github.com/deroproject/derosuite@v2.1.6-1.0.20200307070847-0f2e589c7a2b+incompatible/crypto/edwards_25519_scalar.go (about) 1 // Copyright 2016 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package crypto 6 7 // The scalars are GF(2^252 + 27742317777372353535851937790883648493). 8 9 // Input: 10 // a[0]+256*a[1]+...+256^31*a[31] = a 11 // b[0]+256*b[1]+...+256^31*b[31] = b 12 // c[0]+256*c[1]+...+256^31*c[31] = c 13 // 14 // Output: 15 // s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l 16 // where l = 2^252 + 27742317777372353535851937790883648493. 17 func ScMulAdd(s, a, b, c *Key) { 18 a0 := 2097151 & load3(a[:]) 19 a1 := 2097151 & (load4(a[2:]) >> 5) 20 a2 := 2097151 & (load3(a[5:]) >> 2) 21 a3 := 2097151 & (load4(a[7:]) >> 7) 22 a4 := 2097151 & (load4(a[10:]) >> 4) 23 a5 := 2097151 & (load3(a[13:]) >> 1) 24 a6 := 2097151 & (load4(a[15:]) >> 6) 25 a7 := 2097151 & (load3(a[18:]) >> 3) 26 a8 := 2097151 & load3(a[21:]) 27 a9 := 2097151 & (load4(a[23:]) >> 5) 28 a10 := 2097151 & (load3(a[26:]) >> 2) 29 a11 := (load4(a[28:]) >> 7) 30 b0 := 2097151 & load3(b[:]) 31 b1 := 2097151 & (load4(b[2:]) >> 5) 32 b2 := 2097151 & (load3(b[5:]) >> 2) 33 b3 := 2097151 & (load4(b[7:]) >> 7) 34 b4 := 2097151 & (load4(b[10:]) >> 4) 35 b5 := 2097151 & (load3(b[13:]) >> 1) 36 b6 := 2097151 & (load4(b[15:]) >> 6) 37 b7 := 2097151 & (load3(b[18:]) >> 3) 38 b8 := 2097151 & load3(b[21:]) 39 b9 := 2097151 & (load4(b[23:]) >> 5) 40 b10 := 2097151 & (load3(b[26:]) >> 2) 41 b11 := (load4(b[28:]) >> 7) 42 c0 := 2097151 & load3(c[:]) 43 c1 := 2097151 & (load4(c[2:]) >> 5) 44 c2 := 2097151 & (load3(c[5:]) >> 2) 45 c3 := 2097151 & (load4(c[7:]) >> 7) 46 c4 := 2097151 & (load4(c[10:]) >> 4) 47 c5 := 2097151 & (load3(c[13:]) >> 1) 48 c6 := 2097151 & (load4(c[15:]) >> 6) 49 c7 := 2097151 & (load3(c[18:]) >> 3) 50 c8 := 2097151 & load3(c[21:]) 51 c9 := 2097151 & (load4(c[23:]) >> 5) 52 c10 := 2097151 & 
(load3(c[26:]) >> 2)
	c11 := (load4(c[28:]) >> 7)
	// carry[i] holds the carry taken out of limb i during the normalisation
	// passes below; the slot index always mirrors the limb it came from.
	var carry [23]int64

	// Schoolbook product a*b over 12x12 limbs of 21 bits, with c added into
	// the low 12 limbs. Each partial product is < 2^50 (the top limbs a11/b11
	// keep up to 25 bits), so every sum fits comfortably in int64. s23 is
	// only a landing slot for the carry out of s22.
	s0 := c0 + a0*b0
	s1 := c1 + a0*b1 + a1*b0
	s2 := c2 + a0*b2 + a1*b1 + a2*b0
	s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
	s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
	s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
	s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
	s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
	s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
	s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
	s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
	s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
	s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
	s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
	s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
	s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
	s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
	s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
	s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
	s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
	s20 := a9*b11 + a10*b10 + a11*b9
	s21 := a10*b11 + a11*b10
	s22 := a11 * b11
	s23 := int64(0)

	// First normalisation pass. A rounded carry (limb + 2^20) >> 21 leaves
	// each limb in [-2^20, 2^20]. Even limbs go first, then odd limbs, so a
	// limb never receives a carry after its own carry has already been taken.
	// The whole function is straight-line code: no branch and no memory
	// access depends on the values of a, b or c.
	carry[0] = (s0 + (1 << 20)) >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[2] = (s2 + (1 << 20)) >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[4] = (s4 + (1 << 20)) >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[6] = (s6 + (1 << 20)) >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[8] = (s8 + (1 << 20)) >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[10] = (s10 + (1 << 20)) >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[12] = (s12 + (1 << 20)) >> 21
	s13 += carry[12]
	s12 -= carry[12] << 21
	carry[14] = (s14 + (1 << 20)) >> 21
	s15 += carry[14]
	s14 -= carry[14] << 21
	carry[16] = (s16 + (1 << 20)) >> 21
	s17 += carry[16]
	s16 -= carry[16] << 21
	carry[18] = (s18 + (1 << 20)) >> 21
	s19 += carry[18]
	s18 -= carry[18] << 21
	carry[20] = (s20 + (1 << 20)) >> 21
	s21 += carry[20]
	s20 -= carry[20] << 21
	carry[22] = (s22 + (1 << 20)) >> 21
	s23 += carry[22]
	s22 -= carry[22] << 21

	carry[1] = (s1 + (1 << 20)) >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[3] = (s3 + (1 << 20)) >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[5] = (s5 + (1 << 20)) >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[7] = (s7 + (1 << 20)) >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[9] = (s9 + (1 << 20)) >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[11] = (s11 + (1 << 20)) >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21
	carry[13] = (s13 + (1 << 20)) >> 21
	s14 += carry[13]
	s13 -= carry[13] << 21
	carry[15] = (s15 + (1 << 20)) >> 21
	s16 += carry[15]
	s15 -= carry[15] << 21
	carry[17] = (s17 + (1 << 20)) >> 21
	s18 += carry[17]
	s17 -= carry[17] << 21
	carry[19] = (s19 + (1 << 20)) >> 21
	s20 += carry[19]
	s19 -= carry[19] << 21
	carry[21] = (s21 + (1 << 20)) >> 21
	s22 += carry[21]
	s21 -= carry[21] << 21

	// Fold the high limbs back into the low ones. Limb k has weight 2^(21k),
	// and for k >= 12 that is 2^252 * 2^(21(k-12)). With l = 2^252 + c we have
	// 2^252 = -c (mod l), and -c written in signed 21-bit limbs is
	//   666643 + 470296*2^21 + 654183*2^42 - 997805*2^63 + 136657*2^84 - 683901*2^105,
	// which is why each s_k is spread into s_(k-12) .. s_(k-7) with the sign
	// pattern + + + - + -. Limbs 23..18 are folded now; 17..12 after another
	// carry pass has brought their magnitudes down.
	s11 += s23 * 666643
	s12 += s23 * 470296
	s13 += s23 * 654183
	s14 -= s23 * 997805
	s15 += s23 * 136657
	s16 -= s23 * 683901
	s23 = 0

	s10 += s22 * 666643
	s11 += s22 * 470296
	s12 += s22 * 654183
	s13 -= s22 * 997805
	s14 += s22 * 136657
	s15 -= s22 * 683901
	s22 = 0

	s9 += s21 * 666643
	s10 += s21 * 470296
	s11 += s21 * 654183
	s12 -= s21 * 997805
	s13 += s21 * 136657
	s14 -= s21 * 683901
	s21 = 0

	s8 += s20 * 666643
	s9 += s20 * 470296
	s10 += s20 * 654183
	s11 -= s20 * 997805
	s12 += s20 * 136657
	s13 -= s20 * 683901
	s20 = 0

	s7 += s19 * 666643
	s8 += s19 * 470296
	s9 += s19 * 654183
	s10 -= s19 * 997805
	s11 += s19 * 136657
	s12 -= s19 * 683901
	s19 = 0

	s6 += s18 * 666643
	s7 += s18 * 470296
	s8 += s18 * 654183
	s9 -= s18 * 997805
	s10 += s18 * 136657
	s11 -= s18 * 683901
	s18 = 0

	// Re-normalise the limbs touched by the fold above (6..17) before the
	// next fold, again even limbs then odd limbs.
	carry[6] = (s6 + (1 << 20)) >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[8] = (s8 + (1 << 20)) >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[10] = (s10 + (1 << 20)) >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[12] = (s12 + (1 << 20)) >> 21
	s13 += carry[12]
	s12 -= carry[12] << 21
	carry[14] = (s14 + (1 << 20)) >> 21
	s15 += carry[14]
	s14 -= carry[14] << 21
	carry[16] = (s16 + (1 << 20)) >> 21
	s17 += carry[16]
	s16 -= carry[16] << 21

	carry[7] = (s7 + (1 << 20)) >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[9] = (s9 + (1 << 20)) >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[11] = (s11 + (1 << 20)) >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21
	carry[13] = (s13 + (1 << 20)) >> 21
	s14 += carry[13]
	s13 -= carry[13] << 21
	carry[15] = (s15 + (1 << 20)) >> 21
	s16 += carry[15]
	s15 -= carry[15] << 21

	// Second fold: limbs 17..12 into 5..0 .. 10..5 with the same constants.
	s5 += s17 * 666643
	s6 += s17 * 470296
	s7 += s17 * 654183
	s8 -= s17 * 997805
	s9 += s17 * 136657
	s10 -= s17 * 683901
	s17 = 0

	s4 += s16 * 666643
	s5 += s16 * 470296
	s6 += s16 * 654183
	s7 -= s16 * 997805
	s8 += s16 * 136657
	s9 -= s16 * 683901
	s16 = 0

	s3 += s15 * 666643
	s4 += s15 * 470296
	s5 += s15 * 654183
	s6 -= s15 * 997805
	s7 += s15 * 136657
	s8 -= s15 * 683901
	s15 = 0

	s2 += s14 * 666643
	s3 += s14 * 470296
	s4 += s14 * 654183
	s5 -= s14 * 997805
	s6 += s14 * 136657
	s7 -= s14 * 683901
	s14 = 0

	s1 += s13 * 666643
	s2 += s13 * 470296
	s3 += s13 * 654183
	s4 -= s13 * 997805
	s5 += s13 * 136657
	s6 -= s13 * 683901
	s13 = 0

	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	// Now only limbs 0..11 are live. Normalise them (even, then odd); the
	// carry out of s11 lands in s12 and is folded once more.
	carry[0] = (s0 + (1 << 20)) >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[2] = (s2 + (1 << 20)) >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[4] = (s4 + (1 << 20)) >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[6] = (s6 + (1 << 20)) >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[8] = (s8 + (1 << 20)) >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[10] = (s10 + (1 << 20)) >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21

	carry[1] = (s1 + (1 << 20)) >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[3] = (s3 + (1 << 20)) >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[5] = (s5 + (1 << 20)) >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[7] = (s7 + (1 << 20)) >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[9] = (s9 + (1 << 20)) >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[11] = (s11 + (1 << 20)) >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	// Final passes use plain (non-rounded) carries, which push every limb
	// into [0, 2^21). A carry out of s11 is folded one more time and the
	// chain is run again so the packed result is the canonical (ab+c) mod l.
	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[11] = s11 >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21

	// Repack the twelve 21-bit limbs into 32 little-endian bytes
	// (12 * 21 = 252 bits, so the top byte only carries 4 bits).
	s[0] = byte(s0 >> 0)
	s[1] = byte(s0 >> 8)
	s[2] = byte((s0 >> 16) | (s1 << 5))
	s[3] = byte(s1 >> 3)
	s[4] = byte(s1 >> 11)
	s[5] = byte((s1 >> 19) | (s2 << 2))
	s[6] = byte(s2 >> 6)
	s[7] = byte((s2 >> 14) | (s3 << 7))
	s[8] = byte(s3 >> 1)
	s[9] = byte(s3 >> 9)
	s[10] = byte((s3 >> 17) | (s4 << 4))
	s[11] = byte(s4 >> 4)
	s[12] = byte(s4 >> 12)
	s[13] = byte((s4 >> 20) | (s5 << 1))
	s[14] = byte(s5 >> 7)
	s[15] = byte((s5 >> 15) | (s6 << 6))
	s[16] = byte(s6 >> 2)
	s[17] = byte(s6 >> 10)
	s[18] = byte((s6 >> 18) | (s7 << 3))
	s[19] = byte(s7 >> 5)
	s[20] = byte(s7 >> 13)
	s[21] = byte(s8 >> 0)
	s[22] = byte(s8 >> 8)
	s[23] = byte((s8 >> 16) | (s9 << 5))
	s[24] = byte(s9 >> 3)
	s[25] = byte(s9 >> 11)
	s[26] = byte((s9 >> 19) | (s10 << 2))
	s[27] = byte(s10 >> 6)
	s[28] = byte((s10 >> 14) | (s11 << 7))
	s[29] = byte(s11 >> 1)
	s[30] = byte(s11 >> 9)
	s[31] = byte(s11 >> 17)
}

// ScReduce reduces a 64-byte little-endian integer modulo the group order.
//
// Input:
//   s[0]+256*s[1]+...+256^63*s[63] = s
//
// Output:
//   out[0]+256*out[1]+...+256^31*out[31] = s mod l
//   where l = 2^252 + 27742317777372353535851937790883648493.
//
// The input is split into 24 limbs of 21 bits (s23 keeps the top bits
// unmasked) and then folded and normalised with exactly the schedule used in
// the tail of ScMulAdd: fold 23..18, carry, fold 17..12, carry, fold 12,
// then two rounds of plain carries. Straight-line, branch-free code.
func ScReduce(out *Key, s *[64]byte) {
	s0 := 2097151 & load3(s[:])
	s1 := 2097151 & (load4(s[2:]) >> 5)
	s2 := 2097151 & (load3(s[5:]) >> 2)
	s3 := 2097151 & (load4(s[7:]) >> 7)
	s4 := 2097151 & (load4(s[10:]) >> 4)
	s5 := 2097151 & (load3(s[13:]) >> 1)
	s6 := 2097151 & (load4(s[15:]) >> 6)
	s7 := 2097151 & (load3(s[18:]) >> 3)
	s8 := 2097151 & load3(s[21:])
	s9 := 2097151 & (load4(s[23:]) >> 5)
	s10 := 2097151 & (load3(s[26:]) >> 2)
	s11 := 2097151 & (load4(s[28:]) >> 7)
	s12 := 2097151 & (load4(s[31:]) >> 4)
	s13 := 2097151 & (load3(s[34:]) >> 1)
	s14 := 2097151 & (load4(s[36:]) >> 6)
	s15 := 2097151 & (load3(s[39:]) >> 3)
	s16 := 2097151 & load3(s[42:])
	s17 := 2097151 & (load4(s[44:]) >> 5)
	s18 := 2097151 & (load3(s[47:]) >> 2)
	s19 := 2097151 & (load4(s[49:]) >> 7)
	s20 := 2097151 & (load4(s[52:]) >> 4)
	s21 := 2097151 & (load3(s[55:]) >> 1)
	s22 := 2097151 & (load4(s[57:]) >> 6)
	s23 := (load4(s[60:]) >> 3)

	// Fold limbs 23..18 using 2^252 = -c (mod l); see ScMulAdd for the
	// derivation of the six constants and their sign pattern.
	s11 += s23 * 666643
	s12 += s23 * 470296
	s13 += s23 * 654183
	s14 -= s23 * 997805
	s15 += s23 * 136657
	s16 -= s23 * 683901
	s23 = 0

	s10 += s22 * 666643
	s11 += s22 * 470296
	s12 += s22 * 654183
	s13 -= s22 * 997805
	s14 += s22 * 136657
	s15 -= s22 * 683901
	s22 = 0

	s9 += s21 * 666643
	s10 += s21 * 470296
	s11 += s21 * 654183
	s12 -= s21 * 997805
	s13 += s21 * 136657
	s14 -= s21 * 683901
	s21 = 0

	s8 += s20 * 666643
	s9 += s20 * 470296
	s10 += s20 * 654183
	s11 -= s20 * 997805
	s12 += s20 * 136657
	s13 -= s20 * 683901
	s20 = 0

	s7 += s19 * 666643
	s8 += s19 * 470296
	s9 += s19 * 654183
	s10 -= s19 * 997805
	s11 += s19 * 136657
	s12 -= s19 * 683901
	s19 = 0

	s6 += s18 * 666643
	s7 += s18 * 470296
	s8 += s18 * 654183
	s9 -= s18 * 997805
	s10 += s18 * 136657
	s11 -= s18 * 683901
	s18 = 0

	// Only limbs 0..17 remain live from here on.
	var carry [17]int64

	// Rounded carries on limbs 6..16 (even, then odd) before the next fold.
	carry[6] = (s6 + (1 << 20)) >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[8] = (s8 + (1 << 20)) >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[10] = (s10 + (1 << 20)) >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[12] = (s12 + (1 << 20)) >> 21
	s13 += carry[12]
	s12 -= carry[12] << 21
	carry[14] = (s14 + (1 << 20)) >> 21
	s15 += carry[14]
	s14 -= carry[14] << 21
	carry[16] = (s16 + (1 << 20)) >> 21
	s17 += carry[16]
	s16 -= carry[16] << 21

	carry[7] = (s7 + (1 << 20)) >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[9] = (s9 + (1 << 20)) >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[11] = (s11 + (1 << 20)) >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21
	carry[13] = (s13 + (1 << 20)) >> 21
	s14 += carry[13]
	s13 -= carry[13] << 21
	carry[15] = (s15 + (1 << 20)) >> 21
	s16 += carry[15]
	s15 -= carry[15] << 21

	// Second fold: limbs 17..12.
	s5 += s17 * 666643
	s6 += s17 * 470296
	s7 += s17 * 654183
	s8 -= s17 * 997805
	s9 += s17 * 136657
	s10 -= s17 * 683901
	s17 = 0

	s4 += s16 * 666643
	s5 += s16 * 470296
	s6 += s16 * 654183
	s7 -= s16 * 997805
	s8 += s16 * 136657
	s9 -= s16 * 683901
	s16 = 0

	s3 += s15 * 666643
	s4 += s15 * 470296
	s5 += s15 * 654183
	s6 -= s15 * 997805
	s7 += s15 * 136657
	s8 -= s15 * 683901
	s15 = 0

	s2 += s14 * 666643
	s3 += s14 * 470296
	s4 += s14 * 654183
	s5 -= s14 * 997805
	s6 += s14 * 136657
	s7 -= s14 * 683901
	s14 = 0

	s1 += s13 * 666643
	s2 += s13 * 470296
	s3 += s13 * 654183
	s4 -= s13 * 997805
	s5 += s13 * 136657
	s6 -= s13 * 683901
	s13 = 0

	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	// Rounded carries on limbs 0..11; the carry out of s11 is folded again.
	carry[0] = (s0 + (1 << 20)) >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[2] = (s2 + (1 << 20)) >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[4] = (s4 + (1 << 20)) >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[6] = (s6 + (1 << 20)) >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[8] = (s8 + (1 << 20)) >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[10] = (s10 + (1 << 20)) >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21

	carry[1] = (s1 + (1 << 20)) >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[3] = (s3 + (1 << 20)) >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[5] = (s5 + (1 << 20)) >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[7] = (s7 + (1 << 20)) >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[9] = (s9 + (1 << 20)) >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[11] = (s11 + (1 << 20)) >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	// Plain (non-rounded) carries make every limb non-negative; one more
	// fold of the carry out of s11 and a final chain give the canonical value.
	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[11] = s11 >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21

	// Repack the twelve 21-bit limbs into 32 little-endian bytes.
	out[0] = byte(s0 >> 0)
	out[1] = byte(s0 >> 8)
	out[2] = byte((s0 >> 16) | (s1 << 5))
	out[3] = byte(s1 >> 3)
	out[4] = byte(s1 >> 11)
	out[5] = byte((s1 >> 19) | (s2 << 2))
	out[6] = byte(s2 >> 6)
	out[7] = byte((s2 >> 14) | (s3 << 7))
	out[8] = byte(s3 >> 1)
	out[9] = byte(s3 >> 9)
	out[10] = byte((s3 >> 17) | (s4 << 4))
	out[11] = byte(s4 >> 4)
	out[12] = byte(s4 >> 12)
	out[13] = byte((s4 >> 20) | (s5 << 1))
	out[14] = byte(s5 >> 7)
	out[15] = byte((s5 >> 15) | (s6 << 6))
	out[16] = byte(s6 >> 2)
	out[17] = byte(s6 >> 10)
	out[18] = byte((s6 >> 18) | (s7 << 3))
	out[19] = byte(s7 >> 5)
	out[20] = byte(s7 >> 13)
	out[21] = byte(s8 >> 0)
	out[22] = byte(s8 >> 8)
	out[23] = byte((s8 >> 16) | (s9 << 5))
	out[24] = byte(s9 >> 3)
	out[25] = byte(s9 >> 11)
	out[26] = byte((s9 >> 19) | (s10 << 2))
	out[27] = byte(s10 >> 6)
	out[28] = byte((s10 >> 14) | (s11 << 7))
	out[29] = byte(s11 >> 1)
	out[30] = byte(s11 >> 9)
	out[31] = byte(s11 >> 17)
}

// ScReduce32 reduces the 32-byte little-endian value s modulo l in place
// (the counterpart of the reference sc_reduce32).
//
// Unlike the inputs of ScReduce, the top limb s11 is taken unmasked, i.e. it
// keeps every bit from bit 231 upwards, so the whole 256-bit input takes part
// in the reduction. The schedule is the tail of ScReduce: rounded carries,
// fold the carry out of s11 with 2^252 = -c (mod l), then two rounds of plain
// carries separated by one more fold. Straight-line, branch-free code.
func ScReduce32(s *Key) {
	s0 := 2097151 & load3(s[:])
	s1 := 2097151 & (load4(s[2:]) >> 5)
	s2 := 2097151 & (load3(s[5:]) >> 2)
	s3 := 2097151 & (load4(s[7:]) >> 7)
	s4 := 2097151 & (load4(s[10:]) >> 4)
	s5 := 2097151 & (load3(s[13:]) >> 1)
	s6 := 2097151 & (load4(s[15:]) >> 6)
	s7 := 2097151 & (load3(s[18:]) >> 3)
	s8 := 2097151 & load3(s[21:])
	s9 := 2097151 & (load4(s[23:]) >> 5)
	s10 := 2097151 & (load3(s[26:]) >> 2)
	s11 := (load4(s[28:]) >> 7)
	s12 := int64(0)
	var carry [12]int64
	carry[0] = (s0 + (1 << 20)) >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[2] = (s2 + (1 << 20)) >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[4] = (s4 + (1 << 20)) >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[6] = (s6 + (1 << 20)) >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[8] = (s8 + (1 << 20)) >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[10] = (s10 + (1 << 20)) >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[1] = (s1 + (1 << 20)) >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[3] = (s3 + (1 << 20)) >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[5] = (s5 + (1 << 20)) >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[7] = (s7 + (1 << 20)) >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[9] = (s9 + (1 << 20)) >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[11] = (s11 + (1 << 20)) >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	// Fold the overflow limb: s12 * 2^252 = s12 * (-c) (mod l).
	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[11] = s11 >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	// s12 is not zeroed here because it is never read again.
	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901

	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21

	// Repack the limbs into the caller's buffer, overwriting the input.
	s[0] = byte(s0 >> 0)
	s[1] = byte(s0 >> 8)
	s[2] = byte((s0 >> 16) | (s1 << 5))
	s[3] = byte(s1 >> 3)
	s[4] = byte(s1 >> 11)
	s[5] = byte((s1 >> 19) | (s2 << 2))
	s[6] = byte(s2 >> 6)
	s[7] = byte((s2 >> 14) | (s3 << 7))
	s[8] = byte(s3 >> 1)
	s[9] = byte(s3 >> 9)
	s[10] =
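byte((s3 >> 17) | (s4 << 4))
	s[11] = byte(s4 >> 4)
	s[12] = byte(s4 >> 12)
	s[13] = byte((s4 >> 20) | (s5 << 1))
	s[14] = byte(s5 >> 7)
	s[15] = byte((s5 >> 15) | (s6 << 6))
	s[16] = byte(s6 >> 2)
	s[17] = byte(s6 >> 10)
	s[18] = byte((s6 >> 18) | (s7 << 3))
	s[19] = byte(s7 >> 5)
	s[20] = byte(s7 >> 13)
	s[21] = byte(s8 >> 0)
	s[22] = byte(s8 >> 8)
	s[23] = byte((s8 >> 16) | (s9 << 5))
	s[24] = byte(s9 >> 3)
	s[25] = byte(s9 >> 11)
	s[26] = byte((s9 >> 19) | (s10 << 2))
	s[27] = byte(s10 >> 6)
	s[28] = byte((s10 >> 14) | (s11 << 7))
	s[29] = byte(s11 >> 1)
	s[30] = byte(s11 >> 9)
	s[31] = byte(s11 >> 17)
}

// signum returns -1, 0 or 1 according to the sign of a, without branching:
// a>>63 is -1 for negative a and 0 otherwise, and (-a)>>63 is -1 for
// positive a and 0 otherwise. (For a == math.MinInt64 the negation wraps
// and the result is 0; the callers below only pass 32-bit differences.)
func signum(a int64) int64 {
	return a>>63 - ((-a) >> 63)
}

// Sc_check reports whether s is a canonical scalar, i.e. s < l. It is an
// alias of ScValid kept under the name of the reference sc_check; note that
// it returns true for a valid scalar, whereas the C original returns 0.
func Sc_check(s *Key) bool {
	return ScValid(s)
}

// ScValid reports whether the 32-byte little-endian integer s is strictly
// smaller than the group order l = 2^252 + 27742317777372353535851937790883648493.
//
// s is read as eight little-endian 32-bit words and compared against the
// words of l-1 (1559614444 is the low word of l minus one; the others are the
// remaining words of l, the middle three being zero). Each word comparison
// contributes its sign to a distinct bit position, so the most significant
// differing word decides the sign of the sum, and the arithmetic shift by 8
// is 0 exactly when s <= l-1. The zero scalar passes this test; callers that
// must reject it need a separate non-zero check. The comparison is
// branch-free, but its result is normally public (it validates signature
// components and keys).
func ScValid(s *Key) bool {
	s0 := load4(s[:])
	s1 := load4(s[4:])
	s2 := load4(s[8:])
	s3 := load4(s[12:])
	s4 := load4(s[16:])
	s5 := load4(s[20:])
	s6 := load4(s[24:])
	s7 := load4(s[28:])
	return (signum(1559614444-s0)+(signum(1477600026-s1)<<1)+(signum(2734136534-s2)<<2)+(signum(350157278-s3)<<3)+(signum(-s4)<<4)+(signum(-s5)<<5)+(signum(-s6)<<6)+(signum(268435456-s7)<<7))>>8 == 0

}

// GeScalarMult computes r = a*A, where
//   a = a[0]+256*a[1]+...+256^31 a[31]
//   A is a point on the curve
//
// Preconditions:
//   a[31] <= 127
//
// The scalar is recoded into 64 signed nibbles in [-8, 8], a table of
// A, 2A, ..., 8A is built once, and the result is accumulated with a fixed
// schedule of four doublings and one table addition per nibble. The table
// lookup and the sign selection are done with conditional moves that touch
// every table entry on every iteration, so neither a branch nor a memory
// address depends on the scalar. This matters because a is frequently a
// secret (a private key or a signing nonce); the field/group primitives it
// calls are assumed to be constant-time themselves.
func GeScalarMult(r *ProjectiveGroupElement, a *Key, A *ExtendedGroupElement) {
	// Break the exponent into 4-bit nybbles.
	var e [64]int8
	for i, v := range a {
		e[2*i] = int8(v & 15)
		e[2*i+1] = int8((v >> 4) & 15)
	}
	// each e[i] is between 0 and 15 and e[63] is between 0 and 7.

	// Recode into signed digits in [-8, 8]. The final carry into e[63]
	// cannot overflow the table because a[31] <= 127 keeps e[63] <= 7.
	carry := int8(0)
	for i := 0; i < 63; i++ {
		e[i] += carry
		carry = (e[i] + 8) >> 4
		e[i] -= carry << 4
	}
	e[63] += carry

	var Ai [8]CachedGroupElement // A,2A,3A,4A,5A,6A,7A,8A
	t := new(CompletedGroupElement)
	u := new(ExtendedGroupElement)
	A.ToCached(&Ai[0])
	for i := 0; i < 7; i++ {
		geAdd(t, A, &Ai[i])
		t.ToExtended(u)
		u.ToCached(&Ai[i+1])
	}
	r.Zero()
	cur := new(CachedGroupElement)
	minusCur := new(CachedGroupElement)
	for i := 63; i >= 0; i-- {
		b := e[i]
		bNegative := int8(negative(int32(b)))
		bAbs := b - (((-bNegative) & b) << 1)
		// r = 16*r, i.e. shift the accumulator by one nibble.
		r.Double(t)
		t.ToProjective(r)
		r.Double(t)
		t.ToProjective(r)
		r.Double(t)
		t.ToProjective(r)
		r.Double(t)
		t.ToExtended(u)

		// Select Ai[bAbs-1], or leave cur at the identity when bAbs == 0,
		// by scanning the whole table with conditional moves. Every entry
		// is read on every iteration; a CMove with a zero condition is a
		// no-op, so this is exactly equivalent to calling it only for the
		// matching index. Do not "optimise" this with an if on the digit:
		// a branch or a skipped load here leaks the scalar through timing.
		cur.Zero()
		for j := int32(0); j < 8; j++ {
			CachedGroupElementCMove(cur, &Ai[j], equal(int32(bAbs), j+1))
		}

		// minusCur = -cur: swap (y+x, y-x), keep Z, negate T2d.
		FeCopy(&minusCur.yPlusX, &cur.yMinusX)
		FeCopy(&minusCur.yMinusX, &cur.yPlusX)
		FeCopy(&minusCur.Z, &cur.Z)
		FeNeg(&minusCur.T2d, &cur.T2d)

		// Pick the negated entry when the digit is negative, again branch-free.
		CachedGroupElementCMove(cur, minusCur, int32(bNegative))

		geAdd(t, u, cur)
		t.ToProjective(r)

	}
}

// ScAdd computes s = (a + b) mod l, where a, b and s are 32-byte
// little-endian scalars and l = 2^252 + 27742317777372353535851937790883648493.
// The limbs are added pairwise and then normalised and folded with the same
// schedule as ScReduce32. NOTE(review): the reference sc_add is used with
// inputs that are already reduced (< l); confirm that callers never pass
// unreduced 256-bit values here, as the shorter carry schedule is tuned for
// that case.
func ScAdd(s, a, b *Key) {
	a0 := 2097151 & load3(a[:])
	a1 := 2097151 & (load4(a[2:]) >> 5)
	a2 := 2097151 & (load3(a[5:]) >> 2)
	a3 := 2097151 & (load4(a[7:]) >> 7)
	a4 := 2097151 & (load4(a[10:]) >> 4)
	a5 := 2097151 & (load3(a[13:]) >> 1)
	a6 := 2097151 & (load4(a[15:]) >> 6)
	a7 := 2097151 & (load3(a[18:]) >> 3)
	a8 := 2097151 & load3(a[21:])
	a9 := 2097151 & (load4(a[23:]) >> 5)
	a10 := 2097151 & (load3(a[26:]) >> 2)
	a11 := (load4(a[28:]) >> 7)
	b0 := 2097151 & load3(b[:])
	b1 := 2097151 & (load4(b[2:]) >> 5)
	b2 := 2097151 & (load3(b[5:]) >> 2)
	b3 := 2097151 & (load4(b[7:]) >> 7)
	b4 := 2097151 & (load4(b[10:]) >> 4)
	b5 :=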
2097151 & (load3(b[13:]) >> 1)
	b6 := 2097151 & (load4(b[15:]) >> 6)
	b7 := 2097151 & (load3(b[18:]) >> 3)
	b8 := 2097151 & load3(b[21:])
	b9 := 2097151 & (load4(b[23:]) >> 5)
	b10 := 2097151 & (load3(b[26:]) >> 2)
	b11 := (load4(b[28:]) >> 7)
	// Limbwise sum; no carry is needed yet because two 21-bit limbs fit in
	// int64 with room to spare. s12 will receive the carry out of s11.
	s0 := a0 + b0
	s1 := a1 + b1
	s2 := a2 + b2
	s3 := a3 + b3
	s4 := a4 + b4
	s5 := a5 + b5
	s6 := a6 + b6
	s7 := a7 + b7
	s8 := a8 + b8
	s9 := a9 + b9
	s10 := a10 + b10
	s11 := a11 + b11
	s12 := int64(0)
	var carry [12]int64

	// Rounded carries, even limbs then odd limbs, bringing every limb into
	// [-2^20, 2^20]. Straight-line, branch-free code throughout.
	carry[0] = (s0 + (1 << 20)) >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[2] = (s2 + (1 << 20)) >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[4] = (s4 + (1 << 20)) >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[6] = (s6 + (1 << 20)) >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[8] = (s8 + (1 << 20)) >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[10] = (s10 + (1 << 20)) >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21

	carry[1] = (s1 + (1 << 20)) >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[3] = (s3 + (1 << 20)) >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[5] = (s5 + (1 << 20)) >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[7] = (s7 + (1 << 20)) >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[9] = (s9 + (1 << 20)) >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[11] = (s11 + (1 << 20)) >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	// Fold the overflow limb using 2^252 = -c (mod l), with -c expressed as
	// 666643 + 470296*2^21 + 654183*2^42 - 997805*2^63 + 136657*2^84 - 683901*2^105.
	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901
	s12 = 0

	// Plain carries make every limb non-negative; a carry out of s11 is
	// folded once more and the chain is rerun to obtain the canonical value.
	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21
	carry[11] = s11 >> 21
	s12 += carry[11]
	s11 -= carry[11] << 21

	// s12 is not zeroed here because it is never read again.
	s0 += s12 * 666643
	s1 += s12 * 470296
	s2 += s12 * 654183
	s3 -= s12 * 997805
	s4 += s12 * 136657
	s5 -= s12 * 683901

	carry[0] = s0 >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[1] = s1 >> 21
	s2 += carry[1]
	s1 -= carry[1] << 21
	carry[2] = s2 >> 21
	s3 += carry[2]
	s2 -= carry[2] << 21
	carry[3] = s3 >> 21
	s4 += carry[3]
	s3 -= carry[3] << 21
	carry[4] = s4 >> 21
	s5 += carry[4]
	s4 -= carry[4] << 21
	carry[5] = s5 >> 21
	s6 += carry[5]
	s5 -= carry[5] << 21
	carry[6] = s6 >> 21
	s7 += carry[6]
	s6 -= carry[6] << 21
	carry[7] = s7 >> 21
	s8 += carry[7]
	s7 -= carry[7] << 21
	carry[8] = s8 >> 21
	s9 += carry[8]
	s8 -= carry[8] << 21
	carry[9] = s9 >> 21
	s10 += carry[9]
	s9 -= carry[9] << 21
	carry[10] = s10 >> 21
	s11 += carry[10]
	s10 -= carry[10] << 21

	// Repack the twelve 21-bit limbs into 32 little-endian bytes.
	s[0] = byte(s0 >> 0)
	s[1] = byte(s0 >> 8)
	s[2] = byte((s0 >> 16) | (s1 << 5))
	s[3] = byte(s1 >> 3)
	s[4] = byte(s1 >> 11)
	s[5] = byte((s1 >> 19) | (s2 << 2))
	s[6] = byte(s2 >> 6)
	s[7] = byte((s2 >> 14) | (s3 << 7))
	s[8] = byte(s3 >> 1)
	s[9] = byte(s3 >> 9)
	s[10] = byte((s3 >> 17) | (s4 << 4))
	s[11] = byte(s4 >> 4)
	s[12] = byte(s4 >> 12)
	s[13] = byte((s4 >> 20) | (s5 << 1))
	s[14] = byte(s5 >> 7)
	s[15] = byte((s5 >> 15) | (s6 << 6))
	s[16] = byte(s6 >> 2)
	s[17] = byte(s6 >> 10)
	s[18] = byte((s6 >> 18) | (s7 << 3))
	s[19] = byte(s7 >> 5)
	s[20] = byte(s7 >> 13)
	s[21] = byte(s8 >> 0)
	s[22] = byte(s8 >> 8)
	s[23] = byte((s8 >> 16) | (s9 << 5))
	s[24] = byte(s9 >> 3)
	s[25] = byte(s9 >> 11)
	s[26] = byte((s9 >> 19) | (s10 << 2))
	s[27] = byte(s10 >> 6)
	s[28] = byte((s10 >> 14) | (s11 << 7))
	s[29] = byte(s11 >> 1)
	s[30] = byte(s11 >> 9)
	s[31] = byte(s11 >> 17)
}

// ScSub computes s = (a - b) mod l for 32-byte little-endian scalars. The
// visible part mirrors ScAdd exactly — same limb decomposition, limbwise
// subtraction instead of addition, then the same rounded-carry pass — and
// the signed limb representation is what lets a negative difference be
// normalised without a separate borrow step. The body continues past the
// end of this excerpt. NOTE(review): as with ScAdd, confirm callers only
// pass reduced (< l) inputs.
func ScSub(s, a, b *Key) {
	a0 := 2097151 & load3(a[:])
	a1 := 2097151 & (load4(a[2:]) >> 5)
	a2 := 2097151 & (load3(a[5:]) >> 2)
	a3 := 2097151 & (load4(a[7:]) >> 7)
	a4 := 2097151 & (load4(a[10:]) >> 4)
	a5 := 2097151 & (load3(a[13:]) >> 1)
	a6 := 2097151 & (load4(a[15:]) >> 6)
	a7 := 2097151 & (load3(a[18:]) >> 3)
	a8 := 2097151 & load3(a[21:])
	a9 := 2097151 & (load4(a[23:]) >> 5)
	a10 := 2097151 & (load3(a[26:]) >> 2)
	a11 := (load4(a[28:]) >> 7)
	b0 := 2097151 & load3(b[:])
	b1 := 2097151 & (load4(b[2:]) >> 5)
	b2 := 2097151 & (load3(b[5:]) >> 2)
	b3 := 2097151 & (load4(b[7:]) >> 7)
	b4 := 2097151 & (load4(b[10:]) >> 4)
	b5 := 2097151 & (load3(b[13:]) >> 1)
	b6 := 2097151 & (load4(b[15:]) >> 6)
	b7 := 2097151 & (load3(b[18:]) >> 3)
	b8 := 2097151 & load3(b[21:])
	b9 := 2097151 & (load4(b[23:]) >> 5)
	b10 := 2097151 & (load3(b[26:]) >> 2)
	b11 := (load4(b[28:]) >> 7)
	// Limbwise difference; limbs may go negative, which the rounded carries
	// below handle because each limb is kept in a signed range.
	s0 := a0 - b0
	s1 := a1 - b1
	s2 := a2 - b2
	s3 := a3 - b3
	s4 := a4 - b4
	s5 := a5 - b5
	s6 := a6 - b6
	s7 := a7 - b7
	s8 := a8 - b8
	s9 := a9 - b9
	s10 := a10 - b10
	s11 := a11 - b11
	s12 := int64(0)
	var carry [12]int64

	carry[0] = (s0 + (1 << 20)) >> 21
	s1 += carry[0]
	s0 -= carry[0] << 21
	carry[2] = (s2 + (1 << 20)) >> 21
1269 s3 += carry[2] 1270 s2 -= carry[2] << 21 1271 carry[4] = (s4 + (1 << 20)) >> 21 1272 s5 += carry[4] 1273 s4 -= carry[4] << 21 1274 carry[6] = (s6 + (1 << 20)) >> 21 1275 s7 += carry[6] 1276 s6 -= carry[6] << 21 1277 carry[8] = (s8 + (1 << 20)) >> 21 1278 s9 += carry[8] 1279 s8 -= carry[8] << 21 1280 carry[10] = (s10 + (1 << 20)) >> 21 1281 s11 += carry[10] 1282 s10 -= carry[10] << 21 1283 1284 carry[1] = (s1 + (1 << 20)) >> 21 1285 s2 += carry[1] 1286 s1 -= carry[1] << 21 1287 carry[3] = (s3 + (1 << 20)) >> 21 1288 s4 += carry[3] 1289 s3 -= carry[3] << 21 1290 carry[5] = (s5 + (1 << 20)) >> 21 1291 s6 += carry[5] 1292 s5 -= carry[5] << 21 1293 carry[7] = (s7 + (1 << 20)) >> 21 1294 s8 += carry[7] 1295 s7 -= carry[7] << 21 1296 carry[9] = (s9 + (1 << 20)) >> 21 1297 s10 += carry[9] 1298 s9 -= carry[9] << 21 1299 carry[11] = (s11 + (1 << 20)) >> 21 1300 s12 += carry[11] 1301 s11 -= carry[11] << 21 1302 1303 s0 += s12 * 666643 1304 s1 += s12 * 470296 1305 s2 += s12 * 654183 1306 s3 -= s12 * 997805 1307 s4 += s12 * 136657 1308 s5 -= s12 * 683901 1309 s12 = 0 1310 1311 carry[0] = s0 >> 21 1312 s1 += carry[0] 1313 s0 -= carry[0] << 21 1314 carry[1] = s1 >> 21 1315 s2 += carry[1] 1316 s1 -= carry[1] << 21 1317 carry[2] = s2 >> 21 1318 s3 += carry[2] 1319 s2 -= carry[2] << 21 1320 carry[3] = s3 >> 21 1321 s4 += carry[3] 1322 s3 -= carry[3] << 21 1323 carry[4] = s4 >> 21 1324 s5 += carry[4] 1325 s4 -= carry[4] << 21 1326 carry[5] = s5 >> 21 1327 s6 += carry[5] 1328 s5 -= carry[5] << 21 1329 carry[6] = s6 >> 21 1330 s7 += carry[6] 1331 s6 -= carry[6] << 21 1332 carry[7] = s7 >> 21 1333 s8 += carry[7] 1334 s7 -= carry[7] << 21 1335 carry[8] = s8 >> 21 1336 s9 += carry[8] 1337 s8 -= carry[8] << 21 1338 carry[9] = s9 >> 21 1339 s10 += carry[9] 1340 s9 -= carry[9] << 21 1341 carry[10] = s10 >> 21 1342 s11 += carry[10] 1343 s10 -= carry[10] << 21 1344 carry[11] = s11 >> 21 1345 s12 += carry[11] 1346 s11 -= carry[11] << 21 1347 1348 s0 += s12 * 666643 1349 s1 += s12 * 470296 
1350 s2 += s12 * 654183 1351 s3 -= s12 * 997805 1352 s4 += s12 * 136657 1353 s5 -= s12 * 683901 1354 1355 carry[0] = s0 >> 21 1356 s1 += carry[0] 1357 s0 -= carry[0] << 21 1358 carry[1] = s1 >> 21 1359 s2 += carry[1] 1360 s1 -= carry[1] << 21 1361 carry[2] = s2 >> 21 1362 s3 += carry[2] 1363 s2 -= carry[2] << 21 1364 carry[3] = s3 >> 21 1365 s4 += carry[3] 1366 s3 -= carry[3] << 21 1367 carry[4] = s4 >> 21 1368 s5 += carry[4] 1369 s4 -= carry[4] << 21 1370 carry[5] = s5 >> 21 1371 s6 += carry[5] 1372 s5 -= carry[5] << 21 1373 carry[6] = s6 >> 21 1374 s7 += carry[6] 1375 s6 -= carry[6] << 21 1376 carry[7] = s7 >> 21 1377 s8 += carry[7] 1378 s7 -= carry[7] << 21 1379 carry[8] = s8 >> 21 1380 s9 += carry[8] 1381 s8 -= carry[8] << 21 1382 carry[9] = s9 >> 21 1383 s10 += carry[9] 1384 s9 -= carry[9] << 21 1385 carry[10] = s10 >> 21 1386 s11 += carry[10] 1387 s10 -= carry[10] << 21 1388 1389 s[0] = byte(s0 >> 0) 1390 s[1] = byte(s0 >> 8) 1391 s[2] = byte((s0 >> 16) | (s1 << 5)) 1392 s[3] = byte(s1 >> 3) 1393 s[4] = byte(s1 >> 11) 1394 s[5] = byte((s1 >> 19) | (s2 << 2)) 1395 s[6] = byte(s2 >> 6) 1396 s[7] = byte((s2 >> 14) | (s3 << 7)) 1397 s[8] = byte(s3 >> 1) 1398 s[9] = byte(s3 >> 9) 1399 s[10] = byte((s3 >> 17) | (s4 << 4)) 1400 s[11] = byte(s4 >> 4) 1401 s[12] = byte(s4 >> 12) 1402 s[13] = byte((s4 >> 20) | (s5 << 1)) 1403 s[14] = byte(s5 >> 7) 1404 s[15] = byte((s5 >> 15) | (s6 << 6)) 1405 s[16] = byte(s6 >> 2) 1406 s[17] = byte(s6 >> 10) 1407 s[18] = byte((s6 >> 18) | (s7 << 3)) 1408 s[19] = byte(s7 >> 5) 1409 s[20] = byte(s7 >> 13) 1410 s[21] = byte(s8 >> 0) 1411 s[22] = byte(s8 >> 8) 1412 s[23] = byte((s8 >> 16) | (s9 << 5)) 1413 s[24] = byte(s9 >> 3) 1414 s[25] = byte(s9 >> 11) 1415 s[26] = byte((s9 >> 19) | (s10 << 2)) 1416 s[27] = byte(s10 >> 6) 1417 s[28] = byte((s10 >> 14) | (s11 << 7)) 1418 s[29] = byte(s11 >> 1) 1419 s[30] = byte(s11 >> 9) 1420 s[31] = byte(s11 >> 17) 1421 } 1422 1423 // Input: 1424 // a[0]+256*a[1]+...+256^31*a[31] = a 1425 // 
// Input:
//   a[0]+256*a[1]+...+256^31*a[31] = a
//   b[0]+256*b[1]+...+256^31*b[31] = b
//   c[0]+256*c[1]+...+256^31*c[31] = c
//
// Output:
//   s[0]+256*s[1]+...+256^31*s[31] = (c-ab) mod l
//   where l = 2^252 + 27742317777372353535851937790883648493.
//
// ScMulSub stores the reduced scalar c - a*b in s. All three inputs are
// unpacked before s is written, so s may alias any of them. Inputs are not
// checked for canonical form: limb 11 is taken unmasked, so any high bits of
// a, b or c are folded into the result rather than rejected. The loops run a
// fixed number of iterations indexed only by the loop counters, so there are
// no secret-dependent branches or memory addresses in this function.
func ScMulSub(s, a, b, c *Key) {
	al := scMulUnpack(a)
	bl := scMulUnpack(b)
	cl := scMulUnpack(c)

	// t holds c in limbs 0..11 and then has every a[i]*b[j] product
	// subtracted from limb i+j (the same sequence of subtractions the
	// straight-line form performs; no intermediate can overflow int64).
	var t [24]int64
	copy(t[:], cl[:])
	for i, ai := range al {
		for j, bj := range bl {
			t[i+j] -= ai * bj
		}
	}

	scMulReduce24(&t)
	scMulPack(s, &t)
}

// Input:
//   a[0]+256*a[1]+...+256^31*a[31] = a
//   b[0]+256*b[1]+...+256^31*b[31] = b
//
// Output:
//   s[0]+256*s[1]+...+256^31*s[31] = (ab) mod l
//   where l = 2^252 + 27742317777372353535851937790883648493.
//
// ScMul stores the reduced scalar a*b in s. Both inputs are unpacked before s
// is written, so s may alias a or b. As with ScMulSub, non-canonical inputs
// (high bits set in the last limb) are folded into the result, not rejected,
// and the function contains no secret-dependent branches or indices.
func ScMul(s, a, b *Key) {
	al := scMulUnpack(a)
	bl := scMulUnpack(b)

	// Schoolbook product: limb k of t collects every a[i]*b[j] with i+j == k,
	// added in increasing i, exactly as the straight-line form sums them.
	var t [24]int64
	for i, ai := range al {
		for j, bj := range bl {
			t[i+j] += ai * bj
		}
	}

	scMulReduce24(&t)
	scMulPack(s, &t)
}

// scMulUnpack splits the 32-byte little-endian scalar k into twelve 21-bit
// limbs (limb i holds bits 21*i .. 21*i+20). Limb 11 is deliberately not
// masked, so it carries whatever bits remain above bit 231.
func scMulUnpack(k *Key) [12]int64 {
	const mask = 2097151 // 2^21 - 1
	return [12]int64{
		mask & load3(k[:]),
		mask & (load4(k[2:]) >> 5),
		mask & (load3(k[5:]) >> 2),
		mask & (load4(k[7:]) >> 7),
		mask & (load4(k[10:]) >> 4),
		mask & (load3(k[13:]) >> 1),
		mask & (load4(k[15:]) >> 6),
		mask & (load3(k[18:]) >> 3),
		mask & load3(k[21:]),
		mask & (load4(k[23:]) >> 5),
		mask & (load3(k[26:]) >> 2),
		load4(k[28:]) >> 7,
	}
}

// scMulCarryRound moves the rounded carry of limb i into limb i+1, leaving
// limb i in [-2^20, 2^20).
func scMulCarryRound(t *[24]int64, i int) {
	c := (t[i] + (1 << 20)) >> 21
	t[i+1] += c
	t[i] -= c << 21
}

// scMulCarryFloor moves the floor carry of limb i into limb i+1, leaving
// limb i in [0, 2^21).
func scMulCarryFloor(t *[24]int64, i int) {
	c := t[i] >> 21
	t[i+1] += c
	t[i] -= c << 21
}

// scMulFold eliminates limb k (k >= 12) by replacing its weight 2^(21k) with
// 2^(21(k-12)) * (2^252 - l); the six constants are the signed 21-bit limb
// expansion of 2^252 - l = -27742317777372353535851937790883648493. Limb k
// is zeroed afterwards.
func scMulFold(t *[24]int64, k int) {
	v := t[k]
	t[k-12] += v * 666643
	t[k-11] += v * 470296
	t[k-10] += v * 654183
	t[k-9] -= v * 997805
	t[k-8] += v * 136657
	t[k-7] -= v * 683901
	t[k] = 0
}

// scMulReduce24 reduces the 24-limb product t modulo l in place, leaving the
// canonical 21-bit limbs of the result in t[0..11]. The carry/fold schedule
// is exactly the one of the straight-line code it replaces (even limbs are
// carried before odd limbs in each rounded pass, high limbs are folded from
// the top down), which keeps every intermediate within int64.
func scMulReduce24(t *[24]int64) {
	// Pass 1: rounded carries across the whole product, even limbs then odd.
	for i := 0; i <= 22; i += 2 {
		scMulCarryRound(t, i)
	}
	for i := 1; i <= 21; i += 2 {
		scMulCarryRound(t, i)
	}

	// Fold limbs 23..18 into limbs 6..16.
	for k := 23; k >= 18; k-- {
		scMulFold(t, k)
	}

	// Pass 2: rounded carries over the limbs the folds just touched.
	for i := 6; i <= 16; i += 2 {
		scMulCarryRound(t, i)
	}
	for i := 7; i <= 15; i += 2 {
		scMulCarryRound(t, i)
	}

	// Fold limbs 17..12 into limbs 0..10.
	for k := 17; k >= 12; k-- {
		scMulFold(t, k)
	}

	// Pass 3: rounded carries over limbs 0..11; the carry out of limb 11
	// lands in limb 12 and is folded once more.
	for i := 0; i <= 10; i += 2 {
		scMulCarryRound(t, i)
	}
	for i := 1; i <= 11; i += 2 {
		scMulCarryRound(t, i)
	}
	scMulFold(t, 12)

	// Final normalisation: sequential floor carries, one more fold of the
	// carry that reaches limb 12, then floor carries again (limb 11 keeps
	// its top bits; no carry is taken out of it this time).
	for i := 0; i <= 11; i++ {
		scMulCarryFloor(t, i)
	}
	scMulFold(t, 12)
	for i := 0; i <= 10; i++ {
		scMulCarryFloor(t, i)
	}
}

// scMulPack serialises limbs t[0..11] (21 bits each, little-endian) into the
// 32 bytes of dst. Output byte j holds bits 8j..8j+7, which sit in limb
// i = 8j/21 starting at bit 8j-21i and, where the byte straddles a limb
// boundary, continue in limb i+1. Each byte is truncated with byte(), the
// same as the straight-line assignments it replaces.
func scMulPack(dst *Key, t *[24]int64) {
	for j := 0; j < 32; j++ {
		i := (8 * j) / 21
		v := t[i] >> uint(8*j-21*i)
		if i+1 < 12 && 8*j+8 > 21*(i+1) {
			v |= t[i+1] << uint(21*(i+1)-8*j)
		}
		dst[j] = byte(v)
	}
}

// ScIsZero reports whether every byte of s is zero. It ORs all 32 bytes and
// decides with arithmetic only: (acc-1)>>8 is -1 exactly when acc == 0 (int
// is signed, so the shift is arithmetic), making the whole expression 0 for
// an all-zero scalar and 1 otherwise. There is no early exit, so the running
// time does not depend on where a non-zero byte sits.
func ScIsZero(s *Key) bool {
	var acc byte
	for i := 0; i < 32; i++ {
		acc |= s[i]
	}
	return ((int(acc)-1)>>8)+1 == 0
}