Curve25519.php (134754B)
1 <?php 2 3 if (class_exists('ParagonIE_Sodium_Core32_Curve25519', false)) { 4 return; 5 } 6 7 /** 8 * Class ParagonIE_Sodium_Core32_Curve25519 9 * 10 * Implements Curve25519 core functions 11 * 12 * Based on the ref10 curve25519 code provided by libsodium 13 * 14 * @ref https://github.com/jedisct1/libsodium/blob/master/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c 15 */ 16 abstract class ParagonIE_Sodium_Core32_Curve25519 extends ParagonIE_Sodium_Core32_Curve25519_H 17 { 18 /** 19 * Get a field element of size 10 with a value of 0 20 * 21 * @internal You should not use this directly from another application 22 * 23 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 24 * @throws SodiumException 25 * @throws TypeError 26 */ 27 public static function fe_0() 28 { 29 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 30 array( 31 new ParagonIE_Sodium_Core32_Int32(), 32 new ParagonIE_Sodium_Core32_Int32(), 33 new ParagonIE_Sodium_Core32_Int32(), 34 new ParagonIE_Sodium_Core32_Int32(), 35 new ParagonIE_Sodium_Core32_Int32(), 36 new ParagonIE_Sodium_Core32_Int32(), 37 new ParagonIE_Sodium_Core32_Int32(), 38 new ParagonIE_Sodium_Core32_Int32(), 39 new ParagonIE_Sodium_Core32_Int32(), 40 new ParagonIE_Sodium_Core32_Int32() 41 ) 42 ); 43 } 44 45 /** 46 * Get a field element of size 10 with a value of 1 47 * 48 * @internal You should not use this directly from another application 49 * 50 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 51 * @throws SodiumException 52 * @throws TypeError 53 */ 54 public static function fe_1() 55 { 56 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 57 array( 58 ParagonIE_Sodium_Core32_Int32::fromInt(1), 59 new ParagonIE_Sodium_Core32_Int32(), 60 new ParagonIE_Sodium_Core32_Int32(), 61 new ParagonIE_Sodium_Core32_Int32(), 62 new ParagonIE_Sodium_Core32_Int32(), 63 new ParagonIE_Sodium_Core32_Int32(), 64 new ParagonIE_Sodium_Core32_Int32(), 65 new ParagonIE_Sodium_Core32_Int32(), 66 new ParagonIE_Sodium_Core32_Int32(), 67 new ParagonIE_Sodium_Core32_Int32() 68 ) 69 ); 70 } 71 72 /** 73 * Add two field elements. 74 * 75 * @internal You should not use this directly from another application 76 * 77 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 78 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $g 79 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 80 * @throws SodiumException 81 * @throws TypeError 82 * @psalm-suppress MixedAssignment 83 * @psalm-suppress MixedMethodCall 84 */ 85 public static function fe_add( 86 ParagonIE_Sodium_Core32_Curve25519_Fe $f, 87 ParagonIE_Sodium_Core32_Curve25519_Fe $g 88 ) { 89 $arr = array(); 90 for ($i = 0; $i < 10; ++$i) { 91 $arr[$i] = $f[$i]->addInt32($g[$i]); 92 } 93 /** @var array<int, ParagonIE_Sodium_Core32_Int32> $arr */ 94 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray($arr); 95 } 96 97 /** 98 * Constant-time conditional move. 99 * 100 * @internal You should not use this directly from another application 101 * 102 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 103 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $g 104 * @param int $b 105 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 106 * @throws SodiumException 107 * @throws TypeError 108 * @psalm-suppress MixedAssignment 109 * @psalm-suppress MixedMethodCall 110 */ 111 public static function fe_cmov( 112 ParagonIE_Sodium_Core32_Curve25519_Fe $f, 113 ParagonIE_Sodium_Core32_Curve25519_Fe $g, 114 $b = 0 115 ) { 116 /** @var array<int, ParagonIE_Sodium_Core32_Int32> $h */ 117 $h = array(); 118 for ($i = 0; $i < 10; ++$i) { 119 if (!($f[$i] instanceof ParagonIE_Sodium_Core32_Int32)) { 120 throw new TypeError('Expected Int32'); 121 } 122 if (!($g[$i] instanceof ParagonIE_Sodium_Core32_Int32)) { 123 throw new TypeError('Expected Int32'); 124 } 125 $h[$i] = $f[$i]->xorInt32( 126 $f[$i]->xorInt32($g[$i])->mask($b) 127 ); 128 } 129 /** @var array<int, ParagonIE_Sodium_Core32_Int32> $h */ 130 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray($h); 131 } 132 133 /** 134 * Create a copy of a field element. 135 * 136 * @internal You should not use this directly from another application 137 * 138 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 139 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 140 */ 141 public static function fe_copy(ParagonIE_Sodium_Core32_Curve25519_Fe $f) 142 { 143 $h = clone $f; 144 return $h; 145 } 146 147 /** 148 * Give: 32-byte string. 149 * Receive: A field element object to use for internal calculations. 150 * 151 * @internal You should not use this directly from another application 152 * 153 * @param string $s 154 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 155 * @throws RangeException 156 * @throws SodiumException 157 * @throws TypeError 158 * @psalm-suppress MixedMethodCall 159 */ 160 public static function fe_frombytes($s) 161 { 162 if (self::strlen($s) !== 32) { 163 throw new RangeException('Expected a 32-byte string.'); 164 } 165 /** @var ParagonIE_Sodium_Core32_Int32 $h0 */ 166 $h0 = ParagonIE_Sodium_Core32_Int32::fromInt( 167 self::load_4($s) 168 ); 169 /** @var ParagonIE_Sodium_Core32_Int32 $h1 */ 170 $h1 = ParagonIE_Sodium_Core32_Int32::fromInt( 171 self::load_3(self::substr($s, 4, 3)) << 6 172 ); 173 /** @var ParagonIE_Sodium_Core32_Int32 $h2 */ 174 $h2 = ParagonIE_Sodium_Core32_Int32::fromInt( 175 self::load_3(self::substr($s, 7, 3)) << 5 176 ); 177 /** @var ParagonIE_Sodium_Core32_Int32 $h3 */ 178 $h3 = ParagonIE_Sodium_Core32_Int32::fromInt( 179 self::load_3(self::substr($s, 10, 3)) << 3 180 ); 181 /** @var ParagonIE_Sodium_Core32_Int32 $h4 */ 182 $h4 = ParagonIE_Sodium_Core32_Int32::fromInt( 183 self::load_3(self::substr($s, 13, 3)) << 2 184 ); 185 /** @var ParagonIE_Sodium_Core32_Int32 $h5 */ 186 $h5 = ParagonIE_Sodium_Core32_Int32::fromInt( 187 self::load_4(self::substr($s, 16, 4)) 188 ); 189 /** @var ParagonIE_Sodium_Core32_Int32 $h6 */ 190 $h6 = ParagonIE_Sodium_Core32_Int32::fromInt( 191 self::load_3(self::substr($s, 20, 3)) << 7 192 ); 193 /** @var ParagonIE_Sodium_Core32_Int32 $h7 */ 194 $h7 = ParagonIE_Sodium_Core32_Int32::fromInt( 195 self::load_3(self::substr($s, 23, 3)) << 5 196 ); 197 /** @var ParagonIE_Sodium_Core32_Int32 $h8 */ 198 $h8 = ParagonIE_Sodium_Core32_Int32::fromInt( 199 self::load_3(self::substr($s, 26, 3)) << 4 200 ); 201 /** @var ParagonIE_Sodium_Core32_Int32 $h9 */ 202 $h9 = ParagonIE_Sodium_Core32_Int32::fromInt( 203 (self::load_3(self::substr($s, 29, 3)) & 8388607) << 2 204 ); 205 206 $carry9 = $h9->addInt(1 << 24)->shiftRight(25); 207 $h0 = $h0->addInt32($carry9->mulInt(19, 5)); 208 $h9 = $h9->subInt32($carry9->shiftLeft(25)); 209 210 $carry1 = $h1->addInt(1 << 24)->shiftRight(25); 211 $h2 = $h2->addInt32($carry1); 212 $h1 = $h1->subInt32($carry1->shiftLeft(25)); 213 214 $carry3 = $h3->addInt(1 << 24)->shiftRight(25); 215 $h4 = $h4->addInt32($carry3); 216 $h3 = $h3->subInt32($carry3->shiftLeft(25)); 217 218 $carry5 = $h5->addInt(1 << 24)->shiftRight(25); 219 $h6 = $h6->addInt32($carry5); 220 $h5 = $h5->subInt32($carry5->shiftLeft(25)); 221 222 $carry7 = $h7->addInt(1 << 24)->shiftRight(25); 223 $h8 = $h8->addInt32($carry7); 224 $h7 = $h7->subInt32($carry7->shiftLeft(25)); 225 226 $carry0 = $h0->addInt(1 << 25)->shiftRight(26); 227 $h1 = $h1->addInt32($carry0); 228 $h0 = $h0->subInt32($carry0->shiftLeft(26)); 229 230 $carry2 = $h2->addInt(1 << 25)->shiftRight(26); 231 $h3 = $h3->addInt32($carry2); 232 $h2 = $h2->subInt32($carry2->shiftLeft(26)); 233 234 $carry4 = $h4->addInt(1 << 25)->shiftRight(26); 235 $h5 = $h5->addInt32($carry4); 236 $h4 = $h4->subInt32($carry4->shiftLeft(26)); 237 238 $carry6 = $h6->addInt(1 << 25)->shiftRight(26); 239 $h7 = $h7->addInt32($carry6); 240 $h6 = $h6->subInt32($carry6->shiftLeft(26)); 241 242 $carry8 = $h8->addInt(1 << 25)->shiftRight(26); 243 $h9 = $h9->addInt32($carry8); 244 $h8 = $h8->subInt32($carry8->shiftLeft(26)); 245 246 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 247 array($h0, $h1, $h2,$h3, $h4, $h5, $h6, $h7, $h8, $h9) 248 ); 249 } 250 251 /** 252 * Convert a field element to a byte string. 253 * 254 * @internal You should not use this directly from another application 255 * 256 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $h 257 * @return string 258 * @throws SodiumException 259 * @throws TypeError 260 * @psalm-suppress MixedAssignment 261 * @psalm-suppress MixedMethodCall 262 */ 263 public static function fe_tobytes(ParagonIE_Sodium_Core32_Curve25519_Fe $h) 264 { 265 /** 266 * @var ParagonIE_Sodium_Core32_Int64[] $f 267 * @var ParagonIE_Sodium_Core32_Int64 $q 268 */ 269 $f = array(); 270 271 for ($i = 0; $i < 10; ++$i) { 272 $f[$i] = $h[$i]->toInt64(); 273 } 274 275 $q = $f[9]->mulInt(19, 5)->addInt(1 << 14)->shiftRight(25) 276 ->addInt64($f[0])->shiftRight(26) 277 ->addInt64($f[1])->shiftRight(25) 278 ->addInt64($f[2])->shiftRight(26) 279 ->addInt64($f[3])->shiftRight(25) 280 ->addInt64($f[4])->shiftRight(26) 281 ->addInt64($f[5])->shiftRight(25) 282 ->addInt64($f[6])->shiftRight(26) 283 ->addInt64($f[7])->shiftRight(25) 284 ->addInt64($f[8])->shiftRight(26) 285 ->addInt64($f[9])->shiftRight(25); 286 287 $f[0] = $f[0]->addInt64($q->mulInt(19, 5)); 288 289 $carry0 = $f[0]->shiftRight(26); 290 $f[1] = $f[1]->addInt64($carry0); 291 $f[0] = $f[0]->subInt64($carry0->shiftLeft(26)); 292 293 $carry1 = $f[1]->shiftRight(25); 294 $f[2] = $f[2]->addInt64($carry1); 295 $f[1] = $f[1]->subInt64($carry1->shiftLeft(25)); 296 297 $carry2 = $f[2]->shiftRight(26); 298 $f[3] = $f[3]->addInt64($carry2); 299 $f[2] = $f[2]->subInt64($carry2->shiftLeft(26)); 300 301 $carry3 = $f[3]->shiftRight(25); 302 $f[4] = $f[4]->addInt64($carry3); 303 $f[3] = $f[3]->subInt64($carry3->shiftLeft(25)); 304 305 $carry4 = $f[4]->shiftRight(26); 306 $f[5] = $f[5]->addInt64($carry4); 307 $f[4] = $f[4]->subInt64($carry4->shiftLeft(26)); 308 309 $carry5 = $f[5]->shiftRight(25); 310 $f[6] = $f[6]->addInt64($carry5); 311 $f[5] = $f[5]->subInt64($carry5->shiftLeft(25)); 312 313 $carry6 = $f[6]->shiftRight(26); 314 $f[7] = $f[7]->addInt64($carry6); 315 $f[6] = $f[6]->subInt64($carry6->shiftLeft(26)); 316 317 $carry7 = $f[7]->shiftRight(25); 318 $f[8] = $f[8]->addInt64($carry7); 319 $f[7] = $f[7]->subInt64($carry7->shiftLeft(25)); 320 321 $carry8 = $f[8]->shiftRight(26); 322 $f[9] = $f[9]->addInt64($carry8); 323 $f[8] = $f[8]->subInt64($carry8->shiftLeft(26)); 324 325 $carry9 = $f[9]->shiftRight(25); 326 $f[9] = $f[9]->subInt64($carry9->shiftLeft(25)); 327 328 /** @var int $h0 */ 329 $h0 = $f[0]->toInt32()->toInt(); 330 /** @var int $h1 */ 331 $h1 = $f[1]->toInt32()->toInt(); 332 /** @var int $h2 */ 333 $h2 = $f[2]->toInt32()->toInt(); 334 /** @var int $h3 */ 335 $h3 = $f[3]->toInt32()->toInt(); 336 /** @var int $h4 */ 337 $h4 = $f[4]->toInt32()->toInt(); 338 /** @var int $h5 */ 339 $h5 = $f[5]->toInt32()->toInt(); 340 /** @var int $h6 */ 341 $h6 = $f[6]->toInt32()->toInt(); 342 /** @var int $h7 */ 343 $h7 = $f[7]->toInt32()->toInt(); 344 /** @var int $h8 */ 345 $h8 = $f[8]->toInt32()->toInt(); 346 /** @var int $h9 */ 347 $h9 = $f[9]->toInt32()->toInt(); 348 349 /** 350 * @var array<int, int> 351 */ 352 $s = array( 353 (int) (($h0 >> 0) & 0xff), 354 (int) (($h0 >> 8) & 0xff), 355 (int) (($h0 >> 16) & 0xff), 356 (int) ((($h0 >> 24) | ($h1 << 2)) & 0xff), 357 (int) (($h1 >> 6) & 0xff), 358 (int) (($h1 >> 14) & 0xff), 359 (int) ((($h1 >> 22) | ($h2 << 3)) & 0xff), 360 (int) (($h2 >> 5) & 0xff), 361 (int) (($h2 >> 13) & 0xff), 362 (int) ((($h2 >> 21) | ($h3 << 5)) & 0xff), 363 (int) (($h3 >> 3) & 0xff), 364 (int) (($h3 >> 11) & 0xff), 365 (int) ((($h3 >> 19) | ($h4 << 6)) & 0xff), 366 (int) (($h4 >> 2) & 0xff), 367 (int) (($h4 >> 10) & 0xff), 368 (int) (($h4 >> 18) & 0xff), 369 (int) (($h5 >> 0) & 0xff), 370 (int) (($h5 >> 8) & 0xff), 371 (int) (($h5 >> 16) & 0xff), 372 (int) ((($h5 >> 24) | ($h6 << 1)) & 0xff), 373 (int) (($h6 >> 7) & 0xff), 374 (int) (($h6 >> 15) & 0xff), 375 (int) ((($h6 >> 23) | ($h7 << 3)) & 0xff), 376 (int) (($h7 >> 5) & 0xff), 377 (int) (($h7 >> 13) & 0xff), 378 (int) ((($h7 >> 21) | ($h8 << 4)) & 0xff), 379 (int) (($h8 >> 4) & 0xff), 380 (int) (($h8 >> 12) & 0xff), 381 (int) ((($h8 >> 20) | ($h9 << 6)) & 0xff), 382 (int) (($h9 >> 2) & 0xff), 383 (int) (($h9 >> 10) & 0xff), 384 (int) (($h9 >> 18) & 0xff) 385 ); 386 return self::intArrayToString($s); 387 } 388 389 /** 390 * Is a field element negative? (1 = yes, 0 = no. Used in calculations.) 391 * 392 * @internal You should not use this directly from another application 393 * 394 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 395 * @return int 396 * @throws SodiumException 397 * @throws TypeError 398 */ 399 public static function fe_isnegative(ParagonIE_Sodium_Core32_Curve25519_Fe $f) 400 { 401 $str = self::fe_tobytes($f); 402 return (int) (self::chrToInt($str[0]) & 1); 403 } 404 405 /** 406 * Returns 0 if this field element results in all NUL bytes. 407 * 408 * @internal You should not use this directly from another application 409 * 410 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 411 * @return bool 412 * @throws SodiumException 413 * @throws TypeError 414 */ 415 public static function fe_isnonzero(ParagonIE_Sodium_Core32_Curve25519_Fe $f) 416 { 417 static $zero; 418 if ($zero === null) { 419 $zero = str_repeat("\x00", 32); 420 } 421 /** @var string $str */ 422 $str = self::fe_tobytes($f); 423 /** @var string $zero */ 424 return !self::verify_32($str, $zero); 425 } 426 427 /** 428 * Multiply two field elements 429 * 430 * h = f * g 431 * 432 * @internal You should not use this directly from another application 433 * 434 * @security Is multiplication a source of timing leaks? If so, can we do 435 * anything to prevent that from happening? 436 * 437 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 438 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $g 439 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 440 * @throws SodiumException 441 * @throws TypeError 442 */ 443 public static function fe_mul( 444 ParagonIE_Sodium_Core32_Curve25519_Fe $f, 445 ParagonIE_Sodium_Core32_Curve25519_Fe $g 446 ) { 447 /** 448 * @var ParagonIE_Sodium_Core32_Int32[] $f 449 * @var ParagonIE_Sodium_Core32_Int32[] $g 450 * @var ParagonIE_Sodium_Core32_Int64 $f0 451 * @var ParagonIE_Sodium_Core32_Int64 $f1 452 * @var ParagonIE_Sodium_Core32_Int64 $f2 453 * @var ParagonIE_Sodium_Core32_Int64 $f3 454 * @var ParagonIE_Sodium_Core32_Int64 $f4 455 * @var ParagonIE_Sodium_Core32_Int64 $f5 456 * @var ParagonIE_Sodium_Core32_Int64 $f6 457 * @var ParagonIE_Sodium_Core32_Int64 $f7 458 * @var ParagonIE_Sodium_Core32_Int64 $f8 459 * @var ParagonIE_Sodium_Core32_Int64 $f9 460 * @var ParagonIE_Sodium_Core32_Int64 $g0 461 * @var ParagonIE_Sodium_Core32_Int64 $g1 462 * @var ParagonIE_Sodium_Core32_Int64 $g2 463 * @var ParagonIE_Sodium_Core32_Int64 $g3 464 * @var ParagonIE_Sodium_Core32_Int64 $g4 465 * @var ParagonIE_Sodium_Core32_Int64 $g5 466 * @var ParagonIE_Sodium_Core32_Int64 $g6 467 * @var ParagonIE_Sodium_Core32_Int64 $g7 468 * @var ParagonIE_Sodium_Core32_Int64 $g8 469 * @var ParagonIE_Sodium_Core32_Int64 $g9 470 */ 471 $f0 = $f[0]->toInt64(); 472 $f1 = $f[1]->toInt64(); 473 $f2 = $f[2]->toInt64(); 474 $f3 = $f[3]->toInt64(); 475 $f4 = $f[4]->toInt64(); 476 $f5 = $f[5]->toInt64(); 477 $f6 = $f[6]->toInt64(); 478 $f7 = $f[7]->toInt64(); 479 $f8 = $f[8]->toInt64(); 480 $f9 = $f[9]->toInt64(); 481 $g0 = $g[0]->toInt64(); 482 $g1 = $g[1]->toInt64(); 483 $g2 = $g[2]->toInt64(); 484 $g3 = $g[3]->toInt64(); 485 $g4 = $g[4]->toInt64(); 486 $g5 = $g[5]->toInt64(); 487 $g6 = $g[6]->toInt64(); 488 $g7 = $g[7]->toInt64(); 489 $g8 = $g[8]->toInt64(); 490 $g9 = $g[9]->toInt64(); 491 $g1_19 = $g1->mulInt(19, 5); /* 2^4 <= 19 <= 2^5, but we only want 5 bits */ 492 $g2_19 = $g2->mulInt(19, 5); 493 $g3_19 = $g3->mulInt(19, 5); 494 $g4_19 = $g4->mulInt(19, 5); 495 $g5_19 = $g5->mulInt(19, 5); 496 $g6_19 = $g6->mulInt(19, 5); 497 $g7_19 = $g7->mulInt(19, 5); 498 $g8_19 = $g8->mulInt(19, 5); 499 $g9_19 = $g9->mulInt(19, 5); 500 /** @var ParagonIE_Sodium_Core32_Int64 $f1_2 */ 501 $f1_2 = $f1->shiftLeft(1); 502 /** @var ParagonIE_Sodium_Core32_Int64 $f3_2 */ 503 $f3_2 = $f3->shiftLeft(1); 504 /** @var ParagonIE_Sodium_Core32_Int64 $f5_2 */ 505 $f5_2 = $f5->shiftLeft(1); 506 /** @var ParagonIE_Sodium_Core32_Int64 $f7_2 */ 507 $f7_2 = $f7->shiftLeft(1); 508 /** @var ParagonIE_Sodium_Core32_Int64 $f9_2 */ 509 $f9_2 = $f9->shiftLeft(1); 510 $f0g0 = $f0->mulInt64($g0, 27); 511 $f0g1 = $f0->mulInt64($g1, 27); 512 $f0g2 = $f0->mulInt64($g2, 27); 513 $f0g3 = $f0->mulInt64($g3, 27); 514 $f0g4 = $f0->mulInt64($g4, 27); 515 $f0g5 = $f0->mulInt64($g5, 27); 516 $f0g6 = $f0->mulInt64($g6, 27); 517 $f0g7 = $f0->mulInt64($g7, 27); 518 $f0g8 = $f0->mulInt64($g8, 27); 519 $f0g9 = $f0->mulInt64($g9, 27); 520 $f1g0 = $f1->mulInt64($g0, 27); 521 $f1g1_2 = $f1_2->mulInt64($g1, 27); 522 $f1g2 = $f1->mulInt64($g2, 27); 523 $f1g3_2 = $f1_2->mulInt64($g3, 27); 524 $f1g4 = $f1->mulInt64($g4, 30); 525 $f1g5_2 = $f1_2->mulInt64($g5, 30); 526 $f1g6 = $f1->mulInt64($g6, 30); 527 $f1g7_2 = $f1_2->mulInt64($g7, 30); 528 $f1g8 = $f1->mulInt64($g8, 30); 529 $f1g9_38 = $g9_19->mulInt64($f1_2, 30); 530 $f2g0 = $f2->mulInt64($g0, 30); 531 $f2g1 = $f2->mulInt64($g1, 29); 532 $f2g2 = $f2->mulInt64($g2, 30); 533 $f2g3 = $f2->mulInt64($g3, 29); 534 $f2g4 = $f2->mulInt64($g4, 30); 535 $f2g5 = $f2->mulInt64($g5, 29); 536 $f2g6 = $f2->mulInt64($g6, 30); 537 $f2g7 = $f2->mulInt64($g7, 29); 538 $f2g8_19 = $g8_19->mulInt64($f2, 30); 539 $f2g9_19 = $g9_19->mulInt64($f2, 30); 540 $f3g0 = $f3->mulInt64($g0, 30); 541 $f3g1_2 = $f3_2->mulInt64($g1, 30); 542 $f3g2 = $f3->mulInt64($g2, 30); 543 $f3g3_2 = $f3_2->mulInt64($g3, 30); 544 $f3g4 = $f3->mulInt64($g4, 30); 545 $f3g5_2 = $f3_2->mulInt64($g5, 30); 546 $f3g6 = $f3->mulInt64($g6, 30); 547 $f3g7_38 = $g7_19->mulInt64($f3_2, 30); 548 $f3g8_19 = $g8_19->mulInt64($f3, 30); 549 $f3g9_38 = $g9_19->mulInt64($f3_2, 30); 550 $f4g0 = $f4->mulInt64($g0, 30); 551 $f4g1 = $f4->mulInt64($g1, 30); 552 $f4g2 = $f4->mulInt64($g2, 30); 553 $f4g3 = $f4->mulInt64($g3, 30); 554 $f4g4 = $f4->mulInt64($g4, 30); 555 $f4g5 = $f4->mulInt64($g5, 30); 556 $f4g6_19 = $g6_19->mulInt64($f4, 30); 557 $f4g7_19 = $g7_19->mulInt64($f4, 30); 558 $f4g8_19 = $g8_19->mulInt64($f4, 30); 559 $f4g9_19 = $g9_19->mulInt64($f4, 30); 560 $f5g0 = $f5->mulInt64($g0, 30); 561 $f5g1_2 = $f5_2->mulInt64($g1, 30); 562 $f5g2 = $f5->mulInt64($g2, 30); 563 $f5g3_2 = $f5_2->mulInt64($g3, 30); 564 $f5g4 = $f5->mulInt64($g4, 30); 565 $f5g5_38 = $g5_19->mulInt64($f5_2, 30); 566 $f5g6_19 = $g6_19->mulInt64($f5, 30); 567 $f5g7_38 = $g7_19->mulInt64($f5_2, 30); 568 $f5g8_19 = $g8_19->mulInt64($f5, 30); 569 $f5g9_38 = $g9_19->mulInt64($f5_2, 30); 570 $f6g0 = $f6->mulInt64($g0, 30); 571 $f6g1 = $f6->mulInt64($g1, 30); 572 $f6g2 = $f6->mulInt64($g2, 30); 573 $f6g3 = $f6->mulInt64($g3, 30); 574 $f6g4_19 = $g4_19->mulInt64($f6, 30); 575 $f6g5_19 = $g5_19->mulInt64($f6, 30); 576 $f6g6_19 = $g6_19->mulInt64($f6, 30); 577 $f6g7_19 = $g7_19->mulInt64($f6, 30); 578 $f6g8_19 = $g8_19->mulInt64($f6, 30); 579 $f6g9_19 = $g9_19->mulInt64($f6, 30); 580 $f7g0 = $f7->mulInt64($g0, 30); 581 $f7g1_2 = $g1->mulInt64($f7_2, 30); 582 $f7g2 = $f7->mulInt64($g2, 30); 583 $f7g3_38 = $g3_19->mulInt64($f7_2, 30); 584 $f7g4_19 = $g4_19->mulInt64($f7, 30); 585 $f7g5_38 = $g5_19->mulInt64($f7_2, 30); 586 $f7g6_19 = $g6_19->mulInt64($f7, 30); 587 $f7g7_38 = $g7_19->mulInt64($f7_2, 30); 588 $f7g8_19 = $g8_19->mulInt64($f7, 30); 589 $f7g9_38 = $g9_19->mulInt64($f7_2, 30); 590 $f8g0 = $f8->mulInt64($g0, 30); 591 $f8g1 = $f8->mulInt64($g1, 29); 592 $f8g2_19 = $g2_19->mulInt64($f8, 30); 593 $f8g3_19 = $g3_19->mulInt64($f8, 30); 594 $f8g4_19 = $g4_19->mulInt64($f8, 30); 595 $f8g5_19 = $g5_19->mulInt64($f8, 30); 596 $f8g6_19 = $g6_19->mulInt64($f8, 30); 597 $f8g7_19 = $g7_19->mulInt64($f8, 30); 598 $f8g8_19 = $g8_19->mulInt64($f8, 30); 599 $f8g9_19 = $g9_19->mulInt64($f8, 30); 600 $f9g0 = $f9->mulInt64($g0, 30); 601 $f9g1_38 = $g1_19->mulInt64($f9_2, 30); 602 $f9g2_19 = $g2_19->mulInt64($f9, 30); 603 $f9g3_38 = $g3_19->mulInt64($f9_2, 30); 604 $f9g4_19 = $g4_19->mulInt64($f9, 30); 605 $f9g5_38 = $g5_19->mulInt64($f9_2, 30); 606 $f9g6_19 = $g6_19->mulInt64($f9, 30); 607 $f9g7_38 = $g7_19->mulInt64($f9_2, 30); 608 $f9g8_19 = $g8_19->mulInt64($f9, 30); 609 $f9g9_38 = $g9_19->mulInt64($f9_2, 30); 610 611 // $h0 = $f0g0 + $f1g9_38 + $f2g8_19 + $f3g7_38 + $f4g6_19 + $f5g5_38 + $f6g4_19 + $f7g3_38 + $f8g2_19 + $f9g1_38; 612 $h0 = $f0g0->addInt64($f1g9_38)->addInt64($f2g8_19)->addInt64($f3g7_38) 613 ->addInt64($f4g6_19)->addInt64($f5g5_38)->addInt64($f6g4_19) 614 ->addInt64($f7g3_38)->addInt64($f8g2_19)->addInt64($f9g1_38); 615 616 // $h1 = $f0g1 + $f1g0 + $f2g9_19 + $f3g8_19 + $f4g7_19 + $f5g6_19 + $f6g5_19 + $f7g4_19 + $f8g3_19 + $f9g2_19; 617 $h1 = $f0g1->addInt64($f1g0)->addInt64($f2g9_19)->addInt64($f3g8_19) 618 ->addInt64($f4g7_19)->addInt64($f5g6_19)->addInt64($f6g5_19) 619 ->addInt64($f7g4_19)->addInt64($f8g3_19)->addInt64($f9g2_19); 620 621 // $h2 = $f0g2 + $f1g1_2 + $f2g0 + $f3g9_38 + $f4g8_19 + $f5g7_38 + $f6g6_19 + $f7g5_38 + $f8g4_19 + $f9g3_38; 622 $h2 = $f0g2->addInt64($f1g1_2)->addInt64($f2g0)->addInt64($f3g9_38) 623 ->addInt64($f4g8_19)->addInt64($f5g7_38)->addInt64($f6g6_19) 624 ->addInt64($f7g5_38)->addInt64($f8g4_19)->addInt64($f9g3_38); 625 626 // $h3 = $f0g3 + $f1g2 + $f2g1 + $f3g0 + $f4g9_19 + $f5g8_19 + $f6g7_19 + $f7g6_19 + $f8g5_19 + $f9g4_19; 627 $h3 = $f0g3->addInt64($f1g2)->addInt64($f2g1)->addInt64($f3g0) 628 ->addInt64($f4g9_19)->addInt64($f5g8_19)->addInt64($f6g7_19) 629 ->addInt64($f7g6_19)->addInt64($f8g5_19)->addInt64($f9g4_19); 630 631 // $h4 = $f0g4 + $f1g3_2 + $f2g2 + $f3g1_2 + $f4g0 + $f5g9_38 + $f6g8_19 + $f7g7_38 + $f8g6_19 + $f9g5_38; 632 $h4 = $f0g4->addInt64($f1g3_2)->addInt64($f2g2)->addInt64($f3g1_2) 633 ->addInt64($f4g0)->addInt64($f5g9_38)->addInt64($f6g8_19) 634 ->addInt64($f7g7_38)->addInt64($f8g6_19)->addInt64($f9g5_38); 635 636 // $h5 = $f0g5 + $f1g4 + $f2g3 + $f3g2 + $f4g1 + $f5g0 + $f6g9_19 + $f7g8_19 + $f8g7_19 + $f9g6_19; 637 $h5 = $f0g5->addInt64($f1g4)->addInt64($f2g3)->addInt64($f3g2) 638 ->addInt64($f4g1)->addInt64($f5g0)->addInt64($f6g9_19) 639 ->addInt64($f7g8_19)->addInt64($f8g7_19)->addInt64($f9g6_19); 640 641 // $h6 = $f0g6 + $f1g5_2 + $f2g4 + $f3g3_2 + $f4g2 + $f5g1_2 + $f6g0 + $f7g9_38 + $f8g8_19 + $f9g7_38; 642 $h6 = $f0g6->addInt64($f1g5_2)->addInt64($f2g4)->addInt64($f3g3_2) 643 ->addInt64($f4g2)->addInt64($f5g1_2)->addInt64($f6g0) 644 ->addInt64($f7g9_38)->addInt64($f8g8_19)->addInt64($f9g7_38); 645 646 // $h7 = $f0g7 + $f1g6 + $f2g5 + $f3g4 + $f4g3 + $f5g2 + $f6g1 + $f7g0 + $f8g9_19 + $f9g8_19; 647 $h7 = $f0g7->addInt64($f1g6)->addInt64($f2g5)->addInt64($f3g4) 648 ->addInt64($f4g3)->addInt64($f5g2)->addInt64($f6g1) 649 ->addInt64($f7g0)->addInt64($f8g9_19)->addInt64($f9g8_19); 650 651 // $h8 = $f0g8 + $f1g7_2 + $f2g6 + $f3g5_2 + $f4g4 + $f5g3_2 + $f6g2 + $f7g1_2 + $f8g0 + $f9g9_38; 652 $h8 = $f0g8->addInt64($f1g7_2)->addInt64($f2g6)->addInt64($f3g5_2) 653 ->addInt64($f4g4)->addInt64($f5g3_2)->addInt64($f6g2) 654 ->addInt64($f7g1_2)->addInt64($f8g0)->addInt64($f9g9_38); 655 656 // $h9 = $f0g9 + $f1g8 + $f2g7 + $f3g6 + $f4g5 + $f5g4 + $f6g3 + $f7g2 + $f8g1 + $f9g0 ; 657 $h9 = $f0g9->addInt64($f1g8)->addInt64($f2g7)->addInt64($f3g6) 658 ->addInt64($f4g5)->addInt64($f5g4)->addInt64($f6g3) 659 ->addInt64($f7g2)->addInt64($f8g1)->addInt64($f9g0); 660 661 /** 662 * @var ParagonIE_Sodium_Core32_Int64 $h0 663 * @var ParagonIE_Sodium_Core32_Int64 $h1 664 * @var ParagonIE_Sodium_Core32_Int64 $h2 665 * @var ParagonIE_Sodium_Core32_Int64 $h3 666 * @var ParagonIE_Sodium_Core32_Int64 $h4 667 * @var ParagonIE_Sodium_Core32_Int64 $h5 668 * @var ParagonIE_Sodium_Core32_Int64 $h6 669 * @var ParagonIE_Sodium_Core32_Int64 $h7 670 * @var ParagonIE_Sodium_Core32_Int64 $h8 671 * @var ParagonIE_Sodium_Core32_Int64 $h9 672 * @var ParagonIE_Sodium_Core32_Int64 $carry0 673 * @var ParagonIE_Sodium_Core32_Int64 $carry1 674 * @var ParagonIE_Sodium_Core32_Int64 $carry2 675 * @var ParagonIE_Sodium_Core32_Int64 $carry3 676 * @var ParagonIE_Sodium_Core32_Int64 $carry4 677 * @var ParagonIE_Sodium_Core32_Int64 $carry5 678 * @var ParagonIE_Sodium_Core32_Int64 $carry6 679 * @var ParagonIE_Sodium_Core32_Int64 $carry7 680 * @var ParagonIE_Sodium_Core32_Int64 $carry8 681 * @var ParagonIE_Sodium_Core32_Int64 $carry9 682 */ 683 $carry0 = $h0->addInt(1 << 25)->shiftRight(26); 684 $h1 = $h1->addInt64($carry0); 685 $h0 = $h0->subInt64($carry0->shiftLeft(26)); 686 $carry4 = $h4->addInt(1 << 25)->shiftRight(26); 687 $h5 = $h5->addInt64($carry4); 688 $h4 = $h4->subInt64($carry4->shiftLeft(26)); 689 690 $carry1 = $h1->addInt(1 << 24)->shiftRight(25); 691 $h2 = $h2->addInt64($carry1); 692 $h1 = $h1->subInt64($carry1->shiftLeft(25)); 693 $carry5 = $h5->addInt(1 << 24)->shiftRight(25); 694 $h6 = $h6->addInt64($carry5); 695 $h5 = $h5->subInt64($carry5->shiftLeft(25)); 696 697 $carry2 = $h2->addInt(1 << 25)->shiftRight(26); 698 $h3 = $h3->addInt64($carry2); 699 $h2 = $h2->subInt64($carry2->shiftLeft(26)); 700 $carry6 = $h6->addInt(1 << 25)->shiftRight(26); 701 $h7 = $h7->addInt64($carry6); 702 $h6 = $h6->subInt64($carry6->shiftLeft(26)); 703 704 $carry3 = $h3->addInt(1 << 24)->shiftRight(25); 705 $h4 = $h4->addInt64($carry3); 706 $h3 = $h3->subInt64($carry3->shiftLeft(25)); 707 $carry7 = $h7->addInt(1 << 24)->shiftRight(25); 708 $h8 = $h8->addInt64($carry7); 709 $h7 = $h7->subInt64($carry7->shiftLeft(25)); 710 711 $carry4 = $h4->addInt(1 << 25)->shiftRight(26); 712 $h5 = $h5->addInt64($carry4); 713 $h4 = $h4->subInt64($carry4->shiftLeft(26)); 714 $carry8 = $h8->addInt(1 << 25)->shiftRight(26); 715 $h9 = $h9->addInt64($carry8); 716 $h8 = $h8->subInt64($carry8->shiftLeft(26)); 717 718 $carry9 = $h9->addInt(1 << 24)->shiftRight(25); 719 $h0 = $h0->addInt64($carry9->mulInt(19, 5)); 720 $h9 = $h9->subInt64($carry9->shiftLeft(25)); 721 722 $carry0 = $h0->addInt(1 << 25)->shiftRight(26); 723 $h1 = $h1->addInt64($carry0); 724 $h0 = $h0->subInt64($carry0->shiftLeft(26)); 725 726 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 727 array( 728 $h0->toInt32(), 729 $h1->toInt32(), 730 $h2->toInt32(), 731 $h3->toInt32(), 732 $h4->toInt32(), 733 $h5->toInt32(), 734 $h6->toInt32(), 735 $h7->toInt32(), 736 $h8->toInt32(), 737 $h9->toInt32() 738 ) 739 ); 740 } 741 742 /** 743 * Get the negative values for each piece of the field element. 744 * 745 * h = -f 746 * 747 * @internal You should not use this directly from another application 748 * 749 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 750 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 751 * @psalm-suppress MixedAssignment 752 * @psalm-suppress MixedMethodCall 753 */ 754 public static function fe_neg(ParagonIE_Sodium_Core32_Curve25519_Fe $f) 755 { 756 $h = new ParagonIE_Sodium_Core32_Curve25519_Fe(); 757 for ($i = 0; $i < 10; ++$i) { 758 $h[$i] = $h[$i]->subInt32($f[$i]); 759 } 760 return $h; 761 } 762 763 /** 764 * Square a field element 765 * 766 * h = f * f 767 * 768 * @internal You should not use this directly from another application 769 * 770 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 771 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 772 * @throws SodiumException 773 * @throws TypeError 774 * @psalm-suppress MixedMethodCall 775 */ 776 public static function fe_sq(ParagonIE_Sodium_Core32_Curve25519_Fe $f) 777 { 778 /** @var ParagonIE_Sodium_Core32_Int64 $f0 */ 779 $f0 = $f[0]->toInt64(); 780 /** @var ParagonIE_Sodium_Core32_Int64 $f1 */ 781 $f1 = $f[1]->toInt64(); 782 /** @var ParagonIE_Sodium_Core32_Int64 $f2 */ 783 $f2 = $f[2]->toInt64(); 784 /** @var ParagonIE_Sodium_Core32_Int64 $f3 */ 785 $f3 = $f[3]->toInt64(); 786 /** @var ParagonIE_Sodium_Core32_Int64 $f4 */ 787 $f4 = $f[4]->toInt64(); 788 /** @var ParagonIE_Sodium_Core32_Int64 $f5 */ 789 $f5 = $f[5]->toInt64(); 790 /** @var ParagonIE_Sodium_Core32_Int64 $f6 */ 791 $f6 = $f[6]->toInt64(); 792 /** @var ParagonIE_Sodium_Core32_Int64 $f7 */ 793 $f7 = $f[7]->toInt64(); 794 /** @var ParagonIE_Sodium_Core32_Int64 $f8 */ 795 $f8 = $f[8]->toInt64(); 796 /** @var ParagonIE_Sodium_Core32_Int64 $f9 */ 797 $f9 = $f[9]->toInt64(); 798 799 /** @var ParagonIE_Sodium_Core32_Int64 $f0_2 */ 800 $f0_2 = $f0->shiftLeft(1); 801 $f1_2 = $f1->shiftLeft(1); 802 $f2_2 = $f2->shiftLeft(1); 803 $f3_2 = $f3->shiftLeft(1); 804 $f4_2 = $f4->shiftLeft(1); 805 $f5_2 = $f5->shiftLeft(1); 806 $f6_2 = $f6->shiftLeft(1); 807 $f7_2 = $f7->shiftLeft(1); 808 $f5_38 = $f5->mulInt(38, 6); 809 $f6_19 = $f6->mulInt(19, 5); 810 $f7_38 = $f7->mulInt(38, 6); 811 $f8_19 = $f8->mulInt(19, 5); 812 $f9_38 = $f9->mulInt(38, 6); 813 /** @var ParagonIE_Sodium_Core32_Int64 $f0f0*/ 814 $f0f0 = $f0->mulInt64($f0, 28); 815 $f0f1_2 = $f0_2->mulInt64($f1, 28); 816 $f0f2_2 = $f0_2->mulInt64($f2, 28); 817 $f0f3_2 = $f0_2->mulInt64($f3, 28); 818 $f0f4_2 = $f0_2->mulInt64($f4, 28); 819 $f0f5_2 = $f0_2->mulInt64($f5, 28); 820 $f0f6_2 = $f0_2->mulInt64($f6, 28); 821 $f0f7_2 = $f0_2->mulInt64($f7, 28); 822 $f0f8_2 = $f0_2->mulInt64($f8, 28); 823 $f0f9_2 = $f0_2->mulInt64($f9, 28); 824 825 $f1f1_2 = $f1_2->mulInt64($f1, 28); 826 $f1f2_2 = $f1_2->mulInt64($f2, 28); 827 $f1f3_4 = $f1_2->mulInt64($f3_2, 28); 828 $f1f4_2 = $f1_2->mulInt64($f4, 28); 829 $f1f5_4 = $f1_2->mulInt64($f5_2, 30); 830 $f1f6_2 = $f1_2->mulInt64($f6, 28); 831 $f1f7_4 = $f1_2->mulInt64($f7_2, 28); 832 $f1f8_2 = $f1_2->mulInt64($f8, 28); 833 $f1f9_76 = $f9_38->mulInt64($f1_2, 30); 834 835 $f2f2 = $f2->mulInt64($f2, 28); 836 $f2f3_2 = $f2_2->mulInt64($f3, 28); 837 $f2f4_2 = $f2_2->mulInt64($f4, 28); 838 $f2f5_2 = $f2_2->mulInt64($f5, 28); 839 $f2f6_2 = $f2_2->mulInt64($f6, 28); 840 $f2f7_2 = $f2_2->mulInt64($f7, 28); 841 $f2f8_38 = $f8_19->mulInt64($f2_2, 30); 842 $f2f9_38 = $f9_38->mulInt64($f2, 30); 843 844 $f3f3_2 = $f3_2->mulInt64($f3, 28); 845 $f3f4_2 = $f3_2->mulInt64($f4, 28); 846 $f3f5_4 = $f3_2->mulInt64($f5_2, 30); 847 $f3f6_2 = $f3_2->mulInt64($f6, 28); 848 $f3f7_76 = $f7_38->mulInt64($f3_2, 30); 849 $f3f8_38 = $f8_19->mulInt64($f3_2, 30); 850 $f3f9_76 = $f9_38->mulInt64($f3_2, 30); 851 852 $f4f4 = $f4->mulInt64($f4, 28); 853 $f4f5_2 = $f4_2->mulInt64($f5, 28); 854 $f4f6_38 = $f6_19->mulInt64($f4_2, 30); 855 $f4f7_38 = $f7_38->mulInt64($f4, 30); 856 $f4f8_38 = $f8_19->mulInt64($f4_2, 30); 857 $f4f9_38 = $f9_38->mulInt64($f4, 30); 858 859 $f5f5_38 = $f5_38->mulInt64($f5, 30); 860 $f5f6_38 = $f6_19->mulInt64($f5_2, 30); 861 $f5f7_76 = $f7_38->mulInt64($f5_2, 30); 862 $f5f8_38 = $f8_19->mulInt64($f5_2, 30); 863 $f5f9_76 = $f9_38->mulInt64($f5_2, 30); 864 865 $f6f6_19 = $f6_19->mulInt64($f6, 30); 866 $f6f7_38 = $f7_38->mulInt64($f6, 30); 867 $f6f8_38 = $f8_19->mulInt64($f6_2, 30); 868 $f6f9_38 = $f9_38->mulInt64($f6, 30); 869 870 $f7f7_38 = $f7_38->mulInt64($f7, 28); 871 $f7f8_38 = $f8_19->mulInt64($f7_2, 30); 872 $f7f9_76 = $f9_38->mulInt64($f7_2, 30); 873 874 $f8f8_19 = $f8_19->mulInt64($f8, 30); 875 $f8f9_38 = $f9_38->mulInt64($f8, 30); 876 877 $f9f9_38 = $f9_38->mulInt64($f9, 28); 878 879 $h0 = $f0f0->addInt64($f1f9_76)->addInt64($f2f8_38)->addInt64($f3f7_76)->addInt64($f4f6_38)->addInt64($f5f5_38); 880 $h1 = $f0f1_2->addInt64($f2f9_38)->addInt64($f3f8_38)->addInt64($f4f7_38)->addInt64($f5f6_38); 881 $h2 = $f0f2_2->addInt64($f1f1_2)->addInt64($f3f9_76)->addInt64($f4f8_38)->addInt64($f5f7_76)->addInt64($f6f6_19); 882 $h3 = $f0f3_2->addInt64($f1f2_2)->addInt64($f4f9_38)->addInt64($f5f8_38)->addInt64($f6f7_38); 883 $h4 = $f0f4_2->addInt64($f1f3_4)->addInt64($f2f2)->addInt64($f5f9_76)->addInt64($f6f8_38)->addInt64($f7f7_38); 884 $h5 = $f0f5_2->addInt64($f1f4_2)->addInt64($f2f3_2)->addInt64($f6f9_38)->addInt64($f7f8_38); 885 $h6 = $f0f6_2->addInt64($f1f5_4)->addInt64($f2f4_2)->addInt64($f3f3_2)->addInt64($f7f9_76)->addInt64($f8f8_19); 886 $h7 = $f0f7_2->addInt64($f1f6_2)->addInt64($f2f5_2)->addInt64($f3f4_2)->addInt64($f8f9_38); 887 $h8 = $f0f8_2->addInt64($f1f7_4)->addInt64($f2f6_2)->addInt64($f3f5_4)->addInt64($f4f4)->addInt64($f9f9_38); 888 $h9 = $f0f9_2->addInt64($f1f8_2)->addInt64($f2f7_2)->addInt64($f3f6_2)->addInt64($f4f5_2); 889 890 /** 891 * @var ParagonIE_Sodium_Core32_Int64 $h0 892 * @var ParagonIE_Sodium_Core32_Int64 $h1 893 * @var ParagonIE_Sodium_Core32_Int64 $h2 894 * @var ParagonIE_Sodium_Core32_Int64 $h3 895 * @var ParagonIE_Sodium_Core32_Int64 $h4 896 * @var ParagonIE_Sodium_Core32_Int64 $h5 897 * @var ParagonIE_Sodium_Core32_Int64 $h6 898 * @var ParagonIE_Sodium_Core32_Int64 $h7 899 * @var ParagonIE_Sodium_Core32_Int64 $h8 900 * @var ParagonIE_Sodium_Core32_Int64 $h9 901 */ 902 903 $carry0 = $h0->addInt(1 << 25)->shiftRight(26); 904 $h1 = $h1->addInt64($carry0); 905 $h0 = $h0->subInt64($carry0->shiftLeft(26)); 906 907 $carry4 = $h4->addInt(1 << 25)->shiftRight(26); 908 $h5 = $h5->addInt64($carry4); 909 $h4 = $h4->subInt64($carry4->shiftLeft(26)); 910 911 $carry1 = $h1->addInt(1 << 24)->shiftRight(25); 912 $h2 = $h2->addInt64($carry1); 913 $h1 = $h1->subInt64($carry1->shiftLeft(25)); 914 915 $carry5 = $h5->addInt(1 << 24)->shiftRight(25); 916 $h6 = $h6->addInt64($carry5); 917 $h5 = $h5->subInt64($carry5->shiftLeft(25)); 918 919 $carry2 = $h2->addInt(1 << 25)->shiftRight(26); 920 $h3 = $h3->addInt64($carry2); 921 $h2 = $h2->subInt64($carry2->shiftLeft(26)); 922 923 $carry6 = $h6->addInt(1 << 25)->shiftRight(26); 924 $h7 = $h7->addInt64($carry6); 925 $h6 = $h6->subInt64($carry6->shiftLeft(26)); 926 927 $carry3 = $h3->addInt(1 << 24)->shiftRight(25); 928 $h4 = $h4->addInt64($carry3); 929 $h3 = $h3->subInt64($carry3->shiftLeft(25)); 930 931 $carry7 = $h7->addInt(1 << 24)->shiftRight(25); 932 $h8 = $h8->addInt64($carry7); 933 $h7 = $h7->subInt64($carry7->shiftLeft(25)); 934 935 $carry4 = $h4->addInt(1 << 25)->shiftRight(26); 936 $h5 = $h5->addInt64($carry4); 937 $h4 = $h4->subInt64($carry4->shiftLeft(26)); 938 939 $carry8 = $h8->addInt(1 << 25)->shiftRight(26); 940 $h9 = $h9->addInt64($carry8); 941 $h8 = $h8->subInt64($carry8->shiftLeft(26)); 942 943 $carry9 = $h9->addInt(1 << 24)->shiftRight(25); 944 $h0 = $h0->addInt64($carry9->mulInt(19, 5)); 945 $h9 = $h9->subInt64($carry9->shiftLeft(25)); 946 947 $carry0 = $h0->addInt(1 << 25)->shiftRight(26); 948 $h1 = $h1->addInt64($carry0); 949 $h0 = $h0->subInt64($carry0->shiftLeft(26)); 950 951 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 952 array( 953 $h0->toInt32(), 954 $h1->toInt32(), 955 $h2->toInt32(), 956 $h3->toInt32(), 957 $h4->toInt32(), 958 $h5->toInt32(), 959 $h6->toInt32(), 960 $h7->toInt32(), 961 $h8->toInt32(), 962 $h9->toInt32() 963 ) 964 ); 965 } 966 967 /** 968 * Square and double a field element 969 * 970 * h = 2 * f * f 971 * 972 * @internal You should not use this directly from another application 973 * 974 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 975 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 976 * @throws SodiumException 977 * @throws TypeError 978 * @psalm-suppress MixedMethodCall 979 */ 980 public static function fe_sq2(ParagonIE_Sodium_Core32_Curve25519_Fe $f) 981 { 982 /** @var ParagonIE_Sodium_Core32_Int64 $f0 */ 983 $f0 = $f[0]->toInt64(); 984 /** @var ParagonIE_Sodium_Core32_Int64 $f1 */ 985 $f1 = $f[1]->toInt64(); 986 /** @var ParagonIE_Sodium_Core32_Int64 $f2 */ 987 $f2 = $f[2]->toInt64(); 988 /** @var ParagonIE_Sodium_Core32_Int64 $f3 */ 989 $f3 = $f[3]->toInt64(); 990 /** @var ParagonIE_Sodium_Core32_Int64 $f4 */ 991 $f4 = $f[4]->toInt64(); 992 /** @var ParagonIE_Sodium_Core32_Int64 $f5 */ 993 $f5 = $f[5]->toInt64(); 994 /** @var ParagonIE_Sodium_Core32_Int64 $f6 */ 995 $f6 = $f[6]->toInt64(); 996 /** @var ParagonIE_Sodium_Core32_Int64 $f7 */ 997 $f7 = $f[7]->toInt64(); 998 /** @var ParagonIE_Sodium_Core32_Int64 $f8 */ 999 $f8 = $f[8]->toInt64(); 1000 /** @var ParagonIE_Sodium_Core32_Int64 $f9 */ 1001 $f9 = $f[9]->toInt64(); 1002 1003 $f0_2 = $f0->shiftLeft(1); 1004 $f1_2 = $f1->shiftLeft(1); 1005 $f2_2 = $f2->shiftLeft(1); 1006 $f3_2 = $f3->shiftLeft(1); 1007 $f4_2 = $f4->shiftLeft(1); 1008 $f5_2 = $f5->shiftLeft(1); 1009 $f6_2 = $f6->shiftLeft(1); 1010 $f7_2 = $f7->shiftLeft(1); 1011 $f5_38 = $f5->mulInt(38, 6); /* 1.959375*2^30 */ 1012 $f6_19 = $f6->mulInt(19, 5); /* 1.959375*2^30 */ 1013 $f7_38 = $f7->mulInt(38, 6); /* 1.959375*2^30 */ 1014 $f8_19 = $f8->mulInt(19, 5); /* 1.959375*2^30 */ 1015 $f9_38 = $f9->mulInt(38, 6); /* 1.959375*2^30 */ 1016 $f0f0 = $f0->mulInt64($f0, 28); 1017 $f0f1_2 = $f0_2->mulInt64($f1, 28); 1018 $f0f2_2 = $f0_2->mulInt64($f2, 28); 1019 $f0f3_2 = $f0_2->mulInt64($f3, 28); 1020 $f0f4_2 = $f0_2->mulInt64($f4, 28); 1021 $f0f5_2 = $f0_2->mulInt64($f5, 28); 1022 $f0f6_2 = $f0_2->mulInt64($f6, 28); 1023 $f0f7_2 = $f0_2->mulInt64($f7, 28); 1024 $f0f8_2 = $f0_2->mulInt64($f8, 28); 1025 $f0f9_2 = $f0_2->mulInt64($f9, 28); 1026 $f1f1_2 = $f1_2->mulInt64($f1, 28); 1027 $f1f2_2 = $f1_2->mulInt64($f2, 28); 1028 $f1f3_4 = $f1_2->mulInt64($f3_2, 29); 1029 $f1f4_2 = $f1_2->mulInt64($f4, 28); 1030 $f1f5_4 = $f1_2->mulInt64($f5_2, 29); 1031 $f1f6_2 = $f1_2->mulInt64($f6, 28); 1032 $f1f7_4 = $f1_2->mulInt64($f7_2, 29); 1033 $f1f8_2 = $f1_2->mulInt64($f8, 28); 1034 $f1f9_76 = $f9_38->mulInt64($f1_2, 29); 1035 $f2f2 = $f2->mulInt64($f2, 28); 1036 $f2f3_2 = $f2_2->mulInt64($f3, 28); 1037 $f2f4_2 = $f2_2->mulInt64($f4, 28); 1038 $f2f5_2 = $f2_2->mulInt64($f5, 28); 1039 $f2f6_2 = $f2_2->mulInt64($f6, 28); 1040 $f2f7_2 = $f2_2->mulInt64($f7, 28); 1041 $f2f8_38 = $f8_19->mulInt64($f2_2, 29); 1042 $f2f9_38 = $f9_38->mulInt64($f2, 29); 1043 $f3f3_2 = $f3_2->mulInt64($f3, 28); 1044 $f3f4_2 = $f3_2->mulInt64($f4, 28); 1045 $f3f5_4 = $f3_2->mulInt64($f5_2, 28); 1046 $f3f6_2 = $f3_2->mulInt64($f6, 28); 1047 $f3f7_76 = $f7_38->mulInt64($f3_2, 29); 1048 $f3f8_38 = $f8_19->mulInt64($f3_2, 29); 1049 $f3f9_76 = $f9_38->mulInt64($f3_2, 29); 1050 $f4f4 = $f4->mulInt64($f4, 28); 1051 $f4f5_2 = $f4_2->mulInt64($f5, 28); 1052 $f4f6_38 = $f6_19->mulInt64($f4_2, 29); 1053 $f4f7_38 = $f7_38->mulInt64($f4, 29); 1054 $f4f8_38 = $f8_19->mulInt64($f4_2, 29); 1055 $f4f9_38 = $f9_38->mulInt64($f4, 29); 1056 $f5f5_38 = $f5_38->mulInt64($f5, 29); 1057 $f5f6_38 = $f6_19->mulInt64($f5_2, 29); 1058 $f5f7_76 = $f7_38->mulInt64($f5_2, 29); 1059 $f5f8_38 = $f8_19->mulInt64($f5_2, 29); 1060 $f5f9_76 = $f9_38->mulInt64($f5_2, 29); 1061 $f6f6_19 = $f6_19->mulInt64($f6, 29); 1062 $f6f7_38 = $f7_38->mulInt64($f6, 29); 1063 $f6f8_38 = $f8_19->mulInt64($f6_2, 29); 1064 $f6f9_38 = $f9_38->mulInt64($f6, 29); 1065 $f7f7_38 = $f7_38->mulInt64($f7, 29); 1066 $f7f8_38 = $f8_19->mulInt64($f7_2, 29); 1067 $f7f9_76 = $f9_38->mulInt64($f7_2, 29); 1068 $f8f8_19 = $f8_19->mulInt64($f8, 29); 1069 $f8f9_38 = $f9_38->mulInt64($f8, 29); 1070 $f9f9_38 = $f9_38->mulInt64($f9, 29); 1071 1072 $h0 = $f0f0->addInt64($f1f9_76)->addInt64($f2f8_38)->addInt64($f3f7_76)->addInt64($f4f6_38)->addInt64($f5f5_38); 1073 $h1 = $f0f1_2->addInt64($f2f9_38)->addInt64($f3f8_38)->addInt64($f4f7_38)->addInt64($f5f6_38); 1074 $h2 = $f0f2_2->addInt64($f1f1_2)->addInt64($f3f9_76)->addInt64($f4f8_38)->addInt64($f5f7_76)->addInt64($f6f6_19); 1075 $h3 = $f0f3_2->addInt64($f1f2_2)->addInt64($f4f9_38)->addInt64($f5f8_38)->addInt64($f6f7_38); 1076 $h4 = $f0f4_2->addInt64($f1f3_4)->addInt64($f2f2)->addInt64($f5f9_76)->addInt64($f6f8_38)->addInt64($f7f7_38); 1077 $h5 = $f0f5_2->addInt64($f1f4_2)->addInt64($f2f3_2)->addInt64($f6f9_38)->addInt64($f7f8_38); 1078 $h6 = $f0f6_2->addInt64($f1f5_4)->addInt64($f2f4_2)->addInt64($f3f3_2)->addInt64($f7f9_76)->addInt64($f8f8_19); 1079 $h7 = $f0f7_2->addInt64($f1f6_2)->addInt64($f2f5_2)->addInt64($f3f4_2)->addInt64($f8f9_38); 1080 $h8 = $f0f8_2->addInt64($f1f7_4)->addInt64($f2f6_2)->addInt64($f3f5_4)->addInt64($f4f4)->addInt64($f9f9_38); 1081 $h9 = $f0f9_2->addInt64($f1f8_2)->addInt64($f2f7_2)->addInt64($f3f6_2)->addInt64($f4f5_2); 1082 1083 /** 1084 * @var ParagonIE_Sodium_Core32_Int64 $h0 1085 * @var ParagonIE_Sodium_Core32_Int64 $h1 1086 * @var ParagonIE_Sodium_Core32_Int64 $h2 1087 * @var ParagonIE_Sodium_Core32_Int64 $h3 1088 * @var ParagonIE_Sodium_Core32_Int64 $h4 1089 * @var ParagonIE_Sodium_Core32_Int64 $h5 1090 * @var ParagonIE_Sodium_Core32_Int64 $h6 1091 * @var ParagonIE_Sodium_Core32_Int64 $h7 1092 * @var ParagonIE_Sodium_Core32_Int64 $h8 1093 * @var ParagonIE_Sodium_Core32_Int64 $h9 1094 */ 1095 $h0 = $h0->shiftLeft(1); 1096 $h1 = $h1->shiftLeft(1); 1097 $h2 = $h2->shiftLeft(1); 1098 $h3 = $h3->shiftLeft(1); 1099 $h4 = $h4->shiftLeft(1); 1100 $h5 = $h5->shiftLeft(1); 1101 $h6 = $h6->shiftLeft(1); 1102 $h7 = $h7->shiftLeft(1); 1103 $h8 = $h8->shiftLeft(1); 1104 $h9 = $h9->shiftLeft(1); 1105 1106 $carry0 = $h0->addInt(1 << 25)->shiftRight(26); 1107 $h1 = $h1->addInt64($carry0); 1108 $h0 = $h0->subInt64($carry0->shiftLeft(26)); 1109 $carry4 = $h4->addInt(1 << 25)->shiftRight(26); 1110 $h5 = $h5->addInt64($carry4); 1111 $h4 = $h4->subInt64($carry4->shiftLeft(26)); 1112 1113 $carry1 = $h1->addInt(1 << 24)->shiftRight(25); 1114 $h2 = $h2->addInt64($carry1); 1115 $h1 = $h1->subInt64($carry1->shiftLeft(25)); 1116 $carry5 = $h5->addInt(1 << 24)->shiftRight(25); 1117 $h6 = $h6->addInt64($carry5); 1118 $h5 = $h5->subInt64($carry5->shiftLeft(25)); 1119 1120 $carry2 = $h2->addInt(1 << 25)->shiftRight(26); 1121 $h3 = $h3->addInt64($carry2); 1122 $h2 = $h2->subInt64($carry2->shiftLeft(26)); 1123 $carry6 = $h6->addInt(1 << 25)->shiftRight(26); 1124 $h7 = $h7->addInt64($carry6); 1125 $h6 = $h6->subInt64($carry6->shiftLeft(26)); 1126 1127 $carry3 = $h3->addInt(1 << 24)->shiftRight(25); 1128 $h4 = $h4->addInt64($carry3); 1129 $h3 = $h3->subInt64($carry3->shiftLeft(25)); 1130 $carry7 = $h7->addInt(1 << 24)->shiftRight(25); 1131 $h8 = $h8->addInt64($carry7); 1132 $h7 = $h7->subInt64($carry7->shiftLeft(25)); 1133 1134 $carry4 = $h4->addInt(1 << 25)->shiftRight(26); 1135 $h5 = $h5->addInt64($carry4); 1136 $h4 = $h4->subInt64($carry4->shiftLeft(26)); 1137 $carry8 = $h8->addInt(1 << 25)->shiftRight(26); 1138 $h9 = $h9->addInt64($carry8); 1139 $h8 = $h8->subInt64($carry8->shiftLeft(26)); 1140 1141 $carry9 = $h9->addInt(1 << 24)->shiftRight(25); 1142 $h0 = $h0->addInt64($carry9->mulInt(19, 5)); 1143 $h9 = $h9->subInt64($carry9->shiftLeft(25)); 1144 1145 $carry0 = $h0->addInt(1 << 25)->shiftRight(26); 1146 $h1 = $h1->addInt64($carry0); 1147 $h0 = $h0->subInt64($carry0->shiftLeft(26)); 1148 1149 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 1150 array( 1151 $h0->toInt32(), 1152 $h1->toInt32(), 1153 $h2->toInt32(), 1154 $h3->toInt32(), 1155 $h4->toInt32(), 1156 $h5->toInt32(), 1157 $h6->toInt32(), 1158 $h7->toInt32(), 1159 $h8->toInt32(), 1160 $h9->toInt32() 1161 ) 1162 ); 1163 } 1164 1165 /** 1166 * @internal You should not use this directly from another application 1167 * 1168 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $Z 1169 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 1170 * @throws SodiumException 1171 * @throws TypeError 1172 */ 1173 public static function fe_invert(ParagonIE_Sodium_Core32_Curve25519_Fe $Z) 1174 { 1175 $z = clone $Z; 1176 $t0 = self::fe_sq($z); 1177 $t1 = self::fe_sq($t0); 1178 $t1 = self::fe_sq($t1); 1179 $t1 = self::fe_mul($z, $t1); 1180 $t0 = self::fe_mul($t0, $t1); 1181 $t2 = self::fe_sq($t0); 1182 $t1 = self::fe_mul($t1, $t2); 1183 $t2 = self::fe_sq($t1); 1184 for ($i = 1; $i < 5; ++$i) { 1185 $t2 = self::fe_sq($t2); 1186 } 1187 $t1 = self::fe_mul($t2, $t1); 1188 $t2 = self::fe_sq($t1); 1189 for ($i = 1; $i < 10; ++$i) { 1190 $t2 = self::fe_sq($t2); 1191 } 1192 $t2 = self::fe_mul($t2, $t1); 1193 $t3 = self::fe_sq($t2); 1194 for ($i = 1; $i < 20; ++$i) { 1195 $t3 = self::fe_sq($t3); 1196 } 1197 $t2 = self::fe_mul($t3, $t2); 1198 $t2 = self::fe_sq($t2); 1199 for ($i = 1; $i < 10; ++$i) { 1200 $t2 = self::fe_sq($t2); 1201 } 1202 $t1 = self::fe_mul($t2, $t1); 1203 $t2 = self::fe_sq($t1); 1204 for ($i = 1; $i < 50; ++$i) { 1205 $t2 = self::fe_sq($t2); 1206 } 1207 $t2 = self::fe_mul($t2, $t1); 1208 $t3 = self::fe_sq($t2); 1209 for ($i = 1; $i < 100; ++$i) { 1210 $t3 = self::fe_sq($t3); 1211 } 1212 $t2 = self::fe_mul($t3, $t2); 1213 $t2 = self::fe_sq($t2); 1214 for ($i = 1; $i < 50; ++$i) { 1215 $t2 = self::fe_sq($t2); 1216 } 1217 $t1 = self::fe_mul($t2, $t1); 1218 $t1 = self::fe_sq($t1); 1219 for ($i = 1; $i < 5; ++$i) { 1220 $t1 = self::fe_sq($t1); 1221 } 1222 return self::fe_mul($t1, $t0); 1223 } 1224 1225 /** 1226 * @internal You should not use this directly from another application 1227 * 1228 * @ref https://github.com/jedisct1/libsodium/blob/68564326e1e9dc57ef03746f85734232d20ca6fb/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c#L1054-L1106 1229 * 1230 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $z 1231 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 1232 * @throws SodiumException 1233 * @throws TypeError 1234 */ 1235 public static function fe_pow22523(ParagonIE_Sodium_Core32_Curve25519_Fe $z) 1236 { 1237 # fe_sq(t0, z); 1238 # fe_sq(t1, t0); 1239 # fe_sq(t1, t1); 1240 # fe_mul(t1, z, t1); 1241 # fe_mul(t0, t0, t1); 1242 # fe_sq(t0, t0); 1243 # fe_mul(t0, t1, t0); 1244 # fe_sq(t1, t0); 1245 $t0 = self::fe_sq($z); 1246 $t1 = self::fe_sq($t0); 1247 $t1 = self::fe_sq($t1); 1248 $t1 = self::fe_mul($z, $t1); 1249 $t0 = self::fe_mul($t0, $t1); 1250 $t0 = self::fe_sq($t0); 1251 $t0 = self::fe_mul($t1, $t0); 1252 $t1 = self::fe_sq($t0); 1253 1254 # for (i = 1; i < 5; ++i) { 1255 # fe_sq(t1, t1); 1256 # } 1257 for ($i = 1; $i < 5; ++$i) { 1258 $t1 = self::fe_sq($t1); 1259 } 1260 1261 # fe_mul(t0, t1, t0); 1262 # fe_sq(t1, t0); 1263 $t0 = self::fe_mul($t1, $t0); 1264 $t1 = self::fe_sq($t0); 1265 1266 # for (i = 1; i < 10; ++i) { 1267 # fe_sq(t1, t1); 1268 # } 1269 for ($i = 1; $i < 10; ++$i) { 1270 $t1 = self::fe_sq($t1); 1271 } 1272 1273 # fe_mul(t1, t1, t0); 1274 # fe_sq(t2, t1); 1275 $t1 = self::fe_mul($t1, $t0); 1276 $t2 = self::fe_sq($t1); 1277 1278 # for (i = 1; i < 20; ++i) { 1279 # fe_sq(t2, t2); 1280 # } 1281 for ($i = 1; $i < 20; ++$i) { 1282 $t2 = self::fe_sq($t2); 1283 } 1284 1285 # fe_mul(t1, t2, t1); 1286 # fe_sq(t1, t1); 1287 $t1 = self::fe_mul($t2, $t1); 1288 $t1 = self::fe_sq($t1); 1289 1290 # for (i = 1; i < 10; ++i) { 1291 # fe_sq(t1, t1); 1292 # } 1293 for ($i = 1; $i < 10; ++$i) { 1294 $t1 = self::fe_sq($t1); 1295 } 1296 1297 # fe_mul(t0, t1, t0); 1298 # fe_sq(t1, t0); 1299 $t0 = self::fe_mul($t1, $t0); 1300 $t1 = self::fe_sq($t0); 1301 1302 # for (i = 1; i < 50; ++i) { 1303 # fe_sq(t1, t1); 1304 # } 1305 for ($i = 1; $i < 50; ++$i) { 1306 $t1 = self::fe_sq($t1); 1307 } 1308 1309 # fe_mul(t1, t1, t0); 1310 # fe_sq(t2, t1); 1311 $t1 = self::fe_mul($t1, $t0); 1312 $t2 = self::fe_sq($t1); 1313 1314 # for (i = 1; i < 100; ++i) { 1315 # fe_sq(t2, t2); 1316 # } 1317 for ($i = 1; $i < 100; ++$i) { 1318 $t2 = self::fe_sq($t2); 1319 } 1320 1321 # fe_mul(t1, t2, t1); 1322 # fe_sq(t1, t1); 1323 $t1 = self::fe_mul($t2, $t1); 1324 $t1 = self::fe_sq($t1); 1325 1326 # for (i = 1; i < 50; ++i) { 1327 # fe_sq(t1, t1); 1328 # } 1329 for ($i = 1; $i < 50; ++$i) { 1330 $t1 = self::fe_sq($t1); 1331 } 1332 1333 # fe_mul(t0, t1, t0); 1334 # fe_sq(t0, t0); 1335 # fe_sq(t0, t0); 1336 # fe_mul(out, t0, z); 1337 $t0 = self::fe_mul($t1, $t0); 1338 $t0 = self::fe_sq($t0); 1339 $t0 = self::fe_sq($t0); 1340 return self::fe_mul($t0, $z); 1341 } 1342 1343 /** 1344 * Subtract two field elements. 1345 * 1346 * h = f - g 1347 * 1348 * Preconditions: 1349 * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 1350 * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 1351 * 1352 * Postconditions: 1353 * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 1354 * 1355 * @internal You should not use this directly from another application 1356 * 1357 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $f 1358 * @param ParagonIE_Sodium_Core32_Curve25519_Fe $g 1359 * @return ParagonIE_Sodium_Core32_Curve25519_Fe 1360 * @throws SodiumException 1361 * @throws TypeError 1362 * @psalm-suppress MixedMethodCall 1363 * @psalm-suppress MixedTypeCoercion 1364 */ 1365 public static function fe_sub(ParagonIE_Sodium_Core32_Curve25519_Fe $f, ParagonIE_Sodium_Core32_Curve25519_Fe $g) 1366 { 1367 return ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 1368 array( 1369 $f[0]->subInt32($g[0]), 1370 $f[1]->subInt32($g[1]), 1371 $f[2]->subInt32($g[2]), 1372 $f[3]->subInt32($g[3]), 1373 $f[4]->subInt32($g[4]), 1374 $f[5]->subInt32($g[5]), 1375 $f[6]->subInt32($g[6]), 1376 $f[7]->subInt32($g[7]), 1377 $f[8]->subInt32($g[8]), 1378 $f[9]->subInt32($g[9]) 1379 ) 1380 ); 1381 } 1382 1383 /** 1384 * Add two group elements. 1385 * 1386 * r = p + q 1387 * 1388 * @internal You should not use this directly from another application 1389 * 1390 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p 1391 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_Cached $q 1392 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 1393 * @throws SodiumException 1394 * @throws TypeError 1395 */ 1396 public static function ge_add( 1397 ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p, 1398 ParagonIE_Sodium_Core32_Curve25519_Ge_Cached $q 1399 ) { 1400 $r = new ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1(); 1401 $r->X = self::fe_add($p->Y, $p->X); 1402 $r->Y = self::fe_sub($p->Y, $p->X); 1403 $r->Z = self::fe_mul($r->X, $q->YplusX); 1404 $r->Y = self::fe_mul($r->Y, $q->YminusX); 1405 $r->T = self::fe_mul($q->T2d, $p->T); 1406 $r->X = self::fe_mul($p->Z, $q->Z); 1407 $t0 = self::fe_add($r->X, $r->X); 1408 $r->X = self::fe_sub($r->Z, $r->Y); 1409 $r->Y = self::fe_add($r->Z, $r->Y); 1410 $r->Z = self::fe_add($t0, $r->T); 1411 $r->T = self::fe_sub($t0, $r->T); 1412 return $r; 1413 } 1414 1415 /** 1416 * @internal You should not use this directly from another application 1417 * 1418 * @ref https://github.com/jedisct1/libsodium/blob/157c4a80c13b117608aeae12178b2d38825f9f8f/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c#L1185-L1215 1419 * @param string $a 1420 * @return array<int, mixed> 1421 * @throws SodiumException 1422 * @throws TypeError 1423 * @psalm-suppress MixedArrayOffset 1424 */ 1425 public static function slide($a) 1426 { 1427 if (self::strlen($a) < 256) { 1428 if (self::strlen($a) < 16) { 1429 $a = str_pad($a, 256, '0', STR_PAD_RIGHT); 1430 } 1431 } 1432 /** @var array<int, int> $r */ 1433 $r = array(); 1434 for ($i = 0; $i < 256; ++$i) { 1435 $r[$i] = (int) (1 & 1436 ( 1437 self::chrToInt($a[$i >> 3]) 1438 >> 1439 ($i & 7) 1440 ) 1441 ); 1442 } 1443 1444 for ($i = 0;$i < 256;++$i) { 1445 if ($r[$i]) { 1446 for ($b = 1;$b <= 6 && $i + $b < 256;++$b) { 1447 if ($r[$i + $b]) { 1448 if ($r[$i] + ($r[$i + $b] << $b) <= 15) { 1449 $r[$i] += $r[$i + $b] << $b; 1450 $r[$i + $b] = 0; 1451 } elseif ($r[$i] - ($r[$i + $b] << $b) >= -15) { 1452 $r[$i] -= $r[$i + $b] << $b; 1453 for ($k = $i + $b; $k < 256; ++$k) { 1454 if (!$r[$k]) { 1455 $r[$k] = 1; 1456 break; 1457 } 1458 $r[$k] = 0; 1459 } 1460 } else { 1461 break; 1462 } 1463 } 1464 } 1465 } 1466 } 1467 return $r; 1468 } 1469 1470 /** 1471 * @internal You should not use this directly from another application 1472 * 1473 * @param string $s 1474 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P3 1475 * @throws SodiumException 1476 * @throws TypeError 1477 */ 1478 public static function ge_frombytes_negate_vartime($s) 1479 { 1480 static $d = null; 1481 if (!$d) { 1482 /** @var ParagonIE_Sodium_Core32_Curve25519_Fe $d */ 1483 $d = ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 1484 array( 1485 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[0]), 1486 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[1]), 1487 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[2]), 1488 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[3]), 1489 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[4]), 1490 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[5]), 1491 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[6]), 1492 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[7]), 1493 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[8]), 1494 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d[9]) 1495 ) 1496 ); 1497 } 1498 1499 # fe_frombytes(h->Y,s); 1500 # fe_1(h->Z); 1501 $h = new ParagonIE_Sodium_Core32_Curve25519_Ge_P3( 1502 self::fe_0(), 1503 self::fe_frombytes($s), 1504 self::fe_1() 1505 ); 1506 1507 # fe_sq(u,h->Y); 1508 # fe_mul(v,u,d); 1509 # fe_sub(u,u,h->Z); /* u = y^2-1 */ 1510 # fe_add(v,v,h->Z); /* v = dy^2+1 */ 1511 $u = self::fe_sq($h->Y); 1512 /** @var ParagonIE_Sodium_Core32_Curve25519_Fe $d */ 1513 $v = self::fe_mul($u, $d); 1514 $u = self::fe_sub($u, $h->Z); /* u = y^2 - 1 */ 1515 $v = self::fe_add($v, $h->Z); /* v = dy^2 + 1 */ 1516 1517 # fe_sq(v3,v); 1518 # fe_mul(v3,v3,v); /* v3 = v^3 */ 1519 # fe_sq(h->X,v3); 1520 # fe_mul(h->X,h->X,v); 1521 # fe_mul(h->X,h->X,u); /* x = uv^7 */ 1522 $v3 = self::fe_sq($v); 1523 $v3 = self::fe_mul($v3, $v); /* v3 = v^3 */ 1524 $h->X = self::fe_sq($v3); 1525 $h->X = self::fe_mul($h->X, $v); 1526 $h->X = self::fe_mul($h->X, $u); /* x = uv^7 */ 1527 1528 # fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */ 1529 # fe_mul(h->X,h->X,v3); 1530 # fe_mul(h->X,h->X,u); /* x = uv^3(uv^7)^((q-5)/8) */ 1531 $h->X = self::fe_pow22523($h->X); /* x = (uv^7)^((q-5)/8) */ 1532 $h->X = self::fe_mul($h->X, $v3); 1533 $h->X = self::fe_mul($h->X, $u); /* x = uv^3(uv^7)^((q-5)/8) */ 1534 1535 # fe_sq(vxx,h->X); 1536 # fe_mul(vxx,vxx,v); 1537 # fe_sub(check,vxx,u); /* vx^2-u */ 1538 $vxx = self::fe_sq($h->X); 1539 $vxx = self::fe_mul($vxx, $v); 1540 $check = self::fe_sub($vxx, $u); /* vx^2 - u */ 1541 1542 # if (fe_isnonzero(check)) { 1543 # fe_add(check,vxx,u); /* vx^2+u */ 1544 # if (fe_isnonzero(check)) { 1545 # return -1; 1546 # } 1547 # fe_mul(h->X,h->X,sqrtm1); 1548 # } 1549 if (self::fe_isnonzero($check)) { 1550 $check = self::fe_add($vxx, $u); /* vx^2 + u */ 1551 if (self::fe_isnonzero($check)) { 1552 throw new RangeException('Internal check failed.'); 1553 } 1554 $h->X = self::fe_mul( 1555 $h->X, 1556 ParagonIE_Sodium_Core32_Curve25519_Fe::fromIntArray(self::$sqrtm1) 1557 ); 1558 } 1559 1560 # if (fe_isnegative(h->X) == (s[31] >> 7)) { 1561 # fe_neg(h->X,h->X); 1562 # } 1563 $i = self::chrToInt($s[31]); 1564 if (self::fe_isnegative($h->X) === ($i >> 7)) { 1565 $h->X = self::fe_neg($h->X); 1566 } 1567 1568 # fe_mul(h->T,h->X,h->Y); 1569 $h->T = self::fe_mul($h->X, $h->Y); 1570 return $h; 1571 } 1572 1573 /** 1574 * @internal You should not use this directly from another application 1575 * 1576 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $R 1577 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p 1578 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $q 1579 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 1580 * @throws SodiumException 1581 * @throws TypeError 1582 */ 1583 public static function ge_madd( 1584 ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $R, 1585 ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p, 1586 ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $q 1587 ) { 1588 $r = clone $R; 1589 $r->X = self::fe_add($p->Y, $p->X); 1590 $r->Y = self::fe_sub($p->Y, $p->X); 1591 $r->Z = self::fe_mul($r->X, $q->yplusx); 1592 $r->Y = self::fe_mul($r->Y, $q->yminusx); 1593 $r->T = self::fe_mul($q->xy2d, $p->T); 1594 $t0 = self::fe_add(clone $p->Z, clone $p->Z); 1595 $r->X = self::fe_sub($r->Z, $r->Y); 1596 $r->Y = self::fe_add($r->Z, $r->Y); 1597 $r->Z = self::fe_add($t0, $r->T); 1598 $r->T = self::fe_sub($t0, $r->T); 1599 1600 return $r; 1601 } 1602 1603 /** 1604 * @internal You should not use this directly from another application 1605 * 1606 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $R 1607 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p 1608 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $q 1609 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 1610 * @throws SodiumException 1611 * @throws TypeError 1612 */ 1613 public static function ge_msub( 1614 ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $R, 1615 ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p, 1616 ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $q 1617 ) { 1618 $r = clone $R; 1619 1620 $r->X = self::fe_add($p->Y, $p->X); 1621 $r->Y = self::fe_sub($p->Y, $p->X); 1622 $r->Z = self::fe_mul($r->X, $q->yminusx); 1623 $r->Y = self::fe_mul($r->Y, $q->yplusx); 1624 $r->T = self::fe_mul($q->xy2d, $p->T); 1625 $t0 = self::fe_add($p->Z, $p->Z); 1626 $r->X = self::fe_sub($r->Z, $r->Y); 1627 $r->Y = self::fe_add($r->Z, $r->Y); 1628 $r->Z = self::fe_sub($t0, $r->T); 1629 $r->T = self::fe_add($t0, $r->T); 1630 1631 return $r; 1632 } 1633 1634 /** 1635 * @internal You should not use this directly from another application 1636 * 1637 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $p 1638 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P2 1639 * @throws SodiumException 1640 * @throws TypeError 1641 */ 1642 public static function ge_p1p1_to_p2(ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $p) 1643 { 1644 $r = new ParagonIE_Sodium_Core32_Curve25519_Ge_P2(); 1645 $r->X = self::fe_mul($p->X, $p->T); 1646 $r->Y = self::fe_mul($p->Y, $p->Z); 1647 $r->Z = self::fe_mul($p->Z, $p->T); 1648 return $r; 1649 } 1650 1651 /** 1652 * @internal You should not use this directly from another application 1653 * 1654 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $p 1655 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P3 1656 * @throws SodiumException 1657 * @throws TypeError 1658 */ 1659 public static function ge_p1p1_to_p3(ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 $p) 1660 { 1661 $r = new ParagonIE_Sodium_Core32_Curve25519_Ge_P3(); 1662 $r->X = self::fe_mul($p->X, $p->T); 1663 $r->Y = self::fe_mul($p->Y, $p->Z); 1664 $r->Z = self::fe_mul($p->Z, $p->T); 1665 $r->T = self::fe_mul($p->X, $p->Y); 1666 return $r; 1667 } 1668 1669 /** 1670 * @internal You should not use this directly from another application 1671 * 1672 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P2 1673 * @throws SodiumException 1674 * @throws TypeError 1675 */ 1676 public static function ge_p2_0() 1677 { 1678 return new ParagonIE_Sodium_Core32_Curve25519_Ge_P2( 1679 self::fe_0(), 1680 self::fe_1(), 1681 self::fe_1() 1682 ); 1683 } 1684 1685 /** 1686 * @internal You should not use this directly from another application 1687 * 1688 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P2 $p 1689 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 1690 * @throws SodiumException 1691 * @throws TypeError 1692 */ 1693 public static function ge_p2_dbl(ParagonIE_Sodium_Core32_Curve25519_Ge_P2 $p) 1694 { 1695 $r = new ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1(); 1696 1697 $r->X = self::fe_sq($p->X); 1698 $r->Z = self::fe_sq($p->Y); 1699 $r->T = self::fe_sq2($p->Z); 1700 $r->Y = self::fe_add($p->X, $p->Y); 1701 $t0 = self::fe_sq($r->Y); 1702 $r->Y = self::fe_add($r->Z, $r->X); 1703 $r->Z = self::fe_sub($r->Z, $r->X); 1704 $r->X = self::fe_sub($t0, $r->Y); 1705 $r->T = self::fe_sub($r->T, $r->Z); 1706 1707 return $r; 1708 } 1709 1710 /** 1711 * @internal You should not use this directly from another application 1712 * 1713 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P3 1714 * @throws SodiumException 1715 * @throws TypeError 1716 */ 1717 public static function ge_p3_0() 1718 { 1719 return new ParagonIE_Sodium_Core32_Curve25519_Ge_P3( 1720 self::fe_0(), 1721 self::fe_1(), 1722 self::fe_1(), 1723 self::fe_0() 1724 ); 1725 } 1726 1727 /** 1728 * @internal You should not use this directly from another application 1729 * 1730 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p 1731 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_Cached 1732 * @throws SodiumException 1733 * @throws TypeError 1734 */ 1735 public static function ge_p3_to_cached(ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p) 1736 { 1737 static $d2 = null; 1738 if ($d2 === null) { 1739 $d2 = ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 1740 array( 1741 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[0]), 1742 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[1]), 1743 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[2]), 1744 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[3]), 1745 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[4]), 1746 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[5]), 1747 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[6]), 1748 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[7]), 1749 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[8]), 1750 ParagonIE_Sodium_Core32_Int32::fromInt(self::$d2[9]) 1751 ) 1752 ); 1753 } 1754 /** @var ParagonIE_Sodium_Core32_Curve25519_Fe $d2 */ 1755 $r = new ParagonIE_Sodium_Core32_Curve25519_Ge_Cached(); 1756 $r->YplusX = self::fe_add($p->Y, $p->X); 1757 $r->YminusX = self::fe_sub($p->Y, $p->X); 1758 $r->Z = self::fe_copy($p->Z); 1759 $r->T2d = self::fe_mul($p->T, $d2); 1760 return $r; 1761 } 1762 1763 /** 1764 * @internal You should not use this directly from another application 1765 * 1766 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p 1767 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P2 1768 */ 1769 public static function ge_p3_to_p2(ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p) 1770 { 1771 return new ParagonIE_Sodium_Core32_Curve25519_Ge_P2( 1772 $p->X, 1773 $p->Y, 1774 $p->Z 1775 ); 1776 } 1777 1778 /** 1779 * @internal You should not use this directly from another application 1780 * 1781 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $h 1782 * @return string 1783 * @throws SodiumException 1784 * @throws TypeError 1785 */ 1786 public static function ge_p3_tobytes(ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $h) 1787 { 1788 $recip = self::fe_invert($h->Z); 1789 $x = self::fe_mul($h->X, $recip); 1790 $y = self::fe_mul($h->Y, $recip); 1791 $s = self::fe_tobytes($y); 1792 $s[31] = self::intToChr( 1793 self::chrToInt($s[31]) ^ (self::fe_isnegative($x) << 7) 1794 ); 1795 return $s; 1796 } 1797 1798 /** 1799 * @internal You should not use this directly from another application 1800 * 1801 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p 1802 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 1803 * @throws SodiumException 1804 * @throws TypeError 1805 */ 1806 public static function ge_p3_dbl(ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p) 1807 { 1808 $q = self::ge_p3_to_p2($p); 1809 return self::ge_p2_dbl($q); 1810 } 1811 1812 /** 1813 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp 1814 * @throws SodiumException 1815 * @throws TypeError 1816 */ 1817 public static function ge_precomp_0() 1818 { 1819 return new ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp( 1820 self::fe_1(), 1821 self::fe_1(), 1822 self::fe_0() 1823 ); 1824 } 1825 1826 /** 1827 * @internal You should not use this directly from another application 1828 * 1829 * @param int $b 1830 * @param int $c 1831 * @return int 1832 * @psalm-suppress MixedReturnStatement 1833 */ 1834 public static function equal($b, $c) 1835 { 1836 return (int) ((($b ^ $c) - 1 & 0xffffffff) >> 31); 1837 } 1838 1839 /** 1840 * @internal You should not use this directly from another application 1841 * 1842 * @param string|int $char 1843 * @return int (1 = yes, 0 = no) 1844 * @throws SodiumException 1845 * @throws TypeError 1846 */ 1847 public static function negative($char) 1848 { 1849 if (is_int($char)) { 1850 return $char < 0 ? 1 : 0; 1851 } 1852 /** @var string $char */ 1853 /** @var int $x */ 1854 $x = self::chrToInt(self::substr($char, 0, 1)); 1855 return (int) ($x >> 31); 1856 } 1857 1858 /** 1859 * Conditional move 1860 * 1861 * @internal You should not use this directly from another application 1862 * 1863 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $t 1864 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $u 1865 * @param int $b 1866 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp 1867 * @throws SodiumException 1868 * @throws TypeError 1869 */ 1870 public static function cmov( 1871 ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $t, 1872 ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $u, 1873 $b 1874 ) { 1875 if (!is_int($b)) { 1876 throw new InvalidArgumentException('Expected an integer.'); 1877 } 1878 return new ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp( 1879 self::fe_cmov($t->yplusx, $u->yplusx, $b), 1880 self::fe_cmov($t->yminusx, $u->yminusx, $b), 1881 self::fe_cmov($t->xy2d, $u->xy2d, $b) 1882 ); 1883 } 1884 1885 /** 1886 * @internal You should not use this directly from another application 1887 * 1888 * @param int $pos 1889 * @param int $b 1890 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp 1891 * @throws SodiumException 1892 * @throws TypeError 1893 * @psalm-suppress MixedArrayAccess 1894 * @psalm-suppress MixedArrayOffset 1895 * @psalm-suppress MixedArgument 1896 */ 1897 public static function ge_select($pos = 0, $b = 0) 1898 { 1899 static $base = null; 1900 if ($base === null) { 1901 $base = array(); 1902 foreach (self::$base as $i => $bas) { 1903 for ($j = 0; $j < 8; ++$j) { 1904 $base[$i][$j] = new ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp( 1905 ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 1906 array( 1907 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][0]), 1908 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][1]), 1909 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][2]), 1910 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][3]), 1911 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][4]), 1912 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][5]), 1913 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][6]), 1914 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][7]), 1915 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][8]), 1916 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][0][9]) 1917 ) 1918 ), 1919 ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 1920 array( 1921 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][0]), 1922 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][1]), 1923 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][2]), 1924 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][3]), 1925 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][4]), 1926 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][5]), 1927 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][6]), 1928 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][7]), 1929 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][8]), 1930 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][1][9]) 1931 ) 1932 ), 1933 ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 1934 array( 1935 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][0]), 1936 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][1]), 1937 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][2]), 1938 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][3]), 1939 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][4]), 1940 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][5]), 1941 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][6]), 1942 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][7]), 1943 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][8]), 1944 ParagonIE_Sodium_Core32_Int32::fromInt($bas[$j][2][9]) 1945 ) 1946 ) 1947 ); 1948 } 1949 } 1950 } 1951 if (!is_int($pos)) { 1952 throw new InvalidArgumentException('Position must be an integer'); 1953 } 1954 if ($pos < 0 || $pos > 31) { 1955 throw new RangeException('Position is out of range [0, 31]'); 1956 } 1957 1958 $bnegative = self::negative($b); 1959 /** @var int $babs */ 1960 $babs = $b - (((-$bnegative) & $b) << 1); 1961 1962 $t = self::ge_precomp_0(); 1963 for ($i = 0; $i < 8; ++$i) { 1964 $t = self::cmov( 1965 $t, 1966 $base[$pos][$i], 1967 self::equal($babs, $i + 1) 1968 ); 1969 } 1970 $minusT = new ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp( 1971 self::fe_copy($t->yminusx), 1972 self::fe_copy($t->yplusx), 1973 self::fe_neg($t->xy2d) 1974 ); 1975 return self::cmov($t, $minusT, -$bnegative); 1976 } 1977 1978 /** 1979 * Subtract two group elements. 1980 * 1981 * r = p - q 1982 * 1983 * @internal You should not use this directly from another application 1984 * 1985 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p 1986 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_Cached $q 1987 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1 1988 * @throws SodiumException 1989 * @throws TypeError 1990 */ 1991 public static function ge_sub( 1992 ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $p, 1993 ParagonIE_Sodium_Core32_Curve25519_Ge_Cached $q 1994 ) { 1995 $r = new ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1(); 1996 1997 $r->X = self::fe_add($p->Y, $p->X); 1998 $r->Y = self::fe_sub($p->Y, $p->X); 1999 $r->Z = self::fe_mul($r->X, $q->YminusX); 2000 $r->Y = self::fe_mul($r->Y, $q->YplusX); 2001 $r->T = self::fe_mul($q->T2d, $p->T); 2002 $r->X = self::fe_mul($p->Z, $q->Z); 2003 $t0 = self::fe_add($r->X, $r->X); 2004 $r->X = self::fe_sub($r->Z, $r->Y); 2005 $r->Y = self::fe_add($r->Z, $r->Y); 2006 $r->Z = self::fe_sub($t0, $r->T); 2007 $r->T = self::fe_add($t0, $r->T); 2008 2009 return $r; 2010 } 2011 2012 /** 2013 * Convert a group element to a byte string. 2014 * 2015 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P2 $h 2016 * @return string 2017 * @throws SodiumException 2018 * @throws TypeError 2019 */ 2020 public static function ge_tobytes(ParagonIE_Sodium_Core32_Curve25519_Ge_P2 $h) 2021 { 2022 $recip = self::fe_invert($h->Z); 2023 $x = self::fe_mul($h->X, $recip); 2024 $y = self::fe_mul($h->Y, $recip); 2025 $s = self::fe_tobytes($y); 2026 $s[31] = self::intToChr( 2027 self::chrToInt($s[31]) ^ (self::fe_isnegative($x) << 7) 2028 ); 2029 return $s; 2030 } 2031 2032 /** 2033 * @internal You should not use this directly from another application 2034 * 2035 * @param string $a 2036 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $A 2037 * @param string $b 2038 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P2 2039 * @throws SodiumException 2040 * @throws TypeError 2041 * @psalm-suppress MixedArrayAccess 2042 */ 2043 public static function ge_double_scalarmult_vartime( 2044 $a, 2045 ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $A, 2046 $b 2047 ) { 2048 /** @var array<int, ParagonIE_Sodium_Core32_Curve25519_Ge_Cached> $Ai */ 2049 $Ai = array(); 2050 2051 static $Bi = array(); 2052 /** @var array<int, ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp> $Bi */ 2053 if (!$Bi) { 2054 for ($i = 0; $i < 8; ++$i) { 2055 $Bi[$i] = new ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp( 2056 ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 2057 array( 2058 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][0]), 2059 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][1]), 2060 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][2]), 2061 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][3]), 2062 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][4]), 2063 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][5]), 2064 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][6]), 2065 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][7]), 2066 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][8]), 2067 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][0][9]) 2068 ) 2069 ), 2070 ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 2071 array( 2072 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][0]), 2073 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][1]), 2074 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][2]), 2075 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][3]), 2076 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][4]), 2077 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][5]), 2078 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][6]), 2079 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][7]), 2080 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][8]), 2081 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][1][9]) 2082 ) 2083 ), 2084 ParagonIE_Sodium_Core32_Curve25519_Fe::fromArray( 2085 array( 2086 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][0]), 2087 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][1]), 2088 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][2]), 2089 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][3]), 2090 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][4]), 2091 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][5]), 2092 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][6]), 2093 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][7]), 2094 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][8]), 2095 ParagonIE_Sodium_Core32_Int32::fromInt(self::$base2[$i][2][9]) 2096 ) 2097 ) 2098 ); 2099 } 2100 } 2101 2102 for ($i = 0; $i < 8; ++$i) { 2103 $Ai[$i] = new ParagonIE_Sodium_Core32_Curve25519_Ge_Cached( 2104 self::fe_0(), 2105 self::fe_0(), 2106 self::fe_0(), 2107 self::fe_0() 2108 ); 2109 } 2110 /** @var array<int, ParagonIE_Sodium_Core32_Curve25519_Ge_Cached> $Ai */ 2111 2112 # slide(aslide,a); 2113 # slide(bslide,b); 2114 /** @var array<int, int> $aslide */ 2115 $aslide = self::slide($a); 2116 /** @var array<int, int> $bslide */ 2117 $bslide = self::slide($b); 2118 2119 # ge_p3_to_cached(&Ai[0],A); 2120 # ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t); 2121 $Ai[0] = self::ge_p3_to_cached($A); 2122 $t = self::ge_p3_dbl($A); 2123 $A2 = self::ge_p1p1_to_p3($t); 2124 2125 # ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u); 2126 # ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u); 2127 # ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u); 2128 # ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u); 2129 # ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u); 2130 # ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u); 2131 # ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u); 2132 for ($i = 0; $i < 7; ++$i) { 2133 $t = self::ge_add($A2, $Ai[$i]); 2134 $u = self::ge_p1p1_to_p3($t); 2135 $Ai[$i + 1] = self::ge_p3_to_cached($u); 2136 } 2137 2138 # ge_p2_0(r); 2139 $r = self::ge_p2_0(); 2140 2141 # for (i = 255;i >= 0;--i) { 2142 # if (aslide[i] || bslide[i]) break; 2143 # } 2144 $i = 255; 2145 for (; $i >= 0; --$i) { 2146 if ($aslide[$i] || $bslide[$i]) { 2147 break; 2148 } 2149 } 2150 2151 # for (;i >= 0;--i) { 2152 for (; $i >= 0; --$i) { 2153 # ge_p2_dbl(&t,r); 2154 $t = self::ge_p2_dbl($r); 2155 2156 # if (aslide[i] > 0) { 2157 if ($aslide[$i] > 0) { 2158 # ge_p1p1_to_p3(&u,&t); 2159 # ge_add(&t,&u,&Ai[aslide[i]/2]); 2160 $u = self::ge_p1p1_to_p3($t); 2161 $t = self::ge_add( 2162 $u, 2163 $Ai[(int) floor($aslide[$i] / 2)] 2164 ); 2165 # } else if (aslide[i] < 0) { 2166 } elseif ($aslide[$i] < 0) { 2167 # ge_p1p1_to_p3(&u,&t); 2168 # ge_sub(&t,&u,&Ai[(-aslide[i])/2]); 2169 $u = self::ge_p1p1_to_p3($t); 2170 $t = self::ge_sub( 2171 $u, 2172 $Ai[(int) floor(-$aslide[$i] / 2)] 2173 ); 2174 } 2175 /** @var array<int, ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp> $Bi */ 2176 2177 # if (bslide[i] > 0) { 2178 if ($bslide[$i] > 0) { 2179 # ge_p1p1_to_p3(&u,&t); 2180 # ge_madd(&t,&u,&Bi[bslide[i]/2]); 2181 $u = self::ge_p1p1_to_p3($t); 2182 /** @var int $index */ 2183 $index = (int) floor($bslide[$i] / 2); 2184 /** @var ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $thisB */ 2185 $thisB = $Bi[$index]; 2186 $t = self::ge_madd($t, $u, $thisB); 2187 # } else if (bslide[i] < 0) { 2188 } elseif ($bslide[$i] < 0) { 2189 # ge_p1p1_to_p3(&u,&t); 2190 # ge_msub(&t,&u,&Bi[(-bslide[i])/2]); 2191 $u = self::ge_p1p1_to_p3($t); 2192 2193 /** @var int $index */ 2194 $index = (int) floor(-$bslide[$i] / 2); 2195 2196 /** @var ParagonIE_Sodium_Core32_Curve25519_Ge_Precomp $thisB */ 2197 $thisB = $Bi[$index]; 2198 $t = self::ge_msub($t, $u, $thisB); 2199 } 2200 # ge_p1p1_to_p2(r,&t); 2201 $r = self::ge_p1p1_to_p2($t); 2202 } 2203 return $r; 2204 } 2205 2206 /** 2207 * @internal You should not use this directly from another application 2208 * 2209 * @param string $a 2210 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P3 2211 * @psalm-suppress MixedAssignment 2212 * @psalm-suppress MixedOperand 2213 * @throws SodiumException 2214 * @throws TypeError 2215 */ 2216 public static function ge_scalarmult_base($a) 2217 { 2218 /** @var array<int, int> $e */ 2219 $e = array(); 2220 $r = new ParagonIE_Sodium_Core32_Curve25519_Ge_P1p1(); 2221 2222 for ($i = 0; $i < 32; ++$i) { 2223 /** @var int $dbl */ 2224 $dbl = (int) $i << 1; 2225 $e[$dbl] = (int) self::chrToInt($a[$i]) & 15; 2226 $e[$dbl + 1] = (int) (self::chrToInt($a[$i]) >> 4) & 15; 2227 } 2228 2229 /** @var int $carry */ 2230 $carry = 0; 2231 for ($i = 0; $i < 63; ++$i) { 2232 $e[$i] += $carry; 2233 /** @var int $carry */ 2234 $carry = $e[$i] + 8; 2235 /** @var int $carry */ 2236 $carry >>= 4; 2237 $e[$i] -= $carry << 4; 2238 } 2239 2240 /** @var array<int, int> $e */ 2241 $e[63] += (int) $carry; 2242 2243 $h = self::ge_p3_0(); 2244 2245 for ($i = 1; $i < 64; $i += 2) { 2246 $t = self::ge_select((int) floor($i / 2), (int) $e[$i]); 2247 $r = self::ge_madd($r, $h, $t); 2248 $h = self::ge_p1p1_to_p3($r); 2249 } 2250 2251 $r = self::ge_p3_dbl($h); 2252 2253 $s = self::ge_p1p1_to_p2($r); 2254 $r = self::ge_p2_dbl($s); 2255 $s = self::ge_p1p1_to_p2($r); 2256 $r = self::ge_p2_dbl($s); 2257 $s = self::ge_p1p1_to_p2($r); 2258 $r = self::ge_p2_dbl($s); 2259 2260 $h = self::ge_p1p1_to_p3($r); 2261 2262 for ($i = 0; $i < 64; $i += 2) { 2263 $t = self::ge_select($i >> 1, (int) $e[$i]); 2264 $r = self::ge_madd($r, $h, $t); 2265 $h = self::ge_p1p1_to_p3($r); 2266 } 2267 return $h; 2268 } 2269 2270 /** 2271 * Calculates (ab + c) mod l 2272 * where l = 2^252 + 27742317777372353535851937790883648493 2273 * 2274 * @internal You should not use this directly from another application 2275 * 2276 * @param string $a 2277 * @param string $b 2278 * @param string $c 2279 * @return string 2280 * @throws SodiumException 2281 * @throws TypeError 2282 */ 2283 public static function sc_muladd($a, $b, $c) 2284 { 2285 $a0 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($a, 0, 3))); 2286 $a1 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($a, 2, 4)) >> 5)); 2287 $a2 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($a, 5, 3)) >> 2)); 2288 $a3 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($a, 7, 4)) >> 7)); 2289 $a4 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($a, 10, 4)) >> 4)); 2290 $a5 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($a, 13, 3)) >> 1)); 2291 $a6 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($a, 15, 4)) >> 6)); 2292 $a7 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($a, 18, 3)) >> 3)); 2293 $a8 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($a, 21, 3))); 2294 $a9 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($a, 23, 4)) >> 5)); 2295 $a10 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($a, 26, 3)) >> 2)); 2296 $a11 = ParagonIE_Sodium_Core32_Int64::fromInt(0x1fffffff & (self::load_4(self::substr($a, 28, 4)) >> 7)); 2297 $b0 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($b, 0, 3))); 2298 $b1 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($b, 2, 4)) >> 5)); 2299 $b2 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($b, 5, 3)) >> 2)); 2300 $b3 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($b, 7, 4)) >> 7)); 2301 $b4 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($b, 10, 4)) >> 4)); 2302 $b5 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($b, 13, 3)) >> 1)); 2303 $b6 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($b, 15, 4)) >> 6)); 2304 $b7 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($b, 18, 3)) >> 3)); 2305 $b8 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($b, 21, 3))); 2306 $b9 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($b, 23, 4)) >> 5)); 2307 $b10 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($b, 26, 3)) >> 2)); 2308 $b11 = ParagonIE_Sodium_Core32_Int64::fromInt(0x1fffffff & (self::load_4(self::substr($b, 28, 4)) >> 7)); 2309 $c0 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($c, 0, 3))); 2310 $c1 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($c, 2, 4)) >> 5)); 2311 $c2 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($c, 5, 3)) >> 2)); 2312 $c3 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($c, 7, 4)) >> 7)); 2313 $c4 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($c, 10, 4)) >> 4)); 2314 $c5 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($c, 13, 3)) >> 1)); 2315 $c6 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($c, 15, 4)) >> 6)); 2316 $c7 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($c, 18, 3)) >> 3)); 2317 $c8 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($c, 21, 3))); 2318 $c9 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($c, 23, 4)) >> 5)); 2319 $c10 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($c, 26, 3)) >> 2)); 2320 $c11 = ParagonIE_Sodium_Core32_Int64::fromInt(0x1fffffff & (self::load_4(self::substr($c, 28, 4)) >> 7)); 2321 2322 /* Can't really avoid the pyramid here: */ 2323 /** 2324 * @var ParagonIE_Sodium_Core32_Int64 $s0 2325 * @var ParagonIE_Sodium_Core32_Int64 $s1 2326 * @var ParagonIE_Sodium_Core32_Int64 $s2 2327 * @var ParagonIE_Sodium_Core32_Int64 $s3 2328 * @var ParagonIE_Sodium_Core32_Int64 $s4 2329 * @var ParagonIE_Sodium_Core32_Int64 $s5 2330 * @var ParagonIE_Sodium_Core32_Int64 $s6 2331 * @var ParagonIE_Sodium_Core32_Int64 $s7 2332 * @var ParagonIE_Sodium_Core32_Int64 $s8 2333 * @var ParagonIE_Sodium_Core32_Int64 $s9 2334 * @var ParagonIE_Sodium_Core32_Int64 $s10 2335 * @var ParagonIE_Sodium_Core32_Int64 $s11 2336 * @var ParagonIE_Sodium_Core32_Int64 $s12 2337 * @var ParagonIE_Sodium_Core32_Int64 $s13 2338 * @var ParagonIE_Sodium_Core32_Int64 $s14 2339 * @var ParagonIE_Sodium_Core32_Int64 $s15 2340 * @var ParagonIE_Sodium_Core32_Int64 $s16 2341 * @var ParagonIE_Sodium_Core32_Int64 $s17 2342 * @var ParagonIE_Sodium_Core32_Int64 $s18 2343 * @var ParagonIE_Sodium_Core32_Int64 $s19 2344 * @var ParagonIE_Sodium_Core32_Int64 $s20 2345 * @var ParagonIE_Sodium_Core32_Int64 $s21 2346 * @var ParagonIE_Sodium_Core32_Int64 $s22 2347 * @var ParagonIE_Sodium_Core32_Int64 $s23 2348 */ 2349 2350 $s0 = $c0->addInt64($a0->mulInt64($b0, 24)); 2351 $s1 = $c1->addInt64($a0->mulInt64($b1, 24))->addInt64($a1->mulInt64($b0, 24)); 2352 $s2 = $c2->addInt64($a0->mulInt64($b2, 24))->addInt64($a1->mulInt64($b1, 24))->addInt64($a2->mulInt64($b0, 24)); 2353 $s3 = $c3->addInt64($a0->mulInt64($b3, 24))->addInt64($a1->mulInt64($b2, 24))->addInt64($a2->mulInt64($b1, 24)) 2354 ->addInt64($a3->mulInt64($b0, 24)); 2355 $s4 = $c4->addInt64($a0->mulInt64($b4, 24))->addInt64($a1->mulInt64($b3, 24))->addInt64($a2->mulInt64($b2, 24)) 2356 ->addInt64($a3->mulInt64($b1, 24))->addInt64($a4->mulInt64($b0, 24)); 2357 $s5 = $c5->addInt64($a0->mulInt64($b5, 24))->addInt64($a1->mulInt64($b4, 24))->addInt64($a2->mulInt64($b3, 24)) 2358 ->addInt64($a3->mulInt64($b2, 24))->addInt64($a4->mulInt64($b1, 24))->addInt64($a5->mulInt64($b0, 24)); 2359 $s6 = $c6->addInt64($a0->mulInt64($b6, 24))->addInt64($a1->mulInt64($b5, 24))->addInt64($a2->mulInt64($b4, 24)) 2360 ->addInt64($a3->mulInt64($b3, 24))->addInt64($a4->mulInt64($b2, 24))->addInt64($a5->mulInt64($b1, 24)) 2361 ->addInt64($a6->mulInt64($b0, 24)); 2362 $s7 = $c7->addInt64($a0->mulInt64($b7, 24))->addInt64($a1->mulInt64($b6, 24))->addInt64($a2->mulInt64($b5, 24)) 2363 ->addInt64($a3->mulInt64($b4, 24))->addInt64($a4->mulInt64($b3, 24))->addInt64($a5->mulInt64($b2, 24)) 2364 ->addInt64($a6->mulInt64($b1, 24))->addInt64($a7->mulInt64($b0, 24)); 2365 $s8 = $c8->addInt64($a0->mulInt64($b8, 24))->addInt64($a1->mulInt64($b7, 24))->addInt64($a2->mulInt64($b6, 24)) 2366 ->addInt64($a3->mulInt64($b5, 24))->addInt64($a4->mulInt64($b4, 24))->addInt64($a5->mulInt64($b3, 24)) 2367 ->addInt64($a6->mulInt64($b2, 24))->addInt64($a7->mulInt64($b1, 24))->addInt64($a8->mulInt64($b0, 24)); 2368 $s9 = $c9->addInt64($a0->mulInt64($b9, 24))->addInt64($a1->mulInt64($b8, 24))->addInt64($a2->mulInt64($b7, 24)) 2369 ->addInt64($a3->mulInt64($b6, 24))->addInt64($a4->mulInt64($b5, 24))->addInt64($a5->mulInt64($b4, 24)) 2370 ->addInt64($a6->mulInt64($b3, 24))->addInt64($a7->mulInt64($b2, 24))->addInt64($a8->mulInt64($b1, 24)) 2371 ->addInt64($a9->mulInt64($b0, 24)); 2372 $s10 = $c10->addInt64($a0->mulInt64($b10, 24))->addInt64($a1->mulInt64($b9, 24))->addInt64($a2->mulInt64($b8, 24)) 2373 ->addInt64($a3->mulInt64($b7, 24))->addInt64($a4->mulInt64($b6, 24))->addInt64($a5->mulInt64($b5, 24)) 2374 ->addInt64($a6->mulInt64($b4, 24))->addInt64($a7->mulInt64($b3, 24))->addInt64($a8->mulInt64($b2, 24)) 2375 ->addInt64($a9->mulInt64($b1, 24))->addInt64($a10->mulInt64($b0, 24)); 2376 $s11 = $c11->addInt64($a0->mulInt64($b11, 24))->addInt64($a1->mulInt64($b10, 24))->addInt64($a2->mulInt64($b9, 24)) 2377 ->addInt64($a3->mulInt64($b8, 24))->addInt64($a4->mulInt64($b7, 24))->addInt64($a5->mulInt64($b6, 24)) 2378 ->addInt64($a6->mulInt64($b5, 24))->addInt64($a7->mulInt64($b4, 24))->addInt64($a8->mulInt64($b3, 24)) 2379 ->addInt64($a9->mulInt64($b2, 24))->addInt64($a10->mulInt64($b1, 24))->addInt64($a11->mulInt64($b0, 24)); 2380 $s12 = $a1->mulInt64($b11, 24)->addInt64($a2->mulInt64($b10, 24))->addInt64($a3->mulInt64($b9, 24)) 2381 ->addInt64($a4->mulInt64($b8, 24))->addInt64($a5->mulInt64($b7, 24))->addInt64($a6->mulInt64($b6, 24)) 2382 ->addInt64($a7->mulInt64($b5, 24))->addInt64($a8->mulInt64($b4, 24))->addInt64($a9->mulInt64($b3, 24)) 2383 ->addInt64($a10->mulInt64($b2, 24))->addInt64($a11->mulInt64($b1, 24)); 2384 $s13 = $a2->mulInt64($b11, 24)->addInt64($a3->mulInt64($b10, 24))->addInt64($a4->mulInt64($b9, 24)) 2385 ->addInt64($a5->mulInt64($b8, 24))->addInt64($a6->mulInt64($b7, 24))->addInt64($a7->mulInt64($b6, 24)) 2386 ->addInt64($a8->mulInt64($b5, 24))->addInt64($a9->mulInt64($b4, 24))->addInt64($a10->mulInt64($b3, 24)) 2387 ->addInt64($a11->mulInt64($b2, 24)); 2388 $s14 = $a3->mulInt64($b11, 24)->addInt64($a4->mulInt64($b10, 24))->addInt64($a5->mulInt64($b9, 24)) 2389 ->addInt64($a6->mulInt64($b8, 24))->addInt64($a7->mulInt64($b7, 24))->addInt64($a8->mulInt64($b6, 24)) 2390 ->addInt64($a9->mulInt64($b5, 24))->addInt64($a10->mulInt64($b4, 24))->addInt64($a11->mulInt64($b3, 24)); 2391 $s15 = $a4->mulInt64($b11, 24)->addInt64($a5->mulInt64($b10, 24))->addInt64($a6->mulInt64($b9, 24)) 2392 ->addInt64($a7->mulInt64($b8, 24))->addInt64($a8->mulInt64($b7, 24))->addInt64($a9->mulInt64($b6, 24)) 2393 ->addInt64($a10->mulInt64($b5, 24))->addInt64($a11->mulInt64($b4, 24)); 2394 $s16 = $a5->mulInt64($b11, 24)->addInt64($a6->mulInt64($b10, 24))->addInt64($a7->mulInt64($b9, 24)) 2395 ->addInt64($a8->mulInt64($b8, 24))->addInt64($a9->mulInt64($b7, 24))->addInt64($a10->mulInt64($b6, 24)) 2396 ->addInt64($a11->mulInt64($b5, 24)); 2397 $s17 = $a6->mulInt64($b11, 24)->addInt64($a7->mulInt64($b10, 24))->addInt64($a8->mulInt64($b9, 24)) 2398 ->addInt64($a9->mulInt64($b8, 24))->addInt64($a10->mulInt64($b7, 24))->addInt64($a11->mulInt64($b6, 24)); 2399 $s18 = $a7->mulInt64($b11, 24)->addInt64($a8->mulInt64($b10, 24))->addInt64($a9->mulInt64($b9, 24)) 2400 ->addInt64($a10->mulInt64($b8, 24))->addInt64($a11->mulInt64($b7, 24)); 2401 $s19 = $a8->mulInt64($b11, 24)->addInt64($a9->mulInt64($b10, 24))->addInt64($a10->mulInt64($b9, 24)) 2402 ->addInt64($a11->mulInt64($b8, 24)); 2403 $s20 = $a9->mulInt64($b11, 24)->addInt64($a10->mulInt64($b10, 24))->addInt64($a11->mulInt64($b9, 24)); 2404 $s21 = $a10->mulInt64($b11, 24)->addInt64($a11->mulInt64($b10, 24)); 2405 $s22 = $a11->mulInt64($b11, 24); 2406 $s23 = new ParagonIE_Sodium_Core32_Int64(); 2407 2408 $carry0 = $s0->addInt(1 << 20)->shiftRight(21); 2409 $s1 = $s1->addInt64($carry0); 2410 $s0 = $s0->subInt64($carry0->shiftLeft(21)); 2411 $carry2 = $s2->addInt(1 << 20)->shiftRight(21); 2412 $s3 = $s3->addInt64($carry2); 2413 $s2 = $s2->subInt64($carry2->shiftLeft(21)); 2414 $carry4 = $s4->addInt(1 << 20)->shiftRight(21); 2415 $s5 = $s5->addInt64($carry4); 2416 $s4 = $s4->subInt64($carry4->shiftLeft(21)); 2417 $carry6 = $s6->addInt(1 << 20)->shiftRight(21); 2418 $s7 = $s7->addInt64($carry6); 2419 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 2420 $carry8 = $s8->addInt(1 << 20)->shiftRight(21); 2421 $s9 = $s9->addInt64($carry8); 2422 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 2423 $carry10 = $s10->addInt(1 << 20)->shiftRight(21); 2424 $s11 = $s11->addInt64($carry10); 2425 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 2426 $carry12 = $s12->addInt(1 << 20)->shiftRight(21); 2427 $s13 = $s13->addInt64($carry12); 2428 $s12 = $s12->subInt64($carry12->shiftLeft(21)); 2429 $carry14 = $s14->addInt(1 << 20)->shiftRight(21); 2430 $s15 = $s15->addInt64($carry14); 2431 $s14 = $s14->subInt64($carry14->shiftLeft(21)); 2432 $carry16 = $s16->addInt(1 << 20)->shiftRight(21); 2433 $s17 = $s17->addInt64($carry16); 2434 $s16 = $s16->subInt64($carry16->shiftLeft(21)); 2435 $carry18 = $s18->addInt(1 << 20)->shiftRight(21); 2436 $s19 = $s19->addInt64($carry18); 2437 $s18 = $s18->subInt64($carry18->shiftLeft(21)); 2438 $carry20 = $s20->addInt(1 << 20)->shiftRight(21); 2439 $s21 = $s21->addInt64($carry20); 2440 $s20 = $s20->subInt64($carry20->shiftLeft(21)); 2441 $carry22 = $s22->addInt(1 << 20)->shiftRight(21); 2442 $s23 = $s23->addInt64($carry22); 2443 $s22 = $s22->subInt64($carry22->shiftLeft(21)); 2444 2445 $carry1 = $s1->addInt(1 << 20)->shiftRight(21); 2446 $s2 = $s2->addInt64($carry1); 2447 $s1 = $s1->subInt64($carry1->shiftLeft(21)); 2448 $carry3 = $s3->addInt(1 << 20)->shiftRight(21); 2449 $s4 = $s4->addInt64($carry3); 2450 $s3 = $s3->subInt64($carry3->shiftLeft(21)); 2451 $carry5 = $s5->addInt(1 << 20)->shiftRight(21); 2452 $s6 = $s6->addInt64($carry5); 2453 $s5 = $s5->subInt64($carry5->shiftLeft(21)); 2454 $carry7 = $s7->addInt(1 << 20)->shiftRight(21); 2455 $s8 = $s8->addInt64($carry7); 2456 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 2457 $carry9 = $s9->addInt(1 << 20)->shiftRight(21); 2458 $s10 = $s10->addInt64($carry9); 2459 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 2460 $carry11 = $s11->addInt(1 << 20)->shiftRight(21); 2461 $s12 = $s12->addInt64($carry11); 2462 $s11 = $s11->subInt64($carry11->shiftLeft(21)); 2463 $carry13 = $s13->addInt(1 << 20)->shiftRight(21); 2464 $s14 = $s14->addInt64($carry13); 2465 $s13 = $s13->subInt64($carry13->shiftLeft(21)); 2466 $carry15 = $s15->addInt(1 << 20)->shiftRight(21); 2467 $s16 = $s16->addInt64($carry15); 2468 $s15 = $s15->subInt64($carry15->shiftLeft(21)); 2469 $carry17 = $s17->addInt(1 << 20)->shiftRight(21); 2470 $s18 = $s18->addInt64($carry17); 2471 $s17 = $s17->subInt64($carry17->shiftLeft(21)); 2472 $carry19 = $s19->addInt(1 << 20)->shiftRight(21); 2473 $s20 = $s20->addInt64($carry19); 2474 $s19 = $s19->subInt64($carry19->shiftLeft(21)); 2475 $carry21 = $s21->addInt(1 << 20)->shiftRight(21); 2476 $s22 = $s22->addInt64($carry21); 2477 $s21 = $s21->subInt64($carry21->shiftLeft(21)); 2478 2479 $s11 = $s11->addInt64($s23->mulInt(666643, 20)); 2480 $s12 = $s12->addInt64($s23->mulInt(470296, 19)); 2481 $s13 = $s13->addInt64($s23->mulInt(654183, 20)); 2482 $s14 = $s14->subInt64($s23->mulInt(997805, 20)); 2483 $s15 = $s15->addInt64($s23->mulInt(136657, 18)); 2484 $s16 = $s16->subInt64($s23->mulInt(683901, 20)); 2485 2486 $s10 = $s10->addInt64($s22->mulInt(666643, 20)); 2487 $s11 = $s11->addInt64($s22->mulInt(470296, 19)); 2488 $s12 = $s12->addInt64($s22->mulInt(654183, 20)); 2489 $s13 = $s13->subInt64($s22->mulInt(997805, 20)); 2490 $s14 = $s14->addInt64($s22->mulInt(136657, 18)); 2491 $s15 = $s15->subInt64($s22->mulInt(683901, 20)); 2492 2493 $s9 = $s9->addInt64($s21->mulInt(666643, 20)); 2494 $s10 = $s10->addInt64($s21->mulInt(470296, 19)); 2495 $s11 = $s11->addInt64($s21->mulInt(654183, 20)); 2496 $s12 = $s12->subInt64($s21->mulInt(997805, 20)); 2497 $s13 = $s13->addInt64($s21->mulInt(136657, 18)); 2498 $s14 = $s14->subInt64($s21->mulInt(683901, 20)); 2499 2500 $s8 = $s8->addInt64($s20->mulInt(666643, 20)); 2501 $s9 = $s9->addInt64($s20->mulInt(470296, 19)); 2502 $s10 = $s10->addInt64($s20->mulInt(654183, 20)); 2503 $s11 = $s11->subInt64($s20->mulInt(997805, 20)); 2504 $s12 = $s12->addInt64($s20->mulInt(136657, 18)); 2505 $s13 = $s13->subInt64($s20->mulInt(683901, 20)); 2506 2507 $s7 = $s7->addInt64($s19->mulInt(666643, 20)); 2508 $s8 = $s8->addInt64($s19->mulInt(470296, 19)); 2509 $s9 = $s9->addInt64($s19->mulInt(654183, 20)); 2510 $s10 = $s10->subInt64($s19->mulInt(997805, 20)); 2511 $s11 = $s11->addInt64($s19->mulInt(136657, 18)); 2512 $s12 = $s12->subInt64($s19->mulInt(683901, 20)); 2513 2514 $s6 = $s6->addInt64($s18->mulInt(666643, 20)); 2515 $s7 = $s7->addInt64($s18->mulInt(470296, 19)); 2516 $s8 = $s8->addInt64($s18->mulInt(654183, 20)); 2517 $s9 = $s9->subInt64($s18->mulInt(997805, 20)); 2518 $s10 = $s10->addInt64($s18->mulInt(136657, 18)); 2519 $s11 = $s11->subInt64($s18->mulInt(683901, 20)); 2520 2521 $carry6 = $s6->addInt(1 << 20)->shiftRight(21); 2522 $s7 = $s7->addInt64($carry6); 2523 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 2524 $carry8 = $s8->addInt(1 << 20)->shiftRight(21); 2525 $s9 = $s9->addInt64($carry8); 2526 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 2527 $carry10 = $s10->addInt(1 << 20)->shiftRight(21); 2528 $s11 = $s11->addInt64($carry10); 2529 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 2530 $carry12 = $s12->addInt(1 << 20)->shiftRight(21); 2531 $s13 = $s13->addInt64($carry12); 2532 $s12 = $s12->subInt64($carry12->shiftLeft(21)); 2533 $carry14 = $s14->addInt(1 << 20)->shiftRight(21); 2534 $s15 = $s15->addInt64($carry14); 2535 $s14 = $s14->subInt64($carry14->shiftLeft(21)); 2536 $carry16 = $s16->addInt(1 << 20)->shiftRight(21); 2537 $s17 = $s17->addInt64($carry16); 2538 $s16 = $s16->subInt64($carry16->shiftLeft(21)); 2539 2540 $carry7 = $s7->addInt(1 << 20)->shiftRight(21); 2541 $s8 = $s8->addInt64($carry7); 2542 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 2543 $carry9 = $s9->addInt(1 << 20)->shiftRight(21); 2544 $s10 = $s10->addInt64($carry9); 2545 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 2546 $carry11 = $s11->addInt(1 << 20)->shiftRight(21); 2547 $s12 = $s12->addInt64($carry11); 2548 $s11 = $s11->subInt64($carry11->shiftLeft(21)); 2549 $carry13 = $s13->addInt(1 << 20)->shiftRight(21); 2550 $s14 = $s14->addInt64($carry13); 2551 $s13 = $s13->subInt64($carry13->shiftLeft(21)); 2552 $carry15 = $s15->addInt(1 << 20)->shiftRight(21); 2553 $s16 = $s16->addInt64($carry15); 2554 $s15 = $s15->subInt64($carry15->shiftLeft(21)); 2555 2556 $s5 = $s5->addInt64($s17->mulInt(666643, 20)); 2557 $s6 = $s6->addInt64($s17->mulInt(470296, 19)); 2558 $s7 = $s7->addInt64($s17->mulInt(654183, 20)); 2559 $s8 = $s8->subInt64($s17->mulInt(997805, 20)); 2560 $s9 = $s9->addInt64($s17->mulInt(136657, 18)); 2561 $s10 = $s10->subInt64($s17->mulInt(683901, 20)); 2562 2563 $s4 = $s4->addInt64($s16->mulInt(666643, 20)); 2564 $s5 = $s5->addInt64($s16->mulInt(470296, 19)); 2565 $s6 = $s6->addInt64($s16->mulInt(654183, 20)); 2566 $s7 = $s7->subInt64($s16->mulInt(997805, 20)); 2567 $s8 = $s8->addInt64($s16->mulInt(136657, 18)); 2568 $s9 = $s9->subInt64($s16->mulInt(683901, 20)); 2569 2570 $s3 = $s3->addInt64($s15->mulInt(666643, 20)); 2571 $s4 = $s4->addInt64($s15->mulInt(470296, 19)); 2572 $s5 = $s5->addInt64($s15->mulInt(654183, 20)); 2573 $s6 = $s6->subInt64($s15->mulInt(997805, 20)); 2574 $s7 = $s7->addInt64($s15->mulInt(136657, 18)); 2575 $s8 = $s8->subInt64($s15->mulInt(683901, 20)); 2576 2577 $s2 = $s2->addInt64($s14->mulInt(666643, 20)); 2578 $s3 = $s3->addInt64($s14->mulInt(470296, 19)); 2579 $s4 = $s4->addInt64($s14->mulInt(654183, 20)); 2580 $s5 = $s5->subInt64($s14->mulInt(997805, 20)); 2581 $s6 = $s6->addInt64($s14->mulInt(136657, 18)); 2582 $s7 = $s7->subInt64($s14->mulInt(683901, 20)); 2583 2584 $s1 = $s1->addInt64($s13->mulInt(666643, 20)); 2585 $s2 = $s2->addInt64($s13->mulInt(470296, 19)); 2586 $s3 = $s3->addInt64($s13->mulInt(654183, 20)); 2587 $s4 = $s4->subInt64($s13->mulInt(997805, 20)); 2588 $s5 = $s5->addInt64($s13->mulInt(136657, 18)); 2589 $s6 = $s6->subInt64($s13->mulInt(683901, 20)); 2590 2591 $s0 = $s0->addInt64($s12->mulInt(666643, 20)); 2592 $s1 = $s1->addInt64($s12->mulInt(470296, 19)); 2593 $s2 = $s2->addInt64($s12->mulInt(654183, 20)); 2594 $s3 = $s3->subInt64($s12->mulInt(997805, 20)); 2595 $s4 = $s4->addInt64($s12->mulInt(136657, 18)); 2596 $s5 = $s5->subInt64($s12->mulInt(683901, 20)); 2597 $s12 = new ParagonIE_Sodium_Core32_Int64(); 2598 2599 $carry0 = $s0->addInt(1 << 20)->shiftRight(21); 2600 $s1 = $s1->addInt64($carry0); 2601 $s0 = $s0->subInt64($carry0->shiftLeft(21)); 2602 $carry2 = $s2->addInt(1 << 20)->shiftRight(21); 2603 $s3 = $s3->addInt64($carry2); 2604 $s2 = $s2->subInt64($carry2->shiftLeft(21)); 2605 $carry4 = $s4->addInt(1 << 20)->shiftRight(21); 2606 $s5 = $s5->addInt64($carry4); 2607 $s4 = $s4->subInt64($carry4->shiftLeft(21)); 2608 $carry6 = $s6->addInt(1 << 20)->shiftRight(21); 2609 $s7 = $s7->addInt64($carry6); 2610 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 2611 $carry8 = $s8->addInt(1 << 20)->shiftRight(21); 2612 $s9 = $s9->addInt64($carry8); 2613 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 2614 $carry10 = $s10->addInt(1 << 20)->shiftRight(21); 2615 $s11 = $s11->addInt64($carry10); 2616 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 2617 2618 $carry1 = $s1->addInt(1 << 20)->shiftRight(21); 2619 $s2 = $s2->addInt64($carry1); 2620 $s1 = $s1->subInt64($carry1->shiftLeft(21)); 2621 $carry3 = $s3->addInt(1 << 20)->shiftRight(21); 2622 $s4 = $s4->addInt64($carry3); 2623 $s3 = $s3->subInt64($carry3->shiftLeft(21)); 2624 $carry5 = $s5->addInt(1 << 20)->shiftRight(21); 2625 $s6 = $s6->addInt64($carry5); 2626 $s5 = $s5->subInt64($carry5->shiftLeft(21)); 2627 $carry7 = $s7->addInt(1 << 20)->shiftRight(21); 2628 $s8 = $s8->addInt64($carry7); 2629 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 2630 $carry9 = $s9->addInt(1 << 20)->shiftRight(21); 2631 $s10 = $s10->addInt64($carry9); 2632 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 2633 $carry11 = $s11->addInt(1 << 20)->shiftRight(21); 2634 $s12 = $s12->addInt64($carry11); 2635 $s11 = $s11->subInt64($carry11->shiftLeft(21)); 2636 2637 $s0 = $s0->addInt64($s12->mulInt(666643, 20)); 2638 $s1 = $s1->addInt64($s12->mulInt(470296, 19)); 2639 $s2 = $s2->addInt64($s12->mulInt(654183, 20)); 2640 $s3 = $s3->subInt64($s12->mulInt(997805, 20)); 2641 $s4 = $s4->addInt64($s12->mulInt(136657, 18)); 2642 $s5 = $s5->subInt64($s12->mulInt(683901, 20)); 2643 $s12 = new ParagonIE_Sodium_Core32_Int64(); 2644 2645 $carry0 = $s0->shiftRight(21); 2646 $s1 = $s1->addInt64($carry0); 2647 $s0 = $s0->subInt64($carry0->shiftLeft(21)); 2648 $carry1 = $s1->shiftRight(21); 2649 $s2 = $s2->addInt64($carry1); 2650 $s1 = $s1->subInt64($carry1->shiftLeft(21)); 2651 $carry2 = $s2->shiftRight(21); 2652 $s3 = $s3->addInt64($carry2); 2653 $s2 = $s2->subInt64($carry2->shiftLeft(21)); 2654 $carry3 = $s3->shiftRight(21); 2655 $s4 = $s4->addInt64($carry3); 2656 $s3 = $s3->subInt64($carry3->shiftLeft(21)); 2657 $carry4 = $s4->shiftRight(21); 2658 $s5 = $s5->addInt64($carry4); 2659 $s4 = $s4->subInt64($carry4->shiftLeft(21)); 2660 $carry5 = $s5->shiftRight(21); 2661 $s6 = $s6->addInt64($carry5); 2662 $s5 = $s5->subInt64($carry5->shiftLeft(21)); 2663 $carry6 = $s6->shiftRight(21); 2664 $s7 = $s7->addInt64($carry6); 2665 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 2666 $carry7 = $s7->shiftRight(21); 2667 $s8 = $s8->addInt64($carry7); 2668 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 2669 $carry8 = $s8->shiftRight(21); 2670 $s9 = $s9->addInt64($carry8); 2671 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 2672 $carry9 = $s9->shiftRight(21); 2673 $s10 = $s10->addInt64($carry9); 2674 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 2675 $carry10 = $s10->shiftRight(21); 2676 $s11 = $s11->addInt64($carry10); 2677 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 2678 $carry11 = $s11->shiftRight(21); 2679 $s12 = $s12->addInt64($carry11); 2680 $s11 = $s11->subInt64($carry11->shiftLeft(21)); 2681 2682 $s0 = $s0->addInt64($s12->mulInt(666643, 20)); 2683 $s1 = $s1->addInt64($s12->mulInt(470296, 19)); 2684 $s2 = $s2->addInt64($s12->mulInt(654183, 20)); 2685 $s3 = $s3->subInt64($s12->mulInt(997805, 20)); 2686 $s4 = $s4->addInt64($s12->mulInt(136657, 18)); 2687 $s5 = $s5->subInt64($s12->mulInt(683901, 20)); 2688 2689 $carry0 = $s0->shiftRight(21); 2690 $s1 = $s1->addInt64($carry0); 2691 $s0 = $s0->subInt64($carry0->shiftLeft(21)); 2692 $carry1 = $s1->shiftRight(21); 2693 $s2 = $s2->addInt64($carry1); 2694 $s1 = $s1->subInt64($carry1->shiftLeft(21)); 2695 $carry2 = $s2->shiftRight(21); 2696 $s3 = $s3->addInt64($carry2); 2697 $s2 = $s2->subInt64($carry2->shiftLeft(21)); 2698 $carry3 = $s3->shiftRight(21); 2699 $s4 = $s4->addInt64($carry3); 2700 $s3 = $s3->subInt64($carry3->shiftLeft(21)); 2701 $carry4 = $s4->shiftRight(21); 2702 $s5 = $s5->addInt64($carry4); 2703 $s4 = $s4->subInt64($carry4->shiftLeft(21)); 2704 $carry5 = $s5->shiftRight(21); 2705 $s6 = $s6->addInt64($carry5); 2706 $s5 = $s5->subInt64($carry5->shiftLeft(21)); 2707 $carry6 = $s6->shiftRight(21); 2708 $s7 = $s7->addInt64($carry6); 2709 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 2710 $carry7 = $s7->shiftRight(21); 2711 $s8 = $s8->addInt64($carry7); 2712 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 2713 $carry8 = $s10->shiftRight(21); 2714 $s9 = $s9->addInt64($carry8); 2715 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 2716 $carry9 = $s9->shiftRight(21); 2717 $s10 = $s10->addInt64($carry9); 2718 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 2719 $carry10 = $s10->shiftRight(21); 2720 $s11 = $s11->addInt64($carry10); 2721 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 2722 2723 $S0 = $s0->toInt(); 2724 $S1 = $s1->toInt(); 2725 $S2 = $s2->toInt(); 2726 $S3 = $s3->toInt(); 2727 $S4 = $s4->toInt(); 2728 $S5 = $s5->toInt(); 2729 $S6 = $s6->toInt(); 2730 $S7 = $s7->toInt(); 2731 $S8 = $s8->toInt(); 2732 $S9 = $s9->toInt(); 2733 $S10 = $s10->toInt(); 2734 $S11 = $s11->toInt(); 2735 2736 /** 2737 * @var array<int, int> 2738 */ 2739 $arr = array( 2740 (int) (0xff & ($S0 >> 0)), 2741 (int) (0xff & ($S0 >> 8)), 2742 (int) (0xff & (($S0 >> 16) | ($S1 << 5))), 2743 (int) (0xff & ($S1 >> 3)), 2744 (int) (0xff & ($S1 >> 11)), 2745 (int) (0xff & (($S1 >> 19) | ($S2 << 2))), 2746 (int) (0xff & ($S2 >> 6)), 2747 (int) (0xff & (($S2 >> 14) | ($S3 << 7))), 2748 (int) (0xff & ($S3 >> 1)), 2749 (int) (0xff & ($S3 >> 9)), 2750 (int) (0xff & (($S3 >> 17) | ($S4 << 4))), 2751 (int) (0xff & ($S4 >> 4)), 2752 (int) (0xff & ($S4 >> 12)), 2753 (int) (0xff & (($S4 >> 20) | ($S5 << 1))), 2754 (int) (0xff & ($S5 >> 7)), 2755 (int) (0xff & (($S5 >> 15) | ($S6 << 6))), 2756 (int) (0xff & ($S6 >> 2)), 2757 (int) (0xff & ($S6 >> 10)), 2758 (int) (0xff & (($S6 >> 18) | ($S7 << 3))), 2759 (int) (0xff & ($S7 >> 5)), 2760 (int) (0xff & ($S7 >> 13)), 2761 (int) (0xff & ($S8 >> 0)), 2762 (int) (0xff & ($S8 >> 8)), 2763 (int) (0xff & (($S8 >> 16) | ($S9 << 5))), 2764 (int) (0xff & ($S9 >> 3)), 2765 (int) (0xff & ($S9 >> 11)), 2766 (int) (0xff & (($S9 >> 19) | ($S10 << 2))), 2767 (int) (0xff & ($S10 >> 6)), 2768 (int) (0xff & (($S10 >> 14) | ($S11 << 7))), 2769 (int) (0xff & ($S11 >> 1)), 2770 (int) (0xff & ($S11 >> 9)), 2771 (int) (0xff & ($S11 >> 17)) 2772 ); 2773 return self::intArrayToString($arr); 2774 } 2775 2776 /** 2777 * @internal You should not use this directly from another application 2778 * 2779 * @param string $s 2780 * @return string 2781 * @throws SodiumException 2782 * @throws TypeError 2783 */ 2784 public static function sc_reduce($s) 2785 { 2786 /** 2787 * @var ParagonIE_Sodium_Core32_Int64 $s0 2788 * @var ParagonIE_Sodium_Core32_Int64 $s1 2789 * @var ParagonIE_Sodium_Core32_Int64 $s2 2790 * @var ParagonIE_Sodium_Core32_Int64 $s3 2791 * @var ParagonIE_Sodium_Core32_Int64 $s4 2792 * @var ParagonIE_Sodium_Core32_Int64 $s5 2793 * @var ParagonIE_Sodium_Core32_Int64 $s6 2794 * @var ParagonIE_Sodium_Core32_Int64 $s7 2795 * @var ParagonIE_Sodium_Core32_Int64 $s8 2796 * @var ParagonIE_Sodium_Core32_Int64 $s9 2797 * @var ParagonIE_Sodium_Core32_Int64 $s10 2798 * @var ParagonIE_Sodium_Core32_Int64 $s11 2799 * @var ParagonIE_Sodium_Core32_Int64 $s12 2800 * @var ParagonIE_Sodium_Core32_Int64 $s13 2801 * @var ParagonIE_Sodium_Core32_Int64 $s14 2802 * @var ParagonIE_Sodium_Core32_Int64 $s15 2803 * @var ParagonIE_Sodium_Core32_Int64 $s16 2804 * @var ParagonIE_Sodium_Core32_Int64 $s17 2805 * @var ParagonIE_Sodium_Core32_Int64 $s18 2806 * @var ParagonIE_Sodium_Core32_Int64 $s19 2807 * @var ParagonIE_Sodium_Core32_Int64 $s20 2808 * @var ParagonIE_Sodium_Core32_Int64 $s21 2809 * @var ParagonIE_Sodium_Core32_Int64 $s22 2810 * @var ParagonIE_Sodium_Core32_Int64 $s23 2811 */ 2812 $s0 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($s, 0, 3))); 2813 $s1 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 2, 4)) >> 5)); 2814 $s2 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 5, 3)) >> 2)); 2815 $s3 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 7, 4)) >> 7)); 2816 $s4 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 10, 4)) >> 4)); 2817 $s5 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 13, 3)) >> 1)); 2818 $s6 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 15, 4)) >> 6)); 2819 $s7 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 18, 4)) >> 3)); 2820 $s8 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($s, 21, 3))); 2821 $s9 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 23, 4)) >> 5)); 2822 $s10 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 26, 3)) >> 2)); 2823 $s11 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 28, 4)) >> 7)); 2824 $s12 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 31, 4)) >> 4)); 2825 $s13 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 34, 3)) >> 1)); 2826 $s14 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 36, 4)) >> 6)); 2827 $s15 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 39, 4)) >> 3)); 2828 $s16 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & self::load_3(self::substr($s, 42, 3))); 2829 $s17 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 44, 4)) >> 5)); 2830 $s18 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 47, 3)) >> 2)); 2831 $s19 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 49, 4)) >> 7)); 2832 $s20 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 52, 4)) >> 4)); 2833 $s21 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_3(self::substr($s, 55, 3)) >> 1)); 2834 $s22 = ParagonIE_Sodium_Core32_Int64::fromInt(2097151 & (self::load_4(self::substr($s, 57, 4)) >> 6)); 2835 $s23 = ParagonIE_Sodium_Core32_Int64::fromInt(0x1fffffff & (self::load_4(self::substr($s, 60, 4)) >> 3)); 2836 2837 $s11 = $s11->addInt64($s23->mulInt(666643, 20)); 2838 $s12 = $s12->addInt64($s23->mulInt(470296, 19)); 2839 $s13 = $s13->addInt64($s23->mulInt(654183, 20)); 2840 $s14 = $s14->subInt64($s23->mulInt(997805, 20)); 2841 $s15 = $s15->addInt64($s23->mulInt(136657, 18)); 2842 $s16 = $s16->subInt64($s23->mulInt(683901, 20)); 2843 2844 $s10 = $s10->addInt64($s22->mulInt(666643, 20)); 2845 $s11 = $s11->addInt64($s22->mulInt(470296, 19)); 2846 $s12 = $s12->addInt64($s22->mulInt(654183, 20)); 2847 $s13 = $s13->subInt64($s22->mulInt(997805, 20)); 2848 $s14 = $s14->addInt64($s22->mulInt(136657, 18)); 2849 $s15 = $s15->subInt64($s22->mulInt(683901, 20)); 2850 2851 $s9 = $s9->addInt64($s21->mulInt(666643, 20)); 2852 $s10 = $s10->addInt64($s21->mulInt(470296, 19)); 2853 $s11 = $s11->addInt64($s21->mulInt(654183, 20)); 2854 $s12 = $s12->subInt64($s21->mulInt(997805, 20)); 2855 $s13 = $s13->addInt64($s21->mulInt(136657, 18)); 2856 $s14 = $s14->subInt64($s21->mulInt(683901, 20)); 2857 2858 $s8 = $s8->addInt64($s20->mulInt(666643, 20)); 2859 $s9 = $s9->addInt64($s20->mulInt(470296, 19)); 2860 $s10 = $s10->addInt64($s20->mulInt(654183, 20)); 2861 $s11 = $s11->subInt64($s20->mulInt(997805, 20)); 2862 $s12 = $s12->addInt64($s20->mulInt(136657, 18)); 2863 $s13 = $s13->subInt64($s20->mulInt(683901, 20)); 2864 2865 $s7 = $s7->addInt64($s19->mulInt(666643, 20)); 2866 $s8 = $s8->addInt64($s19->mulInt(470296, 19)); 2867 $s9 = $s9->addInt64($s19->mulInt(654183, 20)); 2868 $s10 = $s10->subInt64($s19->mulInt(997805, 20)); 2869 $s11 = $s11->addInt64($s19->mulInt(136657, 18)); 2870 $s12 = $s12->subInt64($s19->mulInt(683901, 20)); 2871 2872 $s6 = $s6->addInt64($s18->mulInt(666643, 20)); 2873 $s7 = $s7->addInt64($s18->mulInt(470296, 19)); 2874 $s8 = $s8->addInt64($s18->mulInt(654183, 20)); 2875 $s9 = $s9->subInt64($s18->mulInt(997805, 20)); 2876 $s10 = $s10->addInt64($s18->mulInt(136657, 18)); 2877 $s11 = $s11->subInt64($s18->mulInt(683901, 20)); 2878 2879 $carry6 = $s6->addInt(1 << 20)->shiftRight(21); 2880 $s7 = $s7->addInt64($carry6); 2881 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 2882 $carry8 = $s8->addInt(1 << 20)->shiftRight(21); 2883 $s9 = $s9->addInt64($carry8); 2884 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 2885 $carry10 = $s10->addInt(1 << 20)->shiftRight(21); 2886 $s11 = $s11->addInt64($carry10); 2887 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 2888 $carry12 = $s12->addInt(1 << 20)->shiftRight(21); 2889 $s13 = $s13->addInt64($carry12); 2890 $s12 = $s12->subInt64($carry12->shiftLeft(21)); 2891 $carry14 = $s14->addInt(1 << 20)->shiftRight(21); 2892 $s15 = $s15->addInt64($carry14); 2893 $s14 = $s14->subInt64($carry14->shiftLeft(21)); 2894 $carry16 = $s16->addInt(1 << 20)->shiftRight(21); 2895 $s17 = $s17->addInt64($carry16); 2896 $s16 = $s16->subInt64($carry16->shiftLeft(21)); 2897 2898 $carry7 = $s7->addInt(1 << 20)->shiftRight(21); 2899 $s8 = $s8->addInt64($carry7); 2900 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 2901 $carry9 = $s9->addInt(1 << 20)->shiftRight(21); 2902 $s10 = $s10->addInt64($carry9); 2903 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 2904 $carry11 = $s11->addInt(1 << 20)->shiftRight(21); 2905 $s12 = $s12->addInt64($carry11); 2906 $s11 = $s11->subInt64($carry11->shiftLeft(21)); 2907 $carry13 = $s13->addInt(1 << 20)->shiftRight(21); 2908 $s14 = $s14->addInt64($carry13); 2909 $s13 = $s13->subInt64($carry13->shiftLeft(21)); 2910 $carry15 = $s15->addInt(1 << 20)->shiftRight(21); 2911 $s16 = $s16->addInt64($carry15); 2912 $s15 = $s15->subInt64($carry15->shiftLeft(21)); 2913 2914 $s5 = $s5->addInt64($s17->mulInt(666643, 20)); 2915 $s6 = $s6->addInt64($s17->mulInt(470296, 19)); 2916 $s7 = $s7->addInt64($s17->mulInt(654183, 20)); 2917 $s8 = $s8->subInt64($s17->mulInt(997805, 20)); 2918 $s9 = $s9->addInt64($s17->mulInt(136657, 18)); 2919 $s10 = $s10->subInt64($s17->mulInt(683901, 20)); 2920 2921 $s4 = $s4->addInt64($s16->mulInt(666643, 20)); 2922 $s5 = $s5->addInt64($s16->mulInt(470296, 19)); 2923 $s6 = $s6->addInt64($s16->mulInt(654183, 20)); 2924 $s7 = $s7->subInt64($s16->mulInt(997805, 20)); 2925 $s8 = $s8->addInt64($s16->mulInt(136657, 18)); 2926 $s9 = $s9->subInt64($s16->mulInt(683901, 20)); 2927 2928 $s3 = $s3->addInt64($s15->mulInt(666643, 20)); 2929 $s4 = $s4->addInt64($s15->mulInt(470296, 19)); 2930 $s5 = $s5->addInt64($s15->mulInt(654183, 20)); 2931 $s6 = $s6->subInt64($s15->mulInt(997805, 20)); 2932 $s7 = $s7->addInt64($s15->mulInt(136657, 18)); 2933 $s8 = $s8->subInt64($s15->mulInt(683901, 20)); 2934 2935 $s2 = $s2->addInt64($s14->mulInt(666643, 20)); 2936 $s3 = $s3->addInt64($s14->mulInt(470296, 19)); 2937 $s4 = $s4->addInt64($s14->mulInt(654183, 20)); 2938 $s5 = $s5->subInt64($s14->mulInt(997805, 20)); 2939 $s6 = $s6->addInt64($s14->mulInt(136657, 18)); 2940 $s7 = $s7->subInt64($s14->mulInt(683901, 20)); 2941 2942 $s1 = $s1->addInt64($s13->mulInt(666643, 20)); 2943 $s2 = $s2->addInt64($s13->mulInt(470296, 19)); 2944 $s3 = $s3->addInt64($s13->mulInt(654183, 20)); 2945 $s4 = $s4->subInt64($s13->mulInt(997805, 20)); 2946 $s5 = $s5->addInt64($s13->mulInt(136657, 18)); 2947 $s6 = $s6->subInt64($s13->mulInt(683901, 20)); 2948 2949 $s0 = $s0->addInt64($s12->mulInt(666643, 20)); 2950 $s1 = $s1->addInt64($s12->mulInt(470296, 19)); 2951 $s2 = $s2->addInt64($s12->mulInt(654183, 20)); 2952 $s3 = $s3->subInt64($s12->mulInt(997805, 20)); 2953 $s4 = $s4->addInt64($s12->mulInt(136657, 18)); 2954 $s5 = $s5->subInt64($s12->mulInt(683901, 20)); 2955 $s12 = new ParagonIE_Sodium_Core32_Int64(); 2956 2957 $carry0 = $s0->addInt(1 << 20)->shiftRight(21); 2958 $s1 = $s1->addInt64($carry0); 2959 $s0 = $s0->subInt64($carry0->shiftLeft(21)); 2960 $carry2 = $s2->addInt(1 << 20)->shiftRight(21); 2961 $s3 = $s3->addInt64($carry2); 2962 $s2 = $s2->subInt64($carry2->shiftLeft(21)); 2963 $carry4 = $s4->addInt(1 << 20)->shiftRight(21); 2964 $s5 = $s5->addInt64($carry4); 2965 $s4 = $s4->subInt64($carry4->shiftLeft(21)); 2966 $carry6 = $s6->addInt(1 << 20)->shiftRight(21); 2967 $s7 = $s7->addInt64($carry6); 2968 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 2969 $carry8 = $s8->addInt(1 << 20)->shiftRight(21); 2970 $s9 = $s9->addInt64($carry8); 2971 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 2972 $carry10 = $s10->addInt(1 << 20)->shiftRight(21); 2973 $s11 = $s11->addInt64($carry10); 2974 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 2975 $carry1 = $s1->addInt(1 << 20)->shiftRight(21); 2976 $s2 = $s2->addInt64($carry1); 2977 $s1 = $s1->subInt64($carry1->shiftLeft(21)); 2978 $carry3 = $s3->addInt(1 << 20)->shiftRight(21); 2979 $s4 = $s4->addInt64($carry3); 2980 $s3 = $s3->subInt64($carry3->shiftLeft(21)); 2981 $carry5 = $s5->addInt(1 << 20)->shiftRight(21); 2982 $s6 = $s6->addInt64($carry5); 2983 $s5 = $s5->subInt64($carry5->shiftLeft(21)); 2984 $carry7 = $s7->addInt(1 << 20)->shiftRight(21); 2985 $s8 = $s8->addInt64($carry7); 2986 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 2987 $carry9 = $s9->addInt(1 << 20)->shiftRight(21); 2988 $s10 = $s10->addInt64($carry9); 2989 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 2990 $carry11 = $s11->addInt(1 << 20)->shiftRight(21); 2991 $s12 = $s12->addInt64($carry11); 2992 $s11 = $s11->subInt64($carry11->shiftLeft(21)); 2993 2994 $s0 = $s0->addInt64($s12->mulInt(666643, 20)); 2995 $s1 = $s1->addInt64($s12->mulInt(470296, 19)); 2996 $s2 = $s2->addInt64($s12->mulInt(654183, 20)); 2997 $s3 = $s3->subInt64($s12->mulInt(997805, 20)); 2998 $s4 = $s4->addInt64($s12->mulInt(136657, 18)); 2999 $s5 = $s5->subInt64($s12->mulInt(683901, 20)); 3000 $s12 = new ParagonIE_Sodium_Core32_Int64(); 3001 3002 $carry0 = $s0->shiftRight(21); 3003 $s1 = $s1->addInt64($carry0); 3004 $s0 = $s0->subInt64($carry0->shiftLeft(21)); 3005 $carry1 = $s1->shiftRight(21); 3006 $s2 = $s2->addInt64($carry1); 3007 $s1 = $s1->subInt64($carry1->shiftLeft(21)); 3008 $carry2 = $s2->shiftRight(21); 3009 $s3 = $s3->addInt64($carry2); 3010 $s2 = $s2->subInt64($carry2->shiftLeft(21)); 3011 $carry3 = $s3->shiftRight(21); 3012 $s4 = $s4->addInt64($carry3); 3013 $s3 = $s3->subInt64($carry3->shiftLeft(21)); 3014 $carry4 = $s4->shiftRight(21); 3015 $s5 = $s5->addInt64($carry4); 3016 $s4 = $s4->subInt64($carry4->shiftLeft(21)); 3017 $carry5 = $s5->shiftRight(21); 3018 $s6 = $s6->addInt64($carry5); 3019 $s5 = $s5->subInt64($carry5->shiftLeft(21)); 3020 $carry6 = $s6->shiftRight(21); 3021 $s7 = $s7->addInt64($carry6); 3022 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 3023 $carry7 = $s7->shiftRight(21); 3024 $s8 = $s8->addInt64($carry7); 3025 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 3026 $carry8 = $s8->shiftRight(21); 3027 $s9 = $s9->addInt64($carry8); 3028 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 3029 $carry9 = $s9->shiftRight(21); 3030 $s10 = $s10->addInt64($carry9); 3031 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 3032 $carry10 = $s10->shiftRight(21); 3033 $s11 = $s11->addInt64($carry10); 3034 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 3035 $carry11 = $s11->shiftRight(21); 3036 $s12 = $s12->addInt64($carry11); 3037 $s11 = $s11->subInt64($carry11->shiftLeft(21)); 3038 3039 $s0 = $s0->addInt64($s12->mulInt(666643, 20)); 3040 $s1 = $s1->addInt64($s12->mulInt(470296, 19)); 3041 $s2 = $s2->addInt64($s12->mulInt(654183, 20)); 3042 $s3 = $s3->subInt64($s12->mulInt(997805, 20)); 3043 $s4 = $s4->addInt64($s12->mulInt(136657, 18)); 3044 $s5 = $s5->subInt64($s12->mulInt(683901, 20)); 3045 3046 $carry0 = $s0->shiftRight(21); 3047 $s1 = $s1->addInt64($carry0); 3048 $s0 = $s0->subInt64($carry0->shiftLeft(21)); 3049 $carry1 = $s1->shiftRight(21); 3050 $s2 = $s2->addInt64($carry1); 3051 $s1 = $s1->subInt64($carry1->shiftLeft(21)); 3052 $carry2 = $s2->shiftRight(21); 3053 $s3 = $s3->addInt64($carry2); 3054 $s2 = $s2->subInt64($carry2->shiftLeft(21)); 3055 $carry3 = $s3->shiftRight(21); 3056 $s4 = $s4->addInt64($carry3); 3057 $s3 = $s3->subInt64($carry3->shiftLeft(21)); 3058 $carry4 = $s4->shiftRight(21); 3059 $s5 = $s5->addInt64($carry4); 3060 $s4 = $s4->subInt64($carry4->shiftLeft(21)); 3061 $carry5 = $s5->shiftRight(21); 3062 $s6 = $s6->addInt64($carry5); 3063 $s5 = $s5->subInt64($carry5->shiftLeft(21)); 3064 $carry6 = $s6->shiftRight(21); 3065 $s7 = $s7->addInt64($carry6); 3066 $s6 = $s6->subInt64($carry6->shiftLeft(21)); 3067 $carry7 = $s7->shiftRight(21); 3068 $s8 = $s8->addInt64($carry7); 3069 $s7 = $s7->subInt64($carry7->shiftLeft(21)); 3070 $carry8 = $s8->shiftRight(21); 3071 $s9 = $s9->addInt64($carry8); 3072 $s8 = $s8->subInt64($carry8->shiftLeft(21)); 3073 $carry9 = $s9->shiftRight(21); 3074 $s10 = $s10->addInt64($carry9); 3075 $s9 = $s9->subInt64($carry9->shiftLeft(21)); 3076 $carry10 = $s10->shiftRight(21); 3077 $s11 = $s11->addInt64($carry10); 3078 $s10 = $s10->subInt64($carry10->shiftLeft(21)); 3079 3080 $S0 = $s0->toInt32()->toInt(); 3081 $S1 = $s1->toInt32()->toInt(); 3082 $S2 = $s2->toInt32()->toInt(); 3083 $S3 = $s3->toInt32()->toInt(); 3084 $S4 = $s4->toInt32()->toInt(); 3085 $S5 = $s5->toInt32()->toInt(); 3086 $S6 = $s6->toInt32()->toInt(); 3087 $S7 = $s7->toInt32()->toInt(); 3088 $S8 = $s8->toInt32()->toInt(); 3089 $S9 = $s9->toInt32()->toInt(); 3090 $S10 = $s10->toInt32()->toInt(); 3091 $S11 = $s11->toInt32()->toInt(); 3092 3093 /** 3094 * @var array<int, int> 3095 */ 3096 $arr = array( 3097 (int) ($S0 >> 0), 3098 (int) ($S0 >> 8), 3099 (int) (($S0 >> 16) | ($S1 << 5)), 3100 (int) ($S1 >> 3), 3101 (int) ($S1 >> 11), 3102 (int) (($S1 >> 19) | ($S2 << 2)), 3103 (int) ($S2 >> 6), 3104 (int) (($S2 >> 14) | ($S3 << 7)), 3105 (int) ($S3 >> 1), 3106 (int) ($S3 >> 9), 3107 (int) (($S3 >> 17) | ($S4 << 4)), 3108 (int) ($S4 >> 4), 3109 (int) ($S4 >> 12), 3110 (int) (($S4 >> 20) | ($S5 << 1)), 3111 (int) ($S5 >> 7), 3112 (int) (($S5 >> 15) | ($S6 << 6)), 3113 (int) ($S6 >> 2), 3114 (int) ($S6 >> 10), 3115 (int) (($S6 >> 18) | ($S7 << 3)), 3116 (int) ($S7 >> 5), 3117 (int) ($S7 >> 13), 3118 (int) ($S8 >> 0), 3119 (int) ($S8 >> 8), 3120 (int) (($S8 >> 16) | ($S9 << 5)), 3121 (int) ($S9 >> 3), 3122 (int) ($S9 >> 11), 3123 (int) (($S9 >> 19) | ($S10 << 2)), 3124 (int) ($S10 >> 6), 3125 (int) (($S10 >> 14) | ($S11 << 7)), 3126 (int) ($S11 >> 1), 3127 (int) ($S11 >> 9), 3128 (int) $S11 >> 17 3129 ); 3130 return self::intArrayToString($arr); 3131 } 3132 3133 /** 3134 * multiply by the order of the main subgroup l = 2^252+27742317777372353535851937790883648493 3135 * 3136 * @param ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $A 3137 * @return ParagonIE_Sodium_Core32_Curve25519_Ge_P3 3138 * @throws SodiumException 3139 * @throws TypeError 3140 */ 3141 public static function ge_mul_l(ParagonIE_Sodium_Core32_Curve25519_Ge_P3 $A) 3142 { 3143 /** @var array<int, int> $aslide */ 3144 $aslide = array( 3145 13, 0, 0, 0, 0, -1, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, -5, 0, 0, 0, 3146 0, 0, 0, -3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 3, 0, 3147 0, 0, 0, -13, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 3148 0, 0, 11, 0, 0, 0, 0, -13, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, 0, -1, 3149 0, 0, 0, 0, 3, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 3150 0, 0, -1, 0, 0, 0, 0, -1, 0, 0, 0, 0, 7, 0, 0, 0, 0, 5, 0, 0, 0, 0, 3151 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3152 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3153 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3154 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3155 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3156 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 3157 ); 3158 3159 /** @var array<int, ParagonIE_Sodium_Core32_Curve25519_Ge_Cached> $Ai size 8 */ 3160 $Ai = array(); 3161 3162 # ge_p3_to_cached(&Ai[0], A); 3163 $Ai[0] = self::ge_p3_to_cached($A); 3164 # ge_p3_dbl(&t, A); 3165 $t = self::ge_p3_dbl($A); 3166 # ge_p1p1_to_p3(&A2, &t); 3167 $A2 = self::ge_p1p1_to_p3($t); 3168 3169 for ($i = 1; $i < 8; ++$i) { 3170 # ge_add(&t, &A2, &Ai[0]); 3171 $t = self::ge_add($A2, $Ai[$i - 1]); 3172 # ge_p1p1_to_p3(&u, &t); 3173 $u = self::ge_p1p1_to_p3($t); 3174 # ge_p3_to_cached(&Ai[i], &u); 3175 $Ai[$i] = self::ge_p3_to_cached($u); 3176 } 3177 3178 $r = self::ge_p3_0(); 3179 for ($i = 252; $i >= 0; --$i) { 3180 $t = self::ge_p3_dbl($r); 3181 if ($aslide[$i] > 0) { 3182 # ge_p1p1_to_p3(&u, &t); 3183 $u = self::ge_p1p1_to_p3($t); 3184 # ge_add(&t, &u, &Ai[aslide[i] / 2]); 3185 $t = self::ge_add($u, $Ai[(int)($aslide[$i] / 2)]); 3186 } elseif ($aslide[$i] < 0) { 3187 # ge_p1p1_to_p3(&u, &t); 3188 $u = self::ge_p1p1_to_p3($t); 3189 # ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]); 3190 $t = self::ge_sub($u, $Ai[(int)(-$aslide[$i] / 2)]); 3191 } 3192 } 3193 # ge_p1p1_to_p3(r, &t); 3194 return self::ge_p1p1_to_p3($t); 3195 } 3196 }