);A(b,p[0],p[1]);A(t,q[0],q[1]);M(b,b,t);M(c,p[3],q[3]);M(c,c,D2);M(d,p[2],q[2]);A(d,d,d);Z(e,b,a);Z(f,d,c);A(g,d,c);A(h,b,a);M(p[0],e,f);M(

p[1],h,g);M(p[2],g,f);M(p[3],e,h);}sv cswap(gf p[4],gf q[4],u8 b){int i;FOR(i,4)sel25519(p[i],q[i],b);}sv pack(u8*r,gf p[4]){gf tx,ty,zi;

inv25519(zi,p[2]);M(tx,p[0],zi);M(ty,p[1],zi);pack25519(r,ty);r[31]^=par25519(tx)<<7;}sv scalarmult(gf p[4],gf q[4],const u8*s){int i;

set25519(p[0],gf0);set25519(p[1],gf1);set25519(p[2],gf1);set25519(p[3],gf0);for(i=255;i>=0;--i){u8 b=(s[i/8]>>(i&7))&1;cswap(p,q,b);add(q,p)

;add(p,p);cswap(p,q,b);}}sv scalarbase(gf p[4],const u8*s){gf q[4];set25519(q[0],X);set25519(q[1],Y);set25519(q[2],gf1);M(q[3],X,Y);

scalarmult(p,q,s);}int crypto_sign_keypair(u8*pk,u8*sk){u8 d[64];gf p[4];int i;randombytes(sk,32);crypto_hash(d,sk,32);d[0]&=248;d[31]&=127;

d[31]|=64;scalarbase(p,d);pack(pk,p);FOR(i,32)sk[32+i]=pk[i];return 0;}static const u64 L[32]={0xed,0xd3,0xf5,0x5c,0x1a,0x63,0x12,0x58,0xd6,

0x9c,0xf7,0xa2,0xde,0xf9,0xde,0x14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x10};sv modL(u8*r,i64 x[64]){i64 carry,i,j;for(i=63;i>=32;--i){carry=0;for

(j=i-32;j<i-12;++j){x[j]+=carry-16*x[i]*L[j-(i-32)];carry=(x[j]+128)>>8;x[j]-=carry<<8;}x[j]+=carry;x[i]=0;}carry=0;FOR(j,32){x[j]+=carry-(x

[31]>>4)*L[j];carry=x[j]>>8;x[j]&=255;}FOR(j,32)x[j]-=carry*L[j];FOR(i,32){x[i+1]+=x[i]>>8;r[i]=x[i]&255;}}sv reduce(u8*r){i64 x[64],i;FOR(i

,64)x[i]=(u64)r[i];FOR(i,64)r[i]=0;modL(r,x);}int crypto_sign(u8*sm,u64*smlen,const u8*m,u64 n,const u8*sk){u8 d[64],h[64],r[64];i64 i,j,x[

64];gf p[4];crypto_hash(d,sk,32);d[0]&=248;d[31]&=127;d[31]|=64;*smlen=n+64;FOR(i,n)sm[64+i]=m[i];FOR(i,32)sm[32+i]=d[32+i];crypto_hash(r,sm

+32,n+32);reduce(r);scalarbase(p,r);pack(sm,p);FOR(i,32)sm[i+32]=sk[i+32];crypto_hash(h,sm,n+64);reduce(h);FOR(i,64)x[i]=0;FOR(i,32)x[i]=(

u64)r[i];FOR(i,32)FOR(j,32)x[i+j]+=h[i]*(u64)d[j];modL(sm+32,x);return 0;}static int unpackneg(gf r[4],const u8 p[32]){gf t,chk,num,den,den2

,den4,den6;set25519(r[2],gf1);unpack25519(r[1],p);S(num,r[1]);M(den,num,D);Z(num,num,r[2]);A(den,r[2],den);S(den2,den);S(den4,den2);M(den6,

den4,den2);M(t,den6,num);M(t,t,den);pow2523(t,t);M(t,t,num);M(t,t,den);M(t,t,den);M(r[0],t,den);S(chk,r[0]);M(chk,chk,den);if(neq25519(chk,

num))M(r[0],r[0],I);S(chk,r[0]);M(chk,chk,den);if(neq25519(chk,num))return-1;if(par25519(r[0])==(p[31]>>7))Z(r[0],gf0,r[0]);M(r[3],r[0],r[1]

);return 0;}int crypto_sign_open(u8*m,u64*mlen,const u8*sm,u64 n,const u8*pk){int i;u8 t[32],h[64];gf p[4],q[4];*mlen= -1;if(n<64)return-1;

if(unpackneg(q,pk))return-1;FOR(i,n)m[i]=sm[i];FOR(i,32)m[i+32]=pk[i];crypto_hash(h,m,n);reduce(h);scalarmult(p,q,h);scalarbase(q,sm+32);add

(p,q);pack(t,p);n-=64;if(crypto_verify_32(sm,t)){FOR(i,n)m[i]=0;return-1;}FOR(i,n)m[i]=sm[i+64];*mlen=n;return 0;}