p[1],h,g);M(p[2],g,f);M(p[3],e,h);}
/*
 * cswap: conditionally swap the two 4-element gf arrays p and q, element by
 * element, by handing each pair p[i], q[i] to sel25519 with the same
 * selector b.
 *
 * sel25519, whose pieces are visible elsewhere on this page, appears to
 * derive a mask c = ~(b-1) and apply t = c&(p[i]^q[i]); p[i]^=t; q[i]^=t.
 * With that body b == 1 swaps, b == 0 leaves both operands unchanged, and
 * the same statements run in either case. The scalar-multiplication loop on
 * this page calls cswap(p,q,b) with b extracted from a bit of the scalar s,
 * so the absence of a branch on b is the security-relevant property here.
 * b must be exactly 0 or 1: any other value produces a partial mask.
 *
 * FOR, sv and gf are defined outside this excerpt (presumably a counting
 * loop macro, a static-void shorthand and the field-element type; confirm
 * against the full listing).
 */
sv cswap(gf p[4],gf q[4],u8 b){int i;FOR(i,4)sel25519(p[i],q[i],b);}
sv pack(u8*r,gf p[4]){gf tx,ty,zi;
+Ch(a[4],a[5],a[6])+K[i]+w[i%16];b[7]=t+Sigma0(a[0])+Maj(a[0],a[1],a[2]);b[3]+=t;FOR(j,8)a[(j+1)%8]=b[j];if(i%16==15)FOR(j,16)w[j]+=w[
(j+9)%16]+sigma0(w[(j+1)%16])+sigma1(w[(j+14)%16]);}FOR(i,8){a[i]+=z[i];z[i]=a[i];}m+=128;n-=128;}FOR(i,8)ts64(x+8*i,z[i]);return n;}static
1);FOR(i,16){t=c&(p[i]^q[i]);p[i]^=t;q[i]^=t;}}sv pack25519(u8*o,const gf n){int i,j,b;gf m,t;FOR(i,16)t[i]=n[i];car25519(t);car25519(t);
,den4,den6;set25519(r[2],gf1);unpack25519(r[1],p);S(num,r[1]);M(den,num,D);Z(num,num,r[2]);A(den,r[2],den);S(den2,den);S(den4,den2);M(den6,
;b=(m[15]>>16)&1;m[14]&=0xffff;sel25519(t,m,1-b);}FOR(i,16){o[2*i]=t[i]ÿo[2*i+1]=t[i]>>8;}}static int neq25519(const gf a,const gf b){
);return 0;}int crypto_sign_open(u8*m,u64*mlen,const u8*sm,u64 n,const u8*pk){int i;u8 t[32],h[64];gf p[4],q[4];*mlen= -1;if(n<64)return-1;
,k,sigma);FOR(i,64)c[i]=(m?m[i]:0)^x[i];u=1;for(i=8;i<16;++i){u+=(u32)z[i];z[i]=u;u>>=8;}b-=64;c+=64;if(m)m+=64;}if(b){crypto_core_salsa20(x
Sigma1(u64 x){return R(x,14)^R(x,18)^R(x,41);}
/*
 * sigma0: returns R(x,1) ^ R(x,8) ^ (x>>7).
 *
 * R is defined outside this excerpt; presumably a 64-bit right rotation,
 * which would make this the SHA-512 small-sigma-0 message-schedule function
 * (confirm against the full listing). The last term is a plain shift, not
 * a rotation, so the top 7 bits of x do not wrap around in it.
 *
 * The block-hashing fragment on this page uses it when extending the
 * schedule: w[j] += w[(j+9)%16] + sigma0(w[(j+1)%16]) + sigma1(w[(j+14)%16]).
 */
static u64 sigma0(u64 x){return R(x,1)^R(x,8)^(x>>7);}
static u64 sigma1(u64 x){return R(x,19)^
);crypto_hashblocks(h,x,n);FOR(i,64)out[i]=h[i];return 0;}sv add(gf p[4],gf q[4]){gf a,b,c,d,t,e,f,g,h;Z(a,p[1],p[0]);Z(t,q[1],q[0]);M(a,a,t
car25519(t);FOR(j,2){m[0]=t[0]-0xffed;for(i=1;i<15;i++){m[i]=t[i]-0xffff-((m[i-1]>>16)&1);m[i-1]&=0xffff;}m[15]=t[15]-0x7fff-((m[14]>>16)&1)
unpack25519(x,p);FOR(i,16){b[i]=x[i];d[i]=a[i]=c[i]=0;}a[0]=d[0]=1;for(i=254;i>=0;–i){r=(z[i>>3]>>(i&7))&1;sel25519(a,b,r);sel25519(c,d,r);
if(unpackneg(q,pk))return-1;FOR(i,n)m[i]=sm[i];FOR(i,32)m[i+32]=pk[i];crypto_hash(h,m,n);reduce(h);scalarmult(p,q,h);scalarbase(q,sm+32);add
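/*
 * L32: rotate the low 32 bits of x left by c bit positions.
 *
 * The return expression on this page had been reduced to "(x<>(32-c))",
 * which is not valid C: the text between the first '<' and the last '>'
 * was lost in extraction. It is restored here to the usual left-rotate.
 * The mask with 0xffffffff keeps the right-shifted half correct if u32 is
 * wider than 32 bits (the u32 typedef is outside this excerpt).
 *
 * For a 32-bit u32, c must stay in 1..31, otherwise the right-shift count
 * reaches 32. The one complete call visible on this page passes 7.
 */
u32 L32(u32 x,int c){return(x<<c)|((x&0xffffffff)>>(32-c));}
/*
 * Start of ld32; the definition continues outside this line and is left
 * exactly as found. NOTE(review): the three "(u<)" expressions look like
 * the same extraction damage (presumably "(u<<8)", assembling a 32-bit
 * value from x[3] down to x[0]); confirm against the upstream listing.
 */
static u32 ld32(const u8*x){u32 u=x[3];u=(u<)|x[2];u=(u<)|x[1];return(u<)|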
randombytes(u8*,u64);static const u8 _0[16],_9[32]={9};static const gf gf0,gf1={1},_121665={0xDB41,1},D={0x78a3,0x1359,0x4dca,0x75eb,0xd8ab,
ld32(in+4*i);x[11+i]=ld32(k+16+4*i);}FOR(i,16)y[i]=x[i];FOR(i,20){FOR(j,4){FOR(m,4)t[m]=x[(5*j+4*m)%16];t[1]^=L32(t[0]+t[3],7);t[2]^=L32(t[1
*c,u64 d,const u8*n,const u8*k){int i;u8 x[32];if(d<32)return-1;crypto_stream(x,32,n,k);if(crypto_onetimeauth_verify(c+16,c+32,d-32,x)!=0)
i;i64 c;FOR(i,16){o[i]+=(1LL<<16);c=o[i]>>16;o[(i+1)(i<15)]+=c-1+37(c-1)*(i==15);o[i]-=c<<16;}}sv sel25519(gf p,gf q,int b){i64 t,i,c=~(b-
num))M(r[0],r[0],I);S(chk,r[0]);M(chk,chk,den);if(neq25519(chk,num))return-1;if(par25519(r[0])==(p[31]>>7))Z(r[0],gf0,r[0]);M(r[3],r[0],r[1]
-1;}
/*
 * crypto_verify_16: compare the 16 bytes at x with the 16 bytes at y by
 * calling vn(x,y,16) and returning its result.
 *
 * vn, visible elsewhere on this page, ORs x[i]^y[i] into one accumulator
 * for every index and has no early exit, so the work done does not depend
 * on where the inputs first differ. Its return expression is
 * (1&((d-1)>>8)) followed, presumably, by the "-1;}" that opens this line,
 * which gives 0 when all bytes match and -1 otherwise (confirm against the
 * full listing).
 *
 * Callers must test the result: the secretbox-open fragment on this page
 * returns -1 when its authenticator check is non-zero before it decrypts.
 * Both pointers must reference at least 16 readable bytes; no length is
 * checked here.
 */
int crypto_verify_16(const u8*x,const u8*y){return vn(x,y,16);}
/*
 * crypto_verify_32: same comparison over 32 bytes, via vn(x,y,32).
 * Both pointers must reference at least 32 readable bytes.
 */
int crypto_verify_32(const u8*x,const u8*y){return vn(x,y,32);}
sv core(u8
u64 u){int i;for(i=7;i>=0;–i){x[i]=u;u>>=8;}}static int vn(const u8*x,const u8*y,int n){u32 i,d=0;FOR(i,n)d|=x[i]^y[i];return(1&((d-1)>>8))
set25519(p[0],gf0);set25519(p[1],gf1);set25519(p[2],gf1);set25519(p[3],gf0);for(i=255;i>=0;–i){u8 b=(s[i/8]>>(i&7))&1;cswap(p,q,b);add(q,p)
);A(b,p[0],p[1]);A(t,q[0],q[1]);M(b,b,t);M(c,p[3],q[3]);M(c,c,D2);M(d,p[2],q[2]);A(d,d,d);Z(e,b,a);Z(f,d,c);A(g,d,c);A(h,b,a);M(p[0],e,f);M(
[31]>>4)*L[j];carry=x[j]>>8;x[j]&=255;}FOR(j,32)x[j]-=carry*L[j];FOR(i,32){x[i+1]+=x[i]>>8;r[i]=x[i]7}}sv reduce(u8*r){i64 x[64],i;FOR(i
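]&1;}
/*
 * unpack25519: load the byte string n into the 16 elements of o, two bytes
 * per element, low byte first: o[i] = n[2*i] + (n[2*i+1] << 8).
 *
 * The shift had been reduced to "n[2*i+1]<)" on this page, which is not
 * valid C; the "<<8" is restored. It matches the inverse operation in the
 * pack25519 fragment on this page, which writes the high byte as t[i]>>8.
 * The (i64) cast is applied before the shift, so the shift is done in the
 * wide type.
 *
 * o[15] &= 0x7fff clears the top bit of the last element, so bit 255 of the
 * input is silently ignored rather than rejected. Code that needs that bit
 * reads it from the bytes directly, as the point-decoding fragment on this
 * page does with p[31]>>7. n must reference at least 32 readable bytes; no
 * length is checked here.
 *
 * FOR, sv, gf and i64 are defined outside this excerpt.
 */
sv unpack25519(gf o,const u8*n){
  int i;
  FOR(i,16)o[i]=n[2*i]+((i64)n[2*i+1]<<8);
  o[15]&=0x7fff;
}
sv A(gf o,const gf a,const gf b){int i;FOR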
return-1;crypto_stream_xor(c,m,d,n,k);crypto_onetimeauth(c+16,c+32,d-32,c);FOR(i,16)c[i]=0;return 0;}int crypto_secretbox_open(u8*m,const u8
pow2523(gf o,const gf i){gf c;int a;FOR(a,16)c[a]=i[a];for(a=250;a>=0;a–){S(c,c);if(a!=1)M(c,c,i);}FOR(a,16)o[a]=c[a];}int
return-1;crypto_stream_xor(m,c,d,n,k);FOR(i,32)m[i]=0;return 0;}
/*
 * set25519: copy a into r, element by element, for indices driven by
 * FOR(i,16). a is const and is only read; r is overwritten.
 * FOR, sv and gf are defined outside this excerpt (presumably a counting
 * loop over 0..15 and a 16-element field-element type; confirm).
 */
sv set25519(gf r,const gf a){int i;FOR(i,16)r[i]=a[i];}
sv car25519(gf o){int