limb 42 crypto/curve25519-donna.c static void fsum(limb *output, const limb *in) { limb 53 crypto/curve25519-donna.c static void fdifference(limb *output, const limb *in) { limb 61 crypto/curve25519-donna.c static void fscalar_product(limb *output, const limb *in, const limb scalar) { limb 73 crypto/curve25519-donna.c static void fproduct(limb *output, const limb *in2, const limb *in) { limb 74 crypto/curve25519-donna.c output[0] = ((limb) ((s32) in2[0])) * ((s32) in[0]); limb 75 crypto/curve25519-donna.c output[1] = ((limb) ((s32) in2[0])) * ((s32) in[1]) + limb 76 crypto/curve25519-donna.c ((limb) ((s32) in2[1])) * ((s32) in[0]); limb 77 crypto/curve25519-donna.c output[2] = 2 * ((limb) ((s32) in2[1])) * ((s32) in[1]) + limb 78 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[2]) + limb 79 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[0]); limb 80 crypto/curve25519-donna.c output[3] = ((limb) ((s32) in2[1])) * ((s32) in[2]) + limb 81 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[1]) + limb 82 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[3]) + limb 83 crypto/curve25519-donna.c ((limb) ((s32) in2[3])) * ((s32) in[0]); limb 84 crypto/curve25519-donna.c output[4] = ((limb) ((s32) in2[2])) * ((s32) in[2]) + limb 85 crypto/curve25519-donna.c 2 * (((limb) ((s32) in2[1])) * ((s32) in[3]) + limb 86 crypto/curve25519-donna.c ((limb) ((s32) in2[3])) * ((s32) in[1])) + limb 87 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[4]) + limb 88 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[0]); limb 89 crypto/curve25519-donna.c output[5] = ((limb) ((s32) in2[2])) * ((s32) in[3]) + limb 90 crypto/curve25519-donna.c ((limb) ((s32) in2[3])) * ((s32) in[2]) + limb 91 crypto/curve25519-donna.c ((limb) ((s32) in2[1])) * ((s32) in[4]) + limb 92 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[1]) + limb 93 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[5]) + limb 94 crypto/curve25519-donna.c ((limb) ((s32) in2[5])) * ((s32) in[0]); limb 95 crypto/curve25519-donna.c output[6] = 2 * (((limb) ((s32) in2[3])) * ((s32) in[3]) + limb 96 crypto/curve25519-donna.c ((limb) ((s32) in2[1])) * ((s32) in[5]) + limb 97 crypto/curve25519-donna.c ((limb) ((s32) in2[5])) * ((s32) in[1])) + limb 98 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[4]) + limb 99 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[2]) + limb 100 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[6]) + limb 101 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[0]); limb 102 crypto/curve25519-donna.c output[7] = ((limb) ((s32) in2[3])) * ((s32) in[4]) + limb 103 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[3]) + limb 104 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[5]) + limb 105 crypto/curve25519-donna.c ((limb) ((s32) in2[5])) * ((s32) in[2]) + limb 106 crypto/curve25519-donna.c ((limb) ((s32) in2[1])) * ((s32) in[6]) + limb 107 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[1]) + limb 108 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[7]) + limb 109 crypto/curve25519-donna.c ((limb) ((s32) in2[7])) * ((s32) in[0]); limb 110 crypto/curve25519-donna.c output[8] = ((limb) ((s32) in2[4])) * ((s32) in[4]) + limb 111 crypto/curve25519-donna.c 2 * (((limb) ((s32) in2[3])) * ((s32) in[5]) + limb 112 crypto/curve25519-donna.c ((limb) ((s32) in2[5])) * ((s32) in[3]) + limb 113 crypto/curve25519-donna.c ((limb) ((s32) in2[1])) * ((s32) in[7]) + limb 114 crypto/curve25519-donna.c ((limb) ((s32) in2[7])) * ((s32) in[1])) + limb 115 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[6]) + limb 116 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[2]) + limb 117 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[8]) + limb 118 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[0]); limb 119 crypto/curve25519-donna.c output[9] = ((limb) ((s32) in2[4])) * ((s32) in[5]) + limb 120 crypto/curve25519-donna.c ((limb) ((s32) in2[5])) * ((s32) in[4]) + limb 121 crypto/curve25519-donna.c ((limb) ((s32) in2[3])) * ((s32) in[6]) + limb 122 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[3]) + limb 123 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[7]) + limb 124 crypto/curve25519-donna.c ((limb) ((s32) in2[7])) * ((s32) in[2]) + limb 125 crypto/curve25519-donna.c ((limb) ((s32) in2[1])) * ((s32) in[8]) + limb 126 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[1]) + limb 127 crypto/curve25519-donna.c ((limb) ((s32) in2[0])) * ((s32) in[9]) + limb 128 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[0]); limb 129 crypto/curve25519-donna.c output[10] = 2 * (((limb) ((s32) in2[5])) * ((s32) in[5]) + limb 130 crypto/curve25519-donna.c ((limb) ((s32) in2[3])) * ((s32) in[7]) + limb 131 crypto/curve25519-donna.c ((limb) ((s32) in2[7])) * ((s32) in[3]) + limb 132 crypto/curve25519-donna.c ((limb) ((s32) in2[1])) * ((s32) in[9]) + limb 133 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[1])) + limb 134 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[6]) + limb 135 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[4]) + limb 136 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[8]) + limb 137 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[2]); limb 138 crypto/curve25519-donna.c output[11] = ((limb) ((s32) in2[5])) * ((s32) in[6]) + limb 139 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[5]) + limb 140 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[7]) + limb 141 crypto/curve25519-donna.c ((limb) ((s32) in2[7])) * ((s32) in[4]) + limb 142 crypto/curve25519-donna.c ((limb) ((s32) in2[3])) * ((s32) in[8]) + limb 143 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[3]) + limb 144 crypto/curve25519-donna.c ((limb) ((s32) in2[2])) * ((s32) in[9]) + limb 145 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[2]); limb 146 crypto/curve25519-donna.c output[12] = ((limb) ((s32) in2[6])) * ((s32) in[6]) + limb 147 crypto/curve25519-donna.c 2 * (((limb) ((s32) in2[5])) * ((s32) in[7]) + limb 148 crypto/curve25519-donna.c ((limb) ((s32) in2[7])) * ((s32) in[5]) + limb 149 crypto/curve25519-donna.c ((limb) ((s32) in2[3])) * ((s32) in[9]) + limb 150 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[3])) + limb 151 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[8]) + limb 152 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[4]); limb 153 crypto/curve25519-donna.c output[13] = ((limb) ((s32) in2[6])) * ((s32) in[7]) + limb 154 crypto/curve25519-donna.c ((limb) ((s32) in2[7])) * ((s32) in[6]) + limb 155 crypto/curve25519-donna.c ((limb) ((s32) in2[5])) * ((s32) in[8]) + limb 156 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[5]) + limb 157 crypto/curve25519-donna.c ((limb) ((s32) in2[4])) * ((s32) in[9]) + limb 158 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[4]); limb 159 crypto/curve25519-donna.c output[14] = 2 * (((limb) ((s32) in2[7])) * ((s32) in[7]) + limb 160 crypto/curve25519-donna.c ((limb) ((s32) in2[5])) * ((s32) in[9]) + limb 161 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[5])) + limb 162 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[8]) + limb 163 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[6]); limb 164 crypto/curve25519-donna.c output[15] = ((limb) ((s32) in2[7])) * ((s32) in[8]) + limb 165 crypto/curve25519-donna.c ((limb) ((s32) in2[8])) * ((s32) in[7]) + limb 166 crypto/curve25519-donna.c ((limb) ((s32) in2[6])) * ((s32) in[9]) + limb 167 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[6]); limb 168 crypto/curve25519-donna.c output[16] = ((limb) ((s32) in2[8])) * ((s32) in[8]) + limb 169 crypto/curve25519-donna.c 2 * (((limb) ((s32) in2[7])) * ((s32) in[9]) + limb 170 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[7])); limb 171 crypto/curve25519-donna.c output[17] = ((limb) ((s32) in2[8])) * ((s32) in[9]) + limb 172 crypto/curve25519-donna.c ((limb) ((s32) in2[9])) * ((s32) in[8]); limb 173 crypto/curve25519-donna.c output[18] = 2 * ((limb) ((s32) in2[9])) * ((s32) in[9]); limb 177 crypto/curve25519-donna.c static void freduce_degree(limb *output) { limb 212 crypto/curve25519-donna.c static void freduce_coefficients(limb *output) { limb 218 crypto/curve25519-donna.c limb over = output[i] / 0x4000000l; limb 236 crypto/curve25519-donna.c fmul(limb *output, const limb *in, const limb *in2) { limb 237 crypto/curve25519-donna.c limb t[19]; limb 241 crypto/curve25519-donna.c memcpy(output, t, sizeof(limb) * 10); limb 244 crypto/curve25519-donna.c static void fsquare_inner(limb *output, const limb *in) { limb 245 crypto/curve25519-donna.c output[0] = ((limb) ((s32) in[0])) * ((s32) in[0]); limb 246 crypto/curve25519-donna.c output[1] = 2 * ((limb) ((s32) in[0])) * ((s32) in[1]); limb 247 crypto/curve25519-donna.c output[2] = 2 * (((limb) ((s32) in[1])) * ((s32) in[1]) + limb 248 crypto/curve25519-donna.c ((limb) ((s32) in[0])) * ((s32) in[2])); limb 249 crypto/curve25519-donna.c output[3] = 2 * (((limb) ((s32) in[1])) * ((s32) in[2]) + limb 250 crypto/curve25519-donna.c ((limb) ((s32) in[0])) * ((s32) in[3])); limb 251 crypto/curve25519-donna.c output[4] = ((limb) ((s32) in[2])) * ((s32) in[2]) + limb 252 crypto/curve25519-donna.c 4 * ((limb) ((s32) in[1])) * ((s32) in[3]) + limb 253 crypto/curve25519-donna.c 2 * ((limb) ((s32) in[0])) * ((s32) in[4]); limb 254 crypto/curve25519-donna.c output[5] = 2 * (((limb) ((s32) in[2])) * ((s32) in[3]) + limb 255 crypto/curve25519-donna.c ((limb) ((s32) in[1])) * ((s32) in[4]) + limb 256 crypto/curve25519-donna.c ((limb) ((s32) in[0])) * ((s32) in[5])); limb 257 crypto/curve25519-donna.c output[6] = 2 * (((limb) ((s32) in[3])) * ((s32) in[3]) + limb 258 crypto/curve25519-donna.c ((limb) ((s32) in[2])) * ((s32) in[4]) + limb 259 crypto/curve25519-donna.c ((limb) ((s32) in[0])) * ((s32) in[6]) + limb 260 crypto/curve25519-donna.c 2 * ((limb) ((s32) in[1])) * ((s32) in[5])); limb 261 crypto/curve25519-donna.c output[7] = 2 * (((limb) ((s32) in[3])) * ((s32) in[4]) + limb 262 crypto/curve25519-donna.c ((limb) ((s32) in[2])) * ((s32) in[5]) + limb 263 crypto/curve25519-donna.c ((limb) ((s32) in[1])) * ((s32) in[6]) + limb 264 crypto/curve25519-donna.c ((limb) ((s32) in[0])) * ((s32) in[7])); limb 265 crypto/curve25519-donna.c output[8] = ((limb) ((s32) in[4])) * ((s32) in[4]) + limb 266 crypto/curve25519-donna.c 2 * (((limb) ((s32) in[2])) * ((s32) in[6]) + limb 267 crypto/curve25519-donna.c ((limb) ((s32) in[0])) * ((s32) in[8]) + limb 268 crypto/curve25519-donna.c 2 * (((limb) ((s32) in[1])) * ((s32) in[7]) + limb 269 crypto/curve25519-donna.c ((limb) ((s32) in[3])) * ((s32) in[5]))); limb 270 crypto/curve25519-donna.c output[9] = 2 * (((limb) ((s32) in[4])) * ((s32) in[5]) + limb 271 crypto/curve25519-donna.c ((limb) ((s32) in[3])) * ((s32) in[6]) + limb 272 crypto/curve25519-donna.c ((limb) ((s32) in[2])) * ((s32) in[7]) + limb 273 crypto/curve25519-donna.c ((limb) ((s32) in[1])) * ((s32) in[8]) + limb 274 crypto/curve25519-donna.c ((limb) ((s32) in[0])) * ((s32) in[9])); limb 275 crypto/curve25519-donna.c output[10] = 2 * (((limb) ((s32) in[5])) * ((s32) in[5]) + limb 276 crypto/curve25519-donna.c ((limb) ((s32) in[4])) * ((s32) in[6]) + limb 277 crypto/curve25519-donna.c ((limb) ((s32) in[2])) * ((s32) in[8]) + limb 278 crypto/curve25519-donna.c 2 * (((limb) ((s32) in[3])) * ((s32) in[7]) + limb 279 crypto/curve25519-donna.c ((limb) ((s32) in[1])) * ((s32) in[9]))); limb 280 crypto/curve25519-donna.c output[11] = 2 * (((limb) ((s32) in[5])) * ((s32) in[6]) + limb 281 crypto/curve25519-donna.c ((limb) ((s32) in[4])) * ((s32) in[7]) + limb 282 crypto/curve25519-donna.c ((limb) ((s32) in[3])) * ((s32) in[8]) + limb 283 crypto/curve25519-donna.c ((limb) ((s32) in[2])) * ((s32) in[9])); limb 284 crypto/curve25519-donna.c output[12] = ((limb) ((s32) in[6])) * ((s32) in[6]) + limb 285 crypto/curve25519-donna.c 2 * (((limb) ((s32) in[4])) * ((s32) in[8]) + limb 286 crypto/curve25519-donna.c 2 * (((limb) ((s32) in[5])) * ((s32) in[7]) + limb 287 crypto/curve25519-donna.c ((limb) ((s32) in[3])) * ((s32) in[9]))); limb 288 crypto/curve25519-donna.c output[13] = 2 * (((limb) ((s32) in[6])) * ((s32) in[7]) + limb 289 crypto/curve25519-donna.c ((limb) ((s32) in[5])) * ((s32) in[8]) + limb 290 crypto/curve25519-donna.c ((limb) ((s32) in[4])) * ((s32) in[9])); limb 291 crypto/curve25519-donna.c output[14] = 2 * (((limb) ((s32) in[7])) * ((s32) in[7]) + limb 292 crypto/curve25519-donna.c ((limb) ((s32) in[6])) * ((s32) in[8]) + limb 293 crypto/curve25519-donna.c 2 * ((limb) ((s32) in[5])) * ((s32) in[9])); limb 294 crypto/curve25519-donna.c output[15] = 2 * (((limb) ((s32) in[7])) * ((s32) in[8]) + limb 295 crypto/curve25519-donna.c ((limb) ((s32) in[6])) * ((s32) in[9])); limb 296 crypto/curve25519-donna.c output[16] = ((limb) ((s32) in[8])) * ((s32) in[8]) + limb 297 crypto/curve25519-donna.c 4 * ((limb) ((s32) in[7])) * ((s32) in[9]); limb 298 crypto/curve25519-donna.c output[17] = 2 * ((limb) ((s32) in[8])) * ((s32) in[9]); limb 299 crypto/curve25519-donna.c output[18] = 2 * ((limb) ((s32) in[9])) * ((s32) in[9]); limb 303 crypto/curve25519-donna.c fsquare(limb *output, const limb *in) { limb 304 crypto/curve25519-donna.c limb t[19]; limb 308 crypto/curve25519-donna.c memcpy(output, t, sizeof(limb) * 10); limb 313 crypto/curve25519-donna.c fexpand(limb *output, const u8 *input) { limb 315 crypto/curve25519-donna.c output[n] = ((((limb) input[start + 0]) | \ limb 316 crypto/curve25519-donna.c ((limb) input[start + 1]) << 8 | \ limb 317 crypto/curve25519-donna.c ((limb) input[start + 2]) << 16 | \ limb 318 crypto/curve25519-donna.c ((limb) input[start + 3]) << 24) >> shift) & mask; limb 336 crypto/curve25519-donna.c fcontract(u8 *output, limb *input) { limb 396 crypto/curve25519-donna.c static void fmonty(limb *x2, limb *z2, /* output 2Q */ limb 397 crypto/curve25519-donna.c limb *x3, limb *z3, /* output Q + Q' */ limb 398 crypto/curve25519-donna.c limb *x, limb *z, /* input Q */ limb 399 crypto/curve25519-donna.c limb *xprime, limb *zprime, /* input Q' */ limb 400 crypto/curve25519-donna.c const limb *qmqp /* input Q - Q' */) { limb 401 crypto/curve25519-donna.c limb origx[10], origxprime[10], zzz[19], xx[19], zz[19], xxprime[19], limb 404 crypto/curve25519-donna.c memcpy(origx, x, 10 * sizeof(limb)); limb 408 crypto/curve25519-donna.c memcpy(origxprime, xprime, sizeof(limb) * 10); limb 417 crypto/curve25519-donna.c memcpy(origxprime, xxprime, sizeof(limb) * 10); limb 425 crypto/curve25519-donna.c memcpy(x3, xxxprime, sizeof(limb) * 10); limb 426 crypto/curve25519-donna.c memcpy(z3, zzprime, sizeof(limb) * 10); limb 434 crypto/curve25519-donna.c memset(zzz + 10, 0, sizeof(limb) * 9); limb 451 crypto/curve25519-donna.c cmult(limb *resultx, limb *resultz, const u8 *n, const limb *q) { limb 452 crypto/curve25519-donna.c limb a[19] = {0}, b[19] = {1}, c[19] = {1}, d[19] = {0}; limb 453 crypto/curve25519-donna.c limb *nqpqx = a, *nqpqz = b, *nqx = c, *nqz = d, *t; limb 454 crypto/curve25519-donna.c limb e[19] = {0}, f[19] = {1}, g[19] = {0}, h[19] = {1}; limb 455 crypto/curve25519-donna.c limb *nqpqx2 = e, *nqpqz2 = f, *nqx2 = g, *nqz2 = h; limb 459 crypto/curve25519-donna.c memcpy(nqpqx, q, sizeof(limb) * 10); limb 495 crypto/curve25519-donna.c memcpy(resultx, nqx, sizeof(limb) * 10); limb 496 crypto/curve25519-donna.c memcpy(resultz, nqz, sizeof(limb) * 10); limb 503 crypto/curve25519-donna.c crecip(limb *out, const limb *z) { limb 504 crypto/curve25519-donna.c limb z2[10]; limb 505 crypto/curve25519-donna.c limb z9[10]; limb 506 crypto/curve25519-donna.c limb z11[10]; limb 507 crypto/curve25519-donna.c limb z2_5_0[10]; limb 508 crypto/curve25519-donna.c limb z2_10_0[10]; limb 509 crypto/curve25519-donna.c limb z2_20_0[10]; limb 510 crypto/curve25519-donna.c limb z2_50_0[10]; limb 511 crypto/curve25519-donna.c limb z2_100_0[10]; limb 512 crypto/curve25519-donna.c limb t0[10]; limb 513 crypto/curve25519-donna.c limb t1[10]; limb 577 crypto/curve25519-donna.c limb bp[10], x[10], z[10], zmone[10];