with a given number of decimal places. + * + * @param value The value to format. + * @param decimalPlaces The desired number of decimal places. + * @return The formatted string. + */ + public static String format(final double value, final int decimalPlaces) { + final DecimalFormat formatter = getDecimalFormat(decimalPlaces); + return formatter.format(value); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/HexEncoder.java b/source-code/RuffCT-java/src/org/nem/core/utils/HexEncoder.java new file mode 100755 index 0000000..a8d380e --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/HexEncoder.java @@ -0,0 +1,57 @@ +package org.nem.core.utils; + +import org.apache.commons.codec.DecoderException; +import org.apache.commons.codec.binary.Hex; + +/** + * Static class that contains utility functions for converting hex strings to and from bytes. + */ +public class HexEncoder { + + /** + * Converts a hex string to a byte array. + * + * @param hexString The input hex string. + * @return The output byte array. + */ + public static byte[] getBytes(final String hexString) { + try { + return getBytesInternal(hexString); + } catch (final DecoderException e) { + throw new IllegalArgumentException(e); + } + } + + /** + * Tries to convert a hex string to a byte array. + * + * @param hexString The input hex string. + * @return The output byte array or null if the input string is malformed. + */ + public static byte[] tryGetBytes(final String hexString) { + try { + return getBytesInternal(hexString); + } catch (final DecoderException e) { + return null; + } + } + + private static byte[] getBytesInternal(final String hexString) throws DecoderException { + final Hex codec = new Hex(); + final String paddedHexString = 0 == hexString.length() % 2 ? hexString : "0" + hexString; + final byte[] encodedBytes = StringEncoder.getBytes(paddedHexString); + return codec.decode(encodedBytes); + } + + /** + * Converts a byte array to a hex string. + * + * @param bytes The input byte array. + * @return The output hex string. + */ + public static String getString(final byte[] bytes) { + final Hex codec = new Hex(); + final byte[] decodedBytes = codec.encode(bytes); + return StringEncoder.getString(decodedBytes); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/HttpStatus.java b/source-code/RuffCT-java/src/org/nem/core/utils/HttpStatus.java new file mode 100755 index 0000000..dc48d5c --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/HttpStatus.java @@ -0,0 +1,494 @@ +package org.nem.core.utils; + +/* We don't want to get spring dependancy just to get this... */ + +/* + * Copyright 2002-2014 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Java 5 enumeration of HTTP status codes. + * + * @author Arjen Poutsma + * @author Sebastien Deleuze + * @see <a href="http://www.iana.org/assignments/http-status-codes">HTTP Status Code Registry</a> + * @see <a href="http://en.wikipedia.org/wiki/List_of_HTTP_status_codes">List of HTTP status codes - Wikipedia</a> + */ +public enum HttpStatus { + + // 1xx Informational + + /** + * {@code 100 Continue}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.2.1">HTTP/1.1: Semantics and Content, section 6.2.1</a> + */ + CONTINUE(100, "Continue"), + /** + * {@code 101 Switching Protocols}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.2.2">HTTP/1.1: Semantics and Content, section 6.2.2</a> + */ + SWITCHING_PROTOCOLS(101, "Switching Protocols"), + /** + * {@code 102 Processing}. + * + * @see <a href="http://tools.ietf.org/html/rfc2518#section-10.1">WebDAV</a> + */ + PROCESSING(102, "Processing"), + /** + * {@code 103 Checkpoint}. + * + * @see <a href="http://code.google.com/p/gears/wiki/ResumableHttpRequestsProposal">A proposal for supporting + * resumable POST/PUT HTTP requests in HTTP/1.0</a> + */ + CHECKPOINT(103, "Checkpoint"), + + // 2xx Success + + /** + * {@code 200 OK}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.3.1">HTTP/1.1: Semantics and Content, section 6.3.1</a> + */ + OK(200, "OK"), + /** + * {@code 201 Created}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.3.2">HTTP/1.1: Semantics and Content, section 6.3.2</a> + */ + CREATED(201, "Created"), + /** + * {@code 202 Accepted}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.3.3">HTTP/1.1: Semantics and Content, section 6.3.3</a> + */ + ACCEPTED(202, "Accepted"), + /** + * {@code 203 Non-Authoritative Information}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.3.4">HTTP/1.1: Semantics and Content, section 6.3.4</a> + */ + NON_AUTHORITATIVE_INFORMATION(203, "Non-Authoritative Information"), + /** + * {@code 204 No Content}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.3.5">HTTP/1.1: Semantics and Content, section 6.3.5</a> + */ + NO_CONTENT(204, "No Content"), + /** + * {@code 205 Reset Content}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.3.6">HTTP/1.1: Semantics and Content, section 6.3.6</a> + */ + RESET_CONTENT(205, "Reset Content"), + /** + * {@code 206 Partial Content}. + * + * @see <a href="http://tools.ietf.org/html/rfc7233#section-4.1">HTTP/1.1: Range Requests, section 4.1</a> + */ + PARTIAL_CONTENT(206, "Partial Content"), + /** + * {@code 207 Multi-Status}. + * + * @see <a href="http://tools.ietf.org/html/rfc4918#section-13">WebDAV</a> + */ + MULTI_STATUS(207, "Multi-Status"), + /** + * {@code 208 Already Reported}. + * + * @see <a href="http://tools.ietf.org/html/rfc5842#section-7.1">WebDAV Binding Extensions</a> + */ + ALREADY_REPORTED(208, "Already Reported"), + /** + * {@code 226 IM Used}. + * + * @see <a href="http://tools.ietf.org/html/rfc3229#section-10.4.1">Delta encoding in HTTP</a> + */ + IM_USED(226, "IM Used"), + + // 3xx Redirection + + /** + * {@code 300 Multiple Choices}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.4.1">HTTP/1.1: Semantics and Content, section 6.4.1</a> + */ + MULTIPLE_CHOICES(300, "Multiple Choices"), + /** + * {@code 301 Moved Permanently}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.4.2">HTTP/1.1: Semantics and Content, section 6.4.2</a> + */ + MOVED_PERMANENTLY(301, "Moved Permanently"), + /** + * {@code 302 Found}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.4.3">HTTP/1.1: Semantics and Content, section 6.4.3</a> + */ + FOUND(302, "Found"), + /** + * {@code 302 Moved Temporarily}. + * + * @see <a href="http://tools.ietf.org/html/rfc1945#section-9.3">HTTP/1.0, section 9.3</a> + * @deprecated In favor of {@link #FOUND} which will be returned from {@code HttpStatus.valueOf(302)} + */ + @Deprecated + MOVED_TEMPORARILY(302, "Moved Temporarily"), + /** + * {@code 303 See Other}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.4.4">HTTP/1.1: Semantics and Content, section 6.4.4</a> + */ + SEE_OTHER(303, "See Other"), + /** + * {@code 304 Not Modified}. + * + * @see <a href="http://tools.ietf.org/html/rfc7232#section-4.1">HTTP/1.1: Conditional Requests, section 4.1</a> + */ + NOT_MODIFIED(304, "Not Modified"), + /** + * {@code 305 Use Proxy}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.4.5">HTTP/1.1: Semantics and Content, section 6.4.5</a> + * @deprecated due to security concerns regarding in-band configuration of a proxy + */ + @Deprecated + USE_PROXY(305, "Use Proxy"), + /** + * {@code 307 Temporary Redirect}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.4.7">HTTP/1.1: Semantics and Content, section 6.4.7</a> + */ + TEMPORARY_REDIRECT(307, "Temporary Redirect"), + /** + * {@code 308 Permanent Redirect}. + * + * @see <a href="http://tools.ietf.org/html/rfc7238">RFC 7238</a> + */ + PERMANENT_REDIRECT(308, "Permanent Redirect"), + + // --- 4xx Client Error --- + + /** + * {@code 400 Bad Request}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.1">HTTP/1.1: Semantics and Content, section 6.5.1</a> + */ + BAD_REQUEST(400, "Bad Request"), + /** + * {@code 401 Unauthorized}. + * + * @see <a href="http://tools.ietf.org/html/rfc7235#section-3.1">HTTP/1.1: Authentication, section 3.1</a> + */ + UNAUTHORIZED(401, "Unauthorized"), + /** + * {@code 402 Payment Required}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.2">HTTP/1.1: Semantics and Content, section 6.5.2</a> + */ + PAYMENT_REQUIRED(402, "Payment Required"), + /** + * {@code 403 Forbidden}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.3">HTTP/1.1: Semantics and Content, section 6.5.3</a> + */ + FORBIDDEN(403, "Forbidden"), + /** + * {@code 404 Not Found}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.4">HTTP/1.1: Semantics and Content, section 6.5.4</a> + */ + NOT_FOUND(404, "Not Found"), + /** + * {@code 405 Method Not Allowed}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.5">HTTP/1.1: Semantics and Content, section 6.5.5</a> + */ + METHOD_NOT_ALLOWED(405, "Method Not Allowed"), + /** + * {@code 406 Not Acceptable}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.6">HTTP/1.1: Semantics and Content, section 6.5.6</a> + */ + NOT_ACCEPTABLE(406, "Not Acceptable"), + /** + * {@code 407 Proxy Authentication Required}. + * + * @see <a href="http://tools.ietf.org/html/rfc7235#section-3.2">HTTP/1.1: Authentication, section 3.2</a> + */ + PROXY_AUTHENTICATION_REQUIRED(407, "Proxy Authentication Required"), + /** + * {@code 408 Request Timeout}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.7">HTTP/1.1: Semantics and Content, section 6.5.7</a> + */ + REQUEST_TIMEOUT(408, "Request Timeout"), + /** + * {@code 409 Conflict}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.8">HTTP/1.1: Semantics and Content, section 6.5.8</a> + */ + CONFLICT(409, "Conflict"), + /** + * {@code 410 Gone}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.9">HTTP/1.1: Semantics and Content, section 6.5.9</a> + */ + GONE(410, "Gone"), + /** + * {@code 411 Length Required}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.10">HTTP/1.1: Semantics and Content, section 6.5.10</a> + */ + LENGTH_REQUIRED(411, "Length Required"), + /** + * {@code 412 Precondition failed}. + * + * @see <a href="http://tools.ietf.org/html/rfc7232#section-4.2">HTTP/1.1: Conditional Requests, section 4.2</a> + */ + PRECONDITION_FAILED(412, "Precondition Failed"), + /** + * {@code 413 Payload Too Large}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.11">HTTP/1.1: Semantics and Content, section 6.5.11</a> + * @since 4.1 + */ + PAYLOAD_TOO_LARGE(413, "Payload Too Large"), + /** + * {@code 413 Request Entity Too Large}. + * + * @see <a href="http://tools.ietf.org/html/rfc2616#section-10.4.14">HTTP/1.1, section 10.4.14</a> + * @deprecated In favor of {@link #PAYLOAD_TOO_LARGE} which will be returned from {@code HttpStatus.valueOf(413)} + */ + @Deprecated + REQUEST_ENTITY_TOO_LARGE(413, "Request Entity Too Large"), + /** + * {@code 414 URI Too Long}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.12">HTTP/1.1: Semantics and Content, section 6.5.12</a> + * @since 4.1 + */ + URI_TOO_LONG(414, "URI Too Long"), + /** + * {@code 414 Request-URI Too Long}. + * + * @see <a href="http://tools.ietf.org/html/rfc2616#section-10.4.15">HTTP/1.1, section 10.4.15</a> + * @deprecated In favor of {@link #URI_TOO_LONG} which will be returned from {@code HttpStatus.valueOf(414)} + */ + @Deprecated + REQUEST_URI_TOO_LONG(414, "Request-URI Too Long"), + /** + * {@code 415 Unsupported Media Type}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.13">HTTP/1.1: Semantics and Content, section 6.5.13</a> + */ + UNSUPPORTED_MEDIA_TYPE(415, "Unsupported Media Type"), + /** + * {@code 416 Requested Range Not Satisfiable}. + * + * @see <a href="http://tools.ietf.org/html/rfc7233#section-4.4">HTTP/1.1: Range Requests, section 4.4</a> + */ + REQUESTED_RANGE_NOT_SATISFIABLE(416, "Requested range not satisfiable"), + /** + * {@code 417 Expectation Failed}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.5.14">HTTP/1.1: Semantics and Content, section 6.5.14</a> + */ + EXPECTATION_FAILED(417, "Expectation Failed"), + /** + * {@code 418 I'm a teapot}. + * + * @see <a href="http://tools.ietf.org/html/rfc2324#section-2.3.2">HTCPCP/1.0</a> + */ + I_AM_A_TEAPOT(418, "I'm a teapot"), + /** + * @deprecated See <a href="http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-webdav-protocol-06.txt">WebDAV Draft Changes</a> + */ + @Deprecated + INSUFFICIENT_SPACE_ON_RESOURCE(419, "Insufficient Space On Resource"), + /** + * @deprecated See <a href="http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-webdav-protocol-06.txt">WebDAV Draft Changes</a> + */ + @Deprecated + METHOD_FAILURE(420, "Method Failure"), + /** + * @deprecated See <a href="http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-webdav-protocol-06.txt">WebDAV Draft Changes</a> + */ + @Deprecated + DESTINATION_LOCKED(421, "Destination Locked"), + /** + * {@code 422 Unprocessable Entity}. + * + * @see <a href="http://tools.ietf.org/html/rfc4918#section-11.2">WebDAV</a> + */ + UNPROCESSABLE_ENTITY(422, "Unprocessable Entity"), + /** + * {@code 423 Locked}. + * + * @see <a href="http://tools.ietf.org/html/rfc4918#section-11.3">WebDAV</a> + */ + LOCKED(423, "Locked"), + /** + * {@code 424 Failed Dependency}. + * + * @see <a href="http://tools.ietf.org/html/rfc4918#section-11.4">WebDAV</a> + */ + FAILED_DEPENDENCY(424, "Failed Dependency"), + /** + * {@code 426 Upgrade Required}. + * + * @see <a href="http://tools.ietf.org/html/rfc2817#section-6">Upgrading to TLS Within HTTP/1.1</a> + */ + UPGRADE_REQUIRED(426, "Upgrade Required"), + /** + * {@code 428 Precondition Required}. + * + * @see <a href="http://tools.ietf.org/html/rfc6585#section-3">Additional HTTP Status Codes</a> + */ + PRECONDITION_REQUIRED(428, "Precondition Required"), + /** + * {@code 429 Too Many Requests}. + * + * @see <a href="http://tools.ietf.org/html/rfc6585#section-4">Additional HTTP Status Codes</a> + */ + TOO_MANY_REQUESTS(429, "Too Many Requests"), + /** + * {@code 431 Request Header Fields Too Large}. + * + * @see <a href="http://tools.ietf.org/html/rfc6585#section-5">Additional HTTP Status Codes</a> + */ + REQUEST_HEADER_FIELDS_TOO_LARGE(431, "Request Header Fields Too Large"), + + // --- 5xx Server Error --- + + /** + * {@code 500 Internal Server Error}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.6.1">HTTP/1.1: Semantics and Content, section 6.6.1</a> + */ + INTERNAL_SERVER_ERROR(500, "Internal Server Error"), + /** + * {@code 501 Not Implemented}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.6.2">HTTP/1.1: Semantics and Content, section 6.6.2</a> + */ + NOT_IMPLEMENTED(501, "Not Implemented"), + /** + * {@code 502 Bad Gateway}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.6.3">HTTP/1.1: Semantics and Content, section 6.6.3</a> + */ + BAD_GATEWAY(502, "Bad Gateway"), + /** + * {@code 503 Service Unavailable}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.6.4">HTTP/1.1: Semantics and Content, section 6.6.4</a> + */ + SERVICE_UNAVAILABLE(503, "Service Unavailable"), + /** + * {@code 504 Gateway Timeout}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.6.5">HTTP/1.1: Semantics and Content, section 6.6.5</a> + */ + GATEWAY_TIMEOUT(504, "Gateway Timeout"), + /** + * {@code 505 HTTP Version Not Supported}. + * + * @see <a href="http://tools.ietf.org/html/rfc7231#section-6.6.6">HTTP/1.1: Semantics and Content, section 6.6.6</a> + */ + HTTP_VERSION_NOT_SUPPORTED(505, "HTTP Version not supported"), + /** + * {@code 506 Variant Also Negotiates} + * + * @see <a href="http://tools.ietf.org/html/rfc2295#section-8.1">Transparent Content Negotiation</a> + */ + VARIANT_ALSO_NEGOTIATES(506, "Variant Also Negotiates"), + /** + * {@code 507 Insufficient Storage} + * + * @see <a href="http://tools.ietf.org/html/rfc4918#section-11.5">WebDAV</a> + */ + INSUFFICIENT_STORAGE(507, "Insufficient Storage"), + /** + * {@code 508 Loop Detected} + * + * @see <a href="http://tools.ietf.org/html/rfc5842#section-7.2">WebDAV Binding Extensions</a> + */ + LOOP_DETECTED(508, "Loop Detected"), + /** + * {@code 509 Bandwidth Limit Exceeded} + */ + BANDWIDTH_LIMIT_EXCEEDED(509, "Bandwidth Limit Exceeded"), + /** + * {@code 510 Not Extended} + * + * @see <a href="http://tools.ietf.org/html/rfc2774#section-7">HTTP Extension Framework</a> + */ + NOT_EXTENDED(510, "Not Extended"), + /** + * {@code 511 Network Authentication Required}. + * + * @see <a href="http://tools.ietf.org/html/rfc6585#section-6">Additional HTTP Status Codes</a> + */ + NETWORK_AUTHENTICATION_REQUIRED(511, "Network Authentication Required"); + + private final int value; + + private final String reasonPhrase; + + HttpStatus(final int value, final String reasonPhrase) { + this.value = value; + this.reasonPhrase = reasonPhrase; + } + + /** + * Return the integer value of this status code. + */ + public int value() { + return this.value; + } + + /** + * Return the reason phrase of this status code. + */ + public String getReasonPhrase() { + return this.reasonPhrase; + } + + /** + * Return a string representation of this status code. + */ + @Override + public String toString() { + return Integer.toString(this.value); + } + + /** + * Return the enum constant of this type with the specified numeric value. + * + * @param statusCode the numeric value of the enum to be returned + * @return the enum constant with the specified numeric value + * @throws IllegalArgumentException if this enum has no constant for the specified numeric value + */ + public static HttpStatus valueOf(final int statusCode) { + for (final HttpStatus status : values()) { + if (status.value == statusCode) { + return status; + } + } + throw new IllegalArgumentException("No matching constant for [" + statusCode + "]"); + } +} \ No newline at end of file diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/LockFile.java b/source-code/RuffCT-java/src/org/nem/core/utils/LockFile.java new file mode 100755 index 0000000..941d015 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/LockFile.java @@ -0,0 +1,82 @@ +package org.nem.core.utils; + +import java.io.*; +import java.nio.channels.*; + +/** + * Static class that exposes functions for interacting with lock files. + */ +public class LockFile { + + /** + * Tries to acquire a file lock for the specified file. + * + * @param lockFile The lock file. + * @return A handle to the file lock if acquired, or null otherwise. + */ + public static Closeable tryAcquireLock(final File lockFile) { + FileLockHandle handle = null; + try { + handle = new FileLockHandle(lockFile); + + // try to acquire the lock 5 times + for (int i = 0; i < 5; ++i) { + if (handle.tryLock()) { + return handle; + } + + ExceptionUtils.propagateVoid(() -> Thread.sleep(10)); + } + + return null; + } catch (final IOException | OverlappingFileLockException e) { + return null; + } finally { + if (null != handle && null == handle.lock) { + try { + handle.close(); + } catch (final IOException ignored) { + } + } + } + } + + /** + * Determines whether or not the specified file is locked. + * + * @param lockFile The lock file. + * @return true if the file is locked, false otherwise. + */ + public static boolean isLocked(final File lockFile) { + try (final FileLockHandle handle = new FileLockHandle(lockFile)) { + return !handle.tryLock(); + } catch (final OverlappingFileLockException e) { + return true; + } catch (final IOException e) { + return false; + } + } + + private static class FileLockHandle implements Closeable { + private final RandomAccessFile file; + private FileLock lock; + + public FileLockHandle(final File lockFile) throws IOException { + this.file = new RandomAccessFile(lockFile, "rw"); + } + + private boolean tryLock() throws IOException { + this.lock = this.file.getChannel().tryLock(); + return null != this.lock; + } + + @Override + public void close() throws IOException { + if (null != this.lock) { + this.lock.close(); + } + + this.file.close(); + } + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/MustBe.java b/source-code/RuffCT-java/src/org/nem/core/utils/MustBe.java new file mode 100755 index 0000000..cd5e65d --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/MustBe.java @@ -0,0 +1,118 @@ +package org.nem.core.utils; + +import java.util.Collection; +import java.util.regex.Pattern; + +/** + * Helper class for validating parameters. + */ +public class MustBe { + + /** + * Throws an exception if the specified object is null. + * + * @param obj The object. + * @param name The object name. + */ + public static void notNull(final Object obj, final String name) { + if (null == obj) { + final String message = String.format("%s cannot be null", name); + throw new IllegalArgumentException(message); + } + } + + /** + * Throws an exception if the specified string contains no non-whitespace characters. + * + * @param str The string. + * @param name The string name. + * @param maxLength The max length. + */ + public static void notWhitespace(final String str, final String name, final int maxLength) { + if (StringUtils.isNullOrWhitespace(str) || str.length() > maxLength) { + final String message = String.format("%s cannot be null, empty, or whitespace, or have length greater than %d", name, maxLength); + throw new IllegalArgumentException(message); + } + } + + /** + * Throws an exception if the specified string does not match the pattern, is empty, or longer than the max length. + * + * @param str The string. + * @param name The string name. + * @param pattern The pattern to match. + * @param maxLength The max length. + */ + public static void match(final String str, final String name, final Pattern pattern, final int maxLength) { + if (null == str || str.isEmpty() || str.length() > maxLength || !pattern.matcher(str).matches()) { + final String message = String.format("%s does not match the desired pattern", name); + throw new IllegalArgumentException(message); + } + } + + /** + * Throws an exception if the specified integer value is not in the specified inclusive range. + * + * @param value The integer value. + * @param name The value name. + * @param minInclusive The min allowed value (inclusive). + * @param maxInclusive The max allowed value (inclusive). + */ + public static void inRange(final int value, final String name, final int minInclusive, final int maxInclusive) { + inRange((long)value, name, minInclusive, maxInclusive); + } + + /** + * Throws an exception if the specified long value is not in the specified inclusive range. + * + * @param value The long value. + * @param name The value name. + * @param minInclusive The min allowed value (inclusive). + * @param maxInclusive The max allowed value (inclusive). + */ + public static void inRange(final long value, final String name, final long minInclusive, final long maxInclusive) { + if (value < minInclusive || value > maxInclusive) { + final String message = String.format("%s must be between %d and %d inclusive", name, minInclusive, maxInclusive); + throw new IllegalArgumentException(message); + } + } + + /** + * Throws an exception if the specified collection is not empty. + * + * @param collection The collection. + * @param name The collection name. + */ + public static void empty(final Collection<?> collection, final String name) { + if (!collection.isEmpty()) { + final String message = String.format("%s must be empty", name); + throw new IllegalArgumentException(message); + } + } + + /** + * Throws an exception if the specified value is not true. + * + * @param value The value. + * @param name The value name. + */ + public static void trueValue(final boolean value, final String name) { + if (!value) { + final String message = String.format("%s must be true", name); + throw new IllegalArgumentException(message); + } + } + + /** + * Throws an exception if the specified value is not false. + * + * @param value The value. + * @param name The value name. + */ + public static void falseValue(final boolean value, final String name) { + if (value) { + final String message = String.format("%s must be false", name); + throw new IllegalArgumentException(message); + } + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/SetOnce.java b/source-code/RuffCT-java/src/org/nem/core/utils/SetOnce.java new file mode 100755 index 0000000..7704d02 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/SetOnce.java @@ -0,0 +1,42 @@ +package org.nem.core.utils; + +/** + * Wrapper that allows an object to be set once (or reset and set again). + * + * @param <T> The inner type. + */ +public class SetOnce<T> { + private final T defaultValue; + private T value; + + /** + * Creates a wrapper. + * + * @param defaultValue The default value. + */ + public SetOnce(final T defaultValue) { + this.defaultValue = defaultValue; + } + + /** + * Gets the inner object. + * + * @return The inner object. + */ + public T get() { + return null == this.value ? this.defaultValue : this.value; + } + + /** + * Sets the inner object. + * + * @param value The inner object. + */ + public void set(final T value) { + if (null != this.value && null != value) { + throw new IllegalStateException("cannot change value because it is already set"); + } + + this.value = value; + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/StringEncoder.java b/source-code/RuffCT-java/src/org/nem/core/utils/StringEncoder.java new file mode 100755 index 0000000..25bb127 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/StringEncoder.java @@ -0,0 +1,31 @@ +package org.nem.core.utils; + +import java.nio.charset.Charset; + +/** + * Static class that contains utility functions for converting strings to and from UTF-8 bytes. + */ +public class StringEncoder { + + private static final Charset ENCODING_CHARSET = Charset.forName("UTF-8"); + + /** + * Converts a string to a UTF-8 byte array. + * + * @param s The input string. + * @return The output byte array. + */ + public static byte[] getBytes(final String s) { + return s.getBytes(ENCODING_CHARSET); + } + + /** + * Converts a UTF-8 byte array to a string. + * + * @param bytes The input byte array. + * @return The output string. + */ + public static String getString(final byte[] bytes) { + return new String(bytes, ENCODING_CHARSET); + } +} diff --git a/source-code/RuffCT-java/src/org/nem/core/utils/StringUtils.java b/source-code/RuffCT-java/src/org/nem/core/utils/StringUtils.java new file mode 100755 index 0000000..b721bc7 --- /dev/null +++ b/source-code/RuffCT-java/src/org/nem/core/utils/StringUtils.java @@ -0,0 +1,50 @@ +package org.nem.core.utils; + +/** + * Static class that contains string utility functions. + */ +public class StringUtils { + + /** + * Determines if the specified string is null or empty. + * + * @param str The string. + * @return true if the string is null or empty. + */ + public static boolean isNullOrEmpty(final String str) { + return null == str || str.isEmpty(); + } + + /** + * Determines if the specified string is null or whitespace. + * + * @param str The string. + * @return true if the string is null or whitespace. + */ + public static boolean isNullOrWhitespace(final String str) { + if (isNullOrEmpty(str)) { + return true; + } + + for (int i = 0; i < str.length(); i++) { + if (!Character.isWhitespace(str.charAt(i))) { + return false; + } + } + + return true; + } + + /** + * Replaces a variable contained in a string with a value. A variable is defined as ${variable}. + * This pattern is replaced by the given value. + * + * @param string String that contains variables. + * @param name Name of the variable to be replaced with its value. + * @param value Value that will replace the variable. + * @return string with value replacing the variable with the given name + */ + public static String replaceVariable(final String string, final String name, final String value) { + return string.replace(String.format("${%s}", name), value); + } +} diff --git a/source-code/RuffCT-java/src/test/how/monero/hodl/BootleRuffingBenchmarks.java b/source-code/RuffCT-java/src/test/how/monero/hodl/BootleRuffingBenchmarks.java new file mode 100644 index 0000000..1db643d --- /dev/null +++ b/source-code/RuffCT-java/src/test/how/monero/hodl/BootleRuffingBenchmarks.java @@ -0,0 +1,126 @@ +package test.how.monero.hodl; + +import how.monero.hodl.ringSignature.SpendParams; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +import java.io.File; +import java.io.IOException; +import java.nio.file.Files; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; + +import static how.monero.hodl.ringSignature.BootleRuffing.*; +import static test.how.monero.hodl.BootleRuffingSpendTest.createTestSpendParams; + +public class BootleRuffingBenchmarks { + + public static void spendTest() throws IOException { + + int[] inputsVariants = new int[]{1, 2, 3, 4, 5, 10, 20}; + int[] decompositionExponentVariants = new int[]{2, 3, 4, 5, 6, 7, 8, 9, 10}; + + List<List<String>> sheet = new ArrayList<>(); + List<String> sheetColTitles = new ArrayList<>(); + sheetColTitles.add("Inputs"); + sheetColTitles.add("Base"); + sheetColTitles.add("Exponent"); + sheetColTitles.add("Ring size"); + sheetColTitles.add("Generation time (ms)"); + sheetColTitles.add("Generation scalar mults"); + sheetColTitles.add("Generation G scalar mults"); + sheetColTitles.add("Verification time (ms)"); + sheetColTitles.add("Verification scalar mults"); + sheetColTitles.add("Verification G scalar mults"); + sheetColTitles.add("Signature length excl. vins (bytes)"); + sheetColTitles.add("MLSAG equiv. length excl. vins (bytes)"); + sheet.add(sheetColTitles); + + int testIterations = 1; + int decompositionBase = 2; + + for(int inputs : inputsVariants) { + for(int decompositionExponent : decompositionExponentVariants) { + + System.out.println("******* inputs: " + inputs + ", decompositionExponent: " + decompositionExponent); + + long startMs = new Date().getTime(); + SpendParams[] sp = new SpendParams[testIterations]; + for (int i=0; i<testIterations; i++) sp[i] = createTestSpendParams(decompositionBase, decompositionExponent, inputs); + long spendParamsGenerationDuration = (new Date().getTime()-startMs); + System.out.println("Spend params generation duration: " + spendParamsGenerationDuration + " ms"); + + startMs = new Date().getTime(); + // create a transaction to spend the outputs, resulting in a signature that proves the authority to send them + SpendSignature[] spendSignature = new SpendSignature[testIterations]; + for (int i=0; i<testIterations; i++) { + Ed25519GroupElement.scalarMults = 0; + Ed25519GroupElement.scalarBaseMults = 0; + spendSignature[i] = SPEND(sp[i]); + } + int spendScalarMults = Ed25519GroupElement.scalarMults; + int spendScalarBaseMults = Ed25519GroupElement.scalarBaseMults; + + long spendSignatureGenerationDuration = (new Date().getTime()-startMs); + System.out.println("Spend signature generation duration: " + spendSignatureGenerationDuration + " ms"); + + byte[][] spendSignatureBytes = new byte[testIterations][]; + spendSignatureBytes[0] = spendSignature[0].toBytes(); + System.out.println("Spend Signature length (bytes):" + spendSignatureBytes[0].length); + + startMs = new Date().getTime(); + + // verify the spend transaction + for (int i=0; i<testIterations; i++) { + Ed25519GroupElement.scalarMults = 0; + Ed25519GroupElement.scalarBaseMults = 0; + boolean verified = VER(sp[i].ki, sp[i].pk, sp[i].co, spendSignature[i].co1, sp[i].M, spendSignature[i]); + System.out.println("verified: " + verified); + } + int verifyScalarMults = Ed25519GroupElement.scalarMults; + int verifyScalarBaseMults = Ed25519GroupElement.scalarBaseMults; + + + long spendSignatureVerificationDuration = (new Date().getTime()-startMs); + System.out.println("Signature verification duration: " + spendSignatureVerificationDuration + " ms"); + + + List<String> sheetCols = new ArrayList<>(); + sheetCols.add(inputs+""); + sheetCols.add(decompositionBase+""); + sheetCols.add(decompositionExponent+""); + sheetCols.add(((int)Math.pow(decompositionBase, decompositionExponent))+""); + sheetCols.add((spendSignatureGenerationDuration/testIterations)+""); + sheetCols.add((spendScalarMults)+""); + sheetCols.add((spendScalarBaseMults)+""); + sheetCols.add((spendSignatureVerificationDuration/testIterations)+""); + sheetCols.add((verifyScalarMults)+""); + sheetCols.add((verifyScalarBaseMults)+""); + sheetCols.add((spendSignatureBytes[0].length)+""); + sheetCols.add((inputs * (32 + 64 * ((int) Math.pow(decompositionBase, decompositionExponent))))+""); + sheet.add(sheetCols); + + } + } + + String csv = ""; + for(List<String> row : sheet) { + for(int i=0; i<row.size(); i++) { + csv+=row.get(i); + if(i!=(row.size()-1)) csv+=","; + else csv+="\n"; + } + } + System.out.println(csv); + Files.write(new File(System.getProperty("user.home"), "bootleruffing-benchmarks.csv").toPath(), csv.getBytes()); + + } + + + public static void main(String[] args) throws Exception { + long startTime = new Date().getTime(); + spendTest(); + System.out.println("\nTotal duration: " + (new Date().getTime()-startTime) + " ms"); + } + +} diff --git a/source-code/RuffCT-java/src/test/how/monero/hodl/BootleRuffingSpendTest.java b/source-code/RuffCT-java/src/test/how/monero/hodl/BootleRuffingSpendTest.java new file mode 100644 index 0000000..d2ff27f --- /dev/null +++ b/source-code/RuffCT-java/src/test/how/monero/hodl/BootleRuffingSpendTest.java @@ -0,0 +1,168 @@ +package test.how.monero.hodl; + +import how.monero.hodl.crypto.PointPair; +import how.monero.hodl.crypto.Scalar; +import how.monero.hodl.ringSignature.SpendParams; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +import java.math.BigInteger; +import java.util.Arrays; +import java.util.Date; +import java.util.HashMap; + +import static how.monero.hodl.crypto.CryptoUtil.*; +import static how.monero.hodl.ringSignature.BootleRuffing.*; + +public class BootleRuffingSpendTest { + + public static SpendParams createTestSpendParams(int decompositionBase, int decompositionExponent, int inputs) { + + // ring size must be a power of the decomposition base + int ringSize = (int) Math.pow(decompositionBase, decompositionExponent); + + SpendParams sp = new SpendParams(); + + sp.decompositionBase = decompositionBase; + sp.decompositionExponent = decompositionExponent; + + // The owned inputs that are going to be spent + Output[] realInputs = new Output[inputs]; + for(int i=0; i<inputs; i++) realInputs[i] = Output.genRandomOutput(BigInteger.valueOf((long)(Math.random()*1000+1000))); + + // The new outputs to be created (typically one for the recipient one for change) + BigInteger fee = BigInteger.valueOf(0); //keep fee as zero for now, to avoid overcomplicating things + Output[] outputs = new Output[2]; + outputs[0] = Output.genRandomOutput(realInputs[0].amount.divide(BigInteger.valueOf(2))); + outputs[1] = Output.genRandomOutput(BigInteger.valueOf(Arrays.stream(realInputs).mapToLong(i->i.amount.longValue()).sum()).subtract(fee).subtract(outputs[0].amount)); + + sp.iAsterisk = (int) Math.floor(Math.random()*ringSize); // the ring index of the sender's owned inputs + + // input commitments + // commitments to the amounts of all inputs referenced in the transaction (real inputs and decoys) + Ed25519GroupElement[][] inputCommitments = new Ed25519GroupElement[inputs][ringSize]; + for(int j=0; j<inputs; j++) { + for(int i=0; i<ringSize; i++) { + if(i==sp.iAsterisk) inputCommitments[j][i] = realInputs[j].co; + else inputCommitments[j][i] = randomPoint(); + } + } + + // there is a co commitment for each ring + // each member of co is sum(COMp(input amt i)) - sum(COMp(output amt i)) + sp.co = new Ed25519GroupElement[ringSize]; + for(int i=0; i<ringSize; i++) { + sp.co[i] = inputCommitments[0][i]; + for(int j=1; j<inputs; j++) { + sp.co[i] = sp.co[i].toP3().add(inputCommitments[j][i].toP3().toCached()); + } + for(int k=0; k<outputs.length; k++) { + sp.co[i] = sp.co[i].toP3().subtract(outputs[k].co.toP3().toCached()); + } + } + + // the public keys for every input referenced (including real inputs and decoys) + sp.pk = new PointPair[inputs][ringSize]; + + // the secret key for every real input referenced + sp.sk = new SK[inputs]; + + // the key image for every real input referenced + sp.ki = new Ed25519GroupElement[inputs]; + + for(int j=0; j<inputs; j++) { + for(int i=0; i<ringSize; i++) { + sp.pk[j][i] = (i==sp.iAsterisk) ? realInputs[j].pk : KEYGEN().pk; + } + sp.sk[j] = realInputs[j].sk; + sp.ki[j] = realInputs[j].ki; + } + + // the message being signed is a hash of the transaction, as defined in the C codebase as get_pre_mlsag_hash + sp.M = fastHash(randomMessage(100)); + + sp.s = Scalar.ZERO; + for(int i=0; i<realInputs.length; i++) sp.s = sp.s.add(realInputs[i].mask); + for(int i=0; i<outputs.length; i++) sp.s = sp.s.sub(outputs[i].mask); + + Ed25519GroupElement S = realInputs[0].co; + for(int i=1; i<realInputs.length; i++) S = S.toP3().add(realInputs[i].co.toP3().toCached()); + S = S.toP3().subtract(G.scalarMultiply(new Scalar(fee)).toP3().toCached()); + for(int i=0; i<outputs.length; i++) S = S.toP3().subtract(outputs[i].co.toP3().toCached()); + + Ed25519GroupElement S1 = getHpnGLookup(1).scalarMultiply(sp.s); + + if(!S.toP3().equals(S1)) throw new RuntimeException("S != S'"); + + return sp; + } + + public static void spendTest() { + + boolean pauseAtEachStage = false; + int testIterations = 1; + int decompositionBase = 2; + int decompositionExponent = 8; + int inputs = 2; + + System.out.println("Ring size: " + Math.pow(decompositionBase, decompositionExponent)); + System.out.println("Inputs: " + inputs); + + long startMs = new Date().getTime(); + SpendParams[] sp = new SpendParams[testIterations]; + for (int i=0; i<testIterations; i++) sp[i] = createTestSpendParams(decompositionBase, decompositionExponent, inputs); + System.out.println("Spend params generation duration: " + (new Date().getTime()-startMs) + " ms"); + + if(pauseAtEachStage) { System.out.println("Press enter to continue"); try { System.in.read(); } catch (Exception e) {}; System.out.println("Continuing..."); } + + Ed25519GroupElement.scalarMults = 0; + Ed25519GroupElement.scalarBaseMults = 0; + + startMs = new Date().getTime(); + // create a transaction to spend the outputs, resulting in a signature that proves the authority to send them + SpendSignature[] spendSignature = new SpendSignature[testIterations]; + for (int i=0; i<testIterations; i++) spendSignature[i] = SPEND(sp[i]); + + System.out.println("Spend signature generation duration: " + (new Date().getTime()-startMs) + " ms"); + + byte[][] spendSignatureBytes = new byte[testIterations][]; + for (int i=0; i<testIterations; i++) { + spendSignatureBytes[i] = spendSignature[i].toBytes(); + System.out.println("Spend Signature length (bytes):" + spendSignatureBytes[i].length); + } + + if(pauseAtEachStage) { System.out.println("Press enter to continue"); try { System.in.read(); } catch (Exception e) {}; System.out.println("Continuing..."); } + startMs = new Date().getTime(); + + System.out.println("Spend ScalarMults: " + Ed25519GroupElement.scalarMults); + System.out.println("Spend BaseScalarMults: " + Ed25519GroupElement.scalarBaseMults); + Ed25519GroupElement.scalarMults = 0; + Ed25519GroupElement.scalarBaseMults = 0; + + //Ed25519GroupElement.enableLineRecording = true; + Ed25519GroupElement.lineRecordingSourceFile = "BootleRuffing.java"; + + // verify the spend transaction + for (int i=0; i<testIterations; i++) { + + spendSignature[i] = SpendSignature.fromBytes(spendSignatureBytes[i]); + + boolean verified = VER(sp[i].ki, sp[i].pk, sp[i].co, spendSignature[i].co1, sp[i].M, spendSignature[i]); + System.out.println("verified: " + verified); + } + + System.out.println("Verify ScalarMults: " + Ed25519GroupElement.scalarMults); + System.out.println("Verify BaseScalarMults: " + Ed25519GroupElement.scalarBaseMults); + + System.out.println("Signature verification duration: " + (new Date().getTime()-startMs) + " ms"); + + if(Ed25519GroupElement.enableLineRecording) Ed25519GroupElement.lineNumberCallFrequencyMap.entrySet().stream().forEach(e->{System.out.println("line: " + e.getKey() + ", calls: " + e.getValue());}); + + } + + public static void main(String[] args) { + long startTime = new Date().getTime(); + spendTest(); + System.out.println("Total duration: " + (new Date().getTime()-startTime) + " ms"); + } + +} diff --git a/source-code/RuffCT-java/src/test/how/monero/hodl/Prove1Valid1Test1.java b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove1Valid1Test1.java new file mode 100644 index 0000000..9427c18 --- /dev/null +++ b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove1Valid1Test1.java @@ -0,0 +1,29 @@ +package test.how.monero.hodl; + +import how.monero.hodl.crypto.Scalar; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +import static how.monero.hodl.crypto.CryptoUtil.COMb; +import static how.monero.hodl.ringSignature.BootleRuffing.*; + +public class Prove1Valid1Test1 { + + public static void main(String[] args) { + + Scalar[][] b = new Scalar[][] { + new Scalar[]{Scalar.ONE, Scalar.ZERO}, + new Scalar[]{Scalar.ZERO, Scalar.ONE} + }; + + Scalar r = Scalar.ONE; + + Proof1 P = PROVE1(b, r); + + Ed25519GroupElement B = COMb(b, r); + + System.out.println("VALID1 returns " + VALID1(B, P)); + + } + + +} diff --git a/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1.java b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1.java new file mode 100644 index 0000000..a21b373 --- /dev/null +++ b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1.java @@ -0,0 +1,37 @@ +package test.how.monero.hodl; + +import how.monero.hodl.crypto.PointPair; +import how.monero.hodl.crypto.Scalar; + +import static how.monero.hodl.crypto.CryptoUtil.COMeg; +import static how.monero.hodl.ringSignature.BootleRuffing.*; + +public class Prove2Valid2Test1 { + + public static void main(String[] args) { + + System.out.println("Test: " + new Object(){}.getClass().getEnclosingClass().getName()); + + // [c[0], c[1]] = [ COMeg(0, r), COMeg(1, s) ] with secret index 0 should PASS + Scalar r = Scalar.ONE; + Scalar s = Scalar.ONE; + + PointPair[] co = new PointPair[]{ + COMeg(Scalar.ZERO, r), + COMeg(Scalar.ONE, s) + }; + + int iAsterisk = 0; + + int inputs = 1; + int decompositionBase = 2; + int decompositionExponent = 1; + + Proof2 P2 = PROVE2(co, iAsterisk, r, inputs, decompositionBase, decompositionExponent); + + System.out.println("VALID2 result: " + VALID2(decompositionBase, P2, co)); + + } + + +} diff --git a/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1a.java b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1a.java new file mode 100644 index 0000000..9f0cee7 --- /dev/null +++ b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1a.java @@ -0,0 +1,42 @@ +package test.how.monero.hodl; + +import how.monero.hodl.crypto.PointPair; +import how.monero.hodl.crypto.Scalar; + +import static how.monero.hodl.crypto.CryptoUtil.COMeg; +import static how.monero.hodl.ringSignature.BootleRuffing.*; + +public class Prove2Valid2Test1a { + + public static void main(String[] args) { + + System.out.println("Test: " + new Object(){}.getClass().getEnclosingClass().getName()); + + Scalar r = Scalar.ONE; + + PointPair[] co = new PointPair[]{ + COMeg(Scalar.ONE,Scalar.ONE), + COMeg(Scalar.ONE,Scalar.ONE), + COMeg(Scalar.ONE,Scalar.ONE), + COMeg(Scalar.ONE,Scalar.ONE), + COMeg(Scalar.ONE,Scalar.ONE), + COMeg(Scalar.ZERO, Scalar.ONE), + COMeg(Scalar.ONE,Scalar.ONE), + COMeg(Scalar.ONE,Scalar.ONE), + COMeg(Scalar.ONE,Scalar.ONE), + }; + + int iAsterisk = 5; + + int inputs = 1; + int decompositionBase = 3; + int decompositionExponent = 2; + + Proof2 P2 = PROVE2(co, iAsterisk, r, inputs, decompositionBase, decompositionExponent); + + System.out.println("VALID2 result: " + VALID2(decompositionBase, P2, co)); + + } + + +} diff --git a/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1b.java b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1b.java new file mode 100644 index 0000000..891b464 --- /dev/null +++ b/source-code/RuffCT-java/src/test/how/monero/hodl/Prove2Valid2Test1b.java @@ -0,0 +1,61 @@ +package test.how.monero.hodl; + +import how.monero.hodl.crypto.PointPair; +import how.monero.hodl.crypto.Scalar; +import org.nem.core.crypto.ed25519.arithmetic.Ed25519GroupElement; + +import java.util.Date; + +import static how.monero.hodl.crypto.CryptoUtil.COMeg; +import static how.monero.hodl.ringSignature.BootleRuffing.*; + +public class Prove2Valid2Test1b { + + public static void main(String[] args) { + + System.out.println("Test: " + new Object(){}.getClass().getEnclosingClass().getName()); + + Scalar r = Scalar.ONE; + + for(int k=1; k<=64; k++) { + + System.out.println("---------------------------------------------------------------------------"); + int len = (int) Math.pow(2, k); + PointPair[] co = new PointPair[len]; + for (int i = 0; i < len; i++) co[i] = COMeg(Scalar.intToScalar(i), Scalar.ONE); + + int iAsterisk = 0; + + int inputs = 1; + int decompositionBase = 2; + int decompositionExponent = k; + + System.out.println("k: " + k); + System.out.println("decompositionBase: " + decompositionBase); + System.out.println("decompositionExponent: " + decompositionExponent); + + Ed25519GroupElement.scalarMults = 0; + Ed25519GroupElement.scalarBaseMults = 0; + long startMs = new Date().getTime(); + + Proof2 P2 = PROVE2(co, iAsterisk, r, inputs, decompositionBase, decompositionExponent); + + System.out.println("PROVE2 duration: " + (new Date().getTime() - startMs) + " ms"); + System.out.println("PROVE2 ScalarMults: " + Ed25519GroupElement.scalarMults); + System.out.println("PROVE2 BaseScalarMults: " + Ed25519GroupElement.scalarBaseMults); + Ed25519GroupElement.scalarMults = 0; + Ed25519GroupElement.scalarBaseMults = 0; + startMs = new Date().getTime(); + + System.out.println("VALID2 result: " + VALID2(decompositionBase, P2, co)); + + System.out.println("VALID2 ScalarMults: " + Ed25519GroupElement.scalarMults); + System.out.println("VALID2 BaseScalarMults: " + Ed25519GroupElement.scalarBaseMults); + + System.out.println("VALID2 duration: " + (new Date().getTime() - startMs) + " ms"); + } + + } + + +}