Curve25519 design, X25519 design: Daniel J. Bernstein. "Curve25519: new
Diffie-Hellman speed records." Pages 207–228 in Public key
cryptography—PKC 2006, 9th international conference on theory and
practice in public-key cryptography, New York, NY, USA, April 24–26,
2006, proceedings, edited by Moti Yung, Yevgeniy Dodis, Aggelos Kiayias,
Tal Malkin, Lecture Notes in Computer Science 3958, Springer, 2006, ISBN
3-540-33851-9. (The 32-bit implementations from that paper are not
included in lib25519.)

crypto_dh/x25519/ref10: Copied from public-domain
supercop/crypto_scalarmult/curve25519/ref10 code by Daniel J. Bernstein.
Tweaked in lib25519 to provide crypto_dh instead of crypto_scalarmult
(which is done as a separate wrapper in SUPERCOP), and to return void
instead of int (these functions never fail in lib25519).
crypto_sign/x25519/ref10 is similarly copied from SUPERCOP. SUPERCOP
releases: https://bench.cr.yp.to/supercop.html

crypto_dh/x25519/donna_c64: Copied from public-domain
supercop/crypto_scalarmult/curve25519/donna_c64 code by Adam Langley.
Tweaked in lib25519 to provide crypto_dh instead of crypto_scalarmult,
and to return void instead of int.

crypto_dh/x25519/amd64*: Copied from public-domain
supercop/crypto_scalarmult/curve25519/amd64* code by
Daniel J. Bernstein, Niels Duif, Tanja Lange, lead: Peter Schwabe,
Bo-Yin Yang. Tweaked in lib25519 to provide crypto_dh instead of
crypto_scalarmult, to return void instead of int, and to use consts.c
(for easy PIC) instead of consts.S.

crypto_sign/ed25519/amd64*: Copied from public-domain
supercop/crypto_sign/ed25519/amd64* code by Daniel J. Bernstein,
Niels Duif, Tanja Lange, lead: Peter Schwabe, Bo-Yin Yang. Tweaked in
lib25519 to return void from sign_keypair and sign, to use consts.c
instead of consts.S, and to eliminate some compiler warnings (window
size 64 in amd64-64-24k/sc25519.h; #ifdef SMALLTABLES around ecd).

crypto_dh/x25519/sandy2x: Copied from public-domain
supercop/crypto_scalarmult/curve25519/sandy2x code by Tung Chou.
Tweaked in lib25519 to provide crypto_dh instead of crypto_scalarmult,
to return void instead of int, and to use consts.c instead of consts.S.

crypto_dh/x25519/amd64-maa4/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-ns9l-maa4/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-ns10l-maa4/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-hey9l-maa4/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-hey10l-maa4/fe25519_{mul,square,nsquare}.S,
crypto_sign/ed25519/amd64-maa4/fe25519_{mul,square,nsquare}.S,
crypto_sign/ed25519/amd64-avx2-9l-maa4/fe25519_{mul,square,nsquare}.S,
crypto_sign/ed25519/amd64-avx2-10l-maa4/fe25519_{mul,square,nsquare}.S:
Kaushik Nath and Palash Sarkar, "Efficient arithmetic in (pseudo-)Mersenne 
prime order fields", Advances in Mathematics of Communications 16 (2022), pages
303–348. Original release:
https://github.com/kn-cs/pmp-farith/tree/master/gf-p2-255-19/SL

crypto_dh/x25519/amd64-avx2-ns9l-maa5/fe25519_{mul,nsquare}.S,
crypto_dh/x25519/amd64-avx2-ns10l-maa5/fe25519_{mul,nsquare}.S
crypto_dh/x25519/amd64-avx2-hey9l-maa5/fe25519_{mul,nsquare}.S,
crypto_dh/x25519/amd64-avx2-hey10l-maa5/fe25519_{mul,nsquare}.S:
Kaushik Nath and Palash Sarkar, "Efficient arithmetic in (pseudo-)Mersenne 
prime order fields", Advances in Mathematics of Communications 16 (2022), pages
303–348. Original release:
https://github.com/kn-cs/pmp-farith/tree/master/gf-p2-255-19/USL1

crypto_dh/x25519/amd64-mxaa/fe25519_{mul,nsquare}.S,
crypto_dh/x25519/amd64-avx2-ns9l-mxaa/fe25519_{mul,nsquare}.S,
crypto_dh/x25519/amd64-avx2-ns10l-mxaa/fe25519_{mul,nsquare}.S,
crypto_dh/x25519/amd64-avx2-hey9l-mxaa/fe25519_{mul,nsquare}.S,
crypto_dh/x25519/amd64-avx2-hey10l-mxaa/fe25519_{mul,nsquare}.S,
crypto_sign/ed25519/amd64-mxaa/fe25519_{mul,nsquare}.S,
crypto_sign/ed25519/amd64-avx2-9l-mxaa/fe25519_{mul,nsquare}.S,
crypto_sign/ed25519/amd64-avx2-10l-mxaa/fe25519_{mul,nsquare}.S:
Kaushik Nath and Palash Sarkar, "Security and efficiency trade-offs for elliptic 
curve Diffie-Hellman at the 128-bit and 224-bit security levels." J. Cryptogr. 
Eng. 12(1): 107-121 (2022). Original release:
https://github.com/kn-cs/x25519/tree/master/intel64-mxaa-4limb

crypto_dh/x25519/amd64-maax/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-ns9l-maax/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-ns10l-maax/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-hey9l-maax/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx2-hey10l-maax/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx512ifma-ns5l-maax/fe25519_{mul,square,nsquare}.S,
crypto_dh/x25519/amd64-avx512ifma-hey5l-maax/fe25519_{mul,square,nsquare}.S,
crypto_sign/ed25519/amd64-maax/fe25519_{mul,square,nsquare}.S,
crypto_sign/ed25519/amd64-avx2-9l-maax/fe25519_{mul,square,nsquare}.S,
crypto_sign/ed25519/amd64-avx2-10l-maax/fe25519_{mul,square,nsquare}.S,
crypto_sign/ed25519/amd64-avx512ifma-5l-maax/fe25519_{mul,square,nsquare}.S:
Kaushik Nath and Palash Sarkar, "Efficient arithmetic in (pseudo-)Mersenne prime 
order fields", Advances in Mathematics of Communications 16 (2022), pages
303–348. Original release:
https://github.com/kn-cs/pmp-farith/tree/master/gf-p2-255-19/SLDCC

crypto_dh/x25519/amd64-maa4/mladder.S,
crypto_dh/x25519/amd64-mxaa/mladder.S,
crypto_dh/x25519/amd64-maax/mladder.S: Kaushik Nath and Palash Sarkar,
"Security and efficiency trade-offs for elliptic curve Diffie-Hellman 
at the 128-bit and 224-bit security levels." J. Cryptogr. Eng. 12(1): 
107-121 (2022). Original release: https://github.com/kn-cs/x25519
See "implementors" file for other code.

crypto_dh/x25519/amd64-avx2-ns9l-maa4/mladder.S,
crypto_dh/x25519/amd64-avx2-ns9l-maa5/mladder.S,
crypto_dh/x25519/amd64-avx2-ns9l-mxaa/mladder.S,
crypto_dh/x25519/amd64-avx2-ns9l-maax/mladder.S,
crypto_dh/x25519/amd64-avx2-ns10l-maa4/mladder.S,
crypto_dh/x25519/amd64-avx2-ns10l-maa5/mladder.S,
crypto_dh/x25519/amd64-avx2-ns10l-mxaa/mladder.S,
crypto_dh/x25519/amd64-avx2-ns10l-maax/mladder.S,
crypto_dh/x25519/amd64-avx2-hey9l-maa4/mladder.S,
crypto_dh/x25519/amd64-avx2-hey9l-maa5/mladder.S,
crypto_dh/x25519/amd64-avx2-hey9l-mxaa/mladder.S,
crypto_dh/x25519/amd64-avx2-hey9l-maax/mladder.S,
crypto_dh/x25519/amd64-avx2-hey10l-maa4/mladder.S,
crypto_dh/x25519/amd64-avx2-hey10l-maa5/mladder.S,
crypto_dh/x25519/amd64-avx2-hey10l-mxaa/mladder.S,
crypto_dh/x25519/amd64-avx2-hey10l-maax/mladder.S: Kaushik Nath 
and Palash Sarkar, "Efficient 4-Way Vectorizations of the Montgomery Ladder". 
IEEE Trans. Computers 71(3): 712-723 (2022). Original release:
https://github.com/kn-cs/vec-ladder/tree/master/Curve25519
See "implementors" file for other code.

crypto_dh/x25519/amd64-avx512ifma-ns5l-maax/mladder.S,
crypto_dh/x25519/amd64-avx512ifma-hey5l-maax/mladder.S: New code in 
lib25519 from Kaushik Nath. See "implementors" file for other code.

crypto_sign/ed25519/amd64-maa4/ge25519_base.S,
crypto_sign/ed25519/amd64-mxaa/ge25519_base.S,
crypto_sign/ed25519/amd64-maax/ge25519_base.S,
crypto_sign/ed25519/amd64-avx2-9l-maa4/ge25519_base.S,
crypto_sign/ed25519/amd64-avx2-10l-maa4/ge25519_base.S,
crypto_sign/ed25519/amd64-avx2-9l-mxaa/ge25519_base.S,
crypto_sign/ed25519/amd64-avx2-10l-mxaa/ge25519_base.S,
crypto_sign/ed25519/amd64-avx2-9l-maax/ge25519_base.S,
crypto_sign/ed25519/amd64-avx2-10l-maax/ge25519_base.S,
crypto_sign/ed25519/amd64-avx512ifma-5l-maax/ge25519_base.S: New code in lib25519 
from Kaushik Nath. See "implementors" file for other code.

crypto_hash*/sha512/*: Copied from public-domain
supercop/crypto_hash*/sha512/* code by Daniel J. Bernstein. Tweaked in
lib25519 to have crypto_hash() return void instead of int.

lib25519-speed.c: Portions based on public-domain benchmarking software
in SUPERCOP by Daniel J. Bernstein.

lib25519-test.c: Portions based on public-domain testing software in
SUPERCOP by Daniel J. Bernstein. The symmetric-cryptography code in
lib25519-test.c for generating pseudorandom test inputs and hashing test
outputs is adapted from TweetNaCl, a public-domain library by
Daniel J. Bernstein, Wesley Janssen, Tanja Lange, and Peter Schwabe.