Line data Source code
1 : /* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */
2 : /* curve description: 25519 */
3 : /* machine_wordsize = 64 (from "64") */
4 : /* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */
5 : /* n = 5 (from "(auto)") */
6 : /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
7 : /* tight_bounds_multiplier = 1 (from "") */
8 : /* */
9 : /* Computed values: */
10 : /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */
11 : /* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */
12 : /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
13 : /* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */
14 :
15 : #include <stdint.h>
16 : typedef unsigned char fiat_25519_uint1;
17 : typedef signed char fiat_25519_int1;
18 : #if defined(__GNUC__) || defined(__clang__)
19 : # define FIAT_25519_FIAT_EXTENSION __extension__
20 : # define FIAT_25519_FIAT_INLINE __inline__
21 : #else
22 : # define FIAT_25519_FIAT_EXTENSION
23 : # define FIAT_25519_FIAT_INLINE
24 : #endif
25 :
26 : FIAT_25519_FIAT_EXTENSION typedef signed __int128 fiat_25519_int128;
27 : FIAT_25519_FIAT_EXTENSION typedef unsigned __int128 fiat_25519_uint128;
28 :
29 : /* The type fiat_25519_loose_field_element is a field element with loose bounds. */
30 : /* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */
31 : typedef uint64_t fiat_25519_loose_field_element[5];
32 :
33 : /* The type fiat_25519_tight_field_element is a field element with tight bounds. */
34 : /* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */
35 : typedef uint64_t fiat_25519_tight_field_element[5];
36 :
37 : #if (-1 & 3) != 3
38 : #error "This code only works on a two's complement system"
39 : #endif
40 :
41 : #if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
42 19755437404 : static __inline__ uint64_t fiat_25519_value_barrier_u64(uint64_t a) {
43 19755437404 : __asm__("" : "+r"(a) : /* no inputs */);
44 19755437404 : return a;
45 19755437404 : }
46 : #else
47 : # define fiat_25519_value_barrier_u64(x) (x)
48 : #endif
49 :
50 :
51 : /*
52 : * The function fiat_25519_addcarryx_u51 is an addition with carry.
53 : *
54 : * Postconditions:
55 : * out1 = (arg1 + arg2 + arg3) mod 2^51
56 : * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋
57 : *
58 : * Input Bounds:
59 : * arg1: [0x0 ~> 0x1]
60 : * arg2: [0x0 ~> 0x7ffffffffffff]
61 : * arg3: [0x0 ~> 0x7ffffffffffff]
62 : * Output Bounds:
63 : * out1: [0x0 ~> 0x7ffffffffffff]
64 : * out2: [0x0 ~> 0x1]
65 : */
66 42538260 : static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
67 42538260 : uint64_t x1;
68 42538260 : uint64_t x2;
69 42538260 : fiat_25519_uint1 x3;
70 42538260 : x1 = ((arg1 + arg2) + arg3);
71 42538260 : x2 = (x1 & UINT64_C(0x7ffffffffffff));
72 42538260 : x3 = (fiat_25519_uint1)(x1 >> 51);
73 42538260 : *out1 = x2;
74 42538260 : *out2 = x3;
75 42538260 : }
76 :
77 : /*
78 : * The function fiat_25519_subborrowx_u51 is a subtraction with borrow.
79 : *
80 : * Postconditions:
81 : * out1 = (-arg1 + arg2 + -arg3) mod 2^51
82 : * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋
83 : *
84 : * Input Bounds:
85 : * arg1: [0x0 ~> 0x1]
86 : * arg2: [0x0 ~> 0x7ffffffffffff]
87 : * arg3: [0x0 ~> 0x7ffffffffffff]
88 : * Output Bounds:
89 : * out1: [0x0 ~> 0x7ffffffffffff]
90 : * out2: [0x0 ~> 0x1]
91 : */
92 42538260 : static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
93 42538260 : int64_t x1;
94 42538260 : fiat_25519_int1 x2;
95 42538260 : uint64_t x3;
96 42538260 : x1 = ((int64_t)((int64_t)arg2 - (int64_t)arg1) - (int64_t)arg3);
97 42538260 : x2 = (fiat_25519_int1)(x1 >> 51);
98 42538260 : x3 = ((uint64_t)x1 & UINT64_C(0x7ffffffffffff));
99 42538260 : *out1 = x3;
100 42538260 : *out2 = (fiat_25519_uint1)(0x0 - x2);
101 42538260 : }
102 :
103 : /*
104 : * The function fiat_25519_cmovznz_u64 is a single-word conditional move.
105 : *
106 : * Postconditions:
107 : * out1 = (if arg1 = 0 then arg2 else arg3)
108 : *
109 : * Input Bounds:
110 : * arg1: [0x0 ~> 0x1]
111 : * arg2: [0x0 ~> 0xffffffffffffffff]
112 : * arg3: [0x0 ~> 0xffffffffffffffff]
113 : * Output Bounds:
114 : * out1: [0x0 ~> 0xffffffffffffffff]
115 : */
116 9877718702 : static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
117 9877718702 : fiat_25519_uint1 x1;
118 9877718702 : uint64_t x2;
119 9877718702 : uint64_t x3;
120 9877718702 : x1 = (!(!arg1));
121 9877718702 : x2 = ((uint64_t)(fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));
122 9877718702 : x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2));
123 9877718702 : *out1 = x3;
124 9877718702 : }
125 :
126 : /*
127 : * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
128 : *
129 : * Postconditions:
130 : * eval out1 mod m = (eval arg1 * eval arg2) mod m
131 : *
132 : */
133 1541581150 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {
134 1541581150 : fiat_25519_uint128 x1;
135 1541581150 : fiat_25519_uint128 x2;
136 1541581150 : fiat_25519_uint128 x3;
137 1541581150 : fiat_25519_uint128 x4;
138 1541581150 : fiat_25519_uint128 x5;
139 1541581150 : fiat_25519_uint128 x6;
140 1541581150 : fiat_25519_uint128 x7;
141 1541581150 : fiat_25519_uint128 x8;
142 1541581150 : fiat_25519_uint128 x9;
143 1541581150 : fiat_25519_uint128 x10;
144 1541581150 : fiat_25519_uint128 x11;
145 1541581150 : fiat_25519_uint128 x12;
146 1541581150 : fiat_25519_uint128 x13;
147 1541581150 : fiat_25519_uint128 x14;
148 1541581150 : fiat_25519_uint128 x15;
149 1541581150 : fiat_25519_uint128 x16;
150 1541581150 : fiat_25519_uint128 x17;
151 1541581150 : fiat_25519_uint128 x18;
152 1541581150 : fiat_25519_uint128 x19;
153 1541581150 : fiat_25519_uint128 x20;
154 1541581150 : fiat_25519_uint128 x21;
155 1541581150 : fiat_25519_uint128 x22;
156 1541581150 : fiat_25519_uint128 x23;
157 1541581150 : fiat_25519_uint128 x24;
158 1541581150 : fiat_25519_uint128 x25;
159 1541581150 : fiat_25519_uint128 x26;
160 1541581150 : uint64_t x27;
161 1541581150 : uint64_t x28;
162 1541581150 : fiat_25519_uint128 x29;
163 1541581150 : fiat_25519_uint128 x30;
164 1541581150 : fiat_25519_uint128 x31;
165 1541581150 : fiat_25519_uint128 x32;
166 1541581150 : fiat_25519_uint128 x33;
167 1541581150 : uint64_t x34;
168 1541581150 : uint64_t x35;
169 1541581150 : fiat_25519_uint128 x36;
170 1541581150 : uint64_t x37;
171 1541581150 : uint64_t x38;
172 1541581150 : fiat_25519_uint128 x39;
173 1541581150 : uint64_t x40;
174 1541581150 : uint64_t x41;
175 1541581150 : fiat_25519_uint128 x42;
176 1541581150 : uint64_t x43;
177 1541581150 : uint64_t x44;
178 1541581150 : uint64_t x45;
179 1541581150 : uint64_t x46;
180 1541581150 : uint64_t x47;
181 1541581150 : uint64_t x48;
182 1541581150 : uint64_t x49;
183 1541581150 : fiat_25519_uint1 x50;
184 1541581150 : uint64_t x51;
185 1541581150 : uint64_t x52;
186 1541581150 : x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13)));
187 1541581150 : x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13)));
188 1541581150 : x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13)));
189 1541581150 : x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13)));
190 1541581150 : x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13)));
191 1541581150 : x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13)));
192 1541581150 : x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13)));
193 1541581150 : x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13)));
194 1541581150 : x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13)));
195 1541581150 : x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) * UINT8_C(0x13)));
196 1541581150 : x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0]));
197 1541581150 : x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1]));
198 1541581150 : x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0]));
199 1541581150 : x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2]));
200 1541581150 : x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1]));
201 1541581150 : x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0]));
202 1541581150 : x17 = ((fiat_25519_uint128)(arg1[1]) * (arg2[3]));
203 1541581150 : x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2]));
204 1541581150 : x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1]));
205 1541581150 : x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0]));
206 1541581150 : x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4]));
207 1541581150 : x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3]));
208 1541581150 : x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2]));
209 1541581150 : x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1]));
210 1541581150 : x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0]));
211 1541581150 : x26 = (x25 + (x10 + (x9 + (x7 + x4))));
212 1541581150 : x27 = (uint64_t)(x26 >> 51);
213 1541581150 : x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff));
214 1541581150 : x29 = (x21 + (x17 + (x14 + (x12 + x11))));
215 1541581150 : x30 = (x22 + (x18 + (x15 + (x13 + x1))));
216 1541581150 : x31 = (x23 + (x19 + (x16 + (x5 + x2))));
217 1541581150 : x32 = (x24 + (x20 + (x8 + (x6 + x3))));
218 1541581150 : x33 = (x27 + x32);
219 1541581150 : x34 = (uint64_t)(x33 >> 51);
220 1541581150 : x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff));
221 1541581150 : x36 = (x34 + x31);
222 1541581150 : x37 = (uint64_t)(x36 >> 51);
223 1541581150 : x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff));
224 1541581150 : x39 = (x37 + x30);
225 1541581150 : x40 = (uint64_t)(x39 >> 51);
226 1541581150 : x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff));
227 1541581150 : x42 = (x40 + x29);
228 1541581150 : x43 = (uint64_t)(x42 >> 51);
229 1541581150 : x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff));
230 1541581150 : x45 = (x43 * UINT8_C(0x13));
231 1541581150 : x46 = (x28 + x45);
232 1541581150 : x47 = (x46 >> 51);
233 1541581150 : x48 = (x46 & UINT64_C(0x7ffffffffffff));
234 1541581150 : x49 = (x47 + x35);
235 1541581150 : x50 = (fiat_25519_uint1)(x49 >> 51);
236 1541581150 : x51 = (x49 & UINT64_C(0x7ffffffffffff));
237 1541581150 : x52 = (x50 + x38);
238 1541581150 : out1[0] = x48;
239 1541581150 : out1[1] = x51;
240 1541581150 : out1[2] = x52;
241 1541581150 : out1[3] = x41;
242 1541581150 : out1[4] = x44;
243 1541581150 : }
244 :
245 : /*
246 : * The function fiat_25519_carry_square squares a field element and reduces the result.
247 : *
248 : * Postconditions:
249 : * eval out1 mod m = (eval arg1 * eval arg1) mod m
250 : *
251 : */
252 1480081470 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
253 1480081470 : uint64_t x1;
254 1480081470 : uint64_t x2;
255 1480081470 : uint64_t x3;
256 1480081470 : uint64_t x4;
257 1480081470 : uint64_t x5;
258 1480081470 : uint64_t x6;
259 1480081470 : uint64_t x7;
260 1480081470 : uint64_t x8;
261 1480081470 : fiat_25519_uint128 x9;
262 1480081470 : fiat_25519_uint128 x10;
263 1480081470 : fiat_25519_uint128 x11;
264 1480081470 : fiat_25519_uint128 x12;
265 1480081470 : fiat_25519_uint128 x13;
266 1480081470 : fiat_25519_uint128 x14;
267 1480081470 : fiat_25519_uint128 x15;
268 1480081470 : fiat_25519_uint128 x16;
269 1480081470 : fiat_25519_uint128 x17;
270 1480081470 : fiat_25519_uint128 x18;
271 1480081470 : fiat_25519_uint128 x19;
272 1480081470 : fiat_25519_uint128 x20;
273 1480081470 : fiat_25519_uint128 x21;
274 1480081470 : fiat_25519_uint128 x22;
275 1480081470 : fiat_25519_uint128 x23;
276 1480081470 : fiat_25519_uint128 x24;
277 1480081470 : uint64_t x25;
278 1480081470 : uint64_t x26;
279 1480081470 : fiat_25519_uint128 x27;
280 1480081470 : fiat_25519_uint128 x28;
281 1480081470 : fiat_25519_uint128 x29;
282 1480081470 : fiat_25519_uint128 x30;
283 1480081470 : fiat_25519_uint128 x31;
284 1480081470 : uint64_t x32;
285 1480081470 : uint64_t x33;
286 1480081470 : fiat_25519_uint128 x34;
287 1480081470 : uint64_t x35;
288 1480081470 : uint64_t x36;
289 1480081470 : fiat_25519_uint128 x37;
290 1480081470 : uint64_t x38;
291 1480081470 : uint64_t x39;
292 1480081470 : fiat_25519_uint128 x40;
293 1480081470 : uint64_t x41;
294 1480081470 : uint64_t x42;
295 1480081470 : uint64_t x43;
296 1480081470 : uint64_t x44;
297 1480081470 : uint64_t x45;
298 1480081470 : uint64_t x46;
299 1480081470 : uint64_t x47;
300 1480081470 : fiat_25519_uint1 x48;
301 1480081470 : uint64_t x49;
302 1480081470 : uint64_t x50;
303 1480081470 : x1 = ((arg1[4]) * UINT8_C(0x13));
304 1480081470 : x2 = (x1 * 0x2);
305 1480081470 : x3 = ((arg1[4]) * 0x2);
306 1480081470 : x4 = ((arg1[3]) * UINT8_C(0x13));
307 1480081470 : x5 = (x4 * 0x2);
308 1480081470 : x6 = ((arg1[3]) * 0x2);
309 1480081470 : x7 = ((arg1[2]) * 0x2);
310 1480081470 : x8 = ((arg1[1]) * 0x2);
311 1480081470 : x9 = ((fiat_25519_uint128)(arg1[4]) * x1);
312 1480081470 : x10 = ((fiat_25519_uint128)(arg1[3]) * x2);
313 1480081470 : x11 = ((fiat_25519_uint128)(arg1[3]) * x4);
314 1480081470 : x12 = ((fiat_25519_uint128)(arg1[2]) * x2);
315 1480081470 : x13 = ((fiat_25519_uint128)(arg1[2]) * x5);
316 1480081470 : x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2]));
317 1480081470 : x15 = ((fiat_25519_uint128)(arg1[1]) * x2);
318 1480081470 : x16 = ((fiat_25519_uint128)(arg1[1]) * x6);
319 1480081470 : x17 = ((fiat_25519_uint128)(arg1[1]) * x7);
320 1480081470 : x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1]));
321 1480081470 : x19 = ((fiat_25519_uint128)(arg1[0]) * x3);
322 1480081470 : x20 = ((fiat_25519_uint128)(arg1[0]) * x6);
323 1480081470 : x21 = ((fiat_25519_uint128)(arg1[0]) * x7);
324 1480081470 : x22 = ((fiat_25519_uint128)(arg1[0]) * x8);
325 1480081470 : x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0]));
326 1480081470 : x24 = (x23 + (x15 + x13));
327 1480081470 : x25 = (uint64_t)(x24 >> 51);
328 1480081470 : x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff));
329 1480081470 : x27 = (x19 + (x16 + x14));
330 1480081470 : x28 = (x20 + (x17 + x9));
331 1480081470 : x29 = (x21 + (x18 + x10));
332 1480081470 : x30 = (x22 + (x12 + x11));
333 1480081470 : x31 = (x25 + x30);
334 1480081470 : x32 = (uint64_t)(x31 >> 51);
335 1480081470 : x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff));
336 1480081470 : x34 = (x32 + x29);
337 1480081470 : x35 = (uint64_t)(x34 >> 51);
338 1480081470 : x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff));
339 1480081470 : x37 = (x35 + x28);
340 1480081470 : x38 = (uint64_t)(x37 >> 51);
341 1480081470 : x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff));
342 1480081470 : x40 = (x38 + x27);
343 1480081470 : x41 = (uint64_t)(x40 >> 51);
344 1480081470 : x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff));
345 1480081470 : x43 = (x41 * UINT8_C(0x13));
346 1480081470 : x44 = (x26 + x43);
347 1480081470 : x45 = (x44 >> 51);
348 1480081470 : x46 = (x44 & UINT64_C(0x7ffffffffffff));
349 1480081470 : x47 = (x45 + x33);
350 1480081470 : x48 = (fiat_25519_uint1)(x47 >> 51);
351 1480081470 : x49 = (x47 & UINT64_C(0x7ffffffffffff));
352 1480081470 : x50 = (x48 + x36);
353 1480081470 : out1[0] = x46;
354 1480081470 : out1[1] = x49;
355 1480081470 : out1[2] = x50;
356 1480081470 : out1[3] = x39;
357 1480081470 : out1[4] = x42;
358 1480081470 : }
359 :
360 : /*
361 : * The function fiat_25519_carry reduces a field element.
362 : *
363 : * Postconditions:
364 : * eval out1 mod m = eval arg1 mod m
365 : *
366 : */
367 525786882 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
368 525786882 : uint64_t x1;
369 525786882 : uint64_t x2;
370 525786882 : uint64_t x3;
371 525786882 : uint64_t x4;
372 525786882 : uint64_t x5;
373 525786882 : uint64_t x6;
374 525786882 : uint64_t x7;
375 525786882 : uint64_t x8;
376 525786882 : uint64_t x9;
377 525786882 : uint64_t x10;
378 525786882 : uint64_t x11;
379 525786882 : uint64_t x12;
380 525786882 : x1 = (arg1[0]);
381 525786882 : x2 = ((x1 >> 51) + (arg1[1]));
382 525786882 : x3 = ((x2 >> 51) + (arg1[2]));
383 525786882 : x4 = ((x3 >> 51) + (arg1[3]));
384 525786882 : x5 = ((x4 >> 51) + (arg1[4]));
385 525786882 : x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13)));
386 525786882 : x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff)));
387 525786882 : x8 = (x6 & UINT64_C(0x7ffffffffffff));
388 525786882 : x9 = (x7 & UINT64_C(0x7ffffffffffff));
389 525786882 : x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff)));
390 525786882 : x11 = (x4 & UINT64_C(0x7ffffffffffff));
391 525786882 : x12 = (x5 & UINT64_C(0x7ffffffffffff));
392 525786882 : out1[0] = x8;
393 525786882 : out1[1] = x9;
394 525786882 : out1[2] = x10;
395 525786882 : out1[3] = x11;
396 525786882 : out1[4] = x12;
397 525786882 : }
398 :
399 : /*
400 : * The function fiat_25519_add adds two field elements.
401 : *
402 : * Postconditions:
403 : * eval out1 mod m = (eval arg1 + eval arg2) mod m
404 : *
405 : */
406 1193485934 : static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
407 1193485934 : uint64_t x1;
408 1193485934 : uint64_t x2;
409 1193485934 : uint64_t x3;
410 1193485934 : uint64_t x4;
411 1193485934 : uint64_t x5;
412 1193485934 : x1 = ((arg1[0]) + (arg2[0]));
413 1193485934 : x2 = ((arg1[1]) + (arg2[1]));
414 1193485934 : x3 = ((arg1[2]) + (arg2[2]));
415 1193485934 : x4 = ((arg1[3]) + (arg2[3]));
416 1193485934 : x5 = ((arg1[4]) + (arg2[4]));
417 1193485934 : out1[0] = x1;
418 1193485934 : out1[1] = x2;
419 1193485934 : out1[2] = x3;
420 1193485934 : out1[3] = x4;
421 1193485934 : out1[4] = x5;
422 1193485934 : }
423 :
424 : /*
425 : * The function fiat_25519_sub subtracts two field elements.
426 : *
427 : * Postconditions:
428 : * eval out1 mod m = (eval arg1 - eval arg2) mod m
429 : *
430 : */
431 800128263 : static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
432 800128263 : uint64_t x1;
433 800128263 : uint64_t x2;
434 800128263 : uint64_t x3;
435 800128263 : uint64_t x4;
436 800128263 : uint64_t x5;
437 800128263 : x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0]));
438 800128263 : x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1]));
439 800128263 : x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2]));
440 800128263 : x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3]));
441 800128263 : x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4]));
442 800128263 : out1[0] = x1;
443 800128263 : out1[1] = x2;
444 800128263 : out1[2] = x3;
445 800128263 : out1[3] = x4;
446 800128263 : out1[4] = x5;
447 800128263 : }
448 :
449 : /*
450 : * The function fiat_25519_opp negates a field element.
451 : *
452 : * Postconditions:
453 : * eval out1 mod m = -eval arg1 mod m
454 : *
455 : */
456 78834213 : static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
457 78834213 : uint64_t x1;
458 78834213 : uint64_t x2;
459 78834213 : uint64_t x3;
460 78834213 : uint64_t x4;
461 78834213 : uint64_t x5;
462 78834213 : x1 = (UINT64_C(0xfffffffffffda) - (arg1[0]));
463 78834213 : x2 = (UINT64_C(0xffffffffffffe) - (arg1[1]));
464 78834213 : x3 = (UINT64_C(0xffffffffffffe) - (arg1[2]));
465 78834213 : x4 = (UINT64_C(0xffffffffffffe) - (arg1[3]));
466 78834213 : x5 = (UINT64_C(0xffffffffffffe) - (arg1[4]));
467 78834213 : out1[0] = x1;
468 78834213 : out1[1] = x2;
469 78834213 : out1[2] = x3;
470 78834213 : out1[3] = x4;
471 78834213 : out1[4] = x5;
472 78834213 : }
473 :
474 : /*
475 : * The function fiat_25519_selectznz is a multi-limb conditional select.
476 : *
477 : * Postconditions:
478 : * out1 = (if arg1 = 0 then arg2 else arg3)
479 : *
480 : * Input Bounds:
481 : * arg1: [0x0 ~> 0x1]
482 : * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
483 : * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
484 : * Output Bounds:
485 : * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
486 : */
487 1973842210 : static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) {
488 1973842210 : uint64_t x1;
489 1973842210 : uint64_t x2;
490 1973842210 : uint64_t x3;
491 1973842210 : uint64_t x4;
492 1973842210 : uint64_t x5;
493 1973842210 : fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));
494 1973842210 : fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));
495 1973842210 : fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));
496 1973842210 : fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));
497 1973842210 : fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4]));
498 1973842210 : out1[0] = x1;
499 1973842210 : out1[1] = x2;
500 1973842210 : out1[2] = x3;
501 1973842210 : out1[3] = x4;
502 1973842210 : out1[4] = x5;
503 1973842210 : }
504 :
505 : /*
506 : * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
507 : *
508 : * Postconditions:
509 : * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
510 : *
511 : * Output Bounds:
512 : * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
513 : */
514 8507652 : static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {
515 8507652 : uint64_t x1;
516 8507652 : fiat_25519_uint1 x2;
517 8507652 : uint64_t x3;
518 8507652 : fiat_25519_uint1 x4;
519 8507652 : uint64_t x5;
520 8507652 : fiat_25519_uint1 x6;
521 8507652 : uint64_t x7;
522 8507652 : fiat_25519_uint1 x8;
523 8507652 : uint64_t x9;
524 8507652 : fiat_25519_uint1 x10;
525 8507652 : uint64_t x11;
526 8507652 : uint64_t x12;
527 8507652 : fiat_25519_uint1 x13;
528 8507652 : uint64_t x14;
529 8507652 : fiat_25519_uint1 x15;
530 8507652 : uint64_t x16;
531 8507652 : fiat_25519_uint1 x17;
532 8507652 : uint64_t x18;
533 8507652 : fiat_25519_uint1 x19;
534 8507652 : uint64_t x20;
535 8507652 : fiat_25519_uint1 x21;
536 8507652 : uint64_t x22;
537 8507652 : uint64_t x23;
538 8507652 : uint64_t x24;
539 8507652 : uint64_t x25;
540 8507652 : uint8_t x26;
541 8507652 : uint64_t x27;
542 8507652 : uint8_t x28;
543 8507652 : uint64_t x29;
544 8507652 : uint8_t x30;
545 8507652 : uint64_t x31;
546 8507652 : uint8_t x32;
547 8507652 : uint64_t x33;
548 8507652 : uint8_t x34;
549 8507652 : uint64_t x35;
550 8507652 : uint8_t x36;
551 8507652 : uint8_t x37;
552 8507652 : uint64_t x38;
553 8507652 : uint8_t x39;
554 8507652 : uint64_t x40;
555 8507652 : uint8_t x41;
556 8507652 : uint64_t x42;
557 8507652 : uint8_t x43;
558 8507652 : uint64_t x44;
559 8507652 : uint8_t x45;
560 8507652 : uint64_t x46;
561 8507652 : uint8_t x47;
562 8507652 : uint64_t x48;
563 8507652 : uint8_t x49;
564 8507652 : uint8_t x50;
565 8507652 : uint64_t x51;
566 8507652 : uint8_t x52;
567 8507652 : uint64_t x53;
568 8507652 : uint8_t x54;
569 8507652 : uint64_t x55;
570 8507652 : uint8_t x56;
571 8507652 : uint64_t x57;
572 8507652 : uint8_t x58;
573 8507652 : uint64_t x59;
574 8507652 : uint8_t x60;
575 8507652 : uint64_t x61;
576 8507652 : uint8_t x62;
577 8507652 : uint64_t x63;
578 8507652 : uint8_t x64;
579 8507652 : fiat_25519_uint1 x65;
580 8507652 : uint64_t x66;
581 8507652 : uint8_t x67;
582 8507652 : uint64_t x68;
583 8507652 : uint8_t x69;
584 8507652 : uint64_t x70;
585 8507652 : uint8_t x71;
586 8507652 : uint64_t x72;
587 8507652 : uint8_t x73;
588 8507652 : uint64_t x74;
589 8507652 : uint8_t x75;
590 8507652 : uint64_t x76;
591 8507652 : uint8_t x77;
592 8507652 : uint8_t x78;
593 8507652 : uint64_t x79;
594 8507652 : uint8_t x80;
595 8507652 : uint64_t x81;
596 8507652 : uint8_t x82;
597 8507652 : uint64_t x83;
598 8507652 : uint8_t x84;
599 8507652 : uint64_t x85;
600 8507652 : uint8_t x86;
601 8507652 : uint64_t x87;
602 8507652 : uint8_t x88;
603 8507652 : uint64_t x89;
604 8507652 : uint8_t x90;
605 8507652 : uint8_t x91;
606 8507652 : fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed));
607 8507652 : fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff));
608 8507652 : fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff));
609 8507652 : fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff));
610 8507652 : fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff));
611 8507652 : fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff));
612 8507652 : fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed)));
613 8507652 : fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff)));
614 8507652 : fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff)));
615 8507652 : fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff)));
616 8507652 : fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff)));
617 8507652 : x22 = (x20 << 4);
618 8507652 : x23 = (x18 * (uint64_t)0x2);
619 8507652 : x24 = (x16 << 6);
620 8507652 : x25 = (x14 << 3);
621 8507652 : x26 = (uint8_t)(x12 & UINT8_C(0xff));
622 8507652 : x27 = (x12 >> 8);
623 8507652 : x28 = (uint8_t)(x27 & UINT8_C(0xff));
624 8507652 : x29 = (x27 >> 8);
625 8507652 : x30 = (uint8_t)(x29 & UINT8_C(0xff));
626 8507652 : x31 = (x29 >> 8);
627 8507652 : x32 = (uint8_t)(x31 & UINT8_C(0xff));
628 8507652 : x33 = (x31 >> 8);
629 8507652 : x34 = (uint8_t)(x33 & UINT8_C(0xff));
630 8507652 : x35 = (x33 >> 8);
631 8507652 : x36 = (uint8_t)(x35 & UINT8_C(0xff));
632 8507652 : x37 = (uint8_t)(x35 >> 8);
633 8507652 : x38 = (x25 + (uint64_t)x37);
634 8507652 : x39 = (uint8_t)(x38 & UINT8_C(0xff));
635 8507652 : x40 = (x38 >> 8);
636 8507652 : x41 = (uint8_t)(x40 & UINT8_C(0xff));
637 8507652 : x42 = (x40 >> 8);
638 8507652 : x43 = (uint8_t)(x42 & UINT8_C(0xff));
639 8507652 : x44 = (x42 >> 8);
640 8507652 : x45 = (uint8_t)(x44 & UINT8_C(0xff));
641 8507652 : x46 = (x44 >> 8);
642 8507652 : x47 = (uint8_t)(x46 & UINT8_C(0xff));
643 8507652 : x48 = (x46 >> 8);
644 8507652 : x49 = (uint8_t)(x48 & UINT8_C(0xff));
645 8507652 : x50 = (uint8_t)(x48 >> 8);
646 8507652 : x51 = (x24 + (uint64_t)x50);
647 8507652 : x52 = (uint8_t)(x51 & UINT8_C(0xff));
648 8507652 : x53 = (x51 >> 8);
649 8507652 : x54 = (uint8_t)(x53 & UINT8_C(0xff));
650 8507652 : x55 = (x53 >> 8);
651 8507652 : x56 = (uint8_t)(x55 & UINT8_C(0xff));
652 8507652 : x57 = (x55 >> 8);
653 8507652 : x58 = (uint8_t)(x57 & UINT8_C(0xff));
654 8507652 : x59 = (x57 >> 8);
655 8507652 : x60 = (uint8_t)(x59 & UINT8_C(0xff));
656 8507652 : x61 = (x59 >> 8);
657 8507652 : x62 = (uint8_t)(x61 & UINT8_C(0xff));
658 8507652 : x63 = (x61 >> 8);
659 8507652 : x64 = (uint8_t)(x63 & UINT8_C(0xff));
660 8507652 : x65 = (fiat_25519_uint1)(x63 >> 8);
661 8507652 : x66 = (x23 + (uint64_t)x65);
662 8507652 : x67 = (uint8_t)(x66 & UINT8_C(0xff));
663 8507652 : x68 = (x66 >> 8);
664 8507652 : x69 = (uint8_t)(x68 & UINT8_C(0xff));
665 8507652 : x70 = (x68 >> 8);
666 8507652 : x71 = (uint8_t)(x70 & UINT8_C(0xff));
667 8507652 : x72 = (x70 >> 8);
668 8507652 : x73 = (uint8_t)(x72 & UINT8_C(0xff));
669 8507652 : x74 = (x72 >> 8);
670 8507652 : x75 = (uint8_t)(x74 & UINT8_C(0xff));
671 8507652 : x76 = (x74 >> 8);
672 8507652 : x77 = (uint8_t)(x76 & UINT8_C(0xff));
673 8507652 : x78 = (uint8_t)(x76 >> 8);
674 8507652 : x79 = (x22 + (uint64_t)x78);
675 8507652 : x80 = (uint8_t)(x79 & UINT8_C(0xff));
676 8507652 : x81 = (x79 >> 8);
677 8507652 : x82 = (uint8_t)(x81 & UINT8_C(0xff));
678 8507652 : x83 = (x81 >> 8);
679 8507652 : x84 = (uint8_t)(x83 & UINT8_C(0xff));
680 8507652 : x85 = (x83 >> 8);
681 8507652 : x86 = (uint8_t)(x85 & UINT8_C(0xff));
682 8507652 : x87 = (x85 >> 8);
683 8507652 : x88 = (uint8_t)(x87 & UINT8_C(0xff));
684 8507652 : x89 = (x87 >> 8);
685 8507652 : x90 = (uint8_t)(x89 & UINT8_C(0xff));
686 8507652 : x91 = (uint8_t)(x89 >> 8);
687 8507652 : out1[0] = x26;
688 8507652 : out1[1] = x28;
689 8507652 : out1[2] = x30;
690 8507652 : out1[3] = x32;
691 8507652 : out1[4] = x34;
692 8507652 : out1[5] = x36;
693 8507652 : out1[6] = x39;
694 8507652 : out1[7] = x41;
695 8507652 : out1[8] = x43;
696 8507652 : out1[9] = x45;
697 8507652 : out1[10] = x47;
698 8507652 : out1[11] = x49;
699 8507652 : out1[12] = x52;
700 8507652 : out1[13] = x54;
701 8507652 : out1[14] = x56;
702 8507652 : out1[15] = x58;
703 8507652 : out1[16] = x60;
704 8507652 : out1[17] = x62;
705 8507652 : out1[18] = x64;
706 8507652 : out1[19] = x67;
707 8507652 : out1[20] = x69;
708 8507652 : out1[21] = x71;
709 8507652 : out1[22] = x73;
710 8507652 : out1[23] = x75;
711 8507652 : out1[24] = x77;
712 8507652 : out1[25] = x80;
713 8507652 : out1[26] = x82;
714 8507652 : out1[27] = x84;
715 8507652 : out1[28] = x86;
716 8507652 : out1[29] = x88;
717 8507652 : out1[30] = x90;
718 8507652 : out1[31] = x91;
719 8507652 : }
720 :
721 : /*
722 : * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
723 : *
724 : * Postconditions:
725 : * eval out1 mod m = bytes_eval arg1 mod m
726 : *
727 : * Input Bounds:
728 : * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
729 : */
730 3523362 : static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {
731 3523362 : uint64_t x1;
732 3523362 : uint64_t x2;
733 3523362 : uint64_t x3;
734 3523362 : uint64_t x4;
735 3523362 : uint64_t x5;
736 3523362 : uint64_t x6;
737 3523362 : uint64_t x7;
738 3523362 : uint64_t x8;
739 3523362 : uint64_t x9;
740 3523362 : uint64_t x10;
741 3523362 : uint64_t x11;
742 3523362 : uint64_t x12;
743 3523362 : uint64_t x13;
744 3523362 : uint64_t x14;
745 3523362 : uint64_t x15;
746 3523362 : uint64_t x16;
747 3523362 : uint64_t x17;
748 3523362 : uint64_t x18;
749 3523362 : uint64_t x19;
750 3523362 : uint64_t x20;
751 3523362 : uint64_t x21;
752 3523362 : uint64_t x22;
753 3523362 : uint64_t x23;
754 3523362 : uint64_t x24;
755 3523362 : uint64_t x25;
756 3523362 : uint64_t x26;
757 3523362 : uint64_t x27;
758 3523362 : uint64_t x28;
759 3523362 : uint64_t x29;
760 3523362 : uint64_t x30;
761 3523362 : uint64_t x31;
762 3523362 : uint8_t x32;
763 3523362 : uint64_t x33;
764 3523362 : uint64_t x34;
765 3523362 : uint64_t x35;
766 3523362 : uint64_t x36;
767 3523362 : uint64_t x37;
768 3523362 : uint64_t x38;
769 3523362 : uint64_t x39;
770 3523362 : uint8_t x40;
771 3523362 : uint64_t x41;
772 3523362 : uint64_t x42;
773 3523362 : uint64_t x43;
774 3523362 : uint64_t x44;
775 3523362 : uint64_t x45;
776 3523362 : uint64_t x46;
777 3523362 : uint64_t x47;
778 3523362 : uint8_t x48;
779 3523362 : uint64_t x49;
780 3523362 : uint64_t x50;
781 3523362 : uint64_t x51;
782 3523362 : uint64_t x52;
783 3523362 : uint64_t x53;
784 3523362 : uint64_t x54;
785 3523362 : uint64_t x55;
786 3523362 : uint64_t x56;
787 3523362 : uint8_t x57;
788 3523362 : uint64_t x58;
789 3523362 : uint64_t x59;
790 3523362 : uint64_t x60;
791 3523362 : uint64_t x61;
792 3523362 : uint64_t x62;
793 3523362 : uint64_t x63;
794 3523362 : uint64_t x64;
795 3523362 : uint8_t x65;
796 3523362 : uint64_t x66;
797 3523362 : uint64_t x67;
798 3523362 : uint64_t x68;
799 3523362 : uint64_t x69;
800 3523362 : uint64_t x70;
801 3523362 : uint64_t x71;
802 3523362 : x1 = ((uint64_t)(arg1[31] & 0x7F) << 44);
803 3523362 : x2 = ((uint64_t)(arg1[30]) << 36);
804 3523362 : x3 = ((uint64_t)(arg1[29]) << 28);
805 3523362 : x4 = ((uint64_t)(arg1[28]) << 20);
806 3523362 : x5 = ((uint64_t)(arg1[27]) << 12);
807 3523362 : x6 = ((uint64_t)(arg1[26]) << 4);
808 3523362 : x7 = ((uint64_t)(arg1[25]) << 47);
809 3523362 : x8 = ((uint64_t)(arg1[24]) << 39);
810 3523362 : x9 = ((uint64_t)(arg1[23]) << 31);
811 3523362 : x10 = ((uint64_t)(arg1[22]) << 23);
812 3523362 : x11 = ((uint64_t)(arg1[21]) << 15);
813 3523362 : x12 = ((uint64_t)(arg1[20]) << 7);
814 3523362 : x13 = ((uint64_t)(arg1[19]) << 50);
815 3523362 : x14 = ((uint64_t)(arg1[18]) << 42);
816 3523362 : x15 = ((uint64_t)(arg1[17]) << 34);
817 3523362 : x16 = ((uint64_t)(arg1[16]) << 26);
818 3523362 : x17 = ((uint64_t)(arg1[15]) << 18);
819 3523362 : x18 = ((uint64_t)(arg1[14]) << 10);
820 3523362 : x19 = ((uint64_t)(arg1[13]) << 2);
821 3523362 : x20 = ((uint64_t)(arg1[12]) << 45);
822 3523362 : x21 = ((uint64_t)(arg1[11]) << 37);
823 3523362 : x22 = ((uint64_t)(arg1[10]) << 29);
824 3523362 : x23 = ((uint64_t)(arg1[9]) << 21);
825 3523362 : x24 = ((uint64_t)(arg1[8]) << 13);
826 3523362 : x25 = ((uint64_t)(arg1[7]) << 5);
827 3523362 : x26 = ((uint64_t)(arg1[6]) << 48);
828 3523362 : x27 = ((uint64_t)(arg1[5]) << 40);
829 3523362 : x28 = ((uint64_t)(arg1[4]) << 32);
830 3523362 : x29 = ((uint64_t)(arg1[3]) << 24);
831 3523362 : x30 = ((uint64_t)(arg1[2]) << 16);
832 3523362 : x31 = ((uint64_t)(arg1[1]) << 8);
833 3523362 : x32 = (arg1[0]);
834 3523362 : x33 = (x31 + (uint64_t)x32);
835 3523362 : x34 = (x30 + x33);
836 3523362 : x35 = (x29 + x34);
837 3523362 : x36 = (x28 + x35);
838 3523362 : x37 = (x27 + x36);
839 3523362 : x38 = (x26 + x37);
840 3523362 : x39 = (x38 & UINT64_C(0x7ffffffffffff));
841 3523362 : x40 = (uint8_t)(x38 >> 51);
842 3523362 : x41 = (x25 + (uint64_t)x40);
843 3523362 : x42 = (x24 + x41);
844 3523362 : x43 = (x23 + x42);
845 3523362 : x44 = (x22 + x43);
846 3523362 : x45 = (x21 + x44);
847 3523362 : x46 = (x20 + x45);
848 3523362 : x47 = (x46 & UINT64_C(0x7ffffffffffff));
849 3523362 : x48 = (uint8_t)(x46 >> 51);
850 3523362 : x49 = (x19 + (uint64_t)x48);
851 3523362 : x50 = (x18 + x49);
852 3523362 : x51 = (x17 + x50);
853 3523362 : x52 = (x16 + x51);
854 3523362 : x53 = (x15 + x52);
855 3523362 : x54 = (x14 + x53);
856 3523362 : x55 = (x13 + x54);
857 3523362 : x56 = (x55 & UINT64_C(0x7ffffffffffff));
858 3523362 : x57 = (uint8_t)(x55 >> 51);
859 3523362 : x58 = (x12 + (uint64_t)x57);
860 3523362 : x59 = (x11 + x58);
861 3523362 : x60 = (x10 + x59);
862 3523362 : x61 = (x9 + x60);
863 3523362 : x62 = (x8 + x61);
864 3523362 : x63 = (x7 + x62);
865 3523362 : x64 = (x63 & UINT64_C(0x7ffffffffffff));
866 3523362 : x65 = (uint8_t)(x63 >> 51);
867 3523362 : x66 = (x6 + (uint64_t)x65);
868 3523362 : x67 = (x5 + x66);
869 3523362 : x68 = (x4 + x67);
870 3523362 : x69 = (x3 + x68);
871 3523362 : x70 = (x2 + x69);
872 3523362 : x71 = (x1 + x70);
873 3523362 : out1[0] = x39;
874 3523362 : out1[1] = x47;
875 3523362 : out1[2] = x56;
876 3523362 : out1[3] = x64;
877 3523362 : out1[4] = x71;
878 3523362 : }
879 :
880 : /*
881 : * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.
882 : *
883 : * Postconditions:
884 : * out1 = arg1
885 : *
886 : */
887 0 : static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
888 0 : uint64_t x1;
889 0 : uint64_t x2;
890 0 : uint64_t x3;
891 0 : uint64_t x4;
892 0 : uint64_t x5;
893 0 : x1 = (arg1[0]);
894 0 : x2 = (arg1[1]);
895 0 : x3 = (arg1[2]);
896 0 : x4 = (arg1[3]);
897 0 : x5 = (arg1[4]);
898 0 : out1[0] = x1;
899 0 : out1[1] = x2;
900 0 : out1[2] = x3;
901 0 : out1[3] = x4;
902 0 : out1[4] = x5;
903 0 : }
904 :
905 : /*
906 : * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
907 : *
908 : * Postconditions:
909 : * eval out1 mod m = (121666 * eval arg1) mod m
910 : *
911 : */
912 33493230 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
913 33493230 : fiat_25519_uint128 x1;
914 33493230 : fiat_25519_uint128 x2;
915 33493230 : fiat_25519_uint128 x3;
916 33493230 : fiat_25519_uint128 x4;
917 33493230 : fiat_25519_uint128 x5;
918 33493230 : uint64_t x6;
919 33493230 : uint64_t x7;
920 33493230 : fiat_25519_uint128 x8;
921 33493230 : uint64_t x9;
922 33493230 : uint64_t x10;
923 33493230 : fiat_25519_uint128 x11;
924 33493230 : uint64_t x12;
925 33493230 : uint64_t x13;
926 33493230 : fiat_25519_uint128 x14;
927 33493230 : uint64_t x15;
928 33493230 : uint64_t x16;
929 33493230 : fiat_25519_uint128 x17;
930 33493230 : uint64_t x18;
931 33493230 : uint64_t x19;
932 33493230 : uint64_t x20;
933 33493230 : uint64_t x21;
934 33493230 : fiat_25519_uint1 x22;
935 33493230 : uint64_t x23;
936 33493230 : uint64_t x24;
937 33493230 : fiat_25519_uint1 x25;
938 33493230 : uint64_t x26;
939 33493230 : uint64_t x27;
940 33493230 : x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4]));
941 33493230 : x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3]));
942 33493230 : x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2]));
943 33493230 : x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1]));
944 33493230 : x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0]));
945 33493230 : x6 = (uint64_t)(x5 >> 51);
946 33493230 : x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff));
947 33493230 : x8 = (x6 + x4);
948 33493230 : x9 = (uint64_t)(x8 >> 51);
949 33493230 : x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff));
950 33493230 : x11 = (x9 + x3);
951 33493230 : x12 = (uint64_t)(x11 >> 51);
952 33493230 : x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff));
953 33493230 : x14 = (x12 + x2);
954 33493230 : x15 = (uint64_t)(x14 >> 51);
955 33493230 : x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff));
956 33493230 : x17 = (x15 + x1);
957 33493230 : x18 = (uint64_t)(x17 >> 51);
958 33493230 : x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff));
959 33493230 : x20 = (x18 * UINT8_C(0x13));
960 33493230 : x21 = (x7 + x20);
961 33493230 : x22 = (fiat_25519_uint1)(x21 >> 51);
962 33493230 : x23 = (x21 & UINT64_C(0x7ffffffffffff));
963 33493230 : x24 = (x22 + x10);
964 33493230 : x25 = (fiat_25519_uint1)(x24 >> 51);
965 33493230 : x26 = (x24 & UINT64_C(0x7ffffffffffff));
966 33493230 : x27 = (x25 + x13);
967 33493230 : out1[0] = x23;
968 33493230 : out1[1] = x26;
969 33493230 : out1[2] = x27;
970 33493230 : out1[3] = x16;
971 33493230 : out1[4] = x19;
972 33493230 : }
|
