// +build !amd64 noasm package sidh var three238m1 = []uint8{ 0xf8, 0x84, 0x83, 0x82, 0x8a, 0x71, 0xcd, 0xed, 0x14, 0x7a, 0x42, 0xd4, 0xbf, 0x35, 0x3b, 0x73, 0x38, 0xcf, 0xd7, 0x94, 0xcf, 0x29, 0x82, 0xf8, 0xd6, 0x2a, 0x7c, 0x0c, 0x99, 0x6c, 0xc5, 0x63, 0xc7, 0x22, 0x42, 0x8f, 0x7e, 0xa8, 0x58, 0xb8, 0xf5, 0xea, 0x25, 0xb5, 0xc6, 0xc9, 0x54, 0x02} func addc8(cin, a, b uint8) (ret, cout uint8) { t := a + cin ret = b + t cout = ((a & b) | ((a | b) & (^ret))) >> 7 return } func subc8(bIn, a, b uint8) (ret, bOut uint8) { var tmp1 = a - b ret = tmp1 - bIn // Set bOut if bIn!=0 and tmp1==0 in constant time bOut = bIn & (1 ^ ((tmp1 | uint8(0-tmp1)) >> 7)) // Constant time check if a> 7 return } // Set result to zero if the input scalar is <= 3^238, otherwise result is 1. // Scalar must be array of 48 bytes. This function is specific to P751. func checkLessThanThree238(scalar []byte) uint8 { var borrow uint8 for i := 0; i < len(three238m1); i++ { _, borrow = subc8(borrow, three238m1[i], scalar[i]) } return borrow } // Multiply 48-byte scalar by 3 to get a scalar in 3*[0,3^238). This // function is specific to P751. func multiplyByThree(scalar []byte) { var carry uint8 var dbl [48]uint8 for i := 0; i < len(scalar); i++ { dbl[i], carry = addc8(carry, scalar[i], scalar[i]) } for i := 0; i < len(scalar); i++ { scalar[i], carry = addc8(carry, dbl[i], scalar[i]) } }