github.com/aquanetwork/aquachain@v1.7.8/crypto/secp256k1/libsecp256k1/src/field_5x52_impl.h (about) 1 /********************************************************************** 2 * Copyright (c) 2013, 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #ifndef SECP256K1_FIELD_REPR_IMPL_H 8 #define SECP256K1_FIELD_REPR_IMPL_H 9 10 #if defined HAVE_CONFIG_H 11 #include "libsecp256k1-config.h" 12 #endif 13 14 #include "util.h" 15 #include "num.h" 16 #include "field.h" 17 18 #if defined(USE_ASM_X86_64) 19 #include "field_5x52_asm_impl.h" 20 #else 21 #include "field_5x52_int128_impl.h" 22 #endif 23 24 /** Implements arithmetic modulo FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F, 25 * represented as 5 uint64_t's in base 2^52. The values are allowed to contain >52 each. In particular, 26 * each FieldElem has a 'magnitude' associated with it. Internally, a magnitude M means each element 27 * is at most M*(2^53-1), except the most significant one, which is limited to M*(2^49-1). All operations 28 * accept any input with magnitude at most M, and have different rules for propagating magnitude to their 29 * output. 30 */ 31 32 #ifdef VERIFY 33 static void secp256k1_fe_verify(const secp256k1_fe *a) { 34 const uint64_t *d = a->n; 35 int m = a->normalized ? 1 : 2 * a->magnitude, r = 1; 36 /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ 37 r &= (d[0] <= 0xFFFFFFFFFFFFFULL * m); 38 r &= (d[1] <= 0xFFFFFFFFFFFFFULL * m); 39 r &= (d[2] <= 0xFFFFFFFFFFFFFULL * m); 40 r &= (d[3] <= 0xFFFFFFFFFFFFFULL * m); 41 r &= (d[4] <= 0x0FFFFFFFFFFFFULL * m); 42 r &= (a->magnitude >= 0); 43 r &= (a->magnitude <= 2048); 44 if (a->normalized) { 45 r &= (a->magnitude <= 1); 46 if (r && (d[4] == 0x0FFFFFFFFFFFFULL) && ((d[3] & d[2] & d[1]) == 0xFFFFFFFFFFFFFULL)) { 47 r &= (d[0] < 0xFFFFEFFFFFC2FULL); 48 } 49 } 50 VERIFY_CHECK(r == 1); 51 } 52 #endif 53 54 static void secp256k1_fe_normalize(secp256k1_fe *r) { 55 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 56 57 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 58 uint64_t m; 59 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 60 61 /* The first pass ensures the magnitude is 1, ... */ 62 t0 += x * 0x1000003D1ULL; 63 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 64 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1; 65 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2; 66 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3; 67 68 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 69 VERIFY_CHECK(t4 >> 49 == 0); 70 71 /* At most a single final reduction is needed; check if the value is >= the field characteristic */ 72 x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL) 73 & (t0 >= 0xFFFFEFFFFFC2FULL)); 74 75 /* Apply the final reduction (for constant-time behaviour, we do it always) */ 76 t0 += x * 0x1000003D1ULL; 77 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 78 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 79 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 80 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 81 82 /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */ 83 VERIFY_CHECK(t4 >> 48 == x); 84 85 /* Mask off the possible multiple of 2^256 from the final reduction */ 86 t4 &= 0x0FFFFFFFFFFFFULL; 87 88 r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 89 90 #ifdef VERIFY 91 r->magnitude = 1; 92 r->normalized = 1; 93 secp256k1_fe_verify(r); 94 #endif 95 } 96 97 static void secp256k1_fe_normalize_weak(secp256k1_fe *r) { 98 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 99 100 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 101 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 102 103 /* The first pass ensures the magnitude is 1, ... */ 104 t0 += x * 0x1000003D1ULL; 105 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 106 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 107 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 108 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 109 110 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 111 VERIFY_CHECK(t4 >> 49 == 0); 112 113 r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 114 115 #ifdef VERIFY 116 r->magnitude = 1; 117 secp256k1_fe_verify(r); 118 #endif 119 } 120 121 static void secp256k1_fe_normalize_var(secp256k1_fe *r) { 122 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 123 124 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 125 uint64_t m; 126 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 127 128 /* The first pass ensures the magnitude is 1, ... */ 129 t0 += x * 0x1000003D1ULL; 130 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 131 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1; 132 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2; 133 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3; 134 135 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 136 VERIFY_CHECK(t4 >> 49 == 0); 137 138 /* At most a single final reduction is needed; check if the value is >= the field characteristic */ 139 x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL) 140 & (t0 >= 0xFFFFEFFFFFC2FULL)); 141 142 if (x) { 143 t0 += 0x1000003D1ULL; 144 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 145 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 146 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 147 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 148 149 /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */ 150 VERIFY_CHECK(t4 >> 48 == x); 151 152 /* Mask off the possible multiple of 2^256 from the final reduction */ 153 t4 &= 0x0FFFFFFFFFFFFULL; 154 } 155 156 r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 157 158 #ifdef VERIFY 159 r->magnitude = 1; 160 r->normalized = 1; 161 secp256k1_fe_verify(r); 162 #endif 163 } 164 165 static int secp256k1_fe_normalizes_to_zero(secp256k1_fe *r) { 166 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 167 168 /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ 169 uint64_t z0, z1; 170 171 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 172 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 173 174 /* The first pass ensures the magnitude is 1, ... */ 175 t0 += x * 0x1000003D1ULL; 176 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL; 177 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1; 178 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2; 179 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3; 180 z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL; 181 182 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 183 VERIFY_CHECK(t4 >> 49 == 0); 184 185 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); 186 } 187 188 static int secp256k1_fe_normalizes_to_zero_var(secp256k1_fe *r) { 189 uint64_t t0, t1, t2, t3, t4; 190 uint64_t z0, z1; 191 uint64_t x; 192 193 t0 = r->n[0]; 194 t4 = r->n[4]; 195 196 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 197 x = t4 >> 48; 198 199 /* The first pass ensures the magnitude is 1, ... */ 200 t0 += x * 0x1000003D1ULL; 201 202 /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ 203 z0 = t0 & 0xFFFFFFFFFFFFFULL; 204 z1 = z0 ^ 0x1000003D0ULL; 205 206 /* Fast return path should catch the majority of cases */ 207 if ((z0 != 0ULL) & (z1 != 0xFFFFFFFFFFFFFULL)) { 208 return 0; 209 } 210 211 t1 = r->n[1]; 212 t2 = r->n[2]; 213 t3 = r->n[3]; 214 215 t4 &= 0x0FFFFFFFFFFFFULL; 216 217 t1 += (t0 >> 52); 218 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1; 219 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2; 220 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3; 221 z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL; 222 223 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 224 VERIFY_CHECK(t4 >> 49 == 0); 225 226 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); 227 } 228 229 SECP256K1_INLINE static void secp256k1_fe_set_int(secp256k1_fe *r, int a) { 230 r->n[0] = a; 231 r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0; 232 #ifdef VERIFY 233 r->magnitude = 1; 234 r->normalized = 1; 235 secp256k1_fe_verify(r); 236 #endif 237 } 238 239 SECP256K1_INLINE static int secp256k1_fe_is_zero(const secp256k1_fe *a) { 240 const uint64_t *t = a->n; 241 #ifdef VERIFY 242 VERIFY_CHECK(a->normalized); 243 secp256k1_fe_verify(a); 244 #endif 245 return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0; 246 } 247 248 SECP256K1_INLINE static int secp256k1_fe_is_odd(const secp256k1_fe *a) { 249 #ifdef VERIFY 250 VERIFY_CHECK(a->normalized); 251 secp256k1_fe_verify(a); 252 #endif 253 return a->n[0] & 1; 254 } 255 256 SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe *a) { 257 int i; 258 #ifdef VERIFY 259 a->magnitude = 0; 260 a->normalized = 1; 261 #endif 262 for (i=0; i<5; i++) { 263 a->n[i] = 0; 264 } 265 } 266 267 static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) { 268 int i; 269 #ifdef VERIFY 270 VERIFY_CHECK(a->normalized); 271 VERIFY_CHECK(b->normalized); 272 secp256k1_fe_verify(a); 273 secp256k1_fe_verify(b); 274 #endif 275 for (i = 4; i >= 0; i--) { 276 if (a->n[i] > b->n[i]) { 277 return 1; 278 } 279 if (a->n[i] < b->n[i]) { 280 return -1; 281 } 282 } 283 return 0; 284 } 285 286 static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) { 287 r->n[0] = (uint64_t)a[31] 288 | ((uint64_t)a[30] << 8) 289 | ((uint64_t)a[29] << 16) 290 | ((uint64_t)a[28] << 24) 291 | ((uint64_t)a[27] << 32) 292 | ((uint64_t)a[26] << 40) 293 | ((uint64_t)(a[25] & 0xF) << 48); 294 r->n[1] = (uint64_t)((a[25] >> 4) & 0xF) 295 | ((uint64_t)a[24] << 4) 296 | ((uint64_t)a[23] << 12) 297 | ((uint64_t)a[22] << 20) 298 | ((uint64_t)a[21] << 28) 299 | ((uint64_t)a[20] << 36) 300 | ((uint64_t)a[19] << 44); 301 r->n[2] = (uint64_t)a[18] 302 | ((uint64_t)a[17] << 8) 303 | ((uint64_t)a[16] << 16) 304 | ((uint64_t)a[15] << 24) 305 | ((uint64_t)a[14] << 32) 306 | ((uint64_t)a[13] << 40) 307 | ((uint64_t)(a[12] & 0xF) << 48); 308 r->n[3] = (uint64_t)((a[12] >> 4) & 0xF) 309 | ((uint64_t)a[11] << 4) 310 | ((uint64_t)a[10] << 12) 311 | ((uint64_t)a[9] << 20) 312 | ((uint64_t)a[8] << 28) 313 | ((uint64_t)a[7] << 36) 314 | ((uint64_t)a[6] << 44); 315 r->n[4] = (uint64_t)a[5] 316 | ((uint64_t)a[4] << 8) 317 | ((uint64_t)a[3] << 16) 318 | ((uint64_t)a[2] << 24) 319 | ((uint64_t)a[1] << 32) 320 | ((uint64_t)a[0] << 40); 321 if (r->n[4] == 0x0FFFFFFFFFFFFULL && (r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL && r->n[0] >= 0xFFFFEFFFFFC2FULL) { 322 return 0; 323 } 324 #ifdef VERIFY 325 r->magnitude = 1; 326 r->normalized = 1; 327 secp256k1_fe_verify(r); 328 #endif 329 return 1; 330 } 331 332 /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ 333 static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a) { 334 #ifdef VERIFY 335 VERIFY_CHECK(a->normalized); 336 secp256k1_fe_verify(a); 337 #endif 338 r[0] = (a->n[4] >> 40) & 0xFF; 339 r[1] = (a->n[4] >> 32) & 0xFF; 340 r[2] = (a->n[4] >> 24) & 0xFF; 341 r[3] = (a->n[4] >> 16) & 0xFF; 342 r[4] = (a->n[4] >> 8) & 0xFF; 343 r[5] = a->n[4] & 0xFF; 344 r[6] = (a->n[3] >> 44) & 0xFF; 345 r[7] = (a->n[3] >> 36) & 0xFF; 346 r[8] = (a->n[3] >> 28) & 0xFF; 347 r[9] = (a->n[3] >> 20) & 0xFF; 348 r[10] = (a->n[3] >> 12) & 0xFF; 349 r[11] = (a->n[3] >> 4) & 0xFF; 350 r[12] = ((a->n[2] >> 48) & 0xF) | ((a->n[3] & 0xF) << 4); 351 r[13] = (a->n[2] >> 40) & 0xFF; 352 r[14] = (a->n[2] >> 32) & 0xFF; 353 r[15] = (a->n[2] >> 24) & 0xFF; 354 r[16] = (a->n[2] >> 16) & 0xFF; 355 r[17] = (a->n[2] >> 8) & 0xFF; 356 r[18] = a->n[2] & 0xFF; 357 r[19] = (a->n[1] >> 44) & 0xFF; 358 r[20] = (a->n[1] >> 36) & 0xFF; 359 r[21] = (a->n[1] >> 28) & 0xFF; 360 r[22] = (a->n[1] >> 20) & 0xFF; 361 r[23] = (a->n[1] >> 12) & 0xFF; 362 r[24] = (a->n[1] >> 4) & 0xFF; 363 r[25] = ((a->n[0] >> 48) & 0xF) | ((a->n[1] & 0xF) << 4); 364 r[26] = (a->n[0] >> 40) & 0xFF; 365 r[27] = (a->n[0] >> 32) & 0xFF; 366 r[28] = (a->n[0] >> 24) & 0xFF; 367 r[29] = (a->n[0] >> 16) & 0xFF; 368 r[30] = (a->n[0] >> 8) & 0xFF; 369 r[31] = a->n[0] & 0xFF; 370 } 371 372 SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m) { 373 #ifdef VERIFY 374 VERIFY_CHECK(a->magnitude <= m); 375 secp256k1_fe_verify(a); 376 #endif 377 r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0]; 378 r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1]; 379 r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[2]; 380 r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[3]; 381 r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) - a->n[4]; 382 #ifdef VERIFY 383 r->magnitude = m + 1; 384 r->normalized = 0; 385 secp256k1_fe_verify(r); 386 #endif 387 } 388 389 SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) { 390 r->n[0] *= a; 391 r->n[1] *= a; 392 r->n[2] *= a; 393 r->n[3] *= a; 394 r->n[4] *= a; 395 #ifdef VERIFY 396 r->magnitude *= a; 397 r->normalized = 0; 398 secp256k1_fe_verify(r); 399 #endif 400 } 401 402 SECP256K1_INLINE static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a) { 403 #ifdef VERIFY 404 secp256k1_fe_verify(a); 405 #endif 406 r->n[0] += a->n[0]; 407 r->n[1] += a->n[1]; 408 r->n[2] += a->n[2]; 409 r->n[3] += a->n[3]; 410 r->n[4] += a->n[4]; 411 #ifdef VERIFY 412 r->magnitude += a->magnitude; 413 r->normalized = 0; 414 secp256k1_fe_verify(r); 415 #endif 416 } 417 418 static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b) { 419 #ifdef VERIFY 420 VERIFY_CHECK(a->magnitude <= 8); 421 VERIFY_CHECK(b->magnitude <= 8); 422 secp256k1_fe_verify(a); 423 secp256k1_fe_verify(b); 424 VERIFY_CHECK(r != b); 425 #endif 426 secp256k1_fe_mul_inner(r->n, a->n, b->n); 427 #ifdef VERIFY 428 r->magnitude = 1; 429 r->normalized = 0; 430 secp256k1_fe_verify(r); 431 #endif 432 } 433 434 static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) { 435 #ifdef VERIFY 436 VERIFY_CHECK(a->magnitude <= 8); 437 secp256k1_fe_verify(a); 438 #endif 439 secp256k1_fe_sqr_inner(r->n, a->n); 440 #ifdef VERIFY 441 r->magnitude = 1; 442 r->normalized = 0; 443 secp256k1_fe_verify(r); 444 #endif 445 } 446 447 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) { 448 uint64_t mask0, mask1; 449 mask0 = flag + ~((uint64_t)0); 450 mask1 = ~mask0; 451 r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); 452 r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1); 453 r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1); 454 r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); 455 r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1); 456 #ifdef VERIFY 457 if (a->magnitude > r->magnitude) { 458 r->magnitude = a->magnitude; 459 } 460 r->normalized &= a->normalized; 461 #endif 462 } 463 464 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) { 465 uint64_t mask0, mask1; 466 mask0 = flag + ~((uint64_t)0); 467 mask1 = ~mask0; 468 r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); 469 r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1); 470 r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1); 471 r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); 472 } 473 474 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) { 475 #ifdef VERIFY 476 VERIFY_CHECK(a->normalized); 477 #endif 478 r->n[0] = a->n[0] | a->n[1] << 52; 479 r->n[1] = a->n[1] >> 12 | a->n[2] << 40; 480 r->n[2] = a->n[2] >> 24 | a->n[3] << 28; 481 r->n[3] = a->n[3] >> 36 | a->n[4] << 16; 482 } 483 484 static SECP256K1_INLINE void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a) { 485 r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL; 486 r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL); 487 r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL); 488 r->n[3] = a->n[2] >> 28 | ((a->n[3] << 36) & 0xFFFFFFFFFFFFFULL); 489 r->n[4] = a->n[3] >> 16; 490 #ifdef VERIFY 491 r->magnitude = 1; 492 r->normalized = 1; 493 #endif 494 } 495 496 #endif /* SECP256K1_FIELD_REPR_IMPL_H */