package com.google.crypto.tink.subtle;

import com.google.common.base.Ascii;
import com.google.common.primitives.SignedBytes;
import com.google.common.primitives.UnsignedBytes;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes2.dex */
public final class Ed25519 {
    public static final int PUBLIC_KEY_LEN = 32;
    public static final int SECRET_KEY_LEN = 32;
    public static final int SIGNATURE_LEN = 64;
    private static final CachedXYT CACHED_NEUTRAL = new CachedXYT(new long[]{1, 0, 0, 0, 0, 0, 0, 0, 0, 0}, new long[]{1, 0, 0, 0, 0, 0, 0, 0, 0, 0}, new long[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0});
    private static final PartialXYZT NEUTRAL = new PartialXYZT(new XYZ(new long[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, new long[]{1, 0, 0, 0, 0, 0, 0, 0, 0, 0}, new long[]{1, 0, 0, 0, 0, 0, 0, 0, 0, 0}), new long[]{1, 0, 0, 0, 0, 0, 0, 0, 0, 0});
    static final byte[] GROUP_ORDER = {-19, -45, -11, 92, Ascii.SUB, 99, Ascii.DC2, 88, -42, -100, -9, -94, -34, -7, -34, Ascii.DC4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, Ascii.DLE};

    /* loaded from: classes2.dex */
    public static class CachedXYT {
        final long[] t2d;
        final long[] yMinusX;
        final long[] yPlusX;

        public CachedXYT() {
            this(new long[10], new long[10], new long[10]);
        }

        public CachedXYT(CachedXYT cachedXYT) {
            this.yPlusX = Arrays.copyOf(cachedXYT.yPlusX, 10);
            this.yMinusX = Arrays.copyOf(cachedXYT.yMinusX, 10);
            this.t2d = Arrays.copyOf(cachedXYT.t2d, 10);
        }

        public CachedXYT(long[] jArr, long[] jArr2, long[] jArr3) {
            this.yPlusX = jArr;
            this.yMinusX = jArr2;
            this.t2d = jArr3;
        }

        public void copyConditional(CachedXYT cachedXYT, int i5) {
            Curve25519.copyConditional(this.yPlusX, cachedXYT.yPlusX, i5);
            Curve25519.copyConditional(this.yMinusX, cachedXYT.yMinusX, i5);
            Curve25519.copyConditional(this.t2d, cachedXYT.t2d, i5);
        }

        public void multByZ(long[] jArr, long[] jArr2) {
            System.arraycopy(jArr2, 0, jArr, 0, 10);
        }
    }

    /* loaded from: classes2.dex */
    public static class CachedXYZT extends CachedXYT {

        /* renamed from: z, reason: collision with root package name */
        private final long[] f7056z;

        public CachedXYZT() {
            this(new long[10], new long[10], new long[10], new long[10]);
        }

        public CachedXYZT(XYZT xyzt) {
            this();
            long[] jArr = this.yPlusX;
            XYZ xyz = xyzt.xyz;
            Field25519.sum(jArr, xyz.y, xyz.x);
            long[] jArr2 = this.yMinusX;
            XYZ xyz2 = xyzt.xyz;
            Field25519.sub(jArr2, xyz2.y, xyz2.x);
            System.arraycopy(xyzt.xyz.f7058z, 0, this.f7056z, 0, 10);
            Field25519.mult(this.t2d, xyzt.f7059t, Ed25519Constants.D2);
        }

        public CachedXYZT(long[] jArr, long[] jArr2, long[] jArr3, long[] jArr4) {
            super(jArr, jArr2, jArr4);
            this.f7056z = jArr3;
        }

        @Override // com.google.crypto.tink.subtle.Ed25519.CachedXYT
        public void multByZ(long[] jArr, long[] jArr2) {
            Field25519.mult(jArr, jArr2, this.f7056z);
        }
    }

    /* loaded from: classes2.dex */
    public static class PartialXYZT {

        /* renamed from: t, reason: collision with root package name */
        final long[] f7057t;
        final XYZ xyz;

        public PartialXYZT() {
            this(new XYZ(), new long[10]);
        }

        public PartialXYZT(PartialXYZT partialXYZT) {
            this.xyz = new XYZ(partialXYZT.xyz);
            this.f7057t = Arrays.copyOf(partialXYZT.f7057t, 10);
        }

        public PartialXYZT(XYZ xyz, long[] jArr) {
            this.xyz = xyz;
            this.f7057t = jArr;
        }
    }

    /* loaded from: classes2.dex */
    public static class XYZ {
        final long[] x;
        final long[] y;

        /* renamed from: z, reason: collision with root package name */
        final long[] f7058z;

        public XYZ() {
            this(new long[10], new long[10], new long[10]);
        }

        public XYZ(PartialXYZT partialXYZT) {
            this();
            fromPartialXYZT(this, partialXYZT);
        }

        public XYZ(XYZ xyz) {
            this.x = Arrays.copyOf(xyz.x, 10);
            this.y = Arrays.copyOf(xyz.y, 10);
            this.f7058z = Arrays.copyOf(xyz.f7058z, 10);
        }

        public XYZ(long[] jArr, long[] jArr2, long[] jArr3) {
            this.x = jArr;
            this.y = jArr2;
            this.f7058z = jArr3;
        }

        public static XYZ fromPartialXYZT(XYZ xyz, PartialXYZT partialXYZT) {
            Field25519.mult(xyz.x, partialXYZT.xyz.x, partialXYZT.f7057t);
            long[] jArr = xyz.y;
            XYZ xyz2 = partialXYZT.xyz;
            Field25519.mult(jArr, xyz2.y, xyz2.f7058z);
            Field25519.mult(xyz.f7058z, partialXYZT.xyz.f7058z, partialXYZT.f7057t);
            return xyz;
        }

        public boolean isOnCurve() {
            long[] jArr = new long[10];
            Field25519.square(jArr, this.x);
            long[] jArr2 = new long[10];
            Field25519.square(jArr2, this.y);
            long[] jArr3 = new long[10];
            Field25519.square(jArr3, this.f7058z);
            long[] jArr4 = new long[10];
            Field25519.square(jArr4, jArr3);
            long[] jArr5 = new long[10];
            Field25519.sub(jArr5, jArr2, jArr);
            Field25519.mult(jArr5, jArr5, jArr3);
            long[] jArr6 = new long[10];
            Field25519.mult(jArr6, jArr, jArr2);
            Field25519.mult(jArr6, jArr6, Ed25519Constants.D);
            Field25519.sum(jArr6, jArr4);
            Field25519.reduce(jArr6, jArr6);
            return Bytes.equal(Field25519.contract(jArr5), Field25519.contract(jArr6));
        }

        public byte[] toBytes() {
            long[] jArr = new long[10];
            long[] jArr2 = new long[10];
            long[] jArr3 = new long[10];
            Field25519.inverse(jArr, this.f7058z);
            Field25519.mult(jArr2, this.x, jArr);
            Field25519.mult(jArr3, this.y, jArr);
            byte[] contract = Field25519.contract(jArr3);
            contract[31] = (byte) ((Ed25519.getLsb(jArr2) << 7) ^ contract[31]);
            return contract;
        }
    }

    /* loaded from: classes2.dex */
    public static class XYZT {

        /* renamed from: t, reason: collision with root package name */
        final long[] f7059t;
        final XYZ xyz;

        public XYZT() {
            this(new XYZ(), new long[10]);
        }

        public XYZT(PartialXYZT partialXYZT) {
            this();
            fromPartialXYZT(this, partialXYZT);
        }

        public XYZT(XYZ xyz, long[] jArr) {
            this.xyz = xyz;
            this.f7059t = jArr;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static XYZT fromBytesNegateVarTime(byte[] bArr) throws GeneralSecurityException {
            long[] jArr = new long[10];
            long[] expand = Field25519.expand(bArr);
            long[] jArr2 = new long[10];
            jArr2[0] = 1;
            long[] jArr3 = new long[10];
            long[] jArr4 = new long[10];
            long[] jArr5 = new long[10];
            long[] jArr6 = new long[10];
            long[] jArr7 = new long[10];
            Field25519.square(jArr4, expand);
            Field25519.mult(jArr5, jArr4, Ed25519Constants.D);
            Field25519.sub(jArr4, jArr4, jArr2);
            Field25519.sum(jArr5, jArr5, jArr2);
            long[] jArr8 = new long[10];
            Field25519.square(jArr8, jArr5);
            Field25519.mult(jArr8, jArr8, jArr5);
            Field25519.square(jArr, jArr8);
            Field25519.mult(jArr, jArr, jArr5);
            Field25519.mult(jArr, jArr, jArr4);
            Ed25519.pow2252m3(jArr, jArr);
            Field25519.mult(jArr, jArr, jArr8);
            Field25519.mult(jArr, jArr, jArr4);
            Field25519.square(jArr6, jArr);
            Field25519.mult(jArr6, jArr6, jArr5);
            Field25519.sub(jArr7, jArr6, jArr4);
            if (Ed25519.isNonZeroVarTime(jArr7)) {
                Field25519.sum(jArr7, jArr6, jArr4);
                if (Ed25519.isNonZeroVarTime(jArr7)) {
                    throw new GeneralSecurityException("Cannot convert given bytes to extended projective coordinates. No square root exists for modulo 2^255-19");
                }
                Field25519.mult(jArr, jArr, Ed25519Constants.SQRTM1);
            }
            if (!Ed25519.isNonZeroVarTime(jArr) && ((bArr[31] & UnsignedBytes.MAX_VALUE) >> 7) != 0) {
                throw new GeneralSecurityException("Cannot convert given bytes to extended projective coordinates. Computed x is zero and encoded x's least significant bit is not zero");
            }
            if (Ed25519.getLsb(jArr) == ((bArr[31] & UnsignedBytes.MAX_VALUE) >> 7)) {
                Ed25519.neg(jArr, jArr);
            }
            Field25519.mult(jArr3, jArr, expand);
            return new XYZT(new XYZ(jArr, expand, jArr2), jArr3);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static XYZT fromPartialXYZT(XYZT xyzt, PartialXYZT partialXYZT) {
            Field25519.mult(xyzt.xyz.x, partialXYZT.xyz.x, partialXYZT.f7057t);
            long[] jArr = xyzt.xyz.y;
            XYZ xyz = partialXYZT.xyz;
            Field25519.mult(jArr, xyz.y, xyz.f7058z);
            Field25519.mult(xyzt.xyz.f7058z, partialXYZT.xyz.f7058z, partialXYZT.f7057t);
            long[] jArr2 = xyzt.f7059t;
            XYZ xyz2 = partialXYZT.xyz;
            Field25519.mult(jArr2, xyz2.x, xyz2.y);
            return xyzt;
        }
    }

    private static void add(PartialXYZT partialXYZT, XYZT xyzt, CachedXYT cachedXYT) {
        long[] jArr = new long[10];
        long[] jArr2 = partialXYZT.xyz.x;
        XYZ xyz = xyzt.xyz;
        Field25519.sum(jArr2, xyz.y, xyz.x);
        long[] jArr3 = partialXYZT.xyz.y;
        XYZ xyz2 = xyzt.xyz;
        Field25519.sub(jArr3, xyz2.y, xyz2.x);
        long[] jArr4 = partialXYZT.xyz.y;
        Field25519.mult(jArr4, jArr4, cachedXYT.yMinusX);
        XYZ xyz3 = partialXYZT.xyz;
        Field25519.mult(xyz3.f7058z, xyz3.x, cachedXYT.yPlusX);
        Field25519.mult(partialXYZT.f7057t, xyzt.f7059t, cachedXYT.t2d);
        cachedXYT.multByZ(partialXYZT.xyz.x, xyzt.xyz.f7058z);
        long[] jArr5 = partialXYZT.xyz.x;
        Field25519.sum(jArr, jArr5, jArr5);
        XYZ xyz4 = partialXYZT.xyz;
        Field25519.sub(xyz4.x, xyz4.f7058z, xyz4.y);
        XYZ xyz5 = partialXYZT.xyz;
        long[] jArr6 = xyz5.y;
        Field25519.sum(jArr6, xyz5.f7058z, jArr6);
        Field25519.sum(partialXYZT.xyz.f7058z, jArr, partialXYZT.f7057t);
        long[] jArr7 = partialXYZT.f7057t;
        Field25519.sub(jArr7, jArr, jArr7);
    }

    private static XYZ doubleScalarMultVarTime(byte[] bArr, XYZT xyzt, byte[] bArr2) {
        CachedXYZT[] cachedXYZTArr = new CachedXYZT[8];
        cachedXYZTArr[0] = new CachedXYZT(xyzt);
        PartialXYZT partialXYZT = new PartialXYZT();
        doubleXYZT(partialXYZT, xyzt);
        XYZT xyzt2 = new XYZT(partialXYZT);
        for (int i5 = 1; i5 < 8; i5++) {
            add(partialXYZT, xyzt2, cachedXYZTArr[i5 - 1]);
            cachedXYZTArr[i5] = new CachedXYZT(new XYZT(partialXYZT));
        }
        byte[] slide = slide(bArr);
        byte[] slide2 = slide(bArr2);
        PartialXYZT partialXYZT2 = new PartialXYZT(NEUTRAL);
        XYZT xyzt3 = new XYZT();
        int i8 = 255;
        while (i8 >= 0 && slide[i8] == 0 && slide2[i8] == 0) {
            i8--;
        }
        while (i8 >= 0) {
            doubleXYZ(partialXYZT2, new XYZ(partialXYZT2));
            byte b8 = slide[i8];
            if (b8 > 0) {
                add(partialXYZT2, XYZT.fromPartialXYZT(xyzt3, partialXYZT2), cachedXYZTArr[slide[i8] / 2]);
            } else if (b8 < 0) {
                sub(partialXYZT2, XYZT.fromPartialXYZT(xyzt3, partialXYZT2), cachedXYZTArr[(-slide[i8]) / 2]);
            }
            byte b9 = slide2[i8];
            if (b9 > 0) {
                add(partialXYZT2, XYZT.fromPartialXYZT(xyzt3, partialXYZT2), Ed25519Constants.B2[slide2[i8] / 2]);
            } else if (b9 < 0) {
                sub(partialXYZT2, XYZT.fromPartialXYZT(xyzt3, partialXYZT2), Ed25519Constants.B2[(-slide2[i8]) / 2]);
            }
            i8--;
        }
        return new XYZ(partialXYZT2);
    }

    private static void doubleXYZ(PartialXYZT partialXYZT, XYZ xyz) {
        long[] jArr = new long[10];
        Field25519.square(partialXYZT.xyz.x, xyz.x);
        Field25519.square(partialXYZT.xyz.f7058z, xyz.y);
        Field25519.square(partialXYZT.f7057t, xyz.f7058z);
        long[] jArr2 = partialXYZT.f7057t;
        Field25519.sum(jArr2, jArr2, jArr2);
        Field25519.sum(partialXYZT.xyz.y, xyz.x, xyz.y);
        Field25519.square(jArr, partialXYZT.xyz.y);
        XYZ xyz2 = partialXYZT.xyz;
        Field25519.sum(xyz2.y, xyz2.f7058z, xyz2.x);
        XYZ xyz3 = partialXYZT.xyz;
        long[] jArr3 = xyz3.f7058z;
        Field25519.sub(jArr3, jArr3, xyz3.x);
        XYZ xyz4 = partialXYZT.xyz;
        Field25519.sub(xyz4.x, jArr, xyz4.y);
        long[] jArr4 = partialXYZT.f7057t;
        Field25519.sub(jArr4, jArr4, partialXYZT.xyz.f7058z);
    }

    private static void doubleXYZT(PartialXYZT partialXYZT, XYZT xyzt) {
        doubleXYZ(partialXYZT, xyzt.xyz);
    }

    private static int eq(int i5, int i8) {
        int i9 = (~(i5 ^ i8)) & 255;
        int i10 = i9 & (i9 << 4);
        int i11 = i10 & (i10 << 2);
        return ((i11 & (i11 << 1)) >> 7) & 1;
    }

    public static byte[] getHashedScalar(byte[] bArr) throws GeneralSecurityException {
        MessageDigest engineFactory = EngineFactory.MESSAGE_DIGEST.getInstance("SHA-512");
        engineFactory.update(bArr, 0, 32);
        byte[] digest = engineFactory.digest();
        digest[0] = (byte) (digest[0] & 248);
        byte b8 = (byte) (digest[31] & Ascii.DEL);
        digest[31] = b8;
        digest[31] = (byte) (b8 | SignedBytes.MAX_POWER_OF_TWO);
        return digest;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static int getLsb(long[] jArr) {
        return Field25519.contract(jArr)[0] & 1;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isNonZeroVarTime(long[] jArr) {
        long[] jArr2 = new long[jArr.length + 1];
        System.arraycopy(jArr, 0, jArr2, 0, jArr.length);
        Field25519.reduceCoefficients(jArr2);
        for (byte b8 : Field25519.contract(jArr2)) {
            if (b8 != 0) {
                return true;
            }
        }
        return false;
    }

    private static boolean isSmallerThanGroupOrder(byte[] bArr) {
        for (int i5 = 31; i5 >= 0; i5--) {
            int i8 = bArr[i5] & UnsignedBytes.MAX_VALUE;
            int i9 = GROUP_ORDER[i5] & UnsignedBytes.MAX_VALUE;
            if (i8 != i9) {
                return i8 < i9;
            }
        }
        return false;
    }

    private static long load3(byte[] bArr, int i5) {
        return ((bArr[i5 + 2] & UnsignedBytes.MAX_VALUE) << 16) | (bArr[i5] & 255) | ((bArr[i5 + 1] & UnsignedBytes.MAX_VALUE) << 8);
    }

    private static long load4(byte[] bArr, int i5) {
        return ((bArr[i5 + 3] & UnsignedBytes.MAX_VALUE) << 24) | load3(bArr, i5);
    }

    private static void mulAdd(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4) {
        long load3 = load3(bArr2, 0) & 2097151;
        long load4 = (load4(bArr2, 2) >> 5) & 2097151;
        long load32 = (load3(bArr2, 5) >> 2) & 2097151;
        long load42 = (load4(bArr2, 7) >> 7) & 2097151;
        long load43 = (load4(bArr2, 10) >> 4) & 2097151;
        long load33 = (load3(bArr2, 13) >> 1) & 2097151;
        long load44 = (load4(bArr2, 15) >> 6) & 2097151;
        long load34 = (load3(bArr2, 18) >> 3) & 2097151;
        long load35 = load3(bArr2, 21) & 2097151;
        long load45 = (load4(bArr2, 23) >> 5) & 2097151;
        long load36 = (load3(bArr2, 26) >> 2) & 2097151;
        long load46 = load4(bArr2, 28) >> 7;
        long load37 = load3(bArr3, 0) & 2097151;
        long load47 = (load4(bArr3, 2) >> 5) & 2097151;
        long load38 = (load3(bArr3, 5) >> 2) & 2097151;
        long load48 = (load4(bArr3, 7) >> 7) & 2097151;
        long load49 = (load4(bArr3, 10) >> 4) & 2097151;
        long load39 = (load3(bArr3, 13) >> 1) & 2097151;
        long load410 = (load4(bArr3, 15) >> 6) & 2097151;
        long load310 = (load3(bArr3, 18) >> 3) & 2097151;
        long load311 = load3(bArr3, 21) & 2097151;
        long load411 = (load4(bArr3, 23) >> 5) & 2097151;
        long load312 = (load3(bArr3, 26) >> 2) & 2097151;
        long load412 = load4(bArr3, 28) >> 7;
        long load313 = load3(bArr4, 0) & 2097151;
        long load413 = (load4(bArr4, 2) >> 5) & 2097151;
        long load314 = (load3(bArr4, 5) >> 2) & 2097151;
        long load414 = (load4(bArr4, 7) >> 7) & 2097151;
        long load415 = (load4(bArr4, 10) >> 4) & 2097151;
        long load315 = (load3(bArr4, 13) >> 1) & 2097151;
        long load416 = (load4(bArr4, 15) >> 6) & 2097151;
        long load316 = (load3(bArr4, 18) >> 3) & 2097151;
        long load317 = load3(bArr4, 21) & 2097151;
        long j = (load3 * load37) + load313;
        long j8 = (load4 * load37) + (load3 * load47) + load413;
        long j9 = (load32 * load37) + (load4 * load47) + (load3 * load38) + load314;
        long j10 = (load42 * load37) + (load32 * load47) + (load4 * load38) + (load3 * load48) + load414;
        long j11 = (load43 * load37) + (load42 * load47) + (load32 * load38) + (load4 * load48) + (load3 * load49) + load415;
        long j12 = (load33 * load37) + (load43 * load47) + (load42 * load38) + (load32 * load48) + (load4 * load49) + (load3 * load39) + load315;
        long j13 = (load44 * load37) + (load33 * load47) + (load43 * load38) + (load42 * load48) + (load32 * load49) + (load4 * load39) + (load3 * load410) + load416;
        long j14 = (load34 * load37) + (load44 * load47) + (load33 * load38) + (load43 * load48) + (load42 * load49) + (load32 * load39) + (load4 * load410) + (load3 * load310) + load316;
        long j15 = (load35 * load37) + (load34 * load47) + (load44 * load38) + (load33 * load48) + (load43 * load49) + (load42 * load39) + (load32 * load410) + (load4 * load310) + (load3 * load311) + load317;
        long load417 = (load45 * load37) + (load35 * load47) + (load34 * load38) + (load44 * load48) + (load33 * load49) + (load43 * load39) + (load42 * load410) + (load32 * load310) + (load4 * load311) + (load3 * load411) + ((load4(bArr4, 23) >> 5) & 2097151);
        long load318 = (load36 * load37) + (load45 * load47) + (load35 * load38) + (load34 * load48) + (load44 * load49) + (load33 * load39) + (load43 * load410) + (load42 * load310) + (load32 * load311) + (load4 * load411) + (load3 * load312) + ((load3(bArr4, 26) >> 2) & 2097151);
        long load418 = (load37 * load46) + (load36 * load47) + (load45 * load38) + (load35 * load48) + (load34 * load49) + (load44 * load39) + (load33 * load410) + (load43 * load310) + (load42 * load311) + (load32 * load411) + (load4 * load312) + (load3 * load412) + (load4(bArr4, 28) >> 7);
        long j16 = load47 * load46;
        long j17 = j16 + (load36 * load38) + (load45 * load48) + (load35 * load49) + (load34 * load39) + (load44 * load410) + (load33 * load310) + (load43 * load311) + (load42 * load411) + (load32 * load312) + (load4 * load412);
        long j18 = load38 * load46;
        long j19 = j18 + (load36 * load48) + (load45 * load49) + (load35 * load39) + (load34 * load410) + (load44 * load310) + (load33 * load311) + (load43 * load411) + (load42 * load312) + (load32 * load412);
        long j20 = load48 * load46;
        long j21 = j20 + (load36 * load49) + (load45 * load39) + (load35 * load410) + (load34 * load310) + (load44 * load311) + (load33 * load411) + (load43 * load312) + (load42 * load412);
        long j22 = load49 * load46;
        long j23 = j22 + (load36 * load39) + (load45 * load410) + (load35 * load310) + (load34 * load311) + (load44 * load411) + (load33 * load312) + (load43 * load412);
        long j24 = load39 * load46;
        long j25 = j24 + (load36 * load410) + (load45 * load310) + (load35 * load311) + (load34 * load411) + (load44 * load312) + (load33 * load412);
        long j26 = load410 * load46;
        long j27 = j26 + (load36 * load310) + (load45 * load311) + (load35 * load411) + (load34 * load312) + (load44 * load412);
        long j28 = load310 * load46;
        long j29 = j28 + (load36 * load311) + (load45 * load411) + (load35 * load312) + (load34 * load412);
        long j30 = load311 * load46;
        long j31 = j30 + (load36 * load411) + (load45 * load312) + (load35 * load412);
        long j32 = (load411 * load46) + (load36 * load312) + (load45 * load412);
        long j33 = load312 * load46;
        long j34 = load46 * load412;
        long j35 = (j + 1048576) >> 21;
        long j36 = j8 + j35;
        long j37 = j - (j35 << 21);
        long j38 = (j9 + 1048576) >> 21;
        long j39 = j10 + j38;
        long j40 = j9 - (j38 << 21);
        long j41 = (j11 + 1048576) >> 21;
        long j42 = j12 + j41;
        long j43 = j11 - (j41 << 21);
        long j44 = (j13 + 1048576) >> 21;
        long j45 = j14 + j44;
        long j46 = j13 - (j44 << 21);
        long j47 = (j15 + 1048576) >> 21;
        long j48 = load417 + j47;
        long j49 = j15 - (j47 << 21);
        long j50 = (load318 + 1048576) >> 21;
        long j51 = load418 + j50;
        long j52 = load318 - (j50 << 21);
        long j53 = (j17 + 1048576) >> 21;
        long j54 = j19 + j53;
        long j55 = j17 - (j53 << 21);
        long j56 = (j21 + 1048576) >> 21;
        long j57 = j23 + j56;
        long j58 = j21 - (j56 << 21);
        long j59 = (j25 + 1048576) >> 21;
        long j60 = j27 + j59;
        long j61 = j25 - (j59 << 21);
        long j62 = (j29 + 1048576) >> 21;
        long j63 = j31 + j62;
        long j64 = j29 - (j62 << 21);
        long j65 = (j32 + 1048576) >> 21;
        long j66 = j33 + (load36 * load412) + j65;
        long j67 = j32 - (j65 << 21);
        long j68 = (j34 + 1048576) >> 21;
        long j69 = (j36 + 1048576) >> 21;
        long j70 = j40 + j69;
        long j71 = j36 - (j69 << 21);
        long j72 = (j39 + 1048576) >> 21;
        long j73 = j43 + j72;
        long j74 = j39 - (j72 << 21);
        long j75 = (j42 + 1048576) >> 21;
        long j76 = j46 + j75;
        long j77 = j42 - (j75 << 21);
        long j78 = (j45 + 1048576) >> 21;
        long j79 = j49 + j78;
        long j80 = j45 - (j78 << 21);
        long j81 = (j48 + 1048576) >> 21;
        long j82 = j52 + j81;
        long j83 = j48 - (j81 << 21);
        long j84 = (j51 + 1048576) >> 21;
        long j85 = j55 + j84;
        long j86 = j51 - (j84 << 21);
        long j87 = (j54 + 1048576) >> 21;
        long j88 = j58 + j87;
        long j89 = j54 - (j87 << 21);
        long j90 = (j57 + 1048576) >> 21;
        long j91 = j61 + j90;
        long j92 = j57 - (j90 << 21);
        long j93 = (j60 + 1048576) >> 21;
        long j94 = j64 + j93;
        long j95 = j60 - (j93 << 21);
        long j96 = (j63 + 1048576) >> 21;
        long j97 = j67 + j96;
        long j98 = j63 - (j96 << 21);
        long j99 = (j66 + 1048576) >> 21;
        long j100 = (j34 - (j68 << 21)) + j99;
        long j101 = j66 - (j99 << 21);
        long j102 = j91 - (j68 * 683901);
        long j103 = (j100 * 470296) + (j68 * 666643) + j86;
        long j104 = (j100 * 654183) + (j68 * 470296) + j85;
        long j105 = ((j68 * 654183) + j89) - (j100 * 997805);
        long j106 = (j100 * 136657) + (j88 - (j68 * 997805));
        long j107 = ((j68 * 136657) + j92) - (j100 * 683901);
        long j108 = (j101 * 654183) + j103;
        long j109 = (j101 * 136657) + j105;
        long j110 = j106 - (j101 * 683901);
        long j111 = (j97 * 654183) + (j101 * 470296) + (j100 * 666643) + j82;
        long j112 = (j98 * 654183) + (j97 * 470296) + (j101 * 666643) + j83;
        long j113 = (j98 * 136657) + (j108 - (j97 * 997805));
        long j114 = ((j97 * 136657) + (j104 - (j101 * 997805))) - (j98 * 683901);
        long j115 = (j94 * 666643) + j76;
        long j116 = (j94 * 654183) + (j98 * 470296) + (j97 * 666643) + j79;
        long j117 = (j94 * 136657) + (j111 - (j98 * 997805));
        long j118 = (j115 + 1048576) >> 21;
        long j119 = (j94 * 470296) + (j98 * 666643) + j80 + j118;
        long j120 = j115 - (j118 << 21);
        long j121 = (j116 + 1048576) >> 21;
        long j122 = (j112 - (j94 * 997805)) + j121;
        long j123 = j116 - (j121 << 21);
        long j124 = (j117 + 1048576) >> 21;
        long j125 = (j113 - (j94 * 683901)) + j124;
        long j126 = j117 - (j124 << 21);
        long j127 = (j114 + 1048576) >> 21;
        long j128 = (j109 - (j97 * 683901)) + j127;
        long j129 = j114 - (j127 << 21);
        long j130 = (j110 + 1048576) >> 21;
        long j131 = j107 + j130;
        long j132 = j110 - (j130 << 21);
        long j133 = (j102 + 1048576) >> 21;
        long j134 = j95 + j133;
        long j135 = j102 - (j133 << 21);
        long j136 = (j119 + 1048576) >> 21;
        long j137 = j123 + j136;
        long j138 = j119 - (j136 << 21);
        long j139 = (j122 + 1048576) >> 21;
        long j140 = j126 + j139;
        long j141 = j122 - (j139 << 21);
        long j142 = (j125 + 1048576) >> 21;
        long j143 = j129 + j142;
        long j144 = j125 - (j142 << 21);
        long j145 = (j128 + 1048576) >> 21;
        long j146 = j132 + j145;
        long j147 = j128 - (j145 << 21);
        long j148 = (j131 + 1048576) >> 21;
        long j149 = j135 + j148;
        long j150 = j131 - (j148 << 21);
        long j151 = (j134 * 470296) + j120;
        long j152 = (j134 * 654183) + j138;
        long j153 = j140 - (j134 * 683901);
        long j154 = (j149 * 470296) + (j134 * 666643) + j77;
        long j155 = (j149 * 654183) + j151;
        long j156 = j152 - (j149 * 997805);
        long j157 = (j149 * 136657) + (j137 - (j134 * 997805));
        long j158 = ((j134 * 136657) + j141) - (j149 * 683901);
        long j159 = (j150 * 470296) + (j149 * 666643) + j73;
        long j160 = (j150 * 654183) + j154;
        long j161 = j155 - (j150 * 997805);
        long j162 = (j150 * 136657) + j156;
        long j163 = j157 - (j150 * 683901);
        long j164 = (j146 * 654183) + j159;
        long j165 = (j146 * 136657) + j161;
        long j166 = j162 - (j146 * 683901);
        long j167 = (j147 * 470296) + (j146 * 666643) + j70;
        long j168 = (j147 * 654183) + (j146 * 470296) + (j150 * 666643) + j74;
        long j169 = j164 - (j147 * 997805);
        long j170 = (j147 * 136657) + (j160 - (j146 * 997805));
        long j171 = j165 - (j147 * 683901);
        long j172 = (j143 * 666643) + j37;
        long j173 = (j143 * 654183) + j167;
        long j174 = (j143 * 136657) + j169;
        long j175 = (j172 + 1048576) >> 21;
        long j176 = (j143 * 470296) + (j147 * 666643) + j71 + j175;
        long j177 = j172 - (j175 << 21);
        long j178 = (j173 + 1048576) >> 21;
        long j179 = (j168 - (j143 * 997805)) + j178;
        long j180 = j173 - (j178 << 21);
        long j181 = (j174 + 1048576) >> 21;
        long j182 = (j170 - (j143 * 683901)) + j181;
        long j183 = j174 - (j181 << 21);
        long j184 = (j171 + 1048576) >> 21;
        long j185 = j166 + j184;
        long j186 = j171 - (j184 << 21);
        long j187 = (j163 + 1048576) >> 21;
        long j188 = j158 + j187;
        long j189 = j163 - (j187 << 21);
        long j190 = (j153 + 1048576) >> 21;
        long j191 = j144 + j190;
        long j192 = j153 - (j190 << 21);
        long j193 = (j176 + 1048576) >> 21;
        long j194 = j180 + j193;
        long j195 = j176 - (j193 << 21);
        long j196 = (j179 + 1048576) >> 21;
        long j197 = j183 + j196;
        long j198 = j179 - (j196 << 21);
        long j199 = (j182 + 1048576) >> 21;
        long j200 = j186 + j199;
        long j201 = j182 - (j199 << 21);
        long j202 = (j185 + 1048576) >> 21;
        long j203 = j189 + j202;
        long j204 = j185 - (j202 << 21);
        long j205 = (j188 + 1048576) >> 21;
        long j206 = j192 + j205;
        long j207 = j188 - (j205 << 21);
        long j208 = (j191 + 1048576) >> 21;
        long j209 = (j208 * 666643) + j177;
        long j210 = (j208 * 470296) + j195;
        long j211 = (j208 * 654183) + j194;
        long j212 = (j208 * 136657) + j197;
        long j213 = j209 >> 21;
        long j214 = j210 + j213;
        long j215 = j209 - (j213 << 21);
        long j216 = j214 >> 21;
        long j217 = j211 + j216;
        long j218 = j214 - (j216 << 21);
        long j219 = j217 >> 21;
        long j220 = (j198 - (j208 * 997805)) + j219;
        long j221 = j217 - (j219 << 21);
        long j222 = j220 >> 21;
        long j223 = j212 + j222;
        long j224 = j220 - (j222 << 21);
        long j225 = j223 >> 21;
        long j226 = (j201 - (j208 * 683901)) + j225;
        long j227 = j223 - (j225 << 21);
        long j228 = j226 >> 21;
        long j229 = j200 + j228;
        long j230 = j226 - (j228 << 21);
        long j231 = j229 >> 21;
        long j232 = j204 + j231;
        long j233 = j229 - (j231 << 21);
        long j234 = j232 >> 21;
        long j235 = j203 + j234;
        long j236 = j232 - (j234 << 21);
        long j237 = j235 >> 21;
        long j238 = j207 + j237;
        long j239 = j235 - (j237 << 21);
        long j240 = j238 >> 21;
        long j241 = j206 + j240;
        long j242 = j238 - (j240 << 21);
        long j243 = j241 >> 21;
        long j244 = (j191 - (j208 << 21)) + j243;
        long j245 = j241 - (j243 << 21);
        long j246 = j244 >> 21;
        long j247 = (666643 * j246) + j215;
        long j248 = j247 >> 21;
        long j249 = (470296 * j246) + j218 + j248;
        long j250 = j247 - (j248 << 21);
        long j251 = j249 >> 21;
        long j252 = (654183 * j246) + j221 + j251;
        long j253 = j249 - (j251 << 21);
        long j254 = j252 >> 21;
        long j255 = (j224 - (997805 * j246)) + j254;
        long j256 = j252 - (j254 << 21);
        long j257 = j255 >> 21;
        long j258 = (136657 * j246) + j227 + j257;
        long j259 = j255 - (j257 << 21);
        long j260 = j258 >> 21;
        long j261 = (j230 - (j246 * 683901)) + j260;
        long j262 = j258 - (j260 << 21);
        long j263 = j261 >> 21;
        long j264 = j233 + j263;
        long j265 = j261 - (j263 << 21);
        long j266 = j264 >> 21;
        long j267 = j236 + j266;
        long j268 = j264 - (j266 << 21);
        long j269 = j267 >> 21;
        long j270 = j239 + j269;
        long j271 = j267 - (j269 << 21);
        long j272 = j270 >> 21;
        long j273 = j242 + j272;
        long j274 = j273 >> 21;
        long j275 = j245 + j274;
        long j276 = j273 - (j274 << 21);
        long j277 = j275 >> 21;
        long j278 = (j244 - (j246 << 21)) + j277;
        long j279 = j275 - (j277 << 21);
        bArr[0] = (byte) j250;
        bArr[1] = (byte) (j250 >> 8);
        bArr[2] = (byte) ((j250 >> 16) | (j253 << 5));
        bArr[3] = (byte) (j253 >> 3);
        bArr[4] = (byte) (j253 >> 11);
        bArr[5] = (byte) ((j253 >> 19) | (j256 << 2));
        bArr[6] = (byte) (j256 >> 6);
        bArr[7] = (byte) ((j256 >> 14) | (j259 << 7));
        bArr[8] = (byte) (j259 >> 1);
        bArr[9] = (byte) (j259 >> 9);
        bArr[10] = (byte) ((j259 >> 17) | (j262 << 4));
        bArr[11] = (byte) (j262 >> 4);
        bArr[12] = (byte) (j262 >> 12);
        bArr[13] = (byte) ((j262 >> 20) | (j265 << 1));
        bArr[14] = (byte) (j265 >> 7);
        bArr[15] = (byte) ((j265 >> 15) | (j268 << 6));
        bArr[16] = (byte) (j268 >> 2);
        bArr[17] = (byte) (j268 >> 10);
        bArr[18] = (byte) ((j268 >> 18) | (j271 << 3));
        bArr[19] = (byte) (j271 >> 5);
        bArr[20] = (byte) (j271 >> 13);
        bArr[21] = (byte) (j270 - (j272 << 21));
        bArr[22] = (byte) (r6 >> 8);
        bArr[23] = (byte) ((r6 >> 16) | (j276 << 5));
        bArr[24] = (byte) (j276 >> 3);
        bArr[25] = (byte) (j276 >> 11);
        bArr[26] = (byte) ((j276 >> 19) | (j279 << 2));
        bArr[27] = (byte) (j279 >> 6);
        bArr[28] = (byte) ((j279 >> 14) | (j278 << 7));
        bArr[29] = (byte) (j278 >> 1);
        bArr[30] = (byte) (j278 >> 9);
        bArr[31] = (byte) (j278 >> 17);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void neg(long[] jArr, long[] jArr2) {
        for (int i5 = 0; i5 < jArr2.length; i5++) {
            jArr[i5] = -jArr2[i5];
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void pow2252m3(long[] jArr, long[] jArr2) {
        long[] jArr3 = new long[10];
        long[] jArr4 = new long[10];
        long[] jArr5 = new long[10];
        Field25519.square(jArr3, jArr2);
        Field25519.square(jArr4, jArr3);
        Field25519.square(jArr4, jArr4);
        Field25519.mult(jArr4, jArr2, jArr4);
        Field25519.mult(jArr3, jArr3, jArr4);
        Field25519.square(jArr3, jArr3);
        Field25519.mult(jArr3, jArr4, jArr3);
        Field25519.square(jArr4, jArr3);
        for (int i5 = 1; i5 < 5; i5++) {
            Field25519.square(jArr4, jArr4);
        }
        Field25519.mult(jArr3, jArr4, jArr3);
        Field25519.square(jArr4, jArr3);
        for (int i8 = 1; i8 < 10; i8++) {
            Field25519.square(jArr4, jArr4);
        }
        Field25519.mult(jArr4, jArr4, jArr3);
        Field25519.square(jArr5, jArr4);
        for (int i9 = 1; i9 < 20; i9++) {
            Field25519.square(jArr5, jArr5);
        }
        Field25519.mult(jArr4, jArr5, jArr4);
        Field25519.square(jArr4, jArr4);
        for (int i10 = 1; i10 < 10; i10++) {
            Field25519.square(jArr4, jArr4);
        }
        Field25519.mult(jArr3, jArr4, jArr3);
        Field25519.square(jArr4, jArr3);
        for (int i11 = 1; i11 < 50; i11++) {
            Field25519.square(jArr4, jArr4);
        }
        Field25519.mult(jArr4, jArr4, jArr3);
        Field25519.square(jArr5, jArr4);
        for (int i12 = 1; i12 < 100; i12++) {
            Field25519.square(jArr5, jArr5);
        }
        Field25519.mult(jArr4, jArr5, jArr4);
        Field25519.square(jArr4, jArr4);
        for (int i13 = 1; i13 < 50; i13++) {
            Field25519.square(jArr4, jArr4);
        }
        Field25519.mult(jArr3, jArr4, jArr3);
        Field25519.square(jArr3, jArr3);
        Field25519.square(jArr3, jArr3);
        Field25519.mult(jArr, jArr3, jArr2);
    }

    private static void reduce(byte[] bArr) {
        long load3 = load3(bArr, 0) & 2097151;
        long load4 = (load4(bArr, 2) >> 5) & 2097151;
        long load32 = (load3(bArr, 5) >> 2) & 2097151;
        long load42 = (load4(bArr, 7) >> 7) & 2097151;
        long load43 = (load4(bArr, 10) >> 4) & 2097151;
        long load33 = (load3(bArr, 13) >> 1) & 2097151;
        long load44 = (load4(bArr, 15) >> 6) & 2097151;
        long load34 = (load3(bArr, 18) >> 3) & 2097151;
        long load35 = load3(bArr, 21) & 2097151;
        long load45 = (load4(bArr, 23) >> 5) & 2097151;
        long load36 = (load3(bArr, 26) >> 2) & 2097151;
        long load46 = (load4(bArr, 28) >> 7) & 2097151;
        long load47 = (load4(bArr, 31) >> 4) & 2097151;
        long load37 = (load3(bArr, 34) >> 1) & 2097151;
        long load48 = (load4(bArr, 36) >> 6) & 2097151;
        long load38 = (load3(bArr, 39) >> 3) & 2097151;
        long load39 = load3(bArr, 42) & 2097151;
        long load49 = (load4(bArr, 44) >> 5) & 2097151;
        long load310 = (load3(bArr, 47) >> 2) & 2097151;
        long load410 = (load4(bArr, 49) >> 7) & 2097151;
        long load411 = (load4(bArr, 52) >> 4) & 2097151;
        long load311 = (load3(bArr, 55) >> 1) & 2097151;
        long load412 = (load4(bArr, 57) >> 6) & 2097151;
        long load413 = load4(bArr, 60) >> 3;
        long j = (load413 * 666643) + load46;
        long j8 = (load413 * 470296) + load47;
        long j9 = (load413 * 654183) + load37;
        long j10 = load48 - (load413 * 997805);
        long j11 = (load413 * 136657) + load38;
        long j12 = load39 - (load413 * 683901);
        long j13 = (load412 * 666643) + load36;
        long j14 = (load412 * 470296) + j;
        long j15 = (load412 * 654183) + j8;
        long j16 = j9 - (load412 * 997805);
        long j17 = (load412 * 136657) + j10;
        long j18 = j11 - (load412 * 683901);
        long j19 = (load311 * 666643) + load45;
        long j20 = (load311 * 470296) + j13;
        long j21 = (load311 * 654183) + j14;
        long j22 = j15 - (load311 * 997805);
        long j23 = (load311 * 136657) + j16;
        long j24 = j17 - (load311 * 683901);
        long j25 = (load411 * 666643) + load35;
        long j26 = (load411 * 470296) + j19;
        long j27 = (load411 * 654183) + j20;
        long j28 = j21 - (load411 * 997805);
        long j29 = (load411 * 136657) + j22;
        long j30 = j23 - (load411 * 683901);
        long j31 = (load410 * 666643) + load34;
        long j32 = (load410 * 470296) + j25;
        long j33 = (load410 * 654183) + j26;
        long j34 = j27 - (load410 * 997805);
        long j35 = (load410 * 136657) + j28;
        long j36 = j29 - (load410 * 683901);
        long j37 = (load310 * 666643) + load44;
        long j38 = (load310 * 470296) + j31;
        long j39 = (load310 * 654183) + j32;
        long j40 = j33 - (load310 * 997805);
        long j41 = (load310 * 136657) + j34;
        long j42 = j35 - (load310 * 683901);
        long j43 = (j37 + 1048576) >> 21;
        long j44 = j38 + j43;
        long j45 = j37 - (j43 << 21);
        long j46 = (j39 + 1048576) >> 21;
        long j47 = j40 + j46;
        long j48 = j39 - (j46 << 21);
        long j49 = (j41 + 1048576) >> 21;
        long j50 = j42 + j49;
        long j51 = j41 - (j49 << 21);
        long j52 = (j36 + 1048576) >> 21;
        long j53 = j30 + j52;
        long j54 = j36 - (j52 << 21);
        long j55 = (j24 + 1048576) >> 21;
        long j56 = j18 + j55;
        long j57 = j24 - (j55 << 21);
        long j58 = (j12 + 1048576) >> 21;
        long j59 = load49 + j58;
        long j60 = j12 - (j58 << 21);
        long j61 = (j44 + 1048576) >> 21;
        long j62 = j48 + j61;
        long j63 = j44 - (j61 << 21);
        long j64 = (j47 + 1048576) >> 21;
        long j65 = j51 + j64;
        long j66 = j47 - (j64 << 21);
        long j67 = (j50 + 1048576) >> 21;
        long j68 = j54 + j67;
        long j69 = j50 - (j67 << 21);
        long j70 = (j53 + 1048576) >> 21;
        long j71 = j57 + j70;
        long j72 = j53 - (j70 << 21);
        long j73 = (j56 + 1048576) >> 21;
        long j74 = j60 + j73;
        long j75 = j56 - (j73 << 21);
        long j76 = (j59 * 666643) + load33;
        long j77 = (j59 * 470296) + j45;
        long j78 = (j59 * 654183) + j63;
        long j79 = j62 - (j59 * 997805);
        long j80 = (j59 * 136657) + j66;
        long j81 = j65 - (j59 * 683901);
        long j82 = (j74 * 666643) + load43;
        long j83 = (j74 * 470296) + j76;
        long j84 = (j74 * 654183) + j77;
        long j85 = j78 - (j74 * 997805);
        long j86 = (j74 * 136657) + j79;
        long j87 = j80 - (j74 * 683901);
        long j88 = (j75 * 666643) + load42;
        long j89 = (j75 * 470296) + j82;
        long j90 = (j75 * 654183) + j83;
        long j91 = (j75 * 136657) + j85;
        long j92 = j86 - (j75 * 683901);
        long j93 = (j71 * 666643) + load32;
        long j94 = (j71 * 470296) + j88;
        long j95 = (j71 * 654183) + j89;
        long j96 = (j71 * 136657) + (j84 - (j75 * 997805));
        long j97 = (j72 * 666643) + load4;
        long j98 = (j72 * 470296) + j93;
        long j99 = (j72 * 654183) + j94;
        long j100 = j95 - (j72 * 997805);
        long j101 = (j72 * 136657) + (j90 - (j71 * 997805));
        long j102 = j96 - (j72 * 683901);
        long j103 = (j68 * 666643) + load3;
        long j104 = (j68 * 654183) + j98;
        long j105 = (j68 * 136657) + j100;
        long j106 = (j103 + 1048576) >> 21;
        long j107 = (j68 * 470296) + j97 + j106;
        long j108 = j103 - (j106 << 21);
        long j109 = (j104 + 1048576) >> 21;
        long j110 = (j99 - (j68 * 997805)) + j109;
        long j111 = j104 - (j109 << 21);
        long j112 = (j105 + 1048576) >> 21;
        long j113 = (j101 - (j68 * 683901)) + j112;
        long j114 = j105 - (j112 << 21);
        long j115 = (j102 + 1048576) >> 21;
        long j116 = (j91 - (j71 * 683901)) + j115;
        long j117 = j102 - (j115 << 21);
        long j118 = (j92 + 1048576) >> 21;
        long j119 = j87 + j118;
        long j120 = j92 - (j118 << 21);
        long j121 = (j81 + 1048576) >> 21;
        long j122 = j69 + j121;
        long j123 = j81 - (j121 << 21);
        long j124 = (j107 + 1048576) >> 21;
        long j125 = j111 + j124;
        long j126 = j107 - (j124 << 21);
        long j127 = (j110 + 1048576) >> 21;
        long j128 = j114 + j127;
        long j129 = j110 - (j127 << 21);
        long j130 = (j113 + 1048576) >> 21;
        long j131 = j117 + j130;
        long j132 = j113 - (j130 << 21);
        long j133 = (j116 + 1048576) >> 21;
        long j134 = j120 + j133;
        long j135 = j116 - (j133 << 21);
        long j136 = (j119 + 1048576) >> 21;
        long j137 = (j122 + 1048576) >> 21;
        long j138 = (j137 * 666643) + j108;
        long j139 = (j137 * 136657) + j128;
        long j140 = j138 >> 21;
        long j141 = (j137 * 470296) + j126 + j140;
        long j142 = j138 - (j140 << 21);
        long j143 = j141 >> 21;
        long j144 = (j137 * 654183) + j125 + j143;
        long j145 = j141 - (j143 << 21);
        long j146 = j144 >> 21;
        long j147 = (j129 - (j137 * 997805)) + j146;
        long j148 = j144 - (j146 << 21);
        long j149 = j147 >> 21;
        long j150 = j139 + j149;
        long j151 = j147 - (j149 << 21);
        long j152 = j150 >> 21;
        long j153 = (j132 - (j137 * 683901)) + j152;
        long j154 = j150 - (j152 << 21);
        long j155 = j153 >> 21;
        long j156 = j131 + j155;
        long j157 = j153 - (j155 << 21);
        long j158 = j156 >> 21;
        long j159 = j135 + j158;
        long j160 = j156 - (j158 << 21);
        long j161 = j159 >> 21;
        long j162 = j134 + j161;
        long j163 = j159 - (j161 << 21);
        long j164 = j162 >> 21;
        long j165 = (j119 - (j136 << 21)) + j164;
        long j166 = j162 - (j164 << 21);
        long j167 = j165 >> 21;
        long j168 = j123 + j136 + j167;
        long j169 = j165 - (j167 << 21);
        long j170 = j168 >> 21;
        long j171 = (j122 - (j137 << 21)) + j170;
        long j172 = j168 - (j170 << 21);
        long j173 = j171 >> 21;
        long j174 = j171 - (j173 << 21);
        long j175 = (666643 * j173) + j142;
        long j176 = (654183 * j173) + j148;
        long j177 = j151 - (997805 * j173);
        long j178 = (136657 * j173) + j154;
        long j179 = j157 - (j173 * 683901);
        long j180 = j175 >> 21;
        long j181 = (470296 * j173) + j145 + j180;
        long j182 = j181 >> 21;
        long j183 = j176 + j182;
        long j184 = j181 - (j182 << 21);
        long j185 = j183 >> 21;
        long j186 = j177 + j185;
        long j187 = j183 - (j185 << 21);
        long j188 = j186 >> 21;
        long j189 = j178 + j188;
        long j190 = j186 - (j188 << 21);
        long j191 = j189 >> 21;
        long j192 = j179 + j191;
        long j193 = j189 - (j191 << 21);
        long j194 = j192 >> 21;
        long j195 = j160 + j194;
        long j196 = j192 - (j194 << 21);
        long j197 = j195 >> 21;
        long j198 = j163 + j197;
        long j199 = j195 - (j197 << 21);
        long j200 = j198 >> 21;
        long j201 = j166 + j200;
        long j202 = j198 - (j200 << 21);
        long j203 = j201 >> 21;
        long j204 = j169 + j203;
        long j205 = j201 - (j203 << 21);
        long j206 = j204 >> 21;
        long j207 = j172 + j206;
        long j208 = j204 - (j206 << 21);
        long j209 = j207 >> 21;
        long j210 = j174 + j209;
        long j211 = j207 - (j209 << 21);
        bArr[0] = (byte) (j175 - (j180 << 21));
        bArr[1] = (byte) (r2 >> 8);
        bArr[2] = (byte) ((r2 >> 16) | (j184 << 5));
        bArr[3] = (byte) (j184 >> 3);
        bArr[4] = (byte) (j184 >> 11);
        bArr[5] = (byte) ((j184 >> 19) | (j187 << 2));
        bArr[6] = (byte) (j187 >> 6);
        bArr[7] = (byte) ((j187 >> 14) | (j190 << 7));
        bArr[8] = (byte) (j190 >> 1);
        bArr[9] = (byte) (j190 >> 9);
        bArr[10] = (byte) ((j190 >> 17) | (j193 << 4));
        bArr[11] = (byte) (j193 >> 4);
        bArr[12] = (byte) (j193 >> 12);
        bArr[13] = (byte) ((j193 >> 20) | (j196 << 1));
        bArr[14] = (byte) (j196 >> 7);
        bArr[15] = (byte) ((j196 >> 15) | (j199 << 6));
        bArr[16] = (byte) (j199 >> 2);
        bArr[17] = (byte) (j199 >> 10);
        bArr[18] = (byte) ((j199 >> 18) | (j202 << 3));
        bArr[19] = (byte) (j202 >> 5);
        bArr[20] = (byte) (j202 >> 13);
        bArr[21] = (byte) j205;
        bArr[22] = (byte) (j205 >> 8);
        bArr[23] = (byte) ((j205 >> 16) | (j208 << 5));
        bArr[24] = (byte) (j208 >> 3);
        bArr[25] = (byte) (j208 >> 11);
        bArr[26] = (byte) ((j208 >> 19) | (j211 << 2));
        bArr[27] = (byte) (j211 >> 6);
        bArr[28] = (byte) ((j211 >> 14) | (j210 << 7));
        bArr[29] = (byte) (j210 >> 1);
        bArr[30] = (byte) (j210 >> 9);
        bArr[31] = (byte) (j210 >> 17);
    }

    private static XYZ scalarMultWithBase(byte[] bArr) {
        int i5;
        byte[] bArr2 = new byte[64];
        int i8 = 0;
        while (true) {
            if (i8 >= 32) {
                break;
            }
            int i9 = i8 * 2;
            bArr2[i9] = (byte) (bArr[i8] & Ascii.SI);
            bArr2[i9 + 1] = (byte) (((bArr[i8] & UnsignedBytes.MAX_VALUE) >> 4) & 15);
            i8++;
        }
        int i10 = 0;
        int i11 = 0;
        while (i10 < 63) {
            byte b8 = (byte) (bArr2[i10] + i11);
            bArr2[i10] = b8;
            int i12 = (b8 + 8) >> 4;
            bArr2[i10] = (byte) (b8 - (i12 << 4));
            i10++;
            i11 = i12;
        }
        bArr2[63] = (byte) (bArr2[63] + i11);
        PartialXYZT partialXYZT = new PartialXYZT(NEUTRAL);
        XYZT xyzt = new XYZT();
        for (i5 = 1; i5 < 64; i5 += 2) {
            CachedXYT cachedXYT = new CachedXYT(CACHED_NEUTRAL);
            select(cachedXYT, i5 / 2, bArr2[i5]);
            add(partialXYZT, XYZT.fromPartialXYZT(xyzt, partialXYZT), cachedXYT);
        }
        XYZ xyz = new XYZ();
        doubleXYZ(partialXYZT, XYZ.fromPartialXYZT(xyz, partialXYZT));
        doubleXYZ(partialXYZT, XYZ.fromPartialXYZT(xyz, partialXYZT));
        doubleXYZ(partialXYZT, XYZ.fromPartialXYZT(xyz, partialXYZT));
        doubleXYZ(partialXYZT, XYZ.fromPartialXYZT(xyz, partialXYZT));
        for (int i13 = 0; i13 < 64; i13 += 2) {
            CachedXYT cachedXYT2 = new CachedXYT(CACHED_NEUTRAL);
            select(cachedXYT2, i13 / 2, bArr2[i13]);
            add(partialXYZT, XYZT.fromPartialXYZT(xyzt, partialXYZT), cachedXYT2);
        }
        XYZ xyz2 = new XYZ(partialXYZT);
        if (xyz2.isOnCurve()) {
            return xyz2;
        }
        throw new IllegalStateException("arithmetic error in scalar multiplication");
    }

    public static byte[] scalarMultWithBaseToBytes(byte[] bArr) {
        return scalarMultWithBase(bArr).toBytes();
    }

    private static void select(CachedXYT cachedXYT, int i5, byte b8) {
        int i8 = (b8 & UnsignedBytes.MAX_VALUE) >> 7;
        int i9 = b8 - (((-i8) & b8) << 1);
        CachedXYT[][] cachedXYTArr = Ed25519Constants.B_TABLE;
        cachedXYT.copyConditional(cachedXYTArr[i5][0], eq(i9, 1));
        cachedXYT.copyConditional(cachedXYTArr[i5][1], eq(i9, 2));
        cachedXYT.copyConditional(cachedXYTArr[i5][2], eq(i9, 3));
        cachedXYT.copyConditional(cachedXYTArr[i5][3], eq(i9, 4));
        cachedXYT.copyConditional(cachedXYTArr[i5][4], eq(i9, 5));
        cachedXYT.copyConditional(cachedXYTArr[i5][5], eq(i9, 6));
        cachedXYT.copyConditional(cachedXYTArr[i5][6], eq(i9, 7));
        cachedXYT.copyConditional(cachedXYTArr[i5][7], eq(i9, 8));
        long[] copyOf = Arrays.copyOf(cachedXYT.yMinusX, 10);
        long[] copyOf2 = Arrays.copyOf(cachedXYT.yPlusX, 10);
        long[] copyOf3 = Arrays.copyOf(cachedXYT.t2d, 10);
        neg(copyOf3, copyOf3);
        cachedXYT.copyConditional(new CachedXYT(copyOf, copyOf2, copyOf3), i8);
    }

    public static byte[] sign(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        byte[] copyOfRange = Arrays.copyOfRange(bArr, 0, bArr.length);
        MessageDigest engineFactory = EngineFactory.MESSAGE_DIGEST.getInstance("SHA-512");
        engineFactory.update(bArr3, 32, 32);
        engineFactory.update(copyOfRange);
        byte[] digest = engineFactory.digest();
        reduce(digest);
        byte[] copyOfRange2 = Arrays.copyOfRange(scalarMultWithBase(digest).toBytes(), 0, 32);
        engineFactory.reset();
        engineFactory.update(copyOfRange2);
        engineFactory.update(bArr2);
        engineFactory.update(copyOfRange);
        byte[] digest2 = engineFactory.digest();
        reduce(digest2);
        byte[] bArr4 = new byte[32];
        mulAdd(bArr4, digest2, bArr3, digest);
        return Bytes.concat(copyOfRange2, bArr4);
    }

    private static byte[] slide(byte[] bArr) {
        int i5;
        byte[] bArr2 = new byte[256];
        for (int i8 = 0; i8 < 256; i8++) {
            bArr2[i8] = (byte) (1 & ((bArr[i8 >> 3] & UnsignedBytes.MAX_VALUE) >> (i8 & 7)));
        }
        for (int i9 = 0; i9 < 256; i9++) {
            if (bArr2[i9] != 0) {
                for (int i10 = 1; i10 <= 6 && (i5 = i9 + i10) < 256; i10++) {
                    byte b8 = bArr2[i5];
                    if (b8 != 0) {
                        byte b9 = bArr2[i9];
                        if ((b8 << i10) + b9 <= 15) {
                            bArr2[i9] = (byte) (b9 + (b8 << i10));
                            bArr2[i5] = 0;
                        } else if (b9 - (b8 << i10) >= -15) {
                            bArr2[i9] = (byte) (b9 - (b8 << i10));
                            while (true) {
                                if (i5 >= 256) {
                                    break;
                                }
                                if (bArr2[i5] == 0) {
                                    bArr2[i5] = 1;
                                    break;
                                }
                                bArr2[i5] = 0;
                                i5++;
                            }
                        }
                    }
                }
            }
        }
        return bArr2;
    }

    private static void sub(PartialXYZT partialXYZT, XYZT xyzt, CachedXYT cachedXYT) {
        long[] jArr = new long[10];
        long[] jArr2 = partialXYZT.xyz.x;
        XYZ xyz = xyzt.xyz;
        Field25519.sum(jArr2, xyz.y, xyz.x);
        long[] jArr3 = partialXYZT.xyz.y;
        XYZ xyz2 = xyzt.xyz;
        Field25519.sub(jArr3, xyz2.y, xyz2.x);
        long[] jArr4 = partialXYZT.xyz.y;
        Field25519.mult(jArr4, jArr4, cachedXYT.yPlusX);
        XYZ xyz3 = partialXYZT.xyz;
        Field25519.mult(xyz3.f7058z, xyz3.x, cachedXYT.yMinusX);
        Field25519.mult(partialXYZT.f7057t, xyzt.f7059t, cachedXYT.t2d);
        cachedXYT.multByZ(partialXYZT.xyz.x, xyzt.xyz.f7058z);
        long[] jArr5 = partialXYZT.xyz.x;
        Field25519.sum(jArr, jArr5, jArr5);
        XYZ xyz4 = partialXYZT.xyz;
        Field25519.sub(xyz4.x, xyz4.f7058z, xyz4.y);
        XYZ xyz5 = partialXYZT.xyz;
        long[] jArr6 = xyz5.y;
        Field25519.sum(jArr6, xyz5.f7058z, jArr6);
        Field25519.sub(partialXYZT.xyz.f7058z, jArr, partialXYZT.f7057t);
        long[] jArr7 = partialXYZT.f7057t;
        Field25519.sum(jArr7, jArr, jArr7);
    }

    public static boolean verify(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        if (bArr2.length != 64) {
            return false;
        }
        byte[] copyOfRange = Arrays.copyOfRange(bArr2, 32, 64);
        if (!isSmallerThanGroupOrder(copyOfRange)) {
            return false;
        }
        MessageDigest engineFactory = EngineFactory.MESSAGE_DIGEST.getInstance("SHA-512");
        engineFactory.update(bArr2, 0, 32);
        engineFactory.update(bArr3);
        engineFactory.update(bArr);
        byte[] digest = engineFactory.digest();
        reduce(digest);
        byte[] bytes = doubleScalarMultVarTime(digest, XYZT.fromBytesNegateVarTime(bArr3), copyOfRange).toBytes();
        for (int i5 = 0; i5 < 32; i5++) {
            if (bytes[i5] != bArr2[i5]) {
                return false;
            }
        }
        return true;
    }
}
