crypto/internal/edwards25519: replace scalar field with fiat-crypto
This was the last piece of ref10 code, including the infamous "Christmas
tree" in scMulAdd, that approximately all
Ed25519 implementations
inherited. Replace the whole scalar field implementation with a
fiat-crypto generated one, like those in crypto/internal/nistec/fiat.
The only complexity is the wide reduction (both for the 64-byte one and
for the clamped input). For that we do a limbed reduction suggested by
Frank Denis.
Some minor housekeeping and test changes from filippo.io/edwards25519
are included, as part of syncing with downstream.
Ignoring the autogenerated file, the diff is
268 insertions(+), 893 deletions(-)
George Tankersley signed the Individual CLA and authorized me to submit
this change on his behalf at the time he contributed it to
filippo.io/edwards25519.
Co-authored-by: George Tankersley <george.tankersley@gmail.com>
Change-Id: I4084b4d3813f36e16b3d8839df75da1b4fd7846b
Reviewed-on: https://go-review.googlesource.com/c/go/+/420454
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>