-rw-r--r-- 1137 lib25519-20220726/crypto_dh/x25519/sandy2x/scalarmult.c raw
/*
This file is adapted from ref10/scalarmult.c:
The code for Mongomery ladder is replace by the ladder assembly function;
Inversion is done in the same way as amd64-51/.
(fe is first converted into fe51 after Mongomery ladder)
*/
#include "crypto_dh.h"
#include "fe.h"
#include "fe51.h"
#include "ladder.h"
#define x1 var[0]
#define x2 var[1]
#define z2 var[2]
void crypto_dh(unsigned char *q,
const unsigned char *p,
const unsigned char *n)
{
unsigned char e[32];
unsigned int i;
fe var[3];
fe51 x_51;
fe51 z_51;
for (i = 0;i < 32;++i) e[i] = n[i];
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
fe_frombytes(x1, p);
ladder(var, e);
z_51.v[0] = (z2[1] << 26) + z2[0];
z_51.v[1] = (z2[3] << 26) + z2[2];
z_51.v[2] = (z2[5] << 26) + z2[4];
z_51.v[3] = (z2[7] << 26) + z2[6];
z_51.v[4] = (z2[9] << 26) + z2[8];
x_51.v[0] = (x2[1] << 26) + x2[0];
x_51.v[1] = (x2[3] << 26) + x2[2];
x_51.v[2] = (x2[5] << 26) + x2[4];
x_51.v[3] = (x2[7] << 26) + x2[6];
x_51.v[4] = (x2[9] << 26) + x2[8];
fe51_invert(&z_51, &z_51);
fe51_mul(&x_51, &x_51, &z_51);
fe51_pack(q, &x_51);
}