
     1  // The native Go field arithmetic in this file was generated with 'goff'
     2  // https://github.com/ConsenSys/goff
     3  // Many of the generated field-operation function signatures have since been renamed.
     4  
     5  // Copyright 2020 ConsenSys AG
     6  //
     7  // Licensed under the Apache License, Version 2.0 (the "License");
     8  // you may not use this file except in compliance with the License.
     9  // You may obtain a copy of the License at
    10  //
    11  //     http://www.apache.org/licenses/LICENSE-2.0
    12  //
    13  // Unless required by applicable law or agreed to in writing, software
    14  // distributed under the License is distributed on an "AS IS" BASIS,
    15  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  // See the License for the specific language governing permissions and
    17  // limitations under the License.
    18  
    19  // field modulus q =
    20  //
    21  // 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
    22  // Code generated by goff DO NOT EDIT
    23  // goff version: v0.1.0 - build: 790f1f56eac432441e043abff8819eacddd1d668
    24  // fe are assumed to be in Montgomery form in all methods
    25  
    26  // /!\ WARNING /!\
    27  // this code has not been audited and is provided as-is. In particular,
    28  // there is no security guarantees such as constant time implementation
    29  // or side-channel attack resistance
    30  // /!\ WARNING /!\
    31  
    32  // Package bls12381 (this file generated by goff) contains the base-field arithmetic operations
    33  
    34  //go:build !amd64 || (!blsasm && !blsadx)
    35  // +build !amd64 !blsasm,!blsadx
    36  
    37  package bls12381
    38  
    39  import (
    40  	"math/bits"
    41  )
    42  
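// add sets z = x + y mod q.
//
// Operands are expected to be fully reduced (< q), in which case the 384-bit
// sum cannot overflow (q < 2^381, so 2q < 2^384) and at most one subtraction
// of q brings the result back below q. z may alias x or y: each limb of the
// inputs is read before the same limb of z is written.
//
// The reduction is branch-free: z - q is always computed and then selected
// with a mask derived from the borrow, so the instruction sequence does not
// depend on the value being reduced (instead of a limb-by-limb comparison
// followed by a conditional subtraction). bits.Add64/Sub64 lower to plain
// add/sub-with-carry on the main targets; whether the final binary is free of
// secret-dependent timing is ultimately a compiler property and has not been
// verified here, so the warning in the file header still applies.
func add(z, x, y *fe) {
	var carry uint64

	z[0], carry = bits.Add64(x[0], y[0], 0)
	z[1], carry = bits.Add64(x[1], y[1], carry)
	z[2], carry = bits.Add64(x[2], y[2], carry)
	z[3], carry = bits.Add64(x[3], y[3], carry)
	z[4], carry = bits.Add64(x[4], y[4], carry)
	z[5], _ = bits.Add64(x[5], y[5], carry)

	// t = z - q; b == 1 iff z < q (a borrow left the top limb).
	var t [6]uint64
	var b uint64
	t[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
	t[1], b = bits.Sub64(z[1], 2210141511517208575, b)
	t[2], b = bits.Sub64(z[2], 7435674573564081700, b)
	t[3], b = bits.Sub64(z[3], 7239337960414712511, b)
	t[4], b = bits.Sub64(z[4], 5412103778470702295, b)
	t[5], b = bits.Sub64(z[5], 1873798617647539866, b)

	// mask is all ones when z >= q (b == 0) and zero otherwise: keep t in the
	// first case and z in the second, without branching.
	mask := b - 1
	z[0] ^= mask & (z[0] ^ t[0])
	z[1] ^= mask & (z[1] ^ t[1])
	z[2] ^= mask & (z[2] ^ t[2])
	z[3] ^= mask & (z[3] ^ t[3])
	z[4] ^= mask & (z[4] ^ t[4])
	z[5] ^= mask & (z[5] ^ t[5])
}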
    65  
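// addAssign sets x = x + y mod q (in-place variant of add).
//
// Operands are expected to be fully reduced, so the 384-bit sum cannot
// overflow and a single subtraction of q suffices. y may alias x.
//
// The reduction is branch-free: x - q is always computed and selected with a
// mask derived from the borrow, so the instruction sequence does not depend
// on the value being reduced. As noted in the file header, this is not a
// guarantee about the machine code the compiler emits.
func addAssign(x, y *fe) {
	var carry uint64

	x[0], carry = bits.Add64(x[0], y[0], 0)
	x[1], carry = bits.Add64(x[1], y[1], carry)
	x[2], carry = bits.Add64(x[2], y[2], carry)
	x[3], carry = bits.Add64(x[3], y[3], carry)
	x[4], carry = bits.Add64(x[4], y[4], carry)
	x[5], _ = bits.Add64(x[5], y[5], carry)

	// t = x - q; b == 1 iff x < q.
	var t [6]uint64
	var b uint64
	t[0], b = bits.Sub64(x[0], 13402431016077863595, 0)
	t[1], b = bits.Sub64(x[1], 2210141511517208575, b)
	t[2], b = bits.Sub64(x[2], 7435674573564081700, b)
	t[3], b = bits.Sub64(x[3], 7239337960414712511, b)
	t[4], b = bits.Sub64(x[4], 5412103778470702295, b)
	t[5], b = bits.Sub64(x[5], 1873798617647539866, b)

	// mask is all ones when x >= q (b == 0): select t, otherwise keep x.
	mask := b - 1
	x[0] ^= mask & (x[0] ^ t[0])
	x[1] ^= mask & (x[1] ^ t[1])
	x[2] ^= mask & (x[2] ^ t[2])
	x[3] ^= mask & (x[3] ^ t[3])
	x[4] ^= mask & (x[4] ^ t[4])
	x[5] ^= mask & (x[5] ^ t[5])
}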
    88  
// ladd sets z = x + y as plain 384-bit integers: no reduction modulo q is
// performed and a carry out of the top limb is discarded. z may alias x or y
// since each limb is read before the same limb of z is written.
func ladd(z, x, y *fe) {
	var carry uint64
	for i := 0; i < 6; i++ {
		z[i], carry = bits.Add64(x[i], y[i], carry)
	}
}
    98  
// laddAssign sets x = x + y as plain 384-bit integers, without reduction
// modulo q; a carry out of the top limb is discarded. y may alias x.
func laddAssign(x, y *fe) {
	var carry uint64
	for i := 0; i < 6; i++ {
		x[i], carry = bits.Add64(x[i], y[i], carry)
	}
}
   108  
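// double sets z = 2x mod q.
//
// x is expected to be fully reduced, so 2x < 2q < 2^384 and one subtraction
// of q suffices. z may alias x.
//
// The reduction is branch-free: z - q is always computed and selected with a
// mask derived from the borrow, so the instruction sequence does not depend
// on the value being reduced. As noted in the file header, this is not a
// guarantee about the machine code the compiler emits.
func double(z, x *fe) {
	var carry uint64

	z[0], carry = bits.Add64(x[0], x[0], 0)
	z[1], carry = bits.Add64(x[1], x[1], carry)
	z[2], carry = bits.Add64(x[2], x[2], carry)
	z[3], carry = bits.Add64(x[3], x[3], carry)
	z[4], carry = bits.Add64(x[4], x[4], carry)
	z[5], _ = bits.Add64(x[5], x[5], carry)

	// t = z - q; b == 1 iff z < q.
	var t [6]uint64
	var b uint64
	t[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
	t[1], b = bits.Sub64(z[1], 2210141511517208575, b)
	t[2], b = bits.Sub64(z[2], 7435674573564081700, b)
	t[3], b = bits.Sub64(z[3], 7239337960414712511, b)
	t[4], b = bits.Sub64(z[4], 5412103778470702295, b)
	t[5], b = bits.Sub64(z[5], 1873798617647539866, b)

	// mask is all ones when z >= q (b == 0): select t, otherwise keep z.
	mask := b - 1
	z[0] ^= mask & (z[0] ^ t[0])
	z[1] ^= mask & (z[1] ^ t[1])
	z[2] ^= mask & (z[2] ^ t[2])
	z[3] ^= mask & (z[3] ^ t[3])
	z[4] ^= mask & (z[4] ^ t[4])
	z[5] ^= mask & (z[5] ^ t[5])
}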
   131  
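// doubleAssign sets z = 2z mod q (in-place variant of double).
//
// z is expected to be fully reduced, so 2z < 2q < 2^384 and one subtraction
// of q suffices.
//
// The reduction is branch-free: z - q is always computed and selected with a
// mask derived from the borrow, so the instruction sequence does not depend
// on the value being reduced. As noted in the file header, this is not a
// guarantee about the machine code the compiler emits.
func doubleAssign(z *fe) {
	var carry uint64

	z[0], carry = bits.Add64(z[0], z[0], 0)
	z[1], carry = bits.Add64(z[1], z[1], carry)
	z[2], carry = bits.Add64(z[2], z[2], carry)
	z[3], carry = bits.Add64(z[3], z[3], carry)
	z[4], carry = bits.Add64(z[4], z[4], carry)
	z[5], _ = bits.Add64(z[5], z[5], carry)

	// t = z - q; b == 1 iff z < q.
	var t [6]uint64
	var b uint64
	t[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
	t[1], b = bits.Sub64(z[1], 2210141511517208575, b)
	t[2], b = bits.Sub64(z[2], 7435674573564081700, b)
	t[3], b = bits.Sub64(z[3], 7239337960414712511, b)
	t[4], b = bits.Sub64(z[4], 5412103778470702295, b)
	t[5], b = bits.Sub64(z[5], 1873798617647539866, b)

	// mask is all ones when z >= q (b == 0): select t, otherwise keep z.
	mask := b - 1
	z[0] ^= mask & (z[0] ^ t[0])
	z[1] ^= mask & (z[1] ^ t[1])
	z[2] ^= mask & (z[2] ^ t[2])
	z[3] ^= mask & (z[3] ^ t[3])
	z[4] ^= mask & (z[4] ^ t[4])
	z[5] ^= mask & (z[5] ^ t[5])
}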
   154  
// ldouble sets z = 2x as a plain 384-bit integer, without reduction modulo q;
// a carry out of the top limb is discarded. z may alias x.
func ldouble(z, x *fe) {
	var carry uint64
	for i := 0; i < 6; i++ {
		z[i], carry = bits.Add64(x[i], x[i], carry)
	}
}
   165  
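// sub sets z = x - y mod q.
//
// Operands are expected to be fully reduced. The limb-wise subtraction is
// followed by adding q back exactly when it borrowed (x < y). z may alias x
// or y.
//
// The add-back is branch-free: q is masked by the final borrow and always
// added, so the instruction sequence does not depend on the operands. As
// noted in the file header, this is not a guarantee about the machine code
// the compiler emits.
func sub(z, x, y *fe) {
	var b uint64
	z[0], b = bits.Sub64(x[0], y[0], 0)
	z[1], b = bits.Sub64(x[1], y[1], b)
	z[2], b = bits.Sub64(x[2], y[2], b)
	z[3], b = bits.Sub64(x[3], y[3], b)
	z[4], b = bits.Sub64(x[4], y[4], b)
	z[5], b = bits.Sub64(x[5], y[5], b)

	// b is 1 iff x < y; mask is then all ones and the chain below adds q,
	// otherwise it adds 0 and propagates no carry.
	mask := -b
	var c uint64
	z[0], c = bits.Add64(z[0], mask&13402431016077863595, 0)
	z[1], c = bits.Add64(z[1], mask&2210141511517208575, c)
	z[2], c = bits.Add64(z[2], mask&7435674573564081700, c)
	z[3], c = bits.Add64(z[3], mask&7239337960414712511, c)
	z[4], c = bits.Add64(z[4], mask&5412103778470702295, c)
	z[5], _ = bits.Add64(z[5], mask&1873798617647539866, c)
}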
   184  
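// subAssign sets z = z - x mod q (in-place variant of sub).
//
// Operands are expected to be fully reduced. q is added back exactly when the
// limb-wise subtraction borrowed (z < x). x may alias z.
//
// The add-back is branch-free: q is masked by the final borrow and always
// added, so the instruction sequence does not depend on the operands. As
// noted in the file header, this is not a guarantee about the machine code
// the compiler emits.
func subAssign(z, x *fe) {
	var b uint64
	z[0], b = bits.Sub64(z[0], x[0], 0)
	z[1], b = bits.Sub64(z[1], x[1], b)
	z[2], b = bits.Sub64(z[2], x[2], b)
	z[3], b = bits.Sub64(z[3], x[3], b)
	z[4], b = bits.Sub64(z[4], x[4], b)
	z[5], b = bits.Sub64(z[5], x[5], b)

	// b is 1 iff z < x; mask is then all ones and the chain below adds q,
	// otherwise it adds 0 and propagates no carry.
	mask := -b
	var c uint64
	z[0], c = bits.Add64(z[0], mask&13402431016077863595, 0)
	z[1], c = bits.Add64(z[1], mask&2210141511517208575, c)
	z[2], c = bits.Add64(z[2], mask&7435674573564081700, c)
	z[3], c = bits.Add64(z[3], mask&7239337960414712511, c)
	z[4], c = bits.Add64(z[4], mask&5412103778470702295, c)
	z[5], _ = bits.Add64(z[5], mask&1873798617647539866, c)
}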
   203  
// lsubAssign sets z = z - x as plain 384-bit integers, without reduction
// modulo q; a borrow out of the top limb is discarded, so the result wraps
// modulo 2^384 when z < x. x may alias z.
func lsubAssign(z, x *fe) {
	var borrow uint64
	for i := 0; i < 6; i++ {
		z[i], borrow = bits.Sub64(z[i], x[i], borrow)
	}
}
   213  
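// neg sets z = -x mod q, i.e. q - x for x != 0 and 0 for x == 0.
//
// z may alias x. The zero case is handled with a mask rather than an early
// return, so the instruction sequence does not depend on whether x is zero:
// q - x is always computed, then cleared when every limb of x was zero. As
// noted in the file header, this is not a guarantee about the machine code
// the compiler emits.
func neg(z *fe, x *fe) {
	// Read x before writing z in case they alias.
	nz := x[0] | x[1] | x[2] | x[3] | x[4] | x[5]

	var borrow uint64
	z[0], borrow = bits.Sub64(13402431016077863595, x[0], 0)
	z[1], borrow = bits.Sub64(2210141511517208575, x[1], borrow)
	z[2], borrow = bits.Sub64(7435674573564081700, x[2], borrow)
	z[3], borrow = bits.Sub64(7239337960414712511, x[3], borrow)
	z[4], borrow = bits.Sub64(5412103778470702295, x[4], borrow)
	z[5], _ = bits.Sub64(1873798617647539866, x[5], borrow)

	// isZero is all ones iff nz == 0: for any nz != 0 the top bit of nz or
	// of -nz is set, so (nz | -nz) >> 63 is 1 and the subtraction yields 0.
	isZero := ((nz | -nz) >> 63) - 1
	z[0] &^= isZero
	z[1] &^= isZero
	z[2] &^= isZero
	z[3] &^= isZero
	z[4] &^= isZero
	z[5] &^= isZero
}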
   227  
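// mul sets z = x * y * R^{-1} mod q with R = 2^384, i.e. the Montgomery
// product of x and y. Operands and result are in Montgomery form, so for
// x = aR and y = bR the result is (ab)R.
//
// The six rounds are a CIOS Montgomery multiplication over 64-bit limbs:
// round i adds x[i]*y to the accumulator t and then adds m*q, where
// m = t[0] * 9940570264628428797 (that constant is -q^{-1} mod 2^64) is chosen
// so that the lowest limb becomes zero and can be shifted out. For x, y < q
// the accumulator stays below 2q, so one conditional subtraction of q at the
// end fully reduces the result.
//
// z may alias x or y: every limb of x and y is read before the same limb of
// z is written in round 5, and rounds 0-4 do not write z at all.
//
// The final subtraction is branch-free: z - q is always computed and then
// selected with a mask derived from the borrow, so together with the
// straight-line rounds the instruction sequence does not depend on the
// operand values. As noted in the file header, this is not a guarantee about
// the machine code the compiler emits.
func mul(z, x, y *fe) {
	var t [6]uint64
	var c [3]uint64
	{
		// round 0
		v := x[0]
		c[1], c[0] = bits.Mul64(v, y[0])
		m := c[0] * 9940570264628428797
		c[2] = madd0(m, 13402431016077863595, c[0])
		c[1], c[0] = madd1(v, y[1], c[1])
		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
		c[1], c[0] = madd1(v, y[2], c[1])
		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
		c[1], c[0] = madd1(v, y[3], c[1])
		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
		c[1], c[0] = madd1(v, y[4], c[1])
		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
		c[1], c[0] = madd1(v, y[5], c[1])
		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
	}
	{
		// round 1
		v := x[1]
		c[1], c[0] = madd1(v, y[0], t[0])
		m := c[0] * 9940570264628428797
		c[2] = madd0(m, 13402431016077863595, c[0])
		c[1], c[0] = madd2(v, y[1], c[1], t[1])
		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
		c[1], c[0] = madd2(v, y[2], c[1], t[2])
		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
		c[1], c[0] = madd2(v, y[3], c[1], t[3])
		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
		c[1], c[0] = madd2(v, y[4], c[1], t[4])
		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
		c[1], c[0] = madd2(v, y[5], c[1], t[5])
		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
	}
	{
		// round 2
		v := x[2]
		c[1], c[0] = madd1(v, y[0], t[0])
		m := c[0] * 9940570264628428797
		c[2] = madd0(m, 13402431016077863595, c[0])
		c[1], c[0] = madd2(v, y[1], c[1], t[1])
		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
		c[1], c[0] = madd2(v, y[2], c[1], t[2])
		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
		c[1], c[0] = madd2(v, y[3], c[1], t[3])
		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
		c[1], c[0] = madd2(v, y[4], c[1], t[4])
		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
		c[1], c[0] = madd2(v, y[5], c[1], t[5])
		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
	}
	{
		// round 3
		v := x[3]
		c[1], c[0] = madd1(v, y[0], t[0])
		m := c[0] * 9940570264628428797
		c[2] = madd0(m, 13402431016077863595, c[0])
		c[1], c[0] = madd2(v, y[1], c[1], t[1])
		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
		c[1], c[0] = madd2(v, y[2], c[1], t[2])
		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
		c[1], c[0] = madd2(v, y[3], c[1], t[3])
		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
		c[1], c[0] = madd2(v, y[4], c[1], t[4])
		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
		c[1], c[0] = madd2(v, y[5], c[1], t[5])
		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
	}
	{
		// round 4
		v := x[4]
		c[1], c[0] = madd1(v, y[0], t[0])
		m := c[0] * 9940570264628428797
		c[2] = madd0(m, 13402431016077863595, c[0])
		c[1], c[0] = madd2(v, y[1], c[1], t[1])
		c[2], t[0] = madd2(m, 2210141511517208575, c[2], c[0])
		c[1], c[0] = madd2(v, y[2], c[1], t[2])
		c[2], t[1] = madd2(m, 7435674573564081700, c[2], c[0])
		c[1], c[0] = madd2(v, y[3], c[1], t[3])
		c[2], t[2] = madd2(m, 7239337960414712511, c[2], c[0])
		c[1], c[0] = madd2(v, y[4], c[1], t[4])
		c[2], t[3] = madd2(m, 5412103778470702295, c[2], c[0])
		c[1], c[0] = madd2(v, y[5], c[1], t[5])
		t[5], t[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
	}
	{
		// round 5: the last round writes straight into z.
		v := x[5]
		c[1], c[0] = madd1(v, y[0], t[0])
		m := c[0] * 9940570264628428797
		c[2] = madd0(m, 13402431016077863595, c[0])
		c[1], c[0] = madd2(v, y[1], c[1], t[1])
		c[2], z[0] = madd2(m, 2210141511517208575, c[2], c[0])
		c[1], c[0] = madd2(v, y[2], c[1], t[2])
		c[2], z[1] = madd2(m, 7435674573564081700, c[2], c[0])
		c[1], c[0] = madd2(v, y[3], c[1], t[3])
		c[2], z[2] = madd2(m, 7239337960414712511, c[2], c[0])
		c[1], c[0] = madd2(v, y[4], c[1], t[4])
		c[2], z[3] = madd2(m, 5412103778470702295, c[2], c[0])
		c[1], c[0] = madd2(v, y[5], c[1], t[5])
		z[5], z[4] = madd3(m, 1873798617647539866, c[0], c[2], c[1])
	}

	// Branch-free final reduction: r = z - q; b == 1 iff z < q.
	var r [6]uint64
	var b uint64
	r[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
	r[1], b = bits.Sub64(z[1], 2210141511517208575, b)
	r[2], b = bits.Sub64(z[2], 7435674573564081700, b)
	r[3], b = bits.Sub64(z[3], 7239337960414712511, b)
	r[4], b = bits.Sub64(z[4], 5412103778470702295, b)
	r[5], b = bits.Sub64(z[5], 1873798617647539866, b)

	// mask is all ones when z >= q (b == 0): select r, otherwise keep z.
	mask := b - 1
	z[0] ^= mask & (z[0] ^ r[0])
	z[1] ^= mask & (z[1] ^ r[1])
	z[2] ^= mask & (z[2] ^ r[2])
	z[3] ^= mask & (z[3] ^ r[3])
	z[4] ^= mask & (z[4] ^ r[4])
	z[5] ^= mask & (z[5] ^ r[5])
}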
   346  
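// square sets z = x * x * R^{-1} mod q with R = 2^384 (Montgomery squaring),
// so that for x = aR the result is (a^2)R.
//
// This is the same CIOS Montgomery reduction as a general product,
// specialised to a square: in round i the diagonal term x[i]*x[i] is
// accumulated once (madd1) and each off-diagonal product x[i]*x[j], j > i, is
// formed once and doubled by the madd1s/madd2s helpers instead of being
// computed twice. m = p[0] * 9940570264628428797 (that constant is
// -q^{-1} mod 2^64) makes the lowest limb of p + m*q zero so it can be
// shifted out each round. For x < q the accumulator stays below 2q, so one
// conditional subtraction of q at the end fully reduces the result.
//
// z may alias x: rounds 0-4 do not write z, and in round 5 x[5] is the only
// input limb still read and it is consumed before z[5] is written.
//
// The final subtraction is branch-free: z - q is always computed and then
// selected with a mask derived from the borrow, so together with the
// straight-line rounds the instruction sequence does not depend on the
// operand value. As noted in the file header, this is not a guarantee about
// the machine code the compiler emits.
func square(z, x *fe) {
	var p [6]uint64

	var u, v uint64
	{
		// round 0
		u, p[0] = bits.Mul64(x[0], x[0])
		m := p[0] * 9940570264628428797
		C := madd0(m, 13402431016077863595, p[0])
		var t uint64
		t, u, v = madd1sb(x[0], x[1], u)
		C, p[0] = madd2(m, 2210141511517208575, v, C)
		t, u, v = madd1s(x[0], x[2], t, u)
		C, p[1] = madd2(m, 7435674573564081700, v, C)
		t, u, v = madd1s(x[0], x[3], t, u)
		C, p[2] = madd2(m, 7239337960414712511, v, C)
		t, u, v = madd1s(x[0], x[4], t, u)
		C, p[3] = madd2(m, 5412103778470702295, v, C)
		_, u, v = madd1s(x[0], x[5], t, u)
		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
	}
	{
		// round 1
		m := p[0] * 9940570264628428797
		C := madd0(m, 13402431016077863595, p[0])
		u, v = madd1(x[1], x[1], p[1])
		C, p[0] = madd2(m, 2210141511517208575, v, C)
		var t uint64
		t, u, v = madd2sb(x[1], x[2], p[2], u)
		C, p[1] = madd2(m, 7435674573564081700, v, C)
		t, u, v = madd2s(x[1], x[3], p[3], t, u)
		C, p[2] = madd2(m, 7239337960414712511, v, C)
		t, u, v = madd2s(x[1], x[4], p[4], t, u)
		C, p[3] = madd2(m, 5412103778470702295, v, C)
		_, u, v = madd2s(x[1], x[5], p[5], t, u)
		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
	}
	{
		// round 2
		m := p[0] * 9940570264628428797
		C := madd0(m, 13402431016077863595, p[0])
		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
		u, v = madd1(x[2], x[2], p[2])
		C, p[1] = madd2(m, 7435674573564081700, v, C)
		var t uint64
		t, u, v = madd2sb(x[2], x[3], p[3], u)
		C, p[2] = madd2(m, 7239337960414712511, v, C)
		t, u, v = madd2s(x[2], x[4], p[4], t, u)
		C, p[3] = madd2(m, 5412103778470702295, v, C)
		_, u, v = madd2s(x[2], x[5], p[5], t, u)
		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
	}
	{
		// round 3
		m := p[0] * 9940570264628428797
		C := madd0(m, 13402431016077863595, p[0])
		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
		C, p[1] = madd2(m, 7435674573564081700, p[2], C)
		u, v = madd1(x[3], x[3], p[3])
		C, p[2] = madd2(m, 7239337960414712511, v, C)
		var t uint64
		t, u, v = madd2sb(x[3], x[4], p[4], u)
		C, p[3] = madd2(m, 5412103778470702295, v, C)
		_, u, v = madd2s(x[3], x[5], p[5], t, u)
		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
	}
	{
		// round 4
		m := p[0] * 9940570264628428797
		C := madd0(m, 13402431016077863595, p[0])
		C, p[0] = madd2(m, 2210141511517208575, p[1], C)
		C, p[1] = madd2(m, 7435674573564081700, p[2], C)
		C, p[2] = madd2(m, 7239337960414712511, p[3], C)
		u, v = madd1(x[4], x[4], p[4])
		C, p[3] = madd2(m, 5412103778470702295, v, C)
		_, u, v = madd2sb(x[4], x[5], p[5], u)
		p[5], p[4] = madd3(m, 1873798617647539866, v, C, u)
	}
	{
		// round 5: the last round writes straight into z.
		m := p[0] * 9940570264628428797
		C := madd0(m, 13402431016077863595, p[0])
		C, z[0] = madd2(m, 2210141511517208575, p[1], C)
		C, z[1] = madd2(m, 7435674573564081700, p[2], C)
		C, z[2] = madd2(m, 7239337960414712511, p[3], C)
		C, z[3] = madd2(m, 5412103778470702295, p[4], C)
		u, v = madd1(x[5], x[5], p[5])
		z[5], z[4] = madd3(m, 1873798617647539866, v, C, u)
	}

	// Branch-free final reduction: r = z - q; b == 1 iff z < q.
	var r [6]uint64
	var b uint64
	r[0], b = bits.Sub64(z[0], 13402431016077863595, 0)
	r[1], b = bits.Sub64(z[1], 2210141511517208575, b)
	r[2], b = bits.Sub64(z[2], 7435674573564081700, b)
	r[3], b = bits.Sub64(z[3], 7239337960414712511, b)
	r[4], b = bits.Sub64(z[4], 5412103778470702295, b)
	r[5], b = bits.Sub64(z[5], 1873798617647539866, b)

	// mask is all ones when z >= q (b == 0): select r, otherwise keep z.
	mask := b - 1
	z[0] ^= mask & (z[0] ^ r[0])
	z[1] ^= mask & (z[1] ^ r[1])
	z[2] ^= mask & (z[2] ^ r[2])
	z[3] ^= mask & (z[3] ^ r[3])
	z[4] ^= mask & (z[4] ^ r[4])
	z[5] ^= mask & (z[5] ^ r[5])
}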
   449  
   450  // arith.go
   451  // Copyright 2020 ConsenSys AG
   452  //
   453  // Licensed under the Apache License, Version 2.0 (the "License");
   454  // you may not use this file except in compliance with the License.
   455  // You may obtain a copy of the License at
   456  //
   457  //     http://www.apache.org/licenses/LICENSE-2.0
   458  //
   459  // Unless required by applicable law or agreed to in writing, software
   460  // distributed under the License is distributed on an "AS IS" BASIS,
   461  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   462  // See the License for the specific language governing permissions and
   463  // limitations under the License.
   464  
   465  // Code generated by goff DO NOT EDIT
   466  
// madd accumulates the 128-bit product a*b into the three-limb value
// (t, u, v): v takes the low limb, u the high limb plus the carry out of v,
// and t absorbs the carry out of u. A carry out of t is dropped.
func madd(a, b, t, u, v uint64) (uint64, uint64, uint64) {
	hi, lo := bits.Mul64(a, b)
	var k uint64
	v, k = bits.Add64(v, lo, 0)
	u, k = bits.Add64(u, hi, k)
	t += k
	return t, u, v
}
   475  
// madd0 returns the high 64 bits of a*b + c; the low limb is discarded.
// The sum fits in 128 bits for all inputs, so nothing is lost beyond lo.
func madd0(a, b, c uint64) (hi uint64) {
	var lo uint64
	hi, lo = bits.Mul64(a, b)
	_, k := bits.Add64(lo, c, 0)
	return hi + k
}
   484  
// madd1 returns hi:lo = a*b + c. The sum always fits in 128 bits.
func madd1(a, b, c uint64) (hi uint64, lo uint64) {
	p1, p0 := bits.Mul64(a, b)
	sum, k := bits.Add64(p0, c, 0)
	return p1 + k, sum
}
   493  
   494  // madd2 hi, lo = a*b + c + d
   495  func madd2(a, b, c, d uint64) (hi uint64, lo uint64) {
   496  	var carry uint64
   497  	hi, lo = bits.Mul64(a, b)
   498  	c, carry = bits.Add64(c, d, 0)
   499  	hi, _ = bits.Add64(hi, 0, carry)
   500  	lo, carry = bits.Add64(lo, c, 0)
   501  	hi, _ = bits.Add64(hi, 0, carry)
   502  	return
   503  }
   504  
// madd2s returns superhi:hi:lo obtained by doubling the product a*b, adding
// c + e to the low two limbs and adding d to the middle limb. superhi only
// captures the bit shifted out when the product is doubled; carries produced
// by the later additions into hi are dropped, so the result is exact only
// when the caller's operands cannot overflow hi (presumably guaranteed by the
// bounds of the squaring rounds that use it).
func madd2s(a, b, c, d, e uint64) (superhi, hi, lo uint64) {
	p1, p0 := bits.Mul64(a, b)

	// 2*a*b: the carry out of the high limb becomes superhi.
	var k uint64
	lo, k = bits.Add64(p0, p0, 0)
	hi, superhi = bits.Add64(p1, p1, k)

	// + (c + e), carry into hi; then + d into hi. Carries out of hi are lost.
	s, k := bits.Add64(c, e, 0)
	hi += k
	lo, k = bits.Add64(lo, s, 0)
	hi += k + d
	return superhi, hi, lo
}
   520  
// madd1s returns superhi:hi:lo obtained by doubling the product a*b, adding e
// to the low limb and adding d to the middle limb. superhi only captures the
// bit shifted out when the product is doubled; carries out of hi produced by
// the later additions are dropped.
func madd1s(a, b, d, e uint64) (superhi, hi, lo uint64) {
	p1, p0 := bits.Mul64(a, b)

	// 2*a*b: the carry out of the high limb becomes superhi.
	var k uint64
	lo, k = bits.Add64(p0, p0, 0)
	hi, superhi = bits.Add64(p1, p1, k)

	// + e into lo with carry into hi, then + d into hi.
	lo, k = bits.Add64(lo, e, 0)
	hi += k + d
	return superhi, hi, lo
}
   532  
// madd2sb is madd2s without the middle-limb addend: it returns
// superhi:hi:lo obtained by doubling a*b and adding c + e to the low two
// limbs. superhi only captures the bit shifted out by the doubling; carries
// out of hi produced by the later additions are dropped.
func madd2sb(a, b, c, e uint64) (superhi, hi, lo uint64) {
	p1, p0 := bits.Mul64(a, b)

	// 2*a*b: the carry out of the high limb becomes superhi.
	var k uint64
	lo, k = bits.Add64(p0, p0, 0)
	hi, superhi = bits.Add64(p1, p1, k)

	// + (c + e); the carry of c + e and of the low-limb add both go to hi.
	s, k := bits.Add64(c, e, 0)
	hi += k
	lo, k = bits.Add64(lo, s, 0)
	hi += k
	return superhi, hi, lo
}
   546  
// madd1sb is madd1s without the middle-limb addend: it returns
// superhi:hi:lo obtained by doubling a*b and adding e to the low limb.
// superhi only captures the bit shifted out by the doubling; a carry out of
// hi produced by the later addition is dropped.
func madd1sb(a, b, e uint64) (superhi, hi, lo uint64) {
	p1, p0 := bits.Mul64(a, b)

	// 2*a*b: the carry out of the high limb becomes superhi.
	var k uint64
	lo, k = bits.Add64(p0, p0, 0)
	hi, superhi = bits.Add64(p1, p1, k)

	// + e into lo, carry into hi.
	lo, k = bits.Add64(lo, e, 0)
	hi += k
	return superhi, hi, lo
}
   557  
   558  func madd3(a, b, c, d, e uint64) (hi uint64, lo uint64) {
   559  	var carry uint64
   560  	hi, lo = bits.Mul64(a, b)
   561  	c, carry = bits.Add64(c, d, 0)
   562  	hi, _ = bits.Add64(hi, 0, carry)
   563  	lo, carry = bits.Add64(lo, c, 0)
   564  	hi, _ = bits.Add64(hi, e, carry)
   565  	return
   566  }