From 5ab69633b712914cccdf2f08d717387864d6c4c7 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sat, 15 Aug 2020 11:48:34 +0200
Subject: [PATCH] Constify the ladder
---
 lib/std/crypto/25519/curve25519.zig | 35 +++++++++++----------------
 lib/std/crypto/25519/edwards25519.zig | 4 +--
 2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/lib/std/crypto/25519/curve25519.zig b/lib/std/crypto/25519/curve25519.zig
index 3a4871a1f3..46d7b9a3a6 100644
--- a/lib/std/crypto/25519/curve25519.zig
+++ b/lib/std/crypto/25519/curve25519.zig
@@ -43,28 +43,21 @@ pub const Curve25519 = struct {
 var swap: u8 = 0;
 var pos: usize = bits - 1;
 while (true) : (pos -= 1) {
- const b = (s[pos >> 3] >> @truncate(u3, pos)) & 1;
- swap ^= b;
+ const bit = (s[pos >> 3] >> @truncate(u3, pos)) & 1;
+ swap ^= bit;
 Fe.cSwap2(&x2, &x3, &z2, &z3, swap);
- swap = b;
- var tmp0 = x3.sub(z3);
- var tmp1 = x2.sub(z2);
- x2 = x2.add(z2);
- z2 = x3.add(z3);
- z3 = tmp0.mul(x2);
- z2 = z2.mul(tmp1);
- tmp0 = tmp1.sq();
- tmp1 = x2.sq();
- x3 = z3.add(z2);
- z2 = z3.sub(z2);
- x2 = tmp1.mul(tmp0);
- tmp1 = tmp1.sub(tmp0);
- z2 = z2.sq();
- z3 = tmp1.mul32(121666);
- x3 = x3.sq();
- tmp0 = tmp0.add(z3);
- z3 = x1.mul(z2);
- z2 = tmp1.mul(tmp0);
+ swap = bit;
+ const a = x2.add(z2);
+ const b = x2.sub(z2);
+ const aa = a.sq();
+ const bb = b.sq();
+ x2 = aa.mul(bb);
+ const e = aa.sub(bb);
+ const da = x3.sub(z3).mul(a);
+ const cb = x3.add(z3).mul(b);
+ x3 = da.add(cb).sq();
+ z3 = x1.mul(da.sub(cb).sq());
+ z2 = e.mul(bb.add(e.mul32(121666)));
 if (pos == 0) break;
 }
 Fe.cSwap2(&x2, &x3, &z2, &z3, swap);
diff --git a/lib/std/crypto/25519/edwards25519.zig b/lib/std/crypto/25519/edwards25519.zig
index 93b1a69d17..5d70122921 100644
--- a/lib/std/crypto/25519/edwards25519.zig
+++ b/lib/std/crypto/25519/edwards25519.zig
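Review bot: The constant in the new `z2 = e.mul(bb.add(e.mul32(121666)));` needs a comment, because RFC 7748 writes this ladder step as `E * (AA + 121665 * E)` and a reader checking the rewritten step against the RFC will read 121666 with `bb` as a transcription error. The two forms agree since `aa = bb + e` (from `e = aa.sub(bb)`), so `bb + 121666*e == aa + 121665*e` with a24 = (486662 - 2)/4; I would put exactly that identity above the line: `// bb + 121666*e == aa + 121665*e (a24 = (486662-2)/4) because aa = bb + e; this is the RFC 7748 z_2 step.` The `swap ^= bit` / `swap = bit` pair is also worth one line, e.g. `// swap only when this key bit differs from the previous one: one cSwap2 per step, same operation sequence for every scalar`, since that is what makes the loop's control flow scalar-independent. The enclosing function starts and ends outside the hunk, so how `s` was clamped and whether `Fe.cSwap2` is branch-free cannot be confirmed from here; the ladder's constant-time property rests on both.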
@@ -130,8 +130,8 @@ pub const Edwards25519 = struct {
 var pos: usize = 252;
 while (true) : (pos -= 4) {
 q = q.dbl().dbl().dbl().dbl();
- const b = (s[pos >> 3] >> @truncate(u3, pos)) & 0xf;
- q = q.add(pcSelect(pc, b));
+ const bit = (s[pos >> 3] >> @truncate(u3, pos)) & 0xf;
+ q = q.add(pcSelect(pc, bit));
 if (pos == 0) break;
 }
 try q.rejectIdentity();
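Review bot: The new name in `const bit = (s[pos >> 3] >> @truncate(u3, pos)) & 0xf;` is a misnomer: the mask is `0xf`, the loop steps `pos -= 4` and performs four doublings per iteration, so the value is a 4-bit window of the scalar, not a bit. Calling it `bit` invites confusion with the Montgomery ladder in curve25519.zig, where the same expression masked with `& 1` really does extract one bit that drives a conditional swap. I would rename it `nibble` (or `window`) and pass that to `pcSelect(pc, nibble)`; the original `b` was at least not misleading. The enclosing function starts outside the hunk, and whether `pcSelect` scans all sixteen table entries in constant time cannot be seen here.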