github.com/twelsh-aw/go/src@v0.0.0-20230516233729-a56fe86a7c81/crypto/internal/nistec/fiat/p256_fiat64.go (about) 1 // Code generated by Fiat Cryptography. DO NOT EDIT. 2 // 3 // Autogenerated: word_by_word_montgomery --lang Go --no-wide-int --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --internal-static --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name fiat --no-prefix-fiat p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub one from_montgomery to_montgomery selectznz to_bytes from_bytes 4 // 5 // curve description: p256 6 // 7 // machine_wordsize = 64 (from "64") 8 // 9 // requested operations: mul, square, add, sub, one, from_montgomery, to_montgomery, selectznz, to_bytes, from_bytes 10 // 11 // m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") 12 // 13 // 14 // 15 // NOTE: In addition to the bounds specified above each function, all 16 // 17 // functions synthesized for this Montgomery arithmetic require the 18 // 19 // input to be strictly less than the prime modulus (m), and also 20 // 21 // require the input to be in the unique saturated representation. 22 // 23 // All functions also ensure that these two properties are true of 24 // 25 // return values. 26 // 27 // 28 // 29 // Computed values: 30 // 31 // eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) 32 // 33 // bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) 34 // 35 // twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in 36 // 37 // if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 38 39 package fiat 40 41 import "math/bits" 42 43 type p256Uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 44 type p256Int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 45 46 // The type p256MontgomeryDomainFieldElement is a field element in the Montgomery domain. 47 // 48 // Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 49 type p256MontgomeryDomainFieldElement [4]uint64 50 51 // The type p256NonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain. 52 // 53 // Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 54 type p256NonMontgomeryDomainFieldElement [4]uint64 55 56 // p256CmovznzU64 is a single-word conditional move. 57 // 58 // Postconditions: 59 // 60 // out1 = (if arg1 = 0 then arg2 else arg3) 61 // 62 // Input Bounds: 63 // 64 // arg1: [0x0 ~> 0x1] 65 // arg2: [0x0 ~> 0xffffffffffffffff] 66 // arg3: [0x0 ~> 0xffffffffffffffff] 67 // 68 // Output Bounds: 69 // 70 // out1: [0x0 ~> 0xffffffffffffffff] 71 func p256CmovznzU64(out1 *uint64, arg1 p256Uint1, arg2 uint64, arg3 uint64) { 72 x1 := (uint64(arg1) * 0xffffffffffffffff) 73 x2 := ((x1 & arg3) | ((^x1) & arg2)) 74 *out1 = x2 75 } 76 77 // p256Mul multiplies two field elements in the Montgomery domain. 78 // 79 // Preconditions: 80 // 81 // 0 ≤ eval arg1 < m 82 // 0 ≤ eval arg2 < m 83 // 84 // Postconditions: 85 // 86 // eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m 87 // 0 ≤ eval out1 < m 88 func p256Mul(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement, arg2 *p256MontgomeryDomainFieldElement) { 89 x1 := arg1[1] 90 x2 := arg1[2] 91 x3 := arg1[3] 92 x4 := arg1[0] 93 var x5 uint64 94 var x6 uint64 95 x6, x5 = bits.Mul64(x4, arg2[3]) 96 var x7 uint64 97 var x8 uint64 98 x8, x7 = bits.Mul64(x4, arg2[2]) 99 var x9 uint64 100 var x10 uint64 101 x10, x9 = bits.Mul64(x4, arg2[1]) 102 var x11 uint64 103 var x12 uint64 104 x12, x11 = bits.Mul64(x4, arg2[0]) 105 var x13 uint64 106 var x14 uint64 107 x13, x14 = bits.Add64(x12, x9, uint64(0x0)) 108 var x15 uint64 109 var x16 uint64 110 x15, x16 = bits.Add64(x10, x7, uint64(p256Uint1(x14))) 111 var x17 uint64 112 var x18 uint64 113 x17, x18 = bits.Add64(x8, x5, uint64(p256Uint1(x16))) 114 x19 := (uint64(p256Uint1(x18)) + x6) 115 var x20 uint64 116 var x21 uint64 117 x21, x20 = bits.Mul64(x11, 0xffffffff00000001) 118 var x22 uint64 119 var x23 uint64 120 x23, x22 = bits.Mul64(x11, 0xffffffff) 121 var x24 uint64 122 var x25 uint64 123 x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) 124 var x26 uint64 125 var x27 uint64 126 x26, x27 = bits.Add64(x25, x22, uint64(0x0)) 127 x28 := (uint64(p256Uint1(x27)) + x23) 128 var x30 uint64 129 _, x30 = bits.Add64(x11, x24, uint64(0x0)) 130 var x31 uint64 131 var x32 uint64 132 x31, x32 = bits.Add64(x13, x26, uint64(p256Uint1(x30))) 133 var x33 uint64 134 var x34 uint64 135 x33, x34 = bits.Add64(x15, x28, uint64(p256Uint1(x32))) 136 var x35 uint64 137 var x36 uint64 138 x35, x36 = bits.Add64(x17, x20, uint64(p256Uint1(x34))) 139 var x37 uint64 140 var x38 uint64 141 x37, x38 = bits.Add64(x19, x21, uint64(p256Uint1(x36))) 142 var x39 uint64 143 var x40 uint64 144 x40, x39 = bits.Mul64(x1, arg2[3]) 145 var x41 uint64 146 var x42 uint64 147 x42, x41 = bits.Mul64(x1, arg2[2]) 148 var x43 uint64 149 var x44 uint64 150 x44, x43 = bits.Mul64(x1, arg2[1]) 151 var x45 uint64 152 var x46 uint64 153 x46, x45 = bits.Mul64(x1, arg2[0]) 154 var x47 uint64 155 var x48 uint64 156 x47, x48 = bits.Add64(x46, x43, uint64(0x0)) 157 var x49 uint64 158 var x50 uint64 159 x49, x50 = bits.Add64(x44, x41, uint64(p256Uint1(x48))) 160 var x51 uint64 161 var x52 uint64 162 x51, x52 = bits.Add64(x42, x39, uint64(p256Uint1(x50))) 163 x53 := (uint64(p256Uint1(x52)) + x40) 164 var x54 uint64 165 var x55 uint64 166 x54, x55 = bits.Add64(x31, x45, uint64(0x0)) 167 var x56 uint64 168 var x57 uint64 169 x56, x57 = bits.Add64(x33, x47, uint64(p256Uint1(x55))) 170 var x58 uint64 171 var x59 uint64 172 x58, x59 = bits.Add64(x35, x49, uint64(p256Uint1(x57))) 173 var x60 uint64 174 var x61 uint64 175 x60, x61 = bits.Add64(x37, x51, uint64(p256Uint1(x59))) 176 var x62 uint64 177 var x63 uint64 178 x62, x63 = bits.Add64(uint64(p256Uint1(x38)), x53, uint64(p256Uint1(x61))) 179 var x64 uint64 180 var x65 uint64 181 x65, x64 = bits.Mul64(x54, 0xffffffff00000001) 182 var x66 uint64 183 var x67 uint64 184 x67, x66 = bits.Mul64(x54, 0xffffffff) 185 var x68 uint64 186 var x69 uint64 187 x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) 188 var x70 uint64 189 var x71 uint64 190 x70, x71 = bits.Add64(x69, x66, uint64(0x0)) 191 x72 := (uint64(p256Uint1(x71)) + x67) 192 var x74 uint64 193 _, x74 = bits.Add64(x54, x68, uint64(0x0)) 194 var x75 uint64 195 var x76 uint64 196 x75, x76 = bits.Add64(x56, x70, uint64(p256Uint1(x74))) 197 var x77 uint64 198 var x78 uint64 199 x77, x78 = bits.Add64(x58, x72, uint64(p256Uint1(x76))) 200 var x79 uint64 201 var x80 uint64 202 x79, x80 = bits.Add64(x60, x64, uint64(p256Uint1(x78))) 203 var x81 uint64 204 var x82 uint64 205 x81, x82 = bits.Add64(x62, x65, uint64(p256Uint1(x80))) 206 x83 := (uint64(p256Uint1(x82)) + uint64(p256Uint1(x63))) 207 var x84 uint64 208 var x85 uint64 209 x85, x84 = bits.Mul64(x2, arg2[3]) 210 var x86 uint64 211 var x87 uint64 212 x87, x86 = bits.Mul64(x2, arg2[2]) 213 var x88 uint64 214 var x89 uint64 215 x89, x88 = bits.Mul64(x2, arg2[1]) 216 var x90 uint64 217 var x91 uint64 218 x91, x90 = bits.Mul64(x2, arg2[0]) 219 var x92 uint64 220 var x93 uint64 221 x92, x93 = bits.Add64(x91, x88, uint64(0x0)) 222 var x94 uint64 223 var x95 uint64 224 x94, x95 = bits.Add64(x89, x86, uint64(p256Uint1(x93))) 225 var x96 uint64 226 var x97 uint64 227 x96, x97 = bits.Add64(x87, x84, uint64(p256Uint1(x95))) 228 x98 := (uint64(p256Uint1(x97)) + x85) 229 var x99 uint64 230 var x100 uint64 231 x99, x100 = bits.Add64(x75, x90, uint64(0x0)) 232 var x101 uint64 233 var x102 uint64 234 x101, x102 = bits.Add64(x77, x92, uint64(p256Uint1(x100))) 235 var x103 uint64 236 var x104 uint64 237 x103, x104 = bits.Add64(x79, x94, uint64(p256Uint1(x102))) 238 var x105 uint64 239 var x106 uint64 240 x105, x106 = bits.Add64(x81, x96, uint64(p256Uint1(x104))) 241 var x107 uint64 242 var x108 uint64 243 x107, x108 = bits.Add64(x83, x98, uint64(p256Uint1(x106))) 244 var x109 uint64 245 var x110 uint64 246 x110, x109 = bits.Mul64(x99, 0xffffffff00000001) 247 var x111 uint64 248 var x112 uint64 249 x112, x111 = bits.Mul64(x99, 0xffffffff) 250 var x113 uint64 251 var x114 uint64 252 x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) 253 var x115 uint64 254 var x116 uint64 255 x115, x116 = bits.Add64(x114, x111, uint64(0x0)) 256 x117 := (uint64(p256Uint1(x116)) + x112) 257 var x119 uint64 258 _, x119 = bits.Add64(x99, x113, uint64(0x0)) 259 var x120 uint64 260 var x121 uint64 261 x120, x121 = bits.Add64(x101, x115, uint64(p256Uint1(x119))) 262 var x122 uint64 263 var x123 uint64 264 x122, x123 = bits.Add64(x103, x117, uint64(p256Uint1(x121))) 265 var x124 uint64 266 var x125 uint64 267 x124, x125 = bits.Add64(x105, x109, uint64(p256Uint1(x123))) 268 var x126 uint64 269 var x127 uint64 270 x126, x127 = bits.Add64(x107, x110, uint64(p256Uint1(x125))) 271 x128 := (uint64(p256Uint1(x127)) + uint64(p256Uint1(x108))) 272 var x129 uint64 273 var x130 uint64 274 x130, x129 = bits.Mul64(x3, arg2[3]) 275 var x131 uint64 276 var x132 uint64 277 x132, x131 = bits.Mul64(x3, arg2[2]) 278 var x133 uint64 279 var x134 uint64 280 x134, x133 = bits.Mul64(x3, arg2[1]) 281 var x135 uint64 282 var x136 uint64 283 x136, x135 = bits.Mul64(x3, arg2[0]) 284 var x137 uint64 285 var x138 uint64 286 x137, x138 = bits.Add64(x136, x133, uint64(0x0)) 287 var x139 uint64 288 var x140 uint64 289 x139, x140 = bits.Add64(x134, x131, uint64(p256Uint1(x138))) 290 var x141 uint64 291 var x142 uint64 292 x141, x142 = bits.Add64(x132, x129, uint64(p256Uint1(x140))) 293 x143 := (uint64(p256Uint1(x142)) + x130) 294 var x144 uint64 295 var x145 uint64 296 x144, x145 = bits.Add64(x120, x135, uint64(0x0)) 297 var x146 uint64 298 var x147 uint64 299 x146, x147 = bits.Add64(x122, x137, uint64(p256Uint1(x145))) 300 var x148 uint64 301 var x149 uint64 302 x148, x149 = bits.Add64(x124, x139, uint64(p256Uint1(x147))) 303 var x150 uint64 304 var x151 uint64 305 x150, x151 = bits.Add64(x126, x141, uint64(p256Uint1(x149))) 306 var x152 uint64 307 var x153 uint64 308 x152, x153 = bits.Add64(x128, x143, uint64(p256Uint1(x151))) 309 var x154 uint64 310 var x155 uint64 311 x155, x154 = bits.Mul64(x144, 0xffffffff00000001) 312 var x156 uint64 313 var x157 uint64 314 x157, x156 = bits.Mul64(x144, 0xffffffff) 315 var x158 uint64 316 var x159 uint64 317 x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) 318 var x160 uint64 319 var x161 uint64 320 x160, x161 = bits.Add64(x159, x156, uint64(0x0)) 321 x162 := (uint64(p256Uint1(x161)) + x157) 322 var x164 uint64 323 _, x164 = bits.Add64(x144, x158, uint64(0x0)) 324 var x165 uint64 325 var x166 uint64 326 x165, x166 = bits.Add64(x146, x160, uint64(p256Uint1(x164))) 327 var x167 uint64 328 var x168 uint64 329 x167, x168 = bits.Add64(x148, x162, uint64(p256Uint1(x166))) 330 var x169 uint64 331 var x170 uint64 332 x169, x170 = bits.Add64(x150, x154, uint64(p256Uint1(x168))) 333 var x171 uint64 334 var x172 uint64 335 x171, x172 = bits.Add64(x152, x155, uint64(p256Uint1(x170))) 336 x173 := (uint64(p256Uint1(x172)) + uint64(p256Uint1(x153))) 337 var x174 uint64 338 var x175 uint64 339 x174, x175 = bits.Sub64(x165, 0xffffffffffffffff, uint64(0x0)) 340 var x176 uint64 341 var x177 uint64 342 x176, x177 = bits.Sub64(x167, 0xffffffff, uint64(p256Uint1(x175))) 343 var x178 uint64 344 var x179 uint64 345 x178, x179 = bits.Sub64(x169, uint64(0x0), uint64(p256Uint1(x177))) 346 var x180 uint64 347 var x181 uint64 348 x180, x181 = bits.Sub64(x171, 0xffffffff00000001, uint64(p256Uint1(x179))) 349 var x183 uint64 350 _, x183 = bits.Sub64(x173, uint64(0x0), uint64(p256Uint1(x181))) 351 var x184 uint64 352 p256CmovznzU64(&x184, p256Uint1(x183), x174, x165) 353 var x185 uint64 354 p256CmovznzU64(&x185, p256Uint1(x183), x176, x167) 355 var x186 uint64 356 p256CmovznzU64(&x186, p256Uint1(x183), x178, x169) 357 var x187 uint64 358 p256CmovznzU64(&x187, p256Uint1(x183), x180, x171) 359 out1[0] = x184 360 out1[1] = x185 361 out1[2] = x186 362 out1[3] = x187 363 } 364 365 // p256Square squares a field element in the Montgomery domain. 366 // 367 // Preconditions: 368 // 369 // 0 ≤ eval arg1 < m 370 // 371 // Postconditions: 372 // 373 // eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m 374 // 0 ≤ eval out1 < m 375 func p256Square(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement) { 376 x1 := arg1[1] 377 x2 := arg1[2] 378 x3 := arg1[3] 379 x4 := arg1[0] 380 var x5 uint64 381 var x6 uint64 382 x6, x5 = bits.Mul64(x4, arg1[3]) 383 var x7 uint64 384 var x8 uint64 385 x8, x7 = bits.Mul64(x4, arg1[2]) 386 var x9 uint64 387 var x10 uint64 388 x10, x9 = bits.Mul64(x4, arg1[1]) 389 var x11 uint64 390 var x12 uint64 391 x12, x11 = bits.Mul64(x4, arg1[0]) 392 var x13 uint64 393 var x14 uint64 394 x13, x14 = bits.Add64(x12, x9, uint64(0x0)) 395 var x15 uint64 396 var x16 uint64 397 x15, x16 = bits.Add64(x10, x7, uint64(p256Uint1(x14))) 398 var x17 uint64 399 var x18 uint64 400 x17, x18 = bits.Add64(x8, x5, uint64(p256Uint1(x16))) 401 x19 := (uint64(p256Uint1(x18)) + x6) 402 var x20 uint64 403 var x21 uint64 404 x21, x20 = bits.Mul64(x11, 0xffffffff00000001) 405 var x22 uint64 406 var x23 uint64 407 x23, x22 = bits.Mul64(x11, 0xffffffff) 408 var x24 uint64 409 var x25 uint64 410 x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) 411 var x26 uint64 412 var x27 uint64 413 x26, x27 = bits.Add64(x25, x22, uint64(0x0)) 414 x28 := (uint64(p256Uint1(x27)) + x23) 415 var x30 uint64 416 _, x30 = bits.Add64(x11, x24, uint64(0x0)) 417 var x31 uint64 418 var x32 uint64 419 x31, x32 = bits.Add64(x13, x26, uint64(p256Uint1(x30))) 420 var x33 uint64 421 var x34 uint64 422 x33, x34 = bits.Add64(x15, x28, uint64(p256Uint1(x32))) 423 var x35 uint64 424 var x36 uint64 425 x35, x36 = bits.Add64(x17, x20, uint64(p256Uint1(x34))) 426 var x37 uint64 427 var x38 uint64 428 x37, x38 = bits.Add64(x19, x21, uint64(p256Uint1(x36))) 429 var x39 uint64 430 var x40 uint64 431 x40, x39 = bits.Mul64(x1, arg1[3]) 432 var x41 uint64 433 var x42 uint64 434 x42, x41 = bits.Mul64(x1, arg1[2]) 435 var x43 uint64 436 var x44 uint64 437 x44, x43 = bits.Mul64(x1, arg1[1]) 438 var x45 uint64 439 var x46 uint64 440 x46, x45 = bits.Mul64(x1, arg1[0]) 441 var x47 uint64 442 var x48 uint64 443 x47, x48 = bits.Add64(x46, x43, uint64(0x0)) 444 var x49 uint64 445 var x50 uint64 446 x49, x50 = bits.Add64(x44, x41, uint64(p256Uint1(x48))) 447 var x51 uint64 448 var x52 uint64 449 x51, x52 = bits.Add64(x42, x39, uint64(p256Uint1(x50))) 450 x53 := (uint64(p256Uint1(x52)) + x40) 451 var x54 uint64 452 var x55 uint64 453 x54, x55 = bits.Add64(x31, x45, uint64(0x0)) 454 var x56 uint64 455 var x57 uint64 456 x56, x57 = bits.Add64(x33, x47, uint64(p256Uint1(x55))) 457 var x58 uint64 458 var x59 uint64 459 x58, x59 = bits.Add64(x35, x49, uint64(p256Uint1(x57))) 460 var x60 uint64 461 var x61 uint64 462 x60, x61 = bits.Add64(x37, x51, uint64(p256Uint1(x59))) 463 var x62 uint64 464 var x63 uint64 465 x62, x63 = bits.Add64(uint64(p256Uint1(x38)), x53, uint64(p256Uint1(x61))) 466 var x64 uint64 467 var x65 uint64 468 x65, x64 = bits.Mul64(x54, 0xffffffff00000001) 469 var x66 uint64 470 var x67 uint64 471 x67, x66 = bits.Mul64(x54, 0xffffffff) 472 var x68 uint64 473 var x69 uint64 474 x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) 475 var x70 uint64 476 var x71 uint64 477 x70, x71 = bits.Add64(x69, x66, uint64(0x0)) 478 x72 := (uint64(p256Uint1(x71)) + x67) 479 var x74 uint64 480 _, x74 = bits.Add64(x54, x68, uint64(0x0)) 481 var x75 uint64 482 var x76 uint64 483 x75, x76 = bits.Add64(x56, x70, uint64(p256Uint1(x74))) 484 var x77 uint64 485 var x78 uint64 486 x77, x78 = bits.Add64(x58, x72, uint64(p256Uint1(x76))) 487 var x79 uint64 488 var x80 uint64 489 x79, x80 = bits.Add64(x60, x64, uint64(p256Uint1(x78))) 490 var x81 uint64 491 var x82 uint64 492 x81, x82 = bits.Add64(x62, x65, uint64(p256Uint1(x80))) 493 x83 := (uint64(p256Uint1(x82)) + uint64(p256Uint1(x63))) 494 var x84 uint64 495 var x85 uint64 496 x85, x84 = bits.Mul64(x2, arg1[3]) 497 var x86 uint64 498 var x87 uint64 499 x87, x86 = bits.Mul64(x2, arg1[2]) 500 var x88 uint64 501 var x89 uint64 502 x89, x88 = bits.Mul64(x2, arg1[1]) 503 var x90 uint64 504 var x91 uint64 505 x91, x90 = bits.Mul64(x2, arg1[0]) 506 var x92 uint64 507 var x93 uint64 508 x92, x93 = bits.Add64(x91, x88, uint64(0x0)) 509 var x94 uint64 510 var x95 uint64 511 x94, x95 = bits.Add64(x89, x86, uint64(p256Uint1(x93))) 512 var x96 uint64 513 var x97 uint64 514 x96, x97 = bits.Add64(x87, x84, uint64(p256Uint1(x95))) 515 x98 := (uint64(p256Uint1(x97)) + x85) 516 var x99 uint64 517 var x100 uint64 518 x99, x100 = bits.Add64(x75, x90, uint64(0x0)) 519 var x101 uint64 520 var x102 uint64 521 x101, x102 = bits.Add64(x77, x92, uint64(p256Uint1(x100))) 522 var x103 uint64 523 var x104 uint64 524 x103, x104 = bits.Add64(x79, x94, uint64(p256Uint1(x102))) 525 var x105 uint64 526 var x106 uint64 527 x105, x106 = bits.Add64(x81, x96, uint64(p256Uint1(x104))) 528 var x107 uint64 529 var x108 uint64 530 x107, x108 = bits.Add64(x83, x98, uint64(p256Uint1(x106))) 531 var x109 uint64 532 var x110 uint64 533 x110, x109 = bits.Mul64(x99, 0xffffffff00000001) 534 var x111 uint64 535 var x112 uint64 536 x112, x111 = bits.Mul64(x99, 0xffffffff) 537 var x113 uint64 538 var x114 uint64 539 x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) 540 var x115 uint64 541 var x116 uint64 542 x115, x116 = bits.Add64(x114, x111, uint64(0x0)) 543 x117 := (uint64(p256Uint1(x116)) + x112) 544 var x119 uint64 545 _, x119 = bits.Add64(x99, x113, uint64(0x0)) 546 var x120 uint64 547 var x121 uint64 548 x120, x121 = bits.Add64(x101, x115, uint64(p256Uint1(x119))) 549 var x122 uint64 550 var x123 uint64 551 x122, x123 = bits.Add64(x103, x117, uint64(p256Uint1(x121))) 552 var x124 uint64 553 var x125 uint64 554 x124, x125 = bits.Add64(x105, x109, uint64(p256Uint1(x123))) 555 var x126 uint64 556 var x127 uint64 557 x126, x127 = bits.Add64(x107, x110, uint64(p256Uint1(x125))) 558 x128 := (uint64(p256Uint1(x127)) + uint64(p256Uint1(x108))) 559 var x129 uint64 560 var x130 uint64 561 x130, x129 = bits.Mul64(x3, arg1[3]) 562 var x131 uint64 563 var x132 uint64 564 x132, x131 = bits.Mul64(x3, arg1[2]) 565 var x133 uint64 566 var x134 uint64 567 x134, x133 = bits.Mul64(x3, arg1[1]) 568 var x135 uint64 569 var x136 uint64 570 x136, x135 = bits.Mul64(x3, arg1[0]) 571 var x137 uint64 572 var x138 uint64 573 x137, x138 = bits.Add64(x136, x133, uint64(0x0)) 574 var x139 uint64 575 var x140 uint64 576 x139, x140 = bits.Add64(x134, x131, uint64(p256Uint1(x138))) 577 var x141 uint64 578 var x142 uint64 579 x141, x142 = bits.Add64(x132, x129, uint64(p256Uint1(x140))) 580 x143 := (uint64(p256Uint1(x142)) + x130) 581 var x144 uint64 582 var x145 uint64 583 x144, x145 = bits.Add64(x120, x135, uint64(0x0)) 584 var x146 uint64 585 var x147 uint64 586 x146, x147 = bits.Add64(x122, x137, uint64(p256Uint1(x145))) 587 var x148 uint64 588 var x149 uint64 589 x148, x149 = bits.Add64(x124, x139, uint64(p256Uint1(x147))) 590 var x150 uint64 591 var x151 uint64 592 x150, x151 = bits.Add64(x126, x141, uint64(p256Uint1(x149))) 593 var x152 uint64 594 var x153 uint64 595 x152, x153 = bits.Add64(x128, x143, uint64(p256Uint1(x151))) 596 var x154 uint64 597 var x155 uint64 598 x155, x154 = bits.Mul64(x144, 0xffffffff00000001) 599 var x156 uint64 600 var x157 uint64 601 x157, x156 = bits.Mul64(x144, 0xffffffff) 602 var x158 uint64 603 var x159 uint64 604 x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) 605 var x160 uint64 606 var x161 uint64 607 x160, x161 = bits.Add64(x159, x156, uint64(0x0)) 608 x162 := (uint64(p256Uint1(x161)) + x157) 609 var x164 uint64 610 _, x164 = bits.Add64(x144, x158, uint64(0x0)) 611 var x165 uint64 612 var x166 uint64 613 x165, x166 = bits.Add64(x146, x160, uint64(p256Uint1(x164))) 614 var x167 uint64 615 var x168 uint64 616 x167, x168 = bits.Add64(x148, x162, uint64(p256Uint1(x166))) 617 var x169 uint64 618 var x170 uint64 619 x169, x170 = bits.Add64(x150, x154, uint64(p256Uint1(x168))) 620 var x171 uint64 621 var x172 uint64 622 x171, x172 = bits.Add64(x152, x155, uint64(p256Uint1(x170))) 623 x173 := (uint64(p256Uint1(x172)) + uint64(p256Uint1(x153))) 624 var x174 uint64 625 var x175 uint64 626 x174, x175 = bits.Sub64(x165, 0xffffffffffffffff, uint64(0x0)) 627 var x176 uint64 628 var x177 uint64 629 x176, x177 = bits.Sub64(x167, 0xffffffff, uint64(p256Uint1(x175))) 630 var x178 uint64 631 var x179 uint64 632 x178, x179 = bits.Sub64(x169, uint64(0x0), uint64(p256Uint1(x177))) 633 var x180 uint64 634 var x181 uint64 635 x180, x181 = bits.Sub64(x171, 0xffffffff00000001, uint64(p256Uint1(x179))) 636 var x183 uint64 637 _, x183 = bits.Sub64(x173, uint64(0x0), uint64(p256Uint1(x181))) 638 var x184 uint64 639 p256CmovznzU64(&x184, p256Uint1(x183), x174, x165) 640 var x185 uint64 641 p256CmovznzU64(&x185, p256Uint1(x183), x176, x167) 642 var x186 uint64 643 p256CmovznzU64(&x186, p256Uint1(x183), x178, x169) 644 var x187 uint64 645 p256CmovznzU64(&x187, p256Uint1(x183), x180, x171) 646 out1[0] = x184 647 out1[1] = x185 648 out1[2] = x186 649 out1[3] = x187 650 } 651 652 // p256Add adds two field elements in the Montgomery domain. 653 // 654 // Preconditions: 655 // 656 // 0 ≤ eval arg1 < m 657 // 0 ≤ eval arg2 < m 658 // 659 // Postconditions: 660 // 661 // eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m 662 // 0 ≤ eval out1 < m 663 func p256Add(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement, arg2 *p256MontgomeryDomainFieldElement) { 664 var x1 uint64 665 var x2 uint64 666 x1, x2 = bits.Add64(arg1[0], arg2[0], uint64(0x0)) 667 var x3 uint64 668 var x4 uint64 669 x3, x4 = bits.Add64(arg1[1], arg2[1], uint64(p256Uint1(x2))) 670 var x5 uint64 671 var x6 uint64 672 x5, x6 = bits.Add64(arg1[2], arg2[2], uint64(p256Uint1(x4))) 673 var x7 uint64 674 var x8 uint64 675 x7, x8 = bits.Add64(arg1[3], arg2[3], uint64(p256Uint1(x6))) 676 var x9 uint64 677 var x10 uint64 678 x9, x10 = bits.Sub64(x1, 0xffffffffffffffff, uint64(0x0)) 679 var x11 uint64 680 var x12 uint64 681 x11, x12 = bits.Sub64(x3, 0xffffffff, uint64(p256Uint1(x10))) 682 var x13 uint64 683 var x14 uint64 684 x13, x14 = bits.Sub64(x5, uint64(0x0), uint64(p256Uint1(x12))) 685 var x15 uint64 686 var x16 uint64 687 x15, x16 = bits.Sub64(x7, 0xffffffff00000001, uint64(p256Uint1(x14))) 688 var x18 uint64 689 _, x18 = bits.Sub64(uint64(p256Uint1(x8)), uint64(0x0), uint64(p256Uint1(x16))) 690 var x19 uint64 691 p256CmovznzU64(&x19, p256Uint1(x18), x9, x1) 692 var x20 uint64 693 p256CmovznzU64(&x20, p256Uint1(x18), x11, x3) 694 var x21 uint64 695 p256CmovznzU64(&x21, p256Uint1(x18), x13, x5) 696 var x22 uint64 697 p256CmovznzU64(&x22, p256Uint1(x18), x15, x7) 698 out1[0] = x19 699 out1[1] = x20 700 out1[2] = x21 701 out1[3] = x22 702 } 703 704 // p256Sub subtracts two field elements in the Montgomery domain. 705 // 706 // Preconditions: 707 // 708 // 0 ≤ eval arg1 < m 709 // 0 ≤ eval arg2 < m 710 // 711 // Postconditions: 712 // 713 // eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m 714 // 0 ≤ eval out1 < m 715 func p256Sub(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement, arg2 *p256MontgomeryDomainFieldElement) { 716 var x1 uint64 717 var x2 uint64 718 x1, x2 = bits.Sub64(arg1[0], arg2[0], uint64(0x0)) 719 var x3 uint64 720 var x4 uint64 721 x3, x4 = bits.Sub64(arg1[1], arg2[1], uint64(p256Uint1(x2))) 722 var x5 uint64 723 var x6 uint64 724 x5, x6 = bits.Sub64(arg1[2], arg2[2], uint64(p256Uint1(x4))) 725 var x7 uint64 726 var x8 uint64 727 x7, x8 = bits.Sub64(arg1[3], arg2[3], uint64(p256Uint1(x6))) 728 var x9 uint64 729 p256CmovznzU64(&x9, p256Uint1(x8), uint64(0x0), 0xffffffffffffffff) 730 var x10 uint64 731 var x11 uint64 732 x10, x11 = bits.Add64(x1, x9, uint64(0x0)) 733 var x12 uint64 734 var x13 uint64 735 x12, x13 = bits.Add64(x3, (x9 & 0xffffffff), uint64(p256Uint1(x11))) 736 var x14 uint64 737 var x15 uint64 738 x14, x15 = bits.Add64(x5, uint64(0x0), uint64(p256Uint1(x13))) 739 var x16 uint64 740 x16, _ = bits.Add64(x7, (x9 & 0xffffffff00000001), uint64(p256Uint1(x15))) 741 out1[0] = x10 742 out1[1] = x12 743 out1[2] = x14 744 out1[3] = x16 745 } 746 747 // p256SetOne returns the field element one in the Montgomery domain. 748 // 749 // Postconditions: 750 // 751 // eval (from_montgomery out1) mod m = 1 mod m 752 // 0 ≤ eval out1 < m 753 func p256SetOne(out1 *p256MontgomeryDomainFieldElement) { 754 out1[0] = uint64(0x1) 755 out1[1] = 0xffffffff00000000 756 out1[2] = 0xffffffffffffffff 757 out1[3] = 0xfffffffe 758 } 759 760 // p256FromMontgomery translates a field element out of the Montgomery domain. 761 // 762 // Preconditions: 763 // 764 // 0 ≤ eval arg1 < m 765 // 766 // Postconditions: 767 // 768 // eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m 769 // 0 ≤ eval out1 < m 770 func p256FromMontgomery(out1 *p256NonMontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement) { 771 x1 := arg1[0] 772 var x2 uint64 773 var x3 uint64 774 x3, x2 = bits.Mul64(x1, 0xffffffff00000001) 775 var x4 uint64 776 var x5 uint64 777 x5, x4 = bits.Mul64(x1, 0xffffffff) 778 var x6 uint64 779 var x7 uint64 780 x7, x6 = bits.Mul64(x1, 0xffffffffffffffff) 781 var x8 uint64 782 var x9 uint64 783 x8, x9 = bits.Add64(x7, x4, uint64(0x0)) 784 var x11 uint64 785 _, x11 = bits.Add64(x1, x6, uint64(0x0)) 786 var x12 uint64 787 var x13 uint64 788 x12, x13 = bits.Add64(uint64(0x0), x8, uint64(p256Uint1(x11))) 789 var x14 uint64 790 var x15 uint64 791 x14, x15 = bits.Add64(x12, arg1[1], uint64(0x0)) 792 var x16 uint64 793 var x17 uint64 794 x17, x16 = bits.Mul64(x14, 0xffffffff00000001) 795 var x18 uint64 796 var x19 uint64 797 x19, x18 = bits.Mul64(x14, 0xffffffff) 798 var x20 uint64 799 var x21 uint64 800 x21, x20 = bits.Mul64(x14, 0xffffffffffffffff) 801 var x22 uint64 802 var x23 uint64 803 x22, x23 = bits.Add64(x21, x18, uint64(0x0)) 804 var x25 uint64 805 _, x25 = bits.Add64(x14, x20, uint64(0x0)) 806 var x26 uint64 807 var x27 uint64 808 x26, x27 = bits.Add64((uint64(p256Uint1(x15)) + (uint64(p256Uint1(x13)) + (uint64(p256Uint1(x9)) + x5))), x22, uint64(p256Uint1(x25))) 809 var x28 uint64 810 var x29 uint64 811 x28, x29 = bits.Add64(x2, (uint64(p256Uint1(x23)) + x19), uint64(p256Uint1(x27))) 812 var x30 uint64 813 var x31 uint64 814 x30, x31 = bits.Add64(x3, x16, uint64(p256Uint1(x29))) 815 var x32 uint64 816 var x33 uint64 817 x32, x33 = bits.Add64(x26, arg1[2], uint64(0x0)) 818 var x34 uint64 819 var x35 uint64 820 x34, x35 = bits.Add64(x28, uint64(0x0), uint64(p256Uint1(x33))) 821 var x36 uint64 822 var x37 uint64 823 x36, x37 = bits.Add64(x30, uint64(0x0), uint64(p256Uint1(x35))) 824 var x38 uint64 825 var x39 uint64 826 x39, x38 = bits.Mul64(x32, 0xffffffff00000001) 827 var x40 uint64 828 var x41 uint64 829 x41, x40 = bits.Mul64(x32, 0xffffffff) 830 var x42 uint64 831 var x43 uint64 832 x43, x42 = bits.Mul64(x32, 0xffffffffffffffff) 833 var x44 uint64 834 var x45 uint64 835 x44, x45 = bits.Add64(x43, x40, uint64(0x0)) 836 var x47 uint64 837 _, x47 = bits.Add64(x32, x42, uint64(0x0)) 838 var x48 uint64 839 var x49 uint64 840 x48, x49 = bits.Add64(x34, x44, uint64(p256Uint1(x47))) 841 var x50 uint64 842 var x51 uint64 843 x50, x51 = bits.Add64(x36, (uint64(p256Uint1(x45)) + x41), uint64(p256Uint1(x49))) 844 var x52 uint64 845 var x53 uint64 846 x52, x53 = bits.Add64((uint64(p256Uint1(x37)) + (uint64(p256Uint1(x31)) + x17)), x38, uint64(p256Uint1(x51))) 847 var x54 uint64 848 var x55 uint64 849 x54, x55 = bits.Add64(x48, arg1[3], uint64(0x0)) 850 var x56 uint64 851 var x57 uint64 852 x56, x57 = bits.Add64(x50, uint64(0x0), uint64(p256Uint1(x55))) 853 var x58 uint64 854 var x59 uint64 855 x58, x59 = bits.Add64(x52, uint64(0x0), uint64(p256Uint1(x57))) 856 var x60 uint64 857 var x61 uint64 858 x61, x60 = bits.Mul64(x54, 0xffffffff00000001) 859 var x62 uint64 860 var x63 uint64 861 x63, x62 = bits.Mul64(x54, 0xffffffff) 862 var x64 uint64 863 var x65 uint64 864 x65, x64 = bits.Mul64(x54, 0xffffffffffffffff) 865 var x66 uint64 866 var x67 uint64 867 x66, x67 = bits.Add64(x65, x62, uint64(0x0)) 868 var x69 uint64 869 _, x69 = bits.Add64(x54, x64, uint64(0x0)) 870 var x70 uint64 871 var x71 uint64 872 x70, x71 = bits.Add64(x56, x66, uint64(p256Uint1(x69))) 873 var x72 uint64 874 var x73 uint64 875 x72, x73 = bits.Add64(x58, (uint64(p256Uint1(x67)) + x63), uint64(p256Uint1(x71))) 876 var x74 uint64 877 var x75 uint64 878 x74, x75 = bits.Add64((uint64(p256Uint1(x59)) + (uint64(p256Uint1(x53)) + x39)), x60, uint64(p256Uint1(x73))) 879 x76 := (uint64(p256Uint1(x75)) + x61) 880 var x77 uint64 881 var x78 uint64 882 x77, x78 = bits.Sub64(x70, 0xffffffffffffffff, uint64(0x0)) 883 var x79 uint64 884 var x80 uint64 885 x79, x80 = bits.Sub64(x72, 0xffffffff, uint64(p256Uint1(x78))) 886 var x81 uint64 887 var x82 uint64 888 x81, x82 = bits.Sub64(x74, uint64(0x0), uint64(p256Uint1(x80))) 889 var x83 uint64 890 var x84 uint64 891 x83, x84 = bits.Sub64(x76, 0xffffffff00000001, uint64(p256Uint1(x82))) 892 var x86 uint64 893 _, x86 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(p256Uint1(x84))) 894 var x87 uint64 895 p256CmovznzU64(&x87, p256Uint1(x86), x77, x70) 896 var x88 uint64 897 p256CmovznzU64(&x88, p256Uint1(x86), x79, x72) 898 var x89 uint64 899 p256CmovznzU64(&x89, p256Uint1(x86), x81, x74) 900 var x90 uint64 901 p256CmovznzU64(&x90, p256Uint1(x86), x83, x76) 902 out1[0] = x87 903 out1[1] = x88 904 out1[2] = x89 905 out1[3] = x90 906 } 907 908 // p256ToMontgomery translates a field element into the Montgomery domain. 909 // 910 // Preconditions: 911 // 912 // 0 ≤ eval arg1 < m 913 // 914 // Postconditions: 915 // 916 // eval (from_montgomery out1) mod m = eval arg1 mod m 917 // 0 ≤ eval out1 < m 918 func p256ToMontgomery(out1 *p256MontgomeryDomainFieldElement, arg1 *p256NonMontgomeryDomainFieldElement) { 919 x1 := arg1[1] 920 x2 := arg1[2] 921 x3 := arg1[3] 922 x4 := arg1[0] 923 var x5 uint64 924 var x6 uint64 925 x6, x5 = bits.Mul64(x4, 0x4fffffffd) 926 var x7 uint64 927 var x8 uint64 928 x8, x7 = bits.Mul64(x4, 0xfffffffffffffffe) 929 var x9 uint64 930 var x10 uint64 931 x10, x9 = bits.Mul64(x4, 0xfffffffbffffffff) 932 var x11 uint64 933 var x12 uint64 934 x12, x11 = bits.Mul64(x4, 0x3) 935 var x13 uint64 936 var x14 uint64 937 x13, x14 = bits.Add64(x12, x9, uint64(0x0)) 938 var x15 uint64 939 var x16 uint64 940 x15, x16 = bits.Add64(x10, x7, uint64(p256Uint1(x14))) 941 var x17 uint64 942 var x18 uint64 943 x17, x18 = bits.Add64(x8, x5, uint64(p256Uint1(x16))) 944 var x19 uint64 945 var x20 uint64 946 x20, x19 = bits.Mul64(x11, 0xffffffff00000001) 947 var x21 uint64 948 var x22 uint64 949 x22, x21 = bits.Mul64(x11, 0xffffffff) 950 var x23 uint64 951 var x24 uint64 952 x24, x23 = bits.Mul64(x11, 0xffffffffffffffff) 953 var x25 uint64 954 var x26 uint64 955 x25, x26 = bits.Add64(x24, x21, uint64(0x0)) 956 var x28 uint64 957 _, x28 = bits.Add64(x11, x23, uint64(0x0)) 958 var x29 uint64 959 var x30 uint64 960 x29, x30 = bits.Add64(x13, x25, uint64(p256Uint1(x28))) 961 var x31 uint64 962 var x32 uint64 963 x31, x32 = bits.Add64(x15, (uint64(p256Uint1(x26)) + x22), uint64(p256Uint1(x30))) 964 var x33 uint64 965 var x34 uint64 966 x33, x34 = bits.Add64(x17, x19, uint64(p256Uint1(x32))) 967 var x35 uint64 968 var x36 uint64 969 x35, x36 = bits.Add64((uint64(p256Uint1(x18)) + x6), x20, uint64(p256Uint1(x34))) 970 var x37 uint64 971 var x38 uint64 972 x38, x37 = bits.Mul64(x1, 0x4fffffffd) 973 var x39 uint64 974 var x40 uint64 975 x40, x39 = bits.Mul64(x1, 0xfffffffffffffffe) 976 var x41 uint64 977 var x42 uint64 978 x42, x41 = bits.Mul64(x1, 0xfffffffbffffffff) 979 var x43 uint64 980 var x44 uint64 981 x44, x43 = bits.Mul64(x1, 0x3) 982 var x45 uint64 983 var x46 uint64 984 x45, x46 = bits.Add64(x44, x41, uint64(0x0)) 985 var x47 uint64 986 var x48 uint64 987 x47, x48 = bits.Add64(x42, x39, uint64(p256Uint1(x46))) 988 var x49 uint64 989 var x50 uint64 990 x49, x50 = bits.Add64(x40, x37, uint64(p256Uint1(x48))) 991 var x51 uint64 992 var x52 uint64 993 x51, x52 = bits.Add64(x29, x43, uint64(0x0)) 994 var x53 uint64 995 var x54 uint64 996 x53, x54 = bits.Add64(x31, x45, uint64(p256Uint1(x52))) 997 var x55 uint64 998 var x56 uint64 999 x55, x56 = bits.Add64(x33, x47, uint64(p256Uint1(x54))) 1000 var x57 uint64 1001 var x58 uint64 1002 x57, x58 = bits.Add64(x35, x49, uint64(p256Uint1(x56))) 1003 var x59 uint64 1004 var x60 uint64 1005 x60, x59 = bits.Mul64(x51, 0xffffffff00000001) 1006 var x61 uint64 1007 var x62 uint64 1008 x62, x61 = bits.Mul64(x51, 0xffffffff) 1009 var x63 uint64 1010 var x64 uint64 1011 x64, x63 = bits.Mul64(x51, 0xffffffffffffffff) 1012 var x65 uint64 1013 var x66 uint64 1014 x65, x66 = bits.Add64(x64, x61, uint64(0x0)) 1015 var x68 uint64 1016 _, x68 = bits.Add64(x51, x63, uint64(0x0)) 1017 var x69 uint64 1018 var x70 uint64 1019 x69, x70 = bits.Add64(x53, x65, uint64(p256Uint1(x68))) 1020 var x71 uint64 1021 var x72 uint64 1022 x71, x72 = bits.Add64(x55, (uint64(p256Uint1(x66)) + x62), uint64(p256Uint1(x70))) 1023 var x73 uint64 1024 var x74 uint64 1025 x73, x74 = bits.Add64(x57, x59, uint64(p256Uint1(x72))) 1026 var x75 uint64 1027 var x76 uint64 1028 x75, x76 = bits.Add64(((uint64(p256Uint1(x58)) + uint64(p256Uint1(x36))) + (uint64(p256Uint1(x50)) + x38)), x60, uint64(p256Uint1(x74))) 1029 var x77 uint64 1030 var x78 uint64 1031 x78, x77 = bits.Mul64(x2, 0x4fffffffd) 1032 var x79 uint64 1033 var x80 uint64 1034 x80, x79 = bits.Mul64(x2, 0xfffffffffffffffe) 1035 var x81 uint64 1036 var x82 uint64 1037 x82, x81 = bits.Mul64(x2, 0xfffffffbffffffff) 1038 var x83 uint64 1039 var x84 uint64 1040 x84, x83 = bits.Mul64(x2, 0x3) 1041 var x85 uint64 1042 var x86 uint64 1043 x85, x86 = bits.Add64(x84, x81, uint64(0x0)) 1044 var x87 uint64 1045 var x88 uint64 1046 x87, x88 = bits.Add64(x82, x79, uint64(p256Uint1(x86))) 1047 var x89 uint64 1048 var x90 uint64 1049 x89, x90 = bits.Add64(x80, x77, uint64(p256Uint1(x88))) 1050 var x91 uint64 1051 var x92 uint64 1052 x91, x92 = bits.Add64(x69, x83, uint64(0x0)) 1053 var x93 uint64 1054 var x94 uint64 1055 x93, x94 = bits.Add64(x71, x85, uint64(p256Uint1(x92))) 1056 var x95 uint64 1057 var x96 uint64 1058 x95, x96 = bits.Add64(x73, x87, uint64(p256Uint1(x94))) 1059 var x97 uint64 1060 var x98 uint64 1061 x97, x98 = bits.Add64(x75, x89, uint64(p256Uint1(x96))) 1062 var x99 uint64 1063 var x100 uint64 1064 x100, x99 = bits.Mul64(x91, 0xffffffff00000001) 1065 var x101 uint64 1066 var x102 uint64 1067 x102, x101 = bits.Mul64(x91, 0xffffffff) 1068 var x103 uint64 1069 var x104 uint64 1070 x104, x103 = bits.Mul64(x91, 0xffffffffffffffff) 1071 var x105 uint64 1072 var x106 uint64 1073 x105, x106 = bits.Add64(x104, x101, uint64(0x0)) 1074 var x108 uint64 1075 _, x108 = bits.Add64(x91, x103, uint64(0x0)) 1076 var x109 uint64 1077 var x110 uint64 1078 x109, x110 = bits.Add64(x93, x105, uint64(p256Uint1(x108))) 1079 var x111 uint64 1080 var x112 uint64 1081 x111, x112 = bits.Add64(x95, (uint64(p256Uint1(x106)) + x102), uint64(p256Uint1(x110))) 1082 var x113 uint64 1083 var x114 uint64 1084 x113, x114 = bits.Add64(x97, x99, uint64(p256Uint1(x112))) 1085 var x115 uint64 1086 var x116 uint64 1087 x115, x116 = bits.Add64(((uint64(p256Uint1(x98)) + uint64(p256Uint1(x76))) + (uint64(p256Uint1(x90)) + x78)), x100, uint64(p256Uint1(x114))) 1088 var x117 uint64 1089 var x118 uint64 1090 x118, x117 = bits.Mul64(x3, 0x4fffffffd) 1091 var x119 uint64 1092 var x120 uint64 1093 x120, x119 = bits.Mul64(x3, 0xfffffffffffffffe) 1094 var x121 uint64 1095 var x122 uint64 1096 x122, x121 = bits.Mul64(x3, 0xfffffffbffffffff) 1097 var x123 uint64 1098 var x124 uint64 1099 x124, x123 = bits.Mul64(x3, 0x3) 1100 var x125 uint64 1101 var x126 uint64 1102 x125, x126 = bits.Add64(x124, x121, uint64(0x0)) 1103 var x127 uint64 1104 var x128 uint64 1105 x127, x128 = bits.Add64(x122, x119, uint64(p256Uint1(x126))) 1106 var x129 uint64 1107 var x130 uint64 1108 x129, x130 = bits.Add64(x120, x117, uint64(p256Uint1(x128))) 1109 var x131 uint64 1110 var x132 uint64 1111 x131, x132 = bits.Add64(x109, x123, uint64(0x0)) 1112 var x133 uint64 1113 var x134 uint64 1114 x133, x134 = bits.Add64(x111, x125, uint64(p256Uint1(x132))) 1115 var x135 uint64 1116 var x136 uint64 1117 x135, x136 = bits.Add64(x113, x127, uint64(p256Uint1(x134))) 1118 var x137 uint64 1119 var x138 uint64 1120 x137, x138 = bits.Add64(x115, x129, uint64(p256Uint1(x136))) 1121 var x139 uint64 1122 var x140 uint64 1123 x140, x139 = bits.Mul64(x131, 0xffffffff00000001) 1124 var x141 uint64 1125 var x142 uint64 1126 x142, x141 = bits.Mul64(x131, 0xffffffff) 1127 var x143 uint64 1128 var x144 uint64 1129 x144, x143 = bits.Mul64(x131, 0xffffffffffffffff) 1130 var x145 uint64 1131 var x146 uint64 1132 x145, x146 = bits.Add64(x144, x141, uint64(0x0)) 1133 var x148 uint64 1134 _, x148 = bits.Add64(x131, x143, uint64(0x0)) 1135 var x149 uint64 1136 var x150 uint64 1137 x149, x150 = bits.Add64(x133, x145, uint64(p256Uint1(x148))) 1138 var x151 uint64 1139 var x152 uint64 1140 x151, x152 = bits.Add64(x135, (uint64(p256Uint1(x146)) + x142), uint64(p256Uint1(x150))) 1141 var x153 uint64 1142 var x154 uint64 1143 x153, x154 = bits.Add64(x137, x139, uint64(p256Uint1(x152))) 1144 var x155 uint64 1145 var x156 uint64 1146 x155, x156 = bits.Add64(((uint64(p256Uint1(x138)) + uint64(p256Uint1(x116))) + (uint64(p256Uint1(x130)) + x118)), x140, uint64(p256Uint1(x154))) 1147 var x157 uint64 1148 var x158 uint64 1149 x157, x158 = bits.Sub64(x149, 0xffffffffffffffff, uint64(0x0)) 1150 var x159 uint64 1151 var x160 uint64 1152 x159, x160 = bits.Sub64(x151, 0xffffffff, uint64(p256Uint1(x158))) 1153 var x161 uint64 1154 var x162 uint64 1155 x161, x162 = bits.Sub64(x153, uint64(0x0), uint64(p256Uint1(x160))) 1156 var x163 uint64 1157 var x164 uint64 1158 x163, x164 = bits.Sub64(x155, 0xffffffff00000001, uint64(p256Uint1(x162))) 1159 var x166 uint64 1160 _, x166 = bits.Sub64(uint64(p256Uint1(x156)), uint64(0x0), uint64(p256Uint1(x164))) 1161 var x167 uint64 1162 p256CmovznzU64(&x167, p256Uint1(x166), x157, x149) 1163 var x168 uint64 1164 p256CmovznzU64(&x168, p256Uint1(x166), x159, x151) 1165 var x169 uint64 1166 p256CmovznzU64(&x169, p256Uint1(x166), x161, x153) 1167 var x170 uint64 1168 p256CmovznzU64(&x170, p256Uint1(x166), x163, x155) 1169 out1[0] = x167 1170 out1[1] = x168 1171 out1[2] = x169 1172 out1[3] = x170 1173 } 1174 1175 // p256Selectznz is a multi-limb conditional select. 1176 // 1177 // Postconditions: 1178 // 1179 // eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) 1180 // 1181 // Input Bounds: 1182 // 1183 // arg1: [0x0 ~> 0x1] 1184 // arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1185 // arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1186 // 1187 // Output Bounds: 1188 // 1189 // out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1190 func p256Selectznz(out1 *[4]uint64, arg1 p256Uint1, arg2 *[4]uint64, arg3 *[4]uint64) { 1191 var x1 uint64 1192 p256CmovznzU64(&x1, arg1, arg2[0], arg3[0]) 1193 var x2 uint64 1194 p256CmovznzU64(&x2, arg1, arg2[1], arg3[1]) 1195 var x3 uint64 1196 p256CmovznzU64(&x3, arg1, arg2[2], arg3[2]) 1197 var x4 uint64 1198 p256CmovznzU64(&x4, arg1, arg2[3], arg3[3]) 1199 out1[0] = x1 1200 out1[1] = x2 1201 out1[2] = x3 1202 out1[3] = x4 1203 } 1204 1205 // p256ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 1206 // 1207 // Preconditions: 1208 // 1209 // 0 ≤ eval arg1 < m 1210 // 1211 // Postconditions: 1212 // 1213 // out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] 1214 // 1215 // Input Bounds: 1216 // 1217 // arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1218 // 1219 // Output Bounds: 1220 // 1221 // out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] 1222 func p256ToBytes(out1 *[32]uint8, arg1 *[4]uint64) { 1223 x1 := arg1[3] 1224 x2 := arg1[2] 1225 x3 := arg1[1] 1226 x4 := arg1[0] 1227 x5 := (uint8(x4) & 0xff) 1228 x6 := (x4 >> 8) 1229 x7 := (uint8(x6) & 0xff) 1230 x8 := (x6 >> 8) 1231 x9 := (uint8(x8) & 0xff) 1232 x10 := (x8 >> 8) 1233 x11 := (uint8(x10) & 0xff) 1234 x12 := (x10 >> 8) 1235 x13 := (uint8(x12) & 0xff) 1236 x14 := (x12 >> 8) 1237 x15 := (uint8(x14) & 0xff) 1238 x16 := (x14 >> 8) 1239 x17 := (uint8(x16) & 0xff) 1240 x18 := uint8((x16 >> 8)) 1241 x19 := (uint8(x3) & 0xff) 1242 x20 := (x3 >> 8) 1243 x21 := (uint8(x20) & 0xff) 1244 x22 := (x20 >> 8) 1245 x23 := (uint8(x22) & 0xff) 1246 x24 := (x22 >> 8) 1247 x25 := (uint8(x24) & 0xff) 1248 x26 := (x24 >> 8) 1249 x27 := (uint8(x26) & 0xff) 1250 x28 := (x26 >> 8) 1251 x29 := (uint8(x28) & 0xff) 1252 x30 := (x28 >> 8) 1253 x31 := (uint8(x30) & 0xff) 1254 x32 := uint8((x30 >> 8)) 1255 x33 := (uint8(x2) & 0xff) 1256 x34 := (x2 >> 8) 1257 x35 := (uint8(x34) & 0xff) 1258 x36 := (x34 >> 8) 1259 x37 := (uint8(x36) & 0xff) 1260 x38 := (x36 >> 8) 1261 x39 := (uint8(x38) & 0xff) 1262 x40 := (x38 >> 8) 1263 x41 := (uint8(x40) & 0xff) 1264 x42 := (x40 >> 8) 1265 x43 := (uint8(x42) & 0xff) 1266 x44 := (x42 >> 8) 1267 x45 := (uint8(x44) & 0xff) 1268 x46 := uint8((x44 >> 8)) 1269 x47 := (uint8(x1) & 0xff) 1270 x48 := (x1 >> 8) 1271 x49 := (uint8(x48) & 0xff) 1272 x50 := (x48 >> 8) 1273 x51 := (uint8(x50) & 0xff) 1274 x52 := (x50 >> 8) 1275 x53 := (uint8(x52) & 0xff) 1276 x54 := (x52 >> 8) 1277 x55 := (uint8(x54) & 0xff) 1278 x56 := (x54 >> 8) 1279 x57 := (uint8(x56) & 0xff) 1280 x58 := (x56 >> 8) 1281 x59 := (uint8(x58) & 0xff) 1282 x60 := uint8((x58 >> 8)) 1283 out1[0] = x5 1284 out1[1] = x7 1285 out1[2] = x9 1286 out1[3] = x11 1287 out1[4] = x13 1288 out1[5] = x15 1289 out1[6] = x17 1290 out1[7] = x18 1291 out1[8] = x19 1292 out1[9] = x21 1293 out1[10] = x23 1294 out1[11] = x25 1295 out1[12] = x27 1296 out1[13] = x29 1297 out1[14] = x31 1298 out1[15] = x32 1299 out1[16] = x33 1300 out1[17] = x35 1301 out1[18] = x37 1302 out1[19] = x39 1303 out1[20] = x41 1304 out1[21] = x43 1305 out1[22] = x45 1306 out1[23] = x46 1307 out1[24] = x47 1308 out1[25] = x49 1309 out1[26] = x51 1310 out1[27] = x53 1311 out1[28] = x55 1312 out1[29] = x57 1313 out1[30] = x59 1314 out1[31] = x60 1315 } 1316 1317 // p256FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 1318 // 1319 // Preconditions: 1320 // 1321 // 0 ≤ bytes_eval arg1 < m 1322 // 1323 // Postconditions: 1324 // 1325 // eval out1 mod m = bytes_eval arg1 mod m 1326 // 0 ≤ eval out1 < m 1327 // 1328 // Input Bounds: 1329 // 1330 // arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] 1331 // 1332 // Output Bounds: 1333 // 1334 // out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 1335 func p256FromBytes(out1 *[4]uint64, arg1 *[32]uint8) { 1336 x1 := (uint64(arg1[31]) << 56) 1337 x2 := (uint64(arg1[30]) << 48) 1338 x3 := (uint64(arg1[29]) << 40) 1339 x4 := (uint64(arg1[28]) << 32) 1340 x5 := (uint64(arg1[27]) << 24) 1341 x6 := (uint64(arg1[26]) << 16) 1342 x7 := (uint64(arg1[25]) << 8) 1343 x8 := arg1[24] 1344 x9 := (uint64(arg1[23]) << 56) 1345 x10 := (uint64(arg1[22]) << 48) 1346 x11 := (uint64(arg1[21]) << 40) 1347 x12 := (uint64(arg1[20]) << 32) 1348 x13 := (uint64(arg1[19]) << 24) 1349 x14 := (uint64(arg1[18]) << 16) 1350 x15 := (uint64(arg1[17]) << 8) 1351 x16 := arg1[16] 1352 x17 := (uint64(arg1[15]) << 56) 1353 x18 := (uint64(arg1[14]) << 48) 1354 x19 := (uint64(arg1[13]) << 40) 1355 x20 := (uint64(arg1[12]) << 32) 1356 x21 := (uint64(arg1[11]) << 24) 1357 x22 := (uint64(arg1[10]) << 16) 1358 x23 := (uint64(arg1[9]) << 8) 1359 x24 := arg1[8] 1360 x25 := (uint64(arg1[7]) << 56) 1361 x26 := (uint64(arg1[6]) << 48) 1362 x27 := (uint64(arg1[5]) << 40) 1363 x28 := (uint64(arg1[4]) << 32) 1364 x29 := (uint64(arg1[3]) << 24) 1365 x30 := (uint64(arg1[2]) << 16) 1366 x31 := (uint64(arg1[1]) << 8) 1367 x32 := arg1[0] 1368 x33 := (x31 + uint64(x32)) 1369 x34 := (x30 + x33) 1370 x35 := (x29 + x34) 1371 x36 := (x28 + x35) 1372 x37 := (x27 + x36) 1373 x38 := (x26 + x37) 1374 x39 := (x25 + x38) 1375 x40 := (x23 + uint64(x24)) 1376 x41 := (x22 + x40) 1377 x42 := (x21 + x41) 1378 x43 := (x20 + x42) 1379 x44 := (x19 + x43) 1380 x45 := (x18 + x44) 1381 x46 := (x17 + x45) 1382 x47 := (x15 + uint64(x16)) 1383 x48 := (x14 + x47) 1384 x49 := (x13 + x48) 1385 x50 := (x12 + x49) 1386 x51 := (x11 + x50) 1387 x52 := (x10 + x51) 1388 x53 := (x9 + x52) 1389 x54 := (x7 + uint64(x8)) 1390 x55 := (x6 + x54) 1391 x56 := (x5 + x55) 1392 x57 := (x4 + x56) 1393 x58 := (x3 + x57) 1394 x59 := (x2 + x58) 1395 x60 := (x1 + x59) 1396 out1[0] = x39 1397 out1[1] = x46 1398 out1[2] = x53 1399 out1[3] = x60 1400 }