Got stuck with Ed25519
NIIBE Yutaka
gniibe at fsij.org
Wed Sep 11 02:30:43 CEST 2013
On 2013-09-10 at 09:43 +0200, Werner Koch wrote:
> The expected output is .x=0,.y=1. I really don't understand what's
> going wrong here.
Here is the change over your patch. It works fine for me.
(1) Z1 should be p1->z. I think that it's a kind of typo.
(2) Comment fix: Z_3 should be Z_2.
(3) X3 might be the same place that X2 refers to. We need to use TMP first.
(4) NBITS should not be the number of bits of SCALAR minus 1, but
the number of bits itself.
diff --git a/mpi/ec.c b/mpi/ec.c
index d0f25c4..1d6a6a7 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1081,7 +1081,7 @@ add_points_twistededwards (mpi_point_t result,
{
#define X1 (p1->x)
#define Y1 (p1->y)
-#define Z1 (p2->z)
+#define Z1 (p1->z)
#define X2 (p2->x)
#define Y2 (p2->y)
#define Z2 (p2->z)
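Review bot: The corrected Z1 define needs a regression test next to it, because with the removed line Z1 and Z2 both expanded to p2->z, the function still compiled, and it still gave the right answer whenever the two inputs happened to carry the same Z coordinate. A test that adds two points with different Z values and compares the result after conversion to affine coordinates would have caught the typo. Since X1..Z2 are function-local macros with near-identical names, it is also worth confirming that each one is undefined again at the end of the function (not visible in this hunk), so a later copy of the block cannot pick up a stale definition.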
@@ -1097,7 +1097,7 @@ add_points_twistededwards (mpi_point_t result,
#define G (ctx->t.scratch[6])
#define tmp (ctx->t.scratch[7])
- /* Compute: (X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_3) */
+ /* Compute: (X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2) */
/* A = Z1 · Z2 */
ec_mulm (A, Z1, Z2, ctx);
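Review bot: The "Compute:" comment is the right place to also state the aliasing contract, and it currently says nothing about it. The message notes that X3 may be the same storage as X2, and the ordering of the ec_addm calls later in this function depends on that; one more sentence here, saying that the result point may share storage with either input, would keep a later cleanup from undoing the fix. As a smaller style point, tmp is the only lower-case name among the scratch macros (G and the others are upper case), which makes it easy to mistake for a local variable.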
@@ -1122,8 +1122,8 @@ add_points_twistededwards (mpi_point_t result,
ec_addm (G, B, E, ctx);
/* X_3 = A · F · ((X_1 + Y_1) · (X_2 + Y_2) - C - D) */
- ec_addm (X3, X1, Y1, ctx);
- ec_addm (tmp, X2, Y2, ctx);
+ ec_addm (tmp, X1, Y1, ctx);
+ ec_addm (X3, X2, Y2, ctx);
ec_mulm (X3, X3, tmp, ctx);
ec_subm (X3, X3, C, ctx);
ec_subm (X3, X3, D, ctx);
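Review bot: The new order, tmp = X1 + Y1 followed by X3 = X2 + Y2, is only safe while nothing reads X1 or X2 after the first write to X3, and the code does not say so. Put a short comment above the two ec_addm calls explaining that X3 may alias an input coordinate and that the sum held in tmp therefore has to be formed before X3 is touched. The statements that follow the ec_subm lines are outside this hunk and should be checked for later reads of the input coordinates. A test that calls the function with result equal to p1, and again with result equal to p2, would cover both aliasing cases.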
@@ -1230,7 +1230,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
unsigned int nbits;
int j;
- nbits = mpi_get_nbits (scalar) - 1;
+ nbits = mpi_get_nbits (scalar);
mpi_set_ui (result->x, 0);
mpi_set_ui (result->y, 1);
mpi_set_ui (result->z, 1);
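Review bot: At the nbits assignment, nbits is declared unsigned int while the index j is a plain int, so the loop that consumes nbits (outside this hunk) should be checked at the boundaries. With the removed line, a scalar for which mpi_get_nbits returns 0 would have wrapped nbits to a very large value; with the new line the same input gives 0, and the loop must then leave result at the (0, 1, 1) set by the three mpi_set_ui calls. Tests for scalar 0 and scalar 1 would pin down both this and the off-by-one being fixed. Separately, if the loop runs once per bit of nbits, the running time depends on the bit length of the scalar, which is worth a comment wherever the scalar is a secret.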