summary refs log tree commit diff
path: root/crypto
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2022-11-17 00:10:42 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2022-11-17 00:10:42 +0700
commitbc9d472a78f0780ddde00f524a07a39c9fccdf5b (patch)
tree72c5051ebd169e61ab87a5caa96d2f6e07a8de62 /crypto
parentPackageValidationBaselineVersion = 2.0.0 (diff)
downloadBouncyCastle.NET-ed25519-bc9d472a78f0780ddde00f524a07a39c9fccdf5b.tar.xz
EdDSA improvements
- better guards on context values
- add Verify method to public keys
- reduced allocation during verification
Diffstat (limited to 'crypto')
-rw-r--r--crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs15
-rw-r--r--crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs39
-rw-r--r--crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs13
-rw-r--r--crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs32
-rw-r--r--crypto/src/crypto/signers/Ed25519Signer.cs7
-rw-r--r--crypto/src/crypto/signers/Ed25519ctxSigner.cs11
-rw-r--r--crypto/src/crypto/signers/Ed25519phSigner.cs12
-rw-r--r--crypto/src/crypto/signers/Ed448Signer.cs10
-rw-r--r--crypto/src/crypto/signers/Ed448phSigner.cs12
-rw-r--r--crypto/src/math/ec/rfc7748/X25519Field.cs22
-rw-r--r--crypto/src/math/ec/rfc7748/X448Field.cs20
-rw-r--r--crypto/src/math/ec/rfc8032/Ed25519.cs341
-rw-r--r--crypto/src/math/ec/rfc8032/Ed448.cs551
-rw-r--r--crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs6
-rw-r--r--crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs6
15 files changed, 988 insertions, 109 deletions
diff --git a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
index a50f71972..eeb782d8e 100644
--- a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
@@ -104,27 +104,36 @@ namespace Org.BouncyCastle.Crypto.Parameters
             case Ed25519.Algorithm.Ed25519:
             {
                 if (null != ctx)
-                    throw new ArgumentException("ctx");
+                    throw new ArgumentException(nameof(ctx));
 
                 Ed25519.Sign(data, 0, pk, 0, msg, msgOff, msgLen, sig, sigOff);
                 break;
             }
             case Ed25519.Algorithm.Ed25519ctx:
             {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
+
                 Ed25519.Sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);
                 break;
             }
             case Ed25519.Algorithm.Ed25519ph:
             {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
                 if (Ed25519.PrehashSize != msgLen)
-                    throw new ArgumentException("msgLen");
+                    throw new ArgumentException(nameof(msgLen));
 
                 Ed25519.SignPrehash(data, 0, pk, 0, ctx, msg, msgOff, sig, sigOff);
                 break;
             }
             default:
             {
-                throw new ArgumentException("algorithm");
+                throw new ArgumentOutOfRangeException(nameof(algorithm));
             }
             }
         }
diff --git a/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs b/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs
index 9b94635d5..5465543a8 100644
--- a/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs
@@ -60,6 +60,45 @@ namespace Org.BouncyCastle.Crypto.Parameters
             return Arrays.Clone(data);
         }
 
+        public bool Verify(Ed25519.Algorithm algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,
+            byte[] sig, int sigOff)
+        {
+            switch (algorithm)
+            {
+            case Ed25519.Algorithm.Ed25519:
+            {
+                if (null != ctx)
+                    throw new ArgumentException(nameof(ctx));
+
+                return Ed25519.Verify(sig, sigOff, data, 0, msg, msgOff, msgLen);
+            }
+            case Ed25519.Algorithm.Ed25519ctx:
+            {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
+
+                return Ed25519.Verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen);
+            }
+            case Ed25519.Algorithm.Ed25519ph:
+            {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
+                if (Ed25519.PrehashSize != msgLen)
+                    throw new ArgumentException(nameof(msgLen));
+
+                return Ed25519.VerifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff);
+            }
+            default:
+            {
+                throw new ArgumentOutOfRangeException(nameof(algorithm));
+            }
+            }
+        }
+
         private static byte[] Validate(byte[] buf)
         {
             if (buf.Length != KeySize)
diff --git a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
index ac12a2f1d..a9283761b 100644
--- a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
@@ -103,20 +103,29 @@ namespace Org.BouncyCastle.Crypto.Parameters
             {
             case Ed448.Algorithm.Ed448:
             {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
+
                 Ed448.Sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);
                 break;
             }
             case Ed448.Algorithm.Ed448ph:
             {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
                 if (Ed448.PrehashSize != msgLen)
-                    throw new ArgumentException("msgLen");
+                    throw new ArgumentException(nameof(msgLen));
 
                 Ed448.SignPrehash(data, 0, pk, 0, ctx, msg, msgOff, sig, sigOff);
                 break;
             }
             default:
             {
-                throw new ArgumentException("algorithm");
+                throw new ArgumentOutOfRangeException(nameof(algorithm));
             }
             }
         }
diff --git a/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs b/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs
index 26f6b5ba9..2b12f37e5 100644
--- a/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs
@@ -60,6 +60,38 @@ namespace Org.BouncyCastle.Crypto.Parameters
             return Arrays.Clone(data);
         }
 
+        public bool Verify(Ed448.Algorithm algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,
+            byte[] sig, int sigOff)
+        {
+            switch (algorithm)
+            {
+            case Ed448.Algorithm.Ed448:
+            {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
+
+                return Ed448.Verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen);
+            }
+            case Ed448.Algorithm.Ed448ph:
+            {
+                if (null == ctx)
+                    throw new ArgumentNullException(nameof(ctx));
+                if (ctx.Length > 255)
+                    throw new ArgumentOutOfRangeException(nameof(ctx));
+                if (Ed448.PrehashSize != msgLen)
+                    throw new ArgumentException(nameof(msgLen));
+
+                return Ed448.VerifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff);
+            }
+            default:
+            {
+                throw new ArgumentOutOfRangeException(nameof(algorithm));
+            }
+            }
+        }
+
         private static byte[] Validate(byte[] buf)
         {
             if (buf.Length != KeySize)
diff --git a/crypto/src/crypto/signers/Ed25519Signer.cs b/crypto/src/crypto/signers/Ed25519Signer.cs
index 79a2b1202..450eb2913 100644
--- a/crypto/src/crypto/signers/Ed25519Signer.cs
+++ b/crypto/src/crypto/signers/Ed25519Signer.cs
@@ -82,7 +82,7 @@ namespace Org.BouncyCastle.Crypto.Signers
             buffer.Reset();
         }
 
-        private class Buffer : MemoryStream
+        private sealed class Buffer : MemoryStream
         {
             internal byte[] GenerateSignature(Ed25519PrivateKeyParameters privateKey)
             {
@@ -92,7 +92,7 @@ namespace Org.BouncyCastle.Crypto.Signers
                     int count = Convert.ToInt32(Length);
 
                     byte[] signature = new byte[Ed25519PrivateKeyParameters.SignatureSize];
-                    privateKey.Sign(Ed25519.Algorithm.Ed25519, null, buf, 0, count, signature, 0);
+                    privateKey.Sign(Ed25519.Algorithm.Ed25519, ctx: null, buf, 0, count, signature, 0);
                     Reset();
                     return signature;
                 }
@@ -111,8 +111,7 @@ namespace Org.BouncyCastle.Crypto.Signers
                     byte[] buf = GetBuffer();
                     int count = Convert.ToInt32(Length);
 
-                    byte[] pk = publicKey.GetEncoded();
-                    bool result = Ed25519.Verify(signature, 0, pk, 0, buf, 0, count);
+                    bool result = publicKey.Verify(Ed25519.Algorithm.Ed25519, ctx: null, buf, 0, count, signature, 0);
                     Reset();
                     return result;
                 }
diff --git a/crypto/src/crypto/signers/Ed25519ctxSigner.cs b/crypto/src/crypto/signers/Ed25519ctxSigner.cs
index 90deb84ef..af813be32 100644
--- a/crypto/src/crypto/signers/Ed25519ctxSigner.cs
+++ b/crypto/src/crypto/signers/Ed25519ctxSigner.cs
@@ -3,7 +3,6 @@ using System.IO;
 
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Math.EC.Rfc8032;
-using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Crypto.Signers
 {
@@ -19,7 +18,10 @@ namespace Org.BouncyCastle.Crypto.Signers
 
         public Ed25519ctxSigner(byte[] context)
         {
-            this.context = Arrays.Clone(context);
+            if (null == context)
+                throw new ArgumentNullException(nameof(context));
+
+            this.context = (byte[])context.Clone();
         }
 
         public virtual string AlgorithmName
@@ -85,7 +87,7 @@ namespace Org.BouncyCastle.Crypto.Signers
             buffer.Reset();
         }
 
-        private class Buffer : MemoryStream
+        private sealed class Buffer : MemoryStream
         {
             internal byte[] GenerateSignature(Ed25519PrivateKeyParameters privateKey, byte[] ctx)
             {
@@ -114,8 +116,7 @@ namespace Org.BouncyCastle.Crypto.Signers
                     byte[] buf = GetBuffer();
                     int count = Convert.ToInt32(Length);
 
-                    byte[] pk = publicKey.GetEncoded();
-                    bool result = Ed25519.Verify(signature, 0, pk, 0, ctx, buf, 0, count);
+                    bool result = publicKey.Verify(Ed25519.Algorithm.Ed25519ctx, ctx, buf, 0, count, signature, 0);
                     Reset();
                     return result;
                 }
diff --git a/crypto/src/crypto/signers/Ed25519phSigner.cs b/crypto/src/crypto/signers/Ed25519phSigner.cs
index c0fb04ddf..d4ff2aae9 100644
--- a/crypto/src/crypto/signers/Ed25519phSigner.cs
+++ b/crypto/src/crypto/signers/Ed25519phSigner.cs
@@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers
 
         public Ed25519phSigner(byte[] context)
         {
-            this.context = Arrays.Clone(context);
+            if (null == context)
+                throw new ArgumentNullException(nameof(context));
+
+            this.context = (byte[])context.Clone();
         }
 
         public virtual string AlgorithmName
@@ -88,8 +91,11 @@ namespace Org.BouncyCastle.Crypto.Signers
                 return false;
             }
 
-            byte[] pk = publicKey.GetEncoded();
-            return Ed25519.VerifyPrehash(signature, 0, pk, 0, context, prehash);
+            byte[] msg = new byte[Ed25519.PrehashSize];
+            if (Ed25519.PrehashSize != prehash.DoFinal(msg, 0))
+                throw new InvalidOperationException("Prehash digest failed");
+
+            return publicKey.Verify(Ed25519.Algorithm.Ed25519ph, context, msg, 0, Ed25519.PrehashSize, signature, 0);
         }
 
         public void Reset()
diff --git a/crypto/src/crypto/signers/Ed448Signer.cs b/crypto/src/crypto/signers/Ed448Signer.cs
index 647a4b451..79c0fefce 100644
--- a/crypto/src/crypto/signers/Ed448Signer.cs
+++ b/crypto/src/crypto/signers/Ed448Signer.cs
@@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers
 
         public Ed448Signer(byte[] context)
         {
-            this.context = Arrays.Clone(context);
+            if (null == context)
+                throw new ArgumentNullException(nameof(context));
+
+            this.context = (byte[])context.Clone();
         }
 
         public virtual string AlgorithmName
@@ -85,7 +88,7 @@ namespace Org.BouncyCastle.Crypto.Signers
             buffer.Reset();
         }
 
-        private class Buffer : MemoryStream
+        private sealed class Buffer : MemoryStream
         {
             internal byte[] GenerateSignature(Ed448PrivateKeyParameters privateKey, byte[] ctx)
             {
@@ -114,8 +117,7 @@ namespace Org.BouncyCastle.Crypto.Signers
                     byte[] buf = GetBuffer();
                     int count = Convert.ToInt32(Length);
 
-                    byte[] pk = publicKey.GetEncoded();
-                    bool result = Ed448.Verify(signature, 0, pk, 0, ctx, buf, 0, count);
+                    bool result = publicKey.Verify(Ed448.Algorithm.Ed448, ctx, buf, 0, count, signature, 0);
                     Reset();
                     return result;
                 }
diff --git a/crypto/src/crypto/signers/Ed448phSigner.cs b/crypto/src/crypto/signers/Ed448phSigner.cs
index 197ac1aaa..75f841923 100644
--- a/crypto/src/crypto/signers/Ed448phSigner.cs
+++ b/crypto/src/crypto/signers/Ed448phSigner.cs
@@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers
 
         public Ed448phSigner(byte[] context)
         {
-            this.context = Arrays.Clone(context);
+            if (null == context)
+                throw new ArgumentNullException(nameof(context));
+
+            this.context = (byte[])context.Clone();
         }
 
         public virtual string AlgorithmName
@@ -88,8 +91,11 @@ namespace Org.BouncyCastle.Crypto.Signers
                 return false;
             }
 
-            byte[] pk = publicKey.GetEncoded();
-            return Ed448.VerifyPrehash(signature, 0, pk, 0, context, prehash);
+            byte[] msg = new byte[Ed448.PrehashSize];
+            if (Ed448.PrehashSize != prehash.OutputFinal(msg, 0, Ed448.PrehashSize))
+                throw new InvalidOperationException("Prehash digest failed");
+
+            return publicKey.Verify(Ed448.Algorithm.Ed448ph, context, msg, 0, Ed448.PrehashSize, signature, 0);
         }
 
         public void Reset()
diff --git a/crypto/src/math/ec/rfc7748/X25519Field.cs b/crypto/src/math/ec/rfc7748/X25519Field.cs
index cddf03faa..241710fe9 100644
--- a/crypto/src/math/ec/rfc7748/X25519Field.cs
+++ b/crypto/src/math/ec/rfc7748/X25519Field.cs
@@ -1,4 +1,7 @@
 using System;
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
+#endif
 using System.Diagnostics;
 #if NETSTANDARD1_0_OR_GREATER || NETCOREAPP1_0_OR_GREATER
 using System.Runtime.CompilerServices;
@@ -388,21 +391,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
 
         private static uint Decode32(byte[] bs, int off)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
             uint n = bs[off];
             n |= (uint)bs[++off] << 8;
             n |= (uint)bs[++off] << 16;
             n |= (uint)bs[++off] << 24;
             return n;
+#endif
         }
 
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
         private static uint Decode32(ReadOnlySpan<byte> bs)
         {
-            uint n = bs[0];
-            n |= (uint)bs[1] << 8;
-            n |= (uint)bs[2] << 16;
-            n |= (uint)bs[3] << 24;
-            return n;
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs);
         }
 #endif
 
@@ -485,19 +488,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
 
         private static void Encode32(uint n, byte[] bs, int off)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
             bs[  off] = (byte)(n      );
             bs[++off] = (byte)(n >>  8);
             bs[++off] = (byte)(n >> 16);
             bs[++off] = (byte)(n >> 24);
+#endif
         }
 
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
         private static void Encode32(uint n, Span<byte> bs)
         {
-            bs[0] = (byte)(n      );
-            bs[1] = (byte)(n >>  8);
-            bs[2] = (byte)(n >> 16);
-            bs[3] = (byte)(n >> 24);
+            BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
         }
 #endif
 
diff --git a/crypto/src/math/ec/rfc7748/X448Field.cs b/crypto/src/math/ec/rfc7748/X448Field.cs
index 67e71afa8..1df837d3a 100644
--- a/crypto/src/math/ec/rfc7748/X448Field.cs
+++ b/crypto/src/math/ec/rfc7748/X448Field.cs
@@ -4,6 +4,7 @@ using System.Diagnostics;
 using System.Runtime.CompilerServices;
 #endif
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
 using System.Numerics;
 #endif
 #if NETCOREAPP3_0_OR_GREATER
@@ -318,21 +319,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
 
         private static uint Decode32(byte[] bs, int off)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
             uint n = bs[off];
             n |= (uint)bs[++off] << 8;
             n |= (uint)bs[++off] << 16;
             n |= (uint)bs[++off] << 24;
             return n;
+#endif
         }
 
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
         private static uint Decode32(ReadOnlySpan<byte> bs)
         {
-            uint n = bs[0];
-            n |= (uint)bs[1] << 8;
-            n |= (uint)bs[2] << 16;
-            n |= (uint)bs[3] << 24;
-            return n;
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs);
         }
 #endif
 
@@ -442,19 +443,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
 
         private static void Encode32(uint n, byte[] bs, int off)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
             bs[  off] = (byte)(n      );
             bs[++off] = (byte)(n >>  8);
             bs[++off] = (byte)(n >> 16);
             bs[++off] = (byte)(n >> 24);
+#endif
         }
 
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
         private static void Encode32(uint n, Span<byte> bs)
         {
-            bs[0] = (byte)(n      );
-            bs[1] = (byte)(n >>  8);
-            bs[2] = (byte)(n >> 16);
-            bs[3] = (byte)(n >> 24);
+            BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
         }
 #endif
 
diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs
index f3b63f3b3..82e46aa1f 100644
--- a/crypto/src/math/ec/rfc8032/Ed25519.cs
+++ b/crypto/src/math/ec/rfc8032/Ed25519.cs
@@ -1,4 +1,7 @@
 using System;
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
+#endif
 using System.Diagnostics;
 
 using Org.BouncyCastle.Crypto;
@@ -190,12 +193,35 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return F.IsZero(t);
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static bool CheckPointVar(ReadOnlySpan<byte> p)
+        {
+            if ((Decode32(p[28..]) & 0x7FFFFFFFU) < P[7])
+                return true;
+            for (int i = CoordUints - 2; i >= 0; --i)
+            {
+                if (Decode32(p[(i * 4)..]) < P[i])
+                    return true;
+            }
+            return false;
+        }
+
+        private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n)
+        {
+            DecodeScalar(s, n);
+            return !Nat.Gte(ScalarUints, n, L);
+        }
+#else
         private static bool CheckPointVar(byte[] p)
         {
-            uint[] t = new uint[CoordUints];
-            Decode32(p, 0, t, 0, CoordUints);
-            t[CoordUints - 1] &= 0x7FFFFFFFU;
-            return !Nat256.Gte(t, P);
+            if ((Decode32(p, 28) & 0x7FFFFFFFU) < P[7])
+                return true;
+            for (int i = CoordUints - 2; i >= 0; --i)
+            {
+                if (Decode32(p, i * 4) < P[i])
+                    return true;
+            }
+            return false;
         }
 
         private static bool CheckScalarVar(byte[] s, uint[] n)
@@ -203,6 +229,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             DecodeScalar(s, 0, n);
             return !Nat256.Gte(n, L);
         }
+#endif
 
         private static byte[] Copy(byte[] buf, int off, int len)
         {
@@ -213,7 +240,10 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static IDigest CreateDigest()
         {
-            return new Sha512Digest();
+            var d = new Sha512Digest();
+            if (d.GetDigestSize() != 64)
+                throw new InvalidOperationException();
+            return d;
         }
 
         public static IDigest CreatePrehash()
@@ -229,23 +259,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return n;
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static uint Decode24(ReadOnlySpan<byte> bs)
+        {
+            uint n = bs[0];
+            n |= (uint)bs[1] << 8;
+            n |= (uint)bs[2] << 16;
+            return n;
+        }
+#endif
+
         private static uint Decode32(byte[] bs, int off)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
             uint n = bs[off];
             n |= (uint)bs[++off] << 8;
             n |= (uint)bs[++off] << 16;
             n |= (uint)bs[++off] << 24;
             return n;
+#endif
         }
 
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
         private static uint Decode32(ReadOnlySpan<byte> bs)
         {
-            uint n = bs[0];
-            n |= (uint)bs[1] << 8;
-            n |= (uint)bs[2] << 16;
-            n |= (uint)bs[3] << 24;
-            return n;
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs);
         }
 #endif
 
@@ -335,20 +375,48 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             bs[++off] = (byte)(n >> 16);
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void Encode24(uint n, Span<byte> bs)
+        {
+            bs[0] = (byte)(n);
+            bs[1] = (byte)(n >> 8);
+            bs[2] = (byte)(n >> 16);
+        }
+#endif
+
         private static void Encode32(uint n, byte[] bs, int off)
         {
-            bs[off] = (byte)(n);
-            bs[++off] = (byte)(n >> 8);
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
+            bs[  off] = (byte)(n      );
+            bs[++off] = (byte)(n >>  8);
             bs[++off] = (byte)(n >> 16);
             bs[++off] = (byte)(n >> 24);
+#endif
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void Encode32(uint n, Span<byte> bs)
+        {
+            BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
+        }
+#endif
+
         private static void Encode56(ulong n, byte[] bs, int off)
         {
             Encode32((uint)n, bs, off);
             Encode24((uint)(n >> 32), bs, off + 4);
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void Encode56(ulong n, Span<byte> bs)
+        {
+            Encode32((uint)n, bs);
+            Encode24((uint)(n >> 32), bs[4..]);
+        }
+#endif
+
         private static int EncodePoint(ref PointAccum p, byte[] r, int rOff)
         {
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -417,7 +485,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             GeneratePublicKey(sk.AsSpan(skOff), pk.AsSpan(pkOff));
 #else
             IDigest d = CreateDigest();
-            byte[] h = new byte[d.GetDigestSize()];
+            byte[] h = new byte[64];
 
             d.BlockUpdate(sk, skOff, SecretKeySize);
             d.DoFinal(h, 0);
@@ -433,10 +501,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
         public static void GeneratePublicKey(ReadOnlySpan<byte> sk, Span<byte> pk)
         {
             IDigest d = CreateDigest();
-            int digestSize = d.GetDigestSize();
-            Span<byte> h = digestSize <= 128
-                ? stackalloc byte[digestSize]
-                : new byte[digestSize];
+            Span<byte> h = stackalloc byte[64];
 
             d.BlockUpdate(sk[..SecretKeySize]);
             d.DoFinal(h);
@@ -458,7 +523,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return (x[w] >> b) & 15U;
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static sbyte[] GetWnafVar(ReadOnlySpan<uint> n, int width)
+#else
         private static sbyte[] GetWnafVar(uint[] n, int width)
+#endif
         {
             Debug.Assert(n[ScalarUints - 1] <= L[ScalarUints - 1]);
             Debug.Assert(2 <= width && width <= 8);
@@ -541,7 +610,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                 throw new ArgumentException("ctx");
 
             IDigest d = CreateDigest();
-            byte[] h = new byte[d.GetDigestSize()];
+            byte[] h = new byte[64];
 
             d.BlockUpdate(sk, skOff, SecretKeySize);
             d.DoFinal(h, 0);
@@ -562,7 +631,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                 throw new ArgumentException("ctx");
 
             IDigest d = CreateDigest();
-            byte[] h = new byte[d.GetDigestSize()];
+            byte[] h = new byte[64];
 
             d.BlockUpdate(sk, skOff, SecretKeySize);
             d.DoFinal(h, 0);
@@ -579,6 +648,45 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             if (!CheckContextVar(ctx, phflag))
                 throw new ArgumentException("ctx");
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            Span<byte> RS = stackalloc byte[PointBytes + ScalarBytes];
+            RS.CopyFrom(sig.AsSpan(sigOff, PointBytes + ScalarBytes));
+
+            var R = RS[..PointBytes];
+            var S = RS[PointBytes..];
+
+            if (!CheckPointVar(R))
+                return false;
+
+            Span<uint> nS = stackalloc uint[ScalarUints];
+            if (!CheckScalarVar(S, nS))
+                return false;
+
+            Init(out PointAffine pA);
+            if (!DecodePointVar(pk, pkOff, true, ref pA))
+                return false;
+
+            IDigest d = CreateDigest();
+            Span<byte> h = stackalloc byte[64];
+
+            Dom2(d, phflag, ctx);
+            d.BlockUpdate(R);
+            d.BlockUpdate(pk.AsSpan(pkOff, PointBytes));
+            d.BlockUpdate(m.AsSpan(mOff, mLen));
+            d.DoFinal(h);
+
+            Span<byte> k = stackalloc byte[ScalarBytes];
+            ReduceScalar(h, k);
+
+            Span<uint> nA = stackalloc uint[ScalarUints];
+            DecodeScalar(k, nA);
+
+            Init(out PointAccum pR);
+            ScalarMultStrausVar(nS, nA, ref pA, ref pR);
+
+            Span<byte> check = stackalloc byte[PointBytes];
+            return 0 != EncodePoint(ref pR, check) && check.SequenceEqual(R);
+#else
             byte[] R = Copy(sig, sigOff, PointBytes);
             byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes);
 
@@ -594,7 +702,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                 return false;
 
             IDigest d = CreateDigest();
-            byte[] h = new byte[d.GetDigestSize()];
+            byte[] h = new byte[64];
 
             Dom2(d, phflag, ctx);
             d.BlockUpdate(R, 0, PointBytes);
@@ -612,6 +720,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
             byte[] check = new byte[PointBytes];
             return 0 != EncodePoint(ref pR, check, 0) && Arrays.AreEqual(check, R);
+#endif
         }
 
         private static void Init(out PointAccum r)
@@ -1203,6 +1312,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static byte[] ReduceScalar(byte[] n)
         {
+            byte[] r = new byte[ScalarBytes];
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            ReduceScalar(n, r);
+#else
             long x00 = Decode32(n,  0) & M32L;          // x00:32/--
             long x01 = (Decode24(n, 4) << 4) & M32L;    // x01:28/--
             long x02 = Decode32(n,  7) & M32L;          // x02:32/--
@@ -1328,15 +1442,152 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             x07 += (x06 >> 28); x06 &= M28L;
             x08 += (x07 >> 28); x07 &= M28L;
 
-            byte[] r = new byte[ScalarBytes];
             Encode56((ulong)(x00 | (x01 << 28)), r, 0);
             Encode56((ulong)(x02 | (x03 << 28)), r, 7);
             Encode56((ulong)(x04 | (x05 << 28)), r, 14);
             Encode56((ulong)(x06 | (x07 << 28)), r, 21);
             Encode32((uint)x08, r, 28);
+#endif
+
             return r;
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void ReduceScalar(ReadOnlySpan<byte> n, Span<byte> r)
+        {
+            long x00 = Decode32(n[0..]) & M32L;         // x00:32/--
+            long x01 = (Decode24(n[4..]) << 4) & M32L;  // x01:28/--
+            long x02 = Decode32(n[7..]) & M32L;         // x02:32/--
+            long x03 = (Decode24(n[11..]) << 4) & M32L; // x03:28/--
+            long x04 = Decode32(n[14..]) & M32L;        // x04:32/--
+            long x05 = (Decode24(n[18..]) << 4) & M32L; // x05:28/--
+            long x06 = Decode32(n[21..]) & M32L;        // x06:32/--
+            long x07 = (Decode24(n[25..]) << 4) & M32L; // x07:28/--
+            long x08 = Decode32(n[28..]) & M32L;        // x08:32/--
+            long x09 = (Decode24(n[32..]) << 4) & M32L; // x09:28/--
+            long x10 = Decode32(n[35..]) & M32L;        // x10:32/--
+            long x11 = (Decode24(n[39..]) << 4) & M32L; // x11:28/--
+            long x12 = Decode32(n[42..]) & M32L;        // x12:32/--
+            long x13 = (Decode24(n[46..]) << 4) & M32L; // x13:28/--
+            long x14 = Decode32(n[49..]) & M32L;        // x14:32/--
+            long x15 = (Decode24(n[53..]) << 4) & M32L; // x15:28/--
+            long x16 = Decode32(n[56..]) & M32L;        // x16:32/--
+            long x17 = (Decode24(n[60..]) << 4) & M32L; // x17:28/--
+            long x18 = n[63]                  & M08L;   // x18:08/--
+            long t;
+
+            //x18 += (x17 >> 28); x17 &= M28L;
+            x09 -= x18 * L0;                            // x09:34/28
+            x10 -= x18 * L1;                            // x10:33/30
+            x11 -= x18 * L2;                            // x11:35/28
+            x12 -= x18 * L3;                            // x12:32/31
+            x13 -= x18 * L4;                            // x13:28/21
+
+            x17 += (x16 >> 28); x16 &= M28L;            // x17:28/--, x16:28/--
+            x08 -= x17 * L0;                            // x08:54/32
+            x09 -= x17 * L1;                            // x09:52/51
+            x10 -= x17 * L2;                            // x10:55/34
+            x11 -= x17 * L3;                            // x11:51/36
+            x12 -= x17 * L4;                            // x12:41/--
+
+            //x16 += (x15 >> 28); x15 &= M28L;
+            x07 -= x16 * L0;                            // x07:54/28
+            x08 -= x16 * L1;                            // x08:54/53
+            x09 -= x16 * L2;                            // x09:55/53
+            x10 -= x16 * L3;                            // x10:55/52
+            x11 -= x16 * L4;                            // x11:51/41
+
+            x15 += (x14 >> 28); x14 &= M28L;            // x15:28/--, x14:28/--
+            x06 -= x15 * L0;                            // x06:54/32
+            x07 -= x15 * L1;                            // x07:54/53
+            x08 -= x15 * L2;                            // x08:56/--
+            x09 -= x15 * L3;                            // x09:55/54
+            x10 -= x15 * L4;                            // x10:55/53
+
+            //x14 += (x13 >> 28); x13 &= M28L;
+            x05 -= x14 * L0;                            // x05:54/28
+            x06 -= x14 * L1;                            // x06:54/53
+            x07 -= x14 * L2;                            // x07:56/--
+            x08 -= x14 * L3;                            // x08:56/51
+            x09 -= x14 * L4;                            // x09:56/--
+
+            x13 += (x12 >> 28); x12 &= M28L;            // x13:28/22, x12:28/--
+            x04 -= x13 * L0;                            // x04:54/49
+            x05 -= x13 * L1;                            // x05:54/53
+            x06 -= x13 * L2;                            // x06:56/--
+            x07 -= x13 * L3;                            // x07:56/52
+            x08 -= x13 * L4;                            // x08:56/52
+
+            x12 += (x11 >> 28); x11 &= M28L;            // x12:28/24, x11:28/--
+            x03 -= x12 * L0;                            // x03:54/49
+            x04 -= x12 * L1;                            // x04:54/51
+            x05 -= x12 * L2;                            // x05:56/--
+            x06 -= x12 * L3;                            // x06:56/52
+            x07 -= x12 * L4;                            // x07:56/53
+
+            x11 += (x10 >> 28); x10 &= M28L;            // x11:29/--, x10:28/--
+            x02 -= x11 * L0;                            // x02:55/32
+            x03 -= x11 * L1;                            // x03:55/--
+            x04 -= x11 * L2;                            // x04:56/55
+            x05 -= x11 * L3;                            // x05:56/52
+            x06 -= x11 * L4;                            // x06:56/53
+
+            x10 += (x09 >> 28); x09 &= M28L;            // x10:29/--, x09:28/--
+            x01 -= x10 * L0;                            // x01:55/28
+            x02 -= x10 * L1;                            // x02:55/54
+            x03 -= x10 * L2;                            // x03:56/55
+            x04 -= x10 * L3;                            // x04:57/--
+            x05 -= x10 * L4;                            // x05:56/53
+
+            x08 += (x07 >> 28); x07 &= M28L;            // x08:56/53, x07:28/--
+            x09 += (x08 >> 28); x08 &= M28L;            // x09:29/25, x08:28/--
+
+            t    = (x08 >> 27) & 1L;
+            x09 += t;                                   // x09:29/26
+
+            x00 -= x09 * L0;                            // x00:55/53
+            x01 -= x09 * L1;                            // x01:55/54
+            x02 -= x09 * L2;                            // x02:57/--
+            x03 -= x09 * L3;                            // x03:57/--
+            x04 -= x09 * L4;                            // x04:57/42
+
+            x01 += (x00 >> 28); x00 &= M28L;
+            x02 += (x01 >> 28); x01 &= M28L;
+            x03 += (x02 >> 28); x02 &= M28L;
+            x04 += (x03 >> 28); x03 &= M28L;
+            x05 += (x04 >> 28); x04 &= M28L;
+            x06 += (x05 >> 28); x05 &= M28L;
+            x07 += (x06 >> 28); x06 &= M28L;
+            x08 += (x07 >> 28); x07 &= M28L;
+            x09  = (x08 >> 28); x08 &= M28L;
+
+            x09 -= t;
+
+            Debug.Assert(x09 == 0L || x09 == -1L);
+
+            x00 += x09 & L0;
+            x01 += x09 & L1;
+            x02 += x09 & L2;
+            x03 += x09 & L3;
+            x04 += x09 & L4;
+
+            x01 += (x00 >> 28); x00 &= M28L;
+            x02 += (x01 >> 28); x01 &= M28L;
+            x03 += (x02 >> 28); x02 &= M28L;
+            x04 += (x03 >> 28); x03 &= M28L;
+            x05 += (x04 >> 28); x04 &= M28L;
+            x06 += (x05 >> 28); x05 &= M28L;
+            x07 += (x06 >> 28); x06 &= M28L;
+            x08 += (x07 >> 28); x07 &= M28L;
+
+            Encode56((ulong)(x00 | (x01 << 28)), r);
+            Encode56((ulong)(x02 | (x03 << 28)), r[7..]);
+            Encode56((ulong)(x04 | (x05 << 28)), r[14..]);
+            Encode56((ulong)(x06 | (x07 << 28)), r[21..]);
+            Encode32((uint)x08, r[28..]);
+        }
+#endif
+
         private static void ScalarMult(byte[] k, ref PointAffine p, ref PointAccum r)
         {
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -1634,6 +1885,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static void ScalarMultStrausVar(uint[] nb, uint[] np, ref PointAffine p, ref PointAccum r)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            ScalarMultStrausVar(nb.AsSpan(), np.AsSpan(), ref p, ref r);
+#else
             Precompute();
 
             sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
@@ -1671,7 +1925,52 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
                 PointDouble(ref r);
             }
+#endif
+        }
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void ScalarMultStrausVar(ReadOnlySpan<uint> nb, ReadOnlySpan<uint> np, ref PointAffine p,
+            ref PointAccum r)
+        {
+            Precompute();
+
+            sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
+            sbyte[] ws_p = GetWnafVar(np, WnafWidth);
+
+            int count = 1 << (WnafWidth - 2);
+            PointPrecompZ[] tp = new PointPrecompZ[count];
+            Init(out PointTemp t);
+            PointPrecomputeZ(ref p, tp, count, ref t);
+
+            PointSetNeutral(ref r);
+
+            for (int bit = 252; ;)
+            {
+                int wb = ws_b[bit];
+                if (wb != 0)
+                {
+                    int sign = wb >> 31;
+                    int index = (wb ^ sign) >> 1;
+
+                    PointAddVar(sign != 0, ref PrecompBaseWnaf[index], ref r, ref t);
+                }
+
+                int wp = ws_p[bit];
+                if (wp != 0)
+                {
+                    int sign = wp >> 31;
+                    int index = (wp ^ sign) >> 1;
+
+                    PointAddVar(sign != 0, ref tp[index], ref r, ref t);
+                }
+
+                if (--bit < 0)
+                    break;
+
+                PointDouble(ref r);
+            }
         }
+#endif
 
         public static void Sign(byte[] sk, int skOff, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
         {
diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs
index b73aaa7f8..aadb974e4 100644
--- a/crypto/src/math/ec/rfc8032/Ed448.cs
+++ b/crypto/src/math/ec/rfc8032/Ed448.cs
@@ -1,4 +1,7 @@
 using System;
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
+#endif
 using System.Diagnostics;
 
 using Org.BouncyCastle.Crypto;
@@ -162,14 +165,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return F.IsZero(t);
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static bool CheckPointVar(ReadOnlySpan<byte> p)
+        {
+            if ((p[PointBytes - 1] & 0x7F) != 0x00)
+                return false;
+            if (Decode32(p[52..]) < P[13])
+                return true;
+
+            int last = p[28] == 0xFF ? 7 : 0;
+            for (int i = CoordUints - 2; i >= last; --i)
+            {
+                if (Decode32(p[(i * 4)..]) < P[i])
+                    return true;
+            }
+            return false;
+        }
+
+        private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n)
+        {
+            if (s[ScalarBytes - 1] != 0x00)
+                return false;
+
+            DecodeScalar(s, n);
+            return !Nat.Gte(ScalarUints, n, L);
+        }
+#else
         private static bool CheckPointVar(byte[] p)
         {
             if ((p[PointBytes - 1] & 0x7F) != 0x00)
                 return false;
+            if (Decode32(p, 52) < P[13])
+                return true;
 
-            uint[] t = new uint[CoordUints];
-            Decode32(p, 0, t, 0, CoordUints);
-            return !Nat.Gte(CoordUints, t, P);
+            int last = p[28] == 0xFF ? 7 : 0;
+            for (int i = CoordUints - 2; i >= last; --i)
+            {
+                if (Decode32(p, i * 4) < P[i])
+                    return true;
+            }
+            return false;
         }
 
         private static bool CheckScalarVar(byte[] s, uint[] n)
@@ -180,6 +215,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             DecodeScalar(s, 0, n);
             return !Nat.Gte(ScalarUints, n, L);
         }
+#endif
 
         private static byte[] Copy(byte[] buf, int off, int len)
         {
@@ -200,11 +236,22 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static uint Decode16(byte[] bs, int off)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            return BinaryPrimitives.ReadUInt16LittleEndian(bs.AsSpan(off));
+#else
             uint n = bs[off];
             n |= (uint)bs[++off] << 8;
             return n;
+#endif
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static uint Decode16(ReadOnlySpan<byte> bs)
+        {
+            return BinaryPrimitives.ReadUInt16LittleEndian(bs);
+        }
+#endif
+
         private static uint Decode24(byte[] bs, int off)
         {
             uint n = bs[off];
@@ -213,23 +260,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return n;
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static uint Decode24(ReadOnlySpan<byte> bs)
+        {
+            uint n = bs[0];
+            n |= (uint)bs[1] << 8;
+            n |= (uint)bs[2] << 16;
+            return n;
+        }
+#endif
+
         private static uint Decode32(byte[] bs, int off)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
             uint n = bs[off];
             n |= (uint)bs[++off] << 8;
             n |= (uint)bs[++off] << 16;
             n |= (uint)bs[++off] << 24;
             return n;
+#endif
         }
 
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
         private static uint Decode32(ReadOnlySpan<byte> bs)
         {
-            uint n = bs[0];
-            n |= (uint)bs[1] << 8;
-            n |= (uint)bs[2] << 16;
-            n |= (uint)bs[3] << 24;
-            return n;
+            return BinaryPrimitives.ReadUInt32LittleEndian(bs);
         }
 #endif
 
@@ -322,13 +379,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             bs[++off] = (byte)(n >> 16);
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void Encode24(uint n, Span<byte> bs)
+        {
+            bs[0] = (byte)(n);
+            bs[1] = (byte)(n >> 8);
+            bs[2] = (byte)(n >> 16);
+        }
+#endif
+
         private static void Encode32(uint n, byte[] bs, int off)
         {
-            bs[off] = (byte)(n);
-            bs[++off] = (byte)(n >> 8);
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
+            bs[  off] = (byte)(n      );
+            bs[++off] = (byte)(n >>  8);
             bs[++off] = (byte)(n >> 16);
             bs[++off] = (byte)(n >> 24);
+#endif
+        }
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void Encode32(uint n, Span<byte> bs)
+        {
+            BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
         }
+#endif
 
         private static void Encode56(ulong n, byte[] bs, int off)
         {
@@ -336,6 +413,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             Encode24((uint)(n >> 32), bs, off + 4);
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void Encode56(ulong n, Span<byte> bs)
+        {
+            Encode32((uint)n, bs);
+            Encode24((uint)(n >> 32), bs[4..]);
+        }
+#endif
+
         private static int EncodePoint(ref PointProjective p, byte[] r, int rOff)
         {
             uint[] x = F.Create();
@@ -438,7 +523,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return (x[w] >> b) & 15U;
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static sbyte[] GetWnafVar(ReadOnlySpan<uint> n, int width)
+#else
         private static sbyte[] GetWnafVar(uint[] n, int width)
+#endif
         {
             Debug.Assert(n[ScalarUints - 1] <= L[ScalarUints - 1]);
             Debug.Assert(2 <= width && width <= 8);
@@ -559,6 +648,45 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             if (!CheckContextVar(ctx))
                 throw new ArgumentException("ctx");
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            Span<byte> RS = stackalloc byte[PointBytes + ScalarBytes];
+            RS.CopyFrom(sig.AsSpan(sigOff, PointBytes + ScalarBytes));
+
+            var R = RS[..PointBytes];
+            var S = RS[PointBytes..];
+
+            if (!CheckPointVar(R))
+                return false;
+
+            Span<uint> nS = stackalloc uint[ScalarUints];
+            if (!CheckScalarVar(S, nS))
+                return false;
+
+            Init(out PointProjective pA);
+            if (!DecodePointVar(pk, pkOff, true, ref pA))
+                return false;
+
+            IXof d = CreateXof();
+            Span<byte> h = stackalloc byte[ScalarBytes * 2];
+
+            Dom4(d, phflag, ctx);
+            d.BlockUpdate(R);
+            d.BlockUpdate(pk.AsSpan(pkOff, PointBytes));
+            d.BlockUpdate(m.AsSpan(mOff, mLen));
+            d.OutputFinal(h);
+
+            Span<byte> k = stackalloc byte[ScalarBytes];
+            ReduceScalar(h, k);
+
+            Span<uint> nA = stackalloc uint[ScalarUints];
+            DecodeScalar(k, nA);
+
+            Init(out PointProjective pR);
+            ScalarMultStrausVar(nS, nA, ref pA, ref pR);
+
+            Span<byte> check = stackalloc byte[PointBytes];
+            return 0 != EncodePoint(ref pR, check) && check.SequenceEqual(R);
+#else
             byte[] R = Copy(sig, sigOff, PointBytes);
             byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes);
 
@@ -592,6 +720,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
             byte[] check = new byte[PointBytes];
             return 0 != EncodePoint(ref pR, check, 0) && Arrays.AreEqual(check, R);
+#endif
         }
 
         private static void Init(out PointAffine r)
@@ -1086,41 +1215,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static byte[] ReduceScalar(byte[] n)
         {
-            ulong x00 =  Decode32(n,   0);          // x00:32/--
-            ulong x01 = (Decode24(n,   4) << 4);    // x01:28/--
-            ulong x02 =  Decode32(n,   7);          // x02:32/--
-            ulong x03 = (Decode24(n,  11) << 4);    // x03:28/--
-            ulong x04 =  Decode32(n,  14);          // x04:32/--
-            ulong x05 = (Decode24(n,  18) << 4);    // x05:28/--
-            ulong x06 =  Decode32(n,  21);          // x06:32/--
-            ulong x07 = (Decode24(n,  25) << 4);    // x07:28/--
-            ulong x08 =  Decode32(n,  28);          // x08:32/--
-            ulong x09 = (Decode24(n,  32) << 4);    // x09:28/--
-            ulong x10 =  Decode32(n,  35);          // x10:32/--
-            ulong x11 = (Decode24(n,  39) << 4);    // x11:28/--
-            ulong x12 =  Decode32(n,  42);          // x12:32/--
-            ulong x13 = (Decode24(n,  46) << 4);    // x13:28/--
-            ulong x14 =  Decode32(n,  49);          // x14:32/--
-            ulong x15 = (Decode24(n,  53) << 4);    // x15:28/--
-            ulong x16 =  Decode32(n,  56);          // x16:32/--
-            ulong x17 = (Decode24(n,  60) << 4);    // x17:28/--
-            ulong x18 =  Decode32(n,  63);          // x18:32/--
-            ulong x19 = (Decode24(n,  67) << 4);    // x19:28/--
-            ulong x20 =  Decode32(n,  70);          // x20:32/--
-            ulong x21 = (Decode24(n,  74) << 4);    // x21:28/--
-            ulong x22 =  Decode32(n,  77);          // x22:32/--
-            ulong x23 = (Decode24(n,  81) << 4);    // x23:28/--
-            ulong x24 =  Decode32(n,  84);          // x24:32/--
-            ulong x25 = (Decode24(n,  88) << 4);    // x25:28/--
-            ulong x26 =  Decode32(n,  91);          // x26:32/--
-            ulong x27 = (Decode24(n,  95) << 4);    // x27:28/--
-            ulong x28 =  Decode32(n,  98);          // x28:32/--
-            ulong x29 = (Decode24(n, 102) << 4);    // x29:28/--
-            ulong x30 =  Decode32(n, 105);          // x30:32/--
-            ulong x31 = (Decode24(n, 109) << 4);    // x31:28/--
-            ulong x32 =  Decode16(n, 112);          // x32:16/--
-
-    //        x32 += (x31 >> 28); x31 &= M28UL;
+            byte[] r = new byte[ScalarBytes];
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            ReduceScalar(n, r);
+#else
+            ulong x00 =  Decode32(n,   0);              // x00:32/--
+            ulong x01 = (Decode24(n,   4) << 4);        // x01:28/--
+            ulong x02 =  Decode32(n,   7);              // x02:32/--
+            ulong x03 = (Decode24(n,  11) << 4);        // x03:28/--
+            ulong x04 =  Decode32(n,  14);              // x04:32/--
+            ulong x05 = (Decode24(n,  18) << 4);        // x05:28/--
+            ulong x06 =  Decode32(n,  21);              // x06:32/--
+            ulong x07 = (Decode24(n,  25) << 4);        // x07:28/--
+            ulong x08 =  Decode32(n,  28);              // x08:32/--
+            ulong x09 = (Decode24(n,  32) << 4);        // x09:28/--
+            ulong x10 =  Decode32(n,  35);              // x10:32/--
+            ulong x11 = (Decode24(n,  39) << 4);        // x11:28/--
+            ulong x12 =  Decode32(n,  42);              // x12:32/--
+            ulong x13 = (Decode24(n,  46) << 4);        // x13:28/--
+            ulong x14 =  Decode32(n,  49);              // x14:32/--
+            ulong x15 = (Decode24(n,  53) << 4);        // x15:28/--
+            ulong x16 =  Decode32(n,  56);              // x16:32/--
+            ulong x17 = (Decode24(n,  60) << 4);        // x17:28/--
+            ulong x18 =  Decode32(n,  63);              // x18:32/--
+            ulong x19 = (Decode24(n,  67) << 4);        // x19:28/--
+            ulong x20 =  Decode32(n,  70);              // x20:32/--
+            ulong x21 = (Decode24(n,  74) << 4);        // x21:28/--
+            ulong x22 =  Decode32(n,  77);              // x22:32/--
+            ulong x23 = (Decode24(n,  81) << 4);        // x23:28/--
+            ulong x24 =  Decode32(n,  84);              // x24:32/--
+            ulong x25 = (Decode24(n,  88) << 4);        // x25:28/--
+            ulong x26 =  Decode32(n,  91);              // x26:32/--
+            ulong x27 = (Decode24(n,  95) << 4);        // x27:28/--
+            ulong x28 =  Decode32(n,  98);              // x28:32/--
+            ulong x29 = (Decode24(n, 102) << 4);        // x29:28/--
+            ulong x30 =  Decode32(n, 105);              // x30:32/--
+            ulong x31 = (Decode24(n, 109) << 4);        // x31:28/--
+            ulong x32 =  Decode16(n, 112);              // x32:16/--
+
+            //x32 += (x31 >> 28); x31 &= M28UL;
             x16 += x32 * L4_0;                          // x16:42/--
             x17 += x32 * L4_1;                          // x17:41/28
             x18 += x32 * L4_2;                          // x18:43/42
@@ -1348,7 +1482,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
             Debug.Assert(x15 >> 26 == 0UL);
 
-            byte[] r = new byte[ScalarBytes];
             Encode56(x00 | (x01 << 28), r,  0);
             Encode56(x02 | (x03 << 28), r,  7);
             Encode56(x04 | (x05 << 28), r, 14);
@@ -1358,9 +1491,288 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             Encode56(x12 | (x13 << 28), r, 42);
             Encode56(x14 | (x15 << 28), r, 49);
             //r[ScalarBytes - 1] = 0;
+#endif
+
             return r;
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void ReduceScalar(ReadOnlySpan<byte> n, Span<byte> r)
+        {
+            ulong x00 =  Decode32(n[ 0..]);             // x00:32/--
+            ulong x01 = (Decode24(n[ 4..]) << 4);       // x01:28/--
+            ulong x02 =  Decode32(n[ 7..]);             // x02:32/--
+            ulong x03 = (Decode24(n[11..]) << 4);       // x03:28/--
+            ulong x04 =  Decode32(n[14..]);             // x04:32/--
+            ulong x05 = (Decode24(n[18..]) << 4);       // x05:28/--
+            ulong x06 =  Decode32(n[21..]);             // x06:32/--
+            ulong x07 = (Decode24(n[25..]) << 4);       // x07:28/--
+            ulong x08 =  Decode32(n[28..]);             // x08:32/--
+            ulong x09 = (Decode24(n[32..]) << 4);       // x09:28/--
+            ulong x10 =  Decode32(n[35..]);             // x10:32/--
+            ulong x11 = (Decode24(n[39..]) << 4);       // x11:28/--
+            ulong x12 =  Decode32(n[42..]);             // x12:32/--
+            ulong x13 = (Decode24(n[46..]) << 4);       // x13:28/--
+            ulong x14 =  Decode32(n[49..]);             // x14:32/--
+            ulong x15 = (Decode24(n[53..]) << 4);       // x15:28/--
+            ulong x16 =  Decode32(n[56..]);             // x16:32/--
+            ulong x17 = (Decode24(n[60..]) << 4);       // x17:28/--
+            ulong x18 =  Decode32(n[63..]);             // x18:32/--
+            ulong x19 = (Decode24(n[67..]) << 4);       // x19:28/--
+            ulong x20 =  Decode32(n[70..]);             // x20:32/--
+            ulong x21 = (Decode24(n[74..]) << 4);       // x21:28/--
+            ulong x22 =  Decode32(n[77..]);             // x22:32/--
+            ulong x23 = (Decode24(n[81..]) << 4);       // x23:28/--
+            ulong x24 =  Decode32(n[84..]);             // x24:32/--
+            ulong x25 = (Decode24(n[88..]) << 4);       // x25:28/--
+            ulong x26 =  Decode32(n[91..]);             // x26:32/--
+            ulong x27 = (Decode24(n[95..]) << 4);       // x27:28/--
+            ulong x28 =  Decode32(n[98..]);             // x28:32/--
+            ulong x29 = (Decode24(n[102..]) << 4);      // x29:28/--
+            ulong x30 =  Decode32(n[105..]);            // x30:32/--
+            ulong x31 = (Decode24(n[109..]) << 4);      // x31:28/--
+            ulong x32 =  Decode16(n[112..]);            // x32:16/--
+
+            //x32 += (x31 >> 28); x31 &= M28UL;
+            x16 += x32 * L4_0;                          // x16:42/--
+            x17 += x32 * L4_1;                          // x17:41/28
+            x18 += x32 * L4_2;                          // x18:43/42
+            x19 += x32 * L4_3;                          // x19:44/28
+            x20 += x32 * L4_4;                          // x20:43/--
+            x21 += x32 * L4_5;                          // x21:44/28
+            x22 += x32 * L4_6;                          // x22:43/41
+            x23 += x32 * L4_7;                          // x23:45/41
+
+            x31 += (x30 >> 28); x30 &= M28UL;           // x31:28/--, x30:28/--
+            x15 += x31 * L4_0;                          // x15:54/--
+            x16 += x31 * L4_1;                          // x16:53/42
+            x17 += x31 * L4_2;                          // x17:55/54
+            x18 += x31 * L4_3;                          // x18:56/44
+            x19 += x31 * L4_4;                          // x19:55/--
+            x20 += x31 * L4_5;                          // x20:56/43
+            x21 += x31 * L4_6;                          // x21:55/53
+            x22 += x31 * L4_7;                          // x22:57/53
+
+            //x30 += (x29 >> 28); x29 &= M28UL;
+            x14 += x30 * L4_0;                          // x14:54/--
+            x15 += x30 * L4_1;                          // x15:54/53
+            x16 += x30 * L4_2;                          // x16:56/--
+            x17 += x30 * L4_3;                          // x17:57/--
+            x18 += x30 * L4_4;                          // x18:56/55
+            x19 += x30 * L4_5;                          // x19:56/55
+            x20 += x30 * L4_6;                          // x20:57/--
+            x21 += x30 * L4_7;                          // x21:57/56
+
+            x29 += (x28 >> 28); x28 &= M28UL;           // x29:28/--, x28:28/--
+            x13 += x29 * L4_0;                          // x13:54/--
+            x14 += x29 * L4_1;                          // x14:54/53
+            x15 += x29 * L4_2;                          // x15:56/--
+            x16 += x29 * L4_3;                          // x16:57/--
+            x17 += x29 * L4_4;                          // x17:57/55
+            x18 += x29 * L4_5;                          // x18:57/55
+            x19 += x29 * L4_6;                          // x19:57/52
+            x20 += x29 * L4_7;                          // x20:58/52
+
+            //x28 += (x27 >> 28); x27 &= M28UL;
+            x12 += x28 * L4_0;                          // x12:54/--
+            x13 += x28 * L4_1;                          // x13:54/53
+            x14 += x28 * L4_2;                          // x14:56/--
+            x15 += x28 * L4_3;                          // x15:57/--
+            x16 += x28 * L4_4;                          // x16:57/55
+            x17 += x28 * L4_5;                          // x17:58/--
+            x18 += x28 * L4_6;                          // x18:58/--
+            x19 += x28 * L4_7;                          // x19:58/53
+
+            x27 += (x26 >> 28); x26 &= M28UL;           // x27:28/--, x26:28/--
+            x11 += x27 * L4_0;                          // x11:54/--
+            x12 += x27 * L4_1;                          // x12:54/53
+            x13 += x27 * L4_2;                          // x13:56/--
+            x14 += x27 * L4_3;                          // x14:57/--
+            x15 += x27 * L4_4;                          // x15:57/55
+            x16 += x27 * L4_5;                          // x16:58/--
+            x17 += x27 * L4_6;                          // x17:58/56
+            x18 += x27 * L4_7;                          // x18:59/--
+
+            //x26 += (x25 >> 28); x25 &= M28UL;
+            x10 += x26 * L4_0;                          // x10:54/--
+            x11 += x26 * L4_1;                          // x11:54/53
+            x12 += x26 * L4_2;                          // x12:56/--
+            x13 += x26 * L4_3;                          // x13:57/--
+            x14 += x26 * L4_4;                          // x14:57/55
+            x15 += x26 * L4_5;                          // x15:58/--
+            x16 += x26 * L4_6;                          // x16:58/56
+            x17 += x26 * L4_7;                          // x17:59/--
+
+            x25 += (x24 >> 28); x24 &= M28UL;           // x25:28/--, x24:28/--
+            x09 += x25 * L4_0;                          // x09:54/--
+            x10 += x25 * L4_1;                          // x10:54/53
+            x11 += x25 * L4_2;                          // x11:56/--
+            x12 += x25 * L4_3;                          // x12:57/--
+            x13 += x25 * L4_4;                          // x13:57/55
+            x14 += x25 * L4_5;                          // x14:58/--
+            x15 += x25 * L4_6;                          // x15:58/56
+            x16 += x25 * L4_7;                          // x16:59/--
+
+            x21 += (x20 >> 28); x20 &= M28UL;           // x21:58/--, x20:28/--
+            x22 += (x21 >> 28); x21 &= M28UL;           // x22:57/54, x21:28/--
+            x23 += (x22 >> 28); x22 &= M28UL;           // x23:45/42, x22:28/--
+            x24 += (x23 >> 28); x23 &= M28UL;           // x24:28/18, x23:28/--
+
+            x08 += x24 * L4_0;                          // x08:54/--
+            x09 += x24 * L4_1;                          // x09:55/--
+            x10 += x24 * L4_2;                          // x10:56/46
+            x11 += x24 * L4_3;                          // x11:57/46
+            x12 += x24 * L4_4;                          // x12:57/55
+            x13 += x24 * L4_5;                          // x13:58/--
+            x14 += x24 * L4_6;                          // x14:58/56
+            x15 += x24 * L4_7;                          // x15:59/--
+
+            x07 += x23 * L4_0;                          // x07:54/--
+            x08 += x23 * L4_1;                          // x08:54/53
+            x09 += x23 * L4_2;                          // x09:56/53
+            x10 += x23 * L4_3;                          // x10:57/46
+            x11 += x23 * L4_4;                          // x11:57/55
+            x12 += x23 * L4_5;                          // x12:58/--
+            x13 += x23 * L4_6;                          // x13:58/56
+            x14 += x23 * L4_7;                          // x14:59/--
+
+            x06 += x22 * L4_0;                          // x06:54/--
+            x07 += x22 * L4_1;                          // x07:54/53
+            x08 += x22 * L4_2;                          // x08:56/--
+            x09 += x22 * L4_3;                          // x09:57/53
+            x10 += x22 * L4_4;                          // x10:57/55
+            x11 += x22 * L4_5;                          // x11:58/--
+            x12 += x22 * L4_6;                          // x12:58/56
+            x13 += x22 * L4_7;                          // x13:59/--
+
+            x18 += (x17 >> 28); x17 &= M28UL;           // x18:59/31, x17:28/--
+            x19 += (x18 >> 28); x18 &= M28UL;           // x19:58/54, x18:28/--
+            x20 += (x19 >> 28); x19 &= M28UL;           // x20:30/29, x19:28/--
+            x21 += (x20 >> 28); x20 &= M28UL;           // x21:28/03, x20:28/--
+
+            x05 += x21 * L4_0;                          // x05:54/--
+            x06 += x21 * L4_1;                          // x06:55/--
+            x07 += x21 * L4_2;                          // x07:56/31
+            x08 += x21 * L4_3;                          // x08:57/31
+            x09 += x21 * L4_4;                          // x09:57/56
+            x10 += x21 * L4_5;                          // x10:58/--
+            x11 += x21 * L4_6;                          // x11:58/56
+            x12 += x21 * L4_7;                          // x12:59/--
+
+            x04 += x20 * L4_0;                          // x04:54/--
+            x05 += x20 * L4_1;                          // x05:54/53
+            x06 += x20 * L4_2;                          // x06:56/53
+            x07 += x20 * L4_3;                          // x07:57/31
+            x08 += x20 * L4_4;                          // x08:57/55
+            x09 += x20 * L4_5;                          // x09:58/--
+            x10 += x20 * L4_6;                          // x10:58/56
+            x11 += x20 * L4_7;                          // x11:59/--
+
+            x03 += x19 * L4_0;                          // x03:54/--
+            x04 += x19 * L4_1;                          // x04:54/53
+            x05 += x19 * L4_2;                          // x05:56/--
+            x06 += x19 * L4_3;                          // x06:57/53
+            x07 += x19 * L4_4;                          // x07:57/55
+            x08 += x19 * L4_5;                          // x08:58/--
+            x09 += x19 * L4_6;                          // x09:58/56
+            x10 += x19 * L4_7;                          // x10:59/--
+
+            x15 += (x14 >> 28); x14 &= M28UL;           // x15:59/31, x14:28/--
+            x16 += (x15 >> 28); x15 &= M28UL;           // x16:59/32, x15:28/--
+            x17 += (x16 >> 28); x16 &= M28UL;           // x17:31/29, x16:28/--
+            x18 += (x17 >> 28); x17 &= M28UL;           // x18:28/04, x17:28/--
+
+            x02 += x18 * L4_0;                          // x02:54/--
+            x03 += x18 * L4_1;                          // x03:55/--
+            x04 += x18 * L4_2;                          // x04:56/32
+            x05 += x18 * L4_3;                          // x05:57/32
+            x06 += x18 * L4_4;                          // x06:57/56
+            x07 += x18 * L4_5;                          // x07:58/--
+            x08 += x18 * L4_6;                          // x08:58/56
+            x09 += x18 * L4_7;                          // x09:59/--
+
+            x01 += x17 * L4_0;                          // x01:54/--
+            x02 += x17 * L4_1;                          // x02:54/53
+            x03 += x17 * L4_2;                          // x03:56/53
+            x04 += x17 * L4_3;                          // x04:57/32
+            x05 += x17 * L4_4;                          // x05:57/55
+            x06 += x17 * L4_5;                          // x06:58/--
+            x07 += x17 * L4_6;                          // x07:58/56
+            x08 += x17 * L4_7;                          // x08:59/--
+
+            x16 *= 4;
+            x16 += (x15 >> 26); x15 &= M26UL;
+            x16 += 1;                                   // x16:30/01
+
+            x00 += x16 * L_0;
+            x01 += x16 * L_1;
+            x02 += x16 * L_2;
+            x03 += x16 * L_3;
+            x04 += x16 * L_4;
+            x05 += x16 * L_5;
+            x06 += x16 * L_6;
+            x07 += x16 * L_7;
+
+            x01 += (x00 >> 28); x00 &= M28UL;
+            x02 += (x01 >> 28); x01 &= M28UL;
+            x03 += (x02 >> 28); x02 &= M28UL;
+            x04 += (x03 >> 28); x03 &= M28UL;
+            x05 += (x04 >> 28); x04 &= M28UL;
+            x06 += (x05 >> 28); x05 &= M28UL;
+            x07 += (x06 >> 28); x06 &= M28UL;
+            x08 += (x07 >> 28); x07 &= M28UL;
+            x09 += (x08 >> 28); x08 &= M28UL;
+            x10 += (x09 >> 28); x09 &= M28UL;
+            x11 += (x10 >> 28); x10 &= M28UL;
+            x12 += (x11 >> 28); x11 &= M28UL;
+            x13 += (x12 >> 28); x12 &= M28UL;
+            x14 += (x13 >> 28); x13 &= M28UL;
+            x15 += (x14 >> 28); x14 &= M28UL;
+            x16  = (x15 >> 26); x15 &= M26UL;
+
+            x16 -= 1;
+
+            Debug.Assert(x16 == 0UL || x16 == ulong.MaxValue);
+
+            x00 -= x16 & L_0;
+            x01 -= x16 & L_1;
+            x02 -= x16 & L_2;
+            x03 -= x16 & L_3;
+            x04 -= x16 & L_4;
+            x05 -= x16 & L_5;
+            x06 -= x16 & L_6;
+            x07 -= x16 & L_7;
+
+            x01 += (ulong)((long)x00 >> 28); x00 &= M28UL;
+            x02 += (ulong)((long)x01 >> 28); x01 &= M28UL;
+            x03 += (ulong)((long)x02 >> 28); x02 &= M28UL;
+            x04 += (ulong)((long)x03 >> 28); x03 &= M28UL;
+            x05 += (ulong)((long)x04 >> 28); x04 &= M28UL;
+            x06 += (ulong)((long)x05 >> 28); x05 &= M28UL;
+            x07 += (ulong)((long)x06 >> 28); x06 &= M28UL;
+            x08 += (ulong)((long)x07 >> 28); x07 &= M28UL;
+            x09 += (ulong)((long)x08 >> 28); x08 &= M28UL;
+            x10 += (ulong)((long)x09 >> 28); x09 &= M28UL;
+            x11 += (ulong)((long)x10 >> 28); x10 &= M28UL;
+            x12 += (ulong)((long)x11 >> 28); x11 &= M28UL;
+            x13 += (ulong)((long)x12 >> 28); x12 &= M28UL;
+            x14 += (ulong)((long)x13 >> 28); x13 &= M28UL;
+            x15 += (ulong)((long)x14 >> 28); x14 &= M28UL;
+
+            Debug.Assert(x15 >> 26 == 0UL);
+
+            Encode56(x00 | (x01 << 28), r);
+            Encode56(x02 | (x03 << 28), r[7..]);
+            Encode56(x04 | (x05 << 28), r[14..]);
+            Encode56(x06 | (x07 << 28), r[21..]);
+            Encode56(x08 | (x09 << 28), r[28..]);
+            Encode56(x10 | (x11 << 28), r[35..]);
+            Encode56(x12 | (x13 << 28), r[42..]);
+            Encode56(x14 | (x15 << 28), r[49..]);
+            //r[ScalarBytes - 1] = 0;
+        }
+#endif
+
         private static void ScalarMult(byte[] k, ref PointProjective p, ref PointProjective r)
         {
 #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -1657,6 +2069,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
         private static void ScalarMultStrausVar(uint[] nb, uint[] np, ref PointProjective p, ref PointProjective r)
         {
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+            ScalarMultStrausVar(nb.AsSpan(), np.AsSpan(), ref p, ref r);
+#else
             Precompute();
 
             sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
@@ -1693,8 +2108,52 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
                 PointDouble(ref r);
             }
+#endif
         }
 
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+        private static void ScalarMultStrausVar(ReadOnlySpan<uint> nb, ReadOnlySpan<uint> np, ref PointProjective p,
+            ref PointProjective r)
+        {
+            Precompute();
+
+            sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
+            sbyte[] ws_p = GetWnafVar(np, WnafWidth);
+
+            int count = 1 << (WnafWidth - 2);
+            PointProjective[] tp = new PointProjective[count];
+            PointPrecomputeVar(ref p, tp, count);
+
+            PointSetNeutral(ref r);
+
+            for (int bit = 446;;)
+            {
+                int wb = ws_b[bit];
+                if (wb != 0)
+                {
+                    int sign = wb >> 31;
+                    int index = (wb ^ sign) >> 1;
+
+                    PointAddVar(sign != 0, ref PrecompBaseWnaf[index], ref r);
+                }
+
+                int wp = ws_p[bit];
+                if (wp != 0)
+                {
+                    int sign = wp >> 31;
+                    int index = (wp ^ sign) >> 1;
+
+                    PointAddVar(sign != 0, ref tp[index], ref r);
+                }
+
+                if (--bit < 0)
+                    break;
+
+                PointDouble(ref r);
+            }
+        }
+#endif
+
         public static void Sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
         {
             byte phflag = 0x00;
diff --git a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs
index 29ff67191..db468a046 100644
--- a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs
+++ b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs
@@ -384,6 +384,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
 
             Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0));
 
+            Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+            Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+            Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
             Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
             Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
 
@@ -427,6 +430,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
 
             Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0));
 
+            Assert.IsTrue (Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+            Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+            Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
             Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
             Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
 
diff --git a/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs b/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs
index 2cfc57016..b4797af26 100644
--- a/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs
+++ b/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs
@@ -481,6 +481,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
 
             Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0));
 
+            Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+            Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+            Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
             Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
             Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
             Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0));
@@ -526,6 +529,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
 
             Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0));
 
+            Assert.IsTrue (Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+            Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+            Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
             Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
             Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
             Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0));