github.com/0xsequence/ethkit@v1.25.0/go-ethereum/crypto/bls12381/arithmetic_fallback.go (about)

     1  // Native go field arithmetic code is generated with 'goff'
     2  // https://github.com/ConsenSys/goff
     3  // Many function signature of field operations are renamed.
     4  
     5  // Copyright 2020 ConsenSys AG
     6  //
     7  // Licensed under the Apache License, Version 2.0 (the "License");
     8  // you may not use this file except in compliance with the License.
     9  // You may obtain a copy of the License at
    10  //
    11  //     http://www.apache.org/licenses/LICENSE-2.0
    12  //
    13  // Unless required by applicable law or agreed to in writing, software
    14  // distributed under the License is distributed on an "AS IS" BASIS,
    15  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  // See the License for the specific language governing permissions and
    17  // limitations under the License.
    18  
    19  // field modulus q =
    20  //
    21  // 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
    22  // Code generated by goff DO NOT EDIT
    23  // goff version: v0.1.0 - build: 790f1f56eac432441e043abff8819eacddd1d668
    24  // fe are assumed to be in Montgomery form in all methods
    25  
    26  // /!\ WARNING /!\
    27  // this code has not been audited and is provided as-is. In particular,
    28  // there is no security guarantees such as constant time implementation
    29  // or side-channel attack resistance
    30  // /!\ WARNING /!\
    31  
    32  // Package bls (generated by goff) contains field arithmetics operations
    33  
    34  //go:build !amd64 || (!blsasm && !blsadx)
    35  // +build !amd64 !blsasm,!blsadx
    36  
    37  package bls12381
    38  
    39  import (
    40  	"math/bits"
    41  )
    42  
    43  func add(z, x, y *fe) {
    44  	var carry uint64
    45  
    46  	z[0], carry = bits.Add64(x[0], y[0], 0)
    47  	z[1], carry = bits.Add64(x[1], y[1], carry)
    48  	z[2], carry = bits.Add64(x[2], y[2], carry)
    49  	z[3], carry = bits.Add64(x[3], y[3], carry)
    50  	z[4], carry = bits.Add64(x[4], y[4], carry)
    51  	z[5], _ = bits.Add64(x[5], y[5], carry)
    52  
    53  	// if z > q --> z -= q
    54  	// note: this is NOT constant time
    55  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
    56  		var b uint64
    57  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
    58  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
    59  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
    60  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
    61  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
    62  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
    63  	}
    64  }
    65  
    66  func addAssign(x, y *fe) {
    67  	var carry uint64
    68  
    69  	x[0], carry = bits.Add64(x[0], y[0], 0)
    70  	x[1], carry = bits.Add64(x[1], y[1], carry)
    71  	x[2], carry = bits.Add64(x[2], y[2], carry)
    72  	x[3], carry = bits.Add64(x[3], y[3], carry)
    73  	x[4], carry = bits.Add64(x[4], y[4], carry)
    74  	x[5], _ = bits.Add64(x[5], y[5], carry)
    75  
    76  	// if z > q --> z -= q
    77  	// note: this is NOT constant time
    78  	if !(x[5] < 1873798617647539866 || (x[5] == 1873798617647539866 && (x[4] < 5412103778470702295 || (x[4] == 5412103778470702295 && (x[3] < 7239337960414712511 || (x[3] == 7239337960414712511 && (x[2] < 7435674573564081700 || (x[2] == 7435674573564081700 && (x[1] < 2210141511517208575 || (x[1] == 2210141511517208575 && (x[0] < 13402431016077863595))))))))))) {
    79  		var b uint64
    80  		x[0], b = bits.Sub64(x[0], 13402431016077863595, 0)
    81  		x[1], b = bits.Sub64(x[1], 2210141511517208575, b)
    82  		x[2], b = bits.Sub64(x[2], 7435674573564081700, b)
    83  		x[3], b = bits.Sub64(x[3], 7239337960414712511, b)
    84  		x[4], b = bits.Sub64(x[4], 5412103778470702295, b)
    85  		x[5], _ = bits.Sub64(x[5], 1873798617647539866, b)
    86  	}
    87  }
    88  
    89  func ladd(z, x, y *fe) {
    90  	var carry uint64
    91  	z[0], carry = bits.Add64(x[0], y[0], 0)
    92  	z[1], carry = bits.Add64(x[1], y[1], carry)
    93  	z[2], carry = bits.Add64(x[2], y[2], carry)
    94  	z[3], carry = bits.Add64(x[3], y[3], carry)
    95  	z[4], carry = bits.Add64(x[4], y[4], carry)
    96  	z[5], _ = bits.Add64(x[5], y[5], carry)
    97  }
    98  
    99  func laddAssign(x, y *fe) {
   100  	var carry uint64
   101  	x[0], carry = bits.Add64(x[0], y[0], 0)
   102  	x[1], carry = bits.Add64(x[1], y[1], carry)
   103  	x[2], carry = bits.Add64(x[2], y[2], carry)
   104  	x[3], carry = bits.Add64(x[3], y[3], carry)
   105  	x[4], carry = bits.Add64(x[4], y[4], carry)
   106  	x[5], _ = bits.Add64(x[5], y[5], carry)
   107  }
   108  
   109  func double(z, x *fe) {
   110  	var carry uint64
   111  
   112  	z[0], carry = bits.Add64(x[0], x[0], 0)
   113  	z[1], carry = bits.Add64(x[1], x[1], carry)
   114  	z[2], carry = bits.Add64(x[2], x[2], carry)
   115  	z[3], carry = bits.Add64(x[3], x[3], carry)
   116  	z[4], carry = bits.Add64(x[4], x[4], carry)
   117  	z[5], _ = bits.Add64(x[5], x[5], carry)
   118  
   119  	// if z > q --> z -= q
   120  	// note: this is NOT constant time
   121  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   122  		var b uint64
   123  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   124  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   125  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   126  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   127  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   128  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   129  	}
   130  }
   131  
   132  func doubleAssign(z *fe) {
   133  	var carry uint64
   134  
   135  	z[0], carry = bits.Add64(z[0], z[0], 0)
   136  	z[1], carry = bits.Add64(z[1], z[1], carry)
   137  	z[2], carry = bits.Add64(z[2], z[2], carry)
   138  	z[3], carry = bits.Add64(z[3], z[3], carry)
   139  	z[4], carry = bits.Add64(z[4], z[4], carry)
   140  	z[5], _ = bits.Add64(z[5], z[5], carry)
   141  
   142  	// if z > q --> z -= q
   143  	// note: this is NOT constant time
   144  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   145  		var b uint64
   146  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   147  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   148  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   149  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   150  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   151  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   152  	}
   153  }
   154  
   155  func ldouble(z, x *fe) {
   156  	var carry uint64
   157  
   158  	z[0], carry = bits.Add64(x[0], x[0], 0)
   159  	z[1], carry = bits.Add64(x[1], x[1], carry)
   160  	z[2], carry = bits.Add64(x[2], x[2], carry)
   161  	z[3], carry = bits.Add64(x[3], x[3], carry)
   162  	z[4], carry = bits.Add64(x[4], x[4], carry)
   163  	z[5], _ = bits.Add64(x[5], x[5], carry)
   164  }
   165  
   166  func sub(z, x, y *fe) {
   167  	var b uint64
   168  	z[0], b = bits.Sub64(x[0], y[0], 0)
   169  	z[1], b = bits.Sub64(x[1], y[1], b)
   170  	z[2], b = bits.Sub64(x[2], y[2], b)
   171  	z[3], b = bits.Sub64(x[3], y[3], b)
   172  	z[4], b = bits.Sub64(x[4], y[4], b)
   173  	z[5], b = bits.Sub64(x[5], y[5], b)
   174  	if b != 0 {
   175  		var c uint64
   176  		z[0], c = bits.Add64(z[0], 13402431016077863595, 0)
   177  		z[1], c = bits.Add64(z[1], 2210141511517208575, c)
   178  		z[2], c = bits.Add64(z[2], 7435674573564081700, c)
   179  		z[3], c = bits.Add64(z[3], 7239337960414712511, c)
   180  		z[4], c = bits.Add64(z[4], 5412103778470702295, c)
   181  		z[5], _ = bits.Add64(z[5], 1873798617647539866, c)
   182  	}
   183  }
   184  
   185  func subAssign(z, x *fe) {
   186  	var b uint64
   187  	z[0], b = bits.Sub64(z[0], x[0], 0)
   188  	z[1], b = bits.Sub64(z[1], x[1], b)
   189  	z[2], b = bits.Sub64(z[2], x[2], b)
   190  	z[3], b = bits.Sub64(z[3], x[3], b)
   191  	z[4], b = bits.Sub64(z[4], x[4], b)
   192  	z[5], b = bits.Sub64(z[5], x[5], b)
   193  	if b != 0 {
   194  		var c uint64
   195  		z[0], c = bits.Add64(z[0], 13402431016077863595, 0)
   196  		z[1], c = bits.Add64(z[1], 2210141511517208575, c)
   197  		z[2], c = bits.Add64(z[2], 7435674573564081700, c)
   198  		z[3], c = bits.Add64(z[3], 7239337960414712511, c)
   199  		z[4], c = bits.Add64(z[4], 5412103778470702295, c)
   200  		z[5], _ = bits.Add64(z[5], 1873798617647539866, c)
   201  	}
   202  }
   203  
   204  func lsubAssign(z, x *fe) {
   205  	var b uint64
   206  	z[0], b = bits.Sub64(z[0], x[0], 0)
   207  	z[1], b = bits.Sub64(z[1], x[1], b)
   208  	z[2], b = bits.Sub64(z[2], x[2], b)
   209  	z[3], b = bits.Sub64(z[3], x[3], b)
   210  	z[4], b = bits.Sub64(z[4], x[4], b)
   211  	z[5], _ = bits.Sub64(z[5], x[5], b)
   212  }
   213  
   214  func neg(z *fe, x *fe) {
   215  	if x.isZero() {
   216  		z.zero()
   217  		return
   218  	}
   219  	var borrow uint64
   220  	z[0], borrow = bits.Sub64(13402431016077863595, x[0], 0)
   221  	z[1], borrow = bits.Sub64(2210141511517208575, x[1], borrow)
   222  	z[2], borrow = bits.Sub64(7435674573564081700, x[2], borrow)
   223  	z[3], borrow = bits.Sub64(7239337960414712511, x[3], borrow)
   224  	z[4], borrow = bits.Sub64(5412103778470702295, x[4], borrow)
   225  	z[5], _ = bits.Sub64(1873798617647539866, x[5], borrow)
   226  }
   227  
   228  func mul(z, x, y *fe) {
   229  	var t [6]uint64
   230  	var c [3]uint64
   231  	{
   232  		// round 0
   233  		v := x[0]
   234  		c[1], c[0] = bits.Mul64(v, y[0])
   235  		m := c[0] * 9940570264628428797
   236  		c[2] = madd0(m, 13402431016077863595, c[0])
   237  		c[1], c[0] = madd1(v, y[1], c[1])
   238  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   239  		c[1], c[0] = madd1(v, y[2], c[1])
   240  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   241  		c[1], c[0] = madd1(v, y[3], c[1])
   242  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   243  		c[1], c[0] = madd1(v, y[4], c[1])
   244  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   245  		c[1], c[0] = madd1(v, y[5], c[1])
   246  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   247  	}
   248  	{
   249  		// round 1
   250  		v := x[1]
   251  		c[1], c[0] = madd1(v, y[0], t[0])
   252  		m := c[0] * 9940570264628428797
   253  		c[2] = madd0(m, 13402431016077863595, c[0])
   254  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   255  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   256  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   257  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   258  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   259  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   260  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   261  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   262  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   263  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   264  	}
   265  	{
   266  		// round 2
   267  		v := x[2]
   268  		c[1], c[0] = madd1(v, y[0], t[0])
   269  		m := c[0] * 9940570264628428797
   270  		c[2] = madd0(m, 13402431016077863595, c[0])
   271  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   272  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   273  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   274  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   275  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   276  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   277  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   278  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   279  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   280  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   281  	}
   282  	{
   283  		// round 3
   284  		v := x[3]
   285  		c[1], c[0] = madd1(v, y[0], t[0])
   286  		m := c[0] * 9940570264628428797
   287  		c[2] = madd0(m, 13402431016077863595, c[0])
   288  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   289  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   290  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   291  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   292  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   293  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   294  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   295  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   296  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   297  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   298  	}
   299  	{
   300  		// round 4
   301  		v := x[4]
   302  		c[1], c[0] = madd1(v, y[0], t[0])
   303  		m := c[0] * 9940570264628428797
   304  		c[2] = madd0(m, 13402431016077863595, c[0])
   305  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   306  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   307  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   308  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   309  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   310  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   311  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   312  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   313  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   314  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   315  	}
   316  	{
   317  		// round 5
   318  		v := x[5]
   319  		c[1], c[0] = madd1(v, y[0], t[0])
   320  		m := c[0] * 9940570264628428797
   321  		c[2] = madd0(m, 13402431016077863595, c[0])
   322  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   323  		c[2], z[0] = madd2(m, 2210141511517208575, c[2], c[0])
   324  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   325  		c[2], z[1] = madd2(m, 7435674573564081700, c[2], c[0])
   326  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   327  		c[2], z[2] = madd2(m, 7239337960414712511, c[2], c[0])
   328  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   329  		c[2], z[3] = madd2(m, 5412103778470702295, c[2], c[0])
   330  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   331  		z[5], z[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   332  	}
   333  
   334  	// if z > q --> z -= q
   335  	// note: this is NOT constant time
   336  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   337  		var b uint64
   338  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   339  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   340  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   341  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   342  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   343  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   344  	}
   345  }
   346  
   347  func square(z, x *fe) {
   348  
   349  	var p [6]uint64
   350  
   351  	var u, v uint64
   352  	{
   353  		// round 0
   354  		u, p[0] = bits.Mul64(x[0], x[0])
   355  		m := p[0] * 9940570264628428797
   356  		C := madd0(m, 13402431016077863595, p[0])
   357  		var t uint64
   358  		t, u, v = madd1sb(x[0], x[1], u)
   359  		C, p[0] = madd2(m, 2210141511517208575, v, C)
   360  		t, u, v = madd1s(x[0], x[2], t, u)
   361  		C, p[1] = madd2(m, 7435674573564081700, v, C)
   362  		t, u, v = madd1s(x[0], x[3], t, u)
   363  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   364  		t, u, v = madd1s(x[0], x[4], t, u)
   365  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   366  		_, u, v = madd1s(x[0], x[5], t, u)
   367  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   368  	}
   369  	{
   370  		// round 1
   371  		m := p[0] * 9940570264628428797
   372  		C := madd0(m, 13402431016077863595, p[0])
   373  		u, v = madd1(x[1], x[1], p[1])
   374  		C, p[0] = madd2(m, 2210141511517208575, v, C)
   375  		var t uint64
   376  		t, u, v = madd2sb(x[1], x[2], p[2], u)
   377  		C, p[1] = madd2(m, 7435674573564081700, v, C)
   378  		t, u, v = madd2s(x[1], x[3], p[3], t, u)
   379  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   380  		t, u, v = madd2s(x[1], x[4], p[4], t, u)
   381  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   382  		_, u, v = madd2s(x[1], x[5], p[5], t, u)
   383  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   384  	}
   385  	{
   386  		// round 2
   387  		m := p[0] * 9940570264628428797
   388  		C := madd0(m, 13402431016077863595, p[0])
   389  		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
   390  		u, v = madd1(x[2], x[2], p[2])
   391  		C, p[1] = madd2(m, 7435674573564081700, v, C)
   392  		var t uint64
   393  		t, u, v = madd2sb(x[2], x[3], p[3], u)
   394  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   395  		t, u, v = madd2s(x[2], x[4], p[4], t, u)
   396  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   397  		_, u, v = madd2s(x[2], x[5], p[5], t, u)
   398  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   399  	}
   400  	{
   401  		// round 3
   402  		m := p[0] * 9940570264628428797
   403  		C := madd0(m, 13402431016077863595, p[0])
   404  		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
   405  		C, p[1] = madd2(m, 7435674573564081700, p[2], C)
   406  		u, v = madd1(x[3], x[3], p[3])
   407  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   408  		var t uint64
   409  		t, u, v = madd2sb(x[3], x[4], p[4], u)
   410  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   411  		_, u, v = madd2s(x[3], x[5], p[5], t, u)
   412  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   413  	}
   414  	{
   415  		// round 4
   416  		m := p[0] * 9940570264628428797
   417  		C := madd0(m, 13402431016077863595, p[0])
   418  		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
   419  		C, p[1] = madd2(m, 7435674573564081700, p[2], C)
   420  		C, p[2] = madd2(m, 7239337960414712511, p[3], C)
   421  		u, v = madd1(x[4], x[4], p[4])
   422  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   423  		_, u, v = madd2sb(x[4], x[5], p[5], u)
   424  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   425  	}
   426  	{
   427  		// round 5
   428  		m := p[0] * 9940570264628428797
   429  		C := madd0(m, 13402431016077863595, p[0])
   430  		C, z[0] = madd2(m, 2210141511517208575, p[1], C)
   431  		C, z[1] = madd2(m, 7435674573564081700, p[2], C)
   432  		C, z[2] = madd2(m, 7239337960414712511, p[3], C)
   433  		C, z[3] = madd2(m, 5412103778470702295, p[4], C)
   434  		u, v = madd1(x[5], x[5], p[5])
   435  		z[5], z[4] = madd3(m, 1873798617647539866, v, C, u)
   436  	}
   437  
   438  	// if z > q --> z -= q
   439  	// note: this is NOT constant time
   440  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   441  		var b uint64
   442  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   443  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   444  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   445  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   446  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   447  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   448  	}
   449  }
   450  
   451  // arith.go
   452  // Copyright 2020 ConsenSys AG
   453  //
   454  // Licensed under the Apache License, Version 2.0 (the "License");
   455  // you may not use this file except in compliance with the License.
   456  // You may obtain a copy of the License at
   457  //
   458  //     http://www.apache.org/licenses/LICENSE-2.0
   459  //
   460  // Unless required by applicable law or agreed to in writing, software
   461  // distributed under the License is distributed on an "AS IS" BASIS,
   462  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   463  // See the License for the specific language governing permissions and
   464  // limitations under the License.
   465  
   466  // Code generated by goff DO NOT EDIT
   467  
   468  func madd(a, b, t, u, v uint64) (uint64, uint64, uint64) {
   469  	var carry uint64
   470  	hi, lo := bits.Mul64(a, b)
   471  	v, carry = bits.Add64(lo, v, 0)
   472  	u, carry = bits.Add64(hi, u, carry)
   473  	t, _ = bits.Add64(t, 0, carry)
   474  	return t, u, v
   475  }
   476  
   477  // madd0 hi = a*b + c (discards lo bits)
   478  func madd0(a, b, c uint64) (hi uint64) {
   479  	var carry, lo uint64
   480  	hi, lo = bits.Mul64(a, b)
   481  	_, carry = bits.Add64(lo, c, 0)
   482  	hi, _ = bits.Add64(hi, 0, carry)
   483  	return
   484  }
   485  
   486  // madd1 hi, lo = a*b + c
   487  func madd1(a, b, c uint64) (hi uint64, lo uint64) {
   488  	var carry uint64
   489  	hi, lo = bits.Mul64(a, b)
   490  	lo, carry = bits.Add64(lo, c, 0)
   491  	hi, _ = bits.Add64(hi, 0, carry)
   492  	return
   493  }
   494  
   495  // madd2 hi, lo = a*b + c + d
   496  func madd2(a, b, c, d uint64) (hi uint64, lo uint64) {
   497  	var carry uint64
   498  	hi, lo = bits.Mul64(a, b)
   499  	c, carry = bits.Add64(c, d, 0)
   500  	hi, _ = bits.Add64(hi, 0, carry)
   501  	lo, carry = bits.Add64(lo, c, 0)
   502  	hi, _ = bits.Add64(hi, 0, carry)
   503  	return
   504  }
   505  
   506  // madd2s superhi, hi, lo = 2*a*b + c + d + e
   507  func madd2s(a, b, c, d, e uint64) (superhi, hi, lo uint64) {
   508  	var carry, sum uint64
   509  
   510  	hi, lo = bits.Mul64(a, b)
   511  	lo, carry = bits.Add64(lo, lo, 0)
   512  	hi, superhi = bits.Add64(hi, hi, carry)
   513  
   514  	sum, carry = bits.Add64(c, e, 0)
   515  	hi, _ = bits.Add64(hi, 0, carry)
   516  	lo, carry = bits.Add64(lo, sum, 0)
   517  	hi, _ = bits.Add64(hi, 0, carry)
   518  	hi, _ = bits.Add64(hi, 0, d)
   519  	return
   520  }
   521  
   522  func madd1s(a, b, d, e uint64) (superhi, hi, lo uint64) {
   523  	var carry uint64
   524  
   525  	hi, lo = bits.Mul64(a, b)
   526  	lo, carry = bits.Add64(lo, lo, 0)
   527  	hi, superhi = bits.Add64(hi, hi, carry)
   528  	lo, carry = bits.Add64(lo, e, 0)
   529  	hi, _ = bits.Add64(hi, 0, carry)
   530  	hi, _ = bits.Add64(hi, 0, d)
   531  	return
   532  }
   533  
   534  func madd2sb(a, b, c, e uint64) (superhi, hi, lo uint64) {
   535  	var carry, sum uint64
   536  
   537  	hi, lo = bits.Mul64(a, b)
   538  	lo, carry = bits.Add64(lo, lo, 0)
   539  	hi, superhi = bits.Add64(hi, hi, carry)
   540  
   541  	sum, carry = bits.Add64(c, e, 0)
   542  	hi, _ = bits.Add64(hi, 0, carry)
   543  	lo, carry = bits.Add64(lo, sum, 0)
   544  	hi, _ = bits.Add64(hi, 0, carry)
   545  	return
   546  }
   547  
   548  func madd1sb(a, b, e uint64) (superhi, hi, lo uint64) {
   549  	var carry uint64
   550  
   551  	hi, lo = bits.Mul64(a, b)
   552  	lo, carry = bits.Add64(lo, lo, 0)
   553  	hi, superhi = bits.Add64(hi, hi, carry)
   554  	lo, carry = bits.Add64(lo, e, 0)
   555  	hi, _ = bits.Add64(hi, 0, carry)
   556  	return
   557  }
   558  
   559  func madd3(a, b, c, d, e uint64) (hi uint64, lo uint64) {
   560  	var carry uint64
   561  	hi, lo = bits.Mul64(a, b)
   562  	c, carry = bits.Add64(c, d, 0)
   563  	hi, _ = bits.Add64(hi, 0, carry)
   564  	lo, carry = bits.Add64(lo, c, 0)
   565  	hi, _ = bits.Add64(hi, e, carry)
   566  	return
   567  }