Line data Source code
1 : /* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */
2 : /* curve description: 25519 */
3 : /* machine_wordsize = 64 (from "64") */
4 : /* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */
5 : /* n = 5 (from "(auto)") */
6 : /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
7 : /* tight_bounds_multiplier = 1 (from "") */
8 : /* */
9 : /* Computed values: */
10 : /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */
11 : /* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */
12 : /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
13 : /* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */
14 :
15 : #include <stdint.h>
16 : typedef unsigned char fiat_25519_uint1;
17 : typedef signed char fiat_25519_int1;
18 : #if defined(__GNUC__) || defined(__clang__)
19 : # define FIAT_25519_FIAT_EXTENSION __extension__
20 : # define FIAT_25519_FIAT_INLINE __inline__
21 : #else
22 : # define FIAT_25519_FIAT_EXTENSION
23 : # define FIAT_25519_FIAT_INLINE
24 : #endif
25 :
26 : FIAT_25519_FIAT_EXTENSION typedef signed __int128 fiat_25519_int128;
27 : FIAT_25519_FIAT_EXTENSION typedef unsigned __int128 fiat_25519_uint128;
28 :
29 : /* The type fiat_25519_loose_field_element is a field element with loose bounds. */
30 : /* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */
31 : typedef uint64_t fiat_25519_loose_field_element[5];
32 :
33 : /* The type fiat_25519_tight_field_element is a field element with tight bounds. */
34 : /* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */
35 : typedef uint64_t fiat_25519_tight_field_element[5];
36 :
37 : #if (-1 & 3) != 3
38 : #error "This code only works on a two's complement system"
39 : #endif
40 :
41 : #if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
42 19755899880 : static __inline__ uint64_t fiat_25519_value_barrier_u64(uint64_t a) {
43 19755899880 : __asm__("" : "+r"(a) : /* no inputs */);
44 19755899880 : return a;
45 19755899880 : }
46 : #else
47 : # define fiat_25519_value_barrier_u64(x) (x)
48 : #endif
49 :
50 :
51 : /*
52 : * The function fiat_25519_addcarryx_u51 is an addition with carry.
53 : *
54 : * Postconditions:
55 : * out1 = (arg1 + arg2 + arg3) mod 2^51
56 : * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋
57 : *
58 : * Input Bounds:
59 : * arg1: [0x0 ~> 0x1]
60 : * arg2: [0x0 ~> 0x7ffffffffffff]
61 : * arg3: [0x0 ~> 0x7ffffffffffff]
62 : * Output Bounds:
63 : * out1: [0x0 ~> 0x7ffffffffffff]
64 : * out2: [0x0 ~> 0x1]
65 : */
66 42543450 : static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
67 42543450 : uint64_t x1;
68 42543450 : uint64_t x2;
69 42543450 : fiat_25519_uint1 x3;
70 42543450 : x1 = ((arg1 + arg2) + arg3);
71 42543450 : x2 = (x1 & UINT64_C(0x7ffffffffffff));
72 42543450 : x3 = (fiat_25519_uint1)(x1 >> 51);
73 42543450 : *out1 = x2;
74 42543450 : *out2 = x3;
75 42543450 : }
76 :
77 : /*
78 : * The function fiat_25519_subborrowx_u51 is a subtraction with borrow.
79 : *
80 : * Postconditions:
81 : * out1 = (-arg1 + arg2 + -arg3) mod 2^51
82 : * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋
83 : *
84 : * Input Bounds:
85 : * arg1: [0x0 ~> 0x1]
86 : * arg2: [0x0 ~> 0x7ffffffffffff]
87 : * arg3: [0x0 ~> 0x7ffffffffffff]
88 : * Output Bounds:
89 : * out1: [0x0 ~> 0x7ffffffffffff]
90 : * out2: [0x0 ~> 0x1]
91 : */
92 42543450 : static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
93 42543450 : int64_t x1;
94 42543450 : fiat_25519_int1 x2;
95 42543450 : uint64_t x3;
96 42543450 : x1 = ((int64_t)((int64_t)arg2 - (int64_t)arg1) - (int64_t)arg3);
97 42543450 : x2 = (fiat_25519_int1)(x1 >> 51);
98 42543450 : x3 = ((uint64_t)x1 & UINT64_C(0x7ffffffffffff));
99 42543450 : *out1 = x3;
100 42543450 : *out2 = (fiat_25519_uint1)(0x0 - x2);
101 42543450 : }
102 :
103 : /*
104 : * The function fiat_25519_cmovznz_u64 is a single-word conditional move.
105 : *
106 : * Postconditions:
107 : * out1 = (if arg1 = 0 then arg2 else arg3)
108 : *
109 : * Input Bounds:
110 : * arg1: [0x0 ~> 0x1]
111 : * arg2: [0x0 ~> 0xffffffffffffffff]
112 : * arg3: [0x0 ~> 0xffffffffffffffff]
113 : * Output Bounds:
114 : * out1: [0x0 ~> 0xffffffffffffffff]
115 : */
116 9877949940 : static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
117 9877949940 : fiat_25519_uint1 x1;
118 9877949940 : uint64_t x2;
119 9877949940 : uint64_t x3;
120 9877949940 : x1 = (!(!arg1));
121 9877949940 : x2 = ((uint64_t)(fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));
122 9877949940 : x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2));
123 9877949940 : *out1 = x3;
124 9877949940 : }
125 :
126 : /*
127 : * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
128 : *
129 : * Postconditions:
130 : * eval out1 mod m = (eval arg1 * eval arg2) mod m
131 : *
132 : */
133 1541736558 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {
134 1541736558 : fiat_25519_uint128 x1;
135 1541736558 : fiat_25519_uint128 x2;
136 1541736558 : fiat_25519_uint128 x3;
137 1541736558 : fiat_25519_uint128 x4;
138 1541736558 : fiat_25519_uint128 x5;
139 1541736558 : fiat_25519_uint128 x6;
140 1541736558 : fiat_25519_uint128 x7;
141 1541736558 : fiat_25519_uint128 x8;
142 1541736558 : fiat_25519_uint128 x9;
143 1541736558 : fiat_25519_uint128 x10;
144 1541736558 : fiat_25519_uint128 x11;
145 1541736558 : fiat_25519_uint128 x12;
146 1541736558 : fiat_25519_uint128 x13;
147 1541736558 : fiat_25519_uint128 x14;
148 1541736558 : fiat_25519_uint128 x15;
149 1541736558 : fiat_25519_uint128 x16;
150 1541736558 : fiat_25519_uint128 x17;
151 1541736558 : fiat_25519_uint128 x18;
152 1541736558 : fiat_25519_uint128 x19;
153 1541736558 : fiat_25519_uint128 x20;
154 1541736558 : fiat_25519_uint128 x21;
155 1541736558 : fiat_25519_uint128 x22;
156 1541736558 : fiat_25519_uint128 x23;
157 1541736558 : fiat_25519_uint128 x24;
158 1541736558 : fiat_25519_uint128 x25;
159 1541736558 : fiat_25519_uint128 x26;
160 1541736558 : uint64_t x27;
161 1541736558 : uint64_t x28;
162 1541736558 : fiat_25519_uint128 x29;
163 1541736558 : fiat_25519_uint128 x30;
164 1541736558 : fiat_25519_uint128 x31;
165 1541736558 : fiat_25519_uint128 x32;
166 1541736558 : fiat_25519_uint128 x33;
167 1541736558 : uint64_t x34;
168 1541736558 : uint64_t x35;
169 1541736558 : fiat_25519_uint128 x36;
170 1541736558 : uint64_t x37;
171 1541736558 : uint64_t x38;
172 1541736558 : fiat_25519_uint128 x39;
173 1541736558 : uint64_t x40;
174 1541736558 : uint64_t x41;
175 1541736558 : fiat_25519_uint128 x42;
176 1541736558 : uint64_t x43;
177 1541736558 : uint64_t x44;
178 1541736558 : uint64_t x45;
179 1541736558 : uint64_t x46;
180 1541736558 : uint64_t x47;
181 1541736558 : uint64_t x48;
182 1541736558 : uint64_t x49;
183 1541736558 : fiat_25519_uint1 x50;
184 1541736558 : uint64_t x51;
185 1541736558 : uint64_t x52;
186 1541736558 : x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13)));
187 1541736558 : x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13)));
188 1541736558 : x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13)));
189 1541736558 : x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13)));
190 1541736558 : x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13)));
191 1541736558 : x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13)));
192 1541736558 : x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13)));
193 1541736558 : x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13)));
194 1541736558 : x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13)));
195 1541736558 : x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) * UINT8_C(0x13)));
196 1541736558 : x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0]));
197 1541736558 : x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1]));
198 1541736558 : x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0]));
199 1541736558 : x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2]));
200 1541736558 : x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1]));
201 1541736558 : x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0]));
202 1541736558 : x17 = ((fiat_25519_uint128)(arg1[1]) * (arg2[3]));
203 1541736558 : x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2]));
204 1541736558 : x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1]));
205 1541736558 : x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0]));
206 1541736558 : x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4]));
207 1541736558 : x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3]));
208 1541736558 : x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2]));
209 1541736558 : x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1]));
210 1541736558 : x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0]));
211 1541736558 : x26 = (x25 + (x10 + (x9 + (x7 + x4))));
212 1541736558 : x27 = (uint64_t)(x26 >> 51);
213 1541736558 : x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff));
214 1541736558 : x29 = (x21 + (x17 + (x14 + (x12 + x11))));
215 1541736558 : x30 = (x22 + (x18 + (x15 + (x13 + x1))));
216 1541736558 : x31 = (x23 + (x19 + (x16 + (x5 + x2))));
217 1541736558 : x32 = (x24 + (x20 + (x8 + (x6 + x3))));
218 1541736558 : x33 = (x27 + x32);
219 1541736558 : x34 = (uint64_t)(x33 >> 51);
220 1541736558 : x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff));
221 1541736558 : x36 = (x34 + x31);
222 1541736558 : x37 = (uint64_t)(x36 >> 51);
223 1541736558 : x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff));
224 1541736558 : x39 = (x37 + x30);
225 1541736558 : x40 = (uint64_t)(x39 >> 51);
226 1541736558 : x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff));
227 1541736558 : x42 = (x40 + x29);
228 1541736558 : x43 = (uint64_t)(x42 >> 51);
229 1541736558 : x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff));
230 1541736558 : x45 = (x43 * UINT8_C(0x13));
231 1541736558 : x46 = (x28 + x45);
232 1541736558 : x47 = (x46 >> 51);
233 1541736558 : x48 = (x46 & UINT64_C(0x7ffffffffffff));
234 1541736558 : x49 = (x47 + x35);
235 1541736558 : x50 = (fiat_25519_uint1)(x49 >> 51);
236 1541736558 : x51 = (x49 & UINT64_C(0x7ffffffffffff));
237 1541736558 : x52 = (x50 + x38);
238 1541736558 : out1[0] = x48;
239 1541736558 : out1[1] = x51;
240 1541736558 : out1[2] = x52;
241 1541736558 : out1[3] = x41;
242 1541736558 : out1[4] = x44;
243 1541736558 : }
244 :
245 : /*
246 : * The function fiat_25519_carry_square squares a field element and reduces the result.
247 : *
248 : * Postconditions:
249 : * eval out1 mod m = (eval arg1 * eval arg1) mod m
250 : *
251 : */
252 1480344056 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
253 1480344056 : uint64_t x1;
254 1480344056 : uint64_t x2;
255 1480344056 : uint64_t x3;
256 1480344056 : uint64_t x4;
257 1480344056 : uint64_t x5;
258 1480344056 : uint64_t x6;
259 1480344056 : uint64_t x7;
260 1480344056 : uint64_t x8;
261 1480344056 : fiat_25519_uint128 x9;
262 1480344056 : fiat_25519_uint128 x10;
263 1480344056 : fiat_25519_uint128 x11;
264 1480344056 : fiat_25519_uint128 x12;
265 1480344056 : fiat_25519_uint128 x13;
266 1480344056 : fiat_25519_uint128 x14;
267 1480344056 : fiat_25519_uint128 x15;
268 1480344056 : fiat_25519_uint128 x16;
269 1480344056 : fiat_25519_uint128 x17;
270 1480344056 : fiat_25519_uint128 x18;
271 1480344056 : fiat_25519_uint128 x19;
272 1480344056 : fiat_25519_uint128 x20;
273 1480344056 : fiat_25519_uint128 x21;
274 1480344056 : fiat_25519_uint128 x22;
275 1480344056 : fiat_25519_uint128 x23;
276 1480344056 : fiat_25519_uint128 x24;
277 1480344056 : uint64_t x25;
278 1480344056 : uint64_t x26;
279 1480344056 : fiat_25519_uint128 x27;
280 1480344056 : fiat_25519_uint128 x28;
281 1480344056 : fiat_25519_uint128 x29;
282 1480344056 : fiat_25519_uint128 x30;
283 1480344056 : fiat_25519_uint128 x31;
284 1480344056 : uint64_t x32;
285 1480344056 : uint64_t x33;
286 1480344056 : fiat_25519_uint128 x34;
287 1480344056 : uint64_t x35;
288 1480344056 : uint64_t x36;
289 1480344056 : fiat_25519_uint128 x37;
290 1480344056 : uint64_t x38;
291 1480344056 : uint64_t x39;
292 1480344056 : fiat_25519_uint128 x40;
293 1480344056 : uint64_t x41;
294 1480344056 : uint64_t x42;
295 1480344056 : uint64_t x43;
296 1480344056 : uint64_t x44;
297 1480344056 : uint64_t x45;
298 1480344056 : uint64_t x46;
299 1480344056 : uint64_t x47;
300 1480344056 : fiat_25519_uint1 x48;
301 1480344056 : uint64_t x49;
302 1480344056 : uint64_t x50;
303 1480344056 : x1 = ((arg1[4]) * UINT8_C(0x13));
304 1480344056 : x2 = (x1 * 0x2);
305 1480344056 : x3 = ((arg1[4]) * 0x2);
306 1480344056 : x4 = ((arg1[3]) * UINT8_C(0x13));
307 1480344056 : x5 = (x4 * 0x2);
308 1480344056 : x6 = ((arg1[3]) * 0x2);
309 1480344056 : x7 = ((arg1[2]) * 0x2);
310 1480344056 : x8 = ((arg1[1]) * 0x2);
311 1480344056 : x9 = ((fiat_25519_uint128)(arg1[4]) * x1);
312 1480344056 : x10 = ((fiat_25519_uint128)(arg1[3]) * x2);
313 1480344056 : x11 = ((fiat_25519_uint128)(arg1[3]) * x4);
314 1480344056 : x12 = ((fiat_25519_uint128)(arg1[2]) * x2);
315 1480344056 : x13 = ((fiat_25519_uint128)(arg1[2]) * x5);
316 1480344056 : x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2]));
317 1480344056 : x15 = ((fiat_25519_uint128)(arg1[1]) * x2);
318 1480344056 : x16 = ((fiat_25519_uint128)(arg1[1]) * x6);
319 1480344056 : x17 = ((fiat_25519_uint128)(arg1[1]) * x7);
320 1480344056 : x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1]));
321 1480344056 : x19 = ((fiat_25519_uint128)(arg1[0]) * x3);
322 1480344056 : x20 = ((fiat_25519_uint128)(arg1[0]) * x6);
323 1480344056 : x21 = ((fiat_25519_uint128)(arg1[0]) * x7);
324 1480344056 : x22 = ((fiat_25519_uint128)(arg1[0]) * x8);
325 1480344056 : x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0]));
326 1480344056 : x24 = (x23 + (x15 + x13));
327 1480344056 : x25 = (uint64_t)(x24 >> 51);
328 1480344056 : x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff));
329 1480344056 : x27 = (x19 + (x16 + x14));
330 1480344056 : x28 = (x20 + (x17 + x9));
331 1480344056 : x29 = (x21 + (x18 + x10));
332 1480344056 : x30 = (x22 + (x12 + x11));
333 1480344056 : x31 = (x25 + x30);
334 1480344056 : x32 = (uint64_t)(x31 >> 51);
335 1480344056 : x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff));
336 1480344056 : x34 = (x32 + x29);
337 1480344056 : x35 = (uint64_t)(x34 >> 51);
338 1480344056 : x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff));
339 1480344056 : x37 = (x35 + x28);
340 1480344056 : x38 = (uint64_t)(x37 >> 51);
341 1480344056 : x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff));
342 1480344056 : x40 = (x38 + x27);
343 1480344056 : x41 = (uint64_t)(x40 >> 51);
344 1480344056 : x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff));
345 1480344056 : x43 = (x41 * UINT8_C(0x13));
346 1480344056 : x44 = (x26 + x43);
347 1480344056 : x45 = (x44 >> 51);
348 1480344056 : x46 = (x44 & UINT64_C(0x7ffffffffffff));
349 1480344056 : x47 = (x45 + x33);
350 1480344056 : x48 = (fiat_25519_uint1)(x47 >> 51);
351 1480344056 : x49 = (x47 & UINT64_C(0x7ffffffffffff));
352 1480344056 : x50 = (x48 + x36);
353 1480344056 : out1[0] = x46;
354 1480344056 : out1[1] = x49;
355 1480344056 : out1[2] = x50;
356 1480344056 : out1[3] = x39;
357 1480344056 : out1[4] = x42;
358 1480344056 : }
359 :
360 : /*
361 : * The function fiat_25519_carry reduces a field element.
362 : *
363 : * Postconditions:
364 : * eval out1 mod m = eval arg1 mod m
365 : *
366 : */
367 525822820 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
368 525822820 : uint64_t x1;
369 525822820 : uint64_t x2;
370 525822820 : uint64_t x3;
371 525822820 : uint64_t x4;
372 525822820 : uint64_t x5;
373 525822820 : uint64_t x6;
374 525822820 : uint64_t x7;
375 525822820 : uint64_t x8;
376 525822820 : uint64_t x9;
377 525822820 : uint64_t x10;
378 525822820 : uint64_t x11;
379 525822820 : uint64_t x12;
380 525822820 : x1 = (arg1[0]);
381 525822820 : x2 = ((x1 >> 51) + (arg1[1]));
382 525822820 : x3 = ((x2 >> 51) + (arg1[2]));
383 525822820 : x4 = ((x3 >> 51) + (arg1[3]));
384 525822820 : x5 = ((x4 >> 51) + (arg1[4]));
385 525822820 : x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13)));
386 525822820 : x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff)));
387 525822820 : x8 = (x6 & UINT64_C(0x7ffffffffffff));
388 525822820 : x9 = (x7 & UINT64_C(0x7ffffffffffff));
389 525822820 : x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff)));
390 525822820 : x11 = (x4 & UINT64_C(0x7ffffffffffff));
391 525822820 : x12 = (x5 & UINT64_C(0x7ffffffffffff));
392 525822820 : out1[0] = x8;
393 525822820 : out1[1] = x9;
394 525822820 : out1[2] = x10;
395 525822820 : out1[3] = x11;
396 525822820 : out1[4] = x12;
397 525822820 : }
398 :
399 : /*
400 : * The function fiat_25519_add adds two field elements.
401 : *
402 : * Postconditions:
403 : * eval out1 mod m = (eval arg1 + eval arg2) mod m
404 : *
405 : */
406 1193607594 : static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
407 1193607594 : uint64_t x1;
408 1193607594 : uint64_t x2;
409 1193607594 : uint64_t x3;
410 1193607594 : uint64_t x4;
411 1193607594 : uint64_t x5;
412 1193607594 : x1 = ((arg1[0]) + (arg2[0]));
413 1193607594 : x2 = ((arg1[1]) + (arg2[1]));
414 1193607594 : x3 = ((arg1[2]) + (arg2[2]));
415 1193607594 : x4 = ((arg1[3]) + (arg2[3]));
416 1193607594 : x5 = ((arg1[4]) + (arg2[4]));
417 1193607594 : out1[0] = x1;
418 1193607594 : out1[1] = x2;
419 1193607594 : out1[2] = x3;
420 1193607594 : out1[3] = x4;
421 1193607594 : out1[4] = x5;
422 1193607594 : }
423 :
424 : /*
425 : * The function fiat_25519_sub subtracts two field elements.
426 : *
427 : * Postconditions:
428 : * eval out1 mod m = (eval arg1 - eval arg2) mod m
429 : *
430 : */
431 800226792 : static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
432 800226792 : uint64_t x1;
433 800226792 : uint64_t x2;
434 800226792 : uint64_t x3;
435 800226792 : uint64_t x4;
436 800226792 : uint64_t x5;
437 800226792 : x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0]));
438 800226792 : x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1]));
439 800226792 : x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2]));
440 800226792 : x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3]));
441 800226792 : x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4]));
442 800226792 : out1[0] = x1;
443 800226792 : out1[1] = x2;
444 800226792 : out1[2] = x3;
445 800226792 : out1[3] = x4;
446 800226792 : out1[4] = x5;
447 800226792 : }
448 :
449 : /*
450 : * The function fiat_25519_opp negates a field element.
451 : *
452 : * Postconditions:
453 : * eval out1 mod m = -eval arg1 mod m
454 : *
455 : */
456 78837150 : static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
457 78837150 : uint64_t x1;
458 78837150 : uint64_t x2;
459 78837150 : uint64_t x3;
460 78837150 : uint64_t x4;
461 78837150 : uint64_t x5;
462 78837150 : x1 = (UINT64_C(0xfffffffffffda) - (arg1[0]));
463 78837150 : x2 = (UINT64_C(0xffffffffffffe) - (arg1[1]));
464 78837150 : x3 = (UINT64_C(0xffffffffffffe) - (arg1[2]));
465 78837150 : x4 = (UINT64_C(0xffffffffffffe) - (arg1[3]));
466 78837150 : x5 = (UINT64_C(0xffffffffffffe) - (arg1[4]));
467 78837150 : out1[0] = x1;
468 78837150 : out1[1] = x2;
469 78837150 : out1[2] = x3;
470 78837150 : out1[3] = x4;
471 78837150 : out1[4] = x5;
472 78837150 : }
473 :
474 : /*
475 : * The function fiat_25519_selectznz is a multi-limb conditional select.
476 : *
477 : * Postconditions:
478 : * out1 = (if arg1 = 0 then arg2 else arg3)
479 : *
480 : * Input Bounds:
481 : * arg1: [0x0 ~> 0x1]
482 : * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
483 : * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
484 : * Output Bounds:
485 : * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
486 : */
487 1973888250 : static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) {
488 1973888250 : uint64_t x1;
489 1973888250 : uint64_t x2;
490 1973888250 : uint64_t x3;
491 1973888250 : uint64_t x4;
492 1973888250 : uint64_t x5;
493 1973888250 : fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));
494 1973888250 : fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));
495 1973888250 : fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));
496 1973888250 : fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));
497 1973888250 : fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4]));
498 1973888250 : out1[0] = x1;
499 1973888250 : out1[1] = x2;
500 1973888250 : out1[2] = x3;
501 1973888250 : out1[3] = x4;
502 1973888250 : out1[4] = x5;
503 1973888250 : }
504 :
505 : /*
506 : * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
507 : *
508 : * Postconditions:
509 : * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
510 : *
511 : * Output Bounds:
512 : * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
513 : */
514 8508690 : static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {
515 8508690 : uint64_t x1;
516 8508690 : fiat_25519_uint1 x2;
517 8508690 : uint64_t x3;
518 8508690 : fiat_25519_uint1 x4;
519 8508690 : uint64_t x5;
520 8508690 : fiat_25519_uint1 x6;
521 8508690 : uint64_t x7;
522 8508690 : fiat_25519_uint1 x8;
523 8508690 : uint64_t x9;
524 8508690 : fiat_25519_uint1 x10;
525 8508690 : uint64_t x11;
526 8508690 : uint64_t x12;
527 8508690 : fiat_25519_uint1 x13;
528 8508690 : uint64_t x14;
529 8508690 : fiat_25519_uint1 x15;
530 8508690 : uint64_t x16;
531 8508690 : fiat_25519_uint1 x17;
532 8508690 : uint64_t x18;
533 8508690 : fiat_25519_uint1 x19;
534 8508690 : uint64_t x20;
535 8508690 : fiat_25519_uint1 x21;
536 8508690 : uint64_t x22;
537 8508690 : uint64_t x23;
538 8508690 : uint64_t x24;
539 8508690 : uint64_t x25;
540 8508690 : uint8_t x26;
541 8508690 : uint64_t x27;
542 8508690 : uint8_t x28;
543 8508690 : uint64_t x29;
544 8508690 : uint8_t x30;
545 8508690 : uint64_t x31;
546 8508690 : uint8_t x32;
547 8508690 : uint64_t x33;
548 8508690 : uint8_t x34;
549 8508690 : uint64_t x35;
550 8508690 : uint8_t x36;
551 8508690 : uint8_t x37;
552 8508690 : uint64_t x38;
553 8508690 : uint8_t x39;
554 8508690 : uint64_t x40;
555 8508690 : uint8_t x41;
556 8508690 : uint64_t x42;
557 8508690 : uint8_t x43;
558 8508690 : uint64_t x44;
559 8508690 : uint8_t x45;
560 8508690 : uint64_t x46;
561 8508690 : uint8_t x47;
562 8508690 : uint64_t x48;
563 8508690 : uint8_t x49;
564 8508690 : uint8_t x50;
565 8508690 : uint64_t x51;
566 8508690 : uint8_t x52;
567 8508690 : uint64_t x53;
568 8508690 : uint8_t x54;
569 8508690 : uint64_t x55;
570 8508690 : uint8_t x56;
571 8508690 : uint64_t x57;
572 8508690 : uint8_t x58;
573 8508690 : uint64_t x59;
574 8508690 : uint8_t x60;
575 8508690 : uint64_t x61;
576 8508690 : uint8_t x62;
577 8508690 : uint64_t x63;
578 8508690 : uint8_t x64;
579 8508690 : fiat_25519_uint1 x65;
580 8508690 : uint64_t x66;
581 8508690 : uint8_t x67;
582 8508690 : uint64_t x68;
583 8508690 : uint8_t x69;
584 8508690 : uint64_t x70;
585 8508690 : uint8_t x71;
586 8508690 : uint64_t x72;
587 8508690 : uint8_t x73;
588 8508690 : uint64_t x74;
589 8508690 : uint8_t x75;
590 8508690 : uint64_t x76;
591 8508690 : uint8_t x77;
592 8508690 : uint8_t x78;
593 8508690 : uint64_t x79;
594 8508690 : uint8_t x80;
595 8508690 : uint64_t x81;
596 8508690 : uint8_t x82;
597 8508690 : uint64_t x83;
598 8508690 : uint8_t x84;
599 8508690 : uint64_t x85;
600 8508690 : uint8_t x86;
601 8508690 : uint64_t x87;
602 8508690 : uint8_t x88;
603 8508690 : uint64_t x89;
604 8508690 : uint8_t x90;
605 8508690 : uint8_t x91;
606 8508690 : fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed));
607 8508690 : fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff));
608 8508690 : fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff));
609 8508690 : fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff));
610 8508690 : fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff));
611 8508690 : fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff));
612 8508690 : fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed)));
613 8508690 : fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff)));
614 8508690 : fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff)));
615 8508690 : fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff)));
616 8508690 : fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff)));
617 8508690 : x22 = (x20 << 4);
618 8508690 : x23 = (x18 * (uint64_t)0x2);
619 8508690 : x24 = (x16 << 6);
620 8508690 : x25 = (x14 << 3);
621 8508690 : x26 = (uint8_t)(x12 & UINT8_C(0xff));
622 8508690 : x27 = (x12 >> 8);
623 8508690 : x28 = (uint8_t)(x27 & UINT8_C(0xff));
624 8508690 : x29 = (x27 >> 8);
625 8508690 : x30 = (uint8_t)(x29 & UINT8_C(0xff));
626 8508690 : x31 = (x29 >> 8);
627 8508690 : x32 = (uint8_t)(x31 & UINT8_C(0xff));
628 8508690 : x33 = (x31 >> 8);
629 8508690 : x34 = (uint8_t)(x33 & UINT8_C(0xff));
630 8508690 : x35 = (x33 >> 8);
631 8508690 : x36 = (uint8_t)(x35 & UINT8_C(0xff));
632 8508690 : x37 = (uint8_t)(x35 >> 8);
633 8508690 : x38 = (x25 + (uint64_t)x37);
634 8508690 : x39 = (uint8_t)(x38 & UINT8_C(0xff));
635 8508690 : x40 = (x38 >> 8);
636 8508690 : x41 = (uint8_t)(x40 & UINT8_C(0xff));
637 8508690 : x42 = (x40 >> 8);
638 8508690 : x43 = (uint8_t)(x42 & UINT8_C(0xff));
639 8508690 : x44 = (x42 >> 8);
640 8508690 : x45 = (uint8_t)(x44 & UINT8_C(0xff));
641 8508690 : x46 = (x44 >> 8);
642 8508690 : x47 = (uint8_t)(x46 & UINT8_C(0xff));
643 8508690 : x48 = (x46 >> 8);
644 8508690 : x49 = (uint8_t)(x48 & UINT8_C(0xff));
645 8508690 : x50 = (uint8_t)(x48 >> 8);
646 8508690 : x51 = (x24 + (uint64_t)x50);
647 8508690 : x52 = (uint8_t)(x51 & UINT8_C(0xff));
648 8508690 : x53 = (x51 >> 8);
649 8508690 : x54 = (uint8_t)(x53 & UINT8_C(0xff));
650 8508690 : x55 = (x53 >> 8);
651 8508690 : x56 = (uint8_t)(x55 & UINT8_C(0xff));
652 8508690 : x57 = (x55 >> 8);
653 8508690 : x58 = (uint8_t)(x57 & UINT8_C(0xff));
654 8508690 : x59 = (x57 >> 8);
655 8508690 : x60 = (uint8_t)(x59 & UINT8_C(0xff));
656 8508690 : x61 = (x59 >> 8);
657 8508690 : x62 = (uint8_t)(x61 & UINT8_C(0xff));
658 8508690 : x63 = (x61 >> 8);
659 8508690 : x64 = (uint8_t)(x63 & UINT8_C(0xff));
660 8508690 : x65 = (fiat_25519_uint1)(x63 >> 8);
661 8508690 : x66 = (x23 + (uint64_t)x65);
662 8508690 : x67 = (uint8_t)(x66 & UINT8_C(0xff));
663 8508690 : x68 = (x66 >> 8);
664 8508690 : x69 = (uint8_t)(x68 & UINT8_C(0xff));
665 8508690 : x70 = (x68 >> 8);
666 8508690 : x71 = (uint8_t)(x70 & UINT8_C(0xff));
667 8508690 : x72 = (x70 >> 8);
668 8508690 : x73 = (uint8_t)(x72 & UINT8_C(0xff));
669 8508690 : x74 = (x72 >> 8);
670 8508690 : x75 = (uint8_t)(x74 & UINT8_C(0xff));
671 8508690 : x76 = (x74 >> 8);
672 8508690 : x77 = (uint8_t)(x76 & UINT8_C(0xff));
673 8508690 : x78 = (uint8_t)(x76 >> 8);
674 8508690 : x79 = (x22 + (uint64_t)x78);
675 8508690 : x80 = (uint8_t)(x79 & UINT8_C(0xff));
676 8508690 : x81 = (x79 >> 8);
677 8508690 : x82 = (uint8_t)(x81 & UINT8_C(0xff));
678 8508690 : x83 = (x81 >> 8);
679 8508690 : x84 = (uint8_t)(x83 & UINT8_C(0xff));
680 8508690 : x85 = (x83 >> 8);
681 8508690 : x86 = (uint8_t)(x85 & UINT8_C(0xff));
682 8508690 : x87 = (x85 >> 8);
683 8508690 : x88 = (uint8_t)(x87 & UINT8_C(0xff));
684 8508690 : x89 = (x87 >> 8);
685 8508690 : x90 = (uint8_t)(x89 & UINT8_C(0xff));
686 8508690 : x91 = (uint8_t)(x89 >> 8);
687 8508690 : out1[0] = x26;
688 8508690 : out1[1] = x28;
689 8508690 : out1[2] = x30;
690 8508690 : out1[3] = x32;
691 8508690 : out1[4] = x34;
692 8508690 : out1[5] = x36;
693 8508690 : out1[6] = x39;
694 8508690 : out1[7] = x41;
695 8508690 : out1[8] = x43;
696 8508690 : out1[9] = x45;
697 8508690 : out1[10] = x47;
698 8508690 : out1[11] = x49;
699 8508690 : out1[12] = x52;
700 8508690 : out1[13] = x54;
701 8508690 : out1[14] = x56;
702 8508690 : out1[15] = x58;
703 8508690 : out1[16] = x60;
704 8508690 : out1[17] = x62;
705 8508690 : out1[18] = x64;
706 8508690 : out1[19] = x67;
707 8508690 : out1[20] = x69;
708 8508690 : out1[21] = x71;
709 8508690 : out1[22] = x73;
710 8508690 : out1[23] = x75;
711 8508690 : out1[24] = x77;
712 8508690 : out1[25] = x80;
713 8508690 : out1[26] = x82;
714 8508690 : out1[27] = x84;
715 8508690 : out1[28] = x86;
716 8508690 : out1[29] = x88;
717 8508690 : out1[30] = x90;
718 8508690 : out1[31] = x91;
719 8508690 : }
720 :
721 : /*
722 : * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
723 : *
724 : * Postconditions:
725 : * eval out1 mod m = bytes_eval arg1 mod m
726 : *
727 : * Input Bounds:
728 : * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
729 : */
730 3523968 : static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {
731 3523968 : uint64_t x1;
732 3523968 : uint64_t x2;
733 3523968 : uint64_t x3;
734 3523968 : uint64_t x4;
735 3523968 : uint64_t x5;
736 3523968 : uint64_t x6;
737 3523968 : uint64_t x7;
738 3523968 : uint64_t x8;
739 3523968 : uint64_t x9;
740 3523968 : uint64_t x10;
741 3523968 : uint64_t x11;
742 3523968 : uint64_t x12;
743 3523968 : uint64_t x13;
744 3523968 : uint64_t x14;
745 3523968 : uint64_t x15;
746 3523968 : uint64_t x16;
747 3523968 : uint64_t x17;
748 3523968 : uint64_t x18;
749 3523968 : uint64_t x19;
750 3523968 : uint64_t x20;
751 3523968 : uint64_t x21;
752 3523968 : uint64_t x22;
753 3523968 : uint64_t x23;
754 3523968 : uint64_t x24;
755 3523968 : uint64_t x25;
756 3523968 : uint64_t x26;
757 3523968 : uint64_t x27;
758 3523968 : uint64_t x28;
759 3523968 : uint64_t x29;
760 3523968 : uint64_t x30;
761 3523968 : uint64_t x31;
762 3523968 : uint8_t x32;
763 3523968 : uint64_t x33;
764 3523968 : uint64_t x34;
765 3523968 : uint64_t x35;
766 3523968 : uint64_t x36;
767 3523968 : uint64_t x37;
768 3523968 : uint64_t x38;
769 3523968 : uint64_t x39;
770 3523968 : uint8_t x40;
771 3523968 : uint64_t x41;
772 3523968 : uint64_t x42;
773 3523968 : uint64_t x43;
774 3523968 : uint64_t x44;
775 3523968 : uint64_t x45;
776 3523968 : uint64_t x46;
777 3523968 : uint64_t x47;
778 3523968 : uint8_t x48;
779 3523968 : uint64_t x49;
780 3523968 : uint64_t x50;
781 3523968 : uint64_t x51;
782 3523968 : uint64_t x52;
783 3523968 : uint64_t x53;
784 3523968 : uint64_t x54;
785 3523968 : uint64_t x55;
786 3523968 : uint64_t x56;
787 3523968 : uint8_t x57;
788 3523968 : uint64_t x58;
789 3523968 : uint64_t x59;
790 3523968 : uint64_t x60;
791 3523968 : uint64_t x61;
792 3523968 : uint64_t x62;
793 3523968 : uint64_t x63;
794 3523968 : uint64_t x64;
795 3523968 : uint8_t x65;
796 3523968 : uint64_t x66;
797 3523968 : uint64_t x67;
798 3523968 : uint64_t x68;
799 3523968 : uint64_t x69;
800 3523968 : uint64_t x70;
801 3523968 : uint64_t x71;
802 3523968 : x1 = ((uint64_t)(arg1[31] & 0x7F) << 44);
803 3523968 : x2 = ((uint64_t)(arg1[30]) << 36);
804 3523968 : x3 = ((uint64_t)(arg1[29]) << 28);
805 3523968 : x4 = ((uint64_t)(arg1[28]) << 20);
806 3523968 : x5 = ((uint64_t)(arg1[27]) << 12);
807 3523968 : x6 = ((uint64_t)(arg1[26]) << 4);
808 3523968 : x7 = ((uint64_t)(arg1[25]) << 47);
809 3523968 : x8 = ((uint64_t)(arg1[24]) << 39);
810 3523968 : x9 = ((uint64_t)(arg1[23]) << 31);
811 3523968 : x10 = ((uint64_t)(arg1[22]) << 23);
812 3523968 : x11 = ((uint64_t)(arg1[21]) << 15);
813 3523968 : x12 = ((uint64_t)(arg1[20]) << 7);
814 3523968 : x13 = ((uint64_t)(arg1[19]) << 50);
815 3523968 : x14 = ((uint64_t)(arg1[18]) << 42);
816 3523968 : x15 = ((uint64_t)(arg1[17]) << 34);
817 3523968 : x16 = ((uint64_t)(arg1[16]) << 26);
818 3523968 : x17 = ((uint64_t)(arg1[15]) << 18);
819 3523968 : x18 = ((uint64_t)(arg1[14]) << 10);
820 3523968 : x19 = ((uint64_t)(arg1[13]) << 2);
821 3523968 : x20 = ((uint64_t)(arg1[12]) << 45);
822 3523968 : x21 = ((uint64_t)(arg1[11]) << 37);
823 3523968 : x22 = ((uint64_t)(arg1[10]) << 29);
824 3523968 : x23 = ((uint64_t)(arg1[9]) << 21);
825 3523968 : x24 = ((uint64_t)(arg1[8]) << 13);
826 3523968 : x25 = ((uint64_t)(arg1[7]) << 5);
827 3523968 : x26 = ((uint64_t)(arg1[6]) << 48);
828 3523968 : x27 = ((uint64_t)(arg1[5]) << 40);
829 3523968 : x28 = ((uint64_t)(arg1[4]) << 32);
830 3523968 : x29 = ((uint64_t)(arg1[3]) << 24);
831 3523968 : x30 = ((uint64_t)(arg1[2]) << 16);
832 3523968 : x31 = ((uint64_t)(arg1[1]) << 8);
833 3523968 : x32 = (arg1[0]);
834 3523968 : x33 = (x31 + (uint64_t)x32);
835 3523968 : x34 = (x30 + x33);
836 3523968 : x35 = (x29 + x34);
837 3523968 : x36 = (x28 + x35);
838 3523968 : x37 = (x27 + x36);
839 3523968 : x38 = (x26 + x37);
840 3523968 : x39 = (x38 & UINT64_C(0x7ffffffffffff));
841 3523968 : x40 = (uint8_t)(x38 >> 51);
842 3523968 : x41 = (x25 + (uint64_t)x40);
843 3523968 : x42 = (x24 + x41);
844 3523968 : x43 = (x23 + x42);
845 3523968 : x44 = (x22 + x43);
846 3523968 : x45 = (x21 + x44);
847 3523968 : x46 = (x20 + x45);
848 3523968 : x47 = (x46 & UINT64_C(0x7ffffffffffff));
849 3523968 : x48 = (uint8_t)(x46 >> 51);
850 3523968 : x49 = (x19 + (uint64_t)x48);
851 3523968 : x50 = (x18 + x49);
852 3523968 : x51 = (x17 + x50);
853 3523968 : x52 = (x16 + x51);
854 3523968 : x53 = (x15 + x52);
855 3523968 : x54 = (x14 + x53);
856 3523968 : x55 = (x13 + x54);
857 3523968 : x56 = (x55 & UINT64_C(0x7ffffffffffff));
858 3523968 : x57 = (uint8_t)(x55 >> 51);
859 3523968 : x58 = (x12 + (uint64_t)x57);
860 3523968 : x59 = (x11 + x58);
861 3523968 : x60 = (x10 + x59);
862 3523968 : x61 = (x9 + x60);
863 3523968 : x62 = (x8 + x61);
864 3523968 : x63 = (x7 + x62);
865 3523968 : x64 = (x63 & UINT64_C(0x7ffffffffffff));
866 3523968 : x65 = (uint8_t)(x63 >> 51);
867 3523968 : x66 = (x6 + (uint64_t)x65);
868 3523968 : x67 = (x5 + x66);
869 3523968 : x68 = (x4 + x67);
870 3523968 : x69 = (x3 + x68);
871 3523968 : x70 = (x2 + x69);
872 3523968 : x71 = (x1 + x70);
873 3523968 : out1[0] = x39;
874 3523968 : out1[1] = x47;
875 3523968 : out1[2] = x56;
876 3523968 : out1[3] = x64;
877 3523968 : out1[4] = x71;
878 3523968 : }
879 :
880 : /*
881 : * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.
882 : *
883 : * Postconditions:
884 : * out1 = arg1
885 : *
886 : */
887 0 : static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
888 0 : uint64_t x1;
889 0 : uint64_t x2;
890 0 : uint64_t x3;
891 0 : uint64_t x4;
892 0 : uint64_t x5;
893 0 : x1 = (arg1[0]);
894 0 : x2 = (arg1[1]);
895 0 : x3 = (arg1[2]);
896 0 : x4 = (arg1[3]);
897 0 : x5 = (arg1[4]);
898 0 : out1[0] = x1;
899 0 : out1[1] = x2;
900 0 : out1[2] = x3;
901 0 : out1[3] = x4;
902 0 : out1[4] = x5;
903 0 : }
904 :
905 : /*
906 : * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
907 : *
908 : * Postconditions:
909 : * eval out1 mod m = (121666 * eval arg1) mod m
910 : *
911 : */
912 33508530 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
913 33508530 : fiat_25519_uint128 x1;
914 33508530 : fiat_25519_uint128 x2;
915 33508530 : fiat_25519_uint128 x3;
916 33508530 : fiat_25519_uint128 x4;
917 33508530 : fiat_25519_uint128 x5;
918 33508530 : uint64_t x6;
919 33508530 : uint64_t x7;
920 33508530 : fiat_25519_uint128 x8;
921 33508530 : uint64_t x9;
922 33508530 : uint64_t x10;
923 33508530 : fiat_25519_uint128 x11;
924 33508530 : uint64_t x12;
925 33508530 : uint64_t x13;
926 33508530 : fiat_25519_uint128 x14;
927 33508530 : uint64_t x15;
928 33508530 : uint64_t x16;
929 33508530 : fiat_25519_uint128 x17;
930 33508530 : uint64_t x18;
931 33508530 : uint64_t x19;
932 33508530 : uint64_t x20;
933 33508530 : uint64_t x21;
934 33508530 : fiat_25519_uint1 x22;
935 33508530 : uint64_t x23;
936 33508530 : uint64_t x24;
937 33508530 : fiat_25519_uint1 x25;
938 33508530 : uint64_t x26;
939 33508530 : uint64_t x27;
940 33508530 : x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4]));
941 33508530 : x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3]));
942 33508530 : x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2]));
943 33508530 : x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1]));
944 33508530 : x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0]));
945 33508530 : x6 = (uint64_t)(x5 >> 51);
946 33508530 : x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff));
947 33508530 : x8 = (x6 + x4);
948 33508530 : x9 = (uint64_t)(x8 >> 51);
949 33508530 : x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff));
950 33508530 : x11 = (x9 + x3);
951 33508530 : x12 = (uint64_t)(x11 >> 51);
952 33508530 : x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff));
953 33508530 : x14 = (x12 + x2);
954 33508530 : x15 = (uint64_t)(x14 >> 51);
955 33508530 : x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff));
956 33508530 : x17 = (x15 + x1);
957 33508530 : x18 = (uint64_t)(x17 >> 51);
958 33508530 : x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff));
959 33508530 : x20 = (x18 * UINT8_C(0x13));
960 33508530 : x21 = (x7 + x20);
961 33508530 : x22 = (fiat_25519_uint1)(x21 >> 51);
962 33508530 : x23 = (x21 & UINT64_C(0x7ffffffffffff));
963 33508530 : x24 = (x22 + x10);
964 33508530 : x25 = (fiat_25519_uint1)(x24 >> 51);
965 : x26 = (x24 & UINT64_C(0x7ffffffffffff));
966 33508530 : x27 = (x25 + x13);
967 33508530 : out1[0] = x23;
968 33508530 : out1[1] = x26;
969 33508530 : out1[2] = x27;
970 33508530 : out1[3] = x16;
971 33508530 : out1[4] = x19;
972 33508530 : }
|
