1 /* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */
2 /* curve description: 25519 */
3 /* machine_wordsize = 32 (from "32") */
4 /* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */
5 /* n = 10 (from "(auto)") */
6 /* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
7 /* tight_bounds_multiplier = 1 (from "") */
8 /* */
9 /* Computed values: */
10 /* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */
11 /* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */
12 /* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
13 /* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */
14
15 #include <stdint.h>
16 typedef unsigned char fiat_25519_uint1;
17 typedef signed char fiat_25519_int1;
18 #if defined(__GNUC__) || defined(__clang__)
19 # define FIAT_25519_FIAT_INLINE __inline__
20 #else
21 # define FIAT_25519_FIAT_INLINE
22 #endif
23
24 /* The type fiat_25519_loose_field_element is a field element with loose bounds. */
25 /* Bounds: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] */
26 typedef uint32_t fiat_25519_loose_field_element[10];
27
28 /* The type fiat_25519_tight_field_element is a field element with tight bounds. */
29 /* Bounds: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] */
30 typedef uint32_t fiat_25519_tight_field_element[10];
31
32 #if (-1 & 3) != 3
33 #error "This code only works on a two's complement system"
34 #endif
35
36 #if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
fiat_25519_value_barrier_u32(uint32_t a)37 static __inline__ uint32_t fiat_25519_value_barrier_u32(uint32_t a) {
38 __asm__("" : "+r"(a) : /* no inputs */);
39 return a;
40 }
41 #else
42 # define fiat_25519_value_barrier_u32(x) (x)
43 #endif
44
45
46 /*
47 * The function fiat_25519_addcarryx_u26 is an addition with carry.
48 *
49 * Postconditions:
50 * out1 = (arg1 + arg2 + arg3) mod 2^26
51 * out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋
52 *
53 * Input Bounds:
54 * arg1: [0x0 ~> 0x1]
55 * arg2: [0x0 ~> 0x3ffffff]
56 * arg3: [0x0 ~> 0x3ffffff]
57 * Output Bounds:
58 * out1: [0x0 ~> 0x3ffffff]
59 * out2: [0x0 ~> 0x1]
60 */
fiat_25519_addcarryx_u26(uint32_t * out1,fiat_25519_uint1 * out2,fiat_25519_uint1 arg1,uint32_t arg2,uint32_t arg3)61 static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {
62 uint32_t x1;
63 uint32_t x2;
64 fiat_25519_uint1 x3;
65 x1 = ((arg1 + arg2) + arg3);
66 x2 = (x1 & UINT32_C(0x3ffffff));
67 x3 = (fiat_25519_uint1)(x1 >> 26);
68 *out1 = x2;
69 *out2 = x3;
70 }
71
72 /*
73 * The function fiat_25519_subborrowx_u26 is a subtraction with borrow.
74 *
75 * Postconditions:
76 * out1 = (-arg1 + arg2 + -arg3) mod 2^26
77 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋
78 *
79 * Input Bounds:
80 * arg1: [0x0 ~> 0x1]
81 * arg2: [0x0 ~> 0x3ffffff]
82 * arg3: [0x0 ~> 0x3ffffff]
83 * Output Bounds:
84 * out1: [0x0 ~> 0x3ffffff]
85 * out2: [0x0 ~> 0x1]
86 */
fiat_25519_subborrowx_u26(uint32_t * out1,fiat_25519_uint1 * out2,fiat_25519_uint1 arg1,uint32_t arg2,uint32_t arg3)87 static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {
88 int32_t x1;
89 fiat_25519_int1 x2;
90 uint32_t x3;
91 x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3);
92 x2 = (fiat_25519_int1)(x1 >> 26);
93 x3 = (x1 & UINT32_C(0x3ffffff));
94 *out1 = x3;
95 *out2 = (fiat_25519_uint1)(0x0 - x2);
96 }
97
98 /*
99 * The function fiat_25519_addcarryx_u25 is an addition with carry.
100 *
101 * Postconditions:
102 * out1 = (arg1 + arg2 + arg3) mod 2^25
103 * out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋
104 *
105 * Input Bounds:
106 * arg1: [0x0 ~> 0x1]
107 * arg2: [0x0 ~> 0x1ffffff]
108 * arg3: [0x0 ~> 0x1ffffff]
109 * Output Bounds:
110 * out1: [0x0 ~> 0x1ffffff]
111 * out2: [0x0 ~> 0x1]
112 */
fiat_25519_addcarryx_u25(uint32_t * out1,fiat_25519_uint1 * out2,fiat_25519_uint1 arg1,uint32_t arg2,uint32_t arg3)113 static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {
114 uint32_t x1;
115 uint32_t x2;
116 fiat_25519_uint1 x3;
117 x1 = ((arg1 + arg2) + arg3);
118 x2 = (x1 & UINT32_C(0x1ffffff));
119 x3 = (fiat_25519_uint1)(x1 >> 25);
120 *out1 = x2;
121 *out2 = x3;
122 }
123
124 /*
125 * The function fiat_25519_subborrowx_u25 is a subtraction with borrow.
126 *
127 * Postconditions:
128 * out1 = (-arg1 + arg2 + -arg3) mod 2^25
129 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋
130 *
131 * Input Bounds:
132 * arg1: [0x0 ~> 0x1]
133 * arg2: [0x0 ~> 0x1ffffff]
134 * arg3: [0x0 ~> 0x1ffffff]
135 * Output Bounds:
136 * out1: [0x0 ~> 0x1ffffff]
137 * out2: [0x0 ~> 0x1]
138 */
fiat_25519_subborrowx_u25(uint32_t * out1,fiat_25519_uint1 * out2,fiat_25519_uint1 arg1,uint32_t arg2,uint32_t arg3)139 static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {
140 int32_t x1;
141 fiat_25519_int1 x2;
142 uint32_t x3;
143 x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3);
144 x2 = (fiat_25519_int1)(x1 >> 25);
145 x3 = (x1 & UINT32_C(0x1ffffff));
146 *out1 = x3;
147 *out2 = (fiat_25519_uint1)(0x0 - x2);
148 }
149
150 /*
151 * The function fiat_25519_cmovznz_u32 is a single-word conditional move.
152 *
153 * Postconditions:
154 * out1 = (if arg1 = 0 then arg2 else arg3)
155 *
156 * Input Bounds:
157 * arg1: [0x0 ~> 0x1]
158 * arg2: [0x0 ~> 0xffffffff]
159 * arg3: [0x0 ~> 0xffffffff]
160 * Output Bounds:
161 * out1: [0x0 ~> 0xffffffff]
162 */
fiat_25519_cmovznz_u32(uint32_t * out1,fiat_25519_uint1 arg1,uint32_t arg2,uint32_t arg3)163 static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {
164 fiat_25519_uint1 x1;
165 uint32_t x2;
166 uint32_t x3;
167 x1 = (!(!arg1));
168 x2 = ((fiat_25519_int1)(0x0 - x1) & UINT32_C(0xffffffff));
169 x3 = ((fiat_25519_value_barrier_u32(x2) & arg3) | (fiat_25519_value_barrier_u32((~x2)) & arg2));
170 *out1 = x3;
171 }
172
173 /*
174 * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
175 *
176 * Postconditions:
177 * eval out1 mod m = (eval arg1 * eval arg2) mod m
178 *
179 */
fiat_25519_carry_mul(fiat_25519_tight_field_element out1,const fiat_25519_loose_field_element arg1,const fiat_25519_loose_field_element arg2)180 static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {
181 uint64_t x1;
182 uint64_t x2;
183 uint64_t x3;
184 uint64_t x4;
185 uint64_t x5;
186 uint64_t x6;
187 uint64_t x7;
188 uint64_t x8;
189 uint64_t x9;
190 uint64_t x10;
191 uint64_t x11;
192 uint64_t x12;
193 uint64_t x13;
194 uint64_t x14;
195 uint64_t x15;
196 uint64_t x16;
197 uint64_t x17;
198 uint64_t x18;
199 uint64_t x19;
200 uint64_t x20;
201 uint64_t x21;
202 uint64_t x22;
203 uint64_t x23;
204 uint64_t x24;
205 uint64_t x25;
206 uint64_t x26;
207 uint64_t x27;
208 uint64_t x28;
209 uint64_t x29;
210 uint64_t x30;
211 uint64_t x31;
212 uint64_t x32;
213 uint64_t x33;
214 uint64_t x34;
215 uint64_t x35;
216 uint64_t x36;
217 uint64_t x37;
218 uint64_t x38;
219 uint64_t x39;
220 uint64_t x40;
221 uint64_t x41;
222 uint64_t x42;
223 uint64_t x43;
224 uint64_t x44;
225 uint64_t x45;
226 uint64_t x46;
227 uint64_t x47;
228 uint64_t x48;
229 uint64_t x49;
230 uint64_t x50;
231 uint64_t x51;
232 uint64_t x52;
233 uint64_t x53;
234 uint64_t x54;
235 uint64_t x55;
236 uint64_t x56;
237 uint64_t x57;
238 uint64_t x58;
239 uint64_t x59;
240 uint64_t x60;
241 uint64_t x61;
242 uint64_t x62;
243 uint64_t x63;
244 uint64_t x64;
245 uint64_t x65;
246 uint64_t x66;
247 uint64_t x67;
248 uint64_t x68;
249 uint64_t x69;
250 uint64_t x70;
251 uint64_t x71;
252 uint64_t x72;
253 uint64_t x73;
254 uint64_t x74;
255 uint64_t x75;
256 uint64_t x76;
257 uint64_t x77;
258 uint64_t x78;
259 uint64_t x79;
260 uint64_t x80;
261 uint64_t x81;
262 uint64_t x82;
263 uint64_t x83;
264 uint64_t x84;
265 uint64_t x85;
266 uint64_t x86;
267 uint64_t x87;
268 uint64_t x88;
269 uint64_t x89;
270 uint64_t x90;
271 uint64_t x91;
272 uint64_t x92;
273 uint64_t x93;
274 uint64_t x94;
275 uint64_t x95;
276 uint64_t x96;
277 uint64_t x97;
278 uint64_t x98;
279 uint64_t x99;
280 uint64_t x100;
281 uint64_t x101;
282 uint64_t x102;
283 uint32_t x103;
284 uint64_t x104;
285 uint64_t x105;
286 uint64_t x106;
287 uint64_t x107;
288 uint64_t x108;
289 uint64_t x109;
290 uint64_t x110;
291 uint64_t x111;
292 uint64_t x112;
293 uint64_t x113;
294 uint64_t x114;
295 uint32_t x115;
296 uint64_t x116;
297 uint64_t x117;
298 uint32_t x118;
299 uint64_t x119;
300 uint64_t x120;
301 uint32_t x121;
302 uint64_t x122;
303 uint64_t x123;
304 uint32_t x124;
305 uint64_t x125;
306 uint64_t x126;
307 uint32_t x127;
308 uint64_t x128;
309 uint64_t x129;
310 uint32_t x130;
311 uint64_t x131;
312 uint64_t x132;
313 uint32_t x133;
314 uint64_t x134;
315 uint64_t x135;
316 uint32_t x136;
317 uint64_t x137;
318 uint64_t x138;
319 uint32_t x139;
320 uint64_t x140;
321 uint64_t x141;
322 uint32_t x142;
323 uint32_t x143;
324 uint32_t x144;
325 fiat_25519_uint1 x145;
326 uint32_t x146;
327 uint32_t x147;
328 x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * UINT8_C(0x26)));
329 x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * UINT8_C(0x13)));
330 x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * UINT8_C(0x26)));
331 x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * UINT8_C(0x13)));
332 x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * UINT8_C(0x26)));
333 x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * UINT8_C(0x13)));
334 x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * UINT8_C(0x26)));
335 x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * UINT8_C(0x13)));
336 x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * UINT8_C(0x26)));
337 x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * UINT8_C(0x13)));
338 x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * UINT8_C(0x13)));
339 x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * UINT8_C(0x13)));
340 x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * UINT8_C(0x13)));
341 x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * UINT8_C(0x13)));
342 x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * UINT8_C(0x13)));
343 x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * UINT8_C(0x13)));
344 x17 = ((uint64_t)(arg1[8]) * ((arg2[2]) * UINT8_C(0x13)));
345 x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * UINT8_C(0x26)));
346 x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * UINT8_C(0x13)));
347 x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * UINT8_C(0x26)));
348 x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * UINT8_C(0x13)));
349 x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * UINT8_C(0x26)));
350 x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * UINT8_C(0x13)));
351 x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * UINT8_C(0x26)));
352 x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * UINT8_C(0x13)));
353 x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * UINT8_C(0x13)));
354 x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * UINT8_C(0x13)));
355 x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * UINT8_C(0x13)));
356 x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * UINT8_C(0x13)));
357 x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * UINT8_C(0x13)));
358 x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * UINT8_C(0x26)));
359 x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * UINT8_C(0x13)));
360 x33 = ((uint64_t)(arg1[5]) * ((arg2[7]) * UINT8_C(0x26)));
361 x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * UINT8_C(0x13)));
362 x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * UINT8_C(0x26)));
363 x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * UINT8_C(0x13)));
364 x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * UINT8_C(0x13)));
365 x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * UINT8_C(0x13)));
366 x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * UINT8_C(0x13)));
367 x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * UINT8_C(0x26)));
368 x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * UINT8_C(0x13)));
369 x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * UINT8_C(0x26)));
370 x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * UINT8_C(0x13)));
371 x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * UINT8_C(0x13)));
372 x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * UINT8_C(0x26)));
373 x46 = ((uint64_t)(arg1[9]) * (arg2[0]));
374 x47 = ((uint64_t)(arg1[8]) * (arg2[1]));
375 x48 = ((uint64_t)(arg1[8]) * (arg2[0]));
376 x49 = ((uint64_t)(arg1[7]) * (arg2[2]));
377 x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * 0x2));
378 x51 = ((uint64_t)(arg1[7]) * (arg2[0]));
379 x52 = ((uint64_t)(arg1[6]) * (arg2[3]));
380 x53 = ((uint64_t)(arg1[6]) * (arg2[2]));
381 x54 = ((uint64_t)(arg1[6]) * (arg2[1]));
382 x55 = ((uint64_t)(arg1[6]) * (arg2[0]));
383 x56 = ((uint64_t)(arg1[5]) * (arg2[4]));
384 x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2));
385 x58 = ((uint64_t)(arg1[5]) * (arg2[2]));
386 x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2));
387 x60 = ((uint64_t)(arg1[5]) * (arg2[0]));
388 x61 = ((uint64_t)(arg1[4]) * (arg2[5]));
389 x62 = ((uint64_t)(arg1[4]) * (arg2[4]));
390 x63 = ((uint64_t)(arg1[4]) * (arg2[3]));
391 x64 = ((uint64_t)(arg1[4]) * (arg2[2]));
392 x65 = ((uint64_t)(arg1[4]) * (arg2[1]));
393 x66 = ((uint64_t)(arg1[4]) * (arg2[0]));
394 x67 = ((uint64_t)(arg1[3]) * (arg2[6]));
395 x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2));
396 x69 = ((uint64_t)(arg1[3]) * (arg2[4]));
397 x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2));
398 x71 = ((uint64_t)(arg1[3]) * (arg2[2]));
399 x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2));
400 x73 = ((uint64_t)(arg1[3]) * (arg2[0]));
401 x74 = ((uint64_t)(arg1[2]) * (arg2[7]));
402 x75 = ((uint64_t)(arg1[2]) * (arg2[6]));
403 x76 = ((uint64_t)(arg1[2]) * (arg2[5]));
404 x77 = ((uint64_t)(arg1[2]) * (arg2[4]));
405 x78 = ((uint64_t)(arg1[2]) * (arg2[3]));
406 x79 = ((uint64_t)(arg1[2]) * (arg2[2]));
407 x80 = ((uint64_t)(arg1[2]) * (arg2[1]));
408 x81 = ((uint64_t)(arg1[2]) * (arg2[0]));
409 x82 = ((uint64_t)(arg1[1]) * (arg2[8]));
410 x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * 0x2));
411 x84 = ((uint64_t)(arg1[1]) * (arg2[6]));
412 x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2));
413 x86 = ((uint64_t)(arg1[1]) * (arg2[4]));
414 x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2));
415 x88 = ((uint64_t)(arg1[1]) * (arg2[2]));
416 x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2));
417 x90 = ((uint64_t)(arg1[1]) * (arg2[0]));
418 x91 = ((uint64_t)(arg1[0]) * (arg2[9]));
419 x92 = ((uint64_t)(arg1[0]) * (arg2[8]));
420 x93 = ((uint64_t)(arg1[0]) * (arg2[7]));
421 x94 = ((uint64_t)(arg1[0]) * (arg2[6]));
422 x95 = ((uint64_t)(arg1[0]) * (arg2[5]));
423 x96 = ((uint64_t)(arg1[0]) * (arg2[4]));
424 x97 = ((uint64_t)(arg1[0]) * (arg2[3]));
425 x98 = ((uint64_t)(arg1[0]) * (arg2[2]));
426 x99 = ((uint64_t)(arg1[0]) * (arg2[1]));
427 x100 = ((uint64_t)(arg1[0]) * (arg2[0]));
428 x101 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9)))))))));
429 x102 = (x101 >> 26);
430 x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff));
431 x104 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46)))))))));
432 x105 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1)))))))));
433 x106 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2)))))))));
434 x107 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3)))))))));
435 x108 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4)))))))));
436 x109 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5)))))))));
437 x110 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6)))))))));
438 x111 = (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7)))))))));
439 x112 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8)))))))));
440 x113 = (x102 + x112);
441 x114 = (x113 >> 25);
442 x115 = (uint32_t)(x113 & UINT32_C(0x1ffffff));
443 x116 = (x114 + x111);
444 x117 = (x116 >> 26);
445 x118 = (uint32_t)(x116 & UINT32_C(0x3ffffff));
446 x119 = (x117 + x110);
447 x120 = (x119 >> 25);
448 x121 = (uint32_t)(x119 & UINT32_C(0x1ffffff));
449 x122 = (x120 + x109);
450 x123 = (x122 >> 26);
451 x124 = (uint32_t)(x122 & UINT32_C(0x3ffffff));
452 x125 = (x123 + x108);
453 x126 = (x125 >> 25);
454 x127 = (uint32_t)(x125 & UINT32_C(0x1ffffff));
455 x128 = (x126 + x107);
456 x129 = (x128 >> 26);
457 x130 = (uint32_t)(x128 & UINT32_C(0x3ffffff));
458 x131 = (x129 + x106);
459 x132 = (x131 >> 25);
460 x133 = (uint32_t)(x131 & UINT32_C(0x1ffffff));
461 x134 = (x132 + x105);
462 x135 = (x134 >> 26);
463 x136 = (uint32_t)(x134 & UINT32_C(0x3ffffff));
464 x137 = (x135 + x104);
465 x138 = (x137 >> 25);
466 x139 = (uint32_t)(x137 & UINT32_C(0x1ffffff));
467 x140 = (x138 * UINT8_C(0x13));
468 x141 = (x103 + x140);
469 x142 = (uint32_t)(x141 >> 26);
470 x143 = (uint32_t)(x141 & UINT32_C(0x3ffffff));
471 x144 = (x142 + x115);
472 x145 = (fiat_25519_uint1)(x144 >> 25);
473 x146 = (x144 & UINT32_C(0x1ffffff));
474 x147 = (x145 + x118);
475 out1[0] = x143;
476 out1[1] = x146;
477 out1[2] = x147;
478 out1[3] = x121;
479 out1[4] = x124;
480 out1[5] = x127;
481 out1[6] = x130;
482 out1[7] = x133;
483 out1[8] = x136;
484 out1[9] = x139;
485 }
486
487 /*
488 * The function fiat_25519_carry_square squares a field element and reduces the result.
489 *
490 * Postconditions:
491 * eval out1 mod m = (eval arg1 * eval arg1) mod m
492 *
493 */
fiat_25519_carry_square(fiat_25519_tight_field_element out1,const fiat_25519_loose_field_element arg1)494 static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
495 uint32_t x1;
496 uint32_t x2;
497 uint32_t x3;
498 uint32_t x4;
499 uint64_t x5;
500 uint32_t x6;
501 uint32_t x7;
502 uint32_t x8;
503 uint32_t x9;
504 uint32_t x10;
505 uint64_t x11;
506 uint32_t x12;
507 uint32_t x13;
508 uint32_t x14;
509 uint32_t x15;
510 uint32_t x16;
511 uint32_t x17;
512 uint32_t x18;
513 uint64_t x19;
514 uint64_t x20;
515 uint64_t x21;
516 uint64_t x22;
517 uint64_t x23;
518 uint64_t x24;
519 uint64_t x25;
520 uint64_t x26;
521 uint64_t x27;
522 uint64_t x28;
523 uint64_t x29;
524 uint64_t x30;
525 uint64_t x31;
526 uint64_t x32;
527 uint64_t x33;
528 uint64_t x34;
529 uint64_t x35;
530 uint64_t x36;
531 uint64_t x37;
532 uint64_t x38;
533 uint64_t x39;
534 uint64_t x40;
535 uint64_t x41;
536 uint64_t x42;
537 uint64_t x43;
538 uint64_t x44;
539 uint64_t x45;
540 uint64_t x46;
541 uint64_t x47;
542 uint64_t x48;
543 uint64_t x49;
544 uint64_t x50;
545 uint64_t x51;
546 uint64_t x52;
547 uint64_t x53;
548 uint64_t x54;
549 uint64_t x55;
550 uint64_t x56;
551 uint64_t x57;
552 uint64_t x58;
553 uint64_t x59;
554 uint64_t x60;
555 uint64_t x61;
556 uint64_t x62;
557 uint64_t x63;
558 uint64_t x64;
559 uint64_t x65;
560 uint64_t x66;
561 uint64_t x67;
562 uint64_t x68;
563 uint64_t x69;
564 uint64_t x70;
565 uint64_t x71;
566 uint64_t x72;
567 uint64_t x73;
568 uint64_t x74;
569 uint64_t x75;
570 uint32_t x76;
571 uint64_t x77;
572 uint64_t x78;
573 uint64_t x79;
574 uint64_t x80;
575 uint64_t x81;
576 uint64_t x82;
577 uint64_t x83;
578 uint64_t x84;
579 uint64_t x85;
580 uint64_t x86;
581 uint64_t x87;
582 uint32_t x88;
583 uint64_t x89;
584 uint64_t x90;
585 uint32_t x91;
586 uint64_t x92;
587 uint64_t x93;
588 uint32_t x94;
589 uint64_t x95;
590 uint64_t x96;
591 uint32_t x97;
592 uint64_t x98;
593 uint64_t x99;
594 uint32_t x100;
595 uint64_t x101;
596 uint64_t x102;
597 uint32_t x103;
598 uint64_t x104;
599 uint64_t x105;
600 uint32_t x106;
601 uint64_t x107;
602 uint64_t x108;
603 uint32_t x109;
604 uint64_t x110;
605 uint64_t x111;
606 uint32_t x112;
607 uint64_t x113;
608 uint64_t x114;
609 uint32_t x115;
610 uint32_t x116;
611 uint32_t x117;
612 fiat_25519_uint1 x118;
613 uint32_t x119;
614 uint32_t x120;
615 x1 = ((arg1[9]) * UINT8_C(0x13));
616 x2 = (x1 * 0x2);
617 x3 = ((arg1[9]) * 0x2);
618 x4 = ((arg1[8]) * UINT8_C(0x13));
619 x5 = ((uint64_t)x4 * 0x2);
620 x6 = ((arg1[8]) * 0x2);
621 x7 = ((arg1[7]) * UINT8_C(0x13));
622 x8 = (x7 * 0x2);
623 x9 = ((arg1[7]) * 0x2);
624 x10 = ((arg1[6]) * UINT8_C(0x13));
625 x11 = ((uint64_t)x10 * 0x2);
626 x12 = ((arg1[6]) * 0x2);
627 x13 = ((arg1[5]) * UINT8_C(0x13));
628 x14 = ((arg1[5]) * 0x2);
629 x15 = ((arg1[4]) * 0x2);
630 x16 = ((arg1[3]) * 0x2);
631 x17 = ((arg1[2]) * 0x2);
632 x18 = ((arg1[1]) * 0x2);
633 x19 = ((uint64_t)(arg1[9]) * (x1 * 0x2));
634 x20 = ((uint64_t)(arg1[8]) * x2);
635 x21 = ((uint64_t)(arg1[8]) * x4);
636 x22 = ((arg1[7]) * ((uint64_t)x2 * 0x2));
637 x23 = ((arg1[7]) * x5);
638 x24 = ((uint64_t)(arg1[7]) * (x7 * 0x2));
639 x25 = ((uint64_t)(arg1[6]) * x2);
640 x26 = ((arg1[6]) * x5);
641 x27 = ((uint64_t)(arg1[6]) * x8);
642 x28 = ((uint64_t)(arg1[6]) * x10);
643 x29 = ((arg1[5]) * ((uint64_t)x2 * 0x2));
644 x30 = ((arg1[5]) * x5);
645 x31 = ((arg1[5]) * ((uint64_t)x8 * 0x2));
646 x32 = ((arg1[5]) * x11);
647 x33 = ((uint64_t)(arg1[5]) * (x13 * 0x2));
648 x34 = ((uint64_t)(arg1[4]) * x2);
649 x35 = ((arg1[4]) * x5);
650 x36 = ((uint64_t)(arg1[4]) * x8);
651 x37 = ((arg1[4]) * x11);
652 x38 = ((uint64_t)(arg1[4]) * x14);
653 x39 = ((uint64_t)(arg1[4]) * (arg1[4]));
654 x40 = ((arg1[3]) * ((uint64_t)x2 * 0x2));
655 x41 = ((arg1[3]) * x5);
656 x42 = ((arg1[3]) * ((uint64_t)x8 * 0x2));
657 x43 = ((uint64_t)(arg1[3]) * x12);
658 x44 = ((uint64_t)(arg1[3]) * (x14 * 0x2));
659 x45 = ((uint64_t)(arg1[3]) * x15);
660 x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2));
661 x47 = ((uint64_t)(arg1[2]) * x2);
662 x48 = ((arg1[2]) * x5);
663 x49 = ((uint64_t)(arg1[2]) * x9);
664 x50 = ((uint64_t)(arg1[2]) * x12);
665 x51 = ((uint64_t)(arg1[2]) * x14);
666 x52 = ((uint64_t)(arg1[2]) * x15);
667 x53 = ((uint64_t)(arg1[2]) * x16);
668 x54 = ((uint64_t)(arg1[2]) * (arg1[2]));
669 x55 = ((arg1[1]) * ((uint64_t)x2 * 0x2));
670 x56 = ((uint64_t)(arg1[1]) * x6);
671 x57 = ((uint64_t)(arg1[1]) * (x9 * 0x2));
672 x58 = ((uint64_t)(arg1[1]) * x12);
673 x59 = ((uint64_t)(arg1[1]) * (x14 * 0x2));
674 x60 = ((uint64_t)(arg1[1]) * x15);
675 x61 = ((uint64_t)(arg1[1]) * (x16 * 0x2));
676 x62 = ((uint64_t)(arg1[1]) * x17);
677 x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2));
678 x64 = ((uint64_t)(arg1[0]) * x3);
679 x65 = ((uint64_t)(arg1[0]) * x6);
680 x66 = ((uint64_t)(arg1[0]) * x9);
681 x67 = ((uint64_t)(arg1[0]) * x12);
682 x68 = ((uint64_t)(arg1[0]) * x14);
683 x69 = ((uint64_t)(arg1[0]) * x15);
684 x70 = ((uint64_t)(arg1[0]) * x16);
685 x71 = ((uint64_t)(arg1[0]) * x17);
686 x72 = ((uint64_t)(arg1[0]) * x18);
687 x73 = ((uint64_t)(arg1[0]) * (arg1[0]));
688 x74 = (x73 + (x55 + (x48 + (x42 + (x37 + x33)))));
689 x75 = (x74 >> 26);
690 x76 = (uint32_t)(x74 & UINT32_C(0x3ffffff));
691 x77 = (x64 + (x56 + (x49 + (x43 + x38))));
692 x78 = (x65 + (x57 + (x50 + (x44 + (x39 + x19)))));
693 x79 = (x66 + (x58 + (x51 + (x45 + x20))));
694 x80 = (x67 + (x59 + (x52 + (x46 + (x22 + x21)))));
695 x81 = (x68 + (x60 + (x53 + (x25 + x23))));
696 x82 = (x69 + (x61 + (x54 + (x29 + (x26 + x24)))));
697 x83 = (x70 + (x62 + (x34 + (x30 + x27))));
698 x84 = (x71 + (x63 + (x40 + (x35 + (x31 + x28)))));
699 x85 = (x72 + (x47 + (x41 + (x36 + x32))));
700 x86 = (x75 + x85);
701 x87 = (x86 >> 25);
702 x88 = (uint32_t)(x86 & UINT32_C(0x1ffffff));
703 x89 = (x87 + x84);
704 x90 = (x89 >> 26);
705 x91 = (uint32_t)(x89 & UINT32_C(0x3ffffff));
706 x92 = (x90 + x83);
707 x93 = (x92 >> 25);
708 x94 = (uint32_t)(x92 & UINT32_C(0x1ffffff));
709 x95 = (x93 + x82);
710 x96 = (x95 >> 26);
711 x97 = (uint32_t)(x95 & UINT32_C(0x3ffffff));
712 x98 = (x96 + x81);
713 x99 = (x98 >> 25);
714 x100 = (uint32_t)(x98 & UINT32_C(0x1ffffff));
715 x101 = (x99 + x80);
716 x102 = (x101 >> 26);
717 x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff));
718 x104 = (x102 + x79);
719 x105 = (x104 >> 25);
720 x106 = (uint32_t)(x104 & UINT32_C(0x1ffffff));
721 x107 = (x105 + x78);
722 x108 = (x107 >> 26);
723 x109 = (uint32_t)(x107 & UINT32_C(0x3ffffff));
724 x110 = (x108 + x77);
725 x111 = (x110 >> 25);
726 x112 = (uint32_t)(x110 & UINT32_C(0x1ffffff));
727 x113 = (x111 * UINT8_C(0x13));
728 x114 = (x76 + x113);
729 x115 = (uint32_t)(x114 >> 26);
730 x116 = (uint32_t)(x114 & UINT32_C(0x3ffffff));
731 x117 = (x115 + x88);
732 x118 = (fiat_25519_uint1)(x117 >> 25);
733 x119 = (x117 & UINT32_C(0x1ffffff));
734 x120 = (x118 + x91);
735 out1[0] = x116;
736 out1[1] = x119;
737 out1[2] = x120;
738 out1[3] = x94;
739 out1[4] = x97;
740 out1[5] = x100;
741 out1[6] = x103;
742 out1[7] = x106;
743 out1[8] = x109;
744 out1[9] = x112;
745 }
746
747 /*
748 * The function fiat_25519_carry reduces a field element.
749 *
750 * Postconditions:
751 * eval out1 mod m = eval arg1 mod m
752 *
753 */
fiat_25519_carry(fiat_25519_tight_field_element out1,const fiat_25519_loose_field_element arg1)754 static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
755 uint32_t x1;
756 uint32_t x2;
757 uint32_t x3;
758 uint32_t x4;
759 uint32_t x5;
760 uint32_t x6;
761 uint32_t x7;
762 uint32_t x8;
763 uint32_t x9;
764 uint32_t x10;
765 uint32_t x11;
766 uint32_t x12;
767 uint32_t x13;
768 uint32_t x14;
769 uint32_t x15;
770 uint32_t x16;
771 uint32_t x17;
772 uint32_t x18;
773 uint32_t x19;
774 uint32_t x20;
775 uint32_t x21;
776 uint32_t x22;
777 x1 = (arg1[0]);
778 x2 = ((x1 >> 26) + (arg1[1]));
779 x3 = ((x2 >> 25) + (arg1[2]));
780 x4 = ((x3 >> 26) + (arg1[3]));
781 x5 = ((x4 >> 25) + (arg1[4]));
782 x6 = ((x5 >> 26) + (arg1[5]));
783 x7 = ((x6 >> 25) + (arg1[6]));
784 x8 = ((x7 >> 26) + (arg1[7]));
785 x9 = ((x8 >> 25) + (arg1[8]));
786 x10 = ((x9 >> 26) + (arg1[9]));
787 x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * UINT8_C(0x13)));
788 x12 = ((fiat_25519_uint1)(x11 >> 26) + (x2 & UINT32_C(0x1ffffff)));
789 x13 = (x11 & UINT32_C(0x3ffffff));
790 x14 = (x12 & UINT32_C(0x1ffffff));
791 x15 = ((fiat_25519_uint1)(x12 >> 25) + (x3 & UINT32_C(0x3ffffff)));
792 x16 = (x4 & UINT32_C(0x1ffffff));
793 x17 = (x5 & UINT32_C(0x3ffffff));
794 x18 = (x6 & UINT32_C(0x1ffffff));
795 x19 = (x7 & UINT32_C(0x3ffffff));
796 x20 = (x8 & UINT32_C(0x1ffffff));
797 x21 = (x9 & UINT32_C(0x3ffffff));
798 x22 = (x10 & UINT32_C(0x1ffffff));
799 out1[0] = x13;
800 out1[1] = x14;
801 out1[2] = x15;
802 out1[3] = x16;
803 out1[4] = x17;
804 out1[5] = x18;
805 out1[6] = x19;
806 out1[7] = x20;
807 out1[8] = x21;
808 out1[9] = x22;
809 }
810
811 /*
812 * The function fiat_25519_add adds two field elements.
813 *
814 * Postconditions:
815 * eval out1 mod m = (eval arg1 + eval arg2) mod m
816 *
817 */
fiat_25519_add(fiat_25519_loose_field_element out1,const fiat_25519_tight_field_element arg1,const fiat_25519_tight_field_element arg2)818 static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
819 uint32_t x1;
820 uint32_t x2;
821 uint32_t x3;
822 uint32_t x4;
823 uint32_t x5;
824 uint32_t x6;
825 uint32_t x7;
826 uint32_t x8;
827 uint32_t x9;
828 uint32_t x10;
829 x1 = ((arg1[0]) + (arg2[0]));
830 x2 = ((arg1[1]) + (arg2[1]));
831 x3 = ((arg1[2]) + (arg2[2]));
832 x4 = ((arg1[3]) + (arg2[3]));
833 x5 = ((arg1[4]) + (arg2[4]));
834 x6 = ((arg1[5]) + (arg2[5]));
835 x7 = ((arg1[6]) + (arg2[6]));
836 x8 = ((arg1[7]) + (arg2[7]));
837 x9 = ((arg1[8]) + (arg2[8]));
838 x10 = ((arg1[9]) + (arg2[9]));
839 out1[0] = x1;
840 out1[1] = x2;
841 out1[2] = x3;
842 out1[3] = x4;
843 out1[4] = x5;
844 out1[5] = x6;
845 out1[6] = x7;
846 out1[7] = x8;
847 out1[8] = x9;
848 out1[9] = x10;
849 }
850
851 /*
852 * The function fiat_25519_sub subtracts two field elements.
853 *
854 * Postconditions:
855 * eval out1 mod m = (eval arg1 - eval arg2) mod m
856 *
857 */
fiat_25519_sub(fiat_25519_loose_field_element out1,const fiat_25519_tight_field_element arg1,const fiat_25519_tight_field_element arg2)858 static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {
859 uint32_t x1;
860 uint32_t x2;
861 uint32_t x3;
862 uint32_t x4;
863 uint32_t x5;
864 uint32_t x6;
865 uint32_t x7;
866 uint32_t x8;
867 uint32_t x9;
868 uint32_t x10;
869 x1 = ((UINT32_C(0x7ffffda) + (arg1[0])) - (arg2[0]));
870 x2 = ((UINT32_C(0x3fffffe) + (arg1[1])) - (arg2[1]));
871 x3 = ((UINT32_C(0x7fffffe) + (arg1[2])) - (arg2[2]));
872 x4 = ((UINT32_C(0x3fffffe) + (arg1[3])) - (arg2[3]));
873 x5 = ((UINT32_C(0x7fffffe) + (arg1[4])) - (arg2[4]));
874 x6 = ((UINT32_C(0x3fffffe) + (arg1[5])) - (arg2[5]));
875 x7 = ((UINT32_C(0x7fffffe) + (arg1[6])) - (arg2[6]));
876 x8 = ((UINT32_C(0x3fffffe) + (arg1[7])) - (arg2[7]));
877 x9 = ((UINT32_C(0x7fffffe) + (arg1[8])) - (arg2[8]));
878 x10 = ((UINT32_C(0x3fffffe) + (arg1[9])) - (arg2[9]));
879 out1[0] = x1;
880 out1[1] = x2;
881 out1[2] = x3;
882 out1[3] = x4;
883 out1[4] = x5;
884 out1[5] = x6;
885 out1[6] = x7;
886 out1[7] = x8;
887 out1[8] = x9;
888 out1[9] = x10;
889 }
890
891 /*
892 * The function fiat_25519_opp negates a field element.
893 *
894 * Postconditions:
895 * eval out1 mod m = -eval arg1 mod m
896 *
897 */
fiat_25519_opp(fiat_25519_loose_field_element out1,const fiat_25519_tight_field_element arg1)898 static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
899 uint32_t x1;
900 uint32_t x2;
901 uint32_t x3;
902 uint32_t x4;
903 uint32_t x5;
904 uint32_t x6;
905 uint32_t x7;
906 uint32_t x8;
907 uint32_t x9;
908 uint32_t x10;
909 x1 = (UINT32_C(0x7ffffda) - (arg1[0]));
910 x2 = (UINT32_C(0x3fffffe) - (arg1[1]));
911 x3 = (UINT32_C(0x7fffffe) - (arg1[2]));
912 x4 = (UINT32_C(0x3fffffe) - (arg1[3]));
913 x5 = (UINT32_C(0x7fffffe) - (arg1[4]));
914 x6 = (UINT32_C(0x3fffffe) - (arg1[5]));
915 x7 = (UINT32_C(0x7fffffe) - (arg1[6]));
916 x8 = (UINT32_C(0x3fffffe) - (arg1[7]));
917 x9 = (UINT32_C(0x7fffffe) - (arg1[8]));
918 x10 = (UINT32_C(0x3fffffe) - (arg1[9]));
919 out1[0] = x1;
920 out1[1] = x2;
921 out1[2] = x3;
922 out1[3] = x4;
923 out1[4] = x5;
924 out1[5] = x6;
925 out1[6] = x7;
926 out1[7] = x8;
927 out1[8] = x9;
928 out1[9] = x10;
929 }
930
931 /*
932 * The function fiat_25519_selectznz is a multi-limb conditional select.
933 *
934 * Postconditions:
935 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)
936 *
937 * Input Bounds:
938 * arg1: [0x0 ~> 0x1]
939 * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]
940 * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]
941 * Output Bounds:
942 * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]
943 */
fiat_25519_selectznz(uint32_t out1[10],fiat_25519_uint1 arg1,const uint32_t arg2[10],const uint32_t arg3[10])944 static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const uint32_t arg2[10], const uint32_t arg3[10]) {
945 uint32_t x1;
946 uint32_t x2;
947 uint32_t x3;
948 uint32_t x4;
949 uint32_t x5;
950 uint32_t x6;
951 uint32_t x7;
952 uint32_t x8;
953 uint32_t x9;
954 uint32_t x10;
955 fiat_25519_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0]));
956 fiat_25519_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1]));
957 fiat_25519_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2]));
958 fiat_25519_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3]));
959 fiat_25519_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4]));
960 fiat_25519_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5]));
961 fiat_25519_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6]));
962 fiat_25519_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7]));
963 fiat_25519_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8]));
964 fiat_25519_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9]));
965 out1[0] = x1;
966 out1[1] = x2;
967 out1[2] = x3;
968 out1[3] = x4;
969 out1[4] = x5;
970 out1[5] = x6;
971 out1[6] = x7;
972 out1[7] = x8;
973 out1[8] = x9;
974 out1[9] = x10;
975 }
976
977 /*
978 * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
979 *
980 * Postconditions:
981 * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
982 *
983 * Output Bounds:
984 * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
985 */
fiat_25519_to_bytes(uint8_t out1[32],const fiat_25519_tight_field_element arg1)986 static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {
987 uint32_t x1;
988 fiat_25519_uint1 x2;
989 uint32_t x3;
990 fiat_25519_uint1 x4;
991 uint32_t x5;
992 fiat_25519_uint1 x6;
993 uint32_t x7;
994 fiat_25519_uint1 x8;
995 uint32_t x9;
996 fiat_25519_uint1 x10;
997 uint32_t x11;
998 fiat_25519_uint1 x12;
999 uint32_t x13;
1000 fiat_25519_uint1 x14;
1001 uint32_t x15;
1002 fiat_25519_uint1 x16;
1003 uint32_t x17;
1004 fiat_25519_uint1 x18;
1005 uint32_t x19;
1006 fiat_25519_uint1 x20;
1007 uint32_t x21;
1008 uint32_t x22;
1009 fiat_25519_uint1 x23;
1010 uint32_t x24;
1011 fiat_25519_uint1 x25;
1012 uint32_t x26;
1013 fiat_25519_uint1 x27;
1014 uint32_t x28;
1015 fiat_25519_uint1 x29;
1016 uint32_t x30;
1017 fiat_25519_uint1 x31;
1018 uint32_t x32;
1019 fiat_25519_uint1 x33;
1020 uint32_t x34;
1021 fiat_25519_uint1 x35;
1022 uint32_t x36;
1023 fiat_25519_uint1 x37;
1024 uint32_t x38;
1025 fiat_25519_uint1 x39;
1026 uint32_t x40;
1027 fiat_25519_uint1 x41;
1028 uint32_t x42;
1029 uint32_t x43;
1030 uint32_t x44;
1031 uint32_t x45;
1032 uint32_t x46;
1033 uint32_t x47;
1034 uint32_t x48;
1035 uint32_t x49;
1036 uint8_t x50;
1037 uint32_t x51;
1038 uint8_t x52;
1039 uint32_t x53;
1040 uint8_t x54;
1041 uint8_t x55;
1042 uint32_t x56;
1043 uint8_t x57;
1044 uint32_t x58;
1045 uint8_t x59;
1046 uint32_t x60;
1047 uint8_t x61;
1048 uint8_t x62;
1049 uint32_t x63;
1050 uint8_t x64;
1051 uint32_t x65;
1052 uint8_t x66;
1053 uint32_t x67;
1054 uint8_t x68;
1055 uint8_t x69;
1056 uint32_t x70;
1057 uint8_t x71;
1058 uint32_t x72;
1059 uint8_t x73;
1060 uint32_t x74;
1061 uint8_t x75;
1062 uint8_t x76;
1063 uint32_t x77;
1064 uint8_t x78;
1065 uint32_t x79;
1066 uint8_t x80;
1067 uint32_t x81;
1068 uint8_t x82;
1069 uint8_t x83;
1070 uint8_t x84;
1071 uint32_t x85;
1072 uint8_t x86;
1073 uint32_t x87;
1074 uint8_t x88;
1075 fiat_25519_uint1 x89;
1076 uint32_t x90;
1077 uint8_t x91;
1078 uint32_t x92;
1079 uint8_t x93;
1080 uint32_t x94;
1081 uint8_t x95;
1082 uint8_t x96;
1083 uint32_t x97;
1084 uint8_t x98;
1085 uint32_t x99;
1086 uint8_t x100;
1087 uint32_t x101;
1088 uint8_t x102;
1089 uint8_t x103;
1090 uint32_t x104;
1091 uint8_t x105;
1092 uint32_t x106;
1093 uint8_t x107;
1094 uint32_t x108;
1095 uint8_t x109;
1096 uint8_t x110;
1097 uint32_t x111;
1098 uint8_t x112;
1099 uint32_t x113;
1100 uint8_t x114;
1101 uint32_t x115;
1102 uint8_t x116;
1103 uint8_t x117;
1104 fiat_25519_subborrowx_u26(&x1, &x2, 0x0, (arg1[0]), UINT32_C(0x3ffffed));
1105 fiat_25519_subborrowx_u25(&x3, &x4, x2, (arg1[1]), UINT32_C(0x1ffffff));
1106 fiat_25519_subborrowx_u26(&x5, &x6, x4, (arg1[2]), UINT32_C(0x3ffffff));
1107 fiat_25519_subborrowx_u25(&x7, &x8, x6, (arg1[3]), UINT32_C(0x1ffffff));
1108 fiat_25519_subborrowx_u26(&x9, &x10, x8, (arg1[4]), UINT32_C(0x3ffffff));
1109 fiat_25519_subborrowx_u25(&x11, &x12, x10, (arg1[5]), UINT32_C(0x1ffffff));
1110 fiat_25519_subborrowx_u26(&x13, &x14, x12, (arg1[6]), UINT32_C(0x3ffffff));
1111 fiat_25519_subborrowx_u25(&x15, &x16, x14, (arg1[7]), UINT32_C(0x1ffffff));
1112 fiat_25519_subborrowx_u26(&x17, &x18, x16, (arg1[8]), UINT32_C(0x3ffffff));
1113 fiat_25519_subborrowx_u25(&x19, &x20, x18, (arg1[9]), UINT32_C(0x1ffffff));
1114 fiat_25519_cmovznz_u32(&x21, x20, 0x0, UINT32_C(0xffffffff));
1115 fiat_25519_addcarryx_u26(&x22, &x23, 0x0, x1, (x21 & UINT32_C(0x3ffffed)));
1116 fiat_25519_addcarryx_u25(&x24, &x25, x23, x3, (x21 & UINT32_C(0x1ffffff)));
1117 fiat_25519_addcarryx_u26(&x26, &x27, x25, x5, (x21 & UINT32_C(0x3ffffff)));
1118 fiat_25519_addcarryx_u25(&x28, &x29, x27, x7, (x21 & UINT32_C(0x1ffffff)));
1119 fiat_25519_addcarryx_u26(&x30, &x31, x29, x9, (x21 & UINT32_C(0x3ffffff)));
1120 fiat_25519_addcarryx_u25(&x32, &x33, x31, x11, (x21 & UINT32_C(0x1ffffff)));
1121 fiat_25519_addcarryx_u26(&x34, &x35, x33, x13, (x21 & UINT32_C(0x3ffffff)));
1122 fiat_25519_addcarryx_u25(&x36, &x37, x35, x15, (x21 & UINT32_C(0x1ffffff)));
1123 fiat_25519_addcarryx_u26(&x38, &x39, x37, x17, (x21 & UINT32_C(0x3ffffff)));
1124 fiat_25519_addcarryx_u25(&x40, &x41, x39, x19, (x21 & UINT32_C(0x1ffffff)));
1125 x42 = (x40 << 6);
1126 x43 = (x38 << 4);
1127 x44 = (x36 << 3);
1128 x45 = (x34 * (uint32_t)0x2);
1129 x46 = (x30 << 6);
1130 x47 = (x28 << 5);
1131 x48 = (x26 << 3);
1132 x49 = (x24 << 2);
1133 x50 = (uint8_t)(x22 & UINT8_C(0xff));
1134 x51 = (x22 >> 8);
1135 x52 = (uint8_t)(x51 & UINT8_C(0xff));
1136 x53 = (x51 >> 8);
1137 x54 = (uint8_t)(x53 & UINT8_C(0xff));
1138 x55 = (uint8_t)(x53 >> 8);
1139 x56 = (x49 + (uint32_t)x55);
1140 x57 = (uint8_t)(x56 & UINT8_C(0xff));
1141 x58 = (x56 >> 8);
1142 x59 = (uint8_t)(x58 & UINT8_C(0xff));
1143 x60 = (x58 >> 8);
1144 x61 = (uint8_t)(x60 & UINT8_C(0xff));
1145 x62 = (uint8_t)(x60 >> 8);
1146 x63 = (x48 + (uint32_t)x62);
1147 x64 = (uint8_t)(x63 & UINT8_C(0xff));
1148 x65 = (x63 >> 8);
1149 x66 = (uint8_t)(x65 & UINT8_C(0xff));
1150 x67 = (x65 >> 8);
1151 x68 = (uint8_t)(x67 & UINT8_C(0xff));
1152 x69 = (uint8_t)(x67 >> 8);
1153 x70 = (x47 + (uint32_t)x69);
1154 x71 = (uint8_t)(x70 & UINT8_C(0xff));
1155 x72 = (x70 >> 8);
1156 x73 = (uint8_t)(x72 & UINT8_C(0xff));
1157 x74 = (x72 >> 8);
1158 x75 = (uint8_t)(x74 & UINT8_C(0xff));
1159 x76 = (uint8_t)(x74 >> 8);
1160 x77 = (x46 + (uint32_t)x76);
1161 x78 = (uint8_t)(x77 & UINT8_C(0xff));
1162 x79 = (x77 >> 8);
1163 x80 = (uint8_t)(x79 & UINT8_C(0xff));
1164 x81 = (x79 >> 8);
1165 x82 = (uint8_t)(x81 & UINT8_C(0xff));
1166 x83 = (uint8_t)(x81 >> 8);
1167 x84 = (uint8_t)(x32 & UINT8_C(0xff));
1168 x85 = (x32 >> 8);
1169 x86 = (uint8_t)(x85 & UINT8_C(0xff));
1170 x87 = (x85 >> 8);
1171 x88 = (uint8_t)(x87 & UINT8_C(0xff));
1172 x89 = (fiat_25519_uint1)(x87 >> 8);
1173 x90 = (x45 + (uint32_t)x89);
1174 x91 = (uint8_t)(x90 & UINT8_C(0xff));
1175 x92 = (x90 >> 8);
1176 x93 = (uint8_t)(x92 & UINT8_C(0xff));
1177 x94 = (x92 >> 8);
1178 x95 = (uint8_t)(x94 & UINT8_C(0xff));
1179 x96 = (uint8_t)(x94 >> 8);
1180 x97 = (x44 + (uint32_t)x96);
1181 x98 = (uint8_t)(x97 & UINT8_C(0xff));
1182 x99 = (x97 >> 8);
1183 x100 = (uint8_t)(x99 & UINT8_C(0xff));
1184 x101 = (x99 >> 8);
1185 x102 = (uint8_t)(x101 & UINT8_C(0xff));
1186 x103 = (uint8_t)(x101 >> 8);
1187 x104 = (x43 + (uint32_t)x103);
1188 x105 = (uint8_t)(x104 & UINT8_C(0xff));
1189 x106 = (x104 >> 8);
1190 x107 = (uint8_t)(x106 & UINT8_C(0xff));
1191 x108 = (x106 >> 8);
1192 x109 = (uint8_t)(x108 & UINT8_C(0xff));
1193 x110 = (uint8_t)(x108 >> 8);
1194 x111 = (x42 + (uint32_t)x110);
1195 x112 = (uint8_t)(x111 & UINT8_C(0xff));
1196 x113 = (x111 >> 8);
1197 x114 = (uint8_t)(x113 & UINT8_C(0xff));
1198 x115 = (x113 >> 8);
1199 x116 = (uint8_t)(x115 & UINT8_C(0xff));
1200 x117 = (uint8_t)(x115 >> 8);
1201 out1[0] = x50;
1202 out1[1] = x52;
1203 out1[2] = x54;
1204 out1[3] = x57;
1205 out1[4] = x59;
1206 out1[5] = x61;
1207 out1[6] = x64;
1208 out1[7] = x66;
1209 out1[8] = x68;
1210 out1[9] = x71;
1211 out1[10] = x73;
1212 out1[11] = x75;
1213 out1[12] = x78;
1214 out1[13] = x80;
1215 out1[14] = x82;
1216 out1[15] = x83;
1217 out1[16] = x84;
1218 out1[17] = x86;
1219 out1[18] = x88;
1220 out1[19] = x91;
1221 out1[20] = x93;
1222 out1[21] = x95;
1223 out1[22] = x98;
1224 out1[23] = x100;
1225 out1[24] = x102;
1226 out1[25] = x105;
1227 out1[26] = x107;
1228 out1[27] = x109;
1229 out1[28] = x112;
1230 out1[29] = x114;
1231 out1[30] = x116;
1232 out1[31] = x117;
1233 }
1234
1235 /*
1236 * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
1237 *
1238 * Postconditions:
1239 * eval out1 mod m = bytes_eval arg1 mod m
1240 *
1241 * Input Bounds:
1242 * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
1243 */
fiat_25519_from_bytes(fiat_25519_tight_field_element out1,const uint8_t arg1[32])1244 static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {
1245 uint32_t x1;
1246 uint32_t x2;
1247 uint32_t x3;
1248 uint32_t x4;
1249 uint32_t x5;
1250 uint32_t x6;
1251 uint32_t x7;
1252 uint32_t x8;
1253 uint32_t x9;
1254 uint32_t x10;
1255 uint32_t x11;
1256 uint32_t x12;
1257 uint32_t x13;
1258 uint32_t x14;
1259 uint32_t x15;
1260 uint8_t x16;
1261 uint32_t x17;
1262 uint32_t x18;
1263 uint32_t x19;
1264 uint32_t x20;
1265 uint32_t x21;
1266 uint32_t x22;
1267 uint32_t x23;
1268 uint32_t x24;
1269 uint32_t x25;
1270 uint32_t x26;
1271 uint32_t x27;
1272 uint32_t x28;
1273 uint32_t x29;
1274 uint32_t x30;
1275 uint32_t x31;
1276 uint8_t x32;
1277 uint32_t x33;
1278 uint32_t x34;
1279 uint32_t x35;
1280 uint32_t x36;
1281 uint8_t x37;
1282 uint32_t x38;
1283 uint32_t x39;
1284 uint32_t x40;
1285 uint32_t x41;
1286 uint8_t x42;
1287 uint32_t x43;
1288 uint32_t x44;
1289 uint32_t x45;
1290 uint32_t x46;
1291 uint8_t x47;
1292 uint32_t x48;
1293 uint32_t x49;
1294 uint32_t x50;
1295 uint32_t x51;
1296 uint8_t x52;
1297 uint32_t x53;
1298 uint32_t x54;
1299 uint32_t x55;
1300 uint32_t x56;
1301 uint32_t x57;
1302 uint32_t x58;
1303 uint32_t x59;
1304 uint8_t x60;
1305 uint32_t x61;
1306 uint32_t x62;
1307 uint32_t x63;
1308 uint32_t x64;
1309 uint8_t x65;
1310 uint32_t x66;
1311 uint32_t x67;
1312 uint32_t x68;
1313 uint32_t x69;
1314 uint8_t x70;
1315 uint32_t x71;
1316 uint32_t x72;
1317 uint32_t x73;
1318 uint32_t x74;
1319 uint8_t x75;
1320 uint32_t x76;
1321 uint32_t x77;
1322 uint32_t x78;
1323 x1 = ((uint32_t)(arg1[31]) << 18);
1324 x2 = ((uint32_t)(arg1[30]) << 10);
1325 x3 = ((uint32_t)(arg1[29]) << 2);
1326 x4 = ((uint32_t)(arg1[28]) << 20);
1327 x5 = ((uint32_t)(arg1[27]) << 12);
1328 x6 = ((uint32_t)(arg1[26]) << 4);
1329 x7 = ((uint32_t)(arg1[25]) << 21);
1330 x8 = ((uint32_t)(arg1[24]) << 13);
1331 x9 = ((uint32_t)(arg1[23]) << 5);
1332 x10 = ((uint32_t)(arg1[22]) << 23);
1333 x11 = ((uint32_t)(arg1[21]) << 15);
1334 x12 = ((uint32_t)(arg1[20]) << 7);
1335 x13 = ((uint32_t)(arg1[19]) << 24);
1336 x14 = ((uint32_t)(arg1[18]) << 16);
1337 x15 = ((uint32_t)(arg1[17]) << 8);
1338 x16 = (arg1[16]);
1339 x17 = ((uint32_t)(arg1[15]) << 18);
1340 x18 = ((uint32_t)(arg1[14]) << 10);
1341 x19 = ((uint32_t)(arg1[13]) << 2);
1342 x20 = ((uint32_t)(arg1[12]) << 19);
1343 x21 = ((uint32_t)(arg1[11]) << 11);
1344 x22 = ((uint32_t)(arg1[10]) << 3);
1345 x23 = ((uint32_t)(arg1[9]) << 21);
1346 x24 = ((uint32_t)(arg1[8]) << 13);
1347 x25 = ((uint32_t)(arg1[7]) << 5);
1348 x26 = ((uint32_t)(arg1[6]) << 22);
1349 x27 = ((uint32_t)(arg1[5]) << 14);
1350 x28 = ((uint32_t)(arg1[4]) << 6);
1351 x29 = ((uint32_t)(arg1[3]) << 24);
1352 x30 = ((uint32_t)(arg1[2]) << 16);
1353 x31 = ((uint32_t)(arg1[1]) << 8);
1354 x32 = (arg1[0]);
1355 x33 = (x31 + (uint32_t)x32);
1356 x34 = (x30 + x33);
1357 x35 = (x29 + x34);
1358 x36 = (x35 & UINT32_C(0x3ffffff));
1359 x37 = (uint8_t)(x35 >> 26);
1360 x38 = (x28 + (uint32_t)x37);
1361 x39 = (x27 + x38);
1362 x40 = (x26 + x39);
1363 x41 = (x40 & UINT32_C(0x1ffffff));
1364 x42 = (uint8_t)(x40 >> 25);
1365 x43 = (x25 + (uint32_t)x42);
1366 x44 = (x24 + x43);
1367 x45 = (x23 + x44);
1368 x46 = (x45 & UINT32_C(0x3ffffff));
1369 x47 = (uint8_t)(x45 >> 26);
1370 x48 = (x22 + (uint32_t)x47);
1371 x49 = (x21 + x48);
1372 x50 = (x20 + x49);
1373 x51 = (x50 & UINT32_C(0x1ffffff));
1374 x52 = (uint8_t)(x50 >> 25);
1375 x53 = (x19 + (uint32_t)x52);
1376 x54 = (x18 + x53);
1377 x55 = (x17 + x54);
1378 x56 = (x15 + (uint32_t)x16);
1379 x57 = (x14 + x56);
1380 x58 = (x13 + x57);
1381 x59 = (x58 & UINT32_C(0x1ffffff));
1382 x60 = (uint8_t)(x58 >> 25);
1383 x61 = (x12 + (uint32_t)x60);
1384 x62 = (x11 + x61);
1385 x63 = (x10 + x62);
1386 x64 = (x63 & UINT32_C(0x3ffffff));
1387 x65 = (uint8_t)(x63 >> 26);
1388 x66 = (x9 + (uint32_t)x65);
1389 x67 = (x8 + x66);
1390 x68 = (x7 + x67);
1391 x69 = (x68 & UINT32_C(0x1ffffff));
1392 x70 = (uint8_t)(x68 >> 25);
1393 x71 = (x6 + (uint32_t)x70);
1394 x72 = (x5 + x71);
1395 x73 = (x4 + x72);
1396 x74 = (x73 & UINT32_C(0x3ffffff));
1397 x75 = (uint8_t)(x73 >> 26);
1398 x76 = (x3 + (uint32_t)x75);
1399 x77 = (x2 + x76);
1400 x78 = (x1 + x77);
1401 out1[0] = x36;
1402 out1[1] = x41;
1403 out1[2] = x46;
1404 out1[3] = x51;
1405 out1[4] = x55;
1406 out1[5] = x59;
1407 out1[6] = x64;
1408 out1[7] = x69;
1409 out1[8] = x74;
1410 out1[9] = x78;
1411 }
1412
1413 /*
1414 * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.
1415 *
1416 * Postconditions:
1417 * out1 = arg1
1418 *
1419 */
fiat_25519_relax(fiat_25519_loose_field_element out1,const fiat_25519_tight_field_element arg1)1420 static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {
1421 uint32_t x1;
1422 uint32_t x2;
1423 uint32_t x3;
1424 uint32_t x4;
1425 uint32_t x5;
1426 uint32_t x6;
1427 uint32_t x7;
1428 uint32_t x8;
1429 uint32_t x9;
1430 uint32_t x10;
1431 x1 = (arg1[0]);
1432 x2 = (arg1[1]);
1433 x3 = (arg1[2]);
1434 x4 = (arg1[3]);
1435 x5 = (arg1[4]);
1436 x6 = (arg1[5]);
1437 x7 = (arg1[6]);
1438 x8 = (arg1[7]);
1439 x9 = (arg1[8]);
1440 x10 = (arg1[9]);
1441 out1[0] = x1;
1442 out1[1] = x2;
1443 out1[2] = x3;
1444 out1[3] = x4;
1445 out1[4] = x5;
1446 out1[5] = x6;
1447 out1[6] = x7;
1448 out1[7] = x8;
1449 out1[8] = x9;
1450 out1[9] = x10;
1451 }
1452
1453 /*
1454 * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
1455 *
1456 * Postconditions:
1457 * eval out1 mod m = (121666 * eval arg1) mod m
1458 *
1459 */
fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1,const fiat_25519_loose_field_element arg1)1460 static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {
1461 uint64_t x1;
1462 uint64_t x2;
1463 uint64_t x3;
1464 uint64_t x4;
1465 uint64_t x5;
1466 uint64_t x6;
1467 uint64_t x7;
1468 uint64_t x8;
1469 uint64_t x9;
1470 uint64_t x10;
1471 uint32_t x11;
1472 uint32_t x12;
1473 uint64_t x13;
1474 uint32_t x14;
1475 uint32_t x15;
1476 uint64_t x16;
1477 uint32_t x17;
1478 uint32_t x18;
1479 uint64_t x19;
1480 uint32_t x20;
1481 uint32_t x21;
1482 uint64_t x22;
1483 uint32_t x23;
1484 uint32_t x24;
1485 uint64_t x25;
1486 uint32_t x26;
1487 uint32_t x27;
1488 uint64_t x28;
1489 uint32_t x29;
1490 uint32_t x30;
1491 uint64_t x31;
1492 uint32_t x32;
1493 uint32_t x33;
1494 uint64_t x34;
1495 uint32_t x35;
1496 uint32_t x36;
1497 uint64_t x37;
1498 uint32_t x38;
1499 uint32_t x39;
1500 uint32_t x40;
1501 uint32_t x41;
1502 fiat_25519_uint1 x42;
1503 uint32_t x43;
1504 uint32_t x44;
1505 fiat_25519_uint1 x45;
1506 uint32_t x46;
1507 uint32_t x47;
1508 x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9]));
1509 x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8]));
1510 x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7]));
1511 x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6]));
1512 x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5]));
1513 x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4]));
1514 x7 = ((uint64_t)UINT32_C(0x1db42) * (arg1[3]));
1515 x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2]));
1516 x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1]));
1517 x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0]));
1518 x11 = (uint32_t)(x10 >> 26);
1519 x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff));
1520 x13 = (x11 + x9);
1521 x14 = (uint32_t)(x13 >> 25);
1522 x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff));
1523 x16 = (x14 + x8);
1524 x17 = (uint32_t)(x16 >> 26);
1525 x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff));
1526 x19 = (x17 + x7);
1527 x20 = (uint32_t)(x19 >> 25);
1528 x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff));
1529 x22 = (x20 + x6);
1530 x23 = (uint32_t)(x22 >> 26);
1531 x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff));
1532 x25 = (x23 + x5);
1533 x26 = (uint32_t)(x25 >> 25);
1534 x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff));
1535 x28 = (x26 + x4);
1536 x29 = (uint32_t)(x28 >> 26);
1537 x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff));
1538 x31 = (x29 + x3);
1539 x32 = (uint32_t)(x31 >> 25);
1540 x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff));
1541 x34 = (x32 + x2);
1542 x35 = (uint32_t)(x34 >> 26);
1543 x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff));
1544 x37 = (x35 + x1);
1545 x38 = (uint32_t)(x37 >> 25);
1546 x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff));
1547 x40 = (x38 * UINT8_C(0x13));
1548 x41 = (x12 + x40);
1549 x42 = (fiat_25519_uint1)(x41 >> 26);
1550 x43 = (x41 & UINT32_C(0x3ffffff));
1551 x44 = (x42 + x15);
1552 x45 = (fiat_25519_uint1)(x44 >> 25);
1553 x46 = (x44 & UINT32_C(0x1ffffff));
1554 x47 = (x45 + x18);
1555 out1[0] = x43;
1556 out1[1] = x46;
1557 out1[2] = x47;
1558 out1[3] = x21;
1559 out1[4] = x24;
1560 out1[5] = x27;
1561 out1[6] = x30;
1562 out1[7] = x33;
1563 out1[8] = x36;
1564 out1[9] = x39;
1565 }
1566