Faster sc25519 inversion, with one less squaring

src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c

@@ -2071,46 +2071,52 @@ sc25519_sqmul(unsigned char s[32], const int n, const unsigned char a[32])
 void
 sc25519_invert(unsigned char recip[32], const unsigned char s[32])
 {
-    unsigned char _10[32], _100[32], _11[32], _101[32], _111[32],
-        _1001[32], _1011[32], _1111[32];
+    unsigned char _10[32], _100[32], _1000[32], _10000[32], _100000[32],
+        _1000000[32], _10010011[32], _10010111[32], _100110[32], _1010[32],
+        _1010000[32], _1010011[32], _1011[32], _10110[32], _10111101[32],
+        _11[32], _1100011[32], _1100111[32], _11010011[32], _1101011[32],
+        _11100111[32], _11101011[32], _11110101[32];
 
     sc25519_sq(_10, s);
-    sc25519_sq(_100, _10);
-    sc25519_mul(_11, _10, s);
-    sc25519_mul(_101, _10, _11);
-    sc25519_mul(_111, _10, _101);
-    sc25519_mul(_1001, _10, _111);
-    sc25519_mul(_1011, _10, _1001);
-    sc25519_mul(_1111, _100, _1011);
-    sc25519_mul(recip, _1111, s);
+    sc25519_mul(_11, s, _10);
+    sc25519_mul(_100, s, _11);
+    sc25519_sq(_1000, _100);
+    sc25519_mul(_1010, _10, _1000);
+    sc25519_mul(_1011, s, _1010);
+    sc25519_sq(_10000, _1000);
+    sc25519_sq(_10110, _1011);
+    sc25519_mul(_100000, _1010, _10110);
+    sc25519_mul(_100110, _10000, _10110);
+    sc25519_sq(_1000000, _100000);
+    sc25519_mul(_1010000, _10000, _1000000);
+    sc25519_mul(_1010011, _11, _1010000);
+    sc25519_mul(_1100011, _10000, _1010011);
+    sc25519_mul(_1100111, _100, _1100011);
+    sc25519_mul(_1101011, _100, _1100111);
+    sc25519_mul(_10010011, _1000000, _1010011);
+    sc25519_mul(_10010111, _100, _10010011);
+    sc25519_mul(_10111101, _100110, _10010111);
+    sc25519_mul(_11010011, _10110, _10111101);
+    sc25519_mul(_11100111, _1010000, _10010111);
+    sc25519_mul(_11101011, _100, _11100111);
+    sc25519_mul(_11110101, _1010, _11101011);
 
-    sc25519_sqmul(recip, 123 + 3, _101);
-    sc25519_sqmul(recip, 2 + 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 4, _1001);
-    sc25519_sqmul(recip, 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 1 + 3, _101);
-    sc25519_sqmul(recip, 3 + 3, _101);
-    sc25519_sqmul(recip, 3, _111);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 2 + 3, _111);
-    sc25519_sqmul(recip, 2 + 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1011);
-    sc25519_sqmul(recip, 2 + 4, _1011);
-    sc25519_sqmul(recip, 6 + 4, _1001);
-    sc25519_sqmul(recip, 2 + 2, _11);
-    sc25519_sqmul(recip, 3 + 2, _11);
-    sc25519_sqmul(recip, 3 + 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1001);
-    sc25519_sqmul(recip, 1 + 3, _111);
-    sc25519_sqmul(recip, 2 + 4, _1111);
-    sc25519_sqmul(recip, 1 + 4, _1011);
-    sc25519_sqmul(recip, 3, _101);
-    sc25519_sqmul(recip, 2 + 4, _1111);
-    sc25519_sqmul(recip, 3, _101);
-    sc25519_sqmul(recip, 1 + 2, _11);
+    sc25519_mul(recip, _1011, _11110101);
+    sc25519_sqmul(recip, 126, _1010011);
+    sc25519_sqmul(recip, 9, _10);
+    sc25519_mul(recip, recip, _11110101);
+    sc25519_sqmul(recip, 7, _1100111);
+    sc25519_sqmul(recip, 9, _11110101);
+    sc25519_sqmul(recip, 11, _10111101);
+    sc25519_sqmul(recip, 8, _11100111);
+    sc25519_sqmul(recip, 9, _1101011);
+    sc25519_sqmul(recip, 6, _1011);
+    sc25519_sqmul(recip, 14, _10010011);
+    sc25519_sqmul(recip, 10, _1100011);
+    sc25519_sqmul(recip, 9, _10010111);
+    sc25519_sqmul(recip, 10, _11110101);
+    sc25519_sqmul(recip, 8, _11010011);
+    sc25519_sqmul(recip, 8, _11101011);
 }
 
 /*