Ticket #13280: 0001-Stop-signed-left-shifts-overflowing-in-ed25519.patch

File 0001-Stop-signed-left-shifts-overflowing-in-ed25519.patch, 33.2 KB (added by teor, 5 years ago)

Perform all left shifts on potentially negative values using unsigned types

  • new file changes/bug13280-ed25519-signed-left-shift-overflow

    From 559f2b2b3e26f9bf1c7858296c4f1fed36b890b6 Mon Sep 17 00:00:00 2001
    From: teor <teor2345@gmail.com>
    Date: Sun, 28 Sep 2014 20:27:09 +1000
    Subject: [PATCH] Stop signed left shifts overflowing in ed25519
    
    Use unsigned types for potentially overflowing left shifts. Create SHL32()
    and SHL64() macros for convenience, and use them for all left shifts on
    potentially negative signed values.
    
    ---
     .../bug13280-ed25519-signed-left-shift-overflow    |   3 +
     src/ext/ed25519/ref10/crypto_int32.h               |  20 +++
     src/ext/ed25519/ref10/crypto_int64.h               |  20 +++
     src/ext/ed25519/ref10/fe_mul.c                     |  24 ++--
     src/ext/ed25519/ref10/fe_sq.c                      |  24 ++--
     src/ext/ed25519/ref10/fe_sq2.c                     |  24 ++--
     src/ext/ed25519/ref10/fe_tobytes.c                 |  36 ++---
     src/ext/ed25519/ref10/ge_scalarmult_base.c         |   2 +-
     src/ext/ed25519/ref10/sc_muladd.c                  | 158 ++++++++++-----------
     src/ext/ed25519/ref10/sc_reduce.c                  | 112 +++++++--------
     10 files changed, 233 insertions(+), 190 deletions(-)
     create mode 100644 changes/bug13280-ed25519-signed-left-shift-overflow
    
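diff --git a/changes/bug13280-ed25519-signed-left-shift-overflow b/changes/bug13280-ed25519-signed-left-shift-overflow
new file mode 100644
index 0000000..190022c
--- /dev/null
+++ b/changes/bug13280-ed25519-signed-left-shift-overflow
@@ -0,0 +1,3 @@
+  o Minor bugfixes:
+    - Avoid signed left shift overflows in ed25519 arithmetic
+      using unsigned bitwise operations. Fixes bug 13280.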
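diff --git a/src/ext/ed25519/ref10/crypto_int32.h b/src/ext/ed25519/ref10/crypto_int32.h
index cd5c7c2..46a2a2b 100644
--- a/src/ext/ed25519/ref10/crypto_int32.h
+++ b/src/ext/ed25519/ref10/crypto_int32.h
@@ -1,3 +1,23 @@
 /* Added for Tor. */
+
+#ifndef CRYPTO_INT32_H
+#define CRYPTO_INT32_H
+
 #include "torint.h"
 #define crypto_int32 int32_t
+#define crypto_uint32 uint32_t
+
+/*
+ Stop signed left shifts overflowing
+ by using unsigned types for bitwise operations
+ */
+
+#ifndef OVERFLOW_SAFE_SIGNED_LSHIFT
+#define OVERFLOW_SAFE_SIGNED_LSHIFT(s, lshift, utype, stype) \
+  ((stype)((utype)(s) << (utype)(lshift)))
+#endif
+
+#define SHL32(s, lshift) \
+  OVERFLOW_SAFE_SIGNED_LSHIFT(s, lshift, crypto_uint32, crypto_int32)
+
+#endif /* CRYPTO_INT32_H */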
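Review bot: The comment above OVERFLOW_SAFE_SIGNED_LSHIFT (new lines 10-13) claims the macro stops the shift overflowing, but only the `<<` on `utype` is well-defined; the trailing `(stype)` conversion of a value outside the signed range is implementation-defined (C99/C11 6.3.1.3p3), so the macro trades undefined behaviour for a dependence on two's-complement truncation. I would state that in the header comment so nobody later treats it as fully portable: `/* The shift is done on utype, which is well-defined for any operand; converting the result back to stype when it does not fit is implementation-defined (C99 6.3.1.3p3) and relies on the two's-complement truncation that mainstream compilers provide. */`. Casting the count to utype is harmless for the constant counts this patch uses, but a count of 32 or more stays undefined, which the same comment could mention.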
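diff --git a/src/ext/ed25519/ref10/crypto_int64.h b/src/ext/ed25519/ref10/crypto_int64.h
index de0b602..46e8852 100644
--- a/src/ext/ed25519/ref10/crypto_int64.h
+++ b/src/ext/ed25519/ref10/crypto_int64.h
@@ -1,3 +1,23 @@
 /* Added for Tor. */
+
+#ifndef CRYPTO_INT64_H
+#define CRYPTO_INT64_H
+
 #include "torint.h"
 #define crypto_int64 int64_t
+#define crypto_uint64 uint64_t
+
+/*
+ Stop signed left shifts overflowing
+ by using unsigned types for bitwise operations
+ */
+
+#ifndef OVERFLOW_SAFE_SIGNED_LSHIFT
+#define OVERFLOW_SAFE_SIGNED_LSHIFT(s, lshift, utype, stype) \
+  ((stype)((utype)(s) << (utype)(lshift)))
+#endif
+
+#define SHL64(s, lshift) \
+  OVERFLOW_SAFE_SIGNED_LSHIFT(s, lshift, crypto_uint64, crypto_int64)
+
+#endif /* CRYPTO_INT64_H */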
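Review bot: OVERFLOW_SAFE_SIGNED_LSHIFT is defined a second time here (new lines 15-18), byte-identical to the copy in crypto_int32.h and under the same `#ifndef` guard, so whichever header a translation unit includes first wins and a later edit to one copy would be silently ignored whenever both are included. I would keep a single definition, for example `#include "crypto_int32.h"` at the top of this header and drop the duplicate so SHL64 reuses it, or at minimum put `/* Must stay identical to the copy in crypto_int32.h */` on both. With the constant counts in this patch the `(crypto_uint64)(lshift)` cast is fine, but a count of 64 or more is still undefined, which the comment could say.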
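diff --git a/src/ext/ed25519/ref10/fe_mul.c b/src/ext/ed25519/ref10/fe_mul.c
index d68e210..ace63e6 100644
--- a/src/ext/ed25519/ref10/fe_mul.c
+++ b/src/ext/ed25519/ref10/fe_mul.c
@@ -197,46 +197,46 @@ void fe_mul(fe h,const fe f,const fe g)
     i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
   */
 
-  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= SHL64(carry0,26);
+  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= SHL64(carry4,26);
   /* |h0| <= 2^25 */
   /* |h4| <= 2^25 */
   /* |h1| <= 1.71*2^59 */
   /* |h5| <= 1.71*2^59 */
 
-  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= SHL64(carry1,25);
+  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= SHL64(carry5,25);
   /* |h1| <= 2^24; from now on fits into int32 */
   /* |h5| <= 2^24; from now on fits into int32 */
   /* |h2| <= 1.41*2^60 */
   /* |h6| <= 1.41*2^60 */
 
-  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= SHL64(carry2,26);
+  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= SHL64(carry6,26);
   /* |h2| <= 2^25; from now on fits into int32 unchanged */
   /* |h6| <= 2^25; from now on fits into int32 unchanged */
   /* |h3| <= 1.71*2^59 */
   /* |h7| <= 1.71*2^59 */
 
-  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= SHL64(carry3,25);
+  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= SHL64(carry7,25);
   /* |h3| <= 2^24; from now on fits into int32 unchanged */
   /* |h7| <= 2^24; from now on fits into int32 unchanged */
   /* |h4| <= 1.72*2^34 */
   /* |h8| <= 1.41*2^60 */
 
-  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= SHL64(carry4,26);
+  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= SHL64(carry8,26);
   /* |h4| <= 2^25; from now on fits into int32 unchanged */
   /* |h8| <= 2^25; from now on fits into int32 unchanged */
   /* |h5| <= 1.01*2^24 */
   /* |h9| <= 1.71*2^59 */
 
-  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= SHL64(carry9,25);
   /* |h9| <= 2^24; from now on fits into int32 unchanged */
   /* |h0| <= 1.1*2^39 */
 
-  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= SHL64(carry0,26);
   /* |h0| <= 2^25; from now on fits into int32 unchanged */
   /* |h1| <= 1.01*2^24 */
 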
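Review bot: The carry chain at new lines 200-239 switches to SHL64 without saying why, and the reason is not visible from the surrounding bound comments: the `+ (1<<25)` rounds to nearest, so a carry can be negative, and the old `carry0 << 26` was then a left shift of a negative crypto_int64, which is undefined in C. A one-line comment before line 200 would stop the next reader from "simplifying" it back: `/* Carries can be negative; a signed left shift of a negative value is undefined, so shift them through SHL64. */`. The right shifts on the same lines (`(h0 + ...) >> 26` with h0 negative) remain implementation-defined rather than undefined, so the chain still assumes an arithmetic shift; the patch does not change that, which seems acceptable, but it belongs in the same comment. fe_mul's body starts and ends outside this hunk.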
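diff --git a/src/ext/ed25519/ref10/fe_sq.c b/src/ext/ed25519/ref10/fe_sq.c
index 54a3949..0022a17 100644
--- a/src/ext/ed25519/ref10/fe_sq.c
+++ b/src/ext/ed25519/ref10/fe_sq.c
@@ -117,24 +117,24 @@ void fe_sq(fe h,const fe f)
   crypto_int64 carry8;
   crypto_int64 carry9;
 
-  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= SHL64(carry0,26);
+  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= SHL64(carry4,26);
 
-  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= SHL64(carry1,25);
+  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= SHL64(carry5,25);
 
-  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= SHL64(carry2,26);
+  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= SHL64(carry6,26);
 
-  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= SHL64(carry3,25);
+  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= SHL64(carry7,25);
 
-  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= SHL64(carry4,26);
+  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= SHL64(carry8,26);
 
-  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= SHL64(carry9,25);
 
-  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= SHL64(carry0,26);
 
   h[0] = (crypto_int32) h0;
   h[1] = (crypto_int32) h1;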
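Review bot: The rewritten carry chain at new lines 120-137 is a line-for-line twin of the ones in fe_mul.c and fe_sq2.c, and this patch had to apply the identical SHL64 substitution three times; any later change to the carry logic will need the same triple edit and can drift between the copies. If the ref10 import is meant to track upstream byte-for-byte that may be deliberate, but otherwise a shared macro for the round-to-nearest step, e.g. `#define CARRY64(lo, hi, c, bits) do { (c) = ((lo) + ((crypto_int64)1 << ((bits)-1))) >> (bits); (hi) += (c); (lo) -= SHL64((c),(bits)); } while (0)`, would leave only the carry9 line (which feeds `h0 += carry9 * 19`) written out by hand. fe_sq's body starts and ends outside this hunk.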
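diff --git a/src/ext/ed25519/ref10/fe_sq2.c b/src/ext/ed25519/ref10/fe_sq2.c
index 01b149f..e8faa69 100644
--- a/src/ext/ed25519/ref10/fe_sq2.c
+++ b/src/ext/ed25519/ref10/fe_sq2.c
@@ -128,24 +128,24 @@ void fe_sq2(fe h,const fe f)
   h8 += h8;
   h9 += h9;
 
-  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= SHL64(carry0,26);
+  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= SHL64(carry4,26);
 
-  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= SHL64(carry1,25);
+  carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= SHL64(carry5,25);
 
-  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= SHL64(carry2,26);
+  carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= SHL64(carry6,26);
 
-  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= SHL64(carry3,25);
+  carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= SHL64(carry7,25);
 
-  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= SHL64(carry4,26);
+  carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= SHL64(carry8,26);
 
-  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= SHL64(carry9,25);
 
-  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= SHL64(carry0,26);
 
   h[0] = (crypto_int32) h0;
   h[1] = (crypto_int32) h1;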
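diff --git a/src/ext/ed25519/ref10/fe_tobytes.c b/src/ext/ed25519/ref10/fe_tobytes.c
index 0a63baf..3c7f389 100644
--- a/src/ext/ed25519/ref10/fe_tobytes.c
+++ b/src/ext/ed25519/ref10/fe_tobytes.c
@@ -65,16 +65,16 @@ void fe_tobytes(unsigned char *s,const fe h)
   h0 += 19 * q;
   /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
 
-  carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25;
-  carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26;
-  carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25;
-  carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26;
-  carry9 = h9 >> 25;               h9 -= carry9 << 25;
+  carry0 = h0 >> 26; h1 += carry0; h0 -= SHL32(carry0,26);
+  carry1 = h1 >> 25; h2 += carry1; h1 -= SHL32(carry1,25);
+  carry2 = h2 >> 26; h3 += carry2; h2 -= SHL32(carry2,26);
+  carry3 = h3 >> 25; h4 += carry3; h3 -= SHL32(carry3,25);
+  carry4 = h4 >> 26; h5 += carry4; h4 -= SHL32(carry4,26);
+  carry5 = h5 >> 25; h6 += carry5; h5 -= SHL32(carry5,25);
+  carry6 = h6 >> 26; h7 += carry6; h6 -= SHL32(carry6,26);
+  carry7 = h7 >> 25; h8 += carry7; h7 -= SHL32(carry7,25);
+  carry8 = h8 >> 26; h9 += carry8; h8 -= SHL32(carry8,26);
+  carry9 = h9 >> 25;               h9 -= SHL32(carry9,25);
                   /* h10 = carry9 */
 
   /*
@@ -87,32 +87,32 @@ void fe_tobytes(unsigned char *s,const fe h)
   s[0] = h0 >> 0;
   s[1] = h0 >> 8;
   s[2] = h0 >> 16;
-  s[3] = (h0 >> 24) | (h1 << 2);
+  s[3] = (h0 >> 24) | SHL32(h1,2);
   s[4] = h1 >> 6;
   s[5] = h1 >> 14;
-  s[6] = (h1 >> 22) | (h2 << 3);
+  s[6] = (h1 >> 22) | SHL32(h2,3);
   s[7] = h2 >> 5;
   s[8] = h2 >> 13;
-  s[9] = (h2 >> 21) | (h3 << 5);
+  s[9] = (h2 >> 21) | SHL32(h3,5);
   s[10] = h3 >> 3;
   s[11] = h3 >> 11;
-  s[12] = (h3 >> 19) | (h4 << 6);
+  s[12] = (h3 >> 19) | SHL32(h4,6);
   s[13] = h4 >> 2;
   s[14] = h4 >> 10;
   s[15] = h4 >> 18;
   s[16] = h5 >> 0;
   s[17] = h5 >> 8;
   s[18] = h5 >> 16;
-  s[19] = (h5 >> 24) | (h6 << 1);
+  s[19] = (h5 >> 24) | SHL32(h6,1);
   s[20] = h6 >> 7;
   s[21] = h6 >> 15;
-  s[22] = (h6 >> 23) | (h7 << 3);
+  s[22] = (h6 >> 23) | SHL32(h7,3);
   s[23] = h7 >> 5;
   s[24] = h7 >> 13;
-  s[25] = (h7 >> 21) | (h8 << 4);
+  s[25] = (h7 >> 21) | SHL32(h8,4);
   s[26] = h8 >> 4;
   s[27] = h8 >> 12;
-  s[28] = (h8 >> 20) | (h9 << 6);
+  s[28] = (h8 >> 20) | SHL32(h9,6);
   s[29] = h9 >> 2;
   s[30] = h9 >> 10;
   s[31] = h9 >> 18;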
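Review bot: The byte-packing lines 90-115 are converted to SHL32 too, but by the time they run the carry chain at 68-77 has, if I read the goal comment at line 66 correctly, reduced every limb to a non-negative value below 2^26 (or 2^25 for the odd limbs), so `h9 << 6` and friends were neither negative nor above INT32_MAX ((2^25 - 1) * 64 < 2^31); those edits are harmless but not fixes. The shifts that actually needed the change are the carry lines 68-77, where h0..h9 and hence `carry` can still be negative, and I would say so at line 68 so the two groups are not assumed to be the same case: `/* limbs may be negative here, so the carry must be shifted unsigned (SHL32) */`. The right shifts `h0 >> 26` on a negative limb remain implementation-defined (an arithmetic shift is assumed), which the patch does not change. fe_tobytes's body starts outside this section.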
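diff --git a/src/ext/ed25519/ref10/ge_scalarmult_base.c b/src/ext/ed25519/ref10/ge_scalarmult_base.c
index ad7aae4..b74655f 100644
--- a/src/ext/ed25519/ref10/ge_scalarmult_base.c
+++ b/src/ext/ed25519/ref10/ge_scalarmult_base.c
@@ -39,7 +39,7 @@ static void select(ge_precomp *t,int pos,signed char b)
 {
   ge_precomp minust;
   unsigned char bnegative = negative(b);
-  unsigned char babs = b - (((-bnegative) & b) << 1);
+  unsigned char babs = b - (((-bnegative) & (unsigned char)b) << 1);
 
   ge_precomp_0(t);
   cmov(t,&base[pos][0],equal(babs,1));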
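Review bot: The new `(unsigned char)b` at line 42 makes `((-bnegative) & b) << 1` operate on a value in 0..255 instead of a negative `signed char` promoted to int, so the shift is now well-defined, but the expression is only still correct because the result lands in an `unsigned char`: for a negative b it computes `b - 2*(b mod 256)`, which equals |b| only modulo 256. That deserves a comment so the cast is not "cleaned up" later, e.g. `/* (unsigned char)b keeps the shifted operand non-negative; the subtraction is then right modulo 256, which the unsigned char result provides. */`. The mask-and-subtract shape is unchanged, so the branch-free selection presumably stays constant-time, though I have not re-checked the generated code. select's body continues outside the hunk.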
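diff --git a/src/ext/ed25519/ref10/sc_muladd.c b/src/ext/ed25519/ref10/sc_muladd.c
index 6f1e9d0..20b94c1 100644
--- a/src/ext/ed25519/ref10/sc_muladd.c
+++ b/src/ext/ed25519/ref10/sc_muladd.c
@@ -144,30 +144,30 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
   s22 = a11*b11;
   s23 = 0;
 
-  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
-  carry18 = (s18 + (1<<20)) >> 21; s19 += carry18; s18 -= carry18 << 21;
-  carry20 = (s20 + (1<<20)) >> 21; s21 += carry20; s20 -= carry20 << 21;
-  carry22 = (s22 + (1<<20)) >> 21; s23 += carry22; s22 -= carry22 << 21;
+  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= SHL64(carry0,21);
+  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= SHL64(carry2,21);
+  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= SHL64(carry4,21);
+  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
+  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
+  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
+  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= SHL64(carry12,21);
+  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= SHL64(carry14,21);
+  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= SHL64(carry16,21);
+  carry18 = (s18 + (1<<20)) >> 21; s19 += carry18; s18 -= SHL64(carry18,21);
+  carry20 = (s20 + (1<<20)) >> 21; s21 += carry20; s20 -= SHL64(carry20,21);
+  carry22 = (s22 + (1<<20)) >> 21; s23 += carry22; s22 -= SHL64(carry22,21);
 
-  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
-  carry17 = (s17 + (1<<20)) >> 21; s18 += carry17; s17 -= carry17 << 21;
-  carry19 = (s19 + (1<<20)) >> 21; s20 += carry19; s19 -= carry19 << 21;
-  carry21 = (s21 + (1<<20)) >> 21; s22 += carry21; s21 -= carry21 << 21;
+  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= SHL64(carry1,21);
+  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= SHL64(carry3,21);
+  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= SHL64(carry5,21);
+  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
+  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
+  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= SHL64(carry11,21);
+  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= SHL64(carry13,21);
+  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= SHL64(carry15,21);
+  carry17 = (s17 + (1<<20)) >> 21; s18 += carry17; s17 -= SHL64(carry17,21);
+  carry19 = (s19 + (1<<20)) >> 21; s20 += carry19; s19 -= SHL64(carry19,21);
+  carry21 = (s21 + (1<<20)) >> 21; s22 += carry21; s21 -= SHL64(carry21,21);
 
   s11 += s23 * 666643;
   s12 += s23 * 470296;
@@ -217,18 +217,18 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
   s11 -= s18 * 683901;
   s18 = 0;
 
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
+  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
+  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
+  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
+  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= SHL64(carry12,21);
+  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= SHL64(carry14,21);
+  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= SHL64(carry16,21);
 
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
+  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
+  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
+  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= SHL64(carry11,21);
+  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= SHL64(carry13,21);
+  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= SHL64(carry15,21);
 
   s5 += s17 * 666643;
   s6 += s17 * 470296;
@@ -278,19 +278,19 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
   s5 -= s12 * 683901;
   s12 = 0;
 
-  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
+  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= SHL64(carry0,21);
+  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= SHL64(carry2,21);
+  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= SHL64(carry4,21);
+  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
+  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
+  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
 
-  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
+  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= SHL64(carry1,21);
+  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= SHL64(carry3,21);
+  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= SHL64(carry5,21);
+  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
+  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
+  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= SHL64(carry11,21);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -300,18 +300,18 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
   s5 -= s12 * 683901;
   s12 = 0;
 
-  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21;
+  carry0 = s0 >> 21; s1 += carry0; s0 -= SHL64(carry0,21);
+  carry1 = s1 >> 21; s2 += carry1; s1 -= SHL64(carry1,21);
+  carry2 = s2 >> 21; s3 += carry2; s2 -= SHL64(carry2,21);
+  carry3 = s3 >> 21; s4 += carry3; s3 -= SHL64(carry3,21);
+  carry4 = s4 >> 21; s5 += carry4; s4 -= SHL64(carry4,21);
+  carry5 = s5 >> 21; s6 += carry5; s5 -= SHL64(carry5,21);
+  carry6 = s6 >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
+  carry7 = s7 >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
+  carry8 = s8 >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
+  carry9 = s9 >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
+  carry10 = s10 >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
+  carry11 = s11 >> 21; s12 += carry11; s11 -= SHL64(carry11,21);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -321,47 +321,47 @@ void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,co
   s5 -= s12 * 683901;
   s12 = 0;
 
-  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
+  carry0 = s0 >> 21; s1 += carry0; s0 -= SHL64(carry0,21);
+  carry1 = s1 >> 21; s2 += carry1; s1 -= SHL64(carry1,21);
+  carry2 = s2 >> 21; s3 += carry2; s2 -= SHL64(carry2,21);
+  carry3 = s3 >> 21; s4 += carry3; s3 -= SHL64(carry3,21);
+  carry4 = s4 >> 21; s5 += carry4; s4 -= SHL64(carry4,21);
+  carry5 = s5 >> 21; s6 += carry5; s5 -= SHL64(carry5,21);
+  carry6 = s6 >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
+  carry7 = s7 >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
+  carry8 = s8 >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
+  carry9 = s9 >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
+  carry10 = s10 >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
 
   s[0] = s0 >> 0;
   s[1] = s0 >> 8;
-  s[2] = (s0 >> 16) | (s1 << 5);
+  s[2] = (s0 >> 16) | SHL64(s1,5);
   s[3] = s1 >> 3;
   s[4] = s1 >> 11;
-  s[5] = (s1 >> 19) | (s2 << 2);
+  s[5] = (s1 >> 19) | SHL64(s2,2);
   s[6] = s2 >> 6;
-  s[7] = (s2 >> 14) | (s3 << 7);
+  s[7] = (s2 >> 14) | SHL64(s3,7);
   s[8] = s3 >> 1;
   s[9] = s3 >> 9;
-  s[10] = (s3 >> 17) | (s4 << 4);
+  s[10] = (s3 >> 17) | SHL64(s4,4);
   s[11] = s4 >> 4;
   s[12] = s4 >> 12;
-  s[13] = (s4 >> 20) | (s5 << 1);
+  s[13] = (s4 >> 20) | SHL64(s5,1);
   s[14] = s5 >> 7;
-  s[15] = (s5 >> 15) | (s6 << 6);
+  s[15] = (s5 >> 15) | SHL64(s6,6);
   s[16] = s6 >> 2;
   s[17] = s6 >> 10;
-  s[18] = (s6 >> 18) | (s7 << 3);
+  s[18] = (s6 >> 18) | SHL64(s7,3);
   s[19] = s7 >> 5;
   s[20] = s7 >> 13;
   s[21] = s8 >> 0;
   s[22] = s8 >> 8;
-  s[23] = (s8 >> 16) | (s9 << 5);
+  s[23] = (s8 >> 16) | SHL64(s9,5);
   s[24] = s9 >> 3;
   s[25] = s9 >> 11;
-  s[26] = (s9 >> 19) | (s10 << 2);
+  s[26] = (s9 >> 19) | SHL64(s10,2);
   s[27] = s10 >> 6;
-  s[28] = (s10 >> 14) | (s11 << 7);
+  s[28] = (s10 >> 14) | SHL64(s11,7);
   s[29] = s11 >> 1;
   s[30] = s11 >> 9;
   s[31] = s11 >> 17;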
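Review bot: The SHL64 substitutions in the carry chains (new lines 147-170, 220-231, 281-293, 303-314, 324-334) remove the undefined left shift of a negative carry, but the same lines still right-shift a possibly negative crypto_int64 (`(s0 + (1<<20)) >> 21`, and `s0 >> 21` in the last two chains), which is implementation-defined rather than undefined and only yields the intended floor division with an arithmetic shift; the patch leaves that as is, so a comment at the first chain should record the assumption: `/* Carries can be negative: shift them left via SHL64 (a signed << of a negative value is UB) and rely on an arithmetic >> for the rounding. */`. The packing lines 338-364 are converted as well, but after the final chain at 324-334 each limb should already be in [0, 2^21) if I read the floor-division chain correctly, so `s1 << 5` and the rest were never negative there and those edits are defensive rather than fixes. sc_muladd's body starts outside the section and its closing brace is not shown.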
  • src/ext/ed25519/ref10/sc_reduce.c

    diff --git a/src/ext/ed25519/ref10/sc_reduce.c b/src/ext/ed25519/ref10/sc_reduce.c
    index d01f5a5..c5afa53 100644
    a b void sc_reduce(unsigned char *s) 
    124124  s11 -= s18 * 683901;
    125125  s18 = 0;
    126126
    127   carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
    128   carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
    129   carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
    130   carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
    131   carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
    132   carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
     127  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
     128  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
     129  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
     130  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= SHL64(carry12,21);
     131  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= SHL64(carry14,21);
     132  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= SHL64(carry16,21);
    133133
    134   carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
    135   carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
    136   carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
    137   carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
    138   carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
     134  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
     135  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
     136  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= SHL64(carry11,21);
     137  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= SHL64(carry13,21);
     138  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= SHL64(carry15,21);
    139139
    140140  s5 += s17 * 666643;
    141141  s6 += s17 * 470296;
    void sc_reduce(unsigned char *s) 
    185185  s5 -= s12 * 683901;
    186186  s12 = 0;
    187187
    188   carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
    189   carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
    190   carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
    191   carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
    192   carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
    193   carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
     188  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= SHL64(carry0,21);
     189  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= SHL64(carry2,21);
     190  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= SHL64(carry4,21);
     191  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
     192  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
     193  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
    194194
    195   carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
    196   carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
    197   carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
    198   carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
    199   carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
    200   carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
     195  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= SHL64(carry1,21);
     196  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= SHL64(carry3,21);
     197  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= SHL64(carry5,21);
     198  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
     199  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
     200  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= SHL64(carry11,21);
    201201
    202202  s0 += s12 * 666643;
    203203  s1 += s12 * 470296;
    void sc_reduce(unsigned char *s) 
    207207  s5 -= s12 * 683901;
    208208  s12 = 0;
    209209
    210   carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
    211   carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
    212   carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
    213   carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
    214   carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
    215   carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
    216   carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
    217   carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
    218   carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
    219   carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
    220   carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
    221   carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21;
     210  carry0 = s0 >> 21; s1 += carry0; s0 -= SHL64(carry0,21);
     211  carry1 = s1 >> 21; s2 += carry1; s1 -= SHL64(carry1,21);
     212  carry2 = s2 >> 21; s3 += carry2; s2 -= SHL64(carry2,21);
     213  carry3 = s3 >> 21; s4 += carry3; s3 -= SHL64(carry3,21);
     214  carry4 = s4 >> 21; s5 += carry4; s4 -= SHL64(carry4,21);
     215  carry5 = s5 >> 21; s6 += carry5; s5 -= SHL64(carry5,21);
     216  carry6 = s6 >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
     217  carry7 = s7 >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
     218  carry8 = s8 >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
     219  carry9 = s9 >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
     220  carry10 = s10 >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
     221  carry11 = s11 >> 21; s12 += carry11; s11 -= SHL64(carry11,21);
    222222
    223223  s0 += s12 * 666643;
    224224  s1 += s12 * 470296;
    void sc_reduce(unsigned char *s) 
    228228  s5 -= s12 * 683901;
    229229  s12 = 0;
    230230
    231   carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
    232   carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
    233   carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
    234   carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
    235   carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
    236   carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
    237   carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
    238   carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
    239   carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
    240   carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
    241   carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
     231  carry0 = s0 >> 21; s1 += carry0; s0 -= SHL64(carry0,21);
     232  carry1 = s1 >> 21; s2 += carry1; s1 -= SHL64(carry1,21);
     233  carry2 = s2 >> 21; s3 += carry2; s2 -= SHL64(carry2,21);
     234  carry3 = s3 >> 21; s4 += carry3; s3 -= SHL64(carry3,21);
     235  carry4 = s4 >> 21; s5 += carry4; s4 -= SHL64(carry4,21);
     236  carry5 = s5 >> 21; s6 += carry5; s5 -= SHL64(carry5,21);
     237  carry6 = s6 >> 21; s7 += carry6; s6 -= SHL64(carry6,21);
     238  carry7 = s7 >> 21; s8 += carry7; s7 -= SHL64(carry7,21);
     239  carry8 = s8 >> 21; s9 += carry8; s8 -= SHL64(carry8,21);
     240  carry9 = s9 >> 21; s10 += carry9; s9 -= SHL64(carry9,21);
     241  carry10 = s10 >> 21; s11 += carry10; s10 -= SHL64(carry10,21);
    242242
    243243  s[0] = s0 >> 0;
    244244  s[1] = s0 >> 8;
    245   s[2] = (s0 >> 16) | (s1 << 5);
     245  s[2] = (s0 >> 16) | SHL64(s1,5);
    246246  s[3] = s1 >> 3;
    247247  s[4] = s1 >> 11;
    248   s[5] = (s1 >> 19) | (s2 << 2);
     248  s[5] = (s1 >> 19) | SHL64(s2,2);
    249249  s[6] = s2 >> 6;
    250   s[7] = (s2 >> 14) | (s3 << 7);
     250  s[7] = (s2 >> 14) | SHL64(s3,7);
    251251  s[8] = s3 >> 1;
    252252  s[9] = s3 >> 9;
    253   s[10] = (s3 >> 17) | (s4 << 4);
     253  s[10] = (s3 >> 17) | SHL64(s4,4);
    254254  s[11] = s4 >> 4;
    255255  s[12] = s4 >> 12;
    256   s[13] = (s4 >> 20) | (s5 << 1);
     256  s[13] = (s4 >> 20) | SHL64(s5,1);
    257257  s[14] = s5 >> 7;
    258   s[15] = (s5 >> 15) | (s6 << 6);
     258  s[15] = (s5 >> 15) | SHL64(s6,6);
    259259  s[16] = s6 >> 2;
    260260  s[17] = s6 >> 10;
    261   s[18] = (s6 >> 18) | (s7 << 3);
     261  s[18] = (s6 >> 18) | SHL64(s7,3);
    262262  s[19] = s7 >> 5;
    263263  s[20] = s7 >> 13;
    264264  s[21] = s8 >> 0;
    265265  s[22] = s8 >> 8;
    266   s[23] = (s8 >> 16) | (s9 << 5);
     266  s[23] = (s8 >> 16) | SHL64(s9,5);
    267267  s[24] = s9 >> 3;
    268268  s[25] = s9 >> 11;
    269   s[26] = (s9 >> 19) | (s10 << 2);
     269  s[26] = (s9 >> 19) | SHL64(s10,2);
    270270  s[27] = s10 >> 6;
    271   s[28] = (s10 >> 14) | (s11 << 7);
     271  s[28] = (s10 >> 14) | SHL64(s11,7);
    272272  s[29] = s11 >> 1;
    273273  s[30] = s11 >> 9;
    274274  s[31] = s11 >> 17;