Mercurial > hg > ucis.core
changeset 20:c873e3dd73fe
Added NaCl cryptography code
author | Ivo Smits <Ivo@UCIS.nl> |
---|---|
date | Mon, 15 Apr 2013 00:43:48 +0200 |
parents | b9ef273964fd |
children | dcfec2be27c9 |
files | NaCl/APIv2.cs NaCl/Native.cs NaCl/crypto_box/curve25519xsalsa20poly1305.cs NaCl/crypto_core/hsalsa20.cs NaCl/crypto_core/salsa20.cs NaCl/crypto_hash/sha512.cs NaCl/crypto_hashblocks/sha512.cs NaCl/crypto_onetimeauth/poly1305.cs NaCl/crypto_scalarmult/curve25519.cs NaCl/crypto_secretbox/xsalsa20poly1305.cs NaCl/crypto_sign/edwards25519sha512batch.cs NaCl/crypto_stream/salsa20.cs NaCl/crypto_stream/xsalsa20.cs NaCl/crypto_verify/16.cs NaCl/crypto_verify/32.cs NaCl/randombytes.cs UCIS.csproj |
diffstat | 17 files changed, 2355 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/APIv2.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,202 @@ +using System; +using curve25519xsalsa20poly1305impl = UCIS.NaCl.crypto_box.curve25519xsalsa20poly1305; +using edwards25519sha512batchimpl = UCIS.NaCl.crypto_sign.edwards25519sha512batch; +using xsalsa20poly1305impl = UCIS.NaCl.crypto_secretbox.xsalsa20poly1305; + +namespace UCIS.NaCl.v2 { + public class curve25519keypair { + private Byte[] publickey, secretkey; + + public curve25519keypair() { + curve25519xsalsa20poly1305impl.crypto_box_keypair(out publickey, out secretkey); + } + public curve25519keypair(Byte[] secretkey) { + this.publickey = curve25519xsalsa20poly1305impl.crypto_box_getpublickey(secretkey); + this.secretkey = secretkey; + } + public curve25519keypair(Byte[] secretkey, Byte[] publickey) { + if (publickey.Length != curve25519xsalsa20poly1305impl.PUBLICKEYBYTES) throw new ArgumentOutOfRangeException("publickey"); + if (secretkey.Length != curve25519xsalsa20poly1305impl.SECRETKEYBYTES) throw new ArgumentOutOfRangeException("secretkey"); + this.secretkey = secretkey; + this.publickey = publickey; + } + public Byte[] PublicKey { get { return publickey; } } + public Byte[] SecretKey { get { return secretkey; } } + } + public class curve25519xsalsa20poly1305 : xsalsa20poly1305 { + public curve25519xsalsa20poly1305(Byte[] publickey, curve25519keypair secretkey) + : this(publickey, secretkey.SecretKey) { + } + public curve25519xsalsa20poly1305(Byte[] publickey, Byte[] secretkey) + : base(curve25519xsalsa20poly1305impl.crypto_box_beforenm(publickey, secretkey)) { + } + } + public class xsalsa20poly1305 { + Byte[] sharedkey; + Byte[] nonce; + + public int SharedKeySize { get { return xsalsa20poly1305impl.KEYBYTES; } } + + public xsalsa20poly1305(Byte[] sharedkey) : this(sharedkey, null) { } + public xsalsa20poly1305(Byte[] sharedkey, Byte[] nonce) { + if (ReferenceEquals(sharedkey, null)) throw new ArgumentNullException("secretkey"); + if (sharedkey.Length != xsalsa20poly1305impl.KEYBYTES) throw new ArgumentOutOfRangeException("secretkey", "The key size does not match the expected key length"); + this.sharedkey = sharedkey; + this.nonce = new Byte[xsalsa20poly1305impl.NONCEBYTES]; + if (!ReferenceEquals(nonce, null)) this.Nonce = nonce; + } + + public Byte[] Nonce { + get { return this.nonce; } + set { + if (ReferenceEquals(value, null)) throw new ArgumentNullException("value"); + if (value.Length > xsalsa20poly1305impl.NONCEBYTES) throw new ArgumentOutOfRangeException("value", "Nonce is too big"); + value.CopyTo(nonce, 0); + Array.Clear(this.nonce, value.Length, this.nonce.Length - value.Length); + } + } + + public Byte[] SharedKey { + get { return sharedkey; } + } + + public unsafe Byte[] Encrypt(Byte[] data) { + return Encrypt(data, 0, data.Length); + } + public unsafe Byte[] Encrypt(Byte[] data, int offset, int count) { + if (ReferenceEquals(data, null)) throw new ArgumentNullException("data"); + if (offset < 0) throw new ArgumentOutOfRangeException("offset", "Offset can not be negative"); + if (data.Length < offset + count) throw new ArgumentOutOfRangeException("count", "The specified range is outside of the array"); + Byte[] ret = new Byte[GetEncryptedSize(count)]; + fixed (Byte* mp = data, cp = ret, np = nonce, kp = sharedkey) { + if (xsalsa20poly1305impl.crypto_secretbox_nopad(cp, mp + offset, (ulong)count, np, kp) != 0) throw new InvalidOperationException("Encryption failed"); + } + return ret; + } + public unsafe int EncryptTo(Byte[] data, int offset, int count, Byte[] outdata, int outoffset, int outcount) { + if (ReferenceEquals(data, null)) throw new ArgumentNullException("data"); + if (offset < 0) throw new ArgumentOutOfRangeException("offset", "Offset can not be negative"); + if (data.Length < offset + count) throw new ArgumentOutOfRangeException("count", "The specified range is outside of the array"); + if (ReferenceEquals(outdata, null)) throw new ArgumentNullException("outdata"); + if (outoffset < 0) throw new ArgumentOutOfRangeException("outoffset", "Offset can not be negative"); + if (outdata.Length < outoffset + outcount) throw new ArgumentOutOfRangeException("outcount", "The specified range is outside of the array"); + int retcount = GetEncryptedSize(count); + if (outcount < retcount) throw new ArgumentOutOfRangeException("outcount", "The output buffer is too small"); + fixed (Byte* mp = data, cp = outdata, np = nonce, kp = sharedkey) { + if (xsalsa20poly1305impl.crypto_secretbox_nopad(cp + outoffset, mp + offset, (ulong)count, np, kp) != 0) throw new InvalidOperationException("Encryption failed"); + } + return outcount; + } + /*public unsafe void EncryptInplace(Byte[] data, int offset, int count) { + if (ReferenceEquals(data, null)) throw new ArgumentNullException("data"); + if (offset < 0) throw new ArgumentOutOfRangeException("offset", "Offset can not be negative"); + if (data.Length < offset + count) throw new ArgumentOutOfRangeException("count", "The specified range is outside of the array"); + if (count < 16) throw new ArgumentOutOfRangeException("count", "count should be at least 16"); + fixed (Byte* mp = data, np = nonce, kp = sharedkey) { + if (xsalsa20poly1305impl.crypto_secretbox_inplace_nopad(mp + offset, (ulong)count, np, kp) != 0) throw new InvalidOperationException("Encryption failed"); + } + }*/ + public int GetEncryptedSize(int size) { + return size + 16; + } + + public unsafe Byte[] Decrypt(Byte[] data) { + return Decrypt(data, 0, data.Length); + } + public unsafe Byte[] Decrypt(Byte[] data, int offset, int count) { + if (ReferenceEquals(data, null)) throw new ArgumentNullException("data"); + if (offset < 0) throw new ArgumentOutOfRangeException("offset", "Offset can not be negative"); + if (data.Length < offset + count) throw new ArgumentOutOfRangeException("count", "The specified range is outside of the array"); + if (count < 16) return null; + Byte[] ret = new Byte[GetDecryptedSize(count)]; + fixed (Byte* cp = data, mp = ret, np = nonce, kp = sharedkey) { + if (xsalsa20poly1305impl.crypto_secretbox_open_nopad(mp, cp + offset, (ulong)count, np, kp) != 0) return null; + } + return ret; + } + public unsafe int? DecryptTo(Byte[] data, int offset, int count, Byte[] outdata, int outoffset, int outcount) { + if (ReferenceEquals(data, null)) throw new ArgumentNullException("data"); + if (offset < 0) throw new ArgumentOutOfRangeException("offset", "Offset can not be negative"); + if (data.Length < offset + count) throw new ArgumentOutOfRangeException("count", "The specified range is outside of the array"); + if (count < 16) return null; + if (ReferenceEquals(outdata, null)) throw new ArgumentNullException("outdata"); + if (outoffset < 0) throw new ArgumentOutOfRangeException("outoffset", "Offset can not be negative"); + if (outdata.Length < outoffset + outcount) throw new ArgumentOutOfRangeException("outcount", "The specified range is outside of the array"); + int retcount = GetDecryptedSize(count); + if (outcount < retcount) throw new ArgumentOutOfRangeException("outcount", "The output buffer is too small"); + fixed (Byte* cp = data, mp = outdata, np = nonce, kp = sharedkey) { + if (xsalsa20poly1305impl.crypto_secretbox_open_nopad(mp + outoffset, cp + offset, (ulong)count, np, kp) != 0) return null; + } + return retcount; + } + public unsafe ArraySegment<Byte>? DecryptInplace(Byte[] data, int offset, int count) { + if (ReferenceEquals(data, null)) throw new ArgumentNullException("data"); + if (offset < 0) throw new ArgumentOutOfRangeException("offset", "Offset can not be negative"); + if (data.Length < offset + count) throw new ArgumentOutOfRangeException("count", "The specified range is outside of the array"); + if (count < 16) return null; + fixed (Byte* cp = data, np = nonce, kp = sharedkey) { + if (xsalsa20poly1305impl.crypto_secretbox_open_inplace_nopad(cp + offset, (ulong)count, np, kp) != 0) return null; + } + return new ArraySegment<byte>(data, offset + 16, count - 16); + } + public int GetDecryptedSize(int size) { + if (size < 16) return -1; + return size - 16; + } + + public Boolean Verify(Byte[] data) { + return Verify(data, 0, data.Length); + } + public unsafe Boolean Verify(Byte[] data, int offset, int count) { + if (ReferenceEquals(data, null)) throw new ArgumentNullException("data"); + if (offset < 0) throw new ArgumentOutOfRangeException("offset", "Offset can not be negative"); + if (data.Length < offset + count) throw new ArgumentOutOfRangeException("count", "The specified range is outside of the array"); + if (count < 16) return false; + Byte[] ret = new Byte[GetDecryptedSize(count)]; + fixed (Byte* cp = data, np = nonce, kp = sharedkey) { + return xsalsa20poly1305impl.crypto_secretbox_verify(cp + offset, (ulong)count, np, kp); + } + } + + public Byte[] GenerateRandomNonce() { + randombytes.generate(nonce); + return nonce; + } + public void IncrementNonceLE() { + for (int i = 0; i < nonce.Length && ++nonce[i] == 0; i++) ; + } + public void IncrementNonceBE() { + for (int i = nonce.Length - 1; i >= 0 && ++nonce[i] == 0; i--) ; + } + + public xsalsa20poly1305 Clone() { + return new xsalsa20poly1305(sharedkey, nonce); + } + } + public class edwards25519sha512batch { + public Byte[] Sign(Byte[] message, Byte[] secretkey) { + return edwards25519sha512batchimpl.crypto_sign(message, secretkey); + } + public int GetSignedSize(int size) { + return size + 64; + } + public Byte[] Open(Byte[] signed, Byte[] publickey) { + return edwards25519sha512batchimpl.crypto_sign_open(signed, publickey); + } + public unsafe Boolean Verify(Byte[] signed, Byte[] publickey) { + if (publickey.Length != edwards25519sha512batchimpl.PUBLICKEYBYTES) throw new ArgumentException("publickey.Length != PUBLICKEYBYTES"); + UInt64 mlen; + fixed (Byte* smp = signed, pkp = publickey) return edwards25519sha512batchimpl.crypto_sign_open(null, out mlen, smp, (ulong)signed.Length, pkp) == 0; + } + public Byte[] Extract(Byte[] signed) { + if (signed.Length < 64) return null; + Byte[] ret = new Byte[signed.Length - 64]; + Buffer.BlockCopy(signed, 32, ret, 0, ret.Length); + return ret; + } + public int GetExtractedSize(int size) { + if (size < 64) return -1; + return size - 64; + } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/Native.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,23 @@ +using System; +using System.Runtime.InteropServices; + +namespace UCIS.NaCl { + public static class Native { + [DllImport("nacl")] public static unsafe extern int crypto_onetimeauth_poly1305(Byte* outv, Byte* inv, UInt64 inlen, Byte* k); + [DllImport("nacl")] public static unsafe extern int crypto_core_salsa20(Byte* outv, Byte* inv, Byte* k, Byte* c); + [DllImport("nacl")] public static unsafe extern int crypto_core_hsalsa20(Byte* outv, Byte* inv, Byte* k, Byte* c); + [DllImport("nacl")] public static unsafe extern int crypto_box_curve25519xsalsa20poly1305_afternm(Byte* c, Byte* m, UInt64 mlen, Byte* n, Byte* k); + [DllImport("nacl")] public static unsafe extern int crypto_box_curve25519xsalsa20poly1305_afternm(Byte[] c, Byte[] m, UInt64 mlen, Byte[] n, Byte[] k); + [DllImport("nacl")] public static unsafe extern int crypto_box_curve25519xsalsa20poly1305_open_afternm(Byte* m, Byte* c, UInt64 clen, Byte* n, Byte* k); + [DllImport("nacl")] public static unsafe extern int crypto_box_curve25519xsalsa20poly1305_open_afternm(Byte[] m, Byte[] c, UInt64 clen, Byte[] n, Byte[] k); + + public static Boolean EnableNativeImplementation() { + //Todo: check if the library exists at all before probing for functions + return + UCIS.NaCl.crypto_onetimeauth.poly1305.EnableNativeImplementation() | + UCIS.NaCl.crypto_core.salsa20.EnableNativeImplementation() | + UCIS.NaCl.crypto_core.hsalsa20.EnableNativeImplementation() | + false; + } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_box/curve25519xsalsa20poly1305.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,106 @@ +using System; +using UCIS.NaCl; +using System.Runtime.InteropServices; + +namespace UCIS.NaCl.crypto_box { + public static class curve25519xsalsa20poly1305 { + /* constants */ + public const int PUBLICKEYBYTES = 32; + public const int SECRETKEYBYTES = 32; + public const int BEFORENMBYTES = 32; + public const int NONCEBYTES = 24; + public const int ZEROBYTES = 32; + public const int BOXZEROBYTES = 16; + + //Never written to + static Byte[] sigma = new Byte[16] {(Byte)'e', (Byte)'x', (Byte)'p', (Byte)'a', //[16] = "expand 32-byte k"; + (Byte)'n', (Byte)'d', (Byte)' ', (Byte)'3', + (Byte)'2', (Byte)'-', (Byte)'b', (Byte)'y', + (Byte)'t', (Byte)'e', (Byte)' ', (Byte)'k', }; + + /* static pointer based methods */ + static unsafe public void crypto_box_getpublickey(Byte* pk, Byte* sk) { + crypto_scalarmult.curve25519.crypto_scalarmult_base(pk, sk); + } + static unsafe public int crypto_box_afternm(Byte* c, Byte* m, UInt64 mlen, Byte* n, Byte* k) { + return crypto_secretbox.xsalsa20poly1305.crypto_secretbox(c, m, mlen, n, k); + } + static unsafe public int crypto_box_open_afternm(Byte* m, Byte* c, UInt64 clen, Byte* n, Byte* k) { + return crypto_secretbox.xsalsa20poly1305.crypto_secretbox_open(m, c, clen, n, k); + } + static unsafe public void crypto_box_beforenm(Byte* k, Byte* pk, Byte* sk) { + Byte[] s = new Byte[32]; + fixed (Byte* sp = s, sigmap = sigma) { //, np = n + crypto_scalarmult.curve25519.crypto_scalarmult(sp, sk, pk); + crypto_core.hsalsa20.crypto_core(k, null, sp, sigmap); //k, np, sp, sigmap + } + } + static unsafe public int crypto_box(Byte* c, Byte* m, UInt64 mlen, Byte* n, Byte* pk, Byte* sk) { + Byte[] k = new Byte[BEFORENMBYTES]; + fixed (Byte* kp = k) { + crypto_box_beforenm(kp, pk, sk); + return crypto_box_afternm(c, m, mlen, n, kp); + } + } + static unsafe public int crypto_box_open(Byte* m, Byte* c, UInt64 clen, Byte* n, Byte* pk, Byte* sk) { + Byte[] k = new Byte[BEFORENMBYTES]; + fixed (Byte* kp = k) { + crypto_box_beforenm(kp, pk, sk); + return crypto_box_open_afternm(m, c, clen, n, kp); + } + } + + /* static array based methods */ + static unsafe public void crypto_box_keypair(out Byte[] pk, out Byte[] sk) { + sk = new Byte[32]; + pk = new Byte[32]; + randombytes.generate(sk); //randombytes(sk, 32); + fixed (Byte* skp = sk, pkp = pk) crypto_scalarmult.curve25519.crypto_scalarmult_base(pkp, skp); + } + static unsafe public Byte[] crypto_box_getpublickey(Byte[] sk) { + Byte[] pk; + crypto_box_getpublickey(out pk, sk); + return pk; + } + static unsafe public void crypto_box_getpublickey(out Byte[] pk, Byte[] sk) { + if (sk.Length != SECRETKEYBYTES) throw new ArgumentOutOfRangeException("sk"); + pk = new Byte[32]; + fixed (Byte* skp = sk, pkp = pk) crypto_box_getpublickey(pkp, skp); + } + static unsafe public void crypto_box_beforenm(Byte[] k, Byte[] pk, Byte[] sk) { + fixed (Byte* kp = k, pkp = pk, skp = sk) crypto_box_beforenm(kp, pkp, skp); + } + static unsafe public Byte[] crypto_box_beforenm(Byte[] pk, Byte[] sk) { + if (pk.Length != PUBLICKEYBYTES) throw new ArgumentOutOfRangeException("pk"); + if (sk.Length != SECRETKEYBYTES) throw new ArgumentOutOfRangeException("sk"); + Byte[] k = new Byte[BEFORENMBYTES]; + fixed (Byte* kp = k, pkp = pk, skp = sk) crypto_box_beforenm(kp, pkp, skp); + return k; + } + static unsafe public int crypto_box_afternm(Byte[] c, Byte[] m, Byte[] n, Byte[] k) { + fixed (Byte* cp = c, mp = m, np = n, kp = k) return crypto_box_afternm(cp, mp, (ulong)m.Length, np, kp); + } + static unsafe public int crypto_box_open_afternm(Byte[] m, Byte[] c, Byte[] n, Byte[] k) { + fixed (Byte* cp = c, mp = m, np = n, kp = k) return crypto_box_open_afternm(mp, cp, (ulong)c.Length, np, kp); + } + static unsafe public int crypto_box(Byte[] c, Byte[] m, Byte[] n, Byte[] pk, Byte[] sk) { + fixed (Byte* cp = c, mp = m, np = n, pkp = pk, skp = sk) return crypto_box(cp, mp, (ulong)m.Length, np, pkp, skp); + } + static unsafe public int crypto_box_open(Byte[] m, Byte[] c, Byte[] n, Byte[] pk, Byte[] sk) { + fixed (Byte* cp = c, mp = m, np = n, pkp = pk, skp = sk) return crypto_box_open(mp, cp, (ulong)c.Length, np, pkp, skp); + } + + static unsafe public int crypto_box_afternm(Byte[] c, int coffset, Byte[] m, int moffset, int mlen, Byte[] n, Byte[] k) { + fixed (Byte* cp = c, mp = m, np = n, kp = k) return crypto_box_afternm(cp + coffset, mp + moffset, (ulong)mlen, np, kp); + } + static unsafe public int crypto_box_open_afternm(Byte[] m, int moffset, Byte[] c, int coffset, int clen, Byte[] n, Byte[] k) { + fixed (Byte* cp = c, mp = m, np = n, kp = k) return crypto_box_open_afternm(mp + moffset, cp + coffset, (ulong)clen, np, kp); + } + static unsafe public int crypto_box(Byte[] c, int coffset, Byte[] m, int moffset, int mlen, Byte[] n, Byte[] pk, Byte[] sk) { + fixed (Byte* cp = c, mp = m, np = n, pkp = pk, skp = sk) return crypto_box(cp + coffset, mp + moffset, (ulong)mlen, np, pkp, skp); + } + static unsafe public int crypto_box_open(Byte[] m, int moffset, Byte[] c, int coffset, int clen, Byte[] n, Byte[] pk, Byte[] sk) { + fixed (Byte* cp = c, mp = m, np = n, pkp = pk, skp = sk) return crypto_box_open(mp + moffset, cp + coffset, (ulong)clen, np, pkp, skp); + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_core/hsalsa20.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,114 @@ +using System; + +namespace UCIS.NaCl.crypto_core { + unsafe static class hsalsa20 { + static Boolean UseNativeFunctions = false; + static unsafe internal Boolean EnableNativeImplementation() { + UseNativeFunctions = false; + Byte* dummy = stackalloc Byte[32]; + try { + if (Native.crypto_core_hsalsa20(dummy, dummy, dummy, dummy) != 0) return false; + } catch (Exception) { + return false; + } + return UseNativeFunctions = true; + } + + const int ROUNDS = 20; + + static UInt32 rotate(UInt32 u, int c) { + return (u << c) | (u >> (32 - c)); + } + + static UInt32 load_littleendian(Byte* x) { + return (UInt32)(x[0] | (x[1] << 8) | (x[2] << 16) | (x[3] << 24)); + } + + static void store_littleendian(Byte* x, UInt32 u) { + x[0] = (Byte)u; u >>= 8; + x[1] = (Byte)u; u >>= 8; + x[2] = (Byte)u; u >>= 8; + x[3] = (Byte)u; + } + + public static void crypto_core(Byte* outv, Byte* inv, Byte* k, Byte[] c) { + fixed (byte* cp = c) crypto_core(outv, inv, k, cp); + } + public static void crypto_core(Byte* outv, Byte* inv, Byte* k, Byte* c) { + if (UseNativeFunctions) { + UInt64* invp = stackalloc UInt64[2]; + invp[0] = invp[1] = 0; + if (inv == null) inv = (Byte*)invp; + Native.crypto_core_hsalsa20(outv, inv, k, c); + return; + } + + UInt32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + + x0 = load_littleendian(c + 0); + x1 = load_littleendian(k + 0); + x2 = load_littleendian(k + 4); + x3 = load_littleendian(k + 8); + x4 = load_littleendian(k + 12); + x5 = load_littleendian(c + 4); + if (inv != null) { + x6 = load_littleendian(inv + 0); + x7 = load_littleendian(inv + 4); + x8 = load_littleendian(inv + 8); + x9 = load_littleendian(inv + 12); + } else { + x6 = x7 = x8 = x9 = 0; + } + x10 = load_littleendian(c + 8); + x11 = load_littleendian(k + 16); + x12 = load_littleendian(k + 20); + x13 = load_littleendian(k + 24); + x14 = load_littleendian(k + 28); + x15 = load_littleendian(c + 12); + + for (int i = ROUNDS; i > 0; i -= 2) { + x4 ^= rotate(x0 + x12, 7); + x8 ^= rotate(x4 + x0, 9); + x12 ^= rotate(x8 + x4, 13); + x0 ^= rotate(x12 + x8, 18); + x9 ^= rotate(x5 + x1, 7); + x13 ^= rotate(x9 + x5, 9); + x1 ^= rotate(x13 + x9, 13); + x5 ^= rotate(x1 + x13, 18); + x14 ^= rotate(x10 + x6, 7); + x2 ^= rotate(x14 + x10, 9); + x6 ^= rotate(x2 + x14, 13); + x10 ^= rotate(x6 + x2, 18); + x3 ^= rotate(x15 + x11, 7); + x7 ^= rotate(x3 + x15, 9); + x11 ^= rotate(x7 + x3, 13); + x15 ^= rotate(x11 + x7, 18); + x1 ^= rotate(x0 + x3, 7); + x2 ^= rotate(x1 + x0, 9); + x3 ^= rotate(x2 + x1, 13); + x0 ^= rotate(x3 + x2, 18); + x6 ^= rotate(x5 + x4, 7); + x7 ^= rotate(x6 + x5, 9); + x4 ^= rotate(x7 + x6, 13); + x5 ^= rotate(x4 + x7, 18); + x11 ^= rotate(x10 + x9, 7); + x8 ^= rotate(x11 + x10, 9); + x9 ^= rotate(x8 + x11, 13); + x10 ^= rotate(x9 + x8, 18); + x12 ^= rotate(x15 + x14, 7); + x13 ^= rotate(x12 + x15, 9); + x14 ^= rotate(x13 + x12, 13); + x15 ^= rotate(x14 + x13, 18); + } + + store_littleendian(outv + 0, x0); + store_littleendian(outv + 4, x5); + store_littleendian(outv + 8, x10); + store_littleendian(outv + 12, x15); + store_littleendian(outv + 16, x6); + store_littleendian(outv + 20, x7); + store_littleendian(outv + 24, x8); + store_littleendian(outv + 28, x9); + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_core/salsa20.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,136 @@ +using System; + +namespace UCIS.NaCl.crypto_core { + static unsafe class salsa20 { + static Boolean UseNativeFunctions = false; + static unsafe internal Boolean EnableNativeImplementation() { + UseNativeFunctions = false; + Byte* dummy = stackalloc Byte[64]; + try { + if (Native.crypto_core_salsa20(dummy, dummy, dummy, dummy) != 0) return false; + } catch (Exception) { + return false; + } + return UseNativeFunctions = true; + } + + public const int OUTPUTBYTES = 64; + public const int INPUTBYTES = 16; + public const int KEYBYTES = 32; + public const int CONSTBYTES = 16; + + public const int ROUNDS = 20; + + static UInt32 load_littleendian(Byte* x) { + return (UInt32)(x[0] | (x[1] << 8) | (x[2] << 16) | (x[3] << 24)); + } + + static void store_littleendian(Byte* x, UInt32 u) { + x[0] = (Byte)u; u >>= 8; + x[1] = (Byte)u; u >>= 8; + x[2] = (Byte)u; u >>= 8; + x[3] = (Byte)u; + } + + public static void crypto_core(Byte* outv, Byte* inv, Byte* k, Byte[] c) { + fixed (Byte* cp = c) crypto_core(outv, inv, k, cp); + } + + public static void crypto_core(Byte* outv, Byte* inv, Byte* k, Byte* c) { + if (UseNativeFunctions) { + Native.crypto_core_salsa20(outv, inv, k, c); + return; + } + + UInt32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + UInt32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + + j0 = x0 = load_littleendian(c + 0); + j1 = x1 = load_littleendian(k + 0); + j2 = x2 = load_littleendian(k + 4); + j3 = x3 = load_littleendian(k + 8); + j4 = x4 = load_littleendian(k + 12); + j5 = x5 = load_littleendian(c + 4); + j6 = x6 = load_littleendian(inv + 0); + j7 = x7 = load_littleendian(inv + 4); + j8 = x8 = load_littleendian(inv + 8); + j9 = x9 = load_littleendian(inv + 12); + j10 = x10 = load_littleendian(c + 8); + j11 = x11 = load_littleendian(k + 16); + j12 = x12 = load_littleendian(k + 20); + j13 = x13 = load_littleendian(k + 24); + j14 = x14 = load_littleendian(k + 28); + j15 = x15 = load_littleendian(c + 12); + + for (int i = ROUNDS; i > 0; i -= 2) { + UInt32 tsum; + tsum = x0 + x12; x4 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x4 + x0; x8 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x8 + x4; x12 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x12 + x8; x0 ^= (tsum << 18) | (tsum >> (32 - 18)); + tsum = x5 + x1; x9 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x9 + x5; x13 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x13 + x9; x1 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x1 + x13; x5 ^= (tsum << 18) | (tsum >> (32 - 18)); + tsum = x10 + x6; x14 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x14 + x10; x2 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x2 + x14; x6 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x6 + x2; x10 ^= (tsum << 18) | (tsum >> (32 - 18)); + tsum = x15 + x11; x3 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x3 + x15; x7 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x7 + x3; x11 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x11 + x7; x15 ^= (tsum << 18) | (tsum >> (32 - 18)); + tsum = x0 + x3; x1 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x1 + x0; x2 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x2 + x1; x3 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x3 + x2; x0 ^= (tsum << 18) | (tsum >> (32 - 18)); + tsum = x5 + x4; x6 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x6 + x5; x7 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x7 + x6; x4 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x4 + x7; x5 ^= (tsum << 18) | (tsum >> (32 - 18)); + tsum = x10 + x9; x11 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x11 + x10; x8 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x8 + x11; x9 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x9 + x8; x10 ^= (tsum << 18) | (tsum >> (32 - 18)); + tsum = x15 + x14; x12 ^= (tsum << 7) | (tsum >> (32 - 7)); + tsum = x12 + x15; x13 ^= (tsum << 9) | (tsum >> (32 - 9)); + tsum = x13 + x12; x14 ^= (tsum << 13) | (tsum >> (32 - 13)); + tsum = x14 + x13; x15 ^= (tsum << 18) | (tsum >> (32 - 18)); + } + + x0 += j0; + x1 += j1; + x2 += j2; + x3 += j3; + x4 += j4; + x5 += j5; + x6 += j6; + x7 += j7; + x8 += j8; + x9 += j9; + x10 += j10; + x11 += j11; + x12 += j12; + x13 += j13; + x14 += j14; + x15 += j15; + + store_littleendian(outv + 0, x0); + store_littleendian(outv + 4, x1); + store_littleendian(outv + 8, x2); + store_littleendian(outv + 12, x3); + store_littleendian(outv + 16, x4); + store_littleendian(outv + 20, x5); + store_littleendian(outv + 24, x6); + store_littleendian(outv + 28, x7); + store_littleendian(outv + 32, x8); + store_littleendian(outv + 36, x9); + store_littleendian(outv + 40, x10); + store_littleendian(outv + 44, x11); + store_littleendian(outv + 48, x12); + store_littleendian(outv + 52, x13); + store_littleendian(outv + 56, x14); + store_littleendian(outv + 60, x15); + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_hash/sha512.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,73 @@ +using System; + +namespace UCIS.NaCl.crypto_hash { + public static class sha512 { + public static int BYTES = 64; + +/* static Byte[] iv = new Byte[64] { + 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, + 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, + 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, + 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, + 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, + 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, + 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, + 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 +};*/ + + public static unsafe void crypto_hash(Byte* outp, Byte* inp, UInt64 inlen) { +// Byte[] h = new Byte[64]; + Byte[] padded = new Byte[256]; + UInt64 i; + UInt64 bytes = inlen; + Byte[] h = new Byte[64] { + 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, + 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, + 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, + 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, + 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, + 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, + 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, + 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 + }; + +// for (i = 0; i < 64; ++i) h[i] = iv[i]; + + fixed (Byte* hp = h) crypto_hashblocks.sha512.crypto_hashblocks(hp, inp, inlen); + inp += inlen; + inlen &= 127; + inp -= inlen; + + for (i = 0; i < inlen; ++i) padded[i] = inp[i]; + padded[inlen] = 0x80; + + if (inlen < 112) { + for (i = inlen + 1; i < 119; ++i) padded[i] = 0; + padded[119] = (Byte)(bytes >> 61); + padded[120] = (Byte)(bytes >> 53); + padded[121] = (Byte)(bytes >> 45); + padded[122] = (Byte)(bytes >> 37); + padded[123] = (Byte)(bytes >> 29); + padded[124] = (Byte)(bytes >> 21); + padded[125] = (Byte)(bytes >> 13); + padded[126] = (Byte)(bytes >> 5); + padded[127] = (Byte)(bytes << 3); + fixed (Byte* hp = h, paddedp = padded) crypto_hashblocks.sha512.crypto_hashblocks(hp, paddedp, 128); + } else { + for (i = inlen + 1; i < 247; ++i) padded[i] = 0; + padded[247] = (Byte)(bytes >> 61); + padded[248] = (Byte)(bytes >> 53); + padded[249] = (Byte)(bytes >> 45); + padded[250] = (Byte)(bytes >> 37); + padded[251] = (Byte)(bytes >> 29); + padded[252] = (Byte)(bytes >> 21); + padded[253] = (Byte)(bytes >> 13); + padded[254] = (Byte)(bytes >> 5); + padded[255] = (Byte)(bytes << 3); + fixed (Byte* hp = h, paddedp = padded) crypto_hashblocks.sha512.crypto_hashblocks(hp, paddedp, 256); + } + + for (i = 0; i < 64; ++i) outp[i] = h[i]; + } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_hashblocks/sha512.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,197 @@ +using System; + +namespace UCIS.NaCl.crypto_hashblocks { + public static class sha512 { + public const int STATEBYTES = 64; + public const int BLOCKBYTES = 128; + + unsafe static UInt64 load_bigendian(Byte* x) { + return + (UInt64)(x[7]) | (((UInt64)(x[6])) << 8) | (((UInt64)(x[5])) << 16) | (((UInt64)(x[4])) << 24) | (((UInt64)(x[3])) << 32) + | (((UInt64)(x[2])) << 40) | (((UInt64)(x[1])) << 48) | (((UInt64)(x[0])) << 56); + } + + unsafe static void store_bigendian(Byte* x, UInt64 u) { + x[7] = (Byte)u; u >>= 8; + x[6] = (Byte)u; u >>= 8; + x[5] = (Byte)u; u >>= 8; + x[4] = (Byte)u; u >>= 8; + x[3] = (Byte)u; u >>= 8; + x[2] = (Byte)u; u >>= 8; + x[1] = (Byte)u; u >>= 8; + x[0] = (Byte)u; + } + + private static int dummyvar = 0; + private static void dummymethod() { dummyvar++; } + + public unsafe static void crypto_hashblocks(Byte* statebytes, Byte* inp, UInt64 inlen) { + UInt64[] state = new UInt64[8]; + UInt64 a; + UInt64 b; + UInt64 c; + UInt64 d; + UInt64 e; + UInt64 f; + UInt64 g; + UInt64 h; + UInt64 T1; + UInt64 T2; + + a = load_bigendian(statebytes + 0); state[0] = a; + b = load_bigendian(statebytes + 8); state[1] = b; + c = load_bigendian(statebytes + 16); state[2] = c; + d = load_bigendian(statebytes + 24); state[3] = d; + e = load_bigendian(statebytes + 32); state[4] = e; + f = load_bigendian(statebytes + 40); state[5] = f; + g = load_bigendian(statebytes + 48); state[6] = g; + h = load_bigendian(statebytes + 56); state[7] = h; + + while (inlen >= 128) { + UInt64 w0 = load_bigendian(inp + 0); + UInt64 w1 = load_bigendian(inp + 8); + UInt64 w2 = load_bigendian(inp + 16); + UInt64 w3 = load_bigendian(inp + 24); + UInt64 w4 = load_bigendian(inp + 32); + UInt64 w5 = load_bigendian(inp + 40); + UInt64 w6 = load_bigendian(inp + 48); + UInt64 w7 = load_bigendian(inp + 56); + UInt64 w8 = load_bigendian(inp + 64); + UInt64 w9 = load_bigendian(inp + 72); + UInt64 w10 = load_bigendian(inp + 80); + UInt64 w11 = load_bigendian(inp + 88); + UInt64 w12 = load_bigendian(inp + 96); + UInt64 w13 = load_bigendian(inp + 104); + UInt64 w14 = load_bigendian(inp + 112); + UInt64 w15 = load_bigendian(inp + 120); + + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x428a2f98d728ae22 + w0; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x7137449123ef65cd + w1; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xb5c0fbcfec4d3b2f + w2; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xe9b5dba58189dbbc + w3; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x3956c25bf348b538 + w4; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x59f111f1b605d019 + w5; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x923f82a4af194f9b + w6; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xab1c5ed5da6d8118 + w7; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xd807aa98a3030242 + w8; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x12835b0145706fbe + w9; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x243185be4ee4b28c + w10; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x550c7dc3d5ffb4e2 + w11; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x72be5d74f27b896f + w12; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x80deb1fe3b1696b1 + w13; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x9bdc06a725c71235 + w14; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xc19bf174cf692694 + w15; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + + dummymethod(); //Workaround for Mono on OS X, breaks up the spans where registers are used + w0 = ((((w14) >> (19)) | ((w14) << (64 - (19)))) ^ (((w14) >> (61)) | ((w14) << (64 - (61)))) ^ ((w14) >> (6))) + w9 + ((((w1) >> (1)) | ((w1) << (64 - (1)))) ^ (((w1) >> (8)) | ((w1) << (64 - (8)))) ^ ((w1) >> (7))) + w0; w1 = ((((w15) >> (19)) | ((w15) << (64 - (19)))) ^ (((w15) >> (61)) | ((w15) << (64 - (61)))) ^ ((w15) >> (6))) + w10 + ((((w2) >> (1)) | ((w2) << (64 - (1)))) ^ (((w2) >> (8)) | ((w2) << (64 - (8)))) ^ ((w2) >> (7))) + w1; w2 = ((((w0) >> (19)) | ((w0) << (64 - (19)))) ^ (((w0) >> (61)) | ((w0) << (64 - (61)))) ^ ((w0) >> (6))) + w11 + ((((w3) >> (1)) | ((w3) << (64 - (1)))) ^ (((w3) >> (8)) | ((w3) << (64 - (8)))) ^ ((w3) >> (7))) + w2; w3 = ((((w1) >> (19)) | ((w1) << (64 - (19)))) ^ (((w1) >> (61)) | ((w1) << (64 - (61)))) ^ ((w1) >> (6))) + w12 + ((((w4) >> (1)) | ((w4) << (64 - (1)))) ^ (((w4) >> (8)) | ((w4) << (64 - (8)))) ^ ((w4) >> (7))) + w3; w4 = ((((w2) >> (19)) | ((w2) << (64 - (19)))) ^ (((w2) >> (61)) | ((w2) << (64 - (61)))) ^ ((w2) >> (6))) + w13 + ((((w5) >> (1)) | ((w5) << (64 - (1)))) ^ (((w5) >> (8)) | ((w5) << (64 - (8)))) ^ ((w5) >> (7))) + w4; w5 = ((((w3) >> (19)) | ((w3) << (64 - (19)))) ^ (((w3) >> (61)) | ((w3) << (64 - (61)))) ^ ((w3) >> (6))) + w14 + ((((w6) >> (1)) | ((w6) << (64 - (1)))) ^ (((w6) >> (8)) | ((w6) << (64 - (8)))) ^ ((w6) >> (7))) + w5; w6 = ((((w4) >> (19)) | ((w4) << (64 - (19)))) ^ (((w4) >> (61)) | ((w4) << (64 - (61)))) ^ ((w4) >> (6))) + w15 + ((((w7) >> (1)) | ((w7) << (64 - (1)))) ^ (((w7) >> (8)) | ((w7) << (64 - (8)))) ^ ((w7) >> (7))) + w6; w7 = ((((w5) >> (19)) | ((w5) << (64 - (19)))) ^ (((w5) >> (61)) | ((w5) << (64 - (61)))) ^ ((w5) >> (6))) + w0 + ((((w8) >> (1)) | ((w8) << (64 - (1)))) ^ (((w8) >> (8)) | ((w8) << (64 - (8)))) ^ ((w8) >> (7))) + w7; w8 = ((((w6) >> (19)) | ((w6) << (64 - (19)))) ^ (((w6) >> (61)) | ((w6) << (64 - (61)))) ^ ((w6) >> (6))) + w1 + ((((w9) >> (1)) | ((w9) << (64 - (1)))) ^ (((w9) >> (8)) | ((w9) << (64 - (8)))) ^ ((w9) >> (7))) + w8; w9 = ((((w7) >> (19)) | ((w7) << (64 - (19)))) ^ (((w7) >> (61)) | ((w7) << (64 - (61)))) ^ ((w7) >> (6))) + w2 + ((((w10) >> (1)) | ((w10) << (64 - (1)))) ^ (((w10) >> (8)) | ((w10) << (64 - (8)))) ^ ((w10) >> (7))) + w9; w10 = ((((w8) >> (19)) | ((w8) << (64 - (19)))) ^ (((w8) >> (61)) | ((w8) << (64 - (61)))) ^ ((w8) >> (6))) + w3 + ((((w11) >> (1)) | ((w11) << (64 - (1)))) ^ (((w11) >> (8)) | ((w11) << (64 - (8)))) ^ ((w11) >> (7))) + w10; w11 = ((((w9) >> (19)) | ((w9) << (64 - (19)))) ^ (((w9) >> (61)) | ((w9) << (64 - (61)))) ^ ((w9) >> (6))) + w4 + ((((w12) >> (1)) | ((w12) << (64 - (1)))) ^ (((w12) >> (8)) | ((w12) << (64 - (8)))) ^ ((w12) >> (7))) + w11; w12 = ((((w10) >> (19)) | ((w10) << (64 - (19)))) ^ (((w10) >> (61)) | ((w10) << (64 - (61)))) ^ ((w10) >> (6))) + w5 + ((((w13) >> (1)) | ((w13) << (64 - (1)))) ^ (((w13) >> (8)) | ((w13) << (64 - (8)))) ^ ((w13) >> (7))) + w12; w13 = ((((w11) >> (19)) | ((w11) << (64 - (19)))) ^ (((w11) >> (61)) | ((w11) << (64 - (61)))) ^ ((w11) >> (6))) + w6 + ((((w14) >> (1)) | ((w14) << (64 - (1)))) ^ (((w14) >> (8)) | ((w14) << (64 - (8)))) ^ ((w14) >> (7))) + w13; w14 = ((((w12) >> (19)) | ((w12) << (64 - (19)))) ^ (((w12) >> (61)) | ((w12) << (64 - (61)))) ^ ((w12) >> (6))) + w7 + ((((w15) >> (1)) | ((w15) << (64 - (1)))) ^ (((w15) >> (8)) | ((w15) << (64 - (8)))) ^ ((w15) >> (7))) + w14; w15 = ((((w13) >> (19)) | ((w13) << (64 - (19)))) ^ (((w13) >> (61)) | ((w13) << (64 - (61)))) ^ ((w13) >> (6))) + w8 + ((((w0) >> (1)) | ((w0) << (64 - (1)))) ^ (((w0) >> (8)) | ((w0) << (64 - (8)))) ^ ((w0) >> (7))) + w15; + + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xe49b69c19ef14ad2 + w0; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xefbe4786384f25e3 + w1; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x0fc19dc68b8cd5b5 + w2; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x240ca1cc77ac9c65 + w3; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x2de92c6f592b0275 + w4; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x4a7484aa6ea6e483 + w5; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x5cb0a9dcbd41fbd4 + w6; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x76f988da831153b5 + w7; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x983e5152ee66dfab + w8; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xa831c66d2db43210 + w9; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xb00327c898fb213f + w10; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xbf597fc7beef0ee4 + w11; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xc6e00bf33da88fc2 + w12; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xd5a79147930aa725 + w13; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x06ca6351e003826f + w14; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x142929670a0e6e70 + w15; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + + dummymethod(); + w0 = ((((w14) >> (19)) | ((w14) << (64 - (19)))) ^ (((w14) >> (61)) | ((w14) << (64 - (61)))) ^ ((w14) >> (6))) + w9 + ((((w1) >> (1)) | ((w1) << (64 - (1)))) ^ (((w1) >> (8)) | ((w1) << (64 - (8)))) ^ ((w1) >> (7))) + w0; w1 = ((((w15) >> (19)) | ((w15) << (64 - (19)))) ^ (((w15) >> (61)) | ((w15) << (64 - (61)))) ^ ((w15) >> (6))) + w10 + ((((w2) >> (1)) | ((w2) << (64 - (1)))) ^ (((w2) >> (8)) | ((w2) << (64 - (8)))) ^ ((w2) >> (7))) + w1; w2 = ((((w0) >> (19)) | ((w0) << (64 - (19)))) ^ (((w0) >> (61)) | ((w0) << (64 - (61)))) ^ ((w0) >> (6))) + w11 + ((((w3) >> (1)) | ((w3) << (64 - (1)))) ^ (((w3) >> (8)) | ((w3) << (64 - (8)))) ^ ((w3) >> (7))) + w2; w3 = ((((w1) >> (19)) | ((w1) << (64 - (19)))) ^ (((w1) >> (61)) | ((w1) << (64 - (61)))) ^ ((w1) >> (6))) + w12 + ((((w4) >> (1)) | ((w4) << (64 - (1)))) ^ (((w4) >> (8)) | ((w4) << (64 - (8)))) ^ ((w4) >> (7))) + w3; w4 = ((((w2) >> (19)) | ((w2) << (64 - (19)))) ^ (((w2) >> (61)) | ((w2) << (64 - (61)))) ^ ((w2) >> (6))) + w13 + ((((w5) >> (1)) | ((w5) << (64 - (1)))) ^ (((w5) >> (8)) | ((w5) << (64 - (8)))) ^ ((w5) >> (7))) + w4; w5 = ((((w3) >> (19)) | ((w3) << (64 - (19)))) ^ (((w3) >> (61)) | ((w3) << (64 - (61)))) ^ ((w3) >> (6))) + w14 + ((((w6) >> (1)) | ((w6) << (64 - (1)))) ^ (((w6) >> (8)) | ((w6) << (64 - (8)))) ^ ((w6) >> (7))) + w5; w6 = ((((w4) >> (19)) | ((w4) << (64 - (19)))) ^ (((w4) >> (61)) | ((w4) << (64 - (61)))) ^ ((w4) >> (6))) + w15 + ((((w7) >> (1)) | ((w7) << (64 - (1)))) ^ (((w7) >> (8)) | ((w7) << (64 - (8)))) ^ ((w7) >> (7))) + w6; w7 = ((((w5) >> (19)) | ((w5) << (64 - (19)))) ^ (((w5) >> (61)) | ((w5) << (64 - (61)))) ^ ((w5) >> (6))) + w0 + ((((w8) >> (1)) | ((w8) << (64 - (1)))) ^ (((w8) >> (8)) | ((w8) << (64 - (8)))) ^ ((w8) >> (7))) + w7; w8 = ((((w6) >> (19)) | ((w6) << (64 - (19)))) ^ (((w6) >> (61)) | ((w6) << (64 - (61)))) ^ ((w6) >> (6))) + w1 + ((((w9) >> (1)) | ((w9) << (64 - (1)))) ^ (((w9) >> (8)) | ((w9) << (64 - (8)))) ^ ((w9) >> (7))) + w8; w9 = ((((w7) >> (19)) | ((w7) << (64 - (19)))) ^ (((w7) >> (61)) | ((w7) << (64 - (61)))) ^ ((w7) >> (6))) + w2 + ((((w10) >> (1)) | ((w10) << (64 - (1)))) ^ (((w10) >> (8)) | ((w10) << (64 - (8)))) ^ ((w10) >> (7))) + w9; w10 = ((((w8) >> (19)) | ((w8) << (64 - (19)))) ^ (((w8) >> (61)) | ((w8) << (64 - (61)))) ^ ((w8) >> (6))) + w3 + ((((w11) >> (1)) | ((w11) << (64 - (1)))) ^ (((w11) >> (8)) | ((w11) << (64 - (8)))) ^ ((w11) >> (7))) + w10; w11 = ((((w9) >> (19)) | ((w9) << (64 - (19)))) ^ (((w9) >> (61)) | ((w9) << (64 - (61)))) ^ ((w9) >> (6))) + w4 + ((((w12) >> (1)) | ((w12) << (64 - (1)))) ^ (((w12) >> (8)) | ((w12) << (64 - (8)))) ^ ((w12) >> (7))) + w11; w12 = ((((w10) >> (19)) | ((w10) << (64 - (19)))) ^ (((w10) >> (61)) | ((w10) << (64 - (61)))) ^ ((w10) >> (6))) + w5 + ((((w13) >> (1)) | ((w13) << (64 - (1)))) ^ (((w13) >> (8)) | ((w13) << (64 - (8)))) ^ ((w13) >> (7))) + w12; w13 = ((((w11) >> (19)) | ((w11) << (64 - (19)))) ^ (((w11) >> (61)) | ((w11) << (64 - (61)))) ^ ((w11) >> (6))) + w6 + ((((w14) >> (1)) | ((w14) << (64 - (1)))) ^ (((w14) >> (8)) | ((w14) << (64 - (8)))) ^ ((w14) >> (7))) + w13; w14 = ((((w12) >> (19)) | ((w12) << (64 - (19)))) ^ (((w12) >> (61)) | ((w12) << (64 - (61)))) ^ ((w12) >> (6))) + w7 + ((((w15) >> (1)) | ((w15) << (64 - (1)))) ^ (((w15) >> (8)) | ((w15) << (64 - (8)))) ^ ((w15) >> (7))) + w14; w15 = ((((w13) >> (19)) | ((w13) << (64 - (19)))) ^ (((w13) >> (61)) | ((w13) << (64 - (61)))) ^ ((w13) >> (6))) + w8 + ((((w0) >> (1)) | ((w0) << (64 - (1)))) ^ (((w0) >> (8)) | ((w0) << (64 - (8)))) ^ ((w0) >> (7))) + w15; + + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x27b70a8546d22ffc + w0; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x2e1b21385c26c926 + w1; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x4d2c6dfc5ac42aed + w2; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x53380d139d95b3df + w3; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x650a73548baf63de + w4; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x766a0abb3c77b2a8 + w5; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x81c2c92e47edaee6 + w6; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x92722c851482353b + w7; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xa2bfe8a14cf10364 + w8; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xa81a664bbc423001 + w9; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xc24b8b70d0f89791 + w10; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xc76c51a30654be30 + w11; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xd192e819d6ef5218 + w12; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xd69906245565a910 + w13; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xf40e35855771202a + w14; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x106aa07032bbd1b8 + w15; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + + dummymethod(); + w0 = ((((w14) >> (19)) | ((w14) << (64 - (19)))) ^ (((w14) >> (61)) | ((w14) << (64 - (61)))) ^ ((w14) >> (6))) + w9 + ((((w1) >> (1)) | ((w1) << (64 - (1)))) ^ (((w1) >> (8)) | ((w1) << (64 - (8)))) ^ ((w1) >> (7))) + w0; w1 = ((((w15) >> (19)) | ((w15) << (64 - (19)))) ^ (((w15) >> (61)) | ((w15) << (64 - (61)))) ^ ((w15) >> (6))) + w10 + ((((w2) >> (1)) | ((w2) << (64 - (1)))) ^ (((w2) >> (8)) | ((w2) << (64 - (8)))) ^ ((w2) >> (7))) + w1; w2 = ((((w0) >> (19)) | ((w0) << (64 - (19)))) ^ (((w0) >> (61)) | ((w0) << (64 - (61)))) ^ ((w0) >> (6))) + w11 + ((((w3) >> (1)) | ((w3) << (64 - (1)))) ^ (((w3) >> (8)) | ((w3) << (64 - (8)))) ^ ((w3) >> (7))) + w2; w3 = ((((w1) >> (19)) | ((w1) << (64 - (19)))) ^ (((w1) >> (61)) | ((w1) << (64 - (61)))) ^ ((w1) >> (6))) + w12 + ((((w4) >> (1)) | ((w4) << (64 - (1)))) ^ (((w4) >> (8)) | ((w4) << (64 - (8)))) ^ ((w4) >> (7))) + w3; w4 = ((((w2) >> (19)) | ((w2) << (64 - (19)))) ^ (((w2) >> (61)) | ((w2) << (64 - (61)))) ^ ((w2) >> (6))) + w13 + ((((w5) >> (1)) | ((w5) << (64 - (1)))) ^ (((w5) >> (8)) | ((w5) << (64 - (8)))) ^ ((w5) >> (7))) + w4; w5 = ((((w3) >> (19)) | ((w3) << (64 - (19)))) ^ (((w3) >> (61)) | ((w3) << (64 - (61)))) ^ ((w3) >> (6))) + w14 + ((((w6) >> (1)) | ((w6) << (64 - (1)))) ^ (((w6) >> (8)) | ((w6) << (64 - (8)))) ^ ((w6) >> (7))) + w5; w6 = ((((w4) >> (19)) | ((w4) << (64 - (19)))) ^ (((w4) >> (61)) | ((w4) << (64 - (61)))) ^ ((w4) >> (6))) + w15 + ((((w7) >> (1)) | ((w7) << (64 - (1)))) ^ (((w7) >> (8)) | ((w7) << (64 - (8)))) ^ ((w7) >> (7))) + w6; w7 = ((((w5) >> (19)) | ((w5) << (64 - (19)))) ^ (((w5) >> (61)) | ((w5) << (64 - (61)))) ^ ((w5) >> (6))) + w0 + ((((w8) >> (1)) | ((w8) << (64 - (1)))) ^ (((w8) >> (8)) | ((w8) << (64 - (8)))) ^ ((w8) >> (7))) + w7; w8 = ((((w6) >> (19)) | ((w6) << (64 - (19)))) ^ (((w6) >> (61)) | ((w6) << (64 - (61)))) ^ ((w6) >> (6))) + w1 + ((((w9) >> (1)) | ((w9) << (64 - (1)))) ^ (((w9) >> (8)) | ((w9) << (64 - (8)))) ^ ((w9) >> (7))) + w8; w9 = ((((w7) >> (19)) | ((w7) << (64 - (19)))) ^ (((w7) >> (61)) | ((w7) << (64 - (61)))) ^ ((w7) >> (6))) + w2 + ((((w10) >> (1)) | ((w10) << (64 - (1)))) ^ (((w10) >> (8)) | ((w10) << (64 - (8)))) ^ ((w10) >> (7))) + w9; w10 = ((((w8) >> (19)) | ((w8) << (64 - (19)))) ^ (((w8) >> (61)) | ((w8) << (64 - (61)))) ^ ((w8) >> (6))) + w3 + ((((w11) >> (1)) | ((w11) << (64 - (1)))) ^ (((w11) >> (8)) | ((w11) << (64 - (8)))) ^ ((w11) >> (7))) + w10; w11 = ((((w9) >> (19)) | ((w9) << (64 - (19)))) ^ (((w9) >> (61)) | ((w9) << (64 - (61)))) ^ ((w9) >> (6))) + w4 + ((((w12) >> (1)) | ((w12) << (64 - (1)))) ^ (((w12) >> (8)) | ((w12) << (64 - (8)))) ^ ((w12) >> (7))) + w11; w12 = ((((w10) >> (19)) | ((w10) << (64 - (19)))) ^ (((w10) >> (61)) | ((w10) << (64 - (61)))) ^ ((w10) >> (6))) + w5 + ((((w13) >> (1)) | ((w13) << (64 - (1)))) ^ (((w13) >> (8)) | ((w13) << (64 - (8)))) ^ ((w13) >> (7))) + w12; w13 = ((((w11) >> (19)) | ((w11) << (64 - (19)))) ^ (((w11) >> (61)) | ((w11) << (64 - (61)))) ^ ((w11) >> (6))) + w6 + ((((w14) >> (1)) | ((w14) << (64 - (1)))) ^ (((w14) >> (8)) | ((w14) << (64 - (8)))) ^ ((w14) >> (7))) + w13; w14 = ((((w12) >> (19)) | ((w12) << (64 - (19)))) ^ (((w12) >> (61)) | ((w12) << (64 - (61)))) ^ ((w12) >> (6))) + w7 + ((((w15) >> (1)) | ((w15) << (64 - (1)))) ^ (((w15) >> (8)) | ((w15) << (64 - (8)))) ^ ((w15) >> (7))) + w14; w15 = ((((w13) >> (19)) | ((w13) << (64 - (19)))) ^ (((w13) >> (61)) | ((w13) << (64 - (61)))) ^ ((w13) >> (6))) + w8 + ((((w0) >> (1)) | ((w0) << (64 - (1)))) ^ (((w0) >> (8)) | ((w0) << (64 - (8)))) ^ ((w0) >> (7))) + w15; + + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x19a4c116b8d2d0c8 + w0; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x1e376c085141ab53 + w1; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x2748774cdf8eeb99 + w2; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x34b0bcb5e19b48a8 + w3; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x391c0cb3c5c95a63 + w4; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x4ed8aa4ae3418acb + w5; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x5b9cca4f7763e373 + w6; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x682e6ff3d6b2b8a3 + w7; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x748f82ee5defb2fc + w8; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x78a5636f43172f60 + w9; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x84c87814a1f0ab72 + w10; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x8cc702081a6439ec + w11; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x90befffa23631e28 + w12; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xa4506cebde82bde9 + w13; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xbef9a3f7b2c67915 + w14; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xc67178f2e372532b + w15; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + + dummymethod(); + w0 = ((((w14) >> (19)) | ((w14) << (64 - (19)))) ^ (((w14) >> (61)) | ((w14) << (64 - (61)))) ^ ((w14) >> (6))) + w9 + ((((w1) >> (1)) | ((w1) << (64 - (1)))) ^ (((w1) >> (8)) | ((w1) << (64 - (8)))) ^ ((w1) >> (7))) + w0; w1 = ((((w15) >> (19)) | ((w15) << (64 - (19)))) ^ (((w15) >> (61)) | ((w15) << (64 - (61)))) ^ ((w15) >> (6))) + w10 + ((((w2) >> (1)) | ((w2) << (64 - (1)))) ^ (((w2) >> (8)) | ((w2) << (64 - (8)))) ^ ((w2) >> (7))) + w1; w2 = ((((w0) >> (19)) | ((w0) << (64 - (19)))) ^ (((w0) >> (61)) | ((w0) << (64 - (61)))) ^ ((w0) >> (6))) + w11 + ((((w3) >> (1)) | ((w3) << (64 - (1)))) ^ (((w3) >> (8)) | ((w3) << (64 - (8)))) ^ ((w3) >> (7))) + w2; w3 = ((((w1) >> (19)) | ((w1) << (64 - (19)))) ^ (((w1) >> (61)) | ((w1) << (64 - (61)))) ^ ((w1) >> (6))) + w12 + ((((w4) >> (1)) | ((w4) << (64 - (1)))) ^ (((w4) >> (8)) | ((w4) << (64 - (8)))) ^ ((w4) >> (7))) + w3; w4 = ((((w2) >> (19)) | ((w2) << (64 - (19)))) ^ (((w2) >> (61)) | ((w2) << (64 - (61)))) ^ ((w2) >> (6))) + w13 + ((((w5) >> (1)) | ((w5) << (64 - (1)))) ^ (((w5) >> (8)) | ((w5) << (64 - (8)))) ^ ((w5) >> (7))) + w4; w5 = ((((w3) >> (19)) | ((w3) << (64 - (19)))) ^ (((w3) >> (61)) | ((w3) << (64 - (61)))) ^ ((w3) >> (6))) + w14 + ((((w6) >> (1)) | ((w6) << (64 - (1)))) ^ (((w6) >> (8)) | ((w6) << (64 - (8)))) ^ ((w6) >> (7))) + w5; w6 = ((((w4) >> (19)) | ((w4) << (64 - (19)))) ^ (((w4) >> (61)) | ((w4) << (64 - (61)))) ^ ((w4) >> (6))) + w15 + ((((w7) >> (1)) | ((w7) << (64 - (1)))) ^ (((w7) >> (8)) | ((w7) << (64 - (8)))) ^ ((w7) >> (7))) + w6; w7 = ((((w5) >> (19)) | ((w5) << (64 - (19)))) ^ (((w5) >> (61)) | ((w5) << (64 - (61)))) ^ ((w5) >> (6))) + w0 + ((((w8) >> (1)) | ((w8) << (64 - (1)))) ^ (((w8) >> (8)) | ((w8) << (64 - (8)))) ^ ((w8) >> (7))) + w7; w8 = ((((w6) >> (19)) | ((w6) << (64 - (19)))) ^ (((w6) >> (61)) | ((w6) << (64 - (61)))) ^ ((w6) >> (6))) + w1 + ((((w9) >> (1)) | ((w9) << (64 - (1)))) ^ (((w9) >> (8)) | ((w9) << (64 - (8)))) ^ ((w9) >> (7))) + w8; w9 = ((((w7) >> (19)) | ((w7) << (64 - (19)))) ^ (((w7) >> (61)) | ((w7) << (64 - (61)))) ^ ((w7) >> (6))) + w2 + ((((w10) >> (1)) | ((w10) << (64 - (1)))) ^ (((w10) >> (8)) | ((w10) << (64 - (8)))) ^ ((w10) >> (7))) + w9; w10 = ((((w8) >> (19)) | ((w8) << (64 - (19)))) ^ (((w8) >> (61)) | ((w8) << (64 - (61)))) ^ ((w8) >> (6))) + w3 + ((((w11) >> (1)) | ((w11) << (64 - (1)))) ^ (((w11) >> (8)) | ((w11) << (64 - (8)))) ^ ((w11) >> (7))) + w10; w11 = ((((w9) >> (19)) | ((w9) << (64 - (19)))) ^ (((w9) >> (61)) | ((w9) << (64 - (61)))) ^ ((w9) >> (6))) + w4 + ((((w12) >> (1)) | ((w12) << (64 - (1)))) ^ (((w12) >> (8)) | ((w12) << (64 - (8)))) ^ ((w12) >> (7))) + w11; w12 = ((((w10) >> (19)) | ((w10) << (64 - (19)))) ^ (((w10) >> (61)) | ((w10) << (64 - (61)))) ^ ((w10) >> (6))) + w5 + ((((w13) >> (1)) | ((w13) << (64 - (1)))) ^ (((w13) >> (8)) | ((w13) << (64 - (8)))) ^ ((w13) >> (7))) + w12; w13 = ((((w11) >> (19)) | ((w11) << (64 - (19)))) ^ (((w11) >> (61)) | ((w11) << (64 - (61)))) ^ ((w11) >> (6))) + w6 + ((((w14) >> (1)) | ((w14) << (64 - (1)))) ^ (((w14) >> (8)) | ((w14) << (64 - (8)))) ^ ((w14) >> (7))) + w13; w14 = ((((w12) >> (19)) | ((w12) << (64 - (19)))) ^ (((w12) >> (61)) | ((w12) << (64 - (61)))) ^ ((w12) >> (6))) + w7 + ((((w15) >> (1)) | ((w15) << (64 - (1)))) ^ (((w15) >> (8)) | ((w15) << (64 - (8)))) ^ ((w15) >> (7))) + w14; w15 = ((((w13) >> (19)) | ((w13) << (64 - (19)))) ^ (((w13) >> (61)) | ((w13) << (64 - (61)))) ^ ((w13) >> (6))) + w8 + ((((w0) >> (1)) | ((w0) << (64 - (1)))) ^ (((w0) >> (8)) | ((w0) << (64 - (8)))) ^ ((w0) >> (7))) + w15; + + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xca273eceea26619c + w0; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xd186b8c721c0c207 + w1; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xeada7dd6cde0eb1e + w2; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0xf57d4f7fee6ed178 + w3; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x06f067aa72176fba + w4; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x0a637dc5a2c898a6 + w5; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x113f9804bef90dae + w6; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x1b710b35131c471b + w7; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x28db77f523047d84 + w8; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x32caab7b40c72493 + w9; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x3c9ebe0a15c9bebc + w10; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x431d67c49c100d4c + w11; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x4cc5d4becb3e42b6 + w12; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x597f299cfc657e2a + w13; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x5fcb6fab3ad6faec + w14; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + T1 = h + ((((e) >> (14)) | ((e) << (64 - (14)))) ^ (((e) >> (18)) | ((e) << (64 - (18)))) ^ (((e) >> (41)) | ((e) << (64 - (41))))) + ((e & f) ^ (~e & g)) + 0x6c44198c4a475817 + w15; T2 = ((((a) >> (28)) | ((a) << (64 - (28)))) ^ (((a) >> (34)) | ((a) << (64 - (34)))) ^ (((a) >> (39)) | ((a) << (64 - (39))))) + ((a & b) ^ (a & c) ^ (b & c)); h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a = T1 + T2; + + a += state[0]; + b += state[1]; + c += state[2]; + d += state[3]; + e += state[4]; + f += state[5]; + g += state[6]; + h += state[7]; + + state[0] = a; + state[1] = b; + state[2] = c; + state[3] = d; + state[4] = e; + state[5] = f; + state[6] = g; + state[7] = h; + + inp += 128; + inlen -= 128; + } + + store_bigendian(statebytes + 0, state[0]); + store_bigendian(statebytes + 8, state[1]); + store_bigendian(statebytes + 16, state[2]); + store_bigendian(statebytes + 24, state[3]); + store_bigendian(statebytes + 32, state[4]); + store_bigendian(statebytes + 40, state[5]); + store_bigendian(statebytes + 48, state[6]); + store_bigendian(statebytes + 56, state[7]); + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_onetimeauth/poly1305.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,113 @@ +using System; + +namespace UCIS.NaCl.crypto_onetimeauth { + unsafe static class poly1305 { + static Boolean UseNativeFunctions = false; + static unsafe internal Boolean EnableNativeImplementation() { + UseNativeFunctions = false; + Byte* dummy = stackalloc Byte[32]; + try { + if (Native.crypto_onetimeauth_poly1305(dummy, dummy, 0, dummy) != 0) return false; + } catch (Exception) { + return false; + } + return UseNativeFunctions = true; + } + + const int CRYPTO_BYTES = 16; + const int CRYPTO_KEYBYTES = 32; + + //Never written to + static UInt32[] minusp = new UInt32[17] { 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 252 }; + + public static int crypto_onetimeauth_verify(Byte* h, Byte* inv, UInt64 inlen, Byte* k) { + Byte* correct = stackalloc Byte[16]; + crypto_onetimeauth(correct, inv, inlen, k); + return crypto_verify._16.crypto_verify(h, correct); + } + + static void add(UInt32* h, UInt32* c) { //h[17], c[17] + UInt32 u = 0; + for (int j = 0; j < 17; ++j) { u += h[j] + c[j]; h[j] = u & 255; u >>= 8; } + } + + static void squeeze(UInt32* h) { //h[17] + UInt32 u = 0; + for (int j = 0; j < 16; ++j) { u += h[j]; h[j] = u & 255; u >>= 8; } + u += h[16]; h[16] = u & 3; + u = 5 * (u >> 2); + for (int j = 0; j < 16; ++j) { u += h[j]; h[j] = u & 255; u >>= 8; } + u += h[16]; h[16] = u; + } + + static void freeze(UInt32* h) { //h[17] + UInt32* horig = stackalloc UInt32[17]; + for (int j = 0; j < 17; ++j) horig[j] = h[j]; + fixed (uint* minuspp = minusp) add(h, minuspp); + UInt32 negative = (UInt32)(-(h[16] >> 7)); + for (int j = 0; j < 17; ++j) h[j] ^= negative & (horig[j] ^ h[j]); + } + + static void mulmod(UInt32* h, UInt32* r) { //h[17], r[17] + UInt32* hr = stackalloc UInt32[17]; + for (uint i = 0; i < 17; ++i) { + UInt32 u = 0; + for (uint j = i + 1; j < 17; ++j) u += h[j] * r[i + 17 - j]; + u *= 320; + for (uint j = 0; j <= i; ++j) u += h[j] * r[i - j]; + hr[i] = u; + } + for (int i = 0; i < 17; ++i) h[i] = hr[i]; + squeeze(h); + } + + public static void crypto_onetimeauth(Byte* outv, Byte* inv, UInt64 inlen, Byte* k) { + if (UseNativeFunctions) { + Native.crypto_onetimeauth_poly1305(outv, inv, inlen, k); + return; + } + + UInt32* r = stackalloc UInt32[17]; + UInt32* h = stackalloc UInt32[17]; + UInt32* c = stackalloc UInt32[17]; + + r[0] = k[0]; + r[1] = k[1]; + r[2] = k[2]; + r[3] = (UInt32)(k[3] & 15); + r[4] = (UInt32)(k[4] & 252); + r[5] = k[5]; + r[6] = k[6]; + r[7] = (UInt32)(k[7] & 15); + r[8] = (UInt32)(k[8] & 252); + r[9] = k[9]; + r[10] = k[10]; + r[11] = (UInt32)(k[11] & 15); + r[12] = (UInt32)(k[12] & 252); + r[13] = k[13]; + r[14] = k[14]; + r[15] = (UInt32)(k[15] & 15); + r[16] = 0; + + for (int j = 0; j < 17; ++j) h[j] = 0; + + while (inlen > 0) { + int m = (int)Math.Min(16, inlen); + for (int j = 0; j < m; ++j) c[j] = inv[j]; + c[m] = 1; + inv += m; + inlen -= (ulong)m; + for (int j = m + 1; j < 17; ++j) c[j] = 0; + add(h, c); + mulmod(h, r); + } + + freeze(h); + + for (int j = 0; j < 16; ++j) c[j] = k[j + 16]; + c[16] = 0; + add(h, c); + for (int j = 0; j < 16; ++j) outv[j] = (Byte)h[j]; + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_scalarmult/curve25519.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,290 @@ +using System; + +namespace UCIS.NaCl.crypto_scalarmult { + unsafe public static class curve25519 { + const int CRYPTO_BYTES = 32; + const int CRYPTO_SCALARBYTES = 32; + + //Never written to (both) + static Byte[] basev = new Byte[32] { 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; //[32] = {9}; + static UInt32[] minusp = new UInt32[32] { 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128 }; + + public static void crypto_scalarmult_base(Byte* q, Byte* n) { + fixed (Byte* basevp = basev) crypto_scalarmult(q, n, basevp); + } + public static void crypto_scalarmult_base(Byte[] q, Byte[] n) { + fixed (Byte* basevp = basev, qp = q, np = n) crypto_scalarmult(qp, np, basevp); + } + + static void add(UInt32[] outv, UInt32[] a, UInt32[] b) { //outv[32],a[32],b[32] + fixed (UInt32* outvp = outv, ap = a, bp = b) add(outvp, ap, bp); + } + static void add(UInt32[] outv, UInt32[] a, UInt32* b) { + fixed (UInt32* outvp = outv, ap = a) add(outvp, ap, b); + } + static void add(UInt32* outv, UInt32* a, UInt32* b) { + UInt32 u = 0; + for (int j = 0; j < 31; ++j) { u += a[j] + b[j]; outv[j] = u & 255; u >>= 8; } + u += a[31] + b[31]; outv[31] = u; + } + + static void sub(UInt32* outv, UInt32[] a, UInt32* b) {//outv[32], a[32], b[32] + UInt32 u = 218; + for (int j = 0; j < 31; ++j) { + u += a[j] + 65280 - b[j]; + outv[j] = u & 255; + u >>= 8; + } + u += a[31] - b[31]; + outv[31] = u; + } + + static void squeeze(UInt32* a) { //a[32] + UInt32 u = 0; + for (int j = 0; j < 31; ++j) { u += a[j]; a[j] = u & 255; u >>= 8; } + u += a[31]; a[31] = u & 127; + u = 19 * (u >> 7); + for (int j = 0; j < 31; ++j) { u += a[j]; a[j] = u & 255; u >>= 8; } + u += a[31]; a[31] = u; + } + + static void freeze(UInt32* a) { //a[32] + UInt32[] aorig = new UInt32[32]; + for (int j = 0; j < 32; ++j) aorig[j] = a[j]; + fixed (UInt32* minuspp = minusp) add(a, a, minuspp); + UInt32 negative = (UInt32)(-((a[31] >> 7) & 1)); + for (int j = 0; j < 32; ++j) a[j] ^= negative & (aorig[j] ^ a[j]); + } + + static void mult(UInt32[] outv, UInt32[] a, UInt32[] b) { //outv[32], a[32], b[32] + fixed (UInt32* outvp = outv, ap = a, bp = b) mult(outvp, ap, bp); + } + static void mult(UInt32* outv, UInt32* a, UInt32* b) { + UInt32 j; + for (uint i = 0; i < 32; ++i) { + UInt32 u = 0; + for (j = 0; j <= i; ++j) u += a[j] * b[i - j]; + for (j = i + 1; j < 32; ++j) u += 38 * a[j] * b[i + 32 - j]; + outv[i] = u; + } + squeeze(outv); + } + + static void mult121665(UInt32[] outv, UInt32[] a) { //outv[32], a[32] + UInt32 j; + UInt32 u = 0; + for (j = 0; j < 31; ++j) { u += 121665 * a[j]; outv[j] = u & 255; u >>= 8; } + u += 121665 * a[31]; outv[31] = u & 127; + u = 19 * (u >> 7); + for (j = 0; j < 31; ++j) { u += outv[j]; outv[j] = u & 255; u >>= 8; } + u += outv[j]; outv[j] = u; + } + + static void square(UInt32[] outv, UInt32[] a) { //outv[32], a[32] + fixed (UInt32* outvp = outv, ap = a) square(outvp, ap); + } + static void square(UInt32* outv, UInt32* a) { + UInt32 j; + for (uint i = 0; i < 32; ++i) { + UInt32 u = 0; + for (j = 0; j < i - j; ++j) u += a[j] * a[i - j]; + for (j = i + 1; j < i + 32 - j; ++j) u += 38 * a[j] * a[i + 32 - j]; + u *= 2; + if ((i & 1) == 0) { + u += a[i / 2] * a[i / 2]; + u += 38 * a[i / 2 + 16] * a[i / 2 + 16]; + } + outv[i] = u; + } + squeeze(outv); + } + + static void select(UInt32[] p, UInt32[] q, UInt32[] r, UInt32[] s, UInt32 b) { //p[64], q[64], r[64], s[64] + UInt32 bminus1 = b - 1; + for (int j = 0; j < 64; ++j) { + UInt32 t = bminus1 & (r[j] ^ s[j]); + p[j] = s[j] ^ t; + q[j] = r[j] ^ t; + } + } + + static void mainloop(UInt32[] work, Byte[] e) { //work[64], e[32] + UInt32[] xzm1 = new UInt32[64]; + UInt32[] xzm = new UInt32[64]; + UInt32[] xzmb = new UInt32[64]; + UInt32[] xzm1b = new UInt32[64]; + UInt32[] xznb = new UInt32[64]; + UInt32[] xzn1b = new UInt32[64]; + UInt32[] a0 = new UInt32[64]; + UInt32[] a1 = new UInt32[64]; + UInt32[] b0 = new UInt32[64]; + UInt32[] b1 = new UInt32[64]; + UInt32[] c1 = new UInt32[64]; + UInt32[] r = new UInt32[32]; + UInt32[] s = new UInt32[32]; + UInt32[] t = new UInt32[32]; + UInt32[] u = new UInt32[32]; + + for (int j = 0; j < 32; ++j) xzm1[j] = work[j]; + xzm1[32] = 1; + for (int j = 33; j < 64; ++j) xzm1[j] = 0; + + xzm[0] = 1; + for (int j = 1; j < 64; ++j) xzm[j] = 0; + + fixed (UInt32* xzmbp = xzmb, a0p = a0, xzm1bp = xzm1b, a1p = a1, b0p = b0, b1p = b1, c1p = c1, xznbp = xznb, up = u, xzn1bp = xzn1b, workp = work, sp = s, rp = r) { + for (int pos = 254; pos >= 0; --pos) { + UInt32 b = (UInt32)(e[pos / 8] >> (pos & 7)); + b &= 1; + select(xzmb, xzm1b, xzm, xzm1, b); + add(a0, xzmb, xzmbp + 32); + sub(a0p + 32, xzmb, xzmbp + 32); + add(a1, xzm1b, xzm1bp + 32); + sub(a1p + 32, xzm1b, xzm1bp + 32); + square(b0p, a0p); + square(b0p + 32, a0p + 32); + mult(b1p, a1p, a0p + 32); + mult(b1p + 32, a1p + 32, a0p); + add(c1, b1, b1p + 32); + sub(c1p + 32, b1, b1p + 32); + square(rp, c1p + 32); + sub(sp, b0, b0p + 32); + mult121665(t, s); + add(u, t, b0p); + mult(xznbp, b0p, b0p + 32); + mult(xznbp + 32, sp, up); + square(xzn1bp, c1p); + mult(xzn1bp + 32, rp, workp); + select(xzm, xzm1, xznb, xzn1b, b); + } + } + + for (int j = 0; j < 64; ++j) work[j] = xzm[j]; + } + + static void recip(UInt32* outv, UInt32* z) { //outv[32], z[32] + UInt32[] z2 = new UInt32[32]; + UInt32[] z9 = new UInt32[32]; + UInt32[] z11 = new UInt32[32]; + UInt32[] z2_5_0 = new UInt32[32]; + UInt32[] z2_10_0 = new UInt32[32]; + UInt32[] z2_20_0 = new UInt32[32]; + UInt32[] z2_50_0 = new UInt32[32]; + UInt32[] z2_100_0 = new UInt32[32]; + UInt32[] t0 = new UInt32[32]; + UInt32[] t1 = new UInt32[32]; + + /* 2 */ + fixed (UInt32* z2p = z2) square(z2p, z); + /* 4 */ + square(t1, z2); + /* 8 */ + square(t0, t1); + /* 9 */ + fixed (UInt32* z9p = z9, t0p = t0) mult(z9p, t0p, z); + /* 11 */ + mult(z11, z9, z2); + /* 22 */ + square(t0, z11); + /* 2^5 - 2^0 = 31 */ + mult(z2_5_0, t0, z9); + + /* 2^6 - 2^1 */ + square(t0, z2_5_0); + /* 2^7 - 2^2 */ + square(t1, t0); + /* 2^8 - 2^3 */ + square(t0, t1); + /* 2^9 - 2^4 */ + square(t1, t0); + /* 2^10 - 2^5 */ + square(t0, t1); + /* 2^10 - 2^0 */ + mult(z2_10_0, t0, z2_5_0); + + /* 2^11 - 2^1 */ + square(t0, z2_10_0); + /* 2^12 - 2^2 */ + square(t1, t0); + /* 2^20 - 2^10 */ + for (int i = 2; i < 10; i += 2) { square(t0, t1); square(t1, t0); } + /* 2^20 - 2^0 */ + mult(z2_20_0, t1, z2_10_0); + + /* 2^21 - 2^1 */ + square(t0, z2_20_0); + /* 2^22 - 2^2 */ + square(t1, t0); + /* 2^40 - 2^20 */ + for (int i = 2; i < 20; i += 2) { square(t0, t1); square(t1, t0); } + /* 2^40 - 2^0 */ + mult(t0, t1, z2_20_0); + + /* 2^41 - 2^1 */ + square(t1, t0); + /* 2^42 - 2^2 */ + square(t0, t1); + /* 2^50 - 2^10 */ + for (int i = 2; i < 10; i += 2) { square(t1, t0); square(t0, t1); } + /* 2^50 - 2^0 */ + mult(z2_50_0, t0, z2_10_0); + + /* 2^51 - 2^1 */ + square(t0, z2_50_0); + /* 2^52 - 2^2 */ + square(t1, t0); + /* 2^100 - 2^50 */ + for (int i = 2; i < 50; i += 2) { square(t0, t1); square(t1, t0); } + /* 2^100 - 2^0 */ + mult(z2_100_0, t1, z2_50_0); + + /* 2^101 - 2^1 */ + square(t1, z2_100_0); + /* 2^102 - 2^2 */ + square(t0, t1); + /* 2^200 - 2^100 */ + for (int i = 2; i < 100; i += 2) { square(t1, t0); square(t0, t1); } + /* 2^200 - 2^0 */ + mult(t1, t0, z2_100_0); + + /* 2^201 - 2^1 */ + square(t0, t1); + /* 2^202 - 2^2 */ + square(t1, t0); + /* 2^250 - 2^50 */ + for (int i = 2; i < 50; i += 2) { square(t0, t1); square(t1, t0); } + /* 2^250 - 2^0 */ + mult(t0, t1, z2_50_0); + + /* 2^251 - 2^1 */ + square(t1, t0); + /* 2^252 - 2^2 */ + square(t0, t1); + /* 2^253 - 2^3 */ + square(t1, t0); + /* 2^254 - 2^4 */ + square(t0, t1); + /* 2^255 - 2^5 */ + square(t1, t0); + /* 2^255 - 21 */ + fixed (UInt32* t1p = t1, z11p = z11) mult(outv, t1p, z11p); + } + + public static void crypto_scalarmult(Byte* q, Byte* n, Byte* p) { + UInt32[] work = new UInt32[96]; + Byte[] e = new Byte[32]; + for (int i = 0; i < 32; ++i) e[i] = n[i]; + e[0] &= 248; + e[31] &= 127; + e[31] |= 64; + for (int i = 0; i < 32; ++i) work[i] = p[i]; + mainloop(work, e); + fixed (UInt32* workp = work) { + recip(workp + 32, workp + 32); + mult(workp + 64, workp, workp + 32); + freeze(workp + 64); + } + for (int i = 0; i < 32; ++i) q[i] = (Byte)work[64 + i]; + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_secretbox/xsalsa20poly1305.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,77 @@ +using System; + +namespace UCIS.NaCl.crypto_secretbox { + unsafe static class xsalsa20poly1305 { + public const int KEYBYTES = 32; + public const int NONCEBYTES = 24; + public const int ZEROBYTES = 32; + public const int BOXZEROBYTES = 16; + + static public int crypto_secretbox(Byte* c, Byte* m, UInt64 mlen, Byte* n, Byte* k) { + if (mlen < 32) return -1; + crypto_stream.xsalsa20.crypto_stream_xor(c, m, mlen, n, k); + crypto_onetimeauth.poly1305.crypto_onetimeauth(c + 16, c + 32, mlen - 32, c); + for (int i = 0; i < 16; ++i) c[i] = 0; + return 0; + } + + static public int crypto_secretbox_open(Byte* m, Byte* c, UInt64 clen, Byte* n, Byte* k) { + if (clen < 32) return -1; + Byte[] subkey = new Byte[32]; + fixed (Byte* subkeyp = subkey) { + crypto_stream.xsalsa20.crypto_stream(subkeyp, 32, n, k); + if (crypto_onetimeauth.poly1305.crypto_onetimeauth_verify(c + 16, c + 32, clen - 32, subkeyp) != 0) return -1; + } + crypto_stream.xsalsa20.crypto_stream_xor(m, c, clen, n, k); + for (int i = 0; i < 32; ++i) m[i] = 0; + return 0; + } + + static internal int crypto_secretbox_nopad(Byte* c, Byte* m, UInt64 mlen, Byte* n, Byte* k) { + if (mlen < 0) return -1; + Byte* mc32 = stackalloc Byte[32]; + for (int i = 0; i < 32; i += 4) *(int*)(mc32 + i) = 0; + crypto_stream.xsalsa20.crypto_stream_xor_split(mc32, 32, c + 16, m, mlen, n, k); + crypto_onetimeauth.poly1305.crypto_onetimeauth(mc32 + 16, c + 16, mlen, mc32); + for (int i = 0; i < 16; ++i) c[i] = mc32[i + 16]; + return 0; + } + + static internal Boolean crypto_secretbox_verify(Byte* c, UInt64 clen, Byte* n, Byte* k) { + if (clen < 16) return false; + Byte* subkey = stackalloc Byte[32]; + for (int i = 0; i < 32; i += 4) *(int*)(subkey + i) = 0; + crypto_stream.xsalsa20.crypto_stream(subkey, 32, n, k); + return crypto_onetimeauth.poly1305.crypto_onetimeauth_verify(c, c + 16, clen - 16, subkey) == 0; + } + + static internal int crypto_secretbox_open_nopad(Byte* m, Byte* c, UInt64 clen, Byte* n, Byte* k) { + if (!crypto_secretbox_verify(c, clen, n, k)) return -1; + if (clen < 16) return -1; + Byte* mc32 = stackalloc Byte[32]; + for (int i = 0; i < 16; i += 4) *(int*)(mc32 + i) = 0; + for (int i = 0; i < 16; i += 4) *(int*)(mc32 + i + 16) = *(int*)(c + i); + crypto_stream.xsalsa20.crypto_stream_xor_split(mc32, 32, m, c + 16, clen - 16, n, k); + return 0; + } + + static internal int crypto_secretbox_inplace_nopad(Byte* c, UInt64 mlen, Byte* n, Byte* k) { + if (mlen < 0) return -1; + Byte* mc16 = stackalloc Byte[16]; + for (int i = 0; i < 16; i += 4) *(int*)(mc16 + i) = 0; + crypto_stream.xsalsa20.crypto_stream_xor_split(mc16, 16, c, c, mlen, n, k); + crypto_onetimeauth.poly1305.crypto_onetimeauth(c, c + 16, mlen, mc16); + return 0; + } + + static internal int crypto_secretbox_open_inplace_nopad(Byte* c, UInt64 clen, Byte* n, Byte* k) { + if (clen < 16) return -1; + Byte* subkey = stackalloc Byte[32]; + for (int i = 0; i < 32; i += 4) *(int*)(subkey + i) = 0; + crypto_stream.xsalsa20.crypto_stream(subkey, 32, n, k); + if (crypto_onetimeauth.poly1305.crypto_onetimeauth_verify(c, c + 16, clen - 16, subkey) != 0) return -1; + crypto_stream.xsalsa20.crypto_stream_xor_split(null, 16, c, c, clen, n, k); + return 0; + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_sign/edwards25519sha512batch.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,780 @@ +using System; +using UCIS.NaCl; +using System.Runtime.InteropServices; + +namespace UCIS.NaCl.crypto_sign { + public static class edwards25519sha512batch { + public const int SECRETKEYBYTES = 64; + public const int PUBLICKEYBYTES = 32; + public const int CRYPTO_BYTES = 64; + + /*Arithmetic modulo the group order n = 2^252 + 27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */ + + unsafe struct sc25519 { + public fixed UInt32 v[32]; //crypto_uint32 v[32]; + + static UInt32[] m = new UInt32[32] {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}; + + static UInt32[] mu = new UInt32[33] {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21, + 0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F}; + + /* Reduce coefficients of r before calling reduce_add_sub */ + static unsafe void reduce_add_sub(sc25519* r) { + int i, b = 0, pb = 0, nb; + Byte* t = stackalloc Byte[32]; + + for (i = 0; i < 32; i++) { + b = (r->v[i] < pb + m[i]) ? 1 : 0; + t[i] = (Byte)(r->v[i] - pb - m[i] + b * 256); + pb = b; + } + nb = 1 - b; + for (i = 0; i < 32; i++) r->v[i] = (uint)(r->v[i] * b + t[i] * nb); + } + + /* Reduce coefficients of x before calling barrett_reduce */ + static unsafe void barrett_reduce(sc25519* r, UInt32* x) { // const crypto_uint32 x[64] + /* See HAC, Alg. 14.42 */ + UInt32* q2 = stackalloc UInt32[66]; // { 0 }; + for (int z = 0; z < 66; z++) q2[z] = 0; + UInt32* q3 = q2 + 33; + UInt32* r1 = stackalloc UInt32[33]; + UInt32* r2 = stackalloc UInt32[33]; // { 0 }; + for (int z = 0; z < 33; z++) r2[z] = 0; + UInt32 carry; + int b, pb = 0; + + for (int i = 0; i < 33; i++) + for (int j = 0; j < 33; j++) + if (i + j >= 31) q2[i + j] += mu[i] * x[j + 31]; + carry = q2[31] >> 8; + q2[32] += carry; + carry = q2[32] >> 8; + q2[33] += carry; + + for (int i = 0; i < 33; i++) r1[i] = x[i]; + for (int i = 0; i < 32; i++) + for (int j = 0; j < 33; j++) + if (i + j < 33) r2[i + j] += m[i] * q3[j]; + + for (int i = 0; i < 32; i++) { + carry = r2[i] >> 8; + r2[i + 1] += carry; + r2[i] &= 0xff; + } + + for (int i = 0; i < 32; i++) { + b = (r1[i] < pb + r2[i]) ? 1 : 0; + r->v[i] = (uint)(r1[i] - pb - r2[i] + b * 256); + pb = b; + } + + /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3 + * If so: Handle it here! + */ + + reduce_add_sub(r); + reduce_add_sub(r); + } + + /* + static int iszero(const sc25519 *x) + { + // Implement + return 0; + } + */ + + public static unsafe void sc25519_from32bytes(sc25519* r, Byte* x) { //const unsigned char x[32] + UInt32* t = stackalloc UInt32[64]; // { 0 }; + for (int i = 0; i < 32; i++) t[i] = x[i]; + for (int i = 32; i < 64; i++) t[i] = 0; + barrett_reduce(r, t); + } + + public static unsafe void sc25519_from64bytes(sc25519* r, Byte* x) { //const unsigned char x[64] + UInt32* t = stackalloc UInt32[64]; // { 0 }; + for (int i = 0; i < 64; i++) t[i] = x[i]; + barrett_reduce(r, t); + } + + /* XXX: What we actually want for crypto_group is probably just something like + * void sc25519_frombytes(sc25519 *r, const unsigned char *x, size_t xlen) + */ + + public static unsafe void sc25519_to32bytes(Byte* r, sc25519* x) { //unsigned char r[32] + for (int i = 0; i < 32; i++) r[i] = (Byte)x->v[i]; + } + + public static unsafe void sc25519_add(sc25519* r, sc25519* x, sc25519* y) { + for (int i = 0; i < 32; i++) r->v[i] = x->v[i] + y->v[i]; + for (int i = 0; i < 31; i++) { + uint carry = r->v[i] >> 8; + r->v[i + 1] += carry; + r->v[i] &= 0xff; + } + reduce_add_sub(r); + } + + public static unsafe void sc25519_mul(sc25519* r, sc25519* x, sc25519* y) { + UInt32* t = stackalloc UInt32[64]; + for (int i = 0; i < 64; i++) t[i] = 0; + + for (int i = 0; i < 32; i++) + for (int j = 0; j < 32; j++) + t[i + j] += x->v[i] * y->v[j]; + + /* Reduce coefficients */ + for (int i = 0; i < 63; i++) { + uint carry = t[i] >> 8; + t[i + 1] += carry; + t[i] &= 0xff; + } + + barrett_reduce(r, t); + } + + public static unsafe void sc25519_square(sc25519* r, sc25519* x) { + sc25519_mul(r, x, x); + } + } + struct ge25519 { + public fe25519 x; + public fe25519 y; + public fe25519 z; + public fe25519 t; + + struct ge25519_p1p1 { + public fe25519 x; + public fe25519 z; + public fe25519 y; + public fe25519 t; + } + struct ge25519_p2 { + public fe25519 x; + public fe25519 y; + public fe25519 z; + } + + /* Windowsize for fixed-window scalar multiplication */ + const int WINDOWSIZE = 2; //#define WINDOWSIZE 2 /* Should be 1,2, or 4 */ + const int WINDOWMASK = ((1 << WINDOWSIZE) - 1); //#define WINDOWMASK ((1<<WINDOWSIZE)-1) + + /* packed parameter d in the Edwards curve equation */ + static Byte[] ecd = new Byte[32] {0xA3, 0x78, 0x59, 0x13, 0xCA, 0x4D, 0xEB, 0x75, 0xAB, 0xD8, 0x41, 0x41, 0x4D, 0x0A, 0x70, 0x00, + 0x98, 0xE8, 0x79, 0x77, 0x79, 0x40, 0xC7, 0x8C, 0x73, 0xFE, 0x6F, 0x2B, 0xEE, 0x6C, 0x03, 0x52}; + + /* Packed coordinates of the base point */ + static Byte[] ge25519_base_x = new Byte[32] {0x1A, 0xD5, 0x25, 0x8F, 0x60, 0x2D, 0x56, 0xC9, 0xB2, 0xA7, 0x25, 0x95, 0x60, 0xC7, 0x2C, 0x69, + 0x5C, 0xDC, 0xD6, 0xFD, 0x31, 0xE2, 0xA4, 0xC0, 0xFE, 0x53, 0x6E, 0xCD, 0xD3, 0x36, 0x69, 0x21}; + static Byte[] ge25519_base_y = new Byte[32] {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}; + static Byte[] ge25519_base_z = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + static Byte[] ge25519_base_t = new Byte[32] {0xA3, 0xDD, 0xB7, 0xA5, 0xB3, 0x8A, 0xDE, 0x6D, 0xF5, 0x52, 0x51, 0x77, 0x80, 0x9F, 0xF0, 0x20, + 0x7D, 0xE3, 0xAB, 0x64, 0x8E, 0x4E, 0xEA, 0x66, 0x65, 0x76, 0x8B, 0xD7, 0x0F, 0x5F, 0x87, 0x67}; + + /* Packed coordinates of the neutral element */ + static Byte[] ge25519_neutral_x = new Byte[32]; // { 0 }; + static Byte[] ge25519_neutral_y = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + static Byte[] ge25519_neutral_z = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + static Byte[] ge25519_neutral_t = new Byte[32]; // { 0 }; + + static unsafe void p1p1_to_p2(ge25519_p2* r, ge25519_p1p1* p) { + fe25519.fe25519_mul(&r->x, &p->x, &p->t); + fe25519.fe25519_mul(&r->y, &p->y, &p->z); + fe25519.fe25519_mul(&r->z, &p->z, &p->t); + } + + static unsafe void p1p1_to_p3(ge25519* r, ge25519_p1p1* p) { + p1p1_to_p2((ge25519_p2*)r, p); + fe25519.fe25519_mul(&r->t, &p->x, &p->y); + } + + /* Constant-time version of: if(b) r = p */ + static unsafe void cmov_p3(ge25519* r, ge25519* p, Byte b) { + fe25519.fe25519_cmov(&r->x, &p->x, b); + fe25519.fe25519_cmov(&r->y, &p->y, b); + fe25519.fe25519_cmov(&r->z, &p->z, b); + fe25519.fe25519_cmov(&r->t, &p->t, b); + } + + /* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */ + static unsafe void dbl_p1p1(ge25519_p1p1* r, ge25519_p2* p) { + fe25519 a, b, c, d; + fe25519.fe25519_square(&a, &p->x); + fe25519.fe25519_square(&b, &p->y); + fe25519.fe25519_square(&c, &p->z); + fe25519.fe25519_add(&c, &c, &c); + fe25519.fe25519_neg(&d, &a); + + fe25519.fe25519_add(&r->x, &p->x, &p->y); + fe25519.fe25519_square(&r->x, &r->x); + fe25519.fe25519_sub(&r->x, &r->x, &a); + fe25519.fe25519_sub(&r->x, &r->x, &b); + fe25519.fe25519_add(&r->z, &d, &b); + fe25519.fe25519_sub(&r->t, &r->z, &c); + fe25519.fe25519_sub(&r->y, &d, &b); + } + + static unsafe void add_p1p1(ge25519_p1p1* r, ge25519* p, ge25519* q) { + fe25519 a, b, c, d, t, fd; + fixed (Byte* ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp); + + fe25519.fe25519_sub(&a, &p->y, &p->x); // A = (Y1-X1)*(Y2-X2) + fe25519.fe25519_sub(&t, &q->y, &q->x); + fe25519.fe25519_mul(&a, &a, &t); + fe25519.fe25519_add(&b, &p->x, &p->y); // B = (Y1+X1)*(Y2+X2) + fe25519.fe25519_add(&t, &q->x, &q->y); + fe25519.fe25519_mul(&b, &b, &t); + fe25519.fe25519_mul(&c, &p->t, &q->t); //C = T1*k*T2 + fe25519.fe25519_mul(&c, &c, &fd); + fe25519.fe25519_add(&c, &c, &c); //XXX: Can save this addition by precomputing 2*ecd + fe25519.fe25519_mul(&d, &p->z, &q->z); //D = Z1*2*Z2 + fe25519.fe25519_add(&d, &d, &d); + fe25519.fe25519_sub(&r->x, &b, &a); // E = B-A + fe25519.fe25519_sub(&r->t, &d, &c); // F = D-C + fe25519.fe25519_add(&r->z, &d, &c); // G = D+C + fe25519.fe25519_add(&r->y, &b, &a); // H = B+A + } + + /* ******************************************************************** + * EXPORTED FUNCTIONS + ******************************************************************** */ + + /* return 0 on success, -1 otherwise */ + public unsafe static Boolean ge25519_unpack_vartime(ge25519* r, Byte* p) { //const unsigned char p[32] + Boolean ret; + fe25519 t, fd; + fe25519.fe25519_setone(&r->z); + fixed (Byte* ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp); + Byte par = (Byte)(p[31] >> 7); + fe25519.fe25519_unpack(&r->y, p); + fe25519.fe25519_square(&r->x, &r->y); + fe25519.fe25519_mul(&t, &r->x, &fd); + fe25519.fe25519_sub(&r->x, &r->x, &r->z); + fe25519.fe25519_add(&t, &r->z, &t); + fe25519.fe25519_invert(&t, &t); + fe25519.fe25519_mul(&r->x, &r->x, &t); + ret = fe25519.fe25519_sqrt_vartime(&r->x, &r->x, par); + fe25519.fe25519_mul(&r->t, &r->x, &r->y); + return ret; + } + + public static unsafe void ge25519_pack(Byte* r, ge25519* p) { //unsigned char r[32] + fe25519 tx, ty, zi; + fe25519.fe25519_invert(&zi, &p->z); + fe25519.fe25519_mul(&tx, &p->x, &zi); + fe25519.fe25519_mul(&ty, &p->y, &zi); + fe25519.fe25519_pack(r, &ty); + r[31] ^= (Byte)(fe25519.fe25519_getparity(&tx) << 7); + } + + public static unsafe void ge25519_add(ge25519* r, ge25519* p, ge25519* q) { + ge25519_p1p1 grp1p1; + add_p1p1(&grp1p1, p, q); + p1p1_to_p3(r, &grp1p1); + } + + public static unsafe void ge25519_double(ge25519* r, ge25519* p) { + ge25519_p1p1 grp1p1; + dbl_p1p1(&grp1p1, (ge25519_p2*)p); + p1p1_to_p3(r, &grp1p1); + } + + public static unsafe void ge25519_scalarmult(ge25519* r, ge25519* p, sc25519* s) { + int i, j, k; + ge25519 g; + fixed (Byte* ge25519_neutral_xp = ge25519_neutral_x) fe25519.fe25519_unpack(&g.x, ge25519_neutral_xp); + fixed (Byte* ge25519_neutral_yp = ge25519_neutral_y) fe25519.fe25519_unpack(&g.y, ge25519_neutral_yp); + fixed (Byte* ge25519_neutral_zp = ge25519_neutral_z) fe25519.fe25519_unpack(&g.z, ge25519_neutral_zp); + fixed (Byte* ge25519_neutral_tp = ge25519_neutral_t) fe25519.fe25519_unpack(&g.t, ge25519_neutral_tp); + + ge25519[] pre = new ge25519[(1 << WINDOWSIZE)]; + ge25519 t; + ge25519_p1p1 tp1p1; + Byte w; + Byte* sb = stackalloc Byte[32]; + sc25519.sc25519_to32bytes(sb, s); + + // Precomputation + pre[0] = g; + pre[1] = *p; + for (i = 2; i < (1 << WINDOWSIZE); i += 2) { + fixed (ge25519* prep = pre) { + dbl_p1p1(&tp1p1, (ge25519_p2*)(prep + i / 2)); + p1p1_to_p3(prep + i, &tp1p1); + add_p1p1(&tp1p1, prep + i, prep + 1); + p1p1_to_p3(prep + i + 1, &tp1p1); + } + } + + // Fixed-window scalar multiplication + for (i = 32; i > 0; i--) { + for (j = 8 - WINDOWSIZE; j >= 0; j -= WINDOWSIZE) { + for (k = 0; k < WINDOWSIZE - 1; k++) { + dbl_p1p1(&tp1p1, (ge25519_p2*)&g); + p1p1_to_p2((ge25519_p2*)&g, &tp1p1); + } + dbl_p1p1(&tp1p1, (ge25519_p2*)&g); + p1p1_to_p3(&g, &tp1p1); + // Cache-timing resistant loading of precomputed value: + w = (Byte)((sb[i - 1] >> j) & WINDOWMASK); + t = pre[0]; + for (k = 1; k < (1 << WINDOWSIZE); k++) + fixed (ge25519* prekp = &pre[k]) cmov_p3(&t, prekp, (k == w) ? (Byte)1 : (Byte)0); + + add_p1p1(&tp1p1, &g, &t); + if (j != 0) p1p1_to_p2((ge25519_p2*)&g, &tp1p1); + else p1p1_to_p3(&g, &tp1p1); /* convert to p3 representation at the end */ + } + } + r->x = g.x; + r->y = g.y; + r->z = g.z; + r->t = g.t; + } + + public unsafe static void ge25519_scalarmult_base(ge25519* r, sc25519* s) { + /* XXX: Better algorithm for known-base-point scalar multiplication */ + ge25519 t; + fixed (Byte* ge25519_base_xp = ge25519_base_x) fe25519.fe25519_unpack(&t.x, ge25519_base_xp); + fixed (Byte* ge25519_base_yp = ge25519_base_y) fe25519.fe25519_unpack(&t.y, ge25519_base_yp); + fixed (Byte* ge25519_base_zp = ge25519_base_z) fe25519.fe25519_unpack(&t.z, ge25519_base_zp); + fixed (Byte* ge25519_base_tp = ge25519_base_t) fe25519.fe25519_unpack(&t.t, ge25519_base_tp); + ge25519_scalarmult(r, &t, s); + } + } + unsafe struct fe25519 { + public fixed UInt32 v[32]; // crypto_uint32 v[32]; + + const int WINDOWSIZE = 4; //#define WINDOWSIZE 4 /* Should be 1,2, or 4 */ + const int WINDOWMASK = ((1 << WINDOWSIZE) - 1); //#define WINDOWMASK ((1<<WINDOWSIZE)-1) + + static unsafe void reduce_add_sub(fe25519* r) { + for (int rep = 0; rep < 4; rep++) { + UInt32 t = r->v[31] >> 7; + r->v[31] &= 127; + t *= 19; + r->v[0] += t; + for (int i = 0; i < 31; i++) { + t = r->v[i] >> 8; + r->v[i + 1] += t; + r->v[i] &= 255; + } + } + } + + unsafe static void reduce_mul(fe25519* r) { + for (int rep = 0; rep < 2; rep++) { + UInt32 t = r->v[31] >> 7; + r->v[31] &= 127; + t *= 19; + r->v[0] += t; + for (int i = 0; i < 31; i++) { + t = r->v[i] >> 8; + r->v[i + 1] += t; + r->v[i] &= 255; + } + } + } + + /* reduction modulo 2^255-19 */ + unsafe static void freeze(fe25519* r) { + UInt32 m = (r->v[31] == 127) ? 1u : 0; + for (int i = 30; i > 1; i--) + m *= (r->v[i] == 255) ? 1u : 0; + m *= (r->v[0] >= 237) ? 1u : 0; + + r->v[31] -= m * 127; + for (int i = 30; i > 0; i--) + r->v[i] -= m * 255; + r->v[0] -= m * 237; + } + + /*freeze input before calling isone*/ + unsafe static Boolean isone(fe25519* x) { + bool r = x->v[0] == 1; + for (int i = 1; i < 32; i++) r &= (x->v[i] == 0); + return r; + } + + /*freeze input before calling iszero*/ + unsafe static Boolean iszero(fe25519* x) { + bool r = (x->v[0] == 0); + for (int i = 1; i < 32; i++) r &= (x->v[i] == 0); + return r; + } + + + unsafe static Boolean issquare(fe25519* x) { + Byte[] e = new Byte[32] { 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }; /* (p-1)/2 */ + fe25519 t; + + fixed (Byte* ep = e) fe25519_pow(&t, x, ep); + freeze(&t); + return isone(&t) || iszero(&t); + } + + public static unsafe void fe25519_unpack(fe25519* r, Byte* x) { //const unsigned char x[32] + for (int i = 0; i < 32; i++) r->v[i] = x[i]; + r->v[31] &= 127; + } + + /* Assumes input x being reduced mod 2^255 */ + public static unsafe void fe25519_pack(Byte* r, fe25519* x) { //unsigned char r[32] + for (int i = 0; i < 32; i++) + r[i] = (byte)x->v[i]; + + /* freeze byte array */ + UInt32 m = (r[31] == 127) ? 1u : 0; /* XXX: some compilers might use branches; fix */ + for (int i = 30; i > 1; i--) + m *= (r[i] == 255) ? 1u : 0; + m *= (r[0] >= 237) ? 1u : 0; + r[31] -= (byte)(m * 127); + for (int i = 30; i > 0; i--) + r[i] -= (byte)(m * 255); + r[0] -= (byte)(m * 237); + } + + public static unsafe void fe25519_cmov(fe25519* r, fe25519* x, Byte b) { + Byte nb = (Byte)(1 - b); + for (int i = 0; i < 32; i++) r->v[i] = nb * r->v[i] + b * x->v[i]; + } + + public static unsafe Byte fe25519_getparity(fe25519* x) { + fe25519 t = new fe25519(); + for (int i = 0; i < 32; i++) t.v[i] = x->v[i]; + freeze(&t); + return (Byte)(t.v[0] & 1); + } + + public static unsafe void fe25519_setone(fe25519* r) { + r->v[0] = 1; + for (int i = 1; i < 32; i++) r->v[i] = 0; + } + + static unsafe void fe25519_setzero(fe25519* r) { + for (int i = 0; i < 32; i++) r->v[i] = 0; + } + + public static unsafe void fe25519_neg(fe25519* r, fe25519* x) { + fe25519 t = new fe25519(); + for (int i = 0; i < 32; i++) t.v[i] = x->v[i]; + fe25519_setzero(r); + fe25519_sub(r, r, &t); + } + + public static unsafe void fe25519_add(fe25519* r, fe25519* x, fe25519* y) { + for (int i = 0; i < 32; i++) r->v[i] = x->v[i] + y->v[i]; + reduce_add_sub(r); + } + + public static unsafe void fe25519_sub(fe25519* r, fe25519* x, fe25519* y) { + UInt32* t = stackalloc UInt32[32]; + t[0] = x->v[0] + 0x1da; + t[31] = x->v[31] + 0xfe; + for (int i = 1; i < 31; i++) t[i] = x->v[i] + 0x1fe; + for (int i = 0; i < 32; i++) r->v[i] = t[i] - y->v[i]; + reduce_add_sub(r); + } + + public static unsafe void fe25519_mul(fe25519* r, fe25519* x, fe25519* y) { + UInt32* t = stackalloc UInt32[63]; + for (int i = 0; i < 63; i++) t[i] = 0; + for (int i = 0; i < 32; i++) + for (int j = 0; j < 32; j++) + t[i + j] += x->v[i] * y->v[j]; + + for (int i = 32; i < 63; i++) + r->v[i - 32] = t[i - 32] + 38 * t[i]; + r->v[31] = t[31]; /* result now in r[0]...r[31] */ + + reduce_mul(r); + } + + public static unsafe void fe25519_square(fe25519* r, fe25519* x) { + fe25519_mul(r, x, x); + } + + /*XXX: Make constant time! */ + public static unsafe void fe25519_pow(fe25519* r, fe25519* x, Byte* e) { + /* + fe25519 g; + fe25519_setone(&g); + int i; + unsigned char j; + for(i=32;i>0;i--) + { + for(j=128;j>0;j>>=1) + { + fe25519_square(&g,&g); + if(e[i-1] & j) + fe25519_mul(&g,&g,x); + } + } + for(i=0;i<32;i++) r->v[i] = g.v[i]; + */ + fe25519 g; + fe25519_setone(&g); + fe25519[] pre = new fe25519[(1 << WINDOWSIZE)]; + fe25519 t; + Byte w; + + // Precomputation + fixed (fe25519* prep = pre) fe25519_setone(prep); + pre[1] = *x; + for (int i = 2; i < (1 << WINDOWSIZE); i += 2) { + fixed (fe25519* prep = pre) { + fe25519_square(prep + i, prep + i / 2); + fe25519_mul(prep + i + 1, prep + i, prep + 1); + } + } + + // Fixed-window scalar multiplication + for (int i = 32; i > 0; i--) { + for (int j = 8 - WINDOWSIZE; j >= 0; j -= WINDOWSIZE) { + for (int k = 0; k < WINDOWSIZE; k++) + fe25519_square(&g, &g); + // Cache-timing resistant loading of precomputed value: + w = (Byte)((e[i - 1] >> j) & WINDOWMASK); + t = pre[0]; + for (int k = 1; k < (1 << WINDOWSIZE); k++) fixed (fe25519* prekp = &pre[k]) fe25519_cmov(&t, prekp, (k == w) ? (Byte)1 : (Byte)0); + fe25519_mul(&g, &g, &t); + } + } + *r = g; + } + + /* Return 0 on success, 1 otherwise */ + public static unsafe Boolean fe25519_sqrt_vartime(fe25519* r, fe25519* x, Byte parity) { + /* See HAC, Alg. 3.37 */ + if (!issquare(x)) return true; + Byte[] e = new Byte[32] { 0xfb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f }; /* (p-1)/4 */ + Byte[] e2 = new Byte[32] { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f }; /* (p+3)/8 */ + Byte[] e3 = new Byte[32] { 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f }; /* (p-5)/8 */ + fe25519 p = new fe25519(); // { { 0 } }; + fe25519 d; + fixed (Byte* ep = e) fe25519.fe25519_pow(&d, x, ep); + freeze(&d); + if (isone(&d)) + fixed (Byte* e2p = e2) fe25519.fe25519_pow(r, x, e2p); + else { + for (int i = 0; i < 32; i++) + d.v[i] = 4 * x->v[i]; + fixed (Byte* e3p = e3) fe25519.fe25519_pow(&d, &d, e3p); + for (int i = 0; i < 32; i++) + r->v[i] = 2 * x->v[i]; + fe25519_mul(r, r, &d); + } + freeze(r); + if ((r->v[0] & 1) != (parity & 1)) { + fe25519_sub(r, &p, r); + } + return false; + } + + public static unsafe void fe25519_invert(fe25519* r, fe25519* x) { + fe25519 z2; + fe25519 z9; + fe25519 z11; + fe25519 z2_5_0; + fe25519 z2_10_0; + fe25519 z2_20_0; + fe25519 z2_50_0; + fe25519 z2_100_0; + fe25519 t0; + fe25519 t1; + + /* 2 */ + fe25519_square(&z2, x); + /* 4 */ + fe25519_square(&t1, &z2); + /* 8 */ + fe25519_square(&t0, &t1); + /* 9 */ + fe25519_mul(&z9, &t0, x); + /* 11 */ + fe25519_mul(&z11, &z9, &z2); + /* 22 */ + fe25519_square(&t0, &z11); + /* 2^5 - 2^0 = 31 */ + fe25519_mul(&z2_5_0, &t0, &z9); + + /* 2^6 - 2^1 */ + fe25519_square(&t0, &z2_5_0); + /* 2^7 - 2^2 */ + fe25519_square(&t1, &t0); + /* 2^8 - 2^3 */ + fe25519_square(&t0, &t1); + /* 2^9 - 2^4 */ + fe25519_square(&t1, &t0); + /* 2^10 - 2^5 */ + fe25519_square(&t0, &t1); + /* 2^10 - 2^0 */ + fe25519_mul(&z2_10_0, &t0, &z2_5_0); + + /* 2^11 - 2^1 */ + fe25519_square(&t0, &z2_10_0); + /* 2^12 - 2^2 */ + fe25519_square(&t1, &t0); + /* 2^20 - 2^10 */ + for (int i = 2; i < 10; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); } + /* 2^20 - 2^0 */ + fe25519_mul(&z2_20_0, &t1, &z2_10_0); + + /* 2^21 - 2^1 */ + fe25519_square(&t0, &z2_20_0); + /* 2^22 - 2^2 */ + fe25519_square(&t1, &t0); + /* 2^40 - 2^20 */ + for (int i = 2; i < 20; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); } + /* 2^40 - 2^0 */ + fe25519_mul(&t0, &t1, &z2_20_0); + + /* 2^41 - 2^1 */ + fe25519_square(&t1, &t0); + /* 2^42 - 2^2 */ + fe25519_square(&t0, &t1); + /* 2^50 - 2^10 */ + for (int i = 2; i < 10; i += 2) { fe25519_square(&t1, &t0); fe25519_square(&t0, &t1); } + /* 2^50 - 2^0 */ + fe25519_mul(&z2_50_0, &t0, &z2_10_0); + + /* 2^51 - 2^1 */ + fe25519_square(&t0, &z2_50_0); + /* 2^52 - 2^2 */ + fe25519_square(&t1, &t0); + /* 2^100 - 2^50 */ + for (int i = 2; i < 50; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); } + /* 2^100 - 2^0 */ + fe25519_mul(&z2_100_0, &t1, &z2_50_0); + + /* 2^101 - 2^1 */ + fe25519_square(&t1, &z2_100_0); + /* 2^102 - 2^2 */ + fe25519_square(&t0, &t1); + /* 2^200 - 2^100 */ + for (int i = 2; i < 100; i += 2) { fe25519_square(&t1, &t0); fe25519_square(&t0, &t1); } + /* 2^200 - 2^0 */ + fe25519_mul(&t1, &t0, &z2_100_0); + + /* 2^201 - 2^1 */ + fe25519_square(&t0, &t1); + /* 2^202 - 2^2 */ + fe25519_square(&t1, &t0); + /* 2^250 - 2^50 */ + for (int i = 2; i < 50; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); } + /* 2^250 - 2^0 */ + fe25519_mul(&t0, &t1, &z2_50_0); + + /* 2^251 - 2^1 */ + fe25519_square(&t1, &t0); + /* 2^252 - 2^2 */ + fe25519_square(&t0, &t1); + /* 2^253 - 2^3 */ + fe25519_square(&t1, &t0); + /* 2^254 - 2^4 */ + fe25519_square(&t0, &t1); + /* 2^255 - 2^5 */ + fe25519_square(&t1, &t0); + /* 2^255 - 21 */ + fe25519_mul(r, &t1, &z11); + } + } + + public static unsafe void crypto_sign_keypair(out Byte[] pk, out Byte[] sk) { + sc25519 scsk; + ge25519 gepk; + + sk = new Byte[SECRETKEYBYTES]; + pk = new Byte[PUBLICKEYBYTES]; + randombytes.generate(sk); + fixed (Byte* skp = sk) crypto_hash.sha512.crypto_hash(skp, skp, 32); + sk[0] &= 248; + sk[31] &= 127; + sk[31] |= 64; + + fixed (Byte* skp = sk) sc25519.sc25519_from32bytes(&scsk, skp); + + ge25519.ge25519_scalarmult_base(&gepk, &scsk); + fixed (Byte* pkp = pk) ge25519.ge25519_pack(pkp, &gepk); + } + + public static unsafe Byte[] crypto_sign(Byte[] m, Byte[] sk) { + if (sk.Length != SECRETKEYBYTES) throw new ArgumentException("sk.Length != SECRETKEYBYTES"); + Byte[] sm = new Byte[m.Length + 64]; + UInt64 smlen; + fixed (Byte* smp = sm, mp = m, skp = sk) crypto_sign(smp, out smlen, mp, (ulong)m.Length, skp); + return sm; + } + public static unsafe void crypto_sign(Byte* sm, out UInt64 smlen, Byte* m, UInt64 mlen, Byte* sk) { + sc25519 sck, scs, scsk; + ge25519 ger; + Byte* r = stackalloc Byte[32]; + Byte* s = stackalloc Byte[32]; + Byte* hmg = stackalloc Byte[crypto_hash.sha512.BYTES]; + Byte* hmr = stackalloc Byte[crypto_hash.sha512.BYTES]; + + smlen = mlen + 64; + for (UInt64 i = 0; i < mlen; i++) sm[32 + i] = m[i]; + for (int i = 0; i < 32; i++) sm[i] = sk[32 + i]; + crypto_hash.sha512.crypto_hash(hmg, sm, mlen + 32); /* Generate k as h(m,sk[32],...,sk[63]) */ + + sc25519.sc25519_from64bytes(&sck, hmg); + ge25519.ge25519_scalarmult_base(&ger, &sck); + ge25519.ge25519_pack(r, &ger); + + for (int i = 0; i < 32; i++) sm[i] = r[i]; + + crypto_hash.sha512.crypto_hash(hmr, sm, mlen + 32); /* Compute h(m,r) */ + sc25519.sc25519_from64bytes(&scs, hmr); + sc25519.sc25519_mul(&scs, &scs, &sck); + + sc25519.sc25519_from32bytes(&scsk, sk); + sc25519.sc25519_add(&scs, &scs, &scsk); + + sc25519.sc25519_to32bytes(s, &scs); /* cat s */ + for (UInt64 i = 0; i < 32; i++) + sm[mlen + 32 + i] = s[i]; + } + + public static unsafe Byte[] crypto_sign_open(Byte[] sm, Byte[] pk) { + if (pk.Length != PUBLICKEYBYTES) throw new ArgumentException("pk.Length != PUBLICKEYBYTES"); + Byte[] m = new Byte[sm.Length - 64]; + UInt64 mlen; + fixed (Byte* smp = sm, mp = m, pkp = pk) { + if (crypto_sign_open(mp, out mlen, smp, (ulong)sm.Length, pkp) != 0) return null; + } + return m; + } + public static unsafe int crypto_sign_open(Byte* m, out UInt64 mlen, Byte* sm, UInt64 smlen, Byte* pk) { + mlen = 0; + if (smlen < 64) return -1; + + Byte* t1 = stackalloc Byte[32], t2 = stackalloc Byte[32]; + ge25519 get1, get2, gepk; + sc25519 schmr, scs; + Byte* hmr = stackalloc Byte[crypto_hash.sha512.BYTES]; + + if (ge25519.ge25519_unpack_vartime(&get1, sm)) return -1; + if (ge25519.ge25519_unpack_vartime(&gepk, pk)) return -1; + + crypto_hash.sha512.crypto_hash(hmr, sm, smlen - 32); + + sc25519.sc25519_from64bytes(&schmr, hmr); + ge25519.ge25519_scalarmult(&get1, &get1, &schmr); + ge25519.ge25519_add(&get1, &get1, &gepk); + ge25519.ge25519_pack(t1, &get1); + + sc25519.sc25519_from32bytes(&scs, &sm[smlen - 32]); + ge25519.ge25519_scalarmult_base(&get2, &scs); + ge25519.ge25519_pack(t2, &get2); + + if (m != null) for (UInt64 i = 0; i < smlen - 64; i++) m[i] = sm[i + 32]; + mlen = smlen - 64; + + return crypto_verify._32.crypto_verify(t1, t2); + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_stream/salsa20.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,123 @@ +using System; + +namespace UCIS.NaCl.crypto_stream { + static unsafe class salsa20 { + public const int KEYBYTES = 32; + public const int NONCEBYTES = 8; + + static Byte[] sigma = new Byte[16] {(Byte)'e', (Byte)'x', (Byte)'p', (Byte)'a', //[16] = "expand 32-byte k"; + (Byte)'n', (Byte)'d', (Byte)' ', (Byte)'3', + (Byte)'2', (Byte)'-', (Byte)'b', (Byte)'y', + (Byte)'t', (Byte)'e', (Byte)' ', (Byte)'k', }; + + public static void crypto_stream(Byte* c, int clen, Byte* n, Byte* k) { + Byte[] inv = new Byte[16]; + Byte[] block = new Byte[64]; + if (clen == 0) return; + + for (int i = 0; i < 8; ++i) inv[i] = n[i]; + for (int i = 8; i < 16; ++i) inv[i] = 0; + + while (clen >= 64) { + fixed (Byte* invp = inv, sigmap = sigma) crypto_core.salsa20.crypto_core(c, invp, k, sigmap); + + UInt32 u = 1; + for (int i = 8; i < 16; ++i) { + u += inv[i]; + inv[i] = (Byte)u; + u >>= 8; + } + + clen -= 64; + c += 64; + } + + if (clen != 0) { + fixed (Byte* invp = inv, sigmap = sigma, blockp = block) crypto_core.salsa20.crypto_core(blockp, invp, k, sigmap); + for (int i = 0; i < clen; ++i) c[i] = block[i]; + } + } + + public static void crypto_stream_xor(Byte* c, Byte* m, int mlen, Byte* n, Byte* k) { + Byte[] inv = new Byte[16]; + Byte[] block = new Byte[64]; + if (mlen == 0) return; + + for (int i = 0; i < 8; ++i) inv[i] = n[i]; + for (int i = 8; i < 16; ++i) inv[i] = 0; + + while (mlen >= 64) { + fixed (Byte* invp = inv, sigmap = sigma, blockp = block) crypto_core.salsa20.crypto_core(blockp, invp, k, sigmap); + for (int i = 0; i < 64; ++i) c[i] = (Byte)(m[i] ^ block[i]); + + UInt32 u = 1; + for (int i = 8; i < 16; ++i) { + u += inv[i]; + inv[i] = (Byte)u; + u >>= 8; + } + + mlen -= 64; + c += 64; + m += 64; + } + + if (mlen != 0) { + fixed (Byte* invp = inv, sigmap = sigma, blockp = block) crypto_core.salsa20.crypto_core(blockp, invp, k, sigmap); + for (int i = 0; i < mlen; ++i) c[i] = (Byte)(m[i] ^ block[i]); + } + } + + internal static void crypto_stream_xor_split(Byte* mcpad, int padbytes, Byte* c, Byte* m, int mlen, Byte* n, Byte* k) { + Byte* inv = stackalloc Byte[16]; + Byte* block = stackalloc Byte[64]; + + for (int i = 0; i < 8; ++i) inv[i] = n[i]; + for (int i = 8; i < 16; ++i) inv[i] = 0; + + if (padbytes > 0) { + if (padbytes > 64) throw new ArgumentOutOfRangeException("padbytes"); + crypto_core.salsa20.crypto_core(block, inv, k, sigma); + if (mcpad != null) for (int i = 0; i < padbytes; ++i) mcpad[i] ^= block[i]; + if (mlen > 0) { + int bleft = 64 - padbytes; + if (bleft > mlen) bleft = mlen; + for (int i = 0; i < bleft; ++i) c[i] = (Byte)(m[i] ^ block[i + padbytes]); + c += bleft; + m += bleft; + mlen -= bleft; + if (mlen >= 0) { + UInt32 u = 1; + for (int i = 8; i < 16; ++i) { + u += inv[i]; + inv[i] = (Byte)u; + u >>= 8; + } + } + } + } + + while (mlen >= 64) { + crypto_core.salsa20.crypto_core(block, inv, k, sigma); + //for (int i = 0; i < 64; ++i) c[i] = (Byte)(m[i] ^ block[i]); + for (int i = 0; i < 64; i += 4) *(int*)(c + i) = *(int*)(m + i) ^ *(int*)(block + i); + + UInt32 u = 1; + for (int i = 8; i < 16; ++i) { + u += inv[i]; + inv[i] = (Byte)u; + u >>= 8; + } + + mlen -= 64; + c += 64; + m += 64; + } + + if (mlen > 0) { + crypto_core.salsa20.crypto_core(block, inv, k, sigma); + for (int i = 0; i < mlen; ++i) c[i] = (Byte)(m[i] ^ block[i]); + } + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_stream/xsalsa20.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,32 @@ +using System; + +namespace UCIS.NaCl.crypto_stream { + static unsafe class xsalsa20 { + public const int KEYBYTES = 32; + public const int NONCEBYTES = 24; + + //Never written to + static Byte[] sigma = new Byte[16] {(Byte)'e', (Byte)'x', (Byte)'p', (Byte)'a', //[16] = "expand 32-byte k"; + (Byte)'n', (Byte)'d', (Byte)' ', (Byte)'3', + (Byte)'2', (Byte)'-', (Byte)'b', (Byte)'y', + (Byte)'t', (Byte)'e', (Byte)' ', (Byte)'k', }; + + public static void crypto_stream(Byte* c, int clen, Byte* n, Byte* k) { + Byte* subkey = stackalloc Byte[32]; + crypto_core.hsalsa20.crypto_core(subkey, n, k, sigma); + salsa20.crypto_stream(c, clen, n + 16, subkey); + } + + public static void crypto_stream_xor(Byte* c, Byte* m, UInt64 mlen, Byte* n, Byte* k) { + Byte* subkey = stackalloc Byte[32]; + crypto_core.hsalsa20.crypto_core(subkey, n, k, sigma); + salsa20.crypto_stream_xor(c, m, (int)mlen, n + 16, subkey); + } + + internal static void crypto_stream_xor_split(Byte* mcpad, int padbytes, Byte* c, Byte* m, UInt64 mlen, Byte* n, Byte* k) { + Byte* subkey = stackalloc Byte[32]; + crypto_core.hsalsa20.crypto_core(subkey, n, k, sigma); + salsa20.crypto_stream_xor_split(mcpad, padbytes, c, m, (int)mlen, n + 16, subkey); + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_verify/16.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,12 @@ +using System; + +namespace UCIS.NaCl.crypto_verify { + unsafe static class _16 { + const int BYTES = 16; + public static int crypto_verify(Byte* x, Byte* y) { + Int32 differentbits = 0; + for (int i = 0; i < 15; i++) differentbits |= x[i] ^ y[i]; + return (1 & ((differentbits - 1) >> 8)) - 1; + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/crypto_verify/32.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,12 @@ +using System; + +namespace UCIS.NaCl.crypto_verify { + unsafe static class _32 { + const int BYTES = 32; + public static int crypto_verify(Byte* x, Byte* y) { + Int32 differentbits = 0; + for (int i = 0; i < 31; i++) differentbits |= x[i] ^ y[i]; + return (1 & ((differentbits - 1) >> 8)) - 1; + } + } +} \ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/NaCl/randombytes.cs Mon Apr 15 00:43:48 2013 +0200 @@ -0,0 +1,16 @@ +using System; +using System.Security.Cryptography; + +namespace UCIS.NaCl { + public static class randombytes { + public static void generate(Byte[] x) { + RNGCryptoServiceProvider rnd = new RNGCryptoServiceProvider(); + rnd.GetBytes(x); + } + public static Byte[] generate(int count) { + Byte[] bytes = new Byte[count]; + generate(bytes); + return bytes; + } + } +} \ No newline at end of file
--- a/UCIS.csproj Wed Apr 10 01:34:05 2013 +0200 +++ b/UCIS.csproj Mon Apr 15 00:43:48 2013 +0200 @@ -23,6 +23,7 @@ <DefineConstants>DEBUG;TRACE</DefineConstants> <ErrorReport>prompt</ErrorReport> <WarningLevel>4</WarningLevel> + <AllowUnsafeBlocks>true</AllowUnsafeBlocks> </PropertyGroup> <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' "> <DebugType>pdbonly</DebugType> @@ -43,6 +44,54 @@ <Compile Include="Cci\CciCommand.cs" /> <Compile Include="Database.cs" /> <None Include="DBReader.cs" /> + <Compile Include="NaCl\APIv2.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_box\curve25519xsalsa20poly1305.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_core\hsalsa20.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_core\salsa20.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_hashblocks\sha512.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_hash\sha512.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_onetimeauth\poly1305.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_scalarmult\curve25519.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_secretbox\xsalsa20poly1305.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_sign\edwards25519sha512batch.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_stream\salsa20.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_stream\xsalsa20.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_verify\16.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\crypto_verify\32.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\Native.cs"> + <SubType>Code</SubType> + </Compile> + <Compile Include="NaCl\randombytes.cs"> + <SubType>Code</SubType> + </Compile> <Compile Include="Net\ConnectionList.cs" /> <Compile Include="Net\HTTP.cs" /> <Compile Include="Net\INetworkConnection.cs" />