github.com/bcskill/bcschain/v3@v3.4.9-beta2/crypto/bls12381/arithmetic_fallback.go (about)

     1  // Native go field arithmetic code is generated with 'goff'
     2  // https://github.com/ConsenSys/goff
     3  // Many function signature of field operations are renamed.
     4  
     5  // Copyright 2020 ConsenSys AG
     6  //
     7  // Licensed under the Apache License, Version 2.0 (the "License");
     8  // you may not use this file except in compliance with the License.
     9  // You may obtain a copy of the License at
    10  //
    11  //     http://www.apache.org/licenses/LICENSE-2.0
    12  //
    13  // Unless required by applicable law or agreed to in writing, software
    14  // distributed under the License is distributed on an "AS IS" BASIS,
    15  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  // See the License for the specific language governing permissions and
    17  // limitations under the License.
    18  
    19  // field modulus q =
    20  //
    21  // 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
    22  // Code generated by goff DO NOT EDIT
    23  // goff version: v0.1.0 - build: 790f1f56eac432441e043abff8819eacddd1d668
    24  // fe are assumed to be in Montgomery form in all methods
    25  
    26  // /!\ WARNING /!\
    27  // this code has not been audited and is provided as-is. In particular,
    28  // there is no security guarantees such as constant time implementation
    29  // or side-channel attack resistance
    30  // /!\ WARNING /!\
    31  
    32  // Package bls (generated by goff) contains field arithmetics operations
    33  
    34  // +build !amd64 !blsasm,!blsadx
    35  
    36  package bls12381
    37  
    38  import (
    39  	"math/bits"
    40  )
    41  
    42  func add(z, x, y *fe) {
    43  	var carry uint64
    44  
    45  	z[0], carry = bits.Add64(x[0], y[0], 0)
    46  	z[1], carry = bits.Add64(x[1], y[1], carry)
    47  	z[2], carry = bits.Add64(x[2], y[2], carry)
    48  	z[3], carry = bits.Add64(x[3], y[3], carry)
    49  	z[4], carry = bits.Add64(x[4], y[4], carry)
    50  	z[5], _ = bits.Add64(x[5], y[5], carry)
    51  
    52  	// if z > q --> z -= q
    53  	// note: this is NOT constant time
    54  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
    55  		var b uint64
    56  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
    57  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
    58  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
    59  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
    60  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
    61  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
    62  	}
    63  }
    64  
    65  func addAssign(x, y *fe) {
    66  	var carry uint64
    67  
    68  	x[0], carry = bits.Add64(x[0], y[0], 0)
    69  	x[1], carry = bits.Add64(x[1], y[1], carry)
    70  	x[2], carry = bits.Add64(x[2], y[2], carry)
    71  	x[3], carry = bits.Add64(x[3], y[3], carry)
    72  	x[4], carry = bits.Add64(x[4], y[4], carry)
    73  	x[5], _ = bits.Add64(x[5], y[5], carry)
    74  
    75  	// if z > q --> z -= q
    76  	// note: this is NOT constant time
    77  	if !(x[5] < 1873798617647539866 || (x[5] == 1873798617647539866 && (x[4] < 5412103778470702295 || (x[4] == 5412103778470702295 && (x[3] < 7239337960414712511 || (x[3] == 7239337960414712511 && (x[2] < 7435674573564081700 || (x[2] == 7435674573564081700 && (x[1] < 2210141511517208575 || (x[1] == 2210141511517208575 && (x[0] < 13402431016077863595))))))))))) {
    78  		var b uint64
    79  		x[0], b = bits.Sub64(x[0], 13402431016077863595, 0)
    80  		x[1], b = bits.Sub64(x[1], 2210141511517208575, b)
    81  		x[2], b = bits.Sub64(x[2], 7435674573564081700, b)
    82  		x[3], b = bits.Sub64(x[3], 7239337960414712511, b)
    83  		x[4], b = bits.Sub64(x[4], 5412103778470702295, b)
    84  		x[5], _ = bits.Sub64(x[5], 1873798617647539866, b)
    85  	}
    86  }
    87  
    88  func ladd(z, x, y *fe) {
    89  	var carry uint64
    90  	z[0], carry = bits.Add64(x[0], y[0], 0)
    91  	z[1], carry = bits.Add64(x[1], y[1], carry)
    92  	z[2], carry = bits.Add64(x[2], y[2], carry)
    93  	z[3], carry = bits.Add64(x[3], y[3], carry)
    94  	z[4], carry = bits.Add64(x[4], y[4], carry)
    95  	z[5], _ = bits.Add64(x[5], y[5], carry)
    96  }
    97  
    98  func laddAssign(x, y *fe) {
    99  	var carry uint64
   100  	x[0], carry = bits.Add64(x[0], y[0], 0)
   101  	x[1], carry = bits.Add64(x[1], y[1], carry)
   102  	x[2], carry = bits.Add64(x[2], y[2], carry)
   103  	x[3], carry = bits.Add64(x[3], y[3], carry)
   104  	x[4], carry = bits.Add64(x[4], y[4], carry)
   105  	x[5], _ = bits.Add64(x[5], y[5], carry)
   106  }
   107  
   108  func double(z, x *fe) {
   109  	var carry uint64
   110  
   111  	z[0], carry = bits.Add64(x[0], x[0], 0)
   112  	z[1], carry = bits.Add64(x[1], x[1], carry)
   113  	z[2], carry = bits.Add64(x[2], x[2], carry)
   114  	z[3], carry = bits.Add64(x[3], x[3], carry)
   115  	z[4], carry = bits.Add64(x[4], x[4], carry)
   116  	z[5], _ = bits.Add64(x[5], x[5], carry)
   117  
   118  	// if z > q --> z -= q
   119  	// note: this is NOT constant time
   120  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   121  		var b uint64
   122  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   123  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   124  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   125  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   126  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   127  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   128  	}
   129  }
   130  
   131  func doubleAssign(z *fe) {
   132  	var carry uint64
   133  
   134  	z[0], carry = bits.Add64(z[0], z[0], 0)
   135  	z[1], carry = bits.Add64(z[1], z[1], carry)
   136  	z[2], carry = bits.Add64(z[2], z[2], carry)
   137  	z[3], carry = bits.Add64(z[3], z[3], carry)
   138  	z[4], carry = bits.Add64(z[4], z[4], carry)
   139  	z[5], _ = bits.Add64(z[5], z[5], carry)
   140  
   141  	// if z > q --> z -= q
   142  	// note: this is NOT constant time
   143  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   144  		var b uint64
   145  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   146  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   147  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   148  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   149  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   150  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   151  	}
   152  }
   153  
   154  func ldouble(z, x *fe) {
   155  	var carry uint64
   156  
   157  	z[0], carry = bits.Add64(x[0], x[0], 0)
   158  	z[1], carry = bits.Add64(x[1], x[1], carry)
   159  	z[2], carry = bits.Add64(x[2], x[2], carry)
   160  	z[3], carry = bits.Add64(x[3], x[3], carry)
   161  	z[4], carry = bits.Add64(x[4], x[4], carry)
   162  	z[5], _ = bits.Add64(x[5], x[5], carry)
   163  }
   164  
   165  func sub(z, x, y *fe) {
   166  	var b uint64
   167  	z[0], b = bits.Sub64(x[0], y[0], 0)
   168  	z[1], b = bits.Sub64(x[1], y[1], b)
   169  	z[2], b = bits.Sub64(x[2], y[2], b)
   170  	z[3], b = bits.Sub64(x[3], y[3], b)
   171  	z[4], b = bits.Sub64(x[4], y[4], b)
   172  	z[5], b = bits.Sub64(x[5], y[5], b)
   173  	if b != 0 {
   174  		var c uint64
   175  		z[0], c = bits.Add64(z[0], 13402431016077863595, 0)
   176  		z[1], c = bits.Add64(z[1], 2210141511517208575, c)
   177  		z[2], c = bits.Add64(z[2], 7435674573564081700, c)
   178  		z[3], c = bits.Add64(z[3], 7239337960414712511, c)
   179  		z[4], c = bits.Add64(z[4], 5412103778470702295, c)
   180  		z[5], _ = bits.Add64(z[5], 1873798617647539866, c)
   181  	}
   182  }
   183  
   184  func subAssign(z, x *fe) {
   185  	var b uint64
   186  	z[0], b = bits.Sub64(z[0], x[0], 0)
   187  	z[1], b = bits.Sub64(z[1], x[1], b)
   188  	z[2], b = bits.Sub64(z[2], x[2], b)
   189  	z[3], b = bits.Sub64(z[3], x[3], b)
   190  	z[4], b = bits.Sub64(z[4], x[4], b)
   191  	z[5], b = bits.Sub64(z[5], x[5], b)
   192  	if b != 0 {
   193  		var c uint64
   194  		z[0], c = bits.Add64(z[0], 13402431016077863595, 0)
   195  		z[1], c = bits.Add64(z[1], 2210141511517208575, c)
   196  		z[2], c = bits.Add64(z[2], 7435674573564081700, c)
   197  		z[3], c = bits.Add64(z[3], 7239337960414712511, c)
   198  		z[4], c = bits.Add64(z[4], 5412103778470702295, c)
   199  		z[5], _ = bits.Add64(z[5], 1873798617647539866, c)
   200  	}
   201  }
   202  
   203  func lsubAssign(z, x *fe) {
   204  	var b uint64
   205  	z[0], b = bits.Sub64(z[0], x[0], 0)
   206  	z[1], b = bits.Sub64(z[1], x[1], b)
   207  	z[2], b = bits.Sub64(z[2], x[2], b)
   208  	z[3], b = bits.Sub64(z[3], x[3], b)
   209  	z[4], b = bits.Sub64(z[4], x[4], b)
   210  	z[5], _ = bits.Sub64(z[5], x[5], b)
   211  }
   212  
   213  func neg(z *fe, x *fe) {
   214  	if x.isZero() {
   215  		z.zero()
   216  		return
   217  	}
   218  	var borrow uint64
   219  	z[0], borrow = bits.Sub64(13402431016077863595, x[0], 0)
   220  	z[1], borrow = bits.Sub64(2210141511517208575, x[1], borrow)
   221  	z[2], borrow = bits.Sub64(7435674573564081700, x[2], borrow)
   222  	z[3], borrow = bits.Sub64(7239337960414712511, x[3], borrow)
   223  	z[4], borrow = bits.Sub64(5412103778470702295, x[4], borrow)
   224  	z[5], _ = bits.Sub64(1873798617647539866, x[5], borrow)
   225  }
   226  
   227  func mul(z, x, y *fe) {
   228  	var t [6]uint64
   229  	var c [3]uint64
   230  	{
   231  		// round 0
   232  		v := x[0]
   233  		c[1], c[0] = bits.Mul64(v, y[0])
   234  		m := c[0] * 9940570264628428797
   235  		c[2] = madd0(m, 13402431016077863595, c[0])
   236  		c[1], c[0] = madd1(v, y[1], c[1])
   237  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   238  		c[1], c[0] = madd1(v, y[2], c[1])
   239  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   240  		c[1], c[0] = madd1(v, y[3], c[1])
   241  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   242  		c[1], c[0] = madd1(v, y[4], c[1])
   243  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   244  		c[1], c[0] = madd1(v, y[5], c[1])
   245  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   246  	}
   247  	{
   248  		// round 1
   249  		v := x[1]
   250  		c[1], c[0] = madd1(v, y[0], t[0])
   251  		m := c[0] * 9940570264628428797
   252  		c[2] = madd0(m, 13402431016077863595, c[0])
   253  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   254  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   255  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   256  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   257  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   258  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   259  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   260  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   261  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   262  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   263  	}
   264  	{
   265  		// round 2
   266  		v := x[2]
   267  		c[1], c[0] = madd1(v, y[0], t[0])
   268  		m := c[0] * 9940570264628428797
   269  		c[2] = madd0(m, 13402431016077863595, c[0])
   270  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   271  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   272  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   273  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   274  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   275  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   276  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   277  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   278  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   279  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   280  	}
   281  	{
   282  		// round 3
   283  		v := x[3]
   284  		c[1], c[0] = madd1(v, y[0], t[0])
   285  		m := c[0] * 9940570264628428797
   286  		c[2] = madd0(m, 13402431016077863595, c[0])
   287  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   288  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   289  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   290  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   291  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   292  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   293  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   294  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   295  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   296  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   297  	}
   298  	{
   299  		// round 4
   300  		v := x[4]
   301  		c[1], c[0] = madd1(v, y[0], t[0])
   302  		m := c[0] * 9940570264628428797
   303  		c[2] = madd0(m, 13402431016077863595, c[0])
   304  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   305  		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
   306  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   307  		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
   308  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   309  		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
   310  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   311  		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
   312  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   313  		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   314  	}
   315  	{
   316  		// round 5
   317  		v := x[5]
   318  		c[1], c[0] = madd1(v, y[0], t[0])
   319  		m := c[0] * 9940570264628428797
   320  		c[2] = madd0(m, 13402431016077863595, c[0])
   321  		c[1], c[0] = madd2(v, y[1], c[1], t[1])
   322  		c[2], z[0] = madd2(m, 2210141511517208575, c[2], c[0])
   323  		c[1], c[0] = madd2(v, y[2], c[1], t[2])
   324  		c[2], z[1] = madd2(m, 7435674573564081700, c[2], c[0])
   325  		c[1], c[0] = madd2(v, y[3], c[1], t[3])
   326  		c[2], z[2] = madd2(m, 7239337960414712511, c[2], c[0])
   327  		c[1], c[0] = madd2(v, y[4], c[1], t[4])
   328  		c[2], z[3] = madd2(m, 5412103778470702295, c[2], c[0])
   329  		c[1], c[0] = madd2(v, y[5], c[1], t[5])
   330  		z[5], z[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
   331  	}
   332  
   333  	// if z > q --> z -= q
   334  	// note: this is NOT constant time
   335  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   336  		var b uint64
   337  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   338  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   339  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   340  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   341  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   342  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   343  	}
   344  }
   345  
   346  func square(z, x *fe) {
   347  
   348  	var p [6]uint64
   349  
   350  	var u, v uint64
   351  	{
   352  		// round 0
   353  		u, p[0] = bits.Mul64(x[0], x[0])
   354  		m := p[0] * 9940570264628428797
   355  		C := madd0(m, 13402431016077863595, p[0])
   356  		var t uint64
   357  		t, u, v = madd1sb(x[0], x[1], u)
   358  		C, p[0] = madd2(m, 2210141511517208575, v, C)
   359  		t, u, v = madd1s(x[0], x[2], t, u)
   360  		C, p[1] = madd2(m, 7435674573564081700, v, C)
   361  		t, u, v = madd1s(x[0], x[3], t, u)
   362  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   363  		t, u, v = madd1s(x[0], x[4], t, u)
   364  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   365  		_, u, v = madd1s(x[0], x[5], t, u)
   366  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   367  	}
   368  	{
   369  		// round 1
   370  		m := p[0] * 9940570264628428797
   371  		C := madd0(m, 13402431016077863595, p[0])
   372  		u, v = madd1(x[1], x[1], p[1])
   373  		C, p[0] = madd2(m, 2210141511517208575, v, C)
   374  		var t uint64
   375  		t, u, v = madd2sb(x[1], x[2], p[2], u)
   376  		C, p[1] = madd2(m, 7435674573564081700, v, C)
   377  		t, u, v = madd2s(x[1], x[3], p[3], t, u)
   378  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   379  		t, u, v = madd2s(x[1], x[4], p[4], t, u)
   380  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   381  		_, u, v = madd2s(x[1], x[5], p[5], t, u)
   382  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   383  	}
   384  	{
   385  		// round 2
   386  		m := p[0] * 9940570264628428797
   387  		C := madd0(m, 13402431016077863595, p[0])
   388  		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
   389  		u, v = madd1(x[2], x[2], p[2])
   390  		C, p[1] = madd2(m, 7435674573564081700, v, C)
   391  		var t uint64
   392  		t, u, v = madd2sb(x[2], x[3], p[3], u)
   393  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   394  		t, u, v = madd2s(x[2], x[4], p[4], t, u)
   395  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   396  		_, u, v = madd2s(x[2], x[5], p[5], t, u)
   397  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   398  	}
   399  	{
   400  		// round 3
   401  		m := p[0] * 9940570264628428797
   402  		C := madd0(m, 13402431016077863595, p[0])
   403  		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
   404  		C, p[1] = madd2(m, 7435674573564081700, p[2], C)
   405  		u, v = madd1(x[3], x[3], p[3])
   406  		C, p[2] = madd2(m, 7239337960414712511, v, C)
   407  		var t uint64
   408  		t, u, v = madd2sb(x[3], x[4], p[4], u)
   409  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   410  		_, u, v = madd2s(x[3], x[5], p[5], t, u)
   411  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   412  	}
   413  	{
   414  		// round 4
   415  		m := p[0] * 9940570264628428797
   416  		C := madd0(m, 13402431016077863595, p[0])
   417  		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
   418  		C, p[1] = madd2(m, 7435674573564081700, p[2], C)
   419  		C, p[2] = madd2(m, 7239337960414712511, p[3], C)
   420  		u, v = madd1(x[4], x[4], p[4])
   421  		C, p[3] = madd2(m, 5412103778470702295, v, C)
   422  		_, u, v = madd2sb(x[4], x[5], p[5], u)
   423  		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
   424  	}
   425  	{
   426  		// round 5
   427  		m := p[0] * 9940570264628428797
   428  		C := madd0(m, 13402431016077863595, p[0])
   429  		C, z[0] = madd2(m, 2210141511517208575, p[1], C)
   430  		C, z[1] = madd2(m, 7435674573564081700, p[2], C)
   431  		C, z[2] = madd2(m, 7239337960414712511, p[3], C)
   432  		C, z[3] = madd2(m, 5412103778470702295, p[4], C)
   433  		u, v = madd1(x[5], x[5], p[5])
   434  		z[5], z[4] = madd3(m, 1873798617647539866, v, C, u)
   435  	}
   436  
   437  	// if z > q --> z -= q
   438  	// note: this is NOT constant time
   439  	if !(z[5] < 1873798617647539866 || (z[5] == 1873798617647539866 && (z[4] < 5412103778470702295 || (z[4] == 5412103778470702295 && (z[3] < 7239337960414712511 || (z[3] == 7239337960414712511 && (z[2] < 7435674573564081700 || (z[2] == 7435674573564081700 && (z[1] < 2210141511517208575 || (z[1] == 2210141511517208575 && (z[0] < 13402431016077863595))))))))))) {
   440  		var b uint64
   441  		z[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
   442  		z[1], b = bits.Sub64(z[1], 2210141511517208575, b)
   443  		z[2], b = bits.Sub64(z[2], 7435674573564081700, b)
   444  		z[3], b = bits.Sub64(z[3], 7239337960414712511, b)
   445  		z[4], b = bits.Sub64(z[4], 5412103778470702295, b)
   446  		z[5], _ = bits.Sub64(z[5], 1873798617647539866, b)
   447  	}
   448  }
   449  
   450  // arith.go
   451  // Copyright 2020 ConsenSys AG
   452  //
   453  // Licensed under the Apache License, Version 2.0 (the "License");
   454  // you may not use this file except in compliance with the License.
   455  // You may obtain a copy of the License at
   456  //
   457  //     http://www.apache.org/licenses/LICENSE-2.0
   458  //
   459  // Unless required by applicable law or agreed to in writing, software
   460  // distributed under the License is distributed on an "AS IS" BASIS,
   461  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   462  // See the License for the specific language governing permissions and
   463  // limitations under the License.
   464  
   465  // Code generated by goff DO NOT EDIT
   466  
   467  func madd(a, b, t, u, v uint64) (uint64, uint64, uint64) {
   468  	var carry uint64
   469  	hi, lo := bits.Mul64(a, b)
   470  	v, carry = bits.Add64(lo, v, 0)
   471  	u, carry = bits.Add64(hi, u, carry)
   472  	t, _ = bits.Add64(t, 0, carry)
   473  	return t, u, v
   474  }
   475  
   476  // madd0 hi = a*b + c (discards lo bits)
   477  func madd0(a, b, c uint64) (hi uint64) {
   478  	var carry, lo uint64
   479  	hi, lo = bits.Mul64(a, b)
   480  	_, carry = bits.Add64(lo, c, 0)
   481  	hi, _ = bits.Add64(hi, 0, carry)
   482  	return
   483  }
   484  
   485  // madd1 hi, lo = a*b + c
   486  func madd1(a, b, c uint64) (hi uint64, lo uint64) {
   487  	var carry uint64
   488  	hi, lo = bits.Mul64(a, b)
   489  	lo, carry = bits.Add64(lo, c, 0)
   490  	hi, _ = bits.Add64(hi, 0, carry)
   491  	return
   492  }
   493  
   494  // madd2 hi, lo = a*b + c + d
   495  func madd2(a, b, c, d uint64) (hi uint64, lo uint64) {
   496  	var carry uint64
   497  	hi, lo = bits.Mul64(a, b)
   498  	c, carry = bits.Add64(c, d, 0)
   499  	hi, _ = bits.Add64(hi, 0, carry)
   500  	lo, carry = bits.Add64(lo, c, 0)
   501  	hi, _ = bits.Add64(hi, 0, carry)
   502  	return
   503  }
   504  
   505  // madd2s superhi, hi, lo = 2*a*b + c + d + e
   506  func madd2s(a, b, c, d, e uint64) (superhi, hi, lo uint64) {
   507  	var carry, sum uint64
   508  
   509  	hi, lo = bits.Mul64(a, b)
   510  	lo, carry = bits.Add64(lo, lo, 0)
   511  	hi, superhi = bits.Add64(hi, hi, carry)
   512  
   513  	sum, carry = bits.Add64(c, e, 0)
   514  	hi, _ = bits.Add64(hi, 0, carry)
   515  	lo, carry = bits.Add64(lo, sum, 0)
   516  	hi, _ = bits.Add64(hi, 0, carry)
   517  	hi, _ = bits.Add64(hi, 0, d)
   518  	return
   519  }
   520  
   521  func madd1s(a, b, d, e uint64) (superhi, hi, lo uint64) {
   522  	var carry uint64
   523  
   524  	hi, lo = bits.Mul64(a, b)
   525  	lo, carry = bits.Add64(lo, lo, 0)
   526  	hi, superhi = bits.Add64(hi, hi, carry)
   527  	lo, carry = bits.Add64(lo, e, 0)
   528  	hi, _ = bits.Add64(hi, 0, carry)
   529  	hi, _ = bits.Add64(hi, 0, d)
   530  	return
   531  }
   532  
   533  func madd2sb(a, b, c, e uint64) (superhi, hi, lo uint64) {
   534  	var carry, sum uint64
   535  
   536  	hi, lo = bits.Mul64(a, b)
   537  	lo, carry = bits.Add64(lo, lo, 0)
   538  	hi, superhi = bits.Add64(hi, hi, carry)
   539  
   540  	sum, carry = bits.Add64(c, e, 0)
   541  	hi, _ = bits.Add64(hi, 0, carry)
   542  	lo, carry = bits.Add64(lo, sum, 0)
   543  	hi, _ = bits.Add64(hi, 0, carry)
   544  	return
   545  }
   546  
   547  func madd1sb(a, b, e uint64) (superhi, hi, lo uint64) {
   548  	var carry uint64
   549  
   550  	hi, lo = bits.Mul64(a, b)
   551  	lo, carry = bits.Add64(lo, lo, 0)
   552  	hi, superhi = bits.Add64(hi, hi, carry)
   553  	lo, carry = bits.Add64(lo, e, 0)
   554  	hi, _ = bits.Add64(hi, 0, carry)
   555  	return
   556  }
   557  
   558  func madd3(a, b, c, d, e uint64) (hi uint64, lo uint64) {
   559  	var carry uint64
   560  	hi, lo = bits.Mul64(a, b)
   561  	c, carry = bits.Add64(c, d, 0)
   562  	hi, _ = bits.Add64(hi, 0, carry)
   563  	lo, carry = bits.Add64(lo, c, 0)
   564  	hi, _ = bits.Add64(hi, e, carry)
   565  	return
   566  }