Line data Source code
1 : /* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */
2 : /* curve description: 25519 */
3 : /* machine_wordsize = 64 (from "64") */
4 : /* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */
5 : /* n = 5 (from "(auto)") */
6 : /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
7 : /* tight_bounds_multiplier = 1 (from "") */
8 : /* */
9 : /* Computed values: */
10 : /* carry_chain = [0, 1, 2, 3, 4, 0, 1] */
11 : /* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */
12 : /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
13 : /* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */
14 :
15 : #include <stdint.h>
16 : typedef unsigned char fiat_25519_uint1;
17 : typedef signed char fiat_25519_int1;
18 : #if defined(__GNUC__) || defined(__clang__)
19 : # define FIAT_25519_FIAT_EXTENSION __extension__
20 : # define FIAT_25519_FIAT_INLINE __inline__
21 : #else
22 : # define FIAT_25519_FIAT_EXTENSION
23 : # define FIAT_25519_FIAT_INLINE
24 : #endif
25 :
26 : FIAT_25519_FIAT_EXTENSION typedef signed __int128 fiat_25519_int128;
27 : FIAT_25519_FIAT_EXTENSION typedef unsigned __int128 fiat_25519_uint128;
28 :
29 : /* The type fiat_25519_loose_field_element is a field element with loose bounds. */
30 : /* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */
31 : typedef uint64_t fiat_25519_loose_field_element[5];
32 :
33 : /* The type fiat_25519_tight_field_element is a field element with tight bounds. */
34 : /* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */
35 : typedef uint64_t fiat_25519_tight_field_element[5];
36 :
37 : #if (-1 & 3) != 3
38 : #error "This code only works on a two's complement system"
39 : #endif
40 :
41 : #if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
42 20339720272 : static __inline__ uint64_t fiat_25519_value_barrier_u64(uint64_t a) {
43 20339720272 : __asm__("" : "+r"(a) : /* no inputs */);
44 20339720272 : return a;
45 20339720272 : }
46 : #else
47 : # define fiat_25519_value_barrier_u64(x) (x)
48 : #endif
49 :
50 :
51 : /*
52 : * The function fiat_25519_addcarryx_u51 is an addition with carry.
53 : *
54 : * Postconditions:
55 : * out1 = (arg1 + arg2 + arg3) mod 2^51
56 : * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋
57 : *
58 : * Input Bounds:
59 : * arg1: [0x0 ~> 0x1]
60 : * arg2: [0x0 ~> 0x7ffffffffffff]
61 : * arg3: [0x0 ~> 0x7ffffffffffff]
62 : * Output Bounds:
63 : * out1: [0x0 ~> 0x7ffffffffffff]
64 : * out2: [0x0 ~> 0x1]
65 : */
66 43027380 : static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
67 43027380 : uint64_t x1;
68 43027380 : uint64_t x2;
69 43027380 : fiat_25519_uint1 x3;
70 43027380 : x1 = ((arg1 + arg2) + arg3);
71 43027380 : x2 = (x1 & UINT64_C(0x7ffffffffffff));
72 43027380 : x3 = (fiat_25519_uint1)(x1 >> 51);
73 43027380 : *out1 = x2;
74 43027380 : *out2 = x3;
75 43027380 : }
76 :
77 : /*
78 : * The function fiat_25519_subborrowx_u51 is a subtraction with borrow.
79 : *
80 : * Postconditions:
81 : * out1 = (-arg1 + arg2 + -arg3) mod 2^51
82 : * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋
83 : *
84 : * Input Bounds:
85 : * arg1: [0x0 ~> 0x1]
86 : * arg2: [0x0 ~> 0x7ffffffffffff]
87 : * arg3: [0x0 ~> 0x7ffffffffffff]
88 : * Output Bounds:
89 : * out1: [0x0 ~> 0x7ffffffffffff]
90 : * out2: [0x0 ~> 0x1]
91 : */
92 43027380 : static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
93 43027380 : int64_t x1;
94 43027380 : fiat_25519_int1 x2;
95 43027380 : uint64_t x3;
96 43027380 : x1 = ((int64_t)((int64_t)arg2 - (int64_t)arg1) - (int64_t)arg3);
97 43027380 : x2 = (fiat_25519_int1)(x1 >> 51);
98 43027380 : x3 = ((uint64_t)x1 & UINT64_C(0x7ffffffffffff));
99 43027380 : *out1 = x3;
100 43027380 : *out2 = (fiat_25519_uint1)(0x0 - x2);
101 43027380 : }
102 :
103 : /*
104 : * The function fiat_25519_cmovznz_u64 is a single-word conditional move.
105 : *
106 : * Postconditions:
107 : * out1 = (if arg1 = 0 then arg2 else arg3)
108 : *
109 : * Input Bounds:
110 : * arg1: [0x0 ~> 0x1]
111 : * arg2: [0x0 ~> 0xffffffffffffffff]
112 : * arg3: [0x0 ~> 0xffffffffffffffff]
113 : * Output Bounds:
114 : * out1: [0x0 ~> 0xffffffffffffffff]
115 : */
116 10169860136 : static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {
117 10169860136 : fiat_25519_uint1 x1;
118 10169860136 : uint64_t x2;
119 10169860136 : uint64_t x3;
120 10169860136 : x1 = (!(!arg1));
121 10169860136 : x2 = ((uint64_t)(fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));
122 10169860136 : x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2));
123 10169860136 : *out1 = x3;
124 10169860136 : }
125 :
126 : /*
127 : * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
128 : *
129 : * Postconditions:
130 : * eval out1 mod m = (eval arg1 * eval arg2) mod m
131 : *
132 : */
133 1571732784 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {
134 1571732784 : fiat_25519_uint128 x1;
135 1571732784 : fiat_25519_uint128 x2;
136 1571732784 : fiat_25519_uint128 x3;
137 1571732784 : fiat_25519_uint128 x4;
138 1571732784 : fiat_25519_uint128 x5;
139 1571732784 : fiat_25519_uint128 x6;
140 1571732784 : fiat_25519_uint128 x7;
141 1571732784 : fiat_25519_uint128 x8;
142 1571732784 : fiat_25519_uint128 x9;
143 1571732784 : fiat_25519_uint128 x10;
144 1571732784 : fiat_25519_uint128 x11;
145 1571732784 : fiat_25519_uint128 x12;
146 1571732784 : fiat_25519_uint128 x13;
147 1571732784 : fiat_25519_uint128 x14;
148 1571732784 : fiat_25519_uint128 x15;
149 1571732784 : fiat_25519_uint128 x16;
150 1571732784 : fiat_25519_uint128 x17;
151 1571732784 : fiat_25519_uint128 x18;
152 1571732784 : fiat_25519_uint128 x19;
153 1571732784 : fiat_25519_uint128 x20;
154 1571732784 : fiat_25519_uint128 x21;
155 1571732784 : fiat_25519_uint128 x22;
156 1571732784 : fiat_25519_uint128 x23;
157 1571732784 : fiat_25519_uint128 x24;
158 1571732784 : fiat_25519_uint128 x25;
159 1571732784 : fiat_25519_uint128 x26;
160 1571732784 : uint64_t x27;
161 1571732784 : uint64_t x28;
162 1571732784 : fiat_25519_uint128 x29;
163 1571732784 : fiat_25519_uint128 x30;
164 1571732784 : fiat_25519_uint128 x31;
165 1571732784 : fiat_25519_uint128 x32;
166 1571732784 : fiat_25519_uint128 x33;
167 1571732784 : uint64_t x34;
168 1571732784 : uint64_t x35;
169 1571732784 : fiat_25519_uint128 x36;
170 1571732784 : uint64_t x37;
171 1571732784 : uint64_t x38;
172 1571732784 : fiat_25519_uint128 x39;
173 1571732784 : uint64_t x40;
174 1571732784 : uint64_t x41;
175 1571732784 : fiat_25519_uint128 x42;
176 1571732784 : uint64_t x43;
177 1571732784 : uint64_t x44;
178 1571732784 : uint64_t x45;
179 1571732784 : uint64_t x46;
180 1571732784 : uint64_t x47;
181 1571732784 : uint64_t x48;
182 1571732784 : uint64_t x49;
183 1571732784 : fiat_25519_uint1 x50;
184 1571732784 : uint64_t x51;
185 1571732784 : uint64_t x52;
186 1571732784 : x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13)));
187 1571732784 : x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13)));
188 1571732784 : x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13)));
189 1571732784 : x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13)));
190 1571732784 : x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13)));
191 1571732784 : x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13)));
192 1571732784 : x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13)));
193 1571732784 : x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13)));
194 1571732784 : x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13)));
195 1571732784 : x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) * UINT8_C(0x13)));
196 1571732784 : x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0]));
197 1571732784 : x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1]));
198 1571732784 : x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0]));
199 1571732784 : x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2]));
200 1571732784 : x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1]));
201 1571732784 : x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0]));
202 1571732784 : x17 = ((fiat_25519_uint128)(arg1[1]) * (arg2[3]));
203 1571732784 : x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2]));
204 1571732784 : x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1]));
205 1571732784 : x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0]));
206 1571732784 : x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4]));
207 1571732784 : x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3]));
208 1571732784 : x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2]));
209 1571732784 : x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1]));
210 1571732784 : x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0]));
211 1571732784 : x26 = (x25 + (x10 + (x9 + (x7 + x4))));
212 1571732784 : x27 = (uint64_t)(x26 >> 51);
213 1571732784 : x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff));
214 1571732784 : x29 = (x21 + (x17 + (x14 + (x12 + x11))));
215 1571732784 : x30 = (x22 + (x18 + (x15 + (x13 + x1))));
216 1571732784 : x31 = (x23 + (x19 + (x16 + (x5 + x2))));
217 1571732784 : x32 = (x24 + (x20 + (x8 + (x6 + x3))));
218 1571732784 : x33 = (x27 + x32);
219 1571732784 : x34 = (uint64_t)(x33 >> 51);
220 1571732784 : x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff));
221 1571732784 : x36 = (x34 + x31);
222 1571732784 : x37 = (uint64_t)(x36 >> 51);
223 1571732784 : x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff));
224 1571732784 : x39 = (x37 + x30);
225 1571732784 : x40 = (uint64_t)(x39 >> 51);
226 1571732784 : x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff));
227 1571732784 : x42 = (x40 + x29);
228 1571732784 : x43 = (uint64_t)(x42 >> 51);
229 1571732784 : x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff));
230 1571732784 : x45 = (x43 * UINT8_C(0x13));
231 1571732784 : x46 = (x28 + x45);
232 1571732784 : x47 = (x46 >> 51);
233 1571732784 : x48 = (x46 & UINT64_C(0x7ffffffffffff));
234 1571732784 : x49 = (x47 + x35);
235 1571732784 : x50 = (fiat_25519_uint1)(x49 >> 51);
236 1571732784 : x51 = (x49 & UINT64_C(0x7ffffffffffff));
237 1571732784 : x52 = (x50 + x38);
238 1571732784 : out1[0] = x48;
239 1571732784 : out1[1] = x51;
240 1571732784 : out1[2] = x52;
241 1571732784 : out1[3] = x41;
242 1571732784 : out1[4] = x44;
243 1571732784 : }
244 :
245 : /*
246 : * The function fiat_25519_carry_square squares a field element and reduces the result.
247 : *
248 : * Postconditions:
249 : * eval out1 mod m = (eval arg1 * eval arg1) mod m
250 : *
251 : */
252 1494659838 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
253 1494659838 : uint64_t x1;
254 1494659838 : uint64_t x2;
255 1494659838 : uint64_t x3;
256 1494659838 : uint64_t x4;
257 1494659838 : uint64_t x5;
258 1494659838 : uint64_t x6;
259 1494659838 : uint64_t x7;
260 1494659838 : uint64_t x8;
261 1494659838 : fiat_25519_uint128 x9;
262 1494659838 : fiat_25519_uint128 x10;
263 1494659838 : fiat_25519_uint128 x11;
264 1494659838 : fiat_25519_uint128 x12;
265 1494659838 : fiat_25519_uint128 x13;
266 1494659838 : fiat_25519_uint128 x14;
267 1494659838 : fiat_25519_uint128 x15;
268 1494659838 : fiat_25519_uint128 x16;
269 1494659838 : fiat_25519_uint128 x17;
270 1494659838 : fiat_25519_uint128 x18;
271 1494659838 : fiat_25519_uint128 x19;
272 1494659838 : fiat_25519_uint128 x20;
273 1494659838 : fiat_25519_uint128 x21;
274 1494659838 : fiat_25519_uint128 x22;
275 1494659838 : fiat_25519_uint128 x23;
276 1494659838 : fiat_25519_uint128 x24;
277 1494659838 : uint64_t x25;
278 1494659838 : uint64_t x26;
279 1494659838 : fiat_25519_uint128 x27;
280 1494659838 : fiat_25519_uint128 x28;
281 1494659838 : fiat_25519_uint128 x29;
282 1494659838 : fiat_25519_uint128 x30;
283 1494659838 : fiat_25519_uint128 x31;
284 1494659838 : uint64_t x32;
285 1494659838 : uint64_t x33;
286 1494659838 : fiat_25519_uint128 x34;
287 1494659838 : uint64_t x35;
288 1494659838 : uint64_t x36;
289 1494659838 : fiat_25519_uint128 x37;
290 1494659838 : uint64_t x38;
291 1494659838 : uint64_t x39;
292 1494659838 : fiat_25519_uint128 x40;
293 1494659838 : uint64_t x41;
294 1494659838 : uint64_t x42;
295 1494659838 : uint64_t x43;
296 1494659838 : uint64_t x44;
297 1494659838 : uint64_t x45;
298 1494659838 : uint64_t x46;
299 1494659838 : uint64_t x47;
300 1494659838 : fiat_25519_uint1 x48;
301 1494659838 : uint64_t x49;
302 1494659838 : uint64_t x50;
303 1494659838 : x1 = ((arg1[4]) * UINT8_C(0x13));
304 1494659838 : x2 = (x1 * 0x2);
305 1494659838 : x3 = ((arg1[4]) * 0x2);
306 1494659838 : x4 = ((arg1[3]) * UINT8_C(0x13));
307 1494659838 : x5 = (x4 * 0x2);
308 1494659838 : x6 = ((arg1[3]) * 0x2);
309 1494659838 : x7 = ((arg1[2]) * 0x2);
310 1494659838 : x8 = ((arg1[1]) * 0x2);
311 1494659838 : x9 = ((fiat_25519_uint128)(arg1[4]) * x1);
312 1494659838 : x10 = ((fiat_25519_uint128)(arg1[3]) * x2);
313 1494659838 : x11 = ((fiat_25519_uint128)(arg1[3]) * x4);
314 1494659838 : x12 = ((fiat_25519_uint128)(arg1[2]) * x2);
315 1494659838 : x13 = ((fiat_25519_uint128)(arg1[2]) * x5);
316 1494659838 : x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2]));
317 1494659838 : x15 = ((fiat_25519_uint128)(arg1[1]) * x2);
318 1494659838 : x16 = ((fiat_25519_uint128)(arg1[1]) * x6);
319 1494659838 : x17 = ((fiat_25519_uint128)(arg1[1]) * x7);
320 1494659838 : x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1]));
321 1494659838 : x19 = ((fiat_25519_uint128)(arg1[0]) * x3);
322 1494659838 : x20 = ((fiat_25519_uint128)(arg1[0]) * x6);
323 1494659838 : x21 = ((fiat_25519_uint128)(arg1[0]) * x7);
324 1494659838 : x22 = ((fiat_25519_uint128)(arg1[0]) * x8);
325 1494659838 : x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0]));
326 1494659838 : x24 = (x23 + (x15 + x13));
327 1494659838 : x25 = (uint64_t)(x24 >> 51);
328 1494659838 : x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff));
329 1494659838 : x27 = (x19 + (x16 + x14));
330 1494659838 : x28 = (x20 + (x17 + x9));
331 1494659838 : x29 = (x21 + (x18 + x10));
332 1494659838 : x30 = (x22 + (x12 + x11));
333 1494659838 : x31 = (x25 + x30);
334 1494659838 : x32 = (uint64_t)(x31 >> 51);
335 1494659838 : x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff));
336 1494659838 : x34 = (x32 + x29);
337 1494659838 : x35 = (uint64_t)(x34 >> 51);
338 1494659838 : x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff));
339 1494659838 : x37 = (x35 + x28);
340 1494659838 : x38 = (uint64_t)(x37 >> 51);
341 1494659838 : x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff));
342 1494659838 : x40 = (x38 + x27);
343 1494659838 : x41 = (uint64_t)(x40 >> 51);
344 1494659838 : x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff));
345 1494659838 : x43 = (x41 * UINT8_C(0x13));
346 1494659838 : x44 = (x26 + x43);
347 1494659838 : x45 = (x44 >> 51);
348 1494659838 : x46 = (x44 & UINT64_C(0x7ffffffffffff));
349 1494659838 : x47 = (x45 + x33);
350 1494659838 : x48 = (fiat_25519_uint1)(x47 >> 51);
351 1494659838 : x49 = (x47 & UINT64_C(0x7ffffffffffff));
352 1494659838 : x50 = (x48 + x36);
353 1494659838 : out1[0] = x46;
354 1494659838 : out1[1] = x49;
355 1494659838 : out1[2] = x50;
356 1494659838 : out1[3] = x39;
357 1494659838 : out1[4] = x42;
358 1494659838 : }
359 :
360 : /*
361 : * The function fiat_25519_carry reduces a field element.
362 : *
363 : * Postconditions:
364 : * eval out1 mod m = eval arg1 mod m
365 : *
366 : */
367 530664210 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
368 530664210 : uint64_t x1;
369 530664210 : uint64_t x2;
370 530664210 : uint64_t x3;
371 530664210 : uint64_t x4;
372 530664210 : uint64_t x5;
373 530664210 : uint64_t x6;
374 530664210 : uint64_t x7;
375 530664210 : uint64_t x8;
376 530664210 : uint64_t x9;
377 530664210 : uint64_t x10;
378 530664210 : uint64_t x11;
379 530664210 : uint64_t x12;
380 530664210 : x1 = (arg1[0]);
381 530664210 : x2 = ((x1 >> 51) + (arg1[1]));
382 530664210 : x3 = ((x2 >> 51) + (arg1[2]));
383 530664210 : x4 = ((x3 >> 51) + (arg1[3]));
384 530664210 : x5 = ((x4 >> 51) + (arg1[4]));
385 530664210 : x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13)));
386 530664210 : x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff)));
387 530664210 : x8 = (x6 & UINT64_C(0x7ffffffffffff));
388 530664210 : x9 = (x7 & UINT64_C(0x7ffffffffffff));
389 530664210 : x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff)));
390 530664210 : x11 = (x4 & UINT64_C(0x7ffffffffffff));
391 530664210 : x12 = (x5 & UINT64_C(0x7ffffffffffff));
392 530664210 : out1[0] = x8;
393 530664210 : out1[1] = x9;
394 530664210 : out1[2] = x10;
395 530664210 : out1[3] = x11;
396 530664210 : out1[4] = x12;
397 530664210 : }
398 :
399 : /*
400 : * The function fiat_25519_add adds two field elements.
401 : *
402 : * Postconditions:
403 : * eval out1 mod m = (eval arg1 + eval arg2) mod m
404 : *
405 : */
406 1211489764 : static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
407 1211489764 : uint64_t x1;
408 1211489764 : uint64_t x2;
409 1211489764 : uint64_t x3;
410 1211489764 : uint64_t x4;
411 1211489764 : uint64_t x5;
412 1211489764 : x1 = ((arg1[0]) + (arg2[0]));
413 1211489764 : x2 = ((arg1[1]) + (arg2[1]));
414 1211489764 : x3 = ((arg1[2]) + (arg2[2]));
415 1211489764 : x4 = ((arg1[3]) + (arg2[3]));
416 1211489764 : x5 = ((arg1[4]) + (arg2[4]));
417 1211489764 : out1[0] = x1;
418 1211489764 : out1[1] = x2;
419 1211489764 : out1[2] = x3;
420 1211489764 : out1[3] = x4;
421 1211489764 : out1[4] = x5;
422 1211489764 : }
423 :
424 : /*
425 : * The function fiat_25519_sub subtracts two field elements.
426 : *
427 : * Postconditions:
428 : * eval out1 mod m = (eval arg1 - eval arg2) mod m
429 : *
430 : */
431 812928087 : static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
432 812928087 : uint64_t x1;
433 812928087 : uint64_t x2;
434 812928087 : uint64_t x3;
435 812928087 : uint64_t x4;
436 812928087 : uint64_t x5;
437 812928087 : x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0]));
438 812928087 : x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1]));
439 812928087 : x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2]));
440 812928087 : x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3]));
441 812928087 : x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4]));
442 812928087 : out1[0] = x1;
443 812928087 : out1[1] = x2;
444 812928087 : out1[2] = x3;
445 812928087 : out1[3] = x4;
446 812928087 : out1[4] = x5;
447 812928087 : }
448 :
449 : /*
450 : * The function fiat_25519_opp negates a field element.
451 : *
452 : * Postconditions:
453 : * eval out1 mod m = -eval arg1 mod m
454 : *
455 : */
456 81034392 : static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
457 81034392 : uint64_t x1;
458 81034392 : uint64_t x2;
459 81034392 : uint64_t x3;
460 81034392 : uint64_t x4;
461 81034392 : uint64_t x5;
462 81034392 : x1 = (UINT64_C(0xfffffffffffda) - (arg1[0]));
463 81034392 : x2 = (UINT64_C(0xffffffffffffe) - (arg1[1]));
464 81034392 : x3 = (UINT64_C(0xffffffffffffe) - (arg1[2]));
465 81034392 : x4 = (UINT64_C(0xffffffffffffe) - (arg1[3]));
466 81034392 : x5 = (UINT64_C(0xffffffffffffe) - (arg1[4]));
467 81034392 : out1[0] = x1;
468 81034392 : out1[1] = x2;
469 81034392 : out1[2] = x3;
470 81034392 : out1[3] = x4;
471 81034392 : out1[4] = x5;
472 81034392 : }
473 :
474 : /*
475 : * The function fiat_25519_selectznz is a multi-limb conditional select.
476 : *
477 : * Postconditions:
478 : * out1 = (if arg1 = 0 then arg2 else arg3)
479 : *
480 : * Input Bounds:
481 : * arg1: [0x0 ~> 0x1]
482 : * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
483 : * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
484 : * Output Bounds:
485 : * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
486 : */
487 2032250932 : static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) {
488 2032250932 : uint64_t x1;
489 2032250932 : uint64_t x2;
490 2032250932 : uint64_t x3;
491 2032250932 : uint64_t x4;
492 2032250932 : uint64_t x5;
493 2032250932 : fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));
494 2032250932 : fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));
495 2032250932 : fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));
496 2032250932 : fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));
497 2032250932 : fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4]));
498 2032250932 : out1[0] = x1;
499 2032250932 : out1[1] = x2;
500 2032250932 : out1[2] = x3;
501 2032250932 : out1[3] = x4;
502 2032250932 : out1[4] = x5;
503 2032250932 : }
504 :
505 : /*
506 : * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
507 : *
508 : * Postconditions:
509 : * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
510 : *
511 : * Output Bounds:
512 : * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
513 : */
514 8605476 : static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {
515 8605476 : uint64_t x1;
516 8605476 : fiat_25519_uint1 x2;
517 8605476 : uint64_t x3;
518 8605476 : fiat_25519_uint1 x4;
519 8605476 : uint64_t x5;
520 8605476 : fiat_25519_uint1 x6;
521 8605476 : uint64_t x7;
522 8605476 : fiat_25519_uint1 x8;
523 8605476 : uint64_t x9;
524 8605476 : fiat_25519_uint1 x10;
525 8605476 : uint64_t x11;
526 8605476 : uint64_t x12;
527 8605476 : fiat_25519_uint1 x13;
528 8605476 : uint64_t x14;
529 8605476 : fiat_25519_uint1 x15;
530 8605476 : uint64_t x16;
531 8605476 : fiat_25519_uint1 x17;
532 8605476 : uint64_t x18;
533 8605476 : fiat_25519_uint1 x19;
534 8605476 : uint64_t x20;
535 8605476 : fiat_25519_uint1 x21;
536 8605476 : uint64_t x22;
537 8605476 : uint64_t x23;
538 8605476 : uint64_t x24;
539 8605476 : uint64_t x25;
540 8605476 : uint8_t x26;
541 8605476 : uint64_t x27;
542 8605476 : uint8_t x28;
543 8605476 : uint64_t x29;
544 8605476 : uint8_t x30;
545 8605476 : uint64_t x31;
546 8605476 : uint8_t x32;
547 8605476 : uint64_t x33;
548 8605476 : uint8_t x34;
549 8605476 : uint64_t x35;
550 8605476 : uint8_t x36;
551 8605476 : uint8_t x37;
552 8605476 : uint64_t x38;
553 8605476 : uint8_t x39;
554 8605476 : uint64_t x40;
555 8605476 : uint8_t x41;
556 8605476 : uint64_t x42;
557 8605476 : uint8_t x43;
558 8605476 : uint64_t x44;
559 8605476 : uint8_t x45;
560 8605476 : uint64_t x46;
561 8605476 : uint8_t x47;
562 8605476 : uint64_t x48;
563 8605476 : uint8_t x49;
564 8605476 : uint8_t x50;
565 8605476 : uint64_t x51;
566 8605476 : uint8_t x52;
567 8605476 : uint64_t x53;
568 8605476 : uint8_t x54;
569 8605476 : uint64_t x55;
570 8605476 : uint8_t x56;
571 8605476 : uint64_t x57;
572 8605476 : uint8_t x58;
573 8605476 : uint64_t x59;
574 8605476 : uint8_t x60;
575 8605476 : uint64_t x61;
576 8605476 : uint8_t x62;
577 8605476 : uint64_t x63;
578 8605476 : uint8_t x64;
579 8605476 : fiat_25519_uint1 x65;
580 8605476 : uint64_t x66;
581 8605476 : uint8_t x67;
582 8605476 : uint64_t x68;
583 8605476 : uint8_t x69;
584 8605476 : uint64_t x70;
585 8605476 : uint8_t x71;
586 8605476 : uint64_t x72;
587 8605476 : uint8_t x73;
588 8605476 : uint64_t x74;
589 8605476 : uint8_t x75;
590 8605476 : uint64_t x76;
591 8605476 : uint8_t x77;
592 8605476 : uint8_t x78;
593 8605476 : uint64_t x79;
594 8605476 : uint8_t x80;
595 8605476 : uint64_t x81;
596 8605476 : uint8_t x82;
597 8605476 : uint64_t x83;
598 8605476 : uint8_t x84;
599 8605476 : uint64_t x85;
600 8605476 : uint8_t x86;
601 8605476 : uint64_t x87;
602 8605476 : uint8_t x88;
603 8605476 : uint64_t x89;
604 8605476 : uint8_t x90;
605 8605476 : uint8_t x91;
606 8605476 : fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed));
607 8605476 : fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff));
608 8605476 : fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff));
609 8605476 : fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff));
610 8605476 : fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff));
611 8605476 : fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff));
612 8605476 : fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed)));
613 8605476 : fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff)));
614 8605476 : fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff)));
615 8605476 : fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff)));
616 8605476 : fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff)));
617 8605476 : x22 = (x20 << 4);
618 8605476 : x23 = (x18 * (uint64_t)0x2);
619 8605476 : x24 = (x16 << 6);
620 8605476 : x25 = (x14 << 3);
621 8605476 : x26 = (uint8_t)(x12 & UINT8_C(0xff));
622 8605476 : x27 = (x12 >> 8);
623 8605476 : x28 = (uint8_t)(x27 & UINT8_C(0xff));
624 8605476 : x29 = (x27 >> 8);
625 8605476 : x30 = (uint8_t)(x29 & UINT8_C(0xff));
626 8605476 : x31 = (x29 >> 8);
627 8605476 : x32 = (uint8_t)(x31 & UINT8_C(0xff));
628 8605476 : x33 = (x31 >> 8);
629 8605476 : x34 = (uint8_t)(x33 & UINT8_C(0xff));
630 8605476 : x35 = (x33 >> 8);
631 8605476 : x36 = (uint8_t)(x35 & UINT8_C(0xff));
632 8605476 : x37 = (uint8_t)(x35 >> 8);
633 8605476 : x38 = (x25 + (uint64_t)x37);
634 8605476 : x39 = (uint8_t)(x38 & UINT8_C(0xff));
635 8605476 : x40 = (x38 >> 8);
636 8605476 : x41 = (uint8_t)(x40 & UINT8_C(0xff));
637 8605476 : x42 = (x40 >> 8);
638 8605476 : x43 = (uint8_t)(x42 & UINT8_C(0xff));
639 8605476 : x44 = (x42 >> 8);
640 8605476 : x45 = (uint8_t)(x44 & UINT8_C(0xff));
641 8605476 : x46 = (x44 >> 8);
642 8605476 : x47 = (uint8_t)(x46 & UINT8_C(0xff));
643 8605476 : x48 = (x46 >> 8);
644 8605476 : x49 = (uint8_t)(x48 & UINT8_C(0xff));
645 8605476 : x50 = (uint8_t)(x48 >> 8);
646 8605476 : x51 = (x24 + (uint64_t)x50);
647 8605476 : x52 = (uint8_t)(x51 & UINT8_C(0xff));
648 8605476 : x53 = (x51 >> 8);
649 8605476 : x54 = (uint8_t)(x53 & UINT8_C(0xff));
650 8605476 : x55 = (x53 >> 8);
651 8605476 : x56 = (uint8_t)(x55 & UINT8_C(0xff));
652 8605476 : x57 = (x55 >> 8);
653 8605476 : x58 = (uint8_t)(x57 & UINT8_C(0xff));
654 8605476 : x59 = (x57 >> 8);
655 8605476 : x60 = (uint8_t)(x59 & UINT8_C(0xff));
656 8605476 : x61 = (x59 >> 8);
657 8605476 : x62 = (uint8_t)(x61 & UINT8_C(0xff));
658 8605476 : x63 = (x61 >> 8);
659 8605476 : x64 = (uint8_t)(x63 & UINT8_C(0xff));
660 8605476 : x65 = (fiat_25519_uint1)(x63 >> 8);
661 8605476 : x66 = (x23 + (uint64_t)x65);
662 8605476 : x67 = (uint8_t)(x66 & UINT8_C(0xff));
663 8605476 : x68 = (x66 >> 8);
664 8605476 : x69 = (uint8_t)(x68 & UINT8_C(0xff));
665 8605476 : x70 = (x68 >> 8);
666 8605476 : x71 = (uint8_t)(x70 & UINT8_C(0xff));
667 8605476 : x72 = (x70 >> 8);
668 8605476 : x73 = (uint8_t)(x72 & UINT8_C(0xff));
669 8605476 : x74 = (x72 >> 8);
670 8605476 : x75 = (uint8_t)(x74 & UINT8_C(0xff));
671 8605476 : x76 = (x74 >> 8);
672 8605476 : x77 = (uint8_t)(x76 & UINT8_C(0xff));
673 8605476 : x78 = (uint8_t)(x76 >> 8);
674 8605476 : x79 = (x22 + (uint64_t)x78);
675 8605476 : x80 = (uint8_t)(x79 & UINT8_C(0xff));
676 8605476 : x81 = (x79 >> 8);
677 8605476 : x82 = (uint8_t)(x81 & UINT8_C(0xff));
678 8605476 : x83 = (x81 >> 8);
679 8605476 : x84 = (uint8_t)(x83 & UINT8_C(0xff));
680 8605476 : x85 = (x83 >> 8);
681 8605476 : x86 = (uint8_t)(x85 & UINT8_C(0xff));
682 8605476 : x87 = (x85 >> 8);
683 8605476 : x88 = (uint8_t)(x87 & UINT8_C(0xff));
684 8605476 : x89 = (x87 >> 8);
685 8605476 : x90 = (uint8_t)(x89 & UINT8_C(0xff));
686 8605476 : x91 = (uint8_t)(x89 >> 8);
687 8605476 : out1[0] = x26;
688 8605476 : out1[1] = x28;
689 8605476 : out1[2] = x30;
690 8605476 : out1[3] = x32;
691 8605476 : out1[4] = x34;
692 8605476 : out1[5] = x36;
693 8605476 : out1[6] = x39;
694 8605476 : out1[7] = x41;
695 8605476 : out1[8] = x43;
696 8605476 : out1[9] = x45;
697 8605476 : out1[10] = x47;
698 8605476 : out1[11] = x49;
699 8605476 : out1[12] = x52;
700 8605476 : out1[13] = x54;
701 8605476 : out1[14] = x56;
702 8605476 : out1[15] = x58;
703 8605476 : out1[16] = x60;
704 8605476 : out1[17] = x62;
705 8605476 : out1[18] = x64;
706 8605476 : out1[19] = x67;
707 8605476 : out1[20] = x69;
708 8605476 : out1[21] = x71;
709 8605476 : out1[22] = x73;
710 8605476 : out1[23] = x75;
711 8605476 : out1[24] = x77;
712 8605476 : out1[25] = x80;
713 8605476 : out1[26] = x82;
714 8605476 : out1[27] = x84;
715 8605476 : out1[28] = x86;
716 8605476 : out1[29] = x88;
717 8605476 : out1[30] = x90;
718 8605476 : out1[31] = x91;
719 8605476 : }
720 :
721 : /*
722 : * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
723 : *
724 : * Postconditions:
725 : * eval out1 mod m = bytes_eval arg1 mod m
726 : *
727 : * Input Bounds:
728 : * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
729 : */
730 3534468 : static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {
731 3534468 : uint64_t x1;
732 3534468 : uint64_t x2;
733 3534468 : uint64_t x3;
734 3534468 : uint64_t x4;
735 3534468 : uint64_t x5;
736 3534468 : uint64_t x6;
737 3534468 : uint64_t x7;
738 3534468 : uint64_t x8;
739 3534468 : uint64_t x9;
740 3534468 : uint64_t x10;
741 3534468 : uint64_t x11;
742 3534468 : uint64_t x12;
743 3534468 : uint64_t x13;
744 3534468 : uint64_t x14;
745 3534468 : uint64_t x15;
746 3534468 : uint64_t x16;
747 3534468 : uint64_t x17;
748 3534468 : uint64_t x18;
749 3534468 : uint64_t x19;
750 3534468 : uint64_t x20;
751 3534468 : uint64_t x21;
752 3534468 : uint64_t x22;
753 3534468 : uint64_t x23;
754 3534468 : uint64_t x24;
755 3534468 : uint64_t x25;
756 3534468 : uint64_t x26;
757 3534468 : uint64_t x27;
758 3534468 : uint64_t x28;
759 3534468 : uint64_t x29;
760 3534468 : uint64_t x30;
761 3534468 : uint64_t x31;
762 3534468 : uint8_t x32;
763 3534468 : uint64_t x33;
764 3534468 : uint64_t x34;
765 3534468 : uint64_t x35;
766 3534468 : uint64_t x36;
767 3534468 : uint64_t x37;
768 3534468 : uint64_t x38;
769 3534468 : uint64_t x39;
770 3534468 : uint8_t x40;
771 3534468 : uint64_t x41;
772 3534468 : uint64_t x42;
773 3534468 : uint64_t x43;
774 3534468 : uint64_t x44;
775 3534468 : uint64_t x45;
776 3534468 : uint64_t x46;
777 3534468 : uint64_t x47;
778 3534468 : uint8_t x48;
779 3534468 : uint64_t x49;
780 3534468 : uint64_t x50;
781 3534468 : uint64_t x51;
782 3534468 : uint64_t x52;
783 3534468 : uint64_t x53;
784 3534468 : uint64_t x54;
785 3534468 : uint64_t x55;
786 3534468 : uint64_t x56;
787 3534468 : uint8_t x57;
788 3534468 : uint64_t x58;
789 3534468 : uint64_t x59;
790 3534468 : uint64_t x60;
791 3534468 : uint64_t x61;
792 3534468 : uint64_t x62;
793 3534468 : uint64_t x63;
794 3534468 : uint64_t x64;
795 3534468 : uint8_t x65;
796 3534468 : uint64_t x66;
797 3534468 : uint64_t x67;
798 3534468 : uint64_t x68;
799 3534468 : uint64_t x69;
800 3534468 : uint64_t x70;
801 3534468 : uint64_t x71;
802 3534468 : x1 = ((uint64_t)(arg1[31] & 0x7F) << 44);
803 3534468 : x2 = ((uint64_t)(arg1[30]) << 36);
804 3534468 : x3 = ((uint64_t)(arg1[29]) << 28);
805 3534468 : x4 = ((uint64_t)(arg1[28]) << 20);
806 3534468 : x5 = ((uint64_t)(arg1[27]) << 12);
807 3534468 : x6 = ((uint64_t)(arg1[26]) << 4);
808 3534468 : x7 = ((uint64_t)(arg1[25]) << 47);
809 3534468 : x8 = ((uint64_t)(arg1[24]) << 39);
810 3534468 : x9 = ((uint64_t)(arg1[23]) << 31);
811 3534468 : x10 = ((uint64_t)(arg1[22]) << 23);
812 3534468 : x11 = ((uint64_t)(arg1[21]) << 15);
813 3534468 : x12 = ((uint64_t)(arg1[20]) << 7);
814 3534468 : x13 = ((uint64_t)(arg1[19]) << 50);
815 3534468 : x14 = ((uint64_t)(arg1[18]) << 42);
816 3534468 : x15 = ((uint64_t)(arg1[17]) << 34);
817 3534468 : x16 = ((uint64_t)(arg1[16]) << 26);
818 3534468 : x17 = ((uint64_t)(arg1[15]) << 18);
819 3534468 : x18 = ((uint64_t)(arg1[14]) << 10);
820 3534468 : x19 = ((uint64_t)(arg1[13]) << 2);
821 3534468 : x20 = ((uint64_t)(arg1[12]) << 45);
822 3534468 : x21 = ((uint64_t)(arg1[11]) << 37);
823 3534468 : x22 = ((uint64_t)(arg1[10]) << 29);
824 3534468 : x23 = ((uint64_t)(arg1[9]) << 21);
825 3534468 : x24 = ((uint64_t)(arg1[8]) << 13);
826 3534468 : x25 = ((uint64_t)(arg1[7]) << 5);
827 3534468 : x26 = ((uint64_t)(arg1[6]) << 48);
828 3534468 : x27 = ((uint64_t)(arg1[5]) << 40);
829 3534468 : x28 = ((uint64_t)(arg1[4]) << 32);
830 3534468 : x29 = ((uint64_t)(arg1[3]) << 24);
831 3534468 : x30 = ((uint64_t)(arg1[2]) << 16);
832 3534468 : x31 = ((uint64_t)(arg1[1]) << 8);
833 3534468 : x32 = (arg1[0]);
834 3534468 : x33 = (x31 + (uint64_t)x32);
835 3534468 : x34 = (x30 + x33);
836 3534468 : x35 = (x29 + x34);
837 3534468 : x36 = (x28 + x35);
838 3534468 : x37 = (x27 + x36);
839 3534468 : x38 = (x26 + x37);
840 3534468 : x39 = (x38 & UINT64_C(0x7ffffffffffff));
841 3534468 : x40 = (uint8_t)(x38 >> 51);
842 3534468 : x41 = (x25 + (uint64_t)x40);
843 3534468 : x42 = (x24 + x41);
844 3534468 : x43 = (x23 + x42);
845 3534468 : x44 = (x22 + x43);
846 3534468 : x45 = (x21 + x44);
847 3534468 : x46 = (x20 + x45);
848 3534468 : x47 = (x46 & UINT64_C(0x7ffffffffffff));
849 3534468 : x48 = (uint8_t)(x46 >> 51);
850 3534468 : x49 = (x19 + (uint64_t)x48);
851 3534468 : x50 = (x18 + x49);
852 3534468 : x51 = (x17 + x50);
853 3534468 : x52 = (x16 + x51);
854 3534468 : x53 = (x15 + x52);
855 3534468 : x54 = (x14 + x53);
856 3534468 : x55 = (x13 + x54);
857 3534468 : x56 = (x55 & UINT64_C(0x7ffffffffffff));
858 3534468 : x57 = (uint8_t)(x55 >> 51);
859 3534468 : x58 = (x12 + (uint64_t)x57);
860 3534468 : x59 = (x11 + x58);
861 3534468 : x60 = (x10 + x59);
862 3534468 : x61 = (x9 + x60);
863 3534468 : x62 = (x8 + x61);
864 3534468 : x63 = (x7 + x62);
865 3534468 : x64 = (x63 & UINT64_C(0x7ffffffffffff));
866 3534468 : x65 = (uint8_t)(x63 >> 51);
867 3534468 : x66 = (x6 + (uint64_t)x65);
868 3534468 : x67 = (x5 + x66);
869 3534468 : x68 = (x4 + x67);
870 3534468 : x69 = (x3 + x68);
871 3534468 : x70 = (x2 + x69);
872 3534468 : x71 = (x1 + x70);
873 3534468 : out1[0] = x39;
874 3534468 : out1[1] = x47;
875 3534468 : out1[2] = x56;
876 3534468 : out1[3] = x64;
877 3534468 : out1[4] = x71;
878 3534468 : }
879 :
880 : /*
881 : * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.
882 : *
883 : * Postconditions:
884 : * out1 = arg1
885 : *
886 : */
887 0 : static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
888 0 : uint64_t x1;
889 0 : uint64_t x2;
890 0 : uint64_t x3;
891 0 : uint64_t x4;
892 0 : uint64_t x5;
893 0 : x1 = (arg1[0]);
894 0 : x2 = (arg1[1]);
895 0 : x3 = (arg1[2]);
896 0 : x4 = (arg1[3]);
897 0 : x5 = (arg1[4]);
898 0 : out1[0] = x1;
899 0 : out1[1] = x2;
900 0 : out1[2] = x3;
901 0 : out1[3] = x4;
902 0 : out1[4] = x5;
903 0 : }
904 :
905 : /*
906 : * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
907 : *
908 : * Postconditions:
909 : * eval out1 mod m = (121666 * eval arg1) mod m
910 : *
911 : */
912 33479970 : static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
913 33479970 : fiat_25519_uint128 x1;
914 33479970 : fiat_25519_uint128 x2;
915 33479970 : fiat_25519_uint128 x3;
916 33479970 : fiat_25519_uint128 x4;
917 33479970 : fiat_25519_uint128 x5;
918 33479970 : uint64_t x6;
919 33479970 : uint64_t x7;
920 33479970 : fiat_25519_uint128 x8;
921 33479970 : uint64_t x9;
922 33479970 : uint64_t x10;
923 33479970 : fiat_25519_uint128 x11;
924 33479970 : uint64_t x12;
925 33479970 : uint64_t x13;
926 33479970 : fiat_25519_uint128 x14;
927 33479970 : uint64_t x15;
928 33479970 : uint64_t x16;
929 33479970 : fiat_25519_uint128 x17;
930 33479970 : uint64_t x18;
931 33479970 : uint64_t x19;
932 33479970 : uint64_t x20;
933 33479970 : uint64_t x21;
934 33479970 : fiat_25519_uint1 x22;
935 33479970 : uint64_t x23;
936 33479970 : uint64_t x24;
937 33479970 : fiat_25519_uint1 x25;
938 33479970 : uint64_t x26;
939 33479970 : uint64_t x27;
940 33479970 : x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4]));
941 33479970 : x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3]));
942 33479970 : x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2]));
943 33479970 : x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1]));
944 33479970 : x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0]));
945 33479970 : x6 = (uint64_t)(x5 >> 51);
946 33479970 : x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff));
947 33479970 : x8 = (x6 + x4);
948 33479970 : x9 = (uint64_t)(x8 >> 51);
949 33479970 : x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff));
950 33479970 : x11 = (x9 + x3);
951 33479970 : x12 = (uint64_t)(x11 >> 51);
952 33479970 : x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff));
953 33479970 : x14 = (x12 + x2);
954 33479970 : x15 = (uint64_t)(x14 >> 51);
955 33479970 : x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff));
956 33479970 : x17 = (x15 + x1);
957 33479970 : x18 = (uint64_t)(x17 >> 51);
958 33479970 : x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff));
959 33479970 : x20 = (x18 * UINT8_C(0x13));
960 33479970 : x21 = (x7 + x20);
961 33479970 : x22 = (fiat_25519_uint1)(x21 >> 51);
962 33479970 : x23 = (x21 & UINT64_C(0x7ffffffffffff));
963 33479970 : x24 = (x22 + x10);
964 33479970 : x25 = (fiat_25519_uint1)(x24 >> 51);
965 33479970 : x26 = (x24 & UINT64_C(0x7ffffffffffff));
966 33479970 : x27 = (x25 + x13);
967 33479970 : out1[0] = x23;
968 33479970 : out1[1] = x26;
969 33479970 : out1[2] = x27;
970 33479970 : out1[3] = x16;
971 33479970 : out1[4] = x19;
972 33479970 : }
|
