clear torsion is working

src/crypto/crypto-ops-data.c

@@ -41,8 +41,9 @@ const fe fe_d2 = {-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -1
 /* a = -1 */
 // TODO: double check these consts
 const fe fe_a_sub_d = {10913609, -13857413, 15372611, -6949391, -114729, 8787816, 6275908, 3247719, 18696448, 12055116}; /* a - d */
-const fe fe_a0 = {-21827222, 27714826, -30745222, 13898782, 229458, -17575632, -12551816, -6495438, -37392896, -24110232}; /* A0 = 2 * (a + d) */
-const fe fe_ap = {43654444, -55429652, 61490444, -27797564, -458916, 35151264, 25103632, 12990876, 74785792, 48220464}; /* Ap = -2 * A0 */
+const fe fe_a0 = {-21827241, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199}; /* A0 = 2 * (a + d) */
+const fe fe_ap = {-23454401, 11679213, -5618422, 5756869, -458917, 1596832, 25103633, 12990876, 7676928, 14666033}; /* Ap = -2 * A0 */
+const fe fe_msqrt2b = {-1359796, -3165658, 8463188, -8916281, -9242332, 8801166, -2887120, 14417306, 28934311, 6371549};
 
 /* base[i][j] = (j+1)*256^i*B */
 const ge_precomp ge_base[32][8] = {

src/crypto/crypto-ops.c

@@ -1993,26 +1993,18 @@ void sc_reduce(unsigned char *s) {
   s[31] = s11 >> 17;
 }
 
-/* New code */
+/* From fe_pow22523.c */
 
-static void fe_divpowm1(fe r, const fe u, const fe v) {
-  fe v3, uv7, t0, t1, t2;
+void fe_pow22523(fe out, const fe z) {
+  fe t0;
+  fe t1;
+  fe t2;
   int i;
 
-  fe_sq(v3, v);
-  fe_mul(v3, v3, v); /* v3 = v^3 */
-  fe_sq(uv7, v3);
-  fe_mul(uv7, uv7, v);
-  fe_mul(uv7, uv7, u); /* uv7 = uv^7 */
-
-  /*fe_pow22523(uv7, uv7);*/
-
-  /* From fe_pow22523.c */
-
-  fe_sq(t0, uv7);
+  fe_sq(t0, z);
   fe_sq(t1, t0);
   fe_sq(t1, t1);
-  fe_mul(t1, uv7, t1);
+  fe_mul(t1, z, t1);
   fe_mul(t0, t0, t1);
   fe_sq(t0, t0);
   fe_mul(t0, t1, t0);
@@ -2051,12 +2043,24 @@ static void fe_divpowm1(fe r, const fe u, const fe v) {
   fe_mul(t0, t1, t0);
   fe_sq(t0, t0);
   fe_sq(t0, t0);
-  fe_mul(t0, t0, uv7);
+  fe_mul(out, t0, z);
+}
 
-  /* End fe_pow22523.c */
-  /* t0 = (uv^7)^((q-5)/8) */
-  fe_mul(t0, t0, v3);
-  fe_mul(r, t0, u); /* u^(m+1)v^(-(m+1)) */
+/* New code */
+
+static void fe_divpowm1(fe r, const fe u, const fe v) {
+  fe v3, uv7;
+
+  fe_sq(v3, v);
+  fe_mul(v3, v3, v); /* v3 = v^3 */
+  fe_sq(uv7, v3);
+  fe_mul(uv7, uv7, v);
+  fe_mul(uv7, uv7, u); /* uv7 = uv^7 */
+
+  fe_pow22523(r, uv7); /* (uv^7)^((q-5)/8) */
+
+  fe_mul(r, r, v3);
+  fe_mul(r, r, u); /* u^(m+1)v^(-(m+1)) */
 }
 
 static void ge_cached_0(ge_cached *r) {
@@ -3930,3 +3934,19 @@ void fe_ed_y_derivatives_to_wei_x(unsigned char *wei_x, const fe inv_one_minus_y
   fe_add(wei_x_fe, inv_one_minus_y_mul_one_plus_y, fe_a_inv_3);
   fe_tobytes(wei_x, wei_x_fe);
 }
+
+void fe_reduce(fe reduced_f, const fe f)
+{
+  unsigned char f_bytes[32];
+  fe_tobytes(f_bytes, f);
+  fe_frombytes_vartime(reduced_f, f_bytes);
+}
+
+void fe_dbl(fe h, const fe f)
+{
+  fe f_reduced;
+  fe_reduce(f_reduced, f);
+  fe h_res;
+  fe_add(h_res, f_reduced, f_reduced);
+  fe_reduce(h, h_res);
+}

src/crypto/crypto-ops.h

@@ -129,6 +129,10 @@ void ge_tobytes(unsigned char *, const ge_p2 *);
 
 void sc_reduce(unsigned char *);
 
+/* From fe_pow22523.c */
+
+void fe_pow22523(fe, const fe);
+
 /* New code */
 
 void ge_scalarmult(ge_p2 *, const unsigned char *, const ge_p3 *);
@@ -141,6 +145,7 @@ void ge_mul8(ge_p1p1 *, const ge_p2 *);
 extern const fe fe_a_sub_d;
 extern const fe fe_a0;
 extern const fe fe_ap;
+extern const fe fe_msqrt2b;
 extern const fe fe_ma2;
 extern const fe fe_ma;
 extern const fe fe_fffb1;
@@ -185,3 +190,6 @@ void fe_1(fe h);
 int ge_p3_is_point_at_infinity_vartime(const ge_p3 *p);
 
 void fe_ed_y_derivatives_to_wei_x(unsigned char *wei_x, const fe inv_one_minus_y, const fe one_plus_y);
+
+void fe_reduce(fe reduced_f, const fe f);
+void fe_dbl(fe h, const fe f);