Add the ed25519 ref10 code verbatim from supercop-20140622

We might use libsodium or ed25519-donna later on, but for now, let's
see whether this is fast enough.  We should use it in all cases when
performance doesn't matter.

1 files changed, 63 insertions, 0 deletions

diff --git a/src/ext/ed25519/ref10/fe_cmov.c b/src/ext/ed25519/ref10/fe_cmov.c
new file mode 100644
index 0000000000..8ca584fb19
--- /dev/null
+++ b/src/ext/ed25519/ref10/fe_cmov.c
@@ -0,0 +1,63 @@
+#include "fe.h"
+
+/*
+Replace (f,g) with (g,g) if b == 1;
+replace (f,g) with (f,g) if b == 0.
+
+Preconditions: b in {0,1}.
+*/
+
+void fe_cmov(fe f,const fe g,unsigned int b)
+{
+  crypto_int32 f0 = f[0];
+  crypto_int32 f1 = f[1];
+  crypto_int32 f2 = f[2];
+  crypto_int32 f3 = f[3];
+  crypto_int32 f4 = f[4];
+  crypto_int32 f5 = f[5];
+  crypto_int32 f6 = f[6];
+  crypto_int32 f7 = f[7];
+  crypto_int32 f8 = f[8];
+  crypto_int32 f9 = f[9];
+  crypto_int32 g0 = g[0];
+  crypto_int32 g1 = g[1];
+  crypto_int32 g2 = g[2];
+  crypto_int32 g3 = g[3];
+  crypto_int32 g4 = g[4];
+  crypto_int32 g5 = g[5];
+  crypto_int32 g6 = g[6];
+  crypto_int32 g7 = g[7];
+  crypto_int32 g8 = g[8];
+  crypto_int32 g9 = g[9];
+  crypto_int32 x0 = f0 ^ g0;
+  crypto_int32 x1 = f1 ^ g1;
+  crypto_int32 x2 = f2 ^ g2;
+  crypto_int32 x3 = f3 ^ g3;
+  crypto_int32 x4 = f4 ^ g4;
+  crypto_int32 x5 = f5 ^ g5;
+  crypto_int32 x6 = f6 ^ g6;
+  crypto_int32 x7 = f7 ^ g7;
+  crypto_int32 x8 = f8 ^ g8;
+  crypto_int32 x9 = f9 ^ g9;
+  b = -b;
+  x0 &= b;
+  x1 &= b;
+  x2 &= b;
+  x3 &= b;
+  x4 &= b;
+  x5 &= b;
+  x6 &= b;
+  x7 &= b;
+  x8 &= b;
+  x9 &= b;
+  f[0] = f0 ^ x0;
+  f[1] = f1 ^ x1;
+  f[2] = f2 ^ x2;
+  f[3] = f3 ^ x3;
+  f[4] = f4 ^ x4;
+  f[5] = f5 ^ x5;
+  f[6] = f6 ^ x6;
+  f[7] = f7 ^ x7;
+  f[8] = f8 ^ x8;
+  f[9] = f9 ^ x9;
+}