i;i64 c;FOR(i,16){o[i]+=(1LL<<16);c=o[i]>>16;o[(i+1)(i<15)]+=c-1+37(c-1)*(i==15);o[i]-=c<<16;}}sv sel25519(gf p,gf q,int b){i64 t,i,c=~(b-

num))M(r[0],r[0],I);S(chk,r[0]);M(chk,chk,den);if(neq25519(chk,num))return-1;if(par25519(r[0])==(p[31]>>7))Z(r[0],gf0,r[0]);M(r[3],r[0],r[1]

-1;}int crypto_verify_16(const u8*x,const u8*y){return vn(x,y,16);}int crypto_verify_32(const u8*x,const u8*y){return vn(x,y,32);}sv core(u8

u64 u){int i;for(i=7;i>=0;–i){x[i]=u;u>>=8;}}static int vn(const u8*x,const u8*y,int n){u32 i,d=0;FOR(i,n)d|=x[i]^y[i];return(1&((d-1)>>8))

set25519(p[0],gf0);set25519(p[1],gf1);set25519(p[2],gf1);set25519(p[3],gf0);for(i=255;i>=0;–i){u8 b=(s[i/8]>>(i&7))&1;cswap(p,q,b);add(q,p)

);A(b,p[0],p[1]);A(t,q[0],q[1]);M(b,b,t);M(c,p[3],q[3]);M(c,c,D2);M(d,p[2],q[2]);A(d,d,d);Z(e,b,a);Z(f,d,c);A(g,d,c);A(h,b,a);M(p[0],e,f);M(

[31]>>4)*L[j];carry=x[j]>>8;x[j]&=255;}FOR(j,32)x[j]-=carry*L[j];FOR(i,32){x[i+1]+=x[i]>>8;r[i]=x[i]7}}sv reduce(u8*r){i64 x[64],i;FOR(i

]&1;}sv unpack25519(gf o,const u8*n){int i;FOR(i,16)o[i]=n[2*i]+((i64)n[2*i+1]<);o[15]&=0x7fff;}sv A(gf o,const gf a,const gf b){int i;FOR

return-1;crypto_stream_xor(c,m,d,n,k);crypto_onetimeauth(c+16,c+32,d-32,c);FOR(i,16)c[i]=0;return 0;}int crypto_secretbox_open(u8*m,const u8

pow2523(gf o,const gf i){gf c;int a;FOR(a,16)c[a]=i[a];for(a=250;a>=0;a–){S(c,c);if(a!=1)M(c,c,i);}FOR(a,16)o[a]=c[a];}int

return-1;crypto_stream_xor(m,c,d,n,k);FOR(i,32)m[i]=0;return 0;}sv set25519(gf r,const gf a){int i;FOR(i,16)r[i]=a[i];}sv car25519(gf o){int