-rw-r--r-- 982 lib25519-20240928/crypto_nG/merged25519/amd64-51/nG.c raw
// 20240926 djb: use cryptoint
#include <string.h>
#include "crypto_nG.h"
#include "crypto_hash_sha512.h"
#include "randombytes.h"
#include "fe25519.h"
#include "sc25519.h"
#include "ge25519.h"
#include "crypto_uint8.h"
void crypto_nG(unsigned char *pk,const unsigned char *sk)
{
unsigned char e[32];
sc25519 scsk;
ge25519 gepk;
fe25519 ZplusY;
fe25519 ZminusY;
fe25519 recip;
fe25519 x;
fe25519 y;
int wantmont;
for (int i = 0;i < 32;++i) e[i] = sk[i];
wantmont = crypto_uint8_topbit_01(e[31]);
e[31] &= 127;
sc25519_from32bytes(&scsk,e);
ge25519_scalarmult_base(&gepk, &scsk);
fe25519_add(&ZplusY,&gepk.z,&gepk.y);
fe25519_sub(&ZminusY,&gepk.z,&gepk.y);
fe25519_cmov(&gepk.y,&ZplusY,wantmont);
fe25519_cmov(&gepk.z,&ZminusY,wantmont);
fe25519_invert(&recip,&gepk.z);
fe25519_mul(&y,&gepk.y,&recip);
fe25519_pack(pk,&y);
fe25519_mul(&x,&gepk.x,&recip);
pk[31] ^= crypto_uint8_shlmod((1-wantmont) & fe25519_getparity(&x),7);
}