ucis.core: NaCl/crypto_sign/ed25519.cs comparison

comparison NaCl/crypto_sign/ed25519.cs @ 73:6aca18ee4ec6

NaCl: improved ed25519 implementation, added simple API for ed25519 and sha512

author	Ivo Smits <Ivo@UCIS.nl>
date	Sat, 02 Nov 2013 16:01:09 +0100
parents	7e9d1cfcc562
children

comparison

equal deleted inserted replaced

-:b7d981ccd434
+:6aca18ee4ec6
 using System;
 using System.Text;
+using UCIS.NaCl.crypto_hash;
 namespace UCIS.NaCl.crypto_sign {
 	public static class ed25519 {
 		public const int SECRETKEYBYTES = 64;
 		public const int PUBLICKEYBYTES = 32;
 		public const int SEEDBYTES = 32;
 		public const int BYTES = 64;
 		unsafe struct fe {
-			fixed Int32 v[10];
+			Int32 v0, v1, v2, v3, v4, v5, v6, v7, v8, v9;
-			public int this[int index] {
-				get { fixed (Int32* vp = v) return vp[index]; }
-				set { fixed (Int32* vp = v) vp[index] = value; }
-			}
 			public override string ToString() {
-				return String.Format("{0}, {1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}, {9}", this[0], this[1], this[2], this[3], this[4], this[5], this[6], this[7], this[8], this[9]);
+				return String.Format("{0}, {1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}, {9}", v0, v1, v2, v3, v4, v5, v6, v7, v8, v9);
+			}
+			public fe(int offset, Int32[] data) {
+				v0 = data[offset + 0];
+				v1 = data[offset + 1];
+				v2 = data[offset + 2];
+				v3 = data[offset + 3];
+				v4 = data[offset + 4];
+				v5 = data[offset + 5];
+				v6 = data[offset + 6];
+				v7 = data[offset + 7];
+				v8 = data[offset + 8];
+				v9 = data[offset + 9];
+			}
+			public void set_zero() {
+				v0 = v1 = v2 = v3 = v4 = v5 = v6 = v7 = v8 = v9 = 0;
+			}
+			public void set_one() {
+				v0 = 1;
+				v1 = v2 = v3 = v4 = v5 = v6 = v7 = v8 = v9 = 0;
+			}
+			public void cmov(ref fe g, Int32 b) {
+				b = -b;
+				v0 ^= (v0 ^ g.v0) & b;
+				v1 ^= (v1 ^ g.v1) & b;
+				v2 ^= (v2 ^ g.v2) & b;
+				v3 ^= (v3 ^ g.v3) & b;
+				v4 ^= (v4 ^ g.v4) & b;
+				v5 ^= (v5 ^ g.v5) & b;
+				v6 ^= (v6 ^ g.v6) & b;
+				v7 ^= (v7 ^ g.v7) & b;
+				v8 ^= (v8 ^ g.v8) & b;
+				v9 ^= (v9 ^ g.v9) & b;
+			}
+			public void neg() {
+				v0 = -v0;
+				v1 = -v1;
+				v2 = -v2;
+				v3 = -v3;
+				v4 = -v4;
+				v5 = -v5;
+				v6 = -v6;
+				v7 = -v7;
+				v8 = -v8;
+				v9 = -v9;
+			}
+			public void add(ref fe g) {
+				v0 += g.v0;
+				v1 += g.v1;
+				v2 += g.v2;
+				v3 += g.v3;
+				v4 += g.v4;
+				v5 += g.v5;
+				v6 += g.v6;
+				v7 += g.v7;
+				v8 += g.v8;
+				v9 += g.v9;
+			}
+			public void sub(ref fe g) {
+				v0 -= g.v0;
+				v1 -= g.v1;
+				v2 -= g.v2;
+				v3 -= g.v3;
+				v4 -= g.v4;
+				v5 -= g.v5;
+				v6 -= g.v6;
+				v7 -= g.v7;
+				v8 -= g.v8;
+				v9 -= g.v9;
+			}
+			public void mul(ref fe g) {
+				Int32 f0 = v0;
+				Int32 f1 = v1;
+				Int32 f2 = v2;
+				Int32 f3 = v3;
+				Int32 f4 = v4;
+				Int32 f5 = v5;
+				Int32 f6 = v6;
+				Int32 f7 = v7;
+				Int32 f8 = v8;
+				Int32 f9 = v9;
+				Int32 g0 = g.v0;
+				Int32 g1 = g.v1;
+				Int32 g2 = g.v2;
+				Int32 g3 = g.v3;
+				Int32 g4 = g.v4;
+				Int32 g5 = g.v5;
+				Int32 g6 = g.v6;
+				Int32 g7 = g.v7;
+				Int32 g8 = g.v8;
+				Int32 g9 = g.v9;
+				Int32 g1_19 = 19 * g1; /* 1.959375*2^29 */
+				Int32 g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+				Int32 g3_19 = 19 * g3;
+				Int32 g4_19 = 19 * g4;
+				Int32 g5_19 = 19 * g5;
+				Int32 g6_19 = 19 * g6;
+				Int32 g7_19 = 19 * g7;
+				Int32 g8_19 = 19 * g8;
+				Int32 g9_19 = 19 * g9;
+				Int32 f1_2 = 2 * f1;
+				Int32 f3_2 = 2 * f3;
+				Int32 f5_2 = 2 * f5;
+				Int32 f7_2 = 2 * f7;
+				Int32 f9_2 = 2 * f9;
+				Int64 f0g0 = f0 * (Int64)g0;
+				Int64 f0g1 = f0 * (Int64)g1;
+				Int64 f0g2 = f0 * (Int64)g2;
+				Int64 f0g3 = f0 * (Int64)g3;
+				Int64 f0g4 = f0 * (Int64)g4;
+				Int64 f0g5 = f0 * (Int64)g5;
+				Int64 f0g6 = f0 * (Int64)g6;
+				Int64 f0g7 = f0 * (Int64)g7;
+				Int64 f0g8 = f0 * (Int64)g8;
+				Int64 f0g9 = f0 * (Int64)g9;
+				Int64 f1g0 = f1 * (Int64)g0;
+				Int64 f1g1_2 = f1_2 * (Int64)g1;
+				Int64 f1g2 = f1 * (Int64)g2;
+				Int64 f1g3_2 = f1_2 * (Int64)g3;
+				Int64 f1g4 = f1 * (Int64)g4;
+				Int64 f1g5_2 = f1_2 * (Int64)g5;
+				Int64 f1g6 = f1 * (Int64)g6;
+				Int64 f1g7_2 = f1_2 * (Int64)g7;
+				Int64 f1g8 = f1 * (Int64)g8;
+				Int64 f1g9_38 = f1_2 * (Int64)g9_19;
+				Int64 f2g0 = f2 * (Int64)g0;
+				Int64 f2g1 = f2 * (Int64)g1;
+				Int64 f2g2 = f2 * (Int64)g2;
+				Int64 f2g3 = f2 * (Int64)g3;
+				Int64 f2g4 = f2 * (Int64)g4;
+				Int64 f2g5 = f2 * (Int64)g5;
+				Int64 f2g6 = f2 * (Int64)g6;
+				Int64 f2g7 = f2 * (Int64)g7;
+				Int64 f2g8_19 = f2 * (Int64)g8_19;
+				Int64 f2g9_19 = f2 * (Int64)g9_19;
+				Int64 f3g0 = f3 * (Int64)g0;
+				Int64 f3g1_2 = f3_2 * (Int64)g1;
+				Int64 f3g2 = f3 * (Int64)g2;
+				Int64 f3g3_2 = f3_2 * (Int64)g3;
+				Int64 f3g4 = f3 * (Int64)g4;
+				Int64 f3g5_2 = f3_2 * (Int64)g5;
+				Int64 f3g6 = f3 * (Int64)g6;
+				Int64 f3g7_38 = f3_2 * (Int64)g7_19;
+				Int64 f3g8_19 = f3 * (Int64)g8_19;
+				Int64 f3g9_38 = f3_2 * (Int64)g9_19;
+				Int64 f4g0 = f4 * (Int64)g0;
+				Int64 f4g1 = f4 * (Int64)g1;
+				Int64 f4g2 = f4 * (Int64)g2;
+				Int64 f4g3 = f4 * (Int64)g3;
+				Int64 f4g4 = f4 * (Int64)g4;
+				Int64 f4g5 = f4 * (Int64)g5;
+				Int64 f4g6_19 = f4 * (Int64)g6_19;
+				Int64 f4g7_19 = f4 * (Int64)g7_19;
+				Int64 f4g8_19 = f4 * (Int64)g8_19;
+				Int64 f4g9_19 = f4 * (Int64)g9_19;
+				Int64 f5g0 = f5 * (Int64)g0;
+				Int64 f5g1_2 = f5_2 * (Int64)g1;
+				Int64 f5g2 = f5 * (Int64)g2;
+				Int64 f5g3_2 = f5_2 * (Int64)g3;
+				Int64 f5g4 = f5 * (Int64)g4;
+				Int64 f5g5_38 = f5_2 * (Int64)g5_19;
+				Int64 f5g6_19 = f5 * (Int64)g6_19;
+				Int64 f5g7_38 = f5_2 * (Int64)g7_19;
+				Int64 f5g8_19 = f5 * (Int64)g8_19;
+				Int64 f5g9_38 = f5_2 * (Int64)g9_19;
+				Int64 f6g0 = f6 * (Int64)g0;
+				Int64 f6g1 = f6 * (Int64)g1;
+				Int64 f6g2 = f6 * (Int64)g2;
+				Int64 f6g3 = f6 * (Int64)g3;
+				Int64 f6g4_19 = f6 * (Int64)g4_19;
+				Int64 f6g5_19 = f6 * (Int64)g5_19;
+				Int64 f6g6_19 = f6 * (Int64)g6_19;
+				Int64 f6g7_19 = f6 * (Int64)g7_19;
+				Int64 f6g8_19 = f6 * (Int64)g8_19;
+				Int64 f6g9_19 = f6 * (Int64)g9_19;
+				Int64 f7g0 = f7 * (Int64)g0;
+				Int64 f7g1_2 = f7_2 * (Int64)g1;
+				Int64 f7g2 = f7 * (Int64)g2;
+				Int64 f7g3_38 = f7_2 * (Int64)g3_19;
+				Int64 f7g4_19 = f7 * (Int64)g4_19;
+				Int64 f7g5_38 = f7_2 * (Int64)g5_19;
+				Int64 f7g6_19 = f7 * (Int64)g6_19;
+				Int64 f7g7_38 = f7_2 * (Int64)g7_19;
+				Int64 f7g8_19 = f7 * (Int64)g8_19;
+				Int64 f7g9_38 = f7_2 * (Int64)g9_19;
+				Int64 f8g0 = f8 * (Int64)g0;
+				Int64 f8g1 = f8 * (Int64)g1;
+				Int64 f8g2_19 = f8 * (Int64)g2_19;
+				Int64 f8g3_19 = f8 * (Int64)g3_19;
+				Int64 f8g4_19 = f8 * (Int64)g4_19;
+				Int64 f8g5_19 = f8 * (Int64)g5_19;
+				Int64 f8g6_19 = f8 * (Int64)g6_19;
+				Int64 f8g7_19 = f8 * (Int64)g7_19;
+				Int64 f8g8_19 = f8 * (Int64)g8_19;
+				Int64 f8g9_19 = f8 * (Int64)g9_19;
+				Int64 f9g0 = f9 * (Int64)g0;
+				Int64 f9g1_38 = f9_2 * (Int64)g1_19;
+				Int64 f9g2_19 = f9 * (Int64)g2_19;
+				Int64 f9g3_38 = f9_2 * (Int64)g3_19;
+				Int64 f9g4_19 = f9 * (Int64)g4_19;
+				Int64 f9g5_38 = f9_2 * (Int64)g5_19;
+				Int64 f9g6_19 = f9 * (Int64)g6_19;
+				Int64 f9g7_38 = f9_2 * (Int64)g7_19;
+				Int64 f9g8_19 = f9 * (Int64)g8_19;
+				Int64 f9g9_38 = f9_2 * (Int64)g9_19;
+				Int64 h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
+				Int64 h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19;
+				Int64 h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38;
+				Int64 h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19;
+				Int64 h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38;
+				Int64 h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19;
+				Int64 h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38;
+				Int64 h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19;
+				Int64 h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38;
+				Int64 h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
+				Int64 carry0;
+				Int64 carry1;
+				Int64 carry2;
+				Int64 carry3;
+				Int64 carry4;
+				Int64 carry5;
+				Int64 carry6;
+				Int64 carry7;
+				Int64 carry8;
+				Int64 carry9;
+				carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+				carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+				carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+				carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+				carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+				carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+				carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+				carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+				carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+				carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+				carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+				carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+				v0 = (Int32)h0;
+				v1 = (Int32)h1;
+				v2 = (Int32)h2;
+				v3 = (Int32)h3;
+				v4 = (Int32)h4;
+				v5 = (Int32)h5;
+				v6 = (Int32)h6;
+				v7 = (Int32)h7;
+				v8 = (Int32)h8;
+				v9 = (Int32)h9;
+			}
+			public void sq() {
+				Int32 f0 = v0;
+				Int32 f1 = v1;
+				Int32 f2 = v2;
+				Int32 f3 = v3;
+				Int32 f4 = v4;
+				Int32 f5 = v5;
+				Int32 f6 = v6;
+				Int32 f7 = v7;
+				Int32 f8 = v8;
+				Int32 f9 = v9;
+				Int32 f0_2 = 2 * f0;
+				Int32 f1_2 = 2 * f1;
+				Int32 f2_2 = 2 * f2;
+				Int32 f3_2 = 2 * f3;
+				Int32 f4_2 = 2 * f4;
+				Int32 f5_2 = 2 * f5;
+				Int32 f6_2 = 2 * f6;
+				Int32 f7_2 = 2 * f7;
+				Int32 f5_38 = 38 * f5; /* 1.959375*2^30 */
+				Int32 f6_19 = 19 * f6; /* 1.959375*2^30 */
+				Int32 f7_38 = 38 * f7; /* 1.959375*2^30 */
+				Int32 f8_19 = 19 * f8; /* 1.959375*2^30 */
+				Int32 f9_38 = 38 * f9; /* 1.959375*2^30 */
+				Int64 f0f0 = f0 * (Int64)f0;
+				Int64 f0f1_2 = f0_2 * (Int64)f1;
+				Int64 f0f2_2 = f0_2 * (Int64)f2;
+				Int64 f0f3_2 = f0_2 * (Int64)f3;
+				Int64 f0f4_2 = f0_2 * (Int64)f4;
+				Int64 f0f5_2 = f0_2 * (Int64)f5;
+				Int64 f0f6_2 = f0_2 * (Int64)f6;
+				Int64 f0f7_2 = f0_2 * (Int64)f7;
+				Int64 f0f8_2 = f0_2 * (Int64)f8;
+				Int64 f0f9_2 = f0_2 * (Int64)f9;
+				Int64 f1f1_2 = f1_2 * (Int64)f1;
+				Int64 f1f2_2 = f1_2 * (Int64)f2;
+				Int64 f1f3_4 = f1_2 * (Int64)f3_2;
+				Int64 f1f4_2 = f1_2 * (Int64)f4;
+				Int64 f1f5_4 = f1_2 * (Int64)f5_2;
+				Int64 f1f6_2 = f1_2 * (Int64)f6;
+				Int64 f1f7_4 = f1_2 * (Int64)f7_2;
+				Int64 f1f8_2 = f1_2 * (Int64)f8;
+				Int64 f1f9_76 = f1_2 * (Int64)f9_38;
+				Int64 f2f2 = f2 * (Int64)f2;
+				Int64 f2f3_2 = f2_2 * (Int64)f3;
+				Int64 f2f4_2 = f2_2 * (Int64)f4;
+				Int64 f2f5_2 = f2_2 * (Int64)f5;
+				Int64 f2f6_2 = f2_2 * (Int64)f6;
+				Int64 f2f7_2 = f2_2 * (Int64)f7;
+				Int64 f2f8_38 = f2_2 * (Int64)f8_19;
+				Int64 f2f9_38 = f2 * (Int64)f9_38;
+				Int64 f3f3_2 = f3_2 * (Int64)f3;
+				Int64 f3f4_2 = f3_2 * (Int64)f4;
+				Int64 f3f5_4 = f3_2 * (Int64)f5_2;
+				Int64 f3f6_2 = f3_2 * (Int64)f6;
+				Int64 f3f7_76 = f3_2 * (Int64)f7_38;
+				Int64 f3f8_38 = f3_2 * (Int64)f8_19;
+				Int64 f3f9_76 = f3_2 * (Int64)f9_38;
+				Int64 f4f4 = f4 * (Int64)f4;
+				Int64 f4f5_2 = f4_2 * (Int64)f5;
+				Int64 f4f6_38 = f4_2 * (Int64)f6_19;
+				Int64 f4f7_38 = f4 * (Int64)f7_38;
+				Int64 f4f8_38 = f4_2 * (Int64)f8_19;
+				Int64 f4f9_38 = f4 * (Int64)f9_38;
+				Int64 f5f5_38 = f5 * (Int64)f5_38;
+				Int64 f5f6_38 = f5_2 * (Int64)f6_19;
+				Int64 f5f7_76 = f5_2 * (Int64)f7_38;
+				Int64 f5f8_38 = f5_2 * (Int64)f8_19;
+				Int64 f5f9_76 = f5_2 * (Int64)f9_38;
+				Int64 f6f6_19 = f6 * (Int64)f6_19;
+				Int64 f6f7_38 = f6 * (Int64)f7_38;
+				Int64 f6f8_38 = f6_2 * (Int64)f8_19;
+				Int64 f6f9_38 = f6 * (Int64)f9_38;
+				Int64 f7f7_38 = f7 * (Int64)f7_38;
+				Int64 f7f8_38 = f7_2 * (Int64)f8_19;
+				Int64 f7f9_76 = f7_2 * (Int64)f9_38;
+				Int64 f8f8_19 = f8 * (Int64)f8_19;
+				Int64 f8f9_38 = f8 * (Int64)f9_38;
+				Int64 f9f9_38 = f9 * (Int64)f9_38;
+				Int64 h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+				Int64 h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+				Int64 h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+				Int64 h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
+				Int64 h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
+				Int64 h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
+				Int64 h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
+				Int64 h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
+				Int64 h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
+				Int64 h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
+				Int64 carry0;
+				Int64 carry1;
+				Int64 carry2;
+				Int64 carry3;
+				Int64 carry4;
+				Int64 carry5;
+				Int64 carry6;
+				Int64 carry7;
+				Int64 carry8;
+				Int64 carry9;
+				carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+				carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+				carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+				carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+				carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+				carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+				carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+				carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+				carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+				carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+				carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+				carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+				v0 = (Int32)h0;
+				v1 = (Int32)h1;
+				v2 = (Int32)h2;
+				v3 = (Int32)h3;
+				v4 = (Int32)h4;
+				v5 = (Int32)h5;
+				v6 = (Int32)h6;
+				v7 = (Int32)h7;
+				v8 = (Int32)h8;
+				v9 = (Int32)h9;
+			}
+			public void sq2() {
+				Int32 f0 = v0;
+				Int32 f1 = v1;
+				Int32 f2 = v2;
+				Int32 f3 = v3;
+				Int32 f4 = v4;
+				Int32 f5 = v5;
+				Int32 f6 = v6;
+				Int32 f7 = v7;
+				Int32 f8 = v8;
+				Int32 f9 = v9;
+				Int32 f0_2 = 2 * f0;
+				Int32 f1_2 = 2 * f1;
+				Int32 f2_2 = 2 * f2;
+				Int32 f3_2 = 2 * f3;
+				Int32 f4_2 = 2 * f4;
+				Int32 f5_2 = 2 * f5;
+				Int32 f6_2 = 2 * f6;
+				Int32 f7_2 = 2 * f7;
+				Int32 f5_38 = 38 * f5; /* 1.959375*2^30 */
+				Int32 f6_19 = 19 * f6; /* 1.959375*2^30 */
+				Int32 f7_38 = 38 * f7; /* 1.959375*2^30 */
+				Int32 f8_19 = 19 * f8; /* 1.959375*2^30 */
+				Int32 f9_38 = 38 * f9; /* 1.959375*2^30 */
+				Int64 f0f0 = f0 * (Int64)f0;
+				Int64 f0f1_2 = f0_2 * (Int64)f1;
+				Int64 f0f2_2 = f0_2 * (Int64)f2;
+				Int64 f0f3_2 = f0_2 * (Int64)f3;
+				Int64 f0f4_2 = f0_2 * (Int64)f4;
+				Int64 f0f5_2 = f0_2 * (Int64)f5;
+				Int64 f0f6_2 = f0_2 * (Int64)f6;
+				Int64 f0f7_2 = f0_2 * (Int64)f7;
+				Int64 f0f8_2 = f0_2 * (Int64)f8;
+				Int64 f0f9_2 = f0_2 * (Int64)f9;
+				Int64 f1f1_2 = f1_2 * (Int64)f1;
+				Int64 f1f2_2 = f1_2 * (Int64)f2;
+				Int64 f1f3_4 = f1_2 * (Int64)f3_2;
+				Int64 f1f4_2 = f1_2 * (Int64)f4;
+				Int64 f1f5_4 = f1_2 * (Int64)f5_2;
+				Int64 f1f6_2 = f1_2 * (Int64)f6;
+				Int64 f1f7_4 = f1_2 * (Int64)f7_2;
+				Int64 f1f8_2 = f1_2 * (Int64)f8;
+				Int64 f1f9_76 = f1_2 * (Int64)f9_38;
+				Int64 f2f2 = f2 * (Int64)f2;
+				Int64 f2f3_2 = f2_2 * (Int64)f3;
+				Int64 f2f4_2 = f2_2 * (Int64)f4;
+				Int64 f2f5_2 = f2_2 * (Int64)f5;
+				Int64 f2f6_2 = f2_2 * (Int64)f6;
+				Int64 f2f7_2 = f2_2 * (Int64)f7;
+				Int64 f2f8_38 = f2_2 * (Int64)f8_19;
+				Int64 f2f9_38 = f2 * (Int64)f9_38;
+				Int64 f3f3_2 = f3_2 * (Int64)f3;
+				Int64 f3f4_2 = f3_2 * (Int64)f4;
+				Int64 f3f5_4 = f3_2 * (Int64)f5_2;
+				Int64 f3f6_2 = f3_2 * (Int64)f6;
+				Int64 f3f7_76 = f3_2 * (Int64)f7_38;
+				Int64 f3f8_38 = f3_2 * (Int64)f8_19;
+				Int64 f3f9_76 = f3_2 * (Int64)f9_38;
+				Int64 f4f4 = f4 * (Int64)f4;
+				Int64 f4f5_2 = f4_2 * (Int64)f5;
+				Int64 f4f6_38 = f4_2 * (Int64)f6_19;
+				Int64 f4f7_38 = f4 * (Int64)f7_38;
+				Int64 f4f8_38 = f4_2 * (Int64)f8_19;
+				Int64 f4f9_38 = f4 * (Int64)f9_38;
+				Int64 f5f5_38 = f5 * (Int64)f5_38;
+				Int64 f5f6_38 = f5_2 * (Int64)f6_19;
+				Int64 f5f7_76 = f5_2 * (Int64)f7_38;
+				Int64 f5f8_38 = f5_2 * (Int64)f8_19;
+				Int64 f5f9_76 = f5_2 * (Int64)f9_38;
+				Int64 f6f6_19 = f6 * (Int64)f6_19;
+				Int64 f6f7_38 = f6 * (Int64)f7_38;
+				Int64 f6f8_38 = f6_2 * (Int64)f8_19;
+				Int64 f6f9_38 = f6 * (Int64)f9_38;
+				Int64 f7f7_38 = f7 * (Int64)f7_38;
+				Int64 f7f8_38 = f7_2 * (Int64)f8_19;
+				Int64 f7f9_76 = f7_2 * (Int64)f9_38;
+				Int64 f8f8_19 = f8 * (Int64)f8_19;
+				Int64 f8f9_38 = f8 * (Int64)f9_38;
+				Int64 f9f9_38 = f9 * (Int64)f9_38;
+				Int64 h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+				Int64 h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+				Int64 h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+				Int64 h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
+				Int64 h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
+				Int64 h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
+				Int64 h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
+				Int64 h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
+				Int64 h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
+				Int64 h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
+				Int64 carry0;
+				Int64 carry1;
+				Int64 carry2;
+				Int64 carry3;
+				Int64 carry4;
+				Int64 carry5;
+				Int64 carry6;
+				Int64 carry7;
+				Int64 carry8;
+				Int64 carry9;
+				h0 += h0;
+				h1 += h1;
+				h2 += h2;
+				h3 += h3;
+				h4 += h4;
+				h5 += h5;
+				h6 += h6;
+				h7 += h7;
+				h8 += h8;
+				h9 += h9;
+				carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+				carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+				carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+				carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+				carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+				carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+				carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+				carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+				carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+				carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+				carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+				carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+				v0 = (Int32)h0;
+				v1 = (Int32)h1;
+				v2 = (Int32)h2;
+				v3 = (Int32)h3;
+				v4 = (Int32)h4;
+				v5 = (Int32)h5;
+				v6 = (Int32)h6;
+				v7 = (Int32)h7;
+				v8 = (Int32)h8;
+				v9 = (Int32)h9;
+			}
+			public void invert() {
+				fe t0 = this;
+				t0.sq();
+				fe t1 = t0;
+				t1.sq();
+				t1.sq();
+				mul(ref t1);
+				t0.mul(ref this);
+				fe t2 = t0;
+				t2.sq();
+				mul(ref t2);
+				t1 = this;
+				for (int i = 1; i < 6; i++) sq();
+				mul(ref t1);
+				t1 = this;
+				for (int i = 1; i < 11; i++) sq();
+				mul(ref t1);
+				t2 = this;
+				for (int i = 1; i < 21; i++) sq();
+				mul(ref t2);
+				for (int i = 1; i < 11; ++i) sq();
+				this.mul(ref t1);
+				t1 = this;
+				for (int i = 1; i < 51; i++) sq();
+				mul(ref t1);
+				t2 = this;
+				for (int i = 1; i < 101; i++) sq();
+				mul(ref t2);
+				for (int i = 1; i < 51; i++) sq();
+				mul(ref t1);
+				for (int i = 1; i < 6; i++) sq();
+				mul(ref t0);
+			}
+			public unsafe void tobytes(Byte* s) {
+				Int32 h0 = v0, h1 = v1, h2 = v2, h3 = v3, h4 = v4, h5 = v5, h6 = v6, h7 = v7, h8 = v8, h9 = v9;
+				Int32 q = (19 * h9 + (((Int32)1) << 24)) >> 25;
+				q = (h0 + q) >> 26;
+				q = (h1 + q) >> 25;
+				q = (h2 + q) >> 26;
+				q = (h3 + q) >> 25;
+				q = (h4 + q) >> 26;
+				q = (h5 + q) >> 25;
+				q = (h6 + q) >> 26;
+				q = (h7 + q) >> 25;
+				q = (h8 + q) >> 26;
+				q = (h9 + q) >> 25;
+				h0 += 19 * q;
+				Int32 carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26;
+				Int32 carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25;
+				Int32 carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26;
+				Int32 carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25;
+				Int32 carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26;
+				Int32 carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25;
+				Int32 carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26;
+				Int32 carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25;
+				Int32 carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26;
+				Int32 carry9 = h9 >> 25; h9 -= carry9 << 25;
+				s[0] = (Byte)(h0 >> 0);
+				s[1] = (Byte)(h0 >> 8);
+				s[2] = (Byte)(h0 >> 16);
+				s[3] = (Byte)((h0 >> 24) | (h1 << 2));
+				s[4] = (Byte)(h1 >> 6);
+				s[5] = (Byte)(h1 >> 14);
+				s[6] = (Byte)((h1 >> 22) | (h2 << 3));
+				s[7] = (Byte)(h2 >> 5);
+				s[8] = (Byte)(h2 >> 13);
+				s[9] = (Byte)((h2 >> 21) | (h3 << 5));
+				s[10] = (Byte)(h3 >> 3);
+				s[11] = (Byte)(h3 >> 11);
+				s[12] = (Byte)((h3 >> 19) | (h4 << 6));
+				s[13] = (Byte)(h4 >> 2);
+				s[14] = (Byte)(h4 >> 10);
+				s[15] = (Byte)(h4 >> 18);
+				s[16] = (Byte)(h5 >> 0);
+				s[17] = (Byte)(h5 >> 8);
+				s[18] = (Byte)(h5 >> 16);
+				s[19] = (Byte)((h5 >> 24) | (h6 << 1));
+				s[20] = (Byte)(h6 >> 7);
+				s[21] = (Byte)(h6 >> 15);
+				s[22] = (Byte)((h6 >> 23) | (h7 << 3));
+				s[23] = (Byte)(h7 >> 5);
+				s[24] = (Byte)(h7 >> 13);
+				s[25] = (Byte)((h7 >> 21) | (h8 << 4));
+				s[26] = (Byte)(h8 >> 4);
+				s[27] = (Byte)(h8 >> 12);
+				s[28] = (Byte)((h8 >> 20) | (h9 << 6));
+				s[29] = (Byte)(h9 >> 2);
+				s[30] = (Byte)(h9 >> 10);
+				s[31] = (Byte)(h9 >> 18);
+			}
+			public int isnegative() {
+				Int32 h0 = v0, h9 = v9;
+				Int32 q = (19 * h9 + (1 << 24)) >> 25;
+				q = (h0 + q) >> 26;
+				q = (v1 + q) >> 25;
+				q = (v2 + q) >> 26;
+				q = (v3 + q) >> 25;
+				q = (v4 + q) >> 26;
+				q = (v5 + q) >> 25;
+				q = (v6 + q) >> 26;
+				q = (v7 + q) >> 25;
+				q = (v8 + q) >> 26;
+				q = (h9 + q) >> 25;
+				h0 += 19 * q;
+				h0 -= (h0 >> 26) << 26;
+				return (h0 >> 0) & 1;
+			}
+			public unsafe void frombytes(Byte* s) {
+				Int64 h0 = load_4(s);
+				Int64 h1 = load_3(s + 4) << 6;
+				Int64 h2 = load_3(s + 7) << 5;
+				Int64 h3 = load_3(s + 10) << 3;
+				Int64 h4 = load_3(s + 13) << 2;
+				Int64 h5 = load_4(s + 16);
+				Int64 h6 = load_3(s + 20) << 7;
+				Int64 h7 = load_3(s + 23) << 5;
+				Int64 h8 = load_3(s + 26) << 4;
+				Int64 h9 = (load_3(s + 29) & 8388607) << 2;
+				Int64 carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+				Int64 carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+				Int64 carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+				Int64 carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+				Int64 carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+				Int64 carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+				Int64 carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+				Int64 carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+				Int64 carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+				Int64 carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+				v0 = (Int32)h0;
+				v1 = (Int32)h1;
+				v2 = (Int32)h2;
+				v3 = (Int32)h3;
+				v4 = (Int32)h4;
+				v5 = (Int32)h5;
+				v6 = (Int32)h6;
+				v7 = (Int32)h7;
+				v8 = (Int32)h8;
+				v9 = (Int32)h9;
+			}
+			public int isnonzero() {
+				Int32 h0 = v0, h1 = v1, h2 = v2, h3 = v3, h4 = v4, h5 = v5, h6 = v6, h7 = v7, h8 = v8, h9 = v9;
+				Int32 q = (19 * h9 + (((Int32)1) << 24)) >> 25;
+				q = (h0 + q) >> 26;
+				q = (h1 + q) >> 25;
+				q = (h2 + q) >> 26;
+				q = (h3 + q) >> 25;
+				q = (h4 + q) >> 26;
+				q = (h5 + q) >> 25;
+				q = (h6 + q) >> 26;
+				q = (h7 + q) >> 25;
+				q = (h8 + q) >> 26;
+				q = (h9 + q) >> 25;
+				h0 += 19 * q;
+				Int32 carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26;
+				Int32 carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25;
+				Int32 carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26;
+				Int32 carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25;
+				Int32 carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26;
+				Int32 carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25;
+				Int32 carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26;
+				Int32 carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25;
+				Int32 carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26;
+				Int32 carry9 = h9 >> 25; h9 -= carry9 << 25;
+				Int32 b = h0 | h1 | h2 | h3 | h4 | h5 | h6 | h7 | h8 | h9;
+				b = (b | (b >> 8) | (b >> 16) | (b >> 24)) & 0xff;
+				return (1 & ((b - 1) >> 8)) - 1;
+			}
+			public void pow22523() {
+				fe t0 = this;
+				t0.sq();
+				fe t1 = t0;
+				for (int i = 1; i < 3; i++) t1.sq();
+				fe t2 = this;
+				mul(ref t1);
+				t0.mul(ref this);
+				t0.sq();
+				mul(ref t0);
+				t0 = this;
+				for (int i = 1; i < 6; i++) sq();
+				mul(ref t0);
+				t0 = this;
+				for (int i = 1; i < 11; i++) sq();
+				mul(ref t0);
+				t1 = this;
+				for (int i = 1; i < 21; i++) sq();
+				mul(ref t1);
+				for (int i = 1; i < 11; i++) sq();
+				mul(ref t0);
+				t0 = this;
+				for (int i = 1; i < 51; i++) sq();
+				mul(ref t0);
+				t1 = this;
+				for (int i = 1; i < 101; i++) sq();
+				mul(ref t1);
+				for (int i = 1; i < 51; i++) sq();
+				mul(ref t0);
+				for (int i = 1; i < 3; i++) sq();
+				mul(ref t2);
 			}
 		}
 		struct ge_precomp {
 			public fe yplusx;
 			public fe yminusx;
 			public fe xy2d;
 			public ge_precomp(Int32[] data, int offset)
 				: this() {
-				yplusx = fe_unpack(offset + 0 * 10, data);
+				yplusx = new fe(offset + 0 * 10, data);
-				yminusx = fe_unpack(offset + 1 * 10, data);
+				yminusx = new fe(offset + 1 * 10, data);
-				xy2d = fe_unpack(offset + 2 * 10, data);
+				xy2d = new fe(offset + 2 * 10, data);
+			}
+			public void set_zero() {
+				yplusx.set_one();
+				yminusx.set_one();
+				xy2d.set_zero();
+			}
+			public void cmov(ref ge_precomp u, Byte b) {
+				yplusx.cmov(ref u.yplusx, b);
+				yminusx.cmov(ref u.yminusx, b);
+				xy2d.cmov(ref u.xy2d, b);
 			}
 		}
 		struct ge_p1p1 {
 			public fe X;
 			public fe Y;
 		}
 		struct ge_p2 {
 			public fe X;
 			public fe Y;
 			public fe Z;
+			public void set_zero() {
+				X.set_zero();
+				Y.set_one();
+				Z.set_one();
+			}
 		}
 		struct ge_p3 {
 			public fe X;
 			public fe Y;
 			public fe Z;
 			public fe T;
-		}
+			public void set_zero() {
+				X.set_zero();
-		static fe fe_unpack(int offset, Int32[] data) {
+				Y.set_one();
-			fe ret = new fe();
+				Z.set_one();
-			for (int i = 0; i < 10; i++) ret[i] = data[offset + i];
+				T.set_zero();
+			}
+		}
+		struct ge_cached {
+			public fe YplusX;
+			public fe YminusX;
+			public fe Z;
+			public fe T2d;
+		}
+		static ge_precomp[] base_unpack(int n, Int32[] data) {
+			ge_precomp[] ret = new ge_precomp[n];
+			for (int i = 0; i < n; i++) ret[i] = new ge_precomp(data, i * 3 * 10);
 			return ret;
 		}
-		static ge_precomp[] base_unpack(int n, int offset, Int32[] data) {
+		static ge_precomp[] basev = base_unpack(32 * 8,
-			ge_precomp[] ret = new ge_precomp[n];
-			for (int i = 0; i < n; i++) ret[i] = new ge_precomp(data, offset + i * 3 * 10);
-			return ret;
-		}
-		static ge_precomp[][] base_unpack_a(int a, int b, Int32[] data) {
-			ge_precomp[][] ret = new ge_precomp[a][];
-			for (int i = 0; i < a; i++) ret[i] = base_unpack(b, i * b * 3 * 10, data);
-			return ret;
-		}
-		static ge_precomp[][] basev = base_unpack_a(32, 8,
 			new Int32[32 * 8 * 3 * 10] {
 #region base point data
 			25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605,
 -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378,
 -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546,
 29701166,-14373934,-10878120,9279288,-17568,13127210,21382910,11042292,25838796,4642684,
 -20430234,14955537,-24126347,8124619,-5369288,-5990470,30468147,-13900640,18423289,4177476,
 #endregion
 		});
-		static void fe_0(out fe h) {
-			h = new fe();
-			h[0] = 0;
-			h[1] = 0;
-			h[2] = 0;
-			h[3] = 0;
-			h[4] = 0;
-			h[5] = 0;
-			h[6] = 0;
-			h[7] = 0;
-			h[8] = 0;
-			h[9] = 0;
-		}
-		static void fe_1(out fe h) {
-			h = new fe();
-			h[0] = 1;
-			h[1] = 0;
-			h[2] = 0;
-			h[3] = 0;
-			h[4] = 0;
-			h[5] = 0;
-			h[6] = 0;
-			h[7] = 0;
-			h[8] = 0;
-			h[9] = 0;
-		}
-		static void ge_p3_0(out ge_p3 h) {
-			fe_0(out h.X);
-			fe_1(out h.Y);
-			fe_1(out h.Z);
-			fe_0(out h.T);
-		}
 		static Byte negative(SByte b) {
 			UInt64 x = (UInt64)(Int64)b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
 			x >>= 63; /* 1: yes; 0: no */
 			return (Byte)x;
 		}
-		static void ge_precomp_0(out ge_precomp h) {
+		static Byte equal(Byte b, Byte c) {
-			fe_1(out h.yplusx);
+			UInt32 y = (UInt32)(b ^ c); /* 0: yes; 1..255: no */
-			fe_1(out h.yminusx);
-			fe_0(out h.xy2d);
-		}
-		static void fe_cmov(ref fe f, ref fe g, Int32 b) {
-			Int32 f0 = f[0];
-			Int32 f1 = f[1];
-			Int32 f2 = f[2];
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			Int32 g0 = g[0];
-			Int32 g1 = g[1];
-			Int32 g2 = g[2];
-			Int32 g3 = g[3];
-			Int32 g4 = g[4];
-			Int32 g5 = g[5];
-			Int32 g6 = g[6];
-			Int32 g7 = g[7];
-			Int32 g8 = g[8];
-			Int32 g9 = g[9];
-			Int32 x0 = f0 ^ g0;
-			Int32 x1 = f1 ^ g1;
-			Int32 x2 = f2 ^ g2;
-			Int32 x3 = f3 ^ g3;
-			Int32 x4 = f4 ^ g4;
-			Int32 x5 = f5 ^ g5;
-			Int32 x6 = f6 ^ g6;
-			Int32 x7 = f7 ^ g7;
-			Int32 x8 = f8 ^ g8;
-			Int32 x9 = f9 ^ g9;
-			b = -b;
-			x0 &= b;
-			x1 &= b;
-			x2 &= b;
-			x3 &= b;
-			x4 &= b;
-			x5 &= b;
-			x6 &= b;
-			x7 &= b;
-			x8 &= b;
-			x9 &= b;
-			f[0] = f0 ^ x0;
-			f[1] = f1 ^ x1;
-			f[2] = f2 ^ x2;
-			f[3] = f3 ^ x3;
-			f[4] = f4 ^ x4;
-			f[5] = f5 ^ x5;
-			f[6] = f6 ^ x6;
-			f[7] = f7 ^ x7;
-			f[8] = f8 ^ x8;
-			f[9] = f9 ^ x9;
-		}
-		static void cmov(ref ge_precomp t, ref ge_precomp u, Byte b) {
-			fe_cmov(ref t.yplusx, ref u.yplusx, b);
-			fe_cmov(ref t.yminusx, ref u.yminusx, b);
-			fe_cmov(ref t.xy2d, ref u.xy2d, b);
-		}
-		static Byte equal(Byte b, SByte c) {
-			Byte ub = (Byte)b;
-			Byte uc = (Byte)c;
-			Byte x = (Byte)(ub ^ uc); /* 0: yes; 1..255: no */
-			UInt32 y = x; /* 0: yes; 1..255: no */
 			y -= 1; /* 4294967295: yes; 0..254: no */
 			y >>= 31; /* 1: yes; 0: no */
 			return (Byte)y;
-		}
-		static void fe_copy(out fe h, ref fe f) {
-			Int32 f0 = f[0];
-			Int32 f1 = f[1];
-			Int32 f2 = f[2];
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			h = new fe();
-			h[0] = f0;
-			h[1] = f1;
-			h[2] = f2;
-			h[3] = f3;
-			h[4] = f4;
-			h[5] = f5;
-			h[6] = f6;
-			h[7] = f7;
-			h[8] = f8;
-			h[9] = f9;
-		}
-		static void fe_neg(out fe h, ref fe f) {
-			Int32 f0 = f[0];
-			Int32 f1 = f[1];
-			Int32 f2 = f[2];
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			Int32 h0 = -f0;
-			Int32 h1 = -f1;
-			Int32 h2 = -f2;
-			Int32 h3 = -f3;
-			Int32 h4 = -f4;
-			Int32 h5 = -f5;
-			Int32 h6 = -f6;
-			Int32 h7 = -f7;
-			Int32 h8 = -f8;
-			Int32 h9 = -f9;
-			h = new fe();
-			h[0] = h0;
-			h[1] = h1;
-			h[2] = h2;
-			h[3] = h3;
-			h[4] = h4;
-			h[5] = h5;
-			h[6] = h6;
-			h[7] = h7;
-			h[8] = h8;
-			h[9] = h9;
 		}
 		static void select(out ge_precomp t, int pos, SByte b) {
 			ge_precomp minust;
 			Byte bnegative = negative(b);
 			Byte babs = (Byte)(b - (((-bnegative) & b) << 1));
-			ge_precomp_0(out t);
+			t = new ge_precomp();
-			cmov(ref t, ref basev[pos][0], equal(babs, 1));
+			t.set_zero();
-			cmov(ref t, ref basev[pos][1], equal(babs, 2));
+			int basei = pos * 8;
-			cmov(ref t, ref basev[pos][2], equal(babs, 3));
+			t.cmov(ref basev[basei + 0], equal(babs, 1));
-			cmov(ref t, ref basev[pos][3], equal(babs, 4));
+			t.cmov(ref basev[basei + 1], equal(babs, 2));
-			cmov(ref t, ref basev[pos][4], equal(babs, 5));
+			t.cmov(ref basev[basei + 2], equal(babs, 3));
-			cmov(ref t, ref basev[pos][5], equal(babs, 6));
+			t.cmov(ref basev[basei + 3], equal(babs, 4));
-			cmov(ref t, ref basev[pos][6], equal(babs, 7));
+			t.cmov(ref basev[basei + 4], equal(babs, 5));
-			cmov(ref t, ref basev[pos][7], equal(babs, 8));
+			t.cmov(ref basev[basei + 5], equal(babs, 6));
-			fe_copy(out minust.yplusx, ref t.yminusx);
+			t.cmov(ref basev[basei + 6], equal(babs, 7));
-			fe_copy(out minust.yminusx, ref t.yplusx);
+			t.cmov(ref basev[basei + 7], equal(babs, 8));
-			fe_neg(out minust.xy2d, ref t.xy2d);
+			minust.yplusx = t.yminusx;
-			cmov(ref t, ref minust, bnegative);
+			minust.yminusx = t.yplusx;
+			minust.xy2d = t.xy2d; minust.xy2d.neg();
+			t.cmov(ref minust, bnegative);
 		}
 		static void fe_add(out fe h, ref fe f, ref fe g) {
-			Int32 f0 = f[0];
+			fe r = f;
-			Int32 f1 = f[1];
+			r.add(ref g);
-			Int32 f2 = f[2];
+			h = r;
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			Int32 g0 = g[0];
-			Int32 g1 = g[1];
-			Int32 g2 = g[2];
-			Int32 g3 = g[3];
-			Int32 g4 = g[4];
-			Int32 g5 = g[5];
-			Int32 g6 = g[6];
-			Int32 g7 = g[7];
-			Int32 g8 = g[8];
-			Int32 g9 = g[9];
-			Int32 h0 = f0 + g0;
-			Int32 h1 = f1 + g1;
-			Int32 h2 = f2 + g2;
-			Int32 h3 = f3 + g3;
-			Int32 h4 = f4 + g4;
-			Int32 h5 = f5 + g5;
-			Int32 h6 = f6 + g6;
-			Int32 h7 = f7 + g7;
-			Int32 h8 = f8 + g8;
-			Int32 h9 = f9 + g9;
-			h = new fe();
-			h[0] = h0;
-			h[1] = h1;
-			h[2] = h2;
-			h[3] = h3;
-			h[4] = h4;
-			h[5] = h5;
-			h[6] = h6;
-			h[7] = h7;
-			h[8] = h8;
-			h[9] = h9;
 		}
 		static void fe_sub(out fe h, ref fe f, ref fe g) {
-			Int32 f0 = f[0];
+			fe r = f;
-			Int32 f1 = f[1];
+			r.sub(ref g);
-			Int32 f2 = f[2];
+			h = r;
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			Int32 g0 = g[0];
-			Int32 g1 = g[1];
-			Int32 g2 = g[2];
-			Int32 g3 = g[3];
-			Int32 g4 = g[4];
-			Int32 g5 = g[5];
-			Int32 g6 = g[6];
-			Int32 g7 = g[7];
-			Int32 g8 = g[8];
-			Int32 g9 = g[9];
-			Int32 h0 = f0 - g0;
-			Int32 h1 = f1 - g1;
-			Int32 h2 = f2 - g2;
-			Int32 h3 = f3 - g3;
-			Int32 h4 = f4 - g4;
-			Int32 h5 = f5 - g5;
-			Int32 h6 = f6 - g6;
-			Int32 h7 = f7 - g7;
-			Int32 h8 = f8 - g8;
-			Int32 h9 = f9 - g9;
-			h = new fe();
-			h[0] = h0;
-			h[1] = h1;
-			h[2] = h2;
-			h[3] = h3;
-			h[4] = h4;
-			h[5] = h5;
-			h[6] = h6;
-			h[7] = h7;
-			h[8] = h8;
-			h[9] = h9;
 		}
 		static void fe_mul(out fe h, ref fe f, ref fe g) {
-			Int32 f0 = f[0];
+			fe r = f;
-			Int32 f1 = f[1];
+			r.mul(ref g);
-			Int32 f2 = f[2];
+			h = r;
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			Int32 g0 = g[0];
-			Int32 g1 = g[1];
-			Int32 g2 = g[2];
-			Int32 g3 = g[3];
-			Int32 g4 = g[4];
-			Int32 g5 = g[5];
-			Int32 g6 = g[6];
-			Int32 g7 = g[7];
-			Int32 g8 = g[8];
-			Int32 g9 = g[9];
-			Int32 g1_19 = 19 * g1; /* 1.959375*2^29 */
-			Int32 g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
-			Int32 g3_19 = 19 * g3;
-			Int32 g4_19 = 19 * g4;
-			Int32 g5_19 = 19 * g5;
-			Int32 g6_19 = 19 * g6;
-			Int32 g7_19 = 19 * g7;
-			Int32 g8_19 = 19 * g8;
-			Int32 g9_19 = 19 * g9;
-			Int32 f1_2 = 2 * f1;
-			Int32 f3_2 = 2 * f3;
-			Int32 f5_2 = 2 * f5;
-			Int32 f7_2 = 2 * f7;
-			Int32 f9_2 = 2 * f9;
-			Int64 f0g0 = f0 * (Int64)g0;
-			Int64 f0g1 = f0 * (Int64)g1;
-			Int64 f0g2 = f0 * (Int64)g2;
-			Int64 f0g3 = f0 * (Int64)g3;
-			Int64 f0g4 = f0 * (Int64)g4;
-			Int64 f0g5 = f0 * (Int64)g5;
-			Int64 f0g6 = f0 * (Int64)g6;
-			Int64 f0g7 = f0 * (Int64)g7;
-			Int64 f0g8 = f0 * (Int64)g8;
-			Int64 f0g9 = f0 * (Int64)g9;
-			Int64 f1g0 = f1 * (Int64)g0;
-			Int64 f1g1_2 = f1_2 * (Int64)g1;
-			Int64 f1g2 = f1 * (Int64)g2;
-			Int64 f1g3_2 = f1_2 * (Int64)g3;
-			Int64 f1g4 = f1 * (Int64)g4;
-			Int64 f1g5_2 = f1_2 * (Int64)g5;
-			Int64 f1g6 = f1 * (Int64)g6;
-			Int64 f1g7_2 = f1_2 * (Int64)g7;
-			Int64 f1g8 = f1 * (Int64)g8;
-			Int64 f1g9_38 = f1_2 * (Int64)g9_19;
-			Int64 f2g0 = f2 * (Int64)g0;
-			Int64 f2g1 = f2 * (Int64)g1;
-			Int64 f2g2 = f2 * (Int64)g2;
-			Int64 f2g3 = f2 * (Int64)g3;
-			Int64 f2g4 = f2 * (Int64)g4;
-			Int64 f2g5 = f2 * (Int64)g5;
-			Int64 f2g6 = f2 * (Int64)g6;
-			Int64 f2g7 = f2 * (Int64)g7;
-			Int64 f2g8_19 = f2 * (Int64)g8_19;
-			Int64 f2g9_19 = f2 * (Int64)g9_19;
-			Int64 f3g0 = f3 * (Int64)g0;
-			Int64 f3g1_2 = f3_2 * (Int64)g1;
-			Int64 f3g2 = f3 * (Int64)g2;
-			Int64 f3g3_2 = f3_2 * (Int64)g3;
-			Int64 f3g4 = f3 * (Int64)g4;
-			Int64 f3g5_2 = f3_2 * (Int64)g5;
-			Int64 f3g6 = f3 * (Int64)g6;
-			Int64 f3g7_38 = f3_2 * (Int64)g7_19;
-			Int64 f3g8_19 = f3 * (Int64)g8_19;
-			Int64 f3g9_38 = f3_2 * (Int64)g9_19;
-			Int64 f4g0 = f4 * (Int64)g0;
-			Int64 f4g1 = f4 * (Int64)g1;
-			Int64 f4g2 = f4 * (Int64)g2;
-			Int64 f4g3 = f4 * (Int64)g3;
-			Int64 f4g4 = f4 * (Int64)g4;
-			Int64 f4g5 = f4 * (Int64)g5;
-			Int64 f4g6_19 = f4 * (Int64)g6_19;
-			Int64 f4g7_19 = f4 * (Int64)g7_19;
-			Int64 f4g8_19 = f4 * (Int64)g8_19;
-			Int64 f4g9_19 = f4 * (Int64)g9_19;
-			Int64 f5g0 = f5 * (Int64)g0;
-			Int64 f5g1_2 = f5_2 * (Int64)g1;
-			Int64 f5g2 = f5 * (Int64)g2;
-			Int64 f5g3_2 = f5_2 * (Int64)g3;
-			Int64 f5g4 = f5 * (Int64)g4;
-			Int64 f5g5_38 = f5_2 * (Int64)g5_19;
-			Int64 f5g6_19 = f5 * (Int64)g6_19;
-			Int64 f5g7_38 = f5_2 * (Int64)g7_19;
-			Int64 f5g8_19 = f5 * (Int64)g8_19;
-			Int64 f5g9_38 = f5_2 * (Int64)g9_19;
-			Int64 f6g0 = f6 * (Int64)g0;
-			Int64 f6g1 = f6 * (Int64)g1;
-			Int64 f6g2 = f6 * (Int64)g2;
-			Int64 f6g3 = f6 * (Int64)g3;
-			Int64 f6g4_19 = f6 * (Int64)g4_19;
-			Int64 f6g5_19 = f6 * (Int64)g5_19;
-			Int64 f6g6_19 = f6 * (Int64)g6_19;
-			Int64 f6g7_19 = f6 * (Int64)g7_19;
-			Int64 f6g8_19 = f6 * (Int64)g8_19;
-			Int64 f6g9_19 = f6 * (Int64)g9_19;
-			Int64 f7g0 = f7 * (Int64)g0;
-			Int64 f7g1_2 = f7_2 * (Int64)g1;
-			Int64 f7g2 = f7 * (Int64)g2;
-			Int64 f7g3_38 = f7_2 * (Int64)g3_19;
-			Int64 f7g4_19 = f7 * (Int64)g4_19;
-			Int64 f7g5_38 = f7_2 * (Int64)g5_19;
-			Int64 f7g6_19 = f7 * (Int64)g6_19;
-			Int64 f7g7_38 = f7_2 * (Int64)g7_19;
-			Int64 f7g8_19 = f7 * (Int64)g8_19;
-			Int64 f7g9_38 = f7_2 * (Int64)g9_19;
-			Int64 f8g0 = f8 * (Int64)g0;
-			Int64 f8g1 = f8 * (Int64)g1;
-			Int64 f8g2_19 = f8 * (Int64)g2_19;
-			Int64 f8g3_19 = f8 * (Int64)g3_19;
-			Int64 f8g4_19 = f8 * (Int64)g4_19;
-			Int64 f8g5_19 = f8 * (Int64)g5_19;
-			Int64 f8g6_19 = f8 * (Int64)g6_19;
-			Int64 f8g7_19 = f8 * (Int64)g7_19;
-			Int64 f8g8_19 = f8 * (Int64)g8_19;
-			Int64 f8g9_19 = f8 * (Int64)g9_19;
-			Int64 f9g0 = f9 * (Int64)g0;
-			Int64 f9g1_38 = f9_2 * (Int64)g1_19;
-			Int64 f9g2_19 = f9 * (Int64)g2_19;
-			Int64 f9g3_38 = f9_2 * (Int64)g3_19;
-			Int64 f9g4_19 = f9 * (Int64)g4_19;
-			Int64 f9g5_38 = f9_2 * (Int64)g5_19;
-			Int64 f9g6_19 = f9 * (Int64)g6_19;
-			Int64 f9g7_38 = f9_2 * (Int64)g7_19;
-			Int64 f9g8_19 = f9 * (Int64)g8_19;
-			Int64 f9g9_38 = f9_2 * (Int64)g9_19;
-			Int64 h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
-			Int64 h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19;
-			Int64 h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38;
-			Int64 h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19;
-			Int64 h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38;
-			Int64 h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19;
-			Int64 h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38;
-			Int64 h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19;
-			Int64 h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38;
-			Int64 h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
-			Int64 carry0;
-			Int64 carry1;
-			Int64 carry2;
-			Int64 carry3;
-			Int64 carry4;
-			Int64 carry5;
-			Int64 carry6;
-			Int64 carry7;
-			Int64 carry8;
-			Int64 carry9;
-			carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-			carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-			carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-			carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-			carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-			carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-			carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
-			carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
-			carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-			carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-			h = new fe();
-			h[0] = (Int32)h0;
-			h[1] = (Int32)h1;
-			h[2] = (Int32)h2;
-			h[3] = (Int32)h3;
-			h[4] = (Int32)h4;
-			h[5] = (Int32)h5;
-			h[6] = (Int32)h6;
-			h[7] = (Int32)h7;
-			h[8] = (Int32)h8;
-			h[9] = (Int32)h9;
 		}
 		static void ge_madd(out ge_p1p1 r, ref ge_p3 p, ref ge_precomp q) {
 			fe t0;
 			fe_add(out r.X, ref p.Y, ref p.X);
 			fe_sub(out r.Y, ref p.Y, ref p.X);
 			fe_mul(out r.Y, ref p.Y, ref p.Z);
 			fe_mul(out r.Z, ref p.Z, ref p.T);
 			fe_mul(out r.T, ref p.X, ref p.Y);
 		}
 		static void ge_p3_to_p2(out ge_p2 r, ref ge_p3 p) {
-			fe_copy(out r.X, ref p.X);
+			r.X = p.X;
-			fe_copy(out r.Y, ref p.Y);
+			r.Y = p.Y;
-			fe_copy(out r.Z, ref p.Z);
+			r.Z = p.Z;
 		}
 		static void fe_sq(out fe h, ref fe f) {
-			Int32 f0 = f[0];
+			h = f;
-			Int32 f1 = f[1];
+			h.sq();
-			Int32 f2 = f[2];
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			Int32 f0_2 = 2 * f0;
-			Int32 f1_2 = 2 * f1;
-			Int32 f2_2 = 2 * f2;
-			Int32 f3_2 = 2 * f3;
-			Int32 f4_2 = 2 * f4;
-			Int32 f5_2 = 2 * f5;
-			Int32 f6_2 = 2 * f6;
-			Int32 f7_2 = 2 * f7;
-			Int32 f5_38 = 38 * f5; /* 1.959375*2^30 */
-			Int32 f6_19 = 19 * f6; /* 1.959375*2^30 */
-			Int32 f7_38 = 38 * f7; /* 1.959375*2^30 */
-			Int32 f8_19 = 19 * f8; /* 1.959375*2^30 */
-			Int32 f9_38 = 38 * f9; /* 1.959375*2^30 */
-			Int64 f0f0 = f0 * (Int64)f0;
-			Int64 f0f1_2 = f0_2 * (Int64)f1;
-			Int64 f0f2_2 = f0_2 * (Int64)f2;
-			Int64 f0f3_2 = f0_2 * (Int64)f3;
-			Int64 f0f4_2 = f0_2 * (Int64)f4;
-			Int64 f0f5_2 = f0_2 * (Int64)f5;
-			Int64 f0f6_2 = f0_2 * (Int64)f6;
-			Int64 f0f7_2 = f0_2 * (Int64)f7;
-			Int64 f0f8_2 = f0_2 * (Int64)f8;
-			Int64 f0f9_2 = f0_2 * (Int64)f9;
-			Int64 f1f1_2 = f1_2 * (Int64)f1;
-			Int64 f1f2_2 = f1_2 * (Int64)f2;
-			Int64 f1f3_4 = f1_2 * (Int64)f3_2;
-			Int64 f1f4_2 = f1_2 * (Int64)f4;
-			Int64 f1f5_4 = f1_2 * (Int64)f5_2;
-			Int64 f1f6_2 = f1_2 * (Int64)f6;
-			Int64 f1f7_4 = f1_2 * (Int64)f7_2;
-			Int64 f1f8_2 = f1_2 * (Int64)f8;
-			Int64 f1f9_76 = f1_2 * (Int64)f9_38;
-			Int64 f2f2 = f2 * (Int64)f2;
-			Int64 f2f3_2 = f2_2 * (Int64)f3;
-			Int64 f2f4_2 = f2_2 * (Int64)f4;
-			Int64 f2f5_2 = f2_2 * (Int64)f5;
-			Int64 f2f6_2 = f2_2 * (Int64)f6;
-			Int64 f2f7_2 = f2_2 * (Int64)f7;
-			Int64 f2f8_38 = f2_2 * (Int64)f8_19;
-			Int64 f2f9_38 = f2 * (Int64)f9_38;
-			Int64 f3f3_2 = f3_2 * (Int64)f3;
-			Int64 f3f4_2 = f3_2 * (Int64)f4;
-			Int64 f3f5_4 = f3_2 * (Int64)f5_2;
-			Int64 f3f6_2 = f3_2 * (Int64)f6;
-			Int64 f3f7_76 = f3_2 * (Int64)f7_38;
-			Int64 f3f8_38 = f3_2 * (Int64)f8_19;
-			Int64 f3f9_76 = f3_2 * (Int64)f9_38;
-			Int64 f4f4 = f4 * (Int64)f4;
-			Int64 f4f5_2 = f4_2 * (Int64)f5;
-			Int64 f4f6_38 = f4_2 * (Int64)f6_19;
-			Int64 f4f7_38 = f4 * (Int64)f7_38;
-			Int64 f4f8_38 = f4_2 * (Int64)f8_19;
-			Int64 f4f9_38 = f4 * (Int64)f9_38;
-			Int64 f5f5_38 = f5 * (Int64)f5_38;
-			Int64 f5f6_38 = f5_2 * (Int64)f6_19;
-			Int64 f5f7_76 = f5_2 * (Int64)f7_38;
-			Int64 f5f8_38 = f5_2 * (Int64)f8_19;
-			Int64 f5f9_76 = f5_2 * (Int64)f9_38;
-			Int64 f6f6_19 = f6 * (Int64)f6_19;
-			Int64 f6f7_38 = f6 * (Int64)f7_38;
-			Int64 f6f8_38 = f6_2 * (Int64)f8_19;
-			Int64 f6f9_38 = f6 * (Int64)f9_38;
-			Int64 f7f7_38 = f7 * (Int64)f7_38;
-			Int64 f7f8_38 = f7_2 * (Int64)f8_19;
-			Int64 f7f9_76 = f7_2 * (Int64)f9_38;
-			Int64 f8f8_19 = f8 * (Int64)f8_19;
-			Int64 f8f9_38 = f8 * (Int64)f9_38;
-			Int64 f9f9_38 = f9 * (Int64)f9_38;
-			Int64 h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
-			Int64 h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
-			Int64 h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
-			Int64 h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
-			Int64 h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
-			Int64 h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
-			Int64 h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
-			Int64 h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
-			Int64 h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
-			Int64 h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
-			Int64 carry0;
-			Int64 carry1;
-			Int64 carry2;
-			Int64 carry3;
-			Int64 carry4;
-			Int64 carry5;
-			Int64 carry6;
-			Int64 carry7;
-			Int64 carry8;
-			Int64 carry9;
-			carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-			carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-			carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-			carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-			carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-			carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-			carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
-			carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
-			carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-			carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-			h = new fe();
-			h[0] = (Int32)h0;
-			h[1] = (Int32)h1;
-			h[2] = (Int32)h2;
-			h[3] = (Int32)h3;
-			h[4] = (Int32)h4;
-			h[5] = (Int32)h5;
-			h[6] = (Int32)h6;
-			h[7] = (Int32)h7;
-			h[8] = (Int32)h8;
-			h[9] = (Int32)h9;
-		}
-		static void fe_sq2(out fe h, ref fe f) {
-			Int32 f0 = f[0];
-			Int32 f1 = f[1];
-			Int32 f2 = f[2];
-			Int32 f3 = f[3];
-			Int32 f4 = f[4];
-			Int32 f5 = f[5];
-			Int32 f6 = f[6];
-			Int32 f7 = f[7];
-			Int32 f8 = f[8];
-			Int32 f9 = f[9];
-			Int32 f0_2 = 2 * f0;
-			Int32 f1_2 = 2 * f1;
-			Int32 f2_2 = 2 * f2;
-			Int32 f3_2 = 2 * f3;
-			Int32 f4_2 = 2 * f4;
-			Int32 f5_2 = 2 * f5;
-			Int32 f6_2 = 2 * f6;
-			Int32 f7_2 = 2 * f7;
-			Int32 f5_38 = 38 * f5; /* 1.959375*2^30 */
-			Int32 f6_19 = 19 * f6; /* 1.959375*2^30 */
-			Int32 f7_38 = 38 * f7; /* 1.959375*2^30 */
-			Int32 f8_19 = 19 * f8; /* 1.959375*2^30 */
-			Int32 f9_38 = 38 * f9; /* 1.959375*2^30 */
-			Int64 f0f0 = f0 * (Int64)f0;
-			Int64 f0f1_2 = f0_2 * (Int64)f1;
-			Int64 f0f2_2 = f0_2 * (Int64)f2;
-			Int64 f0f3_2 = f0_2 * (Int64)f3;
-			Int64 f0f4_2 = f0_2 * (Int64)f4;
-			Int64 f0f5_2 = f0_2 * (Int64)f5;
-			Int64 f0f6_2 = f0_2 * (Int64)f6;
-			Int64 f0f7_2 = f0_2 * (Int64)f7;
-			Int64 f0f8_2 = f0_2 * (Int64)f8;
-			Int64 f0f9_2 = f0_2 * (Int64)f9;
-			Int64 f1f1_2 = f1_2 * (Int64)f1;
-			Int64 f1f2_2 = f1_2 * (Int64)f2;
-			Int64 f1f3_4 = f1_2 * (Int64)f3_2;
-			Int64 f1f4_2 = f1_2 * (Int64)f4;
-			Int64 f1f5_4 = f1_2 * (Int64)f5_2;
-			Int64 f1f6_2 = f1_2 * (Int64)f6;
-			Int64 f1f7_4 = f1_2 * (Int64)f7_2;
-			Int64 f1f8_2 = f1_2 * (Int64)f8;
-			Int64 f1f9_76 = f1_2 * (Int64)f9_38;
-			Int64 f2f2 = f2 * (Int64)f2;
-			Int64 f2f3_2 = f2_2 * (Int64)f3;
-			Int64 f2f4_2 = f2_2 * (Int64)f4;
-			Int64 f2f5_2 = f2_2 * (Int64)f5;
-			Int64 f2f6_2 = f2_2 * (Int64)f6;
-			Int64 f2f7_2 = f2_2 * (Int64)f7;
-			Int64 f2f8_38 = f2_2 * (Int64)f8_19;
-			Int64 f2f9_38 = f2 * (Int64)f9_38;
-			Int64 f3f3_2 = f3_2 * (Int64)f3;
-			Int64 f3f4_2 = f3_2 * (Int64)f4;
-			Int64 f3f5_4 = f3_2 * (Int64)f5_2;
-			Int64 f3f6_2 = f3_2 * (Int64)f6;
-			Int64 f3f7_76 = f3_2 * (Int64)f7_38;
-			Int64 f3f8_38 = f3_2 * (Int64)f8_19;
-			Int64 f3f9_76 = f3_2 * (Int64)f9_38;
-			Int64 f4f4 = f4 * (Int64)f4;
-			Int64 f4f5_2 = f4_2 * (Int64)f5;
-			Int64 f4f6_38 = f4_2 * (Int64)f6_19;
-			Int64 f4f7_38 = f4 * (Int64)f7_38;
-			Int64 f4f8_38 = f4_2 * (Int64)f8_19;
-			Int64 f4f9_38 = f4 * (Int64)f9_38;
-			Int64 f5f5_38 = f5 * (Int64)f5_38;
-			Int64 f5f6_38 = f5_2 * (Int64)f6_19;
-			Int64 f5f7_76 = f5_2 * (Int64)f7_38;
-			Int64 f5f8_38 = f5_2 * (Int64)f8_19;
-			Int64 f5f9_76 = f5_2 * (Int64)f9_38;
-			Int64 f6f6_19 = f6 * (Int64)f6_19;
-			Int64 f6f7_38 = f6 * (Int64)f7_38;
-			Int64 f6f8_38 = f6_2 * (Int64)f8_19;
-			Int64 f6f9_38 = f6 * (Int64)f9_38;
-			Int64 f7f7_38 = f7 * (Int64)f7_38;
-			Int64 f7f8_38 = f7_2 * (Int64)f8_19;
-			Int64 f7f9_76 = f7_2 * (Int64)f9_38;
-			Int64 f8f8_19 = f8 * (Int64)f8_19;
-			Int64 f8f9_38 = f8 * (Int64)f9_38;
-			Int64 f9f9_38 = f9 * (Int64)f9_38;
-			Int64 h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
-			Int64 h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
-			Int64 h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
-			Int64 h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
-			Int64 h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
-			Int64 h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
-			Int64 h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
-			Int64 h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
-			Int64 h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
-			Int64 h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
-			Int64 carry0;
-			Int64 carry1;
-			Int64 carry2;
-			Int64 carry3;
-			Int64 carry4;
-			Int64 carry5;
-			Int64 carry6;
-			Int64 carry7;
-			Int64 carry8;
-			Int64 carry9;
-			h0 += h0;
-			h1 += h1;
-			h2 += h2;
-			h3 += h3;
-			h4 += h4;
-			h5 += h5;
-			h6 += h6;
-			h7 += h7;
-			h8 += h8;
-			h9 += h9;
-			carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-			carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-			carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-			carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-			carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-			carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-			carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
-			carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
-			carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-			carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-			h = new fe();
-			h[0] = (Int32)h0;
-			h[1] = (Int32)h1;
-			h[2] = (Int32)h2;
-			h[3] = (Int32)h3;
-			h[4] = (Int32)h4;
-			h[5] = (Int32)h5;
-			h[6] = (Int32)h6;
-			h[7] = (Int32)h7;
-			h[8] = (Int32)h8;
-			h[9] = (Int32)h9;
 		}
 		static void ge_p2_dbl(out ge_p1p1 r, ref ge_p2 p) {
-			fe t0;
+			r.X = p.X; r.X.sq();
-			fe_sq(out r.X, ref p.X);
+			r.Z = p.Y; r.Z.sq();
-			fe_sq(out r.Z, ref p.Y);
+			r.T = p.Z; r.T.sq2();
-			fe_sq2(out r.T, ref p.Z);
+			r.Y = p.X; r.Y.add(ref p.Y);
-			fe_add(out r.Y, ref p.X, ref p.Y);
+			fe t0 = r.Y; t0.sq();
-			fe_sq(out t0, ref r.Y);
+			r.Y = r.Z; r.Y.add(ref r.X);
-			fe_add(out r.Y, ref r.Z, ref r.X);
+			r.Z.sub(ref r.X);
-			fe_sub(out r.Z, ref r.Z, ref r.X);
+			r.X = t0; r.X.sub(ref r.Y);
-			fe_sub(out r.X, ref t0, ref r.Y);
+			r.T.sub(ref r.Z);
-			fe_sub(out r.T, ref r.T, ref r.Z);
 		}
 		static void ge_p3_dbl(out ge_p1p1 r, ref ge_p3 p) {
 			ge_p2 q;
 			ge_p3_to_p2(out q, ref p);
 			ge_p2_dbl(out r, ref q);
 				carry >>= 4;
 				e[i] -= (sbyte)(carry << 4);
 			}
 			e[63] += carry;
-			ge_p3_0(out h);
+			h = new ge_p3();
+			h.set_zero();
 			ge_precomp t;
 			ge_p1p1 r;
 			for (int i = 1; i < 64; i += 2) {
 				select(out t, i / 2, e[i]);
 				ge_madd(out r, ref h, ref t); ge_p1p1_to_p3(out h, ref r);
 			for (int i = 0; i < 64; i += 2) {
 				select(out t, i / 2, e[i]);
 				ge_madd(out r, ref h, ref t); ge_p1p1_to_p3(out h, ref r);
 			}
 		}
-		static void fe_invert(out fe outv, ref fe z) {
-			fe t0;
-			fe t1;
-			fe t2;
-			fe t3;
-			fe_sq(out t0, ref z); for (int i = 1; i < 1; ++i) fe_sq(out t0, ref t0);
-			fe_sq(out t1, ref t0); for (int i = 1; i < 2; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out t1, ref z, ref t1);
-			fe_mul(out t0, ref t0, ref t1);
-			fe_sq(out t2, ref t0); for (int i = 1; i < 1; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t1, ref t1, ref t2);
-			fe_sq(out t2, ref t1); for (int i = 1; i < 5; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t1, ref t2, ref t1);
-			fe_sq(out t2, ref t1); for (int i = 1; i < 10; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t2, ref t2, ref t1);
-			fe_sq(out t3, ref t2); for (int i = 1; i < 20; ++i) fe_sq(out t3, ref t3);
-			fe_mul(out t2, ref t3, ref t2);
-			fe_sq(out t2, ref t2); for (int i = 1; i < 10; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t1, ref t2, ref t1);
-			fe_sq(out t2, ref t1); for (int i = 1; i < 50; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t2, ref t2, ref t1);
-			fe_sq(out t3, ref t2); for (int i = 1; i < 100; ++i) fe_sq(out t3, ref t3);
-			fe_mul(out t2, ref t3, ref t2);
-			fe_sq(out t2, ref t2); for (int i = 1; i < 50; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t1, ref t2, ref t1);
-			fe_sq(out t1, ref t1); for (int i = 1; i < 5; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out outv, ref t1, ref t0);
-		}
-		static unsafe void fe_tobytes(Byte* s, ref fe h) {
-			Int32 h0 = h[0];
-			Int32 h1 = h[1];
-			Int32 h2 = h[2];
-			Int32 h3 = h[3];
-			Int32 h4 = h[4];
-			Int32 h5 = h[5];
-			Int32 h6 = h[6];
-			Int32 h7 = h[7];
-			Int32 h8 = h[8];
-			Int32 h9 = h[9];
-			Int32 q;
-			Int32 carry0;
-			Int32 carry1;
-			Int32 carry2;
-			Int32 carry3;
-			Int32 carry4;
-			Int32 carry5;
-			Int32 carry6;
-			Int32 carry7;
-			Int32 carry8;
-			Int32 carry9;
-			q = (19 * h9 + (((Int32)1) << 24)) >> 25;
-			q = (h0 + q) >> 26;
-			q = (h1 + q) >> 25;
-			q = (h2 + q) >> 26;
-			q = (h3 + q) >> 25;
-			q = (h4 + q) >> 26;
-			q = (h5 + q) >> 25;
-			q = (h6 + q) >> 26;
-			q = (h7 + q) >> 25;
-			q = (h8 + q) >> 26;
-			q = (h9 + q) >> 25;
-			h0 += 19 * q;
-			carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26;
-			carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25;
-			carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26;
-			carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25;
-			carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25;
-			carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26;
-			carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25;
-			carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26;
-			carry9 = h9 >> 25; h9 -= carry9 << 25;
-			/* h10 = carry9 */
-			s[0] = (Byte)(h0 >> 0);
-			s[1] = (Byte)(h0 >> 8);
-			s[2] = (Byte)(h0 >> 16);
-			s[3] = (Byte)((h0 >> 24) | (h1 << 2));
-			s[4] = (Byte)(h1 >> 6);
-			s[5] = (Byte)(h1 >> 14);
-			s[6] = (Byte)((h1 >> 22) | (h2 << 3));
-			s[7] = (Byte)(h2 >> 5);
-			s[8] = (Byte)(h2 >> 13);
-			s[9] = (Byte)((h2 >> 21) | (h3 << 5));
-			s[10] = (Byte)(h3 >> 3);
-			s[11] = (Byte)(h3 >> 11);
-			s[12] = (Byte)((h3 >> 19) | (h4 << 6));
-			s[13] = (Byte)(h4 >> 2);
-			s[14] = (Byte)(h4 >> 10);
-			s[15] = (Byte)(h4 >> 18);
-			s[16] = (Byte)(h5 >> 0);
-			s[17] = (Byte)(h5 >> 8);
-			s[18] = (Byte)(h5 >> 16);
-			s[19] = (Byte)((h5 >> 24) | (h6 << 1));
-			s[20] = (Byte)(h6 >> 7);
-			s[21] = (Byte)(h6 >> 15);
-			s[22] = (Byte)((h6 >> 23) | (h7 << 3));
-			s[23] = (Byte)(h7 >> 5);
-			s[24] = (Byte)(h7 >> 13);
-			s[25] = (Byte)((h7 >> 21) | (h8 << 4));
-			s[26] = (Byte)(h8 >> 4);
-			s[27] = (Byte)(h8 >> 12);
-			s[28] = (Byte)((h8 >> 20) | (h9 << 6));
-			s[29] = (Byte)(h9 >> 2);
-			s[30] = (Byte)(h9 >> 10);
-			s[31] = (Byte)(h9 >> 18);
-		}
-		static unsafe int fe_isnegative(ref fe f) {
-			Byte* s = stackalloc Byte[32];
-			fe_tobytes(s, ref f);
-			return s[0] & 1;
-		}
 		static unsafe void ge_p3_tobytes(Byte* s, ref ge_p3 h) {
-			fe recip;
+			fe recip = h.Z; recip.invert();
-			fe x;
+			fe x = h.X; x.mul(ref recip);
-			fe y;
+			fe y = h.Y; y.mul(ref recip);
-			fe_invert(out recip, ref h.Z);
+			y.tobytes(s);
-			fe_mul(out x, ref h.X, ref recip);
+			s[31] ^= (Byte)(x.isnegative() << 7);
-			fe_mul(out y, ref h.Y, ref recip);
-			fe_tobytes(s, ref y);
-			s[31] ^= (Byte)(fe_isnegative(ref x) << 7);
 		}
 		public static unsafe void crypto_sign_seed_keypair(out Byte[] pk, out Byte[] sk, Byte[] seed) {
 			if (seed.Length < SEEDBYTES) throw new ArgumentException("seed.Length < SEEDBYTES");
 			sk = new Byte[SECRETKEYBYTES];
 		public static unsafe void crypto_sign_getpublickey(out Byte[] pk, Byte[] sk) {
 			pk = UCIS.Util.ArrayUtil.Slice(sk, 32, 32);
 		}
-		static unsafe Int64 load_3(Byte* inv) {
+		static unsafe UInt32 load_3(Byte* inv) {
-			UInt64 result;
+			return (UInt32)inv[0] | ((UInt32)inv[1] << 8) | ((UInt32)inv[2] << 16);
-			result = (UInt64)inv[0];
+		}
-			result |= ((UInt64)inv[1]) << 8;
+		static unsafe UInt32 load_4(Byte* inv) {
-			result |= ((UInt64)inv[2]) << 16;
+			return (UInt32)inv[0] | ((UInt32)inv[1] << 8) | ((UInt32)inv[2] << 16) | ((UInt32)inv[3] << 24);
-			return (Int64)result;
-		}
-		static unsafe Int64 load_4(Byte* inv) {
-			UInt64 result;
-			result = (UInt64)inv[0];
-			result |= ((UInt64)inv[1]) << 8;
-			result |= ((UInt64)inv[2]) << 16;
-			result |= ((UInt64)inv[3]) << 24;
-			return (Int64)result;
 		}
 		static unsafe void sc_reduce(Byte* s) {
 			Int64 s0 = 2097151 & load_3(s);
 			Int64 s1 = 2097151 & (load_4(s + 2) >> 5);
 			Int64 s2 = 2097151 & (load_3(s + 5) >> 2);
 			Int64 s19 = 2097151 & (load_4(s + 49) >> 7);
 			Int64 s20 = 2097151 & (load_4(s + 52) >> 4);
 			Int64 s21 = 2097151 & (load_3(s + 55) >> 1);
 			Int64 s22 = 2097151 & (load_4(s + 57) >> 6);
 			Int64 s23 = (load_4(s + 60) >> 3);
-			Int64 carry0;
-			Int64 carry1;
-			Int64 carry2;
-			Int64 carry3;
-			Int64 carry4;
-			Int64 carry5;
-			Int64 carry6;
-			Int64 carry7;
-			Int64 carry8;
-			Int64 carry9;
-			Int64 carry10;
-			Int64 carry11;
-			Int64 carry12;
-			Int64 carry13;
-			Int64 carry14;
-			Int64 carry15;
-			Int64 carry16;
 			s11 += s23 * 666643;
 			s12 += s23 * 470296;
 			s13 += s23 * 654183;
 			s14 -= s23 * 997805;
 			s12 += s22 * 654183;
 			s13 -= s22 * 997805;
 			s14 += s22 * 136657;
 			s15 -= s22 * 683901;
 			s9 += s21 * 666643;
 			s10 += s21 * 470296;
 			s11 += s21 * 654183;
 			s12 -= s21 * 997805;
 			s13 += s21 * 136657;
 			s14 -= s21 * 683901;
 			s8 += s20 * 666643;
 			s9 += s20 * 470296;
 			s10 += s20 * 654183;
 			s11 -= s20 * 997805;
 			s12 += s20 * 136657;
 			s13 -= s20 * 683901;
 			s7 += s19 * 666643;
 			s8 += s19 * 470296;
 			s9 += s19 * 654183;
 			s10 -= s19 * 997805;
 			s11 += s19 * 136657;
 			s8 += s18 * 654183;
 			s9 -= s18 * 997805;
 			s10 += s18 * 136657;
 			s11 -= s18 * 683901;
-			carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
+			Int64 carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-			carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
+			Int64 carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-			carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
+			Int64 carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-			carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
+			Int64 carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-			carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
+			Int64 carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-			carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
+			Int64 carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
-			carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
+			Int64 carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-			carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
+			Int64 carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-			carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
+			Int64 carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-			carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
+			Int64 carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-			carry15 = (s15 + (1 << 20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
+			Int64 carry15 = (s15 + (1 << 20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
 			s5 += s17 * 666643;
 			s6 += s17 * 470296;
 			s7 += s17 * 654183;
 			s8 -= s17 * 997805;
 			s3 -= s12 * 997805;
 			s4 += s12 * 136657;
 			s5 -= s12 * 683901;
 			s12 = 0;
-			carry0 = (s0 + (1 << 20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
+			Int64 carry0 = (s0 + (1 << 20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
-			carry2 = (s2 + (1 << 20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
+			Int64 carry2 = (s2 + (1 << 20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
-			carry4 = (s4 + (1 << 20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
+			Int64 carry4 = (s4 + (1 << 20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
 			carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
 			carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
 			carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-			carry1 = (s1 + (1 << 20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
+			Int64 carry1 = (s1 + (1 << 20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-			carry3 = (s3 + (1 << 20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
+			Int64 carry3 = (s3 + (1 << 20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-			carry5 = (s5 + (1 << 20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
+			Int64 carry5 = (s5 + (1 << 20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
 			carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
 			carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
 			carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
 			s0 += s12 * 666643;
 			s1 += s12 * 470296;
 			s2 += s12 * 654183;
 			s3 -= s12 * 997805;
 			s4 += s12 * 136657;
 			s5 -= s12 * 683901;
 			carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
 			carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
 			carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
 			carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
 			carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
 			Int64 c7 = 2097151 & (load_3(c + 18) >> 3);
 			Int64 c8 = 2097151 & load_3(c + 21);
 			Int64 c9 = 2097151 & (load_4(c + 23) >> 5);
 			Int64 c10 = 2097151 & (load_3(c + 26) >> 2);
 			Int64 c11 = (load_4(c + 28) >> 7);
-			Int64 s0;
-			Int64 s1;
+			Int64 s0 = c0 + a0 * b0;
-			Int64 s2;
+			Int64 s1 = c1 + a0 * b1 + a1 * b0;
-			Int64 s3;
+			Int64 s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
-			Int64 s4;
+			Int64 s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
-			Int64 s5;
+			Int64 s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
-			Int64 s6;
+			Int64 s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
-			Int64 s7;
+			Int64 s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
-			Int64 s8;
+			Int64 s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
-			Int64 s9;
+			Int64 s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
-			Int64 s10;
+			Int64 s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
-			Int64 s11;
+			Int64 s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
-			Int64 s12;
+			Int64 s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
-			Int64 s13;
+			Int64 s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
-			Int64 s14;
+			Int64 s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
-			Int64 s15;
+			Int64 s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
-			Int64 s16;
+			Int64 s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
-			Int64 s17;
+			Int64 s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
-			Int64 s18;
+			Int64 s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
-			Int64 s19;
+			Int64 s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
-			Int64 s20;
+			Int64 s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
-			Int64 s21;
+			Int64 s20 = a9 * b11 + a10 * b10 + a11 * b9;
-			Int64 s22;
+			Int64 s21 = a10 * b11 + a11 * b10;
-			Int64 s23;
+			Int64 s22 = a11 * b11;
-			Int64 carry0;
+			Int64 s23 = 0;
-			Int64 carry1;
-			Int64 carry2;
+			Int64 carry0 = (s0 + (1 << 20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
-			Int64 carry3;
+			Int64 carry2 = (s2 + (1 << 20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
-			Int64 carry4;
+			Int64 carry4 = (s4 + (1 << 20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
-			Int64 carry5;
+			Int64 carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-			Int64 carry6;
+			Int64 carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-			Int64 carry7;
+			Int64 carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-			Int64 carry8;
+			Int64 carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-			Int64 carry9;
+			Int64 carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-			Int64 carry10;
+			Int64 carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
-			Int64 carry11;
+			Int64 carry18 = (s18 + (1 << 20)) >> 21; s19 += carry18; s18 -= carry18 << 21;
-			Int64 carry12;
+			Int64 carry20 = (s20 + (1 << 20)) >> 21; s21 += carry20; s20 -= carry20 << 21;
-			Int64 carry13;
+			Int64 carry22 = (s22 + (1 << 20)) >> 21; s23 += carry22; s22 -= carry22 << 21;
-			Int64 carry14;
-			Int64 carry15;
+			Int64 carry1 = (s1 + (1 << 20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-			Int64 carry16;
+			Int64 carry3 = (s3 + (1 << 20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-			Int64 carry17;
+			Int64 carry5 = (s5 + (1 << 20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
-			Int64 carry18;
+			Int64 carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-			Int64 carry19;
+			Int64 carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-			Int64 carry20;
+			Int64 carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-			Int64 carry21;
+			Int64 carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-			Int64 carry22;
+			Int64 carry15 = (s15 + (1 << 20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
+			Int64 carry17 = (s17 + (1 << 20)) >> 21; s18 += carry17; s17 -= carry17 << 21;
-			s0 = c0 + a0 * b0;
+			Int64 carry19 = (s19 + (1 << 20)) >> 21; s20 += carry19; s19 -= carry19 << 21;
-			s1 = c1 + a0 * b1 + a1 * b0;
+			Int64 carry21 = (s21 + (1 << 20)) >> 21; s22 += carry21; s21 -= carry21 << 21;
-			s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
-			s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
+			s11 += s23 * 666643;
-			s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
+			s12 += s23 * 470296;
-			s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
+			s13 += s23 * 654183;
-			s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
+			s14 -= s23 * 997805;
-			s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
+			s15 += s23 * 136657;
-			s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
+			s16 -= s23 * 683901;
-			s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
-			s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
+			s10 += s22 * 666643;
-			s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
+			s11 += s22 * 470296;
-			s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
+			s12 += s22 * 654183;
-			s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
+			s13 -= s22 * 997805;
-			s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
+			s14 += s22 * 136657;
-			s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
+			s15 -= s22 * 683901;
-			s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
-			s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
+			s9 += s21 * 666643;
-			s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
+			s10 += s21 * 470296;
-			s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
+			s11 += s21 * 654183;
-			s20 = a9 * b11 + a10 * b10 + a11 * b9;
+			s12 -= s21 * 997805;
-			s21 = a10 * b11 + a11 * b10;
+			s13 += s21 * 136657;
-			s22 = a11 * b11;
+			s14 -= s21 * 683901;
-			s23 = 0;
+			s8 += s20 * 666643;
-			carry0 = (s0 + (1 << 20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
+			s9 += s20 * 470296;
-			carry2 = (s2 + (1 << 20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
+			s10 += s20 * 654183;
-			carry4 = (s4 + (1 << 20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
+			s11 -= s20 * 997805;
+			s12 += s20 * 136657;
+			s13 -= s20 * 683901;
+			s7 += s19 * 666643;
+			s8 += s19 * 470296;
+			s9 += s19 * 654183;
+			s10 -= s19 * 997805;
+			s11 += s19 * 136657;
+			s12 -= s19 * 683901;
+			s6 += s18 * 666643;
+			s7 += s18 * 470296;
+			s8 += s18 * 654183;
+			s9 -= s18 * 997805;
+			s10 += s18 * 136657;
+			s11 -= s18 * 683901;
 			carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
 			carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
 			carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
 			carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
 			carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
 			carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
-			carry18 = (s18 + (1 << 20)) >> 21; s19 += carry18; s18 -= carry18 << 21;
-			carry20 = (s20 + (1 << 20)) >> 21; s21 += carry20; s20 -= carry20 << 21;
-			carry22 = (s22 + (1 << 20)) >> 21; s23 += carry22; s22 -= carry22 << 21;
-			carry1 = (s1 + (1 << 20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-			carry3 = (s3 + (1 << 20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-			carry5 = (s5 + (1 << 20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
-			carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-			carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-			carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-			carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-			carry15 = (s15 + (1 << 20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
-			carry17 = (s17 + (1 << 20)) >> 21; s18 += carry17; s17 -= carry17 << 21;
-			carry19 = (s19 + (1 << 20)) >> 21; s20 += carry19; s19 -= carry19 << 21;
-			carry21 = (s21 + (1 << 20)) >> 21; s22 += carry21; s21 -= carry21 << 21;
-			s11 += s23 * 666643;
-			s12 += s23 * 470296;
-			s13 += s23 * 654183;
-			s14 -= s23 * 997805;
-			s15 += s23 * 136657;
-			s16 -= s23 * 683901;
-			s10 += s22 * 666643;
-			s11 += s22 * 470296;
-			s12 += s22 * 654183;
-			s13 -= s22 * 997805;
-			s14 += s22 * 136657;
-			s15 -= s22 * 683901;
-			s9 += s21 * 666643;
-			s10 += s21 * 470296;
-			s11 += s21 * 654183;
-			s12 -= s21 * 997805;
-			s13 += s21 * 136657;
-			s14 -= s21 * 683901;
-			s8 += s20 * 666643;
-			s9 += s20 * 470296;
-			s10 += s20 * 654183;
-			s11 -= s20 * 997805;
-			s12 += s20 * 136657;
-			s13 -= s20 * 683901;
-			s7 += s19 * 666643;
-			s8 += s19 * 470296;
-			s9 += s19 * 654183;
-			s10 -= s19 * 997805;
-			s11 += s19 * 136657;
-			s12 -= s19 * 683901;
-			s6 += s18 * 666643;
-			s7 += s18 * 470296;
-			s8 += s18 * 654183;
-			s9 -= s18 * 997805;
-			s10 += s18 * 136657;
-			s11 -= s18 * 683901;
-			carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-			carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-			carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-			carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-			carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-			carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
 			carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
 			carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
 			carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
 			carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
 			s6 += s17 * 470296;
 			s7 += s17 * 654183;
 			s8 -= s17 * 997805;
 			s9 += s17 * 136657;
 			s10 -= s17 * 683901;
 			s4 += s16 * 666643;
 			s5 += s16 * 470296;
 			s6 += s16 * 654183;
 			s7 -= s16 * 997805;
 			s8 += s16 * 136657;
 			s9 -= s16 * 683901;
 			s3 += s15 * 666643;
 			s4 += s15 * 470296;
 			s5 += s15 * 654183;
 			s6 -= s15 * 997805;
 			s7 += s15 * 136657;
 			s8 -= s15 * 683901;
 			s2 += s14 * 666643;
 			s3 += s14 * 470296;
 			s4 += s14 * 654183;
 			s5 -= s14 * 997805;
 			s6 += s14 * 136657;
 			s7 -= s14 * 683901;
 			s1 += s13 * 666643;
 			s2 += s13 * 470296;
 			s3 += s13 * 654183;
 			s4 -= s13 * 997805;
 			s5 += s13 * 136657;
 			s6 -= s13 * 683901;
 			s0 += s12 * 666643;
 			s1 += s12 * 470296;
 			s2 += s12 * 654183;
 			s3 -= s12 * 997805;
 			s4 += s12 * 136657;
 			s1 += s12 * 470296;
 			s2 += s12 * 654183;
 			s3 -= s12 * 997805;
 			s4 += s12 * 136657;
 			s5 -= s12 * 683901;
 			carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
 			carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
 			carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
 			carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
 			carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
 			s[28] = (Byte)((s10 >> 14) | (s11 << 7));
 			s[29] = (Byte)(s11 >> 1);
 			s[30] = (Byte)(s11 >> 9);
 			s[31] = (Byte)(s11 >> 17);
 		}
-		public static unsafe void crypto_sign(Byte[] sm, int smoffset, out UInt64 smlen, Byte[] m, int moffset, UInt64 mlen, Byte[] sk) {
+		public static unsafe void crypto_sign(Byte[] sm, int smoffset, out int smlen, Byte[] m, int moffset, int mlen, Byte[] sk) {
 			if (smoffset + (int)mlen + 64 > sm.Length) throw new ArgumentException("signed message buffer is too small");
 			if (moffset + (int)mlen > m.Length) throw new ArgumentException("message buffer is too small");
 			if (64 > sk.Length) throw new ArgumentException("key buffer is too small");
 			fixed (Byte* smp = sm, mp = m, skp = sk) crypto_sign(smp + smoffset, out smlen, mp + moffset, mlen, skp);
 		}
-		public static unsafe void crypto_sign(Byte* sm, out UInt64 smlen, Byte* m, UInt64 mlen, Byte* sk) {
+		public static unsafe void crypto_sign(Byte* sm, out int smlen, Byte* m, int mlen, Byte* sk) {
+			smlen = mlen + 64;
+			for (int i = 0; i < mlen; ++i) sm[64 + i] = m[i];
+			crypto_getsignature(sm, m, mlen, sk);
+		}
+		public static unsafe void crypto_getsignature(Byte* sig, Byte* m, int mlen, Byte* sk) {
 			Byte* az = stackalloc Byte[64];
-			Byte* r = stackalloc Byte[64];
+			sha512.crypto_hash(az, sk, 32);
-			Byte* hram = stackalloc Byte[64];
-			crypto_hash.sha512.crypto_hash(az, sk, 32);
 			az[0] &= 248;
 			az[31] &= 63;
 			az[31] |= 64;
-			smlen = mlen + 64;
+			sha512.sha512state hashstate = new sha512.sha512state();
-			for (UInt64 i = 0; i < mlen; ++i) sm[64 + i] = m[i];
+			hashstate.init();
-			for (UInt64 i = 0; i < 32; ++i) sm[32 + i] = az[32 + i];
+			hashstate.process(az + 32, 32);
-			crypto_hash.sha512.crypto_hash(r, sm + 32, mlen + 32);
+			hashstate.process(m, (int)mlen);
-			for (UInt64 i = 0; i < 32; ++i) sm[32 + i] = sk[32 + i];
+			Byte* r = stackalloc Byte[64];
+			hashstate.finish(r);
 			sc_reduce(r);
 			ge_p3 R;
 			ge_scalarmult_base(out R, r);
-			ge_p3_tobytes(sm, ref R);
+			ge_p3_tobytes(sig, ref R);
-			crypto_hash.sha512.crypto_hash(hram, sm, mlen + 64);
+			hashstate.init();
+			hashstate.process(sig, 32);
+			hashstate.process(sk + 32, 32);
+			hashstate.process(m, (int)mlen);
+			Byte* hram = stackalloc Byte[64];
+			hashstate.finish(hram);
 			sc_reduce(hram);
-			sc_muladd(sm + 32, hram, az, r);
+			sc_muladd(sig + 32, hram, az, r);
 		}
-		static unsafe void fe_frombytes(out fe h, Byte* s) {
+		static fe d = new fe(0, new Int32[10] { -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116 });
-			Int64 h0 = load_4(s);
+		static fe sqrtm1 = new fe(0, new Int32[10] { -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482 });
-			Int64 h1 = load_3(s + 4) << 6;
-			Int64 h2 = load_3(s + 7) << 5;
-			Int64 h3 = load_3(s + 10) << 3;
-			Int64 h4 = load_3(s + 13) << 2;
-			Int64 h5 = load_4(s + 16);
-			Int64 h6 = load_3(s + 20) << 7;
-			Int64 h7 = load_3(s + 23) << 5;
-			Int64 h8 = load_3(s + 26) << 4;
-			Int64 h9 = (load_3(s + 29) & 8388607) << 2;
-			Int64 carry0;
-			Int64 carry1;
-			Int64 carry2;
-			Int64 carry3;
-			Int64 carry4;
-			Int64 carry5;
-			Int64 carry6;
-			Int64 carry7;
-			Int64 carry8;
-			Int64 carry9;
-			carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-			carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-			carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-			carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-			carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
-			carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-			carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-			carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-			carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-			carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
-			h = new fe();
-			h[0] = (Int32)h0;
-			h[1] = (Int32)h1;
-			h[2] = (Int32)h2;
-			h[3] = (Int32)h3;
-			h[4] = (Int32)h4;
-			h[5] = (Int32)h5;
-			h[6] = (Int32)h6;
-			h[7] = (Int32)h7;
-			h[8] = (Int32)h8;
-			h[9] = (Int32)h9;
-		}
-		static Byte[] zero = new Byte[32];
-		static unsafe int fe_isnonzero(ref fe f) {
-			Byte* s = stackalloc Byte[32];
-			fe_tobytes(s, ref f);
-			fixed (Byte* zerop = zero) return crypto_verify._32.crypto_verify(s, zerop);
-		}
-		static fe d = fe_unpack(0, new Int32[10] { -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116 });
-		static fe sqrtm1 = fe_unpack(0, new Int32[10] { -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482 });
-		static void fe_pow22523(out fe outv, ref fe z) {
-			fe t0;
-			fe t1;
-			fe t2;
-			fe_sq(out t0, ref z); for (int i = 1; i < 1; ++i) fe_sq(out t0, ref t0);
-			fe_sq(out t1, ref t0); for (int i = 1; i < 2; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out t1, ref z, ref t1);
-			fe_mul(out t0, ref t0, ref t1);
-			fe_sq(out t0, ref t0); for (int i = 1; i < 1; ++i) fe_sq(out t0, ref t0);
-			fe_mul(out t0, ref t1, ref t0);
-			fe_sq(out t1, ref t0); for (int i = 1; i < 5; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out t0, ref t1, ref t0);
-			fe_sq(out t1, ref t0); for (int i = 1; i < 10; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out t1, ref t1, ref t0);
-			fe_sq(out t2, ref t1); for (int i = 1; i < 20; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t1, ref t2, ref t1);
-			fe_sq(out t1, ref t1); for (int i = 1; i < 10; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out t0, ref t1, ref t0);
-			fe_sq(out t1, ref t0); for (int i = 1; i < 50; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out t1, ref t1, ref t0);
-			fe_sq(out t2, ref t1); for (int i = 1; i < 100; ++i) fe_sq(out t2, ref t2);
-			fe_mul(out t1, ref t2, ref t1);
-			fe_sq(out t1, ref t1); for (int i = 1; i < 50; ++i) fe_sq(out t1, ref t1);
-			fe_mul(out t0, ref t1, ref t0);
-			fe_sq(out t0, ref t0); for (int i = 1; i < 2; ++i) fe_sq(out t0, ref t0);
-			fe_mul(out outv, ref t0, ref z);
-		}
 		static unsafe Boolean ge_frombytes_negate_vartime(out ge_p3 h, Byte* s) {
 			fe u;
 			fe v;
 			fe v3;
 			fe vxx;
 			fe check;
-			fe_frombytes(out h.Y, s);
+			h = new ge_p3();
-			fe_1(out h.Z);
+			h.Y.frombytes(s);
+			h.Z.set_one();
 			fe_sq(out u, ref h.Y);
 			fe_mul(out v, ref u, ref d);
-			fe_sub(out u, ref u, ref h.Z); /* u = y^2-1 */
+			u.sub(ref h.Z); /* u = y^2-1 */
-			fe_add(out v, ref v, ref h.Z); /* v = dy^2+1 */
+			v.add(ref h.Z); /* v = dy^2+1 */
 			fe_sq(out v3, ref v);
-			fe_mul(out v3, ref v3, ref v); /* v3 = v^3 */
+			v3.mul(ref v); /* v3 = v^3 */
 			fe_sq(out h.X, ref v3);
-			fe_mul(out h.X, ref h.X, ref v);
+			h.X.mul(ref v);
-			fe_mul(out h.X, ref h.X, ref u); /* x = uv^7 */
+			h.X.mul(ref u); /* x = uv^7 */
-			fe_pow22523(out h.X, ref h.X); /* x = (uv^7)^((q-5)/8) */
+			h.X.pow22523(); /* x = (uv^7)^((q-5)/8) */
-			fe_mul(out h.X, ref h.X, ref v3);
+			h.X.mul(ref v3);
-			fe_mul(out h.X, ref h.X, ref u); /* x = uv^3(uv^7)^((q-5)/8) */
+			h.X.mul(ref u); /* x = uv^3(uv^7)^((q-5)/8) */
 			fe_sq(out vxx, ref h.X);
-			fe_mul(out vxx, ref vxx, ref v);
+			vxx.mul(ref v);
 			fe_sub(out check, ref vxx, ref u); /* vx^2-u */
-			if (fe_isnonzero(ref check) != 0) {
+			if (check.isnonzero() != 0) {
 				fe_add(out check, ref vxx, ref u); /* vx^2+u */
-				if (fe_isnonzero(ref check) != 0) return false;
+				if (check.isnonzero() != 0) return false;
-				fe_mul(out h.X, ref h.X, ref sqrtm1);
+				h.X.mul(ref sqrtm1);
 			}
-			if (fe_isnegative(ref h.X) == (s[31] >> 7))
+			if (h.X.isnegative() == (s[31] >> 7)) h.X.neg();
-				fe_neg(out h.X, ref h.X);
 			fe_mul(out h.T, ref h.X, ref h.Y);
 			return true;
-		}
-		struct ge_cached {
-			public fe YplusX;
-			public fe YminusX;
-			public fe Z;
-			public fe T2d;
 		}
 		static unsafe void slide(SByte* r, Byte* a) {
 			for (int i = 0; i < 256; ++i) r[i] = (SByte)(1 & (a[i >> 3] >> (i & 7)));
 			for (int i = 0; i < 256; ++i)
 								break;
 						}
 					}
 				}
 		}
-		static ge_precomp[] Bi = base_unpack(8, 0, new Int32[8 * 3 * 10] {
+		static ge_precomp[] Bi = base_unpack(8, new Int32[8 * 3 * 10] {
 #region Base number
 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605,
 -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378,
 -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546,
 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024,
 -3151181,-5046075,9282714,6866145,-31907062,-863023,-18940575,15033784,25105118,-7894876,
 -24326370,15950226,-31801215,-14592823,-11662737,-5090925,1573892,-2625887,2198790,-15804619,
 -3099351,10324967,-2241613,7453183,-5446979,-2735503,-13812022,-16236442,-32461234,-12290683,
 #endregion
 });
-		static fe d2 = fe_unpack(0, new Int32[10] { -21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199 });
+		static fe d2 = new fe(0, new Int32[10] { -21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199 });
 		static void ge_p3_to_cached(out ge_cached r, ref ge_p3 p) {
 			fe_add(out r.YplusX, ref p.Y, ref p.X);
 			fe_sub(out r.YminusX, ref p.Y, ref p.X);
-			fe_copy(out r.Z, ref p.Z);
+			r.Z = p.Z;
 			fe_mul(out r.T2d, ref p.T, ref d2);
 		}
 		static void ge_add(out ge_p1p1 r, ref ge_p3 p, ref ge_cached q) {
 			fe t0;
 			fe_add(out r.X, ref p.Y, ref p.X);
 			fe_sub(out r.X, ref r.Z, ref r.Y);
 			fe_add(out r.Y, ref r.Z, ref r.Y);
 			fe_add(out r.Z, ref t0, ref r.T);
 			fe_sub(out r.T, ref t0, ref r.T);
 		}
-		static void ge_p2_0(out ge_p2 h) {
-			fe_0(out h.X);
-			fe_1(out h.Y);
-			fe_1(out h.Z);
-		}
 		static void ge_sub(out ge_p1p1 r, ref ge_p3 p, ref ge_cached q) {
 			fe t0;
 			fe_add(out r.X, ref p.Y, ref p.X);
 			fe_sub(out r.Y, ref p.Y, ref p.X);
 			fe_mul(out r.Z, ref r.X, ref q.YminusX);
 			SByte* bslide = stackalloc SByte[256];
 			ge_cached* Ai = stackalloc ge_cached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
 			ge_p1p1 t;
 			ge_p3 u;
 			ge_p3 A2;
-			int i;
 			slide(aslide, a);
 			slide(bslide, b);
 			ge_p3_to_cached(out Ai[0], ref A);
 			ge_add(out t, ref A2, ref Ai[3]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[4], ref u);
 			ge_add(out t, ref A2, ref Ai[4]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[5], ref u);
 			ge_add(out t, ref A2, ref Ai[5]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[6], ref u);
 			ge_add(out t, ref A2, ref Ai[6]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[7], ref u);
-			ge_p2_0(out r);
+			r = new ge_p2(); r.set_zero();
-			for (i = 255; i >= 0; --i) {
+			int i;
-				if ((aslide[i] != 0) || (bslide[i] != 0)) break;
+			for (i = 255; i >= 0 && aslide[i] == 0 && bslide[i] == 0; i--);
-			}
+			for (; i >= 0; i--) {
-			for (; i >= 0; --i) {
 				ge_p2_dbl(out t, ref r);
 				if (aslide[i] > 0) {
 					ge_p1p1_to_p3(out u, ref t);
 					ge_add(out t, ref u, ref Ai[aslide[i] / 2]);
 				ge_p1p1_to_p2(out r, ref t);
 			}
 		}
 		static unsafe void ge_tobytes(Byte* s, ref ge_p2 h) {
-			fe recip;
+			fe recip = h.Z; recip.invert();
-			fe x;
+			fe x = h.X; x.mul(ref recip);
-			fe y;
+			fe y = h.Y; y.mul(ref recip);
-			fe_invert(out recip, ref h.Z);
+			y.tobytes(s);
-			fe_mul(out x, ref h.X, ref recip);
+			s[31] ^= (Byte)(x.isnegative() << 7);
-			fe_mul(out y, ref h.Y, ref recip);
+		}
-			fe_tobytes(s, ref y);
+		public static unsafe Boolean crypto_sign_open(Byte[] m, int moffset, out int mlen, Byte[] sm, int smoffset, int smlen, Byte[] pk) {
-			s[31] ^= (Byte)(fe_isnegative(ref x) << 7);
-		}
-		public static unsafe Boolean crypto_sign_open(Byte[] m, int moffset, out UInt64 mlen, Byte[] sm, int smoffset, UInt64 smlen, Byte[] pk) {
 			if (smoffset + (int)smlen > sm.Length) throw new ArgumentException("signed message buffer is too small");
 			if (moffset + (int)smlen > m.Length) throw new ArgumentException("message buffer is too small");
 			if (32 > pk.Length) throw new ArgumentException("key buffer is too small");
 			fixed (Byte* mp = m, smp = sm, pkp = pk) return crypto_sign_open(mp + moffset, out mlen, smp + smoffset, smlen, pkp);
 		}
-		public static unsafe Boolean crypto_sign_open(Byte* m, out UInt64 mlen, Byte* sm, UInt64 smlen, Byte* pk) {
+		public static unsafe Boolean crypto_sign_open(Byte* m, out int mlen, Byte* sm, int smlen, Byte* pk) {
-			Byte* h = stackalloc Byte[64];
+			mlen = 0;
-			Byte* checkr = stackalloc Byte[32];
+			if (!crypto_sign_verify(sm, sm + 64, (int)smlen - 64, pk)) return false;
-			ge_p3 A;
+			for (int i = 0; i < smlen - 64; ++i) m[i] = sm[64 + i];
-			ge_p2 R;
-			mlen = unchecked((UInt64)(-1));
-			if (smlen < 64) return false;
-			if ((sm[63] & 224) != 0) return false;
-			if (!ge_frombytes_negate_vartime(out A, pk)) return false;
-			for (UInt64 i = 0; i < smlen; ++i) m[i] = sm[i];
-			for (UInt64 i = 0; i < 32; ++i) m[32 + i] = pk[i];
-			crypto_hash.sha512.crypto_hash(h, m, smlen);
-			sc_reduce(h);
-			ge_double_scalarmult_vartime(out R, h, ref A, sm + 32);
-			ge_tobytes(checkr, ref R);
-			if (crypto_verify._32.crypto_verify(checkr, sm) != 0) {
-				for (UInt64 i = 0; i < smlen; ++i) m[i] = 0;
-				return false;
-			}
-			for (UInt64 i = 0; i < smlen - 64; ++i) m[i] = sm[64 + i];
-			for (UInt64 i = smlen - 64; i < smlen; ++i) m[i] = 0;
 			mlen = smlen - 64;
 			return true;
 		}
+		public static unsafe Boolean crypto_sign_verify(Byte* sig, Byte* m, int mlen, Byte* pk) {
+			if (mlen < 0) return false;
+			if ((sig[63] & 224) != 0) return false;
+			ge_p3 A;
+			if (!ge_frombytes_negate_vartime(out A, pk)) return false;
+			sha512.sha512state hashstate = new sha512.sha512state();
+			hashstate.init();
+			hashstate.process(sig, 32);
+			hashstate.process(pk, 32);
+			hashstate.process(m, mlen);
+			Byte* h = stackalloc Byte[64];
+			hashstate.finish(h);
+			sc_reduce(h);
+			ge_p2 R;
+			ge_double_scalarmult_vartime(out R, h, ref A, sig + 32);
+			ge_tobytes(h, ref R);
+			return crypto_verify._32.crypto_verify(h, sig) == 0;
+		}
 	}
 }

Mercurial > hg > ucis.core

comparison NaCl/crypto_sign/ed25519.cs @ 73:6aca18ee4ec6