Added NaCl crypto library.

10 files changed, 963 insertions, 0 deletions

diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/api.h b/nacl/crypto_sign/edwards25519sha512batch/ref/api.h
new file mode 100644
index 00000000..352240c0
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/api.h
@@ -0,0 +1,3 @@
+#define CRYPTO_SECRETKEYBYTES 64
+#define CRYPTO_PUBLICKEYBYTES 32
+#define CRYPTO_BYTES 64
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c
new file mode 100644
index 00000000..a9f806d2
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c
@@ -0,0 +1,345 @@
+#include "fe25519.h"
+
+#define WINDOWSIZE 4 /* Should be 1,2, or 4 */
+#define WINDOWMASK ((1<<WINDOWSIZE)-1)
+
+static void reduce_add_sub(fe25519 *r)
+{
+  crypto_uint32 t;
+  int i,rep;
+
+  for(rep=0;rep<4;rep++)
+  {
+    t = r->v[31] >> 7;
+    r->v[31] &= 127;
+    t *= 19;
+    r->v[0] += t;
+    for(i=0;i<31;i++)
+    {
+      t = r->v[i] >> 8;
+      r->v[i+1] += t;
+      r->v[i] &= 255;
+    }
+  }
+}
+
+static void reduce_mul(fe25519 *r)
+{
+  crypto_uint32 t;
+  int i,rep;
+
+  for(rep=0;rep<2;rep++)
+  {
+    t = r->v[31] >> 7;
+    r->v[31] &= 127;
+    t *= 19;
+    r->v[0] += t;
+    for(i=0;i<31;i++)
+    {
+      t = r->v[i] >> 8;
+      r->v[i+1] += t;
+      r->v[i] &= 255;
+    }
+  }
+}
+
+/* reduction modulo 2^255-19 */
+static void freeze(fe25519 *r) 
+{
+  int i;
+  unsigned int m = (r->v[31] == 127);
+  for(i=30;i>1;i--)
+    m *= (r->v[i] == 255);
+  m *= (r->v[0] >= 237);
+
+  r->v[31] -= m*127;
+  for(i=30;i>0;i--)
+    r->v[i] -= m*255;
+  r->v[0] -= m*237;
+}
+
+/*freeze input before calling isone*/
+static int isone(const fe25519 *x)
+{
+  int i;
+  int r = (x->v[0] == 1);
+  for(i=1;i<32;i++) 
+    r *= (x->v[i] == 0);
+  return r;
+}
+
+/*freeze input before calling iszero*/
+static int iszero(const fe25519 *x)
+{
+  int i;
+  int r = (x->v[0] == 0);
+  for(i=1;i<32;i++) 
+    r *= (x->v[i] == 0);
+  return r;
+}
+
+
+static int issquare(const fe25519 *x)
+{
+  unsigned char e[32] = {0xf6,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x3f}; /* (p-1)/2 */
+  fe25519 t;
+
+  fe25519_pow(&t,x,e);
+  freeze(&t);
+  return isone(&t) || iszero(&t);
+}
+
+void fe25519_unpack(fe25519 *r, const unsigned char x[32])
+{
+  int i;
+  for(i=0;i<32;i++) r->v[i] = x[i];
+  r->v[31] &= 127;
+}
+
+/* Assumes input x being reduced mod 2^255 */
+void fe25519_pack(unsigned char r[32], const fe25519 *x)
+{
+  int i;
+  for(i=0;i<32;i++) 
+    r[i] = x->v[i];
+  
+  /* freeze byte array */
+  unsigned int m = (r[31] == 127); /* XXX: some compilers might use branches; fix */
+  for(i=30;i>1;i--)
+    m *= (r[i] == 255);
+  m *= (r[0] >= 237);
+  r[31] -= m*127;
+  for(i=30;i>0;i--)
+    r[i] -= m*255;
+  r[0] -= m*237;
+}
+
+void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b)
+{
+  unsigned char nb = 1-b;
+  int i;
+  for(i=0;i<32;i++) r->v[i] = nb * r->v[i] + b * x->v[i];
+}
+
+unsigned char fe25519_getparity(const fe25519 *x)
+{
+  fe25519 t;
+  int i;
+  for(i=0;i<32;i++) t.v[i] = x->v[i];
+  freeze(&t);
+  return t.v[0] & 1;
+}
+
+void fe25519_setone(fe25519 *r)
+{
+  int i;
+  r->v[0] = 1;
+  for(i=1;i<32;i++) r->v[i]=0;
+}
+
+void fe25519_setzero(fe25519 *r)
+{
+  int i;
+  for(i=0;i<32;i++) r->v[i]=0;
+}
+
+void fe25519_neg(fe25519 *r, const fe25519 *x)
+{
+  fe25519 t;
+  int i;
+  for(i=0;i<32;i++) t.v[i]=x->v[i];
+  fe25519_setzero(r);
+  fe25519_sub(r, r, &t);
+}
+
+void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y)
+{
+  int i;
+  for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
+  reduce_add_sub(r);
+}
+
+void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y)
+{
+  int i;
+  crypto_uint32 t[32];
+  t[0] = x->v[0] + 0x1da;
+  t[31] = x->v[31] + 0xfe;
+  for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe;
+  for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i];
+  reduce_add_sub(r);
+}
+
+void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y)
+{
+  int i,j;
+  crypto_uint32 t[63];
+  for(i=0;i<63;i++)t[i] = 0;
+
+  for(i=0;i<32;i++)
+    for(j=0;j<32;j++)
+      t[i+j] += x->v[i] * y->v[j];
+
+  for(i=32;i<63;i++)
+    r->v[i-32] = t[i-32] + 38*t[i]; 
+  r->v[31] = t[31]; /* result now in r[0]...r[31] */
+
+  reduce_mul(r);
+}
+
+void fe25519_square(fe25519 *r, const fe25519 *x)
+{
+  fe25519_mul(r, x, x);
+}
+
+/*XXX: Make constant time! */
+void fe25519_pow(fe25519 *r, const fe25519 *x, const unsigned char *e)
+{
+  /*
+  fe25519 g;
+  fe25519_setone(&g);
+  int i;
+  unsigned char j;
+  for(i=32;i>0;i--)
+  {
+    for(j=128;j>0;j>>=1)
+    {
+      fe25519_square(&g,&g);
+      if(e[i-1] & j) 
+        fe25519_mul(&g,&g,x);
+    }
+  }
+  for(i=0;i<32;i++) r->v[i] = g.v[i];
+  */
+  fe25519 g;
+  fe25519_setone(&g);
+  int i,j,k;
+  fe25519 pre[(1 << WINDOWSIZE)];
+  fe25519 t;
+  unsigned char w;
+
+  // Precomputation
+  fe25519_setone(pre);
+  pre[1] = *x;
+  for(i=2;i<(1<<WINDOWSIZE);i+=2)
+  {
+    fe25519_square(pre+i, pre+i/2);
+    fe25519_mul(pre+i+1, pre+i, pre+1);
+  }
+
+  // Fixed-window scalar multiplication
+  for(i=32;i>0;i--)
+  {
+    for(j=8-WINDOWSIZE;j>=0;j-=WINDOWSIZE)
+    {
+      for(k=0;k<WINDOWSIZE;k++)
+        fe25519_square(&g, &g);
+      // Cache-timing resistant loading of precomputed value:
+      w = (e[i-1]>>j) & WINDOWMASK;
+      t = pre[0];
+      for(k=1;k<(1<<WINDOWSIZE);k++)
+        fe25519_cmov(&t, &pre[k], k==w);
+      fe25519_mul(&g, &g, &t);
+    }
+  }
+  *r = g;
+}
+
+/* Return 0 on success, 1 otherwise */
+int fe25519_sqrt_vartime(fe25519 *r, const fe25519 *x, unsigned char parity)
+{
+  /* See HAC, Alg. 3.37 */
+  if (!issquare(x)) return -1;
+  unsigned char e[32] = {0xfb,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x1f}; /* (p-1)/4 */
+  unsigned char e2[32] = {0xfe,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x0f}; /* (p+3)/8 */
+  unsigned char e3[32] = {0xfd,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x0f}; /* (p-5)/8 */
+  fe25519 p = {{0}};
+  fe25519 d;
+  int i;
+  fe25519_pow(&d,x,e);
+  freeze(&d);
+  if(isone(&d))
+    fe25519_pow(r,x,e2);
+  else
+  {
+    for(i=0;i<32;i++)
+      d.v[i] = 4*x->v[i];
+    fe25519_pow(&d,&d,e3);
+    for(i=0;i<32;i++)
+      r->v[i] = 2*x->v[i];
+    fe25519_mul(r,r,&d);
+  }
+  freeze(r);
+  if((r->v[0] & 1) != (parity & 1))
+  {
+    fe25519_sub(r,&p,r);
+  }
+  return 0;
+}
+
+void fe25519_invert(fe25519 *r, const fe25519 *x)
+{
+        fe25519 z2;
+        fe25519 z9;
+        fe25519 z11;
+        fe25519 z2_5_0;
+        fe25519 z2_10_0;
+        fe25519 z2_20_0;
+        fe25519 z2_50_0;
+        fe25519 z2_100_0;
+        fe25519 t0;
+        fe25519 t1;
+        int i;
+        
+        /* 2 */ fe25519_square(&z2,x);
+        /* 4 */ fe25519_square(&t1,&z2);
+        /* 8 */ fe25519_square(&t0,&t1);
+        /* 9 */ fe25519_mul(&z9,&t0,x);
+        /* 11 */ fe25519_mul(&z11,&z9,&z2);
+        /* 22 */ fe25519_square(&t0,&z11);
+        /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9);
+
+        /* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0);
+        /* 2^7 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^8 - 2^3 */ fe25519_square(&t0,&t1);
+        /* 2^9 - 2^4 */ fe25519_square(&t1,&t0);
+        /* 2^10 - 2^5 */ fe25519_square(&t0,&t1);
+        /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0);
+
+        /* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0);
+        /* 2^12 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0);
+
+        /* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0);
+        /* 2^22 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0);
+
+        /* 2^41 - 2^1 */ fe25519_square(&t1,&t0);
+        /* 2^42 - 2^2 */ fe25519_square(&t0,&t1);
+        /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
+        /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0);
+
+        /* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0);
+        /* 2^52 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0);
+
+        /* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0);
+        /* 2^102 - 2^2 */ fe25519_square(&t0,&t1);
+        /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); }
+        /* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0);
+
+        /* 2^201 - 2^1 */ fe25519_square(&t0,&t1);
+        /* 2^202 - 2^2 */ fe25519_square(&t1,&t0);
+        /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); }
+        /* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0);
+
+        /* 2^251 - 2^1 */ fe25519_square(&t1,&t0);
+        /* 2^252 - 2^2 */ fe25519_square(&t0,&t1);
+        /* 2^253 - 2^3 */ fe25519_square(&t1,&t0);
+        /* 2^254 - 2^4 */ fe25519_square(&t0,&t1);
+        /* 2^255 - 2^5 */ fe25519_square(&t1,&t0);
+        /* 2^255 - 21 */ fe25519_mul(r,&t1,&z11);
+}
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h
new file mode 100644
index 00000000..e07ddba7
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h
@@ -0,0 +1,54 @@
+#ifndef FE25519_H
+#define FE25519_H
+
+#define fe25519 crypto_sign_edwards25519sha512batch_fe25519
+#define fe25519_unpack crypto_sign_edwards25519sha512batch_fe25519_unpack
+#define fe25519_pack crypto_sign_edwards25519sha512batch_fe25519_pack
+#define fe25519_cmov crypto_sign_edwards25519sha512batch_fe25519_cmov
+#define fe25519_setone crypto_sign_edwards25519sha512batch_fe25519_setone
+#define fe25519_setzero crypto_sign_edwards25519sha512batch_fe25519_setzero
+#define fe25519_neg crypto_sign_edwards25519sha512batch_fe25519_neg
+#define fe25519_getparity crypto_sign_edwards25519sha512batch_fe25519_getparity
+#define fe25519_add crypto_sign_edwards25519sha512batch_fe25519_add
+#define fe25519_sub crypto_sign_edwards25519sha512batch_fe25519_sub
+#define fe25519_mul crypto_sign_edwards25519sha512batch_fe25519_mul
+#define fe25519_square crypto_sign_edwards25519sha512batch_fe25519_square
+#define fe25519_pow crypto_sign_edwards25519sha512batch_fe25519_pow
+#define fe25519_sqrt_vartime crypto_sign_edwards25519sha512batch_fe25519_sqrt_vartime
+#define fe25519_invert crypto_sign_edwards25519sha512batch_fe25519_invert
+
+#include "crypto_uint32.h"
+
+typedef struct {
+  crypto_uint32 v[32]; 
+} fe25519;
+
+void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
+
+void fe25519_pack(unsigned char r[32], const fe25519 *x);
+
+void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
+
+void fe25519_setone(fe25519 *r);
+
+void fe25519_setzero(fe25519 *r);
+
+void fe25519_neg(fe25519 *r, const fe25519 *x);
+
+unsigned char fe25519_getparity(const fe25519 *x);
+
+void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
+
+void fe25519_square(fe25519 *r, const fe25519 *x);
+
+void fe25519_pow(fe25519 *r, const fe25519 *x, const unsigned char *e);
+
+int fe25519_sqrt_vartime(fe25519 *r, const fe25519 *x, unsigned char parity);
+
+void fe25519_invert(fe25519 *r, const fe25519 *x);
+
+#endif
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c
new file mode 100644
index 00000000..a57b8f3c
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c
@@ -0,0 +1,227 @@
+#include "fe25519.h"
+#include "sc25519.h"
+#include "ge25519.h"
+
+/* 
+ * Arithmetic on the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 
+ * with d = -(121665/121666) = 37095705934669439343138083508754565189542113879843219016388785533085940283555
+ * Base point: (15112221349535400772501151409588531511454012693041857206046113283949847762202,46316835694926478169428394003475163141307993866256225615783033603165251855960);
+ */
+
+typedef struct
+{
+  fe25519 x;
+  fe25519 z;
+  fe25519 y;
+  fe25519 t;
+} ge25519_p1p1;
+
+typedef struct
+{
+  fe25519 x;
+  fe25519 y;
+  fe25519 z;
+} ge25519_p2;
+
+#define ge25519_p3 ge25519
+
+/* Windowsize for fixed-window scalar multiplication */
+#define WINDOWSIZE 2                      /* Should be 1,2, or 4 */
+#define WINDOWMASK ((1<<WINDOWSIZE)-1)
+
+/* packed parameter d in the Edwards curve equation */
+static const unsigned char ecd[32] = {0xA3, 0x78, 0x59, 0x13, 0xCA, 0x4D, 0xEB, 0x75, 0xAB, 0xD8, 0x41, 0x41, 0x4D, 0x0A, 0x70, 0x00, 
+                                      0x98, 0xE8, 0x79, 0x77, 0x79, 0x40, 0xC7, 0x8C, 0x73, 0xFE, 0x6F, 0x2B, 0xEE, 0x6C, 0x03, 0x52};
+
+/* Packed coordinates of the base point */
+static const unsigned char ge25519_base_x[32] = {0x1A, 0xD5, 0x25, 0x8F, 0x60, 0x2D, 0x56, 0xC9, 0xB2, 0xA7, 0x25, 0x95, 0x60, 0xC7, 0x2C, 0x69, 
+                                                 0x5C, 0xDC, 0xD6, 0xFD, 0x31, 0xE2, 0xA4, 0xC0, 0xFE, 0x53, 0x6E, 0xCD, 0xD3, 0x36, 0x69, 0x21};
+static const unsigned char ge25519_base_y[32] = {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 
+                                                 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66};
+static const unsigned char ge25519_base_z[32] = {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
+static const unsigned char ge25519_base_t[32] = {0xA3, 0xDD, 0xB7, 0xA5, 0xB3, 0x8A, 0xDE, 0x6D, 0xF5, 0x52, 0x51, 0x77, 0x80, 0x9F, 0xF0, 0x20, 
+                                                 0x7D, 0xE3, 0xAB, 0x64, 0x8E, 0x4E, 0xEA, 0x66, 0x65, 0x76, 0x8B, 0xD7, 0x0F, 0x5F, 0x87, 0x67};
+
+/* Packed coordinates of the neutral element */
+static const unsigned char ge25519_neutral_x[32] = {0};
+static const unsigned char ge25519_neutral_y[32] = {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
+static const unsigned char ge25519_neutral_z[32] = {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
+static const unsigned char ge25519_neutral_t[32] = {0};
+
+static void p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p)
+{
+  fe25519_mul(&r->x, &p->x, &p->t);
+  fe25519_mul(&r->y, &p->y, &p->z);
+  fe25519_mul(&r->z, &p->z, &p->t);
+}
+
+static void p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p)
+{
+  p1p1_to_p2((ge25519_p2 *)r, p);
+  fe25519_mul(&r->t, &p->x, &p->y);
+}
+
+/* Constant-time version of: if(b) r = p */
+static void cmov_p3(ge25519_p3 *r, const ge25519_p3 *p, unsigned char b)
+{
+  fe25519_cmov(&r->x, &p->x, b);
+  fe25519_cmov(&r->y, &p->y, b);
+  fe25519_cmov(&r->z, &p->z, b);
+  fe25519_cmov(&r->t, &p->t, b);
+}
+
+/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
+static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p)
+{
+  fe25519 a,b,c,d;
+  fe25519_square(&a, &p->x);
+  fe25519_square(&b, &p->y);
+  fe25519_square(&c, &p->z);
+  fe25519_add(&c, &c, &c);
+  fe25519_neg(&d, &a);
+
+  fe25519_add(&r->x, &p->x, &p->y);
+  fe25519_square(&r->x, &r->x);
+  fe25519_sub(&r->x, &r->x, &a);
+  fe25519_sub(&r->x, &r->x, &b);
+  fe25519_add(&r->z, &d, &b);
+  fe25519_sub(&r->t, &r->z, &c);
+  fe25519_sub(&r->y, &d, &b);
+}
+
+static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q)
+{
+  fe25519 a, b, c, d, t, fd;
+  fe25519_unpack(&fd, ecd);
+  
+  fe25519_sub(&a, &p->y, &p->x); // A = (Y1-X1)*(Y2-X2)
+  fe25519_sub(&t, &q->y, &q->x);
+  fe25519_mul(&a, &a, &t);
+  fe25519_add(&b, &p->x, &p->y); // B = (Y1+X1)*(Y2+X2)
+  fe25519_add(&t, &q->x, &q->y);
+  fe25519_mul(&b, &b, &t);
+  fe25519_mul(&c, &p->t, &q->t); //C = T1*k*T2
+  fe25519_mul(&c, &c, &fd);
+  fe25519_add(&c, &c, &c);       //XXX: Can save this addition by precomputing 2*ecd
+  fe25519_mul(&d, &p->z, &q->z); //D = Z1*2*Z2
+  fe25519_add(&d, &d, &d);
+  fe25519_sub(&r->x, &b, &a); // E = B-A
+  fe25519_sub(&r->t, &d, &c); // F = D-C
+  fe25519_add(&r->z, &d, &c); // G = D+C
+  fe25519_add(&r->y, &b, &a); // H = B+A
+}
+
+/* ********************************************************************
+ *                    EXPORTED FUNCTIONS
+ ******************************************************************** */
+
+/* return 0 on success, -1 otherwise */
+int ge25519_unpack_vartime(ge25519_p3 *r, const unsigned char p[32])
+{
+  int ret;
+  fe25519 t, fd;
+  fe25519_setone(&r->z);
+  fe25519_unpack(&fd, ecd);
+  unsigned char par = p[31] >> 7;
+  fe25519_unpack(&r->y, p);
+  fe25519_square(&r->x, &r->y);
+  fe25519_mul(&t, &r->x, &fd);
+  fe25519_sub(&r->x, &r->x, &r->z);
+  fe25519_add(&t, &r->z, &t);
+  fe25519_invert(&t, &t);
+  fe25519_mul(&r->x, &r->x, &t);
+  ret = fe25519_sqrt_vartime(&r->x, &r->x, par);
+  fe25519_mul(&r->t, &r->x, &r->y);
+  return ret;
+}
+
+void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
+{
+  fe25519 tx, ty, zi;
+  fe25519_invert(&zi, &p->z); 
+  fe25519_mul(&tx, &p->x, &zi);
+  fe25519_mul(&ty, &p->y, &zi);
+  fe25519_pack(r, &ty);
+  r[31] ^= fe25519_getparity(&tx) << 7;
+}
+
+void ge25519_add(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q)
+{
+  ge25519_p1p1 grp1p1;
+  add_p1p1(&grp1p1, p, q);
+  p1p1_to_p3(r, &grp1p1);
+}
+
+void ge25519_double(ge25519_p3 *r, const ge25519_p3 *p)
+{
+  ge25519_p1p1 grp1p1;
+  dbl_p1p1(&grp1p1, (ge25519_p2 *)p);
+  p1p1_to_p3(r, &grp1p1);
+}
+
+void ge25519_scalarmult(ge25519_p3 *r, const ge25519_p3 *p, const sc25519 *s)
+{
+  int i,j,k;
+  ge25519_p3 g;  
+  fe25519_unpack(&g.x, ge25519_neutral_x);
+  fe25519_unpack(&g.y, ge25519_neutral_y);
+  fe25519_unpack(&g.z, ge25519_neutral_z);
+  fe25519_unpack(&g.t, ge25519_neutral_t);
+
+  ge25519_p3 pre[(1 << WINDOWSIZE)];
+  ge25519_p3 t;
+  ge25519_p1p1 tp1p1;
+  unsigned char w;
+  unsigned char sb[32];
+  sc25519_to32bytes(sb, s);
+
+  // Precomputation
+  pre[0] = g;
+  pre[1] = *p;
+  for(i=2;i<(1<<WINDOWSIZE);i+=2)
+  {
+    dbl_p1p1(&tp1p1, (ge25519_p2 *)(pre+i/2));
+    p1p1_to_p3(pre+i, &tp1p1);
+    add_p1p1(&tp1p1, pre+i, pre+1);
+    p1p1_to_p3(pre+i+1, &tp1p1);
+  }
+
+  // Fixed-window scalar multiplication
+  for(i=32;i>0;i--)
+  {
+    for(j=8-WINDOWSIZE;j>=0;j-=WINDOWSIZE)
+    {
+      for(k=0;k<WINDOWSIZE-1;k++)
+      {
+        dbl_p1p1(&tp1p1, (ge25519_p2 *)&g);
+        p1p1_to_p2((ge25519_p2 *)&g, &tp1p1);
+      }
+      dbl_p1p1(&tp1p1, (ge25519_p2 *)&g);
+      p1p1_to_p3(&g, &tp1p1);
+      // Cache-timing resistant loading of precomputed value:
+      w = (sb[i-1]>>j) & WINDOWMASK;
+      t = pre[0];
+      for(k=1;k<(1<<WINDOWSIZE);k++)
+        cmov_p3(&t, &pre[k], k==w);
+
+      add_p1p1(&tp1p1, &g, &t);
+      if(j != 0) p1p1_to_p2((ge25519_p2 *)&g, &tp1p1);
+      else p1p1_to_p3(&g, &tp1p1); /* convert to p3 representation at the end */
+    }
+  }
+  r->x = g.x;
+  r->y = g.y;
+  r->z = g.z;
+  r->t = g.t;
+}
+
+void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
+{
+  /* XXX: Better algorithm for known-base-point scalar multiplication */
+  ge25519_p3 t;
+  fe25519_unpack(&t.x, ge25519_base_x);
+  fe25519_unpack(&t.y, ge25519_base_y);
+  fe25519_unpack(&t.z, ge25519_base_z);
+  fe25519_unpack(&t.t, ge25519_base_t);
+  ge25519_scalarmult(r, &t, s);          
+}
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h
new file mode 100644
index 00000000..49ad163a
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h
@@ -0,0 +1,34 @@
+#ifndef GE25519_H
+#define GE25519_H
+
+#include "fe25519.h"
+#include "sc25519.h"
+
+#define ge25519 crypto_sign_edwards25519sha512batch_ge25519
+#define ge25519_unpack_vartime crypto_sign_edwards25519sha512batch_ge25519_unpack_vartime
+#define ge25519_pack crypto_sign_edwards25519sha512batch_ge25519_pack
+#define ge25519_add crypto_sign_edwards25519sha512batch_ge25519_add
+#define ge25519_double crypto_sign_edwards25519sha512batch_ge25519_double
+#define ge25519_scalarmult crypto_sign_edwards25519sha512batch_ge25519_scalarmult
+#define ge25519_scalarmult_base crypto_sign_edwards25519sha512batch_ge25519_scalarmult_base
+
+typedef struct {
+  fe25519 x;
+  fe25519 y;
+  fe25519 z;
+  fe25519 t;
+} ge25519;
+
+int ge25519_unpack_vartime(ge25519 *r, const unsigned char p[32]);
+
+void ge25519_pack(unsigned char r[32], const ge25519 *p);
+
+void ge25519_add(ge25519 *r, const ge25519 *p, const ge25519 *q);
+
+void ge25519_double(ge25519 *r, const ge25519 *p);
+
+void ge25519_scalarmult(ge25519 *r, const ge25519 *p, const sc25519 *s);
+
+void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
+
+#endif
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c
new file mode 100644
index 00000000..5f27eb1b
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c
@@ -0,0 +1,146 @@
+#include "sc25519.h"
+
+/*Arithmetic modulo the group order n = 2^252 +  27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */
+
+static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14, 
+                                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
+
+static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21, 
+                                     0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
+
+/* Reduce coefficients of r before calling reduce_add_sub */
+static void reduce_add_sub(sc25519 *r)
+{
+  int i, b, pb=0, nb;
+  unsigned char t[32];
+
+  for(i=0;i<32;i++) 
+  {
+    b = (r->v[i]<pb+m[i]);
+    t[i] = r->v[i]-pb-m[i]+b*256;
+    pb = b;
+  }
+  nb = 1-b;
+  for(i=0;i<32;i++) 
+    r->v[i] = r->v[i]*b + t[i]*nb;
+}
+
+/* Reduce coefficients of x before calling barrett_reduce */
+static void barrett_reduce(sc25519 *r, const crypto_uint32 x[64])
+{
+  /* See HAC, Alg. 14.42 */
+  int i,j;
+  crypto_uint32 q2[66] = {0};
+  crypto_uint32 *q3 = q2 + 33;
+  crypto_uint32 r1[33];
+  crypto_uint32 r2[33] = {0};
+  crypto_uint32 carry;
+  int b, pb=0;
+
+  for(i=0;i<33;i++)
+    for(j=0;j<33;j++)
+      if(i+j >= 31) q2[i+j] += mu[i]*x[j+31];
+  carry = q2[31] >> 8;
+  q2[32] += carry;
+  carry = q2[32] >> 8;
+  q2[33] += carry;
+
+  for(i=0;i<33;i++)r1[i] = x[i];
+  for(i=0;i<32;i++)
+    for(j=0;j<33;j++)
+      if(i+j < 33) r2[i+j] += m[i]*q3[j];
+
+  for(i=0;i<32;i++)
+  {
+    carry = r2[i] >> 8;
+    r2[i+1] += carry;
+    r2[i] &= 0xff;
+  }
+
+  for(i=0;i<32;i++) 
+  {
+    b = (r1[i]<pb+r2[i]);
+    r->v[i] = r1[i]-pb-r2[i]+b*256;
+    pb = b;
+  }
+
+  /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3 
+   * If so: Handle  it here!
+   */
+
+  reduce_add_sub(r);
+  reduce_add_sub(r);
+}
+
+/*
+static int iszero(const sc25519 *x)
+{
+  // Implement
+  return 0;
+}
+*/
+
+void sc25519_from32bytes(sc25519 *r, const unsigned char x[32])
+{
+  int i;
+  crypto_uint32 t[64] = {0};
+  for(i=0;i<32;i++) t[i] = x[i];
+  barrett_reduce(r, t);
+}
+
+void sc25519_from64bytes(sc25519 *r, const unsigned char x[64])
+{
+  int i;
+  crypto_uint32 t[64] = {0};
+  for(i=0;i<64;i++) t[i] = x[i];
+  barrett_reduce(r, t);
+}
+
+/* XXX: What we actually want for crypto_group is probably just something like
+ * void sc25519_frombytes(sc25519 *r, const unsigned char *x, size_t xlen)
+ */
+
+void sc25519_to32bytes(unsigned char r[32], const sc25519 *x)
+{
+  int i;
+  for(i=0;i<32;i++) r[i] = x->v[i];
+}
+
+void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  int i, carry;
+  for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
+  for(i=0;i<31;i++)
+  {
+    carry = r->v[i] >> 8;
+    r->v[i+1] += carry;
+    r->v[i] &= 0xff;
+  }
+  reduce_add_sub(r);
+}
+
+void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  int i,j,carry;
+  crypto_uint32 t[64];
+  for(i=0;i<64;i++)t[i] = 0;
+
+  for(i=0;i<32;i++)
+    for(j=0;j<32;j++)
+      t[i+j] += x->v[i] * y->v[j];
+
+  /* Reduce coefficients */
+  for(i=0;i<63;i++)
+  {
+    carry = t[i] >> 8;
+    t[i+1] += carry;
+    t[i] &= 0xff;
+  }
+
+  barrett_reduce(r, t);
+}
+
+void sc25519_square(sc25519 *r, const sc25519 *x)
+{
+  sc25519_mul(r, x, x);
+}
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h
new file mode 100644
index 00000000..48584a85
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h
@@ -0,0 +1,51 @@
+#ifndef SC25519_H
+#define SC25519_H
+
+#define sc25519 crypto_sign_edwards25519sha512batch_sc25519
+#define sc25519_from32bytes crypto_sign_edwards25519sha512batch_sc25519_from32bytes
+#define sc25519_from64bytes crypto_sign_edwards25519sha512batch_sc25519_from64bytes
+#define sc25519_to32bytes crypto_sign_edwards25519sha512batch_sc25519_to32bytes
+#define sc25519_pack crypto_sign_edwards25519sha512batch_sc25519_pack
+#define sc25519_getparity crypto_sign_edwards25519sha512batch_sc25519_getparity
+#define sc25519_setone crypto_sign_edwards25519sha512batch_sc25519_setone
+#define sc25519_setzero crypto_sign_edwards25519sha512batch_sc25519_setzero
+#define sc25519_neg crypto_sign_edwards25519sha512batch_sc25519_neg
+#define sc25519_add crypto_sign_edwards25519sha512batch_sc25519_add
+#define sc25519_sub crypto_sign_edwards25519sha512batch_sc25519_sub
+#define sc25519_mul crypto_sign_edwards25519sha512batch_sc25519_mul
+#define sc25519_square crypto_sign_edwards25519sha512batch_sc25519_square
+#define sc25519_invert crypto_sign_edwards25519sha512batch_sc25519_invert
+
+#include "crypto_uint32.h"
+
+typedef struct {
+  crypto_uint32 v[32]; 
+} sc25519;
+
+void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
+
+void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]);
+
+void sc25519_to32bytes(unsigned char r[32], const sc25519 *x);
+
+void sc25519_pack(unsigned char r[32], const sc25519 *x);
+
+unsigned char sc25519_getparity(const sc25519 *x);
+
+void sc25519_setone(sc25519 *r);
+
+void sc25519_setzero(sc25519 *r);
+
+void sc25519_neg(sc25519 *r, const sc25519 *x);
+
+void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y);
+
+void sc25519_sub(sc25519 *r, const sc25519 *x, const sc25519 *y);
+
+void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y);
+
+void sc25519_square(sc25519 *r, const sc25519 *x);
+
+void sc25519_invert(sc25519 *r, const sc25519 *x);
+
+#endif
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c b/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c
new file mode 100644
index 00000000..f40e548b
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c
@@ -0,0 +1,103 @@
+#include "api.h"
+#include "crypto_sign.h"
+#include "crypto_hash_sha512.h"
+#include "randombytes.h"
+#include "crypto_verify_32.h"
+
+#include "ge25519.h"
+
+int crypto_sign_keypair(
+    unsigned char *pk,
+    unsigned char *sk
+    )
+{
+  sc25519 scsk;
+  ge25519 gepk;
+
+  randombytes(sk, 32);
+  crypto_hash_sha512(sk, sk, 32);
+  sk[0] &= 248;
+  sk[31] &= 127;
+  sk[31] |= 64;
+
+  sc25519_from32bytes(&scsk,sk);
+  
+  ge25519_scalarmult_base(&gepk, &scsk);
+  ge25519_pack(pk, &gepk);
+  return 0;
+}
+
+int crypto_sign(
+    unsigned char *sm,unsigned long long *smlen,
+    const unsigned char *m,unsigned long long mlen,
+    const unsigned char *sk
+    )
+{
+  sc25519 sck, scs, scsk;
+  ge25519 ger;
+  unsigned char r[32];
+  unsigned char s[32];
+  unsigned long long i;
+  unsigned char hmg[crypto_hash_sha512_BYTES];
+  unsigned char hmr[crypto_hash_sha512_BYTES];
+
+  *smlen = mlen+64;
+  for(i=0;i<mlen;i++)
+    sm[32 + i] = m[i];
+  for(i=0;i<32;i++)
+    sm[i] = sk[32+i];
+  crypto_hash_sha512(hmg, sm, mlen+32); /* Generate k as h(m,sk[32],...,sk[63]) */
+
+  sc25519_from64bytes(&sck, hmg);
+  ge25519_scalarmult_base(&ger, &sck);
+  ge25519_pack(r, &ger);
+  
+  for(i=0;i<32;i++)
+    sm[i] = r[i];
+
+  crypto_hash_sha512(hmr, sm, mlen+32); /* Compute h(m,r) */
+  sc25519_from64bytes(&scs, hmr);
+  sc25519_mul(&scs, &scs, &sck);
+  
+  sc25519_from32bytes(&scsk, sk);
+  sc25519_add(&scs, &scs, &scsk);
+
+  sc25519_to32bytes(s,&scs); /* cat s */
+  for(i=0;i<32;i++)
+    sm[mlen+32+i] = s[i]; 
+
+  return 0;
+}
+
+int crypto_sign_open(
+    unsigned char *m,unsigned long long *mlen,
+    const unsigned char *sm,unsigned long long smlen,
+    const unsigned char *pk
+    )
+{
+  int i;
+  unsigned char t1[32], t2[32];
+  ge25519 get1, get2, gepk;
+  sc25519 schmr, scs;
+  unsigned char hmr[crypto_hash_sha512_BYTES];
+
+  if (ge25519_unpack_vartime(&get1, sm)) return -1;
+  if (ge25519_unpack_vartime(&gepk, pk)) return -1;
+
+  crypto_hash_sha512(hmr,sm,smlen-32);
+
+  sc25519_from64bytes(&schmr, hmr);
+  ge25519_scalarmult(&get1, &get1, &schmr);
+  ge25519_add(&get1, &get1, &gepk);
+  ge25519_pack(t1, &get1);
+
+  sc25519_from32bytes(&scs, &sm[smlen-32]);
+  ge25519_scalarmult_base(&get2, &scs);
+  ge25519_pack(t2, &get2);
+
+  for(i=0;i<smlen-64;i++)
+    m[i] = sm[i + 32];
+  *mlen = smlen-64;
+
+  return crypto_verify_32(t1, t2);
+}
diff --git a/nacl/crypto_sign/edwards25519sha512batch/selected b/nacl/crypto_sign/edwards25519sha512batch/selected
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/selected
diff --git a/nacl/crypto_sign/edwards25519sha512batch/used b/nacl/crypto_sign/edwards25519sha512batch/used
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/used