diff --git a/Makefile b/Makefile
index 418d81a3cff..e63ec7d679e 100644
--- a/Makefile
+++ b/Makefile
@@ -256,7 +256,7 @@ BEDROCK2_WORD_BY_WORD_MONTGOMERY := src/ExtractionOCaml/bedrock2_word_by_word_mo
 BEDROCK2_ARGS := --no-wide-int --widen-carry --widen-bytes --split-multiret --no-select
 BEDROCK2_EXTRA_CFLAGS := -Wno-error=unused-but-set-variable
-GO_EXTRA_ARGS_ALL := --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat
+GO_EXTRA_ARGS_ALL := --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name ''
 GO_EXTRA_ARGS_64 := --no-wide-int $(GO_EXTRA_ARGS_ALL)
 GO_EXTRA_ARGS_32 := $(GO_EXTRA_ARGS_ALL)
diff --git a/fiat-bedrock2/src/curve25519_32.c b/fiat-bedrock2/src/curve25519_32.c
index 463caf52563..7fe58c1d92b 100644
--- a/fiat-bedrock2/src/curve25519_32.c
+++ b/fiat-bedrock2/src/curve25519_32.c
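Review bot: The new `GO_EXTRA_ARGS_ALL` value packs a dozen flags plus two quoted arguments onto one line, so the only change in this hunk — the two flags appended at the end — is invisible without horizontal scrolling; splitting the assignment with `\` continuations, one flag per line, would keep this and future additions reviewable. The header text `Code generated by Fiat Cryptography. DO NOT EDIT.` has the form Go tooling recognises for generated files (`^// Code generated .* DO NOT EDIT\.$`), but that only takes effect if the generator emits it as a `//` line comment before any non-comment text in the file — worth confirming on one regenerated `.go` file, since a `/* */` wrapper or a preceding package clause would silently defeat the marker. A short comment above the assignment, e.g. `# --doc-prepend-header must keep the "Code generated ... DO NOT EDIT." wording so Go tooling treats the output as generated`, would record why the exact wording matters.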
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ -/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ #include #include 
@@ -28,7 +28,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] @@ -2173,5 +2172,3 @@ void internal_fiat_25519_carry_scmul_121666(uintptr_t out0, uintptr_t in0) { static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1[10]) { internal_fiat_25519_carry_scmul_121666((uintptr_t)out1, (uintptr_t)arg1); } - - diff --git a/fiat-bedrock2/src/curve25519_64.c b/fiat-bedrock2/src/curve25519_64.c index d5178251208..1825dd3ba59 100644 --- a/fiat-bedrock2/src/curve25519_64.c +++ b/fiat-bedrock2/src/curve25519_64.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ -/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include #include @@ -28,7 +28,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] 
@@ -1060,5 +1059,3 @@ void internal_fiat_25519_carry_scmul_121666(uintptr_t out0, uintptr_t in0) { static void fiat_25519_carry_scmul_121666(uint64_t out1[5], const uint64_t arg1[5]) { internal_fiat_25519_carry_scmul_121666((uintptr_t)out1, (uintptr_t)arg1); } - - diff --git a/fiat-bedrock2/src/p224_32.c b/fiat-bedrock2/src/p224_32.c index 59cce01a682..c42226464b4 100644 --- a/fiat-bedrock2/src/p224_32.c +++ b/fiat-bedrock2/src/p224_32.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ -/* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ +/* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ #include #include @@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] 
@@ -3962,5 +3961,3 @@ void internal_fiat_p224_divstep_precomp(uintptr_t out0) { static void fiat_p224_divstep_precomp(uint32_t out1[7]) { internal_fiat_p224_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/p224_64.c b/fiat-bedrock2/src/p224_64.c index 29c4c07a704..c330e127774 100644 --- a/fiat-bedrock2/src/p224_64.c +++ b/fiat-bedrock2/src/p224_64.c @@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include #include 
@@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] @@ -2029,5 +2028,3 @@ void internal_fiat_p224_divstep_precomp(uintptr_t out0) { static void fiat_p224_divstep_precomp(uint64_t out1[4]) { internal_fiat_p224_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/p256_32.c b/fiat-bedrock2/src/p256_32.c index 47e9595ee30..deecd039c1c 100644 --- a/fiat-bedrock2/src/p256_32.c +++ b/fiat-bedrock2/src/p256_32.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include #include 
@@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] @@ -4755,5 +4754,3 @@ void internal_fiat_p256_divstep_precomp(uintptr_t out0) { static void fiat_p256_divstep_precomp(uint32_t out1[8]) { internal_fiat_p256_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/p256_64.c b/fiat-bedrock2/src/p256_64.c index ba47bcacec4..69a38d25396 100644 --- a/fiat-bedrock2/src/p256_64.c +++ b/fiat-bedrock2/src/p256_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include #include @@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 
@@ -1967,5 +1966,3 @@ void internal_fiat_p256_divstep_precomp(uintptr_t out0) { static void fiat_p256_divstep_precomp(uint64_t out1[4]) { internal_fiat_p256_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/p384_32.c b/fiat-bedrock2/src/p384_32.c index 41fc2297aaf..808b09d5edc 100644 --- a/fiat-bedrock2/src/p384_32.c +++ b/fiat-bedrock2/src/p384_32.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ -/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + 
(z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ +/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ #include #include @@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] @@ -10471,5 +10470,3 @@ void internal_fiat_p384_divstep_precomp(uintptr_t out0) { static void fiat_p384_divstep_precomp(uint32_t out1[12]) { internal_fiat_p384_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/p384_64.c b/fiat-bedrock2/src/p384_64.c index 2a8a3ae8d81..64890194754 100644 --- a/fiat-bedrock2/src/p384_64.c +++ b/fiat-bedrock2/src/p384_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */ -/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 
0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */ +/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ #include #include @@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] @@ -3817,5 +3816,3 @@ void internal_fiat_p384_divstep_precomp(uintptr_t out0) { static void fiat_p384_divstep_precomp(uint64_t out1[6]) { internal_fiat_p384_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/p434_64.c b/fiat-bedrock2/src/p434_64.c index cb835c34e4f..c8b9b7802d9 100644 --- a/fiat-bedrock2/src/p434_64.c +++ b/fiat-bedrock2/src/p434_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in */ -/* if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 
232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in */ +/* if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 */ #include #include @@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] @@ -4826,5 +4825,3 @@ void internal_fiat_p434_divstep_precomp(uintptr_t out0) { static void fiat_p434_divstep_precomp(uint64_t out1[7]) { internal_fiat_p434_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/p448_solinas_64.c b/fiat-bedrock2/src/p448_solinas_64.c index 40ac22682af..af37ea4dab0 100644 --- a/fiat-bedrock2/src/p448_solinas_64.c +++ b/fiat-bedrock2/src/p448_solinas_64.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] */ -/* eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) */ -/* balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] */ +/* carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] */ +/* eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + 
(z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) */ +/* balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] */ #include #include @@ -28,7 +28,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] @@ -1985,5 +1984,3 @@ void internal_fiat_p448_from_bytes(uintptr_t out0, uintptr_t in0) { static void fiat_p448_from_bytes(uint64_t out1[8], const uint8_t arg1[56]) { internal_fiat_p448_from_bytes((uintptr_t)out1, (uintptr_t)arg1); } - - diff --git a/fiat-bedrock2/src/p521_64.c b/fiat-bedrock2/src/p521_64.c index 7fb4f1692dc..183fcf4e757 100644 --- a/fiat-bedrock2/src/p521_64.c +++ b/fiat-bedrock2/src/p521_64.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] */ -/* eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ -/* balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] */ +/* eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 
56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ +/* balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] */ #include #include @@ -28,7 +28,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] @@ -1991,5 +1990,3 @@ void internal_fiat_p521_from_bytes(uintptr_t out0, uintptr_t in0) { static void fiat_p521_from_bytes(uint64_t out1[9], const uint8_t arg1[66]) { internal_fiat_p521_from_bytes((uintptr_t)out1, (uintptr_t)arg1); } - - diff --git a/fiat-bedrock2/src/poly1305_32.c b/fiat-bedrock2/src/poly1305_32.c index df18d348a47..3ed0f3463e7 100644 
--- a/fiat-bedrock2/src/poly1305_32.c +++ b/fiat-bedrock2/src/poly1305_32.c @@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ -/* eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ -/* balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ +/* balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] */ #include #include @@ -28,7 +28,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] @@ -893,5 +892,3 @@ void internal_fiat_poly1305_from_bytes(uintptr_t out0, uintptr_t in0) { static void fiat_poly1305_from_bytes(uint32_t out1[5], const uint8_t arg1[17]) { internal_fiat_poly1305_from_bytes((uintptr_t)out1, (uintptr_t)arg1); } - - diff --git a/fiat-bedrock2/src/poly1305_64.c b/fiat-bedrock2/src/poly1305_64.c index 39af0283adc..3b92776e47d 100644 --- a/fiat-bedrock2/src/poly1305_64.c +++ b/fiat-bedrock2/src/poly1305_64.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 0, 1] */ -/* eval z = z[0] + (z[1] << 44) + (z[2] << 87) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ -/* balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] */ +/* carry_chain = [0, 1, 2, 0, 1] */ +/* eval z = z[0] + (z[1] << 44) + (z[2] << 87) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ +/* balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] */ #include #include @@ -28,7 +28,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] @@ -612,5 +611,3 @@ void internal_fiat_poly1305_from_bytes(uintptr_t out0, uintptr_t in0) { static void fiat_poly1305_from_bytes(uint64_t out1[3], const uint8_t arg1[17]) { internal_fiat_poly1305_from_bytes((uintptr_t)out1, (uintptr_t)arg1); } - - diff --git a/fiat-bedrock2/src/secp256k1_32.c b/fiat-bedrock2/src/secp256k1_32.c index 037236f13a3..217c83ec146 100644 --- a/fiat-bedrock2/src/secp256k1_32.c +++ b/fiat-bedrock2/src/secp256k1_32.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include #include 
@@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] @@ -5649,5 +5648,3 @@ void internal_fiat_secp256k1_divstep_precomp(uintptr_t out0) { static void fiat_secp256k1_divstep_precomp(uint32_t out1[8]) { internal_fiat_secp256k1_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-bedrock2/src/secp256k1_64.c b/fiat-bedrock2/src/secp256k1_64.c index 17bf9771c70..1cae4076233 100644 --- a/fiat-bedrock2/src/secp256k1_64.c +++ b/fiat-bedrock2/src/secp256k1_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include #include @@ -33,7 +33,6 @@ static inline void _br2_store(uintptr_t a, uintptr_t v, size_t sz) { } - /* * Input Bounds: * in0: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] 
@@ -2121,5 +2120,3 @@ void internal_fiat_secp256k1_divstep_precomp(uintptr_t out0) { static void fiat_secp256k1_divstep_precomp(uint64_t out1[4]) { internal_fiat_secp256k1_divstep_precomp((uintptr_t)out1); } - - diff --git a/fiat-c/src/curve25519_32.c b/fiat-c/src/curve25519_32.c index faf751ce9b5..6ad410da26a 100644 --- a/fiat-c/src/curve25519_32.c +++ b/fiat-c/src/curve25519_32.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ -/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ #include typedef unsigned char fiat_25519_uint1; 
@@ -32,6 +32,7 @@ static __inline__ uint32_t fiat_25519_value_barrier_u32(uint32_t a) { /* * The function fiat_25519_addcarryx_u26 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^26 * out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ @@ -57,6 +58,7 @@ static void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fia /* * The function fiat_25519_subborrowx_u26 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^26 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -82,6 +84,7 @@ static void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fi /* * The function fiat_25519_addcarryx_u25 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^25 * out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋ @@ -107,6 +110,7 @@ static void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fia /* * The function fiat_25519_subborrowx_u25 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^25 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋ @@ -132,6 +136,7 @@ static void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fi /* * The function fiat_25519_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -154,6 +159,7 @@ static void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32 /* * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * @@ -472,6 +478,7 @@ static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], con /* * The function fiat_25519_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * 
@@ -735,6 +742,7 @@ static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10]) /* * The function fiat_25519_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * @@ -802,6 +810,7 @@ static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) { /* * The function fiat_25519_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * @@ -846,6 +855,7 @@ static void fiat_25519_add(uint32_t out1[10], const uint32_t arg1[10], const uin /* * The function fiat_25519_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * @@ -890,6 +900,7 @@ static void fiat_25519_sub(uint32_t out1[10], const uint32_t arg1[10], const uin /* * The function fiat_25519_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * @@ -933,6 +944,7 @@ static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { /* * The function fiat_25519_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -978,6 +990,7 @@ static void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const /* * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * @@ -1237,6 +1250,7 @@ static void fiat_25519_to_bytes(uint8_t out1[32], const uint32_t arg1[10]) { /* * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * 
@@ -1416,6 +1430,7 @@ static void fiat_25519_from_bytes(uint32_t out1[10], const uint8_t arg1[32]) { /* * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. + * * Postconditions: * eval out1 mod m = (121666 * eval arg1) mod m * @@ -1530,4 +1545,3 @@ static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1 out1[8] = x36; out1[9] = x39; } - diff --git a/fiat-c/src/curve25519_64.c b/fiat-c/src/curve25519_64.c index 033cd59cf28..2c030ade10e 100644 --- a/fiat-c/src/curve25519_64.c +++ b/fiat-c/src/curve25519_64.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ -/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include typedef unsigned char fiat_25519_uint1; @@ -40,6 +40,7 @@ static __inline__ uint64_t fiat_25519_value_barrier_u64(uint64_t a) { /* * The function fiat_25519_addcarryx_u51 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^51 * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ 
@@ -65,6 +66,7 @@ static void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fia /* * The function fiat_25519_subborrowx_u51 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^51 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ @@ -90,6 +92,7 @@ static void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fi /* * The function fiat_25519_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -112,6 +115,7 @@ static void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64 /* * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * @@ -235,6 +239,7 @@ static void fiat_25519_carry_mul(uint64_t out1[5], const uint64_t arg1[5], const /* * The function fiat_25519_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * @@ -353,6 +358,7 @@ static void fiat_25519_carry_square(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * @@ -395,6 +401,7 @@ static void fiat_25519_carry(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * @@ -424,6 +431,7 @@ static void fiat_25519_add(uint64_t out1[5], const uint64_t arg1[5], const uint6 /* * The function fiat_25519_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * @@ -453,6 +461,7 @@ static void fiat_25519_sub(uint64_t out1[5], const uint64_t arg1[5], const uint6 /* * The function fiat_25519_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * 
@@ -481,6 +490,7 @@ static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -511,6 +521,7 @@ static void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const /* * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * @@ -728,6 +739,7 @@ static void fiat_25519_to_bytes(uint8_t out1[32], const uint64_t arg1[5]) { /* * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * @@ -888,6 +900,7 @@ static void fiat_25519_from_bytes(uint64_t out1[5], const uint8_t arg1[32]) { /* * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. + * * Postconditions: * eval out1 mod m = (121666 * eval arg1) mod m * @@ -957,4 +970,3 @@ static void fiat_25519_carry_scmul_121666(uint64_t out1[5], const uint64_t arg1[ out1[3] = x16; out1[4] = x19; } - diff --git a/fiat-c/src/p224_32.c b/fiat-c/src/p224_32.c index 4aaf2d2c18e..2dcf91ddb73 100644 --- a/fiat-c/src/p224_32.c +++ b/fiat-c/src/p224_32.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ -/* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ +/* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ #include typedef unsigned char fiat_p224_uint1; @@ -37,6 +37,7 @@ static __inline__ uint32_t fiat_p224_value_barrier_u32(uint32_t a) { /* * The function fiat_p224_addcarryx_u32 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^32 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ 
@@ -62,6 +63,7 @@ static void fiat_p224_addcarryx_u32(uint32_t* out1, fiat_p224_uint1* out2, fiat_ /* * The function fiat_p224_subborrowx_u32 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^32 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -87,6 +89,7 @@ static void fiat_p224_subborrowx_u32(uint32_t* out1, fiat_p224_uint1* out2, fiat /* * The function fiat_p224_mulx_u32 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^32 * out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -111,6 +114,7 @@ static void fiat_p224_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, ui /* * The function fiat_p224_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -133,6 +137,7 @@ static void fiat_p224_cmovznz_u32(uint32_t* out1, fiat_p224_uint1 arg1, uint32_t /* * The function fiat_p224_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -1003,6 +1008,7 @@ static void fiat_p224_mul(uint32_t out1[7], const uint32_t arg1[7], const uint32 /* * The function fiat_p224_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1871,6 +1877,7 @@ static void fiat_p224_square(uint32_t out1[7], const uint32_t arg1[7]) { /* * The function fiat_p224_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -1955,6 +1962,7 @@ static void fiat_p224_add(uint32_t out1[7], const uint32_t arg1[7], const uint32 /* * The function fiat_p224_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
@@ -2024,6 +2032,7 @@ static void fiat_p224_sub(uint32_t out1[7], const uint32_t arg1[7], const uint32 /* * The function fiat_p224_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2091,6 +2100,7 @@ static void fiat_p224_opp(uint32_t out1[7], const uint32_t arg1[7]) { /* * The function fiat_p224_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2571,6 +2581,7 @@ static void fiat_p224_from_montgomery(uint32_t out1[7], const uint32_t arg1[7]) /* * The function fiat_p224_to_montgomery translates a field element into the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3195,6 +3206,7 @@ static void fiat_p224_to_montgomery(uint32_t out1[7], const uint32_t arg1[7]) { /* * The function fiat_p224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3213,6 +3225,7 @@ static void fiat_p224_nonzero(uint32_t* out1, const uint32_t arg1[7]) { /* * The function fiat_p224_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -3249,6 +3262,7 @@ static void fiat_p224_selectznz(uint32_t out1[7], fiat_p224_uint1 arg1, const ui /* * The function fiat_p224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3390,6 +3404,7 @@ static void fiat_p224_to_bytes(uint8_t out1[28], const uint32_t arg1[7]) { /* * The function fiat_p224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: 
@@ -3511,6 +3526,7 @@ static void fiat_p224_from_bytes(uint32_t out1[7], const uint8_t arg1[28]) { /* * The function fiat_p224_set_one returns the field element one in the Montgomery domain. + * * Postconditions: * eval (from_montgomery out1) mod m = 1 mod m * 0 ≤ eval out1 < m @@ -3531,6 +3547,7 @@ static void fiat_p224_set_one(uint32_t out1[7]) { /* * The function fiat_p224_msat returns the saturated representation of the prime modulus. + * * Postconditions: * twos_complement_eval out1 = m * 0 ≤ eval out1 < m @@ -3552,6 +3569,7 @@ static void fiat_p224_msat(uint32_t out1[8]) { /* * The function fiat_p224_divstep computes a divstep. + * * Preconditions: * 0 ≤ eval arg4 < m * 0 ≤ eval arg5 < m @@ -3960,6 +3978,7 @@ static void fiat_p224_divstep(uint32_t* out1, uint32_t out2[8], uint32_t out3[8] /* * The function fiat_p224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * * Postconditions: * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m @@ -3977,4 +3996,3 @@ static void fiat_p224_divstep_precomp(uint32_t out1[7]) { out1[5] = UINT32_C(0xff800000); out1[6] = UINT32_C(0x17fffff); } - diff --git a/fiat-c/src/p224_64.c b/fiat-c/src/p224_64.c index d5e7161e634..4ea0db46c8c 100644 --- a/fiat-c/src/p224_64.c +++ b/fiat-c/src/p224_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include typedef unsigned char fiat_p224_uint1; @@ -45,6 +45,7 @@ static __inline__ uint64_t fiat_p224_value_barrier_u64(uint64_t a) { /* * The function fiat_p224_addcarryx_u64 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^64 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -70,6 +71,7 @@ static void fiat_p224_addcarryx_u64(uint64_t* out1, fiat_p224_uint1* out2, fiat_ /* * The function fiat_p224_subborrowx_u64 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^64 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -95,6 +97,7 @@ static void fiat_p224_subborrowx_u64(uint64_t* out1, fiat_p224_uint1* out2, fiat /* * The function fiat_p224_mulx_u64 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^64 * out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -119,6 +122,7 @@ static void fiat_p224_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, ui /* * The function fiat_p224_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -141,6 +145,7 @@ static void fiat_p224_cmovznz_u64(uint64_t* out1, fiat_p224_uint1 arg1, uint64_t /* * The function fiat_p224_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -477,6 +482,7 @@ static void fiat_p224_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p224_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -811,6 +817,7 @@ static void fiat_p224_square(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p224_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -868,6 +875,7 @@ static void fiat_p224_add(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p224_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
@@ -916,6 +924,7 @@ static void fiat_p224_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p224_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -962,6 +971,7 @@ static void fiat_p224_opp(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p224_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1156,6 +1166,7 @@ static void fiat_p224_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) /* * The function fiat_p224_to_montgomery translates a field element into the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1449,6 +1460,7 @@ static void fiat_p224_to_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1467,6 +1479,7 @@ static void fiat_p224_nonzero(uint64_t* out1, const uint64_t arg1[4]) { /* * The function fiat_p224_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -1494,6 +1507,7 @@ static void fiat_p224_selectznz(uint64_t out1[4], fiat_p224_uint1 arg1, const ui /* * The function fiat_p224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1641,6 +1655,7 @@ static void fiat_p224_to_bytes(uint8_t out1[28], const uint64_t arg1[4]) { /* * The function fiat_p224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: 
@@ -1765,6 +1780,7 @@ static void fiat_p224_from_bytes(uint64_t out1[4], const uint8_t arg1[28]) { /* * The function fiat_p224_set_one returns the field element one in the Montgomery domain. + * * Postconditions: * eval (from_montgomery out1) mod m = 1 mod m * 0 ≤ eval out1 < m @@ -1782,6 +1798,7 @@ static void fiat_p224_set_one(uint64_t out1[4]) { /* * The function fiat_p224_msat returns the saturated representation of the prime modulus. + * * Postconditions: * twos_complement_eval out1 = m * 0 ≤ eval out1 < m @@ -1800,6 +1817,7 @@ static void fiat_p224_msat(uint64_t out1[5]) { /* * The function fiat_p224_divstep computes a divstep. + * * Preconditions: * 0 ≤ eval arg4 < m * 0 ≤ eval arg5 < m @@ -2064,6 +2082,7 @@ static void fiat_p224_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5] /* * The function fiat_p224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * * Postconditions: * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m @@ -2078,4 +2097,3 @@ static void fiat_p224_divstep_precomp(uint64_t out1[4]) { out1[2] = UINT32_C(0xffffff); out1[3] = UINT32_C(0xff800000); } - diff --git a/fiat-c/src/p256_32.c b/fiat-c/src/p256_32.c index 81579a8aa8e..28d16a8eb5f 100644 --- a/fiat-c/src/p256_32.c +++ b/fiat-c/src/p256_32.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include typedef unsigned char fiat_p256_uint1; 
@@ -37,6 +37,7 @@ static __inline__ uint32_t fiat_p256_value_barrier_u32(uint32_t a) { /* * The function fiat_p256_addcarryx_u32 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^32 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -62,6 +63,7 @@ static void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_ /* * The function fiat_p256_subborrowx_u32 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^32 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -87,6 +89,7 @@ static void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat /* * The function fiat_p256_mulx_u32 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^32 * out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -111,6 +114,7 @@ static void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, ui /* * The function fiat_p256_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -133,6 +137,7 @@ static void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t /* * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -1173,6 +1178,7 @@ static void fiat_p256_mul(uint32_t out1[8], const uint32_t arg1[8], const uint32 /* * The function fiat_p256_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2211,6 +2217,7 @@ static void fiat_p256_square(uint32_t out1[8], const uint32_t arg1[8]) { /* * The function fiat_p256_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
@@ -2304,6 +2311,7 @@ static void fiat_p256_add(uint32_t out1[8], const uint32_t arg1[8], const uint32 /* * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -2380,6 +2388,7 @@ static void fiat_p256_sub(uint32_t out1[8], const uint32_t arg1[8], const uint32 /* * The function fiat_p256_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2454,6 +2463,7 @@ static void fiat_p256_opp(uint32_t out1[8], const uint32_t arg1[8]) { /* * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2994,6 +3004,7 @@ static void fiat_p256_from_montgomery(uint32_t out1[8], const uint32_t arg1[8]) /* * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3893,6 +3904,7 @@ static void fiat_p256_to_montgomery(uint32_t out1[8], const uint32_t arg1[8]) { /* * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3911,6 +3923,7 @@ static void fiat_p256_nonzero(uint32_t* out1, const uint32_t arg1[8]) { /* * The function fiat_p256_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -3950,6 +3963,7 @@ static void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const ui /* * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: 
@@ -4109,6 +4123,7 @@ static void fiat_p256_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) { /* * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -4245,6 +4260,7 @@ static void fiat_p256_from_bytes(uint32_t out1[8], const uint8_t arg1[32]) { /* * The function fiat_p256_set_one returns the field element one in the Montgomery domain. + * * Postconditions: * eval (from_montgomery out1) mod m = 1 mod m * 0 ≤ eval out1 < m @@ -4266,6 +4282,7 @@ static void fiat_p256_set_one(uint32_t out1[8]) { /* * The function fiat_p256_msat returns the saturated representation of the prime modulus. + * * Postconditions: * twos_complement_eval out1 = m * 0 ≤ eval out1 < m @@ -4288,6 +4305,7 @@ static void fiat_p256_msat(uint32_t out1[9]) { /* * The function fiat_p256_divstep computes a divstep. + * * Preconditions: * 0 ≤ eval arg4 < m * 0 ≤ eval arg5 < m @@ -4744,6 +4762,7 @@ static void fiat_p256_divstep(uint32_t* out1, uint32_t out2[9], uint32_t out3[9] /* * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * * Postconditions: * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m @@ -4762,4 +4781,3 @@ static void fiat_p256_divstep_precomp(uint32_t out1[8]) { out1[6] = UINT32_C(0xffffffff); out1[7] = UINT32_C(0x2fffffff); } - diff --git a/fiat-c/src/p256_64.c b/fiat-c/src/p256_64.c index 7c52b2034fe..e3b84e74896 100644 --- a/fiat-c/src/p256_64.c +++ b/fiat-c/src/p256_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include typedef unsigned char fiat_p256_uint1; @@ -45,6 +45,7 @@ static __inline__ uint64_t fiat_p256_value_barrier_u64(uint64_t a) { /* * The function fiat_p256_addcarryx_u64 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^64 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -70,6 +71,7 @@ static void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_ /* * The function fiat_p256_subborrowx_u64 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^64 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -95,6 +97,7 @@ static void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat /* * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^64 * out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -119,6 +122,7 @@ static void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, ui /* * The function fiat_p256_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -141,6 +145,7 @@ static void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t /* * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -453,6 +458,7 @@ static void fiat_p256_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -763,6 +769,7 @@ static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p256_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -820,6 +827,7 @@ static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
@@ -868,6 +876,7 @@ static void fiat_p256_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -914,6 +923,7 @@ static void fiat_p256_opp(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1072,6 +1082,7 @@ static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) /* * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1351,6 +1362,7 @@ static void fiat_p256_to_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1369,6 +1381,7 @@ static void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { /* * The function fiat_p256_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -1396,6 +1409,7 @@ static void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const ui /* * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1563,6 +1577,7 @@ static void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { /* * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: 
@@ -1703,6 +1718,7 @@ static void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) { /* * The function fiat_p256_set_one returns the field element one in the Montgomery domain. + * * Postconditions: * eval (from_montgomery out1) mod m = 1 mod m * 0 ≤ eval out1 < m @@ -1720,6 +1736,7 @@ static void fiat_p256_set_one(uint64_t out1[4]) { /* * The function fiat_p256_msat returns the saturated representation of the prime modulus. + * * Postconditions: * twos_complement_eval out1 = m * 0 ≤ eval out1 < m @@ -1738,6 +1755,7 @@ static void fiat_p256_msat(uint64_t out1[5]) { /* * The function fiat_p256_divstep computes a divstep. + * * Preconditions: * 0 ≤ eval arg4 < m * 0 ≤ eval arg5 < m @@ -2002,6 +2020,7 @@ static void fiat_p256_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5] /* * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * * Postconditions: * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m @@ -2016,4 +2035,3 @@ static void fiat_p256_divstep_precomp(uint64_t out1[4]) { out1[2] = UINT64_C(0xd80000007fffffff); out1[3] = UINT64_C(0x2fffffffffffffff); } - diff --git a/fiat-c/src/p384_32.c b/fiat-c/src/p384_32.c index 398371e0a50..8859a1af667 100644 --- a/fiat-c/src/p384_32.c +++ b/fiat-c/src/p384_32.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ -/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + 
(z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ +/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ #include typedef unsigned char fiat_p384_uint1; @@ -37,6 +37,7 @@ static __inline__ uint32_t fiat_p384_value_barrier_u32(uint32_t a) { /* * The function fiat_p384_addcarryx_u32 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^32 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -62,6 +63,7 @@ static void fiat_p384_addcarryx_u32(uint32_t* out1, fiat_p384_uint1* out2, fiat_ /* * The function fiat_p384_subborrowx_u32 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^32 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -87,6 +89,7 @@ static void fiat_p384_subborrowx_u32(uint32_t* out1, fiat_p384_uint1* out2, fiat /* * The function fiat_p384_mulx_u32 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^32 * out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -111,6 +114,7 @@ static void fiat_p384_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, ui /* * The function fiat_p384_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * 
@@ -133,6 +137,7 @@ static void fiat_p384_cmovznz_u32(uint32_t* out1, fiat_p384_uint1 arg1, uint32_t /* * The function fiat_p384_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -2693,6 +2698,7 @@ static void fiat_p384_mul(uint32_t out1[12], const uint32_t arg1[12], const uint /* * The function fiat_p384_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -5251,6 +5257,7 @@ static void fiat_p384_square(uint32_t out1[12], const uint32_t arg1[12]) { /* * The function fiat_p384_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -5380,6 +5387,7 @@ static void fiat_p384_add(uint32_t out1[12], const uint32_t arg1[12], const uint /* * The function fiat_p384_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -5484,6 +5492,7 @@ static void fiat_p384_sub(uint32_t out1[12], const uint32_t arg1[12], const uint /* * The function fiat_p384_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -5586,6 +5595,7 @@ static void fiat_p384_opp(uint32_t out1[12], const uint32_t arg1[12]) { /* * The function fiat_p384_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -7122,6 +7132,7 @@ static void fiat_p384_from_montgomery(uint32_t out1[12], const uint32_t arg1[12] /* * The function fiat_p384_to_montgomery translates a field element into the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: 
@@ -8926,6 +8937,7 @@ static void fiat_p384_to_montgomery(uint32_t out1[12], const uint32_t arg1[12]) /* * The function fiat_p384_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -8944,6 +8956,7 @@ static void fiat_p384_nonzero(uint32_t* out1, const uint32_t arg1[12]) { /* * The function fiat_p384_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -8995,6 +9008,7 @@ static void fiat_p384_selectznz(uint32_t out1[12], fiat_p384_uint1 arg1, const u /* * The function fiat_p384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -9226,6 +9240,7 @@ static void fiat_p384_to_bytes(uint8_t out1[48], const uint32_t arg1[12]) { /* * The function fiat_p384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -9422,6 +9437,7 @@ static void fiat_p384_from_bytes(uint32_t out1[12], const uint8_t arg1[48]) { /* * The function fiat_p384_set_one returns the field element one in the Montgomery domain. + * * Postconditions: * eval (from_montgomery out1) mod m = 1 mod m * 0 ≤ eval out1 < m @@ -9447,6 +9463,7 @@ static void fiat_p384_set_one(uint32_t out1[12]) { /* * The function fiat_p384_msat returns the saturated representation of the prime modulus. + * * Postconditions: * twos_complement_eval out1 = m * 0 ≤ eval out1 < m @@ -9473,6 +9490,7 @@ static void fiat_p384_msat(uint32_t out1[13]) { /* * The function fiat_p384_divstep computes a divstep. + * * Preconditions: * 0 ≤ eval arg4 < m * 0 ≤ eval arg5 < m 
@@ -10121,6 +10139,7 @@ static void fiat_p384_divstep(uint32_t* out1, uint32_t out2[13], uint32_t out3[1 /* * The function fiat_p384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * * Postconditions: * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m @@ -10143,4 +10162,3 @@ static void fiat_p384_divstep_precomp(uint32_t out1[12]) { out1[10] = UINT32_C(0x38000); out1[11] = UINT32_C(0xfffc4800); } - diff --git a/fiat-c/src/p384_64.c b/fiat-c/src/p384_64.c index 924f37083e1..6f27a7fadb8 100644 --- a/fiat-c/src/p384_64.c +++ b/fiat-c/src/p384_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */ -/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 
0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */ +/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ #include typedef unsigned char fiat_p384_uint1; @@ -45,6 +45,7 @@ static __inline__ uint64_t fiat_p384_value_barrier_u64(uint64_t a) { /* * The function fiat_p384_addcarryx_u64 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^64 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -70,6 +71,7 @@ static void fiat_p384_addcarryx_u64(uint64_t* out1, fiat_p384_uint1* out2, fiat_ /* * The function fiat_p384_subborrowx_u64 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^64 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -95,6 +97,7 @@ static void fiat_p384_subborrowx_u64(uint64_t* out1, fiat_p384_uint1* out2, fiat /* * The function fiat_p384_mulx_u64 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^64 * out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -119,6 +122,7 @@ static void fiat_p384_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, ui /* * The function fiat_p384_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -141,6 +145,7 @@ static void fiat_p384_cmovznz_u64(uint64_t* out1, fiat_p384_uint1 arg1, uint64_t /* * The function fiat_p384_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -889,6 +894,7 @@ static void fiat_p384_mul(uint64_t out1[6], const uint64_t arg1[6], const uint64 /* * The function fiat_p384_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: 
@@ -1635,6 +1641,7 @@ static void fiat_p384_square(uint64_t out1[6], const uint64_t arg1[6]) { /* * The function fiat_p384_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -1710,6 +1717,7 @@ static void fiat_p384_add(uint64_t out1[6], const uint64_t arg1[6], const uint64 /* * The function fiat_p384_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -1772,6 +1780,7 @@ static void fiat_p384_sub(uint64_t out1[6], const uint64_t arg1[6], const uint64 /* * The function fiat_p384_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1832,6 +1841,7 @@ static void fiat_p384_opp(uint64_t out1[6], const uint64_t arg1[6]) { /* * The function fiat_p384_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2321,6 +2331,7 @@ static void fiat_p384_from_montgomery(uint64_t out1[6], const uint64_t arg1[6]) /* * The function fiat_p384_to_montgomery translates a field element into the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2964,6 +2975,7 @@ static void fiat_p384_to_montgomery(uint64_t out1[6], const uint64_t arg1[6]) { /* * The function fiat_p384_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2982,6 +2994,7 @@ static void fiat_p384_nonzero(uint64_t* out1, const uint64_t arg1[6]) { /* * The function fiat_p384_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * 
@@ -3015,6 +3028,7 @@ static void fiat_p384_selectznz(uint64_t out1[6], fiat_p384_uint1 arg1, const ui /* * The function fiat_p384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3258,6 +3272,7 @@ static void fiat_p384_to_bytes(uint8_t out1[48], const uint64_t arg1[6]) { /* * The function fiat_p384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -3460,6 +3475,7 @@ static void fiat_p384_from_bytes(uint64_t out1[6], const uint8_t arg1[48]) { /* * The function fiat_p384_set_one returns the field element one in the Montgomery domain. + * * Postconditions: * eval (from_montgomery out1) mod m = 1 mod m * 0 ≤ eval out1 < m @@ -3479,6 +3495,7 @@ static void fiat_p384_set_one(uint64_t out1[6]) { /* * The function fiat_p384_msat returns the saturated representation of the prime modulus. + * * Postconditions: * twos_complement_eval out1 = m * 0 ≤ eval out1 < m @@ -3499,6 +3516,7 @@ static void fiat_p384_msat(uint64_t out1[7]) { /* * The function fiat_p384_divstep computes a divstep. + * * Preconditions: * 0 ≤ eval arg4 < m * 0 ≤ eval arg5 < m @@ -3859,6 +3877,7 @@ static void fiat_p384_divstep(uint64_t* out1, uint64_t out2[7], uint64_t out3[7] /* * The function fiat_p384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * * Postconditions: * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m @@ -3875,4 +3894,3 @@ static void fiat_p384_divstep_precomp(uint64_t out1[6]) { out1[4] = UINT64_C(0x6040000050400); out1[5] = UINT64_C(0xfffc480000038000); } - diff --git a/fiat-c/src/p434_64.c b/fiat-c/src/p434_64.c index f05a65c7ce9..08de27a4539 100644 --- a/fiat-c/src/p434_64.c 
+++ b/fiat-c/src/p434_64.c 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in */ -/* if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 
232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in */ +/* if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 */ #include typedef unsigned char fiat_p434_uint1; @@ -45,6 +45,7 @@ static __inline__ uint64_t fiat_p434_value_barrier_u64(uint64_t a) { /* * The function fiat_p434_addcarryx_u64 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^64 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -70,6 +71,7 @@ static void fiat_p434_addcarryx_u64(uint64_t* out1, fiat_p434_uint1* out2, fiat_ /* * The function fiat_p434_subborrowx_u64 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^64 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -95,6 +97,7 @@ static void fiat_p434_subborrowx_u64(uint64_t* out1, fiat_p434_uint1* out2, fiat /* * The function fiat_p434_mulx_u64 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^64 * out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -119,6 +122,7 @@ static void fiat_p434_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, ui /* * The function fiat_p434_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * 
@@ -141,6 +145,7 @@ static void fiat_p434_cmovznz_u64(uint64_t* out1, fiat_p434_uint1 arg1, uint64_t /* * The function fiat_p434_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -1116,6 +1121,7 @@ static void fiat_p434_mul(uint64_t out1[7], const uint64_t arg1[7], const uint64 /* * The function fiat_p434_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2089,6 +2095,7 @@ static void fiat_p434_square(uint64_t out1[7], const uint64_t arg1[7]) { /* * The function fiat_p434_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -2173,6 +2180,7 @@ static void fiat_p434_add(uint64_t out1[7], const uint64_t arg1[7], const uint64 /* * The function fiat_p434_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -2242,6 +2250,7 @@ static void fiat_p434_sub(uint64_t out1[7], const uint64_t arg1[7], const uint64 /* * The function fiat_p434_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2309,6 +2318,7 @@ static void fiat_p434_opp(uint64_t out1[7], const uint64_t arg1[7]) { /* * The function fiat_p434_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2902,6 +2912,7 @@ static void fiat_p434_from_montgomery(uint64_t out1[7], const uint64_t arg1[7]) /* * The function fiat_p434_to_montgomery translates a field element into the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: 
@@ -3798,6 +3809,7 @@ static void fiat_p434_to_montgomery(uint64_t out1[7], const uint64_t arg1[7]) { /* * The function fiat_p434_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -3816,6 +3828,7 @@ static void fiat_p434_nonzero(uint64_t* out1, const uint64_t arg1[7]) { /* * The function fiat_p434_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -3852,6 +3865,7 @@ static void fiat_p434_selectznz(uint64_t out1[7], fiat_p434_uint1 arg1, const ui /* * The function fiat_p434_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -4128,6 +4142,7 @@ static void fiat_p434_to_bytes(uint8_t out1[55], const uint64_t arg1[7]) { /* * The function fiat_p434_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -4357,6 +4372,7 @@ static void fiat_p434_from_bytes(uint64_t out1[7], const uint8_t arg1[55]) { /* * The function fiat_p434_set_one returns the field element one in the Montgomery domain. + * * Postconditions: * eval (from_montgomery out1) mod m = 1 mod m * 0 ≤ eval out1 < m @@ -4377,6 +4393,7 @@ static void fiat_p434_set_one(uint64_t out1[7]) { /* * The function fiat_p434_msat returns the saturated representation of the prime modulus. + * * Postconditions: * twos_complement_eval out1 = m * 0 ≤ eval out1 < m @@ -4398,6 +4415,7 @@ static void fiat_p434_msat(uint64_t out1[8]) { /* * The function fiat_p434_divstep computes a divstep. + * * Preconditions: * 0 ≤ eval arg4 < m * 0 ≤ eval arg5 < m 
@@ -4806,6 +4824,7 @@ static void fiat_p434_divstep(uint64_t* out1, uint64_t out2[8], uint64_t out3[8] /* * The function fiat_p434_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * * Postconditions: * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m @@ -4823,4 +4842,3 @@ static void fiat_p434_divstep_precomp(uint64_t out1[7]) { out1[5] = UINT64_C(0x6e1ddae1d9609ae1); out1[6] = UINT64_C(0x6df82285eec6); } - diff --git a/fiat-c/src/p448_solinas_32.c b/fiat-c/src/p448_solinas_32.c index a2a22913144..64230967bb9 100644 --- a/fiat-c/src/p448_solinas_32.c +++ b/fiat-c/src/p448_solinas_32.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [7, 15, 8, 0, 9, 1, 10, 2, 11, 3, 12, 4, 13, 5, 14, 6, 15, 7, 8, 0] */ -/* eval z = z[0] + (z[1] << 28) + (z[2] << 56) + (z[3] << 84) + (z[4] << 112) + (z[5] << 140) + (z[6] << 168) + (z[7] << 196) + (z[8] << 224) + (z[9] << 252) + (z[10] << 0x118) + (z[11] << 0x134) + (z[12] << 0x150) + (z[13] << 0x16c) + (z[14] << 0x188) + (z[15] << 0x1a4) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) */ -/* balance = [0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffc, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe] */ +/* carry_chain = [7, 15, 8, 0, 9, 1, 10, 2, 11, 3, 12, 4, 13, 5, 14, 6, 15, 7, 8, 0] */ +/* eval z = z[0] + (z[1] << 28) + (z[2] << 56) + (z[3] << 84) + (z[4] << 112) + (z[5] << 140) + (z[6] << 168) + (z[7] << 196) + (z[8] << 224) + (z[9] << 252) + (z[10] << 0x118) + (z[11] << 0x134) + (z[12] << 0x150) + (z[13] << 0x16c) + (z[14] << 0x188) + 
(z[15] << 0x1a4) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) */ +/* balance = [0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffc, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe] */ #include typedef unsigned char fiat_p448_uint1; @@ -40,6 +40,7 @@ static __inline__ uint32_t fiat_p448_value_barrier_u32(uint32_t a) { /* * The function fiat_p448_addcarryx_u28 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^28 * out2 = ⌊(arg1 + arg2 + arg3) / 2^28⌋ @@ -65,6 +66,7 @@ static void fiat_p448_addcarryx_u28(uint32_t* out1, fiat_p448_uint1* out2, fiat_ /* * The function fiat_p448_subborrowx_u28 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^28 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^28⌋ 
@@ -90,6 +92,7 @@ static void fiat_p448_subborrowx_u28(uint32_t* out1, fiat_p448_uint1* out2, fiat /* * The function fiat_p448_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -112,6 +115,7 @@ static void fiat_p448_cmovznz_u32(uint32_t* out1, fiat_p448_uint1 arg1, uint32_t /* * The function fiat_p448_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * @@ -1106,6 +1110,7 @@ static void fiat_p448_carry_mul(uint32_t out1[16], const uint32_t arg1[16], cons /* * The function fiat_p448_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * @@ -1813,6 +1818,7 @@ static void fiat_p448_carry_square(uint32_t out1[16], const uint32_t arg1[16]) { /* * The function fiat_p448_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * @@ -1918,6 +1924,7 @@ static void fiat_p448_carry(uint32_t out1[16], const uint32_t arg1[16]) { /* * The function fiat_p448_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * @@ -1980,6 +1987,7 @@ static void fiat_p448_add(uint32_t out1[16], const uint32_t arg1[16], const uint /* * The function fiat_p448_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * @@ -2042,6 +2050,7 @@ static void fiat_p448_sub(uint32_t out1[16], const uint32_t arg1[16], const uint /* * The function fiat_p448_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * @@ -2103,6 +2112,7 @@ static void fiat_p448_opp(uint32_t out1[16], const uint32_t arg1[16]) { /* * The function fiat_p448_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * 
@@ -2166,6 +2176,7 @@ static void fiat_p448_selectznz(uint32_t out1[16], fiat_p448_uint1 arg1, const u /* * The function fiat_p448_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] * @@ -2557,6 +2568,7 @@ static void fiat_p448_to_bytes(uint8_t out1[56], const uint32_t arg1[16]) { /* * The function fiat_p448_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * @@ -2823,4 +2835,3 @@ static void fiat_p448_from_bytes(uint32_t out1[16], const uint8_t arg1[56]) { out1[14] = x116; out1[15] = x120; } - diff --git a/fiat-c/src/p448_solinas_64.c b/fiat-c/src/p448_solinas_64.c index f25f7d320d1..c733278ecc7 100644 --- a/fiat-c/src/p448_solinas_64.c +++ b/fiat-c/src/p448_solinas_64.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] */ -/* eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) */ -/* balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] */ +/* carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] */ +/* eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + 
(z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) */ +/* balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] */ #include typedef unsigned char fiat_p448_uint1; @@ -40,6 +40,7 @@ static __inline__ uint64_t fiat_p448_value_barrier_u64(uint64_t a) { /* * The function fiat_p448_addcarryx_u56 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^56 * out2 = ⌊(arg1 + arg2 + arg3) / 2^56⌋ @@ -65,6 +66,7 @@ static void fiat_p448_addcarryx_u56(uint64_t* out1, fiat_p448_uint1* out2, fiat_ /* * The function fiat_p448_subborrowx_u56 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^56 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^56⌋ @@ -90,6 +92,7 @@ static void fiat_p448_subborrowx_u56(uint64_t* out1, fiat_p448_uint1* out2, fiat /* * The function fiat_p448_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -112,6 +115,7 @@ static void fiat_p448_cmovznz_u64(uint64_t* out1, fiat_p448_uint1 arg1, uint64_t /* * The function fiat_p448_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * 
@@ -422,6 +426,7 @@ static void fiat_p448_carry_mul(uint64_t out1[8], const uint64_t arg1[8], const /* * The function fiat_p448_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * @@ -689,6 +694,7 @@ static void fiat_p448_carry_square(uint64_t out1[8], const uint64_t arg1[8]) { /* * The function fiat_p448_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * @@ -754,6 +760,7 @@ static void fiat_p448_carry(uint64_t out1[8], const uint64_t arg1[8]) { /* * The function fiat_p448_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * @@ -792,6 +799,7 @@ static void fiat_p448_add(uint64_t out1[8], const uint64_t arg1[8], const uint64 /* * The function fiat_p448_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * @@ -830,6 +838,7 @@ static void fiat_p448_sub(uint64_t out1[8], const uint64_t arg1[8], const uint64 /* * The function fiat_p448_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * @@ -867,6 +876,7 @@ static void fiat_p448_opp(uint64_t out1[8], const uint64_t arg1[8]) { /* * The function fiat_p448_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -906,6 +916,7 @@ static void fiat_p448_selectznz(uint64_t out1[8], fiat_p448_uint1 arg1, const ui /* * The function fiat_p448_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] * @@ -1217,6 +1228,7 @@ static void fiat_p448_to_bytes(uint8_t out1[56], const uint64_t arg1[8]) { /* * The function fiat_p448_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * 
@@ -1443,4 +1455,3 @@ static void fiat_p448_from_bytes(uint64_t out1[8], const uint8_t arg1[56]) { out1[6] = x98; out1[7] = x104; } - diff --git a/fiat-c/src/p521_64.c b/fiat-c/src/p521_64.c index 9680cdce717..01527e7ee71 100644 --- a/fiat-c/src/p521_64.c +++ b/fiat-c/src/p521_64.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] */ -/* eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ -/* balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] */ +/* eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 
56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) */ +/* balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] */ #include typedef unsigned char fiat_p521_uint1; @@ -40,6 +40,7 @@ static __inline__ uint64_t fiat_p521_value_barrier_u64(uint64_t a) { /* * The function fiat_p521_addcarryx_u58 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^58 * out2 = ⌊(arg1 + arg2 + arg3) / 2^58⌋ @@ -65,6 +66,7 @@ static void fiat_p521_addcarryx_u58(uint64_t* out1, fiat_p521_uint1* out2, fiat_ /* * The function fiat_p521_subborrowx_u58 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^58 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^58⌋ 
@@ -90,6 +92,7 @@ static void fiat_p521_subborrowx_u58(uint64_t* out1, fiat_p521_uint1* out2, fiat /* * The function fiat_p521_addcarryx_u57 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^57 * out2 = ⌊(arg1 + arg2 + arg3) / 2^57⌋ @@ -115,6 +118,7 @@ static void fiat_p521_addcarryx_u57(uint64_t* out1, fiat_p521_uint1* out2, fiat_ /* * The function fiat_p521_subborrowx_u57 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^57 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^57⌋ @@ -140,6 +144,7 @@ static void fiat_p521_subborrowx_u57(uint64_t* out1, fiat_p521_uint1* out2, fiat /* * The function fiat_p521_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -162,6 +167,7 @@ static void fiat_p521_cmovznz_u64(uint64_t* out1, fiat_p521_uint1 arg1, uint64_t /* * The function fiat_p521_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * @@ -431,6 +437,7 @@ static void fiat_p521_carry_mul(uint64_t out1[9], const uint64_t arg1[9], const /* * The function fiat_p521_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * @@ -659,6 +666,7 @@ static void fiat_p521_carry_square(uint64_t out1[9], const uint64_t arg1[9]) { /* * The function fiat_p521_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * @@ -721,6 +729,7 @@ static void fiat_p521_carry(uint64_t out1[9], const uint64_t arg1[9]) { /* * The function fiat_p521_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * @@ -762,6 +771,7 @@ static void fiat_p521_add(uint64_t out1[9], const uint64_t arg1[9], const uint64 /* * The function fiat_p521_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * 
@@ -803,6 +813,7 @@ static void fiat_p521_sub(uint64_t out1[9], const uint64_t arg1[9], const uint64 /* * The function fiat_p521_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * @@ -843,6 +854,7 @@ static void fiat_p521_opp(uint64_t out1[9], const uint64_t arg1[9]) { /* * The function fiat_p521_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -885,6 +897,7 @@ static void fiat_p521_selectznz(uint64_t out1[9], fiat_p521_uint1 arg1, const ui /* * The function fiat_p521_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] * @@ -1296,6 +1309,7 @@ static void fiat_p521_to_bytes(uint8_t out1[66], const uint64_t arg1[9]) { /* * The function fiat_p521_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * @@ -1597,4 +1611,3 @@ static void fiat_p521_from_bytes(uint64_t out1[9], const uint8_t arg1[66]) { out1[7] = x134; out1[8] = x141; } - diff --git a/fiat-c/src/poly1305_32.c b/fiat-c/src/poly1305_32.c index 61b9415f30f..502c6bb2a2b 100644 --- a/fiat-c/src/poly1305_32.c +++ b/fiat-c/src/poly1305_32.c 
@@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ -/* eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ -/* balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ +/* balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] */ #include typedef unsigned char fiat_poly1305_uint1; @@ -32,6 +32,7 @@ static __inline__ uint32_t fiat_poly1305_value_barrier_u32(uint32_t a) { /* * The function fiat_poly1305_addcarryx_u26 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^26 * out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ @@ -57,6 +58,7 @@ static void fiat_poly1305_addcarryx_u26(uint32_t* out1, fiat_poly1305_uint1* out /* * The function fiat_poly1305_subborrowx_u26 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^26 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -82,6 +84,7 @@ static void fiat_poly1305_subborrowx_u26(uint32_t* out1, fiat_poly1305_uint1* ou /* * The function fiat_poly1305_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * 
@@ -104,6 +107,7 @@ static void fiat_poly1305_cmovznz_u32(uint32_t* out1, fiat_poly1305_uint1 arg1, /* * The function fiat_poly1305_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * @@ -227,6 +231,7 @@ static void fiat_poly1305_carry_mul(uint32_t out1[5], const uint32_t arg1[5], co /* * The function fiat_poly1305_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * @@ -345,6 +350,7 @@ static void fiat_poly1305_carry_square(uint32_t out1[5], const uint32_t arg1[5]) /* * The function fiat_poly1305_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * @@ -387,6 +393,7 @@ static void fiat_poly1305_carry(uint32_t out1[5], const uint32_t arg1[5]) { /* * The function fiat_poly1305_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * @@ -416,6 +423,7 @@ static void fiat_poly1305_add(uint32_t out1[5], const uint32_t arg1[5], const ui /* * The function fiat_poly1305_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * @@ -445,6 +453,7 @@ static void fiat_poly1305_sub(uint32_t out1[5], const uint32_t arg1[5], const ui /* * The function fiat_poly1305_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * @@ -473,6 +482,7 @@ static void fiat_poly1305_opp(uint32_t out1[5], const uint32_t arg1[5]) { /* * The function fiat_poly1305_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * 
@@ -503,6 +513,7 @@ static void fiat_poly1305_selectznz(uint32_t out1[5], fiat_poly1305_uint1 arg1, /* * The function fiat_poly1305_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] * @@ -637,6 +648,7 @@ static void fiat_poly1305_to_bytes(uint8_t out1[17], const uint32_t arg1[5]) { /* * The function fiat_poly1305_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * @@ -728,4 +740,3 @@ static void fiat_poly1305_from_bytes(uint32_t out1[5], const uint8_t arg1[17]) { out1[3] = x35; out1[4] = x38; } - diff --git a/fiat-c/src/poly1305_64.c b/fiat-c/src/poly1305_64.c index 8ece1cad59c..4e088e6f79d 100644 --- a/fiat-c/src/poly1305_64.c +++ b/fiat-c/src/poly1305_64.c @@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 0, 1] */ -/* eval z = z[0] + (z[1] << 44) + (z[2] << 87) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ -/* balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] */ +/* carry_chain = [0, 1, 2, 0, 1] */ +/* eval z = z[0] + (z[1] << 44) + (z[2] << 87) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ +/* balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] */ #include typedef unsigned char fiat_poly1305_uint1; 
@@ -40,6 +40,7 @@ static __inline__ uint64_t fiat_poly1305_value_barrier_u64(uint64_t a) { /* * The function fiat_poly1305_addcarryx_u44 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^44 * out2 = ⌊(arg1 + arg2 + arg3) / 2^44⌋ @@ -65,6 +66,7 @@ static void fiat_poly1305_addcarryx_u44(uint64_t* out1, fiat_poly1305_uint1* out /* * The function fiat_poly1305_subborrowx_u44 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^44 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^44⌋ @@ -90,6 +92,7 @@ static void fiat_poly1305_subborrowx_u44(uint64_t* out1, fiat_poly1305_uint1* ou /* * The function fiat_poly1305_addcarryx_u43 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^43 * out2 = ⌊(arg1 + arg2 + arg3) / 2^43⌋ @@ -115,6 +118,7 @@ static void fiat_poly1305_addcarryx_u43(uint64_t* out1, fiat_poly1305_uint1* out /* * The function fiat_poly1305_subborrowx_u43 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^43 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^43⌋ @@ -140,6 +144,7 @@ static void fiat_poly1305_subborrowx_u43(uint64_t* out1, fiat_poly1305_uint1* ou /* * The function fiat_poly1305_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -162,6 +167,7 @@ static void fiat_poly1305_cmovznz_u64(uint64_t* out1, fiat_poly1305_uint1 arg1, /* * The function fiat_poly1305_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * @@ -235,6 +241,7 @@ static void fiat_poly1305_carry_mul(uint64_t out1[3], const uint64_t arg1[3], co /* * The function fiat_poly1305_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * 
@@ -309,6 +316,7 @@ static void fiat_poly1305_carry_square(uint64_t out1[3], const uint64_t arg1[3])
 /*
 * The function fiat_poly1305_carry reduces a field element.
+ *
 * Postconditions:
 * eval out1 mod m = eval arg1 mod m
 *
@@ -341,6 +349,7 @@ static void fiat_poly1305_carry(uint64_t out1[3], const uint64_t arg1[3]) {
 /*
 * The function fiat_poly1305_add adds two field elements.
+ *
 * Postconditions:
 * eval out1 mod m = (eval arg1 + eval arg2) mod m
 *
@@ -364,6 +373,7 @@ static void fiat_poly1305_add(uint64_t out1[3], const uint64_t arg1[3], const ui
 /*
 * The function fiat_poly1305_sub subtracts two field elements.
+ *
 * Postconditions:
 * eval out1 mod m = (eval arg1 - eval arg2) mod m
 *
@@ -387,6 +397,7 @@ static void fiat_poly1305_sub(uint64_t out1[3], const uint64_t arg1[3], const ui
 /*
 * The function fiat_poly1305_opp negates a field element.
+ *
 * Postconditions:
 * eval out1 mod m = -eval arg1 mod m
 *
@@ -409,6 +420,7 @@ static void fiat_poly1305_opp(uint64_t out1[3], const uint64_t arg1[3]) {
 /*
 * The function fiat_poly1305_selectznz is a multi-limb conditional select.
+ *
 * Postconditions:
 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)
 *
@@ -433,6 +445,7 @@ static void fiat_poly1305_selectznz(uint64_t out1[3], fiat_poly1305_uint1 arg1,
 /*
 * The function fiat_poly1305_to_bytes serializes a field element to bytes in little-endian order.
+ *
 * Postconditions:
 * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16]
 *
@@ -555,6 +568,7 @@ static void fiat_poly1305_to_bytes(uint8_t out1[17], const uint64_t arg1[3]) {
 /*
 * The function fiat_poly1305_from_bytes deserializes a field element from bytes in little-endian order.
+ *
 * Postconditions:
 * eval out1 mod m = bytes_eval arg1 mod m
 *
@@ -642,4 +656,3 @@ static void fiat_poly1305_from_bytes(uint64_t out1[3], const uint8_t arg1[17]) {
 out1[1] = x30;
 out1[2] = x37;
 }
-
diff --git a/fiat-c/src/secp256k1_32.c b/fiat-c/src/secp256k1_32.c
index b4984e59274..31fc741baeb 100644
--- a/fiat-c/src/secp256k1_32.c
+++ b/fiat-c/src/secp256k1_32.c
@@ -12,10 +12,10 @@
 /* return values. */
 /* */
 /* Computed values: */
-/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */
-/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
-/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */
-/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */
+/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */
+/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
+/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */
+/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */
 #include
 typedef unsigned char fiat_secp256k1_uint1;
@@ -37,6 +37,7 @@ static __inline__ uint32_t fiat_secp256k1_value_barrier_u32(uint32_t a) {
 /*
 * The function fiat_secp256k1_addcarryx_u32 is an addition with carry.
+ *
 * Postconditions:
 * out1 = (arg1 + arg2 + arg3) mod 2^32
 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋
@@ -62,6 +63,7 @@ static void fiat_secp256k1_addcarryx_u32(uint32_t* out1, fiat_secp256k1_uint1* o
 /*
 * The function fiat_secp256k1_subborrowx_u32 is a subtraction with borrow.
+ *
 * Postconditions:
 * out1 = (-arg1 + arg2 + -arg3) mod 2^32
 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋
@@ -87,6 +89,7 @@ static void fiat_secp256k1_subborrowx_u32(uint32_t* out1, fiat_secp256k1_uint1*
 /*
 * The function fiat_secp256k1_mulx_u32 is a multiplication, returning the full double-width result.
+ *
 * Postconditions:
 * out1 = (arg1 * arg2) mod 2^32
 * out2 = ⌊arg1 * arg2 / 2^32⌋
@@ -111,6 +114,7 @@ static void fiat_secp256k1_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg
 /*
 * The function fiat_secp256k1_cmovznz_u32 is a single-word conditional move.
+ *
 * Postconditions:
 * out1 = (if arg1 = 0 then arg2 else arg3)
 *
@@ -133,6 +137,7 @@ static void fiat_secp256k1_cmovznz_u32(uint32_t* out1, fiat_secp256k1_uint1 arg1
 /*
 * The function fiat_secp256k1_mul multiplies two field elements in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * 0 ≤ eval arg2 < m
@@ -1413,6 +1418,7 @@ static void fiat_secp256k1_mul(uint32_t out1[8], const uint32_t arg1[8], const u
 /*
 * The function fiat_secp256k1_square squares a field element in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -2691,6 +2697,7 @@ static void fiat_secp256k1_square(uint32_t out1[8], const uint32_t arg1[8]) {
 /*
 * The function fiat_secp256k1_add adds two field elements in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * 0 ≤ eval arg2 < m
@@ -2784,6 +2791,7 @@ static void fiat_secp256k1_add(uint32_t out1[8], const uint32_t arg1[8], const u
 /*
 * The function fiat_secp256k1_sub subtracts two field elements in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * 0 ≤ eval arg2 < m
@@ -2860,6 +2868,7 @@ static void fiat_secp256k1_sub(uint32_t out1[8], const uint32_t arg1[8], const u
 /*
 * The function fiat_secp256k1_opp negates a field element in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -2934,6 +2943,7 @@ static void fiat_secp256k1_opp(uint32_t out1[8], const uint32_t arg1[8]) {
 /*
 * The function fiat_secp256k1_from_montgomery translates a field element out of the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -3771,6 +3781,7 @@ static void fiat_secp256k1_from_montgomery(uint32_t out1[8], const uint32_t arg1
 /*
 * The function fiat_secp256k1_to_montgomery translates a field element into the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -4718,6 +4729,7 @@ static void fiat_secp256k1_to_montgomery(uint32_t out1[8], const uint32_t arg1[8
 /*
 * The function fiat_secp256k1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -4736,6 +4748,7 @@ static void fiat_secp256k1_nonzero(uint32_t* out1, const uint32_t arg1[8]) {
 /*
 * The function fiat_secp256k1_selectznz is a multi-limb conditional select.
+ *
 * Postconditions:
 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)
 *
@@ -4775,6 +4788,7 @@ static void fiat_secp256k1_selectznz(uint32_t out1[8], fiat_secp256k1_uint1 arg1
 /*
 * The function fiat_secp256k1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -4934,6 +4948,7 @@ static void fiat_secp256k1_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) {
 /*
 * The function fiat_secp256k1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.
+ *
 * Preconditions:
 * 0 ≤ bytes_eval arg1 < m
 * Postconditions:
@@ -5070,6 +5085,7 @@ static void fiat_secp256k1_from_bytes(uint32_t out1[8], const uint8_t arg1[32])
 /*
 * The function fiat_secp256k1_set_one returns the field element one in the Montgomery domain.
+ *
 * Postconditions:
 * eval (from_montgomery out1) mod m = 1 mod m
 * 0 ≤ eval out1 < m
@@ -5091,6 +5107,7 @@ static void fiat_secp256k1_set_one(uint32_t out1[8]) {
 /*
 * The function fiat_secp256k1_msat returns the saturated representation of the prime modulus.
+ *
 * Postconditions:
 * twos_complement_eval out1 = m
 * 0 ≤ eval out1 < m
@@ -5113,6 +5130,7 @@ static void fiat_secp256k1_msat(uint32_t out1[9]) {
 /*
 * The function fiat_secp256k1_divstep computes a divstep.
+ *
 * Preconditions:
 * 0 ≤ eval arg4 < m
 * 0 ≤ eval arg5 < m
@@ -5569,6 +5587,7 @@ static void fiat_secp256k1_divstep(uint32_t* out1, uint32_t out2[9], uint32_t ou
 /*
 * The function fiat_secp256k1_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).
+ *
 * Postconditions:
 * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋)
 * 0 ≤ eval out1 < m
@@ -5587,4 +5606,3 @@ static void fiat_secp256k1_divstep_precomp(uint32_t out1[8]) {
 out1[6] = UINT32_C(0x4b03709);
 out1[7] = UINT32_C(0x24fb8a31);
 }
-
diff --git a/fiat-c/src/secp256k1_64.c b/fiat-c/src/secp256k1_64.c
index b527d7f1413..505b319b0e8 100644
--- a/fiat-c/src/secp256k1_64.c
+++ b/fiat-c/src/secp256k1_64.c
@@ -12,10 +12,10 @@
 /* return values. */
 /* */
 /* Computed values: */
-/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */
-/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
-/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */
-/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */
+/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */
+/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */
+/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */
+/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */
 #include
 typedef unsigned char fiat_secp256k1_uint1;
@@ -45,6 +45,7 @@ static __inline__ uint64_t fiat_secp256k1_value_barrier_u64(uint64_t a) {
 /*
 * The function fiat_secp256k1_addcarryx_u64 is an addition with carry.
+ *
 * Postconditions:
 * out1 = (arg1 + arg2 + arg3) mod 2^64
 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋
@@ -70,6 +71,7 @@ static void fiat_secp256k1_addcarryx_u64(uint64_t* out1, fiat_secp256k1_uint1* o
 /*
 * The function fiat_secp256k1_subborrowx_u64 is a subtraction with borrow.
+ *
 * Postconditions:
 * out1 = (-arg1 + arg2 + -arg3) mod 2^64
 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋
@@ -95,6 +97,7 @@ static void fiat_secp256k1_subborrowx_u64(uint64_t* out1, fiat_secp256k1_uint1*
 /*
 * The function fiat_secp256k1_mulx_u64 is a multiplication, returning the full double-width result.
+ *
 * Postconditions:
 * out1 = (arg1 * arg2) mod 2^64
 * out2 = ⌊arg1 * arg2 / 2^64⌋
@@ -119,6 +122,7 @@ static void fiat_secp256k1_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg
 /*
 * The function fiat_secp256k1_cmovznz_u64 is a single-word conditional move.
+ *
 * Postconditions:
 * out1 = (if arg1 = 0 then arg2 else arg3)
 *
@@ -141,6 +145,7 @@ static void fiat_secp256k1_cmovznz_u64(uint64_t* out1, fiat_secp256k1_uint1 arg1
 /*
 * The function fiat_secp256k1_mul multiplies two field elements in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * 0 ≤ eval arg2 < m
@@ -501,6 +506,7 @@ static void fiat_secp256k1_mul(uint64_t out1[4], const uint64_t arg1[4], const u
 /*
 * The function fiat_secp256k1_square squares a field element in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -859,6 +865,7 @@ static void fiat_secp256k1_square(uint64_t out1[4], const uint64_t arg1[4]) {
 /*
 * The function fiat_secp256k1_add adds two field elements in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * 0 ≤ eval arg2 < m
@@ -916,6 +923,7 @@ static void fiat_secp256k1_add(uint64_t out1[4], const uint64_t arg1[4], const u
 /*
 * The function fiat_secp256k1_sub subtracts two field elements in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * 0 ≤ eval arg2 < m
@@ -964,6 +972,7 @@ static void fiat_secp256k1_sub(uint64_t out1[4], const uint64_t arg1[4], const u
 /*
 * The function fiat_secp256k1_opp negates a field element in the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -1010,6 +1019,7 @@ static void fiat_secp256k1_opp(uint64_t out1[4], const uint64_t arg1[4]) {
 /*
 * The function fiat_secp256k1_from_montgomery translates a field element out of the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -1247,6 +1257,7 @@ static void fiat_secp256k1_from_montgomery(uint64_t out1[4], const uint64_t arg1
 /*
 * The function fiat_secp256k1_to_montgomery translates a field element into the Montgomery domain.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -1514,6 +1525,7 @@ static void fiat_secp256k1_to_montgomery(uint64_t out1[4], const uint64_t arg1[4
 /*
 * The function fiat_secp256k1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -1532,6 +1544,7 @@ static void fiat_secp256k1_nonzero(uint64_t* out1, const uint64_t arg1[4]) {
 /*
 * The function fiat_secp256k1_selectznz is a multi-limb conditional select.
+ *
 * Postconditions:
 * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)
 *
@@ -1559,6 +1572,7 @@ static void fiat_secp256k1_selectznz(uint64_t out1[4], fiat_secp256k1_uint1 arg1
 /*
 * The function fiat_secp256k1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.
+ *
 * Preconditions:
 * 0 ≤ eval arg1 < m
 * Postconditions:
@@ -1726,6 +1740,7 @@ static void fiat_secp256k1_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) {
 /*
 * The function fiat_secp256k1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.
+ *
 * Preconditions:
 * 0 ≤ bytes_eval arg1 < m
 * Postconditions:
@@ -1866,6 +1881,7 @@ static void fiat_secp256k1_from_bytes(uint64_t out1[4], const uint8_t arg1[32])
 /*
 * The function fiat_secp256k1_set_one returns the field element one in the Montgomery domain.
+ *
 * Postconditions:
 * eval (from_montgomery out1) mod m = 1 mod m
 * 0 ≤ eval out1 < m
@@ -1883,6 +1899,7 @@ static void fiat_secp256k1_set_one(uint64_t out1[4]) {
 /*
 * The function fiat_secp256k1_msat returns the saturated representation of the prime modulus.
+ *
 * Postconditions:
 * twos_complement_eval out1 = m
 * 0 ≤ eval out1 < m
@@ -1901,6 +1918,7 @@ static void fiat_secp256k1_msat(uint64_t out1[5]) {
 /*
 * The function fiat_secp256k1_divstep computes a divstep.
+ *
 * Preconditions:
 * 0 ≤ eval arg4 < m
 * 0 ≤ eval arg5 < m
@@ -2165,6 +2183,7 @@ static void fiat_secp256k1_divstep(uint64_t* out1, uint64_t out2[5], uint64_t ou
 /*
 * The function fiat_secp256k1_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).
+ *
 * Postconditions:
 * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋)
 * 0 ≤ eval out1 < m
@@ -2179,4 +2198,3 @@ static void fiat_secp256k1_divstep_precomp(uint64_t out1[4]) {
 out1[2] = UINT64_C(0xe86029463db210a9);
 out1[3] = UINT64_C(0x24fb8a3104b03709);
 }
-
diff --git a/fiat-go/32/curve25519/curve25519.go b/fiat-go/32/curve25519/curve25519.go
index 87119d8cf8f..9d8685526c3 100644
--- a/fiat-go/32/curve25519/curve25519.go
+++ b/fiat-go/32/curve25519/curve25519.go
@@ -1,1013 +1,981 @@
-/*
- Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name curve25519 '' 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666
-
- curve description (via package name): curve25519
-
- machine_wordsize = 32 (from "32")
-
- requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666
-
- n = 10 (from "(auto)")
-
- s-c = 2^255 - [(1, 19)] (from "2^255 - 19")
-
- tight_bounds_multiplier = 1 (from "")
-
-
-
- Computed values:
-
- carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1]
-
- eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230)
-
- bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)
-
- balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe]
- */
+// Code generated by Fiat Cryptography. DO NOT EDIT.
+//
+// Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --package-name curve25519 '' 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666
+//
+// curve description (via package name): curve25519
+//
+// machine_wordsize = 32 (from "32")
+//
+// requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666
+//
+// n = 10 (from "(auto)")
+//
+// s-c = 2^255 - [(1, 19)] (from "2^255 - 19")
+//
+// tight_bounds_multiplier = 1 (from "")
+//
+//
+//
+// Computed values:
+//
+// carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1]
+//
+// eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230)
+//
+// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)
+//
+// balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe]
 package curve25519
 type uint1 uint8
 type int1 int8
-
-/*
- The function addcarryxU26 is an addition with carry.
- Postconditions:
- out1 = (arg1 + arg2 + arg3) mod 2^26
- out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋
-
- Input Bounds:
- arg1: [0x0 ~> 0x1]
- arg2: [0x0 ~> 0x3ffffff]
- arg3: [0x0 ~> 0x3ffffff]
- Output Bounds:
- out1: [0x0 ~> 0x3ffffff]
- out2: [0x0 ~> 0x1]
- */
-/*inline*/
+// addcarryxU26 is an addition with carry.
+//
+// Postconditions:
+// out1 = (arg1 + arg2 + arg3) mod 2^26
+// out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋
+//
+// Input Bounds:
+// arg1: [0x0 ~> 0x1]
+// arg2: [0x0 ~> 0x3ffffff]
+// arg3: [0x0 ~> 0x3ffffff]
+// Output Bounds:
+// out1: [0x0 ~> 0x3ffffff]
+// out2: [0x0 ~> 0x1]
 func addcarryxU26(out1 *uint32, out2 *uint1, arg1 uint1, arg2 uint32, arg3 uint32) {
- var x1 uint32 = ((uint32(arg1) + arg2) + arg3)
- var x2 uint32 = (x1 & 0x3ffffff)
- var x3 uint1 = uint1((x1 >> 26))
- *out1 = x2
- *out2 = x3
+ x1 := ((uint32(arg1) + arg2) + arg3)
+ x2 := (x1 & 0x3ffffff)
+ x3 := uint1((x1 >> 26))
+ *out1 = x2
+ *out2 = x3
 }
-/*
- The function subborrowxU26 is a subtraction with borrow.
- Postconditions:
- out1 = (-arg1 + arg2 + -arg3) mod 2^26
- out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋
-
- Input Bounds:
- arg1: [0x0 ~> 0x1]
- arg2: [0x0 ~> 0x3ffffff]
- arg3: [0x0 ~> 0x3ffffff]
- Output Bounds:
- out1: [0x0 ~> 0x3ffffff]
- out2: [0x0 ~> 0x1]
- */
-/*inline*/
+// subborrowxU26 is a subtraction with borrow.
+//
+// Postconditions:
+// out1 = (-arg1 + arg2 + -arg3) mod 2^26
+// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋
+//
+// Input Bounds:
+// arg1: [0x0 ~> 0x1]
+// arg2: [0x0 ~> 0x3ffffff]
+// arg3: [0x0 ~> 0x3ffffff]
+// Output Bounds:
+// out1: [0x0 ~> 0x3ffffff]
+// out2: [0x0 ~> 0x1]
 func subborrowxU26(out1 *uint32, out2 *uint1, arg1 uint1, arg2 uint32, arg3 uint32) {
- var x1 int32 = ((int32(arg2) - int32(arg1)) - int32(arg3))
- var x2 int1 = int1((x1 >> 26))
- var x3 uint32 = (uint32(x1) & 0x3ffffff)
- *out1 = x3
- *out2 = (0x0 - uint1(x2))
+ x1 := ((int32(arg2) - int32(arg1)) - int32(arg3))
+ x2 := int1((x1 >> 26))
+ x3 := (uint32(x1) & 0x3ffffff)
+ *out1 = x3
+ *out2 = (0x0 - uint1(x2))
 }
-/*
- The function addcarryxU25 is an addition with carry.
- Postconditions:
- out1 = (arg1 + arg2 + arg3) mod 2^25
- out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋
-
- Input Bounds:
- arg1: [0x0 ~> 0x1]
- arg2: [0x0 ~> 0x1ffffff]
- arg3: [0x0 ~> 0x1ffffff]
- Output Bounds:
- out1: [0x0 ~> 0x1ffffff]
- out2: [0x0 ~> 0x1]
- */
-/*inline*/
+// addcarryxU25 is an addition with carry.
+//
+// Postconditions:
+// out1 = (arg1 + arg2 + arg3) mod 2^25
+// out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋
+//
+// Input Bounds:
+// arg1: [0x0 ~> 0x1]
+// arg2: [0x0 ~> 0x1ffffff]
+// arg3: [0x0 ~> 0x1ffffff]
+// Output Bounds:
+// out1: [0x0 ~> 0x1ffffff]
+// out2: [0x0 ~> 0x1]
 func addcarryxU25(out1 *uint32, out2 *uint1, arg1 uint1, arg2 uint32, arg3 uint32) {
- var x1 uint32 = ((uint32(arg1) + arg2) + arg3)
- var x2 uint32 = (x1 & 0x1ffffff)
- var x3 uint1 = uint1((x1 >> 25))
- *out1 = x2
- *out2 = x3
+ x1 := ((uint32(arg1) + arg2) + arg3)
+ x2 := (x1 & 0x1ffffff)
+ x3 := uint1((x1 >> 25))
+ *out1 = x2
+ *out2 = x3
 }
-/*
- The function subborrowxU25 is a subtraction with borrow.
- Postconditions:
- out1 = (-arg1 + arg2 + -arg3) mod 2^25
- out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋
-
- Input Bounds:
- arg1: [0x0 ~> 0x1]
- arg2: [0x0 ~> 0x1ffffff]
- arg3: [0x0 ~> 0x1ffffff]
- Output Bounds:
- out1: [0x0 ~> 0x1ffffff]
- out2: [0x0 ~> 0x1]
- */
-/*inline*/
+// subborrowxU25 is a subtraction with borrow.
+//
+// Postconditions:
+// out1 = (-arg1 + arg2 + -arg3) mod 2^25
+// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋
+//
+// Input Bounds:
+// arg1: [0x0 ~> 0x1]
+// arg2: [0x0 ~> 0x1ffffff]
+// arg3: [0x0 ~> 0x1ffffff]
+// Output Bounds:
+// out1: [0x0 ~> 0x1ffffff]
+// out2: [0x0 ~> 0x1]
 func subborrowxU25(out1 *uint32, out2 *uint1, arg1 uint1, arg2 uint32, arg3 uint32) {
- var x1 int32 = ((int32(arg2) - int32(arg1)) - int32(arg3))
- var x2 int1 = int1((x1 >> 25))
- var x3 uint32 = (uint32(x1) & 0x1ffffff)
- *out1 = x3
- *out2 = (0x0 - uint1(x2))
+ x1 := ((int32(arg2) - int32(arg1)) - int32(arg3))
+ x2 := int1((x1 >> 25))
+ x3 := (uint32(x1) & 0x1ffffff)
+ *out1 = x3
+ *out2 = (0x0 - uint1(x2))
 }
-/*
- The function cmovznzU32 is a single-word conditional move.
- Postconditions:
- out1 = (if arg1 = 0 then arg2 else arg3)
-
- Input Bounds:
- arg1: [0x0 ~> 0x1]
- arg2: [0x0 ~> 0xffffffff]
- arg3: [0x0 ~> 0xffffffff]
- Output Bounds:
- out1: [0x0 ~> 0xffffffff]
- */
-/*inline*/
+// cmovznzU32 is a single-word conditional move.
+//
+// Postconditions:
+// out1 = (if arg1 = 0 then arg2 else arg3)
+//
+// Input Bounds:
+// arg1: [0x0 ~> 0x1]
+// arg2: [0x0 ~> 0xffffffff]
+// arg3: [0x0 ~> 0xffffffff]
+// Output Bounds:
+// out1: [0x0 ~> 0xffffffff]
 func cmovznzU32(out1 *uint32, arg1 uint1, arg2 uint32, arg3 uint32) {
- var x1 uint32 = (uint32(arg1) * 0xffffffff)
- var x2 uint32 = ((x1 & arg3) | ((^x1) & arg2))
- *out1 = x2
+ x1 := (uint32(arg1) * 0xffffffff)
+ x2 := ((x1 & arg3) | ((^x1) & arg2))
+ *out1 = x2
 }
-/*
- The function CarryMul multiplies two field elements and reduces the result.
- Postconditions:
- eval out1 mod m = (eval arg1 * eval arg2) mod m
-
- Input Bounds:
- arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]]
- arg2: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]]
- Output Bounds:
- out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]]
- */
-/*inline*/
+// CarryMul multiplies two field elements and reduces the result.
+//
+// Postconditions:
+// eval out1 mod m = (eval arg1 * eval arg2) mod m
+//
+// Input Bounds:
+// arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]]
+// arg2: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]]
+// Output Bounds:
+// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]]
 func CarryMul(out1 *[10]uint32, arg1 *[10]uint32, arg2 *[10]uint32) {
- var x1 uint64 = (uint64((arg1[9])) * uint64(((arg2[9]) * 0x26)))
- var x2 uint64 = (uint64((arg1[9])) * uint64(((arg2[8]) * 0x13)))
- var x3 uint64 = (uint64((arg1[9])) * uint64(((arg2[7]) * 0x26)))
- var x4 uint64 = (uint64((arg1[9])) * uint64(((arg2[6]) * 0x13)))
- var x5 uint64 = (uint64((arg1[9])) * uint64(((arg2[5]) * 0x26)))
- var x6 uint64 = (uint64((arg1[9])) * uint64(((arg2[4]) * 0x13)))
- var x7 uint64 = (uint64((arg1[9])) * uint64(((arg2[3]) * 0x26)))
- var x8 uint64 = (uint64((arg1[9])) * uint64(((arg2[2]) * 0x13)))
- var x9 uint64 = (uint64((arg1[9])) * uint64(((arg2[1]) * 0x26)))
- var x10 uint64 = (uint64((arg1[8])) * uint64(((arg2[9]) * 0x13)))
- var x11 uint64 = (uint64((arg1[8])) * uint64(((arg2[8]) * 0x13)))
- var x12 uint64 = (uint64((arg1[8])) * uint64(((arg2[7]) * 0x13)))
- var x13 uint64 = (uint64((arg1[8])) * uint64(((arg2[6]) * 0x13)))
- var x14 uint64 = (uint64((arg1[8])) * uint64(((arg2[5]) * 0x13)))
- var x15 uint64 = (uint64((arg1[8])) * uint64(((arg2[4]) * 0x13)))
- var x16 uint64 = (uint64((arg1[8])) * uint64(((arg2[3]) * 0x13)))
- var x17 uint64 = (uint64((arg1[8])) * uint64(((arg2[2]) * 0x13)))
- var x18 uint64 = (uint64((arg1[7])) * uint64(((arg2[9]) * 0x26)))
- var x19 uint64 = (uint64((arg1[7])) * uint64(((arg2[8]) * 0x13)))
- var x20 uint64 = (uint64((arg1[7])) * uint64(((arg2[7]) * 0x26)))
- var x21 uint64 = (uint64((arg1[7])) * uint64(((arg2[6]) * 0x13)))
- var x22 uint64 = (uint64((arg1[7])) * uint64(((arg2[5]) * 0x26)))
- var x23 uint64 = (uint64((arg1[7])) * uint64(((arg2[4]) * 0x13)))
- var x24 uint64 = (uint64((arg1[7])) * uint64(((arg2[3]) * 0x26)))
- var x25 uint64 = (uint64((arg1[6])) * uint64(((arg2[9]) * 0x13)))
- var x26 uint64 = (uint64((arg1[6])) * uint64(((arg2[8]) * 0x13)))
- var x27 uint64 = (uint64((arg1[6])) * uint64(((arg2[7]) * 0x13)))
- var x28 uint64 = (uint64((arg1[6])) * uint64(((arg2[6]) * 0x13)))
- var x29 uint64 = (uint64((arg1[6])) * uint64(((arg2[5]) * 0x13)))
- var x30 uint64 = (uint64((arg1[6])) * uint64(((arg2[4]) * 0x13)))
- var x31 uint64 = (uint64((arg1[5])) * uint64(((arg2[9]) * 0x26)))
- var x32 uint64 = (uint64((arg1[5])) * uint64(((arg2[8]) * 0x13)))
- var x33 uint64 = (uint64((arg1[5])) * uint64(((arg2[7]) * 0x26)))
- var x34 uint64 = (uint64((arg1[5])) * uint64(((arg2[6]) * 0x13)))
- var x35 uint64 = (uint64((arg1[5])) * uint64(((arg2[5]) * 0x26)))
- var x36 uint64 = (uint64((arg1[4])) * uint64(((arg2[9]) * 0x13)))
- var x37 uint64 = (uint64((arg1[4])) * uint64(((arg2[8]) * 0x13)))
- var x38 uint64 = (uint64((arg1[4])) * uint64(((arg2[7]) * 0x13)))
- var x39 uint64 = (uint64((arg1[4])) * uint64(((arg2[6]) * 0x13)))
- var x40 uint64 = (uint64((arg1[3])) * uint64(((arg2[9]) * 0x26)))
- var x41 uint64 = (uint64((arg1[3])) * uint64(((arg2[8]) * 0x13)))
- var x42 uint64 = (uint64((arg1[3])) * uint64(((arg2[7]) * 0x26)))
- var x43 uint64 = (uint64((arg1[2])) * uint64(((arg2[9]) * 0x13)))
- var x44 uint64 = (uint64((arg1[2])) * uint64(((arg2[8]) * 0x13)))
- var x45 uint64 = (uint64((arg1[1])) * uint64(((arg2[9]) * 0x26)))
- var x46 uint64 = (uint64((arg1[9])) * uint64((arg2[0])))
- var x47 uint64 = (uint64((arg1[8])) * uint64((arg2[1])))
- var x48 uint64 = (uint64((arg1[8])) * uint64((arg2[0])))
- var x49 uint64 = (uint64((arg1[7])) * uint64((arg2[2])))
- var x50 uint64 = (uint64((arg1[7])) * uint64(((arg2[1]) * 0x2)))
- var x51 uint64 = (uint64((arg1[7])) * uint64((arg2[0])))
- var x52 uint64 = (uint64((arg1[6])) * uint64((arg2[3])))
- var x53 uint64 = (uint64((arg1[6])) * uint64((arg2[2])))
- var x54 uint64 = (uint64((arg1[6])) * uint64((arg2[1])))
- var x55 uint64 = (uint64((arg1[6])) * uint64((arg2[0])))
- var x56 uint64 = (uint64((arg1[5])) * uint64((arg2[4])))
- var x57 uint64 = (uint64((arg1[5])) * uint64(((arg2[3]) * 0x2)))
- var x58 uint64 = (uint64((arg1[5])) * uint64((arg2[2])))
- var x59 uint64 = (uint64((arg1[5])) * uint64(((arg2[1]) * 0x2)))
- var x60 uint64 = (uint64((arg1[5])) * uint64((arg2[0])))
- var x61 uint64 = (uint64((arg1[4])) * uint64((arg2[5])))
- var x62 uint64 = (uint64((arg1[4])) * uint64((arg2[4])))
- var x63 uint64 = (uint64((arg1[4])) * uint64((arg2[3])))
- var x64 uint64 = (uint64((arg1[4])) * uint64((arg2[2])))
- var x65 uint64 = (uint64((arg1[4])) * uint64((arg2[1])))
- var x66 uint64 = (uint64((arg1[4])) * uint64((arg2[0])))
- var x67 uint64 = (uint64((arg1[3])) * uint64((arg2[6])))
- var x68 uint64 = (uint64((arg1[3])) * uint64(((arg2[5]) * 0x2)))
- var x69 uint64 = (uint64((arg1[3])) * uint64((arg2[4])))
- var x70 uint64 = (uint64((arg1[3])) * uint64(((arg2[3]) * 0x2)))
- var x71 uint64 = (uint64((arg1[3])) * uint64((arg2[2])))
- var x72 uint64 = (uint64((arg1[3])) * uint64(((arg2[1]) * 0x2)))
- var x73 uint64 = (uint64((arg1[3])) * uint64((arg2[0])))
- var x74 uint64 = (uint64((arg1[2])) * uint64((arg2[7])))
- var x75 uint64 = (uint64((arg1[2])) * uint64((arg2[6])))
- var x76 uint64 = (uint64((arg1[2])) * uint64((arg2[5])))
- var x77 uint64 = (uint64((arg1[2])) * uint64((arg2[4])))
- var x78 uint64 = (uint64((arg1[2])) * uint64((arg2[3])))
- var x79 uint64 = (uint64((arg1[2])) * uint64((arg2[2])))
- var x80 uint64 = (uint64((arg1[2])) * uint64((arg2[1])))
- var x81 uint64 = (uint64((arg1[2])) * uint64((arg2[0])))
- var x82 uint64 = (uint64((arg1[1])) * uint64((arg2[8])))
- var x83 uint64 = (uint64((arg1[1])) * uint64(((arg2[7]) * 0x2)))
- var x84 uint64 = (uint64((arg1[1])) * uint64((arg2[6])))
- var x85 uint64 = (uint64((arg1[1])) * uint64(((arg2[5]) * 0x2)))
- var x86 uint64 = (uint64((arg1[1])) * uint64((arg2[4])))
- var x87 uint64 = (uint64((arg1[1])) * uint64(((arg2[3]) * 0x2)))
- var x88 uint64 = (uint64((arg1[1])) * uint64((arg2[2])))
- var x89 uint64 = (uint64((arg1[1])) * uint64(((arg2[1]) * 0x2)))
- var x90 uint64 = (uint64((arg1[1])) * uint64((arg2[0])))
- var x91 uint64 = (uint64((arg1[0])) * uint64((arg2[9])))
- var x92 uint64 = (uint64((arg1[0])) * uint64((arg2[8])))
- var x93 uint64 = (uint64((arg1[0])) * uint64((arg2[7])))
- var x94 uint64 = (uint64((arg1[0])) * uint64((arg2[6])))
- var x95 uint64 = (uint64((arg1[0])) * uint64((arg2[5])))
- var x96 uint64 = (uint64((arg1[0])) * uint64((arg2[4])))
- var x97 uint64 = (uint64((arg1[0])) * uint64((arg2[3])))
- var x98 uint64 = (uint64((arg1[0])) * uint64((arg2[2])))
- var x99 uint64 = (uint64((arg1[0])) * uint64((arg2[1])))
- var x100 uint64 = (uint64((arg1[0])) * uint64((arg2[0])))
- var x101 uint64 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9)))))))))
- var x102 uint64 = (x101 >> 26)
- var x103 uint32 = (uint32(x101) & 0x3ffffff)
- var x104 uint64 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46)))))))))
- var x105 uint64 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1)))))))))
- var x106 uint64 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2)))))))))
- var x107 uint64 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3)))))))))
- var x108 uint64 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4)))))))))
- var x109 uint64 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5)))))))))
- var x110 uint64 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6)))))))))
- var x111 uint64 = (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7)))))))))
- var x112 uint64 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8)))))))))
- var x113 uint64 = (x102 + x112)
- var x114 uint64 = (x113 >> 25)
- var x115 uint32 = (uint32(x113) & 0x1ffffff)
- var x116 uint64 = (x114 + x111)
- var x117 uint64 = (x116 >> 26)
- var x118 uint32 = (uint32(x116) & 0x3ffffff)
- var x119 uint64 = (x117 + x110)
- var x120 uint64 = (x119 >> 25)
- var x121 uint32 = (uint32(x119) & 0x1ffffff)
- var x122 uint64 = (x120 + x109)
- var x123 uint64 = (x122 >> 26)
- var x124 uint32 = (uint32(x122) & 0x3ffffff)
- var x125 uint64 = (x123 + x108)
- var x126 uint64 = (x125 >> 25)
- var x127 uint32 = (uint32(x125) & 0x1ffffff)
- var x128 uint64 = (x126 + x107)
- var x129 uint64 = (x128 >> 26)
- var x130 uint32 = (uint32(x128) & 0x3ffffff)
- var x131 uint64 = (x129 + x106)
- var x132 uint64 = (x131 >> 25)
- var x133 uint32 = (uint32(x131) & 0x1ffffff)
- var x134 uint64 = (x132 + x105)
- var x135 uint64 = (x134 >> 26)
- var x136 uint32 = (uint32(x134) & 0x3ffffff)
- var
x137 uint64 = (x135 + x104) - var x138 uint64 = (x137 >> 25) - var x139 uint32 = (uint32(x137) & 0x1ffffff) - var x140 uint64 = (x138 * uint64(0x13)) - var x141 uint64 = (uint64(x103) + x140) - var x142 uint32 = uint32((x141 >> 26)) - var x143 uint32 = (uint32(x141) & 0x3ffffff) - var x144 uint32 = (x142 + x115) - var x145 uint1 = uint1((x144 >> 25)) - var x146 uint32 = (x144 & 0x1ffffff) - var x147 uint32 = (uint32(x145) + x118) - out1[0] = x143 - out1[1] = x146 - out1[2] = x147 - out1[3] = x121 - out1[4] = x124 - out1[5] = x127 - out1[6] = x130 - out1[7] = x133 - out1[8] = x136 - out1[9] = x139 + x1 := (uint64(arg1[9]) * uint64((arg2[9] * 0x26))) + x2 := (uint64(arg1[9]) * uint64((arg2[8] * 0x13))) + x3 := (uint64(arg1[9]) * uint64((arg2[7] * 0x26))) + x4 := (uint64(arg1[9]) * uint64((arg2[6] * 0x13))) + x5 := (uint64(arg1[9]) * uint64((arg2[5] * 0x26))) + x6 := (uint64(arg1[9]) * uint64((arg2[4] * 0x13))) + x7 := (uint64(arg1[9]) * uint64((arg2[3] * 0x26))) + x8 := (uint64(arg1[9]) * uint64((arg2[2] * 0x13))) + x9 := (uint64(arg1[9]) * uint64((arg2[1] * 0x26))) + x10 := (uint64(arg1[8]) * uint64((arg2[9] * 0x13))) + x11 := (uint64(arg1[8]) * uint64((arg2[8] * 0x13))) + x12 := (uint64(arg1[8]) * uint64((arg2[7] * 0x13))) + x13 := (uint64(arg1[8]) * uint64((arg2[6] * 0x13))) + x14 := (uint64(arg1[8]) * uint64((arg2[5] * 0x13))) + x15 := (uint64(arg1[8]) * uint64((arg2[4] * 0x13))) + x16 := (uint64(arg1[8]) * uint64((arg2[3] * 0x13))) + x17 := (uint64(arg1[8]) * uint64((arg2[2] * 0x13))) + x18 := (uint64(arg1[7]) * uint64((arg2[9] * 0x26))) + x19 := (uint64(arg1[7]) * uint64((arg2[8] * 0x13))) + x20 := (uint64(arg1[7]) * uint64((arg2[7] * 0x26))) + x21 := (uint64(arg1[7]) * uint64((arg2[6] * 0x13))) + x22 := (uint64(arg1[7]) * uint64((arg2[5] * 0x26))) + x23 := (uint64(arg1[7]) * uint64((arg2[4] * 0x13))) + x24 := (uint64(arg1[7]) * uint64((arg2[3] * 0x26))) + x25 := (uint64(arg1[6]) * uint64((arg2[9] * 0x13))) + x26 := (uint64(arg1[6]) * uint64((arg2[8] * 0x13))) 
+ x27 := (uint64(arg1[6]) * uint64((arg2[7] * 0x13))) + x28 := (uint64(arg1[6]) * uint64((arg2[6] * 0x13))) + x29 := (uint64(arg1[6]) * uint64((arg2[5] * 0x13))) + x30 := (uint64(arg1[6]) * uint64((arg2[4] * 0x13))) + x31 := (uint64(arg1[5]) * uint64((arg2[9] * 0x26))) + x32 := (uint64(arg1[5]) * uint64((arg2[8] * 0x13))) + x33 := (uint64(arg1[5]) * uint64((arg2[7] * 0x26))) + x34 := (uint64(arg1[5]) * uint64((arg2[6] * 0x13))) + x35 := (uint64(arg1[5]) * uint64((arg2[5] * 0x26))) + x36 := (uint64(arg1[4]) * uint64((arg2[9] * 0x13))) + x37 := (uint64(arg1[4]) * uint64((arg2[8] * 0x13))) + x38 := (uint64(arg1[4]) * uint64((arg2[7] * 0x13))) + x39 := (uint64(arg1[4]) * uint64((arg2[6] * 0x13))) + x40 := (uint64(arg1[3]) * uint64((arg2[9] * 0x26))) + x41 := (uint64(arg1[3]) * uint64((arg2[8] * 0x13))) + x42 := (uint64(arg1[3]) * uint64((arg2[7] * 0x26))) + x43 := (uint64(arg1[2]) * uint64((arg2[9] * 0x13))) + x44 := (uint64(arg1[2]) * uint64((arg2[8] * 0x13))) + x45 := (uint64(arg1[1]) * uint64((arg2[9] * 0x26))) + x46 := (uint64(arg1[9]) * uint64(arg2[0])) + x47 := (uint64(arg1[8]) * uint64(arg2[1])) + x48 := (uint64(arg1[8]) * uint64(arg2[0])) + x49 := (uint64(arg1[7]) * uint64(arg2[2])) + x50 := (uint64(arg1[7]) * uint64((arg2[1] * 0x2))) + x51 := (uint64(arg1[7]) * uint64(arg2[0])) + x52 := (uint64(arg1[6]) * uint64(arg2[3])) + x53 := (uint64(arg1[6]) * uint64(arg2[2])) + x54 := (uint64(arg1[6]) * uint64(arg2[1])) + x55 := (uint64(arg1[6]) * uint64(arg2[0])) + x56 := (uint64(arg1[5]) * uint64(arg2[4])) + x57 := (uint64(arg1[5]) * uint64((arg2[3] * 0x2))) + x58 := (uint64(arg1[5]) * uint64(arg2[2])) + x59 := (uint64(arg1[5]) * uint64((arg2[1] * 0x2))) + x60 := (uint64(arg1[5]) * uint64(arg2[0])) + x61 := (uint64(arg1[4]) * uint64(arg2[5])) + x62 := (uint64(arg1[4]) * uint64(arg2[4])) + x63 := (uint64(arg1[4]) * uint64(arg2[3])) + x64 := (uint64(arg1[4]) * uint64(arg2[2])) + x65 := (uint64(arg1[4]) * uint64(arg2[1])) + x66 := (uint64(arg1[4]) * uint64(arg2[0])) + 
x67 := (uint64(arg1[3]) * uint64(arg2[6])) + x68 := (uint64(arg1[3]) * uint64((arg2[5] * 0x2))) + x69 := (uint64(arg1[3]) * uint64(arg2[4])) + x70 := (uint64(arg1[3]) * uint64((arg2[3] * 0x2))) + x71 := (uint64(arg1[3]) * uint64(arg2[2])) + x72 := (uint64(arg1[3]) * uint64((arg2[1] * 0x2))) + x73 := (uint64(arg1[3]) * uint64(arg2[0])) + x74 := (uint64(arg1[2]) * uint64(arg2[7])) + x75 := (uint64(arg1[2]) * uint64(arg2[6])) + x76 := (uint64(arg1[2]) * uint64(arg2[5])) + x77 := (uint64(arg1[2]) * uint64(arg2[4])) + x78 := (uint64(arg1[2]) * uint64(arg2[3])) + x79 := (uint64(arg1[2]) * uint64(arg2[2])) + x80 := (uint64(arg1[2]) * uint64(arg2[1])) + x81 := (uint64(arg1[2]) * uint64(arg2[0])) + x82 := (uint64(arg1[1]) * uint64(arg2[8])) + x83 := (uint64(arg1[1]) * uint64((arg2[7] * 0x2))) + x84 := (uint64(arg1[1]) * uint64(arg2[6])) + x85 := (uint64(arg1[1]) * uint64((arg2[5] * 0x2))) + x86 := (uint64(arg1[1]) * uint64(arg2[4])) + x87 := (uint64(arg1[1]) * uint64((arg2[3] * 0x2))) + x88 := (uint64(arg1[1]) * uint64(arg2[2])) + x89 := (uint64(arg1[1]) * uint64((arg2[1] * 0x2))) + x90 := (uint64(arg1[1]) * uint64(arg2[0])) + x91 := (uint64(arg1[0]) * uint64(arg2[9])) + x92 := (uint64(arg1[0]) * uint64(arg2[8])) + x93 := (uint64(arg1[0]) * uint64(arg2[7])) + x94 := (uint64(arg1[0]) * uint64(arg2[6])) + x95 := (uint64(arg1[0]) * uint64(arg2[5])) + x96 := (uint64(arg1[0]) * uint64(arg2[4])) + x97 := (uint64(arg1[0]) * uint64(arg2[3])) + x98 := (uint64(arg1[0]) * uint64(arg2[2])) + x99 := (uint64(arg1[0]) * uint64(arg2[1])) + x100 := (uint64(arg1[0]) * uint64(arg2[0])) + x101 := (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9))))))))) + x102 := (x101 >> 26) + x103 := (uint32(x101) & 0x3ffffff) + x104 := (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46))))))))) + x105 := (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1))))))))) + x106 := (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2))))))))) + x107 := 
(x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3))))))))) + x108 := (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4))))))))) + x109 := (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5))))))))) + x110 := (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6))))))))) + x111 := (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7))))))))) + x112 := (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8))))))))) + x113 := (x102 + x112) + x114 := (x113 >> 25) + x115 := (uint32(x113) & 0x1ffffff) + x116 := (x114 + x111) + x117 := (x116 >> 26) + x118 := (uint32(x116) & 0x3ffffff) + x119 := (x117 + x110) + x120 := (x119 >> 25) + x121 := (uint32(x119) & 0x1ffffff) + x122 := (x120 + x109) + x123 := (x122 >> 26) + x124 := (uint32(x122) & 0x3ffffff) + x125 := (x123 + x108) + x126 := (x125 >> 25) + x127 := (uint32(x125) & 0x1ffffff) + x128 := (x126 + x107) + x129 := (x128 >> 26) + x130 := (uint32(x128) & 0x3ffffff) + x131 := (x129 + x106) + x132 := (x131 >> 25) + x133 := (uint32(x131) & 0x1ffffff) + x134 := (x132 + x105) + x135 := (x134 >> 26) + x136 := (uint32(x134) & 0x3ffffff) + x137 := (x135 + x104) + x138 := (x137 >> 25) + x139 := (uint32(x137) & 0x1ffffff) + x140 := (x138 * uint64(0x13)) + x141 := (uint64(x103) + x140) + x142 := uint32((x141 >> 26)) + x143 := (uint32(x141) & 0x3ffffff) + x144 := (x142 + x115) + x145 := uint1((x144 >> 25)) + x146 := (x144 & 0x1ffffff) + x147 := (uint32(x145) + x118) + out1[0] = x143 + out1[1] = x146 + out1[2] = x147 + out1[3] = x121 + out1[4] = x124 + out1[5] = x127 + out1[6] = x130 + out1[7] = x133 + out1[8] = x136 + out1[9] = x139 } -/* - The function CarrySquare squares a field element and reduces the result. 
- Postconditions: - eval out1 mod m = (eval arg1 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - */ -/*inline*/ +// CarrySquare squares a field element and reduces the result. +// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] func CarrySquare(out1 *[10]uint32, arg1 *[10]uint32) { - var x1 uint32 = ((arg1[9]) * 0x13) - var x2 uint32 = (x1 * 0x2) - var x3 uint32 = ((arg1[9]) * 0x2) - var x4 uint32 = ((arg1[8]) * 0x13) - var x5 uint64 = (uint64(x4) * uint64(0x2)) - var x6 uint32 = ((arg1[8]) * 0x2) - var x7 uint32 = ((arg1[7]) * 0x13) - var x8 uint32 = (x7 * 0x2) - var x9 uint32 = ((arg1[7]) * 0x2) - var x10 uint32 = ((arg1[6]) * 0x13) - var x11 uint64 = (uint64(x10) * uint64(0x2)) - var x12 uint32 = ((arg1[6]) * 0x2) - var x13 uint32 = ((arg1[5]) * 0x13) - var x14 uint32 = ((arg1[5]) * 0x2) - var x15 uint32 = ((arg1[4]) * 0x2) - var x16 uint32 = ((arg1[3]) * 0x2) - var x17 uint32 = ((arg1[2]) * 0x2) - var x18 uint32 = ((arg1[1]) * 0x2) - var x19 uint64 = (uint64((arg1[9])) * uint64((x1 * 0x2))) - var x20 uint64 = (uint64((arg1[8])) * uint64(x2)) - var x21 uint64 = 
(uint64((arg1[8])) * uint64(x4)) - var x22 uint64 = (uint64((arg1[7])) * (uint64(x2) * uint64(0x2))) - var x23 uint64 = (uint64((arg1[7])) * x5) - var x24 uint64 = (uint64((arg1[7])) * uint64((x7 * 0x2))) - var x25 uint64 = (uint64((arg1[6])) * uint64(x2)) - var x26 uint64 = (uint64((arg1[6])) * x5) - var x27 uint64 = (uint64((arg1[6])) * uint64(x8)) - var x28 uint64 = (uint64((arg1[6])) * uint64(x10)) - var x29 uint64 = (uint64((arg1[5])) * (uint64(x2) * uint64(0x2))) - var x30 uint64 = (uint64((arg1[5])) * x5) - var x31 uint64 = (uint64((arg1[5])) * (uint64(x8) * uint64(0x2))) - var x32 uint64 = (uint64((arg1[5])) * x11) - var x33 uint64 = (uint64((arg1[5])) * uint64((x13 * 0x2))) - var x34 uint64 = (uint64((arg1[4])) * uint64(x2)) - var x35 uint64 = (uint64((arg1[4])) * x5) - var x36 uint64 = (uint64((arg1[4])) * uint64(x8)) - var x37 uint64 = (uint64((arg1[4])) * x11) - var x38 uint64 = (uint64((arg1[4])) * uint64(x14)) - var x39 uint64 = (uint64((arg1[4])) * uint64((arg1[4]))) - var x40 uint64 = (uint64((arg1[3])) * (uint64(x2) * uint64(0x2))) - var x41 uint64 = (uint64((arg1[3])) * x5) - var x42 uint64 = (uint64((arg1[3])) * (uint64(x8) * uint64(0x2))) - var x43 uint64 = (uint64((arg1[3])) * uint64(x12)) - var x44 uint64 = (uint64((arg1[3])) * uint64((x14 * 0x2))) - var x45 uint64 = (uint64((arg1[3])) * uint64(x15)) - var x46 uint64 = (uint64((arg1[3])) * uint64(((arg1[3]) * 0x2))) - var x47 uint64 = (uint64((arg1[2])) * uint64(x2)) - var x48 uint64 = (uint64((arg1[2])) * x5) - var x49 uint64 = (uint64((arg1[2])) * uint64(x9)) - var x50 uint64 = (uint64((arg1[2])) * uint64(x12)) - var x51 uint64 = (uint64((arg1[2])) * uint64(x14)) - var x52 uint64 = (uint64((arg1[2])) * uint64(x15)) - var x53 uint64 = (uint64((arg1[2])) * uint64(x16)) - var x54 uint64 = (uint64((arg1[2])) * uint64((arg1[2]))) - var x55 uint64 = (uint64((arg1[1])) * (uint64(x2) * uint64(0x2))) - var x56 uint64 = (uint64((arg1[1])) * uint64(x6)) - var x57 uint64 = (uint64((arg1[1])) * 
uint64((x9 * 0x2))) - var x58 uint64 = (uint64((arg1[1])) * uint64(x12)) - var x59 uint64 = (uint64((arg1[1])) * uint64((x14 * 0x2))) - var x60 uint64 = (uint64((arg1[1])) * uint64(x15)) - var x61 uint64 = (uint64((arg1[1])) * uint64((x16 * 0x2))) - var x62 uint64 = (uint64((arg1[1])) * uint64(x17)) - var x63 uint64 = (uint64((arg1[1])) * uint64(((arg1[1]) * 0x2))) - var x64 uint64 = (uint64((arg1[0])) * uint64(x3)) - var x65 uint64 = (uint64((arg1[0])) * uint64(x6)) - var x66 uint64 = (uint64((arg1[0])) * uint64(x9)) - var x67 uint64 = (uint64((arg1[0])) * uint64(x12)) - var x68 uint64 = (uint64((arg1[0])) * uint64(x14)) - var x69 uint64 = (uint64((arg1[0])) * uint64(x15)) - var x70 uint64 = (uint64((arg1[0])) * uint64(x16)) - var x71 uint64 = (uint64((arg1[0])) * uint64(x17)) - var x72 uint64 = (uint64((arg1[0])) * uint64(x18)) - var x73 uint64 = (uint64((arg1[0])) * uint64((arg1[0]))) - var x74 uint64 = (x73 + (x55 + (x48 + (x42 + (x37 + x33))))) - var x75 uint64 = (x74 >> 26) - var x76 uint32 = (uint32(x74) & 0x3ffffff) - var x77 uint64 = (x64 + (x56 + (x49 + (x43 + x38)))) - var x78 uint64 = (x65 + (x57 + (x50 + (x44 + (x39 + x19))))) - var x79 uint64 = (x66 + (x58 + (x51 + (x45 + x20)))) - var x80 uint64 = (x67 + (x59 + (x52 + (x46 + (x22 + x21))))) - var x81 uint64 = (x68 + (x60 + (x53 + (x25 + x23)))) - var x82 uint64 = (x69 + (x61 + (x54 + (x29 + (x26 + x24))))) - var x83 uint64 = (x70 + (x62 + (x34 + (x30 + x27)))) - var x84 uint64 = (x71 + (x63 + (x40 + (x35 + (x31 + x28))))) - var x85 uint64 = (x72 + (x47 + (x41 + (x36 + x32)))) - var x86 uint64 = (x75 + x85) - var x87 uint64 = (x86 >> 25) - var x88 uint32 = (uint32(x86) & 0x1ffffff) - var x89 uint64 = (x87 + x84) - var x90 uint64 = (x89 >> 26) - var x91 uint32 = (uint32(x89) & 0x3ffffff) - var x92 uint64 = (x90 + x83) - var x93 uint64 = (x92 >> 25) - var x94 uint32 = (uint32(x92) & 0x1ffffff) - var x95 uint64 = (x93 + x82) - var x96 uint64 = (x95 >> 26) - var x97 uint32 = (uint32(x95) & 0x3ffffff) - 
var x98 uint64 = (x96 + x81) - var x99 uint64 = (x98 >> 25) - var x100 uint32 = (uint32(x98) & 0x1ffffff) - var x101 uint64 = (x99 + x80) - var x102 uint64 = (x101 >> 26) - var x103 uint32 = (uint32(x101) & 0x3ffffff) - var x104 uint64 = (x102 + x79) - var x105 uint64 = (x104 >> 25) - var x106 uint32 = (uint32(x104) & 0x1ffffff) - var x107 uint64 = (x105 + x78) - var x108 uint64 = (x107 >> 26) - var x109 uint32 = (uint32(x107) & 0x3ffffff) - var x110 uint64 = (x108 + x77) - var x111 uint64 = (x110 >> 25) - var x112 uint32 = (uint32(x110) & 0x1ffffff) - var x113 uint64 = (x111 * uint64(0x13)) - var x114 uint64 = (uint64(x76) + x113) - var x115 uint32 = uint32((x114 >> 26)) - var x116 uint32 = (uint32(x114) & 0x3ffffff) - var x117 uint32 = (x115 + x88) - var x118 uint1 = uint1((x117 >> 25)) - var x119 uint32 = (x117 & 0x1ffffff) - var x120 uint32 = (uint32(x118) + x91) - out1[0] = x116 - out1[1] = x119 - out1[2] = x120 - out1[3] = x94 - out1[4] = x97 - out1[5] = x100 - out1[6] = x103 - out1[7] = x106 - out1[8] = x109 - out1[9] = x112 + x1 := (arg1[9] * 0x13) + x2 := (x1 * 0x2) + x3 := (arg1[9] * 0x2) + x4 := (arg1[8] * 0x13) + x5 := (uint64(x4) * uint64(0x2)) + x6 := (arg1[8] * 0x2) + x7 := (arg1[7] * 0x13) + x8 := (x7 * 0x2) + x9 := (arg1[7] * 0x2) + x10 := (arg1[6] * 0x13) + x11 := (uint64(x10) * uint64(0x2)) + x12 := (arg1[6] * 0x2) + x13 := (arg1[5] * 0x13) + x14 := (arg1[5] * 0x2) + x15 := (arg1[4] * 0x2) + x16 := (arg1[3] * 0x2) + x17 := (arg1[2] * 0x2) + x18 := (arg1[1] * 0x2) + x19 := (uint64(arg1[9]) * uint64((x1 * 0x2))) + x20 := (uint64(arg1[8]) * uint64(x2)) + x21 := (uint64(arg1[8]) * uint64(x4)) + x22 := (uint64(arg1[7]) * (uint64(x2) * uint64(0x2))) + x23 := (uint64(arg1[7]) * x5) + x24 := (uint64(arg1[7]) * uint64((x7 * 0x2))) + x25 := (uint64(arg1[6]) * uint64(x2)) + x26 := (uint64(arg1[6]) * x5) + x27 := (uint64(arg1[6]) * uint64(x8)) + x28 := (uint64(arg1[6]) * uint64(x10)) + x29 := (uint64(arg1[5]) * (uint64(x2) * uint64(0x2))) + x30 := 
(uint64(arg1[5]) * x5) + x31 := (uint64(arg1[5]) * (uint64(x8) * uint64(0x2))) + x32 := (uint64(arg1[5]) * x11) + x33 := (uint64(arg1[5]) * uint64((x13 * 0x2))) + x34 := (uint64(arg1[4]) * uint64(x2)) + x35 := (uint64(arg1[4]) * x5) + x36 := (uint64(arg1[4]) * uint64(x8)) + x37 := (uint64(arg1[4]) * x11) + x38 := (uint64(arg1[4]) * uint64(x14)) + x39 := (uint64(arg1[4]) * uint64(arg1[4])) + x40 := (uint64(arg1[3]) * (uint64(x2) * uint64(0x2))) + x41 := (uint64(arg1[3]) * x5) + x42 := (uint64(arg1[3]) * (uint64(x8) * uint64(0x2))) + x43 := (uint64(arg1[3]) * uint64(x12)) + x44 := (uint64(arg1[3]) * uint64((x14 * 0x2))) + x45 := (uint64(arg1[3]) * uint64(x15)) + x46 := (uint64(arg1[3]) * uint64((arg1[3] * 0x2))) + x47 := (uint64(arg1[2]) * uint64(x2)) + x48 := (uint64(arg1[2]) * x5) + x49 := (uint64(arg1[2]) * uint64(x9)) + x50 := (uint64(arg1[2]) * uint64(x12)) + x51 := (uint64(arg1[2]) * uint64(x14)) + x52 := (uint64(arg1[2]) * uint64(x15)) + x53 := (uint64(arg1[2]) * uint64(x16)) + x54 := (uint64(arg1[2]) * uint64(arg1[2])) + x55 := (uint64(arg1[1]) * (uint64(x2) * uint64(0x2))) + x56 := (uint64(arg1[1]) * uint64(x6)) + x57 := (uint64(arg1[1]) * uint64((x9 * 0x2))) + x58 := (uint64(arg1[1]) * uint64(x12)) + x59 := (uint64(arg1[1]) * uint64((x14 * 0x2))) + x60 := (uint64(arg1[1]) * uint64(x15)) + x61 := (uint64(arg1[1]) * uint64((x16 * 0x2))) + x62 := (uint64(arg1[1]) * uint64(x17)) + x63 := (uint64(arg1[1]) * uint64((arg1[1] * 0x2))) + x64 := (uint64(arg1[0]) * uint64(x3)) + x65 := (uint64(arg1[0]) * uint64(x6)) + x66 := (uint64(arg1[0]) * uint64(x9)) + x67 := (uint64(arg1[0]) * uint64(x12)) + x68 := (uint64(arg1[0]) * uint64(x14)) + x69 := (uint64(arg1[0]) * uint64(x15)) + x70 := (uint64(arg1[0]) * uint64(x16)) + x71 := (uint64(arg1[0]) * uint64(x17)) + x72 := (uint64(arg1[0]) * uint64(x18)) + x73 := (uint64(arg1[0]) * uint64(arg1[0])) + x74 := (x73 + (x55 + (x48 + (x42 + (x37 + x33))))) + x75 := (x74 >> 26) + x76 := (uint32(x74) & 0x3ffffff) + x77 := (x64 + (x56 
+ (x49 + (x43 + x38)))) + x78 := (x65 + (x57 + (x50 + (x44 + (x39 + x19))))) + x79 := (x66 + (x58 + (x51 + (x45 + x20)))) + x80 := (x67 + (x59 + (x52 + (x46 + (x22 + x21))))) + x81 := (x68 + (x60 + (x53 + (x25 + x23)))) + x82 := (x69 + (x61 + (x54 + (x29 + (x26 + x24))))) + x83 := (x70 + (x62 + (x34 + (x30 + x27)))) + x84 := (x71 + (x63 + (x40 + (x35 + (x31 + x28))))) + x85 := (x72 + (x47 + (x41 + (x36 + x32)))) + x86 := (x75 + x85) + x87 := (x86 >> 25) + x88 := (uint32(x86) & 0x1ffffff) + x89 := (x87 + x84) + x90 := (x89 >> 26) + x91 := (uint32(x89) & 0x3ffffff) + x92 := (x90 + x83) + x93 := (x92 >> 25) + x94 := (uint32(x92) & 0x1ffffff) + x95 := (x93 + x82) + x96 := (x95 >> 26) + x97 := (uint32(x95) & 0x3ffffff) + x98 := (x96 + x81) + x99 := (x98 >> 25) + x100 := (uint32(x98) & 0x1ffffff) + x101 := (x99 + x80) + x102 := (x101 >> 26) + x103 := (uint32(x101) & 0x3ffffff) + x104 := (x102 + x79) + x105 := (x104 >> 25) + x106 := (uint32(x104) & 0x1ffffff) + x107 := (x105 + x78) + x108 := (x107 >> 26) + x109 := (uint32(x107) & 0x3ffffff) + x110 := (x108 + x77) + x111 := (x110 >> 25) + x112 := (uint32(x110) & 0x1ffffff) + x113 := (x111 * uint64(0x13)) + x114 := (uint64(x76) + x113) + x115 := uint32((x114 >> 26)) + x116 := (uint32(x114) & 0x3ffffff) + x117 := (x115 + x88) + x118 := uint1((x117 >> 25)) + x119 := (x117 & 0x1ffffff) + x120 := (uint32(x118) + x91) + out1[0] = x116 + out1[1] = x119 + out1[2] = x120 + out1[3] = x94 + out1[4] = x97 + out1[5] = x100 + out1[6] = x103 + out1[7] = x106 + out1[8] = x109 + out1[9] = x112 } -/* - The function Carry reduces a field element. 
- Postconditions: - eval out1 mod m = eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - */ -/*inline*/ +// Carry reduces a field element. +// +// Postconditions: +// eval out1 mod m = eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] func Carry(out1 *[10]uint32, arg1 *[10]uint32) { - var x1 uint32 = (arg1[0]) - var x2 uint32 = ((x1 >> 26) + (arg1[1])) - var x3 uint32 = ((x2 >> 25) + (arg1[2])) - var x4 uint32 = ((x3 >> 26) + (arg1[3])) - var x5 uint32 = ((x4 >> 25) + (arg1[4])) - var x6 uint32 = ((x5 >> 26) + (arg1[5])) - var x7 uint32 = ((x6 >> 25) + (arg1[6])) - var x8 uint32 = ((x7 >> 26) + (arg1[7])) - var x9 uint32 = ((x8 >> 25) + (arg1[8])) - var x10 uint32 = ((x9 >> 26) + (arg1[9])) - var x11 uint32 = ((x1 & 0x3ffffff) + ((x10 >> 25) * 0x13)) - var x12 uint32 = (uint32(uint1((x11 >> 26))) + (x2 & 0x1ffffff)) - var x13 uint32 = (x11 & 0x3ffffff) - var x14 uint32 = (x12 & 0x1ffffff) - var x15 uint32 = (uint32(uint1((x12 >> 25))) + (x3 & 0x3ffffff)) - var x16 uint32 = (x4 & 0x1ffffff) - var x17 uint32 = (x5 & 0x3ffffff) - var x18 uint32 = (x6 & 0x1ffffff) - var x19 uint32 = (x7 & 0x3ffffff) - var x20 uint32 = (x8 & 0x1ffffff) - 
var x21 uint32 = (x9 & 0x3ffffff) - var x22 uint32 = (x10 & 0x1ffffff) - out1[0] = x13 - out1[1] = x14 - out1[2] = x15 - out1[3] = x16 - out1[4] = x17 - out1[5] = x18 - out1[6] = x19 - out1[7] = x20 - out1[8] = x21 - out1[9] = x22 + x1 := arg1[0] + x2 := ((x1 >> 26) + arg1[1]) + x3 := ((x2 >> 25) + arg1[2]) + x4 := ((x3 >> 26) + arg1[3]) + x5 := ((x4 >> 25) + arg1[4]) + x6 := ((x5 >> 26) + arg1[5]) + x7 := ((x6 >> 25) + arg1[6]) + x8 := ((x7 >> 26) + arg1[7]) + x9 := ((x8 >> 25) + arg1[8]) + x10 := ((x9 >> 26) + arg1[9]) + x11 := ((x1 & 0x3ffffff) + ((x10 >> 25) * 0x13)) + x12 := (uint32(uint1((x11 >> 26))) + (x2 & 0x1ffffff)) + x13 := (x11 & 0x3ffffff) + x14 := (x12 & 0x1ffffff) + x15 := (uint32(uint1((x12 >> 25))) + (x3 & 0x3ffffff)) + x16 := (x4 & 0x1ffffff) + x17 := (x5 & 0x3ffffff) + x18 := (x6 & 0x1ffffff) + x19 := (x7 & 0x3ffffff) + x20 := (x8 & 0x1ffffff) + x21 := (x9 & 0x3ffffff) + x22 := (x10 & 0x1ffffff) + out1[0] = x13 + out1[1] = x14 + out1[2] = x15 + out1[3] = x16 + out1[4] = x17 + out1[5] = x18 + out1[6] = x19 + out1[7] = x20 + out1[8] = x21 + out1[9] = x22 } -/* - The function Add adds two field elements. - Postconditions: - eval out1 mod m = (eval arg1 + eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - Output Bounds: - out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] - */ -/*inline*/ +// Add adds two field elements. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 + eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] +// arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] func Add(out1 *[10]uint32, arg1 *[10]uint32, arg2 *[10]uint32) { - var x1 uint32 = ((arg1[0]) + (arg2[0])) - var x2 uint32 = ((arg1[1]) + (arg2[1])) - var x3 uint32 = ((arg1[2]) + (arg2[2])) - var x4 uint32 = ((arg1[3]) + (arg2[3])) - var x5 uint32 = ((arg1[4]) + (arg2[4])) - var x6 uint32 = ((arg1[5]) + (arg2[5])) - var x7 uint32 = ((arg1[6]) + (arg2[6])) - var x8 uint32 = ((arg1[7]) + (arg2[7])) - var x9 uint32 = ((arg1[8]) + (arg2[8])) - var x10 uint32 = ((arg1[9]) + (arg2[9])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 - out1[9] = x10 + x1 := (arg1[0] + arg2[0]) + x2 := (arg1[1] + arg2[1]) + x3 := (arg1[2] + arg2[2]) + x4 := (arg1[3] + arg2[3]) + x5 := (arg1[4] + arg2[4]) + x6 := (arg1[5] + arg2[5]) + x7 := (arg1[6] + arg2[6]) + x8 := (arg1[7] + arg2[7]) + x9 := (arg1[8] + arg2[8]) + x10 := (arg1[9] + arg2[9]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 + out1[9] = x10 } -/* - The function Sub subtracts two field elements. 
- Postconditions: - eval out1 mod m = (eval arg1 - eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - Output Bounds: - out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] - */ -/*inline*/ +// Sub subtracts two field elements. +// +// Postconditions: +// eval out1 mod m = (eval arg1 - eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] +// arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] func Sub(out1 *[10]uint32, arg1 *[10]uint32, arg2 *[10]uint32) { - var x1 uint32 = ((0x7ffffda + (arg1[0])) - (arg2[0])) - var x2 uint32 = ((0x3fffffe + (arg1[1])) - (arg2[1])) - var x3 uint32 = ((0x7fffffe + (arg1[2])) - (arg2[2])) - var x4 uint32 = ((0x3fffffe + (arg1[3])) - (arg2[3])) - var x5 uint32 = ((0x7fffffe + (arg1[4])) - (arg2[4])) - var x6 uint32 = ((0x3fffffe + (arg1[5])) - (arg2[5])) - var x7 uint32 = ((0x7fffffe + (arg1[6])) - (arg2[6])) - var 
x8 uint32 = ((0x3fffffe + (arg1[7])) - (arg2[7])) - var x9 uint32 = ((0x7fffffe + (arg1[8])) - (arg2[8])) - var x10 uint32 = ((0x3fffffe + (arg1[9])) - (arg2[9])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 - out1[9] = x10 + x1 := ((0x7ffffda + arg1[0]) - arg2[0]) + x2 := ((0x3fffffe + arg1[1]) - arg2[1]) + x3 := ((0x7fffffe + arg1[2]) - arg2[2]) + x4 := ((0x3fffffe + arg1[3]) - arg2[3]) + x5 := ((0x7fffffe + arg1[4]) - arg2[4]) + x6 := ((0x3fffffe + arg1[5]) - arg2[5]) + x7 := ((0x7fffffe + arg1[6]) - arg2[6]) + x8 := ((0x3fffffe + arg1[7]) - arg2[7]) + x9 := ((0x7fffffe + arg1[8]) - arg2[8]) + x10 := ((0x3fffffe + arg1[9]) - arg2[9]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 + out1[9] = x10 } -/* - The function Opp negates a field element. - Postconditions: - eval out1 mod m = -eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - Output Bounds: - out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] - */ -/*inline*/ +// Opp negates a field element. 
+// +// Postconditions: +// eval out1 mod m = -eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] func Opp(out1 *[10]uint32, arg1 *[10]uint32) { - var x1 uint32 = (0x7ffffda - (arg1[0])) - var x2 uint32 = (0x3fffffe - (arg1[1])) - var x3 uint32 = (0x7fffffe - (arg1[2])) - var x4 uint32 = (0x3fffffe - (arg1[3])) - var x5 uint32 = (0x7fffffe - (arg1[4])) - var x6 uint32 = (0x3fffffe - (arg1[5])) - var x7 uint32 = (0x7fffffe - (arg1[6])) - var x8 uint32 = (0x3fffffe - (arg1[7])) - var x9 uint32 = (0x7fffffe - (arg1[8])) - var x10 uint32 = (0x3fffffe - (arg1[9])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 - out1[9] = x10 + x1 := (0x7ffffda - arg1[0]) + x2 := (0x3fffffe - arg1[1]) + x3 := (0x7fffffe - arg1[2]) + x4 := (0x3fffffe - arg1[3]) + x5 := (0x7fffffe - arg1[4]) + x6 := (0x3fffffe - arg1[5]) + x7 := (0x7fffffe - arg1[6]) + x8 := (0x3fffffe - arg1[7]) + x9 := (0x7fffffe - arg1[8]) + x10 := (0x3fffffe - arg1[9]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 + out1[9] = x10 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. +// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Selectznz(out1 *[10]uint32, arg1 uint1, arg2 *[10]uint32, arg3 *[10]uint32) { - var x1 uint32 - cmovznzU32(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint32 - cmovznzU32(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint32 - cmovznzU32(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint32 - cmovznzU32(&x4, arg1, (arg2[3]), (arg3[3])) - 
var x5 uint32 - cmovznzU32(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint32 - cmovznzU32(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint32 - cmovznzU32(&x7, arg1, (arg2[6]), (arg3[6])) - var x8 uint32 - cmovznzU32(&x8, arg1, (arg2[7]), (arg3[7])) - var x9 uint32 - cmovznzU32(&x9, arg1, (arg2[8]), (arg3[8])) - var x10 uint32 - cmovznzU32(&x10, arg1, (arg2[9]), (arg3[9])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 - out1[9] = x10 + var x1 uint32 + cmovznzU32(&x1, arg1, arg2[0], arg3[0]) + var x2 uint32 + cmovznzU32(&x2, arg1, arg2[1], arg3[1]) + var x3 uint32 + cmovznzU32(&x3, arg1, arg2[2], arg3[2]) + var x4 uint32 + cmovznzU32(&x4, arg1, arg2[3], arg3[3]) + var x5 uint32 + cmovznzU32(&x5, arg1, arg2[4], arg3[4]) + var x6 uint32 + cmovznzU32(&x6, arg1, arg2[5], arg3[5]) + var x7 uint32 + cmovznzU32(&x7, arg1, arg2[6], arg3[6]) + var x8 uint32 + cmovznzU32(&x8, arg1, arg2[7], arg3[7]) + var x9 uint32 + cmovznzU32(&x9, arg1, arg2[8], arg3[8]) + var x10 uint32 + cmovznzU32(&x10, arg1, arg2[9], arg3[9]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 + out1[9] = x10 } -/* - The function ToBytes serializes a field element to bytes in little-endian order. 
- Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - */ -/*inline*/ +// ToBytes serializes a field element to bytes in little-endian order. +// +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] func ToBytes(out1 *[32]uint8, arg1 *[10]uint32) { - var x1 uint32 - var x2 uint1 - subborrowxU26(&x1, &x2, 0x0, (arg1[0]), 0x3ffffed) - var x3 uint32 - var x4 uint1 - subborrowxU25(&x3, &x4, x2, (arg1[1]), 0x1ffffff) - var x5 
uint32 - var x6 uint1 - subborrowxU26(&x5, &x6, x4, (arg1[2]), 0x3ffffff) - var x7 uint32 - var x8 uint1 - subborrowxU25(&x7, &x8, x6, (arg1[3]), 0x1ffffff) - var x9 uint32 - var x10 uint1 - subborrowxU26(&x9, &x10, x8, (arg1[4]), 0x3ffffff) - var x11 uint32 - var x12 uint1 - subborrowxU25(&x11, &x12, x10, (arg1[5]), 0x1ffffff) - var x13 uint32 - var x14 uint1 - subborrowxU26(&x13, &x14, x12, (arg1[6]), 0x3ffffff) - var x15 uint32 - var x16 uint1 - subborrowxU25(&x15, &x16, x14, (arg1[7]), 0x1ffffff) - var x17 uint32 - var x18 uint1 - subborrowxU26(&x17, &x18, x16, (arg1[8]), 0x3ffffff) - var x19 uint32 - var x20 uint1 - subborrowxU25(&x19, &x20, x18, (arg1[9]), 0x1ffffff) - var x21 uint32 - cmovznzU32(&x21, x20, uint32(0x0), 0xffffffff) - var x22 uint32 - var x23 uint1 - addcarryxU26(&x22, &x23, 0x0, x1, (x21 & 0x3ffffed)) - var x24 uint32 - var x25 uint1 - addcarryxU25(&x24, &x25, x23, x3, (x21 & 0x1ffffff)) - var x26 uint32 - var x27 uint1 - addcarryxU26(&x26, &x27, x25, x5, (x21 & 0x3ffffff)) - var x28 uint32 - var x29 uint1 - addcarryxU25(&x28, &x29, x27, x7, (x21 & 0x1ffffff)) - var x30 uint32 - var x31 uint1 - addcarryxU26(&x30, &x31, x29, x9, (x21 & 0x3ffffff)) - var x32 uint32 - var x33 uint1 - addcarryxU25(&x32, &x33, x31, x11, (x21 & 0x1ffffff)) - var x34 uint32 - var x35 uint1 - addcarryxU26(&x34, &x35, x33, x13, (x21 & 0x3ffffff)) - var x36 uint32 - var x37 uint1 - addcarryxU25(&x36, &x37, x35, x15, (x21 & 0x1ffffff)) - var x38 uint32 - var x39 uint1 - addcarryxU26(&x38, &x39, x37, x17, (x21 & 0x3ffffff)) - var x40 uint32 - var x41 uint1 - addcarryxU25(&x40, &x41, x39, x19, (x21 & 0x1ffffff)) - var x42 uint32 = (x40 << 6) - var x43 uint32 = (x38 << 4) - var x44 uint32 = (x36 << 3) - var x45 uint32 = (x34 * uint32(0x2)) - var x46 uint32 = (x30 << 6) - var x47 uint32 = (x28 << 5) - var x48 uint32 = (x26 << 3) - var x49 uint32 = (x24 << 2) - var x50 uint8 = (uint8(x22) & 0xff) - var x51 uint32 = (x22 >> 8) - var x52 uint8 = (uint8(x51) & 0xff) - var x53 
uint32 = (x51 >> 8) - var x54 uint8 = (uint8(x53) & 0xff) - var x55 uint8 = uint8((x53 >> 8)) - var x56 uint32 = (x49 + uint32(x55)) - var x57 uint8 = (uint8(x56) & 0xff) - var x58 uint32 = (x56 >> 8) - var x59 uint8 = (uint8(x58) & 0xff) - var x60 uint32 = (x58 >> 8) - var x61 uint8 = (uint8(x60) & 0xff) - var x62 uint8 = uint8((x60 >> 8)) - var x63 uint32 = (x48 + uint32(x62)) - var x64 uint8 = (uint8(x63) & 0xff) - var x65 uint32 = (x63 >> 8) - var x66 uint8 = (uint8(x65) & 0xff) - var x67 uint32 = (x65 >> 8) - var x68 uint8 = (uint8(x67) & 0xff) - var x69 uint8 = uint8((x67 >> 8)) - var x70 uint32 = (x47 + uint32(x69)) - var x71 uint8 = (uint8(x70) & 0xff) - var x72 uint32 = (x70 >> 8) - var x73 uint8 = (uint8(x72) & 0xff) - var x74 uint32 = (x72 >> 8) - var x75 uint8 = (uint8(x74) & 0xff) - var x76 uint8 = uint8((x74 >> 8)) - var x77 uint32 = (x46 + uint32(x76)) - var x78 uint8 = (uint8(x77) & 0xff) - var x79 uint32 = (x77 >> 8) - var x80 uint8 = (uint8(x79) & 0xff) - var x81 uint32 = (x79 >> 8) - var x82 uint8 = (uint8(x81) & 0xff) - var x83 uint8 = uint8((x81 >> 8)) - var x84 uint8 = (uint8(x32) & 0xff) - var x85 uint32 = (x32 >> 8) - var x86 uint8 = (uint8(x85) & 0xff) - var x87 uint32 = (x85 >> 8) - var x88 uint8 = (uint8(x87) & 0xff) - var x89 uint1 = uint1((x87 >> 8)) - var x90 uint32 = (x45 + uint32(x89)) - var x91 uint8 = (uint8(x90) & 0xff) - var x92 uint32 = (x90 >> 8) - var x93 uint8 = (uint8(x92) & 0xff) - var x94 uint32 = (x92 >> 8) - var x95 uint8 = (uint8(x94) & 0xff) - var x96 uint8 = uint8((x94 >> 8)) - var x97 uint32 = (x44 + uint32(x96)) - var x98 uint8 = (uint8(x97) & 0xff) - var x99 uint32 = (x97 >> 8) - var x100 uint8 = (uint8(x99) & 0xff) - var x101 uint32 = (x99 >> 8) - var x102 uint8 = (uint8(x101) & 0xff) - var x103 uint8 = uint8((x101 >> 8)) - var x104 uint32 = (x43 + uint32(x103)) - var x105 uint8 = (uint8(x104) & 0xff) - var x106 uint32 = (x104 >> 8) - var x107 uint8 = (uint8(x106) & 0xff) - var x108 uint32 = (x106 >> 8) - var x109 
uint8 = (uint8(x108) & 0xff) - var x110 uint8 = uint8((x108 >> 8)) - var x111 uint32 = (x42 + uint32(x110)) - var x112 uint8 = (uint8(x111) & 0xff) - var x113 uint32 = (x111 >> 8) - var x114 uint8 = (uint8(x113) & 0xff) - var x115 uint32 = (x113 >> 8) - var x116 uint8 = (uint8(x115) & 0xff) - var x117 uint8 = uint8((x115 >> 8)) - out1[0] = x50 - out1[1] = x52 - out1[2] = x54 - out1[3] = x57 - out1[4] = x59 - out1[5] = x61 - out1[6] = x64 - out1[7] = x66 - out1[8] = x68 - out1[9] = x71 - out1[10] = x73 - out1[11] = x75 - out1[12] = x78 - out1[13] = x80 - out1[14] = x82 - out1[15] = x83 - out1[16] = x84 - out1[17] = x86 - out1[18] = x88 - out1[19] = x91 - out1[20] = x93 - out1[21] = x95 - out1[22] = x98 - out1[23] = x100 - out1[24] = x102 - out1[25] = x105 - out1[26] = x107 - out1[27] = x109 - out1[28] = x112 - out1[29] = x114 - out1[30] = x116 - out1[31] = x117 + var x1 uint32 + var x2 uint1 + subborrowxU26(&x1, &x2, 0x0, arg1[0], 0x3ffffed) + var x3 uint32 + var x4 uint1 + subborrowxU25(&x3, &x4, x2, arg1[1], 0x1ffffff) + var x5 uint32 + var x6 uint1 + subborrowxU26(&x5, &x6, x4, arg1[2], 0x3ffffff) + var x7 uint32 + var x8 uint1 + subborrowxU25(&x7, &x8, x6, arg1[3], 0x1ffffff) + var x9 uint32 + var x10 uint1 + subborrowxU26(&x9, &x10, x8, arg1[4], 0x3ffffff) + var x11 uint32 + var x12 uint1 + subborrowxU25(&x11, &x12, x10, arg1[5], 0x1ffffff) + var x13 uint32 + var x14 uint1 + subborrowxU26(&x13, &x14, x12, arg1[6], 0x3ffffff) + var x15 uint32 + var x16 uint1 + subborrowxU25(&x15, &x16, x14, arg1[7], 0x1ffffff) + var x17 uint32 + var x18 uint1 + subborrowxU26(&x17, &x18, x16, arg1[8], 0x3ffffff) + var x19 uint32 + var x20 uint1 + subborrowxU25(&x19, &x20, x18, arg1[9], 0x1ffffff) + var x21 uint32 + cmovznzU32(&x21, x20, uint32(0x0), 0xffffffff) + var x22 uint32 + var x23 uint1 + addcarryxU26(&x22, &x23, 0x0, x1, (x21 & 0x3ffffed)) + var x24 uint32 + var x25 uint1 + addcarryxU25(&x24, &x25, x23, x3, (x21 & 0x1ffffff)) + var x26 uint32 + var x27 uint1 + 
addcarryxU26(&x26, &x27, x25, x5, (x21 & 0x3ffffff)) + var x28 uint32 + var x29 uint1 + addcarryxU25(&x28, &x29, x27, x7, (x21 & 0x1ffffff)) + var x30 uint32 + var x31 uint1 + addcarryxU26(&x30, &x31, x29, x9, (x21 & 0x3ffffff)) + var x32 uint32 + var x33 uint1 + addcarryxU25(&x32, &x33, x31, x11, (x21 & 0x1ffffff)) + var x34 uint32 + var x35 uint1 + addcarryxU26(&x34, &x35, x33, x13, (x21 & 0x3ffffff)) + var x36 uint32 + var x37 uint1 + addcarryxU25(&x36, &x37, x35, x15, (x21 & 0x1ffffff)) + var x38 uint32 + var x39 uint1 + addcarryxU26(&x38, &x39, x37, x17, (x21 & 0x3ffffff)) + var x40 uint32 + var x41 uint1 + addcarryxU25(&x40, &x41, x39, x19, (x21 & 0x1ffffff)) + x42 := (x40 << 6) + x43 := (x38 << 4) + x44 := (x36 << 3) + x45 := (x34 * uint32(0x2)) + x46 := (x30 << 6) + x47 := (x28 << 5) + x48 := (x26 << 3) + x49 := (x24 << 2) + x50 := (uint8(x22) & 0xff) + x51 := (x22 >> 8) + x52 := (uint8(x51) & 0xff) + x53 := (x51 >> 8) + x54 := (uint8(x53) & 0xff) + x55 := uint8((x53 >> 8)) + x56 := (x49 + uint32(x55)) + x57 := (uint8(x56) & 0xff) + x58 := (x56 >> 8) + x59 := (uint8(x58) & 0xff) + x60 := (x58 >> 8) + x61 := (uint8(x60) & 0xff) + x62 := uint8((x60 >> 8)) + x63 := (x48 + uint32(x62)) + x64 := (uint8(x63) & 0xff) + x65 := (x63 >> 8) + x66 := (uint8(x65) & 0xff) + x67 := (x65 >> 8) + x68 := (uint8(x67) & 0xff) + x69 := uint8((x67 >> 8)) + x70 := (x47 + uint32(x69)) + x71 := (uint8(x70) & 0xff) + x72 := (x70 >> 8) + x73 := (uint8(x72) & 0xff) + x74 := (x72 >> 8) + x75 := (uint8(x74) & 0xff) + x76 := uint8((x74 >> 8)) + x77 := (x46 + uint32(x76)) + x78 := (uint8(x77) & 0xff) + x79 := (x77 >> 8) + x80 := (uint8(x79) & 0xff) + x81 := (x79 >> 8) + x82 := (uint8(x81) & 0xff) + x83 := uint8((x81 >> 8)) + x84 := (uint8(x32) & 0xff) + x85 := (x32 >> 8) + x86 := (uint8(x85) & 0xff) + x87 := (x85 >> 8) + x88 := (uint8(x87) & 0xff) + x89 := uint1((x87 >> 8)) + x90 := (x45 + uint32(x89)) + x91 := (uint8(x90) & 0xff) + x92 := (x90 >> 8) + x93 := (uint8(x92) & 0xff) + x94 := 
(x92 >> 8) + x95 := (uint8(x94) & 0xff) + x96 := uint8((x94 >> 8)) + x97 := (x44 + uint32(x96)) + x98 := (uint8(x97) & 0xff) + x99 := (x97 >> 8) + x100 := (uint8(x99) & 0xff) + x101 := (x99 >> 8) + x102 := (uint8(x101) & 0xff) + x103 := uint8((x101 >> 8)) + x104 := (x43 + uint32(x103)) + x105 := (uint8(x104) & 0xff) + x106 := (x104 >> 8) + x107 := (uint8(x106) & 0xff) + x108 := (x106 >> 8) + x109 := (uint8(x108) & 0xff) + x110 := uint8((x108 >> 8)) + x111 := (x42 + uint32(x110)) + x112 := (uint8(x111) & 0xff) + x113 := (x111 >> 8) + x114 := (uint8(x113) & 0xff) + x115 := (x113 >> 8) + x116 := (uint8(x115) & 0xff) + x117 := uint8((x115 >> 8)) + out1[0] = x50 + out1[1] = x52 + out1[2] = x54 + out1[3] = x57 + out1[4] = x59 + out1[5] = x61 + out1[6] = x64 + out1[7] = x66 + out1[8] = x68 + out1[9] = x71 + out1[10] = x73 + out1[11] = x75 + out1[12] = x78 + out1[13] = x80 + out1[14] = x82 + out1[15] = x83 + out1[16] = x84 + out1[17] = x86 + out1[18] = x88 + out1[19] = x91 + out1[20] = x93 + out1[21] = x95 + out1[22] = x98 + out1[23] = x100 + out1[24] = x102 + out1[25] = x105 + out1[26] = x107 + out1[27] = x109 + out1[28] = x112 + out1[29] = x114 + out1[30] = x116 + out1[31] = x117 } -/* - The function FromBytes deserializes a field element from bytes in little-endian order. 
- Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - */ -/*inline*/ +// FromBytes deserializes a field element from bytes in little-endian order. +// +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] func FromBytes(out1 *[10]uint32, arg1 *[32]uint8) { - var x1 uint32 = (uint32((arg1[31])) << 18) - var x2 uint32 = (uint32((arg1[30])) << 10) - var x3 uint32 = (uint32((arg1[29])) << 2) - var x4 uint32 = (uint32((arg1[28])) << 20) - var x5 uint32 = (uint32((arg1[27])) << 12) - var x6 uint32 = 
(uint32((arg1[26])) << 4) - var x7 uint32 = (uint32((arg1[25])) << 21) - var x8 uint32 = (uint32((arg1[24])) << 13) - var x9 uint32 = (uint32((arg1[23])) << 5) - var x10 uint32 = (uint32((arg1[22])) << 23) - var x11 uint32 = (uint32((arg1[21])) << 15) - var x12 uint32 = (uint32((arg1[20])) << 7) - var x13 uint32 = (uint32((arg1[19])) << 24) - var x14 uint32 = (uint32((arg1[18])) << 16) - var x15 uint32 = (uint32((arg1[17])) << 8) - var x16 uint8 = (arg1[16]) - var x17 uint32 = (uint32((arg1[15])) << 18) - var x18 uint32 = (uint32((arg1[14])) << 10) - var x19 uint32 = (uint32((arg1[13])) << 2) - var x20 uint32 = (uint32((arg1[12])) << 19) - var x21 uint32 = (uint32((arg1[11])) << 11) - var x22 uint32 = (uint32((arg1[10])) << 3) - var x23 uint32 = (uint32((arg1[9])) << 21) - var x24 uint32 = (uint32((arg1[8])) << 13) - var x25 uint32 = (uint32((arg1[7])) << 5) - var x26 uint32 = (uint32((arg1[6])) << 22) - var x27 uint32 = (uint32((arg1[5])) << 14) - var x28 uint32 = (uint32((arg1[4])) << 6) - var x29 uint32 = (uint32((arg1[3])) << 24) - var x30 uint32 = (uint32((arg1[2])) << 16) - var x31 uint32 = (uint32((arg1[1])) << 8) - var x32 uint8 = (arg1[0]) - var x33 uint32 = (x31 + uint32(x32)) - var x34 uint32 = (x30 + x33) - var x35 uint32 = (x29 + x34) - var x36 uint32 = (x35 & 0x3ffffff) - var x37 uint8 = uint8((x35 >> 26)) - var x38 uint32 = (x28 + uint32(x37)) - var x39 uint32 = (x27 + x38) - var x40 uint32 = (x26 + x39) - var x41 uint32 = (x40 & 0x1ffffff) - var x42 uint8 = uint8((x40 >> 25)) - var x43 uint32 = (x25 + uint32(x42)) - var x44 uint32 = (x24 + x43) - var x45 uint32 = (x23 + x44) - var x46 uint32 = (x45 & 0x3ffffff) - var x47 uint8 = uint8((x45 >> 26)) - var x48 uint32 = (x22 + uint32(x47)) - var x49 uint32 = (x21 + x48) - var x50 uint32 = (x20 + x49) - var x51 uint32 = (x50 & 0x1ffffff) - var x52 uint8 = uint8((x50 >> 25)) - var x53 uint32 = (x19 + uint32(x52)) - var x54 uint32 = (x18 + x53) - var x55 uint32 = (x17 + x54) - var x56 uint32 = (x15 + 
uint32(x16)) - var x57 uint32 = (x14 + x56) - var x58 uint32 = (x13 + x57) - var x59 uint32 = (x58 & 0x1ffffff) - var x60 uint8 = uint8((x58 >> 25)) - var x61 uint32 = (x12 + uint32(x60)) - var x62 uint32 = (x11 + x61) - var x63 uint32 = (x10 + x62) - var x64 uint32 = (x63 & 0x3ffffff) - var x65 uint8 = uint8((x63 >> 26)) - var x66 uint32 = (x9 + uint32(x65)) - var x67 uint32 = (x8 + x66) - var x68 uint32 = (x7 + x67) - var x69 uint32 = (x68 & 0x1ffffff) - var x70 uint8 = uint8((x68 >> 25)) - var x71 uint32 = (x6 + uint32(x70)) - var x72 uint32 = (x5 + x71) - var x73 uint32 = (x4 + x72) - var x74 uint32 = (x73 & 0x3ffffff) - var x75 uint8 = uint8((x73 >> 26)) - var x76 uint32 = (x3 + uint32(x75)) - var x77 uint32 = (x2 + x76) - var x78 uint32 = (x1 + x77) - out1[0] = x36 - out1[1] = x41 - out1[2] = x46 - out1[3] = x51 - out1[4] = x55 - out1[5] = x59 - out1[6] = x64 - out1[7] = x69 - out1[8] = x74 - out1[9] = x78 + x1 := (uint32(arg1[31]) << 18) + x2 := (uint32(arg1[30]) << 10) + x3 := (uint32(arg1[29]) << 2) + x4 := (uint32(arg1[28]) << 20) + x5 := (uint32(arg1[27]) << 12) + x6 := (uint32(arg1[26]) << 4) + x7 := (uint32(arg1[25]) << 21) + x8 := (uint32(arg1[24]) << 13) + x9 := (uint32(arg1[23]) << 5) + x10 := (uint32(arg1[22]) << 23) + x11 := (uint32(arg1[21]) << 15) + x12 := (uint32(arg1[20]) << 7) + x13 := (uint32(arg1[19]) << 24) + x14 := (uint32(arg1[18]) << 16) + x15 := (uint32(arg1[17]) << 8) + x16 := arg1[16] + x17 := (uint32(arg1[15]) << 18) + x18 := (uint32(arg1[14]) << 10) + x19 := (uint32(arg1[13]) << 2) + x20 := (uint32(arg1[12]) << 19) + x21 := (uint32(arg1[11]) << 11) + x22 := (uint32(arg1[10]) << 3) + x23 := (uint32(arg1[9]) << 21) + x24 := (uint32(arg1[8]) << 13) + x25 := (uint32(arg1[7]) << 5) + x26 := (uint32(arg1[6]) << 22) + x27 := (uint32(arg1[5]) << 14) + x28 := (uint32(arg1[4]) << 6) + x29 := (uint32(arg1[3]) << 24) + x30 := (uint32(arg1[2]) << 16) + x31 := (uint32(arg1[1]) << 8) + x32 := arg1[0] + x33 := (x31 + uint32(x32)) + x34 := (x30 + 
x33) + x35 := (x29 + x34) + x36 := (x35 & 0x3ffffff) + x37 := uint8((x35 >> 26)) + x38 := (x28 + uint32(x37)) + x39 := (x27 + x38) + x40 := (x26 + x39) + x41 := (x40 & 0x1ffffff) + x42 := uint8((x40 >> 25)) + x43 := (x25 + uint32(x42)) + x44 := (x24 + x43) + x45 := (x23 + x44) + x46 := (x45 & 0x3ffffff) + x47 := uint8((x45 >> 26)) + x48 := (x22 + uint32(x47)) + x49 := (x21 + x48) + x50 := (x20 + x49) + x51 := (x50 & 0x1ffffff) + x52 := uint8((x50 >> 25)) + x53 := (x19 + uint32(x52)) + x54 := (x18 + x53) + x55 := (x17 + x54) + x56 := (x15 + uint32(x16)) + x57 := (x14 + x56) + x58 := (x13 + x57) + x59 := (x58 & 0x1ffffff) + x60 := uint8((x58 >> 25)) + x61 := (x12 + uint32(x60)) + x62 := (x11 + x61) + x63 := (x10 + x62) + x64 := (x63 & 0x3ffffff) + x65 := uint8((x63 >> 26)) + x66 := (x9 + uint32(x65)) + x67 := (x8 + x66) + x68 := (x7 + x67) + x69 := (x68 & 0x1ffffff) + x70 := uint8((x68 >> 25)) + x71 := (x6 + uint32(x70)) + x72 := (x5 + x71) + x73 := (x4 + x72) + x74 := (x73 & 0x3ffffff) + x75 := uint8((x73 >> 26)) + x76 := (x3 + uint32(x75)) + x77 := (x2 + x76) + x78 := (x1 + x77) + out1[0] = x36 + out1[1] = x41 + out1[2] = x46 + out1[3] = x51 + out1[4] = x55 + out1[5] = x59 + out1[6] = x64 + out1[7] = x69 + out1[8] = x74 + out1[9] = x78 } -/* - The function CarryScmul121666 multiplies a field element by 121666 and reduces the result. - Postconditions: - eval out1 mod m = (121666 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] - */ -/*inline*/ +// CarryScmul121666 multiplies a field element by 121666 and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (121666 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] func CarryScmul121666(out1 *[10]uint32, arg1 *[10]uint32) { - var x1 uint64 = (uint64(0x1db42) * uint64((arg1[9]))) - var x2 uint64 = (uint64(0x1db42) * uint64((arg1[8]))) - var x3 uint64 = (uint64(0x1db42) * uint64((arg1[7]))) - var x4 uint64 = (uint64(0x1db42) * uint64((arg1[6]))) - var x5 uint64 = (uint64(0x1db42) * uint64((arg1[5]))) - var x6 uint64 = (uint64(0x1db42) * uint64((arg1[4]))) - var x7 uint64 = (uint64(0x1db42) * uint64((arg1[3]))) - var x8 uint64 = (uint64(0x1db42) * uint64((arg1[2]))) - var x9 uint64 = (uint64(0x1db42) * uint64((arg1[1]))) - var x10 uint64 = (uint64(0x1db42) * uint64((arg1[0]))) - var x11 uint32 = uint32((x10 >> 26)) - var x12 uint32 = (uint32(x10) & 0x3ffffff) - var x13 uint64 = (uint64(x11) + x9) - var x14 uint32 = uint32((x13 >> 25)) - var x15 uint32 = (uint32(x13) & 0x1ffffff) - var x16 uint64 = (uint64(x14) + x8) - var x17 uint32 = uint32((x16 >> 26)) - var x18 uint32 = (uint32(x16) & 0x3ffffff) - var x19 uint64 = (uint64(x17) + x7) - var x20 uint32 = uint32((x19 >> 25)) - var x21 uint32 = (uint32(x19) & 0x1ffffff) - var x22 uint64 = (uint64(x20) + x6) - var x23 uint32 = uint32((x22 >> 26)) - var x24 uint32 = (uint32(x22) & 0x3ffffff) - var x25 uint64 = (uint64(x23) + x5) - var x26 uint32 = uint32((x25 >> 25)) - var x27 uint32 = (uint32(x25) & 0x1ffffff) - var x28 uint64 = (uint64(x26) + x4) - var x29 uint32 = uint32((x28 >> 26)) - var x30 uint32 = (uint32(x28) & 0x3ffffff) - var x31 uint64 = 
(uint64(x29) + x3) - var x32 uint32 = uint32((x31 >> 25)) - var x33 uint32 = (uint32(x31) & 0x1ffffff) - var x34 uint64 = (uint64(x32) + x2) - var x35 uint32 = uint32((x34 >> 26)) - var x36 uint32 = (uint32(x34) & 0x3ffffff) - var x37 uint64 = (uint64(x35) + x1) - var x38 uint32 = uint32((x37 >> 25)) - var x39 uint32 = (uint32(x37) & 0x1ffffff) - var x40 uint32 = (x38 * 0x13) - var x41 uint32 = (x12 + x40) - var x42 uint1 = uint1((x41 >> 26)) - var x43 uint32 = (x41 & 0x3ffffff) - var x44 uint32 = (uint32(x42) + x15) - var x45 uint1 = uint1((x44 >> 25)) - var x46 uint32 = (x44 & 0x1ffffff) - var x47 uint32 = (uint32(x45) + x18) - out1[0] = x43 - out1[1] = x46 - out1[2] = x47 - out1[3] = x21 - out1[4] = x24 - out1[5] = x27 - out1[6] = x30 - out1[7] = x33 - out1[8] = x36 - out1[9] = x39 + x1 := (uint64(0x1db42) * uint64(arg1[9])) + x2 := (uint64(0x1db42) * uint64(arg1[8])) + x3 := (uint64(0x1db42) * uint64(arg1[7])) + x4 := (uint64(0x1db42) * uint64(arg1[6])) + x5 := (uint64(0x1db42) * uint64(arg1[5])) + x6 := (uint64(0x1db42) * uint64(arg1[4])) + x7 := (uint64(0x1db42) * uint64(arg1[3])) + x8 := (uint64(0x1db42) * uint64(arg1[2])) + x9 := (uint64(0x1db42) * uint64(arg1[1])) + x10 := (uint64(0x1db42) * uint64(arg1[0])) + x11 := uint32((x10 >> 26)) + x12 := (uint32(x10) & 0x3ffffff) + x13 := (uint64(x11) + x9) + x14 := uint32((x13 >> 25)) + x15 := (uint32(x13) & 0x1ffffff) + x16 := (uint64(x14) + x8) + x17 := uint32((x16 >> 26)) + x18 := (uint32(x16) & 0x3ffffff) + x19 := (uint64(x17) + x7) + x20 := uint32((x19 >> 25)) + x21 := (uint32(x19) & 0x1ffffff) + x22 := (uint64(x20) + x6) + x23 := uint32((x22 >> 26)) + x24 := (uint32(x22) & 0x3ffffff) + x25 := (uint64(x23) + x5) + x26 := uint32((x25 >> 25)) + x27 := (uint32(x25) & 0x1ffffff) + x28 := (uint64(x26) + x4) + x29 := uint32((x28 >> 26)) + x30 := (uint32(x28) & 0x3ffffff) + x31 := (uint64(x29) + x3) + x32 := uint32((x31 >> 25)) + x33 := (uint32(x31) & 0x1ffffff) + x34 := (uint64(x32) + x2) + x35 := uint32((x34 >> 
26)) + x36 := (uint32(x34) & 0x3ffffff) + x37 := (uint64(x35) + x1) + x38 := uint32((x37 >> 25)) + x39 := (uint32(x37) & 0x1ffffff) + x40 := (x38 * 0x13) + x41 := (x12 + x40) + x42 := uint1((x41 >> 26)) + x43 := (x41 & 0x3ffffff) + x44 := (uint32(x42) + x15) + x45 := uint1((x44 >> 25)) + x46 := (x44 & 0x1ffffff) + x47 := (uint32(x45) + x18) + out1[0] = x43 + out1[1] = x46 + out1[2] = x47 + out1[3] = x21 + out1[4] = x24 + out1[5] = x27 + out1[6] = x30 + out1[7] = x33 + out1[8] = x36 + out1[9] = x39 } - diff --git a/fiat-go/32/p224/p224.go b/fiat-go/32/p224/p224.go index 06343df3669..d1d8cf0df17 100644 --- a/fiat-go/32/p224/p224.go +++ b/fiat-go/32/p224/p224.go 
@@ -1,3692 +1,3655 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p224 '' 32 '2^224 - 2^96 + 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): p224 - - machine_wordsize = 32 (from "32") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xffffffffffffffffffffffffffffffff000000000000000000000001 (from "2^224 - 2^96 + 1") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in - - if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name p224 '' 32 '2^224 - 2^96 + 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): p224 +// +// machine_wordsize = 32 (from "32") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xffffffffffffffffffffffffffffffff000000000000000000000001 (from "2^224 - 2^96 + 1") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. +// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in +// +// if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 package p224 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU32 is a thin wrapper around bits.Add32 that uses uint1 rather than uint32 */ +// addcarryxU32 is a thin 
wrapper around bits.Add32 that uses uint1 rather than uint32 func addcarryxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Add32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add32(x, y, uint32(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 rather than uint32 */ +// subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 rather than uint32 func subborrowxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Sub32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub32(x, y, uint32(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU32 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffff] - arg3: [0x0 ~> 0xffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// cmovznzU32 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffff] +// arg3: [0x0 ~> 0xffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func cmovznzU32(out1 *uint32, arg1 uint1, arg2 uint32, arg3 uint32) { - var x1 uint32 = (uint32(arg1) * 0xffffffff) - var x2 uint32 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint32(arg1) * 0xffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Mul(out1 *[7]uint32, arg1 *[7]uint32, arg2 *[7]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[0]) - var x8 uint32 - var x9 uint32 - x9, x8 = bits.Mul32(x7, (arg2[6])) - var x10 uint32 - var x11 uint32 - x11, x10 = bits.Mul32(x7, (arg2[5])) - var x12 uint32 - var x13 uint32 - x13, x12 = bits.Mul32(x7, (arg2[4])) - var x14 
uint32 - var x15 uint32 - x15, x14 = bits.Mul32(x7, (arg2[3])) - var x16 uint32 - var x17 uint32 - x17, x16 = bits.Mul32(x7, (arg2[2])) - var x18 uint32 - var x19 uint32 - x19, x18 = bits.Mul32(x7, (arg2[1])) - var x20 uint32 - var x21 uint32 - x21, x20 = bits.Mul32(x7, (arg2[0])) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x21, x18, 0x0) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x19, x16, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x17, x14, x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x15, x12, x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x13, x10, x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x11, x8, x31) - var x34 uint32 = (uint32(x33) + x9) - var x35 uint32 - _, x35 = bits.Mul32(x20, 0xffffffff) - var x37 uint32 - var x38 uint32 - x38, x37 = bits.Mul32(x35, 0xffffffff) - var x39 uint32 - var x40 uint32 - x40, x39 = bits.Mul32(x35, 0xffffffff) - var x41 uint32 - var x42 uint32 - x42, x41 = bits.Mul32(x35, 0xffffffff) - var x43 uint32 - var x44 uint32 - x44, x43 = bits.Mul32(x35, 0xffffffff) - var x45 uint32 - var x46 uint1 - x45, x46 = addcarryxU32(x44, x41, 0x0) - var x47 uint32 - var x48 uint1 - x47, x48 = addcarryxU32(x42, x39, x46) - var x49 uint32 - var x50 uint1 - x49, x50 = addcarryxU32(x40, x37, x48) - var x51 uint32 = (uint32(x50) + x38) - var x53 uint1 - _, x53 = addcarryxU32(x20, x35, 0x0) - var x54 uint32 - var x55 uint1 - x54, x55 = addcarryxU32(x22, uint32(0x0), x53) - var x56 uint32 - var x57 uint1 - x56, x57 = addcarryxU32(x24, uint32(0x0), x55) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x26, x43, x57) - var x60 uint32 - var x61 uint1 - x60, x61 = addcarryxU32(x28, x45, x59) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x30, x47, x61) - var x64 uint32 - var x65 uint1 - x64, x65 = addcarryxU32(x32, x49, x63) - var x66 uint32 - var x67 uint1 - x66, x67 = addcarryxU32(x34, x51, x65) - var x68 uint32 - var x69 
uint32 - x69, x68 = bits.Mul32(x1, (arg2[6])) - var x70 uint32 - var x71 uint32 - x71, x70 = bits.Mul32(x1, (arg2[5])) - var x72 uint32 - var x73 uint32 - x73, x72 = bits.Mul32(x1, (arg2[4])) - var x74 uint32 - var x75 uint32 - x75, x74 = bits.Mul32(x1, (arg2[3])) - var x76 uint32 - var x77 uint32 - x77, x76 = bits.Mul32(x1, (arg2[2])) - var x78 uint32 - var x79 uint32 - x79, x78 = bits.Mul32(x1, (arg2[1])) - var x80 uint32 - var x81 uint32 - x81, x80 = bits.Mul32(x1, (arg2[0])) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x81, x78, 0x0) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32(x79, x76, x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x77, x74, x85) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x75, x72, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x73, x70, x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x71, x68, x91) - var x94 uint32 = (uint32(x93) + x69) - var x95 uint32 - var x96 uint1 - x95, x96 = addcarryxU32(x54, x80, 0x0) - var x97 uint32 - var x98 uint1 - x97, x98 = addcarryxU32(x56, x82, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x58, x84, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = addcarryxU32(x60, x86, x100) - var x103 uint32 - var x104 uint1 - x103, x104 = addcarryxU32(x62, x88, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = addcarryxU32(x64, x90, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = addcarryxU32(x66, x92, x106) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(uint32(x67), x94, x108) - var x111 uint32 - _, x111 = bits.Mul32(x95, 0xffffffff) - var x113 uint32 - var x114 uint32 - x114, x113 = bits.Mul32(x111, 0xffffffff) - var x115 uint32 - var x116 uint32 - x116, x115 = bits.Mul32(x111, 0xffffffff) - var x117 uint32 - var x118 uint32 - x118, x117 = bits.Mul32(x111, 0xffffffff) - var x119 uint32 - var x120 uint32 - x120, x119 = bits.Mul32(x111, 0xffffffff) - var x121 uint32 - var 
x122 uint1 - x121, x122 = addcarryxU32(x120, x117, 0x0) - var x123 uint32 - var x124 uint1 - x123, x124 = addcarryxU32(x118, x115, x122) - var x125 uint32 - var x126 uint1 - x125, x126 = addcarryxU32(x116, x113, x124) - var x127 uint32 = (uint32(x126) + x114) - var x129 uint1 - _, x129 = addcarryxU32(x95, x111, 0x0) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x97, uint32(0x0), x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x99, uint32(0x0), x131) - var x134 uint32 - var x135 uint1 - x134, x135 = addcarryxU32(x101, x119, x133) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x103, x121, x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(x105, x123, x137) - var x140 uint32 - var x141 uint1 - x140, x141 = addcarryxU32(x107, x125, x139) - var x142 uint32 - var x143 uint1 - x142, x143 = addcarryxU32(x109, x127, x141) - var x144 uint32 = (uint32(x143) + uint32(x110)) - var x145 uint32 - var x146 uint32 - x146, x145 = bits.Mul32(x2, (arg2[6])) - var x147 uint32 - var x148 uint32 - x148, x147 = bits.Mul32(x2, (arg2[5])) - var x149 uint32 - var x150 uint32 - x150, x149 = bits.Mul32(x2, (arg2[4])) - var x151 uint32 - var x152 uint32 - x152, x151 = bits.Mul32(x2, (arg2[3])) - var x153 uint32 - var x154 uint32 - x154, x153 = bits.Mul32(x2, (arg2[2])) - var x155 uint32 - var x156 uint32 - x156, x155 = bits.Mul32(x2, (arg2[1])) - var x157 uint32 - var x158 uint32 - x158, x157 = bits.Mul32(x2, (arg2[0])) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x158, x155, 0x0) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x156, x153, x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x154, x151, x162) - var x165 uint32 - var x166 uint1 - x165, x166 = addcarryxU32(x152, x149, x164) - var x167 uint32 - var x168 uint1 - x167, x168 = addcarryxU32(x150, x147, x166) - var x169 uint32 - var x170 uint1 - x169, x170 = addcarryxU32(x148, x145, x168) - var x171 uint32 = 
(uint32(x170) + x146) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x130, x157, 0x0) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x132, x159, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x134, x161, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x136, x163, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x138, x165, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x140, x167, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x142, x169, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x144, x171, x185) - var x188 uint32 - _, x188 = bits.Mul32(x172, 0xffffffff) - var x190 uint32 - var x191 uint32 - x191, x190 = bits.Mul32(x188, 0xffffffff) - var x192 uint32 - var x193 uint32 - x193, x192 = bits.Mul32(x188, 0xffffffff) - var x194 uint32 - var x195 uint32 - x195, x194 = bits.Mul32(x188, 0xffffffff) - var x196 uint32 - var x197 uint32 - x197, x196 = bits.Mul32(x188, 0xffffffff) - var x198 uint32 - var x199 uint1 - x198, x199 = addcarryxU32(x197, x194, 0x0) - var x200 uint32 - var x201 uint1 - x200, x201 = addcarryxU32(x195, x192, x199) - var x202 uint32 - var x203 uint1 - x202, x203 = addcarryxU32(x193, x190, x201) - var x204 uint32 = (uint32(x203) + x191) - var x206 uint1 - _, x206 = addcarryxU32(x172, x188, 0x0) - var x207 uint32 - var x208 uint1 - x207, x208 = addcarryxU32(x174, uint32(0x0), x206) - var x209 uint32 - var x210 uint1 - x209, x210 = addcarryxU32(x176, uint32(0x0), x208) - var x211 uint32 - var x212 uint1 - x211, x212 = addcarryxU32(x178, x196, x210) - var x213 uint32 - var x214 uint1 - x213, x214 = addcarryxU32(x180, x198, x212) - var x215 uint32 - var x216 uint1 - x215, x216 = addcarryxU32(x182, x200, x214) - var x217 uint32 - var x218 uint1 - x217, x218 = addcarryxU32(x184, x202, x216) - var x219 uint32 - var x220 uint1 - x219, x220 = addcarryxU32(x186, x204, x218) - var x221 uint32 = 
(uint32(x220) + uint32(x187)) - var x222 uint32 - var x223 uint32 - x223, x222 = bits.Mul32(x3, (arg2[6])) - var x224 uint32 - var x225 uint32 - x225, x224 = bits.Mul32(x3, (arg2[5])) - var x226 uint32 - var x227 uint32 - x227, x226 = bits.Mul32(x3, (arg2[4])) - var x228 uint32 - var x229 uint32 - x229, x228 = bits.Mul32(x3, (arg2[3])) - var x230 uint32 - var x231 uint32 - x231, x230 = bits.Mul32(x3, (arg2[2])) - var x232 uint32 - var x233 uint32 - x233, x232 = bits.Mul32(x3, (arg2[1])) - var x234 uint32 - var x235 uint32 - x235, x234 = bits.Mul32(x3, (arg2[0])) - var x236 uint32 - var x237 uint1 - x236, x237 = addcarryxU32(x235, x232, 0x0) - var x238 uint32 - var x239 uint1 - x238, x239 = addcarryxU32(x233, x230, x237) - var x240 uint32 - var x241 uint1 - x240, x241 = addcarryxU32(x231, x228, x239) - var x242 uint32 - var x243 uint1 - x242, x243 = addcarryxU32(x229, x226, x241) - var x244 uint32 - var x245 uint1 - x244, x245 = addcarryxU32(x227, x224, x243) - var x246 uint32 - var x247 uint1 - x246, x247 = addcarryxU32(x225, x222, x245) - var x248 uint32 = (uint32(x247) + x223) - var x249 uint32 - var x250 uint1 - x249, x250 = addcarryxU32(x207, x234, 0x0) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x209, x236, x250) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x211, x238, x252) - var x255 uint32 - var x256 uint1 - x255, x256 = addcarryxU32(x213, x240, x254) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x215, x242, x256) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x217, x244, x258) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x219, x246, x260) - var x263 uint32 - var x264 uint1 - x263, x264 = addcarryxU32(x221, x248, x262) - var x265 uint32 - _, x265 = bits.Mul32(x249, 0xffffffff) - var x267 uint32 - var x268 uint32 - x268, x267 = bits.Mul32(x265, 0xffffffff) - var x269 uint32 - var x270 uint32 - x270, x269 = bits.Mul32(x265, 0xffffffff) - var x271 uint32 - var x272 uint32 - 
x272, x271 = bits.Mul32(x265, 0xffffffff) - var x273 uint32 - var x274 uint32 - x274, x273 = bits.Mul32(x265, 0xffffffff) - var x275 uint32 - var x276 uint1 - x275, x276 = addcarryxU32(x274, x271, 0x0) - var x277 uint32 - var x278 uint1 - x277, x278 = addcarryxU32(x272, x269, x276) - var x279 uint32 - var x280 uint1 - x279, x280 = addcarryxU32(x270, x267, x278) - var x281 uint32 = (uint32(x280) + x268) - var x283 uint1 - _, x283 = addcarryxU32(x249, x265, 0x0) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x251, uint32(0x0), x283) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x253, uint32(0x0), x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x255, x273, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x257, x275, x289) - var x292 uint32 - var x293 uint1 - x292, x293 = addcarryxU32(x259, x277, x291) - var x294 uint32 - var x295 uint1 - x294, x295 = addcarryxU32(x261, x279, x293) - var x296 uint32 - var x297 uint1 - x296, x297 = addcarryxU32(x263, x281, x295) - var x298 uint32 = (uint32(x297) + uint32(x264)) - var x299 uint32 - var x300 uint32 - x300, x299 = bits.Mul32(x4, (arg2[6])) - var x301 uint32 - var x302 uint32 - x302, x301 = bits.Mul32(x4, (arg2[5])) - var x303 uint32 - var x304 uint32 - x304, x303 = bits.Mul32(x4, (arg2[4])) - var x305 uint32 - var x306 uint32 - x306, x305 = bits.Mul32(x4, (arg2[3])) - var x307 uint32 - var x308 uint32 - x308, x307 = bits.Mul32(x4, (arg2[2])) - var x309 uint32 - var x310 uint32 - x310, x309 = bits.Mul32(x4, (arg2[1])) - var x311 uint32 - var x312 uint32 - x312, x311 = bits.Mul32(x4, (arg2[0])) - var x313 uint32 - var x314 uint1 - x313, x314 = addcarryxU32(x312, x309, 0x0) - var x315 uint32 - var x316 uint1 - x315, x316 = addcarryxU32(x310, x307, x314) - var x317 uint32 - var x318 uint1 - x317, x318 = addcarryxU32(x308, x305, x316) - var x319 uint32 - var x320 uint1 - x319, x320 = addcarryxU32(x306, x303, x318) - var x321 uint32 - var x322 uint1 - 
x321, x322 = addcarryxU32(x304, x301, x320) - var x323 uint32 - var x324 uint1 - x323, x324 = addcarryxU32(x302, x299, x322) - var x325 uint32 = (uint32(x324) + x300) - var x326 uint32 - var x327 uint1 - x326, x327 = addcarryxU32(x284, x311, 0x0) - var x328 uint32 - var x329 uint1 - x328, x329 = addcarryxU32(x286, x313, x327) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x288, x315, x329) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x290, x317, x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x292, x319, x333) - var x336 uint32 - var x337 uint1 - x336, x337 = addcarryxU32(x294, x321, x335) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x296, x323, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x298, x325, x339) - var x342 uint32 - _, x342 = bits.Mul32(x326, 0xffffffff) - var x344 uint32 - var x345 uint32 - x345, x344 = bits.Mul32(x342, 0xffffffff) - var x346 uint32 - var x347 uint32 - x347, x346 = bits.Mul32(x342, 0xffffffff) - var x348 uint32 - var x349 uint32 - x349, x348 = bits.Mul32(x342, 0xffffffff) - var x350 uint32 - var x351 uint32 - x351, x350 = bits.Mul32(x342, 0xffffffff) - var x352 uint32 - var x353 uint1 - x352, x353 = addcarryxU32(x351, x348, 0x0) - var x354 uint32 - var x355 uint1 - x354, x355 = addcarryxU32(x349, x346, x353) - var x356 uint32 - var x357 uint1 - x356, x357 = addcarryxU32(x347, x344, x355) - var x358 uint32 = (uint32(x357) + x345) - var x360 uint1 - _, x360 = addcarryxU32(x326, x342, 0x0) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x328, uint32(0x0), x360) - var x363 uint32 - var x364 uint1 - x363, x364 = addcarryxU32(x330, uint32(0x0), x362) - var x365 uint32 - var x366 uint1 - x365, x366 = addcarryxU32(x332, x350, x364) - var x367 uint32 - var x368 uint1 - x367, x368 = addcarryxU32(x334, x352, x366) - var x369 uint32 - var x370 uint1 - x369, x370 = addcarryxU32(x336, x354, x368) - var x371 uint32 - var x372 uint1 - x371, 
x372 = addcarryxU32(x338, x356, x370) - var x373 uint32 - var x374 uint1 - x373, x374 = addcarryxU32(x340, x358, x372) - var x375 uint32 = (uint32(x374) + uint32(x341)) - var x376 uint32 - var x377 uint32 - x377, x376 = bits.Mul32(x5, (arg2[6])) - var x378 uint32 - var x379 uint32 - x379, x378 = bits.Mul32(x5, (arg2[5])) - var x380 uint32 - var x381 uint32 - x381, x380 = bits.Mul32(x5, (arg2[4])) - var x382 uint32 - var x383 uint32 - x383, x382 = bits.Mul32(x5, (arg2[3])) - var x384 uint32 - var x385 uint32 - x385, x384 = bits.Mul32(x5, (arg2[2])) - var x386 uint32 - var x387 uint32 - x387, x386 = bits.Mul32(x5, (arg2[1])) - var x388 uint32 - var x389 uint32 - x389, x388 = bits.Mul32(x5, (arg2[0])) - var x390 uint32 - var x391 uint1 - x390, x391 = addcarryxU32(x389, x386, 0x0) - var x392 uint32 - var x393 uint1 - x392, x393 = addcarryxU32(x387, x384, x391) - var x394 uint32 - var x395 uint1 - x394, x395 = addcarryxU32(x385, x382, x393) - var x396 uint32 - var x397 uint1 - x396, x397 = addcarryxU32(x383, x380, x395) - var x398 uint32 - var x399 uint1 - x398, x399 = addcarryxU32(x381, x378, x397) - var x400 uint32 - var x401 uint1 - x400, x401 = addcarryxU32(x379, x376, x399) - var x402 uint32 = (uint32(x401) + x377) - var x403 uint32 - var x404 uint1 - x403, x404 = addcarryxU32(x361, x388, 0x0) - var x405 uint32 - var x406 uint1 - x405, x406 = addcarryxU32(x363, x390, x404) - var x407 uint32 - var x408 uint1 - x407, x408 = addcarryxU32(x365, x392, x406) - var x409 uint32 - var x410 uint1 - x409, x410 = addcarryxU32(x367, x394, x408) - var x411 uint32 - var x412 uint1 - x411, x412 = addcarryxU32(x369, x396, x410) - var x413 uint32 - var x414 uint1 - x413, x414 = addcarryxU32(x371, x398, x412) - var x415 uint32 - var x416 uint1 - x415, x416 = addcarryxU32(x373, x400, x414) - var x417 uint32 - var x418 uint1 - x417, x418 = addcarryxU32(x375, x402, x416) - var x419 uint32 - _, x419 = bits.Mul32(x403, 0xffffffff) - var x421 uint32 - var x422 uint32 - x422, x421 = 
bits.Mul32(x419, 0xffffffff) - var x423 uint32 - var x424 uint32 - x424, x423 = bits.Mul32(x419, 0xffffffff) - var x425 uint32 - var x426 uint32 - x426, x425 = bits.Mul32(x419, 0xffffffff) - var x427 uint32 - var x428 uint32 - x428, x427 = bits.Mul32(x419, 0xffffffff) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x428, x425, 0x0) - var x431 uint32 - var x432 uint1 - x431, x432 = addcarryxU32(x426, x423, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x424, x421, x432) - var x435 uint32 = (uint32(x434) + x422) - var x437 uint1 - _, x437 = addcarryxU32(x403, x419, 0x0) - var x438 uint32 - var x439 uint1 - x438, x439 = addcarryxU32(x405, uint32(0x0), x437) - var x440 uint32 - var x441 uint1 - x440, x441 = addcarryxU32(x407, uint32(0x0), x439) - var x442 uint32 - var x443 uint1 - x442, x443 = addcarryxU32(x409, x427, x441) - var x444 uint32 - var x445 uint1 - x444, x445 = addcarryxU32(x411, x429, x443) - var x446 uint32 - var x447 uint1 - x446, x447 = addcarryxU32(x413, x431, x445) - var x448 uint32 - var x449 uint1 - x448, x449 = addcarryxU32(x415, x433, x447) - var x450 uint32 - var x451 uint1 - x450, x451 = addcarryxU32(x417, x435, x449) - var x452 uint32 = (uint32(x451) + uint32(x418)) - var x453 uint32 - var x454 uint32 - x454, x453 = bits.Mul32(x6, (arg2[6])) - var x455 uint32 - var x456 uint32 - x456, x455 = bits.Mul32(x6, (arg2[5])) - var x457 uint32 - var x458 uint32 - x458, x457 = bits.Mul32(x6, (arg2[4])) - var x459 uint32 - var x460 uint32 - x460, x459 = bits.Mul32(x6, (arg2[3])) - var x461 uint32 - var x462 uint32 - x462, x461 = bits.Mul32(x6, (arg2[2])) - var x463 uint32 - var x464 uint32 - x464, x463 = bits.Mul32(x6, (arg2[1])) - var x465 uint32 - var x466 uint32 - x466, x465 = bits.Mul32(x6, (arg2[0])) - var x467 uint32 - var x468 uint1 - x467, x468 = addcarryxU32(x466, x463, 0x0) - var x469 uint32 - var x470 uint1 - x469, x470 = addcarryxU32(x464, x461, x468) - var x471 uint32 - var x472 uint1 - x471, x472 = 
addcarryxU32(x462, x459, x470) - var x473 uint32 - var x474 uint1 - x473, x474 = addcarryxU32(x460, x457, x472) - var x475 uint32 - var x476 uint1 - x475, x476 = addcarryxU32(x458, x455, x474) - var x477 uint32 - var x478 uint1 - x477, x478 = addcarryxU32(x456, x453, x476) - var x479 uint32 = (uint32(x478) + x454) - var x480 uint32 - var x481 uint1 - x480, x481 = addcarryxU32(x438, x465, 0x0) - var x482 uint32 - var x483 uint1 - x482, x483 = addcarryxU32(x440, x467, x481) - var x484 uint32 - var x485 uint1 - x484, x485 = addcarryxU32(x442, x469, x483) - var x486 uint32 - var x487 uint1 - x486, x487 = addcarryxU32(x444, x471, x485) - var x488 uint32 - var x489 uint1 - x488, x489 = addcarryxU32(x446, x473, x487) - var x490 uint32 - var x491 uint1 - x490, x491 = addcarryxU32(x448, x475, x489) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x450, x477, x491) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x452, x479, x493) - var x496 uint32 - _, x496 = bits.Mul32(x480, 0xffffffff) - var x498 uint32 - var x499 uint32 - x499, x498 = bits.Mul32(x496, 0xffffffff) - var x500 uint32 - var x501 uint32 - x501, x500 = bits.Mul32(x496, 0xffffffff) - var x502 uint32 - var x503 uint32 - x503, x502 = bits.Mul32(x496, 0xffffffff) - var x504 uint32 - var x505 uint32 - x505, x504 = bits.Mul32(x496, 0xffffffff) - var x506 uint32 - var x507 uint1 - x506, x507 = addcarryxU32(x505, x502, 0x0) - var x508 uint32 - var x509 uint1 - x508, x509 = addcarryxU32(x503, x500, x507) - var x510 uint32 - var x511 uint1 - x510, x511 = addcarryxU32(x501, x498, x509) - var x512 uint32 = (uint32(x511) + x499) - var x514 uint1 - _, x514 = addcarryxU32(x480, x496, 0x0) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x482, uint32(0x0), x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x484, uint32(0x0), x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x486, x504, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = 
addcarryxU32(x488, x506, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x490, x508, x522) - var x525 uint32 - var x526 uint1 - x525, x526 = addcarryxU32(x492, x510, x524) - var x527 uint32 - var x528 uint1 - x527, x528 = addcarryxU32(x494, x512, x526) - var x529 uint32 = (uint32(x528) + uint32(x495)) - var x530 uint32 - var x531 uint1 - x530, x531 = subborrowxU32(x515, uint32(0x1), 0x0) - var x532 uint32 - var x533 uint1 - x532, x533 = subborrowxU32(x517, uint32(0x0), x531) - var x534 uint32 - var x535 uint1 - x534, x535 = subborrowxU32(x519, uint32(0x0), x533) - var x536 uint32 - var x537 uint1 - x536, x537 = subborrowxU32(x521, 0xffffffff, x535) - var x538 uint32 - var x539 uint1 - x538, x539 = subborrowxU32(x523, 0xffffffff, x537) - var x540 uint32 - var x541 uint1 - x540, x541 = subborrowxU32(x525, 0xffffffff, x539) - var x542 uint32 - var x543 uint1 - x542, x543 = subborrowxU32(x527, 0xffffffff, x541) - var x545 uint1 - _, x545 = subborrowxU32(x529, uint32(0x0), x543) - var x546 uint32 - cmovznzU32(&x546, x545, x530, x515) - var x547 uint32 - cmovznzU32(&x547, x545, x532, x517) - var x548 uint32 - cmovznzU32(&x548, x545, x534, x519) - var x549 uint32 - cmovznzU32(&x549, x545, x536, x521) - var x550 uint32 - cmovznzU32(&x550, x545, x538, x523) - var x551 uint32 - cmovznzU32(&x551, x545, x540, x525) - var x552 uint32 - cmovznzU32(&x552, x545, x542, x527) - out1[0] = x546 - out1[1] = x547 - out1[2] = x548 - out1[3] = x549 - out1[4] = x550 - out1[5] = x551 - out1[6] = x552 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[0] + var x8 uint32 + var x9 uint32 + x9, x8 = bits.Mul32(x7, arg2[6]) + var x10 uint32 + var x11 uint32 + x11, x10 = bits.Mul32(x7, arg2[5]) + var x12 uint32 + var x13 uint32 + x13, x12 = bits.Mul32(x7, arg2[4]) + var x14 uint32 + var x15 uint32 + x15, x14 = bits.Mul32(x7, arg2[3]) + var x16 uint32 + var x17 uint32 + x17, x16 = bits.Mul32(x7, arg2[2]) + var x18 
uint32 + var x19 uint32 + x19, x18 = bits.Mul32(x7, arg2[1]) + var x20 uint32 + var x21 uint32 + x21, x20 = bits.Mul32(x7, arg2[0]) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x21, x18, 0x0) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x19, x16, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x17, x14, x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x15, x12, x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x13, x10, x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x11, x8, x31) + x34 := (uint32(x33) + x9) + var x35 uint32 + _, x35 = bits.Mul32(x20, 0xffffffff) + var x37 uint32 + var x38 uint32 + x38, x37 = bits.Mul32(x35, 0xffffffff) + var x39 uint32 + var x40 uint32 + x40, x39 = bits.Mul32(x35, 0xffffffff) + var x41 uint32 + var x42 uint32 + x42, x41 = bits.Mul32(x35, 0xffffffff) + var x43 uint32 + var x44 uint32 + x44, x43 = bits.Mul32(x35, 0xffffffff) + var x45 uint32 + var x46 uint1 + x45, x46 = addcarryxU32(x44, x41, 0x0) + var x47 uint32 + var x48 uint1 + x47, x48 = addcarryxU32(x42, x39, x46) + var x49 uint32 + var x50 uint1 + x49, x50 = addcarryxU32(x40, x37, x48) + x51 := (uint32(x50) + x38) + var x53 uint1 + _, x53 = addcarryxU32(x20, x35, 0x0) + var x54 uint32 + var x55 uint1 + x54, x55 = addcarryxU32(x22, uint32(0x0), x53) + var x56 uint32 + var x57 uint1 + x56, x57 = addcarryxU32(x24, uint32(0x0), x55) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x26, x43, x57) + var x60 uint32 + var x61 uint1 + x60, x61 = addcarryxU32(x28, x45, x59) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x30, x47, x61) + var x64 uint32 + var x65 uint1 + x64, x65 = addcarryxU32(x32, x49, x63) + var x66 uint32 + var x67 uint1 + x66, x67 = addcarryxU32(x34, x51, x65) + var x68 uint32 + var x69 uint32 + x69, x68 = bits.Mul32(x1, arg2[6]) + var x70 uint32 + var x71 uint32 + x71, x70 = bits.Mul32(x1, arg2[5]) + var x72 uint32 + var x73 uint32 + x73, x72 = 
bits.Mul32(x1, arg2[4]) + var x74 uint32 + var x75 uint32 + x75, x74 = bits.Mul32(x1, arg2[3]) + var x76 uint32 + var x77 uint32 + x77, x76 = bits.Mul32(x1, arg2[2]) + var x78 uint32 + var x79 uint32 + x79, x78 = bits.Mul32(x1, arg2[1]) + var x80 uint32 + var x81 uint32 + x81, x80 = bits.Mul32(x1, arg2[0]) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x81, x78, 0x0) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32(x79, x76, x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x77, x74, x85) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x75, x72, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x73, x70, x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x71, x68, x91) + x94 := (uint32(x93) + x69) + var x95 uint32 + var x96 uint1 + x95, x96 = addcarryxU32(x54, x80, 0x0) + var x97 uint32 + var x98 uint1 + x97, x98 = addcarryxU32(x56, x82, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x58, x84, x98) + var x101 uint32 + var x102 uint1 + x101, x102 = addcarryxU32(x60, x86, x100) + var x103 uint32 + var x104 uint1 + x103, x104 = addcarryxU32(x62, x88, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = addcarryxU32(x64, x90, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = addcarryxU32(x66, x92, x106) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(uint32(x67), x94, x108) + var x111 uint32 + _, x111 = bits.Mul32(x95, 0xffffffff) + var x113 uint32 + var x114 uint32 + x114, x113 = bits.Mul32(x111, 0xffffffff) + var x115 uint32 + var x116 uint32 + x116, x115 = bits.Mul32(x111, 0xffffffff) + var x117 uint32 + var x118 uint32 + x118, x117 = bits.Mul32(x111, 0xffffffff) + var x119 uint32 + var x120 uint32 + x120, x119 = bits.Mul32(x111, 0xffffffff) + var x121 uint32 + var x122 uint1 + x121, x122 = addcarryxU32(x120, x117, 0x0) + var x123 uint32 + var x124 uint1 + x123, x124 = addcarryxU32(x118, x115, x122) + var x125 uint32 + var x126 uint1 + x125, x126 = 
addcarryxU32(x116, x113, x124) + x127 := (uint32(x126) + x114) + var x129 uint1 + _, x129 = addcarryxU32(x95, x111, 0x0) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x97, uint32(0x0), x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x99, uint32(0x0), x131) + var x134 uint32 + var x135 uint1 + x134, x135 = addcarryxU32(x101, x119, x133) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x103, x121, x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(x105, x123, x137) + var x140 uint32 + var x141 uint1 + x140, x141 = addcarryxU32(x107, x125, x139) + var x142 uint32 + var x143 uint1 + x142, x143 = addcarryxU32(x109, x127, x141) + x144 := (uint32(x143) + uint32(x110)) + var x145 uint32 + var x146 uint32 + x146, x145 = bits.Mul32(x2, arg2[6]) + var x147 uint32 + var x148 uint32 + x148, x147 = bits.Mul32(x2, arg2[5]) + var x149 uint32 + var x150 uint32 + x150, x149 = bits.Mul32(x2, arg2[4]) + var x151 uint32 + var x152 uint32 + x152, x151 = bits.Mul32(x2, arg2[3]) + var x153 uint32 + var x154 uint32 + x154, x153 = bits.Mul32(x2, arg2[2]) + var x155 uint32 + var x156 uint32 + x156, x155 = bits.Mul32(x2, arg2[1]) + var x157 uint32 + var x158 uint32 + x158, x157 = bits.Mul32(x2, arg2[0]) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x158, x155, 0x0) + var x161 uint32 + var x162 uint1 + x161, x162 = addcarryxU32(x156, x153, x160) + var x163 uint32 + var x164 uint1 + x163, x164 = addcarryxU32(x154, x151, x162) + var x165 uint32 + var x166 uint1 + x165, x166 = addcarryxU32(x152, x149, x164) + var x167 uint32 + var x168 uint1 + x167, x168 = addcarryxU32(x150, x147, x166) + var x169 uint32 + var x170 uint1 + x169, x170 = addcarryxU32(x148, x145, x168) + x171 := (uint32(x170) + x146) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x130, x157, 0x0) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x132, x159, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = 
addcarryxU32(x134, x161, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x136, x163, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x138, x165, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x140, x167, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x142, x169, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x144, x171, x185) + var x188 uint32 + _, x188 = bits.Mul32(x172, 0xffffffff) + var x190 uint32 + var x191 uint32 + x191, x190 = bits.Mul32(x188, 0xffffffff) + var x192 uint32 + var x193 uint32 + x193, x192 = bits.Mul32(x188, 0xffffffff) + var x194 uint32 + var x195 uint32 + x195, x194 = bits.Mul32(x188, 0xffffffff) + var x196 uint32 + var x197 uint32 + x197, x196 = bits.Mul32(x188, 0xffffffff) + var x198 uint32 + var x199 uint1 + x198, x199 = addcarryxU32(x197, x194, 0x0) + var x200 uint32 + var x201 uint1 + x200, x201 = addcarryxU32(x195, x192, x199) + var x202 uint32 + var x203 uint1 + x202, x203 = addcarryxU32(x193, x190, x201) + x204 := (uint32(x203) + x191) + var x206 uint1 + _, x206 = addcarryxU32(x172, x188, 0x0) + var x207 uint32 + var x208 uint1 + x207, x208 = addcarryxU32(x174, uint32(0x0), x206) + var x209 uint32 + var x210 uint1 + x209, x210 = addcarryxU32(x176, uint32(0x0), x208) + var x211 uint32 + var x212 uint1 + x211, x212 = addcarryxU32(x178, x196, x210) + var x213 uint32 + var x214 uint1 + x213, x214 = addcarryxU32(x180, x198, x212) + var x215 uint32 + var x216 uint1 + x215, x216 = addcarryxU32(x182, x200, x214) + var x217 uint32 + var x218 uint1 + x217, x218 = addcarryxU32(x184, x202, x216) + var x219 uint32 + var x220 uint1 + x219, x220 = addcarryxU32(x186, x204, x218) + x221 := (uint32(x220) + uint32(x187)) + var x222 uint32 + var x223 uint32 + x223, x222 = bits.Mul32(x3, arg2[6]) + var x224 uint32 + var x225 uint32 + x225, x224 = bits.Mul32(x3, arg2[5]) + var x226 uint32 + var x227 uint32 + x227, x226 = bits.Mul32(x3, arg2[4]) + var 
x228 uint32 + var x229 uint32 + x229, x228 = bits.Mul32(x3, arg2[3]) + var x230 uint32 + var x231 uint32 + x231, x230 = bits.Mul32(x3, arg2[2]) + var x232 uint32 + var x233 uint32 + x233, x232 = bits.Mul32(x3, arg2[1]) + var x234 uint32 + var x235 uint32 + x235, x234 = bits.Mul32(x3, arg2[0]) + var x236 uint32 + var x237 uint1 + x236, x237 = addcarryxU32(x235, x232, 0x0) + var x238 uint32 + var x239 uint1 + x238, x239 = addcarryxU32(x233, x230, x237) + var x240 uint32 + var x241 uint1 + x240, x241 = addcarryxU32(x231, x228, x239) + var x242 uint32 + var x243 uint1 + x242, x243 = addcarryxU32(x229, x226, x241) + var x244 uint32 + var x245 uint1 + x244, x245 = addcarryxU32(x227, x224, x243) + var x246 uint32 + var x247 uint1 + x246, x247 = addcarryxU32(x225, x222, x245) + x248 := (uint32(x247) + x223) + var x249 uint32 + var x250 uint1 + x249, x250 = addcarryxU32(x207, x234, 0x0) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x209, x236, x250) + var x253 uint32 + var x254 uint1 + x253, x254 = addcarryxU32(x211, x238, x252) + var x255 uint32 + var x256 uint1 + x255, x256 = addcarryxU32(x213, x240, x254) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x215, x242, x256) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x217, x244, x258) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x219, x246, x260) + var x263 uint32 + var x264 uint1 + x263, x264 = addcarryxU32(x221, x248, x262) + var x265 uint32 + _, x265 = bits.Mul32(x249, 0xffffffff) + var x267 uint32 + var x268 uint32 + x268, x267 = bits.Mul32(x265, 0xffffffff) + var x269 uint32 + var x270 uint32 + x270, x269 = bits.Mul32(x265, 0xffffffff) + var x271 uint32 + var x272 uint32 + x272, x271 = bits.Mul32(x265, 0xffffffff) + var x273 uint32 + var x274 uint32 + x274, x273 = bits.Mul32(x265, 0xffffffff) + var x275 uint32 + var x276 uint1 + x275, x276 = addcarryxU32(x274, x271, 0x0) + var x277 uint32 + var x278 uint1 + x277, x278 = addcarryxU32(x272, x269, x276) + 
var x279 uint32 + var x280 uint1 + x279, x280 = addcarryxU32(x270, x267, x278) + x281 := (uint32(x280) + x268) + var x283 uint1 + _, x283 = addcarryxU32(x249, x265, 0x0) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x251, uint32(0x0), x283) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x253, uint32(0x0), x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x255, x273, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x257, x275, x289) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x259, x277, x291) + var x294 uint32 + var x295 uint1 + x294, x295 = addcarryxU32(x261, x279, x293) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x263, x281, x295) + x298 := (uint32(x297) + uint32(x264)) + var x299 uint32 + var x300 uint32 + x300, x299 = bits.Mul32(x4, arg2[6]) + var x301 uint32 + var x302 uint32 + x302, x301 = bits.Mul32(x4, arg2[5]) + var x303 uint32 + var x304 uint32 + x304, x303 = bits.Mul32(x4, arg2[4]) + var x305 uint32 + var x306 uint32 + x306, x305 = bits.Mul32(x4, arg2[3]) + var x307 uint32 + var x308 uint32 + x308, x307 = bits.Mul32(x4, arg2[2]) + var x309 uint32 + var x310 uint32 + x310, x309 = bits.Mul32(x4, arg2[1]) + var x311 uint32 + var x312 uint32 + x312, x311 = bits.Mul32(x4, arg2[0]) + var x313 uint32 + var x314 uint1 + x313, x314 = addcarryxU32(x312, x309, 0x0) + var x315 uint32 + var x316 uint1 + x315, x316 = addcarryxU32(x310, x307, x314) + var x317 uint32 + var x318 uint1 + x317, x318 = addcarryxU32(x308, x305, x316) + var x319 uint32 + var x320 uint1 + x319, x320 = addcarryxU32(x306, x303, x318) + var x321 uint32 + var x322 uint1 + x321, x322 = addcarryxU32(x304, x301, x320) + var x323 uint32 + var x324 uint1 + x323, x324 = addcarryxU32(x302, x299, x322) + x325 := (uint32(x324) + x300) + var x326 uint32 + var x327 uint1 + x326, x327 = addcarryxU32(x284, x311, 0x0) + var x328 uint32 + var x329 uint1 + x328, x329 = addcarryxU32(x286, x313, x327) + var 
x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x288, x315, x329) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x290, x317, x331) + var x334 uint32 + var x335 uint1 + x334, x335 = addcarryxU32(x292, x319, x333) + var x336 uint32 + var x337 uint1 + x336, x337 = addcarryxU32(x294, x321, x335) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x296, x323, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x298, x325, x339) + var x342 uint32 + _, x342 = bits.Mul32(x326, 0xffffffff) + var x344 uint32 + var x345 uint32 + x345, x344 = bits.Mul32(x342, 0xffffffff) + var x346 uint32 + var x347 uint32 + x347, x346 = bits.Mul32(x342, 0xffffffff) + var x348 uint32 + var x349 uint32 + x349, x348 = bits.Mul32(x342, 0xffffffff) + var x350 uint32 + var x351 uint32 + x351, x350 = bits.Mul32(x342, 0xffffffff) + var x352 uint32 + var x353 uint1 + x352, x353 = addcarryxU32(x351, x348, 0x0) + var x354 uint32 + var x355 uint1 + x354, x355 = addcarryxU32(x349, x346, x353) + var x356 uint32 + var x357 uint1 + x356, x357 = addcarryxU32(x347, x344, x355) + x358 := (uint32(x357) + x345) + var x360 uint1 + _, x360 = addcarryxU32(x326, x342, 0x0) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x328, uint32(0x0), x360) + var x363 uint32 + var x364 uint1 + x363, x364 = addcarryxU32(x330, uint32(0x0), x362) + var x365 uint32 + var x366 uint1 + x365, x366 = addcarryxU32(x332, x350, x364) + var x367 uint32 + var x368 uint1 + x367, x368 = addcarryxU32(x334, x352, x366) + var x369 uint32 + var x370 uint1 + x369, x370 = addcarryxU32(x336, x354, x368) + var x371 uint32 + var x372 uint1 + x371, x372 = addcarryxU32(x338, x356, x370) + var x373 uint32 + var x374 uint1 + x373, x374 = addcarryxU32(x340, x358, x372) + x375 := (uint32(x374) + uint32(x341)) + var x376 uint32 + var x377 uint32 + x377, x376 = bits.Mul32(x5, arg2[6]) + var x378 uint32 + var x379 uint32 + x379, x378 = bits.Mul32(x5, arg2[5]) + var x380 uint32 + var x381 uint32 
+ x381, x380 = bits.Mul32(x5, arg2[4]) + var x382 uint32 + var x383 uint32 + x383, x382 = bits.Mul32(x5, arg2[3]) + var x384 uint32 + var x385 uint32 + x385, x384 = bits.Mul32(x5, arg2[2]) + var x386 uint32 + var x387 uint32 + x387, x386 = bits.Mul32(x5, arg2[1]) + var x388 uint32 + var x389 uint32 + x389, x388 = bits.Mul32(x5, arg2[0]) + var x390 uint32 + var x391 uint1 + x390, x391 = addcarryxU32(x389, x386, 0x0) + var x392 uint32 + var x393 uint1 + x392, x393 = addcarryxU32(x387, x384, x391) + var x394 uint32 + var x395 uint1 + x394, x395 = addcarryxU32(x385, x382, x393) + var x396 uint32 + var x397 uint1 + x396, x397 = addcarryxU32(x383, x380, x395) + var x398 uint32 + var x399 uint1 + x398, x399 = addcarryxU32(x381, x378, x397) + var x400 uint32 + var x401 uint1 + x400, x401 = addcarryxU32(x379, x376, x399) + x402 := (uint32(x401) + x377) + var x403 uint32 + var x404 uint1 + x403, x404 = addcarryxU32(x361, x388, 0x0) + var x405 uint32 + var x406 uint1 + x405, x406 = addcarryxU32(x363, x390, x404) + var x407 uint32 + var x408 uint1 + x407, x408 = addcarryxU32(x365, x392, x406) + var x409 uint32 + var x410 uint1 + x409, x410 = addcarryxU32(x367, x394, x408) + var x411 uint32 + var x412 uint1 + x411, x412 = addcarryxU32(x369, x396, x410) + var x413 uint32 + var x414 uint1 + x413, x414 = addcarryxU32(x371, x398, x412) + var x415 uint32 + var x416 uint1 + x415, x416 = addcarryxU32(x373, x400, x414) + var x417 uint32 + var x418 uint1 + x417, x418 = addcarryxU32(x375, x402, x416) + var x419 uint32 + _, x419 = bits.Mul32(x403, 0xffffffff) + var x421 uint32 + var x422 uint32 + x422, x421 = bits.Mul32(x419, 0xffffffff) + var x423 uint32 + var x424 uint32 + x424, x423 = bits.Mul32(x419, 0xffffffff) + var x425 uint32 + var x426 uint32 + x426, x425 = bits.Mul32(x419, 0xffffffff) + var x427 uint32 + var x428 uint32 + x428, x427 = bits.Mul32(x419, 0xffffffff) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x428, x425, 0x0) + var x431 uint32 + var x432 uint1 + 
x431, x432 = addcarryxU32(x426, x423, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x424, x421, x432) + x435 := (uint32(x434) + x422) + var x437 uint1 + _, x437 = addcarryxU32(x403, x419, 0x0) + var x438 uint32 + var x439 uint1 + x438, x439 = addcarryxU32(x405, uint32(0x0), x437) + var x440 uint32 + var x441 uint1 + x440, x441 = addcarryxU32(x407, uint32(0x0), x439) + var x442 uint32 + var x443 uint1 + x442, x443 = addcarryxU32(x409, x427, x441) + var x444 uint32 + var x445 uint1 + x444, x445 = addcarryxU32(x411, x429, x443) + var x446 uint32 + var x447 uint1 + x446, x447 = addcarryxU32(x413, x431, x445) + var x448 uint32 + var x449 uint1 + x448, x449 = addcarryxU32(x415, x433, x447) + var x450 uint32 + var x451 uint1 + x450, x451 = addcarryxU32(x417, x435, x449) + x452 := (uint32(x451) + uint32(x418)) + var x453 uint32 + var x454 uint32 + x454, x453 = bits.Mul32(x6, arg2[6]) + var x455 uint32 + var x456 uint32 + x456, x455 = bits.Mul32(x6, arg2[5]) + var x457 uint32 + var x458 uint32 + x458, x457 = bits.Mul32(x6, arg2[4]) + var x459 uint32 + var x460 uint32 + x460, x459 = bits.Mul32(x6, arg2[3]) + var x461 uint32 + var x462 uint32 + x462, x461 = bits.Mul32(x6, arg2[2]) + var x463 uint32 + var x464 uint32 + x464, x463 = bits.Mul32(x6, arg2[1]) + var x465 uint32 + var x466 uint32 + x466, x465 = bits.Mul32(x6, arg2[0]) + var x467 uint32 + var x468 uint1 + x467, x468 = addcarryxU32(x466, x463, 0x0) + var x469 uint32 + var x470 uint1 + x469, x470 = addcarryxU32(x464, x461, x468) + var x471 uint32 + var x472 uint1 + x471, x472 = addcarryxU32(x462, x459, x470) + var x473 uint32 + var x474 uint1 + x473, x474 = addcarryxU32(x460, x457, x472) + var x475 uint32 + var x476 uint1 + x475, x476 = addcarryxU32(x458, x455, x474) + var x477 uint32 + var x478 uint1 + x477, x478 = addcarryxU32(x456, x453, x476) + x479 := (uint32(x478) + x454) + var x480 uint32 + var x481 uint1 + x480, x481 = addcarryxU32(x438, x465, 0x0) + var x482 uint32 + var x483 uint1 + 
x482, x483 = addcarryxU32(x440, x467, x481) + var x484 uint32 + var x485 uint1 + x484, x485 = addcarryxU32(x442, x469, x483) + var x486 uint32 + var x487 uint1 + x486, x487 = addcarryxU32(x444, x471, x485) + var x488 uint32 + var x489 uint1 + x488, x489 = addcarryxU32(x446, x473, x487) + var x490 uint32 + var x491 uint1 + x490, x491 = addcarryxU32(x448, x475, x489) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x450, x477, x491) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x452, x479, x493) + var x496 uint32 + _, x496 = bits.Mul32(x480, 0xffffffff) + var x498 uint32 + var x499 uint32 + x499, x498 = bits.Mul32(x496, 0xffffffff) + var x500 uint32 + var x501 uint32 + x501, x500 = bits.Mul32(x496, 0xffffffff) + var x502 uint32 + var x503 uint32 + x503, x502 = bits.Mul32(x496, 0xffffffff) + var x504 uint32 + var x505 uint32 + x505, x504 = bits.Mul32(x496, 0xffffffff) + var x506 uint32 + var x507 uint1 + x506, x507 = addcarryxU32(x505, x502, 0x0) + var x508 uint32 + var x509 uint1 + x508, x509 = addcarryxU32(x503, x500, x507) + var x510 uint32 + var x511 uint1 + x510, x511 = addcarryxU32(x501, x498, x509) + x512 := (uint32(x511) + x499) + var x514 uint1 + _, x514 = addcarryxU32(x480, x496, 0x0) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x482, uint32(0x0), x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x484, uint32(0x0), x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x486, x504, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x488, x506, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x490, x508, x522) + var x525 uint32 + var x526 uint1 + x525, x526 = addcarryxU32(x492, x510, x524) + var x527 uint32 + var x528 uint1 + x527, x528 = addcarryxU32(x494, x512, x526) + x529 := (uint32(x528) + uint32(x495)) + var x530 uint32 + var x531 uint1 + x530, x531 = subborrowxU32(x515, uint32(0x1), 0x0) + var x532 uint32 + var x533 uint1 + x532, x533 
= subborrowxU32(x517, uint32(0x0), x531) + var x534 uint32 + var x535 uint1 + x534, x535 = subborrowxU32(x519, uint32(0x0), x533) + var x536 uint32 + var x537 uint1 + x536, x537 = subborrowxU32(x521, 0xffffffff, x535) + var x538 uint32 + var x539 uint1 + x538, x539 = subborrowxU32(x523, 0xffffffff, x537) + var x540 uint32 + var x541 uint1 + x540, x541 = subborrowxU32(x525, 0xffffffff, x539) + var x542 uint32 + var x543 uint1 + x542, x543 = subborrowxU32(x527, 0xffffffff, x541) + var x545 uint1 + _, x545 = subborrowxU32(x529, uint32(0x0), x543) + var x546 uint32 + cmovznzU32(&x546, x545, x530, x515) + var x547 uint32 + cmovznzU32(&x547, x545, x532, x517) + var x548 uint32 + cmovznzU32(&x548, x545, x534, x519) + var x549 uint32 + cmovznzU32(&x549, x545, x536, x521) + var x550 uint32 + cmovznzU32(&x550, x545, x538, x523) + var x551 uint32 + cmovznzU32(&x551, x545, x540, x525) + var x552 uint32 + cmovznzU32(&x552, x545, x542, x527) + out1[0] = x546 + out1[1] = x547 + out1[2] = x548 + out1[3] = x549 + out1[4] = x550 + out1[5] = x551 + out1[6] = x552 } -/* - The function Square squares a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Square(out1 *[7]uint32, arg1 *[7]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[0]) - var x8 uint32 - var x9 uint32 - x9, x8 = bits.Mul32(x7, (arg1[6])) - var x10 uint32 - var x11 uint32 - x11, x10 = bits.Mul32(x7, (arg1[5])) - var x12 uint32 - var x13 uint32 - x13, x12 = bits.Mul32(x7, (arg1[4])) - var x14 uint32 - var x15 uint32 - x15, x14 = bits.Mul32(x7, (arg1[3])) - var x16 uint32 - var x17 uint32 - x17, x16 = bits.Mul32(x7, (arg1[2])) - var x18 uint32 - var x19 uint32 - x19, x18 = bits.Mul32(x7, (arg1[1])) - var x20 uint32 - var x21 uint32 - x21, x20 = bits.Mul32(x7, (arg1[0])) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x21, x18, 0x0) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x19, x16, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x17, x14, x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x15, x12, x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x13, x10, x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x11, x8, x31) - var x34 uint32 = (uint32(x33) + x9) - var x35 uint32 - _, x35 = bits.Mul32(x20, 0xffffffff) - var x37 uint32 - var x38 uint32 - x38, x37 = bits.Mul32(x35, 0xffffffff) - var x39 uint32 - var x40 uint32 - x40, x39 = bits.Mul32(x35, 0xffffffff) - var x41 
uint32 - var x42 uint32 - x42, x41 = bits.Mul32(x35, 0xffffffff) - var x43 uint32 - var x44 uint32 - x44, x43 = bits.Mul32(x35, 0xffffffff) - var x45 uint32 - var x46 uint1 - x45, x46 = addcarryxU32(x44, x41, 0x0) - var x47 uint32 - var x48 uint1 - x47, x48 = addcarryxU32(x42, x39, x46) - var x49 uint32 - var x50 uint1 - x49, x50 = addcarryxU32(x40, x37, x48) - var x51 uint32 = (uint32(x50) + x38) - var x53 uint1 - _, x53 = addcarryxU32(x20, x35, 0x0) - var x54 uint32 - var x55 uint1 - x54, x55 = addcarryxU32(x22, uint32(0x0), x53) - var x56 uint32 - var x57 uint1 - x56, x57 = addcarryxU32(x24, uint32(0x0), x55) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x26, x43, x57) - var x60 uint32 - var x61 uint1 - x60, x61 = addcarryxU32(x28, x45, x59) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x30, x47, x61) - var x64 uint32 - var x65 uint1 - x64, x65 = addcarryxU32(x32, x49, x63) - var x66 uint32 - var x67 uint1 - x66, x67 = addcarryxU32(x34, x51, x65) - var x68 uint32 - var x69 uint32 - x69, x68 = bits.Mul32(x1, (arg1[6])) - var x70 uint32 - var x71 uint32 - x71, x70 = bits.Mul32(x1, (arg1[5])) - var x72 uint32 - var x73 uint32 - x73, x72 = bits.Mul32(x1, (arg1[4])) - var x74 uint32 - var x75 uint32 - x75, x74 = bits.Mul32(x1, (arg1[3])) - var x76 uint32 - var x77 uint32 - x77, x76 = bits.Mul32(x1, (arg1[2])) - var x78 uint32 - var x79 uint32 - x79, x78 = bits.Mul32(x1, (arg1[1])) - var x80 uint32 - var x81 uint32 - x81, x80 = bits.Mul32(x1, (arg1[0])) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x81, x78, 0x0) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32(x79, x76, x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x77, x74, x85) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x75, x72, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x73, x70, x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x71, x68, x91) - var x94 uint32 = (uint32(x93) + x69) - var x95 
uint32 - var x96 uint1 - x95, x96 = addcarryxU32(x54, x80, 0x0) - var x97 uint32 - var x98 uint1 - x97, x98 = addcarryxU32(x56, x82, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x58, x84, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = addcarryxU32(x60, x86, x100) - var x103 uint32 - var x104 uint1 - x103, x104 = addcarryxU32(x62, x88, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = addcarryxU32(x64, x90, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = addcarryxU32(x66, x92, x106) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(uint32(x67), x94, x108) - var x111 uint32 - _, x111 = bits.Mul32(x95, 0xffffffff) - var x113 uint32 - var x114 uint32 - x114, x113 = bits.Mul32(x111, 0xffffffff) - var x115 uint32 - var x116 uint32 - x116, x115 = bits.Mul32(x111, 0xffffffff) - var x117 uint32 - var x118 uint32 - x118, x117 = bits.Mul32(x111, 0xffffffff) - var x119 uint32 - var x120 uint32 - x120, x119 = bits.Mul32(x111, 0xffffffff) - var x121 uint32 - var x122 uint1 - x121, x122 = addcarryxU32(x120, x117, 0x0) - var x123 uint32 - var x124 uint1 - x123, x124 = addcarryxU32(x118, x115, x122) - var x125 uint32 - var x126 uint1 - x125, x126 = addcarryxU32(x116, x113, x124) - var x127 uint32 = (uint32(x126) + x114) - var x129 uint1 - _, x129 = addcarryxU32(x95, x111, 0x0) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x97, uint32(0x0), x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x99, uint32(0x0), x131) - var x134 uint32 - var x135 uint1 - x134, x135 = addcarryxU32(x101, x119, x133) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x103, x121, x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(x105, x123, x137) - var x140 uint32 - var x141 uint1 - x140, x141 = addcarryxU32(x107, x125, x139) - var x142 uint32 - var x143 uint1 - x142, x143 = addcarryxU32(x109, x127, x141) - var x144 uint32 = (uint32(x143) + uint32(x110)) - var x145 uint32 - var x146 
uint32 - x146, x145 = bits.Mul32(x2, (arg1[6])) - var x147 uint32 - var x148 uint32 - x148, x147 = bits.Mul32(x2, (arg1[5])) - var x149 uint32 - var x150 uint32 - x150, x149 = bits.Mul32(x2, (arg1[4])) - var x151 uint32 - var x152 uint32 - x152, x151 = bits.Mul32(x2, (arg1[3])) - var x153 uint32 - var x154 uint32 - x154, x153 = bits.Mul32(x2, (arg1[2])) - var x155 uint32 - var x156 uint32 - x156, x155 = bits.Mul32(x2, (arg1[1])) - var x157 uint32 - var x158 uint32 - x158, x157 = bits.Mul32(x2, (arg1[0])) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x158, x155, 0x0) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x156, x153, x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x154, x151, x162) - var x165 uint32 - var x166 uint1 - x165, x166 = addcarryxU32(x152, x149, x164) - var x167 uint32 - var x168 uint1 - x167, x168 = addcarryxU32(x150, x147, x166) - var x169 uint32 - var x170 uint1 - x169, x170 = addcarryxU32(x148, x145, x168) - var x171 uint32 = (uint32(x170) + x146) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x130, x157, 0x0) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x132, x159, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x134, x161, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x136, x163, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x138, x165, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x140, x167, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x142, x169, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x144, x171, x185) - var x188 uint32 - _, x188 = bits.Mul32(x172, 0xffffffff) - var x190 uint32 - var x191 uint32 - x191, x190 = bits.Mul32(x188, 0xffffffff) - var x192 uint32 - var x193 uint32 - x193, x192 = bits.Mul32(x188, 0xffffffff) - var x194 uint32 - var x195 uint32 - x195, x194 = bits.Mul32(x188, 0xffffffff) - var x196 
uint32 - var x197 uint32 - x197, x196 = bits.Mul32(x188, 0xffffffff) - var x198 uint32 - var x199 uint1 - x198, x199 = addcarryxU32(x197, x194, 0x0) - var x200 uint32 - var x201 uint1 - x200, x201 = addcarryxU32(x195, x192, x199) - var x202 uint32 - var x203 uint1 - x202, x203 = addcarryxU32(x193, x190, x201) - var x204 uint32 = (uint32(x203) + x191) - var x206 uint1 - _, x206 = addcarryxU32(x172, x188, 0x0) - var x207 uint32 - var x208 uint1 - x207, x208 = addcarryxU32(x174, uint32(0x0), x206) - var x209 uint32 - var x210 uint1 - x209, x210 = addcarryxU32(x176, uint32(0x0), x208) - var x211 uint32 - var x212 uint1 - x211, x212 = addcarryxU32(x178, x196, x210) - var x213 uint32 - var x214 uint1 - x213, x214 = addcarryxU32(x180, x198, x212) - var x215 uint32 - var x216 uint1 - x215, x216 = addcarryxU32(x182, x200, x214) - var x217 uint32 - var x218 uint1 - x217, x218 = addcarryxU32(x184, x202, x216) - var x219 uint32 - var x220 uint1 - x219, x220 = addcarryxU32(x186, x204, x218) - var x221 uint32 = (uint32(x220) + uint32(x187)) - var x222 uint32 - var x223 uint32 - x223, x222 = bits.Mul32(x3, (arg1[6])) - var x224 uint32 - var x225 uint32 - x225, x224 = bits.Mul32(x3, (arg1[5])) - var x226 uint32 - var x227 uint32 - x227, x226 = bits.Mul32(x3, (arg1[4])) - var x228 uint32 - var x229 uint32 - x229, x228 = bits.Mul32(x3, (arg1[3])) - var x230 uint32 - var x231 uint32 - x231, x230 = bits.Mul32(x3, (arg1[2])) - var x232 uint32 - var x233 uint32 - x233, x232 = bits.Mul32(x3, (arg1[1])) - var x234 uint32 - var x235 uint32 - x235, x234 = bits.Mul32(x3, (arg1[0])) - var x236 uint32 - var x237 uint1 - x236, x237 = addcarryxU32(x235, x232, 0x0) - var x238 uint32 - var x239 uint1 - x238, x239 = addcarryxU32(x233, x230, x237) - var x240 uint32 - var x241 uint1 - x240, x241 = addcarryxU32(x231, x228, x239) - var x242 uint32 - var x243 uint1 - x242, x243 = addcarryxU32(x229, x226, x241) - var x244 uint32 - var x245 uint1 - x244, x245 = addcarryxU32(x227, x224, x243) - var x246 
uint32 - var x247 uint1 - x246, x247 = addcarryxU32(x225, x222, x245) - var x248 uint32 = (uint32(x247) + x223) - var x249 uint32 - var x250 uint1 - x249, x250 = addcarryxU32(x207, x234, 0x0) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x209, x236, x250) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x211, x238, x252) - var x255 uint32 - var x256 uint1 - x255, x256 = addcarryxU32(x213, x240, x254) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x215, x242, x256) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x217, x244, x258) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x219, x246, x260) - var x263 uint32 - var x264 uint1 - x263, x264 = addcarryxU32(x221, x248, x262) - var x265 uint32 - _, x265 = bits.Mul32(x249, 0xffffffff) - var x267 uint32 - var x268 uint32 - x268, x267 = bits.Mul32(x265, 0xffffffff) - var x269 uint32 - var x270 uint32 - x270, x269 = bits.Mul32(x265, 0xffffffff) - var x271 uint32 - var x272 uint32 - x272, x271 = bits.Mul32(x265, 0xffffffff) - var x273 uint32 - var x274 uint32 - x274, x273 = bits.Mul32(x265, 0xffffffff) - var x275 uint32 - var x276 uint1 - x275, x276 = addcarryxU32(x274, x271, 0x0) - var x277 uint32 - var x278 uint1 - x277, x278 = addcarryxU32(x272, x269, x276) - var x279 uint32 - var x280 uint1 - x279, x280 = addcarryxU32(x270, x267, x278) - var x281 uint32 = (uint32(x280) + x268) - var x283 uint1 - _, x283 = addcarryxU32(x249, x265, 0x0) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x251, uint32(0x0), x283) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x253, uint32(0x0), x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x255, x273, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x257, x275, x289) - var x292 uint32 - var x293 uint1 - x292, x293 = addcarryxU32(x259, x277, x291) - var x294 uint32 - var x295 uint1 - x294, x295 = addcarryxU32(x261, x279, x293) - var x296 uint32 
- var x297 uint1 - x296, x297 = addcarryxU32(x263, x281, x295) - var x298 uint32 = (uint32(x297) + uint32(x264)) - var x299 uint32 - var x300 uint32 - x300, x299 = bits.Mul32(x4, (arg1[6])) - var x301 uint32 - var x302 uint32 - x302, x301 = bits.Mul32(x4, (arg1[5])) - var x303 uint32 - var x304 uint32 - x304, x303 = bits.Mul32(x4, (arg1[4])) - var x305 uint32 - var x306 uint32 - x306, x305 = bits.Mul32(x4, (arg1[3])) - var x307 uint32 - var x308 uint32 - x308, x307 = bits.Mul32(x4, (arg1[2])) - var x309 uint32 - var x310 uint32 - x310, x309 = bits.Mul32(x4, (arg1[1])) - var x311 uint32 - var x312 uint32 - x312, x311 = bits.Mul32(x4, (arg1[0])) - var x313 uint32 - var x314 uint1 - x313, x314 = addcarryxU32(x312, x309, 0x0) - var x315 uint32 - var x316 uint1 - x315, x316 = addcarryxU32(x310, x307, x314) - var x317 uint32 - var x318 uint1 - x317, x318 = addcarryxU32(x308, x305, x316) - var x319 uint32 - var x320 uint1 - x319, x320 = addcarryxU32(x306, x303, x318) - var x321 uint32 - var x322 uint1 - x321, x322 = addcarryxU32(x304, x301, x320) - var x323 uint32 - var x324 uint1 - x323, x324 = addcarryxU32(x302, x299, x322) - var x325 uint32 = (uint32(x324) + x300) - var x326 uint32 - var x327 uint1 - x326, x327 = addcarryxU32(x284, x311, 0x0) - var x328 uint32 - var x329 uint1 - x328, x329 = addcarryxU32(x286, x313, x327) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x288, x315, x329) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x290, x317, x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x292, x319, x333) - var x336 uint32 - var x337 uint1 - x336, x337 = addcarryxU32(x294, x321, x335) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x296, x323, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x298, x325, x339) - var x342 uint32 - _, x342 = bits.Mul32(x326, 0xffffffff) - var x344 uint32 - var x345 uint32 - x345, x344 = bits.Mul32(x342, 0xffffffff) - var x346 uint32 - var x347 
uint32 - x347, x346 = bits.Mul32(x342, 0xffffffff) - var x348 uint32 - var x349 uint32 - x349, x348 = bits.Mul32(x342, 0xffffffff) - var x350 uint32 - var x351 uint32 - x351, x350 = bits.Mul32(x342, 0xffffffff) - var x352 uint32 - var x353 uint1 - x352, x353 = addcarryxU32(x351, x348, 0x0) - var x354 uint32 - var x355 uint1 - x354, x355 = addcarryxU32(x349, x346, x353) - var x356 uint32 - var x357 uint1 - x356, x357 = addcarryxU32(x347, x344, x355) - var x358 uint32 = (uint32(x357) + x345) - var x360 uint1 - _, x360 = addcarryxU32(x326, x342, 0x0) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x328, uint32(0x0), x360) - var x363 uint32 - var x364 uint1 - x363, x364 = addcarryxU32(x330, uint32(0x0), x362) - var x365 uint32 - var x366 uint1 - x365, x366 = addcarryxU32(x332, x350, x364) - var x367 uint32 - var x368 uint1 - x367, x368 = addcarryxU32(x334, x352, x366) - var x369 uint32 - var x370 uint1 - x369, x370 = addcarryxU32(x336, x354, x368) - var x371 uint32 - var x372 uint1 - x371, x372 = addcarryxU32(x338, x356, x370) - var x373 uint32 - var x374 uint1 - x373, x374 = addcarryxU32(x340, x358, x372) - var x375 uint32 = (uint32(x374) + uint32(x341)) - var x376 uint32 - var x377 uint32 - x377, x376 = bits.Mul32(x5, (arg1[6])) - var x378 uint32 - var x379 uint32 - x379, x378 = bits.Mul32(x5, (arg1[5])) - var x380 uint32 - var x381 uint32 - x381, x380 = bits.Mul32(x5, (arg1[4])) - var x382 uint32 - var x383 uint32 - x383, x382 = bits.Mul32(x5, (arg1[3])) - var x384 uint32 - var x385 uint32 - x385, x384 = bits.Mul32(x5, (arg1[2])) - var x386 uint32 - var x387 uint32 - x387, x386 = bits.Mul32(x5, (arg1[1])) - var x388 uint32 - var x389 uint32 - x389, x388 = bits.Mul32(x5, (arg1[0])) - var x390 uint32 - var x391 uint1 - x390, x391 = addcarryxU32(x389, x386, 0x0) - var x392 uint32 - var x393 uint1 - x392, x393 = addcarryxU32(x387, x384, x391) - var x394 uint32 - var x395 uint1 - x394, x395 = addcarryxU32(x385, x382, x393) - var x396 uint32 - var x397 
uint1 - x396, x397 = addcarryxU32(x383, x380, x395) - var x398 uint32 - var x399 uint1 - x398, x399 = addcarryxU32(x381, x378, x397) - var x400 uint32 - var x401 uint1 - x400, x401 = addcarryxU32(x379, x376, x399) - var x402 uint32 = (uint32(x401) + x377) - var x403 uint32 - var x404 uint1 - x403, x404 = addcarryxU32(x361, x388, 0x0) - var x405 uint32 - var x406 uint1 - x405, x406 = addcarryxU32(x363, x390, x404) - var x407 uint32 - var x408 uint1 - x407, x408 = addcarryxU32(x365, x392, x406) - var x409 uint32 - var x410 uint1 - x409, x410 = addcarryxU32(x367, x394, x408) - var x411 uint32 - var x412 uint1 - x411, x412 = addcarryxU32(x369, x396, x410) - var x413 uint32 - var x414 uint1 - x413, x414 = addcarryxU32(x371, x398, x412) - var x415 uint32 - var x416 uint1 - x415, x416 = addcarryxU32(x373, x400, x414) - var x417 uint32 - var x418 uint1 - x417, x418 = addcarryxU32(x375, x402, x416) - var x419 uint32 - _, x419 = bits.Mul32(x403, 0xffffffff) - var x421 uint32 - var x422 uint32 - x422, x421 = bits.Mul32(x419, 0xffffffff) - var x423 uint32 - var x424 uint32 - x424, x423 = bits.Mul32(x419, 0xffffffff) - var x425 uint32 - var x426 uint32 - x426, x425 = bits.Mul32(x419, 0xffffffff) - var x427 uint32 - var x428 uint32 - x428, x427 = bits.Mul32(x419, 0xffffffff) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x428, x425, 0x0) - var x431 uint32 - var x432 uint1 - x431, x432 = addcarryxU32(x426, x423, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x424, x421, x432) - var x435 uint32 = (uint32(x434) + x422) - var x437 uint1 - _, x437 = addcarryxU32(x403, x419, 0x0) - var x438 uint32 - var x439 uint1 - x438, x439 = addcarryxU32(x405, uint32(0x0), x437) - var x440 uint32 - var x441 uint1 - x440, x441 = addcarryxU32(x407, uint32(0x0), x439) - var x442 uint32 - var x443 uint1 - x442, x443 = addcarryxU32(x409, x427, x441) - var x444 uint32 - var x445 uint1 - x444, x445 = addcarryxU32(x411, x429, x443) - var x446 uint32 - var x447 uint1 - 
x446, x447 = addcarryxU32(x413, x431, x445) - var x448 uint32 - var x449 uint1 - x448, x449 = addcarryxU32(x415, x433, x447) - var x450 uint32 - var x451 uint1 - x450, x451 = addcarryxU32(x417, x435, x449) - var x452 uint32 = (uint32(x451) + uint32(x418)) - var x453 uint32 - var x454 uint32 - x454, x453 = bits.Mul32(x6, (arg1[6])) - var x455 uint32 - var x456 uint32 - x456, x455 = bits.Mul32(x6, (arg1[5])) - var x457 uint32 - var x458 uint32 - x458, x457 = bits.Mul32(x6, (arg1[4])) - var x459 uint32 - var x460 uint32 - x460, x459 = bits.Mul32(x6, (arg1[3])) - var x461 uint32 - var x462 uint32 - x462, x461 = bits.Mul32(x6, (arg1[2])) - var x463 uint32 - var x464 uint32 - x464, x463 = bits.Mul32(x6, (arg1[1])) - var x465 uint32 - var x466 uint32 - x466, x465 = bits.Mul32(x6, (arg1[0])) - var x467 uint32 - var x468 uint1 - x467, x468 = addcarryxU32(x466, x463, 0x0) - var x469 uint32 - var x470 uint1 - x469, x470 = addcarryxU32(x464, x461, x468) - var x471 uint32 - var x472 uint1 - x471, x472 = addcarryxU32(x462, x459, x470) - var x473 uint32 - var x474 uint1 - x473, x474 = addcarryxU32(x460, x457, x472) - var x475 uint32 - var x476 uint1 - x475, x476 = addcarryxU32(x458, x455, x474) - var x477 uint32 - var x478 uint1 - x477, x478 = addcarryxU32(x456, x453, x476) - var x479 uint32 = (uint32(x478) + x454) - var x480 uint32 - var x481 uint1 - x480, x481 = addcarryxU32(x438, x465, 0x0) - var x482 uint32 - var x483 uint1 - x482, x483 = addcarryxU32(x440, x467, x481) - var x484 uint32 - var x485 uint1 - x484, x485 = addcarryxU32(x442, x469, x483) - var x486 uint32 - var x487 uint1 - x486, x487 = addcarryxU32(x444, x471, x485) - var x488 uint32 - var x489 uint1 - x488, x489 = addcarryxU32(x446, x473, x487) - var x490 uint32 - var x491 uint1 - x490, x491 = addcarryxU32(x448, x475, x489) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x450, x477, x491) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x452, x479, x493) - var x496 uint32 - _, x496 = 
bits.Mul32(x480, 0xffffffff) - var x498 uint32 - var x499 uint32 - x499, x498 = bits.Mul32(x496, 0xffffffff) - var x500 uint32 - var x501 uint32 - x501, x500 = bits.Mul32(x496, 0xffffffff) - var x502 uint32 - var x503 uint32 - x503, x502 = bits.Mul32(x496, 0xffffffff) - var x504 uint32 - var x505 uint32 - x505, x504 = bits.Mul32(x496, 0xffffffff) - var x506 uint32 - var x507 uint1 - x506, x507 = addcarryxU32(x505, x502, 0x0) - var x508 uint32 - var x509 uint1 - x508, x509 = addcarryxU32(x503, x500, x507) - var x510 uint32 - var x511 uint1 - x510, x511 = addcarryxU32(x501, x498, x509) - var x512 uint32 = (uint32(x511) + x499) - var x514 uint1 - _, x514 = addcarryxU32(x480, x496, 0x0) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x482, uint32(0x0), x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x484, uint32(0x0), x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x486, x504, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x488, x506, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x490, x508, x522) - var x525 uint32 - var x526 uint1 - x525, x526 = addcarryxU32(x492, x510, x524) - var x527 uint32 - var x528 uint1 - x527, x528 = addcarryxU32(x494, x512, x526) - var x529 uint32 = (uint32(x528) + uint32(x495)) - var x530 uint32 - var x531 uint1 - x530, x531 = subborrowxU32(x515, uint32(0x1), 0x0) - var x532 uint32 - var x533 uint1 - x532, x533 = subborrowxU32(x517, uint32(0x0), x531) - var x534 uint32 - var x535 uint1 - x534, x535 = subborrowxU32(x519, uint32(0x0), x533) - var x536 uint32 - var x537 uint1 - x536, x537 = subborrowxU32(x521, 0xffffffff, x535) - var x538 uint32 - var x539 uint1 - x538, x539 = subborrowxU32(x523, 0xffffffff, x537) - var x540 uint32 - var x541 uint1 - x540, x541 = subborrowxU32(x525, 0xffffffff, x539) - var x542 uint32 - var x543 uint1 - x542, x543 = subborrowxU32(x527, 0xffffffff, x541) - var x545 uint1 - _, x545 = subborrowxU32(x529, 
uint32(0x0), x543) - var x546 uint32 - cmovznzU32(&x546, x545, x530, x515) - var x547 uint32 - cmovznzU32(&x547, x545, x532, x517) - var x548 uint32 - cmovznzU32(&x548, x545, x534, x519) - var x549 uint32 - cmovznzU32(&x549, x545, x536, x521) - var x550 uint32 - cmovznzU32(&x550, x545, x538, x523) - var x551 uint32 - cmovznzU32(&x551, x545, x540, x525) - var x552 uint32 - cmovznzU32(&x552, x545, x542, x527) - out1[0] = x546 - out1[1] = x547 - out1[2] = x548 - out1[3] = x549 - out1[4] = x550 - out1[5] = x551 - out1[6] = x552 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[0] + var x8 uint32 + var x9 uint32 + x9, x8 = bits.Mul32(x7, arg1[6]) + var x10 uint32 + var x11 uint32 + x11, x10 = bits.Mul32(x7, arg1[5]) + var x12 uint32 + var x13 uint32 + x13, x12 = bits.Mul32(x7, arg1[4]) + var x14 uint32 + var x15 uint32 + x15, x14 = bits.Mul32(x7, arg1[3]) + var x16 uint32 + var x17 uint32 + x17, x16 = bits.Mul32(x7, arg1[2]) + var x18 uint32 + var x19 uint32 + x19, x18 = bits.Mul32(x7, arg1[1]) + var x20 uint32 + var x21 uint32 + x21, x20 = bits.Mul32(x7, arg1[0]) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x21, x18, 0x0) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x19, x16, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x17, x14, x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x15, x12, x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x13, x10, x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x11, x8, x31) + x34 := (uint32(x33) + x9) + var x35 uint32 + _, x35 = bits.Mul32(x20, 0xffffffff) + var x37 uint32 + var x38 uint32 + x38, x37 = bits.Mul32(x35, 0xffffffff) + var x39 uint32 + var x40 uint32 + x40, x39 = bits.Mul32(x35, 0xffffffff) + var x41 uint32 + var x42 uint32 + x42, x41 = bits.Mul32(x35, 0xffffffff) + var x43 uint32 + var x44 uint32 + x44, x43 = bits.Mul32(x35, 0xffffffff) + var x45 uint32 + var x46 uint1 + 
x45, x46 = addcarryxU32(x44, x41, 0x0) + var x47 uint32 + var x48 uint1 + x47, x48 = addcarryxU32(x42, x39, x46) + var x49 uint32 + var x50 uint1 + x49, x50 = addcarryxU32(x40, x37, x48) + x51 := (uint32(x50) + x38) + var x53 uint1 + _, x53 = addcarryxU32(x20, x35, 0x0) + var x54 uint32 + var x55 uint1 + x54, x55 = addcarryxU32(x22, uint32(0x0), x53) + var x56 uint32 + var x57 uint1 + x56, x57 = addcarryxU32(x24, uint32(0x0), x55) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x26, x43, x57) + var x60 uint32 + var x61 uint1 + x60, x61 = addcarryxU32(x28, x45, x59) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x30, x47, x61) + var x64 uint32 + var x65 uint1 + x64, x65 = addcarryxU32(x32, x49, x63) + var x66 uint32 + var x67 uint1 + x66, x67 = addcarryxU32(x34, x51, x65) + var x68 uint32 + var x69 uint32 + x69, x68 = bits.Mul32(x1, arg1[6]) + var x70 uint32 + var x71 uint32 + x71, x70 = bits.Mul32(x1, arg1[5]) + var x72 uint32 + var x73 uint32 + x73, x72 = bits.Mul32(x1, arg1[4]) + var x74 uint32 + var x75 uint32 + x75, x74 = bits.Mul32(x1, arg1[3]) + var x76 uint32 + var x77 uint32 + x77, x76 = bits.Mul32(x1, arg1[2]) + var x78 uint32 + var x79 uint32 + x79, x78 = bits.Mul32(x1, arg1[1]) + var x80 uint32 + var x81 uint32 + x81, x80 = bits.Mul32(x1, arg1[0]) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x81, x78, 0x0) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32(x79, x76, x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x77, x74, x85) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x75, x72, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x73, x70, x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x71, x68, x91) + x94 := (uint32(x93) + x69) + var x95 uint32 + var x96 uint1 + x95, x96 = addcarryxU32(x54, x80, 0x0) + var x97 uint32 + var x98 uint1 + x97, x98 = addcarryxU32(x56, x82, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x58, x84, x98) 
+ var x101 uint32 + var x102 uint1 + x101, x102 = addcarryxU32(x60, x86, x100) + var x103 uint32 + var x104 uint1 + x103, x104 = addcarryxU32(x62, x88, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = addcarryxU32(x64, x90, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = addcarryxU32(x66, x92, x106) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(uint32(x67), x94, x108) + var x111 uint32 + _, x111 = bits.Mul32(x95, 0xffffffff) + var x113 uint32 + var x114 uint32 + x114, x113 = bits.Mul32(x111, 0xffffffff) + var x115 uint32 + var x116 uint32 + x116, x115 = bits.Mul32(x111, 0xffffffff) + var x117 uint32 + var x118 uint32 + x118, x117 = bits.Mul32(x111, 0xffffffff) + var x119 uint32 + var x120 uint32 + x120, x119 = bits.Mul32(x111, 0xffffffff) + var x121 uint32 + var x122 uint1 + x121, x122 = addcarryxU32(x120, x117, 0x0) + var x123 uint32 + var x124 uint1 + x123, x124 = addcarryxU32(x118, x115, x122) + var x125 uint32 + var x126 uint1 + x125, x126 = addcarryxU32(x116, x113, x124) + x127 := (uint32(x126) + x114) + var x129 uint1 + _, x129 = addcarryxU32(x95, x111, 0x0) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x97, uint32(0x0), x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x99, uint32(0x0), x131) + var x134 uint32 + var x135 uint1 + x134, x135 = addcarryxU32(x101, x119, x133) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x103, x121, x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(x105, x123, x137) + var x140 uint32 + var x141 uint1 + x140, x141 = addcarryxU32(x107, x125, x139) + var x142 uint32 + var x143 uint1 + x142, x143 = addcarryxU32(x109, x127, x141) + x144 := (uint32(x143) + uint32(x110)) + var x145 uint32 + var x146 uint32 + x146, x145 = bits.Mul32(x2, arg1[6]) + var x147 uint32 + var x148 uint32 + x148, x147 = bits.Mul32(x2, arg1[5]) + var x149 uint32 + var x150 uint32 + x150, x149 = bits.Mul32(x2, arg1[4]) + var x151 uint32 + var x152 uint32 + 
x152, x151 = bits.Mul32(x2, arg1[3]) + var x153 uint32 + var x154 uint32 + x154, x153 = bits.Mul32(x2, arg1[2]) + var x155 uint32 + var x156 uint32 + x156, x155 = bits.Mul32(x2, arg1[1]) + var x157 uint32 + var x158 uint32 + x158, x157 = bits.Mul32(x2, arg1[0]) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x158, x155, 0x0) + var x161 uint32 + var x162 uint1 + x161, x162 = addcarryxU32(x156, x153, x160) + var x163 uint32 + var x164 uint1 + x163, x164 = addcarryxU32(x154, x151, x162) + var x165 uint32 + var x166 uint1 + x165, x166 = addcarryxU32(x152, x149, x164) + var x167 uint32 + var x168 uint1 + x167, x168 = addcarryxU32(x150, x147, x166) + var x169 uint32 + var x170 uint1 + x169, x170 = addcarryxU32(x148, x145, x168) + x171 := (uint32(x170) + x146) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x130, x157, 0x0) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x132, x159, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x134, x161, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x136, x163, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x138, x165, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x140, x167, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x142, x169, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x144, x171, x185) + var x188 uint32 + _, x188 = bits.Mul32(x172, 0xffffffff) + var x190 uint32 + var x191 uint32 + x191, x190 = bits.Mul32(x188, 0xffffffff) + var x192 uint32 + var x193 uint32 + x193, x192 = bits.Mul32(x188, 0xffffffff) + var x194 uint32 + var x195 uint32 + x195, x194 = bits.Mul32(x188, 0xffffffff) + var x196 uint32 + var x197 uint32 + x197, x196 = bits.Mul32(x188, 0xffffffff) + var x198 uint32 + var x199 uint1 + x198, x199 = addcarryxU32(x197, x194, 0x0) + var x200 uint32 + var x201 uint1 + x200, x201 = addcarryxU32(x195, x192, x199) + var x202 uint32 + var x203 
uint1 + x202, x203 = addcarryxU32(x193, x190, x201) + x204 := (uint32(x203) + x191) + var x206 uint1 + _, x206 = addcarryxU32(x172, x188, 0x0) + var x207 uint32 + var x208 uint1 + x207, x208 = addcarryxU32(x174, uint32(0x0), x206) + var x209 uint32 + var x210 uint1 + x209, x210 = addcarryxU32(x176, uint32(0x0), x208) + var x211 uint32 + var x212 uint1 + x211, x212 = addcarryxU32(x178, x196, x210) + var x213 uint32 + var x214 uint1 + x213, x214 = addcarryxU32(x180, x198, x212) + var x215 uint32 + var x216 uint1 + x215, x216 = addcarryxU32(x182, x200, x214) + var x217 uint32 + var x218 uint1 + x217, x218 = addcarryxU32(x184, x202, x216) + var x219 uint32 + var x220 uint1 + x219, x220 = addcarryxU32(x186, x204, x218) + x221 := (uint32(x220) + uint32(x187)) + var x222 uint32 + var x223 uint32 + x223, x222 = bits.Mul32(x3, arg1[6]) + var x224 uint32 + var x225 uint32 + x225, x224 = bits.Mul32(x3, arg1[5]) + var x226 uint32 + var x227 uint32 + x227, x226 = bits.Mul32(x3, arg1[4]) + var x228 uint32 + var x229 uint32 + x229, x228 = bits.Mul32(x3, arg1[3]) + var x230 uint32 + var x231 uint32 + x231, x230 = bits.Mul32(x3, arg1[2]) + var x232 uint32 + var x233 uint32 + x233, x232 = bits.Mul32(x3, arg1[1]) + var x234 uint32 + var x235 uint32 + x235, x234 = bits.Mul32(x3, arg1[0]) + var x236 uint32 + var x237 uint1 + x236, x237 = addcarryxU32(x235, x232, 0x0) + var x238 uint32 + var x239 uint1 + x238, x239 = addcarryxU32(x233, x230, x237) + var x240 uint32 + var x241 uint1 + x240, x241 = addcarryxU32(x231, x228, x239) + var x242 uint32 + var x243 uint1 + x242, x243 = addcarryxU32(x229, x226, x241) + var x244 uint32 + var x245 uint1 + x244, x245 = addcarryxU32(x227, x224, x243) + var x246 uint32 + var x247 uint1 + x246, x247 = addcarryxU32(x225, x222, x245) + x248 := (uint32(x247) + x223) + var x249 uint32 + var x250 uint1 + x249, x250 = addcarryxU32(x207, x234, 0x0) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x209, x236, x250) + var x253 uint32 + var x254 
uint1 + x253, x254 = addcarryxU32(x211, x238, x252) + var x255 uint32 + var x256 uint1 + x255, x256 = addcarryxU32(x213, x240, x254) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x215, x242, x256) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x217, x244, x258) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x219, x246, x260) + var x263 uint32 + var x264 uint1 + x263, x264 = addcarryxU32(x221, x248, x262) + var x265 uint32 + _, x265 = bits.Mul32(x249, 0xffffffff) + var x267 uint32 + var x268 uint32 + x268, x267 = bits.Mul32(x265, 0xffffffff) + var x269 uint32 + var x270 uint32 + x270, x269 = bits.Mul32(x265, 0xffffffff) + var x271 uint32 + var x272 uint32 + x272, x271 = bits.Mul32(x265, 0xffffffff) + var x273 uint32 + var x274 uint32 + x274, x273 = bits.Mul32(x265, 0xffffffff) + var x275 uint32 + var x276 uint1 + x275, x276 = addcarryxU32(x274, x271, 0x0) + var x277 uint32 + var x278 uint1 + x277, x278 = addcarryxU32(x272, x269, x276) + var x279 uint32 + var x280 uint1 + x279, x280 = addcarryxU32(x270, x267, x278) + x281 := (uint32(x280) + x268) + var x283 uint1 + _, x283 = addcarryxU32(x249, x265, 0x0) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x251, uint32(0x0), x283) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x253, uint32(0x0), x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x255, x273, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x257, x275, x289) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x259, x277, x291) + var x294 uint32 + var x295 uint1 + x294, x295 = addcarryxU32(x261, x279, x293) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x263, x281, x295) + x298 := (uint32(x297) + uint32(x264)) + var x299 uint32 + var x300 uint32 + x300, x299 = bits.Mul32(x4, arg1[6]) + var x301 uint32 + var x302 uint32 + x302, x301 = bits.Mul32(x4, arg1[5]) + var x303 uint32 + var x304 uint32 + x304, x303 = 
bits.Mul32(x4, arg1[4]) + var x305 uint32 + var x306 uint32 + x306, x305 = bits.Mul32(x4, arg1[3]) + var x307 uint32 + var x308 uint32 + x308, x307 = bits.Mul32(x4, arg1[2]) + var x309 uint32 + var x310 uint32 + x310, x309 = bits.Mul32(x4, arg1[1]) + var x311 uint32 + var x312 uint32 + x312, x311 = bits.Mul32(x4, arg1[0]) + var x313 uint32 + var x314 uint1 + x313, x314 = addcarryxU32(x312, x309, 0x0) + var x315 uint32 + var x316 uint1 + x315, x316 = addcarryxU32(x310, x307, x314) + var x317 uint32 + var x318 uint1 + x317, x318 = addcarryxU32(x308, x305, x316) + var x319 uint32 + var x320 uint1 + x319, x320 = addcarryxU32(x306, x303, x318) + var x321 uint32 + var x322 uint1 + x321, x322 = addcarryxU32(x304, x301, x320) + var x323 uint32 + var x324 uint1 + x323, x324 = addcarryxU32(x302, x299, x322) + x325 := (uint32(x324) + x300) + var x326 uint32 + var x327 uint1 + x326, x327 = addcarryxU32(x284, x311, 0x0) + var x328 uint32 + var x329 uint1 + x328, x329 = addcarryxU32(x286, x313, x327) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x288, x315, x329) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x290, x317, x331) + var x334 uint32 + var x335 uint1 + x334, x335 = addcarryxU32(x292, x319, x333) + var x336 uint32 + var x337 uint1 + x336, x337 = addcarryxU32(x294, x321, x335) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x296, x323, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x298, x325, x339) + var x342 uint32 + _, x342 = bits.Mul32(x326, 0xffffffff) + var x344 uint32 + var x345 uint32 + x345, x344 = bits.Mul32(x342, 0xffffffff) + var x346 uint32 + var x347 uint32 + x347, x346 = bits.Mul32(x342, 0xffffffff) + var x348 uint32 + var x349 uint32 + x349, x348 = bits.Mul32(x342, 0xffffffff) + var x350 uint32 + var x351 uint32 + x351, x350 = bits.Mul32(x342, 0xffffffff) + var x352 uint32 + var x353 uint1 + x352, x353 = addcarryxU32(x351, x348, 0x0) + var x354 uint32 + var x355 uint1 + x354, x355 = 
addcarryxU32(x349, x346, x353) + var x356 uint32 + var x357 uint1 + x356, x357 = addcarryxU32(x347, x344, x355) + x358 := (uint32(x357) + x345) + var x360 uint1 + _, x360 = addcarryxU32(x326, x342, 0x0) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x328, uint32(0x0), x360) + var x363 uint32 + var x364 uint1 + x363, x364 = addcarryxU32(x330, uint32(0x0), x362) + var x365 uint32 + var x366 uint1 + x365, x366 = addcarryxU32(x332, x350, x364) + var x367 uint32 + var x368 uint1 + x367, x368 = addcarryxU32(x334, x352, x366) + var x369 uint32 + var x370 uint1 + x369, x370 = addcarryxU32(x336, x354, x368) + var x371 uint32 + var x372 uint1 + x371, x372 = addcarryxU32(x338, x356, x370) + var x373 uint32 + var x374 uint1 + x373, x374 = addcarryxU32(x340, x358, x372) + x375 := (uint32(x374) + uint32(x341)) + var x376 uint32 + var x377 uint32 + x377, x376 = bits.Mul32(x5, arg1[6]) + var x378 uint32 + var x379 uint32 + x379, x378 = bits.Mul32(x5, arg1[5]) + var x380 uint32 + var x381 uint32 + x381, x380 = bits.Mul32(x5, arg1[4]) + var x382 uint32 + var x383 uint32 + x383, x382 = bits.Mul32(x5, arg1[3]) + var x384 uint32 + var x385 uint32 + x385, x384 = bits.Mul32(x5, arg1[2]) + var x386 uint32 + var x387 uint32 + x387, x386 = bits.Mul32(x5, arg1[1]) + var x388 uint32 + var x389 uint32 + x389, x388 = bits.Mul32(x5, arg1[0]) + var x390 uint32 + var x391 uint1 + x390, x391 = addcarryxU32(x389, x386, 0x0) + var x392 uint32 + var x393 uint1 + x392, x393 = addcarryxU32(x387, x384, x391) + var x394 uint32 + var x395 uint1 + x394, x395 = addcarryxU32(x385, x382, x393) + var x396 uint32 + var x397 uint1 + x396, x397 = addcarryxU32(x383, x380, x395) + var x398 uint32 + var x399 uint1 + x398, x399 = addcarryxU32(x381, x378, x397) + var x400 uint32 + var x401 uint1 + x400, x401 = addcarryxU32(x379, x376, x399) + x402 := (uint32(x401) + x377) + var x403 uint32 + var x404 uint1 + x403, x404 = addcarryxU32(x361, x388, 0x0) + var x405 uint32 + var x406 uint1 + x405, x406 = 
addcarryxU32(x363, x390, x404) + var x407 uint32 + var x408 uint1 + x407, x408 = addcarryxU32(x365, x392, x406) + var x409 uint32 + var x410 uint1 + x409, x410 = addcarryxU32(x367, x394, x408) + var x411 uint32 + var x412 uint1 + x411, x412 = addcarryxU32(x369, x396, x410) + var x413 uint32 + var x414 uint1 + x413, x414 = addcarryxU32(x371, x398, x412) + var x415 uint32 + var x416 uint1 + x415, x416 = addcarryxU32(x373, x400, x414) + var x417 uint32 + var x418 uint1 + x417, x418 = addcarryxU32(x375, x402, x416) + var x419 uint32 + _, x419 = bits.Mul32(x403, 0xffffffff) + var x421 uint32 + var x422 uint32 + x422, x421 = bits.Mul32(x419, 0xffffffff) + var x423 uint32 + var x424 uint32 + x424, x423 = bits.Mul32(x419, 0xffffffff) + var x425 uint32 + var x426 uint32 + x426, x425 = bits.Mul32(x419, 0xffffffff) + var x427 uint32 + var x428 uint32 + x428, x427 = bits.Mul32(x419, 0xffffffff) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x428, x425, 0x0) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x426, x423, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x424, x421, x432) + x435 := (uint32(x434) + x422) + var x437 uint1 + _, x437 = addcarryxU32(x403, x419, 0x0) + var x438 uint32 + var x439 uint1 + x438, x439 = addcarryxU32(x405, uint32(0x0), x437) + var x440 uint32 + var x441 uint1 + x440, x441 = addcarryxU32(x407, uint32(0x0), x439) + var x442 uint32 + var x443 uint1 + x442, x443 = addcarryxU32(x409, x427, x441) + var x444 uint32 + var x445 uint1 + x444, x445 = addcarryxU32(x411, x429, x443) + var x446 uint32 + var x447 uint1 + x446, x447 = addcarryxU32(x413, x431, x445) + var x448 uint32 + var x449 uint1 + x448, x449 = addcarryxU32(x415, x433, x447) + var x450 uint32 + var x451 uint1 + x450, x451 = addcarryxU32(x417, x435, x449) + x452 := (uint32(x451) + uint32(x418)) + var x453 uint32 + var x454 uint32 + x454, x453 = bits.Mul32(x6, arg1[6]) + var x455 uint32 + var x456 uint32 + x456, x455 = bits.Mul32(x6, arg1[5]) 
+ var x457 uint32 + var x458 uint32 + x458, x457 = bits.Mul32(x6, arg1[4]) + var x459 uint32 + var x460 uint32 + x460, x459 = bits.Mul32(x6, arg1[3]) + var x461 uint32 + var x462 uint32 + x462, x461 = bits.Mul32(x6, arg1[2]) + var x463 uint32 + var x464 uint32 + x464, x463 = bits.Mul32(x6, arg1[1]) + var x465 uint32 + var x466 uint32 + x466, x465 = bits.Mul32(x6, arg1[0]) + var x467 uint32 + var x468 uint1 + x467, x468 = addcarryxU32(x466, x463, 0x0) + var x469 uint32 + var x470 uint1 + x469, x470 = addcarryxU32(x464, x461, x468) + var x471 uint32 + var x472 uint1 + x471, x472 = addcarryxU32(x462, x459, x470) + var x473 uint32 + var x474 uint1 + x473, x474 = addcarryxU32(x460, x457, x472) + var x475 uint32 + var x476 uint1 + x475, x476 = addcarryxU32(x458, x455, x474) + var x477 uint32 + var x478 uint1 + x477, x478 = addcarryxU32(x456, x453, x476) + x479 := (uint32(x478) + x454) + var x480 uint32 + var x481 uint1 + x480, x481 = addcarryxU32(x438, x465, 0x0) + var x482 uint32 + var x483 uint1 + x482, x483 = addcarryxU32(x440, x467, x481) + var x484 uint32 + var x485 uint1 + x484, x485 = addcarryxU32(x442, x469, x483) + var x486 uint32 + var x487 uint1 + x486, x487 = addcarryxU32(x444, x471, x485) + var x488 uint32 + var x489 uint1 + x488, x489 = addcarryxU32(x446, x473, x487) + var x490 uint32 + var x491 uint1 + x490, x491 = addcarryxU32(x448, x475, x489) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x450, x477, x491) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x452, x479, x493) + var x496 uint32 + _, x496 = bits.Mul32(x480, 0xffffffff) + var x498 uint32 + var x499 uint32 + x499, x498 = bits.Mul32(x496, 0xffffffff) + var x500 uint32 + var x501 uint32 + x501, x500 = bits.Mul32(x496, 0xffffffff) + var x502 uint32 + var x503 uint32 + x503, x502 = bits.Mul32(x496, 0xffffffff) + var x504 uint32 + var x505 uint32 + x505, x504 = bits.Mul32(x496, 0xffffffff) + var x506 uint32 + var x507 uint1 + x506, x507 = addcarryxU32(x505, x502, 0x0) + 
var x508 uint32 + var x509 uint1 + x508, x509 = addcarryxU32(x503, x500, x507) + var x510 uint32 + var x511 uint1 + x510, x511 = addcarryxU32(x501, x498, x509) + x512 := (uint32(x511) + x499) + var x514 uint1 + _, x514 = addcarryxU32(x480, x496, 0x0) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x482, uint32(0x0), x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x484, uint32(0x0), x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x486, x504, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x488, x506, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x490, x508, x522) + var x525 uint32 + var x526 uint1 + x525, x526 = addcarryxU32(x492, x510, x524) + var x527 uint32 + var x528 uint1 + x527, x528 = addcarryxU32(x494, x512, x526) + x529 := (uint32(x528) + uint32(x495)) + var x530 uint32 + var x531 uint1 + x530, x531 = subborrowxU32(x515, uint32(0x1), 0x0) + var x532 uint32 + var x533 uint1 + x532, x533 = subborrowxU32(x517, uint32(0x0), x531) + var x534 uint32 + var x535 uint1 + x534, x535 = subborrowxU32(x519, uint32(0x0), x533) + var x536 uint32 + var x537 uint1 + x536, x537 = subborrowxU32(x521, 0xffffffff, x535) + var x538 uint32 + var x539 uint1 + x538, x539 = subborrowxU32(x523, 0xffffffff, x537) + var x540 uint32 + var x541 uint1 + x540, x541 = subborrowxU32(x525, 0xffffffff, x539) + var x542 uint32 + var x543 uint1 + x542, x543 = subborrowxU32(x527, 0xffffffff, x541) + var x545 uint1 + _, x545 = subborrowxU32(x529, uint32(0x0), x543) + var x546 uint32 + cmovznzU32(&x546, x545, x530, x515) + var x547 uint32 + cmovznzU32(&x547, x545, x532, x517) + var x548 uint32 + cmovznzU32(&x548, x545, x534, x519) + var x549 uint32 + cmovznzU32(&x549, x545, x536, x521) + var x550 uint32 + cmovznzU32(&x550, x545, x538, x523) + var x551 uint32 + cmovznzU32(&x551, x545, x540, x525) + var x552 uint32 + cmovznzU32(&x552, x545, x542, x527) + out1[0] = x546 + out1[1] = x547 + out1[2] = 
x548 + out1[3] = x549 + out1[4] = x550 + out1[5] = x551 + out1[6] = x552 } -/* - The function Add adds two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Add(out1 *[7]uint32, arg1 *[7]uint32, arg2 *[7]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = addcarryxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = addcarryxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = addcarryxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, 
x8 = addcarryxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = addcarryxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = addcarryxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = addcarryxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = subborrowxU32(x1, uint32(0x1), 0x0) - var x17 uint32 - var x18 uint1 - x17, x18 = subborrowxU32(x3, uint32(0x0), x16) - var x19 uint32 - var x20 uint1 - x19, x20 = subborrowxU32(x5, uint32(0x0), x18) - var x21 uint32 - var x22 uint1 - x21, x22 = subborrowxU32(x7, 0xffffffff, x20) - var x23 uint32 - var x24 uint1 - x23, x24 = subborrowxU32(x9, 0xffffffff, x22) - var x25 uint32 - var x26 uint1 - x25, x26 = subborrowxU32(x11, 0xffffffff, x24) - var x27 uint32 - var x28 uint1 - x27, x28 = subborrowxU32(x13, 0xffffffff, x26) - var x30 uint1 - _, x30 = subborrowxU32(uint32(x14), uint32(0x0), x28) - var x31 uint32 - cmovznzU32(&x31, x30, x15, x1) - var x32 uint32 - cmovznzU32(&x32, x30, x17, x3) - var x33 uint32 - cmovznzU32(&x33, x30, x19, x5) - var x34 uint32 - cmovznzU32(&x34, x30, x21, x7) - var x35 uint32 - cmovznzU32(&x35, x30, x23, x9) - var x36 uint32 - cmovznzU32(&x36, x30, x25, x11) - var x37 uint32 - cmovznzU32(&x37, x30, x27, x13) - out1[0] = x31 - out1[1] = x32 - out1[2] = x33 - out1[3] = x34 - out1[4] = x35 - out1[5] = x36 - out1[6] = x37 + var x1 uint32 + var x2 uint1 + x1, x2 = addcarryxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = addcarryxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = addcarryxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = addcarryxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = addcarryxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = addcarryxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = addcarryxU32(arg1[6], arg2[6], x12) + var x15 uint32 + var x16 uint1 + x15, 
x16 = subborrowxU32(x1, uint32(0x1), 0x0) + var x17 uint32 + var x18 uint1 + x17, x18 = subborrowxU32(x3, uint32(0x0), x16) + var x19 uint32 + var x20 uint1 + x19, x20 = subborrowxU32(x5, uint32(0x0), x18) + var x21 uint32 + var x22 uint1 + x21, x22 = subborrowxU32(x7, 0xffffffff, x20) + var x23 uint32 + var x24 uint1 + x23, x24 = subborrowxU32(x9, 0xffffffff, x22) + var x25 uint32 + var x26 uint1 + x25, x26 = subborrowxU32(x11, 0xffffffff, x24) + var x27 uint32 + var x28 uint1 + x27, x28 = subborrowxU32(x13, 0xffffffff, x26) + var x30 uint1 + _, x30 = subborrowxU32(uint32(x14), uint32(0x0), x28) + var x31 uint32 + cmovznzU32(&x31, x30, x15, x1) + var x32 uint32 + cmovznzU32(&x32, x30, x17, x3) + var x33 uint32 + cmovznzU32(&x33, x30, x19, x5) + var x34 uint32 + cmovznzU32(&x34, x30, x21, x7) + var x35 uint32 + cmovznzU32(&x35, x30, x23, x9) + var x36 uint32 + cmovznzU32(&x36, x30, x25, x11) + var x37 uint32 + cmovznzU32(&x37, x30, x27, x13) + out1[0] = x31 + out1[1] = x32 + out1[2] = x33 + out1[3] = x34 + out1[4] = x35 + out1[5] = x36 + out1[6] = x37 } -/* - The function Sub subtracts two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Sub(out1 *[7]uint32, arg1 *[7]uint32, arg2 *[7]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = subborrowxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = subborrowxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - cmovznzU32(&x15, x14, uint32(0x0), 0xffffffff) - var x16 uint32 - var x17 uint1 - x16, x17 = addcarryxU32(x1, uint32((uint1(x15) & 0x1)), 0x0) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(x3, uint32(0x0), x17) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(x5, uint32(0x0), x19) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x7, x15, x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x9, x15, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x11, x15, x25) - var x28 uint32 - x28, _ = addcarryxU32(x13, x15, x27) - out1[0] = x16 - 
out1[1] = x18 - out1[2] = x20 - out1[3] = x22 - out1[4] = x24 - out1[5] = x26 - out1[6] = x28 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(arg1[6], arg2[6], x12) + var x15 uint32 + cmovznzU32(&x15, x14, uint32(0x0), 0xffffffff) + var x16 uint32 + var x17 uint1 + x16, x17 = addcarryxU32(x1, uint32((uint1(x15) & 0x1)), 0x0) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(x3, uint32(0x0), x17) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(x5, uint32(0x0), x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x7, x15, x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x9, x15, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x11, x15, x25) + var x28 uint32 + x28, _ = addcarryxU32(x13, x15, x27) + out1[0] = x16 + out1[1] = x18 + out1[2] = x20 + out1[3] = x22 + out1[4] = x24 + out1[5] = x26 + out1[6] = x28 } -/* - The function Opp negates a field element in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Opp(out1 *[7]uint32, arg1 *[7]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32(uint32(0x0), (arg1[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32(uint32(0x0), (arg1[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32(uint32(0x0), (arg1[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = subborrowxU32(uint32(0x0), (arg1[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32(uint32(0x0), (arg1[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = subborrowxU32(uint32(0x0), (arg1[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32(uint32(0x0), (arg1[6]), x12) - var x15 uint32 - cmovznzU32(&x15, x14, uint32(0x0), 0xffffffff) - var x16 uint32 - var x17 uint1 - x16, x17 = addcarryxU32(x1, uint32((uint1(x15) & 0x1)), 0x0) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(x3, uint32(0x0), x17) - var x20 uint32 - 
var x21 uint1 - x20, x21 = addcarryxU32(x5, uint32(0x0), x19) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x7, x15, x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x9, x15, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x11, x15, x25) - var x28 uint32 - x28, _ = addcarryxU32(x13, x15, x27) - out1[0] = x16 - out1[1] = x18 - out1[2] = x20 - out1[3] = x22 - out1[4] = x24 - out1[5] = x26 - out1[6] = x28 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(uint32(0x0), arg1[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(uint32(0x0), arg1[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(uint32(0x0), arg1[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(uint32(0x0), arg1[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(uint32(0x0), arg1[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(uint32(0x0), arg1[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(uint32(0x0), arg1[6], x12) + var x15 uint32 + cmovznzU32(&x15, x14, uint32(0x0), 0xffffffff) + var x16 uint32 + var x17 uint1 + x16, x17 = addcarryxU32(x1, uint32((uint1(x15) & 0x1)), 0x0) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(x3, uint32(0x0), x17) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(x5, uint32(0x0), x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x7, x15, x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x9, x15, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x11, x15, x25) + var x28 uint32 + x28, _ = addcarryxU32(x13, x15, x27) + out1[0] = x16 + out1[1] = x18 + out1[2] = x20 + out1[3] = x22 + out1[4] = x24 + out1[5] = x26 + out1[6] = x28 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^7) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^7) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromMontgomery(out1 *[7]uint32, arg1 *[7]uint32) { - var x1 uint32 = (arg1[0]) - var x2 uint32 - _, x2 = bits.Mul32(x1, 0xffffffff) - var x4 uint32 - var x5 uint32 - x5, x4 = bits.Mul32(x2, 0xffffffff) - var x6 uint32 - var x7 uint32 - x7, x6 = bits.Mul32(x2, 0xffffffff) - var x8 uint32 - var x9 uint32 - x9, x8 = bits.Mul32(x2, 0xffffffff) - var x10 uint32 - var x11 uint32 - x11, x10 = bits.Mul32(x2, 0xffffffff) - var x12 uint32 - var x13 uint1 - x12, x13 = addcarryxU32(x11, x8, 0x0) - var x14 uint32 - var x15 uint1 - x14, x15 = addcarryxU32(x9, x6, x13) - var x16 uint32 - var x17 uint1 - x16, x17 = addcarryxU32(x7, x4, x15) - var x19 uint1 - _, x19 = addcarryxU32(x1, x2, 0x0) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(uint32(x19), (arg1[1]), 0x0) - var x22 uint32 - _, x22 = bits.Mul32(x20, 0xffffffff) - var x24 uint32 - var x25 uint32 - x25, x24 = bits.Mul32(x22, 0xffffffff) - var x26 
uint32 - var x27 uint32 - x27, x26 = bits.Mul32(x22, 0xffffffff) - var x28 uint32 - var x29 uint32 - x29, x28 = bits.Mul32(x22, 0xffffffff) - var x30 uint32 - var x31 uint32 - x31, x30 = bits.Mul32(x22, 0xffffffff) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x31, x28, 0x0) - var x34 uint32 - var x35 uint1 - x34, x35 = addcarryxU32(x29, x26, x33) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(x27, x24, x35) - var x38 uint32 - var x39 uint1 - x38, x39 = addcarryxU32(x12, x30, 0x0) - var x40 uint32 - var x41 uint1 - x40, x41 = addcarryxU32(x14, x32, x39) - var x42 uint32 - var x43 uint1 - x42, x43 = addcarryxU32(x16, x34, x41) - var x44 uint32 - var x45 uint1 - x44, x45 = addcarryxU32((uint32(x17) + x5), x36, x43) - var x46 uint32 - var x47 uint1 - x46, x47 = addcarryxU32(uint32(0x0), (uint32(x37) + x25), x45) - var x49 uint1 - _, x49 = addcarryxU32(x20, x22, 0x0) - var x50 uint32 - var x51 uint1 - x50, x51 = addcarryxU32((uint32(x49) + uint32(x21)), (arg1[2]), 0x0) - var x52 uint32 - var x53 uint1 - x52, x53 = addcarryxU32(x10, uint32(0x0), x51) - var x54 uint32 - var x55 uint1 - x54, x55 = addcarryxU32(x38, uint32(0x0), x53) - var x56 uint32 - var x57 uint1 - x56, x57 = addcarryxU32(x40, uint32(0x0), x55) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x42, uint32(0x0), x57) - var x60 uint32 - var x61 uint1 - x60, x61 = addcarryxU32(x44, uint32(0x0), x59) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x46, uint32(0x0), x61) - var x64 uint32 - _, x64 = bits.Mul32(x50, 0xffffffff) - var x66 uint32 - var x67 uint32 - x67, x66 = bits.Mul32(x64, 0xffffffff) - var x68 uint32 - var x69 uint32 - x69, x68 = bits.Mul32(x64, 0xffffffff) - var x70 uint32 - var x71 uint32 - x71, x70 = bits.Mul32(x64, 0xffffffff) - var x72 uint32 - var x73 uint32 - x73, x72 = bits.Mul32(x64, 0xffffffff) - var x74 uint32 - var x75 uint1 - x74, x75 = addcarryxU32(x73, x70, 0x0) - var x76 uint32 - var x77 uint1 - x76, x77 = addcarryxU32(x71, x68, 
x75) - var x78 uint32 - var x79 uint1 - x78, x79 = addcarryxU32(x69, x66, x77) - var x81 uint1 - _, x81 = addcarryxU32(x50, x64, 0x0) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x52, uint32(0x0), x81) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32(x54, uint32(0x0), x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x56, x72, x85) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x58, x74, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x60, x76, x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x62, x78, x91) - var x94 uint32 - var x95 uint1 - x94, x95 = addcarryxU32((uint32(x63) + uint32(x47)), (uint32(x79) + x67), x93) - var x96 uint32 - var x97 uint1 - x96, x97 = addcarryxU32(x82, (arg1[3]), 0x0) - var x98 uint32 - var x99 uint1 - x98, x99 = addcarryxU32(x84, uint32(0x0), x97) - var x100 uint32 - var x101 uint1 - x100, x101 = addcarryxU32(x86, uint32(0x0), x99) - var x102 uint32 - var x103 uint1 - x102, x103 = addcarryxU32(x88, uint32(0x0), x101) - var x104 uint32 - var x105 uint1 - x104, x105 = addcarryxU32(x90, uint32(0x0), x103) - var x106 uint32 - var x107 uint1 - x106, x107 = addcarryxU32(x92, uint32(0x0), x105) - var x108 uint32 - var x109 uint1 - x108, x109 = addcarryxU32(x94, uint32(0x0), x107) - var x110 uint32 - _, x110 = bits.Mul32(x96, 0xffffffff) - var x112 uint32 - var x113 uint32 - x113, x112 = bits.Mul32(x110, 0xffffffff) - var x114 uint32 - var x115 uint32 - x115, x114 = bits.Mul32(x110, 0xffffffff) - var x116 uint32 - var x117 uint32 - x117, x116 = bits.Mul32(x110, 0xffffffff) - var x118 uint32 - var x119 uint32 - x119, x118 = bits.Mul32(x110, 0xffffffff) - var x120 uint32 - var x121 uint1 - x120, x121 = addcarryxU32(x119, x116, 0x0) - var x122 uint32 - var x123 uint1 - x122, x123 = addcarryxU32(x117, x114, x121) - var x124 uint32 - var x125 uint1 - x124, x125 = addcarryxU32(x115, x112, x123) - var x127 uint1 - _, x127 = addcarryxU32(x96, x110, 0x0) - var x128 uint32 
- var x129 uint1 - x128, x129 = addcarryxU32(x98, uint32(0x0), x127) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x100, uint32(0x0), x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x102, x118, x131) - var x134 uint32 - var x135 uint1 - x134, x135 = addcarryxU32(x104, x120, x133) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x106, x122, x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(x108, x124, x137) - var x140 uint32 - var x141 uint1 - x140, x141 = addcarryxU32((uint32(x109) + uint32(x95)), (uint32(x125) + x113), x139) - var x142 uint32 - var x143 uint1 - x142, x143 = addcarryxU32(x128, (arg1[4]), 0x0) - var x144 uint32 - var x145 uint1 - x144, x145 = addcarryxU32(x130, uint32(0x0), x143) - var x146 uint32 - var x147 uint1 - x146, x147 = addcarryxU32(x132, uint32(0x0), x145) - var x148 uint32 - var x149 uint1 - x148, x149 = addcarryxU32(x134, uint32(0x0), x147) - var x150 uint32 - var x151 uint1 - x150, x151 = addcarryxU32(x136, uint32(0x0), x149) - var x152 uint32 - var x153 uint1 - x152, x153 = addcarryxU32(x138, uint32(0x0), x151) - var x154 uint32 - var x155 uint1 - x154, x155 = addcarryxU32(x140, uint32(0x0), x153) - var x156 uint32 - _, x156 = bits.Mul32(x142, 0xffffffff) - var x158 uint32 - var x159 uint32 - x159, x158 = bits.Mul32(x156, 0xffffffff) - var x160 uint32 - var x161 uint32 - x161, x160 = bits.Mul32(x156, 0xffffffff) - var x162 uint32 - var x163 uint32 - x163, x162 = bits.Mul32(x156, 0xffffffff) - var x164 uint32 - var x165 uint32 - x165, x164 = bits.Mul32(x156, 0xffffffff) - var x166 uint32 - var x167 uint1 - x166, x167 = addcarryxU32(x165, x162, 0x0) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x163, x160, x167) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x161, x158, x169) - var x173 uint1 - _, x173 = addcarryxU32(x142, x156, 0x0) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x144, uint32(0x0), x173) - var x176 
uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x146, uint32(0x0), x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x148, x164, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x150, x166, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x152, x168, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x154, x170, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32((uint32(x155) + uint32(x141)), (uint32(x171) + x159), x185) - var x188 uint32 - var x189 uint1 - x188, x189 = addcarryxU32(x174, (arg1[5]), 0x0) - var x190 uint32 - var x191 uint1 - x190, x191 = addcarryxU32(x176, uint32(0x0), x189) - var x192 uint32 - var x193 uint1 - x192, x193 = addcarryxU32(x178, uint32(0x0), x191) - var x194 uint32 - var x195 uint1 - x194, x195 = addcarryxU32(x180, uint32(0x0), x193) - var x196 uint32 - var x197 uint1 - x196, x197 = addcarryxU32(x182, uint32(0x0), x195) - var x198 uint32 - var x199 uint1 - x198, x199 = addcarryxU32(x184, uint32(0x0), x197) - var x200 uint32 - var x201 uint1 - x200, x201 = addcarryxU32(x186, uint32(0x0), x199) - var x202 uint32 - _, x202 = bits.Mul32(x188, 0xffffffff) - var x204 uint32 - var x205 uint32 - x205, x204 = bits.Mul32(x202, 0xffffffff) - var x206 uint32 - var x207 uint32 - x207, x206 = bits.Mul32(x202, 0xffffffff) - var x208 uint32 - var x209 uint32 - x209, x208 = bits.Mul32(x202, 0xffffffff) - var x210 uint32 - var x211 uint32 - x211, x210 = bits.Mul32(x202, 0xffffffff) - var x212 uint32 - var x213 uint1 - x212, x213 = addcarryxU32(x211, x208, 0x0) - var x214 uint32 - var x215 uint1 - x214, x215 = addcarryxU32(x209, x206, x213) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x207, x204, x215) - var x219 uint1 - _, x219 = addcarryxU32(x188, x202, 0x0) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x190, uint32(0x0), x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32(x192, uint32(0x0), x221) - var 
x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x194, x210, x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x196, x212, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x198, x214, x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x200, x216, x229) - var x232 uint32 - var x233 uint1 - x232, x233 = addcarryxU32((uint32(x201) + uint32(x187)), (uint32(x217) + x205), x231) - var x234 uint32 - var x235 uint1 - x234, x235 = addcarryxU32(x220, (arg1[6]), 0x0) - var x236 uint32 - var x237 uint1 - x236, x237 = addcarryxU32(x222, uint32(0x0), x235) - var x238 uint32 - var x239 uint1 - x238, x239 = addcarryxU32(x224, uint32(0x0), x237) - var x240 uint32 - var x241 uint1 - x240, x241 = addcarryxU32(x226, uint32(0x0), x239) - var x242 uint32 - var x243 uint1 - x242, x243 = addcarryxU32(x228, uint32(0x0), x241) - var x244 uint32 - var x245 uint1 - x244, x245 = addcarryxU32(x230, uint32(0x0), x243) - var x246 uint32 - var x247 uint1 - x246, x247 = addcarryxU32(x232, uint32(0x0), x245) - var x248 uint32 - _, x248 = bits.Mul32(x234, 0xffffffff) - var x250 uint32 - var x251 uint32 - x251, x250 = bits.Mul32(x248, 0xffffffff) - var x252 uint32 - var x253 uint32 - x253, x252 = bits.Mul32(x248, 0xffffffff) - var x254 uint32 - var x255 uint32 - x255, x254 = bits.Mul32(x248, 0xffffffff) - var x256 uint32 - var x257 uint32 - x257, x256 = bits.Mul32(x248, 0xffffffff) - var x258 uint32 - var x259 uint1 - x258, x259 = addcarryxU32(x257, x254, 0x0) - var x260 uint32 - var x261 uint1 - x260, x261 = addcarryxU32(x255, x252, x259) - var x262 uint32 - var x263 uint1 - x262, x263 = addcarryxU32(x253, x250, x261) - var x265 uint1 - _, x265 = addcarryxU32(x234, x248, 0x0) - var x266 uint32 - var x267 uint1 - x266, x267 = addcarryxU32(x236, uint32(0x0), x265) - var x268 uint32 - var x269 uint1 - x268, x269 = addcarryxU32(x238, uint32(0x0), x267) - var x270 uint32 - var x271 uint1 - x270, x271 = addcarryxU32(x240, x256, x269) - var 
x272 uint32 - var x273 uint1 - x272, x273 = addcarryxU32(x242, x258, x271) - var x274 uint32 - var x275 uint1 - x274, x275 = addcarryxU32(x244, x260, x273) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x246, x262, x275) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32((uint32(x247) + uint32(x233)), (uint32(x263) + x251), x277) - var x280 uint32 - var x281 uint1 - x280, x281 = subborrowxU32(x266, uint32(0x1), 0x0) - var x282 uint32 - var x283 uint1 - x282, x283 = subborrowxU32(x268, uint32(0x0), x281) - var x284 uint32 - var x285 uint1 - x284, x285 = subborrowxU32(x270, uint32(0x0), x283) - var x286 uint32 - var x287 uint1 - x286, x287 = subborrowxU32(x272, 0xffffffff, x285) - var x288 uint32 - var x289 uint1 - x288, x289 = subborrowxU32(x274, 0xffffffff, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = subborrowxU32(x276, 0xffffffff, x289) - var x292 uint32 - var x293 uint1 - x292, x293 = subborrowxU32(x278, 0xffffffff, x291) - var x295 uint1 - _, x295 = subborrowxU32(uint32(x279), uint32(0x0), x293) - var x296 uint32 - cmovznzU32(&x296, x295, x280, x266) - var x297 uint32 - cmovznzU32(&x297, x295, x282, x268) - var x298 uint32 - cmovznzU32(&x298, x295, x284, x270) - var x299 uint32 - cmovznzU32(&x299, x295, x286, x272) - var x300 uint32 - cmovznzU32(&x300, x295, x288, x274) - var x301 uint32 - cmovznzU32(&x301, x295, x290, x276) - var x302 uint32 - cmovznzU32(&x302, x295, x292, x278) - out1[0] = x296 - out1[1] = x297 - out1[2] = x298 - out1[3] = x299 - out1[4] = x300 - out1[5] = x301 - out1[6] = x302 + x1 := arg1[0] + var x2 uint32 + _, x2 = bits.Mul32(x1, 0xffffffff) + var x4 uint32 + var x5 uint32 + x5, x4 = bits.Mul32(x2, 0xffffffff) + var x6 uint32 + var x7 uint32 + x7, x6 = bits.Mul32(x2, 0xffffffff) + var x8 uint32 + var x9 uint32 + x9, x8 = bits.Mul32(x2, 0xffffffff) + var x10 uint32 + var x11 uint32 + x11, x10 = bits.Mul32(x2, 0xffffffff) + var x12 uint32 + var x13 uint1 + x12, x13 = addcarryxU32(x11, x8, 0x0) + var 
x14 uint32 + var x15 uint1 + x14, x15 = addcarryxU32(x9, x6, x13) + var x16 uint32 + var x17 uint1 + x16, x17 = addcarryxU32(x7, x4, x15) + var x19 uint1 + _, x19 = addcarryxU32(x1, x2, 0x0) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(uint32(x19), arg1[1], 0x0) + var x22 uint32 + _, x22 = bits.Mul32(x20, 0xffffffff) + var x24 uint32 + var x25 uint32 + x25, x24 = bits.Mul32(x22, 0xffffffff) + var x26 uint32 + var x27 uint32 + x27, x26 = bits.Mul32(x22, 0xffffffff) + var x28 uint32 + var x29 uint32 + x29, x28 = bits.Mul32(x22, 0xffffffff) + var x30 uint32 + var x31 uint32 + x31, x30 = bits.Mul32(x22, 0xffffffff) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x31, x28, 0x0) + var x34 uint32 + var x35 uint1 + x34, x35 = addcarryxU32(x29, x26, x33) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(x27, x24, x35) + var x38 uint32 + var x39 uint1 + x38, x39 = addcarryxU32(x12, x30, 0x0) + var x40 uint32 + var x41 uint1 + x40, x41 = addcarryxU32(x14, x32, x39) + var x42 uint32 + var x43 uint1 + x42, x43 = addcarryxU32(x16, x34, x41) + var x44 uint32 + var x45 uint1 + x44, x45 = addcarryxU32((uint32(x17) + x5), x36, x43) + var x46 uint32 + var x47 uint1 + x46, x47 = addcarryxU32(uint32(0x0), (uint32(x37) + x25), x45) + var x49 uint1 + _, x49 = addcarryxU32(x20, x22, 0x0) + var x50 uint32 + var x51 uint1 + x50, x51 = addcarryxU32((uint32(x49) + uint32(x21)), arg1[2], 0x0) + var x52 uint32 + var x53 uint1 + x52, x53 = addcarryxU32(x10, uint32(0x0), x51) + var x54 uint32 + var x55 uint1 + x54, x55 = addcarryxU32(x38, uint32(0x0), x53) + var x56 uint32 + var x57 uint1 + x56, x57 = addcarryxU32(x40, uint32(0x0), x55) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x42, uint32(0x0), x57) + var x60 uint32 + var x61 uint1 + x60, x61 = addcarryxU32(x44, uint32(0x0), x59) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x46, uint32(0x0), x61) + var x64 uint32 + _, x64 = bits.Mul32(x50, 0xffffffff) + var x66 uint32 + var x67 
uint32 + x67, x66 = bits.Mul32(x64, 0xffffffff) + var x68 uint32 + var x69 uint32 + x69, x68 = bits.Mul32(x64, 0xffffffff) + var x70 uint32 + var x71 uint32 + x71, x70 = bits.Mul32(x64, 0xffffffff) + var x72 uint32 + var x73 uint32 + x73, x72 = bits.Mul32(x64, 0xffffffff) + var x74 uint32 + var x75 uint1 + x74, x75 = addcarryxU32(x73, x70, 0x0) + var x76 uint32 + var x77 uint1 + x76, x77 = addcarryxU32(x71, x68, x75) + var x78 uint32 + var x79 uint1 + x78, x79 = addcarryxU32(x69, x66, x77) + var x81 uint1 + _, x81 = addcarryxU32(x50, x64, 0x0) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x52, uint32(0x0), x81) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32(x54, uint32(0x0), x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x56, x72, x85) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x58, x74, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x60, x76, x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x62, x78, x91) + var x94 uint32 + var x95 uint1 + x94, x95 = addcarryxU32((uint32(x63) + uint32(x47)), (uint32(x79) + x67), x93) + var x96 uint32 + var x97 uint1 + x96, x97 = addcarryxU32(x82, arg1[3], 0x0) + var x98 uint32 + var x99 uint1 + x98, x99 = addcarryxU32(x84, uint32(0x0), x97) + var x100 uint32 + var x101 uint1 + x100, x101 = addcarryxU32(x86, uint32(0x0), x99) + var x102 uint32 + var x103 uint1 + x102, x103 = addcarryxU32(x88, uint32(0x0), x101) + var x104 uint32 + var x105 uint1 + x104, x105 = addcarryxU32(x90, uint32(0x0), x103) + var x106 uint32 + var x107 uint1 + x106, x107 = addcarryxU32(x92, uint32(0x0), x105) + var x108 uint32 + var x109 uint1 + x108, x109 = addcarryxU32(x94, uint32(0x0), x107) + var x110 uint32 + _, x110 = bits.Mul32(x96, 0xffffffff) + var x112 uint32 + var x113 uint32 + x113, x112 = bits.Mul32(x110, 0xffffffff) + var x114 uint32 + var x115 uint32 + x115, x114 = bits.Mul32(x110, 0xffffffff) + var x116 uint32 + var x117 uint32 + x117, x116 = 
bits.Mul32(x110, 0xffffffff) + var x118 uint32 + var x119 uint32 + x119, x118 = bits.Mul32(x110, 0xffffffff) + var x120 uint32 + var x121 uint1 + x120, x121 = addcarryxU32(x119, x116, 0x0) + var x122 uint32 + var x123 uint1 + x122, x123 = addcarryxU32(x117, x114, x121) + var x124 uint32 + var x125 uint1 + x124, x125 = addcarryxU32(x115, x112, x123) + var x127 uint1 + _, x127 = addcarryxU32(x96, x110, 0x0) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x98, uint32(0x0), x127) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x100, uint32(0x0), x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x102, x118, x131) + var x134 uint32 + var x135 uint1 + x134, x135 = addcarryxU32(x104, x120, x133) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x106, x122, x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(x108, x124, x137) + var x140 uint32 + var x141 uint1 + x140, x141 = addcarryxU32((uint32(x109) + uint32(x95)), (uint32(x125) + x113), x139) + var x142 uint32 + var x143 uint1 + x142, x143 = addcarryxU32(x128, arg1[4], 0x0) + var x144 uint32 + var x145 uint1 + x144, x145 = addcarryxU32(x130, uint32(0x0), x143) + var x146 uint32 + var x147 uint1 + x146, x147 = addcarryxU32(x132, uint32(0x0), x145) + var x148 uint32 + var x149 uint1 + x148, x149 = addcarryxU32(x134, uint32(0x0), x147) + var x150 uint32 + var x151 uint1 + x150, x151 = addcarryxU32(x136, uint32(0x0), x149) + var x152 uint32 + var x153 uint1 + x152, x153 = addcarryxU32(x138, uint32(0x0), x151) + var x154 uint32 + var x155 uint1 + x154, x155 = addcarryxU32(x140, uint32(0x0), x153) + var x156 uint32 + _, x156 = bits.Mul32(x142, 0xffffffff) + var x158 uint32 + var x159 uint32 + x159, x158 = bits.Mul32(x156, 0xffffffff) + var x160 uint32 + var x161 uint32 + x161, x160 = bits.Mul32(x156, 0xffffffff) + var x162 uint32 + var x163 uint32 + x163, x162 = bits.Mul32(x156, 0xffffffff) + var x164 uint32 + var x165 uint32 + x165, x164 = 
bits.Mul32(x156, 0xffffffff) + var x166 uint32 + var x167 uint1 + x166, x167 = addcarryxU32(x165, x162, 0x0) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x163, x160, x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x161, x158, x169) + var x173 uint1 + _, x173 = addcarryxU32(x142, x156, 0x0) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x144, uint32(0x0), x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x146, uint32(0x0), x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x148, x164, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x150, x166, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x152, x168, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x154, x170, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32((uint32(x155) + uint32(x141)), (uint32(x171) + x159), x185) + var x188 uint32 + var x189 uint1 + x188, x189 = addcarryxU32(x174, arg1[5], 0x0) + var x190 uint32 + var x191 uint1 + x190, x191 = addcarryxU32(x176, uint32(0x0), x189) + var x192 uint32 + var x193 uint1 + x192, x193 = addcarryxU32(x178, uint32(0x0), x191) + var x194 uint32 + var x195 uint1 + x194, x195 = addcarryxU32(x180, uint32(0x0), x193) + var x196 uint32 + var x197 uint1 + x196, x197 = addcarryxU32(x182, uint32(0x0), x195) + var x198 uint32 + var x199 uint1 + x198, x199 = addcarryxU32(x184, uint32(0x0), x197) + var x200 uint32 + var x201 uint1 + x200, x201 = addcarryxU32(x186, uint32(0x0), x199) + var x202 uint32 + _, x202 = bits.Mul32(x188, 0xffffffff) + var x204 uint32 + var x205 uint32 + x205, x204 = bits.Mul32(x202, 0xffffffff) + var x206 uint32 + var x207 uint32 + x207, x206 = bits.Mul32(x202, 0xffffffff) + var x208 uint32 + var x209 uint32 + x209, x208 = bits.Mul32(x202, 0xffffffff) + var x210 uint32 + var x211 uint32 + x211, x210 = bits.Mul32(x202, 0xffffffff) + var x212 uint32 + var x213 uint1 + x212, x213 = 
addcarryxU32(x211, x208, 0x0) + var x214 uint32 + var x215 uint1 + x214, x215 = addcarryxU32(x209, x206, x213) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x207, x204, x215) + var x219 uint1 + _, x219 = addcarryxU32(x188, x202, 0x0) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x190, uint32(0x0), x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x192, uint32(0x0), x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x194, x210, x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x196, x212, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x198, x214, x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x200, x216, x229) + var x232 uint32 + var x233 uint1 + x232, x233 = addcarryxU32((uint32(x201) + uint32(x187)), (uint32(x217) + x205), x231) + var x234 uint32 + var x235 uint1 + x234, x235 = addcarryxU32(x220, arg1[6], 0x0) + var x236 uint32 + var x237 uint1 + x236, x237 = addcarryxU32(x222, uint32(0x0), x235) + var x238 uint32 + var x239 uint1 + x238, x239 = addcarryxU32(x224, uint32(0x0), x237) + var x240 uint32 + var x241 uint1 + x240, x241 = addcarryxU32(x226, uint32(0x0), x239) + var x242 uint32 + var x243 uint1 + x242, x243 = addcarryxU32(x228, uint32(0x0), x241) + var x244 uint32 + var x245 uint1 + x244, x245 = addcarryxU32(x230, uint32(0x0), x243) + var x246 uint32 + var x247 uint1 + x246, x247 = addcarryxU32(x232, uint32(0x0), x245) + var x248 uint32 + _, x248 = bits.Mul32(x234, 0xffffffff) + var x250 uint32 + var x251 uint32 + x251, x250 = bits.Mul32(x248, 0xffffffff) + var x252 uint32 + var x253 uint32 + x253, x252 = bits.Mul32(x248, 0xffffffff) + var x254 uint32 + var x255 uint32 + x255, x254 = bits.Mul32(x248, 0xffffffff) + var x256 uint32 + var x257 uint32 + x257, x256 = bits.Mul32(x248, 0xffffffff) + var x258 uint32 + var x259 uint1 + x258, x259 = addcarryxU32(x257, x254, 0x0) + var x260 uint32 + var x261 uint1 + x260, x261 = 
addcarryxU32(x255, x252, x259) + var x262 uint32 + var x263 uint1 + x262, x263 = addcarryxU32(x253, x250, x261) + var x265 uint1 + _, x265 = addcarryxU32(x234, x248, 0x0) + var x266 uint32 + var x267 uint1 + x266, x267 = addcarryxU32(x236, uint32(0x0), x265) + var x268 uint32 + var x269 uint1 + x268, x269 = addcarryxU32(x238, uint32(0x0), x267) + var x270 uint32 + var x271 uint1 + x270, x271 = addcarryxU32(x240, x256, x269) + var x272 uint32 + var x273 uint1 + x272, x273 = addcarryxU32(x242, x258, x271) + var x274 uint32 + var x275 uint1 + x274, x275 = addcarryxU32(x244, x260, x273) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x246, x262, x275) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32((uint32(x247) + uint32(x233)), (uint32(x263) + x251), x277) + var x280 uint32 + var x281 uint1 + x280, x281 = subborrowxU32(x266, uint32(0x1), 0x0) + var x282 uint32 + var x283 uint1 + x282, x283 = subborrowxU32(x268, uint32(0x0), x281) + var x284 uint32 + var x285 uint1 + x284, x285 = subborrowxU32(x270, uint32(0x0), x283) + var x286 uint32 + var x287 uint1 + x286, x287 = subborrowxU32(x272, 0xffffffff, x285) + var x288 uint32 + var x289 uint1 + x288, x289 = subborrowxU32(x274, 0xffffffff, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = subborrowxU32(x276, 0xffffffff, x289) + var x292 uint32 + var x293 uint1 + x292, x293 = subborrowxU32(x278, 0xffffffff, x291) + var x295 uint1 + _, x295 = subborrowxU32(uint32(x279), uint32(0x0), x293) + var x296 uint32 + cmovznzU32(&x296, x295, x280, x266) + var x297 uint32 + cmovznzU32(&x297, x295, x282, x268) + var x298 uint32 + cmovznzU32(&x298, x295, x284, x270) + var x299 uint32 + cmovznzU32(&x299, x295, x286, x272) + var x300 uint32 + cmovznzU32(&x300, x295, x288, x274) + var x301 uint32 + cmovznzU32(&x301, x295, x290, x276) + var x302 uint32 + cmovznzU32(&x302, x295, x292, x278) + out1[0] = x296 + out1[1] = x297 + out1[2] = x298 + out1[3] = x299 + out1[4] = x300 + out1[5] = x301 + out1[6] = x302 
} -/* - The function ToMontgomery translates a field element into the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func ToMontgomery(out1 *[7]uint32, arg1 *[7]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[0]) - var x8 uint32 - var x9 uint32 - x9, x8 = bits.Mul32(x7, 0xffffffff) - var x10 uint32 - var x11 uint32 - x11, x10 = bits.Mul32(x7, 0xffffffff) - var x12 uint32 - var x13 uint32 - x13, x12 = bits.Mul32(x7, 0xfffffffe) - var x14 uint32 - var x15 uint1 - x14, x15 = addcarryxU32(x13, x10, 0x0) - var x16 uint32 - var x17 uint1 - x16, x17 = addcarryxU32(x11, x8, x15) - var x18 uint32 - _, x18 = bits.Mul32(x7, 0xffffffff) - var x20 uint32 - var x21 uint32 - x21, x20 = bits.Mul32(x18, 0xffffffff) - var x22 uint32 - var x23 uint32 - x23, x22 = bits.Mul32(x18, 0xffffffff) - var x24 uint32 - var 
x25 uint32 - x25, x24 = bits.Mul32(x18, 0xffffffff) - var x26 uint32 - var x27 uint32 - x27, x26 = bits.Mul32(x18, 0xffffffff) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x27, x24, 0x0) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x25, x22, x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x23, x20, x31) - var x34 uint32 - var x35 uint1 - x34, x35 = addcarryxU32(x12, x26, 0x0) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(x14, x28, x35) - var x38 uint32 - var x39 uint1 - x38, x39 = addcarryxU32(x16, x30, x37) - var x40 uint32 - var x41 uint1 - x40, x41 = addcarryxU32((uint32(x17) + x9), x32, x39) - var x42 uint32 - var x43 uint1 - x42, x43 = addcarryxU32(uint32(0x0), (uint32(x33) + x21), x41) - var x44 uint32 - var x45 uint32 - x45, x44 = bits.Mul32(x1, 0xffffffff) - var x46 uint32 - var x47 uint32 - x47, x46 = bits.Mul32(x1, 0xffffffff) - var x48 uint32 - var x49 uint32 - x49, x48 = bits.Mul32(x1, 0xfffffffe) - var x50 uint32 - var x51 uint1 - x50, x51 = addcarryxU32(x49, x46, 0x0) - var x52 uint32 - var x53 uint1 - x52, x53 = addcarryxU32(x47, x44, x51) - var x55 uint1 - _, x55 = addcarryxU32(x7, x18, 0x0) - var x56 uint32 - var x57 uint1 - x56, x57 = addcarryxU32(uint32(x55), x1, 0x0) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x36, x48, 0x0) - var x60 uint32 - var x61 uint1 - x60, x61 = addcarryxU32(x38, x50, x59) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x40, x52, x61) - var x64 uint32 - var x65 uint1 - x64, x65 = addcarryxU32(x42, (uint32(x53) + x45), x63) - var x66 uint32 - _, x66 = bits.Mul32(x56, 0xffffffff) - var x68 uint32 - var x69 uint32 - x69, x68 = bits.Mul32(x66, 0xffffffff) - var x70 uint32 - var x71 uint32 - x71, x70 = bits.Mul32(x66, 0xffffffff) - var x72 uint32 - var x73 uint32 - x73, x72 = bits.Mul32(x66, 0xffffffff) - var x74 uint32 - var x75 uint32 - x75, x74 = bits.Mul32(x66, 0xffffffff) - var x76 uint32 - var x77 uint1 - x76, x77 = addcarryxU32(x75, x72, 
0x0) - var x78 uint32 - var x79 uint1 - x78, x79 = addcarryxU32(x73, x70, x77) - var x80 uint32 - var x81 uint1 - x80, x81 = addcarryxU32(x71, x68, x79) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x58, x74, 0x0) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32(x60, x76, x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x62, x78, x85) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x64, x80, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32((uint32(x65) + uint32(x43)), (uint32(x81) + x69), x89) - var x92 uint32 - var x93 uint32 - x93, x92 = bits.Mul32(x2, 0xffffffff) - var x94 uint32 - var x95 uint32 - x95, x94 = bits.Mul32(x2, 0xffffffff) - var x96 uint32 - var x97 uint32 - x97, x96 = bits.Mul32(x2, 0xfffffffe) - var x98 uint32 - var x99 uint1 - x98, x99 = addcarryxU32(x97, x94, 0x0) - var x100 uint32 - var x101 uint1 - x100, x101 = addcarryxU32(x95, x92, x99) - var x103 uint1 - _, x103 = addcarryxU32(x56, x66, 0x0) - var x104 uint32 - var x105 uint1 - x104, x105 = addcarryxU32((uint32(x103) + uint32(x57)), x2, 0x0) - var x106 uint32 - var x107 uint1 - x106, x107 = addcarryxU32(x34, uint32(0x0), x105) - var x108 uint32 - var x109 uint1 - x108, x109 = addcarryxU32(x82, uint32(0x0), x107) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x84, x96, x109) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x86, x98, x111) - var x114 uint32 - var x115 uint1 - x114, x115 = addcarryxU32(x88, x100, x113) - var x116 uint32 - var x117 uint1 - x116, x117 = addcarryxU32(x90, (uint32(x101) + x93), x115) - var x118 uint32 - _, x118 = bits.Mul32(x104, 0xffffffff) - var x120 uint32 - var x121 uint32 - x121, x120 = bits.Mul32(x118, 0xffffffff) - var x122 uint32 - var x123 uint32 - x123, x122 = bits.Mul32(x118, 0xffffffff) - var x124 uint32 - var x125 uint32 - x125, x124 = bits.Mul32(x118, 0xffffffff) - var x126 uint32 - var x127 uint32 - x127, x126 = bits.Mul32(x118, 0xffffffff) - var x128 
uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x127, x124, 0x0) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x125, x122, x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x123, x120, x131) - var x135 uint1 - _, x135 = addcarryxU32(x104, x118, 0x0) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x106, uint32(0x0), x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(x108, uint32(0x0), x137) - var x140 uint32 - var x141 uint1 - x140, x141 = addcarryxU32(x110, x126, x139) - var x142 uint32 - var x143 uint1 - x142, x143 = addcarryxU32(x112, x128, x141) - var x144 uint32 - var x145 uint1 - x144, x145 = addcarryxU32(x114, x130, x143) - var x146 uint32 - var x147 uint1 - x146, x147 = addcarryxU32(x116, x132, x145) - var x148 uint32 - var x149 uint1 - x148, x149 = addcarryxU32((uint32(x117) + uint32(x91)), (uint32(x133) + x121), x147) - var x150 uint32 - var x151 uint32 - x151, x150 = bits.Mul32(x3, 0xffffffff) - var x152 uint32 - var x153 uint32 - x153, x152 = bits.Mul32(x3, 0xffffffff) - var x154 uint32 - var x155 uint32 - x155, x154 = bits.Mul32(x3, 0xfffffffe) - var x156 uint32 - var x157 uint1 - x156, x157 = addcarryxU32(x155, x152, 0x0) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x153, x150, x157) - var x160 uint32 - var x161 uint1 - x160, x161 = addcarryxU32(x136, x3, 0x0) - var x162 uint32 - var x163 uint1 - x162, x163 = addcarryxU32(x138, uint32(0x0), x161) - var x164 uint32 - var x165 uint1 - x164, x165 = addcarryxU32(x140, uint32(0x0), x163) - var x166 uint32 - var x167 uint1 - x166, x167 = addcarryxU32(x142, x154, x165) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x144, x156, x167) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x146, x158, x169) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x148, (uint32(x159) + x151), x171) - var x174 uint32 - _, x174 = bits.Mul32(x160, 0xffffffff) - var x176 uint32 - var x177 uint32 - 
x177, x176 = bits.Mul32(x174, 0xffffffff) - var x178 uint32 - var x179 uint32 - x179, x178 = bits.Mul32(x174, 0xffffffff) - var x180 uint32 - var x181 uint32 - x181, x180 = bits.Mul32(x174, 0xffffffff) - var x182 uint32 - var x183 uint32 - x183, x182 = bits.Mul32(x174, 0xffffffff) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x183, x180, 0x0) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x181, x178, x185) - var x188 uint32 - var x189 uint1 - x188, x189 = addcarryxU32(x179, x176, x187) - var x191 uint1 - _, x191 = addcarryxU32(x160, x174, 0x0) - var x192 uint32 - var x193 uint1 - x192, x193 = addcarryxU32(x162, uint32(0x0), x191) - var x194 uint32 - var x195 uint1 - x194, x195 = addcarryxU32(x164, uint32(0x0), x193) - var x196 uint32 - var x197 uint1 - x196, x197 = addcarryxU32(x166, x182, x195) - var x198 uint32 - var x199 uint1 - x198, x199 = addcarryxU32(x168, x184, x197) - var x200 uint32 - var x201 uint1 - x200, x201 = addcarryxU32(x170, x186, x199) - var x202 uint32 - var x203 uint1 - x202, x203 = addcarryxU32(x172, x188, x201) - var x204 uint32 - var x205 uint1 - x204, x205 = addcarryxU32((uint32(x173) + uint32(x149)), (uint32(x189) + x177), x203) - var x206 uint32 - var x207 uint32 - x207, x206 = bits.Mul32(x4, 0xffffffff) - var x208 uint32 - var x209 uint32 - x209, x208 = bits.Mul32(x4, 0xffffffff) - var x210 uint32 - var x211 uint32 - x211, x210 = bits.Mul32(x4, 0xfffffffe) - var x212 uint32 - var x213 uint1 - x212, x213 = addcarryxU32(x211, x208, 0x0) - var x214 uint32 - var x215 uint1 - x214, x215 = addcarryxU32(x209, x206, x213) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x192, x4, 0x0) - var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x194, uint32(0x0), x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x196, uint32(0x0), x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32(x198, x210, x221) - var x224 uint32 - var x225 uint1 - x224, x225 = 
addcarryxU32(x200, x212, x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x202, x214, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x204, (uint32(x215) + x207), x227) - var x230 uint32 - _, x230 = bits.Mul32(x216, 0xffffffff) - var x232 uint32 - var x233 uint32 - x233, x232 = bits.Mul32(x230, 0xffffffff) - var x234 uint32 - var x235 uint32 - x235, x234 = bits.Mul32(x230, 0xffffffff) - var x236 uint32 - var x237 uint32 - x237, x236 = bits.Mul32(x230, 0xffffffff) - var x238 uint32 - var x239 uint32 - x239, x238 = bits.Mul32(x230, 0xffffffff) - var x240 uint32 - var x241 uint1 - x240, x241 = addcarryxU32(x239, x236, 0x0) - var x242 uint32 - var x243 uint1 - x242, x243 = addcarryxU32(x237, x234, x241) - var x244 uint32 - var x245 uint1 - x244, x245 = addcarryxU32(x235, x232, x243) - var x247 uint1 - _, x247 = addcarryxU32(x216, x230, 0x0) - var x248 uint32 - var x249 uint1 - x248, x249 = addcarryxU32(x218, uint32(0x0), x247) - var x250 uint32 - var x251 uint1 - x250, x251 = addcarryxU32(x220, uint32(0x0), x249) - var x252 uint32 - var x253 uint1 - x252, x253 = addcarryxU32(x222, x238, x251) - var x254 uint32 - var x255 uint1 - x254, x255 = addcarryxU32(x224, x240, x253) - var x256 uint32 - var x257 uint1 - x256, x257 = addcarryxU32(x226, x242, x255) - var x258 uint32 - var x259 uint1 - x258, x259 = addcarryxU32(x228, x244, x257) - var x260 uint32 - var x261 uint1 - x260, x261 = addcarryxU32((uint32(x229) + uint32(x205)), (uint32(x245) + x233), x259) - var x262 uint32 - var x263 uint32 - x263, x262 = bits.Mul32(x5, 0xffffffff) - var x264 uint32 - var x265 uint32 - x265, x264 = bits.Mul32(x5, 0xffffffff) - var x266 uint32 - var x267 uint32 - x267, x266 = bits.Mul32(x5, 0xfffffffe) - var x268 uint32 - var x269 uint1 - x268, x269 = addcarryxU32(x267, x264, 0x0) - var x270 uint32 - var x271 uint1 - x270, x271 = addcarryxU32(x265, x262, x269) - var x272 uint32 - var x273 uint1 - x272, x273 = addcarryxU32(x248, x5, 0x0) - var x274 
uint32 - var x275 uint1 - x274, x275 = addcarryxU32(x250, uint32(0x0), x273) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x252, uint32(0x0), x275) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32(x254, x266, x277) - var x280 uint32 - var x281 uint1 - x280, x281 = addcarryxU32(x256, x268, x279) - var x282 uint32 - var x283 uint1 - x282, x283 = addcarryxU32(x258, x270, x281) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x260, (uint32(x271) + x263), x283) - var x286 uint32 - _, x286 = bits.Mul32(x272, 0xffffffff) - var x288 uint32 - var x289 uint32 - x289, x288 = bits.Mul32(x286, 0xffffffff) - var x290 uint32 - var x291 uint32 - x291, x290 = bits.Mul32(x286, 0xffffffff) - var x292 uint32 - var x293 uint32 - x293, x292 = bits.Mul32(x286, 0xffffffff) - var x294 uint32 - var x295 uint32 - x295, x294 = bits.Mul32(x286, 0xffffffff) - var x296 uint32 - var x297 uint1 - x296, x297 = addcarryxU32(x295, x292, 0x0) - var x298 uint32 - var x299 uint1 - x298, x299 = addcarryxU32(x293, x290, x297) - var x300 uint32 - var x301 uint1 - x300, x301 = addcarryxU32(x291, x288, x299) - var x303 uint1 - _, x303 = addcarryxU32(x272, x286, 0x0) - var x304 uint32 - var x305 uint1 - x304, x305 = addcarryxU32(x274, uint32(0x0), x303) - var x306 uint32 - var x307 uint1 - x306, x307 = addcarryxU32(x276, uint32(0x0), x305) - var x308 uint32 - var x309 uint1 - x308, x309 = addcarryxU32(x278, x294, x307) - var x310 uint32 - var x311 uint1 - x310, x311 = addcarryxU32(x280, x296, x309) - var x312 uint32 - var x313 uint1 - x312, x313 = addcarryxU32(x282, x298, x311) - var x314 uint32 - var x315 uint1 - x314, x315 = addcarryxU32(x284, x300, x313) - var x316 uint32 - var x317 uint1 - x316, x317 = addcarryxU32((uint32(x285) + uint32(x261)), (uint32(x301) + x289), x315) - var x318 uint32 - var x319 uint32 - x319, x318 = bits.Mul32(x6, 0xffffffff) - var x320 uint32 - var x321 uint32 - x321, x320 = bits.Mul32(x6, 0xffffffff) - var x322 uint32 - var x323 
uint32 - x323, x322 = bits.Mul32(x6, 0xfffffffe) - var x324 uint32 - var x325 uint1 - x324, x325 = addcarryxU32(x323, x320, 0x0) - var x326 uint32 - var x327 uint1 - x326, x327 = addcarryxU32(x321, x318, x325) - var x328 uint32 - var x329 uint1 - x328, x329 = addcarryxU32(x304, x6, 0x0) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x306, uint32(0x0), x329) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x308, uint32(0x0), x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x310, x322, x333) - var x336 uint32 - var x337 uint1 - x336, x337 = addcarryxU32(x312, x324, x335) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x314, x326, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x316, (uint32(x327) + x319), x339) - var x342 uint32 - _, x342 = bits.Mul32(x328, 0xffffffff) - var x344 uint32 - var x345 uint32 - x345, x344 = bits.Mul32(x342, 0xffffffff) - var x346 uint32 - var x347 uint32 - x347, x346 = bits.Mul32(x342, 0xffffffff) - var x348 uint32 - var x349 uint32 - x349, x348 = bits.Mul32(x342, 0xffffffff) - var x350 uint32 - var x351 uint32 - x351, x350 = bits.Mul32(x342, 0xffffffff) - var x352 uint32 - var x353 uint1 - x352, x353 = addcarryxU32(x351, x348, 0x0) - var x354 uint32 - var x355 uint1 - x354, x355 = addcarryxU32(x349, x346, x353) - var x356 uint32 - var x357 uint1 - x356, x357 = addcarryxU32(x347, x344, x355) - var x359 uint1 - _, x359 = addcarryxU32(x328, x342, 0x0) - var x360 uint32 - var x361 uint1 - x360, x361 = addcarryxU32(x330, uint32(0x0), x359) - var x362 uint32 - var x363 uint1 - x362, x363 = addcarryxU32(x332, uint32(0x0), x361) - var x364 uint32 - var x365 uint1 - x364, x365 = addcarryxU32(x334, x350, x363) - var x366 uint32 - var x367 uint1 - x366, x367 = addcarryxU32(x336, x352, x365) - var x368 uint32 - var x369 uint1 - x368, x369 = addcarryxU32(x338, x354, x367) - var x370 uint32 - var x371 uint1 - x370, x371 = addcarryxU32(x340, x356, x369) - var x372 
uint32 - var x373 uint1 - x372, x373 = addcarryxU32((uint32(x341) + uint32(x317)), (uint32(x357) + x345), x371) - var x374 uint32 - var x375 uint1 - x374, x375 = subborrowxU32(x360, uint32(0x1), 0x0) - var x376 uint32 - var x377 uint1 - x376, x377 = subborrowxU32(x362, uint32(0x0), x375) - var x378 uint32 - var x379 uint1 - x378, x379 = subborrowxU32(x364, uint32(0x0), x377) - var x380 uint32 - var x381 uint1 - x380, x381 = subborrowxU32(x366, 0xffffffff, x379) - var x382 uint32 - var x383 uint1 - x382, x383 = subborrowxU32(x368, 0xffffffff, x381) - var x384 uint32 - var x385 uint1 - x384, x385 = subborrowxU32(x370, 0xffffffff, x383) - var x386 uint32 - var x387 uint1 - x386, x387 = subborrowxU32(x372, 0xffffffff, x385) - var x389 uint1 - _, x389 = subborrowxU32(uint32(x373), uint32(0x0), x387) - var x390 uint32 - cmovznzU32(&x390, x389, x374, x360) - var x391 uint32 - cmovznzU32(&x391, x389, x376, x362) - var x392 uint32 - cmovznzU32(&x392, x389, x378, x364) - var x393 uint32 - cmovznzU32(&x393, x389, x380, x366) - var x394 uint32 - cmovznzU32(&x394, x389, x382, x368) - var x395 uint32 - cmovznzU32(&x395, x389, x384, x370) - var x396 uint32 - cmovznzU32(&x396, x389, x386, x372) - out1[0] = x390 - out1[1] = x391 - out1[2] = x392 - out1[3] = x393 - out1[4] = x394 - out1[5] = x395 - out1[6] = x396 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[0] + var x8 uint32 + var x9 uint32 + x9, x8 = bits.Mul32(x7, 0xffffffff) + var x10 uint32 + var x11 uint32 + x11, x10 = bits.Mul32(x7, 0xffffffff) + var x12 uint32 + var x13 uint32 + x13, x12 = bits.Mul32(x7, 0xfffffffe) + var x14 uint32 + var x15 uint1 + x14, x15 = addcarryxU32(x13, x10, 0x0) + var x16 uint32 + var x17 uint1 + x16, x17 = addcarryxU32(x11, x8, x15) + var x18 uint32 + _, x18 = bits.Mul32(x7, 0xffffffff) + var x20 uint32 + var x21 uint32 + x21, x20 = bits.Mul32(x18, 0xffffffff) + var x22 uint32 + var x23 uint32 + x23, x22 = bits.Mul32(x18, 0xffffffff) 
+ var x24 uint32 + var x25 uint32 + x25, x24 = bits.Mul32(x18, 0xffffffff) + var x26 uint32 + var x27 uint32 + x27, x26 = bits.Mul32(x18, 0xffffffff) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x27, x24, 0x0) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x25, x22, x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x23, x20, x31) + var x34 uint32 + var x35 uint1 + x34, x35 = addcarryxU32(x12, x26, 0x0) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(x14, x28, x35) + var x38 uint32 + var x39 uint1 + x38, x39 = addcarryxU32(x16, x30, x37) + var x40 uint32 + var x41 uint1 + x40, x41 = addcarryxU32((uint32(x17) + x9), x32, x39) + var x42 uint32 + var x43 uint1 + x42, x43 = addcarryxU32(uint32(0x0), (uint32(x33) + x21), x41) + var x44 uint32 + var x45 uint32 + x45, x44 = bits.Mul32(x1, 0xffffffff) + var x46 uint32 + var x47 uint32 + x47, x46 = bits.Mul32(x1, 0xffffffff) + var x48 uint32 + var x49 uint32 + x49, x48 = bits.Mul32(x1, 0xfffffffe) + var x50 uint32 + var x51 uint1 + x50, x51 = addcarryxU32(x49, x46, 0x0) + var x52 uint32 + var x53 uint1 + x52, x53 = addcarryxU32(x47, x44, x51) + var x55 uint1 + _, x55 = addcarryxU32(x7, x18, 0x0) + var x56 uint32 + var x57 uint1 + x56, x57 = addcarryxU32(uint32(x55), x1, 0x0) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x36, x48, 0x0) + var x60 uint32 + var x61 uint1 + x60, x61 = addcarryxU32(x38, x50, x59) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x40, x52, x61) + var x64 uint32 + var x65 uint1 + x64, x65 = addcarryxU32(x42, (uint32(x53) + x45), x63) + var x66 uint32 + _, x66 = bits.Mul32(x56, 0xffffffff) + var x68 uint32 + var x69 uint32 + x69, x68 = bits.Mul32(x66, 0xffffffff) + var x70 uint32 + var x71 uint32 + x71, x70 = bits.Mul32(x66, 0xffffffff) + var x72 uint32 + var x73 uint32 + x73, x72 = bits.Mul32(x66, 0xffffffff) + var x74 uint32 + var x75 uint32 + x75, x74 = bits.Mul32(x66, 0xffffffff) + var x76 uint32 + var x77 uint1 + x76, x77 = 
addcarryxU32(x75, x72, 0x0) + var x78 uint32 + var x79 uint1 + x78, x79 = addcarryxU32(x73, x70, x77) + var x80 uint32 + var x81 uint1 + x80, x81 = addcarryxU32(x71, x68, x79) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x58, x74, 0x0) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32(x60, x76, x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x62, x78, x85) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x64, x80, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32((uint32(x65) + uint32(x43)), (uint32(x81) + x69), x89) + var x92 uint32 + var x93 uint32 + x93, x92 = bits.Mul32(x2, 0xffffffff) + var x94 uint32 + var x95 uint32 + x95, x94 = bits.Mul32(x2, 0xffffffff) + var x96 uint32 + var x97 uint32 + x97, x96 = bits.Mul32(x2, 0xfffffffe) + var x98 uint32 + var x99 uint1 + x98, x99 = addcarryxU32(x97, x94, 0x0) + var x100 uint32 + var x101 uint1 + x100, x101 = addcarryxU32(x95, x92, x99) + var x103 uint1 + _, x103 = addcarryxU32(x56, x66, 0x0) + var x104 uint32 + var x105 uint1 + x104, x105 = addcarryxU32((uint32(x103) + uint32(x57)), x2, 0x0) + var x106 uint32 + var x107 uint1 + x106, x107 = addcarryxU32(x34, uint32(0x0), x105) + var x108 uint32 + var x109 uint1 + x108, x109 = addcarryxU32(x82, uint32(0x0), x107) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x84, x96, x109) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x86, x98, x111) + var x114 uint32 + var x115 uint1 + x114, x115 = addcarryxU32(x88, x100, x113) + var x116 uint32 + var x117 uint1 + x116, x117 = addcarryxU32(x90, (uint32(x101) + x93), x115) + var x118 uint32 + _, x118 = bits.Mul32(x104, 0xffffffff) + var x120 uint32 + var x121 uint32 + x121, x120 = bits.Mul32(x118, 0xffffffff) + var x122 uint32 + var x123 uint32 + x123, x122 = bits.Mul32(x118, 0xffffffff) + var x124 uint32 + var x125 uint32 + x125, x124 = bits.Mul32(x118, 0xffffffff) + var x126 uint32 + var x127 uint32 + x127, x126 = bits.Mul32(x118, 
0xffffffff) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x127, x124, 0x0) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x125, x122, x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x123, x120, x131) + var x135 uint1 + _, x135 = addcarryxU32(x104, x118, 0x0) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x106, uint32(0x0), x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(x108, uint32(0x0), x137) + var x140 uint32 + var x141 uint1 + x140, x141 = addcarryxU32(x110, x126, x139) + var x142 uint32 + var x143 uint1 + x142, x143 = addcarryxU32(x112, x128, x141) + var x144 uint32 + var x145 uint1 + x144, x145 = addcarryxU32(x114, x130, x143) + var x146 uint32 + var x147 uint1 + x146, x147 = addcarryxU32(x116, x132, x145) + var x148 uint32 + var x149 uint1 + x148, x149 = addcarryxU32((uint32(x117) + uint32(x91)), (uint32(x133) + x121), x147) + var x150 uint32 + var x151 uint32 + x151, x150 = bits.Mul32(x3, 0xffffffff) + var x152 uint32 + var x153 uint32 + x153, x152 = bits.Mul32(x3, 0xffffffff) + var x154 uint32 + var x155 uint32 + x155, x154 = bits.Mul32(x3, 0xfffffffe) + var x156 uint32 + var x157 uint1 + x156, x157 = addcarryxU32(x155, x152, 0x0) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x153, x150, x157) + var x160 uint32 + var x161 uint1 + x160, x161 = addcarryxU32(x136, x3, 0x0) + var x162 uint32 + var x163 uint1 + x162, x163 = addcarryxU32(x138, uint32(0x0), x161) + var x164 uint32 + var x165 uint1 + x164, x165 = addcarryxU32(x140, uint32(0x0), x163) + var x166 uint32 + var x167 uint1 + x166, x167 = addcarryxU32(x142, x154, x165) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x144, x156, x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x146, x158, x169) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x148, (uint32(x159) + x151), x171) + var x174 uint32 + _, x174 = bits.Mul32(x160, 0xffffffff) + var x176 
uint32 + var x177 uint32 + x177, x176 = bits.Mul32(x174, 0xffffffff) + var x178 uint32 + var x179 uint32 + x179, x178 = bits.Mul32(x174, 0xffffffff) + var x180 uint32 + var x181 uint32 + x181, x180 = bits.Mul32(x174, 0xffffffff) + var x182 uint32 + var x183 uint32 + x183, x182 = bits.Mul32(x174, 0xffffffff) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x183, x180, 0x0) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x181, x178, x185) + var x188 uint32 + var x189 uint1 + x188, x189 = addcarryxU32(x179, x176, x187) + var x191 uint1 + _, x191 = addcarryxU32(x160, x174, 0x0) + var x192 uint32 + var x193 uint1 + x192, x193 = addcarryxU32(x162, uint32(0x0), x191) + var x194 uint32 + var x195 uint1 + x194, x195 = addcarryxU32(x164, uint32(0x0), x193) + var x196 uint32 + var x197 uint1 + x196, x197 = addcarryxU32(x166, x182, x195) + var x198 uint32 + var x199 uint1 + x198, x199 = addcarryxU32(x168, x184, x197) + var x200 uint32 + var x201 uint1 + x200, x201 = addcarryxU32(x170, x186, x199) + var x202 uint32 + var x203 uint1 + x202, x203 = addcarryxU32(x172, x188, x201) + var x204 uint32 + var x205 uint1 + x204, x205 = addcarryxU32((uint32(x173) + uint32(x149)), (uint32(x189) + x177), x203) + var x206 uint32 + var x207 uint32 + x207, x206 = bits.Mul32(x4, 0xffffffff) + var x208 uint32 + var x209 uint32 + x209, x208 = bits.Mul32(x4, 0xffffffff) + var x210 uint32 + var x211 uint32 + x211, x210 = bits.Mul32(x4, 0xfffffffe) + var x212 uint32 + var x213 uint1 + x212, x213 = addcarryxU32(x211, x208, 0x0) + var x214 uint32 + var x215 uint1 + x214, x215 = addcarryxU32(x209, x206, x213) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x192, x4, 0x0) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x194, uint32(0x0), x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x196, uint32(0x0), x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x198, x210, x221) + var x224 uint32 + var x225 uint1 + 
x224, x225 = addcarryxU32(x200, x212, x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x202, x214, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x204, (uint32(x215) + x207), x227) + var x230 uint32 + _, x230 = bits.Mul32(x216, 0xffffffff) + var x232 uint32 + var x233 uint32 + x233, x232 = bits.Mul32(x230, 0xffffffff) + var x234 uint32 + var x235 uint32 + x235, x234 = bits.Mul32(x230, 0xffffffff) + var x236 uint32 + var x237 uint32 + x237, x236 = bits.Mul32(x230, 0xffffffff) + var x238 uint32 + var x239 uint32 + x239, x238 = bits.Mul32(x230, 0xffffffff) + var x240 uint32 + var x241 uint1 + x240, x241 = addcarryxU32(x239, x236, 0x0) + var x242 uint32 + var x243 uint1 + x242, x243 = addcarryxU32(x237, x234, x241) + var x244 uint32 + var x245 uint1 + x244, x245 = addcarryxU32(x235, x232, x243) + var x247 uint1 + _, x247 = addcarryxU32(x216, x230, 0x0) + var x248 uint32 + var x249 uint1 + x248, x249 = addcarryxU32(x218, uint32(0x0), x247) + var x250 uint32 + var x251 uint1 + x250, x251 = addcarryxU32(x220, uint32(0x0), x249) + var x252 uint32 + var x253 uint1 + x252, x253 = addcarryxU32(x222, x238, x251) + var x254 uint32 + var x255 uint1 + x254, x255 = addcarryxU32(x224, x240, x253) + var x256 uint32 + var x257 uint1 + x256, x257 = addcarryxU32(x226, x242, x255) + var x258 uint32 + var x259 uint1 + x258, x259 = addcarryxU32(x228, x244, x257) + var x260 uint32 + var x261 uint1 + x260, x261 = addcarryxU32((uint32(x229) + uint32(x205)), (uint32(x245) + x233), x259) + var x262 uint32 + var x263 uint32 + x263, x262 = bits.Mul32(x5, 0xffffffff) + var x264 uint32 + var x265 uint32 + x265, x264 = bits.Mul32(x5, 0xffffffff) + var x266 uint32 + var x267 uint32 + x267, x266 = bits.Mul32(x5, 0xfffffffe) + var x268 uint32 + var x269 uint1 + x268, x269 = addcarryxU32(x267, x264, 0x0) + var x270 uint32 + var x271 uint1 + x270, x271 = addcarryxU32(x265, x262, x269) + var x272 uint32 + var x273 uint1 + x272, x273 = addcarryxU32(x248, x5, 0x0) 
+ var x274 uint32 + var x275 uint1 + x274, x275 = addcarryxU32(x250, uint32(0x0), x273) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x252, uint32(0x0), x275) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32(x254, x266, x277) + var x280 uint32 + var x281 uint1 + x280, x281 = addcarryxU32(x256, x268, x279) + var x282 uint32 + var x283 uint1 + x282, x283 = addcarryxU32(x258, x270, x281) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x260, (uint32(x271) + x263), x283) + var x286 uint32 + _, x286 = bits.Mul32(x272, 0xffffffff) + var x288 uint32 + var x289 uint32 + x289, x288 = bits.Mul32(x286, 0xffffffff) + var x290 uint32 + var x291 uint32 + x291, x290 = bits.Mul32(x286, 0xffffffff) + var x292 uint32 + var x293 uint32 + x293, x292 = bits.Mul32(x286, 0xffffffff) + var x294 uint32 + var x295 uint32 + x295, x294 = bits.Mul32(x286, 0xffffffff) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x295, x292, 0x0) + var x298 uint32 + var x299 uint1 + x298, x299 = addcarryxU32(x293, x290, x297) + var x300 uint32 + var x301 uint1 + x300, x301 = addcarryxU32(x291, x288, x299) + var x303 uint1 + _, x303 = addcarryxU32(x272, x286, 0x0) + var x304 uint32 + var x305 uint1 + x304, x305 = addcarryxU32(x274, uint32(0x0), x303) + var x306 uint32 + var x307 uint1 + x306, x307 = addcarryxU32(x276, uint32(0x0), x305) + var x308 uint32 + var x309 uint1 + x308, x309 = addcarryxU32(x278, x294, x307) + var x310 uint32 + var x311 uint1 + x310, x311 = addcarryxU32(x280, x296, x309) + var x312 uint32 + var x313 uint1 + x312, x313 = addcarryxU32(x282, x298, x311) + var x314 uint32 + var x315 uint1 + x314, x315 = addcarryxU32(x284, x300, x313) + var x316 uint32 + var x317 uint1 + x316, x317 = addcarryxU32((uint32(x285) + uint32(x261)), (uint32(x301) + x289), x315) + var x318 uint32 + var x319 uint32 + x319, x318 = bits.Mul32(x6, 0xffffffff) + var x320 uint32 + var x321 uint32 + x321, x320 = bits.Mul32(x6, 0xffffffff) + var x322 uint32 + var 
x323 uint32 + x323, x322 = bits.Mul32(x6, 0xfffffffe) + var x324 uint32 + var x325 uint1 + x324, x325 = addcarryxU32(x323, x320, 0x0) + var x326 uint32 + var x327 uint1 + x326, x327 = addcarryxU32(x321, x318, x325) + var x328 uint32 + var x329 uint1 + x328, x329 = addcarryxU32(x304, x6, 0x0) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x306, uint32(0x0), x329) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x308, uint32(0x0), x331) + var x334 uint32 + var x335 uint1 + x334, x335 = addcarryxU32(x310, x322, x333) + var x336 uint32 + var x337 uint1 + x336, x337 = addcarryxU32(x312, x324, x335) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x314, x326, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x316, (uint32(x327) + x319), x339) + var x342 uint32 + _, x342 = bits.Mul32(x328, 0xffffffff) + var x344 uint32 + var x345 uint32 + x345, x344 = bits.Mul32(x342, 0xffffffff) + var x346 uint32 + var x347 uint32 + x347, x346 = bits.Mul32(x342, 0xffffffff) + var x348 uint32 + var x349 uint32 + x349, x348 = bits.Mul32(x342, 0xffffffff) + var x350 uint32 + var x351 uint32 + x351, x350 = bits.Mul32(x342, 0xffffffff) + var x352 uint32 + var x353 uint1 + x352, x353 = addcarryxU32(x351, x348, 0x0) + var x354 uint32 + var x355 uint1 + x354, x355 = addcarryxU32(x349, x346, x353) + var x356 uint32 + var x357 uint1 + x356, x357 = addcarryxU32(x347, x344, x355) + var x359 uint1 + _, x359 = addcarryxU32(x328, x342, 0x0) + var x360 uint32 + var x361 uint1 + x360, x361 = addcarryxU32(x330, uint32(0x0), x359) + var x362 uint32 + var x363 uint1 + x362, x363 = addcarryxU32(x332, uint32(0x0), x361) + var x364 uint32 + var x365 uint1 + x364, x365 = addcarryxU32(x334, x350, x363) + var x366 uint32 + var x367 uint1 + x366, x367 = addcarryxU32(x336, x352, x365) + var x368 uint32 + var x369 uint1 + x368, x369 = addcarryxU32(x338, x354, x367) + var x370 uint32 + var x371 uint1 + x370, x371 = addcarryxU32(x340, x356, x369) + var 
x372 uint32 + var x373 uint1 + x372, x373 = addcarryxU32((uint32(x341) + uint32(x317)), (uint32(x357) + x345), x371) + var x374 uint32 + var x375 uint1 + x374, x375 = subborrowxU32(x360, uint32(0x1), 0x0) + var x376 uint32 + var x377 uint1 + x376, x377 = subborrowxU32(x362, uint32(0x0), x375) + var x378 uint32 + var x379 uint1 + x378, x379 = subborrowxU32(x364, uint32(0x0), x377) + var x380 uint32 + var x381 uint1 + x380, x381 = subborrowxU32(x366, 0xffffffff, x379) + var x382 uint32 + var x383 uint1 + x382, x383 = subborrowxU32(x368, 0xffffffff, x381) + var x384 uint32 + var x385 uint1 + x384, x385 = subborrowxU32(x370, 0xffffffff, x383) + var x386 uint32 + var x387 uint1 + x386, x387 = subborrowxU32(x372, 0xffffffff, x385) + var x389 uint1 + _, x389 = subborrowxU32(uint32(x373), uint32(0x0), x387) + var x390 uint32 + cmovznzU32(&x390, x389, x374, x360) + var x391 uint32 + cmovznzU32(&x391, x389, x376, x362) + var x392 uint32 + cmovznzU32(&x392, x389, x378, x364) + var x393 uint32 + cmovznzU32(&x393, x389, x380, x366) + var x394 uint32 + cmovznzU32(&x394, x389, x382, x368) + var x395 uint32 + cmovznzU32(&x395, x389, x384, x370) + var x396 uint32 + cmovznzU32(&x396, x389, x386, x372) + out1[0] = x390 + out1[1] = x391 + out1[2] = x392 + out1[3] = x393 + out1[4] = x394 + out1[5] = x395 + out1[6] = x396 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func Nonzero(out1 *uint32, arg1 *[7]uint32) { - var x1 uint32 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | (arg1[6]))))))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | (arg1[3] | (arg1[4] | (arg1[5] | arg1[6])))))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. - Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Selectznz(out1 *[7]uint32, arg1 uint1, arg2 *[7]uint32, arg3 *[7]uint32) { - var x1 uint32 - cmovznzU32(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint32 - cmovznzU32(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint32 - cmovznzU32(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint32 - cmovznzU32(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint32 - cmovznzU32(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint32 - cmovznzU32(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint32 - cmovznzU32(&x7, arg1, (arg2[6]), (arg3[6])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 + var x1 uint32 + cmovznzU32(&x1, arg1, arg2[0], arg3[0]) + var x2 uint32 + cmovznzU32(&x2, arg1, arg2[1], arg3[1]) + var x3 uint32 + cmovznzU32(&x3, arg1, arg2[2], arg3[2]) + var x4 uint32 + cmovznzU32(&x4, arg1, arg2[3], arg3[3]) + var x5 uint32 + cmovznzU32(&x5, arg1, arg2[4], arg3[4]) + var x6 uint32 + cmovznzU32(&x6, arg1, arg2[5], arg3[5]) + var x7 uint32 + cmovznzU32(&x7, arg1, arg2[6], arg3[6]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..27] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..27] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[28]uint8, arg1 *[7]uint32) { - var x1 uint32 = (arg1[6]) - var x2 uint32 = (arg1[5]) - var x3 uint32 = (arg1[4]) - var x4 uint32 = (arg1[3]) - var x5 uint32 = (arg1[2]) - var x6 uint32 = (arg1[1]) - var x7 uint32 = (arg1[0]) - var x8 uint8 = (uint8(x7) & 0xff) - var x9 uint32 = (x7 >> 8) - var x10 uint8 = (uint8(x9) & 0xff) 
- var x11 uint32 = (x9 >> 8) - var x12 uint8 = (uint8(x11) & 0xff) - var x13 uint8 = uint8((x11 >> 8)) - var x14 uint8 = (uint8(x6) & 0xff) - var x15 uint32 = (x6 >> 8) - var x16 uint8 = (uint8(x15) & 0xff) - var x17 uint32 = (x15 >> 8) - var x18 uint8 = (uint8(x17) & 0xff) - var x19 uint8 = uint8((x17 >> 8)) - var x20 uint8 = (uint8(x5) & 0xff) - var x21 uint32 = (x5 >> 8) - var x22 uint8 = (uint8(x21) & 0xff) - var x23 uint32 = (x21 >> 8) - var x24 uint8 = (uint8(x23) & 0xff) - var x25 uint8 = uint8((x23 >> 8)) - var x26 uint8 = (uint8(x4) & 0xff) - var x27 uint32 = (x4 >> 8) - var x28 uint8 = (uint8(x27) & 0xff) - var x29 uint32 = (x27 >> 8) - var x30 uint8 = (uint8(x29) & 0xff) - var x31 uint8 = uint8((x29 >> 8)) - var x32 uint8 = (uint8(x3) & 0xff) - var x33 uint32 = (x3 >> 8) - var x34 uint8 = (uint8(x33) & 0xff) - var x35 uint32 = (x33 >> 8) - var x36 uint8 = (uint8(x35) & 0xff) - var x37 uint8 = uint8((x35 >> 8)) - var x38 uint8 = (uint8(x2) & 0xff) - var x39 uint32 = (x2 >> 8) - var x40 uint8 = (uint8(x39) & 0xff) - var x41 uint32 = (x39 >> 8) - var x42 uint8 = (uint8(x41) & 0xff) - var x43 uint8 = uint8((x41 >> 8)) - var x44 uint8 = (uint8(x1) & 0xff) - var x45 uint32 = (x1 >> 8) - var x46 uint8 = (uint8(x45) & 0xff) - var x47 uint32 = (x45 >> 8) - var x48 uint8 = (uint8(x47) & 0xff) - var x49 uint8 = uint8((x47 >> 8)) - out1[0] = x8 - out1[1] = x10 - out1[2] = x12 - out1[3] = x13 - out1[4] = x14 - out1[5] = x16 - out1[6] = x18 - out1[7] = x19 - out1[8] = x20 - out1[9] = x22 - out1[10] = x24 - out1[11] = x25 - out1[12] = x26 - out1[13] = x28 - out1[14] = x30 - out1[15] = x31 - out1[16] = x32 - out1[17] = x34 - out1[18] = x36 - out1[19] = x37 - out1[20] = x38 - out1[21] = x40 - out1[22] = x42 - out1[23] = x43 - out1[24] = x44 - out1[25] = x46 - out1[26] = x48 - out1[27] = x49 + x1 := arg1[6] + x2 := arg1[5] + x3 := arg1[4] + x4 := arg1[3] + x5 := arg1[2] + x6 := arg1[1] + x7 := arg1[0] + x8 := (uint8(x7) & 0xff) + x9 := (x7 >> 8) + x10 := (uint8(x9) & 
0xff) + x11 := (x9 >> 8) + x12 := (uint8(x11) & 0xff) + x13 := uint8((x11 >> 8)) + x14 := (uint8(x6) & 0xff) + x15 := (x6 >> 8) + x16 := (uint8(x15) & 0xff) + x17 := (x15 >> 8) + x18 := (uint8(x17) & 0xff) + x19 := uint8((x17 >> 8)) + x20 := (uint8(x5) & 0xff) + x21 := (x5 >> 8) + x22 := (uint8(x21) & 0xff) + x23 := (x21 >> 8) + x24 := (uint8(x23) & 0xff) + x25 := uint8((x23 >> 8)) + x26 := (uint8(x4) & 0xff) + x27 := (x4 >> 8) + x28 := (uint8(x27) & 0xff) + x29 := (x27 >> 8) + x30 := (uint8(x29) & 0xff) + x31 := uint8((x29 >> 8)) + x32 := (uint8(x3) & 0xff) + x33 := (x3 >> 8) + x34 := (uint8(x33) & 0xff) + x35 := (x33 >> 8) + x36 := (uint8(x35) & 0xff) + x37 := uint8((x35 >> 8)) + x38 := (uint8(x2) & 0xff) + x39 := (x2 >> 8) + x40 := (uint8(x39) & 0xff) + x41 := (x39 >> 8) + x42 := (uint8(x41) & 0xff) + x43 := uint8((x41 >> 8)) + x44 := (uint8(x1) & 0xff) + x45 := (x1 >> 8) + x46 := (uint8(x45) & 0xff) + x47 := (x45 >> 8) + x48 := (uint8(x47) & 0xff) + x49 := uint8((x47 >> 8)) + out1[0] = x8 + out1[1] = x10 + out1[2] = x12 + out1[3] = x13 + out1[4] = x14 + out1[5] = x16 + out1[6] = x18 + out1[7] = x19 + out1[8] = x20 + out1[9] = x22 + out1[10] = x24 + out1[11] = x25 + out1[12] = x26 + out1[13] = x28 + out1[14] = x30 + out1[15] = x31 + out1[16] = x32 + out1[17] = x34 + out1[18] = x36 + out1[19] = x37 + out1[20] = x38 + out1[21] = x40 + out1[22] = x42 + out1[23] = x43 + out1[24] = x44 + out1[25] = x46 + out1[26] = x48 + out1[27] = x49 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
- Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromBytes(out1 *[7]uint32, arg1 *[28]uint8) { - var x1 uint32 = (uint32((arg1[27])) << 24) - var x2 uint32 = (uint32((arg1[26])) << 16) - var x3 uint32 = (uint32((arg1[25])) << 8) - var x4 uint8 = (arg1[24]) - var x5 uint32 = (uint32((arg1[23])) << 24) - var x6 uint32 = (uint32((arg1[22])) << 16) - var x7 uint32 = (uint32((arg1[21])) << 8) - var x8 uint8 = 
(arg1[20]) - var x9 uint32 = (uint32((arg1[19])) << 24) - var x10 uint32 = (uint32((arg1[18])) << 16) - var x11 uint32 = (uint32((arg1[17])) << 8) - var x12 uint8 = (arg1[16]) - var x13 uint32 = (uint32((arg1[15])) << 24) - var x14 uint32 = (uint32((arg1[14])) << 16) - var x15 uint32 = (uint32((arg1[13])) << 8) - var x16 uint8 = (arg1[12]) - var x17 uint32 = (uint32((arg1[11])) << 24) - var x18 uint32 = (uint32((arg1[10])) << 16) - var x19 uint32 = (uint32((arg1[9])) << 8) - var x20 uint8 = (arg1[8]) - var x21 uint32 = (uint32((arg1[7])) << 24) - var x22 uint32 = (uint32((arg1[6])) << 16) - var x23 uint32 = (uint32((arg1[5])) << 8) - var x24 uint8 = (arg1[4]) - var x25 uint32 = (uint32((arg1[3])) << 24) - var x26 uint32 = (uint32((arg1[2])) << 16) - var x27 uint32 = (uint32((arg1[1])) << 8) - var x28 uint8 = (arg1[0]) - var x29 uint32 = (x27 + uint32(x28)) - var x30 uint32 = (x26 + x29) - var x31 uint32 = (x25 + x30) - var x32 uint32 = (x23 + uint32(x24)) - var x33 uint32 = (x22 + x32) - var x34 uint32 = (x21 + x33) - var x35 uint32 = (x19 + uint32(x20)) - var x36 uint32 = (x18 + x35) - var x37 uint32 = (x17 + x36) - var x38 uint32 = (x15 + uint32(x16)) - var x39 uint32 = (x14 + x38) - var x40 uint32 = (x13 + x39) - var x41 uint32 = (x11 + uint32(x12)) - var x42 uint32 = (x10 + x41) - var x43 uint32 = (x9 + x42) - var x44 uint32 = (x7 + uint32(x8)) - var x45 uint32 = (x6 + x44) - var x46 uint32 = (x5 + x45) - var x47 uint32 = (x3 + uint32(x4)) - var x48 uint32 = (x2 + x47) - var x49 uint32 = (x1 + x48) - out1[0] = x31 - out1[1] = x34 - out1[2] = x37 - out1[3] = x40 - out1[4] = x43 - out1[5] = x46 - out1[6] = x49 + x1 := (uint32(arg1[27]) << 24) + x2 := (uint32(arg1[26]) << 16) + x3 := (uint32(arg1[25]) << 8) + x4 := arg1[24] + x5 := (uint32(arg1[23]) << 24) + x6 := (uint32(arg1[22]) << 16) + x7 := (uint32(arg1[21]) << 8) + x8 := arg1[20] + x9 := (uint32(arg1[19]) << 24) + x10 := (uint32(arg1[18]) << 16) + x11 := (uint32(arg1[17]) << 8) + x12 := arg1[16] + x13 := 
(uint32(arg1[15]) << 24) + x14 := (uint32(arg1[14]) << 16) + x15 := (uint32(arg1[13]) << 8) + x16 := arg1[12] + x17 := (uint32(arg1[11]) << 24) + x18 := (uint32(arg1[10]) << 16) + x19 := (uint32(arg1[9]) << 8) + x20 := arg1[8] + x21 := (uint32(arg1[7]) << 24) + x22 := (uint32(arg1[6]) << 16) + x23 := (uint32(arg1[5]) << 8) + x24 := arg1[4] + x25 := (uint32(arg1[3]) << 24) + x26 := (uint32(arg1[2]) << 16) + x27 := (uint32(arg1[1]) << 8) + x28 := arg1[0] + x29 := (x27 + uint32(x28)) + x30 := (x26 + x29) + x31 := (x25 + x30) + x32 := (x23 + uint32(x24)) + x33 := (x22 + x32) + x34 := (x21 + x33) + x35 := (x19 + uint32(x20)) + x36 := (x18 + x35) + x37 := (x17 + x36) + x38 := (x15 + uint32(x16)) + x39 := (x14 + x38) + x40 := (x13 + x39) + x41 := (x11 + uint32(x12)) + x42 := (x10 + x41) + x43 := (x9 + x42) + x44 := (x7 + uint32(x8)) + x45 := (x6 + x44) + x46 := (x5 + x45) + x47 := (x3 + uint32(x4)) + x48 := (x2 + x47) + x49 := (x1 + x48) + out1[0] = x31 + out1[1] = x34 + out1[2] = x37 + out1[3] = x40 + out1[4] = x43 + out1[5] = x46 + out1[6] = x49 } -/* - The function SetOne returns the field element one in the Montgomery domain. - Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. 
+// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func SetOne(out1 *[7]uint32) { - out1[0] = 0xffffffff - out1[1] = 0xffffffff - out1[2] = 0xffffffff - out1[3] = uint32(0x0) - out1[4] = uint32(0x0) - out1[5] = uint32(0x0) - out1[6] = uint32(0x0) + out1[0] = 0xffffffff + out1[1] = 0xffffffff + out1[2] = 0xffffffff + out1[3] = uint32(0x0) + out1[4] = uint32(0x0) + out1[5] = uint32(0x0) + out1[6] = uint32(0x0) } -/* - The function Msat returns the saturated representation of the prime modulus. - Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. +// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Msat(out1 *[8]uint32) { - out1[0] = uint32(0x1) - out1[1] = uint32(0x0) - out1[2] = uint32(0x0) - out1[3] = 0xffffffff - out1[4] = 0xffffffff - out1[5] = 0xffffffff - out1[6] = 0xffffffff - out1[7] = uint32(0x0) + out1[0] = uint32(0x1) + out1[1] = uint32(0x0) + out1[2] = uint32(0x0) + out1[3] = 0xffffffff + out1[4] = 0xffffffff + out1[5] = 0xffffffff + out1[6] = 0xffffffff + out1[7] = uint32(0x0) } -/* - The function Divstep computes a divstep. 
- Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffff] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], 
[0x0 ~> 0xffffffff]] - out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. +// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffff] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], 
[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] +// out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Divstep(out1 *uint32, out2 *[8]uint32, out3 *[8]uint32, out4 *[7]uint32, out5 *[7]uint32, arg1 uint32, arg2 *[8]uint32, arg3 *[8]uint32, arg4 *[7]uint32, arg5 *[7]uint32) { - var x1 uint32 - x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 31)) & (uint1((arg3[0])) & 0x1)) - var x4 uint32 - x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x6 uint32 - cmovznzU32(&x6, x3, arg1, x4) - var x7 uint32 - cmovznzU32(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint32 - cmovznzU32(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint32 - cmovznzU32(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint32 - cmovznzU32(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint32 - cmovznzU32(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint32 - cmovznzU32(&x12, x3, (arg2[5]), (arg3[5])) - var x13 uint32 - cmovznzU32(&x13, x3, (arg2[6]), (arg3[6])) - var x14 uint32 - 
cmovznzU32(&x14, x3, (arg2[7]), (arg3[7])) - var x15 uint32 - var x16 uint1 - x15, x16 = addcarryxU32(uint32(0x1), (^(arg2[0])), 0x0) - var x17 uint32 - var x18 uint1 - x17, x18 = addcarryxU32(uint32(0x0), (^(arg2[1])), x16) - var x19 uint32 - var x20 uint1 - x19, x20 = addcarryxU32(uint32(0x0), (^(arg2[2])), x18) - var x21 uint32 - var x22 uint1 - x21, x22 = addcarryxU32(uint32(0x0), (^(arg2[3])), x20) - var x23 uint32 - var x24 uint1 - x23, x24 = addcarryxU32(uint32(0x0), (^(arg2[4])), x22) - var x25 uint32 - var x26 uint1 - x25, x26 = addcarryxU32(uint32(0x0), (^(arg2[5])), x24) - var x27 uint32 - var x28 uint1 - x27, x28 = addcarryxU32(uint32(0x0), (^(arg2[6])), x26) - var x29 uint32 - x29, _ = addcarryxU32(uint32(0x0), (^(arg2[7])), x28) - var x31 uint32 - cmovznzU32(&x31, x3, (arg3[0]), x15) - var x32 uint32 - cmovznzU32(&x32, x3, (arg3[1]), x17) - var x33 uint32 - cmovznzU32(&x33, x3, (arg3[2]), x19) - var x34 uint32 - cmovznzU32(&x34, x3, (arg3[3]), x21) - var x35 uint32 - cmovznzU32(&x35, x3, (arg3[4]), x23) - var x36 uint32 - cmovznzU32(&x36, x3, (arg3[5]), x25) - var x37 uint32 - cmovznzU32(&x37, x3, (arg3[6]), x27) - var x38 uint32 - cmovznzU32(&x38, x3, (arg3[7]), x29) - var x39 uint32 - cmovznzU32(&x39, x3, (arg4[0]), (arg5[0])) - var x40 uint32 - cmovznzU32(&x40, x3, (arg4[1]), (arg5[1])) - var x41 uint32 - cmovznzU32(&x41, x3, (arg4[2]), (arg5[2])) - var x42 uint32 - cmovznzU32(&x42, x3, (arg4[3]), (arg5[3])) - var x43 uint32 - cmovznzU32(&x43, x3, (arg4[4]), (arg5[4])) - var x44 uint32 - cmovznzU32(&x44, x3, (arg4[5]), (arg5[5])) - var x45 uint32 - cmovznzU32(&x45, x3, (arg4[6]), (arg5[6])) - var x46 uint32 - var x47 uint1 - x46, x47 = addcarryxU32(x39, x39, 0x0) - var x48 uint32 - var x49 uint1 - x48, x49 = addcarryxU32(x40, x40, x47) - var x50 uint32 - var x51 uint1 - x50, x51 = addcarryxU32(x41, x41, x49) - var x52 uint32 - var x53 uint1 - x52, x53 = addcarryxU32(x42, x42, x51) - var x54 uint32 - var x55 uint1 - x54, x55 = addcarryxU32(x43, x43, 
x53) - var x56 uint32 - var x57 uint1 - x56, x57 = addcarryxU32(x44, x44, x55) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x45, x45, x57) - var x60 uint32 - var x61 uint1 - x60, x61 = subborrowxU32(x46, uint32(0x1), 0x0) - var x62 uint32 - var x63 uint1 - x62, x63 = subborrowxU32(x48, uint32(0x0), x61) - var x64 uint32 - var x65 uint1 - x64, x65 = subborrowxU32(x50, uint32(0x0), x63) - var x66 uint32 - var x67 uint1 - x66, x67 = subborrowxU32(x52, 0xffffffff, x65) - var x68 uint32 - var x69 uint1 - x68, x69 = subborrowxU32(x54, 0xffffffff, x67) - var x70 uint32 - var x71 uint1 - x70, x71 = subborrowxU32(x56, 0xffffffff, x69) - var x72 uint32 - var x73 uint1 - x72, x73 = subborrowxU32(x58, 0xffffffff, x71) - var x75 uint1 - _, x75 = subborrowxU32(uint32(x59), uint32(0x0), x73) - var x76 uint32 = (arg4[6]) - var x77 uint32 = (arg4[5]) - var x78 uint32 = (arg4[4]) - var x79 uint32 = (arg4[3]) - var x80 uint32 = (arg4[2]) - var x81 uint32 = (arg4[1]) - var x82 uint32 = (arg4[0]) - var x83 uint32 - var x84 uint1 - x83, x84 = subborrowxU32(uint32(0x0), x82, 0x0) - var x85 uint32 - var x86 uint1 - x85, x86 = subborrowxU32(uint32(0x0), x81, x84) - var x87 uint32 - var x88 uint1 - x87, x88 = subborrowxU32(uint32(0x0), x80, x86) - var x89 uint32 - var x90 uint1 - x89, x90 = subborrowxU32(uint32(0x0), x79, x88) - var x91 uint32 - var x92 uint1 - x91, x92 = subborrowxU32(uint32(0x0), x78, x90) - var x93 uint32 - var x94 uint1 - x93, x94 = subborrowxU32(uint32(0x0), x77, x92) - var x95 uint32 - var x96 uint1 - x95, x96 = subborrowxU32(uint32(0x0), x76, x94) - var x97 uint32 - cmovznzU32(&x97, x96, uint32(0x0), 0xffffffff) - var x98 uint32 - var x99 uint1 - x98, x99 = addcarryxU32(x83, uint32((uint1(x97) & 0x1)), 0x0) - var x100 uint32 - var x101 uint1 - x100, x101 = addcarryxU32(x85, uint32(0x0), x99) - var x102 uint32 - var x103 uint1 - x102, x103 = addcarryxU32(x87, uint32(0x0), x101) - var x104 uint32 - var x105 uint1 - x104, x105 = addcarryxU32(x89, x97, 
x103) - var x106 uint32 - var x107 uint1 - x106, x107 = addcarryxU32(x91, x97, x105) - var x108 uint32 - var x109 uint1 - x108, x109 = addcarryxU32(x93, x97, x107) - var x110 uint32 - x110, _ = addcarryxU32(x95, x97, x109) - var x112 uint32 - cmovznzU32(&x112, x3, (arg5[0]), x98) - var x113 uint32 - cmovznzU32(&x113, x3, (arg5[1]), x100) - var x114 uint32 - cmovznzU32(&x114, x3, (arg5[2]), x102) - var x115 uint32 - cmovznzU32(&x115, x3, (arg5[3]), x104) - var x116 uint32 - cmovznzU32(&x116, x3, (arg5[4]), x106) - var x117 uint32 - cmovznzU32(&x117, x3, (arg5[5]), x108) - var x118 uint32 - cmovznzU32(&x118, x3, (arg5[6]), x110) - var x119 uint1 = (uint1(x31) & 0x1) - var x120 uint32 - cmovznzU32(&x120, x119, uint32(0x0), x7) - var x121 uint32 - cmovznzU32(&x121, x119, uint32(0x0), x8) - var x122 uint32 - cmovznzU32(&x122, x119, uint32(0x0), x9) - var x123 uint32 - cmovznzU32(&x123, x119, uint32(0x0), x10) - var x124 uint32 - cmovznzU32(&x124, x119, uint32(0x0), x11) - var x125 uint32 - cmovznzU32(&x125, x119, uint32(0x0), x12) - var x126 uint32 - cmovznzU32(&x126, x119, uint32(0x0), x13) - var x127 uint32 - cmovznzU32(&x127, x119, uint32(0x0), x14) - var x128 uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x31, x120, 0x0) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x32, x121, x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x33, x122, x131) - var x134 uint32 - var x135 uint1 - x134, x135 = addcarryxU32(x34, x123, x133) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x35, x124, x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(x36, x125, x137) - var x140 uint32 - var x141 uint1 - x140, x141 = addcarryxU32(x37, x126, x139) - var x142 uint32 - x142, _ = addcarryxU32(x38, x127, x141) - var x144 uint32 - cmovznzU32(&x144, x119, uint32(0x0), x39) - var x145 uint32 - cmovznzU32(&x145, x119, uint32(0x0), x40) - var x146 uint32 - cmovznzU32(&x146, x119, uint32(0x0), x41) - var x147 uint32 - 
cmovznzU32(&x147, x119, uint32(0x0), x42) - var x148 uint32 - cmovznzU32(&x148, x119, uint32(0x0), x43) - var x149 uint32 - cmovznzU32(&x149, x119, uint32(0x0), x44) - var x150 uint32 - cmovznzU32(&x150, x119, uint32(0x0), x45) - var x151 uint32 - var x152 uint1 - x151, x152 = addcarryxU32(x112, x144, 0x0) - var x153 uint32 - var x154 uint1 - x153, x154 = addcarryxU32(x113, x145, x152) - var x155 uint32 - var x156 uint1 - x155, x156 = addcarryxU32(x114, x146, x154) - var x157 uint32 - var x158 uint1 - x157, x158 = addcarryxU32(x115, x147, x156) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x116, x148, x158) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x117, x149, x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x118, x150, x162) - var x165 uint32 - var x166 uint1 - x165, x166 = subborrowxU32(x151, uint32(0x1), 0x0) - var x167 uint32 - var x168 uint1 - x167, x168 = subborrowxU32(x153, uint32(0x0), x166) - var x169 uint32 - var x170 uint1 - x169, x170 = subborrowxU32(x155, uint32(0x0), x168) - var x171 uint32 - var x172 uint1 - x171, x172 = subborrowxU32(x157, 0xffffffff, x170) - var x173 uint32 - var x174 uint1 - x173, x174 = subborrowxU32(x159, 0xffffffff, x172) - var x175 uint32 - var x176 uint1 - x175, x176 = subborrowxU32(x161, 0xffffffff, x174) - var x177 uint32 - var x178 uint1 - x177, x178 = subborrowxU32(x163, 0xffffffff, x176) - var x180 uint1 - _, x180 = subborrowxU32(uint32(x164), uint32(0x0), x178) - var x181 uint32 - x181, _ = addcarryxU32(x6, uint32(0x1), 0x0) - var x183 uint32 = ((x128 >> 1) | ((x130 << 31) & 0xffffffff)) - var x184 uint32 = ((x130 >> 1) | ((x132 << 31) & 0xffffffff)) - var x185 uint32 = ((x132 >> 1) | ((x134 << 31) & 0xffffffff)) - var x186 uint32 = ((x134 >> 1) | ((x136 << 31) & 0xffffffff)) - var x187 uint32 = ((x136 >> 1) | ((x138 << 31) & 0xffffffff)) - var x188 uint32 = ((x138 >> 1) | ((x140 << 31) & 0xffffffff)) - var x189 uint32 = ((x140 >> 1) | ((x142 << 31) & 
0xffffffff)) - var x190 uint32 = ((x142 & 0x80000000) | (x142 >> 1)) - var x191 uint32 - cmovznzU32(&x191, x75, x60, x46) - var x192 uint32 - cmovznzU32(&x192, x75, x62, x48) - var x193 uint32 - cmovznzU32(&x193, x75, x64, x50) - var x194 uint32 - cmovznzU32(&x194, x75, x66, x52) - var x195 uint32 - cmovznzU32(&x195, x75, x68, x54) - var x196 uint32 - cmovznzU32(&x196, x75, x70, x56) - var x197 uint32 - cmovznzU32(&x197, x75, x72, x58) - var x198 uint32 - cmovznzU32(&x198, x180, x165, x151) - var x199 uint32 - cmovznzU32(&x199, x180, x167, x153) - var x200 uint32 - cmovznzU32(&x200, x180, x169, x155) - var x201 uint32 - cmovznzU32(&x201, x180, x171, x157) - var x202 uint32 - cmovznzU32(&x202, x180, x173, x159) - var x203 uint32 - cmovznzU32(&x203, x180, x175, x161) - var x204 uint32 - cmovznzU32(&x204, x180, x177, x163) - *out1 = x181 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out2[5] = x12 - out2[6] = x13 - out2[7] = x14 - out3[0] = x183 - out3[1] = x184 - out3[2] = x185 - out3[3] = x186 - out3[4] = x187 - out3[5] = x188 - out3[6] = x189 - out3[7] = x190 - out4[0] = x191 - out4[1] = x192 - out4[2] = x193 - out4[3] = x194 - out4[4] = x195 - out4[5] = x196 - out4[6] = x197 - out5[0] = x198 - out5[1] = x199 - out5[2] = x200 - out5[3] = x201 - out5[4] = x202 - out5[5] = x203 - out5[6] = x204 + var x1 uint32 + x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + x3 := (uint1((x1 >> 31)) & (uint1(arg3[0]) & 0x1)) + var x4 uint32 + x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + var x6 uint32 + cmovznzU32(&x6, x3, arg1, x4) + var x7 uint32 + cmovznzU32(&x7, x3, arg2[0], arg3[0]) + var x8 uint32 + cmovznzU32(&x8, x3, arg2[1], arg3[1]) + var x9 uint32 + cmovznzU32(&x9, x3, arg2[2], arg3[2]) + var x10 uint32 + cmovznzU32(&x10, x3, arg2[3], arg3[3]) + var x11 uint32 + cmovznzU32(&x11, x3, arg2[4], arg3[4]) + var x12 uint32 + cmovznzU32(&x12, x3, arg2[5], arg3[5]) + var x13 uint32 + cmovznzU32(&x13, x3, arg2[6], arg3[6]) + var x14 uint32 + 
cmovznzU32(&x14, x3, arg2[7], arg3[7]) + var x15 uint32 + var x16 uint1 + x15, x16 = addcarryxU32(uint32(0x1), (^arg2[0]), 0x0) + var x17 uint32 + var x18 uint1 + x17, x18 = addcarryxU32(uint32(0x0), (^arg2[1]), x16) + var x19 uint32 + var x20 uint1 + x19, x20 = addcarryxU32(uint32(0x0), (^arg2[2]), x18) + var x21 uint32 + var x22 uint1 + x21, x22 = addcarryxU32(uint32(0x0), (^arg2[3]), x20) + var x23 uint32 + var x24 uint1 + x23, x24 = addcarryxU32(uint32(0x0), (^arg2[4]), x22) + var x25 uint32 + var x26 uint1 + x25, x26 = addcarryxU32(uint32(0x0), (^arg2[5]), x24) + var x27 uint32 + var x28 uint1 + x27, x28 = addcarryxU32(uint32(0x0), (^arg2[6]), x26) + var x29 uint32 + x29, _ = addcarryxU32(uint32(0x0), (^arg2[7]), x28) + var x31 uint32 + cmovznzU32(&x31, x3, arg3[0], x15) + var x32 uint32 + cmovznzU32(&x32, x3, arg3[1], x17) + var x33 uint32 + cmovznzU32(&x33, x3, arg3[2], x19) + var x34 uint32 + cmovznzU32(&x34, x3, arg3[3], x21) + var x35 uint32 + cmovznzU32(&x35, x3, arg3[4], x23) + var x36 uint32 + cmovznzU32(&x36, x3, arg3[5], x25) + var x37 uint32 + cmovznzU32(&x37, x3, arg3[6], x27) + var x38 uint32 + cmovznzU32(&x38, x3, arg3[7], x29) + var x39 uint32 + cmovznzU32(&x39, x3, arg4[0], arg5[0]) + var x40 uint32 + cmovznzU32(&x40, x3, arg4[1], arg5[1]) + var x41 uint32 + cmovznzU32(&x41, x3, arg4[2], arg5[2]) + var x42 uint32 + cmovznzU32(&x42, x3, arg4[3], arg5[3]) + var x43 uint32 + cmovznzU32(&x43, x3, arg4[4], arg5[4]) + var x44 uint32 + cmovznzU32(&x44, x3, arg4[5], arg5[5]) + var x45 uint32 + cmovznzU32(&x45, x3, arg4[6], arg5[6]) + var x46 uint32 + var x47 uint1 + x46, x47 = addcarryxU32(x39, x39, 0x0) + var x48 uint32 + var x49 uint1 + x48, x49 = addcarryxU32(x40, x40, x47) + var x50 uint32 + var x51 uint1 + x50, x51 = addcarryxU32(x41, x41, x49) + var x52 uint32 + var x53 uint1 + x52, x53 = addcarryxU32(x42, x42, x51) + var x54 uint32 + var x55 uint1 + x54, x55 = addcarryxU32(x43, x43, x53) + var x56 uint32 + var x57 uint1 + x56, x57 = 
addcarryxU32(x44, x44, x55) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x45, x45, x57) + var x60 uint32 + var x61 uint1 + x60, x61 = subborrowxU32(x46, uint32(0x1), 0x0) + var x62 uint32 + var x63 uint1 + x62, x63 = subborrowxU32(x48, uint32(0x0), x61) + var x64 uint32 + var x65 uint1 + x64, x65 = subborrowxU32(x50, uint32(0x0), x63) + var x66 uint32 + var x67 uint1 + x66, x67 = subborrowxU32(x52, 0xffffffff, x65) + var x68 uint32 + var x69 uint1 + x68, x69 = subborrowxU32(x54, 0xffffffff, x67) + var x70 uint32 + var x71 uint1 + x70, x71 = subborrowxU32(x56, 0xffffffff, x69) + var x72 uint32 + var x73 uint1 + x72, x73 = subborrowxU32(x58, 0xffffffff, x71) + var x75 uint1 + _, x75 = subborrowxU32(uint32(x59), uint32(0x0), x73) + x76 := arg4[6] + x77 := arg4[5] + x78 := arg4[4] + x79 := arg4[3] + x80 := arg4[2] + x81 := arg4[1] + x82 := arg4[0] + var x83 uint32 + var x84 uint1 + x83, x84 = subborrowxU32(uint32(0x0), x82, 0x0) + var x85 uint32 + var x86 uint1 + x85, x86 = subborrowxU32(uint32(0x0), x81, x84) + var x87 uint32 + var x88 uint1 + x87, x88 = subborrowxU32(uint32(0x0), x80, x86) + var x89 uint32 + var x90 uint1 + x89, x90 = subborrowxU32(uint32(0x0), x79, x88) + var x91 uint32 + var x92 uint1 + x91, x92 = subborrowxU32(uint32(0x0), x78, x90) + var x93 uint32 + var x94 uint1 + x93, x94 = subborrowxU32(uint32(0x0), x77, x92) + var x95 uint32 + var x96 uint1 + x95, x96 = subborrowxU32(uint32(0x0), x76, x94) + var x97 uint32 + cmovznzU32(&x97, x96, uint32(0x0), 0xffffffff) + var x98 uint32 + var x99 uint1 + x98, x99 = addcarryxU32(x83, uint32((uint1(x97) & 0x1)), 0x0) + var x100 uint32 + var x101 uint1 + x100, x101 = addcarryxU32(x85, uint32(0x0), x99) + var x102 uint32 + var x103 uint1 + x102, x103 = addcarryxU32(x87, uint32(0x0), x101) + var x104 uint32 + var x105 uint1 + x104, x105 = addcarryxU32(x89, x97, x103) + var x106 uint32 + var x107 uint1 + x106, x107 = addcarryxU32(x91, x97, x105) + var x108 uint32 + var x109 uint1 + x108, x109 = 
addcarryxU32(x93, x97, x107) + var x110 uint32 + x110, _ = addcarryxU32(x95, x97, x109) + var x112 uint32 + cmovznzU32(&x112, x3, arg5[0], x98) + var x113 uint32 + cmovznzU32(&x113, x3, arg5[1], x100) + var x114 uint32 + cmovznzU32(&x114, x3, arg5[2], x102) + var x115 uint32 + cmovznzU32(&x115, x3, arg5[3], x104) + var x116 uint32 + cmovznzU32(&x116, x3, arg5[4], x106) + var x117 uint32 + cmovznzU32(&x117, x3, arg5[5], x108) + var x118 uint32 + cmovznzU32(&x118, x3, arg5[6], x110) + x119 := (uint1(x31) & 0x1) + var x120 uint32 + cmovznzU32(&x120, x119, uint32(0x0), x7) + var x121 uint32 + cmovznzU32(&x121, x119, uint32(0x0), x8) + var x122 uint32 + cmovznzU32(&x122, x119, uint32(0x0), x9) + var x123 uint32 + cmovznzU32(&x123, x119, uint32(0x0), x10) + var x124 uint32 + cmovznzU32(&x124, x119, uint32(0x0), x11) + var x125 uint32 + cmovznzU32(&x125, x119, uint32(0x0), x12) + var x126 uint32 + cmovznzU32(&x126, x119, uint32(0x0), x13) + var x127 uint32 + cmovznzU32(&x127, x119, uint32(0x0), x14) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x31, x120, 0x0) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x32, x121, x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x33, x122, x131) + var x134 uint32 + var x135 uint1 + x134, x135 = addcarryxU32(x34, x123, x133) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x35, x124, x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(x36, x125, x137) + var x140 uint32 + var x141 uint1 + x140, x141 = addcarryxU32(x37, x126, x139) + var x142 uint32 + x142, _ = addcarryxU32(x38, x127, x141) + var x144 uint32 + cmovznzU32(&x144, x119, uint32(0x0), x39) + var x145 uint32 + cmovznzU32(&x145, x119, uint32(0x0), x40) + var x146 uint32 + cmovznzU32(&x146, x119, uint32(0x0), x41) + var x147 uint32 + cmovznzU32(&x147, x119, uint32(0x0), x42) + var x148 uint32 + cmovznzU32(&x148, x119, uint32(0x0), x43) + var x149 uint32 + cmovznzU32(&x149, x119, uint32(0x0), x44) 
+ var x150 uint32 + cmovznzU32(&x150, x119, uint32(0x0), x45) + var x151 uint32 + var x152 uint1 + x151, x152 = addcarryxU32(x112, x144, 0x0) + var x153 uint32 + var x154 uint1 + x153, x154 = addcarryxU32(x113, x145, x152) + var x155 uint32 + var x156 uint1 + x155, x156 = addcarryxU32(x114, x146, x154) + var x157 uint32 + var x158 uint1 + x157, x158 = addcarryxU32(x115, x147, x156) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x116, x148, x158) + var x161 uint32 + var x162 uint1 + x161, x162 = addcarryxU32(x117, x149, x160) + var x163 uint32 + var x164 uint1 + x163, x164 = addcarryxU32(x118, x150, x162) + var x165 uint32 + var x166 uint1 + x165, x166 = subborrowxU32(x151, uint32(0x1), 0x0) + var x167 uint32 + var x168 uint1 + x167, x168 = subborrowxU32(x153, uint32(0x0), x166) + var x169 uint32 + var x170 uint1 + x169, x170 = subborrowxU32(x155, uint32(0x0), x168) + var x171 uint32 + var x172 uint1 + x171, x172 = subborrowxU32(x157, 0xffffffff, x170) + var x173 uint32 + var x174 uint1 + x173, x174 = subborrowxU32(x159, 0xffffffff, x172) + var x175 uint32 + var x176 uint1 + x175, x176 = subborrowxU32(x161, 0xffffffff, x174) + var x177 uint32 + var x178 uint1 + x177, x178 = subborrowxU32(x163, 0xffffffff, x176) + var x180 uint1 + _, x180 = subborrowxU32(uint32(x164), uint32(0x0), x178) + var x181 uint32 + x181, _ = addcarryxU32(x6, uint32(0x1), 0x0) + x183 := ((x128 >> 1) | ((x130 << 31) & 0xffffffff)) + x184 := ((x130 >> 1) | ((x132 << 31) & 0xffffffff)) + x185 := ((x132 >> 1) | ((x134 << 31) & 0xffffffff)) + x186 := ((x134 >> 1) | ((x136 << 31) & 0xffffffff)) + x187 := ((x136 >> 1) | ((x138 << 31) & 0xffffffff)) + x188 := ((x138 >> 1) | ((x140 << 31) & 0xffffffff)) + x189 := ((x140 >> 1) | ((x142 << 31) & 0xffffffff)) + x190 := ((x142 & 0x80000000) | (x142 >> 1)) + var x191 uint32 + cmovznzU32(&x191, x75, x60, x46) + var x192 uint32 + cmovznzU32(&x192, x75, x62, x48) + var x193 uint32 + cmovznzU32(&x193, x75, x64, x50) + var x194 uint32 + 
cmovznzU32(&x194, x75, x66, x52) + var x195 uint32 + cmovznzU32(&x195, x75, x68, x54) + var x196 uint32 + cmovznzU32(&x196, x75, x70, x56) + var x197 uint32 + cmovznzU32(&x197, x75, x72, x58) + var x198 uint32 + cmovznzU32(&x198, x180, x165, x151) + var x199 uint32 + cmovznzU32(&x199, x180, x167, x153) + var x200 uint32 + cmovznzU32(&x200, x180, x169, x155) + var x201 uint32 + cmovznzU32(&x201, x180, x171, x157) + var x202 uint32 + cmovznzU32(&x202, x180, x173, x159) + var x203 uint32 + cmovznzU32(&x203, x180, x175, x161) + var x204 uint32 + cmovznzU32(&x204, x180, x177, x163) + *out1 = x181 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out2[5] = x12 + out2[6] = x13 + out2[7] = x14 + out3[0] = x183 + out3[1] = x184 + out3[2] = x185 + out3[3] = x186 + out3[4] = x187 + out3[5] = x188 + out3[6] = x189 + out3[7] = x190 + out4[0] = x191 + out4[1] = x192 + out4[2] = x193 + out4[3] = x194 + out4[4] = x195 + out4[5] = x196 + out4[6] = x197 + out5[0] = x198 + out5[1] = x199 + out5[2] = x200 + out5[3] = x201 + out5[4] = x202 + out5[5] = x203 + out5[6] = x204 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
+// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func DivstepPrecomp(out1 *[7]uint32) { - out1[0] = 0x800000 - out1[1] = 0x800000 - out1[2] = 0xfe000000 - out1[3] = 0xffffff - out1[4] = uint32(0x0) - out1[5] = 0xff800000 - out1[6] = 0x17fffff + out1[0] = 0x800000 + out1[1] = 0x800000 + out1[2] = 0xfe000000 + out1[3] = 0xffffff + out1[4] = uint32(0x0) + out1[5] = 0xff800000 + out1[6] = 0x17fffff } - diff --git a/fiat-go/32/p256/p256.go b/fiat-go/32/p256/p256.go index 3ad493f563c..c86b7779aea 100644 --- a/fiat-go/32/p256/p256.go +++ b/fiat-go/32/p256/p256.go 
@@ -1,4476 +1,4439 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p256 '' 32 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): p256 - - machine_wordsize = 32 (from "32") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in - - if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name p256 '' 32 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): p256 +// +// machine_wordsize = 32 (from "32") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. +// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in +// +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 package p256 import "math/bits" + type uint1 uint8 type int1 
int8 -/* The function addcarryxU32 is a thin wrapper around bits.Add32 that uses uint1 rather than uint32 */ +// addcarryxU32 is a thin wrapper around bits.Add32 that uses uint1 rather than uint32 func addcarryxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Add32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add32(x, y, uint32(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 rather than uint32 */ +// subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 rather than uint32 func subborrowxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Sub32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub32(x, y, uint32(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU32 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffff] - arg3: [0x0 ~> 0xffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// cmovznzU32 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffff] +// arg3: [0x0 ~> 0xffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func cmovznzU32(out1 *uint32, arg1 uint1, arg2 uint32, arg3 uint32) { - var x1 uint32 = (uint32(arg1) * 0xffffffff) - var x2 uint32 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint32(arg1) * 0xffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Mul(out1 *[8]uint32, arg1 *[8]uint32, arg2 *[8]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[0]) - var x9 uint32 - var x10 uint32 - x10, x9 = bits.Mul32(x8, (arg2[7])) - 
var x11 uint32 - var x12 uint32 - x12, x11 = bits.Mul32(x8, (arg2[6])) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x8, (arg2[5])) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x8, (arg2[4])) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x8, (arg2[3])) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x8, (arg2[2])) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x8, (arg2[1])) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x8, (arg2[0])) - var x25 uint32 - var x26 uint1 - x25, x26 = addcarryxU32(x24, x21, 0x0) - var x27 uint32 - var x28 uint1 - x27, x28 = addcarryxU32(x22, x19, x26) - var x29 uint32 - var x30 uint1 - x29, x30 = addcarryxU32(x20, x17, x28) - var x31 uint32 - var x32 uint1 - x31, x32 = addcarryxU32(x18, x15, x30) - var x33 uint32 - var x34 uint1 - x33, x34 = addcarryxU32(x16, x13, x32) - var x35 uint32 - var x36 uint1 - x35, x36 = addcarryxU32(x14, x11, x34) - var x37 uint32 - var x38 uint1 - x37, x38 = addcarryxU32(x12, x9, x36) - var x39 uint32 = (uint32(x38) + x10) - var x40 uint32 - var x41 uint32 - x41, x40 = bits.Mul32(x23, 0xffffffff) - var x42 uint32 - var x43 uint32 - x43, x42 = bits.Mul32(x23, 0xffffffff) - var x44 uint32 - var x45 uint32 - x45, x44 = bits.Mul32(x23, 0xffffffff) - var x46 uint32 - var x47 uint32 - x47, x46 = bits.Mul32(x23, 0xffffffff) - var x48 uint32 - var x49 uint1 - x48, x49 = addcarryxU32(x47, x44, 0x0) - var x50 uint32 - var x51 uint1 - x50, x51 = addcarryxU32(x45, x42, x49) - var x52 uint32 = (uint32(x51) + x43) - var x54 uint1 - _, x54 = addcarryxU32(x23, x46, 0x0) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x25, x48, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x27, x50, x56) - var x59 uint32 - var x60 uint1 - x59, x60 = addcarryxU32(x29, x52, x58) - var x61 uint32 - var x62 uint1 - x61, x62 = addcarryxU32(x31, uint32(0x0), x60) - var x63 uint32 - var x64 uint1 - x63, x64 = addcarryxU32(x33, uint32(0x0), x62) - var 
x65 uint32 - var x66 uint1 - x65, x66 = addcarryxU32(x35, x23, x64) - var x67 uint32 - var x68 uint1 - x67, x68 = addcarryxU32(x37, x40, x66) - var x69 uint32 - var x70 uint1 - x69, x70 = addcarryxU32(x39, x41, x68) - var x71 uint32 - var x72 uint32 - x72, x71 = bits.Mul32(x1, (arg2[7])) - var x73 uint32 - var x74 uint32 - x74, x73 = bits.Mul32(x1, (arg2[6])) - var x75 uint32 - var x76 uint32 - x76, x75 = bits.Mul32(x1, (arg2[5])) - var x77 uint32 - var x78 uint32 - x78, x77 = bits.Mul32(x1, (arg2[4])) - var x79 uint32 - var x80 uint32 - x80, x79 = bits.Mul32(x1, (arg2[3])) - var x81 uint32 - var x82 uint32 - x82, x81 = bits.Mul32(x1, (arg2[2])) - var x83 uint32 - var x84 uint32 - x84, x83 = bits.Mul32(x1, (arg2[1])) - var x85 uint32 - var x86 uint32 - x86, x85 = bits.Mul32(x1, (arg2[0])) - var x87 uint32 - var x88 uint1 - x87, x88 = addcarryxU32(x86, x83, 0x0) - var x89 uint32 - var x90 uint1 - x89, x90 = addcarryxU32(x84, x81, x88) - var x91 uint32 - var x92 uint1 - x91, x92 = addcarryxU32(x82, x79, x90) - var x93 uint32 - var x94 uint1 - x93, x94 = addcarryxU32(x80, x77, x92) - var x95 uint32 - var x96 uint1 - x95, x96 = addcarryxU32(x78, x75, x94) - var x97 uint32 - var x98 uint1 - x97, x98 = addcarryxU32(x76, x73, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x74, x71, x98) - var x101 uint32 = (uint32(x100) + x72) - var x102 uint32 - var x103 uint1 - x102, x103 = addcarryxU32(x55, x85, 0x0) - var x104 uint32 - var x105 uint1 - x104, x105 = addcarryxU32(x57, x87, x103) - var x106 uint32 - var x107 uint1 - x106, x107 = addcarryxU32(x59, x89, x105) - var x108 uint32 - var x109 uint1 - x108, x109 = addcarryxU32(x61, x91, x107) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x63, x93, x109) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x65, x95, x111) - var x114 uint32 - var x115 uint1 - x114, x115 = addcarryxU32(x67, x97, x113) - var x116 uint32 - var x117 uint1 - x116, x117 = addcarryxU32(x69, x99, x115) - var 
x118 uint32 - var x119 uint1 - x118, x119 = addcarryxU32(uint32(x70), x101, x117) - var x120 uint32 - var x121 uint32 - x121, x120 = bits.Mul32(x102, 0xffffffff) - var x122 uint32 - var x123 uint32 - x123, x122 = bits.Mul32(x102, 0xffffffff) - var x124 uint32 - var x125 uint32 - x125, x124 = bits.Mul32(x102, 0xffffffff) - var x126 uint32 - var x127 uint32 - x127, x126 = bits.Mul32(x102, 0xffffffff) - var x128 uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x127, x124, 0x0) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x125, x122, x129) - var x132 uint32 = (uint32(x131) + x123) - var x134 uint1 - _, x134 = addcarryxU32(x102, x126, 0x0) - var x135 uint32 - var x136 uint1 - x135, x136 = addcarryxU32(x104, x128, x134) - var x137 uint32 - var x138 uint1 - x137, x138 = addcarryxU32(x106, x130, x136) - var x139 uint32 - var x140 uint1 - x139, x140 = addcarryxU32(x108, x132, x138) - var x141 uint32 - var x142 uint1 - x141, x142 = addcarryxU32(x110, uint32(0x0), x140) - var x143 uint32 - var x144 uint1 - x143, x144 = addcarryxU32(x112, uint32(0x0), x142) - var x145 uint32 - var x146 uint1 - x145, x146 = addcarryxU32(x114, x102, x144) - var x147 uint32 - var x148 uint1 - x147, x148 = addcarryxU32(x116, x120, x146) - var x149 uint32 - var x150 uint1 - x149, x150 = addcarryxU32(x118, x121, x148) - var x151 uint32 = (uint32(x150) + uint32(x119)) - var x152 uint32 - var x153 uint32 - x153, x152 = bits.Mul32(x2, (arg2[7])) - var x154 uint32 - var x155 uint32 - x155, x154 = bits.Mul32(x2, (arg2[6])) - var x156 uint32 - var x157 uint32 - x157, x156 = bits.Mul32(x2, (arg2[5])) - var x158 uint32 - var x159 uint32 - x159, x158 = bits.Mul32(x2, (arg2[4])) - var x160 uint32 - var x161 uint32 - x161, x160 = bits.Mul32(x2, (arg2[3])) - var x162 uint32 - var x163 uint32 - x163, x162 = bits.Mul32(x2, (arg2[2])) - var x164 uint32 - var x165 uint32 - x165, x164 = bits.Mul32(x2, (arg2[1])) - var x166 uint32 - var x167 uint32 - x167, x166 = bits.Mul32(x2, (arg2[0])) - var 
x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x167, x164, 0x0) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x165, x162, x169) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x163, x160, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x161, x158, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x159, x156, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x157, x154, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x155, x152, x179) - var x182 uint32 = (uint32(x181) + x153) - var x183 uint32 - var x184 uint1 - x183, x184 = addcarryxU32(x135, x166, 0x0) - var x185 uint32 - var x186 uint1 - x185, x186 = addcarryxU32(x137, x168, x184) - var x187 uint32 - var x188 uint1 - x187, x188 = addcarryxU32(x139, x170, x186) - var x189 uint32 - var x190 uint1 - x189, x190 = addcarryxU32(x141, x172, x188) - var x191 uint32 - var x192 uint1 - x191, x192 = addcarryxU32(x143, x174, x190) - var x193 uint32 - var x194 uint1 - x193, x194 = addcarryxU32(x145, x176, x192) - var x195 uint32 - var x196 uint1 - x195, x196 = addcarryxU32(x147, x178, x194) - var x197 uint32 - var x198 uint1 - x197, x198 = addcarryxU32(x149, x180, x196) - var x199 uint32 - var x200 uint1 - x199, x200 = addcarryxU32(x151, x182, x198) - var x201 uint32 - var x202 uint32 - x202, x201 = bits.Mul32(x183, 0xffffffff) - var x203 uint32 - var x204 uint32 - x204, x203 = bits.Mul32(x183, 0xffffffff) - var x205 uint32 - var x206 uint32 - x206, x205 = bits.Mul32(x183, 0xffffffff) - var x207 uint32 - var x208 uint32 - x208, x207 = bits.Mul32(x183, 0xffffffff) - var x209 uint32 - var x210 uint1 - x209, x210 = addcarryxU32(x208, x205, 0x0) - var x211 uint32 - var x212 uint1 - x211, x212 = addcarryxU32(x206, x203, x210) - var x213 uint32 = (uint32(x212) + x204) - var x215 uint1 - _, x215 = addcarryxU32(x183, x207, 0x0) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x185, x209, x215) - var 
x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x187, x211, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x189, x213, x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32(x191, uint32(0x0), x221) - var x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x193, uint32(0x0), x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x195, x183, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x197, x201, x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x199, x202, x229) - var x232 uint32 = (uint32(x231) + uint32(x200)) - var x233 uint32 - var x234 uint32 - x234, x233 = bits.Mul32(x3, (arg2[7])) - var x235 uint32 - var x236 uint32 - x236, x235 = bits.Mul32(x3, (arg2[6])) - var x237 uint32 - var x238 uint32 - x238, x237 = bits.Mul32(x3, (arg2[5])) - var x239 uint32 - var x240 uint32 - x240, x239 = bits.Mul32(x3, (arg2[4])) - var x241 uint32 - var x242 uint32 - x242, x241 = bits.Mul32(x3, (arg2[3])) - var x243 uint32 - var x244 uint32 - x244, x243 = bits.Mul32(x3, (arg2[2])) - var x245 uint32 - var x246 uint32 - x246, x245 = bits.Mul32(x3, (arg2[1])) - var x247 uint32 - var x248 uint32 - x248, x247 = bits.Mul32(x3, (arg2[0])) - var x249 uint32 - var x250 uint1 - x249, x250 = addcarryxU32(x248, x245, 0x0) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x246, x243, x250) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x244, x241, x252) - var x255 uint32 - var x256 uint1 - x255, x256 = addcarryxU32(x242, x239, x254) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x240, x237, x256) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x238, x235, x258) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x236, x233, x260) - var x263 uint32 = (uint32(x262) + x234) - var x264 uint32 - var x265 uint1 - x264, x265 = addcarryxU32(x216, x247, 0x0) - var x266 uint32 - var x267 uint1 - x266, x267 = addcarryxU32(x218, 
x249, x265) - var x268 uint32 - var x269 uint1 - x268, x269 = addcarryxU32(x220, x251, x267) - var x270 uint32 - var x271 uint1 - x270, x271 = addcarryxU32(x222, x253, x269) - var x272 uint32 - var x273 uint1 - x272, x273 = addcarryxU32(x224, x255, x271) - var x274 uint32 - var x275 uint1 - x274, x275 = addcarryxU32(x226, x257, x273) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x228, x259, x275) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32(x230, x261, x277) - var x280 uint32 - var x281 uint1 - x280, x281 = addcarryxU32(x232, x263, x279) - var x282 uint32 - var x283 uint32 - x283, x282 = bits.Mul32(x264, 0xffffffff) - var x284 uint32 - var x285 uint32 - x285, x284 = bits.Mul32(x264, 0xffffffff) - var x286 uint32 - var x287 uint32 - x287, x286 = bits.Mul32(x264, 0xffffffff) - var x288 uint32 - var x289 uint32 - x289, x288 = bits.Mul32(x264, 0xffffffff) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x289, x286, 0x0) - var x292 uint32 - var x293 uint1 - x292, x293 = addcarryxU32(x287, x284, x291) - var x294 uint32 = (uint32(x293) + x285) - var x296 uint1 - _, x296 = addcarryxU32(x264, x288, 0x0) - var x297 uint32 - var x298 uint1 - x297, x298 = addcarryxU32(x266, x290, x296) - var x299 uint32 - var x300 uint1 - x299, x300 = addcarryxU32(x268, x292, x298) - var x301 uint32 - var x302 uint1 - x301, x302 = addcarryxU32(x270, x294, x300) - var x303 uint32 - var x304 uint1 - x303, x304 = addcarryxU32(x272, uint32(0x0), x302) - var x305 uint32 - var x306 uint1 - x305, x306 = addcarryxU32(x274, uint32(0x0), x304) - var x307 uint32 - var x308 uint1 - x307, x308 = addcarryxU32(x276, x264, x306) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x278, x282, x308) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x280, x283, x310) - var x313 uint32 = (uint32(x312) + uint32(x281)) - var x314 uint32 - var x315 uint32 - x315, x314 = bits.Mul32(x4, (arg2[7])) - var x316 uint32 - var x317 uint32 - x317, x316 
= bits.Mul32(x4, (arg2[6])) - var x318 uint32 - var x319 uint32 - x319, x318 = bits.Mul32(x4, (arg2[5])) - var x320 uint32 - var x321 uint32 - x321, x320 = bits.Mul32(x4, (arg2[4])) - var x322 uint32 - var x323 uint32 - x323, x322 = bits.Mul32(x4, (arg2[3])) - var x324 uint32 - var x325 uint32 - x325, x324 = bits.Mul32(x4, (arg2[2])) - var x326 uint32 - var x327 uint32 - x327, x326 = bits.Mul32(x4, (arg2[1])) - var x328 uint32 - var x329 uint32 - x329, x328 = bits.Mul32(x4, (arg2[0])) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x329, x326, 0x0) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x327, x324, x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x325, x322, x333) - var x336 uint32 - var x337 uint1 - x336, x337 = addcarryxU32(x323, x320, x335) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x321, x318, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x319, x316, x339) - var x342 uint32 - var x343 uint1 - x342, x343 = addcarryxU32(x317, x314, x341) - var x344 uint32 = (uint32(x343) + x315) - var x345 uint32 - var x346 uint1 - x345, x346 = addcarryxU32(x297, x328, 0x0) - var x347 uint32 - var x348 uint1 - x347, x348 = addcarryxU32(x299, x330, x346) - var x349 uint32 - var x350 uint1 - x349, x350 = addcarryxU32(x301, x332, x348) - var x351 uint32 - var x352 uint1 - x351, x352 = addcarryxU32(x303, x334, x350) - var x353 uint32 - var x354 uint1 - x353, x354 = addcarryxU32(x305, x336, x352) - var x355 uint32 - var x356 uint1 - x355, x356 = addcarryxU32(x307, x338, x354) - var x357 uint32 - var x358 uint1 - x357, x358 = addcarryxU32(x309, x340, x356) - var x359 uint32 - var x360 uint1 - x359, x360 = addcarryxU32(x311, x342, x358) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x313, x344, x360) - var x363 uint32 - var x364 uint32 - x364, x363 = bits.Mul32(x345, 0xffffffff) - var x365 uint32 - var x366 uint32 - x366, x365 = bits.Mul32(x345, 0xffffffff) - var x367 
uint32 - var x368 uint32 - x368, x367 = bits.Mul32(x345, 0xffffffff) - var x369 uint32 - var x370 uint32 - x370, x369 = bits.Mul32(x345, 0xffffffff) - var x371 uint32 - var x372 uint1 - x371, x372 = addcarryxU32(x370, x367, 0x0) - var x373 uint32 - var x374 uint1 - x373, x374 = addcarryxU32(x368, x365, x372) - var x375 uint32 = (uint32(x374) + x366) - var x377 uint1 - _, x377 = addcarryxU32(x345, x369, 0x0) - var x378 uint32 - var x379 uint1 - x378, x379 = addcarryxU32(x347, x371, x377) - var x380 uint32 - var x381 uint1 - x380, x381 = addcarryxU32(x349, x373, x379) - var x382 uint32 - var x383 uint1 - x382, x383 = addcarryxU32(x351, x375, x381) - var x384 uint32 - var x385 uint1 - x384, x385 = addcarryxU32(x353, uint32(0x0), x383) - var x386 uint32 - var x387 uint1 - x386, x387 = addcarryxU32(x355, uint32(0x0), x385) - var x388 uint32 - var x389 uint1 - x388, x389 = addcarryxU32(x357, x345, x387) - var x390 uint32 - var x391 uint1 - x390, x391 = addcarryxU32(x359, x363, x389) - var x392 uint32 - var x393 uint1 - x392, x393 = addcarryxU32(x361, x364, x391) - var x394 uint32 = (uint32(x393) + uint32(x362)) - var x395 uint32 - var x396 uint32 - x396, x395 = bits.Mul32(x5, (arg2[7])) - var x397 uint32 - var x398 uint32 - x398, x397 = bits.Mul32(x5, (arg2[6])) - var x399 uint32 - var x400 uint32 - x400, x399 = bits.Mul32(x5, (arg2[5])) - var x401 uint32 - var x402 uint32 - x402, x401 = bits.Mul32(x5, (arg2[4])) - var x403 uint32 - var x404 uint32 - x404, x403 = bits.Mul32(x5, (arg2[3])) - var x405 uint32 - var x406 uint32 - x406, x405 = bits.Mul32(x5, (arg2[2])) - var x407 uint32 - var x408 uint32 - x408, x407 = bits.Mul32(x5, (arg2[1])) - var x409 uint32 - var x410 uint32 - x410, x409 = bits.Mul32(x5, (arg2[0])) - var x411 uint32 - var x412 uint1 - x411, x412 = addcarryxU32(x410, x407, 0x0) - var x413 uint32 - var x414 uint1 - x413, x414 = addcarryxU32(x408, x405, x412) - var x415 uint32 - var x416 uint1 - x415, x416 = addcarryxU32(x406, x403, x414) - var x417 uint32 
- var x418 uint1 - x417, x418 = addcarryxU32(x404, x401, x416) - var x419 uint32 - var x420 uint1 - x419, x420 = addcarryxU32(x402, x399, x418) - var x421 uint32 - var x422 uint1 - x421, x422 = addcarryxU32(x400, x397, x420) - var x423 uint32 - var x424 uint1 - x423, x424 = addcarryxU32(x398, x395, x422) - var x425 uint32 = (uint32(x424) + x396) - var x426 uint32 - var x427 uint1 - x426, x427 = addcarryxU32(x378, x409, 0x0) - var x428 uint32 - var x429 uint1 - x428, x429 = addcarryxU32(x380, x411, x427) - var x430 uint32 - var x431 uint1 - x430, x431 = addcarryxU32(x382, x413, x429) - var x432 uint32 - var x433 uint1 - x432, x433 = addcarryxU32(x384, x415, x431) - var x434 uint32 - var x435 uint1 - x434, x435 = addcarryxU32(x386, x417, x433) - var x436 uint32 - var x437 uint1 - x436, x437 = addcarryxU32(x388, x419, x435) - var x438 uint32 - var x439 uint1 - x438, x439 = addcarryxU32(x390, x421, x437) - var x440 uint32 - var x441 uint1 - x440, x441 = addcarryxU32(x392, x423, x439) - var x442 uint32 - var x443 uint1 - x442, x443 = addcarryxU32(x394, x425, x441) - var x444 uint32 - var x445 uint32 - x445, x444 = bits.Mul32(x426, 0xffffffff) - var x446 uint32 - var x447 uint32 - x447, x446 = bits.Mul32(x426, 0xffffffff) - var x448 uint32 - var x449 uint32 - x449, x448 = bits.Mul32(x426, 0xffffffff) - var x450 uint32 - var x451 uint32 - x451, x450 = bits.Mul32(x426, 0xffffffff) - var x452 uint32 - var x453 uint1 - x452, x453 = addcarryxU32(x451, x448, 0x0) - var x454 uint32 - var x455 uint1 - x454, x455 = addcarryxU32(x449, x446, x453) - var x456 uint32 = (uint32(x455) + x447) - var x458 uint1 - _, x458 = addcarryxU32(x426, x450, 0x0) - var x459 uint32 - var x460 uint1 - x459, x460 = addcarryxU32(x428, x452, x458) - var x461 uint32 - var x462 uint1 - x461, x462 = addcarryxU32(x430, x454, x460) - var x463 uint32 - var x464 uint1 - x463, x464 = addcarryxU32(x432, x456, x462) - var x465 uint32 - var x466 uint1 - x465, x466 = addcarryxU32(x434, uint32(0x0), x464) - var x467 
uint32 - var x468 uint1 - x467, x468 = addcarryxU32(x436, uint32(0x0), x466) - var x469 uint32 - var x470 uint1 - x469, x470 = addcarryxU32(x438, x426, x468) - var x471 uint32 - var x472 uint1 - x471, x472 = addcarryxU32(x440, x444, x470) - var x473 uint32 - var x474 uint1 - x473, x474 = addcarryxU32(x442, x445, x472) - var x475 uint32 = (uint32(x474) + uint32(x443)) - var x476 uint32 - var x477 uint32 - x477, x476 = bits.Mul32(x6, (arg2[7])) - var x478 uint32 - var x479 uint32 - x479, x478 = bits.Mul32(x6, (arg2[6])) - var x480 uint32 - var x481 uint32 - x481, x480 = bits.Mul32(x6, (arg2[5])) - var x482 uint32 - var x483 uint32 - x483, x482 = bits.Mul32(x6, (arg2[4])) - var x484 uint32 - var x485 uint32 - x485, x484 = bits.Mul32(x6, (arg2[3])) - var x486 uint32 - var x487 uint32 - x487, x486 = bits.Mul32(x6, (arg2[2])) - var x488 uint32 - var x489 uint32 - x489, x488 = bits.Mul32(x6, (arg2[1])) - var x490 uint32 - var x491 uint32 - x491, x490 = bits.Mul32(x6, (arg2[0])) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x491, x488, 0x0) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x489, x486, x493) - var x496 uint32 - var x497 uint1 - x496, x497 = addcarryxU32(x487, x484, x495) - var x498 uint32 - var x499 uint1 - x498, x499 = addcarryxU32(x485, x482, x497) - var x500 uint32 - var x501 uint1 - x500, x501 = addcarryxU32(x483, x480, x499) - var x502 uint32 - var x503 uint1 - x502, x503 = addcarryxU32(x481, x478, x501) - var x504 uint32 - var x505 uint1 - x504, x505 = addcarryxU32(x479, x476, x503) - var x506 uint32 = (uint32(x505) + x477) - var x507 uint32 - var x508 uint1 - x507, x508 = addcarryxU32(x459, x490, 0x0) - var x509 uint32 - var x510 uint1 - x509, x510 = addcarryxU32(x461, x492, x508) - var x511 uint32 - var x512 uint1 - x511, x512 = addcarryxU32(x463, x494, x510) - var x513 uint32 - var x514 uint1 - x513, x514 = addcarryxU32(x465, x496, x512) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x467, x498, x514) - 
var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x469, x500, x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x471, x502, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x473, x504, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x475, x506, x522) - var x525 uint32 - var x526 uint32 - x526, x525 = bits.Mul32(x507, 0xffffffff) - var x527 uint32 - var x528 uint32 - x528, x527 = bits.Mul32(x507, 0xffffffff) - var x529 uint32 - var x530 uint32 - x530, x529 = bits.Mul32(x507, 0xffffffff) - var x531 uint32 - var x532 uint32 - x532, x531 = bits.Mul32(x507, 0xffffffff) - var x533 uint32 - var x534 uint1 - x533, x534 = addcarryxU32(x532, x529, 0x0) - var x535 uint32 - var x536 uint1 - x535, x536 = addcarryxU32(x530, x527, x534) - var x537 uint32 = (uint32(x536) + x528) - var x539 uint1 - _, x539 = addcarryxU32(x507, x531, 0x0) - var x540 uint32 - var x541 uint1 - x540, x541 = addcarryxU32(x509, x533, x539) - var x542 uint32 - var x543 uint1 - x542, x543 = addcarryxU32(x511, x535, x541) - var x544 uint32 - var x545 uint1 - x544, x545 = addcarryxU32(x513, x537, x543) - var x546 uint32 - var x547 uint1 - x546, x547 = addcarryxU32(x515, uint32(0x0), x545) - var x548 uint32 - var x549 uint1 - x548, x549 = addcarryxU32(x517, uint32(0x0), x547) - var x550 uint32 - var x551 uint1 - x550, x551 = addcarryxU32(x519, x507, x549) - var x552 uint32 - var x553 uint1 - x552, x553 = addcarryxU32(x521, x525, x551) - var x554 uint32 - var x555 uint1 - x554, x555 = addcarryxU32(x523, x526, x553) - var x556 uint32 = (uint32(x555) + uint32(x524)) - var x557 uint32 - var x558 uint32 - x558, x557 = bits.Mul32(x7, (arg2[7])) - var x559 uint32 - var x560 uint32 - x560, x559 = bits.Mul32(x7, (arg2[6])) - var x561 uint32 - var x562 uint32 - x562, x561 = bits.Mul32(x7, (arg2[5])) - var x563 uint32 - var x564 uint32 - x564, x563 = bits.Mul32(x7, (arg2[4])) - var x565 uint32 - var x566 uint32 - x566, x565 = bits.Mul32(x7, 
(arg2[3])) - var x567 uint32 - var x568 uint32 - x568, x567 = bits.Mul32(x7, (arg2[2])) - var x569 uint32 - var x570 uint32 - x570, x569 = bits.Mul32(x7, (arg2[1])) - var x571 uint32 - var x572 uint32 - x572, x571 = bits.Mul32(x7, (arg2[0])) - var x573 uint32 - var x574 uint1 - x573, x574 = addcarryxU32(x572, x569, 0x0) - var x575 uint32 - var x576 uint1 - x575, x576 = addcarryxU32(x570, x567, x574) - var x577 uint32 - var x578 uint1 - x577, x578 = addcarryxU32(x568, x565, x576) - var x579 uint32 - var x580 uint1 - x579, x580 = addcarryxU32(x566, x563, x578) - var x581 uint32 - var x582 uint1 - x581, x582 = addcarryxU32(x564, x561, x580) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32(x562, x559, x582) - var x585 uint32 - var x586 uint1 - x585, x586 = addcarryxU32(x560, x557, x584) - var x587 uint32 = (uint32(x586) + x558) - var x588 uint32 - var x589 uint1 - x588, x589 = addcarryxU32(x540, x571, 0x0) - var x590 uint32 - var x591 uint1 - x590, x591 = addcarryxU32(x542, x573, x589) - var x592 uint32 - var x593 uint1 - x592, x593 = addcarryxU32(x544, x575, x591) - var x594 uint32 - var x595 uint1 - x594, x595 = addcarryxU32(x546, x577, x593) - var x596 uint32 - var x597 uint1 - x596, x597 = addcarryxU32(x548, x579, x595) - var x598 uint32 - var x599 uint1 - x598, x599 = addcarryxU32(x550, x581, x597) - var x600 uint32 - var x601 uint1 - x600, x601 = addcarryxU32(x552, x583, x599) - var x602 uint32 - var x603 uint1 - x602, x603 = addcarryxU32(x554, x585, x601) - var x604 uint32 - var x605 uint1 - x604, x605 = addcarryxU32(x556, x587, x603) - var x606 uint32 - var x607 uint32 - x607, x606 = bits.Mul32(x588, 0xffffffff) - var x608 uint32 - var x609 uint32 - x609, x608 = bits.Mul32(x588, 0xffffffff) - var x610 uint32 - var x611 uint32 - x611, x610 = bits.Mul32(x588, 0xffffffff) - var x612 uint32 - var x613 uint32 - x613, x612 = bits.Mul32(x588, 0xffffffff) - var x614 uint32 - var x615 uint1 - x614, x615 = addcarryxU32(x613, x610, 0x0) - var x616 uint32 - 
var x617 uint1 - x616, x617 = addcarryxU32(x611, x608, x615) - var x618 uint32 = (uint32(x617) + x609) - var x620 uint1 - _, x620 = addcarryxU32(x588, x612, 0x0) - var x621 uint32 - var x622 uint1 - x621, x622 = addcarryxU32(x590, x614, x620) - var x623 uint32 - var x624 uint1 - x623, x624 = addcarryxU32(x592, x616, x622) - var x625 uint32 - var x626 uint1 - x625, x626 = addcarryxU32(x594, x618, x624) - var x627 uint32 - var x628 uint1 - x627, x628 = addcarryxU32(x596, uint32(0x0), x626) - var x629 uint32 - var x630 uint1 - x629, x630 = addcarryxU32(x598, uint32(0x0), x628) - var x631 uint32 - var x632 uint1 - x631, x632 = addcarryxU32(x600, x588, x630) - var x633 uint32 - var x634 uint1 - x633, x634 = addcarryxU32(x602, x606, x632) - var x635 uint32 - var x636 uint1 - x635, x636 = addcarryxU32(x604, x607, x634) - var x637 uint32 = (uint32(x636) + uint32(x605)) - var x638 uint32 - var x639 uint1 - x638, x639 = subborrowxU32(x621, 0xffffffff, 0x0) - var x640 uint32 - var x641 uint1 - x640, x641 = subborrowxU32(x623, 0xffffffff, x639) - var x642 uint32 - var x643 uint1 - x642, x643 = subborrowxU32(x625, 0xffffffff, x641) - var x644 uint32 - var x645 uint1 - x644, x645 = subborrowxU32(x627, uint32(0x0), x643) - var x646 uint32 - var x647 uint1 - x646, x647 = subborrowxU32(x629, uint32(0x0), x645) - var x648 uint32 - var x649 uint1 - x648, x649 = subborrowxU32(x631, uint32(0x0), x647) - var x650 uint32 - var x651 uint1 - x650, x651 = subborrowxU32(x633, uint32(0x1), x649) - var x652 uint32 - var x653 uint1 - x652, x653 = subborrowxU32(x635, 0xffffffff, x651) - var x655 uint1 - _, x655 = subborrowxU32(x637, uint32(0x0), x653) - var x656 uint32 - cmovznzU32(&x656, x655, x638, x621) - var x657 uint32 - cmovznzU32(&x657, x655, x640, x623) - var x658 uint32 - cmovznzU32(&x658, x655, x642, x625) - var x659 uint32 - cmovznzU32(&x659, x655, x644, x627) - var x660 uint32 - cmovznzU32(&x660, x655, x646, x629) - var x661 uint32 - cmovznzU32(&x661, x655, x648, x631) - var x662 
uint32 - cmovznzU32(&x662, x655, x650, x633) - var x663 uint32 - cmovznzU32(&x663, x655, x652, x635) - out1[0] = x656 - out1[1] = x657 - out1[2] = x658 - out1[3] = x659 - out1[4] = x660 - out1[5] = x661 - out1[6] = x662 - out1[7] = x663 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[0] + var x9 uint32 + var x10 uint32 + x10, x9 = bits.Mul32(x8, arg2[7]) + var x11 uint32 + var x12 uint32 + x12, x11 = bits.Mul32(x8, arg2[6]) + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x8, arg2[5]) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x8, arg2[4]) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x8, arg2[3]) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x8, arg2[2]) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x8, arg2[1]) + var x23 uint32 + var x24 uint32 + x24, x23 = bits.Mul32(x8, arg2[0]) + var x25 uint32 + var x26 uint1 + x25, x26 = addcarryxU32(x24, x21, 0x0) + var x27 uint32 + var x28 uint1 + x27, x28 = addcarryxU32(x22, x19, x26) + var x29 uint32 + var x30 uint1 + x29, x30 = addcarryxU32(x20, x17, x28) + var x31 uint32 + var x32 uint1 + x31, x32 = addcarryxU32(x18, x15, x30) + var x33 uint32 + var x34 uint1 + x33, x34 = addcarryxU32(x16, x13, x32) + var x35 uint32 + var x36 uint1 + x35, x36 = addcarryxU32(x14, x11, x34) + var x37 uint32 + var x38 uint1 + x37, x38 = addcarryxU32(x12, x9, x36) + x39 := (uint32(x38) + x10) + var x40 uint32 + var x41 uint32 + x41, x40 = bits.Mul32(x23, 0xffffffff) + var x42 uint32 + var x43 uint32 + x43, x42 = bits.Mul32(x23, 0xffffffff) + var x44 uint32 + var x45 uint32 + x45, x44 = bits.Mul32(x23, 0xffffffff) + var x46 uint32 + var x47 uint32 + x47, x46 = bits.Mul32(x23, 0xffffffff) + var x48 uint32 + var x49 uint1 + x48, x49 = addcarryxU32(x47, x44, 0x0) + var x50 uint32 + var x51 uint1 + x50, x51 = addcarryxU32(x45, x42, x49) + x52 := (uint32(x51) + x43) + var x54 uint1 + _, x54 = addcarryxU32(x23, 
x46, 0x0) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x25, x48, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x27, x50, x56) + var x59 uint32 + var x60 uint1 + x59, x60 = addcarryxU32(x29, x52, x58) + var x61 uint32 + var x62 uint1 + x61, x62 = addcarryxU32(x31, uint32(0x0), x60) + var x63 uint32 + var x64 uint1 + x63, x64 = addcarryxU32(x33, uint32(0x0), x62) + var x65 uint32 + var x66 uint1 + x65, x66 = addcarryxU32(x35, x23, x64) + var x67 uint32 + var x68 uint1 + x67, x68 = addcarryxU32(x37, x40, x66) + var x69 uint32 + var x70 uint1 + x69, x70 = addcarryxU32(x39, x41, x68) + var x71 uint32 + var x72 uint32 + x72, x71 = bits.Mul32(x1, arg2[7]) + var x73 uint32 + var x74 uint32 + x74, x73 = bits.Mul32(x1, arg2[6]) + var x75 uint32 + var x76 uint32 + x76, x75 = bits.Mul32(x1, arg2[5]) + var x77 uint32 + var x78 uint32 + x78, x77 = bits.Mul32(x1, arg2[4]) + var x79 uint32 + var x80 uint32 + x80, x79 = bits.Mul32(x1, arg2[3]) + var x81 uint32 + var x82 uint32 + x82, x81 = bits.Mul32(x1, arg2[2]) + var x83 uint32 + var x84 uint32 + x84, x83 = bits.Mul32(x1, arg2[1]) + var x85 uint32 + var x86 uint32 + x86, x85 = bits.Mul32(x1, arg2[0]) + var x87 uint32 + var x88 uint1 + x87, x88 = addcarryxU32(x86, x83, 0x0) + var x89 uint32 + var x90 uint1 + x89, x90 = addcarryxU32(x84, x81, x88) + var x91 uint32 + var x92 uint1 + x91, x92 = addcarryxU32(x82, x79, x90) + var x93 uint32 + var x94 uint1 + x93, x94 = addcarryxU32(x80, x77, x92) + var x95 uint32 + var x96 uint1 + x95, x96 = addcarryxU32(x78, x75, x94) + var x97 uint32 + var x98 uint1 + x97, x98 = addcarryxU32(x76, x73, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x74, x71, x98) + x101 := (uint32(x100) + x72) + var x102 uint32 + var x103 uint1 + x102, x103 = addcarryxU32(x55, x85, 0x0) + var x104 uint32 + var x105 uint1 + x104, x105 = addcarryxU32(x57, x87, x103) + var x106 uint32 + var x107 uint1 + x106, x107 = addcarryxU32(x59, x89, x105) + var x108 uint32 + var 
x109 uint1 + x108, x109 = addcarryxU32(x61, x91, x107) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x63, x93, x109) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x65, x95, x111) + var x114 uint32 + var x115 uint1 + x114, x115 = addcarryxU32(x67, x97, x113) + var x116 uint32 + var x117 uint1 + x116, x117 = addcarryxU32(x69, x99, x115) + var x118 uint32 + var x119 uint1 + x118, x119 = addcarryxU32(uint32(x70), x101, x117) + var x120 uint32 + var x121 uint32 + x121, x120 = bits.Mul32(x102, 0xffffffff) + var x122 uint32 + var x123 uint32 + x123, x122 = bits.Mul32(x102, 0xffffffff) + var x124 uint32 + var x125 uint32 + x125, x124 = bits.Mul32(x102, 0xffffffff) + var x126 uint32 + var x127 uint32 + x127, x126 = bits.Mul32(x102, 0xffffffff) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x127, x124, 0x0) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x125, x122, x129) + x132 := (uint32(x131) + x123) + var x134 uint1 + _, x134 = addcarryxU32(x102, x126, 0x0) + var x135 uint32 + var x136 uint1 + x135, x136 = addcarryxU32(x104, x128, x134) + var x137 uint32 + var x138 uint1 + x137, x138 = addcarryxU32(x106, x130, x136) + var x139 uint32 + var x140 uint1 + x139, x140 = addcarryxU32(x108, x132, x138) + var x141 uint32 + var x142 uint1 + x141, x142 = addcarryxU32(x110, uint32(0x0), x140) + var x143 uint32 + var x144 uint1 + x143, x144 = addcarryxU32(x112, uint32(0x0), x142) + var x145 uint32 + var x146 uint1 + x145, x146 = addcarryxU32(x114, x102, x144) + var x147 uint32 + var x148 uint1 + x147, x148 = addcarryxU32(x116, x120, x146) + var x149 uint32 + var x150 uint1 + x149, x150 = addcarryxU32(x118, x121, x148) + x151 := (uint32(x150) + uint32(x119)) + var x152 uint32 + var x153 uint32 + x153, x152 = bits.Mul32(x2, arg2[7]) + var x154 uint32 + var x155 uint32 + x155, x154 = bits.Mul32(x2, arg2[6]) + var x156 uint32 + var x157 uint32 + x157, x156 = bits.Mul32(x2, arg2[5]) + var x158 uint32 + var x159 uint32 + 
x159, x158 = bits.Mul32(x2, arg2[4]) + var x160 uint32 + var x161 uint32 + x161, x160 = bits.Mul32(x2, arg2[3]) + var x162 uint32 + var x163 uint32 + x163, x162 = bits.Mul32(x2, arg2[2]) + var x164 uint32 + var x165 uint32 + x165, x164 = bits.Mul32(x2, arg2[1]) + var x166 uint32 + var x167 uint32 + x167, x166 = bits.Mul32(x2, arg2[0]) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x167, x164, 0x0) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x165, x162, x169) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x163, x160, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x161, x158, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x159, x156, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x157, x154, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x155, x152, x179) + x182 := (uint32(x181) + x153) + var x183 uint32 + var x184 uint1 + x183, x184 = addcarryxU32(x135, x166, 0x0) + var x185 uint32 + var x186 uint1 + x185, x186 = addcarryxU32(x137, x168, x184) + var x187 uint32 + var x188 uint1 + x187, x188 = addcarryxU32(x139, x170, x186) + var x189 uint32 + var x190 uint1 + x189, x190 = addcarryxU32(x141, x172, x188) + var x191 uint32 + var x192 uint1 + x191, x192 = addcarryxU32(x143, x174, x190) + var x193 uint32 + var x194 uint1 + x193, x194 = addcarryxU32(x145, x176, x192) + var x195 uint32 + var x196 uint1 + x195, x196 = addcarryxU32(x147, x178, x194) + var x197 uint32 + var x198 uint1 + x197, x198 = addcarryxU32(x149, x180, x196) + var x199 uint32 + var x200 uint1 + x199, x200 = addcarryxU32(x151, x182, x198) + var x201 uint32 + var x202 uint32 + x202, x201 = bits.Mul32(x183, 0xffffffff) + var x203 uint32 + var x204 uint32 + x204, x203 = bits.Mul32(x183, 0xffffffff) + var x205 uint32 + var x206 uint32 + x206, x205 = bits.Mul32(x183, 0xffffffff) + var x207 uint32 + var x208 uint32 + x208, x207 = bits.Mul32(x183, 0xffffffff) + var x209 
uint32 + var x210 uint1 + x209, x210 = addcarryxU32(x208, x205, 0x0) + var x211 uint32 + var x212 uint1 + x211, x212 = addcarryxU32(x206, x203, x210) + x213 := (uint32(x212) + x204) + var x215 uint1 + _, x215 = addcarryxU32(x183, x207, 0x0) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x185, x209, x215) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x187, x211, x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x189, x213, x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x191, uint32(0x0), x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x193, uint32(0x0), x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x195, x183, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x197, x201, x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x199, x202, x229) + x232 := (uint32(x231) + uint32(x200)) + var x233 uint32 + var x234 uint32 + x234, x233 = bits.Mul32(x3, arg2[7]) + var x235 uint32 + var x236 uint32 + x236, x235 = bits.Mul32(x3, arg2[6]) + var x237 uint32 + var x238 uint32 + x238, x237 = bits.Mul32(x3, arg2[5]) + var x239 uint32 + var x240 uint32 + x240, x239 = bits.Mul32(x3, arg2[4]) + var x241 uint32 + var x242 uint32 + x242, x241 = bits.Mul32(x3, arg2[3]) + var x243 uint32 + var x244 uint32 + x244, x243 = bits.Mul32(x3, arg2[2]) + var x245 uint32 + var x246 uint32 + x246, x245 = bits.Mul32(x3, arg2[1]) + var x247 uint32 + var x248 uint32 + x248, x247 = bits.Mul32(x3, arg2[0]) + var x249 uint32 + var x250 uint1 + x249, x250 = addcarryxU32(x248, x245, 0x0) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x246, x243, x250) + var x253 uint32 + var x254 uint1 + x253, x254 = addcarryxU32(x244, x241, x252) + var x255 uint32 + var x256 uint1 + x255, x256 = addcarryxU32(x242, x239, x254) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x240, x237, x256) + var x259 uint32 + var x260 uint1 + x259, x260 = 
addcarryxU32(x238, x235, x258) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x236, x233, x260) + x263 := (uint32(x262) + x234) + var x264 uint32 + var x265 uint1 + x264, x265 = addcarryxU32(x216, x247, 0x0) + var x266 uint32 + var x267 uint1 + x266, x267 = addcarryxU32(x218, x249, x265) + var x268 uint32 + var x269 uint1 + x268, x269 = addcarryxU32(x220, x251, x267) + var x270 uint32 + var x271 uint1 + x270, x271 = addcarryxU32(x222, x253, x269) + var x272 uint32 + var x273 uint1 + x272, x273 = addcarryxU32(x224, x255, x271) + var x274 uint32 + var x275 uint1 + x274, x275 = addcarryxU32(x226, x257, x273) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x228, x259, x275) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32(x230, x261, x277) + var x280 uint32 + var x281 uint1 + x280, x281 = addcarryxU32(x232, x263, x279) + var x282 uint32 + var x283 uint32 + x283, x282 = bits.Mul32(x264, 0xffffffff) + var x284 uint32 + var x285 uint32 + x285, x284 = bits.Mul32(x264, 0xffffffff) + var x286 uint32 + var x287 uint32 + x287, x286 = bits.Mul32(x264, 0xffffffff) + var x288 uint32 + var x289 uint32 + x289, x288 = bits.Mul32(x264, 0xffffffff) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x289, x286, 0x0) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x287, x284, x291) + x294 := (uint32(x293) + x285) + var x296 uint1 + _, x296 = addcarryxU32(x264, x288, 0x0) + var x297 uint32 + var x298 uint1 + x297, x298 = addcarryxU32(x266, x290, x296) + var x299 uint32 + var x300 uint1 + x299, x300 = addcarryxU32(x268, x292, x298) + var x301 uint32 + var x302 uint1 + x301, x302 = addcarryxU32(x270, x294, x300) + var x303 uint32 + var x304 uint1 + x303, x304 = addcarryxU32(x272, uint32(0x0), x302) + var x305 uint32 + var x306 uint1 + x305, x306 = addcarryxU32(x274, uint32(0x0), x304) + var x307 uint32 + var x308 uint1 + x307, x308 = addcarryxU32(x276, x264, x306) + var x309 uint32 + var x310 uint1 + x309, x310 = 
addcarryxU32(x278, x282, x308) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x280, x283, x310) + x313 := (uint32(x312) + uint32(x281)) + var x314 uint32 + var x315 uint32 + x315, x314 = bits.Mul32(x4, arg2[7]) + var x316 uint32 + var x317 uint32 + x317, x316 = bits.Mul32(x4, arg2[6]) + var x318 uint32 + var x319 uint32 + x319, x318 = bits.Mul32(x4, arg2[5]) + var x320 uint32 + var x321 uint32 + x321, x320 = bits.Mul32(x4, arg2[4]) + var x322 uint32 + var x323 uint32 + x323, x322 = bits.Mul32(x4, arg2[3]) + var x324 uint32 + var x325 uint32 + x325, x324 = bits.Mul32(x4, arg2[2]) + var x326 uint32 + var x327 uint32 + x327, x326 = bits.Mul32(x4, arg2[1]) + var x328 uint32 + var x329 uint32 + x329, x328 = bits.Mul32(x4, arg2[0]) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x329, x326, 0x0) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x327, x324, x331) + var x334 uint32 + var x335 uint1 + x334, x335 = addcarryxU32(x325, x322, x333) + var x336 uint32 + var x337 uint1 + x336, x337 = addcarryxU32(x323, x320, x335) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x321, x318, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x319, x316, x339) + var x342 uint32 + var x343 uint1 + x342, x343 = addcarryxU32(x317, x314, x341) + x344 := (uint32(x343) + x315) + var x345 uint32 + var x346 uint1 + x345, x346 = addcarryxU32(x297, x328, 0x0) + var x347 uint32 + var x348 uint1 + x347, x348 = addcarryxU32(x299, x330, x346) + var x349 uint32 + var x350 uint1 + x349, x350 = addcarryxU32(x301, x332, x348) + var x351 uint32 + var x352 uint1 + x351, x352 = addcarryxU32(x303, x334, x350) + var x353 uint32 + var x354 uint1 + x353, x354 = addcarryxU32(x305, x336, x352) + var x355 uint32 + var x356 uint1 + x355, x356 = addcarryxU32(x307, x338, x354) + var x357 uint32 + var x358 uint1 + x357, x358 = addcarryxU32(x309, x340, x356) + var x359 uint32 + var x360 uint1 + x359, x360 = addcarryxU32(x311, x342, x358) + 
var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x313, x344, x360) + var x363 uint32 + var x364 uint32 + x364, x363 = bits.Mul32(x345, 0xffffffff) + var x365 uint32 + var x366 uint32 + x366, x365 = bits.Mul32(x345, 0xffffffff) + var x367 uint32 + var x368 uint32 + x368, x367 = bits.Mul32(x345, 0xffffffff) + var x369 uint32 + var x370 uint32 + x370, x369 = bits.Mul32(x345, 0xffffffff) + var x371 uint32 + var x372 uint1 + x371, x372 = addcarryxU32(x370, x367, 0x0) + var x373 uint32 + var x374 uint1 + x373, x374 = addcarryxU32(x368, x365, x372) + x375 := (uint32(x374) + x366) + var x377 uint1 + _, x377 = addcarryxU32(x345, x369, 0x0) + var x378 uint32 + var x379 uint1 + x378, x379 = addcarryxU32(x347, x371, x377) + var x380 uint32 + var x381 uint1 + x380, x381 = addcarryxU32(x349, x373, x379) + var x382 uint32 + var x383 uint1 + x382, x383 = addcarryxU32(x351, x375, x381) + var x384 uint32 + var x385 uint1 + x384, x385 = addcarryxU32(x353, uint32(0x0), x383) + var x386 uint32 + var x387 uint1 + x386, x387 = addcarryxU32(x355, uint32(0x0), x385) + var x388 uint32 + var x389 uint1 + x388, x389 = addcarryxU32(x357, x345, x387) + var x390 uint32 + var x391 uint1 + x390, x391 = addcarryxU32(x359, x363, x389) + var x392 uint32 + var x393 uint1 + x392, x393 = addcarryxU32(x361, x364, x391) + x394 := (uint32(x393) + uint32(x362)) + var x395 uint32 + var x396 uint32 + x396, x395 = bits.Mul32(x5, arg2[7]) + var x397 uint32 + var x398 uint32 + x398, x397 = bits.Mul32(x5, arg2[6]) + var x399 uint32 + var x400 uint32 + x400, x399 = bits.Mul32(x5, arg2[5]) + var x401 uint32 + var x402 uint32 + x402, x401 = bits.Mul32(x5, arg2[4]) + var x403 uint32 + var x404 uint32 + x404, x403 = bits.Mul32(x5, arg2[3]) + var x405 uint32 + var x406 uint32 + x406, x405 = bits.Mul32(x5, arg2[2]) + var x407 uint32 + var x408 uint32 + x408, x407 = bits.Mul32(x5, arg2[1]) + var x409 uint32 + var x410 uint32 + x410, x409 = bits.Mul32(x5, arg2[0]) + var x411 uint32 + var x412 uint1 + x411, 
x412 = addcarryxU32(x410, x407, 0x0) + var x413 uint32 + var x414 uint1 + x413, x414 = addcarryxU32(x408, x405, x412) + var x415 uint32 + var x416 uint1 + x415, x416 = addcarryxU32(x406, x403, x414) + var x417 uint32 + var x418 uint1 + x417, x418 = addcarryxU32(x404, x401, x416) + var x419 uint32 + var x420 uint1 + x419, x420 = addcarryxU32(x402, x399, x418) + var x421 uint32 + var x422 uint1 + x421, x422 = addcarryxU32(x400, x397, x420) + var x423 uint32 + var x424 uint1 + x423, x424 = addcarryxU32(x398, x395, x422) + x425 := (uint32(x424) + x396) + var x426 uint32 + var x427 uint1 + x426, x427 = addcarryxU32(x378, x409, 0x0) + var x428 uint32 + var x429 uint1 + x428, x429 = addcarryxU32(x380, x411, x427) + var x430 uint32 + var x431 uint1 + x430, x431 = addcarryxU32(x382, x413, x429) + var x432 uint32 + var x433 uint1 + x432, x433 = addcarryxU32(x384, x415, x431) + var x434 uint32 + var x435 uint1 + x434, x435 = addcarryxU32(x386, x417, x433) + var x436 uint32 + var x437 uint1 + x436, x437 = addcarryxU32(x388, x419, x435) + var x438 uint32 + var x439 uint1 + x438, x439 = addcarryxU32(x390, x421, x437) + var x440 uint32 + var x441 uint1 + x440, x441 = addcarryxU32(x392, x423, x439) + var x442 uint32 + var x443 uint1 + x442, x443 = addcarryxU32(x394, x425, x441) + var x444 uint32 + var x445 uint32 + x445, x444 = bits.Mul32(x426, 0xffffffff) + var x446 uint32 + var x447 uint32 + x447, x446 = bits.Mul32(x426, 0xffffffff) + var x448 uint32 + var x449 uint32 + x449, x448 = bits.Mul32(x426, 0xffffffff) + var x450 uint32 + var x451 uint32 + x451, x450 = bits.Mul32(x426, 0xffffffff) + var x452 uint32 + var x453 uint1 + x452, x453 = addcarryxU32(x451, x448, 0x0) + var x454 uint32 + var x455 uint1 + x454, x455 = addcarryxU32(x449, x446, x453) + x456 := (uint32(x455) + x447) + var x458 uint1 + _, x458 = addcarryxU32(x426, x450, 0x0) + var x459 uint32 + var x460 uint1 + x459, x460 = addcarryxU32(x428, x452, x458) + var x461 uint32 + var x462 uint1 + x461, x462 = 
addcarryxU32(x430, x454, x460) + var x463 uint32 + var x464 uint1 + x463, x464 = addcarryxU32(x432, x456, x462) + var x465 uint32 + var x466 uint1 + x465, x466 = addcarryxU32(x434, uint32(0x0), x464) + var x467 uint32 + var x468 uint1 + x467, x468 = addcarryxU32(x436, uint32(0x0), x466) + var x469 uint32 + var x470 uint1 + x469, x470 = addcarryxU32(x438, x426, x468) + var x471 uint32 + var x472 uint1 + x471, x472 = addcarryxU32(x440, x444, x470) + var x473 uint32 + var x474 uint1 + x473, x474 = addcarryxU32(x442, x445, x472) + x475 := (uint32(x474) + uint32(x443)) + var x476 uint32 + var x477 uint32 + x477, x476 = bits.Mul32(x6, arg2[7]) + var x478 uint32 + var x479 uint32 + x479, x478 = bits.Mul32(x6, arg2[6]) + var x480 uint32 + var x481 uint32 + x481, x480 = bits.Mul32(x6, arg2[5]) + var x482 uint32 + var x483 uint32 + x483, x482 = bits.Mul32(x6, arg2[4]) + var x484 uint32 + var x485 uint32 + x485, x484 = bits.Mul32(x6, arg2[3]) + var x486 uint32 + var x487 uint32 + x487, x486 = bits.Mul32(x6, arg2[2]) + var x488 uint32 + var x489 uint32 + x489, x488 = bits.Mul32(x6, arg2[1]) + var x490 uint32 + var x491 uint32 + x491, x490 = bits.Mul32(x6, arg2[0]) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x491, x488, 0x0) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x489, x486, x493) + var x496 uint32 + var x497 uint1 + x496, x497 = addcarryxU32(x487, x484, x495) + var x498 uint32 + var x499 uint1 + x498, x499 = addcarryxU32(x485, x482, x497) + var x500 uint32 + var x501 uint1 + x500, x501 = addcarryxU32(x483, x480, x499) + var x502 uint32 + var x503 uint1 + x502, x503 = addcarryxU32(x481, x478, x501) + var x504 uint32 + var x505 uint1 + x504, x505 = addcarryxU32(x479, x476, x503) + x506 := (uint32(x505) + x477) + var x507 uint32 + var x508 uint1 + x507, x508 = addcarryxU32(x459, x490, 0x0) + var x509 uint32 + var x510 uint1 + x509, x510 = addcarryxU32(x461, x492, x508) + var x511 uint32 + var x512 uint1 + x511, x512 = addcarryxU32(x463, 
x494, x510) + var x513 uint32 + var x514 uint1 + x513, x514 = addcarryxU32(x465, x496, x512) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x467, x498, x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x469, x500, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x471, x502, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x473, x504, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x475, x506, x522) + var x525 uint32 + var x526 uint32 + x526, x525 = bits.Mul32(x507, 0xffffffff) + var x527 uint32 + var x528 uint32 + x528, x527 = bits.Mul32(x507, 0xffffffff) + var x529 uint32 + var x530 uint32 + x530, x529 = bits.Mul32(x507, 0xffffffff) + var x531 uint32 + var x532 uint32 + x532, x531 = bits.Mul32(x507, 0xffffffff) + var x533 uint32 + var x534 uint1 + x533, x534 = addcarryxU32(x532, x529, 0x0) + var x535 uint32 + var x536 uint1 + x535, x536 = addcarryxU32(x530, x527, x534) + x537 := (uint32(x536) + x528) + var x539 uint1 + _, x539 = addcarryxU32(x507, x531, 0x0) + var x540 uint32 + var x541 uint1 + x540, x541 = addcarryxU32(x509, x533, x539) + var x542 uint32 + var x543 uint1 + x542, x543 = addcarryxU32(x511, x535, x541) + var x544 uint32 + var x545 uint1 + x544, x545 = addcarryxU32(x513, x537, x543) + var x546 uint32 + var x547 uint1 + x546, x547 = addcarryxU32(x515, uint32(0x0), x545) + var x548 uint32 + var x549 uint1 + x548, x549 = addcarryxU32(x517, uint32(0x0), x547) + var x550 uint32 + var x551 uint1 + x550, x551 = addcarryxU32(x519, x507, x549) + var x552 uint32 + var x553 uint1 + x552, x553 = addcarryxU32(x521, x525, x551) + var x554 uint32 + var x555 uint1 + x554, x555 = addcarryxU32(x523, x526, x553) + x556 := (uint32(x555) + uint32(x524)) + var x557 uint32 + var x558 uint32 + x558, x557 = bits.Mul32(x7, arg2[7]) + var x559 uint32 + var x560 uint32 + x560, x559 = bits.Mul32(x7, arg2[6]) + var x561 uint32 + var x562 uint32 + x562, x561 = bits.Mul32(x7, arg2[5]) + 
var x563 uint32 + var x564 uint32 + x564, x563 = bits.Mul32(x7, arg2[4]) + var x565 uint32 + var x566 uint32 + x566, x565 = bits.Mul32(x7, arg2[3]) + var x567 uint32 + var x568 uint32 + x568, x567 = bits.Mul32(x7, arg2[2]) + var x569 uint32 + var x570 uint32 + x570, x569 = bits.Mul32(x7, arg2[1]) + var x571 uint32 + var x572 uint32 + x572, x571 = bits.Mul32(x7, arg2[0]) + var x573 uint32 + var x574 uint1 + x573, x574 = addcarryxU32(x572, x569, 0x0) + var x575 uint32 + var x576 uint1 + x575, x576 = addcarryxU32(x570, x567, x574) + var x577 uint32 + var x578 uint1 + x577, x578 = addcarryxU32(x568, x565, x576) + var x579 uint32 + var x580 uint1 + x579, x580 = addcarryxU32(x566, x563, x578) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x564, x561, x580) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32(x562, x559, x582) + var x585 uint32 + var x586 uint1 + x585, x586 = addcarryxU32(x560, x557, x584) + x587 := (uint32(x586) + x558) + var x588 uint32 + var x589 uint1 + x588, x589 = addcarryxU32(x540, x571, 0x0) + var x590 uint32 + var x591 uint1 + x590, x591 = addcarryxU32(x542, x573, x589) + var x592 uint32 + var x593 uint1 + x592, x593 = addcarryxU32(x544, x575, x591) + var x594 uint32 + var x595 uint1 + x594, x595 = addcarryxU32(x546, x577, x593) + var x596 uint32 + var x597 uint1 + x596, x597 = addcarryxU32(x548, x579, x595) + var x598 uint32 + var x599 uint1 + x598, x599 = addcarryxU32(x550, x581, x597) + var x600 uint32 + var x601 uint1 + x600, x601 = addcarryxU32(x552, x583, x599) + var x602 uint32 + var x603 uint1 + x602, x603 = addcarryxU32(x554, x585, x601) + var x604 uint32 + var x605 uint1 + x604, x605 = addcarryxU32(x556, x587, x603) + var x606 uint32 + var x607 uint32 + x607, x606 = bits.Mul32(x588, 0xffffffff) + var x608 uint32 + var x609 uint32 + x609, x608 = bits.Mul32(x588, 0xffffffff) + var x610 uint32 + var x611 uint32 + x611, x610 = bits.Mul32(x588, 0xffffffff) + var x612 uint32 + var x613 uint32 + x613, x612 = 
bits.Mul32(x588, 0xffffffff) + var x614 uint32 + var x615 uint1 + x614, x615 = addcarryxU32(x613, x610, 0x0) + var x616 uint32 + var x617 uint1 + x616, x617 = addcarryxU32(x611, x608, x615) + x618 := (uint32(x617) + x609) + var x620 uint1 + _, x620 = addcarryxU32(x588, x612, 0x0) + var x621 uint32 + var x622 uint1 + x621, x622 = addcarryxU32(x590, x614, x620) + var x623 uint32 + var x624 uint1 + x623, x624 = addcarryxU32(x592, x616, x622) + var x625 uint32 + var x626 uint1 + x625, x626 = addcarryxU32(x594, x618, x624) + var x627 uint32 + var x628 uint1 + x627, x628 = addcarryxU32(x596, uint32(0x0), x626) + var x629 uint32 + var x630 uint1 + x629, x630 = addcarryxU32(x598, uint32(0x0), x628) + var x631 uint32 + var x632 uint1 + x631, x632 = addcarryxU32(x600, x588, x630) + var x633 uint32 + var x634 uint1 + x633, x634 = addcarryxU32(x602, x606, x632) + var x635 uint32 + var x636 uint1 + x635, x636 = addcarryxU32(x604, x607, x634) + x637 := (uint32(x636) + uint32(x605)) + var x638 uint32 + var x639 uint1 + x638, x639 = subborrowxU32(x621, 0xffffffff, 0x0) + var x640 uint32 + var x641 uint1 + x640, x641 = subborrowxU32(x623, 0xffffffff, x639) + var x642 uint32 + var x643 uint1 + x642, x643 = subborrowxU32(x625, 0xffffffff, x641) + var x644 uint32 + var x645 uint1 + x644, x645 = subborrowxU32(x627, uint32(0x0), x643) + var x646 uint32 + var x647 uint1 + x646, x647 = subborrowxU32(x629, uint32(0x0), x645) + var x648 uint32 + var x649 uint1 + x648, x649 = subborrowxU32(x631, uint32(0x0), x647) + var x650 uint32 + var x651 uint1 + x650, x651 = subborrowxU32(x633, uint32(0x1), x649) + var x652 uint32 + var x653 uint1 + x652, x653 = subborrowxU32(x635, 0xffffffff, x651) + var x655 uint1 + _, x655 = subborrowxU32(x637, uint32(0x0), x653) + var x656 uint32 + cmovznzU32(&x656, x655, x638, x621) + var x657 uint32 + cmovznzU32(&x657, x655, x640, x623) + var x658 uint32 + cmovznzU32(&x658, x655, x642, x625) + var x659 uint32 + cmovznzU32(&x659, x655, x644, x627) + var x660 uint32 
+ cmovznzU32(&x660, x655, x646, x629) + var x661 uint32 + cmovznzU32(&x661, x655, x648, x631) + var x662 uint32 + cmovznzU32(&x662, x655, x650, x633) + var x663 uint32 + cmovznzU32(&x663, x655, x652, x635) + out1[0] = x656 + out1[1] = x657 + out1[2] = x658 + out1[3] = x659 + out1[4] = x660 + out1[5] = x661 + out1[6] = x662 + out1[7] = x663 } -/* - The function Square squares a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Square(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[0]) - var x9 uint32 - var x10 uint32 - x10, x9 = bits.Mul32(x8, (arg1[7])) - var x11 uint32 - var x12 uint32 - x12, x11 = bits.Mul32(x8, (arg1[6])) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x8, (arg1[5])) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x8, (arg1[4])) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x8, (arg1[3])) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x8, (arg1[2])) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x8, (arg1[1])) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x8, (arg1[0])) - var x25 uint32 - var x26 uint1 - x25, x26 = addcarryxU32(x24, x21, 0x0) - var x27 uint32 - var x28 uint1 - x27, x28 = addcarryxU32(x22, x19, x26) - var x29 uint32 - var x30 uint1 - x29, x30 = addcarryxU32(x20, x17, x28) - var x31 uint32 - var x32 uint1 - x31, x32 = addcarryxU32(x18, x15, x30) - var x33 uint32 - var x34 uint1 - x33, x34 = addcarryxU32(x16, x13, x32) - var x35 uint32 - var x36 uint1 - x35, x36 = addcarryxU32(x14, x11, x34) - var x37 uint32 - var x38 uint1 - x37, x38 = addcarryxU32(x12, x9, x36) - var x39 uint32 = (uint32(x38) + 
x10) - var x40 uint32 - var x41 uint32 - x41, x40 = bits.Mul32(x23, 0xffffffff) - var x42 uint32 - var x43 uint32 - x43, x42 = bits.Mul32(x23, 0xffffffff) - var x44 uint32 - var x45 uint32 - x45, x44 = bits.Mul32(x23, 0xffffffff) - var x46 uint32 - var x47 uint32 - x47, x46 = bits.Mul32(x23, 0xffffffff) - var x48 uint32 - var x49 uint1 - x48, x49 = addcarryxU32(x47, x44, 0x0) - var x50 uint32 - var x51 uint1 - x50, x51 = addcarryxU32(x45, x42, x49) - var x52 uint32 = (uint32(x51) + x43) - var x54 uint1 - _, x54 = addcarryxU32(x23, x46, 0x0) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x25, x48, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x27, x50, x56) - var x59 uint32 - var x60 uint1 - x59, x60 = addcarryxU32(x29, x52, x58) - var x61 uint32 - var x62 uint1 - x61, x62 = addcarryxU32(x31, uint32(0x0), x60) - var x63 uint32 - var x64 uint1 - x63, x64 = addcarryxU32(x33, uint32(0x0), x62) - var x65 uint32 - var x66 uint1 - x65, x66 = addcarryxU32(x35, x23, x64) - var x67 uint32 - var x68 uint1 - x67, x68 = addcarryxU32(x37, x40, x66) - var x69 uint32 - var x70 uint1 - x69, x70 = addcarryxU32(x39, x41, x68) - var x71 uint32 - var x72 uint32 - x72, x71 = bits.Mul32(x1, (arg1[7])) - var x73 uint32 - var x74 uint32 - x74, x73 = bits.Mul32(x1, (arg1[6])) - var x75 uint32 - var x76 uint32 - x76, x75 = bits.Mul32(x1, (arg1[5])) - var x77 uint32 - var x78 uint32 - x78, x77 = bits.Mul32(x1, (arg1[4])) - var x79 uint32 - var x80 uint32 - x80, x79 = bits.Mul32(x1, (arg1[3])) - var x81 uint32 - var x82 uint32 - x82, x81 = bits.Mul32(x1, (arg1[2])) - var x83 uint32 - var x84 uint32 - x84, x83 = bits.Mul32(x1, (arg1[1])) - var x85 uint32 - var x86 uint32 - x86, x85 = bits.Mul32(x1, (arg1[0])) - var x87 uint32 - var x88 uint1 - x87, x88 = addcarryxU32(x86, x83, 0x0) - var x89 uint32 - var x90 uint1 - x89, x90 = addcarryxU32(x84, x81, x88) - var x91 uint32 - var x92 uint1 - x91, x92 = addcarryxU32(x82, x79, x90) - var x93 uint32 - var x94 uint1 - 
x93, x94 = addcarryxU32(x80, x77, x92) - var x95 uint32 - var x96 uint1 - x95, x96 = addcarryxU32(x78, x75, x94) - var x97 uint32 - var x98 uint1 - x97, x98 = addcarryxU32(x76, x73, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x74, x71, x98) - var x101 uint32 = (uint32(x100) + x72) - var x102 uint32 - var x103 uint1 - x102, x103 = addcarryxU32(x55, x85, 0x0) - var x104 uint32 - var x105 uint1 - x104, x105 = addcarryxU32(x57, x87, x103) - var x106 uint32 - var x107 uint1 - x106, x107 = addcarryxU32(x59, x89, x105) - var x108 uint32 - var x109 uint1 - x108, x109 = addcarryxU32(x61, x91, x107) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x63, x93, x109) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x65, x95, x111) - var x114 uint32 - var x115 uint1 - x114, x115 = addcarryxU32(x67, x97, x113) - var x116 uint32 - var x117 uint1 - x116, x117 = addcarryxU32(x69, x99, x115) - var x118 uint32 - var x119 uint1 - x118, x119 = addcarryxU32(uint32(x70), x101, x117) - var x120 uint32 - var x121 uint32 - x121, x120 = bits.Mul32(x102, 0xffffffff) - var x122 uint32 - var x123 uint32 - x123, x122 = bits.Mul32(x102, 0xffffffff) - var x124 uint32 - var x125 uint32 - x125, x124 = bits.Mul32(x102, 0xffffffff) - var x126 uint32 - var x127 uint32 - x127, x126 = bits.Mul32(x102, 0xffffffff) - var x128 uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x127, x124, 0x0) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x125, x122, x129) - var x132 uint32 = (uint32(x131) + x123) - var x134 uint1 - _, x134 = addcarryxU32(x102, x126, 0x0) - var x135 uint32 - var x136 uint1 - x135, x136 = addcarryxU32(x104, x128, x134) - var x137 uint32 - var x138 uint1 - x137, x138 = addcarryxU32(x106, x130, x136) - var x139 uint32 - var x140 uint1 - x139, x140 = addcarryxU32(x108, x132, x138) - var x141 uint32 - var x142 uint1 - x141, x142 = addcarryxU32(x110, uint32(0x0), x140) - var x143 uint32 - var x144 uint1 - x143, x144 = 
addcarryxU32(x112, uint32(0x0), x142) - var x145 uint32 - var x146 uint1 - x145, x146 = addcarryxU32(x114, x102, x144) - var x147 uint32 - var x148 uint1 - x147, x148 = addcarryxU32(x116, x120, x146) - var x149 uint32 - var x150 uint1 - x149, x150 = addcarryxU32(x118, x121, x148) - var x151 uint32 = (uint32(x150) + uint32(x119)) - var x152 uint32 - var x153 uint32 - x153, x152 = bits.Mul32(x2, (arg1[7])) - var x154 uint32 - var x155 uint32 - x155, x154 = bits.Mul32(x2, (arg1[6])) - var x156 uint32 - var x157 uint32 - x157, x156 = bits.Mul32(x2, (arg1[5])) - var x158 uint32 - var x159 uint32 - x159, x158 = bits.Mul32(x2, (arg1[4])) - var x160 uint32 - var x161 uint32 - x161, x160 = bits.Mul32(x2, (arg1[3])) - var x162 uint32 - var x163 uint32 - x163, x162 = bits.Mul32(x2, (arg1[2])) - var x164 uint32 - var x165 uint32 - x165, x164 = bits.Mul32(x2, (arg1[1])) - var x166 uint32 - var x167 uint32 - x167, x166 = bits.Mul32(x2, (arg1[0])) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x167, x164, 0x0) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x165, x162, x169) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x163, x160, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x161, x158, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x159, x156, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x157, x154, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x155, x152, x179) - var x182 uint32 = (uint32(x181) + x153) - var x183 uint32 - var x184 uint1 - x183, x184 = addcarryxU32(x135, x166, 0x0) - var x185 uint32 - var x186 uint1 - x185, x186 = addcarryxU32(x137, x168, x184) - var x187 uint32 - var x188 uint1 - x187, x188 = addcarryxU32(x139, x170, x186) - var x189 uint32 - var x190 uint1 - x189, x190 = addcarryxU32(x141, x172, x188) - var x191 uint32 - var x192 uint1 - x191, x192 = addcarryxU32(x143, x174, x190) - var x193 uint32 - var x194 uint1 - 
x193, x194 = addcarryxU32(x145, x176, x192) - var x195 uint32 - var x196 uint1 - x195, x196 = addcarryxU32(x147, x178, x194) - var x197 uint32 - var x198 uint1 - x197, x198 = addcarryxU32(x149, x180, x196) - var x199 uint32 - var x200 uint1 - x199, x200 = addcarryxU32(x151, x182, x198) - var x201 uint32 - var x202 uint32 - x202, x201 = bits.Mul32(x183, 0xffffffff) - var x203 uint32 - var x204 uint32 - x204, x203 = bits.Mul32(x183, 0xffffffff) - var x205 uint32 - var x206 uint32 - x206, x205 = bits.Mul32(x183, 0xffffffff) - var x207 uint32 - var x208 uint32 - x208, x207 = bits.Mul32(x183, 0xffffffff) - var x209 uint32 - var x210 uint1 - x209, x210 = addcarryxU32(x208, x205, 0x0) - var x211 uint32 - var x212 uint1 - x211, x212 = addcarryxU32(x206, x203, x210) - var x213 uint32 = (uint32(x212) + x204) - var x215 uint1 - _, x215 = addcarryxU32(x183, x207, 0x0) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x185, x209, x215) - var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x187, x211, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x189, x213, x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32(x191, uint32(0x0), x221) - var x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x193, uint32(0x0), x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x195, x183, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x197, x201, x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x199, x202, x229) - var x232 uint32 = (uint32(x231) + uint32(x200)) - var x233 uint32 - var x234 uint32 - x234, x233 = bits.Mul32(x3, (arg1[7])) - var x235 uint32 - var x236 uint32 - x236, x235 = bits.Mul32(x3, (arg1[6])) - var x237 uint32 - var x238 uint32 - x238, x237 = bits.Mul32(x3, (arg1[5])) - var x239 uint32 - var x240 uint32 - x240, x239 = bits.Mul32(x3, (arg1[4])) - var x241 uint32 - var x242 uint32 - x242, x241 = bits.Mul32(x3, (arg1[3])) - var x243 uint32 - var x244 
uint32 - x244, x243 = bits.Mul32(x3, (arg1[2])) - var x245 uint32 - var x246 uint32 - x246, x245 = bits.Mul32(x3, (arg1[1])) - var x247 uint32 - var x248 uint32 - x248, x247 = bits.Mul32(x3, (arg1[0])) - var x249 uint32 - var x250 uint1 - x249, x250 = addcarryxU32(x248, x245, 0x0) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x246, x243, x250) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x244, x241, x252) - var x255 uint32 - var x256 uint1 - x255, x256 = addcarryxU32(x242, x239, x254) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x240, x237, x256) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x238, x235, x258) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x236, x233, x260) - var x263 uint32 = (uint32(x262) + x234) - var x264 uint32 - var x265 uint1 - x264, x265 = addcarryxU32(x216, x247, 0x0) - var x266 uint32 - var x267 uint1 - x266, x267 = addcarryxU32(x218, x249, x265) - var x268 uint32 - var x269 uint1 - x268, x269 = addcarryxU32(x220, x251, x267) - var x270 uint32 - var x271 uint1 - x270, x271 = addcarryxU32(x222, x253, x269) - var x272 uint32 - var x273 uint1 - x272, x273 = addcarryxU32(x224, x255, x271) - var x274 uint32 - var x275 uint1 - x274, x275 = addcarryxU32(x226, x257, x273) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x228, x259, x275) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32(x230, x261, x277) - var x280 uint32 - var x281 uint1 - x280, x281 = addcarryxU32(x232, x263, x279) - var x282 uint32 - var x283 uint32 - x283, x282 = bits.Mul32(x264, 0xffffffff) - var x284 uint32 - var x285 uint32 - x285, x284 = bits.Mul32(x264, 0xffffffff) - var x286 uint32 - var x287 uint32 - x287, x286 = bits.Mul32(x264, 0xffffffff) - var x288 uint32 - var x289 uint32 - x289, x288 = bits.Mul32(x264, 0xffffffff) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x289, x286, 0x0) - var x292 uint32 - var x293 uint1 - x292, x293 = 
addcarryxU32(x287, x284, x291) - var x294 uint32 = (uint32(x293) + x285) - var x296 uint1 - _, x296 = addcarryxU32(x264, x288, 0x0) - var x297 uint32 - var x298 uint1 - x297, x298 = addcarryxU32(x266, x290, x296) - var x299 uint32 - var x300 uint1 - x299, x300 = addcarryxU32(x268, x292, x298) - var x301 uint32 - var x302 uint1 - x301, x302 = addcarryxU32(x270, x294, x300) - var x303 uint32 - var x304 uint1 - x303, x304 = addcarryxU32(x272, uint32(0x0), x302) - var x305 uint32 - var x306 uint1 - x305, x306 = addcarryxU32(x274, uint32(0x0), x304) - var x307 uint32 - var x308 uint1 - x307, x308 = addcarryxU32(x276, x264, x306) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x278, x282, x308) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x280, x283, x310) - var x313 uint32 = (uint32(x312) + uint32(x281)) - var x314 uint32 - var x315 uint32 - x315, x314 = bits.Mul32(x4, (arg1[7])) - var x316 uint32 - var x317 uint32 - x317, x316 = bits.Mul32(x4, (arg1[6])) - var x318 uint32 - var x319 uint32 - x319, x318 = bits.Mul32(x4, (arg1[5])) - var x320 uint32 - var x321 uint32 - x321, x320 = bits.Mul32(x4, (arg1[4])) - var x322 uint32 - var x323 uint32 - x323, x322 = bits.Mul32(x4, (arg1[3])) - var x324 uint32 - var x325 uint32 - x325, x324 = bits.Mul32(x4, (arg1[2])) - var x326 uint32 - var x327 uint32 - x327, x326 = bits.Mul32(x4, (arg1[1])) - var x328 uint32 - var x329 uint32 - x329, x328 = bits.Mul32(x4, (arg1[0])) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x329, x326, 0x0) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x327, x324, x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x325, x322, x333) - var x336 uint32 - var x337 uint1 - x336, x337 = addcarryxU32(x323, x320, x335) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x321, x318, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x319, x316, x339) - var x342 uint32 - var x343 uint1 - x342, x343 = 
addcarryxU32(x317, x314, x341) - var x344 uint32 = (uint32(x343) + x315) - var x345 uint32 - var x346 uint1 - x345, x346 = addcarryxU32(x297, x328, 0x0) - var x347 uint32 - var x348 uint1 - x347, x348 = addcarryxU32(x299, x330, x346) - var x349 uint32 - var x350 uint1 - x349, x350 = addcarryxU32(x301, x332, x348) - var x351 uint32 - var x352 uint1 - x351, x352 = addcarryxU32(x303, x334, x350) - var x353 uint32 - var x354 uint1 - x353, x354 = addcarryxU32(x305, x336, x352) - var x355 uint32 - var x356 uint1 - x355, x356 = addcarryxU32(x307, x338, x354) - var x357 uint32 - var x358 uint1 - x357, x358 = addcarryxU32(x309, x340, x356) - var x359 uint32 - var x360 uint1 - x359, x360 = addcarryxU32(x311, x342, x358) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x313, x344, x360) - var x363 uint32 - var x364 uint32 - x364, x363 = bits.Mul32(x345, 0xffffffff) - var x365 uint32 - var x366 uint32 - x366, x365 = bits.Mul32(x345, 0xffffffff) - var x367 uint32 - var x368 uint32 - x368, x367 = bits.Mul32(x345, 0xffffffff) - var x369 uint32 - var x370 uint32 - x370, x369 = bits.Mul32(x345, 0xffffffff) - var x371 uint32 - var x372 uint1 - x371, x372 = addcarryxU32(x370, x367, 0x0) - var x373 uint32 - var x374 uint1 - x373, x374 = addcarryxU32(x368, x365, x372) - var x375 uint32 = (uint32(x374) + x366) - var x377 uint1 - _, x377 = addcarryxU32(x345, x369, 0x0) - var x378 uint32 - var x379 uint1 - x378, x379 = addcarryxU32(x347, x371, x377) - var x380 uint32 - var x381 uint1 - x380, x381 = addcarryxU32(x349, x373, x379) - var x382 uint32 - var x383 uint1 - x382, x383 = addcarryxU32(x351, x375, x381) - var x384 uint32 - var x385 uint1 - x384, x385 = addcarryxU32(x353, uint32(0x0), x383) - var x386 uint32 - var x387 uint1 - x386, x387 = addcarryxU32(x355, uint32(0x0), x385) - var x388 uint32 - var x389 uint1 - x388, x389 = addcarryxU32(x357, x345, x387) - var x390 uint32 - var x391 uint1 - x390, x391 = addcarryxU32(x359, x363, x389) - var x392 uint32 - var x393 uint1 
- x392, x393 = addcarryxU32(x361, x364, x391) - var x394 uint32 = (uint32(x393) + uint32(x362)) - var x395 uint32 - var x396 uint32 - x396, x395 = bits.Mul32(x5, (arg1[7])) - var x397 uint32 - var x398 uint32 - x398, x397 = bits.Mul32(x5, (arg1[6])) - var x399 uint32 - var x400 uint32 - x400, x399 = bits.Mul32(x5, (arg1[5])) - var x401 uint32 - var x402 uint32 - x402, x401 = bits.Mul32(x5, (arg1[4])) - var x403 uint32 - var x404 uint32 - x404, x403 = bits.Mul32(x5, (arg1[3])) - var x405 uint32 - var x406 uint32 - x406, x405 = bits.Mul32(x5, (arg1[2])) - var x407 uint32 - var x408 uint32 - x408, x407 = bits.Mul32(x5, (arg1[1])) - var x409 uint32 - var x410 uint32 - x410, x409 = bits.Mul32(x5, (arg1[0])) - var x411 uint32 - var x412 uint1 - x411, x412 = addcarryxU32(x410, x407, 0x0) - var x413 uint32 - var x414 uint1 - x413, x414 = addcarryxU32(x408, x405, x412) - var x415 uint32 - var x416 uint1 - x415, x416 = addcarryxU32(x406, x403, x414) - var x417 uint32 - var x418 uint1 - x417, x418 = addcarryxU32(x404, x401, x416) - var x419 uint32 - var x420 uint1 - x419, x420 = addcarryxU32(x402, x399, x418) - var x421 uint32 - var x422 uint1 - x421, x422 = addcarryxU32(x400, x397, x420) - var x423 uint32 - var x424 uint1 - x423, x424 = addcarryxU32(x398, x395, x422) - var x425 uint32 = (uint32(x424) + x396) - var x426 uint32 - var x427 uint1 - x426, x427 = addcarryxU32(x378, x409, 0x0) - var x428 uint32 - var x429 uint1 - x428, x429 = addcarryxU32(x380, x411, x427) - var x430 uint32 - var x431 uint1 - x430, x431 = addcarryxU32(x382, x413, x429) - var x432 uint32 - var x433 uint1 - x432, x433 = addcarryxU32(x384, x415, x431) - var x434 uint32 - var x435 uint1 - x434, x435 = addcarryxU32(x386, x417, x433) - var x436 uint32 - var x437 uint1 - x436, x437 = addcarryxU32(x388, x419, x435) - var x438 uint32 - var x439 uint1 - x438, x439 = addcarryxU32(x390, x421, x437) - var x440 uint32 - var x441 uint1 - x440, x441 = addcarryxU32(x392, x423, x439) - var x442 uint32 - var x443 
uint1 - x442, x443 = addcarryxU32(x394, x425, x441) - var x444 uint32 - var x445 uint32 - x445, x444 = bits.Mul32(x426, 0xffffffff) - var x446 uint32 - var x447 uint32 - x447, x446 = bits.Mul32(x426, 0xffffffff) - var x448 uint32 - var x449 uint32 - x449, x448 = bits.Mul32(x426, 0xffffffff) - var x450 uint32 - var x451 uint32 - x451, x450 = bits.Mul32(x426, 0xffffffff) - var x452 uint32 - var x453 uint1 - x452, x453 = addcarryxU32(x451, x448, 0x0) - var x454 uint32 - var x455 uint1 - x454, x455 = addcarryxU32(x449, x446, x453) - var x456 uint32 = (uint32(x455) + x447) - var x458 uint1 - _, x458 = addcarryxU32(x426, x450, 0x0) - var x459 uint32 - var x460 uint1 - x459, x460 = addcarryxU32(x428, x452, x458) - var x461 uint32 - var x462 uint1 - x461, x462 = addcarryxU32(x430, x454, x460) - var x463 uint32 - var x464 uint1 - x463, x464 = addcarryxU32(x432, x456, x462) - var x465 uint32 - var x466 uint1 - x465, x466 = addcarryxU32(x434, uint32(0x0), x464) - var x467 uint32 - var x468 uint1 - x467, x468 = addcarryxU32(x436, uint32(0x0), x466) - var x469 uint32 - var x470 uint1 - x469, x470 = addcarryxU32(x438, x426, x468) - var x471 uint32 - var x472 uint1 - x471, x472 = addcarryxU32(x440, x444, x470) - var x473 uint32 - var x474 uint1 - x473, x474 = addcarryxU32(x442, x445, x472) - var x475 uint32 = (uint32(x474) + uint32(x443)) - var x476 uint32 - var x477 uint32 - x477, x476 = bits.Mul32(x6, (arg1[7])) - var x478 uint32 - var x479 uint32 - x479, x478 = bits.Mul32(x6, (arg1[6])) - var x480 uint32 - var x481 uint32 - x481, x480 = bits.Mul32(x6, (arg1[5])) - var x482 uint32 - var x483 uint32 - x483, x482 = bits.Mul32(x6, (arg1[4])) - var x484 uint32 - var x485 uint32 - x485, x484 = bits.Mul32(x6, (arg1[3])) - var x486 uint32 - var x487 uint32 - x487, x486 = bits.Mul32(x6, (arg1[2])) - var x488 uint32 - var x489 uint32 - x489, x488 = bits.Mul32(x6, (arg1[1])) - var x490 uint32 - var x491 uint32 - x491, x490 = bits.Mul32(x6, (arg1[0])) - var x492 uint32 - var x493 uint1 - 
x492, x493 = addcarryxU32(x491, x488, 0x0) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x489, x486, x493) - var x496 uint32 - var x497 uint1 - x496, x497 = addcarryxU32(x487, x484, x495) - var x498 uint32 - var x499 uint1 - x498, x499 = addcarryxU32(x485, x482, x497) - var x500 uint32 - var x501 uint1 - x500, x501 = addcarryxU32(x483, x480, x499) - var x502 uint32 - var x503 uint1 - x502, x503 = addcarryxU32(x481, x478, x501) - var x504 uint32 - var x505 uint1 - x504, x505 = addcarryxU32(x479, x476, x503) - var x506 uint32 = (uint32(x505) + x477) - var x507 uint32 - var x508 uint1 - x507, x508 = addcarryxU32(x459, x490, 0x0) - var x509 uint32 - var x510 uint1 - x509, x510 = addcarryxU32(x461, x492, x508) - var x511 uint32 - var x512 uint1 - x511, x512 = addcarryxU32(x463, x494, x510) - var x513 uint32 - var x514 uint1 - x513, x514 = addcarryxU32(x465, x496, x512) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x467, x498, x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x469, x500, x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x471, x502, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x473, x504, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x475, x506, x522) - var x525 uint32 - var x526 uint32 - x526, x525 = bits.Mul32(x507, 0xffffffff) - var x527 uint32 - var x528 uint32 - x528, x527 = bits.Mul32(x507, 0xffffffff) - var x529 uint32 - var x530 uint32 - x530, x529 = bits.Mul32(x507, 0xffffffff) - var x531 uint32 - var x532 uint32 - x532, x531 = bits.Mul32(x507, 0xffffffff) - var x533 uint32 - var x534 uint1 - x533, x534 = addcarryxU32(x532, x529, 0x0) - var x535 uint32 - var x536 uint1 - x535, x536 = addcarryxU32(x530, x527, x534) - var x537 uint32 = (uint32(x536) + x528) - var x539 uint1 - _, x539 = addcarryxU32(x507, x531, 0x0) - var x540 uint32 - var x541 uint1 - x540, x541 = addcarryxU32(x509, x533, x539) - var x542 uint32 - var x543 uint1 - 
x542, x543 = addcarryxU32(x511, x535, x541) - var x544 uint32 - var x545 uint1 - x544, x545 = addcarryxU32(x513, x537, x543) - var x546 uint32 - var x547 uint1 - x546, x547 = addcarryxU32(x515, uint32(0x0), x545) - var x548 uint32 - var x549 uint1 - x548, x549 = addcarryxU32(x517, uint32(0x0), x547) - var x550 uint32 - var x551 uint1 - x550, x551 = addcarryxU32(x519, x507, x549) - var x552 uint32 - var x553 uint1 - x552, x553 = addcarryxU32(x521, x525, x551) - var x554 uint32 - var x555 uint1 - x554, x555 = addcarryxU32(x523, x526, x553) - var x556 uint32 = (uint32(x555) + uint32(x524)) - var x557 uint32 - var x558 uint32 - x558, x557 = bits.Mul32(x7, (arg1[7])) - var x559 uint32 - var x560 uint32 - x560, x559 = bits.Mul32(x7, (arg1[6])) - var x561 uint32 - var x562 uint32 - x562, x561 = bits.Mul32(x7, (arg1[5])) - var x563 uint32 - var x564 uint32 - x564, x563 = bits.Mul32(x7, (arg1[4])) - var x565 uint32 - var x566 uint32 - x566, x565 = bits.Mul32(x7, (arg1[3])) - var x567 uint32 - var x568 uint32 - x568, x567 = bits.Mul32(x7, (arg1[2])) - var x569 uint32 - var x570 uint32 - x570, x569 = bits.Mul32(x7, (arg1[1])) - var x571 uint32 - var x572 uint32 - x572, x571 = bits.Mul32(x7, (arg1[0])) - var x573 uint32 - var x574 uint1 - x573, x574 = addcarryxU32(x572, x569, 0x0) - var x575 uint32 - var x576 uint1 - x575, x576 = addcarryxU32(x570, x567, x574) - var x577 uint32 - var x578 uint1 - x577, x578 = addcarryxU32(x568, x565, x576) - var x579 uint32 - var x580 uint1 - x579, x580 = addcarryxU32(x566, x563, x578) - var x581 uint32 - var x582 uint1 - x581, x582 = addcarryxU32(x564, x561, x580) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32(x562, x559, x582) - var x585 uint32 - var x586 uint1 - x585, x586 = addcarryxU32(x560, x557, x584) - var x587 uint32 = (uint32(x586) + x558) - var x588 uint32 - var x589 uint1 - x588, x589 = addcarryxU32(x540, x571, 0x0) - var x590 uint32 - var x591 uint1 - x590, x591 = addcarryxU32(x542, x573, x589) - var x592 uint32 - 
var x593 uint1 - x592, x593 = addcarryxU32(x544, x575, x591) - var x594 uint32 - var x595 uint1 - x594, x595 = addcarryxU32(x546, x577, x593) - var x596 uint32 - var x597 uint1 - x596, x597 = addcarryxU32(x548, x579, x595) - var x598 uint32 - var x599 uint1 - x598, x599 = addcarryxU32(x550, x581, x597) - var x600 uint32 - var x601 uint1 - x600, x601 = addcarryxU32(x552, x583, x599) - var x602 uint32 - var x603 uint1 - x602, x603 = addcarryxU32(x554, x585, x601) - var x604 uint32 - var x605 uint1 - x604, x605 = addcarryxU32(x556, x587, x603) - var x606 uint32 - var x607 uint32 - x607, x606 = bits.Mul32(x588, 0xffffffff) - var x608 uint32 - var x609 uint32 - x609, x608 = bits.Mul32(x588, 0xffffffff) - var x610 uint32 - var x611 uint32 - x611, x610 = bits.Mul32(x588, 0xffffffff) - var x612 uint32 - var x613 uint32 - x613, x612 = bits.Mul32(x588, 0xffffffff) - var x614 uint32 - var x615 uint1 - x614, x615 = addcarryxU32(x613, x610, 0x0) - var x616 uint32 - var x617 uint1 - x616, x617 = addcarryxU32(x611, x608, x615) - var x618 uint32 = (uint32(x617) + x609) - var x620 uint1 - _, x620 = addcarryxU32(x588, x612, 0x0) - var x621 uint32 - var x622 uint1 - x621, x622 = addcarryxU32(x590, x614, x620) - var x623 uint32 - var x624 uint1 - x623, x624 = addcarryxU32(x592, x616, x622) - var x625 uint32 - var x626 uint1 - x625, x626 = addcarryxU32(x594, x618, x624) - var x627 uint32 - var x628 uint1 - x627, x628 = addcarryxU32(x596, uint32(0x0), x626) - var x629 uint32 - var x630 uint1 - x629, x630 = addcarryxU32(x598, uint32(0x0), x628) - var x631 uint32 - var x632 uint1 - x631, x632 = addcarryxU32(x600, x588, x630) - var x633 uint32 - var x634 uint1 - x633, x634 = addcarryxU32(x602, x606, x632) - var x635 uint32 - var x636 uint1 - x635, x636 = addcarryxU32(x604, x607, x634) - var x637 uint32 = (uint32(x636) + uint32(x605)) - var x638 uint32 - var x639 uint1 - x638, x639 = subborrowxU32(x621, 0xffffffff, 0x0) - var x640 uint32 - var x641 uint1 - x640, x641 = subborrowxU32(x623, 
0xffffffff, x639) - var x642 uint32 - var x643 uint1 - x642, x643 = subborrowxU32(x625, 0xffffffff, x641) - var x644 uint32 - var x645 uint1 - x644, x645 = subborrowxU32(x627, uint32(0x0), x643) - var x646 uint32 - var x647 uint1 - x646, x647 = subborrowxU32(x629, uint32(0x0), x645) - var x648 uint32 - var x649 uint1 - x648, x649 = subborrowxU32(x631, uint32(0x0), x647) - var x650 uint32 - var x651 uint1 - x650, x651 = subborrowxU32(x633, uint32(0x1), x649) - var x652 uint32 - var x653 uint1 - x652, x653 = subborrowxU32(x635, 0xffffffff, x651) - var x655 uint1 - _, x655 = subborrowxU32(x637, uint32(0x0), x653) - var x656 uint32 - cmovznzU32(&x656, x655, x638, x621) - var x657 uint32 - cmovznzU32(&x657, x655, x640, x623) - var x658 uint32 - cmovznzU32(&x658, x655, x642, x625) - var x659 uint32 - cmovznzU32(&x659, x655, x644, x627) - var x660 uint32 - cmovznzU32(&x660, x655, x646, x629) - var x661 uint32 - cmovznzU32(&x661, x655, x648, x631) - var x662 uint32 - cmovznzU32(&x662, x655, x650, x633) - var x663 uint32 - cmovznzU32(&x663, x655, x652, x635) - out1[0] = x656 - out1[1] = x657 - out1[2] = x658 - out1[3] = x659 - out1[4] = x660 - out1[5] = x661 - out1[6] = x662 - out1[7] = x663 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[0] + var x9 uint32 + var x10 uint32 + x10, x9 = bits.Mul32(x8, arg1[7]) + var x11 uint32 + var x12 uint32 + x12, x11 = bits.Mul32(x8, arg1[6]) + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x8, arg1[5]) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x8, arg1[4]) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x8, arg1[3]) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x8, arg1[2]) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x8, arg1[1]) + var x23 uint32 + var x24 uint32 + x24, x23 = bits.Mul32(x8, arg1[0]) + var x25 uint32 + var x26 uint1 + x25, x26 = addcarryxU32(x24, x21, 0x0) + var x27 uint32 + var x28 
uint1 + x27, x28 = addcarryxU32(x22, x19, x26) + var x29 uint32 + var x30 uint1 + x29, x30 = addcarryxU32(x20, x17, x28) + var x31 uint32 + var x32 uint1 + x31, x32 = addcarryxU32(x18, x15, x30) + var x33 uint32 + var x34 uint1 + x33, x34 = addcarryxU32(x16, x13, x32) + var x35 uint32 + var x36 uint1 + x35, x36 = addcarryxU32(x14, x11, x34) + var x37 uint32 + var x38 uint1 + x37, x38 = addcarryxU32(x12, x9, x36) + x39 := (uint32(x38) + x10) + var x40 uint32 + var x41 uint32 + x41, x40 = bits.Mul32(x23, 0xffffffff) + var x42 uint32 + var x43 uint32 + x43, x42 = bits.Mul32(x23, 0xffffffff) + var x44 uint32 + var x45 uint32 + x45, x44 = bits.Mul32(x23, 0xffffffff) + var x46 uint32 + var x47 uint32 + x47, x46 = bits.Mul32(x23, 0xffffffff) + var x48 uint32 + var x49 uint1 + x48, x49 = addcarryxU32(x47, x44, 0x0) + var x50 uint32 + var x51 uint1 + x50, x51 = addcarryxU32(x45, x42, x49) + x52 := (uint32(x51) + x43) + var x54 uint1 + _, x54 = addcarryxU32(x23, x46, 0x0) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x25, x48, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x27, x50, x56) + var x59 uint32 + var x60 uint1 + x59, x60 = addcarryxU32(x29, x52, x58) + var x61 uint32 + var x62 uint1 + x61, x62 = addcarryxU32(x31, uint32(0x0), x60) + var x63 uint32 + var x64 uint1 + x63, x64 = addcarryxU32(x33, uint32(0x0), x62) + var x65 uint32 + var x66 uint1 + x65, x66 = addcarryxU32(x35, x23, x64) + var x67 uint32 + var x68 uint1 + x67, x68 = addcarryxU32(x37, x40, x66) + var x69 uint32 + var x70 uint1 + x69, x70 = addcarryxU32(x39, x41, x68) + var x71 uint32 + var x72 uint32 + x72, x71 = bits.Mul32(x1, arg1[7]) + var x73 uint32 + var x74 uint32 + x74, x73 = bits.Mul32(x1, arg1[6]) + var x75 uint32 + var x76 uint32 + x76, x75 = bits.Mul32(x1, arg1[5]) + var x77 uint32 + var x78 uint32 + x78, x77 = bits.Mul32(x1, arg1[4]) + var x79 uint32 + var x80 uint32 + x80, x79 = bits.Mul32(x1, arg1[3]) + var x81 uint32 + var x82 uint32 + x82, x81 = 
bits.Mul32(x1, arg1[2]) + var x83 uint32 + var x84 uint32 + x84, x83 = bits.Mul32(x1, arg1[1]) + var x85 uint32 + var x86 uint32 + x86, x85 = bits.Mul32(x1, arg1[0]) + var x87 uint32 + var x88 uint1 + x87, x88 = addcarryxU32(x86, x83, 0x0) + var x89 uint32 + var x90 uint1 + x89, x90 = addcarryxU32(x84, x81, x88) + var x91 uint32 + var x92 uint1 + x91, x92 = addcarryxU32(x82, x79, x90) + var x93 uint32 + var x94 uint1 + x93, x94 = addcarryxU32(x80, x77, x92) + var x95 uint32 + var x96 uint1 + x95, x96 = addcarryxU32(x78, x75, x94) + var x97 uint32 + var x98 uint1 + x97, x98 = addcarryxU32(x76, x73, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x74, x71, x98) + x101 := (uint32(x100) + x72) + var x102 uint32 + var x103 uint1 + x102, x103 = addcarryxU32(x55, x85, 0x0) + var x104 uint32 + var x105 uint1 + x104, x105 = addcarryxU32(x57, x87, x103) + var x106 uint32 + var x107 uint1 + x106, x107 = addcarryxU32(x59, x89, x105) + var x108 uint32 + var x109 uint1 + x108, x109 = addcarryxU32(x61, x91, x107) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x63, x93, x109) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x65, x95, x111) + var x114 uint32 + var x115 uint1 + x114, x115 = addcarryxU32(x67, x97, x113) + var x116 uint32 + var x117 uint1 + x116, x117 = addcarryxU32(x69, x99, x115) + var x118 uint32 + var x119 uint1 + x118, x119 = addcarryxU32(uint32(x70), x101, x117) + var x120 uint32 + var x121 uint32 + x121, x120 = bits.Mul32(x102, 0xffffffff) + var x122 uint32 + var x123 uint32 + x123, x122 = bits.Mul32(x102, 0xffffffff) + var x124 uint32 + var x125 uint32 + x125, x124 = bits.Mul32(x102, 0xffffffff) + var x126 uint32 + var x127 uint32 + x127, x126 = bits.Mul32(x102, 0xffffffff) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x127, x124, 0x0) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x125, x122, x129) + x132 := (uint32(x131) + x123) + var x134 uint1 + _, x134 = addcarryxU32(x102, 
x126, 0x0) + var x135 uint32 + var x136 uint1 + x135, x136 = addcarryxU32(x104, x128, x134) + var x137 uint32 + var x138 uint1 + x137, x138 = addcarryxU32(x106, x130, x136) + var x139 uint32 + var x140 uint1 + x139, x140 = addcarryxU32(x108, x132, x138) + var x141 uint32 + var x142 uint1 + x141, x142 = addcarryxU32(x110, uint32(0x0), x140) + var x143 uint32 + var x144 uint1 + x143, x144 = addcarryxU32(x112, uint32(0x0), x142) + var x145 uint32 + var x146 uint1 + x145, x146 = addcarryxU32(x114, x102, x144) + var x147 uint32 + var x148 uint1 + x147, x148 = addcarryxU32(x116, x120, x146) + var x149 uint32 + var x150 uint1 + x149, x150 = addcarryxU32(x118, x121, x148) + x151 := (uint32(x150) + uint32(x119)) + var x152 uint32 + var x153 uint32 + x153, x152 = bits.Mul32(x2, arg1[7]) + var x154 uint32 + var x155 uint32 + x155, x154 = bits.Mul32(x2, arg1[6]) + var x156 uint32 + var x157 uint32 + x157, x156 = bits.Mul32(x2, arg1[5]) + var x158 uint32 + var x159 uint32 + x159, x158 = bits.Mul32(x2, arg1[4]) + var x160 uint32 + var x161 uint32 + x161, x160 = bits.Mul32(x2, arg1[3]) + var x162 uint32 + var x163 uint32 + x163, x162 = bits.Mul32(x2, arg1[2]) + var x164 uint32 + var x165 uint32 + x165, x164 = bits.Mul32(x2, arg1[1]) + var x166 uint32 + var x167 uint32 + x167, x166 = bits.Mul32(x2, arg1[0]) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x167, x164, 0x0) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x165, x162, x169) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x163, x160, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x161, x158, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x159, x156, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x157, x154, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x155, x152, x179) + x182 := (uint32(x181) + x153) + var x183 uint32 + var x184 uint1 + x183, x184 = addcarryxU32(x135, x166, 0x0) + var 
x185 uint32 + var x186 uint1 + x185, x186 = addcarryxU32(x137, x168, x184) + var x187 uint32 + var x188 uint1 + x187, x188 = addcarryxU32(x139, x170, x186) + var x189 uint32 + var x190 uint1 + x189, x190 = addcarryxU32(x141, x172, x188) + var x191 uint32 + var x192 uint1 + x191, x192 = addcarryxU32(x143, x174, x190) + var x193 uint32 + var x194 uint1 + x193, x194 = addcarryxU32(x145, x176, x192) + var x195 uint32 + var x196 uint1 + x195, x196 = addcarryxU32(x147, x178, x194) + var x197 uint32 + var x198 uint1 + x197, x198 = addcarryxU32(x149, x180, x196) + var x199 uint32 + var x200 uint1 + x199, x200 = addcarryxU32(x151, x182, x198) + var x201 uint32 + var x202 uint32 + x202, x201 = bits.Mul32(x183, 0xffffffff) + var x203 uint32 + var x204 uint32 + x204, x203 = bits.Mul32(x183, 0xffffffff) + var x205 uint32 + var x206 uint32 + x206, x205 = bits.Mul32(x183, 0xffffffff) + var x207 uint32 + var x208 uint32 + x208, x207 = bits.Mul32(x183, 0xffffffff) + var x209 uint32 + var x210 uint1 + x209, x210 = addcarryxU32(x208, x205, 0x0) + var x211 uint32 + var x212 uint1 + x211, x212 = addcarryxU32(x206, x203, x210) + x213 := (uint32(x212) + x204) + var x215 uint1 + _, x215 = addcarryxU32(x183, x207, 0x0) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x185, x209, x215) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x187, x211, x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x189, x213, x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x191, uint32(0x0), x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x193, uint32(0x0), x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x195, x183, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x197, x201, x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x199, x202, x229) + x232 := (uint32(x231) + uint32(x200)) + var x233 uint32 + var x234 uint32 + x234, x233 = bits.Mul32(x3, arg1[7]) + var 
x235 uint32 + var x236 uint32 + x236, x235 = bits.Mul32(x3, arg1[6]) + var x237 uint32 + var x238 uint32 + x238, x237 = bits.Mul32(x3, arg1[5]) + var x239 uint32 + var x240 uint32 + x240, x239 = bits.Mul32(x3, arg1[4]) + var x241 uint32 + var x242 uint32 + x242, x241 = bits.Mul32(x3, arg1[3]) + var x243 uint32 + var x244 uint32 + x244, x243 = bits.Mul32(x3, arg1[2]) + var x245 uint32 + var x246 uint32 + x246, x245 = bits.Mul32(x3, arg1[1]) + var x247 uint32 + var x248 uint32 + x248, x247 = bits.Mul32(x3, arg1[0]) + var x249 uint32 + var x250 uint1 + x249, x250 = addcarryxU32(x248, x245, 0x0) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x246, x243, x250) + var x253 uint32 + var x254 uint1 + x253, x254 = addcarryxU32(x244, x241, x252) + var x255 uint32 + var x256 uint1 + x255, x256 = addcarryxU32(x242, x239, x254) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x240, x237, x256) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x238, x235, x258) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x236, x233, x260) + x263 := (uint32(x262) + x234) + var x264 uint32 + var x265 uint1 + x264, x265 = addcarryxU32(x216, x247, 0x0) + var x266 uint32 + var x267 uint1 + x266, x267 = addcarryxU32(x218, x249, x265) + var x268 uint32 + var x269 uint1 + x268, x269 = addcarryxU32(x220, x251, x267) + var x270 uint32 + var x271 uint1 + x270, x271 = addcarryxU32(x222, x253, x269) + var x272 uint32 + var x273 uint1 + x272, x273 = addcarryxU32(x224, x255, x271) + var x274 uint32 + var x275 uint1 + x274, x275 = addcarryxU32(x226, x257, x273) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x228, x259, x275) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32(x230, x261, x277) + var x280 uint32 + var x281 uint1 + x280, x281 = addcarryxU32(x232, x263, x279) + var x282 uint32 + var x283 uint32 + x283, x282 = bits.Mul32(x264, 0xffffffff) + var x284 uint32 + var x285 uint32 + x285, x284 = bits.Mul32(x264, 
0xffffffff) + var x286 uint32 + var x287 uint32 + x287, x286 = bits.Mul32(x264, 0xffffffff) + var x288 uint32 + var x289 uint32 + x289, x288 = bits.Mul32(x264, 0xffffffff) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x289, x286, 0x0) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x287, x284, x291) + x294 := (uint32(x293) + x285) + var x296 uint1 + _, x296 = addcarryxU32(x264, x288, 0x0) + var x297 uint32 + var x298 uint1 + x297, x298 = addcarryxU32(x266, x290, x296) + var x299 uint32 + var x300 uint1 + x299, x300 = addcarryxU32(x268, x292, x298) + var x301 uint32 + var x302 uint1 + x301, x302 = addcarryxU32(x270, x294, x300) + var x303 uint32 + var x304 uint1 + x303, x304 = addcarryxU32(x272, uint32(0x0), x302) + var x305 uint32 + var x306 uint1 + x305, x306 = addcarryxU32(x274, uint32(0x0), x304) + var x307 uint32 + var x308 uint1 + x307, x308 = addcarryxU32(x276, x264, x306) + var x309 uint32 + var x310 uint1 + x309, x310 = addcarryxU32(x278, x282, x308) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x280, x283, x310) + x313 := (uint32(x312) + uint32(x281)) + var x314 uint32 + var x315 uint32 + x315, x314 = bits.Mul32(x4, arg1[7]) + var x316 uint32 + var x317 uint32 + x317, x316 = bits.Mul32(x4, arg1[6]) + var x318 uint32 + var x319 uint32 + x319, x318 = bits.Mul32(x4, arg1[5]) + var x320 uint32 + var x321 uint32 + x321, x320 = bits.Mul32(x4, arg1[4]) + var x322 uint32 + var x323 uint32 + x323, x322 = bits.Mul32(x4, arg1[3]) + var x324 uint32 + var x325 uint32 + x325, x324 = bits.Mul32(x4, arg1[2]) + var x326 uint32 + var x327 uint32 + x327, x326 = bits.Mul32(x4, arg1[1]) + var x328 uint32 + var x329 uint32 + x329, x328 = bits.Mul32(x4, arg1[0]) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x329, x326, 0x0) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x327, x324, x331) + var x334 uint32 + var x335 uint1 + x334, x335 = addcarryxU32(x325, x322, x333) + var x336 uint32 + var x337 
uint1 + x336, x337 = addcarryxU32(x323, x320, x335) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x321, x318, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x319, x316, x339) + var x342 uint32 + var x343 uint1 + x342, x343 = addcarryxU32(x317, x314, x341) + x344 := (uint32(x343) + x315) + var x345 uint32 + var x346 uint1 + x345, x346 = addcarryxU32(x297, x328, 0x0) + var x347 uint32 + var x348 uint1 + x347, x348 = addcarryxU32(x299, x330, x346) + var x349 uint32 + var x350 uint1 + x349, x350 = addcarryxU32(x301, x332, x348) + var x351 uint32 + var x352 uint1 + x351, x352 = addcarryxU32(x303, x334, x350) + var x353 uint32 + var x354 uint1 + x353, x354 = addcarryxU32(x305, x336, x352) + var x355 uint32 + var x356 uint1 + x355, x356 = addcarryxU32(x307, x338, x354) + var x357 uint32 + var x358 uint1 + x357, x358 = addcarryxU32(x309, x340, x356) + var x359 uint32 + var x360 uint1 + x359, x360 = addcarryxU32(x311, x342, x358) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x313, x344, x360) + var x363 uint32 + var x364 uint32 + x364, x363 = bits.Mul32(x345, 0xffffffff) + var x365 uint32 + var x366 uint32 + x366, x365 = bits.Mul32(x345, 0xffffffff) + var x367 uint32 + var x368 uint32 + x368, x367 = bits.Mul32(x345, 0xffffffff) + var x369 uint32 + var x370 uint32 + x370, x369 = bits.Mul32(x345, 0xffffffff) + var x371 uint32 + var x372 uint1 + x371, x372 = addcarryxU32(x370, x367, 0x0) + var x373 uint32 + var x374 uint1 + x373, x374 = addcarryxU32(x368, x365, x372) + x375 := (uint32(x374) + x366) + var x377 uint1 + _, x377 = addcarryxU32(x345, x369, 0x0) + var x378 uint32 + var x379 uint1 + x378, x379 = addcarryxU32(x347, x371, x377) + var x380 uint32 + var x381 uint1 + x380, x381 = addcarryxU32(x349, x373, x379) + var x382 uint32 + var x383 uint1 + x382, x383 = addcarryxU32(x351, x375, x381) + var x384 uint32 + var x385 uint1 + x384, x385 = addcarryxU32(x353, uint32(0x0), x383) + var x386 uint32 + var x387 uint1 + 
x386, x387 = addcarryxU32(x355, uint32(0x0), x385) + var x388 uint32 + var x389 uint1 + x388, x389 = addcarryxU32(x357, x345, x387) + var x390 uint32 + var x391 uint1 + x390, x391 = addcarryxU32(x359, x363, x389) + var x392 uint32 + var x393 uint1 + x392, x393 = addcarryxU32(x361, x364, x391) + x394 := (uint32(x393) + uint32(x362)) + var x395 uint32 + var x396 uint32 + x396, x395 = bits.Mul32(x5, arg1[7]) + var x397 uint32 + var x398 uint32 + x398, x397 = bits.Mul32(x5, arg1[6]) + var x399 uint32 + var x400 uint32 + x400, x399 = bits.Mul32(x5, arg1[5]) + var x401 uint32 + var x402 uint32 + x402, x401 = bits.Mul32(x5, arg1[4]) + var x403 uint32 + var x404 uint32 + x404, x403 = bits.Mul32(x5, arg1[3]) + var x405 uint32 + var x406 uint32 + x406, x405 = bits.Mul32(x5, arg1[2]) + var x407 uint32 + var x408 uint32 + x408, x407 = bits.Mul32(x5, arg1[1]) + var x409 uint32 + var x410 uint32 + x410, x409 = bits.Mul32(x5, arg1[0]) + var x411 uint32 + var x412 uint1 + x411, x412 = addcarryxU32(x410, x407, 0x0) + var x413 uint32 + var x414 uint1 + x413, x414 = addcarryxU32(x408, x405, x412) + var x415 uint32 + var x416 uint1 + x415, x416 = addcarryxU32(x406, x403, x414) + var x417 uint32 + var x418 uint1 + x417, x418 = addcarryxU32(x404, x401, x416) + var x419 uint32 + var x420 uint1 + x419, x420 = addcarryxU32(x402, x399, x418) + var x421 uint32 + var x422 uint1 + x421, x422 = addcarryxU32(x400, x397, x420) + var x423 uint32 + var x424 uint1 + x423, x424 = addcarryxU32(x398, x395, x422) + x425 := (uint32(x424) + x396) + var x426 uint32 + var x427 uint1 + x426, x427 = addcarryxU32(x378, x409, 0x0) + var x428 uint32 + var x429 uint1 + x428, x429 = addcarryxU32(x380, x411, x427) + var x430 uint32 + var x431 uint1 + x430, x431 = addcarryxU32(x382, x413, x429) + var x432 uint32 + var x433 uint1 + x432, x433 = addcarryxU32(x384, x415, x431) + var x434 uint32 + var x435 uint1 + x434, x435 = addcarryxU32(x386, x417, x433) + var x436 uint32 + var x437 uint1 + x436, x437 = 
addcarryxU32(x388, x419, x435) + var x438 uint32 + var x439 uint1 + x438, x439 = addcarryxU32(x390, x421, x437) + var x440 uint32 + var x441 uint1 + x440, x441 = addcarryxU32(x392, x423, x439) + var x442 uint32 + var x443 uint1 + x442, x443 = addcarryxU32(x394, x425, x441) + var x444 uint32 + var x445 uint32 + x445, x444 = bits.Mul32(x426, 0xffffffff) + var x446 uint32 + var x447 uint32 + x447, x446 = bits.Mul32(x426, 0xffffffff) + var x448 uint32 + var x449 uint32 + x449, x448 = bits.Mul32(x426, 0xffffffff) + var x450 uint32 + var x451 uint32 + x451, x450 = bits.Mul32(x426, 0xffffffff) + var x452 uint32 + var x453 uint1 + x452, x453 = addcarryxU32(x451, x448, 0x0) + var x454 uint32 + var x455 uint1 + x454, x455 = addcarryxU32(x449, x446, x453) + x456 := (uint32(x455) + x447) + var x458 uint1 + _, x458 = addcarryxU32(x426, x450, 0x0) + var x459 uint32 + var x460 uint1 + x459, x460 = addcarryxU32(x428, x452, x458) + var x461 uint32 + var x462 uint1 + x461, x462 = addcarryxU32(x430, x454, x460) + var x463 uint32 + var x464 uint1 + x463, x464 = addcarryxU32(x432, x456, x462) + var x465 uint32 + var x466 uint1 + x465, x466 = addcarryxU32(x434, uint32(0x0), x464) + var x467 uint32 + var x468 uint1 + x467, x468 = addcarryxU32(x436, uint32(0x0), x466) + var x469 uint32 + var x470 uint1 + x469, x470 = addcarryxU32(x438, x426, x468) + var x471 uint32 + var x472 uint1 + x471, x472 = addcarryxU32(x440, x444, x470) + var x473 uint32 + var x474 uint1 + x473, x474 = addcarryxU32(x442, x445, x472) + x475 := (uint32(x474) + uint32(x443)) + var x476 uint32 + var x477 uint32 + x477, x476 = bits.Mul32(x6, arg1[7]) + var x478 uint32 + var x479 uint32 + x479, x478 = bits.Mul32(x6, arg1[6]) + var x480 uint32 + var x481 uint32 + x481, x480 = bits.Mul32(x6, arg1[5]) + var x482 uint32 + var x483 uint32 + x483, x482 = bits.Mul32(x6, arg1[4]) + var x484 uint32 + var x485 uint32 + x485, x484 = bits.Mul32(x6, arg1[3]) + var x486 uint32 + var x487 uint32 + x487, x486 = bits.Mul32(x6, arg1[2]) + 
var x488 uint32 + var x489 uint32 + x489, x488 = bits.Mul32(x6, arg1[1]) + var x490 uint32 + var x491 uint32 + x491, x490 = bits.Mul32(x6, arg1[0]) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x491, x488, 0x0) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x489, x486, x493) + var x496 uint32 + var x497 uint1 + x496, x497 = addcarryxU32(x487, x484, x495) + var x498 uint32 + var x499 uint1 + x498, x499 = addcarryxU32(x485, x482, x497) + var x500 uint32 + var x501 uint1 + x500, x501 = addcarryxU32(x483, x480, x499) + var x502 uint32 + var x503 uint1 + x502, x503 = addcarryxU32(x481, x478, x501) + var x504 uint32 + var x505 uint1 + x504, x505 = addcarryxU32(x479, x476, x503) + x506 := (uint32(x505) + x477) + var x507 uint32 + var x508 uint1 + x507, x508 = addcarryxU32(x459, x490, 0x0) + var x509 uint32 + var x510 uint1 + x509, x510 = addcarryxU32(x461, x492, x508) + var x511 uint32 + var x512 uint1 + x511, x512 = addcarryxU32(x463, x494, x510) + var x513 uint32 + var x514 uint1 + x513, x514 = addcarryxU32(x465, x496, x512) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x467, x498, x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x469, x500, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x471, x502, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x473, x504, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x475, x506, x522) + var x525 uint32 + var x526 uint32 + x526, x525 = bits.Mul32(x507, 0xffffffff) + var x527 uint32 + var x528 uint32 + x528, x527 = bits.Mul32(x507, 0xffffffff) + var x529 uint32 + var x530 uint32 + x530, x529 = bits.Mul32(x507, 0xffffffff) + var x531 uint32 + var x532 uint32 + x532, x531 = bits.Mul32(x507, 0xffffffff) + var x533 uint32 + var x534 uint1 + x533, x534 = addcarryxU32(x532, x529, 0x0) + var x535 uint32 + var x536 uint1 + x535, x536 = addcarryxU32(x530, x527, x534) + x537 := (uint32(x536) + x528) + var x539 
uint1 + _, x539 = addcarryxU32(x507, x531, 0x0) + var x540 uint32 + var x541 uint1 + x540, x541 = addcarryxU32(x509, x533, x539) + var x542 uint32 + var x543 uint1 + x542, x543 = addcarryxU32(x511, x535, x541) + var x544 uint32 + var x545 uint1 + x544, x545 = addcarryxU32(x513, x537, x543) + var x546 uint32 + var x547 uint1 + x546, x547 = addcarryxU32(x515, uint32(0x0), x545) + var x548 uint32 + var x549 uint1 + x548, x549 = addcarryxU32(x517, uint32(0x0), x547) + var x550 uint32 + var x551 uint1 + x550, x551 = addcarryxU32(x519, x507, x549) + var x552 uint32 + var x553 uint1 + x552, x553 = addcarryxU32(x521, x525, x551) + var x554 uint32 + var x555 uint1 + x554, x555 = addcarryxU32(x523, x526, x553) + x556 := (uint32(x555) + uint32(x524)) + var x557 uint32 + var x558 uint32 + x558, x557 = bits.Mul32(x7, arg1[7]) + var x559 uint32 + var x560 uint32 + x560, x559 = bits.Mul32(x7, arg1[6]) + var x561 uint32 + var x562 uint32 + x562, x561 = bits.Mul32(x7, arg1[5]) + var x563 uint32 + var x564 uint32 + x564, x563 = bits.Mul32(x7, arg1[4]) + var x565 uint32 + var x566 uint32 + x566, x565 = bits.Mul32(x7, arg1[3]) + var x567 uint32 + var x568 uint32 + x568, x567 = bits.Mul32(x7, arg1[2]) + var x569 uint32 + var x570 uint32 + x570, x569 = bits.Mul32(x7, arg1[1]) + var x571 uint32 + var x572 uint32 + x572, x571 = bits.Mul32(x7, arg1[0]) + var x573 uint32 + var x574 uint1 + x573, x574 = addcarryxU32(x572, x569, 0x0) + var x575 uint32 + var x576 uint1 + x575, x576 = addcarryxU32(x570, x567, x574) + var x577 uint32 + var x578 uint1 + x577, x578 = addcarryxU32(x568, x565, x576) + var x579 uint32 + var x580 uint1 + x579, x580 = addcarryxU32(x566, x563, x578) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x564, x561, x580) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32(x562, x559, x582) + var x585 uint32 + var x586 uint1 + x585, x586 = addcarryxU32(x560, x557, x584) + x587 := (uint32(x586) + x558) + var x588 uint32 + var x589 uint1 + x588, x589 = 
addcarryxU32(x540, x571, 0x0) + var x590 uint32 + var x591 uint1 + x590, x591 = addcarryxU32(x542, x573, x589) + var x592 uint32 + var x593 uint1 + x592, x593 = addcarryxU32(x544, x575, x591) + var x594 uint32 + var x595 uint1 + x594, x595 = addcarryxU32(x546, x577, x593) + var x596 uint32 + var x597 uint1 + x596, x597 = addcarryxU32(x548, x579, x595) + var x598 uint32 + var x599 uint1 + x598, x599 = addcarryxU32(x550, x581, x597) + var x600 uint32 + var x601 uint1 + x600, x601 = addcarryxU32(x552, x583, x599) + var x602 uint32 + var x603 uint1 + x602, x603 = addcarryxU32(x554, x585, x601) + var x604 uint32 + var x605 uint1 + x604, x605 = addcarryxU32(x556, x587, x603) + var x606 uint32 + var x607 uint32 + x607, x606 = bits.Mul32(x588, 0xffffffff) + var x608 uint32 + var x609 uint32 + x609, x608 = bits.Mul32(x588, 0xffffffff) + var x610 uint32 + var x611 uint32 + x611, x610 = bits.Mul32(x588, 0xffffffff) + var x612 uint32 + var x613 uint32 + x613, x612 = bits.Mul32(x588, 0xffffffff) + var x614 uint32 + var x615 uint1 + x614, x615 = addcarryxU32(x613, x610, 0x0) + var x616 uint32 + var x617 uint1 + x616, x617 = addcarryxU32(x611, x608, x615) + x618 := (uint32(x617) + x609) + var x620 uint1 + _, x620 = addcarryxU32(x588, x612, 0x0) + var x621 uint32 + var x622 uint1 + x621, x622 = addcarryxU32(x590, x614, x620) + var x623 uint32 + var x624 uint1 + x623, x624 = addcarryxU32(x592, x616, x622) + var x625 uint32 + var x626 uint1 + x625, x626 = addcarryxU32(x594, x618, x624) + var x627 uint32 + var x628 uint1 + x627, x628 = addcarryxU32(x596, uint32(0x0), x626) + var x629 uint32 + var x630 uint1 + x629, x630 = addcarryxU32(x598, uint32(0x0), x628) + var x631 uint32 + var x632 uint1 + x631, x632 = addcarryxU32(x600, x588, x630) + var x633 uint32 + var x634 uint1 + x633, x634 = addcarryxU32(x602, x606, x632) + var x635 uint32 + var x636 uint1 + x635, x636 = addcarryxU32(x604, x607, x634) + x637 := (uint32(x636) + uint32(x605)) + var x638 uint32 + var x639 uint1 + x638, x639 
= subborrowxU32(x621, 0xffffffff, 0x0) + var x640 uint32 + var x641 uint1 + x640, x641 = subborrowxU32(x623, 0xffffffff, x639) + var x642 uint32 + var x643 uint1 + x642, x643 = subborrowxU32(x625, 0xffffffff, x641) + var x644 uint32 + var x645 uint1 + x644, x645 = subborrowxU32(x627, uint32(0x0), x643) + var x646 uint32 + var x647 uint1 + x646, x647 = subborrowxU32(x629, uint32(0x0), x645) + var x648 uint32 + var x649 uint1 + x648, x649 = subborrowxU32(x631, uint32(0x0), x647) + var x650 uint32 + var x651 uint1 + x650, x651 = subborrowxU32(x633, uint32(0x1), x649) + var x652 uint32 + var x653 uint1 + x652, x653 = subborrowxU32(x635, 0xffffffff, x651) + var x655 uint1 + _, x655 = subborrowxU32(x637, uint32(0x0), x653) + var x656 uint32 + cmovznzU32(&x656, x655, x638, x621) + var x657 uint32 + cmovznzU32(&x657, x655, x640, x623) + var x658 uint32 + cmovznzU32(&x658, x655, x642, x625) + var x659 uint32 + cmovznzU32(&x659, x655, x644, x627) + var x660 uint32 + cmovznzU32(&x660, x655, x646, x629) + var x661 uint32 + cmovznzU32(&x661, x655, x648, x631) + var x662 uint32 + cmovznzU32(&x662, x655, x650, x633) + var x663 uint32 + cmovznzU32(&x663, x655, x652, x635) + out1[0] = x656 + out1[1] = x657 + out1[2] = x658 + out1[3] = x659 + out1[4] = x660 + out1[5] = x661 + out1[6] = x662 + out1[7] = x663 } -/* - The function Add adds two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Add(out1 *[8]uint32, arg1 *[8]uint32, arg2 *[8]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = addcarryxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = addcarryxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = addcarryxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = 
addcarryxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = addcarryxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = addcarryxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = addcarryxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = addcarryxU32((arg1[7]), (arg2[7]), x14) - var x17 uint32 - var x18 uint1 - x17, x18 = subborrowxU32(x1, 0xffffffff, 0x0) - var x19 uint32 - var x20 uint1 - x19, x20 = subborrowxU32(x3, 0xffffffff, x18) - var x21 uint32 - var x22 uint1 - x21, x22 = subborrowxU32(x5, 0xffffffff, x20) - var x23 uint32 - var x24 uint1 - x23, x24 = subborrowxU32(x7, uint32(0x0), x22) - var x25 uint32 - var x26 uint1 - x25, x26 = subborrowxU32(x9, uint32(0x0), x24) - var x27 uint32 - var x28 uint1 - x27, x28 = subborrowxU32(x11, uint32(0x0), x26) - var x29 uint32 - var x30 uint1 - x29, x30 = subborrowxU32(x13, uint32(0x1), x28) - var x31 uint32 - var x32 uint1 - x31, x32 = subborrowxU32(x15, 0xffffffff, x30) - var x34 uint1 - _, x34 = subborrowxU32(uint32(x16), uint32(0x0), x32) - var x35 uint32 - cmovznzU32(&x35, x34, x17, x1) - var x36 uint32 - cmovznzU32(&x36, x34, x19, x3) - var x37 uint32 - cmovznzU32(&x37, x34, x21, x5) - var x38 uint32 - cmovznzU32(&x38, x34, x23, x7) - var x39 uint32 - cmovznzU32(&x39, x34, x25, x9) - var x40 uint32 - cmovznzU32(&x40, x34, x27, x11) - var x41 uint32 - cmovznzU32(&x41, x34, x29, x13) - var x42 uint32 - cmovznzU32(&x42, x34, x31, x15) - out1[0] = x35 - out1[1] = x36 - out1[2] = x37 - out1[3] = x38 - out1[4] = x39 - out1[5] = x40 - out1[6] = x41 - out1[7] = x42 + var x1 uint32 + var x2 uint1 + x1, x2 = addcarryxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = addcarryxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = addcarryxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = addcarryxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = 
addcarryxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = addcarryxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = addcarryxU32(arg1[6], arg2[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = addcarryxU32(arg1[7], arg2[7], x14) + var x17 uint32 + var x18 uint1 + x17, x18 = subborrowxU32(x1, 0xffffffff, 0x0) + var x19 uint32 + var x20 uint1 + x19, x20 = subborrowxU32(x3, 0xffffffff, x18) + var x21 uint32 + var x22 uint1 + x21, x22 = subborrowxU32(x5, 0xffffffff, x20) + var x23 uint32 + var x24 uint1 + x23, x24 = subborrowxU32(x7, uint32(0x0), x22) + var x25 uint32 + var x26 uint1 + x25, x26 = subborrowxU32(x9, uint32(0x0), x24) + var x27 uint32 + var x28 uint1 + x27, x28 = subborrowxU32(x11, uint32(0x0), x26) + var x29 uint32 + var x30 uint1 + x29, x30 = subborrowxU32(x13, uint32(0x1), x28) + var x31 uint32 + var x32 uint1 + x31, x32 = subborrowxU32(x15, 0xffffffff, x30) + var x34 uint1 + _, x34 = subborrowxU32(uint32(x16), uint32(0x0), x32) + var x35 uint32 + cmovznzU32(&x35, x34, x17, x1) + var x36 uint32 + cmovznzU32(&x36, x34, x19, x3) + var x37 uint32 + cmovznzU32(&x37, x34, x21, x5) + var x38 uint32 + cmovznzU32(&x38, x34, x23, x7) + var x39 uint32 + cmovznzU32(&x39, x34, x25, x9) + var x40 uint32 + cmovznzU32(&x40, x34, x27, x11) + var x41 uint32 + cmovznzU32(&x41, x34, x29, x13) + var x42 uint32 + cmovznzU32(&x42, x34, x31, x15) + out1[0] = x35 + out1[1] = x36 + out1[2] = x37 + out1[3] = x38 + out1[4] = x39 + out1[5] = x40 + out1[6] = x41 + out1[7] = x42 } -/* - The function Sub subtracts two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Sub(out1 *[8]uint32, arg1 *[8]uint32, arg2 *[8]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = 
subborrowxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = subborrowxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = subborrowxU32((arg1[7]), (arg2[7]), x14) - var x17 uint32 - cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(x1, x17, 0x0) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(x3, x17, x19) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x5, x17, x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x7, uint32(0x0), x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x9, uint32(0x0), x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x11, uint32(0x0), x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x13, uint32((uint1(x17) & 0x1)), x29) - var x32 uint32 - x32, _ = addcarryxU32(x15, x17, x31) - out1[0] = x18 - out1[1] = x20 - out1[2] = x22 - out1[3] = x24 - out1[4] = x26 - out1[5] = x28 - out1[6] = x30 - out1[7] = x32 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(arg1[6], arg2[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = subborrowxU32(arg1[7], arg2[7], x14) + var x17 uint32 + cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(x1, x17, 0x0) + var x20 uint32 + var 
x21 uint1 + x20, x21 = addcarryxU32(x3, x17, x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x5, x17, x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x7, uint32(0x0), x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x9, uint32(0x0), x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x11, uint32(0x0), x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x13, uint32((uint1(x17) & 0x1)), x29) + var x32 uint32 + x32, _ = addcarryxU32(x15, x17, x31) + out1[0] = x18 + out1[1] = x20 + out1[2] = x22 + out1[3] = x24 + out1[4] = x26 + out1[5] = x28 + out1[6] = x30 + out1[7] = x32 } -/* - The function Opp negates a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Opp(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32(uint32(0x0), (arg1[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32(uint32(0x0), (arg1[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32(uint32(0x0), (arg1[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = subborrowxU32(uint32(0x0), (arg1[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32(uint32(0x0), (arg1[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = subborrowxU32(uint32(0x0), (arg1[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32(uint32(0x0), (arg1[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = subborrowxU32(uint32(0x0), (arg1[7]), x14) - var x17 uint32 - cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(x1, x17, 0x0) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(x3, x17, x19) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x5, x17, x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x7, uint32(0x0), x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x9, uint32(0x0), x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x11, uint32(0x0), x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x13, uint32((uint1(x17) & 0x1)), x29) - var x32 uint32 - x32, _ = addcarryxU32(x15, x17, x31) - out1[0] = x18 - 
out1[1] = x20 - out1[2] = x22 - out1[3] = x24 - out1[4] = x26 - out1[5] = x28 - out1[6] = x30 - out1[7] = x32 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(uint32(0x0), arg1[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(uint32(0x0), arg1[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(uint32(0x0), arg1[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(uint32(0x0), arg1[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(uint32(0x0), arg1[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(uint32(0x0), arg1[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(uint32(0x0), arg1[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = subborrowxU32(uint32(0x0), arg1[7], x14) + var x17 uint32 + cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(x1, x17, 0x0) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(x3, x17, x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x5, x17, x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x7, uint32(0x0), x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x9, uint32(0x0), x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x11, uint32(0x0), x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x13, uint32((uint1(x17) & 0x1)), x29) + var x32 uint32 + x32, _ = addcarryxU32(x15, x17, x31) + out1[0] = x18 + out1[1] = x20 + out1[2] = x22 + out1[3] = x24 + out1[4] = x26 + out1[5] = x28 + out1[6] = x30 + out1[7] = x32 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromMontgomery(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 = (arg1[0]) - var x2 uint32 - var x3 uint32 - x3, x2 = bits.Mul32(x1, 0xffffffff) - var x4 uint32 - var x5 uint32 - x5, x4 = bits.Mul32(x1, 0xffffffff) - var x6 uint32 - var x7 uint32 - x7, x6 = bits.Mul32(x1, 0xffffffff) - var x8 uint32 - var x9 uint32 - x9, x8 = bits.Mul32(x1, 0xffffffff) - var x10 uint32 - var x11 uint1 - x10, x11 = addcarryxU32(x9, x6, 0x0) - var x12 uint32 - var x13 uint1 - x12, x13 = addcarryxU32(x7, x4, x11) - var x15 uint1 - _, x15 = addcarryxU32(x1, x8, 0x0) - var x16 uint32 - var x17 uint1 - x16, x17 = addcarryxU32(uint32(0x0), x10, x15) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(uint32(0x0), x12, x17) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(uint32(0x0), (uint32(x13) + x5), x19) - var x22 
uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x16, (arg1[1]), 0x0) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x18, uint32(0x0), x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x20, uint32(0x0), x25) - var x28 uint32 - var x29 uint32 - x29, x28 = bits.Mul32(x22, 0xffffffff) - var x30 uint32 - var x31 uint32 - x31, x30 = bits.Mul32(x22, 0xffffffff) - var x32 uint32 - var x33 uint32 - x33, x32 = bits.Mul32(x22, 0xffffffff) - var x34 uint32 - var x35 uint32 - x35, x34 = bits.Mul32(x22, 0xffffffff) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(x35, x32, 0x0) - var x38 uint32 - var x39 uint1 - x38, x39 = addcarryxU32(x33, x30, x37) - var x41 uint1 - _, x41 = addcarryxU32(x22, x34, 0x0) - var x42 uint32 - var x43 uint1 - x42, x43 = addcarryxU32(x24, x36, x41) - var x44 uint32 - var x45 uint1 - x44, x45 = addcarryxU32(x26, x38, x43) - var x46 uint32 - var x47 uint1 - x46, x47 = addcarryxU32((uint32(x27) + uint32(x21)), (uint32(x39) + x31), x45) - var x48 uint32 - var x49 uint1 - x48, x49 = addcarryxU32(x2, x22, 0x0) - var x50 uint32 - var x51 uint1 - x50, x51 = addcarryxU32(x3, x28, x49) - var x52 uint32 - var x53 uint1 - x52, x53 = addcarryxU32(x42, (arg1[2]), 0x0) - var x54 uint32 - var x55 uint1 - x54, x55 = addcarryxU32(x44, uint32(0x0), x53) - var x56 uint32 - var x57 uint1 - x56, x57 = addcarryxU32(x46, uint32(0x0), x55) - var x58 uint32 - var x59 uint32 - x59, x58 = bits.Mul32(x52, 0xffffffff) - var x60 uint32 - var x61 uint32 - x61, x60 = bits.Mul32(x52, 0xffffffff) - var x62 uint32 - var x63 uint32 - x63, x62 = bits.Mul32(x52, 0xffffffff) - var x64 uint32 - var x65 uint32 - x65, x64 = bits.Mul32(x52, 0xffffffff) - var x66 uint32 - var x67 uint1 - x66, x67 = addcarryxU32(x65, x62, 0x0) - var x68 uint32 - var x69 uint1 - x68, x69 = addcarryxU32(x63, x60, x67) - var x71 uint1 - _, x71 = addcarryxU32(x52, x64, 0x0) - var x72 uint32 - var x73 uint1 - x72, x73 = addcarryxU32(x54, x66, x71) - var x74 uint32 - var x75 uint1 
- x74, x75 = addcarryxU32(x56, x68, x73) - var x76 uint32 - var x77 uint1 - x76, x77 = addcarryxU32((uint32(x57) + uint32(x47)), (uint32(x69) + x61), x75) - var x78 uint32 - var x79 uint1 - x78, x79 = addcarryxU32(x1, uint32(0x0), x77) - var x80 uint32 - var x81 uint1 - x80, x81 = addcarryxU32(x48, uint32(0x0), x79) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x50, x52, x81) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32((uint32(x51) + x29), x58, x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x72, (arg1[3]), 0x0) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x74, uint32(0x0), x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x76, uint32(0x0), x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x78, uint32(0x0), x91) - var x94 uint32 - var x95 uint1 - x94, x95 = addcarryxU32(x80, uint32(0x0), x93) - var x96 uint32 - var x97 uint1 - x96, x97 = addcarryxU32(x82, uint32(0x0), x95) - var x98 uint32 - var x99 uint1 - x98, x99 = addcarryxU32(x84, uint32(0x0), x97) - var x100 uint32 - var x101 uint1 - x100, x101 = addcarryxU32((uint32(x85) + x59), uint32(0x0), x99) - var x102 uint32 - var x103 uint32 - x103, x102 = bits.Mul32(x86, 0xffffffff) - var x104 uint32 - var x105 uint32 - x105, x104 = bits.Mul32(x86, 0xffffffff) - var x106 uint32 - var x107 uint32 - x107, x106 = bits.Mul32(x86, 0xffffffff) - var x108 uint32 - var x109 uint32 - x109, x108 = bits.Mul32(x86, 0xffffffff) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x109, x106, 0x0) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x107, x104, x111) - var x115 uint1 - _, x115 = addcarryxU32(x86, x108, 0x0) - var x116 uint32 - var x117 uint1 - x116, x117 = addcarryxU32(x88, x110, x115) - var x118 uint32 - var x119 uint1 - x118, x119 = addcarryxU32(x90, x112, x117) - var x120 uint32 - var x121 uint1 - x120, x121 = addcarryxU32(x92, (uint32(x113) + x105), x119) - var x122 uint32 - var x123 uint1 - x122, x123 = 
addcarryxU32(x94, uint32(0x0), x121) - var x124 uint32 - var x125 uint1 - x124, x125 = addcarryxU32(x96, uint32(0x0), x123) - var x126 uint32 - var x127 uint1 - x126, x127 = addcarryxU32(x98, x86, x125) - var x128 uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x100, x102, x127) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(uint32(x101), x103, x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x116, (arg1[4]), 0x0) - var x134 uint32 - var x135 uint1 - x134, x135 = addcarryxU32(x118, uint32(0x0), x133) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x120, uint32(0x0), x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(x122, uint32(0x0), x137) - var x140 uint32 - var x141 uint1 - x140, x141 = addcarryxU32(x124, uint32(0x0), x139) - var x142 uint32 - var x143 uint1 - x142, x143 = addcarryxU32(x126, uint32(0x0), x141) - var x144 uint32 - var x145 uint1 - x144, x145 = addcarryxU32(x128, uint32(0x0), x143) - var x146 uint32 - var x147 uint1 - x146, x147 = addcarryxU32(x130, uint32(0x0), x145) - var x148 uint32 - var x149 uint32 - x149, x148 = bits.Mul32(x132, 0xffffffff) - var x150 uint32 - var x151 uint32 - x151, x150 = bits.Mul32(x132, 0xffffffff) - var x152 uint32 - var x153 uint32 - x153, x152 = bits.Mul32(x132, 0xffffffff) - var x154 uint32 - var x155 uint32 - x155, x154 = bits.Mul32(x132, 0xffffffff) - var x156 uint32 - var x157 uint1 - x156, x157 = addcarryxU32(x155, x152, 0x0) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x153, x150, x157) - var x161 uint1 - _, x161 = addcarryxU32(x132, x154, 0x0) - var x162 uint32 - var x163 uint1 - x162, x163 = addcarryxU32(x134, x156, x161) - var x164 uint32 - var x165 uint1 - x164, x165 = addcarryxU32(x136, x158, x163) - var x166 uint32 - var x167 uint1 - x166, x167 = addcarryxU32(x138, (uint32(x159) + x151), x165) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x140, uint32(0x0), x167) - var x170 uint32 - var x171 uint1 - 
x170, x171 = addcarryxU32(x142, uint32(0x0), x169) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x144, x132, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x146, x148, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32((uint32(x147) + uint32(x131)), x149, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x162, (arg1[5]), 0x0) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x164, uint32(0x0), x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x166, uint32(0x0), x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x168, uint32(0x0), x183) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x170, uint32(0x0), x185) - var x188 uint32 - var x189 uint1 - x188, x189 = addcarryxU32(x172, uint32(0x0), x187) - var x190 uint32 - var x191 uint1 - x190, x191 = addcarryxU32(x174, uint32(0x0), x189) - var x192 uint32 - var x193 uint1 - x192, x193 = addcarryxU32(x176, uint32(0x0), x191) - var x194 uint32 - var x195 uint32 - x195, x194 = bits.Mul32(x178, 0xffffffff) - var x196 uint32 - var x197 uint32 - x197, x196 = bits.Mul32(x178, 0xffffffff) - var x198 uint32 - var x199 uint32 - x199, x198 = bits.Mul32(x178, 0xffffffff) - var x200 uint32 - var x201 uint32 - x201, x200 = bits.Mul32(x178, 0xffffffff) - var x202 uint32 - var x203 uint1 - x202, x203 = addcarryxU32(x201, x198, 0x0) - var x204 uint32 - var x205 uint1 - x204, x205 = addcarryxU32(x199, x196, x203) - var x207 uint1 - _, x207 = addcarryxU32(x178, x200, 0x0) - var x208 uint32 - var x209 uint1 - x208, x209 = addcarryxU32(x180, x202, x207) - var x210 uint32 - var x211 uint1 - x210, x211 = addcarryxU32(x182, x204, x209) - var x212 uint32 - var x213 uint1 - x212, x213 = addcarryxU32(x184, (uint32(x205) + x197), x211) - var x214 uint32 - var x215 uint1 - x214, x215 = addcarryxU32(x186, uint32(0x0), x213) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x188, uint32(0x0), x215) - 
var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x190, x178, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x192, x194, x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32((uint32(x193) + uint32(x177)), x195, x221) - var x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x208, (arg1[6]), 0x0) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x210, uint32(0x0), x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x212, uint32(0x0), x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x214, uint32(0x0), x229) - var x232 uint32 - var x233 uint1 - x232, x233 = addcarryxU32(x216, uint32(0x0), x231) - var x234 uint32 - var x235 uint1 - x234, x235 = addcarryxU32(x218, uint32(0x0), x233) - var x236 uint32 - var x237 uint1 - x236, x237 = addcarryxU32(x220, uint32(0x0), x235) - var x238 uint32 - var x239 uint1 - x238, x239 = addcarryxU32(x222, uint32(0x0), x237) - var x240 uint32 - var x241 uint32 - x241, x240 = bits.Mul32(x224, 0xffffffff) - var x242 uint32 - var x243 uint32 - x243, x242 = bits.Mul32(x224, 0xffffffff) - var x244 uint32 - var x245 uint32 - x245, x244 = bits.Mul32(x224, 0xffffffff) - var x246 uint32 - var x247 uint32 - x247, x246 = bits.Mul32(x224, 0xffffffff) - var x248 uint32 - var x249 uint1 - x248, x249 = addcarryxU32(x247, x244, 0x0) - var x250 uint32 - var x251 uint1 - x250, x251 = addcarryxU32(x245, x242, x249) - var x253 uint1 - _, x253 = addcarryxU32(x224, x246, 0x0) - var x254 uint32 - var x255 uint1 - x254, x255 = addcarryxU32(x226, x248, x253) - var x256 uint32 - var x257 uint1 - x256, x257 = addcarryxU32(x228, x250, x255) - var x258 uint32 - var x259 uint1 - x258, x259 = addcarryxU32(x230, (uint32(x251) + x243), x257) - var x260 uint32 - var x261 uint1 - x260, x261 = addcarryxU32(x232, uint32(0x0), x259) - var x262 uint32 - var x263 uint1 - x262, x263 = addcarryxU32(x234, uint32(0x0), x261) - var x264 uint32 - var x265 uint1 - x264, x265 = 
addcarryxU32(x236, x224, x263) - var x266 uint32 - var x267 uint1 - x266, x267 = addcarryxU32(x238, x240, x265) - var x268 uint32 - var x269 uint1 - x268, x269 = addcarryxU32((uint32(x239) + uint32(x223)), x241, x267) - var x270 uint32 - var x271 uint1 - x270, x271 = addcarryxU32(x254, (arg1[7]), 0x0) - var x272 uint32 - var x273 uint1 - x272, x273 = addcarryxU32(x256, uint32(0x0), x271) - var x274 uint32 - var x275 uint1 - x274, x275 = addcarryxU32(x258, uint32(0x0), x273) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x260, uint32(0x0), x275) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32(x262, uint32(0x0), x277) - var x280 uint32 - var x281 uint1 - x280, x281 = addcarryxU32(x264, uint32(0x0), x279) - var x282 uint32 - var x283 uint1 - x282, x283 = addcarryxU32(x266, uint32(0x0), x281) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x268, uint32(0x0), x283) - var x286 uint32 - var x287 uint32 - x287, x286 = bits.Mul32(x270, 0xffffffff) - var x288 uint32 - var x289 uint32 - x289, x288 = bits.Mul32(x270, 0xffffffff) - var x290 uint32 - var x291 uint32 - x291, x290 = bits.Mul32(x270, 0xffffffff) - var x292 uint32 - var x293 uint32 - x293, x292 = bits.Mul32(x270, 0xffffffff) - var x294 uint32 - var x295 uint1 - x294, x295 = addcarryxU32(x293, x290, 0x0) - var x296 uint32 - var x297 uint1 - x296, x297 = addcarryxU32(x291, x288, x295) - var x299 uint1 - _, x299 = addcarryxU32(x270, x292, 0x0) - var x300 uint32 - var x301 uint1 - x300, x301 = addcarryxU32(x272, x294, x299) - var x302 uint32 - var x303 uint1 - x302, x303 = addcarryxU32(x274, x296, x301) - var x304 uint32 - var x305 uint1 - x304, x305 = addcarryxU32(x276, (uint32(x297) + x289), x303) - var x306 uint32 - var x307 uint1 - x306, x307 = addcarryxU32(x278, uint32(0x0), x305) - var x308 uint32 - var x309 uint1 - x308, x309 = addcarryxU32(x280, uint32(0x0), x307) - var x310 uint32 - var x311 uint1 - x310, x311 = addcarryxU32(x282, x270, x309) - var x312 uint32 - var 
x313 uint1 - x312, x313 = addcarryxU32(x284, x286, x311) - var x314 uint32 - var x315 uint1 - x314, x315 = addcarryxU32((uint32(x285) + uint32(x269)), x287, x313) - var x316 uint32 - var x317 uint1 - x316, x317 = subborrowxU32(x300, 0xffffffff, 0x0) - var x318 uint32 - var x319 uint1 - x318, x319 = subborrowxU32(x302, 0xffffffff, x317) - var x320 uint32 - var x321 uint1 - x320, x321 = subborrowxU32(x304, 0xffffffff, x319) - var x322 uint32 - var x323 uint1 - x322, x323 = subborrowxU32(x306, uint32(0x0), x321) - var x324 uint32 - var x325 uint1 - x324, x325 = subborrowxU32(x308, uint32(0x0), x323) - var x326 uint32 - var x327 uint1 - x326, x327 = subborrowxU32(x310, uint32(0x0), x325) - var x328 uint32 - var x329 uint1 - x328, x329 = subborrowxU32(x312, uint32(0x1), x327) - var x330 uint32 - var x331 uint1 - x330, x331 = subborrowxU32(x314, 0xffffffff, x329) - var x333 uint1 - _, x333 = subborrowxU32(uint32(x315), uint32(0x0), x331) - var x334 uint32 - cmovznzU32(&x334, x333, x316, x300) - var x335 uint32 - cmovznzU32(&x335, x333, x318, x302) - var x336 uint32 - cmovznzU32(&x336, x333, x320, x304) - var x337 uint32 - cmovznzU32(&x337, x333, x322, x306) - var x338 uint32 - cmovznzU32(&x338, x333, x324, x308) - var x339 uint32 - cmovznzU32(&x339, x333, x326, x310) - var x340 uint32 - cmovznzU32(&x340, x333, x328, x312) - var x341 uint32 - cmovznzU32(&x341, x333, x330, x314) - out1[0] = x334 - out1[1] = x335 - out1[2] = x336 - out1[3] = x337 - out1[4] = x338 - out1[5] = x339 - out1[6] = x340 - out1[7] = x341 + x1 := arg1[0] + var x2 uint32 + var x3 uint32 + x3, x2 = bits.Mul32(x1, 0xffffffff) + var x4 uint32 + var x5 uint32 + x5, x4 = bits.Mul32(x1, 0xffffffff) + var x6 uint32 + var x7 uint32 + x7, x6 = bits.Mul32(x1, 0xffffffff) + var x8 uint32 + var x9 uint32 + x9, x8 = bits.Mul32(x1, 0xffffffff) + var x10 uint32 + var x11 uint1 + x10, x11 = addcarryxU32(x9, x6, 0x0) + var x12 uint32 + var x13 uint1 + x12, x13 = addcarryxU32(x7, x4, x11) + var x15 uint1 + _, x15 = 
addcarryxU32(x1, x8, 0x0) + var x16 uint32 + var x17 uint1 + x16, x17 = addcarryxU32(uint32(0x0), x10, x15) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(uint32(0x0), x12, x17) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(uint32(0x0), (uint32(x13) + x5), x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x16, arg1[1], 0x0) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x18, uint32(0x0), x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x20, uint32(0x0), x25) + var x28 uint32 + var x29 uint32 + x29, x28 = bits.Mul32(x22, 0xffffffff) + var x30 uint32 + var x31 uint32 + x31, x30 = bits.Mul32(x22, 0xffffffff) + var x32 uint32 + var x33 uint32 + x33, x32 = bits.Mul32(x22, 0xffffffff) + var x34 uint32 + var x35 uint32 + x35, x34 = bits.Mul32(x22, 0xffffffff) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(x35, x32, 0x0) + var x38 uint32 + var x39 uint1 + x38, x39 = addcarryxU32(x33, x30, x37) + var x41 uint1 + _, x41 = addcarryxU32(x22, x34, 0x0) + var x42 uint32 + var x43 uint1 + x42, x43 = addcarryxU32(x24, x36, x41) + var x44 uint32 + var x45 uint1 + x44, x45 = addcarryxU32(x26, x38, x43) + var x46 uint32 + var x47 uint1 + x46, x47 = addcarryxU32((uint32(x27) + uint32(x21)), (uint32(x39) + x31), x45) + var x48 uint32 + var x49 uint1 + x48, x49 = addcarryxU32(x2, x22, 0x0) + var x50 uint32 + var x51 uint1 + x50, x51 = addcarryxU32(x3, x28, x49) + var x52 uint32 + var x53 uint1 + x52, x53 = addcarryxU32(x42, arg1[2], 0x0) + var x54 uint32 + var x55 uint1 + x54, x55 = addcarryxU32(x44, uint32(0x0), x53) + var x56 uint32 + var x57 uint1 + x56, x57 = addcarryxU32(x46, uint32(0x0), x55) + var x58 uint32 + var x59 uint32 + x59, x58 = bits.Mul32(x52, 0xffffffff) + var x60 uint32 + var x61 uint32 + x61, x60 = bits.Mul32(x52, 0xffffffff) + var x62 uint32 + var x63 uint32 + x63, x62 = bits.Mul32(x52, 0xffffffff) + var x64 uint32 + var x65 uint32 + x65, x64 = bits.Mul32(x52, 0xffffffff) + var x66 uint32 
+ var x67 uint1 + x66, x67 = addcarryxU32(x65, x62, 0x0) + var x68 uint32 + var x69 uint1 + x68, x69 = addcarryxU32(x63, x60, x67) + var x71 uint1 + _, x71 = addcarryxU32(x52, x64, 0x0) + var x72 uint32 + var x73 uint1 + x72, x73 = addcarryxU32(x54, x66, x71) + var x74 uint32 + var x75 uint1 + x74, x75 = addcarryxU32(x56, x68, x73) + var x76 uint32 + var x77 uint1 + x76, x77 = addcarryxU32((uint32(x57) + uint32(x47)), (uint32(x69) + x61), x75) + var x78 uint32 + var x79 uint1 + x78, x79 = addcarryxU32(x1, uint32(0x0), x77) + var x80 uint32 + var x81 uint1 + x80, x81 = addcarryxU32(x48, uint32(0x0), x79) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x50, x52, x81) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32((uint32(x51) + x29), x58, x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x72, arg1[3], 0x0) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x74, uint32(0x0), x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x76, uint32(0x0), x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x78, uint32(0x0), x91) + var x94 uint32 + var x95 uint1 + x94, x95 = addcarryxU32(x80, uint32(0x0), x93) + var x96 uint32 + var x97 uint1 + x96, x97 = addcarryxU32(x82, uint32(0x0), x95) + var x98 uint32 + var x99 uint1 + x98, x99 = addcarryxU32(x84, uint32(0x0), x97) + var x100 uint32 + var x101 uint1 + x100, x101 = addcarryxU32((uint32(x85) + x59), uint32(0x0), x99) + var x102 uint32 + var x103 uint32 + x103, x102 = bits.Mul32(x86, 0xffffffff) + var x104 uint32 + var x105 uint32 + x105, x104 = bits.Mul32(x86, 0xffffffff) + var x106 uint32 + var x107 uint32 + x107, x106 = bits.Mul32(x86, 0xffffffff) + var x108 uint32 + var x109 uint32 + x109, x108 = bits.Mul32(x86, 0xffffffff) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x109, x106, 0x0) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x107, x104, x111) + var x115 uint1 + _, x115 = addcarryxU32(x86, x108, 0x0) + var x116 uint32 
+ var x117 uint1 + x116, x117 = addcarryxU32(x88, x110, x115) + var x118 uint32 + var x119 uint1 + x118, x119 = addcarryxU32(x90, x112, x117) + var x120 uint32 + var x121 uint1 + x120, x121 = addcarryxU32(x92, (uint32(x113) + x105), x119) + var x122 uint32 + var x123 uint1 + x122, x123 = addcarryxU32(x94, uint32(0x0), x121) + var x124 uint32 + var x125 uint1 + x124, x125 = addcarryxU32(x96, uint32(0x0), x123) + var x126 uint32 + var x127 uint1 + x126, x127 = addcarryxU32(x98, x86, x125) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x100, x102, x127) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(uint32(x101), x103, x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x116, arg1[4], 0x0) + var x134 uint32 + var x135 uint1 + x134, x135 = addcarryxU32(x118, uint32(0x0), x133) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x120, uint32(0x0), x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(x122, uint32(0x0), x137) + var x140 uint32 + var x141 uint1 + x140, x141 = addcarryxU32(x124, uint32(0x0), x139) + var x142 uint32 + var x143 uint1 + x142, x143 = addcarryxU32(x126, uint32(0x0), x141) + var x144 uint32 + var x145 uint1 + x144, x145 = addcarryxU32(x128, uint32(0x0), x143) + var x146 uint32 + var x147 uint1 + x146, x147 = addcarryxU32(x130, uint32(0x0), x145) + var x148 uint32 + var x149 uint32 + x149, x148 = bits.Mul32(x132, 0xffffffff) + var x150 uint32 + var x151 uint32 + x151, x150 = bits.Mul32(x132, 0xffffffff) + var x152 uint32 + var x153 uint32 + x153, x152 = bits.Mul32(x132, 0xffffffff) + var x154 uint32 + var x155 uint32 + x155, x154 = bits.Mul32(x132, 0xffffffff) + var x156 uint32 + var x157 uint1 + x156, x157 = addcarryxU32(x155, x152, 0x0) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x153, x150, x157) + var x161 uint1 + _, x161 = addcarryxU32(x132, x154, 0x0) + var x162 uint32 + var x163 uint1 + x162, x163 = addcarryxU32(x134, x156, x161) + var x164 uint32 
+ var x165 uint1 + x164, x165 = addcarryxU32(x136, x158, x163) + var x166 uint32 + var x167 uint1 + x166, x167 = addcarryxU32(x138, (uint32(x159) + x151), x165) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x140, uint32(0x0), x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x142, uint32(0x0), x169) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x144, x132, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x146, x148, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32((uint32(x147) + uint32(x131)), x149, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x162, arg1[5], 0x0) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x164, uint32(0x0), x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x166, uint32(0x0), x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x168, uint32(0x0), x183) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x170, uint32(0x0), x185) + var x188 uint32 + var x189 uint1 + x188, x189 = addcarryxU32(x172, uint32(0x0), x187) + var x190 uint32 + var x191 uint1 + x190, x191 = addcarryxU32(x174, uint32(0x0), x189) + var x192 uint32 + var x193 uint1 + x192, x193 = addcarryxU32(x176, uint32(0x0), x191) + var x194 uint32 + var x195 uint32 + x195, x194 = bits.Mul32(x178, 0xffffffff) + var x196 uint32 + var x197 uint32 + x197, x196 = bits.Mul32(x178, 0xffffffff) + var x198 uint32 + var x199 uint32 + x199, x198 = bits.Mul32(x178, 0xffffffff) + var x200 uint32 + var x201 uint32 + x201, x200 = bits.Mul32(x178, 0xffffffff) + var x202 uint32 + var x203 uint1 + x202, x203 = addcarryxU32(x201, x198, 0x0) + var x204 uint32 + var x205 uint1 + x204, x205 = addcarryxU32(x199, x196, x203) + var x207 uint1 + _, x207 = addcarryxU32(x178, x200, 0x0) + var x208 uint32 + var x209 uint1 + x208, x209 = addcarryxU32(x180, x202, x207) + var x210 uint32 + var x211 uint1 + x210, x211 = addcarryxU32(x182, x204, 
x209) + var x212 uint32 + var x213 uint1 + x212, x213 = addcarryxU32(x184, (uint32(x205) + x197), x211) + var x214 uint32 + var x215 uint1 + x214, x215 = addcarryxU32(x186, uint32(0x0), x213) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x188, uint32(0x0), x215) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x190, x178, x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x192, x194, x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32((uint32(x193) + uint32(x177)), x195, x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x208, arg1[6], 0x0) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x210, uint32(0x0), x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x212, uint32(0x0), x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x214, uint32(0x0), x229) + var x232 uint32 + var x233 uint1 + x232, x233 = addcarryxU32(x216, uint32(0x0), x231) + var x234 uint32 + var x235 uint1 + x234, x235 = addcarryxU32(x218, uint32(0x0), x233) + var x236 uint32 + var x237 uint1 + x236, x237 = addcarryxU32(x220, uint32(0x0), x235) + var x238 uint32 + var x239 uint1 + x238, x239 = addcarryxU32(x222, uint32(0x0), x237) + var x240 uint32 + var x241 uint32 + x241, x240 = bits.Mul32(x224, 0xffffffff) + var x242 uint32 + var x243 uint32 + x243, x242 = bits.Mul32(x224, 0xffffffff) + var x244 uint32 + var x245 uint32 + x245, x244 = bits.Mul32(x224, 0xffffffff) + var x246 uint32 + var x247 uint32 + x247, x246 = bits.Mul32(x224, 0xffffffff) + var x248 uint32 + var x249 uint1 + x248, x249 = addcarryxU32(x247, x244, 0x0) + var x250 uint32 + var x251 uint1 + x250, x251 = addcarryxU32(x245, x242, x249) + var x253 uint1 + _, x253 = addcarryxU32(x224, x246, 0x0) + var x254 uint32 + var x255 uint1 + x254, x255 = addcarryxU32(x226, x248, x253) + var x256 uint32 + var x257 uint1 + x256, x257 = addcarryxU32(x228, x250, x255) + var x258 uint32 + var x259 uint1 + x258, x259 = 
addcarryxU32(x230, (uint32(x251) + x243), x257) + var x260 uint32 + var x261 uint1 + x260, x261 = addcarryxU32(x232, uint32(0x0), x259) + var x262 uint32 + var x263 uint1 + x262, x263 = addcarryxU32(x234, uint32(0x0), x261) + var x264 uint32 + var x265 uint1 + x264, x265 = addcarryxU32(x236, x224, x263) + var x266 uint32 + var x267 uint1 + x266, x267 = addcarryxU32(x238, x240, x265) + var x268 uint32 + var x269 uint1 + x268, x269 = addcarryxU32((uint32(x239) + uint32(x223)), x241, x267) + var x270 uint32 + var x271 uint1 + x270, x271 = addcarryxU32(x254, arg1[7], 0x0) + var x272 uint32 + var x273 uint1 + x272, x273 = addcarryxU32(x256, uint32(0x0), x271) + var x274 uint32 + var x275 uint1 + x274, x275 = addcarryxU32(x258, uint32(0x0), x273) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x260, uint32(0x0), x275) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32(x262, uint32(0x0), x277) + var x280 uint32 + var x281 uint1 + x280, x281 = addcarryxU32(x264, uint32(0x0), x279) + var x282 uint32 + var x283 uint1 + x282, x283 = addcarryxU32(x266, uint32(0x0), x281) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x268, uint32(0x0), x283) + var x286 uint32 + var x287 uint32 + x287, x286 = bits.Mul32(x270, 0xffffffff) + var x288 uint32 + var x289 uint32 + x289, x288 = bits.Mul32(x270, 0xffffffff) + var x290 uint32 + var x291 uint32 + x291, x290 = bits.Mul32(x270, 0xffffffff) + var x292 uint32 + var x293 uint32 + x293, x292 = bits.Mul32(x270, 0xffffffff) + var x294 uint32 + var x295 uint1 + x294, x295 = addcarryxU32(x293, x290, 0x0) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x291, x288, x295) + var x299 uint1 + _, x299 = addcarryxU32(x270, x292, 0x0) + var x300 uint32 + var x301 uint1 + x300, x301 = addcarryxU32(x272, x294, x299) + var x302 uint32 + var x303 uint1 + x302, x303 = addcarryxU32(x274, x296, x301) + var x304 uint32 + var x305 uint1 + x304, x305 = addcarryxU32(x276, (uint32(x297) + x289), x303) + var 
x306 uint32 + var x307 uint1 + x306, x307 = addcarryxU32(x278, uint32(0x0), x305) + var x308 uint32 + var x309 uint1 + x308, x309 = addcarryxU32(x280, uint32(0x0), x307) + var x310 uint32 + var x311 uint1 + x310, x311 = addcarryxU32(x282, x270, x309) + var x312 uint32 + var x313 uint1 + x312, x313 = addcarryxU32(x284, x286, x311) + var x314 uint32 + var x315 uint1 + x314, x315 = addcarryxU32((uint32(x285) + uint32(x269)), x287, x313) + var x316 uint32 + var x317 uint1 + x316, x317 = subborrowxU32(x300, 0xffffffff, 0x0) + var x318 uint32 + var x319 uint1 + x318, x319 = subborrowxU32(x302, 0xffffffff, x317) + var x320 uint32 + var x321 uint1 + x320, x321 = subborrowxU32(x304, 0xffffffff, x319) + var x322 uint32 + var x323 uint1 + x322, x323 = subborrowxU32(x306, uint32(0x0), x321) + var x324 uint32 + var x325 uint1 + x324, x325 = subborrowxU32(x308, uint32(0x0), x323) + var x326 uint32 + var x327 uint1 + x326, x327 = subborrowxU32(x310, uint32(0x0), x325) + var x328 uint32 + var x329 uint1 + x328, x329 = subborrowxU32(x312, uint32(0x1), x327) + var x330 uint32 + var x331 uint1 + x330, x331 = subborrowxU32(x314, 0xffffffff, x329) + var x333 uint1 + _, x333 = subborrowxU32(uint32(x315), uint32(0x0), x331) + var x334 uint32 + cmovznzU32(&x334, x333, x316, x300) + var x335 uint32 + cmovznzU32(&x335, x333, x318, x302) + var x336 uint32 + cmovznzU32(&x336, x333, x320, x304) + var x337 uint32 + cmovznzU32(&x337, x333, x322, x306) + var x338 uint32 + cmovznzU32(&x338, x333, x324, x308) + var x339 uint32 + cmovznzU32(&x339, x333, x326, x310) + var x340 uint32 + cmovznzU32(&x340, x333, x328, x312) + var x341 uint32 + cmovznzU32(&x341, x333, x330, x314) + out1[0] = x334 + out1[1] = x335 + out1[2] = x336 + out1[3] = x337 + out1[4] = x338 + out1[5] = x339 + out1[6] = x340 + out1[7] = x341 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func ToMontgomery(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[0]) - var x9 uint32 - var x10 uint32 - x10, x9 = bits.Mul32(x8, 0x4) - var x11 uint32 - var x12 uint32 - x12, x11 = bits.Mul32(x8, 0xfffffffd) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x8, 0xffffffff) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x8, 0xfffffffe) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x8, 0xfffffffb) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x8, 0xffffffff) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x8, 0x3) - var x23 uint32 - var x24 uint1 - x23, x24 = addcarryxU32(x20, x17, 
0x0) - var x25 uint32 - var x26 uint1 - x25, x26 = addcarryxU32(x18, x15, x24) - var x27 uint32 - var x28 uint1 - x27, x28 = addcarryxU32(x16, x13, x26) - var x29 uint32 - var x30 uint1 - x29, x30 = addcarryxU32(x14, x11, x28) - var x31 uint32 - var x32 uint1 - x31, x32 = addcarryxU32(x12, x9, x30) - var x33 uint32 - var x34 uint32 - x34, x33 = bits.Mul32(x21, 0xffffffff) - var x35 uint32 - var x36 uint32 - x36, x35 = bits.Mul32(x21, 0xffffffff) - var x37 uint32 - var x38 uint32 - x38, x37 = bits.Mul32(x21, 0xffffffff) - var x39 uint32 - var x40 uint32 - x40, x39 = bits.Mul32(x21, 0xffffffff) - var x41 uint32 - var x42 uint1 - x41, x42 = addcarryxU32(x40, x37, 0x0) - var x43 uint32 - var x44 uint1 - x43, x44 = addcarryxU32(x38, x35, x42) - var x46 uint1 - _, x46 = addcarryxU32(x21, x39, 0x0) - var x47 uint32 - var x48 uint1 - x47, x48 = addcarryxU32(x22, x41, x46) - var x49 uint32 - var x50 uint1 - x49, x50 = addcarryxU32(x19, x43, x48) - var x51 uint32 - var x52 uint1 - x51, x52 = addcarryxU32(x23, (uint32(x44) + x36), x50) - var x53 uint32 - var x54 uint1 - x53, x54 = addcarryxU32(x25, uint32(0x0), x52) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x27, uint32(0x0), x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x29, x21, x56) - var x59 uint32 - var x60 uint1 - x59, x60 = addcarryxU32(x31, x33, x58) - var x61 uint32 - var x62 uint1 - x61, x62 = addcarryxU32((uint32(x32) + x10), x34, x60) - var x63 uint32 - var x64 uint32 - x64, x63 = bits.Mul32(x1, 0x4) - var x65 uint32 - var x66 uint32 - x66, x65 = bits.Mul32(x1, 0xfffffffd) - var x67 uint32 - var x68 uint32 - x68, x67 = bits.Mul32(x1, 0xffffffff) - var x69 uint32 - var x70 uint32 - x70, x69 = bits.Mul32(x1, 0xfffffffe) - var x71 uint32 - var x72 uint32 - x72, x71 = bits.Mul32(x1, 0xfffffffb) - var x73 uint32 - var x74 uint32 - x74, x73 = bits.Mul32(x1, 0xffffffff) - var x75 uint32 - var x76 uint32 - x76, x75 = bits.Mul32(x1, 0x3) - var x77 uint32 - var x78 uint1 - x77, x78 = 
addcarryxU32(x74, x71, 0x0) - var x79 uint32 - var x80 uint1 - x79, x80 = addcarryxU32(x72, x69, x78) - var x81 uint32 - var x82 uint1 - x81, x82 = addcarryxU32(x70, x67, x80) - var x83 uint32 - var x84 uint1 - x83, x84 = addcarryxU32(x68, x65, x82) - var x85 uint32 - var x86 uint1 - x85, x86 = addcarryxU32(x66, x63, x84) - var x87 uint32 - var x88 uint1 - x87, x88 = addcarryxU32(x47, x75, 0x0) - var x89 uint32 - var x90 uint1 - x89, x90 = addcarryxU32(x49, x76, x88) - var x91 uint32 - var x92 uint1 - x91, x92 = addcarryxU32(x51, x73, x90) - var x93 uint32 - var x94 uint1 - x93, x94 = addcarryxU32(x53, x77, x92) - var x95 uint32 - var x96 uint1 - x95, x96 = addcarryxU32(x55, x79, x94) - var x97 uint32 - var x98 uint1 - x97, x98 = addcarryxU32(x57, x81, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x59, x83, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = addcarryxU32(x61, x85, x100) - var x103 uint32 - var x104 uint32 - x104, x103 = bits.Mul32(x87, 0xffffffff) - var x105 uint32 - var x106 uint32 - x106, x105 = bits.Mul32(x87, 0xffffffff) - var x107 uint32 - var x108 uint32 - x108, x107 = bits.Mul32(x87, 0xffffffff) - var x109 uint32 - var x110 uint32 - x110, x109 = bits.Mul32(x87, 0xffffffff) - var x111 uint32 - var x112 uint1 - x111, x112 = addcarryxU32(x110, x107, 0x0) - var x113 uint32 - var x114 uint1 - x113, x114 = addcarryxU32(x108, x105, x112) - var x116 uint1 - _, x116 = addcarryxU32(x87, x109, 0x0) - var x117 uint32 - var x118 uint1 - x117, x118 = addcarryxU32(x89, x111, x116) - var x119 uint32 - var x120 uint1 - x119, x120 = addcarryxU32(x91, x113, x118) - var x121 uint32 - var x122 uint1 - x121, x122 = addcarryxU32(x93, (uint32(x114) + x106), x120) - var x123 uint32 - var x124 uint1 - x123, x124 = addcarryxU32(x95, uint32(0x0), x122) - var x125 uint32 - var x126 uint1 - x125, x126 = addcarryxU32(x97, uint32(0x0), x124) - var x127 uint32 - var x128 uint1 - x127, x128 = addcarryxU32(x99, x87, x126) - var x129 uint32 - var x130 
uint1 - x129, x130 = addcarryxU32(x101, x103, x128) - var x131 uint32 - var x132 uint1 - x131, x132 = addcarryxU32(((uint32(x102) + uint32(x62)) + (uint32(x86) + x64)), x104, x130) - var x133 uint32 - var x134 uint32 - x134, x133 = bits.Mul32(x2, 0x4) - var x135 uint32 - var x136 uint32 - x136, x135 = bits.Mul32(x2, 0xfffffffd) - var x137 uint32 - var x138 uint32 - x138, x137 = bits.Mul32(x2, 0xffffffff) - var x139 uint32 - var x140 uint32 - x140, x139 = bits.Mul32(x2, 0xfffffffe) - var x141 uint32 - var x142 uint32 - x142, x141 = bits.Mul32(x2, 0xfffffffb) - var x143 uint32 - var x144 uint32 - x144, x143 = bits.Mul32(x2, 0xffffffff) - var x145 uint32 - var x146 uint32 - x146, x145 = bits.Mul32(x2, 0x3) - var x147 uint32 - var x148 uint1 - x147, x148 = addcarryxU32(x144, x141, 0x0) - var x149 uint32 - var x150 uint1 - x149, x150 = addcarryxU32(x142, x139, x148) - var x151 uint32 - var x152 uint1 - x151, x152 = addcarryxU32(x140, x137, x150) - var x153 uint32 - var x154 uint1 - x153, x154 = addcarryxU32(x138, x135, x152) - var x155 uint32 - var x156 uint1 - x155, x156 = addcarryxU32(x136, x133, x154) - var x157 uint32 - var x158 uint1 - x157, x158 = addcarryxU32(x117, x145, 0x0) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x119, x146, x158) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x121, x143, x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x123, x147, x162) - var x165 uint32 - var x166 uint1 - x165, x166 = addcarryxU32(x125, x149, x164) - var x167 uint32 - var x168 uint1 - x167, x168 = addcarryxU32(x127, x151, x166) - var x169 uint32 - var x170 uint1 - x169, x170 = addcarryxU32(x129, x153, x168) - var x171 uint32 - var x172 uint1 - x171, x172 = addcarryxU32(x131, x155, x170) - var x173 uint32 - var x174 uint32 - x174, x173 = bits.Mul32(x157, 0xffffffff) - var x175 uint32 - var x176 uint32 - x176, x175 = bits.Mul32(x157, 0xffffffff) - var x177 uint32 - var x178 uint32 - x178, x177 = bits.Mul32(x157, 
0xffffffff) - var x179 uint32 - var x180 uint32 - x180, x179 = bits.Mul32(x157, 0xffffffff) - var x181 uint32 - var x182 uint1 - x181, x182 = addcarryxU32(x180, x177, 0x0) - var x183 uint32 - var x184 uint1 - x183, x184 = addcarryxU32(x178, x175, x182) - var x186 uint1 - _, x186 = addcarryxU32(x157, x179, 0x0) - var x187 uint32 - var x188 uint1 - x187, x188 = addcarryxU32(x159, x181, x186) - var x189 uint32 - var x190 uint1 - x189, x190 = addcarryxU32(x161, x183, x188) - var x191 uint32 - var x192 uint1 - x191, x192 = addcarryxU32(x163, (uint32(x184) + x176), x190) - var x193 uint32 - var x194 uint1 - x193, x194 = addcarryxU32(x165, uint32(0x0), x192) - var x195 uint32 - var x196 uint1 - x195, x196 = addcarryxU32(x167, uint32(0x0), x194) - var x197 uint32 - var x198 uint1 - x197, x198 = addcarryxU32(x169, x157, x196) - var x199 uint32 - var x200 uint1 - x199, x200 = addcarryxU32(x171, x173, x198) - var x201 uint32 - var x202 uint1 - x201, x202 = addcarryxU32(((uint32(x172) + uint32(x132)) + (uint32(x156) + x134)), x174, x200) - var x203 uint32 - var x204 uint32 - x204, x203 = bits.Mul32(x3, 0x4) - var x205 uint32 - var x206 uint32 - x206, x205 = bits.Mul32(x3, 0xfffffffd) - var x207 uint32 - var x208 uint32 - x208, x207 = bits.Mul32(x3, 0xffffffff) - var x209 uint32 - var x210 uint32 - x210, x209 = bits.Mul32(x3, 0xfffffffe) - var x211 uint32 - var x212 uint32 - x212, x211 = bits.Mul32(x3, 0xfffffffb) - var x213 uint32 - var x214 uint32 - x214, x213 = bits.Mul32(x3, 0xffffffff) - var x215 uint32 - var x216 uint32 - x216, x215 = bits.Mul32(x3, 0x3) - var x217 uint32 - var x218 uint1 - x217, x218 = addcarryxU32(x214, x211, 0x0) - var x219 uint32 - var x220 uint1 - x219, x220 = addcarryxU32(x212, x209, x218) - var x221 uint32 - var x222 uint1 - x221, x222 = addcarryxU32(x210, x207, x220) - var x223 uint32 - var x224 uint1 - x223, x224 = addcarryxU32(x208, x205, x222) - var x225 uint32 - var x226 uint1 - x225, x226 = addcarryxU32(x206, x203, x224) - var x227 uint32 - 
var x228 uint1 - x227, x228 = addcarryxU32(x187, x215, 0x0) - var x229 uint32 - var x230 uint1 - x229, x230 = addcarryxU32(x189, x216, x228) - var x231 uint32 - var x232 uint1 - x231, x232 = addcarryxU32(x191, x213, x230) - var x233 uint32 - var x234 uint1 - x233, x234 = addcarryxU32(x193, x217, x232) - var x235 uint32 - var x236 uint1 - x235, x236 = addcarryxU32(x195, x219, x234) - var x237 uint32 - var x238 uint1 - x237, x238 = addcarryxU32(x197, x221, x236) - var x239 uint32 - var x240 uint1 - x239, x240 = addcarryxU32(x199, x223, x238) - var x241 uint32 - var x242 uint1 - x241, x242 = addcarryxU32(x201, x225, x240) - var x243 uint32 - var x244 uint32 - x244, x243 = bits.Mul32(x227, 0xffffffff) - var x245 uint32 - var x246 uint32 - x246, x245 = bits.Mul32(x227, 0xffffffff) - var x247 uint32 - var x248 uint32 - x248, x247 = bits.Mul32(x227, 0xffffffff) - var x249 uint32 - var x250 uint32 - x250, x249 = bits.Mul32(x227, 0xffffffff) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x250, x247, 0x0) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x248, x245, x252) - var x256 uint1 - _, x256 = addcarryxU32(x227, x249, 0x0) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x229, x251, x256) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x231, x253, x258) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x233, (uint32(x254) + x246), x260) - var x263 uint32 - var x264 uint1 - x263, x264 = addcarryxU32(x235, uint32(0x0), x262) - var x265 uint32 - var x266 uint1 - x265, x266 = addcarryxU32(x237, uint32(0x0), x264) - var x267 uint32 - var x268 uint1 - x267, x268 = addcarryxU32(x239, x227, x266) - var x269 uint32 - var x270 uint1 - x269, x270 = addcarryxU32(x241, x243, x268) - var x271 uint32 - var x272 uint1 - x271, x272 = addcarryxU32(((uint32(x242) + uint32(x202)) + (uint32(x226) + x204)), x244, x270) - var x273 uint32 - var x274 uint32 - x274, x273 = bits.Mul32(x4, 0x4) - var x275 uint32 - var x276 
uint32 - x276, x275 = bits.Mul32(x4, 0xfffffffd) - var x277 uint32 - var x278 uint32 - x278, x277 = bits.Mul32(x4, 0xffffffff) - var x279 uint32 - var x280 uint32 - x280, x279 = bits.Mul32(x4, 0xfffffffe) - var x281 uint32 - var x282 uint32 - x282, x281 = bits.Mul32(x4, 0xfffffffb) - var x283 uint32 - var x284 uint32 - x284, x283 = bits.Mul32(x4, 0xffffffff) - var x285 uint32 - var x286 uint32 - x286, x285 = bits.Mul32(x4, 0x3) - var x287 uint32 - var x288 uint1 - x287, x288 = addcarryxU32(x284, x281, 0x0) - var x289 uint32 - var x290 uint1 - x289, x290 = addcarryxU32(x282, x279, x288) - var x291 uint32 - var x292 uint1 - x291, x292 = addcarryxU32(x280, x277, x290) - var x293 uint32 - var x294 uint1 - x293, x294 = addcarryxU32(x278, x275, x292) - var x295 uint32 - var x296 uint1 - x295, x296 = addcarryxU32(x276, x273, x294) - var x297 uint32 - var x298 uint1 - x297, x298 = addcarryxU32(x257, x285, 0x0) - var x299 uint32 - var x300 uint1 - x299, x300 = addcarryxU32(x259, x286, x298) - var x301 uint32 - var x302 uint1 - x301, x302 = addcarryxU32(x261, x283, x300) - var x303 uint32 - var x304 uint1 - x303, x304 = addcarryxU32(x263, x287, x302) - var x305 uint32 - var x306 uint1 - x305, x306 = addcarryxU32(x265, x289, x304) - var x307 uint32 - var x308 uint1 - x307, x308 = addcarryxU32(x267, x291, x306) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x269, x293, x308) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x271, x295, x310) - var x313 uint32 - var x314 uint32 - x314, x313 = bits.Mul32(x297, 0xffffffff) - var x315 uint32 - var x316 uint32 - x316, x315 = bits.Mul32(x297, 0xffffffff) - var x317 uint32 - var x318 uint32 - x318, x317 = bits.Mul32(x297, 0xffffffff) - var x319 uint32 - var x320 uint32 - x320, x319 = bits.Mul32(x297, 0xffffffff) - var x321 uint32 - var x322 uint1 - x321, x322 = addcarryxU32(x320, x317, 0x0) - var x323 uint32 - var x324 uint1 - x323, x324 = addcarryxU32(x318, x315, x322) - var x326 uint1 - _, x326 = 
addcarryxU32(x297, x319, 0x0) - var x327 uint32 - var x328 uint1 - x327, x328 = addcarryxU32(x299, x321, x326) - var x329 uint32 - var x330 uint1 - x329, x330 = addcarryxU32(x301, x323, x328) - var x331 uint32 - var x332 uint1 - x331, x332 = addcarryxU32(x303, (uint32(x324) + x316), x330) - var x333 uint32 - var x334 uint1 - x333, x334 = addcarryxU32(x305, uint32(0x0), x332) - var x335 uint32 - var x336 uint1 - x335, x336 = addcarryxU32(x307, uint32(0x0), x334) - var x337 uint32 - var x338 uint1 - x337, x338 = addcarryxU32(x309, x297, x336) - var x339 uint32 - var x340 uint1 - x339, x340 = addcarryxU32(x311, x313, x338) - var x341 uint32 - var x342 uint1 - x341, x342 = addcarryxU32(((uint32(x312) + uint32(x272)) + (uint32(x296) + x274)), x314, x340) - var x343 uint32 - var x344 uint32 - x344, x343 = bits.Mul32(x5, 0x4) - var x345 uint32 - var x346 uint32 - x346, x345 = bits.Mul32(x5, 0xfffffffd) - var x347 uint32 - var x348 uint32 - x348, x347 = bits.Mul32(x5, 0xffffffff) - var x349 uint32 - var x350 uint32 - x350, x349 = bits.Mul32(x5, 0xfffffffe) - var x351 uint32 - var x352 uint32 - x352, x351 = bits.Mul32(x5, 0xfffffffb) - var x353 uint32 - var x354 uint32 - x354, x353 = bits.Mul32(x5, 0xffffffff) - var x355 uint32 - var x356 uint32 - x356, x355 = bits.Mul32(x5, 0x3) - var x357 uint32 - var x358 uint1 - x357, x358 = addcarryxU32(x354, x351, 0x0) - var x359 uint32 - var x360 uint1 - x359, x360 = addcarryxU32(x352, x349, x358) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x350, x347, x360) - var x363 uint32 - var x364 uint1 - x363, x364 = addcarryxU32(x348, x345, x362) - var x365 uint32 - var x366 uint1 - x365, x366 = addcarryxU32(x346, x343, x364) - var x367 uint32 - var x368 uint1 - x367, x368 = addcarryxU32(x327, x355, 0x0) - var x369 uint32 - var x370 uint1 - x369, x370 = addcarryxU32(x329, x356, x368) - var x371 uint32 - var x372 uint1 - x371, x372 = addcarryxU32(x331, x353, x370) - var x373 uint32 - var x374 uint1 - x373, x374 = 
addcarryxU32(x333, x357, x372) - var x375 uint32 - var x376 uint1 - x375, x376 = addcarryxU32(x335, x359, x374) - var x377 uint32 - var x378 uint1 - x377, x378 = addcarryxU32(x337, x361, x376) - var x379 uint32 - var x380 uint1 - x379, x380 = addcarryxU32(x339, x363, x378) - var x381 uint32 - var x382 uint1 - x381, x382 = addcarryxU32(x341, x365, x380) - var x383 uint32 - var x384 uint32 - x384, x383 = bits.Mul32(x367, 0xffffffff) - var x385 uint32 - var x386 uint32 - x386, x385 = bits.Mul32(x367, 0xffffffff) - var x387 uint32 - var x388 uint32 - x388, x387 = bits.Mul32(x367, 0xffffffff) - var x389 uint32 - var x390 uint32 - x390, x389 = bits.Mul32(x367, 0xffffffff) - var x391 uint32 - var x392 uint1 - x391, x392 = addcarryxU32(x390, x387, 0x0) - var x393 uint32 - var x394 uint1 - x393, x394 = addcarryxU32(x388, x385, x392) - var x396 uint1 - _, x396 = addcarryxU32(x367, x389, 0x0) - var x397 uint32 - var x398 uint1 - x397, x398 = addcarryxU32(x369, x391, x396) - var x399 uint32 - var x400 uint1 - x399, x400 = addcarryxU32(x371, x393, x398) - var x401 uint32 - var x402 uint1 - x401, x402 = addcarryxU32(x373, (uint32(x394) + x386), x400) - var x403 uint32 - var x404 uint1 - x403, x404 = addcarryxU32(x375, uint32(0x0), x402) - var x405 uint32 - var x406 uint1 - x405, x406 = addcarryxU32(x377, uint32(0x0), x404) - var x407 uint32 - var x408 uint1 - x407, x408 = addcarryxU32(x379, x367, x406) - var x409 uint32 - var x410 uint1 - x409, x410 = addcarryxU32(x381, x383, x408) - var x411 uint32 - var x412 uint1 - x411, x412 = addcarryxU32(((uint32(x382) + uint32(x342)) + (uint32(x366) + x344)), x384, x410) - var x413 uint32 - var x414 uint32 - x414, x413 = bits.Mul32(x6, 0x4) - var x415 uint32 - var x416 uint32 - x416, x415 = bits.Mul32(x6, 0xfffffffd) - var x417 uint32 - var x418 uint32 - x418, x417 = bits.Mul32(x6, 0xffffffff) - var x419 uint32 - var x420 uint32 - x420, x419 = bits.Mul32(x6, 0xfffffffe) - var x421 uint32 - var x422 uint32 - x422, x421 = bits.Mul32(x6, 
0xfffffffb) - var x423 uint32 - var x424 uint32 - x424, x423 = bits.Mul32(x6, 0xffffffff) - var x425 uint32 - var x426 uint32 - x426, x425 = bits.Mul32(x6, 0x3) - var x427 uint32 - var x428 uint1 - x427, x428 = addcarryxU32(x424, x421, 0x0) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x422, x419, x428) - var x431 uint32 - var x432 uint1 - x431, x432 = addcarryxU32(x420, x417, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x418, x415, x432) - var x435 uint32 - var x436 uint1 - x435, x436 = addcarryxU32(x416, x413, x434) - var x437 uint32 - var x438 uint1 - x437, x438 = addcarryxU32(x397, x425, 0x0) - var x439 uint32 - var x440 uint1 - x439, x440 = addcarryxU32(x399, x426, x438) - var x441 uint32 - var x442 uint1 - x441, x442 = addcarryxU32(x401, x423, x440) - var x443 uint32 - var x444 uint1 - x443, x444 = addcarryxU32(x403, x427, x442) - var x445 uint32 - var x446 uint1 - x445, x446 = addcarryxU32(x405, x429, x444) - var x447 uint32 - var x448 uint1 - x447, x448 = addcarryxU32(x407, x431, x446) - var x449 uint32 - var x450 uint1 - x449, x450 = addcarryxU32(x409, x433, x448) - var x451 uint32 - var x452 uint1 - x451, x452 = addcarryxU32(x411, x435, x450) - var x453 uint32 - var x454 uint32 - x454, x453 = bits.Mul32(x437, 0xffffffff) - var x455 uint32 - var x456 uint32 - x456, x455 = bits.Mul32(x437, 0xffffffff) - var x457 uint32 - var x458 uint32 - x458, x457 = bits.Mul32(x437, 0xffffffff) - var x459 uint32 - var x460 uint32 - x460, x459 = bits.Mul32(x437, 0xffffffff) - var x461 uint32 - var x462 uint1 - x461, x462 = addcarryxU32(x460, x457, 0x0) - var x463 uint32 - var x464 uint1 - x463, x464 = addcarryxU32(x458, x455, x462) - var x466 uint1 - _, x466 = addcarryxU32(x437, x459, 0x0) - var x467 uint32 - var x468 uint1 - x467, x468 = addcarryxU32(x439, x461, x466) - var x469 uint32 - var x470 uint1 - x469, x470 = addcarryxU32(x441, x463, x468) - var x471 uint32 - var x472 uint1 - x471, x472 = addcarryxU32(x443, (uint32(x464) + 
x456), x470) - var x473 uint32 - var x474 uint1 - x473, x474 = addcarryxU32(x445, uint32(0x0), x472) - var x475 uint32 - var x476 uint1 - x475, x476 = addcarryxU32(x447, uint32(0x0), x474) - var x477 uint32 - var x478 uint1 - x477, x478 = addcarryxU32(x449, x437, x476) - var x479 uint32 - var x480 uint1 - x479, x480 = addcarryxU32(x451, x453, x478) - var x481 uint32 - var x482 uint1 - x481, x482 = addcarryxU32(((uint32(x452) + uint32(x412)) + (uint32(x436) + x414)), x454, x480) - var x483 uint32 - var x484 uint32 - x484, x483 = bits.Mul32(x7, 0x4) - var x485 uint32 - var x486 uint32 - x486, x485 = bits.Mul32(x7, 0xfffffffd) - var x487 uint32 - var x488 uint32 - x488, x487 = bits.Mul32(x7, 0xffffffff) - var x489 uint32 - var x490 uint32 - x490, x489 = bits.Mul32(x7, 0xfffffffe) - var x491 uint32 - var x492 uint32 - x492, x491 = bits.Mul32(x7, 0xfffffffb) - var x493 uint32 - var x494 uint32 - x494, x493 = bits.Mul32(x7, 0xffffffff) - var x495 uint32 - var x496 uint32 - x496, x495 = bits.Mul32(x7, 0x3) - var x497 uint32 - var x498 uint1 - x497, x498 = addcarryxU32(x494, x491, 0x0) - var x499 uint32 - var x500 uint1 - x499, x500 = addcarryxU32(x492, x489, x498) - var x501 uint32 - var x502 uint1 - x501, x502 = addcarryxU32(x490, x487, x500) - var x503 uint32 - var x504 uint1 - x503, x504 = addcarryxU32(x488, x485, x502) - var x505 uint32 - var x506 uint1 - x505, x506 = addcarryxU32(x486, x483, x504) - var x507 uint32 - var x508 uint1 - x507, x508 = addcarryxU32(x467, x495, 0x0) - var x509 uint32 - var x510 uint1 - x509, x510 = addcarryxU32(x469, x496, x508) - var x511 uint32 - var x512 uint1 - x511, x512 = addcarryxU32(x471, x493, x510) - var x513 uint32 - var x514 uint1 - x513, x514 = addcarryxU32(x473, x497, x512) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x475, x499, x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x477, x501, x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x479, x503, x518) - var x521 
uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x481, x505, x520) - var x523 uint32 - var x524 uint32 - x524, x523 = bits.Mul32(x507, 0xffffffff) - var x525 uint32 - var x526 uint32 - x526, x525 = bits.Mul32(x507, 0xffffffff) - var x527 uint32 - var x528 uint32 - x528, x527 = bits.Mul32(x507, 0xffffffff) - var x529 uint32 - var x530 uint32 - x530, x529 = bits.Mul32(x507, 0xffffffff) - var x531 uint32 - var x532 uint1 - x531, x532 = addcarryxU32(x530, x527, 0x0) - var x533 uint32 - var x534 uint1 - x533, x534 = addcarryxU32(x528, x525, x532) - var x536 uint1 - _, x536 = addcarryxU32(x507, x529, 0x0) - var x537 uint32 - var x538 uint1 - x537, x538 = addcarryxU32(x509, x531, x536) - var x539 uint32 - var x540 uint1 - x539, x540 = addcarryxU32(x511, x533, x538) - var x541 uint32 - var x542 uint1 - x541, x542 = addcarryxU32(x513, (uint32(x534) + x526), x540) - var x543 uint32 - var x544 uint1 - x543, x544 = addcarryxU32(x515, uint32(0x0), x542) - var x545 uint32 - var x546 uint1 - x545, x546 = addcarryxU32(x517, uint32(0x0), x544) - var x547 uint32 - var x548 uint1 - x547, x548 = addcarryxU32(x519, x507, x546) - var x549 uint32 - var x550 uint1 - x549, x550 = addcarryxU32(x521, x523, x548) - var x551 uint32 - var x552 uint1 - x551, x552 = addcarryxU32(((uint32(x522) + uint32(x482)) + (uint32(x506) + x484)), x524, x550) - var x553 uint32 - var x554 uint1 - x553, x554 = subborrowxU32(x537, 0xffffffff, 0x0) - var x555 uint32 - var x556 uint1 - x555, x556 = subborrowxU32(x539, 0xffffffff, x554) - var x557 uint32 - var x558 uint1 - x557, x558 = subborrowxU32(x541, 0xffffffff, x556) - var x559 uint32 - var x560 uint1 - x559, x560 = subborrowxU32(x543, uint32(0x0), x558) - var x561 uint32 - var x562 uint1 - x561, x562 = subborrowxU32(x545, uint32(0x0), x560) - var x563 uint32 - var x564 uint1 - x563, x564 = subborrowxU32(x547, uint32(0x0), x562) - var x565 uint32 - var x566 uint1 - x565, x566 = subborrowxU32(x549, uint32(0x1), x564) - var x567 uint32 - var x568 uint1 - 
x567, x568 = subborrowxU32(x551, 0xffffffff, x566) - var x570 uint1 - _, x570 = subborrowxU32(uint32(x552), uint32(0x0), x568) - var x571 uint32 - cmovznzU32(&x571, x570, x553, x537) - var x572 uint32 - cmovznzU32(&x572, x570, x555, x539) - var x573 uint32 - cmovznzU32(&x573, x570, x557, x541) - var x574 uint32 - cmovznzU32(&x574, x570, x559, x543) - var x575 uint32 - cmovznzU32(&x575, x570, x561, x545) - var x576 uint32 - cmovznzU32(&x576, x570, x563, x547) - var x577 uint32 - cmovznzU32(&x577, x570, x565, x549) - var x578 uint32 - cmovznzU32(&x578, x570, x567, x551) - out1[0] = x571 - out1[1] = x572 - out1[2] = x573 - out1[3] = x574 - out1[4] = x575 - out1[5] = x576 - out1[6] = x577 - out1[7] = x578 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[0] + var x9 uint32 + var x10 uint32 + x10, x9 = bits.Mul32(x8, 0x4) + var x11 uint32 + var x12 uint32 + x12, x11 = bits.Mul32(x8, 0xfffffffd) + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x8, 0xffffffff) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x8, 0xfffffffe) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x8, 0xfffffffb) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x8, 0xffffffff) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x8, 0x3) + var x23 uint32 + var x24 uint1 + x23, x24 = addcarryxU32(x20, x17, 0x0) + var x25 uint32 + var x26 uint1 + x25, x26 = addcarryxU32(x18, x15, x24) + var x27 uint32 + var x28 uint1 + x27, x28 = addcarryxU32(x16, x13, x26) + var x29 uint32 + var x30 uint1 + x29, x30 = addcarryxU32(x14, x11, x28) + var x31 uint32 + var x32 uint1 + x31, x32 = addcarryxU32(x12, x9, x30) + var x33 uint32 + var x34 uint32 + x34, x33 = bits.Mul32(x21, 0xffffffff) + var x35 uint32 + var x36 uint32 + x36, x35 = bits.Mul32(x21, 0xffffffff) + var x37 uint32 + var x38 uint32 + x38, x37 = bits.Mul32(x21, 0xffffffff) + var x39 uint32 + var x40 uint32 + x40, x39 = bits.Mul32(x21, 
0xffffffff) + var x41 uint32 + var x42 uint1 + x41, x42 = addcarryxU32(x40, x37, 0x0) + var x43 uint32 + var x44 uint1 + x43, x44 = addcarryxU32(x38, x35, x42) + var x46 uint1 + _, x46 = addcarryxU32(x21, x39, 0x0) + var x47 uint32 + var x48 uint1 + x47, x48 = addcarryxU32(x22, x41, x46) + var x49 uint32 + var x50 uint1 + x49, x50 = addcarryxU32(x19, x43, x48) + var x51 uint32 + var x52 uint1 + x51, x52 = addcarryxU32(x23, (uint32(x44) + x36), x50) + var x53 uint32 + var x54 uint1 + x53, x54 = addcarryxU32(x25, uint32(0x0), x52) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x27, uint32(0x0), x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x29, x21, x56) + var x59 uint32 + var x60 uint1 + x59, x60 = addcarryxU32(x31, x33, x58) + var x61 uint32 + var x62 uint1 + x61, x62 = addcarryxU32((uint32(x32) + x10), x34, x60) + var x63 uint32 + var x64 uint32 + x64, x63 = bits.Mul32(x1, 0x4) + var x65 uint32 + var x66 uint32 + x66, x65 = bits.Mul32(x1, 0xfffffffd) + var x67 uint32 + var x68 uint32 + x68, x67 = bits.Mul32(x1, 0xffffffff) + var x69 uint32 + var x70 uint32 + x70, x69 = bits.Mul32(x1, 0xfffffffe) + var x71 uint32 + var x72 uint32 + x72, x71 = bits.Mul32(x1, 0xfffffffb) + var x73 uint32 + var x74 uint32 + x74, x73 = bits.Mul32(x1, 0xffffffff) + var x75 uint32 + var x76 uint32 + x76, x75 = bits.Mul32(x1, 0x3) + var x77 uint32 + var x78 uint1 + x77, x78 = addcarryxU32(x74, x71, 0x0) + var x79 uint32 + var x80 uint1 + x79, x80 = addcarryxU32(x72, x69, x78) + var x81 uint32 + var x82 uint1 + x81, x82 = addcarryxU32(x70, x67, x80) + var x83 uint32 + var x84 uint1 + x83, x84 = addcarryxU32(x68, x65, x82) + var x85 uint32 + var x86 uint1 + x85, x86 = addcarryxU32(x66, x63, x84) + var x87 uint32 + var x88 uint1 + x87, x88 = addcarryxU32(x47, x75, 0x0) + var x89 uint32 + var x90 uint1 + x89, x90 = addcarryxU32(x49, x76, x88) + var x91 uint32 + var x92 uint1 + x91, x92 = addcarryxU32(x51, x73, x90) + var x93 uint32 + var x94 uint1 + x93, x94 = 
addcarryxU32(x53, x77, x92) + var x95 uint32 + var x96 uint1 + x95, x96 = addcarryxU32(x55, x79, x94) + var x97 uint32 + var x98 uint1 + x97, x98 = addcarryxU32(x57, x81, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x59, x83, x98) + var x101 uint32 + var x102 uint1 + x101, x102 = addcarryxU32(x61, x85, x100) + var x103 uint32 + var x104 uint32 + x104, x103 = bits.Mul32(x87, 0xffffffff) + var x105 uint32 + var x106 uint32 + x106, x105 = bits.Mul32(x87, 0xffffffff) + var x107 uint32 + var x108 uint32 + x108, x107 = bits.Mul32(x87, 0xffffffff) + var x109 uint32 + var x110 uint32 + x110, x109 = bits.Mul32(x87, 0xffffffff) + var x111 uint32 + var x112 uint1 + x111, x112 = addcarryxU32(x110, x107, 0x0) + var x113 uint32 + var x114 uint1 + x113, x114 = addcarryxU32(x108, x105, x112) + var x116 uint1 + _, x116 = addcarryxU32(x87, x109, 0x0) + var x117 uint32 + var x118 uint1 + x117, x118 = addcarryxU32(x89, x111, x116) + var x119 uint32 + var x120 uint1 + x119, x120 = addcarryxU32(x91, x113, x118) + var x121 uint32 + var x122 uint1 + x121, x122 = addcarryxU32(x93, (uint32(x114) + x106), x120) + var x123 uint32 + var x124 uint1 + x123, x124 = addcarryxU32(x95, uint32(0x0), x122) + var x125 uint32 + var x126 uint1 + x125, x126 = addcarryxU32(x97, uint32(0x0), x124) + var x127 uint32 + var x128 uint1 + x127, x128 = addcarryxU32(x99, x87, x126) + var x129 uint32 + var x130 uint1 + x129, x130 = addcarryxU32(x101, x103, x128) + var x131 uint32 + var x132 uint1 + x131, x132 = addcarryxU32(((uint32(x102) + uint32(x62)) + (uint32(x86) + x64)), x104, x130) + var x133 uint32 + var x134 uint32 + x134, x133 = bits.Mul32(x2, 0x4) + var x135 uint32 + var x136 uint32 + x136, x135 = bits.Mul32(x2, 0xfffffffd) + var x137 uint32 + var x138 uint32 + x138, x137 = bits.Mul32(x2, 0xffffffff) + var x139 uint32 + var x140 uint32 + x140, x139 = bits.Mul32(x2, 0xfffffffe) + var x141 uint32 + var x142 uint32 + x142, x141 = bits.Mul32(x2, 0xfffffffb) + var x143 uint32 + var x144 
uint32 + x144, x143 = bits.Mul32(x2, 0xffffffff) + var x145 uint32 + var x146 uint32 + x146, x145 = bits.Mul32(x2, 0x3) + var x147 uint32 + var x148 uint1 + x147, x148 = addcarryxU32(x144, x141, 0x0) + var x149 uint32 + var x150 uint1 + x149, x150 = addcarryxU32(x142, x139, x148) + var x151 uint32 + var x152 uint1 + x151, x152 = addcarryxU32(x140, x137, x150) + var x153 uint32 + var x154 uint1 + x153, x154 = addcarryxU32(x138, x135, x152) + var x155 uint32 + var x156 uint1 + x155, x156 = addcarryxU32(x136, x133, x154) + var x157 uint32 + var x158 uint1 + x157, x158 = addcarryxU32(x117, x145, 0x0) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x119, x146, x158) + var x161 uint32 + var x162 uint1 + x161, x162 = addcarryxU32(x121, x143, x160) + var x163 uint32 + var x164 uint1 + x163, x164 = addcarryxU32(x123, x147, x162) + var x165 uint32 + var x166 uint1 + x165, x166 = addcarryxU32(x125, x149, x164) + var x167 uint32 + var x168 uint1 + x167, x168 = addcarryxU32(x127, x151, x166) + var x169 uint32 + var x170 uint1 + x169, x170 = addcarryxU32(x129, x153, x168) + var x171 uint32 + var x172 uint1 + x171, x172 = addcarryxU32(x131, x155, x170) + var x173 uint32 + var x174 uint32 + x174, x173 = bits.Mul32(x157, 0xffffffff) + var x175 uint32 + var x176 uint32 + x176, x175 = bits.Mul32(x157, 0xffffffff) + var x177 uint32 + var x178 uint32 + x178, x177 = bits.Mul32(x157, 0xffffffff) + var x179 uint32 + var x180 uint32 + x180, x179 = bits.Mul32(x157, 0xffffffff) + var x181 uint32 + var x182 uint1 + x181, x182 = addcarryxU32(x180, x177, 0x0) + var x183 uint32 + var x184 uint1 + x183, x184 = addcarryxU32(x178, x175, x182) + var x186 uint1 + _, x186 = addcarryxU32(x157, x179, 0x0) + var x187 uint32 + var x188 uint1 + x187, x188 = addcarryxU32(x159, x181, x186) + var x189 uint32 + var x190 uint1 + x189, x190 = addcarryxU32(x161, x183, x188) + var x191 uint32 + var x192 uint1 + x191, x192 = addcarryxU32(x163, (uint32(x184) + x176), x190) + var x193 uint32 + var x194 
uint1 + x193, x194 = addcarryxU32(x165, uint32(0x0), x192) + var x195 uint32 + var x196 uint1 + x195, x196 = addcarryxU32(x167, uint32(0x0), x194) + var x197 uint32 + var x198 uint1 + x197, x198 = addcarryxU32(x169, x157, x196) + var x199 uint32 + var x200 uint1 + x199, x200 = addcarryxU32(x171, x173, x198) + var x201 uint32 + var x202 uint1 + x201, x202 = addcarryxU32(((uint32(x172) + uint32(x132)) + (uint32(x156) + x134)), x174, x200) + var x203 uint32 + var x204 uint32 + x204, x203 = bits.Mul32(x3, 0x4) + var x205 uint32 + var x206 uint32 + x206, x205 = bits.Mul32(x3, 0xfffffffd) + var x207 uint32 + var x208 uint32 + x208, x207 = bits.Mul32(x3, 0xffffffff) + var x209 uint32 + var x210 uint32 + x210, x209 = bits.Mul32(x3, 0xfffffffe) + var x211 uint32 + var x212 uint32 + x212, x211 = bits.Mul32(x3, 0xfffffffb) + var x213 uint32 + var x214 uint32 + x214, x213 = bits.Mul32(x3, 0xffffffff) + var x215 uint32 + var x216 uint32 + x216, x215 = bits.Mul32(x3, 0x3) + var x217 uint32 + var x218 uint1 + x217, x218 = addcarryxU32(x214, x211, 0x0) + var x219 uint32 + var x220 uint1 + x219, x220 = addcarryxU32(x212, x209, x218) + var x221 uint32 + var x222 uint1 + x221, x222 = addcarryxU32(x210, x207, x220) + var x223 uint32 + var x224 uint1 + x223, x224 = addcarryxU32(x208, x205, x222) + var x225 uint32 + var x226 uint1 + x225, x226 = addcarryxU32(x206, x203, x224) + var x227 uint32 + var x228 uint1 + x227, x228 = addcarryxU32(x187, x215, 0x0) + var x229 uint32 + var x230 uint1 + x229, x230 = addcarryxU32(x189, x216, x228) + var x231 uint32 + var x232 uint1 + x231, x232 = addcarryxU32(x191, x213, x230) + var x233 uint32 + var x234 uint1 + x233, x234 = addcarryxU32(x193, x217, x232) + var x235 uint32 + var x236 uint1 + x235, x236 = addcarryxU32(x195, x219, x234) + var x237 uint32 + var x238 uint1 + x237, x238 = addcarryxU32(x197, x221, x236) + var x239 uint32 + var x240 uint1 + x239, x240 = addcarryxU32(x199, x223, x238) + var x241 uint32 + var x242 uint1 + x241, x242 = 
addcarryxU32(x201, x225, x240) + var x243 uint32 + var x244 uint32 + x244, x243 = bits.Mul32(x227, 0xffffffff) + var x245 uint32 + var x246 uint32 + x246, x245 = bits.Mul32(x227, 0xffffffff) + var x247 uint32 + var x248 uint32 + x248, x247 = bits.Mul32(x227, 0xffffffff) + var x249 uint32 + var x250 uint32 + x250, x249 = bits.Mul32(x227, 0xffffffff) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x250, x247, 0x0) + var x253 uint32 + var x254 uint1 + x253, x254 = addcarryxU32(x248, x245, x252) + var x256 uint1 + _, x256 = addcarryxU32(x227, x249, 0x0) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x229, x251, x256) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x231, x253, x258) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x233, (uint32(x254) + x246), x260) + var x263 uint32 + var x264 uint1 + x263, x264 = addcarryxU32(x235, uint32(0x0), x262) + var x265 uint32 + var x266 uint1 + x265, x266 = addcarryxU32(x237, uint32(0x0), x264) + var x267 uint32 + var x268 uint1 + x267, x268 = addcarryxU32(x239, x227, x266) + var x269 uint32 + var x270 uint1 + x269, x270 = addcarryxU32(x241, x243, x268) + var x271 uint32 + var x272 uint1 + x271, x272 = addcarryxU32(((uint32(x242) + uint32(x202)) + (uint32(x226) + x204)), x244, x270) + var x273 uint32 + var x274 uint32 + x274, x273 = bits.Mul32(x4, 0x4) + var x275 uint32 + var x276 uint32 + x276, x275 = bits.Mul32(x4, 0xfffffffd) + var x277 uint32 + var x278 uint32 + x278, x277 = bits.Mul32(x4, 0xffffffff) + var x279 uint32 + var x280 uint32 + x280, x279 = bits.Mul32(x4, 0xfffffffe) + var x281 uint32 + var x282 uint32 + x282, x281 = bits.Mul32(x4, 0xfffffffb) + var x283 uint32 + var x284 uint32 + x284, x283 = bits.Mul32(x4, 0xffffffff) + var x285 uint32 + var x286 uint32 + x286, x285 = bits.Mul32(x4, 0x3) + var x287 uint32 + var x288 uint1 + x287, x288 = addcarryxU32(x284, x281, 0x0) + var x289 uint32 + var x290 uint1 + x289, x290 = addcarryxU32(x282, x279, x288) + var 
x291 uint32 + var x292 uint1 + x291, x292 = addcarryxU32(x280, x277, x290) + var x293 uint32 + var x294 uint1 + x293, x294 = addcarryxU32(x278, x275, x292) + var x295 uint32 + var x296 uint1 + x295, x296 = addcarryxU32(x276, x273, x294) + var x297 uint32 + var x298 uint1 + x297, x298 = addcarryxU32(x257, x285, 0x0) + var x299 uint32 + var x300 uint1 + x299, x300 = addcarryxU32(x259, x286, x298) + var x301 uint32 + var x302 uint1 + x301, x302 = addcarryxU32(x261, x283, x300) + var x303 uint32 + var x304 uint1 + x303, x304 = addcarryxU32(x263, x287, x302) + var x305 uint32 + var x306 uint1 + x305, x306 = addcarryxU32(x265, x289, x304) + var x307 uint32 + var x308 uint1 + x307, x308 = addcarryxU32(x267, x291, x306) + var x309 uint32 + var x310 uint1 + x309, x310 = addcarryxU32(x269, x293, x308) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x271, x295, x310) + var x313 uint32 + var x314 uint32 + x314, x313 = bits.Mul32(x297, 0xffffffff) + var x315 uint32 + var x316 uint32 + x316, x315 = bits.Mul32(x297, 0xffffffff) + var x317 uint32 + var x318 uint32 + x318, x317 = bits.Mul32(x297, 0xffffffff) + var x319 uint32 + var x320 uint32 + x320, x319 = bits.Mul32(x297, 0xffffffff) + var x321 uint32 + var x322 uint1 + x321, x322 = addcarryxU32(x320, x317, 0x0) + var x323 uint32 + var x324 uint1 + x323, x324 = addcarryxU32(x318, x315, x322) + var x326 uint1 + _, x326 = addcarryxU32(x297, x319, 0x0) + var x327 uint32 + var x328 uint1 + x327, x328 = addcarryxU32(x299, x321, x326) + var x329 uint32 + var x330 uint1 + x329, x330 = addcarryxU32(x301, x323, x328) + var x331 uint32 + var x332 uint1 + x331, x332 = addcarryxU32(x303, (uint32(x324) + x316), x330) + var x333 uint32 + var x334 uint1 + x333, x334 = addcarryxU32(x305, uint32(0x0), x332) + var x335 uint32 + var x336 uint1 + x335, x336 = addcarryxU32(x307, uint32(0x0), x334) + var x337 uint32 + var x338 uint1 + x337, x338 = addcarryxU32(x309, x297, x336) + var x339 uint32 + var x340 uint1 + x339, x340 = 
addcarryxU32(x311, x313, x338) + var x341 uint32 + var x342 uint1 + x341, x342 = addcarryxU32(((uint32(x312) + uint32(x272)) + (uint32(x296) + x274)), x314, x340) + var x343 uint32 + var x344 uint32 + x344, x343 = bits.Mul32(x5, 0x4) + var x345 uint32 + var x346 uint32 + x346, x345 = bits.Mul32(x5, 0xfffffffd) + var x347 uint32 + var x348 uint32 + x348, x347 = bits.Mul32(x5, 0xffffffff) + var x349 uint32 + var x350 uint32 + x350, x349 = bits.Mul32(x5, 0xfffffffe) + var x351 uint32 + var x352 uint32 + x352, x351 = bits.Mul32(x5, 0xfffffffb) + var x353 uint32 + var x354 uint32 + x354, x353 = bits.Mul32(x5, 0xffffffff) + var x355 uint32 + var x356 uint32 + x356, x355 = bits.Mul32(x5, 0x3) + var x357 uint32 + var x358 uint1 + x357, x358 = addcarryxU32(x354, x351, 0x0) + var x359 uint32 + var x360 uint1 + x359, x360 = addcarryxU32(x352, x349, x358) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x350, x347, x360) + var x363 uint32 + var x364 uint1 + x363, x364 = addcarryxU32(x348, x345, x362) + var x365 uint32 + var x366 uint1 + x365, x366 = addcarryxU32(x346, x343, x364) + var x367 uint32 + var x368 uint1 + x367, x368 = addcarryxU32(x327, x355, 0x0) + var x369 uint32 + var x370 uint1 + x369, x370 = addcarryxU32(x329, x356, x368) + var x371 uint32 + var x372 uint1 + x371, x372 = addcarryxU32(x331, x353, x370) + var x373 uint32 + var x374 uint1 + x373, x374 = addcarryxU32(x333, x357, x372) + var x375 uint32 + var x376 uint1 + x375, x376 = addcarryxU32(x335, x359, x374) + var x377 uint32 + var x378 uint1 + x377, x378 = addcarryxU32(x337, x361, x376) + var x379 uint32 + var x380 uint1 + x379, x380 = addcarryxU32(x339, x363, x378) + var x381 uint32 + var x382 uint1 + x381, x382 = addcarryxU32(x341, x365, x380) + var x383 uint32 + var x384 uint32 + x384, x383 = bits.Mul32(x367, 0xffffffff) + var x385 uint32 + var x386 uint32 + x386, x385 = bits.Mul32(x367, 0xffffffff) + var x387 uint32 + var x388 uint32 + x388, x387 = bits.Mul32(x367, 0xffffffff) + var x389 
uint32 + var x390 uint32 + x390, x389 = bits.Mul32(x367, 0xffffffff) + var x391 uint32 + var x392 uint1 + x391, x392 = addcarryxU32(x390, x387, 0x0) + var x393 uint32 + var x394 uint1 + x393, x394 = addcarryxU32(x388, x385, x392) + var x396 uint1 + _, x396 = addcarryxU32(x367, x389, 0x0) + var x397 uint32 + var x398 uint1 + x397, x398 = addcarryxU32(x369, x391, x396) + var x399 uint32 + var x400 uint1 + x399, x400 = addcarryxU32(x371, x393, x398) + var x401 uint32 + var x402 uint1 + x401, x402 = addcarryxU32(x373, (uint32(x394) + x386), x400) + var x403 uint32 + var x404 uint1 + x403, x404 = addcarryxU32(x375, uint32(0x0), x402) + var x405 uint32 + var x406 uint1 + x405, x406 = addcarryxU32(x377, uint32(0x0), x404) + var x407 uint32 + var x408 uint1 + x407, x408 = addcarryxU32(x379, x367, x406) + var x409 uint32 + var x410 uint1 + x409, x410 = addcarryxU32(x381, x383, x408) + var x411 uint32 + var x412 uint1 + x411, x412 = addcarryxU32(((uint32(x382) + uint32(x342)) + (uint32(x366) + x344)), x384, x410) + var x413 uint32 + var x414 uint32 + x414, x413 = bits.Mul32(x6, 0x4) + var x415 uint32 + var x416 uint32 + x416, x415 = bits.Mul32(x6, 0xfffffffd) + var x417 uint32 + var x418 uint32 + x418, x417 = bits.Mul32(x6, 0xffffffff) + var x419 uint32 + var x420 uint32 + x420, x419 = bits.Mul32(x6, 0xfffffffe) + var x421 uint32 + var x422 uint32 + x422, x421 = bits.Mul32(x6, 0xfffffffb) + var x423 uint32 + var x424 uint32 + x424, x423 = bits.Mul32(x6, 0xffffffff) + var x425 uint32 + var x426 uint32 + x426, x425 = bits.Mul32(x6, 0x3) + var x427 uint32 + var x428 uint1 + x427, x428 = addcarryxU32(x424, x421, 0x0) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x422, x419, x428) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x420, x417, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x418, x415, x432) + var x435 uint32 + var x436 uint1 + x435, x436 = addcarryxU32(x416, x413, x434) + var x437 uint32 + var x438 uint1 + x437, 
x438 = addcarryxU32(x397, x425, 0x0) + var x439 uint32 + var x440 uint1 + x439, x440 = addcarryxU32(x399, x426, x438) + var x441 uint32 + var x442 uint1 + x441, x442 = addcarryxU32(x401, x423, x440) + var x443 uint32 + var x444 uint1 + x443, x444 = addcarryxU32(x403, x427, x442) + var x445 uint32 + var x446 uint1 + x445, x446 = addcarryxU32(x405, x429, x444) + var x447 uint32 + var x448 uint1 + x447, x448 = addcarryxU32(x407, x431, x446) + var x449 uint32 + var x450 uint1 + x449, x450 = addcarryxU32(x409, x433, x448) + var x451 uint32 + var x452 uint1 + x451, x452 = addcarryxU32(x411, x435, x450) + var x453 uint32 + var x454 uint32 + x454, x453 = bits.Mul32(x437, 0xffffffff) + var x455 uint32 + var x456 uint32 + x456, x455 = bits.Mul32(x437, 0xffffffff) + var x457 uint32 + var x458 uint32 + x458, x457 = bits.Mul32(x437, 0xffffffff) + var x459 uint32 + var x460 uint32 + x460, x459 = bits.Mul32(x437, 0xffffffff) + var x461 uint32 + var x462 uint1 + x461, x462 = addcarryxU32(x460, x457, 0x0) + var x463 uint32 + var x464 uint1 + x463, x464 = addcarryxU32(x458, x455, x462) + var x466 uint1 + _, x466 = addcarryxU32(x437, x459, 0x0) + var x467 uint32 + var x468 uint1 + x467, x468 = addcarryxU32(x439, x461, x466) + var x469 uint32 + var x470 uint1 + x469, x470 = addcarryxU32(x441, x463, x468) + var x471 uint32 + var x472 uint1 + x471, x472 = addcarryxU32(x443, (uint32(x464) + x456), x470) + var x473 uint32 + var x474 uint1 + x473, x474 = addcarryxU32(x445, uint32(0x0), x472) + var x475 uint32 + var x476 uint1 + x475, x476 = addcarryxU32(x447, uint32(0x0), x474) + var x477 uint32 + var x478 uint1 + x477, x478 = addcarryxU32(x449, x437, x476) + var x479 uint32 + var x480 uint1 + x479, x480 = addcarryxU32(x451, x453, x478) + var x481 uint32 + var x482 uint1 + x481, x482 = addcarryxU32(((uint32(x452) + uint32(x412)) + (uint32(x436) + x414)), x454, x480) + var x483 uint32 + var x484 uint32 + x484, x483 = bits.Mul32(x7, 0x4) + var x485 uint32 + var x486 uint32 + x486, x485 = 
bits.Mul32(x7, 0xfffffffd) + var x487 uint32 + var x488 uint32 + x488, x487 = bits.Mul32(x7, 0xffffffff) + var x489 uint32 + var x490 uint32 + x490, x489 = bits.Mul32(x7, 0xfffffffe) + var x491 uint32 + var x492 uint32 + x492, x491 = bits.Mul32(x7, 0xfffffffb) + var x493 uint32 + var x494 uint32 + x494, x493 = bits.Mul32(x7, 0xffffffff) + var x495 uint32 + var x496 uint32 + x496, x495 = bits.Mul32(x7, 0x3) + var x497 uint32 + var x498 uint1 + x497, x498 = addcarryxU32(x494, x491, 0x0) + var x499 uint32 + var x500 uint1 + x499, x500 = addcarryxU32(x492, x489, x498) + var x501 uint32 + var x502 uint1 + x501, x502 = addcarryxU32(x490, x487, x500) + var x503 uint32 + var x504 uint1 + x503, x504 = addcarryxU32(x488, x485, x502) + var x505 uint32 + var x506 uint1 + x505, x506 = addcarryxU32(x486, x483, x504) + var x507 uint32 + var x508 uint1 + x507, x508 = addcarryxU32(x467, x495, 0x0) + var x509 uint32 + var x510 uint1 + x509, x510 = addcarryxU32(x469, x496, x508) + var x511 uint32 + var x512 uint1 + x511, x512 = addcarryxU32(x471, x493, x510) + var x513 uint32 + var x514 uint1 + x513, x514 = addcarryxU32(x473, x497, x512) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x475, x499, x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x477, x501, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x479, x503, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x481, x505, x520) + var x523 uint32 + var x524 uint32 + x524, x523 = bits.Mul32(x507, 0xffffffff) + var x525 uint32 + var x526 uint32 + x526, x525 = bits.Mul32(x507, 0xffffffff) + var x527 uint32 + var x528 uint32 + x528, x527 = bits.Mul32(x507, 0xffffffff) + var x529 uint32 + var x530 uint32 + x530, x529 = bits.Mul32(x507, 0xffffffff) + var x531 uint32 + var x532 uint1 + x531, x532 = addcarryxU32(x530, x527, 0x0) + var x533 uint32 + var x534 uint1 + x533, x534 = addcarryxU32(x528, x525, x532) + var x536 uint1 + _, x536 = addcarryxU32(x507, x529, 
0x0) + var x537 uint32 + var x538 uint1 + x537, x538 = addcarryxU32(x509, x531, x536) + var x539 uint32 + var x540 uint1 + x539, x540 = addcarryxU32(x511, x533, x538) + var x541 uint32 + var x542 uint1 + x541, x542 = addcarryxU32(x513, (uint32(x534) + x526), x540) + var x543 uint32 + var x544 uint1 + x543, x544 = addcarryxU32(x515, uint32(0x0), x542) + var x545 uint32 + var x546 uint1 + x545, x546 = addcarryxU32(x517, uint32(0x0), x544) + var x547 uint32 + var x548 uint1 + x547, x548 = addcarryxU32(x519, x507, x546) + var x549 uint32 + var x550 uint1 + x549, x550 = addcarryxU32(x521, x523, x548) + var x551 uint32 + var x552 uint1 + x551, x552 = addcarryxU32(((uint32(x522) + uint32(x482)) + (uint32(x506) + x484)), x524, x550) + var x553 uint32 + var x554 uint1 + x553, x554 = subborrowxU32(x537, 0xffffffff, 0x0) + var x555 uint32 + var x556 uint1 + x555, x556 = subborrowxU32(x539, 0xffffffff, x554) + var x557 uint32 + var x558 uint1 + x557, x558 = subborrowxU32(x541, 0xffffffff, x556) + var x559 uint32 + var x560 uint1 + x559, x560 = subborrowxU32(x543, uint32(0x0), x558) + var x561 uint32 + var x562 uint1 + x561, x562 = subborrowxU32(x545, uint32(0x0), x560) + var x563 uint32 + var x564 uint1 + x563, x564 = subborrowxU32(x547, uint32(0x0), x562) + var x565 uint32 + var x566 uint1 + x565, x566 = subborrowxU32(x549, uint32(0x1), x564) + var x567 uint32 + var x568 uint1 + x567, x568 = subborrowxU32(x551, 0xffffffff, x566) + var x570 uint1 + _, x570 = subborrowxU32(uint32(x552), uint32(0x0), x568) + var x571 uint32 + cmovznzU32(&x571, x570, x553, x537) + var x572 uint32 + cmovznzU32(&x572, x570, x555, x539) + var x573 uint32 + cmovznzU32(&x573, x570, x557, x541) + var x574 uint32 + cmovznzU32(&x574, x570, x559, x543) + var x575 uint32 + cmovznzU32(&x575, x570, x561, x545) + var x576 uint32 + cmovznzU32(&x576, x570, x563, x547) + var x577 uint32 + cmovznzU32(&x577, x570, x565, x549) + var x578 uint32 + cmovznzU32(&x578, x570, x567, x551) + out1[0] = x571 + out1[1] = x572 
+ out1[2] = x573 + out1[3] = x574 + out1[4] = x575 + out1[5] = x576 + out1[6] = x577 + out1[7] = x578 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func Nonzero(out1 *uint32, arg1 *[8]uint32) { - var x1 uint32 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | (arg1[3] | (arg1[4] | (arg1[5] | (arg1[6] | arg1[7]))))))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. +// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Selectznz(out1 *[8]uint32, arg1 uint1, arg2 *[8]uint32, arg3 *[8]uint32) { - var x1 uint32 - cmovznzU32(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint32 - cmovznzU32(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint32 - cmovznzU32(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint32 - cmovznzU32(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint32 - cmovznzU32(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint32 - cmovznzU32(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint32 - cmovznzU32(&x7, arg1, (arg2[6]), (arg3[6])) - var x8 uint32 - cmovznzU32(&x8, arg1, (arg2[7]), (arg3[7])) - 
out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 + var x1 uint32 + cmovznzU32(&x1, arg1, arg2[0], arg3[0]) + var x2 uint32 + cmovznzU32(&x2, arg1, arg2[1], arg3[1]) + var x3 uint32 + cmovznzU32(&x3, arg1, arg2[2], arg3[2]) + var x4 uint32 + cmovznzU32(&x4, arg1, arg2[3], arg3[3]) + var x5 uint32 + cmovznzU32(&x5, arg1, arg2[4], arg3[4]) + var x6 uint32 + cmovznzU32(&x6, arg1, arg2[5], arg3[5]) + var x7 uint32 + cmovznzU32(&x7, arg1, arg2[6], arg3[6]) + var x8 uint32 + cmovznzU32(&x8, arg1, arg2[7], arg3[7]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[32]uint8, arg1 *[8]uint32) { - var x1 uint32 = (arg1[7]) - var x2 uint32 = (arg1[6]) - var x3 uint32 = (arg1[5]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[3]) - var x6 uint32 = (arg1[2]) - var x7 uint32 = (arg1[1]) - var x8 uint32 = (arg1[0]) - var x9 uint8 = (uint8(x8) & 0xff) - var x10 uint32 = (x8 >> 8) - var x11 uint8 = (uint8(x10) & 0xff) - var x12 uint32 = (x10 >> 8) - var x13 uint8 = (uint8(x12) & 0xff) - var x14 uint8 = uint8((x12 >> 8)) - var x15 uint8 = (uint8(x7) & 0xff) - var x16 uint32 = (x7 >> 8) - var x17 uint8 = (uint8(x16) & 0xff) - var x18 uint32 = (x16 >> 8) - var x19 uint8 = (uint8(x18) & 0xff) - var x20 uint8 = uint8((x18 >> 8)) - var x21 uint8 = (uint8(x6) & 0xff) - var x22 uint32 = (x6 >> 8) - var x23 uint8 = (uint8(x22) & 0xff) - var x24 uint32 = (x22 >> 8) - var x25 uint8 = (uint8(x24) & 0xff) - var x26 uint8 = uint8((x24 >> 8)) - var x27 uint8 = (uint8(x5) & 0xff) - var x28 uint32 = (x5 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint32 = (x28 >> 8) - var x31 uint8 = (uint8(x30) & 0xff) - var x32 uint8 = uint8((x30 >> 8)) - var x33 uint8 = (uint8(x4) & 
0xff) - var x34 uint32 = (x4 >> 8) - var x35 uint8 = (uint8(x34) & 0xff) - var x36 uint32 = (x34 >> 8) - var x37 uint8 = (uint8(x36) & 0xff) - var x38 uint8 = uint8((x36 >> 8)) - var x39 uint8 = (uint8(x3) & 0xff) - var x40 uint32 = (x3 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint32 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint8 = uint8((x42 >> 8)) - var x45 uint8 = (uint8(x2) & 0xff) - var x46 uint32 = (x2 >> 8) - var x47 uint8 = (uint8(x46) & 0xff) - var x48 uint32 = (x46 >> 8) - var x49 uint8 = (uint8(x48) & 0xff) - var x50 uint8 = uint8((x48 >> 8)) - var x51 uint8 = (uint8(x1) & 0xff) - var x52 uint32 = (x1 >> 8) - var x53 uint8 = (uint8(x52) & 0xff) - var x54 uint32 = (x52 >> 8) - var x55 uint8 = (uint8(x54) & 0xff) - var x56 uint8 = uint8((x54 >> 8)) - out1[0] = x9 - out1[1] = x11 - out1[2] = x13 - out1[3] = x14 - out1[4] = x15 - out1[5] = x17 - out1[6] = x19 - out1[7] = x20 - out1[8] = x21 - out1[9] = x23 - out1[10] = x25 - out1[11] = x26 - out1[12] = x27 - out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x38 - out1[20] = x39 - out1[21] = x41 - out1[22] = x43 - out1[23] = x44 - out1[24] = x45 - out1[25] = x47 - out1[26] = x49 - out1[27] = x50 - out1[28] = x51 - out1[29] = x53 - out1[30] = x55 - out1[31] = x56 + x1 := arg1[7] + x2 := arg1[6] + x3 := arg1[5] + x4 := arg1[4] + x5 := arg1[3] + x6 := arg1[2] + x7 := arg1[1] + x8 := arg1[0] + x9 := (uint8(x8) & 0xff) + x10 := (x8 >> 8) + x11 := (uint8(x10) & 0xff) + x12 := (x10 >> 8) + x13 := (uint8(x12) & 0xff) + x14 := uint8((x12 >> 8)) + x15 := (uint8(x7) & 0xff) + x16 := (x7 >> 8) + x17 := (uint8(x16) & 0xff) + x18 := (x16 >> 8) + x19 := (uint8(x18) & 0xff) + x20 := uint8((x18 >> 8)) + x21 := (uint8(x6) & 0xff) + x22 := (x6 >> 8) + x23 := (uint8(x22) & 0xff) + x24 := (x22 >> 8) + x25 := (uint8(x24) & 0xff) + x26 := uint8((x24 >> 8)) + x27 := (uint8(x5) & 0xff) + x28 := (x5 >> 8) + x29 := (uint8(x28) & 0xff) + x30 
:= (x28 >> 8) + x31 := (uint8(x30) & 0xff) + x32 := uint8((x30 >> 8)) + x33 := (uint8(x4) & 0xff) + x34 := (x4 >> 8) + x35 := (uint8(x34) & 0xff) + x36 := (x34 >> 8) + x37 := (uint8(x36) & 0xff) + x38 := uint8((x36 >> 8)) + x39 := (uint8(x3) & 0xff) + x40 := (x3 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := (uint8(x42) & 0xff) + x44 := uint8((x42 >> 8)) + x45 := (uint8(x2) & 0xff) + x46 := (x2 >> 8) + x47 := (uint8(x46) & 0xff) + x48 := (x46 >> 8) + x49 := (uint8(x48) & 0xff) + x50 := uint8((x48 >> 8)) + x51 := (uint8(x1) & 0xff) + x52 := (x1 >> 8) + x53 := (uint8(x52) & 0xff) + x54 := (x52 >> 8) + x55 := (uint8(x54) & 0xff) + x56 := uint8((x54 >> 8)) + out1[0] = x9 + out1[1] = x11 + out1[2] = x13 + out1[3] = x14 + out1[4] = x15 + out1[5] = x17 + out1[6] = x19 + out1[7] = x20 + out1[8] = x21 + out1[9] = x23 + out1[10] = x25 + out1[11] = x26 + out1[12] = x27 + out1[13] = x29 + out1[14] = x31 + out1[15] = x32 + out1[16] = x33 + out1[17] = x35 + out1[18] = x37 + out1[19] = x38 + out1[20] = x39 + out1[21] = x41 + out1[22] = x43 + out1[23] = x44 + out1[24] = x45 + out1[25] = x47 + out1[26] = x49 + out1[27] = x50 + out1[28] = x51 + out1[29] = x53 + out1[30] = x55 + out1[31] = x56 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
- Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromBytes(out1 *[8]uint32, arg1 *[32]uint8) { - var x1 uint32 = (uint32((arg1[31])) << 24) - var x2 uint32 = (uint32((arg1[30])) << 16) - var x3 uint32 = (uint32((arg1[29])) << 8) - var x4 uint8 = 
(arg1[28]) - var x5 uint32 = (uint32((arg1[27])) << 24) - var x6 uint32 = (uint32((arg1[26])) << 16) - var x7 uint32 = (uint32((arg1[25])) << 8) - var x8 uint8 = (arg1[24]) - var x9 uint32 = (uint32((arg1[23])) << 24) - var x10 uint32 = (uint32((arg1[22])) << 16) - var x11 uint32 = (uint32((arg1[21])) << 8) - var x12 uint8 = (arg1[20]) - var x13 uint32 = (uint32((arg1[19])) << 24) - var x14 uint32 = (uint32((arg1[18])) << 16) - var x15 uint32 = (uint32((arg1[17])) << 8) - var x16 uint8 = (arg1[16]) - var x17 uint32 = (uint32((arg1[15])) << 24) - var x18 uint32 = (uint32((arg1[14])) << 16) - var x19 uint32 = (uint32((arg1[13])) << 8) - var x20 uint8 = (arg1[12]) - var x21 uint32 = (uint32((arg1[11])) << 24) - var x22 uint32 = (uint32((arg1[10])) << 16) - var x23 uint32 = (uint32((arg1[9])) << 8) - var x24 uint8 = (arg1[8]) - var x25 uint32 = (uint32((arg1[7])) << 24) - var x26 uint32 = (uint32((arg1[6])) << 16) - var x27 uint32 = (uint32((arg1[5])) << 8) - var x28 uint8 = (arg1[4]) - var x29 uint32 = (uint32((arg1[3])) << 24) - var x30 uint32 = (uint32((arg1[2])) << 16) - var x31 uint32 = (uint32((arg1[1])) << 8) - var x32 uint8 = (arg1[0]) - var x33 uint32 = (x31 + uint32(x32)) - var x34 uint32 = (x30 + x33) - var x35 uint32 = (x29 + x34) - var x36 uint32 = (x27 + uint32(x28)) - var x37 uint32 = (x26 + x36) - var x38 uint32 = (x25 + x37) - var x39 uint32 = (x23 + uint32(x24)) - var x40 uint32 = (x22 + x39) - var x41 uint32 = (x21 + x40) - var x42 uint32 = (x19 + uint32(x20)) - var x43 uint32 = (x18 + x42) - var x44 uint32 = (x17 + x43) - var x45 uint32 = (x15 + uint32(x16)) - var x46 uint32 = (x14 + x45) - var x47 uint32 = (x13 + x46) - var x48 uint32 = (x11 + uint32(x12)) - var x49 uint32 = (x10 + x48) - var x50 uint32 = (x9 + x49) - var x51 uint32 = (x7 + uint32(x8)) - var x52 uint32 = (x6 + x51) - var x53 uint32 = (x5 + x52) - var x54 uint32 = (x3 + uint32(x4)) - var x55 uint32 = (x2 + x54) - var x56 uint32 = (x1 + x55) - out1[0] = x35 - out1[1] = x38 - out1[2] 
= x41 - out1[3] = x44 - out1[4] = x47 - out1[5] = x50 - out1[6] = x53 - out1[7] = x56 + x1 := (uint32(arg1[31]) << 24) + x2 := (uint32(arg1[30]) << 16) + x3 := (uint32(arg1[29]) << 8) + x4 := arg1[28] + x5 := (uint32(arg1[27]) << 24) + x6 := (uint32(arg1[26]) << 16) + x7 := (uint32(arg1[25]) << 8) + x8 := arg1[24] + x9 := (uint32(arg1[23]) << 24) + x10 := (uint32(arg1[22]) << 16) + x11 := (uint32(arg1[21]) << 8) + x12 := arg1[20] + x13 := (uint32(arg1[19]) << 24) + x14 := (uint32(arg1[18]) << 16) + x15 := (uint32(arg1[17]) << 8) + x16 := arg1[16] + x17 := (uint32(arg1[15]) << 24) + x18 := (uint32(arg1[14]) << 16) + x19 := (uint32(arg1[13]) << 8) + x20 := arg1[12] + x21 := (uint32(arg1[11]) << 24) + x22 := (uint32(arg1[10]) << 16) + x23 := (uint32(arg1[9]) << 8) + x24 := arg1[8] + x25 := (uint32(arg1[7]) << 24) + x26 := (uint32(arg1[6]) << 16) + x27 := (uint32(arg1[5]) << 8) + x28 := arg1[4] + x29 := (uint32(arg1[3]) << 24) + x30 := (uint32(arg1[2]) << 16) + x31 := (uint32(arg1[1]) << 8) + x32 := arg1[0] + x33 := (x31 + uint32(x32)) + x34 := (x30 + x33) + x35 := (x29 + x34) + x36 := (x27 + uint32(x28)) + x37 := (x26 + x36) + x38 := (x25 + x37) + x39 := (x23 + uint32(x24)) + x40 := (x22 + x39) + x41 := (x21 + x40) + x42 := (x19 + uint32(x20)) + x43 := (x18 + x42) + x44 := (x17 + x43) + x45 := (x15 + uint32(x16)) + x46 := (x14 + x45) + x47 := (x13 + x46) + x48 := (x11 + uint32(x12)) + x49 := (x10 + x48) + x50 := (x9 + x49) + x51 := (x7 + uint32(x8)) + x52 := (x6 + x51) + x53 := (x5 + x52) + x54 := (x3 + uint32(x4)) + x55 := (x2 + x54) + x56 := (x1 + x55) + out1[0] = x35 + out1[1] = x38 + out1[2] = x41 + out1[3] = x44 + out1[4] = x47 + out1[5] = x50 + out1[6] = x53 + out1[7] = x56 } -/* - The function SetOne returns the field element one in the Montgomery domain. 
- Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. +// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func SetOne(out1 *[8]uint32) { - out1[0] = uint32(0x1) - out1[1] = uint32(0x0) - out1[2] = uint32(0x0) - out1[3] = 0xffffffff - out1[4] = 0xffffffff - out1[5] = 0xffffffff - out1[6] = 0xfffffffe - out1[7] = uint32(0x0) + out1[0] = uint32(0x1) + out1[1] = uint32(0x0) + out1[2] = uint32(0x0) + out1[3] = 0xffffffff + out1[4] = 0xffffffff + out1[5] = 0xffffffff + out1[6] = 0xfffffffe + out1[7] = uint32(0x0) } -/* - The function Msat returns the saturated representation of the prime modulus. - Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. 
+// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Msat(out1 *[9]uint32) { - out1[0] = 0xffffffff - out1[1] = 0xffffffff - out1[2] = 0xffffffff - out1[3] = uint32(0x0) - out1[4] = uint32(0x0) - out1[5] = uint32(0x0) - out1[6] = uint32(0x1) - out1[7] = 0xffffffff - out1[8] = uint32(0x0) + out1[0] = 0xffffffff + out1[1] = 0xffffffff + out1[2] = 0xffffffff + out1[3] = uint32(0x0) + out1[4] = uint32(0x0) + out1[5] = uint32(0x0) + out1[6] = uint32(0x1) + out1[7] = 0xffffffff + out1[8] = uint32(0x0) } -/* - The function Divstep computes a divstep. - Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffff] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 
0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. 
+// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffff] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] +// out2: [[0x0 ~> 
0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Divstep(out1 *uint32, out2 *[9]uint32, out3 *[9]uint32, out4 *[8]uint32, out5 *[8]uint32, arg1 uint32, arg2 *[9]uint32, arg3 *[9]uint32, arg4 *[8]uint32, arg5 *[8]uint32) { - var x1 uint32 - x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 31)) & (uint1((arg3[0])) & 0x1)) - var x4 uint32 - x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x6 uint32 - cmovznzU32(&x6, x3, arg1, x4) - var x7 uint32 - cmovznzU32(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint32 - cmovznzU32(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint32 - cmovznzU32(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint32 - cmovznzU32(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint32 - cmovznzU32(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint32 - cmovznzU32(&x12, x3, (arg2[5]), (arg3[5])) - var x13 uint32 - cmovznzU32(&x13, x3, (arg2[6]), (arg3[6])) - var x14 uint32 - cmovznzU32(&x14, x3, (arg2[7]), (arg3[7])) - var x15 uint32 - cmovznzU32(&x15, x3, (arg2[8]), (arg3[8])) - var x16 uint32 - var x17 uint1 - x16, x17 = addcarryxU32(uint32(0x1), (^(arg2[0])), 0x0) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(uint32(0x0), (^(arg2[1])), x17) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(uint32(0x0), (^(arg2[2])), x19) - var x22 
uint32 - var x23 uint1 - x22, x23 = addcarryxU32(uint32(0x0), (^(arg2[3])), x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(uint32(0x0), (^(arg2[4])), x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(uint32(0x0), (^(arg2[5])), x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(uint32(0x0), (^(arg2[6])), x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(uint32(0x0), (^(arg2[7])), x29) - var x32 uint32 - x32, _ = addcarryxU32(uint32(0x0), (^(arg2[8])), x31) - var x34 uint32 - cmovznzU32(&x34, x3, (arg3[0]), x16) - var x35 uint32 - cmovznzU32(&x35, x3, (arg3[1]), x18) - var x36 uint32 - cmovznzU32(&x36, x3, (arg3[2]), x20) - var x37 uint32 - cmovznzU32(&x37, x3, (arg3[3]), x22) - var x38 uint32 - cmovznzU32(&x38, x3, (arg3[4]), x24) - var x39 uint32 - cmovznzU32(&x39, x3, (arg3[5]), x26) - var x40 uint32 - cmovznzU32(&x40, x3, (arg3[6]), x28) - var x41 uint32 - cmovznzU32(&x41, x3, (arg3[7]), x30) - var x42 uint32 - cmovznzU32(&x42, x3, (arg3[8]), x32) - var x43 uint32 - cmovznzU32(&x43, x3, (arg4[0]), (arg5[0])) - var x44 uint32 - cmovznzU32(&x44, x3, (arg4[1]), (arg5[1])) - var x45 uint32 - cmovznzU32(&x45, x3, (arg4[2]), (arg5[2])) - var x46 uint32 - cmovznzU32(&x46, x3, (arg4[3]), (arg5[3])) - var x47 uint32 - cmovznzU32(&x47, x3, (arg4[4]), (arg5[4])) - var x48 uint32 - cmovznzU32(&x48, x3, (arg4[5]), (arg5[5])) - var x49 uint32 - cmovznzU32(&x49, x3, (arg4[6]), (arg5[6])) - var x50 uint32 - cmovznzU32(&x50, x3, (arg4[7]), (arg5[7])) - var x51 uint32 - var x52 uint1 - x51, x52 = addcarryxU32(x43, x43, 0x0) - var x53 uint32 - var x54 uint1 - x53, x54 = addcarryxU32(x44, x44, x52) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x45, x45, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x46, x46, x56) - var x59 uint32 - var x60 uint1 - x59, x60 = addcarryxU32(x47, x47, x58) - var x61 uint32 - var x62 uint1 - x61, x62 = addcarryxU32(x48, x48, x60) - var x63 uint32 - var x64 uint1 - 
x63, x64 = addcarryxU32(x49, x49, x62) - var x65 uint32 - var x66 uint1 - x65, x66 = addcarryxU32(x50, x50, x64) - var x67 uint32 - var x68 uint1 - x67, x68 = subborrowxU32(x51, 0xffffffff, 0x0) - var x69 uint32 - var x70 uint1 - x69, x70 = subborrowxU32(x53, 0xffffffff, x68) - var x71 uint32 - var x72 uint1 - x71, x72 = subborrowxU32(x55, 0xffffffff, x70) - var x73 uint32 - var x74 uint1 - x73, x74 = subborrowxU32(x57, uint32(0x0), x72) - var x75 uint32 - var x76 uint1 - x75, x76 = subborrowxU32(x59, uint32(0x0), x74) - var x77 uint32 - var x78 uint1 - x77, x78 = subborrowxU32(x61, uint32(0x0), x76) - var x79 uint32 - var x80 uint1 - x79, x80 = subborrowxU32(x63, uint32(0x1), x78) - var x81 uint32 - var x82 uint1 - x81, x82 = subborrowxU32(x65, 0xffffffff, x80) - var x84 uint1 - _, x84 = subborrowxU32(uint32(x66), uint32(0x0), x82) - var x85 uint32 = (arg4[7]) - var x86 uint32 = (arg4[6]) - var x87 uint32 = (arg4[5]) - var x88 uint32 = (arg4[4]) - var x89 uint32 = (arg4[3]) - var x90 uint32 = (arg4[2]) - var x91 uint32 = (arg4[1]) - var x92 uint32 = (arg4[0]) - var x93 uint32 - var x94 uint1 - x93, x94 = subborrowxU32(uint32(0x0), x92, 0x0) - var x95 uint32 - var x96 uint1 - x95, x96 = subborrowxU32(uint32(0x0), x91, x94) - var x97 uint32 - var x98 uint1 - x97, x98 = subborrowxU32(uint32(0x0), x90, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = subborrowxU32(uint32(0x0), x89, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = subborrowxU32(uint32(0x0), x88, x100) - var x103 uint32 - var x104 uint1 - x103, x104 = subborrowxU32(uint32(0x0), x87, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = subborrowxU32(uint32(0x0), x86, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = subborrowxU32(uint32(0x0), x85, x106) - var x109 uint32 - cmovznzU32(&x109, x108, uint32(0x0), 0xffffffff) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x93, x109, 0x0) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x95, x109, x111) - var 
x114 uint32 - var x115 uint1 - x114, x115 = addcarryxU32(x97, x109, x113) - var x116 uint32 - var x117 uint1 - x116, x117 = addcarryxU32(x99, uint32(0x0), x115) - var x118 uint32 - var x119 uint1 - x118, x119 = addcarryxU32(x101, uint32(0x0), x117) - var x120 uint32 - var x121 uint1 - x120, x121 = addcarryxU32(x103, uint32(0x0), x119) - var x122 uint32 - var x123 uint1 - x122, x123 = addcarryxU32(x105, uint32((uint1(x109) & 0x1)), x121) - var x124 uint32 - x124, _ = addcarryxU32(x107, x109, x123) - var x126 uint32 - cmovznzU32(&x126, x3, (arg5[0]), x110) - var x127 uint32 - cmovznzU32(&x127, x3, (arg5[1]), x112) - var x128 uint32 - cmovznzU32(&x128, x3, (arg5[2]), x114) - var x129 uint32 - cmovznzU32(&x129, x3, (arg5[3]), x116) - var x130 uint32 - cmovznzU32(&x130, x3, (arg5[4]), x118) - var x131 uint32 - cmovznzU32(&x131, x3, (arg5[5]), x120) - var x132 uint32 - cmovznzU32(&x132, x3, (arg5[6]), x122) - var x133 uint32 - cmovznzU32(&x133, x3, (arg5[7]), x124) - var x134 uint1 = (uint1(x34) & 0x1) - var x135 uint32 - cmovznzU32(&x135, x134, uint32(0x0), x7) - var x136 uint32 - cmovznzU32(&x136, x134, uint32(0x0), x8) - var x137 uint32 - cmovznzU32(&x137, x134, uint32(0x0), x9) - var x138 uint32 - cmovznzU32(&x138, x134, uint32(0x0), x10) - var x139 uint32 - cmovznzU32(&x139, x134, uint32(0x0), x11) - var x140 uint32 - cmovznzU32(&x140, x134, uint32(0x0), x12) - var x141 uint32 - cmovznzU32(&x141, x134, uint32(0x0), x13) - var x142 uint32 - cmovznzU32(&x142, x134, uint32(0x0), x14) - var x143 uint32 - cmovznzU32(&x143, x134, uint32(0x0), x15) - var x144 uint32 - var x145 uint1 - x144, x145 = addcarryxU32(x34, x135, 0x0) - var x146 uint32 - var x147 uint1 - x146, x147 = addcarryxU32(x35, x136, x145) - var x148 uint32 - var x149 uint1 - x148, x149 = addcarryxU32(x36, x137, x147) - var x150 uint32 - var x151 uint1 - x150, x151 = addcarryxU32(x37, x138, x149) - var x152 uint32 - var x153 uint1 - x152, x153 = addcarryxU32(x38, x139, x151) - var x154 uint32 - var x155 
uint1 - x154, x155 = addcarryxU32(x39, x140, x153) - var x156 uint32 - var x157 uint1 - x156, x157 = addcarryxU32(x40, x141, x155) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x41, x142, x157) - var x160 uint32 - x160, _ = addcarryxU32(x42, x143, x159) - var x162 uint32 - cmovznzU32(&x162, x134, uint32(0x0), x43) - var x163 uint32 - cmovznzU32(&x163, x134, uint32(0x0), x44) - var x164 uint32 - cmovznzU32(&x164, x134, uint32(0x0), x45) - var x165 uint32 - cmovznzU32(&x165, x134, uint32(0x0), x46) - var x166 uint32 - cmovznzU32(&x166, x134, uint32(0x0), x47) - var x167 uint32 - cmovznzU32(&x167, x134, uint32(0x0), x48) - var x168 uint32 - cmovznzU32(&x168, x134, uint32(0x0), x49) - var x169 uint32 - cmovznzU32(&x169, x134, uint32(0x0), x50) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x126, x162, 0x0) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x127, x163, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x128, x164, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x129, x165, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x130, x166, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x131, x167, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x132, x168, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x133, x169, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = subborrowxU32(x170, 0xffffffff, 0x0) - var x188 uint32 - var x189 uint1 - x188, x189 = subborrowxU32(x172, 0xffffffff, x187) - var x190 uint32 - var x191 uint1 - x190, x191 = subborrowxU32(x174, 0xffffffff, x189) - var x192 uint32 - var x193 uint1 - x192, x193 = subborrowxU32(x176, uint32(0x0), x191) - var x194 uint32 - var x195 uint1 - x194, x195 = subborrowxU32(x178, uint32(0x0), x193) - var x196 uint32 - var x197 uint1 - x196, x197 = subborrowxU32(x180, uint32(0x0), x195) - var x198 uint32 - var x199 uint1 - x198, x199 = 
subborrowxU32(x182, uint32(0x1), x197) - var x200 uint32 - var x201 uint1 - x200, x201 = subborrowxU32(x184, 0xffffffff, x199) - var x203 uint1 - _, x203 = subborrowxU32(uint32(x185), uint32(0x0), x201) - var x204 uint32 - x204, _ = addcarryxU32(x6, uint32(0x1), 0x0) - var x206 uint32 = ((x144 >> 1) | ((x146 << 31) & 0xffffffff)) - var x207 uint32 = ((x146 >> 1) | ((x148 << 31) & 0xffffffff)) - var x208 uint32 = ((x148 >> 1) | ((x150 << 31) & 0xffffffff)) - var x209 uint32 = ((x150 >> 1) | ((x152 << 31) & 0xffffffff)) - var x210 uint32 = ((x152 >> 1) | ((x154 << 31) & 0xffffffff)) - var x211 uint32 = ((x154 >> 1) | ((x156 << 31) & 0xffffffff)) - var x212 uint32 = ((x156 >> 1) | ((x158 << 31) & 0xffffffff)) - var x213 uint32 = ((x158 >> 1) | ((x160 << 31) & 0xffffffff)) - var x214 uint32 = ((x160 & 0x80000000) | (x160 >> 1)) - var x215 uint32 - cmovznzU32(&x215, x84, x67, x51) - var x216 uint32 - cmovznzU32(&x216, x84, x69, x53) - var x217 uint32 - cmovznzU32(&x217, x84, x71, x55) - var x218 uint32 - cmovznzU32(&x218, x84, x73, x57) - var x219 uint32 - cmovznzU32(&x219, x84, x75, x59) - var x220 uint32 - cmovznzU32(&x220, x84, x77, x61) - var x221 uint32 - cmovznzU32(&x221, x84, x79, x63) - var x222 uint32 - cmovznzU32(&x222, x84, x81, x65) - var x223 uint32 - cmovznzU32(&x223, x203, x186, x170) - var x224 uint32 - cmovznzU32(&x224, x203, x188, x172) - var x225 uint32 - cmovznzU32(&x225, x203, x190, x174) - var x226 uint32 - cmovznzU32(&x226, x203, x192, x176) - var x227 uint32 - cmovznzU32(&x227, x203, x194, x178) - var x228 uint32 - cmovznzU32(&x228, x203, x196, x180) - var x229 uint32 - cmovznzU32(&x229, x203, x198, x182) - var x230 uint32 - cmovznzU32(&x230, x203, x200, x184) - *out1 = x204 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out2[5] = x12 - out2[6] = x13 - out2[7] = x14 - out2[8] = x15 - out3[0] = x206 - out3[1] = x207 - out3[2] = x208 - out3[3] = x209 - out3[4] = x210 - out3[5] = x211 - out3[6] = x212 - out3[7] = x213 
- out3[8] = x214 - out4[0] = x215 - out4[1] = x216 - out4[2] = x217 - out4[3] = x218 - out4[4] = x219 - out4[5] = x220 - out4[6] = x221 - out4[7] = x222 - out5[0] = x223 - out5[1] = x224 - out5[2] = x225 - out5[3] = x226 - out5[4] = x227 - out5[5] = x228 - out5[6] = x229 - out5[7] = x230 + var x1 uint32 + x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + x3 := (uint1((x1 >> 31)) & (uint1(arg3[0]) & 0x1)) + var x4 uint32 + x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + var x6 uint32 + cmovznzU32(&x6, x3, arg1, x4) + var x7 uint32 + cmovznzU32(&x7, x3, arg2[0], arg3[0]) + var x8 uint32 + cmovznzU32(&x8, x3, arg2[1], arg3[1]) + var x9 uint32 + cmovznzU32(&x9, x3, arg2[2], arg3[2]) + var x10 uint32 + cmovznzU32(&x10, x3, arg2[3], arg3[3]) + var x11 uint32 + cmovznzU32(&x11, x3, arg2[4], arg3[4]) + var x12 uint32 + cmovznzU32(&x12, x3, arg2[5], arg3[5]) + var x13 uint32 + cmovznzU32(&x13, x3, arg2[6], arg3[6]) + var x14 uint32 + cmovznzU32(&x14, x3, arg2[7], arg3[7]) + var x15 uint32 + cmovznzU32(&x15, x3, arg2[8], arg3[8]) + var x16 uint32 + var x17 uint1 + x16, x17 = addcarryxU32(uint32(0x1), (^arg2[0]), 0x0) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(uint32(0x0), (^arg2[1]), x17) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(uint32(0x0), (^arg2[2]), x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(uint32(0x0), (^arg2[3]), x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(uint32(0x0), (^arg2[4]), x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(uint32(0x0), (^arg2[5]), x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(uint32(0x0), (^arg2[6]), x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(uint32(0x0), (^arg2[7]), x29) + var x32 uint32 + x32, _ = addcarryxU32(uint32(0x0), (^arg2[8]), x31) + var x34 uint32 + cmovznzU32(&x34, x3, arg3[0], x16) + var x35 uint32 + cmovznzU32(&x35, x3, arg3[1], x18) + var x36 uint32 + cmovznzU32(&x36, x3, arg3[2], x20) + var x37 uint32 
+ cmovznzU32(&x37, x3, arg3[3], x22) + var x38 uint32 + cmovznzU32(&x38, x3, arg3[4], x24) + var x39 uint32 + cmovznzU32(&x39, x3, arg3[5], x26) + var x40 uint32 + cmovznzU32(&x40, x3, arg3[6], x28) + var x41 uint32 + cmovznzU32(&x41, x3, arg3[7], x30) + var x42 uint32 + cmovznzU32(&x42, x3, arg3[8], x32) + var x43 uint32 + cmovznzU32(&x43, x3, arg4[0], arg5[0]) + var x44 uint32 + cmovznzU32(&x44, x3, arg4[1], arg5[1]) + var x45 uint32 + cmovznzU32(&x45, x3, arg4[2], arg5[2]) + var x46 uint32 + cmovznzU32(&x46, x3, arg4[3], arg5[3]) + var x47 uint32 + cmovznzU32(&x47, x3, arg4[4], arg5[4]) + var x48 uint32 + cmovznzU32(&x48, x3, arg4[5], arg5[5]) + var x49 uint32 + cmovznzU32(&x49, x3, arg4[6], arg5[6]) + var x50 uint32 + cmovznzU32(&x50, x3, arg4[7], arg5[7]) + var x51 uint32 + var x52 uint1 + x51, x52 = addcarryxU32(x43, x43, 0x0) + var x53 uint32 + var x54 uint1 + x53, x54 = addcarryxU32(x44, x44, x52) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x45, x45, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x46, x46, x56) + var x59 uint32 + var x60 uint1 + x59, x60 = addcarryxU32(x47, x47, x58) + var x61 uint32 + var x62 uint1 + x61, x62 = addcarryxU32(x48, x48, x60) + var x63 uint32 + var x64 uint1 + x63, x64 = addcarryxU32(x49, x49, x62) + var x65 uint32 + var x66 uint1 + x65, x66 = addcarryxU32(x50, x50, x64) + var x67 uint32 + var x68 uint1 + x67, x68 = subborrowxU32(x51, 0xffffffff, 0x0) + var x69 uint32 + var x70 uint1 + x69, x70 = subborrowxU32(x53, 0xffffffff, x68) + var x71 uint32 + var x72 uint1 + x71, x72 = subborrowxU32(x55, 0xffffffff, x70) + var x73 uint32 + var x74 uint1 + x73, x74 = subborrowxU32(x57, uint32(0x0), x72) + var x75 uint32 + var x76 uint1 + x75, x76 = subborrowxU32(x59, uint32(0x0), x74) + var x77 uint32 + var x78 uint1 + x77, x78 = subborrowxU32(x61, uint32(0x0), x76) + var x79 uint32 + var x80 uint1 + x79, x80 = subborrowxU32(x63, uint32(0x1), x78) + var x81 uint32 + var x82 uint1 + x81, x82 = 
subborrowxU32(x65, 0xffffffff, x80) + var x84 uint1 + _, x84 = subborrowxU32(uint32(x66), uint32(0x0), x82) + x85 := arg4[7] + x86 := arg4[6] + x87 := arg4[5] + x88 := arg4[4] + x89 := arg4[3] + x90 := arg4[2] + x91 := arg4[1] + x92 := arg4[0] + var x93 uint32 + var x94 uint1 + x93, x94 = subborrowxU32(uint32(0x0), x92, 0x0) + var x95 uint32 + var x96 uint1 + x95, x96 = subborrowxU32(uint32(0x0), x91, x94) + var x97 uint32 + var x98 uint1 + x97, x98 = subborrowxU32(uint32(0x0), x90, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = subborrowxU32(uint32(0x0), x89, x98) + var x101 uint32 + var x102 uint1 + x101, x102 = subborrowxU32(uint32(0x0), x88, x100) + var x103 uint32 + var x104 uint1 + x103, x104 = subborrowxU32(uint32(0x0), x87, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = subborrowxU32(uint32(0x0), x86, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = subborrowxU32(uint32(0x0), x85, x106) + var x109 uint32 + cmovznzU32(&x109, x108, uint32(0x0), 0xffffffff) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x93, x109, 0x0) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x95, x109, x111) + var x114 uint32 + var x115 uint1 + x114, x115 = addcarryxU32(x97, x109, x113) + var x116 uint32 + var x117 uint1 + x116, x117 = addcarryxU32(x99, uint32(0x0), x115) + var x118 uint32 + var x119 uint1 + x118, x119 = addcarryxU32(x101, uint32(0x0), x117) + var x120 uint32 + var x121 uint1 + x120, x121 = addcarryxU32(x103, uint32(0x0), x119) + var x122 uint32 + var x123 uint1 + x122, x123 = addcarryxU32(x105, uint32((uint1(x109) & 0x1)), x121) + var x124 uint32 + x124, _ = addcarryxU32(x107, x109, x123) + var x126 uint32 + cmovznzU32(&x126, x3, arg5[0], x110) + var x127 uint32 + cmovznzU32(&x127, x3, arg5[1], x112) + var x128 uint32 + cmovznzU32(&x128, x3, arg5[2], x114) + var x129 uint32 + cmovznzU32(&x129, x3, arg5[3], x116) + var x130 uint32 + cmovznzU32(&x130, x3, arg5[4], x118) + var x131 uint32 + cmovznzU32(&x131, x3, 
arg5[5], x120) + var x132 uint32 + cmovznzU32(&x132, x3, arg5[6], x122) + var x133 uint32 + cmovznzU32(&x133, x3, arg5[7], x124) + x134 := (uint1(x34) & 0x1) + var x135 uint32 + cmovznzU32(&x135, x134, uint32(0x0), x7) + var x136 uint32 + cmovznzU32(&x136, x134, uint32(0x0), x8) + var x137 uint32 + cmovznzU32(&x137, x134, uint32(0x0), x9) + var x138 uint32 + cmovznzU32(&x138, x134, uint32(0x0), x10) + var x139 uint32 + cmovznzU32(&x139, x134, uint32(0x0), x11) + var x140 uint32 + cmovznzU32(&x140, x134, uint32(0x0), x12) + var x141 uint32 + cmovznzU32(&x141, x134, uint32(0x0), x13) + var x142 uint32 + cmovznzU32(&x142, x134, uint32(0x0), x14) + var x143 uint32 + cmovznzU32(&x143, x134, uint32(0x0), x15) + var x144 uint32 + var x145 uint1 + x144, x145 = addcarryxU32(x34, x135, 0x0) + var x146 uint32 + var x147 uint1 + x146, x147 = addcarryxU32(x35, x136, x145) + var x148 uint32 + var x149 uint1 + x148, x149 = addcarryxU32(x36, x137, x147) + var x150 uint32 + var x151 uint1 + x150, x151 = addcarryxU32(x37, x138, x149) + var x152 uint32 + var x153 uint1 + x152, x153 = addcarryxU32(x38, x139, x151) + var x154 uint32 + var x155 uint1 + x154, x155 = addcarryxU32(x39, x140, x153) + var x156 uint32 + var x157 uint1 + x156, x157 = addcarryxU32(x40, x141, x155) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x41, x142, x157) + var x160 uint32 + x160, _ = addcarryxU32(x42, x143, x159) + var x162 uint32 + cmovznzU32(&x162, x134, uint32(0x0), x43) + var x163 uint32 + cmovznzU32(&x163, x134, uint32(0x0), x44) + var x164 uint32 + cmovznzU32(&x164, x134, uint32(0x0), x45) + var x165 uint32 + cmovznzU32(&x165, x134, uint32(0x0), x46) + var x166 uint32 + cmovznzU32(&x166, x134, uint32(0x0), x47) + var x167 uint32 + cmovznzU32(&x167, x134, uint32(0x0), x48) + var x168 uint32 + cmovznzU32(&x168, x134, uint32(0x0), x49) + var x169 uint32 + cmovznzU32(&x169, x134, uint32(0x0), x50) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x126, x162, 0x0) + var x172 
uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x127, x163, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x128, x164, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x129, x165, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x130, x166, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x131, x167, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x132, x168, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x133, x169, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = subborrowxU32(x170, 0xffffffff, 0x0) + var x188 uint32 + var x189 uint1 + x188, x189 = subborrowxU32(x172, 0xffffffff, x187) + var x190 uint32 + var x191 uint1 + x190, x191 = subborrowxU32(x174, 0xffffffff, x189) + var x192 uint32 + var x193 uint1 + x192, x193 = subborrowxU32(x176, uint32(0x0), x191) + var x194 uint32 + var x195 uint1 + x194, x195 = subborrowxU32(x178, uint32(0x0), x193) + var x196 uint32 + var x197 uint1 + x196, x197 = subborrowxU32(x180, uint32(0x0), x195) + var x198 uint32 + var x199 uint1 + x198, x199 = subborrowxU32(x182, uint32(0x1), x197) + var x200 uint32 + var x201 uint1 + x200, x201 = subborrowxU32(x184, 0xffffffff, x199) + var x203 uint1 + _, x203 = subborrowxU32(uint32(x185), uint32(0x0), x201) + var x204 uint32 + x204, _ = addcarryxU32(x6, uint32(0x1), 0x0) + x206 := ((x144 >> 1) | ((x146 << 31) & 0xffffffff)) + x207 := ((x146 >> 1) | ((x148 << 31) & 0xffffffff)) + x208 := ((x148 >> 1) | ((x150 << 31) & 0xffffffff)) + x209 := ((x150 >> 1) | ((x152 << 31) & 0xffffffff)) + x210 := ((x152 >> 1) | ((x154 << 31) & 0xffffffff)) + x211 := ((x154 >> 1) | ((x156 << 31) & 0xffffffff)) + x212 := ((x156 >> 1) | ((x158 << 31) & 0xffffffff)) + x213 := ((x158 >> 1) | ((x160 << 31) & 0xffffffff)) + x214 := ((x160 & 0x80000000) | (x160 >> 1)) + var x215 uint32 + cmovznzU32(&x215, x84, x67, x51) + var x216 uint32 + cmovznzU32(&x216, x84, x69, x53) + var x217 
uint32 + cmovznzU32(&x217, x84, x71, x55) + var x218 uint32 + cmovznzU32(&x218, x84, x73, x57) + var x219 uint32 + cmovznzU32(&x219, x84, x75, x59) + var x220 uint32 + cmovznzU32(&x220, x84, x77, x61) + var x221 uint32 + cmovznzU32(&x221, x84, x79, x63) + var x222 uint32 + cmovznzU32(&x222, x84, x81, x65) + var x223 uint32 + cmovznzU32(&x223, x203, x186, x170) + var x224 uint32 + cmovznzU32(&x224, x203, x188, x172) + var x225 uint32 + cmovznzU32(&x225, x203, x190, x174) + var x226 uint32 + cmovznzU32(&x226, x203, x192, x176) + var x227 uint32 + cmovznzU32(&x227, x203, x194, x178) + var x228 uint32 + cmovznzU32(&x228, x203, x196, x180) + var x229 uint32 + cmovznzU32(&x229, x203, x198, x182) + var x230 uint32 + cmovznzU32(&x230, x203, x200, x184) + *out1 = x204 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out2[5] = x12 + out2[6] = x13 + out2[7] = x14 + out2[8] = x15 + out3[0] = x206 + out3[1] = x207 + out3[2] = x208 + out3[3] = x209 + out3[4] = x210 + out3[5] = x211 + out3[6] = x212 + out3[7] = x213 + out3[8] = x214 + out4[0] = x215 + out4[1] = x216 + out4[2] = x217 + out4[3] = x218 + out4[4] = x219 + out4[5] = x220 + out4[6] = x221 + out4[7] = x222 + out5[0] = x223 + out5[1] = x224 + out5[2] = x225 + out5[3] = x226 + out5[4] = x227 + out5[5] = x228 + out5[6] = x229 + out5[7] = x230 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
+// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func DivstepPrecomp(out1 *[8]uint32) { - out1[0] = 0xb8000000 - out1[1] = 0x67ffffff - out1[2] = 0x38000000 - out1[3] = 0xc0000000 - out1[4] = 0x7fffffff - out1[5] = 0xd8000000 - out1[6] = 0xffffffff - out1[7] = 0x2fffffff + out1[0] = 0xb8000000 + out1[1] = 0x67ffffff + out1[2] = 0x38000000 + out1[3] = 0xc0000000 + out1[4] = 0x7fffffff + out1[5] = 0xd8000000 + out1[6] = 0xffffffff + out1[7] = 0x2fffffff } - diff --git a/fiat-go/32/p384/p384.go b/fiat-go/32/p384/p384.go index 2144d7c9b4b..6f79b83baa7 100644 --- a/fiat-go/32/p384/p384.go +++ b/fiat-go/32/p384/p384.go 
@@ -1,9741 +1,9704 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p384 '' 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): p384 - - machine_wordsize = 32 (from "32") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in - - if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name p384 '' 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): p384 +// +// machine_wordsize = 32 (from "32") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. 
+// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in +// +// if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 package p384 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU32 is a thin wrapper around bits.Add32 that uses uint1 rather than uint32 */ +// addcarryxU32 is a thin wrapper around bits.Add32 that uses uint1 rather than uint32 func addcarryxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Add32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add32(x, y, uint32(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 
rather than uint32 */ +// subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 rather than uint32 func subborrowxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Sub32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub32(x, y, uint32(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU32 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffff] - arg3: [0x0 ~> 0xffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// cmovznzU32 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffff] +// arg3: [0x0 ~> 0xffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func cmovznzU32(out1 *uint32, arg1 uint1, arg2 uint32, arg3 uint32) { - var x1 uint32 = (uint32(arg1) * 0xffffffff) - var x2 uint32 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint32(arg1) * 0xffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Mul(out1 *[12]uint32, arg1 *[12]uint32, arg2 *[12]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[8]) - var x9 uint32 = (arg1[9]) - var x10 uint32 = (arg1[10]) - var x11 uint32 = (arg1[11]) - var x12 uint32 = (arg1[0]) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x12, (arg2[11])) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x12, (arg2[10])) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x12, (arg2[9])) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x12, (arg2[8])) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x12, (arg2[7])) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x12, (arg2[6])) - var x25 uint32 - var x26 uint32 - x26, x25 = bits.Mul32(x12, (arg2[5])) - var x27 uint32 - var x28 
uint32 - x28, x27 = bits.Mul32(x12, (arg2[4])) - var x29 uint32 - var x30 uint32 - x30, x29 = bits.Mul32(x12, (arg2[3])) - var x31 uint32 - var x32 uint32 - x32, x31 = bits.Mul32(x12, (arg2[2])) - var x33 uint32 - var x34 uint32 - x34, x33 = bits.Mul32(x12, (arg2[1])) - var x35 uint32 - var x36 uint32 - x36, x35 = bits.Mul32(x12, (arg2[0])) - var x37 uint32 - var x38 uint1 - x37, x38 = addcarryxU32(x36, x33, 0x0) - var x39 uint32 - var x40 uint1 - x39, x40 = addcarryxU32(x34, x31, x38) - var x41 uint32 - var x42 uint1 - x41, x42 = addcarryxU32(x32, x29, x40) - var x43 uint32 - var x44 uint1 - x43, x44 = addcarryxU32(x30, x27, x42) - var x45 uint32 - var x46 uint1 - x45, x46 = addcarryxU32(x28, x25, x44) - var x47 uint32 - var x48 uint1 - x47, x48 = addcarryxU32(x26, x23, x46) - var x49 uint32 - var x50 uint1 - x49, x50 = addcarryxU32(x24, x21, x48) - var x51 uint32 - var x52 uint1 - x51, x52 = addcarryxU32(x22, x19, x50) - var x53 uint32 - var x54 uint1 - x53, x54 = addcarryxU32(x20, x17, x52) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x18, x15, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x16, x13, x56) - var x59 uint32 = (uint32(x58) + x14) - var x60 uint32 - var x61 uint32 - x61, x60 = bits.Mul32(x35, 0xffffffff) - var x62 uint32 - var x63 uint32 - x63, x62 = bits.Mul32(x35, 0xffffffff) - var x64 uint32 - var x65 uint32 - x65, x64 = bits.Mul32(x35, 0xffffffff) - var x66 uint32 - var x67 uint32 - x67, x66 = bits.Mul32(x35, 0xffffffff) - var x68 uint32 - var x69 uint32 - x69, x68 = bits.Mul32(x35, 0xffffffff) - var x70 uint32 - var x71 uint32 - x71, x70 = bits.Mul32(x35, 0xffffffff) - var x72 uint32 - var x73 uint32 - x73, x72 = bits.Mul32(x35, 0xffffffff) - var x74 uint32 - var x75 uint32 - x75, x74 = bits.Mul32(x35, 0xfffffffe) - var x76 uint32 - var x77 uint32 - x77, x76 = bits.Mul32(x35, 0xffffffff) - var x78 uint32 - var x79 uint32 - x79, x78 = bits.Mul32(x35, 0xffffffff) - var x80 uint32 - var x81 uint1 - x80, x81 = 
addcarryxU32(x77, x74, 0x0) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x75, x72, x81) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32(x73, x70, x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x71, x68, x85) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x69, x66, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x67, x64, x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x65, x62, x91) - var x94 uint32 - var x95 uint1 - x94, x95 = addcarryxU32(x63, x60, x93) - var x96 uint32 = (uint32(x95) + x61) - var x98 uint1 - _, x98 = addcarryxU32(x35, x78, 0x0) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x37, x79, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = addcarryxU32(x39, uint32(0x0), x100) - var x103 uint32 - var x104 uint1 - x103, x104 = addcarryxU32(x41, x76, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = addcarryxU32(x43, x80, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = addcarryxU32(x45, x82, x106) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(x47, x84, x108) - var x111 uint32 - var x112 uint1 - x111, x112 = addcarryxU32(x49, x86, x110) - var x113 uint32 - var x114 uint1 - x113, x114 = addcarryxU32(x51, x88, x112) - var x115 uint32 - var x116 uint1 - x115, x116 = addcarryxU32(x53, x90, x114) - var x117 uint32 - var x118 uint1 - x117, x118 = addcarryxU32(x55, x92, x116) - var x119 uint32 - var x120 uint1 - x119, x120 = addcarryxU32(x57, x94, x118) - var x121 uint32 - var x122 uint1 - x121, x122 = addcarryxU32(x59, x96, x120) - var x123 uint32 - var x124 uint32 - x124, x123 = bits.Mul32(x1, (arg2[11])) - var x125 uint32 - var x126 uint32 - x126, x125 = bits.Mul32(x1, (arg2[10])) - var x127 uint32 - var x128 uint32 - x128, x127 = bits.Mul32(x1, (arg2[9])) - var x129 uint32 - var x130 uint32 - x130, x129 = bits.Mul32(x1, (arg2[8])) - var x131 uint32 - var x132 uint32 - x132, x131 = bits.Mul32(x1, (arg2[7])) - var x133 uint32 - 
var x134 uint32 - x134, x133 = bits.Mul32(x1, (arg2[6])) - var x135 uint32 - var x136 uint32 - x136, x135 = bits.Mul32(x1, (arg2[5])) - var x137 uint32 - var x138 uint32 - x138, x137 = bits.Mul32(x1, (arg2[4])) - var x139 uint32 - var x140 uint32 - x140, x139 = bits.Mul32(x1, (arg2[3])) - var x141 uint32 - var x142 uint32 - x142, x141 = bits.Mul32(x1, (arg2[2])) - var x143 uint32 - var x144 uint32 - x144, x143 = bits.Mul32(x1, (arg2[1])) - var x145 uint32 - var x146 uint32 - x146, x145 = bits.Mul32(x1, (arg2[0])) - var x147 uint32 - var x148 uint1 - x147, x148 = addcarryxU32(x146, x143, 0x0) - var x149 uint32 - var x150 uint1 - x149, x150 = addcarryxU32(x144, x141, x148) - var x151 uint32 - var x152 uint1 - x151, x152 = addcarryxU32(x142, x139, x150) - var x153 uint32 - var x154 uint1 - x153, x154 = addcarryxU32(x140, x137, x152) - var x155 uint32 - var x156 uint1 - x155, x156 = addcarryxU32(x138, x135, x154) - var x157 uint32 - var x158 uint1 - x157, x158 = addcarryxU32(x136, x133, x156) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x134, x131, x158) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x132, x129, x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x130, x127, x162) - var x165 uint32 - var x166 uint1 - x165, x166 = addcarryxU32(x128, x125, x164) - var x167 uint32 - var x168 uint1 - x167, x168 = addcarryxU32(x126, x123, x166) - var x169 uint32 = (uint32(x168) + x124) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x99, x145, 0x0) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x101, x147, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x103, x149, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x105, x151, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x107, x153, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x109, x155, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = 
addcarryxU32(x111, x157, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x113, x159, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x115, x161, x185) - var x188 uint32 - var x189 uint1 - x188, x189 = addcarryxU32(x117, x163, x187) - var x190 uint32 - var x191 uint1 - x190, x191 = addcarryxU32(x119, x165, x189) - var x192 uint32 - var x193 uint1 - x192, x193 = addcarryxU32(x121, x167, x191) - var x194 uint32 - var x195 uint1 - x194, x195 = addcarryxU32(uint32(x122), x169, x193) - var x196 uint32 - var x197 uint32 - x197, x196 = bits.Mul32(x170, 0xffffffff) - var x198 uint32 - var x199 uint32 - x199, x198 = bits.Mul32(x170, 0xffffffff) - var x200 uint32 - var x201 uint32 - x201, x200 = bits.Mul32(x170, 0xffffffff) - var x202 uint32 - var x203 uint32 - x203, x202 = bits.Mul32(x170, 0xffffffff) - var x204 uint32 - var x205 uint32 - x205, x204 = bits.Mul32(x170, 0xffffffff) - var x206 uint32 - var x207 uint32 - x207, x206 = bits.Mul32(x170, 0xffffffff) - var x208 uint32 - var x209 uint32 - x209, x208 = bits.Mul32(x170, 0xffffffff) - var x210 uint32 - var x211 uint32 - x211, x210 = bits.Mul32(x170, 0xfffffffe) - var x212 uint32 - var x213 uint32 - x213, x212 = bits.Mul32(x170, 0xffffffff) - var x214 uint32 - var x215 uint32 - x215, x214 = bits.Mul32(x170, 0xffffffff) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x213, x210, 0x0) - var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x211, x208, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x209, x206, x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32(x207, x204, x221) - var x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x205, x202, x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x203, x200, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x201, x198, x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x199, x196, x229) - var x232 uint32 = 
(uint32(x231) + x197) - var x234 uint1 - _, x234 = addcarryxU32(x170, x214, 0x0) - var x235 uint32 - var x236 uint1 - x235, x236 = addcarryxU32(x172, x215, x234) - var x237 uint32 - var x238 uint1 - x237, x238 = addcarryxU32(x174, uint32(0x0), x236) - var x239 uint32 - var x240 uint1 - x239, x240 = addcarryxU32(x176, x212, x238) - var x241 uint32 - var x242 uint1 - x241, x242 = addcarryxU32(x178, x216, x240) - var x243 uint32 - var x244 uint1 - x243, x244 = addcarryxU32(x180, x218, x242) - var x245 uint32 - var x246 uint1 - x245, x246 = addcarryxU32(x182, x220, x244) - var x247 uint32 - var x248 uint1 - x247, x248 = addcarryxU32(x184, x222, x246) - var x249 uint32 - var x250 uint1 - x249, x250 = addcarryxU32(x186, x224, x248) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x188, x226, x250) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x190, x228, x252) - var x255 uint32 - var x256 uint1 - x255, x256 = addcarryxU32(x192, x230, x254) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x194, x232, x256) - var x259 uint32 = (uint32(x258) + uint32(x195)) - var x260 uint32 - var x261 uint32 - x261, x260 = bits.Mul32(x2, (arg2[11])) - var x262 uint32 - var x263 uint32 - x263, x262 = bits.Mul32(x2, (arg2[10])) - var x264 uint32 - var x265 uint32 - x265, x264 = bits.Mul32(x2, (arg2[9])) - var x266 uint32 - var x267 uint32 - x267, x266 = bits.Mul32(x2, (arg2[8])) - var x268 uint32 - var x269 uint32 - x269, x268 = bits.Mul32(x2, (arg2[7])) - var x270 uint32 - var x271 uint32 - x271, x270 = bits.Mul32(x2, (arg2[6])) - var x272 uint32 - var x273 uint32 - x273, x272 = bits.Mul32(x2, (arg2[5])) - var x274 uint32 - var x275 uint32 - x275, x274 = bits.Mul32(x2, (arg2[4])) - var x276 uint32 - var x277 uint32 - x277, x276 = bits.Mul32(x2, (arg2[3])) - var x278 uint32 - var x279 uint32 - x279, x278 = bits.Mul32(x2, (arg2[2])) - var x280 uint32 - var x281 uint32 - x281, x280 = bits.Mul32(x2, (arg2[1])) - var x282 uint32 - var x283 uint32 - 
x283, x282 = bits.Mul32(x2, (arg2[0])) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x283, x280, 0x0) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x281, x278, x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x279, x276, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x277, x274, x289) - var x292 uint32 - var x293 uint1 - x292, x293 = addcarryxU32(x275, x272, x291) - var x294 uint32 - var x295 uint1 - x294, x295 = addcarryxU32(x273, x270, x293) - var x296 uint32 - var x297 uint1 - x296, x297 = addcarryxU32(x271, x268, x295) - var x298 uint32 - var x299 uint1 - x298, x299 = addcarryxU32(x269, x266, x297) - var x300 uint32 - var x301 uint1 - x300, x301 = addcarryxU32(x267, x264, x299) - var x302 uint32 - var x303 uint1 - x302, x303 = addcarryxU32(x265, x262, x301) - var x304 uint32 - var x305 uint1 - x304, x305 = addcarryxU32(x263, x260, x303) - var x306 uint32 = (uint32(x305) + x261) - var x307 uint32 - var x308 uint1 - x307, x308 = addcarryxU32(x235, x282, 0x0) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x237, x284, x308) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x239, x286, x310) - var x313 uint32 - var x314 uint1 - x313, x314 = addcarryxU32(x241, x288, x312) - var x315 uint32 - var x316 uint1 - x315, x316 = addcarryxU32(x243, x290, x314) - var x317 uint32 - var x318 uint1 - x317, x318 = addcarryxU32(x245, x292, x316) - var x319 uint32 - var x320 uint1 - x319, x320 = addcarryxU32(x247, x294, x318) - var x321 uint32 - var x322 uint1 - x321, x322 = addcarryxU32(x249, x296, x320) - var x323 uint32 - var x324 uint1 - x323, x324 = addcarryxU32(x251, x298, x322) - var x325 uint32 - var x326 uint1 - x325, x326 = addcarryxU32(x253, x300, x324) - var x327 uint32 - var x328 uint1 - x327, x328 = addcarryxU32(x255, x302, x326) - var x329 uint32 - var x330 uint1 - x329, x330 = addcarryxU32(x257, x304, x328) - var x331 uint32 - var x332 uint1 - x331, x332 = 
addcarryxU32(x259, x306, x330) - var x333 uint32 - var x334 uint32 - x334, x333 = bits.Mul32(x307, 0xffffffff) - var x335 uint32 - var x336 uint32 - x336, x335 = bits.Mul32(x307, 0xffffffff) - var x337 uint32 - var x338 uint32 - x338, x337 = bits.Mul32(x307, 0xffffffff) - var x339 uint32 - var x340 uint32 - x340, x339 = bits.Mul32(x307, 0xffffffff) - var x341 uint32 - var x342 uint32 - x342, x341 = bits.Mul32(x307, 0xffffffff) - var x343 uint32 - var x344 uint32 - x344, x343 = bits.Mul32(x307, 0xffffffff) - var x345 uint32 - var x346 uint32 - x346, x345 = bits.Mul32(x307, 0xffffffff) - var x347 uint32 - var x348 uint32 - x348, x347 = bits.Mul32(x307, 0xfffffffe) - var x349 uint32 - var x350 uint32 - x350, x349 = bits.Mul32(x307, 0xffffffff) - var x351 uint32 - var x352 uint32 - x352, x351 = bits.Mul32(x307, 0xffffffff) - var x353 uint32 - var x354 uint1 - x353, x354 = addcarryxU32(x350, x347, 0x0) - var x355 uint32 - var x356 uint1 - x355, x356 = addcarryxU32(x348, x345, x354) - var x357 uint32 - var x358 uint1 - x357, x358 = addcarryxU32(x346, x343, x356) - var x359 uint32 - var x360 uint1 - x359, x360 = addcarryxU32(x344, x341, x358) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x342, x339, x360) - var x363 uint32 - var x364 uint1 - x363, x364 = addcarryxU32(x340, x337, x362) - var x365 uint32 - var x366 uint1 - x365, x366 = addcarryxU32(x338, x335, x364) - var x367 uint32 - var x368 uint1 - x367, x368 = addcarryxU32(x336, x333, x366) - var x369 uint32 = (uint32(x368) + x334) - var x371 uint1 - _, x371 = addcarryxU32(x307, x351, 0x0) - var x372 uint32 - var x373 uint1 - x372, x373 = addcarryxU32(x309, x352, x371) - var x374 uint32 - var x375 uint1 - x374, x375 = addcarryxU32(x311, uint32(0x0), x373) - var x376 uint32 - var x377 uint1 - x376, x377 = addcarryxU32(x313, x349, x375) - var x378 uint32 - var x379 uint1 - x378, x379 = addcarryxU32(x315, x353, x377) - var x380 uint32 - var x381 uint1 - x380, x381 = addcarryxU32(x317, x355, x379) - var 
x382 uint32 - var x383 uint1 - x382, x383 = addcarryxU32(x319, x357, x381) - var x384 uint32 - var x385 uint1 - x384, x385 = addcarryxU32(x321, x359, x383) - var x386 uint32 - var x387 uint1 - x386, x387 = addcarryxU32(x323, x361, x385) - var x388 uint32 - var x389 uint1 - x388, x389 = addcarryxU32(x325, x363, x387) - var x390 uint32 - var x391 uint1 - x390, x391 = addcarryxU32(x327, x365, x389) - var x392 uint32 - var x393 uint1 - x392, x393 = addcarryxU32(x329, x367, x391) - var x394 uint32 - var x395 uint1 - x394, x395 = addcarryxU32(x331, x369, x393) - var x396 uint32 = (uint32(x395) + uint32(x332)) - var x397 uint32 - var x398 uint32 - x398, x397 = bits.Mul32(x3, (arg2[11])) - var x399 uint32 - var x400 uint32 - x400, x399 = bits.Mul32(x3, (arg2[10])) - var x401 uint32 - var x402 uint32 - x402, x401 = bits.Mul32(x3, (arg2[9])) - var x403 uint32 - var x404 uint32 - x404, x403 = bits.Mul32(x3, (arg2[8])) - var x405 uint32 - var x406 uint32 - x406, x405 = bits.Mul32(x3, (arg2[7])) - var x407 uint32 - var x408 uint32 - x408, x407 = bits.Mul32(x3, (arg2[6])) - var x409 uint32 - var x410 uint32 - x410, x409 = bits.Mul32(x3, (arg2[5])) - var x411 uint32 - var x412 uint32 - x412, x411 = bits.Mul32(x3, (arg2[4])) - var x413 uint32 - var x414 uint32 - x414, x413 = bits.Mul32(x3, (arg2[3])) - var x415 uint32 - var x416 uint32 - x416, x415 = bits.Mul32(x3, (arg2[2])) - var x417 uint32 - var x418 uint32 - x418, x417 = bits.Mul32(x3, (arg2[1])) - var x419 uint32 - var x420 uint32 - x420, x419 = bits.Mul32(x3, (arg2[0])) - var x421 uint32 - var x422 uint1 - x421, x422 = addcarryxU32(x420, x417, 0x0) - var x423 uint32 - var x424 uint1 - x423, x424 = addcarryxU32(x418, x415, x422) - var x425 uint32 - var x426 uint1 - x425, x426 = addcarryxU32(x416, x413, x424) - var x427 uint32 - var x428 uint1 - x427, x428 = addcarryxU32(x414, x411, x426) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x412, x409, x428) - var x431 uint32 - var x432 uint1 - x431, x432 = 
addcarryxU32(x410, x407, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x408, x405, x432) - var x435 uint32 - var x436 uint1 - x435, x436 = addcarryxU32(x406, x403, x434) - var x437 uint32 - var x438 uint1 - x437, x438 = addcarryxU32(x404, x401, x436) - var x439 uint32 - var x440 uint1 - x439, x440 = addcarryxU32(x402, x399, x438) - var x441 uint32 - var x442 uint1 - x441, x442 = addcarryxU32(x400, x397, x440) - var x443 uint32 = (uint32(x442) + x398) - var x444 uint32 - var x445 uint1 - x444, x445 = addcarryxU32(x372, x419, 0x0) - var x446 uint32 - var x447 uint1 - x446, x447 = addcarryxU32(x374, x421, x445) - var x448 uint32 - var x449 uint1 - x448, x449 = addcarryxU32(x376, x423, x447) - var x450 uint32 - var x451 uint1 - x450, x451 = addcarryxU32(x378, x425, x449) - var x452 uint32 - var x453 uint1 - x452, x453 = addcarryxU32(x380, x427, x451) - var x454 uint32 - var x455 uint1 - x454, x455 = addcarryxU32(x382, x429, x453) - var x456 uint32 - var x457 uint1 - x456, x457 = addcarryxU32(x384, x431, x455) - var x458 uint32 - var x459 uint1 - x458, x459 = addcarryxU32(x386, x433, x457) - var x460 uint32 - var x461 uint1 - x460, x461 = addcarryxU32(x388, x435, x459) - var x462 uint32 - var x463 uint1 - x462, x463 = addcarryxU32(x390, x437, x461) - var x464 uint32 - var x465 uint1 - x464, x465 = addcarryxU32(x392, x439, x463) - var x466 uint32 - var x467 uint1 - x466, x467 = addcarryxU32(x394, x441, x465) - var x468 uint32 - var x469 uint1 - x468, x469 = addcarryxU32(x396, x443, x467) - var x470 uint32 - var x471 uint32 - x471, x470 = bits.Mul32(x444, 0xffffffff) - var x472 uint32 - var x473 uint32 - x473, x472 = bits.Mul32(x444, 0xffffffff) - var x474 uint32 - var x475 uint32 - x475, x474 = bits.Mul32(x444, 0xffffffff) - var x476 uint32 - var x477 uint32 - x477, x476 = bits.Mul32(x444, 0xffffffff) - var x478 uint32 - var x479 uint32 - x479, x478 = bits.Mul32(x444, 0xffffffff) - var x480 uint32 - var x481 uint32 - x481, x480 = bits.Mul32(x444, 
0xffffffff) - var x482 uint32 - var x483 uint32 - x483, x482 = bits.Mul32(x444, 0xffffffff) - var x484 uint32 - var x485 uint32 - x485, x484 = bits.Mul32(x444, 0xfffffffe) - var x486 uint32 - var x487 uint32 - x487, x486 = bits.Mul32(x444, 0xffffffff) - var x488 uint32 - var x489 uint32 - x489, x488 = bits.Mul32(x444, 0xffffffff) - var x490 uint32 - var x491 uint1 - x490, x491 = addcarryxU32(x487, x484, 0x0) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x485, x482, x491) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x483, x480, x493) - var x496 uint32 - var x497 uint1 - x496, x497 = addcarryxU32(x481, x478, x495) - var x498 uint32 - var x499 uint1 - x498, x499 = addcarryxU32(x479, x476, x497) - var x500 uint32 - var x501 uint1 - x500, x501 = addcarryxU32(x477, x474, x499) - var x502 uint32 - var x503 uint1 - x502, x503 = addcarryxU32(x475, x472, x501) - var x504 uint32 - var x505 uint1 - x504, x505 = addcarryxU32(x473, x470, x503) - var x506 uint32 = (uint32(x505) + x471) - var x508 uint1 - _, x508 = addcarryxU32(x444, x488, 0x0) - var x509 uint32 - var x510 uint1 - x509, x510 = addcarryxU32(x446, x489, x508) - var x511 uint32 - var x512 uint1 - x511, x512 = addcarryxU32(x448, uint32(0x0), x510) - var x513 uint32 - var x514 uint1 - x513, x514 = addcarryxU32(x450, x486, x512) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x452, x490, x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x454, x492, x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x456, x494, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x458, x496, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x460, x498, x522) - var x525 uint32 - var x526 uint1 - x525, x526 = addcarryxU32(x462, x500, x524) - var x527 uint32 - var x528 uint1 - x527, x528 = addcarryxU32(x464, x502, x526) - var x529 uint32 - var x530 uint1 - x529, x530 = addcarryxU32(x466, x504, x528) - var x531 uint32 - 
var x532 uint1 - x531, x532 = addcarryxU32(x468, x506, x530) - var x533 uint32 = (uint32(x532) + uint32(x469)) - var x534 uint32 - var x535 uint32 - x535, x534 = bits.Mul32(x4, (arg2[11])) - var x536 uint32 - var x537 uint32 - x537, x536 = bits.Mul32(x4, (arg2[10])) - var x538 uint32 - var x539 uint32 - x539, x538 = bits.Mul32(x4, (arg2[9])) - var x540 uint32 - var x541 uint32 - x541, x540 = bits.Mul32(x4, (arg2[8])) - var x542 uint32 - var x543 uint32 - x543, x542 = bits.Mul32(x4, (arg2[7])) - var x544 uint32 - var x545 uint32 - x545, x544 = bits.Mul32(x4, (arg2[6])) - var x546 uint32 - var x547 uint32 - x547, x546 = bits.Mul32(x4, (arg2[5])) - var x548 uint32 - var x549 uint32 - x549, x548 = bits.Mul32(x4, (arg2[4])) - var x550 uint32 - var x551 uint32 - x551, x550 = bits.Mul32(x4, (arg2[3])) - var x552 uint32 - var x553 uint32 - x553, x552 = bits.Mul32(x4, (arg2[2])) - var x554 uint32 - var x555 uint32 - x555, x554 = bits.Mul32(x4, (arg2[1])) - var x556 uint32 - var x557 uint32 - x557, x556 = bits.Mul32(x4, (arg2[0])) - var x558 uint32 - var x559 uint1 - x558, x559 = addcarryxU32(x557, x554, 0x0) - var x560 uint32 - var x561 uint1 - x560, x561 = addcarryxU32(x555, x552, x559) - var x562 uint32 - var x563 uint1 - x562, x563 = addcarryxU32(x553, x550, x561) - var x564 uint32 - var x565 uint1 - x564, x565 = addcarryxU32(x551, x548, x563) - var x566 uint32 - var x567 uint1 - x566, x567 = addcarryxU32(x549, x546, x565) - var x568 uint32 - var x569 uint1 - x568, x569 = addcarryxU32(x547, x544, x567) - var x570 uint32 - var x571 uint1 - x570, x571 = addcarryxU32(x545, x542, x569) - var x572 uint32 - var x573 uint1 - x572, x573 = addcarryxU32(x543, x540, x571) - var x574 uint32 - var x575 uint1 - x574, x575 = addcarryxU32(x541, x538, x573) - var x576 uint32 - var x577 uint1 - x576, x577 = addcarryxU32(x539, x536, x575) - var x578 uint32 - var x579 uint1 - x578, x579 = addcarryxU32(x537, x534, x577) - var x580 uint32 = (uint32(x579) + x535) - var x581 uint32 - var x582 
uint1 - x581, x582 = addcarryxU32(x509, x556, 0x0) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32(x511, x558, x582) - var x585 uint32 - var x586 uint1 - x585, x586 = addcarryxU32(x513, x560, x584) - var x587 uint32 - var x588 uint1 - x587, x588 = addcarryxU32(x515, x562, x586) - var x589 uint32 - var x590 uint1 - x589, x590 = addcarryxU32(x517, x564, x588) - var x591 uint32 - var x592 uint1 - x591, x592 = addcarryxU32(x519, x566, x590) - var x593 uint32 - var x594 uint1 - x593, x594 = addcarryxU32(x521, x568, x592) - var x595 uint32 - var x596 uint1 - x595, x596 = addcarryxU32(x523, x570, x594) - var x597 uint32 - var x598 uint1 - x597, x598 = addcarryxU32(x525, x572, x596) - var x599 uint32 - var x600 uint1 - x599, x600 = addcarryxU32(x527, x574, x598) - var x601 uint32 - var x602 uint1 - x601, x602 = addcarryxU32(x529, x576, x600) - var x603 uint32 - var x604 uint1 - x603, x604 = addcarryxU32(x531, x578, x602) - var x605 uint32 - var x606 uint1 - x605, x606 = addcarryxU32(x533, x580, x604) - var x607 uint32 - var x608 uint32 - x608, x607 = bits.Mul32(x581, 0xffffffff) - var x609 uint32 - var x610 uint32 - x610, x609 = bits.Mul32(x581, 0xffffffff) - var x611 uint32 - var x612 uint32 - x612, x611 = bits.Mul32(x581, 0xffffffff) - var x613 uint32 - var x614 uint32 - x614, x613 = bits.Mul32(x581, 0xffffffff) - var x615 uint32 - var x616 uint32 - x616, x615 = bits.Mul32(x581, 0xffffffff) - var x617 uint32 - var x618 uint32 - x618, x617 = bits.Mul32(x581, 0xffffffff) - var x619 uint32 - var x620 uint32 - x620, x619 = bits.Mul32(x581, 0xffffffff) - var x621 uint32 - var x622 uint32 - x622, x621 = bits.Mul32(x581, 0xfffffffe) - var x623 uint32 - var x624 uint32 - x624, x623 = bits.Mul32(x581, 0xffffffff) - var x625 uint32 - var x626 uint32 - x626, x625 = bits.Mul32(x581, 0xffffffff) - var x627 uint32 - var x628 uint1 - x627, x628 = addcarryxU32(x624, x621, 0x0) - var x629 uint32 - var x630 uint1 - x629, x630 = addcarryxU32(x622, x619, x628) - var x631 
uint32 - var x632 uint1 - x631, x632 = addcarryxU32(x620, x617, x630) - var x633 uint32 - var x634 uint1 - x633, x634 = addcarryxU32(x618, x615, x632) - var x635 uint32 - var x636 uint1 - x635, x636 = addcarryxU32(x616, x613, x634) - var x637 uint32 - var x638 uint1 - x637, x638 = addcarryxU32(x614, x611, x636) - var x639 uint32 - var x640 uint1 - x639, x640 = addcarryxU32(x612, x609, x638) - var x641 uint32 - var x642 uint1 - x641, x642 = addcarryxU32(x610, x607, x640) - var x643 uint32 = (uint32(x642) + x608) - var x645 uint1 - _, x645 = addcarryxU32(x581, x625, 0x0) - var x646 uint32 - var x647 uint1 - x646, x647 = addcarryxU32(x583, x626, x645) - var x648 uint32 - var x649 uint1 - x648, x649 = addcarryxU32(x585, uint32(0x0), x647) - var x650 uint32 - var x651 uint1 - x650, x651 = addcarryxU32(x587, x623, x649) - var x652 uint32 - var x653 uint1 - x652, x653 = addcarryxU32(x589, x627, x651) - var x654 uint32 - var x655 uint1 - x654, x655 = addcarryxU32(x591, x629, x653) - var x656 uint32 - var x657 uint1 - x656, x657 = addcarryxU32(x593, x631, x655) - var x658 uint32 - var x659 uint1 - x658, x659 = addcarryxU32(x595, x633, x657) - var x660 uint32 - var x661 uint1 - x660, x661 = addcarryxU32(x597, x635, x659) - var x662 uint32 - var x663 uint1 - x662, x663 = addcarryxU32(x599, x637, x661) - var x664 uint32 - var x665 uint1 - x664, x665 = addcarryxU32(x601, x639, x663) - var x666 uint32 - var x667 uint1 - x666, x667 = addcarryxU32(x603, x641, x665) - var x668 uint32 - var x669 uint1 - x668, x669 = addcarryxU32(x605, x643, x667) - var x670 uint32 = (uint32(x669) + uint32(x606)) - var x671 uint32 - var x672 uint32 - x672, x671 = bits.Mul32(x5, (arg2[11])) - var x673 uint32 - var x674 uint32 - x674, x673 = bits.Mul32(x5, (arg2[10])) - var x675 uint32 - var x676 uint32 - x676, x675 = bits.Mul32(x5, (arg2[9])) - var x677 uint32 - var x678 uint32 - x678, x677 = bits.Mul32(x5, (arg2[8])) - var x679 uint32 - var x680 uint32 - x680, x679 = bits.Mul32(x5, (arg2[7])) - var 
x681 uint32 - var x682 uint32 - x682, x681 = bits.Mul32(x5, (arg2[6])) - var x683 uint32 - var x684 uint32 - x684, x683 = bits.Mul32(x5, (arg2[5])) - var x685 uint32 - var x686 uint32 - x686, x685 = bits.Mul32(x5, (arg2[4])) - var x687 uint32 - var x688 uint32 - x688, x687 = bits.Mul32(x5, (arg2[3])) - var x689 uint32 - var x690 uint32 - x690, x689 = bits.Mul32(x5, (arg2[2])) - var x691 uint32 - var x692 uint32 - x692, x691 = bits.Mul32(x5, (arg2[1])) - var x693 uint32 - var x694 uint32 - x694, x693 = bits.Mul32(x5, (arg2[0])) - var x695 uint32 - var x696 uint1 - x695, x696 = addcarryxU32(x694, x691, 0x0) - var x697 uint32 - var x698 uint1 - x697, x698 = addcarryxU32(x692, x689, x696) - var x699 uint32 - var x700 uint1 - x699, x700 = addcarryxU32(x690, x687, x698) - var x701 uint32 - var x702 uint1 - x701, x702 = addcarryxU32(x688, x685, x700) - var x703 uint32 - var x704 uint1 - x703, x704 = addcarryxU32(x686, x683, x702) - var x705 uint32 - var x706 uint1 - x705, x706 = addcarryxU32(x684, x681, x704) - var x707 uint32 - var x708 uint1 - x707, x708 = addcarryxU32(x682, x679, x706) - var x709 uint32 - var x710 uint1 - x709, x710 = addcarryxU32(x680, x677, x708) - var x711 uint32 - var x712 uint1 - x711, x712 = addcarryxU32(x678, x675, x710) - var x713 uint32 - var x714 uint1 - x713, x714 = addcarryxU32(x676, x673, x712) - var x715 uint32 - var x716 uint1 - x715, x716 = addcarryxU32(x674, x671, x714) - var x717 uint32 = (uint32(x716) + x672) - var x718 uint32 - var x719 uint1 - x718, x719 = addcarryxU32(x646, x693, 0x0) - var x720 uint32 - var x721 uint1 - x720, x721 = addcarryxU32(x648, x695, x719) - var x722 uint32 - var x723 uint1 - x722, x723 = addcarryxU32(x650, x697, x721) - var x724 uint32 - var x725 uint1 - x724, x725 = addcarryxU32(x652, x699, x723) - var x726 uint32 - var x727 uint1 - x726, x727 = addcarryxU32(x654, x701, x725) - var x728 uint32 - var x729 uint1 - x728, x729 = addcarryxU32(x656, x703, x727) - var x730 uint32 - var x731 uint1 - x730, x731 = 
addcarryxU32(x658, x705, x729) - var x732 uint32 - var x733 uint1 - x732, x733 = addcarryxU32(x660, x707, x731) - var x734 uint32 - var x735 uint1 - x734, x735 = addcarryxU32(x662, x709, x733) - var x736 uint32 - var x737 uint1 - x736, x737 = addcarryxU32(x664, x711, x735) - var x738 uint32 - var x739 uint1 - x738, x739 = addcarryxU32(x666, x713, x737) - var x740 uint32 - var x741 uint1 - x740, x741 = addcarryxU32(x668, x715, x739) - var x742 uint32 - var x743 uint1 - x742, x743 = addcarryxU32(x670, x717, x741) - var x744 uint32 - var x745 uint32 - x745, x744 = bits.Mul32(x718, 0xffffffff) - var x746 uint32 - var x747 uint32 - x747, x746 = bits.Mul32(x718, 0xffffffff) - var x748 uint32 - var x749 uint32 - x749, x748 = bits.Mul32(x718, 0xffffffff) - var x750 uint32 - var x751 uint32 - x751, x750 = bits.Mul32(x718, 0xffffffff) - var x752 uint32 - var x753 uint32 - x753, x752 = bits.Mul32(x718, 0xffffffff) - var x754 uint32 - var x755 uint32 - x755, x754 = bits.Mul32(x718, 0xffffffff) - var x756 uint32 - var x757 uint32 - x757, x756 = bits.Mul32(x718, 0xffffffff) - var x758 uint32 - var x759 uint32 - x759, x758 = bits.Mul32(x718, 0xfffffffe) - var x760 uint32 - var x761 uint32 - x761, x760 = bits.Mul32(x718, 0xffffffff) - var x762 uint32 - var x763 uint32 - x763, x762 = bits.Mul32(x718, 0xffffffff) - var x764 uint32 - var x765 uint1 - x764, x765 = addcarryxU32(x761, x758, 0x0) - var x766 uint32 - var x767 uint1 - x766, x767 = addcarryxU32(x759, x756, x765) - var x768 uint32 - var x769 uint1 - x768, x769 = addcarryxU32(x757, x754, x767) - var x770 uint32 - var x771 uint1 - x770, x771 = addcarryxU32(x755, x752, x769) - var x772 uint32 - var x773 uint1 - x772, x773 = addcarryxU32(x753, x750, x771) - var x774 uint32 - var x775 uint1 - x774, x775 = addcarryxU32(x751, x748, x773) - var x776 uint32 - var x777 uint1 - x776, x777 = addcarryxU32(x749, x746, x775) - var x778 uint32 - var x779 uint1 - x778, x779 = addcarryxU32(x747, x744, x777) - var x780 uint32 = (uint32(x779) + 
x745) - var x782 uint1 - _, x782 = addcarryxU32(x718, x762, 0x0) - var x783 uint32 - var x784 uint1 - x783, x784 = addcarryxU32(x720, x763, x782) - var x785 uint32 - var x786 uint1 - x785, x786 = addcarryxU32(x722, uint32(0x0), x784) - var x787 uint32 - var x788 uint1 - x787, x788 = addcarryxU32(x724, x760, x786) - var x789 uint32 - var x790 uint1 - x789, x790 = addcarryxU32(x726, x764, x788) - var x791 uint32 - var x792 uint1 - x791, x792 = addcarryxU32(x728, x766, x790) - var x793 uint32 - var x794 uint1 - x793, x794 = addcarryxU32(x730, x768, x792) - var x795 uint32 - var x796 uint1 - x795, x796 = addcarryxU32(x732, x770, x794) - var x797 uint32 - var x798 uint1 - x797, x798 = addcarryxU32(x734, x772, x796) - var x799 uint32 - var x800 uint1 - x799, x800 = addcarryxU32(x736, x774, x798) - var x801 uint32 - var x802 uint1 - x801, x802 = addcarryxU32(x738, x776, x800) - var x803 uint32 - var x804 uint1 - x803, x804 = addcarryxU32(x740, x778, x802) - var x805 uint32 - var x806 uint1 - x805, x806 = addcarryxU32(x742, x780, x804) - var x807 uint32 = (uint32(x806) + uint32(x743)) - var x808 uint32 - var x809 uint32 - x809, x808 = bits.Mul32(x6, (arg2[11])) - var x810 uint32 - var x811 uint32 - x811, x810 = bits.Mul32(x6, (arg2[10])) - var x812 uint32 - var x813 uint32 - x813, x812 = bits.Mul32(x6, (arg2[9])) - var x814 uint32 - var x815 uint32 - x815, x814 = bits.Mul32(x6, (arg2[8])) - var x816 uint32 - var x817 uint32 - x817, x816 = bits.Mul32(x6, (arg2[7])) - var x818 uint32 - var x819 uint32 - x819, x818 = bits.Mul32(x6, (arg2[6])) - var x820 uint32 - var x821 uint32 - x821, x820 = bits.Mul32(x6, (arg2[5])) - var x822 uint32 - var x823 uint32 - x823, x822 = bits.Mul32(x6, (arg2[4])) - var x824 uint32 - var x825 uint32 - x825, x824 = bits.Mul32(x6, (arg2[3])) - var x826 uint32 - var x827 uint32 - x827, x826 = bits.Mul32(x6, (arg2[2])) - var x828 uint32 - var x829 uint32 - x829, x828 = bits.Mul32(x6, (arg2[1])) - var x830 uint32 - var x831 uint32 - x831, x830 = 
bits.Mul32(x6, (arg2[0])) - var x832 uint32 - var x833 uint1 - x832, x833 = addcarryxU32(x831, x828, 0x0) - var x834 uint32 - var x835 uint1 - x834, x835 = addcarryxU32(x829, x826, x833) - var x836 uint32 - var x837 uint1 - x836, x837 = addcarryxU32(x827, x824, x835) - var x838 uint32 - var x839 uint1 - x838, x839 = addcarryxU32(x825, x822, x837) - var x840 uint32 - var x841 uint1 - x840, x841 = addcarryxU32(x823, x820, x839) - var x842 uint32 - var x843 uint1 - x842, x843 = addcarryxU32(x821, x818, x841) - var x844 uint32 - var x845 uint1 - x844, x845 = addcarryxU32(x819, x816, x843) - var x846 uint32 - var x847 uint1 - x846, x847 = addcarryxU32(x817, x814, x845) - var x848 uint32 - var x849 uint1 - x848, x849 = addcarryxU32(x815, x812, x847) - var x850 uint32 - var x851 uint1 - x850, x851 = addcarryxU32(x813, x810, x849) - var x852 uint32 - var x853 uint1 - x852, x853 = addcarryxU32(x811, x808, x851) - var x854 uint32 = (uint32(x853) + x809) - var x855 uint32 - var x856 uint1 - x855, x856 = addcarryxU32(x783, x830, 0x0) - var x857 uint32 - var x858 uint1 - x857, x858 = addcarryxU32(x785, x832, x856) - var x859 uint32 - var x860 uint1 - x859, x860 = addcarryxU32(x787, x834, x858) - var x861 uint32 - var x862 uint1 - x861, x862 = addcarryxU32(x789, x836, x860) - var x863 uint32 - var x864 uint1 - x863, x864 = addcarryxU32(x791, x838, x862) - var x865 uint32 - var x866 uint1 - x865, x866 = addcarryxU32(x793, x840, x864) - var x867 uint32 - var x868 uint1 - x867, x868 = addcarryxU32(x795, x842, x866) - var x869 uint32 - var x870 uint1 - x869, x870 = addcarryxU32(x797, x844, x868) - var x871 uint32 - var x872 uint1 - x871, x872 = addcarryxU32(x799, x846, x870) - var x873 uint32 - var x874 uint1 - x873, x874 = addcarryxU32(x801, x848, x872) - var x875 uint32 - var x876 uint1 - x875, x876 = addcarryxU32(x803, x850, x874) - var x877 uint32 - var x878 uint1 - x877, x878 = addcarryxU32(x805, x852, x876) - var x879 uint32 - var x880 uint1 - x879, x880 = addcarryxU32(x807, 
x854, x878) - var x881 uint32 - var x882 uint32 - x882, x881 = bits.Mul32(x855, 0xffffffff) - var x883 uint32 - var x884 uint32 - x884, x883 = bits.Mul32(x855, 0xffffffff) - var x885 uint32 - var x886 uint32 - x886, x885 = bits.Mul32(x855, 0xffffffff) - var x887 uint32 - var x888 uint32 - x888, x887 = bits.Mul32(x855, 0xffffffff) - var x889 uint32 - var x890 uint32 - x890, x889 = bits.Mul32(x855, 0xffffffff) - var x891 uint32 - var x892 uint32 - x892, x891 = bits.Mul32(x855, 0xffffffff) - var x893 uint32 - var x894 uint32 - x894, x893 = bits.Mul32(x855, 0xffffffff) - var x895 uint32 - var x896 uint32 - x896, x895 = bits.Mul32(x855, 0xfffffffe) - var x897 uint32 - var x898 uint32 - x898, x897 = bits.Mul32(x855, 0xffffffff) - var x899 uint32 - var x900 uint32 - x900, x899 = bits.Mul32(x855, 0xffffffff) - var x901 uint32 - var x902 uint1 - x901, x902 = addcarryxU32(x898, x895, 0x0) - var x903 uint32 - var x904 uint1 - x903, x904 = addcarryxU32(x896, x893, x902) - var x905 uint32 - var x906 uint1 - x905, x906 = addcarryxU32(x894, x891, x904) - var x907 uint32 - var x908 uint1 - x907, x908 = addcarryxU32(x892, x889, x906) - var x909 uint32 - var x910 uint1 - x909, x910 = addcarryxU32(x890, x887, x908) - var x911 uint32 - var x912 uint1 - x911, x912 = addcarryxU32(x888, x885, x910) - var x913 uint32 - var x914 uint1 - x913, x914 = addcarryxU32(x886, x883, x912) - var x915 uint32 - var x916 uint1 - x915, x916 = addcarryxU32(x884, x881, x914) - var x917 uint32 = (uint32(x916) + x882) - var x919 uint1 - _, x919 = addcarryxU32(x855, x899, 0x0) - var x920 uint32 - var x921 uint1 - x920, x921 = addcarryxU32(x857, x900, x919) - var x922 uint32 - var x923 uint1 - x922, x923 = addcarryxU32(x859, uint32(0x0), x921) - var x924 uint32 - var x925 uint1 - x924, x925 = addcarryxU32(x861, x897, x923) - var x926 uint32 - var x927 uint1 - x926, x927 = addcarryxU32(x863, x901, x925) - var x928 uint32 - var x929 uint1 - x928, x929 = addcarryxU32(x865, x903, x927) - var x930 uint32 - var 
x931 uint1 - x930, x931 = addcarryxU32(x867, x905, x929) - var x932 uint32 - var x933 uint1 - x932, x933 = addcarryxU32(x869, x907, x931) - var x934 uint32 - var x935 uint1 - x934, x935 = addcarryxU32(x871, x909, x933) - var x936 uint32 - var x937 uint1 - x936, x937 = addcarryxU32(x873, x911, x935) - var x938 uint32 - var x939 uint1 - x938, x939 = addcarryxU32(x875, x913, x937) - var x940 uint32 - var x941 uint1 - x940, x941 = addcarryxU32(x877, x915, x939) - var x942 uint32 - var x943 uint1 - x942, x943 = addcarryxU32(x879, x917, x941) - var x944 uint32 = (uint32(x943) + uint32(x880)) - var x945 uint32 - var x946 uint32 - x946, x945 = bits.Mul32(x7, (arg2[11])) - var x947 uint32 - var x948 uint32 - x948, x947 = bits.Mul32(x7, (arg2[10])) - var x949 uint32 - var x950 uint32 - x950, x949 = bits.Mul32(x7, (arg2[9])) - var x951 uint32 - var x952 uint32 - x952, x951 = bits.Mul32(x7, (arg2[8])) - var x953 uint32 - var x954 uint32 - x954, x953 = bits.Mul32(x7, (arg2[7])) - var x955 uint32 - var x956 uint32 - x956, x955 = bits.Mul32(x7, (arg2[6])) - var x957 uint32 - var x958 uint32 - x958, x957 = bits.Mul32(x7, (arg2[5])) - var x959 uint32 - var x960 uint32 - x960, x959 = bits.Mul32(x7, (arg2[4])) - var x961 uint32 - var x962 uint32 - x962, x961 = bits.Mul32(x7, (arg2[3])) - var x963 uint32 - var x964 uint32 - x964, x963 = bits.Mul32(x7, (arg2[2])) - var x965 uint32 - var x966 uint32 - x966, x965 = bits.Mul32(x7, (arg2[1])) - var x967 uint32 - var x968 uint32 - x968, x967 = bits.Mul32(x7, (arg2[0])) - var x969 uint32 - var x970 uint1 - x969, x970 = addcarryxU32(x968, x965, 0x0) - var x971 uint32 - var x972 uint1 - x971, x972 = addcarryxU32(x966, x963, x970) - var x973 uint32 - var x974 uint1 - x973, x974 = addcarryxU32(x964, x961, x972) - var x975 uint32 - var x976 uint1 - x975, x976 = addcarryxU32(x962, x959, x974) - var x977 uint32 - var x978 uint1 - x977, x978 = addcarryxU32(x960, x957, x976) - var x979 uint32 - var x980 uint1 - x979, x980 = addcarryxU32(x958, x955, 
x978) - var x981 uint32 - var x982 uint1 - x981, x982 = addcarryxU32(x956, x953, x980) - var x983 uint32 - var x984 uint1 - x983, x984 = addcarryxU32(x954, x951, x982) - var x985 uint32 - var x986 uint1 - x985, x986 = addcarryxU32(x952, x949, x984) - var x987 uint32 - var x988 uint1 - x987, x988 = addcarryxU32(x950, x947, x986) - var x989 uint32 - var x990 uint1 - x989, x990 = addcarryxU32(x948, x945, x988) - var x991 uint32 = (uint32(x990) + x946) - var x992 uint32 - var x993 uint1 - x992, x993 = addcarryxU32(x920, x967, 0x0) - var x994 uint32 - var x995 uint1 - x994, x995 = addcarryxU32(x922, x969, x993) - var x996 uint32 - var x997 uint1 - x996, x997 = addcarryxU32(x924, x971, x995) - var x998 uint32 - var x999 uint1 - x998, x999 = addcarryxU32(x926, x973, x997) - var x1000 uint32 - var x1001 uint1 - x1000, x1001 = addcarryxU32(x928, x975, x999) - var x1002 uint32 - var x1003 uint1 - x1002, x1003 = addcarryxU32(x930, x977, x1001) - var x1004 uint32 - var x1005 uint1 - x1004, x1005 = addcarryxU32(x932, x979, x1003) - var x1006 uint32 - var x1007 uint1 - x1006, x1007 = addcarryxU32(x934, x981, x1005) - var x1008 uint32 - var x1009 uint1 - x1008, x1009 = addcarryxU32(x936, x983, x1007) - var x1010 uint32 - var x1011 uint1 - x1010, x1011 = addcarryxU32(x938, x985, x1009) - var x1012 uint32 - var x1013 uint1 - x1012, x1013 = addcarryxU32(x940, x987, x1011) - var x1014 uint32 - var x1015 uint1 - x1014, x1015 = addcarryxU32(x942, x989, x1013) - var x1016 uint32 - var x1017 uint1 - x1016, x1017 = addcarryxU32(x944, x991, x1015) - var x1018 uint32 - var x1019 uint32 - x1019, x1018 = bits.Mul32(x992, 0xffffffff) - var x1020 uint32 - var x1021 uint32 - x1021, x1020 = bits.Mul32(x992, 0xffffffff) - var x1022 uint32 - var x1023 uint32 - x1023, x1022 = bits.Mul32(x992, 0xffffffff) - var x1024 uint32 - var x1025 uint32 - x1025, x1024 = bits.Mul32(x992, 0xffffffff) - var x1026 uint32 - var x1027 uint32 - x1027, x1026 = bits.Mul32(x992, 0xffffffff) - var x1028 uint32 - var x1029 
uint32 - x1029, x1028 = bits.Mul32(x992, 0xffffffff) - var x1030 uint32 - var x1031 uint32 - x1031, x1030 = bits.Mul32(x992, 0xffffffff) - var x1032 uint32 - var x1033 uint32 - x1033, x1032 = bits.Mul32(x992, 0xfffffffe) - var x1034 uint32 - var x1035 uint32 - x1035, x1034 = bits.Mul32(x992, 0xffffffff) - var x1036 uint32 - var x1037 uint32 - x1037, x1036 = bits.Mul32(x992, 0xffffffff) - var x1038 uint32 - var x1039 uint1 - x1038, x1039 = addcarryxU32(x1035, x1032, 0x0) - var x1040 uint32 - var x1041 uint1 - x1040, x1041 = addcarryxU32(x1033, x1030, x1039) - var x1042 uint32 - var x1043 uint1 - x1042, x1043 = addcarryxU32(x1031, x1028, x1041) - var x1044 uint32 - var x1045 uint1 - x1044, x1045 = addcarryxU32(x1029, x1026, x1043) - var x1046 uint32 - var x1047 uint1 - x1046, x1047 = addcarryxU32(x1027, x1024, x1045) - var x1048 uint32 - var x1049 uint1 - x1048, x1049 = addcarryxU32(x1025, x1022, x1047) - var x1050 uint32 - var x1051 uint1 - x1050, x1051 = addcarryxU32(x1023, x1020, x1049) - var x1052 uint32 - var x1053 uint1 - x1052, x1053 = addcarryxU32(x1021, x1018, x1051) - var x1054 uint32 = (uint32(x1053) + x1019) - var x1056 uint1 - _, x1056 = addcarryxU32(x992, x1036, 0x0) - var x1057 uint32 - var x1058 uint1 - x1057, x1058 = addcarryxU32(x994, x1037, x1056) - var x1059 uint32 - var x1060 uint1 - x1059, x1060 = addcarryxU32(x996, uint32(0x0), x1058) - var x1061 uint32 - var x1062 uint1 - x1061, x1062 = addcarryxU32(x998, x1034, x1060) - var x1063 uint32 - var x1064 uint1 - x1063, x1064 = addcarryxU32(x1000, x1038, x1062) - var x1065 uint32 - var x1066 uint1 - x1065, x1066 = addcarryxU32(x1002, x1040, x1064) - var x1067 uint32 - var x1068 uint1 - x1067, x1068 = addcarryxU32(x1004, x1042, x1066) - var x1069 uint32 - var x1070 uint1 - x1069, x1070 = addcarryxU32(x1006, x1044, x1068) - var x1071 uint32 - var x1072 uint1 - x1071, x1072 = addcarryxU32(x1008, x1046, x1070) - var x1073 uint32 - var x1074 uint1 - x1073, x1074 = addcarryxU32(x1010, x1048, x1072) - var 
x1075 uint32 - var x1076 uint1 - x1075, x1076 = addcarryxU32(x1012, x1050, x1074) - var x1077 uint32 - var x1078 uint1 - x1077, x1078 = addcarryxU32(x1014, x1052, x1076) - var x1079 uint32 - var x1080 uint1 - x1079, x1080 = addcarryxU32(x1016, x1054, x1078) - var x1081 uint32 = (uint32(x1080) + uint32(x1017)) - var x1082 uint32 - var x1083 uint32 - x1083, x1082 = bits.Mul32(x8, (arg2[11])) - var x1084 uint32 - var x1085 uint32 - x1085, x1084 = bits.Mul32(x8, (arg2[10])) - var x1086 uint32 - var x1087 uint32 - x1087, x1086 = bits.Mul32(x8, (arg2[9])) - var x1088 uint32 - var x1089 uint32 - x1089, x1088 = bits.Mul32(x8, (arg2[8])) - var x1090 uint32 - var x1091 uint32 - x1091, x1090 = bits.Mul32(x8, (arg2[7])) - var x1092 uint32 - var x1093 uint32 - x1093, x1092 = bits.Mul32(x8, (arg2[6])) - var x1094 uint32 - var x1095 uint32 - x1095, x1094 = bits.Mul32(x8, (arg2[5])) - var x1096 uint32 - var x1097 uint32 - x1097, x1096 = bits.Mul32(x8, (arg2[4])) - var x1098 uint32 - var x1099 uint32 - x1099, x1098 = bits.Mul32(x8, (arg2[3])) - var x1100 uint32 - var x1101 uint32 - x1101, x1100 = bits.Mul32(x8, (arg2[2])) - var x1102 uint32 - var x1103 uint32 - x1103, x1102 = bits.Mul32(x8, (arg2[1])) - var x1104 uint32 - var x1105 uint32 - x1105, x1104 = bits.Mul32(x8, (arg2[0])) - var x1106 uint32 - var x1107 uint1 - x1106, x1107 = addcarryxU32(x1105, x1102, 0x0) - var x1108 uint32 - var x1109 uint1 - x1108, x1109 = addcarryxU32(x1103, x1100, x1107) - var x1110 uint32 - var x1111 uint1 - x1110, x1111 = addcarryxU32(x1101, x1098, x1109) - var x1112 uint32 - var x1113 uint1 - x1112, x1113 = addcarryxU32(x1099, x1096, x1111) - var x1114 uint32 - var x1115 uint1 - x1114, x1115 = addcarryxU32(x1097, x1094, x1113) - var x1116 uint32 - var x1117 uint1 - x1116, x1117 = addcarryxU32(x1095, x1092, x1115) - var x1118 uint32 - var x1119 uint1 - x1118, x1119 = addcarryxU32(x1093, x1090, x1117) - var x1120 uint32 - var x1121 uint1 - x1120, x1121 = addcarryxU32(x1091, x1088, x1119) - var x1122 
uint32 - var x1123 uint1 - x1122, x1123 = addcarryxU32(x1089, x1086, x1121) - var x1124 uint32 - var x1125 uint1 - x1124, x1125 = addcarryxU32(x1087, x1084, x1123) - var x1126 uint32 - var x1127 uint1 - x1126, x1127 = addcarryxU32(x1085, x1082, x1125) - var x1128 uint32 = (uint32(x1127) + x1083) - var x1129 uint32 - var x1130 uint1 - x1129, x1130 = addcarryxU32(x1057, x1104, 0x0) - var x1131 uint32 - var x1132 uint1 - x1131, x1132 = addcarryxU32(x1059, x1106, x1130) - var x1133 uint32 - var x1134 uint1 - x1133, x1134 = addcarryxU32(x1061, x1108, x1132) - var x1135 uint32 - var x1136 uint1 - x1135, x1136 = addcarryxU32(x1063, x1110, x1134) - var x1137 uint32 - var x1138 uint1 - x1137, x1138 = addcarryxU32(x1065, x1112, x1136) - var x1139 uint32 - var x1140 uint1 - x1139, x1140 = addcarryxU32(x1067, x1114, x1138) - var x1141 uint32 - var x1142 uint1 - x1141, x1142 = addcarryxU32(x1069, x1116, x1140) - var x1143 uint32 - var x1144 uint1 - x1143, x1144 = addcarryxU32(x1071, x1118, x1142) - var x1145 uint32 - var x1146 uint1 - x1145, x1146 = addcarryxU32(x1073, x1120, x1144) - var x1147 uint32 - var x1148 uint1 - x1147, x1148 = addcarryxU32(x1075, x1122, x1146) - var x1149 uint32 - var x1150 uint1 - x1149, x1150 = addcarryxU32(x1077, x1124, x1148) - var x1151 uint32 - var x1152 uint1 - x1151, x1152 = addcarryxU32(x1079, x1126, x1150) - var x1153 uint32 - var x1154 uint1 - x1153, x1154 = addcarryxU32(x1081, x1128, x1152) - var x1155 uint32 - var x1156 uint32 - x1156, x1155 = bits.Mul32(x1129, 0xffffffff) - var x1157 uint32 - var x1158 uint32 - x1158, x1157 = bits.Mul32(x1129, 0xffffffff) - var x1159 uint32 - var x1160 uint32 - x1160, x1159 = bits.Mul32(x1129, 0xffffffff) - var x1161 uint32 - var x1162 uint32 - x1162, x1161 = bits.Mul32(x1129, 0xffffffff) - var x1163 uint32 - var x1164 uint32 - x1164, x1163 = bits.Mul32(x1129, 0xffffffff) - var x1165 uint32 - var x1166 uint32 - x1166, x1165 = bits.Mul32(x1129, 0xffffffff) - var x1167 uint32 - var x1168 uint32 - x1168, 
x1167 = bits.Mul32(x1129, 0xffffffff) - var x1169 uint32 - var x1170 uint32 - x1170, x1169 = bits.Mul32(x1129, 0xfffffffe) - var x1171 uint32 - var x1172 uint32 - x1172, x1171 = bits.Mul32(x1129, 0xffffffff) - var x1173 uint32 - var x1174 uint32 - x1174, x1173 = bits.Mul32(x1129, 0xffffffff) - var x1175 uint32 - var x1176 uint1 - x1175, x1176 = addcarryxU32(x1172, x1169, 0x0) - var x1177 uint32 - var x1178 uint1 - x1177, x1178 = addcarryxU32(x1170, x1167, x1176) - var x1179 uint32 - var x1180 uint1 - x1179, x1180 = addcarryxU32(x1168, x1165, x1178) - var x1181 uint32 - var x1182 uint1 - x1181, x1182 = addcarryxU32(x1166, x1163, x1180) - var x1183 uint32 - var x1184 uint1 - x1183, x1184 = addcarryxU32(x1164, x1161, x1182) - var x1185 uint32 - var x1186 uint1 - x1185, x1186 = addcarryxU32(x1162, x1159, x1184) - var x1187 uint32 - var x1188 uint1 - x1187, x1188 = addcarryxU32(x1160, x1157, x1186) - var x1189 uint32 - var x1190 uint1 - x1189, x1190 = addcarryxU32(x1158, x1155, x1188) - var x1191 uint32 = (uint32(x1190) + x1156) - var x1193 uint1 - _, x1193 = addcarryxU32(x1129, x1173, 0x0) - var x1194 uint32 - var x1195 uint1 - x1194, x1195 = addcarryxU32(x1131, x1174, x1193) - var x1196 uint32 - var x1197 uint1 - x1196, x1197 = addcarryxU32(x1133, uint32(0x0), x1195) - var x1198 uint32 - var x1199 uint1 - x1198, x1199 = addcarryxU32(x1135, x1171, x1197) - var x1200 uint32 - var x1201 uint1 - x1200, x1201 = addcarryxU32(x1137, x1175, x1199) - var x1202 uint32 - var x1203 uint1 - x1202, x1203 = addcarryxU32(x1139, x1177, x1201) - var x1204 uint32 - var x1205 uint1 - x1204, x1205 = addcarryxU32(x1141, x1179, x1203) - var x1206 uint32 - var x1207 uint1 - x1206, x1207 = addcarryxU32(x1143, x1181, x1205) - var x1208 uint32 - var x1209 uint1 - x1208, x1209 = addcarryxU32(x1145, x1183, x1207) - var x1210 uint32 - var x1211 uint1 - x1210, x1211 = addcarryxU32(x1147, x1185, x1209) - var x1212 uint32 - var x1213 uint1 - x1212, x1213 = addcarryxU32(x1149, x1187, x1211) - var 
x1214 uint32 - var x1215 uint1 - x1214, x1215 = addcarryxU32(x1151, x1189, x1213) - var x1216 uint32 - var x1217 uint1 - x1216, x1217 = addcarryxU32(x1153, x1191, x1215) - var x1218 uint32 = (uint32(x1217) + uint32(x1154)) - var x1219 uint32 - var x1220 uint32 - x1220, x1219 = bits.Mul32(x9, (arg2[11])) - var x1221 uint32 - var x1222 uint32 - x1222, x1221 = bits.Mul32(x9, (arg2[10])) - var x1223 uint32 - var x1224 uint32 - x1224, x1223 = bits.Mul32(x9, (arg2[9])) - var x1225 uint32 - var x1226 uint32 - x1226, x1225 = bits.Mul32(x9, (arg2[8])) - var x1227 uint32 - var x1228 uint32 - x1228, x1227 = bits.Mul32(x9, (arg2[7])) - var x1229 uint32 - var x1230 uint32 - x1230, x1229 = bits.Mul32(x9, (arg2[6])) - var x1231 uint32 - var x1232 uint32 - x1232, x1231 = bits.Mul32(x9, (arg2[5])) - var x1233 uint32 - var x1234 uint32 - x1234, x1233 = bits.Mul32(x9, (arg2[4])) - var x1235 uint32 - var x1236 uint32 - x1236, x1235 = bits.Mul32(x9, (arg2[3])) - var x1237 uint32 - var x1238 uint32 - x1238, x1237 = bits.Mul32(x9, (arg2[2])) - var x1239 uint32 - var x1240 uint32 - x1240, x1239 = bits.Mul32(x9, (arg2[1])) - var x1241 uint32 - var x1242 uint32 - x1242, x1241 = bits.Mul32(x9, (arg2[0])) - var x1243 uint32 - var x1244 uint1 - x1243, x1244 = addcarryxU32(x1242, x1239, 0x0) - var x1245 uint32 - var x1246 uint1 - x1245, x1246 = addcarryxU32(x1240, x1237, x1244) - var x1247 uint32 - var x1248 uint1 - x1247, x1248 = addcarryxU32(x1238, x1235, x1246) - var x1249 uint32 - var x1250 uint1 - x1249, x1250 = addcarryxU32(x1236, x1233, x1248) - var x1251 uint32 - var x1252 uint1 - x1251, x1252 = addcarryxU32(x1234, x1231, x1250) - var x1253 uint32 - var x1254 uint1 - x1253, x1254 = addcarryxU32(x1232, x1229, x1252) - var x1255 uint32 - var x1256 uint1 - x1255, x1256 = addcarryxU32(x1230, x1227, x1254) - var x1257 uint32 - var x1258 uint1 - x1257, x1258 = addcarryxU32(x1228, x1225, x1256) - var x1259 uint32 - var x1260 uint1 - x1259, x1260 = addcarryxU32(x1226, x1223, x1258) - var x1261 
uint32 - var x1262 uint1 - x1261, x1262 = addcarryxU32(x1224, x1221, x1260) - var x1263 uint32 - var x1264 uint1 - x1263, x1264 = addcarryxU32(x1222, x1219, x1262) - var x1265 uint32 = (uint32(x1264) + x1220) - var x1266 uint32 - var x1267 uint1 - x1266, x1267 = addcarryxU32(x1194, x1241, 0x0) - var x1268 uint32 - var x1269 uint1 - x1268, x1269 = addcarryxU32(x1196, x1243, x1267) - var x1270 uint32 - var x1271 uint1 - x1270, x1271 = addcarryxU32(x1198, x1245, x1269) - var x1272 uint32 - var x1273 uint1 - x1272, x1273 = addcarryxU32(x1200, x1247, x1271) - var x1274 uint32 - var x1275 uint1 - x1274, x1275 = addcarryxU32(x1202, x1249, x1273) - var x1276 uint32 - var x1277 uint1 - x1276, x1277 = addcarryxU32(x1204, x1251, x1275) - var x1278 uint32 - var x1279 uint1 - x1278, x1279 = addcarryxU32(x1206, x1253, x1277) - var x1280 uint32 - var x1281 uint1 - x1280, x1281 = addcarryxU32(x1208, x1255, x1279) - var x1282 uint32 - var x1283 uint1 - x1282, x1283 = addcarryxU32(x1210, x1257, x1281) - var x1284 uint32 - var x1285 uint1 - x1284, x1285 = addcarryxU32(x1212, x1259, x1283) - var x1286 uint32 - var x1287 uint1 - x1286, x1287 = addcarryxU32(x1214, x1261, x1285) - var x1288 uint32 - var x1289 uint1 - x1288, x1289 = addcarryxU32(x1216, x1263, x1287) - var x1290 uint32 - var x1291 uint1 - x1290, x1291 = addcarryxU32(x1218, x1265, x1289) - var x1292 uint32 - var x1293 uint32 - x1293, x1292 = bits.Mul32(x1266, 0xffffffff) - var x1294 uint32 - var x1295 uint32 - x1295, x1294 = bits.Mul32(x1266, 0xffffffff) - var x1296 uint32 - var x1297 uint32 - x1297, x1296 = bits.Mul32(x1266, 0xffffffff) - var x1298 uint32 - var x1299 uint32 - x1299, x1298 = bits.Mul32(x1266, 0xffffffff) - var x1300 uint32 - var x1301 uint32 - x1301, x1300 = bits.Mul32(x1266, 0xffffffff) - var x1302 uint32 - var x1303 uint32 - x1303, x1302 = bits.Mul32(x1266, 0xffffffff) - var x1304 uint32 - var x1305 uint32 - x1305, x1304 = bits.Mul32(x1266, 0xffffffff) - var x1306 uint32 - var x1307 uint32 - x1307, x1306 
= bits.Mul32(x1266, 0xfffffffe) - var x1308 uint32 - var x1309 uint32 - x1309, x1308 = bits.Mul32(x1266, 0xffffffff) - var x1310 uint32 - var x1311 uint32 - x1311, x1310 = bits.Mul32(x1266, 0xffffffff) - var x1312 uint32 - var x1313 uint1 - x1312, x1313 = addcarryxU32(x1309, x1306, 0x0) - var x1314 uint32 - var x1315 uint1 - x1314, x1315 = addcarryxU32(x1307, x1304, x1313) - var x1316 uint32 - var x1317 uint1 - x1316, x1317 = addcarryxU32(x1305, x1302, x1315) - var x1318 uint32 - var x1319 uint1 - x1318, x1319 = addcarryxU32(x1303, x1300, x1317) - var x1320 uint32 - var x1321 uint1 - x1320, x1321 = addcarryxU32(x1301, x1298, x1319) - var x1322 uint32 - var x1323 uint1 - x1322, x1323 = addcarryxU32(x1299, x1296, x1321) - var x1324 uint32 - var x1325 uint1 - x1324, x1325 = addcarryxU32(x1297, x1294, x1323) - var x1326 uint32 - var x1327 uint1 - x1326, x1327 = addcarryxU32(x1295, x1292, x1325) - var x1328 uint32 = (uint32(x1327) + x1293) - var x1330 uint1 - _, x1330 = addcarryxU32(x1266, x1310, 0x0) - var x1331 uint32 - var x1332 uint1 - x1331, x1332 = addcarryxU32(x1268, x1311, x1330) - var x1333 uint32 - var x1334 uint1 - x1333, x1334 = addcarryxU32(x1270, uint32(0x0), x1332) - var x1335 uint32 - var x1336 uint1 - x1335, x1336 = addcarryxU32(x1272, x1308, x1334) - var x1337 uint32 - var x1338 uint1 - x1337, x1338 = addcarryxU32(x1274, x1312, x1336) - var x1339 uint32 - var x1340 uint1 - x1339, x1340 = addcarryxU32(x1276, x1314, x1338) - var x1341 uint32 - var x1342 uint1 - x1341, x1342 = addcarryxU32(x1278, x1316, x1340) - var x1343 uint32 - var x1344 uint1 - x1343, x1344 = addcarryxU32(x1280, x1318, x1342) - var x1345 uint32 - var x1346 uint1 - x1345, x1346 = addcarryxU32(x1282, x1320, x1344) - var x1347 uint32 - var x1348 uint1 - x1347, x1348 = addcarryxU32(x1284, x1322, x1346) - var x1349 uint32 - var x1350 uint1 - x1349, x1350 = addcarryxU32(x1286, x1324, x1348) - var x1351 uint32 - var x1352 uint1 - x1351, x1352 = addcarryxU32(x1288, x1326, x1350) - var x1353 
uint32 - var x1354 uint1 - x1353, x1354 = addcarryxU32(x1290, x1328, x1352) - var x1355 uint32 = (uint32(x1354) + uint32(x1291)) - var x1356 uint32 - var x1357 uint32 - x1357, x1356 = bits.Mul32(x10, (arg2[11])) - var x1358 uint32 - var x1359 uint32 - x1359, x1358 = bits.Mul32(x10, (arg2[10])) - var x1360 uint32 - var x1361 uint32 - x1361, x1360 = bits.Mul32(x10, (arg2[9])) - var x1362 uint32 - var x1363 uint32 - x1363, x1362 = bits.Mul32(x10, (arg2[8])) - var x1364 uint32 - var x1365 uint32 - x1365, x1364 = bits.Mul32(x10, (arg2[7])) - var x1366 uint32 - var x1367 uint32 - x1367, x1366 = bits.Mul32(x10, (arg2[6])) - var x1368 uint32 - var x1369 uint32 - x1369, x1368 = bits.Mul32(x10, (arg2[5])) - var x1370 uint32 - var x1371 uint32 - x1371, x1370 = bits.Mul32(x10, (arg2[4])) - var x1372 uint32 - var x1373 uint32 - x1373, x1372 = bits.Mul32(x10, (arg2[3])) - var x1374 uint32 - var x1375 uint32 - x1375, x1374 = bits.Mul32(x10, (arg2[2])) - var x1376 uint32 - var x1377 uint32 - x1377, x1376 = bits.Mul32(x10, (arg2[1])) - var x1378 uint32 - var x1379 uint32 - x1379, x1378 = bits.Mul32(x10, (arg2[0])) - var x1380 uint32 - var x1381 uint1 - x1380, x1381 = addcarryxU32(x1379, x1376, 0x0) - var x1382 uint32 - var x1383 uint1 - x1382, x1383 = addcarryxU32(x1377, x1374, x1381) - var x1384 uint32 - var x1385 uint1 - x1384, x1385 = addcarryxU32(x1375, x1372, x1383) - var x1386 uint32 - var x1387 uint1 - x1386, x1387 = addcarryxU32(x1373, x1370, x1385) - var x1388 uint32 - var x1389 uint1 - x1388, x1389 = addcarryxU32(x1371, x1368, x1387) - var x1390 uint32 - var x1391 uint1 - x1390, x1391 = addcarryxU32(x1369, x1366, x1389) - var x1392 uint32 - var x1393 uint1 - x1392, x1393 = addcarryxU32(x1367, x1364, x1391) - var x1394 uint32 - var x1395 uint1 - x1394, x1395 = addcarryxU32(x1365, x1362, x1393) - var x1396 uint32 - var x1397 uint1 - x1396, x1397 = addcarryxU32(x1363, x1360, x1395) - var x1398 uint32 - var x1399 uint1 - x1398, x1399 = addcarryxU32(x1361, x1358, x1397) - var 
x1400 uint32 - var x1401 uint1 - x1400, x1401 = addcarryxU32(x1359, x1356, x1399) - var x1402 uint32 = (uint32(x1401) + x1357) - var x1403 uint32 - var x1404 uint1 - x1403, x1404 = addcarryxU32(x1331, x1378, 0x0) - var x1405 uint32 - var x1406 uint1 - x1405, x1406 = addcarryxU32(x1333, x1380, x1404) - var x1407 uint32 - var x1408 uint1 - x1407, x1408 = addcarryxU32(x1335, x1382, x1406) - var x1409 uint32 - var x1410 uint1 - x1409, x1410 = addcarryxU32(x1337, x1384, x1408) - var x1411 uint32 - var x1412 uint1 - x1411, x1412 = addcarryxU32(x1339, x1386, x1410) - var x1413 uint32 - var x1414 uint1 - x1413, x1414 = addcarryxU32(x1341, x1388, x1412) - var x1415 uint32 - var x1416 uint1 - x1415, x1416 = addcarryxU32(x1343, x1390, x1414) - var x1417 uint32 - var x1418 uint1 - x1417, x1418 = addcarryxU32(x1345, x1392, x1416) - var x1419 uint32 - var x1420 uint1 - x1419, x1420 = addcarryxU32(x1347, x1394, x1418) - var x1421 uint32 - var x1422 uint1 - x1421, x1422 = addcarryxU32(x1349, x1396, x1420) - var x1423 uint32 - var x1424 uint1 - x1423, x1424 = addcarryxU32(x1351, x1398, x1422) - var x1425 uint32 - var x1426 uint1 - x1425, x1426 = addcarryxU32(x1353, x1400, x1424) - var x1427 uint32 - var x1428 uint1 - x1427, x1428 = addcarryxU32(x1355, x1402, x1426) - var x1429 uint32 - var x1430 uint32 - x1430, x1429 = bits.Mul32(x1403, 0xffffffff) - var x1431 uint32 - var x1432 uint32 - x1432, x1431 = bits.Mul32(x1403, 0xffffffff) - var x1433 uint32 - var x1434 uint32 - x1434, x1433 = bits.Mul32(x1403, 0xffffffff) - var x1435 uint32 - var x1436 uint32 - x1436, x1435 = bits.Mul32(x1403, 0xffffffff) - var x1437 uint32 - var x1438 uint32 - x1438, x1437 = bits.Mul32(x1403, 0xffffffff) - var x1439 uint32 - var x1440 uint32 - x1440, x1439 = bits.Mul32(x1403, 0xffffffff) - var x1441 uint32 - var x1442 uint32 - x1442, x1441 = bits.Mul32(x1403, 0xffffffff) - var x1443 uint32 - var x1444 uint32 - x1444, x1443 = bits.Mul32(x1403, 0xfffffffe) - var x1445 uint32 - var x1446 uint32 - x1446, 
x1445 = bits.Mul32(x1403, 0xffffffff) - var x1447 uint32 - var x1448 uint32 - x1448, x1447 = bits.Mul32(x1403, 0xffffffff) - var x1449 uint32 - var x1450 uint1 - x1449, x1450 = addcarryxU32(x1446, x1443, 0x0) - var x1451 uint32 - var x1452 uint1 - x1451, x1452 = addcarryxU32(x1444, x1441, x1450) - var x1453 uint32 - var x1454 uint1 - x1453, x1454 = addcarryxU32(x1442, x1439, x1452) - var x1455 uint32 - var x1456 uint1 - x1455, x1456 = addcarryxU32(x1440, x1437, x1454) - var x1457 uint32 - var x1458 uint1 - x1457, x1458 = addcarryxU32(x1438, x1435, x1456) - var x1459 uint32 - var x1460 uint1 - x1459, x1460 = addcarryxU32(x1436, x1433, x1458) - var x1461 uint32 - var x1462 uint1 - x1461, x1462 = addcarryxU32(x1434, x1431, x1460) - var x1463 uint32 - var x1464 uint1 - x1463, x1464 = addcarryxU32(x1432, x1429, x1462) - var x1465 uint32 = (uint32(x1464) + x1430) - var x1467 uint1 - _, x1467 = addcarryxU32(x1403, x1447, 0x0) - var x1468 uint32 - var x1469 uint1 - x1468, x1469 = addcarryxU32(x1405, x1448, x1467) - var x1470 uint32 - var x1471 uint1 - x1470, x1471 = addcarryxU32(x1407, uint32(0x0), x1469) - var x1472 uint32 - var x1473 uint1 - x1472, x1473 = addcarryxU32(x1409, x1445, x1471) - var x1474 uint32 - var x1475 uint1 - x1474, x1475 = addcarryxU32(x1411, x1449, x1473) - var x1476 uint32 - var x1477 uint1 - x1476, x1477 = addcarryxU32(x1413, x1451, x1475) - var x1478 uint32 - var x1479 uint1 - x1478, x1479 = addcarryxU32(x1415, x1453, x1477) - var x1480 uint32 - var x1481 uint1 - x1480, x1481 = addcarryxU32(x1417, x1455, x1479) - var x1482 uint32 - var x1483 uint1 - x1482, x1483 = addcarryxU32(x1419, x1457, x1481) - var x1484 uint32 - var x1485 uint1 - x1484, x1485 = addcarryxU32(x1421, x1459, x1483) - var x1486 uint32 - var x1487 uint1 - x1486, x1487 = addcarryxU32(x1423, x1461, x1485) - var x1488 uint32 - var x1489 uint1 - x1488, x1489 = addcarryxU32(x1425, x1463, x1487) - var x1490 uint32 - var x1491 uint1 - x1490, x1491 = addcarryxU32(x1427, x1465, x1489) - 
var x1492 uint32 = (uint32(x1491) + uint32(x1428)) - var x1493 uint32 - var x1494 uint32 - x1494, x1493 = bits.Mul32(x11, (arg2[11])) - var x1495 uint32 - var x1496 uint32 - x1496, x1495 = bits.Mul32(x11, (arg2[10])) - var x1497 uint32 - var x1498 uint32 - x1498, x1497 = bits.Mul32(x11, (arg2[9])) - var x1499 uint32 - var x1500 uint32 - x1500, x1499 = bits.Mul32(x11, (arg2[8])) - var x1501 uint32 - var x1502 uint32 - x1502, x1501 = bits.Mul32(x11, (arg2[7])) - var x1503 uint32 - var x1504 uint32 - x1504, x1503 = bits.Mul32(x11, (arg2[6])) - var x1505 uint32 - var x1506 uint32 - x1506, x1505 = bits.Mul32(x11, (arg2[5])) - var x1507 uint32 - var x1508 uint32 - x1508, x1507 = bits.Mul32(x11, (arg2[4])) - var x1509 uint32 - var x1510 uint32 - x1510, x1509 = bits.Mul32(x11, (arg2[3])) - var x1511 uint32 - var x1512 uint32 - x1512, x1511 = bits.Mul32(x11, (arg2[2])) - var x1513 uint32 - var x1514 uint32 - x1514, x1513 = bits.Mul32(x11, (arg2[1])) - var x1515 uint32 - var x1516 uint32 - x1516, x1515 = bits.Mul32(x11, (arg2[0])) - var x1517 uint32 - var x1518 uint1 - x1517, x1518 = addcarryxU32(x1516, x1513, 0x0) - var x1519 uint32 - var x1520 uint1 - x1519, x1520 = addcarryxU32(x1514, x1511, x1518) - var x1521 uint32 - var x1522 uint1 - x1521, x1522 = addcarryxU32(x1512, x1509, x1520) - var x1523 uint32 - var x1524 uint1 - x1523, x1524 = addcarryxU32(x1510, x1507, x1522) - var x1525 uint32 - var x1526 uint1 - x1525, x1526 = addcarryxU32(x1508, x1505, x1524) - var x1527 uint32 - var x1528 uint1 - x1527, x1528 = addcarryxU32(x1506, x1503, x1526) - var x1529 uint32 - var x1530 uint1 - x1529, x1530 = addcarryxU32(x1504, x1501, x1528) - var x1531 uint32 - var x1532 uint1 - x1531, x1532 = addcarryxU32(x1502, x1499, x1530) - var x1533 uint32 - var x1534 uint1 - x1533, x1534 = addcarryxU32(x1500, x1497, x1532) - var x1535 uint32 - var x1536 uint1 - x1535, x1536 = addcarryxU32(x1498, x1495, x1534) - var x1537 uint32 - var x1538 uint1 - x1537, x1538 = addcarryxU32(x1496, x1493, 
x1536) - var x1539 uint32 = (uint32(x1538) + x1494) - var x1540 uint32 - var x1541 uint1 - x1540, x1541 = addcarryxU32(x1468, x1515, 0x0) - var x1542 uint32 - var x1543 uint1 - x1542, x1543 = addcarryxU32(x1470, x1517, x1541) - var x1544 uint32 - var x1545 uint1 - x1544, x1545 = addcarryxU32(x1472, x1519, x1543) - var x1546 uint32 - var x1547 uint1 - x1546, x1547 = addcarryxU32(x1474, x1521, x1545) - var x1548 uint32 - var x1549 uint1 - x1548, x1549 = addcarryxU32(x1476, x1523, x1547) - var x1550 uint32 - var x1551 uint1 - x1550, x1551 = addcarryxU32(x1478, x1525, x1549) - var x1552 uint32 - var x1553 uint1 - x1552, x1553 = addcarryxU32(x1480, x1527, x1551) - var x1554 uint32 - var x1555 uint1 - x1554, x1555 = addcarryxU32(x1482, x1529, x1553) - var x1556 uint32 - var x1557 uint1 - x1556, x1557 = addcarryxU32(x1484, x1531, x1555) - var x1558 uint32 - var x1559 uint1 - x1558, x1559 = addcarryxU32(x1486, x1533, x1557) - var x1560 uint32 - var x1561 uint1 - x1560, x1561 = addcarryxU32(x1488, x1535, x1559) - var x1562 uint32 - var x1563 uint1 - x1562, x1563 = addcarryxU32(x1490, x1537, x1561) - var x1564 uint32 - var x1565 uint1 - x1564, x1565 = addcarryxU32(x1492, x1539, x1563) - var x1566 uint32 - var x1567 uint32 - x1567, x1566 = bits.Mul32(x1540, 0xffffffff) - var x1568 uint32 - var x1569 uint32 - x1569, x1568 = bits.Mul32(x1540, 0xffffffff) - var x1570 uint32 - var x1571 uint32 - x1571, x1570 = bits.Mul32(x1540, 0xffffffff) - var x1572 uint32 - var x1573 uint32 - x1573, x1572 = bits.Mul32(x1540, 0xffffffff) - var x1574 uint32 - var x1575 uint32 - x1575, x1574 = bits.Mul32(x1540, 0xffffffff) - var x1576 uint32 - var x1577 uint32 - x1577, x1576 = bits.Mul32(x1540, 0xffffffff) - var x1578 uint32 - var x1579 uint32 - x1579, x1578 = bits.Mul32(x1540, 0xffffffff) - var x1580 uint32 - var x1581 uint32 - x1581, x1580 = bits.Mul32(x1540, 0xfffffffe) - var x1582 uint32 - var x1583 uint32 - x1583, x1582 = bits.Mul32(x1540, 0xffffffff) - var x1584 uint32 - var x1585 uint32 - 
x1585, x1584 = bits.Mul32(x1540, 0xffffffff) - var x1586 uint32 - var x1587 uint1 - x1586, x1587 = addcarryxU32(x1583, x1580, 0x0) - var x1588 uint32 - var x1589 uint1 - x1588, x1589 = addcarryxU32(x1581, x1578, x1587) - var x1590 uint32 - var x1591 uint1 - x1590, x1591 = addcarryxU32(x1579, x1576, x1589) - var x1592 uint32 - var x1593 uint1 - x1592, x1593 = addcarryxU32(x1577, x1574, x1591) - var x1594 uint32 - var x1595 uint1 - x1594, x1595 = addcarryxU32(x1575, x1572, x1593) - var x1596 uint32 - var x1597 uint1 - x1596, x1597 = addcarryxU32(x1573, x1570, x1595) - var x1598 uint32 - var x1599 uint1 - x1598, x1599 = addcarryxU32(x1571, x1568, x1597) - var x1600 uint32 - var x1601 uint1 - x1600, x1601 = addcarryxU32(x1569, x1566, x1599) - var x1602 uint32 = (uint32(x1601) + x1567) - var x1604 uint1 - _, x1604 = addcarryxU32(x1540, x1584, 0x0) - var x1605 uint32 - var x1606 uint1 - x1605, x1606 = addcarryxU32(x1542, x1585, x1604) - var x1607 uint32 - var x1608 uint1 - x1607, x1608 = addcarryxU32(x1544, uint32(0x0), x1606) - var x1609 uint32 - var x1610 uint1 - x1609, x1610 = addcarryxU32(x1546, x1582, x1608) - var x1611 uint32 - var x1612 uint1 - x1611, x1612 = addcarryxU32(x1548, x1586, x1610) - var x1613 uint32 - var x1614 uint1 - x1613, x1614 = addcarryxU32(x1550, x1588, x1612) - var x1615 uint32 - var x1616 uint1 - x1615, x1616 = addcarryxU32(x1552, x1590, x1614) - var x1617 uint32 - var x1618 uint1 - x1617, x1618 = addcarryxU32(x1554, x1592, x1616) - var x1619 uint32 - var x1620 uint1 - x1619, x1620 = addcarryxU32(x1556, x1594, x1618) - var x1621 uint32 - var x1622 uint1 - x1621, x1622 = addcarryxU32(x1558, x1596, x1620) - var x1623 uint32 - var x1624 uint1 - x1623, x1624 = addcarryxU32(x1560, x1598, x1622) - var x1625 uint32 - var x1626 uint1 - x1625, x1626 = addcarryxU32(x1562, x1600, x1624) - var x1627 uint32 - var x1628 uint1 - x1627, x1628 = addcarryxU32(x1564, x1602, x1626) - var x1629 uint32 = (uint32(x1628) + uint32(x1565)) - var x1630 uint32 - var 
x1631 uint1 - x1630, x1631 = subborrowxU32(x1605, 0xffffffff, 0x0) - var x1632 uint32 - var x1633 uint1 - x1632, x1633 = subborrowxU32(x1607, uint32(0x0), x1631) - var x1634 uint32 - var x1635 uint1 - x1634, x1635 = subborrowxU32(x1609, uint32(0x0), x1633) - var x1636 uint32 - var x1637 uint1 - x1636, x1637 = subborrowxU32(x1611, 0xffffffff, x1635) - var x1638 uint32 - var x1639 uint1 - x1638, x1639 = subborrowxU32(x1613, 0xfffffffe, x1637) - var x1640 uint32 - var x1641 uint1 - x1640, x1641 = subborrowxU32(x1615, 0xffffffff, x1639) - var x1642 uint32 - var x1643 uint1 - x1642, x1643 = subborrowxU32(x1617, 0xffffffff, x1641) - var x1644 uint32 - var x1645 uint1 - x1644, x1645 = subborrowxU32(x1619, 0xffffffff, x1643) - var x1646 uint32 - var x1647 uint1 - x1646, x1647 = subborrowxU32(x1621, 0xffffffff, x1645) - var x1648 uint32 - var x1649 uint1 - x1648, x1649 = subborrowxU32(x1623, 0xffffffff, x1647) - var x1650 uint32 - var x1651 uint1 - x1650, x1651 = subborrowxU32(x1625, 0xffffffff, x1649) - var x1652 uint32 - var x1653 uint1 - x1652, x1653 = subborrowxU32(x1627, 0xffffffff, x1651) - var x1655 uint1 - _, x1655 = subborrowxU32(x1629, uint32(0x0), x1653) - var x1656 uint32 - cmovznzU32(&x1656, x1655, x1630, x1605) - var x1657 uint32 - cmovznzU32(&x1657, x1655, x1632, x1607) - var x1658 uint32 - cmovznzU32(&x1658, x1655, x1634, x1609) - var x1659 uint32 - cmovznzU32(&x1659, x1655, x1636, x1611) - var x1660 uint32 - cmovznzU32(&x1660, x1655, x1638, x1613) - var x1661 uint32 - cmovznzU32(&x1661, x1655, x1640, x1615) - var x1662 uint32 - cmovznzU32(&x1662, x1655, x1642, x1617) - var x1663 uint32 - cmovznzU32(&x1663, x1655, x1644, x1619) - var x1664 uint32 - cmovznzU32(&x1664, x1655, x1646, x1621) - var x1665 uint32 - cmovznzU32(&x1665, x1655, x1648, x1623) - var x1666 uint32 - cmovznzU32(&x1666, x1655, x1650, x1625) - var x1667 uint32 - cmovznzU32(&x1667, x1655, x1652, x1627) - out1[0] = x1656 - out1[1] = x1657 - out1[2] = x1658 - out1[3] = x1659 - out1[4] = x1660 - 
out1[5] = x1661 - out1[6] = x1662 - out1[7] = x1663 - out1[8] = x1664 - out1[9] = x1665 - out1[10] = x1666 - out1[11] = x1667 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[8] + x9 := arg1[9] + x10 := arg1[10] + x11 := arg1[11] + x12 := arg1[0] + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x12, arg2[11]) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x12, arg2[10]) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x12, arg2[9]) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x12, arg2[8]) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x12, arg2[7]) + var x23 uint32 + var x24 uint32 + x24, x23 = bits.Mul32(x12, arg2[6]) + var x25 uint32 + var x26 uint32 + x26, x25 = bits.Mul32(x12, arg2[5]) + var x27 uint32 + var x28 uint32 + x28, x27 = bits.Mul32(x12, arg2[4]) + var x29 uint32 + var x30 uint32 + x30, x29 = bits.Mul32(x12, arg2[3]) + var x31 uint32 + var x32 uint32 + x32, x31 = bits.Mul32(x12, arg2[2]) + var x33 uint32 + var x34 uint32 + x34, x33 = bits.Mul32(x12, arg2[1]) + var x35 uint32 + var x36 uint32 + x36, x35 = bits.Mul32(x12, arg2[0]) + var x37 uint32 + var x38 uint1 + x37, x38 = addcarryxU32(x36, x33, 0x0) + var x39 uint32 + var x40 uint1 + x39, x40 = addcarryxU32(x34, x31, x38) + var x41 uint32 + var x42 uint1 + x41, x42 = addcarryxU32(x32, x29, x40) + var x43 uint32 + var x44 uint1 + x43, x44 = addcarryxU32(x30, x27, x42) + var x45 uint32 + var x46 uint1 + x45, x46 = addcarryxU32(x28, x25, x44) + var x47 uint32 + var x48 uint1 + x47, x48 = addcarryxU32(x26, x23, x46) + var x49 uint32 + var x50 uint1 + x49, x50 = addcarryxU32(x24, x21, x48) + var x51 uint32 + var x52 uint1 + x51, x52 = addcarryxU32(x22, x19, x50) + var x53 uint32 + var x54 uint1 + x53, x54 = addcarryxU32(x20, x17, x52) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x18, x15, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x16, x13, 
x56) + x59 := (uint32(x58) + x14) + var x60 uint32 + var x61 uint32 + x61, x60 = bits.Mul32(x35, 0xffffffff) + var x62 uint32 + var x63 uint32 + x63, x62 = bits.Mul32(x35, 0xffffffff) + var x64 uint32 + var x65 uint32 + x65, x64 = bits.Mul32(x35, 0xffffffff) + var x66 uint32 + var x67 uint32 + x67, x66 = bits.Mul32(x35, 0xffffffff) + var x68 uint32 + var x69 uint32 + x69, x68 = bits.Mul32(x35, 0xffffffff) + var x70 uint32 + var x71 uint32 + x71, x70 = bits.Mul32(x35, 0xffffffff) + var x72 uint32 + var x73 uint32 + x73, x72 = bits.Mul32(x35, 0xffffffff) + var x74 uint32 + var x75 uint32 + x75, x74 = bits.Mul32(x35, 0xfffffffe) + var x76 uint32 + var x77 uint32 + x77, x76 = bits.Mul32(x35, 0xffffffff) + var x78 uint32 + var x79 uint32 + x79, x78 = bits.Mul32(x35, 0xffffffff) + var x80 uint32 + var x81 uint1 + x80, x81 = addcarryxU32(x77, x74, 0x0) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x75, x72, x81) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32(x73, x70, x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x71, x68, x85) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x69, x66, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x67, x64, x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x65, x62, x91) + var x94 uint32 + var x95 uint1 + x94, x95 = addcarryxU32(x63, x60, x93) + x96 := (uint32(x95) + x61) + var x98 uint1 + _, x98 = addcarryxU32(x35, x78, 0x0) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x37, x79, x98) + var x101 uint32 + var x102 uint1 + x101, x102 = addcarryxU32(x39, uint32(0x0), x100) + var x103 uint32 + var x104 uint1 + x103, x104 = addcarryxU32(x41, x76, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = addcarryxU32(x43, x80, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = addcarryxU32(x45, x82, x106) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(x47, x84, x108) + var x111 uint32 + var x112 uint1 + x111, x112 = 
addcarryxU32(x49, x86, x110) + var x113 uint32 + var x114 uint1 + x113, x114 = addcarryxU32(x51, x88, x112) + var x115 uint32 + var x116 uint1 + x115, x116 = addcarryxU32(x53, x90, x114) + var x117 uint32 + var x118 uint1 + x117, x118 = addcarryxU32(x55, x92, x116) + var x119 uint32 + var x120 uint1 + x119, x120 = addcarryxU32(x57, x94, x118) + var x121 uint32 + var x122 uint1 + x121, x122 = addcarryxU32(x59, x96, x120) + var x123 uint32 + var x124 uint32 + x124, x123 = bits.Mul32(x1, arg2[11]) + var x125 uint32 + var x126 uint32 + x126, x125 = bits.Mul32(x1, arg2[10]) + var x127 uint32 + var x128 uint32 + x128, x127 = bits.Mul32(x1, arg2[9]) + var x129 uint32 + var x130 uint32 + x130, x129 = bits.Mul32(x1, arg2[8]) + var x131 uint32 + var x132 uint32 + x132, x131 = bits.Mul32(x1, arg2[7]) + var x133 uint32 + var x134 uint32 + x134, x133 = bits.Mul32(x1, arg2[6]) + var x135 uint32 + var x136 uint32 + x136, x135 = bits.Mul32(x1, arg2[5]) + var x137 uint32 + var x138 uint32 + x138, x137 = bits.Mul32(x1, arg2[4]) + var x139 uint32 + var x140 uint32 + x140, x139 = bits.Mul32(x1, arg2[3]) + var x141 uint32 + var x142 uint32 + x142, x141 = bits.Mul32(x1, arg2[2]) + var x143 uint32 + var x144 uint32 + x144, x143 = bits.Mul32(x1, arg2[1]) + var x145 uint32 + var x146 uint32 + x146, x145 = bits.Mul32(x1, arg2[0]) + var x147 uint32 + var x148 uint1 + x147, x148 = addcarryxU32(x146, x143, 0x0) + var x149 uint32 + var x150 uint1 + x149, x150 = addcarryxU32(x144, x141, x148) + var x151 uint32 + var x152 uint1 + x151, x152 = addcarryxU32(x142, x139, x150) + var x153 uint32 + var x154 uint1 + x153, x154 = addcarryxU32(x140, x137, x152) + var x155 uint32 + var x156 uint1 + x155, x156 = addcarryxU32(x138, x135, x154) + var x157 uint32 + var x158 uint1 + x157, x158 = addcarryxU32(x136, x133, x156) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x134, x131, x158) + var x161 uint32 + var x162 uint1 + x161, x162 = addcarryxU32(x132, x129, x160) + var x163 uint32 + var 
x164 uint1 + x163, x164 = addcarryxU32(x130, x127, x162) + var x165 uint32 + var x166 uint1 + x165, x166 = addcarryxU32(x128, x125, x164) + var x167 uint32 + var x168 uint1 + x167, x168 = addcarryxU32(x126, x123, x166) + x169 := (uint32(x168) + x124) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x99, x145, 0x0) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x101, x147, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x103, x149, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x105, x151, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x107, x153, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x109, x155, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x111, x157, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x113, x159, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x115, x161, x185) + var x188 uint32 + var x189 uint1 + x188, x189 = addcarryxU32(x117, x163, x187) + var x190 uint32 + var x191 uint1 + x190, x191 = addcarryxU32(x119, x165, x189) + var x192 uint32 + var x193 uint1 + x192, x193 = addcarryxU32(x121, x167, x191) + var x194 uint32 + var x195 uint1 + x194, x195 = addcarryxU32(uint32(x122), x169, x193) + var x196 uint32 + var x197 uint32 + x197, x196 = bits.Mul32(x170, 0xffffffff) + var x198 uint32 + var x199 uint32 + x199, x198 = bits.Mul32(x170, 0xffffffff) + var x200 uint32 + var x201 uint32 + x201, x200 = bits.Mul32(x170, 0xffffffff) + var x202 uint32 + var x203 uint32 + x203, x202 = bits.Mul32(x170, 0xffffffff) + var x204 uint32 + var x205 uint32 + x205, x204 = bits.Mul32(x170, 0xffffffff) + var x206 uint32 + var x207 uint32 + x207, x206 = bits.Mul32(x170, 0xffffffff) + var x208 uint32 + var x209 uint32 + x209, x208 = bits.Mul32(x170, 0xffffffff) + var x210 uint32 + var x211 uint32 + x211, x210 = bits.Mul32(x170, 0xfffffffe) + var x212 uint32 + var x213 uint32 + x213, x212 
= bits.Mul32(x170, 0xffffffff) + var x214 uint32 + var x215 uint32 + x215, x214 = bits.Mul32(x170, 0xffffffff) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x213, x210, 0x0) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x211, x208, x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x209, x206, x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x207, x204, x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x205, x202, x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x203, x200, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x201, x198, x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x199, x196, x229) + x232 := (uint32(x231) + x197) + var x234 uint1 + _, x234 = addcarryxU32(x170, x214, 0x0) + var x235 uint32 + var x236 uint1 + x235, x236 = addcarryxU32(x172, x215, x234) + var x237 uint32 + var x238 uint1 + x237, x238 = addcarryxU32(x174, uint32(0x0), x236) + var x239 uint32 + var x240 uint1 + x239, x240 = addcarryxU32(x176, x212, x238) + var x241 uint32 + var x242 uint1 + x241, x242 = addcarryxU32(x178, x216, x240) + var x243 uint32 + var x244 uint1 + x243, x244 = addcarryxU32(x180, x218, x242) + var x245 uint32 + var x246 uint1 + x245, x246 = addcarryxU32(x182, x220, x244) + var x247 uint32 + var x248 uint1 + x247, x248 = addcarryxU32(x184, x222, x246) + var x249 uint32 + var x250 uint1 + x249, x250 = addcarryxU32(x186, x224, x248) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x188, x226, x250) + var x253 uint32 + var x254 uint1 + x253, x254 = addcarryxU32(x190, x228, x252) + var x255 uint32 + var x256 uint1 + x255, x256 = addcarryxU32(x192, x230, x254) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x194, x232, x256) + x259 := (uint32(x258) + uint32(x195)) + var x260 uint32 + var x261 uint32 + x261, x260 = bits.Mul32(x2, arg2[11]) + var x262 uint32 + var x263 uint32 + x263, x262 = 
bits.Mul32(x2, arg2[10]) + var x264 uint32 + var x265 uint32 + x265, x264 = bits.Mul32(x2, arg2[9]) + var x266 uint32 + var x267 uint32 + x267, x266 = bits.Mul32(x2, arg2[8]) + var x268 uint32 + var x269 uint32 + x269, x268 = bits.Mul32(x2, arg2[7]) + var x270 uint32 + var x271 uint32 + x271, x270 = bits.Mul32(x2, arg2[6]) + var x272 uint32 + var x273 uint32 + x273, x272 = bits.Mul32(x2, arg2[5]) + var x274 uint32 + var x275 uint32 + x275, x274 = bits.Mul32(x2, arg2[4]) + var x276 uint32 + var x277 uint32 + x277, x276 = bits.Mul32(x2, arg2[3]) + var x278 uint32 + var x279 uint32 + x279, x278 = bits.Mul32(x2, arg2[2]) + var x280 uint32 + var x281 uint32 + x281, x280 = bits.Mul32(x2, arg2[1]) + var x282 uint32 + var x283 uint32 + x283, x282 = bits.Mul32(x2, arg2[0]) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x283, x280, 0x0) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x281, x278, x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x279, x276, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x277, x274, x289) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x275, x272, x291) + var x294 uint32 + var x295 uint1 + x294, x295 = addcarryxU32(x273, x270, x293) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x271, x268, x295) + var x298 uint32 + var x299 uint1 + x298, x299 = addcarryxU32(x269, x266, x297) + var x300 uint32 + var x301 uint1 + x300, x301 = addcarryxU32(x267, x264, x299) + var x302 uint32 + var x303 uint1 + x302, x303 = addcarryxU32(x265, x262, x301) + var x304 uint32 + var x305 uint1 + x304, x305 = addcarryxU32(x263, x260, x303) + x306 := (uint32(x305) + x261) + var x307 uint32 + var x308 uint1 + x307, x308 = addcarryxU32(x235, x282, 0x0) + var x309 uint32 + var x310 uint1 + x309, x310 = addcarryxU32(x237, x284, x308) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x239, x286, x310) + var x313 uint32 + var x314 uint1 + x313, x314 = 
addcarryxU32(x241, x288, x312) + var x315 uint32 + var x316 uint1 + x315, x316 = addcarryxU32(x243, x290, x314) + var x317 uint32 + var x318 uint1 + x317, x318 = addcarryxU32(x245, x292, x316) + var x319 uint32 + var x320 uint1 + x319, x320 = addcarryxU32(x247, x294, x318) + var x321 uint32 + var x322 uint1 + x321, x322 = addcarryxU32(x249, x296, x320) + var x323 uint32 + var x324 uint1 + x323, x324 = addcarryxU32(x251, x298, x322) + var x325 uint32 + var x326 uint1 + x325, x326 = addcarryxU32(x253, x300, x324) + var x327 uint32 + var x328 uint1 + x327, x328 = addcarryxU32(x255, x302, x326) + var x329 uint32 + var x330 uint1 + x329, x330 = addcarryxU32(x257, x304, x328) + var x331 uint32 + var x332 uint1 + x331, x332 = addcarryxU32(x259, x306, x330) + var x333 uint32 + var x334 uint32 + x334, x333 = bits.Mul32(x307, 0xffffffff) + var x335 uint32 + var x336 uint32 + x336, x335 = bits.Mul32(x307, 0xffffffff) + var x337 uint32 + var x338 uint32 + x338, x337 = bits.Mul32(x307, 0xffffffff) + var x339 uint32 + var x340 uint32 + x340, x339 = bits.Mul32(x307, 0xffffffff) + var x341 uint32 + var x342 uint32 + x342, x341 = bits.Mul32(x307, 0xffffffff) + var x343 uint32 + var x344 uint32 + x344, x343 = bits.Mul32(x307, 0xffffffff) + var x345 uint32 + var x346 uint32 + x346, x345 = bits.Mul32(x307, 0xffffffff) + var x347 uint32 + var x348 uint32 + x348, x347 = bits.Mul32(x307, 0xfffffffe) + var x349 uint32 + var x350 uint32 + x350, x349 = bits.Mul32(x307, 0xffffffff) + var x351 uint32 + var x352 uint32 + x352, x351 = bits.Mul32(x307, 0xffffffff) + var x353 uint32 + var x354 uint1 + x353, x354 = addcarryxU32(x350, x347, 0x0) + var x355 uint32 + var x356 uint1 + x355, x356 = addcarryxU32(x348, x345, x354) + var x357 uint32 + var x358 uint1 + x357, x358 = addcarryxU32(x346, x343, x356) + var x359 uint32 + var x360 uint1 + x359, x360 = addcarryxU32(x344, x341, x358) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x342, x339, x360) + var x363 uint32 + var x364 uint1 
+ x363, x364 = addcarryxU32(x340, x337, x362) + var x365 uint32 + var x366 uint1 + x365, x366 = addcarryxU32(x338, x335, x364) + var x367 uint32 + var x368 uint1 + x367, x368 = addcarryxU32(x336, x333, x366) + x369 := (uint32(x368) + x334) + var x371 uint1 + _, x371 = addcarryxU32(x307, x351, 0x0) + var x372 uint32 + var x373 uint1 + x372, x373 = addcarryxU32(x309, x352, x371) + var x374 uint32 + var x375 uint1 + x374, x375 = addcarryxU32(x311, uint32(0x0), x373) + var x376 uint32 + var x377 uint1 + x376, x377 = addcarryxU32(x313, x349, x375) + var x378 uint32 + var x379 uint1 + x378, x379 = addcarryxU32(x315, x353, x377) + var x380 uint32 + var x381 uint1 + x380, x381 = addcarryxU32(x317, x355, x379) + var x382 uint32 + var x383 uint1 + x382, x383 = addcarryxU32(x319, x357, x381) + var x384 uint32 + var x385 uint1 + x384, x385 = addcarryxU32(x321, x359, x383) + var x386 uint32 + var x387 uint1 + x386, x387 = addcarryxU32(x323, x361, x385) + var x388 uint32 + var x389 uint1 + x388, x389 = addcarryxU32(x325, x363, x387) + var x390 uint32 + var x391 uint1 + x390, x391 = addcarryxU32(x327, x365, x389) + var x392 uint32 + var x393 uint1 + x392, x393 = addcarryxU32(x329, x367, x391) + var x394 uint32 + var x395 uint1 + x394, x395 = addcarryxU32(x331, x369, x393) + x396 := (uint32(x395) + uint32(x332)) + var x397 uint32 + var x398 uint32 + x398, x397 = bits.Mul32(x3, arg2[11]) + var x399 uint32 + var x400 uint32 + x400, x399 = bits.Mul32(x3, arg2[10]) + var x401 uint32 + var x402 uint32 + x402, x401 = bits.Mul32(x3, arg2[9]) + var x403 uint32 + var x404 uint32 + x404, x403 = bits.Mul32(x3, arg2[8]) + var x405 uint32 + var x406 uint32 + x406, x405 = bits.Mul32(x3, arg2[7]) + var x407 uint32 + var x408 uint32 + x408, x407 = bits.Mul32(x3, arg2[6]) + var x409 uint32 + var x410 uint32 + x410, x409 = bits.Mul32(x3, arg2[5]) + var x411 uint32 + var x412 uint32 + x412, x411 = bits.Mul32(x3, arg2[4]) + var x413 uint32 + var x414 uint32 + x414, x413 = bits.Mul32(x3, arg2[3]) + 
var x415 uint32 + var x416 uint32 + x416, x415 = bits.Mul32(x3, arg2[2]) + var x417 uint32 + var x418 uint32 + x418, x417 = bits.Mul32(x3, arg2[1]) + var x419 uint32 + var x420 uint32 + x420, x419 = bits.Mul32(x3, arg2[0]) + var x421 uint32 + var x422 uint1 + x421, x422 = addcarryxU32(x420, x417, 0x0) + var x423 uint32 + var x424 uint1 + x423, x424 = addcarryxU32(x418, x415, x422) + var x425 uint32 + var x426 uint1 + x425, x426 = addcarryxU32(x416, x413, x424) + var x427 uint32 + var x428 uint1 + x427, x428 = addcarryxU32(x414, x411, x426) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x412, x409, x428) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x410, x407, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x408, x405, x432) + var x435 uint32 + var x436 uint1 + x435, x436 = addcarryxU32(x406, x403, x434) + var x437 uint32 + var x438 uint1 + x437, x438 = addcarryxU32(x404, x401, x436) + var x439 uint32 + var x440 uint1 + x439, x440 = addcarryxU32(x402, x399, x438) + var x441 uint32 + var x442 uint1 + x441, x442 = addcarryxU32(x400, x397, x440) + x443 := (uint32(x442) + x398) + var x444 uint32 + var x445 uint1 + x444, x445 = addcarryxU32(x372, x419, 0x0) + var x446 uint32 + var x447 uint1 + x446, x447 = addcarryxU32(x374, x421, x445) + var x448 uint32 + var x449 uint1 + x448, x449 = addcarryxU32(x376, x423, x447) + var x450 uint32 + var x451 uint1 + x450, x451 = addcarryxU32(x378, x425, x449) + var x452 uint32 + var x453 uint1 + x452, x453 = addcarryxU32(x380, x427, x451) + var x454 uint32 + var x455 uint1 + x454, x455 = addcarryxU32(x382, x429, x453) + var x456 uint32 + var x457 uint1 + x456, x457 = addcarryxU32(x384, x431, x455) + var x458 uint32 + var x459 uint1 + x458, x459 = addcarryxU32(x386, x433, x457) + var x460 uint32 + var x461 uint1 + x460, x461 = addcarryxU32(x388, x435, x459) + var x462 uint32 + var x463 uint1 + x462, x463 = addcarryxU32(x390, x437, x461) + var x464 uint32 + var x465 uint1 + x464, 
x465 = addcarryxU32(x392, x439, x463) + var x466 uint32 + var x467 uint1 + x466, x467 = addcarryxU32(x394, x441, x465) + var x468 uint32 + var x469 uint1 + x468, x469 = addcarryxU32(x396, x443, x467) + var x470 uint32 + var x471 uint32 + x471, x470 = bits.Mul32(x444, 0xffffffff) + var x472 uint32 + var x473 uint32 + x473, x472 = bits.Mul32(x444, 0xffffffff) + var x474 uint32 + var x475 uint32 + x475, x474 = bits.Mul32(x444, 0xffffffff) + var x476 uint32 + var x477 uint32 + x477, x476 = bits.Mul32(x444, 0xffffffff) + var x478 uint32 + var x479 uint32 + x479, x478 = bits.Mul32(x444, 0xffffffff) + var x480 uint32 + var x481 uint32 + x481, x480 = bits.Mul32(x444, 0xffffffff) + var x482 uint32 + var x483 uint32 + x483, x482 = bits.Mul32(x444, 0xffffffff) + var x484 uint32 + var x485 uint32 + x485, x484 = bits.Mul32(x444, 0xfffffffe) + var x486 uint32 + var x487 uint32 + x487, x486 = bits.Mul32(x444, 0xffffffff) + var x488 uint32 + var x489 uint32 + x489, x488 = bits.Mul32(x444, 0xffffffff) + var x490 uint32 + var x491 uint1 + x490, x491 = addcarryxU32(x487, x484, 0x0) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x485, x482, x491) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x483, x480, x493) + var x496 uint32 + var x497 uint1 + x496, x497 = addcarryxU32(x481, x478, x495) + var x498 uint32 + var x499 uint1 + x498, x499 = addcarryxU32(x479, x476, x497) + var x500 uint32 + var x501 uint1 + x500, x501 = addcarryxU32(x477, x474, x499) + var x502 uint32 + var x503 uint1 + x502, x503 = addcarryxU32(x475, x472, x501) + var x504 uint32 + var x505 uint1 + x504, x505 = addcarryxU32(x473, x470, x503) + x506 := (uint32(x505) + x471) + var x508 uint1 + _, x508 = addcarryxU32(x444, x488, 0x0) + var x509 uint32 + var x510 uint1 + x509, x510 = addcarryxU32(x446, x489, x508) + var x511 uint32 + var x512 uint1 + x511, x512 = addcarryxU32(x448, uint32(0x0), x510) + var x513 uint32 + var x514 uint1 + x513, x514 = addcarryxU32(x450, x486, x512) + var x515 
uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x452, x490, x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x454, x492, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x456, x494, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x458, x496, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x460, x498, x522) + var x525 uint32 + var x526 uint1 + x525, x526 = addcarryxU32(x462, x500, x524) + var x527 uint32 + var x528 uint1 + x527, x528 = addcarryxU32(x464, x502, x526) + var x529 uint32 + var x530 uint1 + x529, x530 = addcarryxU32(x466, x504, x528) + var x531 uint32 + var x532 uint1 + x531, x532 = addcarryxU32(x468, x506, x530) + x533 := (uint32(x532) + uint32(x469)) + var x534 uint32 + var x535 uint32 + x535, x534 = bits.Mul32(x4, arg2[11]) + var x536 uint32 + var x537 uint32 + x537, x536 = bits.Mul32(x4, arg2[10]) + var x538 uint32 + var x539 uint32 + x539, x538 = bits.Mul32(x4, arg2[9]) + var x540 uint32 + var x541 uint32 + x541, x540 = bits.Mul32(x4, arg2[8]) + var x542 uint32 + var x543 uint32 + x543, x542 = bits.Mul32(x4, arg2[7]) + var x544 uint32 + var x545 uint32 + x545, x544 = bits.Mul32(x4, arg2[6]) + var x546 uint32 + var x547 uint32 + x547, x546 = bits.Mul32(x4, arg2[5]) + var x548 uint32 + var x549 uint32 + x549, x548 = bits.Mul32(x4, arg2[4]) + var x550 uint32 + var x551 uint32 + x551, x550 = bits.Mul32(x4, arg2[3]) + var x552 uint32 + var x553 uint32 + x553, x552 = bits.Mul32(x4, arg2[2]) + var x554 uint32 + var x555 uint32 + x555, x554 = bits.Mul32(x4, arg2[1]) + var x556 uint32 + var x557 uint32 + x557, x556 = bits.Mul32(x4, arg2[0]) + var x558 uint32 + var x559 uint1 + x558, x559 = addcarryxU32(x557, x554, 0x0) + var x560 uint32 + var x561 uint1 + x560, x561 = addcarryxU32(x555, x552, x559) + var x562 uint32 + var x563 uint1 + x562, x563 = addcarryxU32(x553, x550, x561) + var x564 uint32 + var x565 uint1 + x564, x565 = addcarryxU32(x551, x548, x563) + var x566 
uint32 + var x567 uint1 + x566, x567 = addcarryxU32(x549, x546, x565) + var x568 uint32 + var x569 uint1 + x568, x569 = addcarryxU32(x547, x544, x567) + var x570 uint32 + var x571 uint1 + x570, x571 = addcarryxU32(x545, x542, x569) + var x572 uint32 + var x573 uint1 + x572, x573 = addcarryxU32(x543, x540, x571) + var x574 uint32 + var x575 uint1 + x574, x575 = addcarryxU32(x541, x538, x573) + var x576 uint32 + var x577 uint1 + x576, x577 = addcarryxU32(x539, x536, x575) + var x578 uint32 + var x579 uint1 + x578, x579 = addcarryxU32(x537, x534, x577) + x580 := (uint32(x579) + x535) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x509, x556, 0x0) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32(x511, x558, x582) + var x585 uint32 + var x586 uint1 + x585, x586 = addcarryxU32(x513, x560, x584) + var x587 uint32 + var x588 uint1 + x587, x588 = addcarryxU32(x515, x562, x586) + var x589 uint32 + var x590 uint1 + x589, x590 = addcarryxU32(x517, x564, x588) + var x591 uint32 + var x592 uint1 + x591, x592 = addcarryxU32(x519, x566, x590) + var x593 uint32 + var x594 uint1 + x593, x594 = addcarryxU32(x521, x568, x592) + var x595 uint32 + var x596 uint1 + x595, x596 = addcarryxU32(x523, x570, x594) + var x597 uint32 + var x598 uint1 + x597, x598 = addcarryxU32(x525, x572, x596) + var x599 uint32 + var x600 uint1 + x599, x600 = addcarryxU32(x527, x574, x598) + var x601 uint32 + var x602 uint1 + x601, x602 = addcarryxU32(x529, x576, x600) + var x603 uint32 + var x604 uint1 + x603, x604 = addcarryxU32(x531, x578, x602) + var x605 uint32 + var x606 uint1 + x605, x606 = addcarryxU32(x533, x580, x604) + var x607 uint32 + var x608 uint32 + x608, x607 = bits.Mul32(x581, 0xffffffff) + var x609 uint32 + var x610 uint32 + x610, x609 = bits.Mul32(x581, 0xffffffff) + var x611 uint32 + var x612 uint32 + x612, x611 = bits.Mul32(x581, 0xffffffff) + var x613 uint32 + var x614 uint32 + x614, x613 = bits.Mul32(x581, 0xffffffff) + var x615 uint32 + var x616 uint32 + 
x616, x615 = bits.Mul32(x581, 0xffffffff) + var x617 uint32 + var x618 uint32 + x618, x617 = bits.Mul32(x581, 0xffffffff) + var x619 uint32 + var x620 uint32 + x620, x619 = bits.Mul32(x581, 0xffffffff) + var x621 uint32 + var x622 uint32 + x622, x621 = bits.Mul32(x581, 0xfffffffe) + var x623 uint32 + var x624 uint32 + x624, x623 = bits.Mul32(x581, 0xffffffff) + var x625 uint32 + var x626 uint32 + x626, x625 = bits.Mul32(x581, 0xffffffff) + var x627 uint32 + var x628 uint1 + x627, x628 = addcarryxU32(x624, x621, 0x0) + var x629 uint32 + var x630 uint1 + x629, x630 = addcarryxU32(x622, x619, x628) + var x631 uint32 + var x632 uint1 + x631, x632 = addcarryxU32(x620, x617, x630) + var x633 uint32 + var x634 uint1 + x633, x634 = addcarryxU32(x618, x615, x632) + var x635 uint32 + var x636 uint1 + x635, x636 = addcarryxU32(x616, x613, x634) + var x637 uint32 + var x638 uint1 + x637, x638 = addcarryxU32(x614, x611, x636) + var x639 uint32 + var x640 uint1 + x639, x640 = addcarryxU32(x612, x609, x638) + var x641 uint32 + var x642 uint1 + x641, x642 = addcarryxU32(x610, x607, x640) + x643 := (uint32(x642) + x608) + var x645 uint1 + _, x645 = addcarryxU32(x581, x625, 0x0) + var x646 uint32 + var x647 uint1 + x646, x647 = addcarryxU32(x583, x626, x645) + var x648 uint32 + var x649 uint1 + x648, x649 = addcarryxU32(x585, uint32(0x0), x647) + var x650 uint32 + var x651 uint1 + x650, x651 = addcarryxU32(x587, x623, x649) + var x652 uint32 + var x653 uint1 + x652, x653 = addcarryxU32(x589, x627, x651) + var x654 uint32 + var x655 uint1 + x654, x655 = addcarryxU32(x591, x629, x653) + var x656 uint32 + var x657 uint1 + x656, x657 = addcarryxU32(x593, x631, x655) + var x658 uint32 + var x659 uint1 + x658, x659 = addcarryxU32(x595, x633, x657) + var x660 uint32 + var x661 uint1 + x660, x661 = addcarryxU32(x597, x635, x659) + var x662 uint32 + var x663 uint1 + x662, x663 = addcarryxU32(x599, x637, x661) + var x664 uint32 + var x665 uint1 + x664, x665 = addcarryxU32(x601, x639, x663) + 
var x666 uint32 + var x667 uint1 + x666, x667 = addcarryxU32(x603, x641, x665) + var x668 uint32 + var x669 uint1 + x668, x669 = addcarryxU32(x605, x643, x667) + x670 := (uint32(x669) + uint32(x606)) + var x671 uint32 + var x672 uint32 + x672, x671 = bits.Mul32(x5, arg2[11]) + var x673 uint32 + var x674 uint32 + x674, x673 = bits.Mul32(x5, arg2[10]) + var x675 uint32 + var x676 uint32 + x676, x675 = bits.Mul32(x5, arg2[9]) + var x677 uint32 + var x678 uint32 + x678, x677 = bits.Mul32(x5, arg2[8]) + var x679 uint32 + var x680 uint32 + x680, x679 = bits.Mul32(x5, arg2[7]) + var x681 uint32 + var x682 uint32 + x682, x681 = bits.Mul32(x5, arg2[6]) + var x683 uint32 + var x684 uint32 + x684, x683 = bits.Mul32(x5, arg2[5]) + var x685 uint32 + var x686 uint32 + x686, x685 = bits.Mul32(x5, arg2[4]) + var x687 uint32 + var x688 uint32 + x688, x687 = bits.Mul32(x5, arg2[3]) + var x689 uint32 + var x690 uint32 + x690, x689 = bits.Mul32(x5, arg2[2]) + var x691 uint32 + var x692 uint32 + x692, x691 = bits.Mul32(x5, arg2[1]) + var x693 uint32 + var x694 uint32 + x694, x693 = bits.Mul32(x5, arg2[0]) + var x695 uint32 + var x696 uint1 + x695, x696 = addcarryxU32(x694, x691, 0x0) + var x697 uint32 + var x698 uint1 + x697, x698 = addcarryxU32(x692, x689, x696) + var x699 uint32 + var x700 uint1 + x699, x700 = addcarryxU32(x690, x687, x698) + var x701 uint32 + var x702 uint1 + x701, x702 = addcarryxU32(x688, x685, x700) + var x703 uint32 + var x704 uint1 + x703, x704 = addcarryxU32(x686, x683, x702) + var x705 uint32 + var x706 uint1 + x705, x706 = addcarryxU32(x684, x681, x704) + var x707 uint32 + var x708 uint1 + x707, x708 = addcarryxU32(x682, x679, x706) + var x709 uint32 + var x710 uint1 + x709, x710 = addcarryxU32(x680, x677, x708) + var x711 uint32 + var x712 uint1 + x711, x712 = addcarryxU32(x678, x675, x710) + var x713 uint32 + var x714 uint1 + x713, x714 = addcarryxU32(x676, x673, x712) + var x715 uint32 + var x716 uint1 + x715, x716 = addcarryxU32(x674, x671, x714) + x717 
:= (uint32(x716) + x672) + var x718 uint32 + var x719 uint1 + x718, x719 = addcarryxU32(x646, x693, 0x0) + var x720 uint32 + var x721 uint1 + x720, x721 = addcarryxU32(x648, x695, x719) + var x722 uint32 + var x723 uint1 + x722, x723 = addcarryxU32(x650, x697, x721) + var x724 uint32 + var x725 uint1 + x724, x725 = addcarryxU32(x652, x699, x723) + var x726 uint32 + var x727 uint1 + x726, x727 = addcarryxU32(x654, x701, x725) + var x728 uint32 + var x729 uint1 + x728, x729 = addcarryxU32(x656, x703, x727) + var x730 uint32 + var x731 uint1 + x730, x731 = addcarryxU32(x658, x705, x729) + var x732 uint32 + var x733 uint1 + x732, x733 = addcarryxU32(x660, x707, x731) + var x734 uint32 + var x735 uint1 + x734, x735 = addcarryxU32(x662, x709, x733) + var x736 uint32 + var x737 uint1 + x736, x737 = addcarryxU32(x664, x711, x735) + var x738 uint32 + var x739 uint1 + x738, x739 = addcarryxU32(x666, x713, x737) + var x740 uint32 + var x741 uint1 + x740, x741 = addcarryxU32(x668, x715, x739) + var x742 uint32 + var x743 uint1 + x742, x743 = addcarryxU32(x670, x717, x741) + var x744 uint32 + var x745 uint32 + x745, x744 = bits.Mul32(x718, 0xffffffff) + var x746 uint32 + var x747 uint32 + x747, x746 = bits.Mul32(x718, 0xffffffff) + var x748 uint32 + var x749 uint32 + x749, x748 = bits.Mul32(x718, 0xffffffff) + var x750 uint32 + var x751 uint32 + x751, x750 = bits.Mul32(x718, 0xffffffff) + var x752 uint32 + var x753 uint32 + x753, x752 = bits.Mul32(x718, 0xffffffff) + var x754 uint32 + var x755 uint32 + x755, x754 = bits.Mul32(x718, 0xffffffff) + var x756 uint32 + var x757 uint32 + x757, x756 = bits.Mul32(x718, 0xffffffff) + var x758 uint32 + var x759 uint32 + x759, x758 = bits.Mul32(x718, 0xfffffffe) + var x760 uint32 + var x761 uint32 + x761, x760 = bits.Mul32(x718, 0xffffffff) + var x762 uint32 + var x763 uint32 + x763, x762 = bits.Mul32(x718, 0xffffffff) + var x764 uint32 + var x765 uint1 + x764, x765 = addcarryxU32(x761, x758, 0x0) + var x766 uint32 + var x767 uint1 + x766, 
x767 = addcarryxU32(x759, x756, x765) + var x768 uint32 + var x769 uint1 + x768, x769 = addcarryxU32(x757, x754, x767) + var x770 uint32 + var x771 uint1 + x770, x771 = addcarryxU32(x755, x752, x769) + var x772 uint32 + var x773 uint1 + x772, x773 = addcarryxU32(x753, x750, x771) + var x774 uint32 + var x775 uint1 + x774, x775 = addcarryxU32(x751, x748, x773) + var x776 uint32 + var x777 uint1 + x776, x777 = addcarryxU32(x749, x746, x775) + var x778 uint32 + var x779 uint1 + x778, x779 = addcarryxU32(x747, x744, x777) + x780 := (uint32(x779) + x745) + var x782 uint1 + _, x782 = addcarryxU32(x718, x762, 0x0) + var x783 uint32 + var x784 uint1 + x783, x784 = addcarryxU32(x720, x763, x782) + var x785 uint32 + var x786 uint1 + x785, x786 = addcarryxU32(x722, uint32(0x0), x784) + var x787 uint32 + var x788 uint1 + x787, x788 = addcarryxU32(x724, x760, x786) + var x789 uint32 + var x790 uint1 + x789, x790 = addcarryxU32(x726, x764, x788) + var x791 uint32 + var x792 uint1 + x791, x792 = addcarryxU32(x728, x766, x790) + var x793 uint32 + var x794 uint1 + x793, x794 = addcarryxU32(x730, x768, x792) + var x795 uint32 + var x796 uint1 + x795, x796 = addcarryxU32(x732, x770, x794) + var x797 uint32 + var x798 uint1 + x797, x798 = addcarryxU32(x734, x772, x796) + var x799 uint32 + var x800 uint1 + x799, x800 = addcarryxU32(x736, x774, x798) + var x801 uint32 + var x802 uint1 + x801, x802 = addcarryxU32(x738, x776, x800) + var x803 uint32 + var x804 uint1 + x803, x804 = addcarryxU32(x740, x778, x802) + var x805 uint32 + var x806 uint1 + x805, x806 = addcarryxU32(x742, x780, x804) + x807 := (uint32(x806) + uint32(x743)) + var x808 uint32 + var x809 uint32 + x809, x808 = bits.Mul32(x6, arg2[11]) + var x810 uint32 + var x811 uint32 + x811, x810 = bits.Mul32(x6, arg2[10]) + var x812 uint32 + var x813 uint32 + x813, x812 = bits.Mul32(x6, arg2[9]) + var x814 uint32 + var x815 uint32 + x815, x814 = bits.Mul32(x6, arg2[8]) + var x816 uint32 + var x817 uint32 + x817, x816 = 
bits.Mul32(x6, arg2[7]) + var x818 uint32 + var x819 uint32 + x819, x818 = bits.Mul32(x6, arg2[6]) + var x820 uint32 + var x821 uint32 + x821, x820 = bits.Mul32(x6, arg2[5]) + var x822 uint32 + var x823 uint32 + x823, x822 = bits.Mul32(x6, arg2[4]) + var x824 uint32 + var x825 uint32 + x825, x824 = bits.Mul32(x6, arg2[3]) + var x826 uint32 + var x827 uint32 + x827, x826 = bits.Mul32(x6, arg2[2]) + var x828 uint32 + var x829 uint32 + x829, x828 = bits.Mul32(x6, arg2[1]) + var x830 uint32 + var x831 uint32 + x831, x830 = bits.Mul32(x6, arg2[0]) + var x832 uint32 + var x833 uint1 + x832, x833 = addcarryxU32(x831, x828, 0x0) + var x834 uint32 + var x835 uint1 + x834, x835 = addcarryxU32(x829, x826, x833) + var x836 uint32 + var x837 uint1 + x836, x837 = addcarryxU32(x827, x824, x835) + var x838 uint32 + var x839 uint1 + x838, x839 = addcarryxU32(x825, x822, x837) + var x840 uint32 + var x841 uint1 + x840, x841 = addcarryxU32(x823, x820, x839) + var x842 uint32 + var x843 uint1 + x842, x843 = addcarryxU32(x821, x818, x841) + var x844 uint32 + var x845 uint1 + x844, x845 = addcarryxU32(x819, x816, x843) + var x846 uint32 + var x847 uint1 + x846, x847 = addcarryxU32(x817, x814, x845) + var x848 uint32 + var x849 uint1 + x848, x849 = addcarryxU32(x815, x812, x847) + var x850 uint32 + var x851 uint1 + x850, x851 = addcarryxU32(x813, x810, x849) + var x852 uint32 + var x853 uint1 + x852, x853 = addcarryxU32(x811, x808, x851) + x854 := (uint32(x853) + x809) + var x855 uint32 + var x856 uint1 + x855, x856 = addcarryxU32(x783, x830, 0x0) + var x857 uint32 + var x858 uint1 + x857, x858 = addcarryxU32(x785, x832, x856) + var x859 uint32 + var x860 uint1 + x859, x860 = addcarryxU32(x787, x834, x858) + var x861 uint32 + var x862 uint1 + x861, x862 = addcarryxU32(x789, x836, x860) + var x863 uint32 + var x864 uint1 + x863, x864 = addcarryxU32(x791, x838, x862) + var x865 uint32 + var x866 uint1 + x865, x866 = addcarryxU32(x793, x840, x864) + var x867 uint32 + var x868 uint1 + x867, 
x868 = addcarryxU32(x795, x842, x866) + var x869 uint32 + var x870 uint1 + x869, x870 = addcarryxU32(x797, x844, x868) + var x871 uint32 + var x872 uint1 + x871, x872 = addcarryxU32(x799, x846, x870) + var x873 uint32 + var x874 uint1 + x873, x874 = addcarryxU32(x801, x848, x872) + var x875 uint32 + var x876 uint1 + x875, x876 = addcarryxU32(x803, x850, x874) + var x877 uint32 + var x878 uint1 + x877, x878 = addcarryxU32(x805, x852, x876) + var x879 uint32 + var x880 uint1 + x879, x880 = addcarryxU32(x807, x854, x878) + var x881 uint32 + var x882 uint32 + x882, x881 = bits.Mul32(x855, 0xffffffff) + var x883 uint32 + var x884 uint32 + x884, x883 = bits.Mul32(x855, 0xffffffff) + var x885 uint32 + var x886 uint32 + x886, x885 = bits.Mul32(x855, 0xffffffff) + var x887 uint32 + var x888 uint32 + x888, x887 = bits.Mul32(x855, 0xffffffff) + var x889 uint32 + var x890 uint32 + x890, x889 = bits.Mul32(x855, 0xffffffff) + var x891 uint32 + var x892 uint32 + x892, x891 = bits.Mul32(x855, 0xffffffff) + var x893 uint32 + var x894 uint32 + x894, x893 = bits.Mul32(x855, 0xffffffff) + var x895 uint32 + var x896 uint32 + x896, x895 = bits.Mul32(x855, 0xfffffffe) + var x897 uint32 + var x898 uint32 + x898, x897 = bits.Mul32(x855, 0xffffffff) + var x899 uint32 + var x900 uint32 + x900, x899 = bits.Mul32(x855, 0xffffffff) + var x901 uint32 + var x902 uint1 + x901, x902 = addcarryxU32(x898, x895, 0x0) + var x903 uint32 + var x904 uint1 + x903, x904 = addcarryxU32(x896, x893, x902) + var x905 uint32 + var x906 uint1 + x905, x906 = addcarryxU32(x894, x891, x904) + var x907 uint32 + var x908 uint1 + x907, x908 = addcarryxU32(x892, x889, x906) + var x909 uint32 + var x910 uint1 + x909, x910 = addcarryxU32(x890, x887, x908) + var x911 uint32 + var x912 uint1 + x911, x912 = addcarryxU32(x888, x885, x910) + var x913 uint32 + var x914 uint1 + x913, x914 = addcarryxU32(x886, x883, x912) + var x915 uint32 + var x916 uint1 + x915, x916 = addcarryxU32(x884, x881, x914) + x917 := (uint32(x916) + 
x882) + var x919 uint1 + _, x919 = addcarryxU32(x855, x899, 0x0) + var x920 uint32 + var x921 uint1 + x920, x921 = addcarryxU32(x857, x900, x919) + var x922 uint32 + var x923 uint1 + x922, x923 = addcarryxU32(x859, uint32(0x0), x921) + var x924 uint32 + var x925 uint1 + x924, x925 = addcarryxU32(x861, x897, x923) + var x926 uint32 + var x927 uint1 + x926, x927 = addcarryxU32(x863, x901, x925) + var x928 uint32 + var x929 uint1 + x928, x929 = addcarryxU32(x865, x903, x927) + var x930 uint32 + var x931 uint1 + x930, x931 = addcarryxU32(x867, x905, x929) + var x932 uint32 + var x933 uint1 + x932, x933 = addcarryxU32(x869, x907, x931) + var x934 uint32 + var x935 uint1 + x934, x935 = addcarryxU32(x871, x909, x933) + var x936 uint32 + var x937 uint1 + x936, x937 = addcarryxU32(x873, x911, x935) + var x938 uint32 + var x939 uint1 + x938, x939 = addcarryxU32(x875, x913, x937) + var x940 uint32 + var x941 uint1 + x940, x941 = addcarryxU32(x877, x915, x939) + var x942 uint32 + var x943 uint1 + x942, x943 = addcarryxU32(x879, x917, x941) + x944 := (uint32(x943) + uint32(x880)) + var x945 uint32 + var x946 uint32 + x946, x945 = bits.Mul32(x7, arg2[11]) + var x947 uint32 + var x948 uint32 + x948, x947 = bits.Mul32(x7, arg2[10]) + var x949 uint32 + var x950 uint32 + x950, x949 = bits.Mul32(x7, arg2[9]) + var x951 uint32 + var x952 uint32 + x952, x951 = bits.Mul32(x7, arg2[8]) + var x953 uint32 + var x954 uint32 + x954, x953 = bits.Mul32(x7, arg2[7]) + var x955 uint32 + var x956 uint32 + x956, x955 = bits.Mul32(x7, arg2[6]) + var x957 uint32 + var x958 uint32 + x958, x957 = bits.Mul32(x7, arg2[5]) + var x959 uint32 + var x960 uint32 + x960, x959 = bits.Mul32(x7, arg2[4]) + var x961 uint32 + var x962 uint32 + x962, x961 = bits.Mul32(x7, arg2[3]) + var x963 uint32 + var x964 uint32 + x964, x963 = bits.Mul32(x7, arg2[2]) + var x965 uint32 + var x966 uint32 + x966, x965 = bits.Mul32(x7, arg2[1]) + var x967 uint32 + var x968 uint32 + x968, x967 = bits.Mul32(x7, arg2[0]) + var x969 
uint32 + var x970 uint1 + x969, x970 = addcarryxU32(x968, x965, 0x0) + var x971 uint32 + var x972 uint1 + x971, x972 = addcarryxU32(x966, x963, x970) + var x973 uint32 + var x974 uint1 + x973, x974 = addcarryxU32(x964, x961, x972) + var x975 uint32 + var x976 uint1 + x975, x976 = addcarryxU32(x962, x959, x974) + var x977 uint32 + var x978 uint1 + x977, x978 = addcarryxU32(x960, x957, x976) + var x979 uint32 + var x980 uint1 + x979, x980 = addcarryxU32(x958, x955, x978) + var x981 uint32 + var x982 uint1 + x981, x982 = addcarryxU32(x956, x953, x980) + var x983 uint32 + var x984 uint1 + x983, x984 = addcarryxU32(x954, x951, x982) + var x985 uint32 + var x986 uint1 + x985, x986 = addcarryxU32(x952, x949, x984) + var x987 uint32 + var x988 uint1 + x987, x988 = addcarryxU32(x950, x947, x986) + var x989 uint32 + var x990 uint1 + x989, x990 = addcarryxU32(x948, x945, x988) + x991 := (uint32(x990) + x946) + var x992 uint32 + var x993 uint1 + x992, x993 = addcarryxU32(x920, x967, 0x0) + var x994 uint32 + var x995 uint1 + x994, x995 = addcarryxU32(x922, x969, x993) + var x996 uint32 + var x997 uint1 + x996, x997 = addcarryxU32(x924, x971, x995) + var x998 uint32 + var x999 uint1 + x998, x999 = addcarryxU32(x926, x973, x997) + var x1000 uint32 + var x1001 uint1 + x1000, x1001 = addcarryxU32(x928, x975, x999) + var x1002 uint32 + var x1003 uint1 + x1002, x1003 = addcarryxU32(x930, x977, x1001) + var x1004 uint32 + var x1005 uint1 + x1004, x1005 = addcarryxU32(x932, x979, x1003) + var x1006 uint32 + var x1007 uint1 + x1006, x1007 = addcarryxU32(x934, x981, x1005) + var x1008 uint32 + var x1009 uint1 + x1008, x1009 = addcarryxU32(x936, x983, x1007) + var x1010 uint32 + var x1011 uint1 + x1010, x1011 = addcarryxU32(x938, x985, x1009) + var x1012 uint32 + var x1013 uint1 + x1012, x1013 = addcarryxU32(x940, x987, x1011) + var x1014 uint32 + var x1015 uint1 + x1014, x1015 = addcarryxU32(x942, x989, x1013) + var x1016 uint32 + var x1017 uint1 + x1016, x1017 = addcarryxU32(x944, x991, 
x1015) + var x1018 uint32 + var x1019 uint32 + x1019, x1018 = bits.Mul32(x992, 0xffffffff) + var x1020 uint32 + var x1021 uint32 + x1021, x1020 = bits.Mul32(x992, 0xffffffff) + var x1022 uint32 + var x1023 uint32 + x1023, x1022 = bits.Mul32(x992, 0xffffffff) + var x1024 uint32 + var x1025 uint32 + x1025, x1024 = bits.Mul32(x992, 0xffffffff) + var x1026 uint32 + var x1027 uint32 + x1027, x1026 = bits.Mul32(x992, 0xffffffff) + var x1028 uint32 + var x1029 uint32 + x1029, x1028 = bits.Mul32(x992, 0xffffffff) + var x1030 uint32 + var x1031 uint32 + x1031, x1030 = bits.Mul32(x992, 0xffffffff) + var x1032 uint32 + var x1033 uint32 + x1033, x1032 = bits.Mul32(x992, 0xfffffffe) + var x1034 uint32 + var x1035 uint32 + x1035, x1034 = bits.Mul32(x992, 0xffffffff) + var x1036 uint32 + var x1037 uint32 + x1037, x1036 = bits.Mul32(x992, 0xffffffff) + var x1038 uint32 + var x1039 uint1 + x1038, x1039 = addcarryxU32(x1035, x1032, 0x0) + var x1040 uint32 + var x1041 uint1 + x1040, x1041 = addcarryxU32(x1033, x1030, x1039) + var x1042 uint32 + var x1043 uint1 + x1042, x1043 = addcarryxU32(x1031, x1028, x1041) + var x1044 uint32 + var x1045 uint1 + x1044, x1045 = addcarryxU32(x1029, x1026, x1043) + var x1046 uint32 + var x1047 uint1 + x1046, x1047 = addcarryxU32(x1027, x1024, x1045) + var x1048 uint32 + var x1049 uint1 + x1048, x1049 = addcarryxU32(x1025, x1022, x1047) + var x1050 uint32 + var x1051 uint1 + x1050, x1051 = addcarryxU32(x1023, x1020, x1049) + var x1052 uint32 + var x1053 uint1 + x1052, x1053 = addcarryxU32(x1021, x1018, x1051) + x1054 := (uint32(x1053) + x1019) + var x1056 uint1 + _, x1056 = addcarryxU32(x992, x1036, 0x0) + var x1057 uint32 + var x1058 uint1 + x1057, x1058 = addcarryxU32(x994, x1037, x1056) + var x1059 uint32 + var x1060 uint1 + x1059, x1060 = addcarryxU32(x996, uint32(0x0), x1058) + var x1061 uint32 + var x1062 uint1 + x1061, x1062 = addcarryxU32(x998, x1034, x1060) + var x1063 uint32 + var x1064 uint1 + x1063, x1064 = addcarryxU32(x1000, x1038, 
x1062) + var x1065 uint32 + var x1066 uint1 + x1065, x1066 = addcarryxU32(x1002, x1040, x1064) + var x1067 uint32 + var x1068 uint1 + x1067, x1068 = addcarryxU32(x1004, x1042, x1066) + var x1069 uint32 + var x1070 uint1 + x1069, x1070 = addcarryxU32(x1006, x1044, x1068) + var x1071 uint32 + var x1072 uint1 + x1071, x1072 = addcarryxU32(x1008, x1046, x1070) + var x1073 uint32 + var x1074 uint1 + x1073, x1074 = addcarryxU32(x1010, x1048, x1072) + var x1075 uint32 + var x1076 uint1 + x1075, x1076 = addcarryxU32(x1012, x1050, x1074) + var x1077 uint32 + var x1078 uint1 + x1077, x1078 = addcarryxU32(x1014, x1052, x1076) + var x1079 uint32 + var x1080 uint1 + x1079, x1080 = addcarryxU32(x1016, x1054, x1078) + x1081 := (uint32(x1080) + uint32(x1017)) + var x1082 uint32 + var x1083 uint32 + x1083, x1082 = bits.Mul32(x8, arg2[11]) + var x1084 uint32 + var x1085 uint32 + x1085, x1084 = bits.Mul32(x8, arg2[10]) + var x1086 uint32 + var x1087 uint32 + x1087, x1086 = bits.Mul32(x8, arg2[9]) + var x1088 uint32 + var x1089 uint32 + x1089, x1088 = bits.Mul32(x8, arg2[8]) + var x1090 uint32 + var x1091 uint32 + x1091, x1090 = bits.Mul32(x8, arg2[7]) + var x1092 uint32 + var x1093 uint32 + x1093, x1092 = bits.Mul32(x8, arg2[6]) + var x1094 uint32 + var x1095 uint32 + x1095, x1094 = bits.Mul32(x8, arg2[5]) + var x1096 uint32 + var x1097 uint32 + x1097, x1096 = bits.Mul32(x8, arg2[4]) + var x1098 uint32 + var x1099 uint32 + x1099, x1098 = bits.Mul32(x8, arg2[3]) + var x1100 uint32 + var x1101 uint32 + x1101, x1100 = bits.Mul32(x8, arg2[2]) + var x1102 uint32 + var x1103 uint32 + x1103, x1102 = bits.Mul32(x8, arg2[1]) + var x1104 uint32 + var x1105 uint32 + x1105, x1104 = bits.Mul32(x8, arg2[0]) + var x1106 uint32 + var x1107 uint1 + x1106, x1107 = addcarryxU32(x1105, x1102, 0x0) + var x1108 uint32 + var x1109 uint1 + x1108, x1109 = addcarryxU32(x1103, x1100, x1107) + var x1110 uint32 + var x1111 uint1 + x1110, x1111 = addcarryxU32(x1101, x1098, x1109) + var x1112 uint32 + var x1113 
uint1 + x1112, x1113 = addcarryxU32(x1099, x1096, x1111) + var x1114 uint32 + var x1115 uint1 + x1114, x1115 = addcarryxU32(x1097, x1094, x1113) + var x1116 uint32 + var x1117 uint1 + x1116, x1117 = addcarryxU32(x1095, x1092, x1115) + var x1118 uint32 + var x1119 uint1 + x1118, x1119 = addcarryxU32(x1093, x1090, x1117) + var x1120 uint32 + var x1121 uint1 + x1120, x1121 = addcarryxU32(x1091, x1088, x1119) + var x1122 uint32 + var x1123 uint1 + x1122, x1123 = addcarryxU32(x1089, x1086, x1121) + var x1124 uint32 + var x1125 uint1 + x1124, x1125 = addcarryxU32(x1087, x1084, x1123) + var x1126 uint32 + var x1127 uint1 + x1126, x1127 = addcarryxU32(x1085, x1082, x1125) + x1128 := (uint32(x1127) + x1083) + var x1129 uint32 + var x1130 uint1 + x1129, x1130 = addcarryxU32(x1057, x1104, 0x0) + var x1131 uint32 + var x1132 uint1 + x1131, x1132 = addcarryxU32(x1059, x1106, x1130) + var x1133 uint32 + var x1134 uint1 + x1133, x1134 = addcarryxU32(x1061, x1108, x1132) + var x1135 uint32 + var x1136 uint1 + x1135, x1136 = addcarryxU32(x1063, x1110, x1134) + var x1137 uint32 + var x1138 uint1 + x1137, x1138 = addcarryxU32(x1065, x1112, x1136) + var x1139 uint32 + var x1140 uint1 + x1139, x1140 = addcarryxU32(x1067, x1114, x1138) + var x1141 uint32 + var x1142 uint1 + x1141, x1142 = addcarryxU32(x1069, x1116, x1140) + var x1143 uint32 + var x1144 uint1 + x1143, x1144 = addcarryxU32(x1071, x1118, x1142) + var x1145 uint32 + var x1146 uint1 + x1145, x1146 = addcarryxU32(x1073, x1120, x1144) + var x1147 uint32 + var x1148 uint1 + x1147, x1148 = addcarryxU32(x1075, x1122, x1146) + var x1149 uint32 + var x1150 uint1 + x1149, x1150 = addcarryxU32(x1077, x1124, x1148) + var x1151 uint32 + var x1152 uint1 + x1151, x1152 = addcarryxU32(x1079, x1126, x1150) + var x1153 uint32 + var x1154 uint1 + x1153, x1154 = addcarryxU32(x1081, x1128, x1152) + var x1155 uint32 + var x1156 uint32 + x1156, x1155 = bits.Mul32(x1129, 0xffffffff) + var x1157 uint32 + var x1158 uint32 + x1158, x1157 = 
bits.Mul32(x1129, 0xffffffff) + var x1159 uint32 + var x1160 uint32 + x1160, x1159 = bits.Mul32(x1129, 0xffffffff) + var x1161 uint32 + var x1162 uint32 + x1162, x1161 = bits.Mul32(x1129, 0xffffffff) + var x1163 uint32 + var x1164 uint32 + x1164, x1163 = bits.Mul32(x1129, 0xffffffff) + var x1165 uint32 + var x1166 uint32 + x1166, x1165 = bits.Mul32(x1129, 0xffffffff) + var x1167 uint32 + var x1168 uint32 + x1168, x1167 = bits.Mul32(x1129, 0xffffffff) + var x1169 uint32 + var x1170 uint32 + x1170, x1169 = bits.Mul32(x1129, 0xfffffffe) + var x1171 uint32 + var x1172 uint32 + x1172, x1171 = bits.Mul32(x1129, 0xffffffff) + var x1173 uint32 + var x1174 uint32 + x1174, x1173 = bits.Mul32(x1129, 0xffffffff) + var x1175 uint32 + var x1176 uint1 + x1175, x1176 = addcarryxU32(x1172, x1169, 0x0) + var x1177 uint32 + var x1178 uint1 + x1177, x1178 = addcarryxU32(x1170, x1167, x1176) + var x1179 uint32 + var x1180 uint1 + x1179, x1180 = addcarryxU32(x1168, x1165, x1178) + var x1181 uint32 + var x1182 uint1 + x1181, x1182 = addcarryxU32(x1166, x1163, x1180) + var x1183 uint32 + var x1184 uint1 + x1183, x1184 = addcarryxU32(x1164, x1161, x1182) + var x1185 uint32 + var x1186 uint1 + x1185, x1186 = addcarryxU32(x1162, x1159, x1184) + var x1187 uint32 + var x1188 uint1 + x1187, x1188 = addcarryxU32(x1160, x1157, x1186) + var x1189 uint32 + var x1190 uint1 + x1189, x1190 = addcarryxU32(x1158, x1155, x1188) + x1191 := (uint32(x1190) + x1156) + var x1193 uint1 + _, x1193 = addcarryxU32(x1129, x1173, 0x0) + var x1194 uint32 + var x1195 uint1 + x1194, x1195 = addcarryxU32(x1131, x1174, x1193) + var x1196 uint32 + var x1197 uint1 + x1196, x1197 = addcarryxU32(x1133, uint32(0x0), x1195) + var x1198 uint32 + var x1199 uint1 + x1198, x1199 = addcarryxU32(x1135, x1171, x1197) + var x1200 uint32 + var x1201 uint1 + x1200, x1201 = addcarryxU32(x1137, x1175, x1199) + var x1202 uint32 + var x1203 uint1 + x1202, x1203 = addcarryxU32(x1139, x1177, x1201) + var x1204 uint32 + var x1205 uint1 + 
x1204, x1205 = addcarryxU32(x1141, x1179, x1203) + var x1206 uint32 + var x1207 uint1 + x1206, x1207 = addcarryxU32(x1143, x1181, x1205) + var x1208 uint32 + var x1209 uint1 + x1208, x1209 = addcarryxU32(x1145, x1183, x1207) + var x1210 uint32 + var x1211 uint1 + x1210, x1211 = addcarryxU32(x1147, x1185, x1209) + var x1212 uint32 + var x1213 uint1 + x1212, x1213 = addcarryxU32(x1149, x1187, x1211) + var x1214 uint32 + var x1215 uint1 + x1214, x1215 = addcarryxU32(x1151, x1189, x1213) + var x1216 uint32 + var x1217 uint1 + x1216, x1217 = addcarryxU32(x1153, x1191, x1215) + x1218 := (uint32(x1217) + uint32(x1154)) + var x1219 uint32 + var x1220 uint32 + x1220, x1219 = bits.Mul32(x9, arg2[11]) + var x1221 uint32 + var x1222 uint32 + x1222, x1221 = bits.Mul32(x9, arg2[10]) + var x1223 uint32 + var x1224 uint32 + x1224, x1223 = bits.Mul32(x9, arg2[9]) + var x1225 uint32 + var x1226 uint32 + x1226, x1225 = bits.Mul32(x9, arg2[8]) + var x1227 uint32 + var x1228 uint32 + x1228, x1227 = bits.Mul32(x9, arg2[7]) + var x1229 uint32 + var x1230 uint32 + x1230, x1229 = bits.Mul32(x9, arg2[6]) + var x1231 uint32 + var x1232 uint32 + x1232, x1231 = bits.Mul32(x9, arg2[5]) + var x1233 uint32 + var x1234 uint32 + x1234, x1233 = bits.Mul32(x9, arg2[4]) + var x1235 uint32 + var x1236 uint32 + x1236, x1235 = bits.Mul32(x9, arg2[3]) + var x1237 uint32 + var x1238 uint32 + x1238, x1237 = bits.Mul32(x9, arg2[2]) + var x1239 uint32 + var x1240 uint32 + x1240, x1239 = bits.Mul32(x9, arg2[1]) + var x1241 uint32 + var x1242 uint32 + x1242, x1241 = bits.Mul32(x9, arg2[0]) + var x1243 uint32 + var x1244 uint1 + x1243, x1244 = addcarryxU32(x1242, x1239, 0x0) + var x1245 uint32 + var x1246 uint1 + x1245, x1246 = addcarryxU32(x1240, x1237, x1244) + var x1247 uint32 + var x1248 uint1 + x1247, x1248 = addcarryxU32(x1238, x1235, x1246) + var x1249 uint32 + var x1250 uint1 + x1249, x1250 = addcarryxU32(x1236, x1233, x1248) + var x1251 uint32 + var x1252 uint1 + x1251, x1252 = addcarryxU32(x1234, 
x1231, x1250) + var x1253 uint32 + var x1254 uint1 + x1253, x1254 = addcarryxU32(x1232, x1229, x1252) + var x1255 uint32 + var x1256 uint1 + x1255, x1256 = addcarryxU32(x1230, x1227, x1254) + var x1257 uint32 + var x1258 uint1 + x1257, x1258 = addcarryxU32(x1228, x1225, x1256) + var x1259 uint32 + var x1260 uint1 + x1259, x1260 = addcarryxU32(x1226, x1223, x1258) + var x1261 uint32 + var x1262 uint1 + x1261, x1262 = addcarryxU32(x1224, x1221, x1260) + var x1263 uint32 + var x1264 uint1 + x1263, x1264 = addcarryxU32(x1222, x1219, x1262) + x1265 := (uint32(x1264) + x1220) + var x1266 uint32 + var x1267 uint1 + x1266, x1267 = addcarryxU32(x1194, x1241, 0x0) + var x1268 uint32 + var x1269 uint1 + x1268, x1269 = addcarryxU32(x1196, x1243, x1267) + var x1270 uint32 + var x1271 uint1 + x1270, x1271 = addcarryxU32(x1198, x1245, x1269) + var x1272 uint32 + var x1273 uint1 + x1272, x1273 = addcarryxU32(x1200, x1247, x1271) + var x1274 uint32 + var x1275 uint1 + x1274, x1275 = addcarryxU32(x1202, x1249, x1273) + var x1276 uint32 + var x1277 uint1 + x1276, x1277 = addcarryxU32(x1204, x1251, x1275) + var x1278 uint32 + var x1279 uint1 + x1278, x1279 = addcarryxU32(x1206, x1253, x1277) + var x1280 uint32 + var x1281 uint1 + x1280, x1281 = addcarryxU32(x1208, x1255, x1279) + var x1282 uint32 + var x1283 uint1 + x1282, x1283 = addcarryxU32(x1210, x1257, x1281) + var x1284 uint32 + var x1285 uint1 + x1284, x1285 = addcarryxU32(x1212, x1259, x1283) + var x1286 uint32 + var x1287 uint1 + x1286, x1287 = addcarryxU32(x1214, x1261, x1285) + var x1288 uint32 + var x1289 uint1 + x1288, x1289 = addcarryxU32(x1216, x1263, x1287) + var x1290 uint32 + var x1291 uint1 + x1290, x1291 = addcarryxU32(x1218, x1265, x1289) + var x1292 uint32 + var x1293 uint32 + x1293, x1292 = bits.Mul32(x1266, 0xffffffff) + var x1294 uint32 + var x1295 uint32 + x1295, x1294 = bits.Mul32(x1266, 0xffffffff) + var x1296 uint32 + var x1297 uint32 + x1297, x1296 = bits.Mul32(x1266, 0xffffffff) + var x1298 uint32 + var 
x1299 uint32 + x1299, x1298 = bits.Mul32(x1266, 0xffffffff) + var x1300 uint32 + var x1301 uint32 + x1301, x1300 = bits.Mul32(x1266, 0xffffffff) + var x1302 uint32 + var x1303 uint32 + x1303, x1302 = bits.Mul32(x1266, 0xffffffff) + var x1304 uint32 + var x1305 uint32 + x1305, x1304 = bits.Mul32(x1266, 0xffffffff) + var x1306 uint32 + var x1307 uint32 + x1307, x1306 = bits.Mul32(x1266, 0xfffffffe) + var x1308 uint32 + var x1309 uint32 + x1309, x1308 = bits.Mul32(x1266, 0xffffffff) + var x1310 uint32 + var x1311 uint32 + x1311, x1310 = bits.Mul32(x1266, 0xffffffff) + var x1312 uint32 + var x1313 uint1 + x1312, x1313 = addcarryxU32(x1309, x1306, 0x0) + var x1314 uint32 + var x1315 uint1 + x1314, x1315 = addcarryxU32(x1307, x1304, x1313) + var x1316 uint32 + var x1317 uint1 + x1316, x1317 = addcarryxU32(x1305, x1302, x1315) + var x1318 uint32 + var x1319 uint1 + x1318, x1319 = addcarryxU32(x1303, x1300, x1317) + var x1320 uint32 + var x1321 uint1 + x1320, x1321 = addcarryxU32(x1301, x1298, x1319) + var x1322 uint32 + var x1323 uint1 + x1322, x1323 = addcarryxU32(x1299, x1296, x1321) + var x1324 uint32 + var x1325 uint1 + x1324, x1325 = addcarryxU32(x1297, x1294, x1323) + var x1326 uint32 + var x1327 uint1 + x1326, x1327 = addcarryxU32(x1295, x1292, x1325) + x1328 := (uint32(x1327) + x1293) + var x1330 uint1 + _, x1330 = addcarryxU32(x1266, x1310, 0x0) + var x1331 uint32 + var x1332 uint1 + x1331, x1332 = addcarryxU32(x1268, x1311, x1330) + var x1333 uint32 + var x1334 uint1 + x1333, x1334 = addcarryxU32(x1270, uint32(0x0), x1332) + var x1335 uint32 + var x1336 uint1 + x1335, x1336 = addcarryxU32(x1272, x1308, x1334) + var x1337 uint32 + var x1338 uint1 + x1337, x1338 = addcarryxU32(x1274, x1312, x1336) + var x1339 uint32 + var x1340 uint1 + x1339, x1340 = addcarryxU32(x1276, x1314, x1338) + var x1341 uint32 + var x1342 uint1 + x1341, x1342 = addcarryxU32(x1278, x1316, x1340) + var x1343 uint32 + var x1344 uint1 + x1343, x1344 = addcarryxU32(x1280, x1318, x1342) + var 
x1345 uint32 + var x1346 uint1 + x1345, x1346 = addcarryxU32(x1282, x1320, x1344) + var x1347 uint32 + var x1348 uint1 + x1347, x1348 = addcarryxU32(x1284, x1322, x1346) + var x1349 uint32 + var x1350 uint1 + x1349, x1350 = addcarryxU32(x1286, x1324, x1348) + var x1351 uint32 + var x1352 uint1 + x1351, x1352 = addcarryxU32(x1288, x1326, x1350) + var x1353 uint32 + var x1354 uint1 + x1353, x1354 = addcarryxU32(x1290, x1328, x1352) + x1355 := (uint32(x1354) + uint32(x1291)) + var x1356 uint32 + var x1357 uint32 + x1357, x1356 = bits.Mul32(x10, arg2[11]) + var x1358 uint32 + var x1359 uint32 + x1359, x1358 = bits.Mul32(x10, arg2[10]) + var x1360 uint32 + var x1361 uint32 + x1361, x1360 = bits.Mul32(x10, arg2[9]) + var x1362 uint32 + var x1363 uint32 + x1363, x1362 = bits.Mul32(x10, arg2[8]) + var x1364 uint32 + var x1365 uint32 + x1365, x1364 = bits.Mul32(x10, arg2[7]) + var x1366 uint32 + var x1367 uint32 + x1367, x1366 = bits.Mul32(x10, arg2[6]) + var x1368 uint32 + var x1369 uint32 + x1369, x1368 = bits.Mul32(x10, arg2[5]) + var x1370 uint32 + var x1371 uint32 + x1371, x1370 = bits.Mul32(x10, arg2[4]) + var x1372 uint32 + var x1373 uint32 + x1373, x1372 = bits.Mul32(x10, arg2[3]) + var x1374 uint32 + var x1375 uint32 + x1375, x1374 = bits.Mul32(x10, arg2[2]) + var x1376 uint32 + var x1377 uint32 + x1377, x1376 = bits.Mul32(x10, arg2[1]) + var x1378 uint32 + var x1379 uint32 + x1379, x1378 = bits.Mul32(x10, arg2[0]) + var x1380 uint32 + var x1381 uint1 + x1380, x1381 = addcarryxU32(x1379, x1376, 0x0) + var x1382 uint32 + var x1383 uint1 + x1382, x1383 = addcarryxU32(x1377, x1374, x1381) + var x1384 uint32 + var x1385 uint1 + x1384, x1385 = addcarryxU32(x1375, x1372, x1383) + var x1386 uint32 + var x1387 uint1 + x1386, x1387 = addcarryxU32(x1373, x1370, x1385) + var x1388 uint32 + var x1389 uint1 + x1388, x1389 = addcarryxU32(x1371, x1368, x1387) + var x1390 uint32 + var x1391 uint1 + x1390, x1391 = addcarryxU32(x1369, x1366, x1389) + var x1392 uint32 + var x1393 
uint1 + x1392, x1393 = addcarryxU32(x1367, x1364, x1391) + var x1394 uint32 + var x1395 uint1 + x1394, x1395 = addcarryxU32(x1365, x1362, x1393) + var x1396 uint32 + var x1397 uint1 + x1396, x1397 = addcarryxU32(x1363, x1360, x1395) + var x1398 uint32 + var x1399 uint1 + x1398, x1399 = addcarryxU32(x1361, x1358, x1397) + var x1400 uint32 + var x1401 uint1 + x1400, x1401 = addcarryxU32(x1359, x1356, x1399) + x1402 := (uint32(x1401) + x1357) + var x1403 uint32 + var x1404 uint1 + x1403, x1404 = addcarryxU32(x1331, x1378, 0x0) + var x1405 uint32 + var x1406 uint1 + x1405, x1406 = addcarryxU32(x1333, x1380, x1404) + var x1407 uint32 + var x1408 uint1 + x1407, x1408 = addcarryxU32(x1335, x1382, x1406) + var x1409 uint32 + var x1410 uint1 + x1409, x1410 = addcarryxU32(x1337, x1384, x1408) + var x1411 uint32 + var x1412 uint1 + x1411, x1412 = addcarryxU32(x1339, x1386, x1410) + var x1413 uint32 + var x1414 uint1 + x1413, x1414 = addcarryxU32(x1341, x1388, x1412) + var x1415 uint32 + var x1416 uint1 + x1415, x1416 = addcarryxU32(x1343, x1390, x1414) + var x1417 uint32 + var x1418 uint1 + x1417, x1418 = addcarryxU32(x1345, x1392, x1416) + var x1419 uint32 + var x1420 uint1 + x1419, x1420 = addcarryxU32(x1347, x1394, x1418) + var x1421 uint32 + var x1422 uint1 + x1421, x1422 = addcarryxU32(x1349, x1396, x1420) + var x1423 uint32 + var x1424 uint1 + x1423, x1424 = addcarryxU32(x1351, x1398, x1422) + var x1425 uint32 + var x1426 uint1 + x1425, x1426 = addcarryxU32(x1353, x1400, x1424) + var x1427 uint32 + var x1428 uint1 + x1427, x1428 = addcarryxU32(x1355, x1402, x1426) + var x1429 uint32 + var x1430 uint32 + x1430, x1429 = bits.Mul32(x1403, 0xffffffff) + var x1431 uint32 + var x1432 uint32 + x1432, x1431 = bits.Mul32(x1403, 0xffffffff) + var x1433 uint32 + var x1434 uint32 + x1434, x1433 = bits.Mul32(x1403, 0xffffffff) + var x1435 uint32 + var x1436 uint32 + x1436, x1435 = bits.Mul32(x1403, 0xffffffff) + var x1437 uint32 + var x1438 uint32 + x1438, x1437 = bits.Mul32(x1403, 
0xffffffff) + var x1439 uint32 + var x1440 uint32 + x1440, x1439 = bits.Mul32(x1403, 0xffffffff) + var x1441 uint32 + var x1442 uint32 + x1442, x1441 = bits.Mul32(x1403, 0xffffffff) + var x1443 uint32 + var x1444 uint32 + x1444, x1443 = bits.Mul32(x1403, 0xfffffffe) + var x1445 uint32 + var x1446 uint32 + x1446, x1445 = bits.Mul32(x1403, 0xffffffff) + var x1447 uint32 + var x1448 uint32 + x1448, x1447 = bits.Mul32(x1403, 0xffffffff) + var x1449 uint32 + var x1450 uint1 + x1449, x1450 = addcarryxU32(x1446, x1443, 0x0) + var x1451 uint32 + var x1452 uint1 + x1451, x1452 = addcarryxU32(x1444, x1441, x1450) + var x1453 uint32 + var x1454 uint1 + x1453, x1454 = addcarryxU32(x1442, x1439, x1452) + var x1455 uint32 + var x1456 uint1 + x1455, x1456 = addcarryxU32(x1440, x1437, x1454) + var x1457 uint32 + var x1458 uint1 + x1457, x1458 = addcarryxU32(x1438, x1435, x1456) + var x1459 uint32 + var x1460 uint1 + x1459, x1460 = addcarryxU32(x1436, x1433, x1458) + var x1461 uint32 + var x1462 uint1 + x1461, x1462 = addcarryxU32(x1434, x1431, x1460) + var x1463 uint32 + var x1464 uint1 + x1463, x1464 = addcarryxU32(x1432, x1429, x1462) + x1465 := (uint32(x1464) + x1430) + var x1467 uint1 + _, x1467 = addcarryxU32(x1403, x1447, 0x0) + var x1468 uint32 + var x1469 uint1 + x1468, x1469 = addcarryxU32(x1405, x1448, x1467) + var x1470 uint32 + var x1471 uint1 + x1470, x1471 = addcarryxU32(x1407, uint32(0x0), x1469) + var x1472 uint32 + var x1473 uint1 + x1472, x1473 = addcarryxU32(x1409, x1445, x1471) + var x1474 uint32 + var x1475 uint1 + x1474, x1475 = addcarryxU32(x1411, x1449, x1473) + var x1476 uint32 + var x1477 uint1 + x1476, x1477 = addcarryxU32(x1413, x1451, x1475) + var x1478 uint32 + var x1479 uint1 + x1478, x1479 = addcarryxU32(x1415, x1453, x1477) + var x1480 uint32 + var x1481 uint1 + x1480, x1481 = addcarryxU32(x1417, x1455, x1479) + var x1482 uint32 + var x1483 uint1 + x1482, x1483 = addcarryxU32(x1419, x1457, x1481) + var x1484 uint32 + var x1485 uint1 + x1484, x1485 
= addcarryxU32(x1421, x1459, x1483) + var x1486 uint32 + var x1487 uint1 + x1486, x1487 = addcarryxU32(x1423, x1461, x1485) + var x1488 uint32 + var x1489 uint1 + x1488, x1489 = addcarryxU32(x1425, x1463, x1487) + var x1490 uint32 + var x1491 uint1 + x1490, x1491 = addcarryxU32(x1427, x1465, x1489) + x1492 := (uint32(x1491) + uint32(x1428)) + var x1493 uint32 + var x1494 uint32 + x1494, x1493 = bits.Mul32(x11, arg2[11]) + var x1495 uint32 + var x1496 uint32 + x1496, x1495 = bits.Mul32(x11, arg2[10]) + var x1497 uint32 + var x1498 uint32 + x1498, x1497 = bits.Mul32(x11, arg2[9]) + var x1499 uint32 + var x1500 uint32 + x1500, x1499 = bits.Mul32(x11, arg2[8]) + var x1501 uint32 + var x1502 uint32 + x1502, x1501 = bits.Mul32(x11, arg2[7]) + var x1503 uint32 + var x1504 uint32 + x1504, x1503 = bits.Mul32(x11, arg2[6]) + var x1505 uint32 + var x1506 uint32 + x1506, x1505 = bits.Mul32(x11, arg2[5]) + var x1507 uint32 + var x1508 uint32 + x1508, x1507 = bits.Mul32(x11, arg2[4]) + var x1509 uint32 + var x1510 uint32 + x1510, x1509 = bits.Mul32(x11, arg2[3]) + var x1511 uint32 + var x1512 uint32 + x1512, x1511 = bits.Mul32(x11, arg2[2]) + var x1513 uint32 + var x1514 uint32 + x1514, x1513 = bits.Mul32(x11, arg2[1]) + var x1515 uint32 + var x1516 uint32 + x1516, x1515 = bits.Mul32(x11, arg2[0]) + var x1517 uint32 + var x1518 uint1 + x1517, x1518 = addcarryxU32(x1516, x1513, 0x0) + var x1519 uint32 + var x1520 uint1 + x1519, x1520 = addcarryxU32(x1514, x1511, x1518) + var x1521 uint32 + var x1522 uint1 + x1521, x1522 = addcarryxU32(x1512, x1509, x1520) + var x1523 uint32 + var x1524 uint1 + x1523, x1524 = addcarryxU32(x1510, x1507, x1522) + var x1525 uint32 + var x1526 uint1 + x1525, x1526 = addcarryxU32(x1508, x1505, x1524) + var x1527 uint32 + var x1528 uint1 + x1527, x1528 = addcarryxU32(x1506, x1503, x1526) + var x1529 uint32 + var x1530 uint1 + x1529, x1530 = addcarryxU32(x1504, x1501, x1528) + var x1531 uint32 + var x1532 uint1 + x1531, x1532 = addcarryxU32(x1502, x1499, 
x1530) + var x1533 uint32 + var x1534 uint1 + x1533, x1534 = addcarryxU32(x1500, x1497, x1532) + var x1535 uint32 + var x1536 uint1 + x1535, x1536 = addcarryxU32(x1498, x1495, x1534) + var x1537 uint32 + var x1538 uint1 + x1537, x1538 = addcarryxU32(x1496, x1493, x1536) + x1539 := (uint32(x1538) + x1494) + var x1540 uint32 + var x1541 uint1 + x1540, x1541 = addcarryxU32(x1468, x1515, 0x0) + var x1542 uint32 + var x1543 uint1 + x1542, x1543 = addcarryxU32(x1470, x1517, x1541) + var x1544 uint32 + var x1545 uint1 + x1544, x1545 = addcarryxU32(x1472, x1519, x1543) + var x1546 uint32 + var x1547 uint1 + x1546, x1547 = addcarryxU32(x1474, x1521, x1545) + var x1548 uint32 + var x1549 uint1 + x1548, x1549 = addcarryxU32(x1476, x1523, x1547) + var x1550 uint32 + var x1551 uint1 + x1550, x1551 = addcarryxU32(x1478, x1525, x1549) + var x1552 uint32 + var x1553 uint1 + x1552, x1553 = addcarryxU32(x1480, x1527, x1551) + var x1554 uint32 + var x1555 uint1 + x1554, x1555 = addcarryxU32(x1482, x1529, x1553) + var x1556 uint32 + var x1557 uint1 + x1556, x1557 = addcarryxU32(x1484, x1531, x1555) + var x1558 uint32 + var x1559 uint1 + x1558, x1559 = addcarryxU32(x1486, x1533, x1557) + var x1560 uint32 + var x1561 uint1 + x1560, x1561 = addcarryxU32(x1488, x1535, x1559) + var x1562 uint32 + var x1563 uint1 + x1562, x1563 = addcarryxU32(x1490, x1537, x1561) + var x1564 uint32 + var x1565 uint1 + x1564, x1565 = addcarryxU32(x1492, x1539, x1563) + var x1566 uint32 + var x1567 uint32 + x1567, x1566 = bits.Mul32(x1540, 0xffffffff) + var x1568 uint32 + var x1569 uint32 + x1569, x1568 = bits.Mul32(x1540, 0xffffffff) + var x1570 uint32 + var x1571 uint32 + x1571, x1570 = bits.Mul32(x1540, 0xffffffff) + var x1572 uint32 + var x1573 uint32 + x1573, x1572 = bits.Mul32(x1540, 0xffffffff) + var x1574 uint32 + var x1575 uint32 + x1575, x1574 = bits.Mul32(x1540, 0xffffffff) + var x1576 uint32 + var x1577 uint32 + x1577, x1576 = bits.Mul32(x1540, 0xffffffff) + var x1578 uint32 + var x1579 uint32 + 
x1579, x1578 = bits.Mul32(x1540, 0xffffffff) + var x1580 uint32 + var x1581 uint32 + x1581, x1580 = bits.Mul32(x1540, 0xfffffffe) + var x1582 uint32 + var x1583 uint32 + x1583, x1582 = bits.Mul32(x1540, 0xffffffff) + var x1584 uint32 + var x1585 uint32 + x1585, x1584 = bits.Mul32(x1540, 0xffffffff) + var x1586 uint32 + var x1587 uint1 + x1586, x1587 = addcarryxU32(x1583, x1580, 0x0) + var x1588 uint32 + var x1589 uint1 + x1588, x1589 = addcarryxU32(x1581, x1578, x1587) + var x1590 uint32 + var x1591 uint1 + x1590, x1591 = addcarryxU32(x1579, x1576, x1589) + var x1592 uint32 + var x1593 uint1 + x1592, x1593 = addcarryxU32(x1577, x1574, x1591) + var x1594 uint32 + var x1595 uint1 + x1594, x1595 = addcarryxU32(x1575, x1572, x1593) + var x1596 uint32 + var x1597 uint1 + x1596, x1597 = addcarryxU32(x1573, x1570, x1595) + var x1598 uint32 + var x1599 uint1 + x1598, x1599 = addcarryxU32(x1571, x1568, x1597) + var x1600 uint32 + var x1601 uint1 + x1600, x1601 = addcarryxU32(x1569, x1566, x1599) + x1602 := (uint32(x1601) + x1567) + var x1604 uint1 + _, x1604 = addcarryxU32(x1540, x1584, 0x0) + var x1605 uint32 + var x1606 uint1 + x1605, x1606 = addcarryxU32(x1542, x1585, x1604) + var x1607 uint32 + var x1608 uint1 + x1607, x1608 = addcarryxU32(x1544, uint32(0x0), x1606) + var x1609 uint32 + var x1610 uint1 + x1609, x1610 = addcarryxU32(x1546, x1582, x1608) + var x1611 uint32 + var x1612 uint1 + x1611, x1612 = addcarryxU32(x1548, x1586, x1610) + var x1613 uint32 + var x1614 uint1 + x1613, x1614 = addcarryxU32(x1550, x1588, x1612) + var x1615 uint32 + var x1616 uint1 + x1615, x1616 = addcarryxU32(x1552, x1590, x1614) + var x1617 uint32 + var x1618 uint1 + x1617, x1618 = addcarryxU32(x1554, x1592, x1616) + var x1619 uint32 + var x1620 uint1 + x1619, x1620 = addcarryxU32(x1556, x1594, x1618) + var x1621 uint32 + var x1622 uint1 + x1621, x1622 = addcarryxU32(x1558, x1596, x1620) + var x1623 uint32 + var x1624 uint1 + x1623, x1624 = addcarryxU32(x1560, x1598, x1622) + var x1625 
uint32 + var x1626 uint1 + x1625, x1626 = addcarryxU32(x1562, x1600, x1624) + var x1627 uint32 + var x1628 uint1 + x1627, x1628 = addcarryxU32(x1564, x1602, x1626) + x1629 := (uint32(x1628) + uint32(x1565)) + var x1630 uint32 + var x1631 uint1 + x1630, x1631 = subborrowxU32(x1605, 0xffffffff, 0x0) + var x1632 uint32 + var x1633 uint1 + x1632, x1633 = subborrowxU32(x1607, uint32(0x0), x1631) + var x1634 uint32 + var x1635 uint1 + x1634, x1635 = subborrowxU32(x1609, uint32(0x0), x1633) + var x1636 uint32 + var x1637 uint1 + x1636, x1637 = subborrowxU32(x1611, 0xffffffff, x1635) + var x1638 uint32 + var x1639 uint1 + x1638, x1639 = subborrowxU32(x1613, 0xfffffffe, x1637) + var x1640 uint32 + var x1641 uint1 + x1640, x1641 = subborrowxU32(x1615, 0xffffffff, x1639) + var x1642 uint32 + var x1643 uint1 + x1642, x1643 = subborrowxU32(x1617, 0xffffffff, x1641) + var x1644 uint32 + var x1645 uint1 + x1644, x1645 = subborrowxU32(x1619, 0xffffffff, x1643) + var x1646 uint32 + var x1647 uint1 + x1646, x1647 = subborrowxU32(x1621, 0xffffffff, x1645) + var x1648 uint32 + var x1649 uint1 + x1648, x1649 = subborrowxU32(x1623, 0xffffffff, x1647) + var x1650 uint32 + var x1651 uint1 + x1650, x1651 = subborrowxU32(x1625, 0xffffffff, x1649) + var x1652 uint32 + var x1653 uint1 + x1652, x1653 = subborrowxU32(x1627, 0xffffffff, x1651) + var x1655 uint1 + _, x1655 = subborrowxU32(x1629, uint32(0x0), x1653) + var x1656 uint32 + cmovznzU32(&x1656, x1655, x1630, x1605) + var x1657 uint32 + cmovznzU32(&x1657, x1655, x1632, x1607) + var x1658 uint32 + cmovznzU32(&x1658, x1655, x1634, x1609) + var x1659 uint32 + cmovznzU32(&x1659, x1655, x1636, x1611) + var x1660 uint32 + cmovznzU32(&x1660, x1655, x1638, x1613) + var x1661 uint32 + cmovznzU32(&x1661, x1655, x1640, x1615) + var x1662 uint32 + cmovznzU32(&x1662, x1655, x1642, x1617) + var x1663 uint32 + cmovznzU32(&x1663, x1655, x1644, x1619) + var x1664 uint32 + cmovznzU32(&x1664, x1655, x1646, x1621) + var x1665 uint32 + cmovznzU32(&x1665, 
x1655, x1648, x1623) + var x1666 uint32 + cmovznzU32(&x1666, x1655, x1650, x1625) + var x1667 uint32 + cmovznzU32(&x1667, x1655, x1652, x1627) + out1[0] = x1656 + out1[1] = x1657 + out1[2] = x1658 + out1[3] = x1659 + out1[4] = x1660 + out1[5] = x1661 + out1[6] = x1662 + out1[7] = x1663 + out1[8] = x1664 + out1[9] = x1665 + out1[10] = x1666 + out1[11] = x1667 } -/* - The function Square squares a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Square(out1 *[12]uint32, arg1 *[12]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[8]) - var x9 uint32 = (arg1[9]) - var x10 uint32 = (arg1[10]) - var x11 uint32 = (arg1[11]) - var x12 uint32 = (arg1[0]) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x12, (arg1[11])) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x12, (arg1[10])) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x12, (arg1[9])) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x12, (arg1[8])) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x12, (arg1[7])) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x12, (arg1[6])) - var x25 uint32 - var x26 uint32 - x26, x25 = bits.Mul32(x12, (arg1[5])) - var x27 uint32 - var x28 uint32 - x28, x27 = bits.Mul32(x12, (arg1[4])) - var x29 uint32 - var x30 uint32 - x30, x29 = bits.Mul32(x12, (arg1[3])) - var x31 uint32 - var x32 uint32 - x32, x31 = bits.Mul32(x12, (arg1[2])) - var x33 uint32 - var x34 uint32 - x34, x33 = bits.Mul32(x12, (arg1[1])) - var x35 uint32 - var x36 
uint32 - x36, x35 = bits.Mul32(x12, (arg1[0])) - var x37 uint32 - var x38 uint1 - x37, x38 = addcarryxU32(x36, x33, 0x0) - var x39 uint32 - var x40 uint1 - x39, x40 = addcarryxU32(x34, x31, x38) - var x41 uint32 - var x42 uint1 - x41, x42 = addcarryxU32(x32, x29, x40) - var x43 uint32 - var x44 uint1 - x43, x44 = addcarryxU32(x30, x27, x42) - var x45 uint32 - var x46 uint1 - x45, x46 = addcarryxU32(x28, x25, x44) - var x47 uint32 - var x48 uint1 - x47, x48 = addcarryxU32(x26, x23, x46) - var x49 uint32 - var x50 uint1 - x49, x50 = addcarryxU32(x24, x21, x48) - var x51 uint32 - var x52 uint1 - x51, x52 = addcarryxU32(x22, x19, x50) - var x53 uint32 - var x54 uint1 - x53, x54 = addcarryxU32(x20, x17, x52) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x18, x15, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x16, x13, x56) - var x59 uint32 = (uint32(x58) + x14) - var x60 uint32 - var x61 uint32 - x61, x60 = bits.Mul32(x35, 0xffffffff) - var x62 uint32 - var x63 uint32 - x63, x62 = bits.Mul32(x35, 0xffffffff) - var x64 uint32 - var x65 uint32 - x65, x64 = bits.Mul32(x35, 0xffffffff) - var x66 uint32 - var x67 uint32 - x67, x66 = bits.Mul32(x35, 0xffffffff) - var x68 uint32 - var x69 uint32 - x69, x68 = bits.Mul32(x35, 0xffffffff) - var x70 uint32 - var x71 uint32 - x71, x70 = bits.Mul32(x35, 0xffffffff) - var x72 uint32 - var x73 uint32 - x73, x72 = bits.Mul32(x35, 0xffffffff) - var x74 uint32 - var x75 uint32 - x75, x74 = bits.Mul32(x35, 0xfffffffe) - var x76 uint32 - var x77 uint32 - x77, x76 = bits.Mul32(x35, 0xffffffff) - var x78 uint32 - var x79 uint32 - x79, x78 = bits.Mul32(x35, 0xffffffff) - var x80 uint32 - var x81 uint1 - x80, x81 = addcarryxU32(x77, x74, 0x0) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x75, x72, x81) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32(x73, x70, x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x71, x68, x85) - var x88 uint32 - var x89 uint1 - x88, x89 = 
addcarryxU32(x69, x66, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x67, x64, x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x65, x62, x91) - var x94 uint32 - var x95 uint1 - x94, x95 = addcarryxU32(x63, x60, x93) - var x96 uint32 = (uint32(x95) + x61) - var x98 uint1 - _, x98 = addcarryxU32(x35, x78, 0x0) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x37, x79, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = addcarryxU32(x39, uint32(0x0), x100) - var x103 uint32 - var x104 uint1 - x103, x104 = addcarryxU32(x41, x76, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = addcarryxU32(x43, x80, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = addcarryxU32(x45, x82, x106) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(x47, x84, x108) - var x111 uint32 - var x112 uint1 - x111, x112 = addcarryxU32(x49, x86, x110) - var x113 uint32 - var x114 uint1 - x113, x114 = addcarryxU32(x51, x88, x112) - var x115 uint32 - var x116 uint1 - x115, x116 = addcarryxU32(x53, x90, x114) - var x117 uint32 - var x118 uint1 - x117, x118 = addcarryxU32(x55, x92, x116) - var x119 uint32 - var x120 uint1 - x119, x120 = addcarryxU32(x57, x94, x118) - var x121 uint32 - var x122 uint1 - x121, x122 = addcarryxU32(x59, x96, x120) - var x123 uint32 - var x124 uint32 - x124, x123 = bits.Mul32(x1, (arg1[11])) - var x125 uint32 - var x126 uint32 - x126, x125 = bits.Mul32(x1, (arg1[10])) - var x127 uint32 - var x128 uint32 - x128, x127 = bits.Mul32(x1, (arg1[9])) - var x129 uint32 - var x130 uint32 - x130, x129 = bits.Mul32(x1, (arg1[8])) - var x131 uint32 - var x132 uint32 - x132, x131 = bits.Mul32(x1, (arg1[7])) - var x133 uint32 - var x134 uint32 - x134, x133 = bits.Mul32(x1, (arg1[6])) - var x135 uint32 - var x136 uint32 - x136, x135 = bits.Mul32(x1, (arg1[5])) - var x137 uint32 - var x138 uint32 - x138, x137 = bits.Mul32(x1, (arg1[4])) - var x139 uint32 - var x140 uint32 - x140, x139 = bits.Mul32(x1, (arg1[3])) - var 
x141 uint32 - var x142 uint32 - x142, x141 = bits.Mul32(x1, (arg1[2])) - var x143 uint32 - var x144 uint32 - x144, x143 = bits.Mul32(x1, (arg1[1])) - var x145 uint32 - var x146 uint32 - x146, x145 = bits.Mul32(x1, (arg1[0])) - var x147 uint32 - var x148 uint1 - x147, x148 = addcarryxU32(x146, x143, 0x0) - var x149 uint32 - var x150 uint1 - x149, x150 = addcarryxU32(x144, x141, x148) - var x151 uint32 - var x152 uint1 - x151, x152 = addcarryxU32(x142, x139, x150) - var x153 uint32 - var x154 uint1 - x153, x154 = addcarryxU32(x140, x137, x152) - var x155 uint32 - var x156 uint1 - x155, x156 = addcarryxU32(x138, x135, x154) - var x157 uint32 - var x158 uint1 - x157, x158 = addcarryxU32(x136, x133, x156) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x134, x131, x158) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x132, x129, x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x130, x127, x162) - var x165 uint32 - var x166 uint1 - x165, x166 = addcarryxU32(x128, x125, x164) - var x167 uint32 - var x168 uint1 - x167, x168 = addcarryxU32(x126, x123, x166) - var x169 uint32 = (uint32(x168) + x124) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x99, x145, 0x0) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x101, x147, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x103, x149, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x105, x151, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x107, x153, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x109, x155, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x111, x157, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x113, x159, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x115, x161, x185) - var x188 uint32 - var x189 uint1 - x188, x189 = addcarryxU32(x117, x163, x187) - var x190 uint32 - var x191 uint1 
- x190, x191 = addcarryxU32(x119, x165, x189) - var x192 uint32 - var x193 uint1 - x192, x193 = addcarryxU32(x121, x167, x191) - var x194 uint32 - var x195 uint1 - x194, x195 = addcarryxU32(uint32(x122), x169, x193) - var x196 uint32 - var x197 uint32 - x197, x196 = bits.Mul32(x170, 0xffffffff) - var x198 uint32 - var x199 uint32 - x199, x198 = bits.Mul32(x170, 0xffffffff) - var x200 uint32 - var x201 uint32 - x201, x200 = bits.Mul32(x170, 0xffffffff) - var x202 uint32 - var x203 uint32 - x203, x202 = bits.Mul32(x170, 0xffffffff) - var x204 uint32 - var x205 uint32 - x205, x204 = bits.Mul32(x170, 0xffffffff) - var x206 uint32 - var x207 uint32 - x207, x206 = bits.Mul32(x170, 0xffffffff) - var x208 uint32 - var x209 uint32 - x209, x208 = bits.Mul32(x170, 0xffffffff) - var x210 uint32 - var x211 uint32 - x211, x210 = bits.Mul32(x170, 0xfffffffe) - var x212 uint32 - var x213 uint32 - x213, x212 = bits.Mul32(x170, 0xffffffff) - var x214 uint32 - var x215 uint32 - x215, x214 = bits.Mul32(x170, 0xffffffff) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x213, x210, 0x0) - var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x211, x208, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x209, x206, x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32(x207, x204, x221) - var x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x205, x202, x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x203, x200, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x201, x198, x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x199, x196, x229) - var x232 uint32 = (uint32(x231) + x197) - var x234 uint1 - _, x234 = addcarryxU32(x170, x214, 0x0) - var x235 uint32 - var x236 uint1 - x235, x236 = addcarryxU32(x172, x215, x234) - var x237 uint32 - var x238 uint1 - x237, x238 = addcarryxU32(x174, uint32(0x0), x236) - var x239 uint32 - var x240 uint1 - x239, x240 = 
addcarryxU32(x176, x212, x238) - var x241 uint32 - var x242 uint1 - x241, x242 = addcarryxU32(x178, x216, x240) - var x243 uint32 - var x244 uint1 - x243, x244 = addcarryxU32(x180, x218, x242) - var x245 uint32 - var x246 uint1 - x245, x246 = addcarryxU32(x182, x220, x244) - var x247 uint32 - var x248 uint1 - x247, x248 = addcarryxU32(x184, x222, x246) - var x249 uint32 - var x250 uint1 - x249, x250 = addcarryxU32(x186, x224, x248) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x188, x226, x250) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x190, x228, x252) - var x255 uint32 - var x256 uint1 - x255, x256 = addcarryxU32(x192, x230, x254) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x194, x232, x256) - var x259 uint32 = (uint32(x258) + uint32(x195)) - var x260 uint32 - var x261 uint32 - x261, x260 = bits.Mul32(x2, (arg1[11])) - var x262 uint32 - var x263 uint32 - x263, x262 = bits.Mul32(x2, (arg1[10])) - var x264 uint32 - var x265 uint32 - x265, x264 = bits.Mul32(x2, (arg1[9])) - var x266 uint32 - var x267 uint32 - x267, x266 = bits.Mul32(x2, (arg1[8])) - var x268 uint32 - var x269 uint32 - x269, x268 = bits.Mul32(x2, (arg1[7])) - var x270 uint32 - var x271 uint32 - x271, x270 = bits.Mul32(x2, (arg1[6])) - var x272 uint32 - var x273 uint32 - x273, x272 = bits.Mul32(x2, (arg1[5])) - var x274 uint32 - var x275 uint32 - x275, x274 = bits.Mul32(x2, (arg1[4])) - var x276 uint32 - var x277 uint32 - x277, x276 = bits.Mul32(x2, (arg1[3])) - var x278 uint32 - var x279 uint32 - x279, x278 = bits.Mul32(x2, (arg1[2])) - var x280 uint32 - var x281 uint32 - x281, x280 = bits.Mul32(x2, (arg1[1])) - var x282 uint32 - var x283 uint32 - x283, x282 = bits.Mul32(x2, (arg1[0])) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x283, x280, 0x0) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x281, x278, x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x279, x276, x287) - var x290 uint32 - 
var x291 uint1 - x290, x291 = addcarryxU32(x277, x274, x289) - var x292 uint32 - var x293 uint1 - x292, x293 = addcarryxU32(x275, x272, x291) - var x294 uint32 - var x295 uint1 - x294, x295 = addcarryxU32(x273, x270, x293) - var x296 uint32 - var x297 uint1 - x296, x297 = addcarryxU32(x271, x268, x295) - var x298 uint32 - var x299 uint1 - x298, x299 = addcarryxU32(x269, x266, x297) - var x300 uint32 - var x301 uint1 - x300, x301 = addcarryxU32(x267, x264, x299) - var x302 uint32 - var x303 uint1 - x302, x303 = addcarryxU32(x265, x262, x301) - var x304 uint32 - var x305 uint1 - x304, x305 = addcarryxU32(x263, x260, x303) - var x306 uint32 = (uint32(x305) + x261) - var x307 uint32 - var x308 uint1 - x307, x308 = addcarryxU32(x235, x282, 0x0) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x237, x284, x308) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x239, x286, x310) - var x313 uint32 - var x314 uint1 - x313, x314 = addcarryxU32(x241, x288, x312) - var x315 uint32 - var x316 uint1 - x315, x316 = addcarryxU32(x243, x290, x314) - var x317 uint32 - var x318 uint1 - x317, x318 = addcarryxU32(x245, x292, x316) - var x319 uint32 - var x320 uint1 - x319, x320 = addcarryxU32(x247, x294, x318) - var x321 uint32 - var x322 uint1 - x321, x322 = addcarryxU32(x249, x296, x320) - var x323 uint32 - var x324 uint1 - x323, x324 = addcarryxU32(x251, x298, x322) - var x325 uint32 - var x326 uint1 - x325, x326 = addcarryxU32(x253, x300, x324) - var x327 uint32 - var x328 uint1 - x327, x328 = addcarryxU32(x255, x302, x326) - var x329 uint32 - var x330 uint1 - x329, x330 = addcarryxU32(x257, x304, x328) - var x331 uint32 - var x332 uint1 - x331, x332 = addcarryxU32(x259, x306, x330) - var x333 uint32 - var x334 uint32 - x334, x333 = bits.Mul32(x307, 0xffffffff) - var x335 uint32 - var x336 uint32 - x336, x335 = bits.Mul32(x307, 0xffffffff) - var x337 uint32 - var x338 uint32 - x338, x337 = bits.Mul32(x307, 0xffffffff) - var x339 uint32 - var x340 uint32 - 
x340, x339 = bits.Mul32(x307, 0xffffffff) - var x341 uint32 - var x342 uint32 - x342, x341 = bits.Mul32(x307, 0xffffffff) - var x343 uint32 - var x344 uint32 - x344, x343 = bits.Mul32(x307, 0xffffffff) - var x345 uint32 - var x346 uint32 - x346, x345 = bits.Mul32(x307, 0xffffffff) - var x347 uint32 - var x348 uint32 - x348, x347 = bits.Mul32(x307, 0xfffffffe) - var x349 uint32 - var x350 uint32 - x350, x349 = bits.Mul32(x307, 0xffffffff) - var x351 uint32 - var x352 uint32 - x352, x351 = bits.Mul32(x307, 0xffffffff) - var x353 uint32 - var x354 uint1 - x353, x354 = addcarryxU32(x350, x347, 0x0) - var x355 uint32 - var x356 uint1 - x355, x356 = addcarryxU32(x348, x345, x354) - var x357 uint32 - var x358 uint1 - x357, x358 = addcarryxU32(x346, x343, x356) - var x359 uint32 - var x360 uint1 - x359, x360 = addcarryxU32(x344, x341, x358) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x342, x339, x360) - var x363 uint32 - var x364 uint1 - x363, x364 = addcarryxU32(x340, x337, x362) - var x365 uint32 - var x366 uint1 - x365, x366 = addcarryxU32(x338, x335, x364) - var x367 uint32 - var x368 uint1 - x367, x368 = addcarryxU32(x336, x333, x366) - var x369 uint32 = (uint32(x368) + x334) - var x371 uint1 - _, x371 = addcarryxU32(x307, x351, 0x0) - var x372 uint32 - var x373 uint1 - x372, x373 = addcarryxU32(x309, x352, x371) - var x374 uint32 - var x375 uint1 - x374, x375 = addcarryxU32(x311, uint32(0x0), x373) - var x376 uint32 - var x377 uint1 - x376, x377 = addcarryxU32(x313, x349, x375) - var x378 uint32 - var x379 uint1 - x378, x379 = addcarryxU32(x315, x353, x377) - var x380 uint32 - var x381 uint1 - x380, x381 = addcarryxU32(x317, x355, x379) - var x382 uint32 - var x383 uint1 - x382, x383 = addcarryxU32(x319, x357, x381) - var x384 uint32 - var x385 uint1 - x384, x385 = addcarryxU32(x321, x359, x383) - var x386 uint32 - var x387 uint1 - x386, x387 = addcarryxU32(x323, x361, x385) - var x388 uint32 - var x389 uint1 - x388, x389 = addcarryxU32(x325, x363, 
x387) - var x390 uint32 - var x391 uint1 - x390, x391 = addcarryxU32(x327, x365, x389) - var x392 uint32 - var x393 uint1 - x392, x393 = addcarryxU32(x329, x367, x391) - var x394 uint32 - var x395 uint1 - x394, x395 = addcarryxU32(x331, x369, x393) - var x396 uint32 = (uint32(x395) + uint32(x332)) - var x397 uint32 - var x398 uint32 - x398, x397 = bits.Mul32(x3, (arg1[11])) - var x399 uint32 - var x400 uint32 - x400, x399 = bits.Mul32(x3, (arg1[10])) - var x401 uint32 - var x402 uint32 - x402, x401 = bits.Mul32(x3, (arg1[9])) - var x403 uint32 - var x404 uint32 - x404, x403 = bits.Mul32(x3, (arg1[8])) - var x405 uint32 - var x406 uint32 - x406, x405 = bits.Mul32(x3, (arg1[7])) - var x407 uint32 - var x408 uint32 - x408, x407 = bits.Mul32(x3, (arg1[6])) - var x409 uint32 - var x410 uint32 - x410, x409 = bits.Mul32(x3, (arg1[5])) - var x411 uint32 - var x412 uint32 - x412, x411 = bits.Mul32(x3, (arg1[4])) - var x413 uint32 - var x414 uint32 - x414, x413 = bits.Mul32(x3, (arg1[3])) - var x415 uint32 - var x416 uint32 - x416, x415 = bits.Mul32(x3, (arg1[2])) - var x417 uint32 - var x418 uint32 - x418, x417 = bits.Mul32(x3, (arg1[1])) - var x419 uint32 - var x420 uint32 - x420, x419 = bits.Mul32(x3, (arg1[0])) - var x421 uint32 - var x422 uint1 - x421, x422 = addcarryxU32(x420, x417, 0x0) - var x423 uint32 - var x424 uint1 - x423, x424 = addcarryxU32(x418, x415, x422) - var x425 uint32 - var x426 uint1 - x425, x426 = addcarryxU32(x416, x413, x424) - var x427 uint32 - var x428 uint1 - x427, x428 = addcarryxU32(x414, x411, x426) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x412, x409, x428) - var x431 uint32 - var x432 uint1 - x431, x432 = addcarryxU32(x410, x407, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x408, x405, x432) - var x435 uint32 - var x436 uint1 - x435, x436 = addcarryxU32(x406, x403, x434) - var x437 uint32 - var x438 uint1 - x437, x438 = addcarryxU32(x404, x401, x436) - var x439 uint32 - var x440 uint1 - x439, 
x440 = addcarryxU32(x402, x399, x438) - var x441 uint32 - var x442 uint1 - x441, x442 = addcarryxU32(x400, x397, x440) - var x443 uint32 = (uint32(x442) + x398) - var x444 uint32 - var x445 uint1 - x444, x445 = addcarryxU32(x372, x419, 0x0) - var x446 uint32 - var x447 uint1 - x446, x447 = addcarryxU32(x374, x421, x445) - var x448 uint32 - var x449 uint1 - x448, x449 = addcarryxU32(x376, x423, x447) - var x450 uint32 - var x451 uint1 - x450, x451 = addcarryxU32(x378, x425, x449) - var x452 uint32 - var x453 uint1 - x452, x453 = addcarryxU32(x380, x427, x451) - var x454 uint32 - var x455 uint1 - x454, x455 = addcarryxU32(x382, x429, x453) - var x456 uint32 - var x457 uint1 - x456, x457 = addcarryxU32(x384, x431, x455) - var x458 uint32 - var x459 uint1 - x458, x459 = addcarryxU32(x386, x433, x457) - var x460 uint32 - var x461 uint1 - x460, x461 = addcarryxU32(x388, x435, x459) - var x462 uint32 - var x463 uint1 - x462, x463 = addcarryxU32(x390, x437, x461) - var x464 uint32 - var x465 uint1 - x464, x465 = addcarryxU32(x392, x439, x463) - var x466 uint32 - var x467 uint1 - x466, x467 = addcarryxU32(x394, x441, x465) - var x468 uint32 - var x469 uint1 - x468, x469 = addcarryxU32(x396, x443, x467) - var x470 uint32 - var x471 uint32 - x471, x470 = bits.Mul32(x444, 0xffffffff) - var x472 uint32 - var x473 uint32 - x473, x472 = bits.Mul32(x444, 0xffffffff) - var x474 uint32 - var x475 uint32 - x475, x474 = bits.Mul32(x444, 0xffffffff) - var x476 uint32 - var x477 uint32 - x477, x476 = bits.Mul32(x444, 0xffffffff) - var x478 uint32 - var x479 uint32 - x479, x478 = bits.Mul32(x444, 0xffffffff) - var x480 uint32 - var x481 uint32 - x481, x480 = bits.Mul32(x444, 0xffffffff) - var x482 uint32 - var x483 uint32 - x483, x482 = bits.Mul32(x444, 0xffffffff) - var x484 uint32 - var x485 uint32 - x485, x484 = bits.Mul32(x444, 0xfffffffe) - var x486 uint32 - var x487 uint32 - x487, x486 = bits.Mul32(x444, 0xffffffff) - var x488 uint32 - var x489 uint32 - x489, x488 = 
bits.Mul32(x444, 0xffffffff) - var x490 uint32 - var x491 uint1 - x490, x491 = addcarryxU32(x487, x484, 0x0) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x485, x482, x491) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x483, x480, x493) - var x496 uint32 - var x497 uint1 - x496, x497 = addcarryxU32(x481, x478, x495) - var x498 uint32 - var x499 uint1 - x498, x499 = addcarryxU32(x479, x476, x497) - var x500 uint32 - var x501 uint1 - x500, x501 = addcarryxU32(x477, x474, x499) - var x502 uint32 - var x503 uint1 - x502, x503 = addcarryxU32(x475, x472, x501) - var x504 uint32 - var x505 uint1 - x504, x505 = addcarryxU32(x473, x470, x503) - var x506 uint32 = (uint32(x505) + x471) - var x508 uint1 - _, x508 = addcarryxU32(x444, x488, 0x0) - var x509 uint32 - var x510 uint1 - x509, x510 = addcarryxU32(x446, x489, x508) - var x511 uint32 - var x512 uint1 - x511, x512 = addcarryxU32(x448, uint32(0x0), x510) - var x513 uint32 - var x514 uint1 - x513, x514 = addcarryxU32(x450, x486, x512) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x452, x490, x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x454, x492, x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x456, x494, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x458, x496, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x460, x498, x522) - var x525 uint32 - var x526 uint1 - x525, x526 = addcarryxU32(x462, x500, x524) - var x527 uint32 - var x528 uint1 - x527, x528 = addcarryxU32(x464, x502, x526) - var x529 uint32 - var x530 uint1 - x529, x530 = addcarryxU32(x466, x504, x528) - var x531 uint32 - var x532 uint1 - x531, x532 = addcarryxU32(x468, x506, x530) - var x533 uint32 = (uint32(x532) + uint32(x469)) - var x534 uint32 - var x535 uint32 - x535, x534 = bits.Mul32(x4, (arg1[11])) - var x536 uint32 - var x537 uint32 - x537, x536 = bits.Mul32(x4, (arg1[10])) - var x538 uint32 - var x539 uint32 - 
x539, x538 = bits.Mul32(x4, (arg1[9])) - var x540 uint32 - var x541 uint32 - x541, x540 = bits.Mul32(x4, (arg1[8])) - var x542 uint32 - var x543 uint32 - x543, x542 = bits.Mul32(x4, (arg1[7])) - var x544 uint32 - var x545 uint32 - x545, x544 = bits.Mul32(x4, (arg1[6])) - var x546 uint32 - var x547 uint32 - x547, x546 = bits.Mul32(x4, (arg1[5])) - var x548 uint32 - var x549 uint32 - x549, x548 = bits.Mul32(x4, (arg1[4])) - var x550 uint32 - var x551 uint32 - x551, x550 = bits.Mul32(x4, (arg1[3])) - var x552 uint32 - var x553 uint32 - x553, x552 = bits.Mul32(x4, (arg1[2])) - var x554 uint32 - var x555 uint32 - x555, x554 = bits.Mul32(x4, (arg1[1])) - var x556 uint32 - var x557 uint32 - x557, x556 = bits.Mul32(x4, (arg1[0])) - var x558 uint32 - var x559 uint1 - x558, x559 = addcarryxU32(x557, x554, 0x0) - var x560 uint32 - var x561 uint1 - x560, x561 = addcarryxU32(x555, x552, x559) - var x562 uint32 - var x563 uint1 - x562, x563 = addcarryxU32(x553, x550, x561) - var x564 uint32 - var x565 uint1 - x564, x565 = addcarryxU32(x551, x548, x563) - var x566 uint32 - var x567 uint1 - x566, x567 = addcarryxU32(x549, x546, x565) - var x568 uint32 - var x569 uint1 - x568, x569 = addcarryxU32(x547, x544, x567) - var x570 uint32 - var x571 uint1 - x570, x571 = addcarryxU32(x545, x542, x569) - var x572 uint32 - var x573 uint1 - x572, x573 = addcarryxU32(x543, x540, x571) - var x574 uint32 - var x575 uint1 - x574, x575 = addcarryxU32(x541, x538, x573) - var x576 uint32 - var x577 uint1 - x576, x577 = addcarryxU32(x539, x536, x575) - var x578 uint32 - var x579 uint1 - x578, x579 = addcarryxU32(x537, x534, x577) - var x580 uint32 = (uint32(x579) + x535) - var x581 uint32 - var x582 uint1 - x581, x582 = addcarryxU32(x509, x556, 0x0) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32(x511, x558, x582) - var x585 uint32 - var x586 uint1 - x585, x586 = addcarryxU32(x513, x560, x584) - var x587 uint32 - var x588 uint1 - x587, x588 = addcarryxU32(x515, x562, x586) - var x589 
uint32 - var x590 uint1 - x589, x590 = addcarryxU32(x517, x564, x588) - var x591 uint32 - var x592 uint1 - x591, x592 = addcarryxU32(x519, x566, x590) - var x593 uint32 - var x594 uint1 - x593, x594 = addcarryxU32(x521, x568, x592) - var x595 uint32 - var x596 uint1 - x595, x596 = addcarryxU32(x523, x570, x594) - var x597 uint32 - var x598 uint1 - x597, x598 = addcarryxU32(x525, x572, x596) - var x599 uint32 - var x600 uint1 - x599, x600 = addcarryxU32(x527, x574, x598) - var x601 uint32 - var x602 uint1 - x601, x602 = addcarryxU32(x529, x576, x600) - var x603 uint32 - var x604 uint1 - x603, x604 = addcarryxU32(x531, x578, x602) - var x605 uint32 - var x606 uint1 - x605, x606 = addcarryxU32(x533, x580, x604) - var x607 uint32 - var x608 uint32 - x608, x607 = bits.Mul32(x581, 0xffffffff) - var x609 uint32 - var x610 uint32 - x610, x609 = bits.Mul32(x581, 0xffffffff) - var x611 uint32 - var x612 uint32 - x612, x611 = bits.Mul32(x581, 0xffffffff) - var x613 uint32 - var x614 uint32 - x614, x613 = bits.Mul32(x581, 0xffffffff) - var x615 uint32 - var x616 uint32 - x616, x615 = bits.Mul32(x581, 0xffffffff) - var x617 uint32 - var x618 uint32 - x618, x617 = bits.Mul32(x581, 0xffffffff) - var x619 uint32 - var x620 uint32 - x620, x619 = bits.Mul32(x581, 0xffffffff) - var x621 uint32 - var x622 uint32 - x622, x621 = bits.Mul32(x581, 0xfffffffe) - var x623 uint32 - var x624 uint32 - x624, x623 = bits.Mul32(x581, 0xffffffff) - var x625 uint32 - var x626 uint32 - x626, x625 = bits.Mul32(x581, 0xffffffff) - var x627 uint32 - var x628 uint1 - x627, x628 = addcarryxU32(x624, x621, 0x0) - var x629 uint32 - var x630 uint1 - x629, x630 = addcarryxU32(x622, x619, x628) - var x631 uint32 - var x632 uint1 - x631, x632 = addcarryxU32(x620, x617, x630) - var x633 uint32 - var x634 uint1 - x633, x634 = addcarryxU32(x618, x615, x632) - var x635 uint32 - var x636 uint1 - x635, x636 = addcarryxU32(x616, x613, x634) - var x637 uint32 - var x638 uint1 - x637, x638 = addcarryxU32(x614, x611, 
x636) - var x639 uint32 - var x640 uint1 - x639, x640 = addcarryxU32(x612, x609, x638) - var x641 uint32 - var x642 uint1 - x641, x642 = addcarryxU32(x610, x607, x640) - var x643 uint32 = (uint32(x642) + x608) - var x645 uint1 - _, x645 = addcarryxU32(x581, x625, 0x0) - var x646 uint32 - var x647 uint1 - x646, x647 = addcarryxU32(x583, x626, x645) - var x648 uint32 - var x649 uint1 - x648, x649 = addcarryxU32(x585, uint32(0x0), x647) - var x650 uint32 - var x651 uint1 - x650, x651 = addcarryxU32(x587, x623, x649) - var x652 uint32 - var x653 uint1 - x652, x653 = addcarryxU32(x589, x627, x651) - var x654 uint32 - var x655 uint1 - x654, x655 = addcarryxU32(x591, x629, x653) - var x656 uint32 - var x657 uint1 - x656, x657 = addcarryxU32(x593, x631, x655) - var x658 uint32 - var x659 uint1 - x658, x659 = addcarryxU32(x595, x633, x657) - var x660 uint32 - var x661 uint1 - x660, x661 = addcarryxU32(x597, x635, x659) - var x662 uint32 - var x663 uint1 - x662, x663 = addcarryxU32(x599, x637, x661) - var x664 uint32 - var x665 uint1 - x664, x665 = addcarryxU32(x601, x639, x663) - var x666 uint32 - var x667 uint1 - x666, x667 = addcarryxU32(x603, x641, x665) - var x668 uint32 - var x669 uint1 - x668, x669 = addcarryxU32(x605, x643, x667) - var x670 uint32 = (uint32(x669) + uint32(x606)) - var x671 uint32 - var x672 uint32 - x672, x671 = bits.Mul32(x5, (arg1[11])) - var x673 uint32 - var x674 uint32 - x674, x673 = bits.Mul32(x5, (arg1[10])) - var x675 uint32 - var x676 uint32 - x676, x675 = bits.Mul32(x5, (arg1[9])) - var x677 uint32 - var x678 uint32 - x678, x677 = bits.Mul32(x5, (arg1[8])) - var x679 uint32 - var x680 uint32 - x680, x679 = bits.Mul32(x5, (arg1[7])) - var x681 uint32 - var x682 uint32 - x682, x681 = bits.Mul32(x5, (arg1[6])) - var x683 uint32 - var x684 uint32 - x684, x683 = bits.Mul32(x5, (arg1[5])) - var x685 uint32 - var x686 uint32 - x686, x685 = bits.Mul32(x5, (arg1[4])) - var x687 uint32 - var x688 uint32 - x688, x687 = bits.Mul32(x5, (arg1[3])) - var 
x689 uint32 - var x690 uint32 - x690, x689 = bits.Mul32(x5, (arg1[2])) - var x691 uint32 - var x692 uint32 - x692, x691 = bits.Mul32(x5, (arg1[1])) - var x693 uint32 - var x694 uint32 - x694, x693 = bits.Mul32(x5, (arg1[0])) - var x695 uint32 - var x696 uint1 - x695, x696 = addcarryxU32(x694, x691, 0x0) - var x697 uint32 - var x698 uint1 - x697, x698 = addcarryxU32(x692, x689, x696) - var x699 uint32 - var x700 uint1 - x699, x700 = addcarryxU32(x690, x687, x698) - var x701 uint32 - var x702 uint1 - x701, x702 = addcarryxU32(x688, x685, x700) - var x703 uint32 - var x704 uint1 - x703, x704 = addcarryxU32(x686, x683, x702) - var x705 uint32 - var x706 uint1 - x705, x706 = addcarryxU32(x684, x681, x704) - var x707 uint32 - var x708 uint1 - x707, x708 = addcarryxU32(x682, x679, x706) - var x709 uint32 - var x710 uint1 - x709, x710 = addcarryxU32(x680, x677, x708) - var x711 uint32 - var x712 uint1 - x711, x712 = addcarryxU32(x678, x675, x710) - var x713 uint32 - var x714 uint1 - x713, x714 = addcarryxU32(x676, x673, x712) - var x715 uint32 - var x716 uint1 - x715, x716 = addcarryxU32(x674, x671, x714) - var x717 uint32 = (uint32(x716) + x672) - var x718 uint32 - var x719 uint1 - x718, x719 = addcarryxU32(x646, x693, 0x0) - var x720 uint32 - var x721 uint1 - x720, x721 = addcarryxU32(x648, x695, x719) - var x722 uint32 - var x723 uint1 - x722, x723 = addcarryxU32(x650, x697, x721) - var x724 uint32 - var x725 uint1 - x724, x725 = addcarryxU32(x652, x699, x723) - var x726 uint32 - var x727 uint1 - x726, x727 = addcarryxU32(x654, x701, x725) - var x728 uint32 - var x729 uint1 - x728, x729 = addcarryxU32(x656, x703, x727) - var x730 uint32 - var x731 uint1 - x730, x731 = addcarryxU32(x658, x705, x729) - var x732 uint32 - var x733 uint1 - x732, x733 = addcarryxU32(x660, x707, x731) - var x734 uint32 - var x735 uint1 - x734, x735 = addcarryxU32(x662, x709, x733) - var x736 uint32 - var x737 uint1 - x736, x737 = addcarryxU32(x664, x711, x735) - var x738 uint32 - var x739 
uint1 - x738, x739 = addcarryxU32(x666, x713, x737) - var x740 uint32 - var x741 uint1 - x740, x741 = addcarryxU32(x668, x715, x739) - var x742 uint32 - var x743 uint1 - x742, x743 = addcarryxU32(x670, x717, x741) - var x744 uint32 - var x745 uint32 - x745, x744 = bits.Mul32(x718, 0xffffffff) - var x746 uint32 - var x747 uint32 - x747, x746 = bits.Mul32(x718, 0xffffffff) - var x748 uint32 - var x749 uint32 - x749, x748 = bits.Mul32(x718, 0xffffffff) - var x750 uint32 - var x751 uint32 - x751, x750 = bits.Mul32(x718, 0xffffffff) - var x752 uint32 - var x753 uint32 - x753, x752 = bits.Mul32(x718, 0xffffffff) - var x754 uint32 - var x755 uint32 - x755, x754 = bits.Mul32(x718, 0xffffffff) - var x756 uint32 - var x757 uint32 - x757, x756 = bits.Mul32(x718, 0xffffffff) - var x758 uint32 - var x759 uint32 - x759, x758 = bits.Mul32(x718, 0xfffffffe) - var x760 uint32 - var x761 uint32 - x761, x760 = bits.Mul32(x718, 0xffffffff) - var x762 uint32 - var x763 uint32 - x763, x762 = bits.Mul32(x718, 0xffffffff) - var x764 uint32 - var x765 uint1 - x764, x765 = addcarryxU32(x761, x758, 0x0) - var x766 uint32 - var x767 uint1 - x766, x767 = addcarryxU32(x759, x756, x765) - var x768 uint32 - var x769 uint1 - x768, x769 = addcarryxU32(x757, x754, x767) - var x770 uint32 - var x771 uint1 - x770, x771 = addcarryxU32(x755, x752, x769) - var x772 uint32 - var x773 uint1 - x772, x773 = addcarryxU32(x753, x750, x771) - var x774 uint32 - var x775 uint1 - x774, x775 = addcarryxU32(x751, x748, x773) - var x776 uint32 - var x777 uint1 - x776, x777 = addcarryxU32(x749, x746, x775) - var x778 uint32 - var x779 uint1 - x778, x779 = addcarryxU32(x747, x744, x777) - var x780 uint32 = (uint32(x779) + x745) - var x782 uint1 - _, x782 = addcarryxU32(x718, x762, 0x0) - var x783 uint32 - var x784 uint1 - x783, x784 = addcarryxU32(x720, x763, x782) - var x785 uint32 - var x786 uint1 - x785, x786 = addcarryxU32(x722, uint32(0x0), x784) - var x787 uint32 - var x788 uint1 - x787, x788 = addcarryxU32(x724, 
x760, x786) - var x789 uint32 - var x790 uint1 - x789, x790 = addcarryxU32(x726, x764, x788) - var x791 uint32 - var x792 uint1 - x791, x792 = addcarryxU32(x728, x766, x790) - var x793 uint32 - var x794 uint1 - x793, x794 = addcarryxU32(x730, x768, x792) - var x795 uint32 - var x796 uint1 - x795, x796 = addcarryxU32(x732, x770, x794) - var x797 uint32 - var x798 uint1 - x797, x798 = addcarryxU32(x734, x772, x796) - var x799 uint32 - var x800 uint1 - x799, x800 = addcarryxU32(x736, x774, x798) - var x801 uint32 - var x802 uint1 - x801, x802 = addcarryxU32(x738, x776, x800) - var x803 uint32 - var x804 uint1 - x803, x804 = addcarryxU32(x740, x778, x802) - var x805 uint32 - var x806 uint1 - x805, x806 = addcarryxU32(x742, x780, x804) - var x807 uint32 = (uint32(x806) + uint32(x743)) - var x808 uint32 - var x809 uint32 - x809, x808 = bits.Mul32(x6, (arg1[11])) - var x810 uint32 - var x811 uint32 - x811, x810 = bits.Mul32(x6, (arg1[10])) - var x812 uint32 - var x813 uint32 - x813, x812 = bits.Mul32(x6, (arg1[9])) - var x814 uint32 - var x815 uint32 - x815, x814 = bits.Mul32(x6, (arg1[8])) - var x816 uint32 - var x817 uint32 - x817, x816 = bits.Mul32(x6, (arg1[7])) - var x818 uint32 - var x819 uint32 - x819, x818 = bits.Mul32(x6, (arg1[6])) - var x820 uint32 - var x821 uint32 - x821, x820 = bits.Mul32(x6, (arg1[5])) - var x822 uint32 - var x823 uint32 - x823, x822 = bits.Mul32(x6, (arg1[4])) - var x824 uint32 - var x825 uint32 - x825, x824 = bits.Mul32(x6, (arg1[3])) - var x826 uint32 - var x827 uint32 - x827, x826 = bits.Mul32(x6, (arg1[2])) - var x828 uint32 - var x829 uint32 - x829, x828 = bits.Mul32(x6, (arg1[1])) - var x830 uint32 - var x831 uint32 - x831, x830 = bits.Mul32(x6, (arg1[0])) - var x832 uint32 - var x833 uint1 - x832, x833 = addcarryxU32(x831, x828, 0x0) - var x834 uint32 - var x835 uint1 - x834, x835 = addcarryxU32(x829, x826, x833) - var x836 uint32 - var x837 uint1 - x836, x837 = addcarryxU32(x827, x824, x835) - var x838 uint32 - var x839 uint1 - 
x838, x839 = addcarryxU32(x825, x822, x837) - var x840 uint32 - var x841 uint1 - x840, x841 = addcarryxU32(x823, x820, x839) - var x842 uint32 - var x843 uint1 - x842, x843 = addcarryxU32(x821, x818, x841) - var x844 uint32 - var x845 uint1 - x844, x845 = addcarryxU32(x819, x816, x843) - var x846 uint32 - var x847 uint1 - x846, x847 = addcarryxU32(x817, x814, x845) - var x848 uint32 - var x849 uint1 - x848, x849 = addcarryxU32(x815, x812, x847) - var x850 uint32 - var x851 uint1 - x850, x851 = addcarryxU32(x813, x810, x849) - var x852 uint32 - var x853 uint1 - x852, x853 = addcarryxU32(x811, x808, x851) - var x854 uint32 = (uint32(x853) + x809) - var x855 uint32 - var x856 uint1 - x855, x856 = addcarryxU32(x783, x830, 0x0) - var x857 uint32 - var x858 uint1 - x857, x858 = addcarryxU32(x785, x832, x856) - var x859 uint32 - var x860 uint1 - x859, x860 = addcarryxU32(x787, x834, x858) - var x861 uint32 - var x862 uint1 - x861, x862 = addcarryxU32(x789, x836, x860) - var x863 uint32 - var x864 uint1 - x863, x864 = addcarryxU32(x791, x838, x862) - var x865 uint32 - var x866 uint1 - x865, x866 = addcarryxU32(x793, x840, x864) - var x867 uint32 - var x868 uint1 - x867, x868 = addcarryxU32(x795, x842, x866) - var x869 uint32 - var x870 uint1 - x869, x870 = addcarryxU32(x797, x844, x868) - var x871 uint32 - var x872 uint1 - x871, x872 = addcarryxU32(x799, x846, x870) - var x873 uint32 - var x874 uint1 - x873, x874 = addcarryxU32(x801, x848, x872) - var x875 uint32 - var x876 uint1 - x875, x876 = addcarryxU32(x803, x850, x874) - var x877 uint32 - var x878 uint1 - x877, x878 = addcarryxU32(x805, x852, x876) - var x879 uint32 - var x880 uint1 - x879, x880 = addcarryxU32(x807, x854, x878) - var x881 uint32 - var x882 uint32 - x882, x881 = bits.Mul32(x855, 0xffffffff) - var x883 uint32 - var x884 uint32 - x884, x883 = bits.Mul32(x855, 0xffffffff) - var x885 uint32 - var x886 uint32 - x886, x885 = bits.Mul32(x855, 0xffffffff) - var x887 uint32 - var x888 uint32 - x888, x887 = 
bits.Mul32(x855, 0xffffffff) - var x889 uint32 - var x890 uint32 - x890, x889 = bits.Mul32(x855, 0xffffffff) - var x891 uint32 - var x892 uint32 - x892, x891 = bits.Mul32(x855, 0xffffffff) - var x893 uint32 - var x894 uint32 - x894, x893 = bits.Mul32(x855, 0xffffffff) - var x895 uint32 - var x896 uint32 - x896, x895 = bits.Mul32(x855, 0xfffffffe) - var x897 uint32 - var x898 uint32 - x898, x897 = bits.Mul32(x855, 0xffffffff) - var x899 uint32 - var x900 uint32 - x900, x899 = bits.Mul32(x855, 0xffffffff) - var x901 uint32 - var x902 uint1 - x901, x902 = addcarryxU32(x898, x895, 0x0) - var x903 uint32 - var x904 uint1 - x903, x904 = addcarryxU32(x896, x893, x902) - var x905 uint32 - var x906 uint1 - x905, x906 = addcarryxU32(x894, x891, x904) - var x907 uint32 - var x908 uint1 - x907, x908 = addcarryxU32(x892, x889, x906) - var x909 uint32 - var x910 uint1 - x909, x910 = addcarryxU32(x890, x887, x908) - var x911 uint32 - var x912 uint1 - x911, x912 = addcarryxU32(x888, x885, x910) - var x913 uint32 - var x914 uint1 - x913, x914 = addcarryxU32(x886, x883, x912) - var x915 uint32 - var x916 uint1 - x915, x916 = addcarryxU32(x884, x881, x914) - var x917 uint32 = (uint32(x916) + x882) - var x919 uint1 - _, x919 = addcarryxU32(x855, x899, 0x0) - var x920 uint32 - var x921 uint1 - x920, x921 = addcarryxU32(x857, x900, x919) - var x922 uint32 - var x923 uint1 - x922, x923 = addcarryxU32(x859, uint32(0x0), x921) - var x924 uint32 - var x925 uint1 - x924, x925 = addcarryxU32(x861, x897, x923) - var x926 uint32 - var x927 uint1 - x926, x927 = addcarryxU32(x863, x901, x925) - var x928 uint32 - var x929 uint1 - x928, x929 = addcarryxU32(x865, x903, x927) - var x930 uint32 - var x931 uint1 - x930, x931 = addcarryxU32(x867, x905, x929) - var x932 uint32 - var x933 uint1 - x932, x933 = addcarryxU32(x869, x907, x931) - var x934 uint32 - var x935 uint1 - x934, x935 = addcarryxU32(x871, x909, x933) - var x936 uint32 - var x937 uint1 - x936, x937 = addcarryxU32(x873, x911, x935) - var 
x938 uint32 - var x939 uint1 - x938, x939 = addcarryxU32(x875, x913, x937) - var x940 uint32 - var x941 uint1 - x940, x941 = addcarryxU32(x877, x915, x939) - var x942 uint32 - var x943 uint1 - x942, x943 = addcarryxU32(x879, x917, x941) - var x944 uint32 = (uint32(x943) + uint32(x880)) - var x945 uint32 - var x946 uint32 - x946, x945 = bits.Mul32(x7, (arg1[11])) - var x947 uint32 - var x948 uint32 - x948, x947 = bits.Mul32(x7, (arg1[10])) - var x949 uint32 - var x950 uint32 - x950, x949 = bits.Mul32(x7, (arg1[9])) - var x951 uint32 - var x952 uint32 - x952, x951 = bits.Mul32(x7, (arg1[8])) - var x953 uint32 - var x954 uint32 - x954, x953 = bits.Mul32(x7, (arg1[7])) - var x955 uint32 - var x956 uint32 - x956, x955 = bits.Mul32(x7, (arg1[6])) - var x957 uint32 - var x958 uint32 - x958, x957 = bits.Mul32(x7, (arg1[5])) - var x959 uint32 - var x960 uint32 - x960, x959 = bits.Mul32(x7, (arg1[4])) - var x961 uint32 - var x962 uint32 - x962, x961 = bits.Mul32(x7, (arg1[3])) - var x963 uint32 - var x964 uint32 - x964, x963 = bits.Mul32(x7, (arg1[2])) - var x965 uint32 - var x966 uint32 - x966, x965 = bits.Mul32(x7, (arg1[1])) - var x967 uint32 - var x968 uint32 - x968, x967 = bits.Mul32(x7, (arg1[0])) - var x969 uint32 - var x970 uint1 - x969, x970 = addcarryxU32(x968, x965, 0x0) - var x971 uint32 - var x972 uint1 - x971, x972 = addcarryxU32(x966, x963, x970) - var x973 uint32 - var x974 uint1 - x973, x974 = addcarryxU32(x964, x961, x972) - var x975 uint32 - var x976 uint1 - x975, x976 = addcarryxU32(x962, x959, x974) - var x977 uint32 - var x978 uint1 - x977, x978 = addcarryxU32(x960, x957, x976) - var x979 uint32 - var x980 uint1 - x979, x980 = addcarryxU32(x958, x955, x978) - var x981 uint32 - var x982 uint1 - x981, x982 = addcarryxU32(x956, x953, x980) - var x983 uint32 - var x984 uint1 - x983, x984 = addcarryxU32(x954, x951, x982) - var x985 uint32 - var x986 uint1 - x985, x986 = addcarryxU32(x952, x949, x984) - var x987 uint32 - var x988 uint1 - x987, x988 = 
addcarryxU32(x950, x947, x986) - var x989 uint32 - var x990 uint1 - x989, x990 = addcarryxU32(x948, x945, x988) - var x991 uint32 = (uint32(x990) + x946) - var x992 uint32 - var x993 uint1 - x992, x993 = addcarryxU32(x920, x967, 0x0) - var x994 uint32 - var x995 uint1 - x994, x995 = addcarryxU32(x922, x969, x993) - var x996 uint32 - var x997 uint1 - x996, x997 = addcarryxU32(x924, x971, x995) - var x998 uint32 - var x999 uint1 - x998, x999 = addcarryxU32(x926, x973, x997) - var x1000 uint32 - var x1001 uint1 - x1000, x1001 = addcarryxU32(x928, x975, x999) - var x1002 uint32 - var x1003 uint1 - x1002, x1003 = addcarryxU32(x930, x977, x1001) - var x1004 uint32 - var x1005 uint1 - x1004, x1005 = addcarryxU32(x932, x979, x1003) - var x1006 uint32 - var x1007 uint1 - x1006, x1007 = addcarryxU32(x934, x981, x1005) - var x1008 uint32 - var x1009 uint1 - x1008, x1009 = addcarryxU32(x936, x983, x1007) - var x1010 uint32 - var x1011 uint1 - x1010, x1011 = addcarryxU32(x938, x985, x1009) - var x1012 uint32 - var x1013 uint1 - x1012, x1013 = addcarryxU32(x940, x987, x1011) - var x1014 uint32 - var x1015 uint1 - x1014, x1015 = addcarryxU32(x942, x989, x1013) - var x1016 uint32 - var x1017 uint1 - x1016, x1017 = addcarryxU32(x944, x991, x1015) - var x1018 uint32 - var x1019 uint32 - x1019, x1018 = bits.Mul32(x992, 0xffffffff) - var x1020 uint32 - var x1021 uint32 - x1021, x1020 = bits.Mul32(x992, 0xffffffff) - var x1022 uint32 - var x1023 uint32 - x1023, x1022 = bits.Mul32(x992, 0xffffffff) - var x1024 uint32 - var x1025 uint32 - x1025, x1024 = bits.Mul32(x992, 0xffffffff) - var x1026 uint32 - var x1027 uint32 - x1027, x1026 = bits.Mul32(x992, 0xffffffff) - var x1028 uint32 - var x1029 uint32 - x1029, x1028 = bits.Mul32(x992, 0xffffffff) - var x1030 uint32 - var x1031 uint32 - x1031, x1030 = bits.Mul32(x992, 0xffffffff) - var x1032 uint32 - var x1033 uint32 - x1033, x1032 = bits.Mul32(x992, 0xfffffffe) - var x1034 uint32 - var x1035 uint32 - x1035, x1034 = bits.Mul32(x992, 
0xffffffff) - var x1036 uint32 - var x1037 uint32 - x1037, x1036 = bits.Mul32(x992, 0xffffffff) - var x1038 uint32 - var x1039 uint1 - x1038, x1039 = addcarryxU32(x1035, x1032, 0x0) - var x1040 uint32 - var x1041 uint1 - x1040, x1041 = addcarryxU32(x1033, x1030, x1039) - var x1042 uint32 - var x1043 uint1 - x1042, x1043 = addcarryxU32(x1031, x1028, x1041) - var x1044 uint32 - var x1045 uint1 - x1044, x1045 = addcarryxU32(x1029, x1026, x1043) - var x1046 uint32 - var x1047 uint1 - x1046, x1047 = addcarryxU32(x1027, x1024, x1045) - var x1048 uint32 - var x1049 uint1 - x1048, x1049 = addcarryxU32(x1025, x1022, x1047) - var x1050 uint32 - var x1051 uint1 - x1050, x1051 = addcarryxU32(x1023, x1020, x1049) - var x1052 uint32 - var x1053 uint1 - x1052, x1053 = addcarryxU32(x1021, x1018, x1051) - var x1054 uint32 = (uint32(x1053) + x1019) - var x1056 uint1 - _, x1056 = addcarryxU32(x992, x1036, 0x0) - var x1057 uint32 - var x1058 uint1 - x1057, x1058 = addcarryxU32(x994, x1037, x1056) - var x1059 uint32 - var x1060 uint1 - x1059, x1060 = addcarryxU32(x996, uint32(0x0), x1058) - var x1061 uint32 - var x1062 uint1 - x1061, x1062 = addcarryxU32(x998, x1034, x1060) - var x1063 uint32 - var x1064 uint1 - x1063, x1064 = addcarryxU32(x1000, x1038, x1062) - var x1065 uint32 - var x1066 uint1 - x1065, x1066 = addcarryxU32(x1002, x1040, x1064) - var x1067 uint32 - var x1068 uint1 - x1067, x1068 = addcarryxU32(x1004, x1042, x1066) - var x1069 uint32 - var x1070 uint1 - x1069, x1070 = addcarryxU32(x1006, x1044, x1068) - var x1071 uint32 - var x1072 uint1 - x1071, x1072 = addcarryxU32(x1008, x1046, x1070) - var x1073 uint32 - var x1074 uint1 - x1073, x1074 = addcarryxU32(x1010, x1048, x1072) - var x1075 uint32 - var x1076 uint1 - x1075, x1076 = addcarryxU32(x1012, x1050, x1074) - var x1077 uint32 - var x1078 uint1 - x1077, x1078 = addcarryxU32(x1014, x1052, x1076) - var x1079 uint32 - var x1080 uint1 - x1079, x1080 = addcarryxU32(x1016, x1054, x1078) - var x1081 uint32 = (uint32(x1080) 
+ uint32(x1017)) - var x1082 uint32 - var x1083 uint32 - x1083, x1082 = bits.Mul32(x8, (arg1[11])) - var x1084 uint32 - var x1085 uint32 - x1085, x1084 = bits.Mul32(x8, (arg1[10])) - var x1086 uint32 - var x1087 uint32 - x1087, x1086 = bits.Mul32(x8, (arg1[9])) - var x1088 uint32 - var x1089 uint32 - x1089, x1088 = bits.Mul32(x8, (arg1[8])) - var x1090 uint32 - var x1091 uint32 - x1091, x1090 = bits.Mul32(x8, (arg1[7])) - var x1092 uint32 - var x1093 uint32 - x1093, x1092 = bits.Mul32(x8, (arg1[6])) - var x1094 uint32 - var x1095 uint32 - x1095, x1094 = bits.Mul32(x8, (arg1[5])) - var x1096 uint32 - var x1097 uint32 - x1097, x1096 = bits.Mul32(x8, (arg1[4])) - var x1098 uint32 - var x1099 uint32 - x1099, x1098 = bits.Mul32(x8, (arg1[3])) - var x1100 uint32 - var x1101 uint32 - x1101, x1100 = bits.Mul32(x8, (arg1[2])) - var x1102 uint32 - var x1103 uint32 - x1103, x1102 = bits.Mul32(x8, (arg1[1])) - var x1104 uint32 - var x1105 uint32 - x1105, x1104 = bits.Mul32(x8, (arg1[0])) - var x1106 uint32 - var x1107 uint1 - x1106, x1107 = addcarryxU32(x1105, x1102, 0x0) - var x1108 uint32 - var x1109 uint1 - x1108, x1109 = addcarryxU32(x1103, x1100, x1107) - var x1110 uint32 - var x1111 uint1 - x1110, x1111 = addcarryxU32(x1101, x1098, x1109) - var x1112 uint32 - var x1113 uint1 - x1112, x1113 = addcarryxU32(x1099, x1096, x1111) - var x1114 uint32 - var x1115 uint1 - x1114, x1115 = addcarryxU32(x1097, x1094, x1113) - var x1116 uint32 - var x1117 uint1 - x1116, x1117 = addcarryxU32(x1095, x1092, x1115) - var x1118 uint32 - var x1119 uint1 - x1118, x1119 = addcarryxU32(x1093, x1090, x1117) - var x1120 uint32 - var x1121 uint1 - x1120, x1121 = addcarryxU32(x1091, x1088, x1119) - var x1122 uint32 - var x1123 uint1 - x1122, x1123 = addcarryxU32(x1089, x1086, x1121) - var x1124 uint32 - var x1125 uint1 - x1124, x1125 = addcarryxU32(x1087, x1084, x1123) - var x1126 uint32 - var x1127 uint1 - x1126, x1127 = addcarryxU32(x1085, x1082, x1125) - var x1128 uint32 = (uint32(x1127) + 
x1083) - var x1129 uint32 - var x1130 uint1 - x1129, x1130 = addcarryxU32(x1057, x1104, 0x0) - var x1131 uint32 - var x1132 uint1 - x1131, x1132 = addcarryxU32(x1059, x1106, x1130) - var x1133 uint32 - var x1134 uint1 - x1133, x1134 = addcarryxU32(x1061, x1108, x1132) - var x1135 uint32 - var x1136 uint1 - x1135, x1136 = addcarryxU32(x1063, x1110, x1134) - var x1137 uint32 - var x1138 uint1 - x1137, x1138 = addcarryxU32(x1065, x1112, x1136) - var x1139 uint32 - var x1140 uint1 - x1139, x1140 = addcarryxU32(x1067, x1114, x1138) - var x1141 uint32 - var x1142 uint1 - x1141, x1142 = addcarryxU32(x1069, x1116, x1140) - var x1143 uint32 - var x1144 uint1 - x1143, x1144 = addcarryxU32(x1071, x1118, x1142) - var x1145 uint32 - var x1146 uint1 - x1145, x1146 = addcarryxU32(x1073, x1120, x1144) - var x1147 uint32 - var x1148 uint1 - x1147, x1148 = addcarryxU32(x1075, x1122, x1146) - var x1149 uint32 - var x1150 uint1 - x1149, x1150 = addcarryxU32(x1077, x1124, x1148) - var x1151 uint32 - var x1152 uint1 - x1151, x1152 = addcarryxU32(x1079, x1126, x1150) - var x1153 uint32 - var x1154 uint1 - x1153, x1154 = addcarryxU32(x1081, x1128, x1152) - var x1155 uint32 - var x1156 uint32 - x1156, x1155 = bits.Mul32(x1129, 0xffffffff) - var x1157 uint32 - var x1158 uint32 - x1158, x1157 = bits.Mul32(x1129, 0xffffffff) - var x1159 uint32 - var x1160 uint32 - x1160, x1159 = bits.Mul32(x1129, 0xffffffff) - var x1161 uint32 - var x1162 uint32 - x1162, x1161 = bits.Mul32(x1129, 0xffffffff) - var x1163 uint32 - var x1164 uint32 - x1164, x1163 = bits.Mul32(x1129, 0xffffffff) - var x1165 uint32 - var x1166 uint32 - x1166, x1165 = bits.Mul32(x1129, 0xffffffff) - var x1167 uint32 - var x1168 uint32 - x1168, x1167 = bits.Mul32(x1129, 0xffffffff) - var x1169 uint32 - var x1170 uint32 - x1170, x1169 = bits.Mul32(x1129, 0xfffffffe) - var x1171 uint32 - var x1172 uint32 - x1172, x1171 = bits.Mul32(x1129, 0xffffffff) - var x1173 uint32 - var x1174 uint32 - x1174, x1173 = bits.Mul32(x1129, 0xffffffff) 
- var x1175 uint32 - var x1176 uint1 - x1175, x1176 = addcarryxU32(x1172, x1169, 0x0) - var x1177 uint32 - var x1178 uint1 - x1177, x1178 = addcarryxU32(x1170, x1167, x1176) - var x1179 uint32 - var x1180 uint1 - x1179, x1180 = addcarryxU32(x1168, x1165, x1178) - var x1181 uint32 - var x1182 uint1 - x1181, x1182 = addcarryxU32(x1166, x1163, x1180) - var x1183 uint32 - var x1184 uint1 - x1183, x1184 = addcarryxU32(x1164, x1161, x1182) - var x1185 uint32 - var x1186 uint1 - x1185, x1186 = addcarryxU32(x1162, x1159, x1184) - var x1187 uint32 - var x1188 uint1 - x1187, x1188 = addcarryxU32(x1160, x1157, x1186) - var x1189 uint32 - var x1190 uint1 - x1189, x1190 = addcarryxU32(x1158, x1155, x1188) - var x1191 uint32 = (uint32(x1190) + x1156) - var x1193 uint1 - _, x1193 = addcarryxU32(x1129, x1173, 0x0) - var x1194 uint32 - var x1195 uint1 - x1194, x1195 = addcarryxU32(x1131, x1174, x1193) - var x1196 uint32 - var x1197 uint1 - x1196, x1197 = addcarryxU32(x1133, uint32(0x0), x1195) - var x1198 uint32 - var x1199 uint1 - x1198, x1199 = addcarryxU32(x1135, x1171, x1197) - var x1200 uint32 - var x1201 uint1 - x1200, x1201 = addcarryxU32(x1137, x1175, x1199) - var x1202 uint32 - var x1203 uint1 - x1202, x1203 = addcarryxU32(x1139, x1177, x1201) - var x1204 uint32 - var x1205 uint1 - x1204, x1205 = addcarryxU32(x1141, x1179, x1203) - var x1206 uint32 - var x1207 uint1 - x1206, x1207 = addcarryxU32(x1143, x1181, x1205) - var x1208 uint32 - var x1209 uint1 - x1208, x1209 = addcarryxU32(x1145, x1183, x1207) - var x1210 uint32 - var x1211 uint1 - x1210, x1211 = addcarryxU32(x1147, x1185, x1209) - var x1212 uint32 - var x1213 uint1 - x1212, x1213 = addcarryxU32(x1149, x1187, x1211) - var x1214 uint32 - var x1215 uint1 - x1214, x1215 = addcarryxU32(x1151, x1189, x1213) - var x1216 uint32 - var x1217 uint1 - x1216, x1217 = addcarryxU32(x1153, x1191, x1215) - var x1218 uint32 = (uint32(x1217) + uint32(x1154)) - var x1219 uint32 - var x1220 uint32 - x1220, x1219 = bits.Mul32(x9, 
(arg1[11])) - var x1221 uint32 - var x1222 uint32 - x1222, x1221 = bits.Mul32(x9, (arg1[10])) - var x1223 uint32 - var x1224 uint32 - x1224, x1223 = bits.Mul32(x9, (arg1[9])) - var x1225 uint32 - var x1226 uint32 - x1226, x1225 = bits.Mul32(x9, (arg1[8])) - var x1227 uint32 - var x1228 uint32 - x1228, x1227 = bits.Mul32(x9, (arg1[7])) - var x1229 uint32 - var x1230 uint32 - x1230, x1229 = bits.Mul32(x9, (arg1[6])) - var x1231 uint32 - var x1232 uint32 - x1232, x1231 = bits.Mul32(x9, (arg1[5])) - var x1233 uint32 - var x1234 uint32 - x1234, x1233 = bits.Mul32(x9, (arg1[4])) - var x1235 uint32 - var x1236 uint32 - x1236, x1235 = bits.Mul32(x9, (arg1[3])) - var x1237 uint32 - var x1238 uint32 - x1238, x1237 = bits.Mul32(x9, (arg1[2])) - var x1239 uint32 - var x1240 uint32 - x1240, x1239 = bits.Mul32(x9, (arg1[1])) - var x1241 uint32 - var x1242 uint32 - x1242, x1241 = bits.Mul32(x9, (arg1[0])) - var x1243 uint32 - var x1244 uint1 - x1243, x1244 = addcarryxU32(x1242, x1239, 0x0) - var x1245 uint32 - var x1246 uint1 - x1245, x1246 = addcarryxU32(x1240, x1237, x1244) - var x1247 uint32 - var x1248 uint1 - x1247, x1248 = addcarryxU32(x1238, x1235, x1246) - var x1249 uint32 - var x1250 uint1 - x1249, x1250 = addcarryxU32(x1236, x1233, x1248) - var x1251 uint32 - var x1252 uint1 - x1251, x1252 = addcarryxU32(x1234, x1231, x1250) - var x1253 uint32 - var x1254 uint1 - x1253, x1254 = addcarryxU32(x1232, x1229, x1252) - var x1255 uint32 - var x1256 uint1 - x1255, x1256 = addcarryxU32(x1230, x1227, x1254) - var x1257 uint32 - var x1258 uint1 - x1257, x1258 = addcarryxU32(x1228, x1225, x1256) - var x1259 uint32 - var x1260 uint1 - x1259, x1260 = addcarryxU32(x1226, x1223, x1258) - var x1261 uint32 - var x1262 uint1 - x1261, x1262 = addcarryxU32(x1224, x1221, x1260) - var x1263 uint32 - var x1264 uint1 - x1263, x1264 = addcarryxU32(x1222, x1219, x1262) - var x1265 uint32 = (uint32(x1264) + x1220) - var x1266 uint32 - var x1267 uint1 - x1266, x1267 = addcarryxU32(x1194, x1241, 
0x0) - var x1268 uint32 - var x1269 uint1 - x1268, x1269 = addcarryxU32(x1196, x1243, x1267) - var x1270 uint32 - var x1271 uint1 - x1270, x1271 = addcarryxU32(x1198, x1245, x1269) - var x1272 uint32 - var x1273 uint1 - x1272, x1273 = addcarryxU32(x1200, x1247, x1271) - var x1274 uint32 - var x1275 uint1 - x1274, x1275 = addcarryxU32(x1202, x1249, x1273) - var x1276 uint32 - var x1277 uint1 - x1276, x1277 = addcarryxU32(x1204, x1251, x1275) - var x1278 uint32 - var x1279 uint1 - x1278, x1279 = addcarryxU32(x1206, x1253, x1277) - var x1280 uint32 - var x1281 uint1 - x1280, x1281 = addcarryxU32(x1208, x1255, x1279) - var x1282 uint32 - var x1283 uint1 - x1282, x1283 = addcarryxU32(x1210, x1257, x1281) - var x1284 uint32 - var x1285 uint1 - x1284, x1285 = addcarryxU32(x1212, x1259, x1283) - var x1286 uint32 - var x1287 uint1 - x1286, x1287 = addcarryxU32(x1214, x1261, x1285) - var x1288 uint32 - var x1289 uint1 - x1288, x1289 = addcarryxU32(x1216, x1263, x1287) - var x1290 uint32 - var x1291 uint1 - x1290, x1291 = addcarryxU32(x1218, x1265, x1289) - var x1292 uint32 - var x1293 uint32 - x1293, x1292 = bits.Mul32(x1266, 0xffffffff) - var x1294 uint32 - var x1295 uint32 - x1295, x1294 = bits.Mul32(x1266, 0xffffffff) - var x1296 uint32 - var x1297 uint32 - x1297, x1296 = bits.Mul32(x1266, 0xffffffff) - var x1298 uint32 - var x1299 uint32 - x1299, x1298 = bits.Mul32(x1266, 0xffffffff) - var x1300 uint32 - var x1301 uint32 - x1301, x1300 = bits.Mul32(x1266, 0xffffffff) - var x1302 uint32 - var x1303 uint32 - x1303, x1302 = bits.Mul32(x1266, 0xffffffff) - var x1304 uint32 - var x1305 uint32 - x1305, x1304 = bits.Mul32(x1266, 0xffffffff) - var x1306 uint32 - var x1307 uint32 - x1307, x1306 = bits.Mul32(x1266, 0xfffffffe) - var x1308 uint32 - var x1309 uint32 - x1309, x1308 = bits.Mul32(x1266, 0xffffffff) - var x1310 uint32 - var x1311 uint32 - x1311, x1310 = bits.Mul32(x1266, 0xffffffff) - var x1312 uint32 - var x1313 uint1 - x1312, x1313 = addcarryxU32(x1309, x1306, 0x0) - 
var x1314 uint32 - var x1315 uint1 - x1314, x1315 = addcarryxU32(x1307, x1304, x1313) - var x1316 uint32 - var x1317 uint1 - x1316, x1317 = addcarryxU32(x1305, x1302, x1315) - var x1318 uint32 - var x1319 uint1 - x1318, x1319 = addcarryxU32(x1303, x1300, x1317) - var x1320 uint32 - var x1321 uint1 - x1320, x1321 = addcarryxU32(x1301, x1298, x1319) - var x1322 uint32 - var x1323 uint1 - x1322, x1323 = addcarryxU32(x1299, x1296, x1321) - var x1324 uint32 - var x1325 uint1 - x1324, x1325 = addcarryxU32(x1297, x1294, x1323) - var x1326 uint32 - var x1327 uint1 - x1326, x1327 = addcarryxU32(x1295, x1292, x1325) - var x1328 uint32 = (uint32(x1327) + x1293) - var x1330 uint1 - _, x1330 = addcarryxU32(x1266, x1310, 0x0) - var x1331 uint32 - var x1332 uint1 - x1331, x1332 = addcarryxU32(x1268, x1311, x1330) - var x1333 uint32 - var x1334 uint1 - x1333, x1334 = addcarryxU32(x1270, uint32(0x0), x1332) - var x1335 uint32 - var x1336 uint1 - x1335, x1336 = addcarryxU32(x1272, x1308, x1334) - var x1337 uint32 - var x1338 uint1 - x1337, x1338 = addcarryxU32(x1274, x1312, x1336) - var x1339 uint32 - var x1340 uint1 - x1339, x1340 = addcarryxU32(x1276, x1314, x1338) - var x1341 uint32 - var x1342 uint1 - x1341, x1342 = addcarryxU32(x1278, x1316, x1340) - var x1343 uint32 - var x1344 uint1 - x1343, x1344 = addcarryxU32(x1280, x1318, x1342) - var x1345 uint32 - var x1346 uint1 - x1345, x1346 = addcarryxU32(x1282, x1320, x1344) - var x1347 uint32 - var x1348 uint1 - x1347, x1348 = addcarryxU32(x1284, x1322, x1346) - var x1349 uint32 - var x1350 uint1 - x1349, x1350 = addcarryxU32(x1286, x1324, x1348) - var x1351 uint32 - var x1352 uint1 - x1351, x1352 = addcarryxU32(x1288, x1326, x1350) - var x1353 uint32 - var x1354 uint1 - x1353, x1354 = addcarryxU32(x1290, x1328, x1352) - var x1355 uint32 = (uint32(x1354) + uint32(x1291)) - var x1356 uint32 - var x1357 uint32 - x1357, x1356 = bits.Mul32(x10, (arg1[11])) - var x1358 uint32 - var x1359 uint32 - x1359, x1358 = bits.Mul32(x10, 
(arg1[10])) - var x1360 uint32 - var x1361 uint32 - x1361, x1360 = bits.Mul32(x10, (arg1[9])) - var x1362 uint32 - var x1363 uint32 - x1363, x1362 = bits.Mul32(x10, (arg1[8])) - var x1364 uint32 - var x1365 uint32 - x1365, x1364 = bits.Mul32(x10, (arg1[7])) - var x1366 uint32 - var x1367 uint32 - x1367, x1366 = bits.Mul32(x10, (arg1[6])) - var x1368 uint32 - var x1369 uint32 - x1369, x1368 = bits.Mul32(x10, (arg1[5])) - var x1370 uint32 - var x1371 uint32 - x1371, x1370 = bits.Mul32(x10, (arg1[4])) - var x1372 uint32 - var x1373 uint32 - x1373, x1372 = bits.Mul32(x10, (arg1[3])) - var x1374 uint32 - var x1375 uint32 - x1375, x1374 = bits.Mul32(x10, (arg1[2])) - var x1376 uint32 - var x1377 uint32 - x1377, x1376 = bits.Mul32(x10, (arg1[1])) - var x1378 uint32 - var x1379 uint32 - x1379, x1378 = bits.Mul32(x10, (arg1[0])) - var x1380 uint32 - var x1381 uint1 - x1380, x1381 = addcarryxU32(x1379, x1376, 0x0) - var x1382 uint32 - var x1383 uint1 - x1382, x1383 = addcarryxU32(x1377, x1374, x1381) - var x1384 uint32 - var x1385 uint1 - x1384, x1385 = addcarryxU32(x1375, x1372, x1383) - var x1386 uint32 - var x1387 uint1 - x1386, x1387 = addcarryxU32(x1373, x1370, x1385) - var x1388 uint32 - var x1389 uint1 - x1388, x1389 = addcarryxU32(x1371, x1368, x1387) - var x1390 uint32 - var x1391 uint1 - x1390, x1391 = addcarryxU32(x1369, x1366, x1389) - var x1392 uint32 - var x1393 uint1 - x1392, x1393 = addcarryxU32(x1367, x1364, x1391) - var x1394 uint32 - var x1395 uint1 - x1394, x1395 = addcarryxU32(x1365, x1362, x1393) - var x1396 uint32 - var x1397 uint1 - x1396, x1397 = addcarryxU32(x1363, x1360, x1395) - var x1398 uint32 - var x1399 uint1 - x1398, x1399 = addcarryxU32(x1361, x1358, x1397) - var x1400 uint32 - var x1401 uint1 - x1400, x1401 = addcarryxU32(x1359, x1356, x1399) - var x1402 uint32 = (uint32(x1401) + x1357) - var x1403 uint32 - var x1404 uint1 - x1403, x1404 = addcarryxU32(x1331, x1378, 0x0) - var x1405 uint32 - var x1406 uint1 - x1405, x1406 = 
addcarryxU32(x1333, x1380, x1404) - var x1407 uint32 - var x1408 uint1 - x1407, x1408 = addcarryxU32(x1335, x1382, x1406) - var x1409 uint32 - var x1410 uint1 - x1409, x1410 = addcarryxU32(x1337, x1384, x1408) - var x1411 uint32 - var x1412 uint1 - x1411, x1412 = addcarryxU32(x1339, x1386, x1410) - var x1413 uint32 - var x1414 uint1 - x1413, x1414 = addcarryxU32(x1341, x1388, x1412) - var x1415 uint32 - var x1416 uint1 - x1415, x1416 = addcarryxU32(x1343, x1390, x1414) - var x1417 uint32 - var x1418 uint1 - x1417, x1418 = addcarryxU32(x1345, x1392, x1416) - var x1419 uint32 - var x1420 uint1 - x1419, x1420 = addcarryxU32(x1347, x1394, x1418) - var x1421 uint32 - var x1422 uint1 - x1421, x1422 = addcarryxU32(x1349, x1396, x1420) - var x1423 uint32 - var x1424 uint1 - x1423, x1424 = addcarryxU32(x1351, x1398, x1422) - var x1425 uint32 - var x1426 uint1 - x1425, x1426 = addcarryxU32(x1353, x1400, x1424) - var x1427 uint32 - var x1428 uint1 - x1427, x1428 = addcarryxU32(x1355, x1402, x1426) - var x1429 uint32 - var x1430 uint32 - x1430, x1429 = bits.Mul32(x1403, 0xffffffff) - var x1431 uint32 - var x1432 uint32 - x1432, x1431 = bits.Mul32(x1403, 0xffffffff) - var x1433 uint32 - var x1434 uint32 - x1434, x1433 = bits.Mul32(x1403, 0xffffffff) - var x1435 uint32 - var x1436 uint32 - x1436, x1435 = bits.Mul32(x1403, 0xffffffff) - var x1437 uint32 - var x1438 uint32 - x1438, x1437 = bits.Mul32(x1403, 0xffffffff) - var x1439 uint32 - var x1440 uint32 - x1440, x1439 = bits.Mul32(x1403, 0xffffffff) - var x1441 uint32 - var x1442 uint32 - x1442, x1441 = bits.Mul32(x1403, 0xffffffff) - var x1443 uint32 - var x1444 uint32 - x1444, x1443 = bits.Mul32(x1403, 0xfffffffe) - var x1445 uint32 - var x1446 uint32 - x1446, x1445 = bits.Mul32(x1403, 0xffffffff) - var x1447 uint32 - var x1448 uint32 - x1448, x1447 = bits.Mul32(x1403, 0xffffffff) - var x1449 uint32 - var x1450 uint1 - x1449, x1450 = addcarryxU32(x1446, x1443, 0x0) - var x1451 uint32 - var x1452 uint1 - x1451, x1452 = 
addcarryxU32(x1444, x1441, x1450) - var x1453 uint32 - var x1454 uint1 - x1453, x1454 = addcarryxU32(x1442, x1439, x1452) - var x1455 uint32 - var x1456 uint1 - x1455, x1456 = addcarryxU32(x1440, x1437, x1454) - var x1457 uint32 - var x1458 uint1 - x1457, x1458 = addcarryxU32(x1438, x1435, x1456) - var x1459 uint32 - var x1460 uint1 - x1459, x1460 = addcarryxU32(x1436, x1433, x1458) - var x1461 uint32 - var x1462 uint1 - x1461, x1462 = addcarryxU32(x1434, x1431, x1460) - var x1463 uint32 - var x1464 uint1 - x1463, x1464 = addcarryxU32(x1432, x1429, x1462) - var x1465 uint32 = (uint32(x1464) + x1430) - var x1467 uint1 - _, x1467 = addcarryxU32(x1403, x1447, 0x0) - var x1468 uint32 - var x1469 uint1 - x1468, x1469 = addcarryxU32(x1405, x1448, x1467) - var x1470 uint32 - var x1471 uint1 - x1470, x1471 = addcarryxU32(x1407, uint32(0x0), x1469) - var x1472 uint32 - var x1473 uint1 - x1472, x1473 = addcarryxU32(x1409, x1445, x1471) - var x1474 uint32 - var x1475 uint1 - x1474, x1475 = addcarryxU32(x1411, x1449, x1473) - var x1476 uint32 - var x1477 uint1 - x1476, x1477 = addcarryxU32(x1413, x1451, x1475) - var x1478 uint32 - var x1479 uint1 - x1478, x1479 = addcarryxU32(x1415, x1453, x1477) - var x1480 uint32 - var x1481 uint1 - x1480, x1481 = addcarryxU32(x1417, x1455, x1479) - var x1482 uint32 - var x1483 uint1 - x1482, x1483 = addcarryxU32(x1419, x1457, x1481) - var x1484 uint32 - var x1485 uint1 - x1484, x1485 = addcarryxU32(x1421, x1459, x1483) - var x1486 uint32 - var x1487 uint1 - x1486, x1487 = addcarryxU32(x1423, x1461, x1485) - var x1488 uint32 - var x1489 uint1 - x1488, x1489 = addcarryxU32(x1425, x1463, x1487) - var x1490 uint32 - var x1491 uint1 - x1490, x1491 = addcarryxU32(x1427, x1465, x1489) - var x1492 uint32 = (uint32(x1491) + uint32(x1428)) - var x1493 uint32 - var x1494 uint32 - x1494, x1493 = bits.Mul32(x11, (arg1[11])) - var x1495 uint32 - var x1496 uint32 - x1496, x1495 = bits.Mul32(x11, (arg1[10])) - var x1497 uint32 - var x1498 uint32 - x1498, 
x1497 = bits.Mul32(x11, (arg1[9])) - var x1499 uint32 - var x1500 uint32 - x1500, x1499 = bits.Mul32(x11, (arg1[8])) - var x1501 uint32 - var x1502 uint32 - x1502, x1501 = bits.Mul32(x11, (arg1[7])) - var x1503 uint32 - var x1504 uint32 - x1504, x1503 = bits.Mul32(x11, (arg1[6])) - var x1505 uint32 - var x1506 uint32 - x1506, x1505 = bits.Mul32(x11, (arg1[5])) - var x1507 uint32 - var x1508 uint32 - x1508, x1507 = bits.Mul32(x11, (arg1[4])) - var x1509 uint32 - var x1510 uint32 - x1510, x1509 = bits.Mul32(x11, (arg1[3])) - var x1511 uint32 - var x1512 uint32 - x1512, x1511 = bits.Mul32(x11, (arg1[2])) - var x1513 uint32 - var x1514 uint32 - x1514, x1513 = bits.Mul32(x11, (arg1[1])) - var x1515 uint32 - var x1516 uint32 - x1516, x1515 = bits.Mul32(x11, (arg1[0])) - var x1517 uint32 - var x1518 uint1 - x1517, x1518 = addcarryxU32(x1516, x1513, 0x0) - var x1519 uint32 - var x1520 uint1 - x1519, x1520 = addcarryxU32(x1514, x1511, x1518) - var x1521 uint32 - var x1522 uint1 - x1521, x1522 = addcarryxU32(x1512, x1509, x1520) - var x1523 uint32 - var x1524 uint1 - x1523, x1524 = addcarryxU32(x1510, x1507, x1522) - var x1525 uint32 - var x1526 uint1 - x1525, x1526 = addcarryxU32(x1508, x1505, x1524) - var x1527 uint32 - var x1528 uint1 - x1527, x1528 = addcarryxU32(x1506, x1503, x1526) - var x1529 uint32 - var x1530 uint1 - x1529, x1530 = addcarryxU32(x1504, x1501, x1528) - var x1531 uint32 - var x1532 uint1 - x1531, x1532 = addcarryxU32(x1502, x1499, x1530) - var x1533 uint32 - var x1534 uint1 - x1533, x1534 = addcarryxU32(x1500, x1497, x1532) - var x1535 uint32 - var x1536 uint1 - x1535, x1536 = addcarryxU32(x1498, x1495, x1534) - var x1537 uint32 - var x1538 uint1 - x1537, x1538 = addcarryxU32(x1496, x1493, x1536) - var x1539 uint32 = (uint32(x1538) + x1494) - var x1540 uint32 - var x1541 uint1 - x1540, x1541 = addcarryxU32(x1468, x1515, 0x0) - var x1542 uint32 - var x1543 uint1 - x1542, x1543 = addcarryxU32(x1470, x1517, x1541) - var x1544 uint32 - var x1545 uint1 - 
x1544, x1545 = addcarryxU32(x1472, x1519, x1543) - var x1546 uint32 - var x1547 uint1 - x1546, x1547 = addcarryxU32(x1474, x1521, x1545) - var x1548 uint32 - var x1549 uint1 - x1548, x1549 = addcarryxU32(x1476, x1523, x1547) - var x1550 uint32 - var x1551 uint1 - x1550, x1551 = addcarryxU32(x1478, x1525, x1549) - var x1552 uint32 - var x1553 uint1 - x1552, x1553 = addcarryxU32(x1480, x1527, x1551) - var x1554 uint32 - var x1555 uint1 - x1554, x1555 = addcarryxU32(x1482, x1529, x1553) - var x1556 uint32 - var x1557 uint1 - x1556, x1557 = addcarryxU32(x1484, x1531, x1555) - var x1558 uint32 - var x1559 uint1 - x1558, x1559 = addcarryxU32(x1486, x1533, x1557) - var x1560 uint32 - var x1561 uint1 - x1560, x1561 = addcarryxU32(x1488, x1535, x1559) - var x1562 uint32 - var x1563 uint1 - x1562, x1563 = addcarryxU32(x1490, x1537, x1561) - var x1564 uint32 - var x1565 uint1 - x1564, x1565 = addcarryxU32(x1492, x1539, x1563) - var x1566 uint32 - var x1567 uint32 - x1567, x1566 = bits.Mul32(x1540, 0xffffffff) - var x1568 uint32 - var x1569 uint32 - x1569, x1568 = bits.Mul32(x1540, 0xffffffff) - var x1570 uint32 - var x1571 uint32 - x1571, x1570 = bits.Mul32(x1540, 0xffffffff) - var x1572 uint32 - var x1573 uint32 - x1573, x1572 = bits.Mul32(x1540, 0xffffffff) - var x1574 uint32 - var x1575 uint32 - x1575, x1574 = bits.Mul32(x1540, 0xffffffff) - var x1576 uint32 - var x1577 uint32 - x1577, x1576 = bits.Mul32(x1540, 0xffffffff) - var x1578 uint32 - var x1579 uint32 - x1579, x1578 = bits.Mul32(x1540, 0xffffffff) - var x1580 uint32 - var x1581 uint32 - x1581, x1580 = bits.Mul32(x1540, 0xfffffffe) - var x1582 uint32 - var x1583 uint32 - x1583, x1582 = bits.Mul32(x1540, 0xffffffff) - var x1584 uint32 - var x1585 uint32 - x1585, x1584 = bits.Mul32(x1540, 0xffffffff) - var x1586 uint32 - var x1587 uint1 - x1586, x1587 = addcarryxU32(x1583, x1580, 0x0) - var x1588 uint32 - var x1589 uint1 - x1588, x1589 = addcarryxU32(x1581, x1578, x1587) - var x1590 uint32 - var x1591 uint1 - x1590, 
x1591 = addcarryxU32(x1579, x1576, x1589) - var x1592 uint32 - var x1593 uint1 - x1592, x1593 = addcarryxU32(x1577, x1574, x1591) - var x1594 uint32 - var x1595 uint1 - x1594, x1595 = addcarryxU32(x1575, x1572, x1593) - var x1596 uint32 - var x1597 uint1 - x1596, x1597 = addcarryxU32(x1573, x1570, x1595) - var x1598 uint32 - var x1599 uint1 - x1598, x1599 = addcarryxU32(x1571, x1568, x1597) - var x1600 uint32 - var x1601 uint1 - x1600, x1601 = addcarryxU32(x1569, x1566, x1599) - var x1602 uint32 = (uint32(x1601) + x1567) - var x1604 uint1 - _, x1604 = addcarryxU32(x1540, x1584, 0x0) - var x1605 uint32 - var x1606 uint1 - x1605, x1606 = addcarryxU32(x1542, x1585, x1604) - var x1607 uint32 - var x1608 uint1 - x1607, x1608 = addcarryxU32(x1544, uint32(0x0), x1606) - var x1609 uint32 - var x1610 uint1 - x1609, x1610 = addcarryxU32(x1546, x1582, x1608) - var x1611 uint32 - var x1612 uint1 - x1611, x1612 = addcarryxU32(x1548, x1586, x1610) - var x1613 uint32 - var x1614 uint1 - x1613, x1614 = addcarryxU32(x1550, x1588, x1612) - var x1615 uint32 - var x1616 uint1 - x1615, x1616 = addcarryxU32(x1552, x1590, x1614) - var x1617 uint32 - var x1618 uint1 - x1617, x1618 = addcarryxU32(x1554, x1592, x1616) - var x1619 uint32 - var x1620 uint1 - x1619, x1620 = addcarryxU32(x1556, x1594, x1618) - var x1621 uint32 - var x1622 uint1 - x1621, x1622 = addcarryxU32(x1558, x1596, x1620) - var x1623 uint32 - var x1624 uint1 - x1623, x1624 = addcarryxU32(x1560, x1598, x1622) - var x1625 uint32 - var x1626 uint1 - x1625, x1626 = addcarryxU32(x1562, x1600, x1624) - var x1627 uint32 - var x1628 uint1 - x1627, x1628 = addcarryxU32(x1564, x1602, x1626) - var x1629 uint32 = (uint32(x1628) + uint32(x1565)) - var x1630 uint32 - var x1631 uint1 - x1630, x1631 = subborrowxU32(x1605, 0xffffffff, 0x0) - var x1632 uint32 - var x1633 uint1 - x1632, x1633 = subborrowxU32(x1607, uint32(0x0), x1631) - var x1634 uint32 - var x1635 uint1 - x1634, x1635 = subborrowxU32(x1609, uint32(0x0), x1633) - var x1636 
uint32 - var x1637 uint1 - x1636, x1637 = subborrowxU32(x1611, 0xffffffff, x1635) - var x1638 uint32 - var x1639 uint1 - x1638, x1639 = subborrowxU32(x1613, 0xfffffffe, x1637) - var x1640 uint32 - var x1641 uint1 - x1640, x1641 = subborrowxU32(x1615, 0xffffffff, x1639) - var x1642 uint32 - var x1643 uint1 - x1642, x1643 = subborrowxU32(x1617, 0xffffffff, x1641) - var x1644 uint32 - var x1645 uint1 - x1644, x1645 = subborrowxU32(x1619, 0xffffffff, x1643) - var x1646 uint32 - var x1647 uint1 - x1646, x1647 = subborrowxU32(x1621, 0xffffffff, x1645) - var x1648 uint32 - var x1649 uint1 - x1648, x1649 = subborrowxU32(x1623, 0xffffffff, x1647) - var x1650 uint32 - var x1651 uint1 - x1650, x1651 = subborrowxU32(x1625, 0xffffffff, x1649) - var x1652 uint32 - var x1653 uint1 - x1652, x1653 = subborrowxU32(x1627, 0xffffffff, x1651) - var x1655 uint1 - _, x1655 = subborrowxU32(x1629, uint32(0x0), x1653) - var x1656 uint32 - cmovznzU32(&x1656, x1655, x1630, x1605) - var x1657 uint32 - cmovznzU32(&x1657, x1655, x1632, x1607) - var x1658 uint32 - cmovznzU32(&x1658, x1655, x1634, x1609) - var x1659 uint32 - cmovznzU32(&x1659, x1655, x1636, x1611) - var x1660 uint32 - cmovznzU32(&x1660, x1655, x1638, x1613) - var x1661 uint32 - cmovznzU32(&x1661, x1655, x1640, x1615) - var x1662 uint32 - cmovznzU32(&x1662, x1655, x1642, x1617) - var x1663 uint32 - cmovznzU32(&x1663, x1655, x1644, x1619) - var x1664 uint32 - cmovznzU32(&x1664, x1655, x1646, x1621) - var x1665 uint32 - cmovznzU32(&x1665, x1655, x1648, x1623) - var x1666 uint32 - cmovznzU32(&x1666, x1655, x1650, x1625) - var x1667 uint32 - cmovznzU32(&x1667, x1655, x1652, x1627) - out1[0] = x1656 - out1[1] = x1657 - out1[2] = x1658 - out1[3] = x1659 - out1[4] = x1660 - out1[5] = x1661 - out1[6] = x1662 - out1[7] = x1663 - out1[8] = x1664 - out1[9] = x1665 - out1[10] = x1666 - out1[11] = x1667 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[8] + x9 := arg1[9] 
+ x10 := arg1[10] + x11 := arg1[11] + x12 := arg1[0] + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x12, arg1[11]) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x12, arg1[10]) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x12, arg1[9]) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x12, arg1[8]) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x12, arg1[7]) + var x23 uint32 + var x24 uint32 + x24, x23 = bits.Mul32(x12, arg1[6]) + var x25 uint32 + var x26 uint32 + x26, x25 = bits.Mul32(x12, arg1[5]) + var x27 uint32 + var x28 uint32 + x28, x27 = bits.Mul32(x12, arg1[4]) + var x29 uint32 + var x30 uint32 + x30, x29 = bits.Mul32(x12, arg1[3]) + var x31 uint32 + var x32 uint32 + x32, x31 = bits.Mul32(x12, arg1[2]) + var x33 uint32 + var x34 uint32 + x34, x33 = bits.Mul32(x12, arg1[1]) + var x35 uint32 + var x36 uint32 + x36, x35 = bits.Mul32(x12, arg1[0]) + var x37 uint32 + var x38 uint1 + x37, x38 = addcarryxU32(x36, x33, 0x0) + var x39 uint32 + var x40 uint1 + x39, x40 = addcarryxU32(x34, x31, x38) + var x41 uint32 + var x42 uint1 + x41, x42 = addcarryxU32(x32, x29, x40) + var x43 uint32 + var x44 uint1 + x43, x44 = addcarryxU32(x30, x27, x42) + var x45 uint32 + var x46 uint1 + x45, x46 = addcarryxU32(x28, x25, x44) + var x47 uint32 + var x48 uint1 + x47, x48 = addcarryxU32(x26, x23, x46) + var x49 uint32 + var x50 uint1 + x49, x50 = addcarryxU32(x24, x21, x48) + var x51 uint32 + var x52 uint1 + x51, x52 = addcarryxU32(x22, x19, x50) + var x53 uint32 + var x54 uint1 + x53, x54 = addcarryxU32(x20, x17, x52) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x18, x15, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x16, x13, x56) + x59 := (uint32(x58) + x14) + var x60 uint32 + var x61 uint32 + x61, x60 = bits.Mul32(x35, 0xffffffff) + var x62 uint32 + var x63 uint32 + x63, x62 = bits.Mul32(x35, 0xffffffff) + var x64 uint32 + var x65 uint32 + x65, x64 = bits.Mul32(x35, 0xffffffff) + var x66 
uint32 + var x67 uint32 + x67, x66 = bits.Mul32(x35, 0xffffffff) + var x68 uint32 + var x69 uint32 + x69, x68 = bits.Mul32(x35, 0xffffffff) + var x70 uint32 + var x71 uint32 + x71, x70 = bits.Mul32(x35, 0xffffffff) + var x72 uint32 + var x73 uint32 + x73, x72 = bits.Mul32(x35, 0xffffffff) + var x74 uint32 + var x75 uint32 + x75, x74 = bits.Mul32(x35, 0xfffffffe) + var x76 uint32 + var x77 uint32 + x77, x76 = bits.Mul32(x35, 0xffffffff) + var x78 uint32 + var x79 uint32 + x79, x78 = bits.Mul32(x35, 0xffffffff) + var x80 uint32 + var x81 uint1 + x80, x81 = addcarryxU32(x77, x74, 0x0) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x75, x72, x81) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32(x73, x70, x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x71, x68, x85) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x69, x66, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x67, x64, x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x65, x62, x91) + var x94 uint32 + var x95 uint1 + x94, x95 = addcarryxU32(x63, x60, x93) + x96 := (uint32(x95) + x61) + var x98 uint1 + _, x98 = addcarryxU32(x35, x78, 0x0) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x37, x79, x98) + var x101 uint32 + var x102 uint1 + x101, x102 = addcarryxU32(x39, uint32(0x0), x100) + var x103 uint32 + var x104 uint1 + x103, x104 = addcarryxU32(x41, x76, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = addcarryxU32(x43, x80, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = addcarryxU32(x45, x82, x106) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(x47, x84, x108) + var x111 uint32 + var x112 uint1 + x111, x112 = addcarryxU32(x49, x86, x110) + var x113 uint32 + var x114 uint1 + x113, x114 = addcarryxU32(x51, x88, x112) + var x115 uint32 + var x116 uint1 + x115, x116 = addcarryxU32(x53, x90, x114) + var x117 uint32 + var x118 uint1 + x117, x118 = addcarryxU32(x55, x92, x116) + var x119 
uint32 + var x120 uint1 + x119, x120 = addcarryxU32(x57, x94, x118) + var x121 uint32 + var x122 uint1 + x121, x122 = addcarryxU32(x59, x96, x120) + var x123 uint32 + var x124 uint32 + x124, x123 = bits.Mul32(x1, arg1[11]) + var x125 uint32 + var x126 uint32 + x126, x125 = bits.Mul32(x1, arg1[10]) + var x127 uint32 + var x128 uint32 + x128, x127 = bits.Mul32(x1, arg1[9]) + var x129 uint32 + var x130 uint32 + x130, x129 = bits.Mul32(x1, arg1[8]) + var x131 uint32 + var x132 uint32 + x132, x131 = bits.Mul32(x1, arg1[7]) + var x133 uint32 + var x134 uint32 + x134, x133 = bits.Mul32(x1, arg1[6]) + var x135 uint32 + var x136 uint32 + x136, x135 = bits.Mul32(x1, arg1[5]) + var x137 uint32 + var x138 uint32 + x138, x137 = bits.Mul32(x1, arg1[4]) + var x139 uint32 + var x140 uint32 + x140, x139 = bits.Mul32(x1, arg1[3]) + var x141 uint32 + var x142 uint32 + x142, x141 = bits.Mul32(x1, arg1[2]) + var x143 uint32 + var x144 uint32 + x144, x143 = bits.Mul32(x1, arg1[1]) + var x145 uint32 + var x146 uint32 + x146, x145 = bits.Mul32(x1, arg1[0]) + var x147 uint32 + var x148 uint1 + x147, x148 = addcarryxU32(x146, x143, 0x0) + var x149 uint32 + var x150 uint1 + x149, x150 = addcarryxU32(x144, x141, x148) + var x151 uint32 + var x152 uint1 + x151, x152 = addcarryxU32(x142, x139, x150) + var x153 uint32 + var x154 uint1 + x153, x154 = addcarryxU32(x140, x137, x152) + var x155 uint32 + var x156 uint1 + x155, x156 = addcarryxU32(x138, x135, x154) + var x157 uint32 + var x158 uint1 + x157, x158 = addcarryxU32(x136, x133, x156) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x134, x131, x158) + var x161 uint32 + var x162 uint1 + x161, x162 = addcarryxU32(x132, x129, x160) + var x163 uint32 + var x164 uint1 + x163, x164 = addcarryxU32(x130, x127, x162) + var x165 uint32 + var x166 uint1 + x165, x166 = addcarryxU32(x128, x125, x164) + var x167 uint32 + var x168 uint1 + x167, x168 = addcarryxU32(x126, x123, x166) + x169 := (uint32(x168) + x124) + var x170 uint32 + var x171 
uint1 + x170, x171 = addcarryxU32(x99, x145, 0x0) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x101, x147, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x103, x149, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x105, x151, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x107, x153, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x109, x155, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x111, x157, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x113, x159, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x115, x161, x185) + var x188 uint32 + var x189 uint1 + x188, x189 = addcarryxU32(x117, x163, x187) + var x190 uint32 + var x191 uint1 + x190, x191 = addcarryxU32(x119, x165, x189) + var x192 uint32 + var x193 uint1 + x192, x193 = addcarryxU32(x121, x167, x191) + var x194 uint32 + var x195 uint1 + x194, x195 = addcarryxU32(uint32(x122), x169, x193) + var x196 uint32 + var x197 uint32 + x197, x196 = bits.Mul32(x170, 0xffffffff) + var x198 uint32 + var x199 uint32 + x199, x198 = bits.Mul32(x170, 0xffffffff) + var x200 uint32 + var x201 uint32 + x201, x200 = bits.Mul32(x170, 0xffffffff) + var x202 uint32 + var x203 uint32 + x203, x202 = bits.Mul32(x170, 0xffffffff) + var x204 uint32 + var x205 uint32 + x205, x204 = bits.Mul32(x170, 0xffffffff) + var x206 uint32 + var x207 uint32 + x207, x206 = bits.Mul32(x170, 0xffffffff) + var x208 uint32 + var x209 uint32 + x209, x208 = bits.Mul32(x170, 0xffffffff) + var x210 uint32 + var x211 uint32 + x211, x210 = bits.Mul32(x170, 0xfffffffe) + var x212 uint32 + var x213 uint32 + x213, x212 = bits.Mul32(x170, 0xffffffff) + var x214 uint32 + var x215 uint32 + x215, x214 = bits.Mul32(x170, 0xffffffff) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x213, x210, 0x0) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x211, x208, x217) + var 
x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x209, x206, x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x207, x204, x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x205, x202, x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x203, x200, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x201, x198, x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x199, x196, x229) + x232 := (uint32(x231) + x197) + var x234 uint1 + _, x234 = addcarryxU32(x170, x214, 0x0) + var x235 uint32 + var x236 uint1 + x235, x236 = addcarryxU32(x172, x215, x234) + var x237 uint32 + var x238 uint1 + x237, x238 = addcarryxU32(x174, uint32(0x0), x236) + var x239 uint32 + var x240 uint1 + x239, x240 = addcarryxU32(x176, x212, x238) + var x241 uint32 + var x242 uint1 + x241, x242 = addcarryxU32(x178, x216, x240) + var x243 uint32 + var x244 uint1 + x243, x244 = addcarryxU32(x180, x218, x242) + var x245 uint32 + var x246 uint1 + x245, x246 = addcarryxU32(x182, x220, x244) + var x247 uint32 + var x248 uint1 + x247, x248 = addcarryxU32(x184, x222, x246) + var x249 uint32 + var x250 uint1 + x249, x250 = addcarryxU32(x186, x224, x248) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x188, x226, x250) + var x253 uint32 + var x254 uint1 + x253, x254 = addcarryxU32(x190, x228, x252) + var x255 uint32 + var x256 uint1 + x255, x256 = addcarryxU32(x192, x230, x254) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x194, x232, x256) + x259 := (uint32(x258) + uint32(x195)) + var x260 uint32 + var x261 uint32 + x261, x260 = bits.Mul32(x2, arg1[11]) + var x262 uint32 + var x263 uint32 + x263, x262 = bits.Mul32(x2, arg1[10]) + var x264 uint32 + var x265 uint32 + x265, x264 = bits.Mul32(x2, arg1[9]) + var x266 uint32 + var x267 uint32 + x267, x266 = bits.Mul32(x2, arg1[8]) + var x268 uint32 + var x269 uint32 + x269, x268 = bits.Mul32(x2, arg1[7]) + var x270 uint32 + var x271 
uint32 + x271, x270 = bits.Mul32(x2, arg1[6]) + var x272 uint32 + var x273 uint32 + x273, x272 = bits.Mul32(x2, arg1[5]) + var x274 uint32 + var x275 uint32 + x275, x274 = bits.Mul32(x2, arg1[4]) + var x276 uint32 + var x277 uint32 + x277, x276 = bits.Mul32(x2, arg1[3]) + var x278 uint32 + var x279 uint32 + x279, x278 = bits.Mul32(x2, arg1[2]) + var x280 uint32 + var x281 uint32 + x281, x280 = bits.Mul32(x2, arg1[1]) + var x282 uint32 + var x283 uint32 + x283, x282 = bits.Mul32(x2, arg1[0]) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x283, x280, 0x0) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x281, x278, x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x279, x276, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x277, x274, x289) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x275, x272, x291) + var x294 uint32 + var x295 uint1 + x294, x295 = addcarryxU32(x273, x270, x293) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x271, x268, x295) + var x298 uint32 + var x299 uint1 + x298, x299 = addcarryxU32(x269, x266, x297) + var x300 uint32 + var x301 uint1 + x300, x301 = addcarryxU32(x267, x264, x299) + var x302 uint32 + var x303 uint1 + x302, x303 = addcarryxU32(x265, x262, x301) + var x304 uint32 + var x305 uint1 + x304, x305 = addcarryxU32(x263, x260, x303) + x306 := (uint32(x305) + x261) + var x307 uint32 + var x308 uint1 + x307, x308 = addcarryxU32(x235, x282, 0x0) + var x309 uint32 + var x310 uint1 + x309, x310 = addcarryxU32(x237, x284, x308) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x239, x286, x310) + var x313 uint32 + var x314 uint1 + x313, x314 = addcarryxU32(x241, x288, x312) + var x315 uint32 + var x316 uint1 + x315, x316 = addcarryxU32(x243, x290, x314) + var x317 uint32 + var x318 uint1 + x317, x318 = addcarryxU32(x245, x292, x316) + var x319 uint32 + var x320 uint1 + x319, x320 = addcarryxU32(x247, x294, x318) + var x321 
uint32 + var x322 uint1 + x321, x322 = addcarryxU32(x249, x296, x320) + var x323 uint32 + var x324 uint1 + x323, x324 = addcarryxU32(x251, x298, x322) + var x325 uint32 + var x326 uint1 + x325, x326 = addcarryxU32(x253, x300, x324) + var x327 uint32 + var x328 uint1 + x327, x328 = addcarryxU32(x255, x302, x326) + var x329 uint32 + var x330 uint1 + x329, x330 = addcarryxU32(x257, x304, x328) + var x331 uint32 + var x332 uint1 + x331, x332 = addcarryxU32(x259, x306, x330) + var x333 uint32 + var x334 uint32 + x334, x333 = bits.Mul32(x307, 0xffffffff) + var x335 uint32 + var x336 uint32 + x336, x335 = bits.Mul32(x307, 0xffffffff) + var x337 uint32 + var x338 uint32 + x338, x337 = bits.Mul32(x307, 0xffffffff) + var x339 uint32 + var x340 uint32 + x340, x339 = bits.Mul32(x307, 0xffffffff) + var x341 uint32 + var x342 uint32 + x342, x341 = bits.Mul32(x307, 0xffffffff) + var x343 uint32 + var x344 uint32 + x344, x343 = bits.Mul32(x307, 0xffffffff) + var x345 uint32 + var x346 uint32 + x346, x345 = bits.Mul32(x307, 0xffffffff) + var x347 uint32 + var x348 uint32 + x348, x347 = bits.Mul32(x307, 0xfffffffe) + var x349 uint32 + var x350 uint32 + x350, x349 = bits.Mul32(x307, 0xffffffff) + var x351 uint32 + var x352 uint32 + x352, x351 = bits.Mul32(x307, 0xffffffff) + var x353 uint32 + var x354 uint1 + x353, x354 = addcarryxU32(x350, x347, 0x0) + var x355 uint32 + var x356 uint1 + x355, x356 = addcarryxU32(x348, x345, x354) + var x357 uint32 + var x358 uint1 + x357, x358 = addcarryxU32(x346, x343, x356) + var x359 uint32 + var x360 uint1 + x359, x360 = addcarryxU32(x344, x341, x358) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x342, x339, x360) + var x363 uint32 + var x364 uint1 + x363, x364 = addcarryxU32(x340, x337, x362) + var x365 uint32 + var x366 uint1 + x365, x366 = addcarryxU32(x338, x335, x364) + var x367 uint32 + var x368 uint1 + x367, x368 = addcarryxU32(x336, x333, x366) + x369 := (uint32(x368) + x334) + var x371 uint1 + _, x371 = 
addcarryxU32(x307, x351, 0x0) + var x372 uint32 + var x373 uint1 + x372, x373 = addcarryxU32(x309, x352, x371) + var x374 uint32 + var x375 uint1 + x374, x375 = addcarryxU32(x311, uint32(0x0), x373) + var x376 uint32 + var x377 uint1 + x376, x377 = addcarryxU32(x313, x349, x375) + var x378 uint32 + var x379 uint1 + x378, x379 = addcarryxU32(x315, x353, x377) + var x380 uint32 + var x381 uint1 + x380, x381 = addcarryxU32(x317, x355, x379) + var x382 uint32 + var x383 uint1 + x382, x383 = addcarryxU32(x319, x357, x381) + var x384 uint32 + var x385 uint1 + x384, x385 = addcarryxU32(x321, x359, x383) + var x386 uint32 + var x387 uint1 + x386, x387 = addcarryxU32(x323, x361, x385) + var x388 uint32 + var x389 uint1 + x388, x389 = addcarryxU32(x325, x363, x387) + var x390 uint32 + var x391 uint1 + x390, x391 = addcarryxU32(x327, x365, x389) + var x392 uint32 + var x393 uint1 + x392, x393 = addcarryxU32(x329, x367, x391) + var x394 uint32 + var x395 uint1 + x394, x395 = addcarryxU32(x331, x369, x393) + x396 := (uint32(x395) + uint32(x332)) + var x397 uint32 + var x398 uint32 + x398, x397 = bits.Mul32(x3, arg1[11]) + var x399 uint32 + var x400 uint32 + x400, x399 = bits.Mul32(x3, arg1[10]) + var x401 uint32 + var x402 uint32 + x402, x401 = bits.Mul32(x3, arg1[9]) + var x403 uint32 + var x404 uint32 + x404, x403 = bits.Mul32(x3, arg1[8]) + var x405 uint32 + var x406 uint32 + x406, x405 = bits.Mul32(x3, arg1[7]) + var x407 uint32 + var x408 uint32 + x408, x407 = bits.Mul32(x3, arg1[6]) + var x409 uint32 + var x410 uint32 + x410, x409 = bits.Mul32(x3, arg1[5]) + var x411 uint32 + var x412 uint32 + x412, x411 = bits.Mul32(x3, arg1[4]) + var x413 uint32 + var x414 uint32 + x414, x413 = bits.Mul32(x3, arg1[3]) + var x415 uint32 + var x416 uint32 + x416, x415 = bits.Mul32(x3, arg1[2]) + var x417 uint32 + var x418 uint32 + x418, x417 = bits.Mul32(x3, arg1[1]) + var x419 uint32 + var x420 uint32 + x420, x419 = bits.Mul32(x3, arg1[0]) + var x421 uint32 + var x422 uint1 + x421, x422 
= addcarryxU32(x420, x417, 0x0) + var x423 uint32 + var x424 uint1 + x423, x424 = addcarryxU32(x418, x415, x422) + var x425 uint32 + var x426 uint1 + x425, x426 = addcarryxU32(x416, x413, x424) + var x427 uint32 + var x428 uint1 + x427, x428 = addcarryxU32(x414, x411, x426) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x412, x409, x428) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x410, x407, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x408, x405, x432) + var x435 uint32 + var x436 uint1 + x435, x436 = addcarryxU32(x406, x403, x434) + var x437 uint32 + var x438 uint1 + x437, x438 = addcarryxU32(x404, x401, x436) + var x439 uint32 + var x440 uint1 + x439, x440 = addcarryxU32(x402, x399, x438) + var x441 uint32 + var x442 uint1 + x441, x442 = addcarryxU32(x400, x397, x440) + x443 := (uint32(x442) + x398) + var x444 uint32 + var x445 uint1 + x444, x445 = addcarryxU32(x372, x419, 0x0) + var x446 uint32 + var x447 uint1 + x446, x447 = addcarryxU32(x374, x421, x445) + var x448 uint32 + var x449 uint1 + x448, x449 = addcarryxU32(x376, x423, x447) + var x450 uint32 + var x451 uint1 + x450, x451 = addcarryxU32(x378, x425, x449) + var x452 uint32 + var x453 uint1 + x452, x453 = addcarryxU32(x380, x427, x451) + var x454 uint32 + var x455 uint1 + x454, x455 = addcarryxU32(x382, x429, x453) + var x456 uint32 + var x457 uint1 + x456, x457 = addcarryxU32(x384, x431, x455) + var x458 uint32 + var x459 uint1 + x458, x459 = addcarryxU32(x386, x433, x457) + var x460 uint32 + var x461 uint1 + x460, x461 = addcarryxU32(x388, x435, x459) + var x462 uint32 + var x463 uint1 + x462, x463 = addcarryxU32(x390, x437, x461) + var x464 uint32 + var x465 uint1 + x464, x465 = addcarryxU32(x392, x439, x463) + var x466 uint32 + var x467 uint1 + x466, x467 = addcarryxU32(x394, x441, x465) + var x468 uint32 + var x469 uint1 + x468, x469 = addcarryxU32(x396, x443, x467) + var x470 uint32 + var x471 uint32 + x471, x470 = bits.Mul32(x444, 
0xffffffff) + var x472 uint32 + var x473 uint32 + x473, x472 = bits.Mul32(x444, 0xffffffff) + var x474 uint32 + var x475 uint32 + x475, x474 = bits.Mul32(x444, 0xffffffff) + var x476 uint32 + var x477 uint32 + x477, x476 = bits.Mul32(x444, 0xffffffff) + var x478 uint32 + var x479 uint32 + x479, x478 = bits.Mul32(x444, 0xffffffff) + var x480 uint32 + var x481 uint32 + x481, x480 = bits.Mul32(x444, 0xffffffff) + var x482 uint32 + var x483 uint32 + x483, x482 = bits.Mul32(x444, 0xffffffff) + var x484 uint32 + var x485 uint32 + x485, x484 = bits.Mul32(x444, 0xfffffffe) + var x486 uint32 + var x487 uint32 + x487, x486 = bits.Mul32(x444, 0xffffffff) + var x488 uint32 + var x489 uint32 + x489, x488 = bits.Mul32(x444, 0xffffffff) + var x490 uint32 + var x491 uint1 + x490, x491 = addcarryxU32(x487, x484, 0x0) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x485, x482, x491) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x483, x480, x493) + var x496 uint32 + var x497 uint1 + x496, x497 = addcarryxU32(x481, x478, x495) + var x498 uint32 + var x499 uint1 + x498, x499 = addcarryxU32(x479, x476, x497) + var x500 uint32 + var x501 uint1 + x500, x501 = addcarryxU32(x477, x474, x499) + var x502 uint32 + var x503 uint1 + x502, x503 = addcarryxU32(x475, x472, x501) + var x504 uint32 + var x505 uint1 + x504, x505 = addcarryxU32(x473, x470, x503) + x506 := (uint32(x505) + x471) + var x508 uint1 + _, x508 = addcarryxU32(x444, x488, 0x0) + var x509 uint32 + var x510 uint1 + x509, x510 = addcarryxU32(x446, x489, x508) + var x511 uint32 + var x512 uint1 + x511, x512 = addcarryxU32(x448, uint32(0x0), x510) + var x513 uint32 + var x514 uint1 + x513, x514 = addcarryxU32(x450, x486, x512) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x452, x490, x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x454, x492, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x456, x494, x518) + var x521 uint32 + var x522 uint1 + 
x521, x522 = addcarryxU32(x458, x496, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x460, x498, x522) + var x525 uint32 + var x526 uint1 + x525, x526 = addcarryxU32(x462, x500, x524) + var x527 uint32 + var x528 uint1 + x527, x528 = addcarryxU32(x464, x502, x526) + var x529 uint32 + var x530 uint1 + x529, x530 = addcarryxU32(x466, x504, x528) + var x531 uint32 + var x532 uint1 + x531, x532 = addcarryxU32(x468, x506, x530) + x533 := (uint32(x532) + uint32(x469)) + var x534 uint32 + var x535 uint32 + x535, x534 = bits.Mul32(x4, arg1[11]) + var x536 uint32 + var x537 uint32 + x537, x536 = bits.Mul32(x4, arg1[10]) + var x538 uint32 + var x539 uint32 + x539, x538 = bits.Mul32(x4, arg1[9]) + var x540 uint32 + var x541 uint32 + x541, x540 = bits.Mul32(x4, arg1[8]) + var x542 uint32 + var x543 uint32 + x543, x542 = bits.Mul32(x4, arg1[7]) + var x544 uint32 + var x545 uint32 + x545, x544 = bits.Mul32(x4, arg1[6]) + var x546 uint32 + var x547 uint32 + x547, x546 = bits.Mul32(x4, arg1[5]) + var x548 uint32 + var x549 uint32 + x549, x548 = bits.Mul32(x4, arg1[4]) + var x550 uint32 + var x551 uint32 + x551, x550 = bits.Mul32(x4, arg1[3]) + var x552 uint32 + var x553 uint32 + x553, x552 = bits.Mul32(x4, arg1[2]) + var x554 uint32 + var x555 uint32 + x555, x554 = bits.Mul32(x4, arg1[1]) + var x556 uint32 + var x557 uint32 + x557, x556 = bits.Mul32(x4, arg1[0]) + var x558 uint32 + var x559 uint1 + x558, x559 = addcarryxU32(x557, x554, 0x0) + var x560 uint32 + var x561 uint1 + x560, x561 = addcarryxU32(x555, x552, x559) + var x562 uint32 + var x563 uint1 + x562, x563 = addcarryxU32(x553, x550, x561) + var x564 uint32 + var x565 uint1 + x564, x565 = addcarryxU32(x551, x548, x563) + var x566 uint32 + var x567 uint1 + x566, x567 = addcarryxU32(x549, x546, x565) + var x568 uint32 + var x569 uint1 + x568, x569 = addcarryxU32(x547, x544, x567) + var x570 uint32 + var x571 uint1 + x570, x571 = addcarryxU32(x545, x542, x569) + var x572 uint32 + var x573 uint1 + x572, 
x573 = addcarryxU32(x543, x540, x571) + var x574 uint32 + var x575 uint1 + x574, x575 = addcarryxU32(x541, x538, x573) + var x576 uint32 + var x577 uint1 + x576, x577 = addcarryxU32(x539, x536, x575) + var x578 uint32 + var x579 uint1 + x578, x579 = addcarryxU32(x537, x534, x577) + x580 := (uint32(x579) + x535) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x509, x556, 0x0) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32(x511, x558, x582) + var x585 uint32 + var x586 uint1 + x585, x586 = addcarryxU32(x513, x560, x584) + var x587 uint32 + var x588 uint1 + x587, x588 = addcarryxU32(x515, x562, x586) + var x589 uint32 + var x590 uint1 + x589, x590 = addcarryxU32(x517, x564, x588) + var x591 uint32 + var x592 uint1 + x591, x592 = addcarryxU32(x519, x566, x590) + var x593 uint32 + var x594 uint1 + x593, x594 = addcarryxU32(x521, x568, x592) + var x595 uint32 + var x596 uint1 + x595, x596 = addcarryxU32(x523, x570, x594) + var x597 uint32 + var x598 uint1 + x597, x598 = addcarryxU32(x525, x572, x596) + var x599 uint32 + var x600 uint1 + x599, x600 = addcarryxU32(x527, x574, x598) + var x601 uint32 + var x602 uint1 + x601, x602 = addcarryxU32(x529, x576, x600) + var x603 uint32 + var x604 uint1 + x603, x604 = addcarryxU32(x531, x578, x602) + var x605 uint32 + var x606 uint1 + x605, x606 = addcarryxU32(x533, x580, x604) + var x607 uint32 + var x608 uint32 + x608, x607 = bits.Mul32(x581, 0xffffffff) + var x609 uint32 + var x610 uint32 + x610, x609 = bits.Mul32(x581, 0xffffffff) + var x611 uint32 + var x612 uint32 + x612, x611 = bits.Mul32(x581, 0xffffffff) + var x613 uint32 + var x614 uint32 + x614, x613 = bits.Mul32(x581, 0xffffffff) + var x615 uint32 + var x616 uint32 + x616, x615 = bits.Mul32(x581, 0xffffffff) + var x617 uint32 + var x618 uint32 + x618, x617 = bits.Mul32(x581, 0xffffffff) + var x619 uint32 + var x620 uint32 + x620, x619 = bits.Mul32(x581, 0xffffffff) + var x621 uint32 + var x622 uint32 + x622, x621 = bits.Mul32(x581, 
0xfffffffe) + var x623 uint32 + var x624 uint32 + x624, x623 = bits.Mul32(x581, 0xffffffff) + var x625 uint32 + var x626 uint32 + x626, x625 = bits.Mul32(x581, 0xffffffff) + var x627 uint32 + var x628 uint1 + x627, x628 = addcarryxU32(x624, x621, 0x0) + var x629 uint32 + var x630 uint1 + x629, x630 = addcarryxU32(x622, x619, x628) + var x631 uint32 + var x632 uint1 + x631, x632 = addcarryxU32(x620, x617, x630) + var x633 uint32 + var x634 uint1 + x633, x634 = addcarryxU32(x618, x615, x632) + var x635 uint32 + var x636 uint1 + x635, x636 = addcarryxU32(x616, x613, x634) + var x637 uint32 + var x638 uint1 + x637, x638 = addcarryxU32(x614, x611, x636) + var x639 uint32 + var x640 uint1 + x639, x640 = addcarryxU32(x612, x609, x638) + var x641 uint32 + var x642 uint1 + x641, x642 = addcarryxU32(x610, x607, x640) + x643 := (uint32(x642) + x608) + var x645 uint1 + _, x645 = addcarryxU32(x581, x625, 0x0) + var x646 uint32 + var x647 uint1 + x646, x647 = addcarryxU32(x583, x626, x645) + var x648 uint32 + var x649 uint1 + x648, x649 = addcarryxU32(x585, uint32(0x0), x647) + var x650 uint32 + var x651 uint1 + x650, x651 = addcarryxU32(x587, x623, x649) + var x652 uint32 + var x653 uint1 + x652, x653 = addcarryxU32(x589, x627, x651) + var x654 uint32 + var x655 uint1 + x654, x655 = addcarryxU32(x591, x629, x653) + var x656 uint32 + var x657 uint1 + x656, x657 = addcarryxU32(x593, x631, x655) + var x658 uint32 + var x659 uint1 + x658, x659 = addcarryxU32(x595, x633, x657) + var x660 uint32 + var x661 uint1 + x660, x661 = addcarryxU32(x597, x635, x659) + var x662 uint32 + var x663 uint1 + x662, x663 = addcarryxU32(x599, x637, x661) + var x664 uint32 + var x665 uint1 + x664, x665 = addcarryxU32(x601, x639, x663) + var x666 uint32 + var x667 uint1 + x666, x667 = addcarryxU32(x603, x641, x665) + var x668 uint32 + var x669 uint1 + x668, x669 = addcarryxU32(x605, x643, x667) + x670 := (uint32(x669) + uint32(x606)) + var x671 uint32 + var x672 uint32 + x672, x671 = bits.Mul32(x5, 
arg1[11]) + var x673 uint32 + var x674 uint32 + x674, x673 = bits.Mul32(x5, arg1[10]) + var x675 uint32 + var x676 uint32 + x676, x675 = bits.Mul32(x5, arg1[9]) + var x677 uint32 + var x678 uint32 + x678, x677 = bits.Mul32(x5, arg1[8]) + var x679 uint32 + var x680 uint32 + x680, x679 = bits.Mul32(x5, arg1[7]) + var x681 uint32 + var x682 uint32 + x682, x681 = bits.Mul32(x5, arg1[6]) + var x683 uint32 + var x684 uint32 + x684, x683 = bits.Mul32(x5, arg1[5]) + var x685 uint32 + var x686 uint32 + x686, x685 = bits.Mul32(x5, arg1[4]) + var x687 uint32 + var x688 uint32 + x688, x687 = bits.Mul32(x5, arg1[3]) + var x689 uint32 + var x690 uint32 + x690, x689 = bits.Mul32(x5, arg1[2]) + var x691 uint32 + var x692 uint32 + x692, x691 = bits.Mul32(x5, arg1[1]) + var x693 uint32 + var x694 uint32 + x694, x693 = bits.Mul32(x5, arg1[0]) + var x695 uint32 + var x696 uint1 + x695, x696 = addcarryxU32(x694, x691, 0x0) + var x697 uint32 + var x698 uint1 + x697, x698 = addcarryxU32(x692, x689, x696) + var x699 uint32 + var x700 uint1 + x699, x700 = addcarryxU32(x690, x687, x698) + var x701 uint32 + var x702 uint1 + x701, x702 = addcarryxU32(x688, x685, x700) + var x703 uint32 + var x704 uint1 + x703, x704 = addcarryxU32(x686, x683, x702) + var x705 uint32 + var x706 uint1 + x705, x706 = addcarryxU32(x684, x681, x704) + var x707 uint32 + var x708 uint1 + x707, x708 = addcarryxU32(x682, x679, x706) + var x709 uint32 + var x710 uint1 + x709, x710 = addcarryxU32(x680, x677, x708) + var x711 uint32 + var x712 uint1 + x711, x712 = addcarryxU32(x678, x675, x710) + var x713 uint32 + var x714 uint1 + x713, x714 = addcarryxU32(x676, x673, x712) + var x715 uint32 + var x716 uint1 + x715, x716 = addcarryxU32(x674, x671, x714) + x717 := (uint32(x716) + x672) + var x718 uint32 + var x719 uint1 + x718, x719 = addcarryxU32(x646, x693, 0x0) + var x720 uint32 + var x721 uint1 + x720, x721 = addcarryxU32(x648, x695, x719) + var x722 uint32 + var x723 uint1 + x722, x723 = addcarryxU32(x650, x697, x721) 
+ var x724 uint32 + var x725 uint1 + x724, x725 = addcarryxU32(x652, x699, x723) + var x726 uint32 + var x727 uint1 + x726, x727 = addcarryxU32(x654, x701, x725) + var x728 uint32 + var x729 uint1 + x728, x729 = addcarryxU32(x656, x703, x727) + var x730 uint32 + var x731 uint1 + x730, x731 = addcarryxU32(x658, x705, x729) + var x732 uint32 + var x733 uint1 + x732, x733 = addcarryxU32(x660, x707, x731) + var x734 uint32 + var x735 uint1 + x734, x735 = addcarryxU32(x662, x709, x733) + var x736 uint32 + var x737 uint1 + x736, x737 = addcarryxU32(x664, x711, x735) + var x738 uint32 + var x739 uint1 + x738, x739 = addcarryxU32(x666, x713, x737) + var x740 uint32 + var x741 uint1 + x740, x741 = addcarryxU32(x668, x715, x739) + var x742 uint32 + var x743 uint1 + x742, x743 = addcarryxU32(x670, x717, x741) + var x744 uint32 + var x745 uint32 + x745, x744 = bits.Mul32(x718, 0xffffffff) + var x746 uint32 + var x747 uint32 + x747, x746 = bits.Mul32(x718, 0xffffffff) + var x748 uint32 + var x749 uint32 + x749, x748 = bits.Mul32(x718, 0xffffffff) + var x750 uint32 + var x751 uint32 + x751, x750 = bits.Mul32(x718, 0xffffffff) + var x752 uint32 + var x753 uint32 + x753, x752 = bits.Mul32(x718, 0xffffffff) + var x754 uint32 + var x755 uint32 + x755, x754 = bits.Mul32(x718, 0xffffffff) + var x756 uint32 + var x757 uint32 + x757, x756 = bits.Mul32(x718, 0xffffffff) + var x758 uint32 + var x759 uint32 + x759, x758 = bits.Mul32(x718, 0xfffffffe) + var x760 uint32 + var x761 uint32 + x761, x760 = bits.Mul32(x718, 0xffffffff) + var x762 uint32 + var x763 uint32 + x763, x762 = bits.Mul32(x718, 0xffffffff) + var x764 uint32 + var x765 uint1 + x764, x765 = addcarryxU32(x761, x758, 0x0) + var x766 uint32 + var x767 uint1 + x766, x767 = addcarryxU32(x759, x756, x765) + var x768 uint32 + var x769 uint1 + x768, x769 = addcarryxU32(x757, x754, x767) + var x770 uint32 + var x771 uint1 + x770, x771 = addcarryxU32(x755, x752, x769) + var x772 uint32 + var x773 uint1 + x772, x773 = 
addcarryxU32(x753, x750, x771) + var x774 uint32 + var x775 uint1 + x774, x775 = addcarryxU32(x751, x748, x773) + var x776 uint32 + var x777 uint1 + x776, x777 = addcarryxU32(x749, x746, x775) + var x778 uint32 + var x779 uint1 + x778, x779 = addcarryxU32(x747, x744, x777) + x780 := (uint32(x779) + x745) + var x782 uint1 + _, x782 = addcarryxU32(x718, x762, 0x0) + var x783 uint32 + var x784 uint1 + x783, x784 = addcarryxU32(x720, x763, x782) + var x785 uint32 + var x786 uint1 + x785, x786 = addcarryxU32(x722, uint32(0x0), x784) + var x787 uint32 + var x788 uint1 + x787, x788 = addcarryxU32(x724, x760, x786) + var x789 uint32 + var x790 uint1 + x789, x790 = addcarryxU32(x726, x764, x788) + var x791 uint32 + var x792 uint1 + x791, x792 = addcarryxU32(x728, x766, x790) + var x793 uint32 + var x794 uint1 + x793, x794 = addcarryxU32(x730, x768, x792) + var x795 uint32 + var x796 uint1 + x795, x796 = addcarryxU32(x732, x770, x794) + var x797 uint32 + var x798 uint1 + x797, x798 = addcarryxU32(x734, x772, x796) + var x799 uint32 + var x800 uint1 + x799, x800 = addcarryxU32(x736, x774, x798) + var x801 uint32 + var x802 uint1 + x801, x802 = addcarryxU32(x738, x776, x800) + var x803 uint32 + var x804 uint1 + x803, x804 = addcarryxU32(x740, x778, x802) + var x805 uint32 + var x806 uint1 + x805, x806 = addcarryxU32(x742, x780, x804) + x807 := (uint32(x806) + uint32(x743)) + var x808 uint32 + var x809 uint32 + x809, x808 = bits.Mul32(x6, arg1[11]) + var x810 uint32 + var x811 uint32 + x811, x810 = bits.Mul32(x6, arg1[10]) + var x812 uint32 + var x813 uint32 + x813, x812 = bits.Mul32(x6, arg1[9]) + var x814 uint32 + var x815 uint32 + x815, x814 = bits.Mul32(x6, arg1[8]) + var x816 uint32 + var x817 uint32 + x817, x816 = bits.Mul32(x6, arg1[7]) + var x818 uint32 + var x819 uint32 + x819, x818 = bits.Mul32(x6, arg1[6]) + var x820 uint32 + var x821 uint32 + x821, x820 = bits.Mul32(x6, arg1[5]) + var x822 uint32 + var x823 uint32 + x823, x822 = bits.Mul32(x6, arg1[4]) + var x824 
uint32 + var x825 uint32 + x825, x824 = bits.Mul32(x6, arg1[3]) + var x826 uint32 + var x827 uint32 + x827, x826 = bits.Mul32(x6, arg1[2]) + var x828 uint32 + var x829 uint32 + x829, x828 = bits.Mul32(x6, arg1[1]) + var x830 uint32 + var x831 uint32 + x831, x830 = bits.Mul32(x6, arg1[0]) + var x832 uint32 + var x833 uint1 + x832, x833 = addcarryxU32(x831, x828, 0x0) + var x834 uint32 + var x835 uint1 + x834, x835 = addcarryxU32(x829, x826, x833) + var x836 uint32 + var x837 uint1 + x836, x837 = addcarryxU32(x827, x824, x835) + var x838 uint32 + var x839 uint1 + x838, x839 = addcarryxU32(x825, x822, x837) + var x840 uint32 + var x841 uint1 + x840, x841 = addcarryxU32(x823, x820, x839) + var x842 uint32 + var x843 uint1 + x842, x843 = addcarryxU32(x821, x818, x841) + var x844 uint32 + var x845 uint1 + x844, x845 = addcarryxU32(x819, x816, x843) + var x846 uint32 + var x847 uint1 + x846, x847 = addcarryxU32(x817, x814, x845) + var x848 uint32 + var x849 uint1 + x848, x849 = addcarryxU32(x815, x812, x847) + var x850 uint32 + var x851 uint1 + x850, x851 = addcarryxU32(x813, x810, x849) + var x852 uint32 + var x853 uint1 + x852, x853 = addcarryxU32(x811, x808, x851) + x854 := (uint32(x853) + x809) + var x855 uint32 + var x856 uint1 + x855, x856 = addcarryxU32(x783, x830, 0x0) + var x857 uint32 + var x858 uint1 + x857, x858 = addcarryxU32(x785, x832, x856) + var x859 uint32 + var x860 uint1 + x859, x860 = addcarryxU32(x787, x834, x858) + var x861 uint32 + var x862 uint1 + x861, x862 = addcarryxU32(x789, x836, x860) + var x863 uint32 + var x864 uint1 + x863, x864 = addcarryxU32(x791, x838, x862) + var x865 uint32 + var x866 uint1 + x865, x866 = addcarryxU32(x793, x840, x864) + var x867 uint32 + var x868 uint1 + x867, x868 = addcarryxU32(x795, x842, x866) + var x869 uint32 + var x870 uint1 + x869, x870 = addcarryxU32(x797, x844, x868) + var x871 uint32 + var x872 uint1 + x871, x872 = addcarryxU32(x799, x846, x870) + var x873 uint32 + var x874 uint1 + x873, x874 = 
addcarryxU32(x801, x848, x872) + var x875 uint32 + var x876 uint1 + x875, x876 = addcarryxU32(x803, x850, x874) + var x877 uint32 + var x878 uint1 + x877, x878 = addcarryxU32(x805, x852, x876) + var x879 uint32 + var x880 uint1 + x879, x880 = addcarryxU32(x807, x854, x878) + var x881 uint32 + var x882 uint32 + x882, x881 = bits.Mul32(x855, 0xffffffff) + var x883 uint32 + var x884 uint32 + x884, x883 = bits.Mul32(x855, 0xffffffff) + var x885 uint32 + var x886 uint32 + x886, x885 = bits.Mul32(x855, 0xffffffff) + var x887 uint32 + var x888 uint32 + x888, x887 = bits.Mul32(x855, 0xffffffff) + var x889 uint32 + var x890 uint32 + x890, x889 = bits.Mul32(x855, 0xffffffff) + var x891 uint32 + var x892 uint32 + x892, x891 = bits.Mul32(x855, 0xffffffff) + var x893 uint32 + var x894 uint32 + x894, x893 = bits.Mul32(x855, 0xffffffff) + var x895 uint32 + var x896 uint32 + x896, x895 = bits.Mul32(x855, 0xfffffffe) + var x897 uint32 + var x898 uint32 + x898, x897 = bits.Mul32(x855, 0xffffffff) + var x899 uint32 + var x900 uint32 + x900, x899 = bits.Mul32(x855, 0xffffffff) + var x901 uint32 + var x902 uint1 + x901, x902 = addcarryxU32(x898, x895, 0x0) + var x903 uint32 + var x904 uint1 + x903, x904 = addcarryxU32(x896, x893, x902) + var x905 uint32 + var x906 uint1 + x905, x906 = addcarryxU32(x894, x891, x904) + var x907 uint32 + var x908 uint1 + x907, x908 = addcarryxU32(x892, x889, x906) + var x909 uint32 + var x910 uint1 + x909, x910 = addcarryxU32(x890, x887, x908) + var x911 uint32 + var x912 uint1 + x911, x912 = addcarryxU32(x888, x885, x910) + var x913 uint32 + var x914 uint1 + x913, x914 = addcarryxU32(x886, x883, x912) + var x915 uint32 + var x916 uint1 + x915, x916 = addcarryxU32(x884, x881, x914) + x917 := (uint32(x916) + x882) + var x919 uint1 + _, x919 = addcarryxU32(x855, x899, 0x0) + var x920 uint32 + var x921 uint1 + x920, x921 = addcarryxU32(x857, x900, x919) + var x922 uint32 + var x923 uint1 + x922, x923 = addcarryxU32(x859, uint32(0x0), x921) + var x924 uint32 
+ var x925 uint1 + x924, x925 = addcarryxU32(x861, x897, x923) + var x926 uint32 + var x927 uint1 + x926, x927 = addcarryxU32(x863, x901, x925) + var x928 uint32 + var x929 uint1 + x928, x929 = addcarryxU32(x865, x903, x927) + var x930 uint32 + var x931 uint1 + x930, x931 = addcarryxU32(x867, x905, x929) + var x932 uint32 + var x933 uint1 + x932, x933 = addcarryxU32(x869, x907, x931) + var x934 uint32 + var x935 uint1 + x934, x935 = addcarryxU32(x871, x909, x933) + var x936 uint32 + var x937 uint1 + x936, x937 = addcarryxU32(x873, x911, x935) + var x938 uint32 + var x939 uint1 + x938, x939 = addcarryxU32(x875, x913, x937) + var x940 uint32 + var x941 uint1 + x940, x941 = addcarryxU32(x877, x915, x939) + var x942 uint32 + var x943 uint1 + x942, x943 = addcarryxU32(x879, x917, x941) + x944 := (uint32(x943) + uint32(x880)) + var x945 uint32 + var x946 uint32 + x946, x945 = bits.Mul32(x7, arg1[11]) + var x947 uint32 + var x948 uint32 + x948, x947 = bits.Mul32(x7, arg1[10]) + var x949 uint32 + var x950 uint32 + x950, x949 = bits.Mul32(x7, arg1[9]) + var x951 uint32 + var x952 uint32 + x952, x951 = bits.Mul32(x7, arg1[8]) + var x953 uint32 + var x954 uint32 + x954, x953 = bits.Mul32(x7, arg1[7]) + var x955 uint32 + var x956 uint32 + x956, x955 = bits.Mul32(x7, arg1[6]) + var x957 uint32 + var x958 uint32 + x958, x957 = bits.Mul32(x7, arg1[5]) + var x959 uint32 + var x960 uint32 + x960, x959 = bits.Mul32(x7, arg1[4]) + var x961 uint32 + var x962 uint32 + x962, x961 = bits.Mul32(x7, arg1[3]) + var x963 uint32 + var x964 uint32 + x964, x963 = bits.Mul32(x7, arg1[2]) + var x965 uint32 + var x966 uint32 + x966, x965 = bits.Mul32(x7, arg1[1]) + var x967 uint32 + var x968 uint32 + x968, x967 = bits.Mul32(x7, arg1[0]) + var x969 uint32 + var x970 uint1 + x969, x970 = addcarryxU32(x968, x965, 0x0) + var x971 uint32 + var x972 uint1 + x971, x972 = addcarryxU32(x966, x963, x970) + var x973 uint32 + var x974 uint1 + x973, x974 = addcarryxU32(x964, x961, x972) + var x975 uint32 + var 
x976 uint1 + x975, x976 = addcarryxU32(x962, x959, x974) + var x977 uint32 + var x978 uint1 + x977, x978 = addcarryxU32(x960, x957, x976) + var x979 uint32 + var x980 uint1 + x979, x980 = addcarryxU32(x958, x955, x978) + var x981 uint32 + var x982 uint1 + x981, x982 = addcarryxU32(x956, x953, x980) + var x983 uint32 + var x984 uint1 + x983, x984 = addcarryxU32(x954, x951, x982) + var x985 uint32 + var x986 uint1 + x985, x986 = addcarryxU32(x952, x949, x984) + var x987 uint32 + var x988 uint1 + x987, x988 = addcarryxU32(x950, x947, x986) + var x989 uint32 + var x990 uint1 + x989, x990 = addcarryxU32(x948, x945, x988) + x991 := (uint32(x990) + x946) + var x992 uint32 + var x993 uint1 + x992, x993 = addcarryxU32(x920, x967, 0x0) + var x994 uint32 + var x995 uint1 + x994, x995 = addcarryxU32(x922, x969, x993) + var x996 uint32 + var x997 uint1 + x996, x997 = addcarryxU32(x924, x971, x995) + var x998 uint32 + var x999 uint1 + x998, x999 = addcarryxU32(x926, x973, x997) + var x1000 uint32 + var x1001 uint1 + x1000, x1001 = addcarryxU32(x928, x975, x999) + var x1002 uint32 + var x1003 uint1 + x1002, x1003 = addcarryxU32(x930, x977, x1001) + var x1004 uint32 + var x1005 uint1 + x1004, x1005 = addcarryxU32(x932, x979, x1003) + var x1006 uint32 + var x1007 uint1 + x1006, x1007 = addcarryxU32(x934, x981, x1005) + var x1008 uint32 + var x1009 uint1 + x1008, x1009 = addcarryxU32(x936, x983, x1007) + var x1010 uint32 + var x1011 uint1 + x1010, x1011 = addcarryxU32(x938, x985, x1009) + var x1012 uint32 + var x1013 uint1 + x1012, x1013 = addcarryxU32(x940, x987, x1011) + var x1014 uint32 + var x1015 uint1 + x1014, x1015 = addcarryxU32(x942, x989, x1013) + var x1016 uint32 + var x1017 uint1 + x1016, x1017 = addcarryxU32(x944, x991, x1015) + var x1018 uint32 + var x1019 uint32 + x1019, x1018 = bits.Mul32(x992, 0xffffffff) + var x1020 uint32 + var x1021 uint32 + x1021, x1020 = bits.Mul32(x992, 0xffffffff) + var x1022 uint32 + var x1023 uint32 + x1023, x1022 = bits.Mul32(x992, 
0xffffffff) + var x1024 uint32 + var x1025 uint32 + x1025, x1024 = bits.Mul32(x992, 0xffffffff) + var x1026 uint32 + var x1027 uint32 + x1027, x1026 = bits.Mul32(x992, 0xffffffff) + var x1028 uint32 + var x1029 uint32 + x1029, x1028 = bits.Mul32(x992, 0xffffffff) + var x1030 uint32 + var x1031 uint32 + x1031, x1030 = bits.Mul32(x992, 0xffffffff) + var x1032 uint32 + var x1033 uint32 + x1033, x1032 = bits.Mul32(x992, 0xfffffffe) + var x1034 uint32 + var x1035 uint32 + x1035, x1034 = bits.Mul32(x992, 0xffffffff) + var x1036 uint32 + var x1037 uint32 + x1037, x1036 = bits.Mul32(x992, 0xffffffff) + var x1038 uint32 + var x1039 uint1 + x1038, x1039 = addcarryxU32(x1035, x1032, 0x0) + var x1040 uint32 + var x1041 uint1 + x1040, x1041 = addcarryxU32(x1033, x1030, x1039) + var x1042 uint32 + var x1043 uint1 + x1042, x1043 = addcarryxU32(x1031, x1028, x1041) + var x1044 uint32 + var x1045 uint1 + x1044, x1045 = addcarryxU32(x1029, x1026, x1043) + var x1046 uint32 + var x1047 uint1 + x1046, x1047 = addcarryxU32(x1027, x1024, x1045) + var x1048 uint32 + var x1049 uint1 + x1048, x1049 = addcarryxU32(x1025, x1022, x1047) + var x1050 uint32 + var x1051 uint1 + x1050, x1051 = addcarryxU32(x1023, x1020, x1049) + var x1052 uint32 + var x1053 uint1 + x1052, x1053 = addcarryxU32(x1021, x1018, x1051) + x1054 := (uint32(x1053) + x1019) + var x1056 uint1 + _, x1056 = addcarryxU32(x992, x1036, 0x0) + var x1057 uint32 + var x1058 uint1 + x1057, x1058 = addcarryxU32(x994, x1037, x1056) + var x1059 uint32 + var x1060 uint1 + x1059, x1060 = addcarryxU32(x996, uint32(0x0), x1058) + var x1061 uint32 + var x1062 uint1 + x1061, x1062 = addcarryxU32(x998, x1034, x1060) + var x1063 uint32 + var x1064 uint1 + x1063, x1064 = addcarryxU32(x1000, x1038, x1062) + var x1065 uint32 + var x1066 uint1 + x1065, x1066 = addcarryxU32(x1002, x1040, x1064) + var x1067 uint32 + var x1068 uint1 + x1067, x1068 = addcarryxU32(x1004, x1042, x1066) + var x1069 uint32 + var x1070 uint1 + x1069, x1070 = 
addcarryxU32(x1006, x1044, x1068) + var x1071 uint32 + var x1072 uint1 + x1071, x1072 = addcarryxU32(x1008, x1046, x1070) + var x1073 uint32 + var x1074 uint1 + x1073, x1074 = addcarryxU32(x1010, x1048, x1072) + var x1075 uint32 + var x1076 uint1 + x1075, x1076 = addcarryxU32(x1012, x1050, x1074) + var x1077 uint32 + var x1078 uint1 + x1077, x1078 = addcarryxU32(x1014, x1052, x1076) + var x1079 uint32 + var x1080 uint1 + x1079, x1080 = addcarryxU32(x1016, x1054, x1078) + x1081 := (uint32(x1080) + uint32(x1017)) + var x1082 uint32 + var x1083 uint32 + x1083, x1082 = bits.Mul32(x8, arg1[11]) + var x1084 uint32 + var x1085 uint32 + x1085, x1084 = bits.Mul32(x8, arg1[10]) + var x1086 uint32 + var x1087 uint32 + x1087, x1086 = bits.Mul32(x8, arg1[9]) + var x1088 uint32 + var x1089 uint32 + x1089, x1088 = bits.Mul32(x8, arg1[8]) + var x1090 uint32 + var x1091 uint32 + x1091, x1090 = bits.Mul32(x8, arg1[7]) + var x1092 uint32 + var x1093 uint32 + x1093, x1092 = bits.Mul32(x8, arg1[6]) + var x1094 uint32 + var x1095 uint32 + x1095, x1094 = bits.Mul32(x8, arg1[5]) + var x1096 uint32 + var x1097 uint32 + x1097, x1096 = bits.Mul32(x8, arg1[4]) + var x1098 uint32 + var x1099 uint32 + x1099, x1098 = bits.Mul32(x8, arg1[3]) + var x1100 uint32 + var x1101 uint32 + x1101, x1100 = bits.Mul32(x8, arg1[2]) + var x1102 uint32 + var x1103 uint32 + x1103, x1102 = bits.Mul32(x8, arg1[1]) + var x1104 uint32 + var x1105 uint32 + x1105, x1104 = bits.Mul32(x8, arg1[0]) + var x1106 uint32 + var x1107 uint1 + x1106, x1107 = addcarryxU32(x1105, x1102, 0x0) + var x1108 uint32 + var x1109 uint1 + x1108, x1109 = addcarryxU32(x1103, x1100, x1107) + var x1110 uint32 + var x1111 uint1 + x1110, x1111 = addcarryxU32(x1101, x1098, x1109) + var x1112 uint32 + var x1113 uint1 + x1112, x1113 = addcarryxU32(x1099, x1096, x1111) + var x1114 uint32 + var x1115 uint1 + x1114, x1115 = addcarryxU32(x1097, x1094, x1113) + var x1116 uint32 + var x1117 uint1 + x1116, x1117 = addcarryxU32(x1095, x1092, x1115) + var 
x1118 uint32 + var x1119 uint1 + x1118, x1119 = addcarryxU32(x1093, x1090, x1117) + var x1120 uint32 + var x1121 uint1 + x1120, x1121 = addcarryxU32(x1091, x1088, x1119) + var x1122 uint32 + var x1123 uint1 + x1122, x1123 = addcarryxU32(x1089, x1086, x1121) + var x1124 uint32 + var x1125 uint1 + x1124, x1125 = addcarryxU32(x1087, x1084, x1123) + var x1126 uint32 + var x1127 uint1 + x1126, x1127 = addcarryxU32(x1085, x1082, x1125) + x1128 := (uint32(x1127) + x1083) + var x1129 uint32 + var x1130 uint1 + x1129, x1130 = addcarryxU32(x1057, x1104, 0x0) + var x1131 uint32 + var x1132 uint1 + x1131, x1132 = addcarryxU32(x1059, x1106, x1130) + var x1133 uint32 + var x1134 uint1 + x1133, x1134 = addcarryxU32(x1061, x1108, x1132) + var x1135 uint32 + var x1136 uint1 + x1135, x1136 = addcarryxU32(x1063, x1110, x1134) + var x1137 uint32 + var x1138 uint1 + x1137, x1138 = addcarryxU32(x1065, x1112, x1136) + var x1139 uint32 + var x1140 uint1 + x1139, x1140 = addcarryxU32(x1067, x1114, x1138) + var x1141 uint32 + var x1142 uint1 + x1141, x1142 = addcarryxU32(x1069, x1116, x1140) + var x1143 uint32 + var x1144 uint1 + x1143, x1144 = addcarryxU32(x1071, x1118, x1142) + var x1145 uint32 + var x1146 uint1 + x1145, x1146 = addcarryxU32(x1073, x1120, x1144) + var x1147 uint32 + var x1148 uint1 + x1147, x1148 = addcarryxU32(x1075, x1122, x1146) + var x1149 uint32 + var x1150 uint1 + x1149, x1150 = addcarryxU32(x1077, x1124, x1148) + var x1151 uint32 + var x1152 uint1 + x1151, x1152 = addcarryxU32(x1079, x1126, x1150) + var x1153 uint32 + var x1154 uint1 + x1153, x1154 = addcarryxU32(x1081, x1128, x1152) + var x1155 uint32 + var x1156 uint32 + x1156, x1155 = bits.Mul32(x1129, 0xffffffff) + var x1157 uint32 + var x1158 uint32 + x1158, x1157 = bits.Mul32(x1129, 0xffffffff) + var x1159 uint32 + var x1160 uint32 + x1160, x1159 = bits.Mul32(x1129, 0xffffffff) + var x1161 uint32 + var x1162 uint32 + x1162, x1161 = bits.Mul32(x1129, 0xffffffff) + var x1163 uint32 + var x1164 uint32 + x1164, 
x1163 = bits.Mul32(x1129, 0xffffffff) + var x1165 uint32 + var x1166 uint32 + x1166, x1165 = bits.Mul32(x1129, 0xffffffff) + var x1167 uint32 + var x1168 uint32 + x1168, x1167 = bits.Mul32(x1129, 0xffffffff) + var x1169 uint32 + var x1170 uint32 + x1170, x1169 = bits.Mul32(x1129, 0xfffffffe) + var x1171 uint32 + var x1172 uint32 + x1172, x1171 = bits.Mul32(x1129, 0xffffffff) + var x1173 uint32 + var x1174 uint32 + x1174, x1173 = bits.Mul32(x1129, 0xffffffff) + var x1175 uint32 + var x1176 uint1 + x1175, x1176 = addcarryxU32(x1172, x1169, 0x0) + var x1177 uint32 + var x1178 uint1 + x1177, x1178 = addcarryxU32(x1170, x1167, x1176) + var x1179 uint32 + var x1180 uint1 + x1179, x1180 = addcarryxU32(x1168, x1165, x1178) + var x1181 uint32 + var x1182 uint1 + x1181, x1182 = addcarryxU32(x1166, x1163, x1180) + var x1183 uint32 + var x1184 uint1 + x1183, x1184 = addcarryxU32(x1164, x1161, x1182) + var x1185 uint32 + var x1186 uint1 + x1185, x1186 = addcarryxU32(x1162, x1159, x1184) + var x1187 uint32 + var x1188 uint1 + x1187, x1188 = addcarryxU32(x1160, x1157, x1186) + var x1189 uint32 + var x1190 uint1 + x1189, x1190 = addcarryxU32(x1158, x1155, x1188) + x1191 := (uint32(x1190) + x1156) + var x1193 uint1 + _, x1193 = addcarryxU32(x1129, x1173, 0x0) + var x1194 uint32 + var x1195 uint1 + x1194, x1195 = addcarryxU32(x1131, x1174, x1193) + var x1196 uint32 + var x1197 uint1 + x1196, x1197 = addcarryxU32(x1133, uint32(0x0), x1195) + var x1198 uint32 + var x1199 uint1 + x1198, x1199 = addcarryxU32(x1135, x1171, x1197) + var x1200 uint32 + var x1201 uint1 + x1200, x1201 = addcarryxU32(x1137, x1175, x1199) + var x1202 uint32 + var x1203 uint1 + x1202, x1203 = addcarryxU32(x1139, x1177, x1201) + var x1204 uint32 + var x1205 uint1 + x1204, x1205 = addcarryxU32(x1141, x1179, x1203) + var x1206 uint32 + var x1207 uint1 + x1206, x1207 = addcarryxU32(x1143, x1181, x1205) + var x1208 uint32 + var x1209 uint1 + x1208, x1209 = addcarryxU32(x1145, x1183, x1207) + var x1210 uint32 + var 
x1211 uint1 + x1210, x1211 = addcarryxU32(x1147, x1185, x1209) + var x1212 uint32 + var x1213 uint1 + x1212, x1213 = addcarryxU32(x1149, x1187, x1211) + var x1214 uint32 + var x1215 uint1 + x1214, x1215 = addcarryxU32(x1151, x1189, x1213) + var x1216 uint32 + var x1217 uint1 + x1216, x1217 = addcarryxU32(x1153, x1191, x1215) + x1218 := (uint32(x1217) + uint32(x1154)) + var x1219 uint32 + var x1220 uint32 + x1220, x1219 = bits.Mul32(x9, arg1[11]) + var x1221 uint32 + var x1222 uint32 + x1222, x1221 = bits.Mul32(x9, arg1[10]) + var x1223 uint32 + var x1224 uint32 + x1224, x1223 = bits.Mul32(x9, arg1[9]) + var x1225 uint32 + var x1226 uint32 + x1226, x1225 = bits.Mul32(x9, arg1[8]) + var x1227 uint32 + var x1228 uint32 + x1228, x1227 = bits.Mul32(x9, arg1[7]) + var x1229 uint32 + var x1230 uint32 + x1230, x1229 = bits.Mul32(x9, arg1[6]) + var x1231 uint32 + var x1232 uint32 + x1232, x1231 = bits.Mul32(x9, arg1[5]) + var x1233 uint32 + var x1234 uint32 + x1234, x1233 = bits.Mul32(x9, arg1[4]) + var x1235 uint32 + var x1236 uint32 + x1236, x1235 = bits.Mul32(x9, arg1[3]) + var x1237 uint32 + var x1238 uint32 + x1238, x1237 = bits.Mul32(x9, arg1[2]) + var x1239 uint32 + var x1240 uint32 + x1240, x1239 = bits.Mul32(x9, arg1[1]) + var x1241 uint32 + var x1242 uint32 + x1242, x1241 = bits.Mul32(x9, arg1[0]) + var x1243 uint32 + var x1244 uint1 + x1243, x1244 = addcarryxU32(x1242, x1239, 0x0) + var x1245 uint32 + var x1246 uint1 + x1245, x1246 = addcarryxU32(x1240, x1237, x1244) + var x1247 uint32 + var x1248 uint1 + x1247, x1248 = addcarryxU32(x1238, x1235, x1246) + var x1249 uint32 + var x1250 uint1 + x1249, x1250 = addcarryxU32(x1236, x1233, x1248) + var x1251 uint32 + var x1252 uint1 + x1251, x1252 = addcarryxU32(x1234, x1231, x1250) + var x1253 uint32 + var x1254 uint1 + x1253, x1254 = addcarryxU32(x1232, x1229, x1252) + var x1255 uint32 + var x1256 uint1 + x1255, x1256 = addcarryxU32(x1230, x1227, x1254) + var x1257 uint32 + var x1258 uint1 + x1257, x1258 = 
addcarryxU32(x1228, x1225, x1256) + var x1259 uint32 + var x1260 uint1 + x1259, x1260 = addcarryxU32(x1226, x1223, x1258) + var x1261 uint32 + var x1262 uint1 + x1261, x1262 = addcarryxU32(x1224, x1221, x1260) + var x1263 uint32 + var x1264 uint1 + x1263, x1264 = addcarryxU32(x1222, x1219, x1262) + x1265 := (uint32(x1264) + x1220) + var x1266 uint32 + var x1267 uint1 + x1266, x1267 = addcarryxU32(x1194, x1241, 0x0) + var x1268 uint32 + var x1269 uint1 + x1268, x1269 = addcarryxU32(x1196, x1243, x1267) + var x1270 uint32 + var x1271 uint1 + x1270, x1271 = addcarryxU32(x1198, x1245, x1269) + var x1272 uint32 + var x1273 uint1 + x1272, x1273 = addcarryxU32(x1200, x1247, x1271) + var x1274 uint32 + var x1275 uint1 + x1274, x1275 = addcarryxU32(x1202, x1249, x1273) + var x1276 uint32 + var x1277 uint1 + x1276, x1277 = addcarryxU32(x1204, x1251, x1275) + var x1278 uint32 + var x1279 uint1 + x1278, x1279 = addcarryxU32(x1206, x1253, x1277) + var x1280 uint32 + var x1281 uint1 + x1280, x1281 = addcarryxU32(x1208, x1255, x1279) + var x1282 uint32 + var x1283 uint1 + x1282, x1283 = addcarryxU32(x1210, x1257, x1281) + var x1284 uint32 + var x1285 uint1 + x1284, x1285 = addcarryxU32(x1212, x1259, x1283) + var x1286 uint32 + var x1287 uint1 + x1286, x1287 = addcarryxU32(x1214, x1261, x1285) + var x1288 uint32 + var x1289 uint1 + x1288, x1289 = addcarryxU32(x1216, x1263, x1287) + var x1290 uint32 + var x1291 uint1 + x1290, x1291 = addcarryxU32(x1218, x1265, x1289) + var x1292 uint32 + var x1293 uint32 + x1293, x1292 = bits.Mul32(x1266, 0xffffffff) + var x1294 uint32 + var x1295 uint32 + x1295, x1294 = bits.Mul32(x1266, 0xffffffff) + var x1296 uint32 + var x1297 uint32 + x1297, x1296 = bits.Mul32(x1266, 0xffffffff) + var x1298 uint32 + var x1299 uint32 + x1299, x1298 = bits.Mul32(x1266, 0xffffffff) + var x1300 uint32 + var x1301 uint32 + x1301, x1300 = bits.Mul32(x1266, 0xffffffff) + var x1302 uint32 + var x1303 uint32 + x1303, x1302 = bits.Mul32(x1266, 0xffffffff) + var x1304 
uint32 + var x1305 uint32 + x1305, x1304 = bits.Mul32(x1266, 0xffffffff) + var x1306 uint32 + var x1307 uint32 + x1307, x1306 = bits.Mul32(x1266, 0xfffffffe) + var x1308 uint32 + var x1309 uint32 + x1309, x1308 = bits.Mul32(x1266, 0xffffffff) + var x1310 uint32 + var x1311 uint32 + x1311, x1310 = bits.Mul32(x1266, 0xffffffff) + var x1312 uint32 + var x1313 uint1 + x1312, x1313 = addcarryxU32(x1309, x1306, 0x0) + var x1314 uint32 + var x1315 uint1 + x1314, x1315 = addcarryxU32(x1307, x1304, x1313) + var x1316 uint32 + var x1317 uint1 + x1316, x1317 = addcarryxU32(x1305, x1302, x1315) + var x1318 uint32 + var x1319 uint1 + x1318, x1319 = addcarryxU32(x1303, x1300, x1317) + var x1320 uint32 + var x1321 uint1 + x1320, x1321 = addcarryxU32(x1301, x1298, x1319) + var x1322 uint32 + var x1323 uint1 + x1322, x1323 = addcarryxU32(x1299, x1296, x1321) + var x1324 uint32 + var x1325 uint1 + x1324, x1325 = addcarryxU32(x1297, x1294, x1323) + var x1326 uint32 + var x1327 uint1 + x1326, x1327 = addcarryxU32(x1295, x1292, x1325) + x1328 := (uint32(x1327) + x1293) + var x1330 uint1 + _, x1330 = addcarryxU32(x1266, x1310, 0x0) + var x1331 uint32 + var x1332 uint1 + x1331, x1332 = addcarryxU32(x1268, x1311, x1330) + var x1333 uint32 + var x1334 uint1 + x1333, x1334 = addcarryxU32(x1270, uint32(0x0), x1332) + var x1335 uint32 + var x1336 uint1 + x1335, x1336 = addcarryxU32(x1272, x1308, x1334) + var x1337 uint32 + var x1338 uint1 + x1337, x1338 = addcarryxU32(x1274, x1312, x1336) + var x1339 uint32 + var x1340 uint1 + x1339, x1340 = addcarryxU32(x1276, x1314, x1338) + var x1341 uint32 + var x1342 uint1 + x1341, x1342 = addcarryxU32(x1278, x1316, x1340) + var x1343 uint32 + var x1344 uint1 + x1343, x1344 = addcarryxU32(x1280, x1318, x1342) + var x1345 uint32 + var x1346 uint1 + x1345, x1346 = addcarryxU32(x1282, x1320, x1344) + var x1347 uint32 + var x1348 uint1 + x1347, x1348 = addcarryxU32(x1284, x1322, x1346) + var x1349 uint32 + var x1350 uint1 + x1349, x1350 = addcarryxU32(x1286, 
x1324, x1348) + var x1351 uint32 + var x1352 uint1 + x1351, x1352 = addcarryxU32(x1288, x1326, x1350) + var x1353 uint32 + var x1354 uint1 + x1353, x1354 = addcarryxU32(x1290, x1328, x1352) + x1355 := (uint32(x1354) + uint32(x1291)) + var x1356 uint32 + var x1357 uint32 + x1357, x1356 = bits.Mul32(x10, arg1[11]) + var x1358 uint32 + var x1359 uint32 + x1359, x1358 = bits.Mul32(x10, arg1[10]) + var x1360 uint32 + var x1361 uint32 + x1361, x1360 = bits.Mul32(x10, arg1[9]) + var x1362 uint32 + var x1363 uint32 + x1363, x1362 = bits.Mul32(x10, arg1[8]) + var x1364 uint32 + var x1365 uint32 + x1365, x1364 = bits.Mul32(x10, arg1[7]) + var x1366 uint32 + var x1367 uint32 + x1367, x1366 = bits.Mul32(x10, arg1[6]) + var x1368 uint32 + var x1369 uint32 + x1369, x1368 = bits.Mul32(x10, arg1[5]) + var x1370 uint32 + var x1371 uint32 + x1371, x1370 = bits.Mul32(x10, arg1[4]) + var x1372 uint32 + var x1373 uint32 + x1373, x1372 = bits.Mul32(x10, arg1[3]) + var x1374 uint32 + var x1375 uint32 + x1375, x1374 = bits.Mul32(x10, arg1[2]) + var x1376 uint32 + var x1377 uint32 + x1377, x1376 = bits.Mul32(x10, arg1[1]) + var x1378 uint32 + var x1379 uint32 + x1379, x1378 = bits.Mul32(x10, arg1[0]) + var x1380 uint32 + var x1381 uint1 + x1380, x1381 = addcarryxU32(x1379, x1376, 0x0) + var x1382 uint32 + var x1383 uint1 + x1382, x1383 = addcarryxU32(x1377, x1374, x1381) + var x1384 uint32 + var x1385 uint1 + x1384, x1385 = addcarryxU32(x1375, x1372, x1383) + var x1386 uint32 + var x1387 uint1 + x1386, x1387 = addcarryxU32(x1373, x1370, x1385) + var x1388 uint32 + var x1389 uint1 + x1388, x1389 = addcarryxU32(x1371, x1368, x1387) + var x1390 uint32 + var x1391 uint1 + x1390, x1391 = addcarryxU32(x1369, x1366, x1389) + var x1392 uint32 + var x1393 uint1 + x1392, x1393 = addcarryxU32(x1367, x1364, x1391) + var x1394 uint32 + var x1395 uint1 + x1394, x1395 = addcarryxU32(x1365, x1362, x1393) + var x1396 uint32 + var x1397 uint1 + x1396, x1397 = addcarryxU32(x1363, x1360, x1395) + var x1398 
uint32 + var x1399 uint1 + x1398, x1399 = addcarryxU32(x1361, x1358, x1397) + var x1400 uint32 + var x1401 uint1 + x1400, x1401 = addcarryxU32(x1359, x1356, x1399) + x1402 := (uint32(x1401) + x1357) + var x1403 uint32 + var x1404 uint1 + x1403, x1404 = addcarryxU32(x1331, x1378, 0x0) + var x1405 uint32 + var x1406 uint1 + x1405, x1406 = addcarryxU32(x1333, x1380, x1404) + var x1407 uint32 + var x1408 uint1 + x1407, x1408 = addcarryxU32(x1335, x1382, x1406) + var x1409 uint32 + var x1410 uint1 + x1409, x1410 = addcarryxU32(x1337, x1384, x1408) + var x1411 uint32 + var x1412 uint1 + x1411, x1412 = addcarryxU32(x1339, x1386, x1410) + var x1413 uint32 + var x1414 uint1 + x1413, x1414 = addcarryxU32(x1341, x1388, x1412) + var x1415 uint32 + var x1416 uint1 + x1415, x1416 = addcarryxU32(x1343, x1390, x1414) + var x1417 uint32 + var x1418 uint1 + x1417, x1418 = addcarryxU32(x1345, x1392, x1416) + var x1419 uint32 + var x1420 uint1 + x1419, x1420 = addcarryxU32(x1347, x1394, x1418) + var x1421 uint32 + var x1422 uint1 + x1421, x1422 = addcarryxU32(x1349, x1396, x1420) + var x1423 uint32 + var x1424 uint1 + x1423, x1424 = addcarryxU32(x1351, x1398, x1422) + var x1425 uint32 + var x1426 uint1 + x1425, x1426 = addcarryxU32(x1353, x1400, x1424) + var x1427 uint32 + var x1428 uint1 + x1427, x1428 = addcarryxU32(x1355, x1402, x1426) + var x1429 uint32 + var x1430 uint32 + x1430, x1429 = bits.Mul32(x1403, 0xffffffff) + var x1431 uint32 + var x1432 uint32 + x1432, x1431 = bits.Mul32(x1403, 0xffffffff) + var x1433 uint32 + var x1434 uint32 + x1434, x1433 = bits.Mul32(x1403, 0xffffffff) + var x1435 uint32 + var x1436 uint32 + x1436, x1435 = bits.Mul32(x1403, 0xffffffff) + var x1437 uint32 + var x1438 uint32 + x1438, x1437 = bits.Mul32(x1403, 0xffffffff) + var x1439 uint32 + var x1440 uint32 + x1440, x1439 = bits.Mul32(x1403, 0xffffffff) + var x1441 uint32 + var x1442 uint32 + x1442, x1441 = bits.Mul32(x1403, 0xffffffff) + var x1443 uint32 + var x1444 uint32 + x1444, x1443 = 
bits.Mul32(x1403, 0xfffffffe) + var x1445 uint32 + var x1446 uint32 + x1446, x1445 = bits.Mul32(x1403, 0xffffffff) + var x1447 uint32 + var x1448 uint32 + x1448, x1447 = bits.Mul32(x1403, 0xffffffff) + var x1449 uint32 + var x1450 uint1 + x1449, x1450 = addcarryxU32(x1446, x1443, 0x0) + var x1451 uint32 + var x1452 uint1 + x1451, x1452 = addcarryxU32(x1444, x1441, x1450) + var x1453 uint32 + var x1454 uint1 + x1453, x1454 = addcarryxU32(x1442, x1439, x1452) + var x1455 uint32 + var x1456 uint1 + x1455, x1456 = addcarryxU32(x1440, x1437, x1454) + var x1457 uint32 + var x1458 uint1 + x1457, x1458 = addcarryxU32(x1438, x1435, x1456) + var x1459 uint32 + var x1460 uint1 + x1459, x1460 = addcarryxU32(x1436, x1433, x1458) + var x1461 uint32 + var x1462 uint1 + x1461, x1462 = addcarryxU32(x1434, x1431, x1460) + var x1463 uint32 + var x1464 uint1 + x1463, x1464 = addcarryxU32(x1432, x1429, x1462) + x1465 := (uint32(x1464) + x1430) + var x1467 uint1 + _, x1467 = addcarryxU32(x1403, x1447, 0x0) + var x1468 uint32 + var x1469 uint1 + x1468, x1469 = addcarryxU32(x1405, x1448, x1467) + var x1470 uint32 + var x1471 uint1 + x1470, x1471 = addcarryxU32(x1407, uint32(0x0), x1469) + var x1472 uint32 + var x1473 uint1 + x1472, x1473 = addcarryxU32(x1409, x1445, x1471) + var x1474 uint32 + var x1475 uint1 + x1474, x1475 = addcarryxU32(x1411, x1449, x1473) + var x1476 uint32 + var x1477 uint1 + x1476, x1477 = addcarryxU32(x1413, x1451, x1475) + var x1478 uint32 + var x1479 uint1 + x1478, x1479 = addcarryxU32(x1415, x1453, x1477) + var x1480 uint32 + var x1481 uint1 + x1480, x1481 = addcarryxU32(x1417, x1455, x1479) + var x1482 uint32 + var x1483 uint1 + x1482, x1483 = addcarryxU32(x1419, x1457, x1481) + var x1484 uint32 + var x1485 uint1 + x1484, x1485 = addcarryxU32(x1421, x1459, x1483) + var x1486 uint32 + var x1487 uint1 + x1486, x1487 = addcarryxU32(x1423, x1461, x1485) + var x1488 uint32 + var x1489 uint1 + x1488, x1489 = addcarryxU32(x1425, x1463, x1487) + var x1490 uint32 + var 
x1491 uint1 + x1490, x1491 = addcarryxU32(x1427, x1465, x1489) + x1492 := (uint32(x1491) + uint32(x1428)) + var x1493 uint32 + var x1494 uint32 + x1494, x1493 = bits.Mul32(x11, arg1[11]) + var x1495 uint32 + var x1496 uint32 + x1496, x1495 = bits.Mul32(x11, arg1[10]) + var x1497 uint32 + var x1498 uint32 + x1498, x1497 = bits.Mul32(x11, arg1[9]) + var x1499 uint32 + var x1500 uint32 + x1500, x1499 = bits.Mul32(x11, arg1[8]) + var x1501 uint32 + var x1502 uint32 + x1502, x1501 = bits.Mul32(x11, arg1[7]) + var x1503 uint32 + var x1504 uint32 + x1504, x1503 = bits.Mul32(x11, arg1[6]) + var x1505 uint32 + var x1506 uint32 + x1506, x1505 = bits.Mul32(x11, arg1[5]) + var x1507 uint32 + var x1508 uint32 + x1508, x1507 = bits.Mul32(x11, arg1[4]) + var x1509 uint32 + var x1510 uint32 + x1510, x1509 = bits.Mul32(x11, arg1[3]) + var x1511 uint32 + var x1512 uint32 + x1512, x1511 = bits.Mul32(x11, arg1[2]) + var x1513 uint32 + var x1514 uint32 + x1514, x1513 = bits.Mul32(x11, arg1[1]) + var x1515 uint32 + var x1516 uint32 + x1516, x1515 = bits.Mul32(x11, arg1[0]) + var x1517 uint32 + var x1518 uint1 + x1517, x1518 = addcarryxU32(x1516, x1513, 0x0) + var x1519 uint32 + var x1520 uint1 + x1519, x1520 = addcarryxU32(x1514, x1511, x1518) + var x1521 uint32 + var x1522 uint1 + x1521, x1522 = addcarryxU32(x1512, x1509, x1520) + var x1523 uint32 + var x1524 uint1 + x1523, x1524 = addcarryxU32(x1510, x1507, x1522) + var x1525 uint32 + var x1526 uint1 + x1525, x1526 = addcarryxU32(x1508, x1505, x1524) + var x1527 uint32 + var x1528 uint1 + x1527, x1528 = addcarryxU32(x1506, x1503, x1526) + var x1529 uint32 + var x1530 uint1 + x1529, x1530 = addcarryxU32(x1504, x1501, x1528) + var x1531 uint32 + var x1532 uint1 + x1531, x1532 = addcarryxU32(x1502, x1499, x1530) + var x1533 uint32 + var x1534 uint1 + x1533, x1534 = addcarryxU32(x1500, x1497, x1532) + var x1535 uint32 + var x1536 uint1 + x1535, x1536 = addcarryxU32(x1498, x1495, x1534) + var x1537 uint32 + var x1538 uint1 + x1537, x1538 = 
addcarryxU32(x1496, x1493, x1536) + x1539 := (uint32(x1538) + x1494) + var x1540 uint32 + var x1541 uint1 + x1540, x1541 = addcarryxU32(x1468, x1515, 0x0) + var x1542 uint32 + var x1543 uint1 + x1542, x1543 = addcarryxU32(x1470, x1517, x1541) + var x1544 uint32 + var x1545 uint1 + x1544, x1545 = addcarryxU32(x1472, x1519, x1543) + var x1546 uint32 + var x1547 uint1 + x1546, x1547 = addcarryxU32(x1474, x1521, x1545) + var x1548 uint32 + var x1549 uint1 + x1548, x1549 = addcarryxU32(x1476, x1523, x1547) + var x1550 uint32 + var x1551 uint1 + x1550, x1551 = addcarryxU32(x1478, x1525, x1549) + var x1552 uint32 + var x1553 uint1 + x1552, x1553 = addcarryxU32(x1480, x1527, x1551) + var x1554 uint32 + var x1555 uint1 + x1554, x1555 = addcarryxU32(x1482, x1529, x1553) + var x1556 uint32 + var x1557 uint1 + x1556, x1557 = addcarryxU32(x1484, x1531, x1555) + var x1558 uint32 + var x1559 uint1 + x1558, x1559 = addcarryxU32(x1486, x1533, x1557) + var x1560 uint32 + var x1561 uint1 + x1560, x1561 = addcarryxU32(x1488, x1535, x1559) + var x1562 uint32 + var x1563 uint1 + x1562, x1563 = addcarryxU32(x1490, x1537, x1561) + var x1564 uint32 + var x1565 uint1 + x1564, x1565 = addcarryxU32(x1492, x1539, x1563) + var x1566 uint32 + var x1567 uint32 + x1567, x1566 = bits.Mul32(x1540, 0xffffffff) + var x1568 uint32 + var x1569 uint32 + x1569, x1568 = bits.Mul32(x1540, 0xffffffff) + var x1570 uint32 + var x1571 uint32 + x1571, x1570 = bits.Mul32(x1540, 0xffffffff) + var x1572 uint32 + var x1573 uint32 + x1573, x1572 = bits.Mul32(x1540, 0xffffffff) + var x1574 uint32 + var x1575 uint32 + x1575, x1574 = bits.Mul32(x1540, 0xffffffff) + var x1576 uint32 + var x1577 uint32 + x1577, x1576 = bits.Mul32(x1540, 0xffffffff) + var x1578 uint32 + var x1579 uint32 + x1579, x1578 = bits.Mul32(x1540, 0xffffffff) + var x1580 uint32 + var x1581 uint32 + x1581, x1580 = bits.Mul32(x1540, 0xfffffffe) + var x1582 uint32 + var x1583 uint32 + x1583, x1582 = bits.Mul32(x1540, 0xffffffff) + var x1584 uint32 + 
var x1585 uint32 + x1585, x1584 = bits.Mul32(x1540, 0xffffffff) + var x1586 uint32 + var x1587 uint1 + x1586, x1587 = addcarryxU32(x1583, x1580, 0x0) + var x1588 uint32 + var x1589 uint1 + x1588, x1589 = addcarryxU32(x1581, x1578, x1587) + var x1590 uint32 + var x1591 uint1 + x1590, x1591 = addcarryxU32(x1579, x1576, x1589) + var x1592 uint32 + var x1593 uint1 + x1592, x1593 = addcarryxU32(x1577, x1574, x1591) + var x1594 uint32 + var x1595 uint1 + x1594, x1595 = addcarryxU32(x1575, x1572, x1593) + var x1596 uint32 + var x1597 uint1 + x1596, x1597 = addcarryxU32(x1573, x1570, x1595) + var x1598 uint32 + var x1599 uint1 + x1598, x1599 = addcarryxU32(x1571, x1568, x1597) + var x1600 uint32 + var x1601 uint1 + x1600, x1601 = addcarryxU32(x1569, x1566, x1599) + x1602 := (uint32(x1601) + x1567) + var x1604 uint1 + _, x1604 = addcarryxU32(x1540, x1584, 0x0) + var x1605 uint32 + var x1606 uint1 + x1605, x1606 = addcarryxU32(x1542, x1585, x1604) + var x1607 uint32 + var x1608 uint1 + x1607, x1608 = addcarryxU32(x1544, uint32(0x0), x1606) + var x1609 uint32 + var x1610 uint1 + x1609, x1610 = addcarryxU32(x1546, x1582, x1608) + var x1611 uint32 + var x1612 uint1 + x1611, x1612 = addcarryxU32(x1548, x1586, x1610) + var x1613 uint32 + var x1614 uint1 + x1613, x1614 = addcarryxU32(x1550, x1588, x1612) + var x1615 uint32 + var x1616 uint1 + x1615, x1616 = addcarryxU32(x1552, x1590, x1614) + var x1617 uint32 + var x1618 uint1 + x1617, x1618 = addcarryxU32(x1554, x1592, x1616) + var x1619 uint32 + var x1620 uint1 + x1619, x1620 = addcarryxU32(x1556, x1594, x1618) + var x1621 uint32 + var x1622 uint1 + x1621, x1622 = addcarryxU32(x1558, x1596, x1620) + var x1623 uint32 + var x1624 uint1 + x1623, x1624 = addcarryxU32(x1560, x1598, x1622) + var x1625 uint32 + var x1626 uint1 + x1625, x1626 = addcarryxU32(x1562, x1600, x1624) + var x1627 uint32 + var x1628 uint1 + x1627, x1628 = addcarryxU32(x1564, x1602, x1626) + x1629 := (uint32(x1628) + uint32(x1565)) + var x1630 uint32 + var x1631 
uint1 + x1630, x1631 = subborrowxU32(x1605, 0xffffffff, 0x0) + var x1632 uint32 + var x1633 uint1 + x1632, x1633 = subborrowxU32(x1607, uint32(0x0), x1631) + var x1634 uint32 + var x1635 uint1 + x1634, x1635 = subborrowxU32(x1609, uint32(0x0), x1633) + var x1636 uint32 + var x1637 uint1 + x1636, x1637 = subborrowxU32(x1611, 0xffffffff, x1635) + var x1638 uint32 + var x1639 uint1 + x1638, x1639 = subborrowxU32(x1613, 0xfffffffe, x1637) + var x1640 uint32 + var x1641 uint1 + x1640, x1641 = subborrowxU32(x1615, 0xffffffff, x1639) + var x1642 uint32 + var x1643 uint1 + x1642, x1643 = subborrowxU32(x1617, 0xffffffff, x1641) + var x1644 uint32 + var x1645 uint1 + x1644, x1645 = subborrowxU32(x1619, 0xffffffff, x1643) + var x1646 uint32 + var x1647 uint1 + x1646, x1647 = subborrowxU32(x1621, 0xffffffff, x1645) + var x1648 uint32 + var x1649 uint1 + x1648, x1649 = subborrowxU32(x1623, 0xffffffff, x1647) + var x1650 uint32 + var x1651 uint1 + x1650, x1651 = subborrowxU32(x1625, 0xffffffff, x1649) + var x1652 uint32 + var x1653 uint1 + x1652, x1653 = subborrowxU32(x1627, 0xffffffff, x1651) + var x1655 uint1 + _, x1655 = subborrowxU32(x1629, uint32(0x0), x1653) + var x1656 uint32 + cmovznzU32(&x1656, x1655, x1630, x1605) + var x1657 uint32 + cmovznzU32(&x1657, x1655, x1632, x1607) + var x1658 uint32 + cmovznzU32(&x1658, x1655, x1634, x1609) + var x1659 uint32 + cmovznzU32(&x1659, x1655, x1636, x1611) + var x1660 uint32 + cmovznzU32(&x1660, x1655, x1638, x1613) + var x1661 uint32 + cmovznzU32(&x1661, x1655, x1640, x1615) + var x1662 uint32 + cmovznzU32(&x1662, x1655, x1642, x1617) + var x1663 uint32 + cmovznzU32(&x1663, x1655, x1644, x1619) + var x1664 uint32 + cmovznzU32(&x1664, x1655, x1646, x1621) + var x1665 uint32 + cmovznzU32(&x1665, x1655, x1648, x1623) + var x1666 uint32 + cmovznzU32(&x1666, x1655, x1650, x1625) + var x1667 uint32 + cmovznzU32(&x1667, x1655, x1652, x1627) + out1[0] = x1656 + out1[1] = x1657 + out1[2] = x1658 + out1[3] = x1659 + out1[4] = x1660 + 
out1[5] = x1661 + out1[6] = x1662 + out1[7] = x1663 + out1[8] = x1664 + out1[9] = x1665 + out1[10] = x1666 + out1[11] = x1667 } -/* - The function Add adds two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Add(out1 *[12]uint32, arg1 *[12]uint32, arg2 *[12]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = addcarryxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = addcarryxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = addcarryxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = addcarryxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = addcarryxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = addcarryxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = addcarryxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = addcarryxU32((arg1[7]), (arg2[7]), x14) - var x17 uint32 - var x18 uint1 - x17, x18 = addcarryxU32((arg1[8]), (arg2[8]), x16) - var x19 uint32 - var x20 uint1 - x19, x20 = addcarryxU32((arg1[9]), (arg2[9]), x18) - var x21 uint32 - var x22 uint1 - x21, x22 = 
addcarryxU32((arg1[10]), (arg2[10]), x20) - var x23 uint32 - var x24 uint1 - x23, x24 = addcarryxU32((arg1[11]), (arg2[11]), x22) - var x25 uint32 - var x26 uint1 - x25, x26 = subborrowxU32(x1, 0xffffffff, 0x0) - var x27 uint32 - var x28 uint1 - x27, x28 = subborrowxU32(x3, uint32(0x0), x26) - var x29 uint32 - var x30 uint1 - x29, x30 = subborrowxU32(x5, uint32(0x0), x28) - var x31 uint32 - var x32 uint1 - x31, x32 = subborrowxU32(x7, 0xffffffff, x30) - var x33 uint32 - var x34 uint1 - x33, x34 = subborrowxU32(x9, 0xfffffffe, x32) - var x35 uint32 - var x36 uint1 - x35, x36 = subborrowxU32(x11, 0xffffffff, x34) - var x37 uint32 - var x38 uint1 - x37, x38 = subborrowxU32(x13, 0xffffffff, x36) - var x39 uint32 - var x40 uint1 - x39, x40 = subborrowxU32(x15, 0xffffffff, x38) - var x41 uint32 - var x42 uint1 - x41, x42 = subborrowxU32(x17, 0xffffffff, x40) - var x43 uint32 - var x44 uint1 - x43, x44 = subborrowxU32(x19, 0xffffffff, x42) - var x45 uint32 - var x46 uint1 - x45, x46 = subborrowxU32(x21, 0xffffffff, x44) - var x47 uint32 - var x48 uint1 - x47, x48 = subborrowxU32(x23, 0xffffffff, x46) - var x50 uint1 - _, x50 = subborrowxU32(uint32(x24), uint32(0x0), x48) - var x51 uint32 - cmovznzU32(&x51, x50, x25, x1) - var x52 uint32 - cmovznzU32(&x52, x50, x27, x3) - var x53 uint32 - cmovznzU32(&x53, x50, x29, x5) - var x54 uint32 - cmovznzU32(&x54, x50, x31, x7) - var x55 uint32 - cmovznzU32(&x55, x50, x33, x9) - var x56 uint32 - cmovznzU32(&x56, x50, x35, x11) - var x57 uint32 - cmovznzU32(&x57, x50, x37, x13) - var x58 uint32 - cmovznzU32(&x58, x50, x39, x15) - var x59 uint32 - cmovznzU32(&x59, x50, x41, x17) - var x60 uint32 - cmovznzU32(&x60, x50, x43, x19) - var x61 uint32 - cmovznzU32(&x61, x50, x45, x21) - var x62 uint32 - cmovznzU32(&x62, x50, x47, x23) - out1[0] = x51 - out1[1] = x52 - out1[2] = x53 - out1[3] = x54 - out1[4] = x55 - out1[5] = x56 - out1[6] = x57 - out1[7] = x58 - out1[8] = x59 - out1[9] = x60 - out1[10] = x61 - out1[11] = x62 + var x1 uint32 
+ var x2 uint1 + x1, x2 = addcarryxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = addcarryxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = addcarryxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = addcarryxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = addcarryxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = addcarryxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = addcarryxU32(arg1[6], arg2[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = addcarryxU32(arg1[7], arg2[7], x14) + var x17 uint32 + var x18 uint1 + x17, x18 = addcarryxU32(arg1[8], arg2[8], x16) + var x19 uint32 + var x20 uint1 + x19, x20 = addcarryxU32(arg1[9], arg2[9], x18) + var x21 uint32 + var x22 uint1 + x21, x22 = addcarryxU32(arg1[10], arg2[10], x20) + var x23 uint32 + var x24 uint1 + x23, x24 = addcarryxU32(arg1[11], arg2[11], x22) + var x25 uint32 + var x26 uint1 + x25, x26 = subborrowxU32(x1, 0xffffffff, 0x0) + var x27 uint32 + var x28 uint1 + x27, x28 = subborrowxU32(x3, uint32(0x0), x26) + var x29 uint32 + var x30 uint1 + x29, x30 = subborrowxU32(x5, uint32(0x0), x28) + var x31 uint32 + var x32 uint1 + x31, x32 = subborrowxU32(x7, 0xffffffff, x30) + var x33 uint32 + var x34 uint1 + x33, x34 = subborrowxU32(x9, 0xfffffffe, x32) + var x35 uint32 + var x36 uint1 + x35, x36 = subborrowxU32(x11, 0xffffffff, x34) + var x37 uint32 + var x38 uint1 + x37, x38 = subborrowxU32(x13, 0xffffffff, x36) + var x39 uint32 + var x40 uint1 + x39, x40 = subborrowxU32(x15, 0xffffffff, x38) + var x41 uint32 + var x42 uint1 + x41, x42 = subborrowxU32(x17, 0xffffffff, x40) + var x43 uint32 + var x44 uint1 + x43, x44 = subborrowxU32(x19, 0xffffffff, x42) + var x45 uint32 + var x46 uint1 + x45, x46 = subborrowxU32(x21, 0xffffffff, x44) + var x47 uint32 + var x48 uint1 + x47, x48 = subborrowxU32(x23, 0xffffffff, x46) + var x50 uint1 + _, x50 = subborrowxU32(uint32(x24), uint32(0x0), 
x48) + var x51 uint32 + cmovznzU32(&x51, x50, x25, x1) + var x52 uint32 + cmovznzU32(&x52, x50, x27, x3) + var x53 uint32 + cmovznzU32(&x53, x50, x29, x5) + var x54 uint32 + cmovznzU32(&x54, x50, x31, x7) + var x55 uint32 + cmovznzU32(&x55, x50, x33, x9) + var x56 uint32 + cmovznzU32(&x56, x50, x35, x11) + var x57 uint32 + cmovznzU32(&x57, x50, x37, x13) + var x58 uint32 + cmovznzU32(&x58, x50, x39, x15) + var x59 uint32 + cmovznzU32(&x59, x50, x41, x17) + var x60 uint32 + cmovznzU32(&x60, x50, x43, x19) + var x61 uint32 + cmovznzU32(&x61, x50, x45, x21) + var x62 uint32 + cmovznzU32(&x62, x50, x47, x23) + out1[0] = x51 + out1[1] = x52 + out1[2] = x53 + out1[3] = x54 + out1[4] = x55 + out1[5] = x56 + out1[6] = x57 + out1[7] = x58 + out1[8] = x59 + out1[9] = x60 + out1[10] = x61 + out1[11] = x62 } -/* - The function Sub subtracts two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Sub(out1 *[12]uint32, arg1 *[12]uint32, arg2 *[12]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = subborrowxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = subborrowxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = subborrowxU32((arg1[7]), (arg2[7]), x14) - var x17 uint32 - var x18 uint1 - x17, x18 = subborrowxU32((arg1[8]), (arg2[8]), x16) - var x19 uint32 - var x20 uint1 - x19, x20 = subborrowxU32((arg1[9]), (arg2[9]), x18) - var x21 uint32 - var x22 uint1 - x21, 
x22 = subborrowxU32((arg1[10]), (arg2[10]), x20) - var x23 uint32 - var x24 uint1 - x23, x24 = subborrowxU32((arg1[11]), (arg2[11]), x22) - var x25 uint32 - cmovznzU32(&x25, x24, uint32(0x0), 0xffffffff) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x1, x25, 0x0) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x3, uint32(0x0), x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x5, uint32(0x0), x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x7, x25, x31) - var x34 uint32 - var x35 uint1 - x34, x35 = addcarryxU32(x9, (x25 & 0xfffffffe), x33) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(x11, x25, x35) - var x38 uint32 - var x39 uint1 - x38, x39 = addcarryxU32(x13, x25, x37) - var x40 uint32 - var x41 uint1 - x40, x41 = addcarryxU32(x15, x25, x39) - var x42 uint32 - var x43 uint1 - x42, x43 = addcarryxU32(x17, x25, x41) - var x44 uint32 - var x45 uint1 - x44, x45 = addcarryxU32(x19, x25, x43) - var x46 uint32 - var x47 uint1 - x46, x47 = addcarryxU32(x21, x25, x45) - var x48 uint32 - x48, _ = addcarryxU32(x23, x25, x47) - out1[0] = x26 - out1[1] = x28 - out1[2] = x30 - out1[3] = x32 - out1[4] = x34 - out1[5] = x36 - out1[6] = x38 - out1[7] = x40 - out1[8] = x42 - out1[9] = x44 - out1[10] = x46 - out1[11] = x48 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(arg1[6], arg2[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = subborrowxU32(arg1[7], arg2[7], x14) + var x17 uint32 + var x18 uint1 + x17, x18 = 
subborrowxU32(arg1[8], arg2[8], x16) + var x19 uint32 + var x20 uint1 + x19, x20 = subborrowxU32(arg1[9], arg2[9], x18) + var x21 uint32 + var x22 uint1 + x21, x22 = subborrowxU32(arg1[10], arg2[10], x20) + var x23 uint32 + var x24 uint1 + x23, x24 = subborrowxU32(arg1[11], arg2[11], x22) + var x25 uint32 + cmovznzU32(&x25, x24, uint32(0x0), 0xffffffff) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x1, x25, 0x0) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x3, uint32(0x0), x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x5, uint32(0x0), x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x7, x25, x31) + var x34 uint32 + var x35 uint1 + x34, x35 = addcarryxU32(x9, (x25 & 0xfffffffe), x33) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(x11, x25, x35) + var x38 uint32 + var x39 uint1 + x38, x39 = addcarryxU32(x13, x25, x37) + var x40 uint32 + var x41 uint1 + x40, x41 = addcarryxU32(x15, x25, x39) + var x42 uint32 + var x43 uint1 + x42, x43 = addcarryxU32(x17, x25, x41) + var x44 uint32 + var x45 uint1 + x44, x45 = addcarryxU32(x19, x25, x43) + var x46 uint32 + var x47 uint1 + x46, x47 = addcarryxU32(x21, x25, x45) + var x48 uint32 + x48, _ = addcarryxU32(x23, x25, x47) + out1[0] = x26 + out1[1] = x28 + out1[2] = x30 + out1[3] = x32 + out1[4] = x34 + out1[5] = x36 + out1[6] = x38 + out1[7] = x40 + out1[8] = x42 + out1[9] = x44 + out1[10] = x46 + out1[11] = x48 } -/* - The function Opp negates a field element in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Opp(out1 *[12]uint32, arg1 *[12]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32(uint32(0x0), (arg1[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32(uint32(0x0), (arg1[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32(uint32(0x0), (arg1[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = subborrowxU32(uint32(0x0), (arg1[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32(uint32(0x0), (arg1[4]), x8) - var x11 uint32 - 
var x12 uint1 - x11, x12 = subborrowxU32(uint32(0x0), (arg1[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32(uint32(0x0), (arg1[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = subborrowxU32(uint32(0x0), (arg1[7]), x14) - var x17 uint32 - var x18 uint1 - x17, x18 = subborrowxU32(uint32(0x0), (arg1[8]), x16) - var x19 uint32 - var x20 uint1 - x19, x20 = subborrowxU32(uint32(0x0), (arg1[9]), x18) - var x21 uint32 - var x22 uint1 - x21, x22 = subborrowxU32(uint32(0x0), (arg1[10]), x20) - var x23 uint32 - var x24 uint1 - x23, x24 = subborrowxU32(uint32(0x0), (arg1[11]), x22) - var x25 uint32 - cmovznzU32(&x25, x24, uint32(0x0), 0xffffffff) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x1, x25, 0x0) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x3, uint32(0x0), x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x5, uint32(0x0), x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x7, x25, x31) - var x34 uint32 - var x35 uint1 - x34, x35 = addcarryxU32(x9, (x25 & 0xfffffffe), x33) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(x11, x25, x35) - var x38 uint32 - var x39 uint1 - x38, x39 = addcarryxU32(x13, x25, x37) - var x40 uint32 - var x41 uint1 - x40, x41 = addcarryxU32(x15, x25, x39) - var x42 uint32 - var x43 uint1 - x42, x43 = addcarryxU32(x17, x25, x41) - var x44 uint32 - var x45 uint1 - x44, x45 = addcarryxU32(x19, x25, x43) - var x46 uint32 - var x47 uint1 - x46, x47 = addcarryxU32(x21, x25, x45) - var x48 uint32 - x48, _ = addcarryxU32(x23, x25, x47) - out1[0] = x26 - out1[1] = x28 - out1[2] = x30 - out1[3] = x32 - out1[4] = x34 - out1[5] = x36 - out1[6] = x38 - out1[7] = x40 - out1[8] = x42 - out1[9] = x44 - out1[10] = x46 - out1[11] = x48 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(uint32(0x0), arg1[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(uint32(0x0), arg1[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(uint32(0x0), 
arg1[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(uint32(0x0), arg1[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(uint32(0x0), arg1[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(uint32(0x0), arg1[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(uint32(0x0), arg1[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = subborrowxU32(uint32(0x0), arg1[7], x14) + var x17 uint32 + var x18 uint1 + x17, x18 = subborrowxU32(uint32(0x0), arg1[8], x16) + var x19 uint32 + var x20 uint1 + x19, x20 = subborrowxU32(uint32(0x0), arg1[9], x18) + var x21 uint32 + var x22 uint1 + x21, x22 = subborrowxU32(uint32(0x0), arg1[10], x20) + var x23 uint32 + var x24 uint1 + x23, x24 = subborrowxU32(uint32(0x0), arg1[11], x22) + var x25 uint32 + cmovznzU32(&x25, x24, uint32(0x0), 0xffffffff) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x1, x25, 0x0) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x3, uint32(0x0), x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x5, uint32(0x0), x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x7, x25, x31) + var x34 uint32 + var x35 uint1 + x34, x35 = addcarryxU32(x9, (x25 & 0xfffffffe), x33) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(x11, x25, x35) + var x38 uint32 + var x39 uint1 + x38, x39 = addcarryxU32(x13, x25, x37) + var x40 uint32 + var x41 uint1 + x40, x41 = addcarryxU32(x15, x25, x39) + var x42 uint32 + var x43 uint1 + x42, x43 = addcarryxU32(x17, x25, x41) + var x44 uint32 + var x45 uint1 + x44, x45 = addcarryxU32(x19, x25, x43) + var x46 uint32 + var x47 uint1 + x46, x47 = addcarryxU32(x21, x25, x45) + var x48 uint32 + x48, _ = addcarryxU32(x23, x25, x47) + out1[0] = x26 + out1[1] = x28 + out1[2] = x30 + out1[3] = x32 + out1[4] = x34 + out1[5] = x36 + out1[6] = x38 + out1[7] = x40 + out1[8] = x42 + out1[9] = x44 + out1[10] = x46 + out1[11] = x48 } -/* - The function FromMontgomery translates a 
field element out of the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^12) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^12) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromMontgomery(out1 *[12]uint32, arg1 *[12]uint32) { - var x1 uint32 = (arg1[0]) - var x2 uint32 - var x3 uint32 - x3, x2 = bits.Mul32(x1, 0xffffffff) - var x4 uint32 - var x5 uint32 - x5, x4 = bits.Mul32(x1, 0xffffffff) - var x6 uint32 - var x7 uint32 - x7, x6 = bits.Mul32(x1, 0xffffffff) - var x8 uint32 - var x9 uint32 - x9, x8 = bits.Mul32(x1, 0xffffffff) - var x10 uint32 - var x11 uint32 - x11, x10 = bits.Mul32(x1, 0xffffffff) - var x12 
uint32 - var x13 uint32 - x13, x12 = bits.Mul32(x1, 0xffffffff) - var x14 uint32 - var x15 uint32 - x15, x14 = bits.Mul32(x1, 0xffffffff) - var x16 uint32 - var x17 uint32 - x17, x16 = bits.Mul32(x1, 0xfffffffe) - var x18 uint32 - var x19 uint32 - x19, x18 = bits.Mul32(x1, 0xffffffff) - var x20 uint32 - var x21 uint32 - x21, x20 = bits.Mul32(x1, 0xffffffff) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x19, x16, 0x0) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x17, x14, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x15, x12, x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x13, x10, x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x11, x8, x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x9, x6, x31) - var x34 uint32 - var x35 uint1 - x34, x35 = addcarryxU32(x7, x4, x33) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(x5, x2, x35) - var x39 uint1 - _, x39 = addcarryxU32(x1, x20, 0x0) - var x40 uint32 - var x41 uint1 - x40, x41 = addcarryxU32((uint32(x39) + x21), (arg1[1]), 0x0) - var x42 uint32 - var x43 uint32 - x43, x42 = bits.Mul32(x40, 0xffffffff) - var x44 uint32 - var x45 uint32 - x45, x44 = bits.Mul32(x40, 0xffffffff) - var x46 uint32 - var x47 uint32 - x47, x46 = bits.Mul32(x40, 0xffffffff) - var x48 uint32 - var x49 uint32 - x49, x48 = bits.Mul32(x40, 0xffffffff) - var x50 uint32 - var x51 uint32 - x51, x50 = bits.Mul32(x40, 0xffffffff) - var x52 uint32 - var x53 uint32 - x53, x52 = bits.Mul32(x40, 0xffffffff) - var x54 uint32 - var x55 uint32 - x55, x54 = bits.Mul32(x40, 0xffffffff) - var x56 uint32 - var x57 uint32 - x57, x56 = bits.Mul32(x40, 0xfffffffe) - var x58 uint32 - var x59 uint32 - x59, x58 = bits.Mul32(x40, 0xffffffff) - var x60 uint32 - var x61 uint32 - x61, x60 = bits.Mul32(x40, 0xffffffff) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x59, x56, 0x0) - var x64 uint32 - var x65 uint1 - x64, x65 = addcarryxU32(x57, x54, x63) - var 
x66 uint32 - var x67 uint1 - x66, x67 = addcarryxU32(x55, x52, x65) - var x68 uint32 - var x69 uint1 - x68, x69 = addcarryxU32(x53, x50, x67) - var x70 uint32 - var x71 uint1 - x70, x71 = addcarryxU32(x51, x48, x69) - var x72 uint32 - var x73 uint1 - x72, x73 = addcarryxU32(x49, x46, x71) - var x74 uint32 - var x75 uint1 - x74, x75 = addcarryxU32(x47, x44, x73) - var x76 uint32 - var x77 uint1 - x76, x77 = addcarryxU32(x45, x42, x75) - var x79 uint1 - _, x79 = addcarryxU32(x40, x60, 0x0) - var x80 uint32 - var x81 uint1 - x80, x81 = addcarryxU32(uint32(x41), x61, x79) - var x82 uint32 - var x83 uint1 - x82, x83 = addcarryxU32(x18, uint32(0x0), x81) - var x84 uint32 - var x85 uint1 - x84, x85 = addcarryxU32(x22, x58, x83) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x24, x62, x85) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x26, x64, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x28, x66, x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x30, x68, x91) - var x94 uint32 - var x95 uint1 - x94, x95 = addcarryxU32(x32, x70, x93) - var x96 uint32 - var x97 uint1 - x96, x97 = addcarryxU32(x34, x72, x95) - var x98 uint32 - var x99 uint1 - x98, x99 = addcarryxU32(x36, x74, x97) - var x100 uint32 - var x101 uint1 - x100, x101 = addcarryxU32((uint32(x37) + x3), x76, x99) - var x102 uint32 - var x103 uint1 - x102, x103 = addcarryxU32(uint32(0x0), (uint32(x77) + x43), x101) - var x104 uint32 - var x105 uint1 - x104, x105 = addcarryxU32(x80, (arg1[2]), 0x0) - var x106 uint32 - var x107 uint1 - x106, x107 = addcarryxU32(x82, uint32(0x0), x105) - var x108 uint32 - var x109 uint1 - x108, x109 = addcarryxU32(x84, uint32(0x0), x107) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x86, uint32(0x0), x109) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x88, uint32(0x0), x111) - var x114 uint32 - var x115 uint1 - x114, x115 = addcarryxU32(x90, uint32(0x0), x113) - var x116 uint32 - var x117 uint1 
- x116, x117 = addcarryxU32(x92, uint32(0x0), x115) - var x118 uint32 - var x119 uint1 - x118, x119 = addcarryxU32(x94, uint32(0x0), x117) - var x120 uint32 - var x121 uint1 - x120, x121 = addcarryxU32(x96, uint32(0x0), x119) - var x122 uint32 - var x123 uint1 - x122, x123 = addcarryxU32(x98, uint32(0x0), x121) - var x124 uint32 - var x125 uint1 - x124, x125 = addcarryxU32(x100, uint32(0x0), x123) - var x126 uint32 - var x127 uint1 - x126, x127 = addcarryxU32(x102, uint32(0x0), x125) - var x128 uint32 - var x129 uint32 - x129, x128 = bits.Mul32(x104, 0xffffffff) - var x130 uint32 - var x131 uint32 - x131, x130 = bits.Mul32(x104, 0xffffffff) - var x132 uint32 - var x133 uint32 - x133, x132 = bits.Mul32(x104, 0xffffffff) - var x134 uint32 - var x135 uint32 - x135, x134 = bits.Mul32(x104, 0xffffffff) - var x136 uint32 - var x137 uint32 - x137, x136 = bits.Mul32(x104, 0xffffffff) - var x138 uint32 - var x139 uint32 - x139, x138 = bits.Mul32(x104, 0xffffffff) - var x140 uint32 - var x141 uint32 - x141, x140 = bits.Mul32(x104, 0xffffffff) - var x142 uint32 - var x143 uint32 - x143, x142 = bits.Mul32(x104, 0xfffffffe) - var x144 uint32 - var x145 uint32 - x145, x144 = bits.Mul32(x104, 0xffffffff) - var x146 uint32 - var x147 uint32 - x147, x146 = bits.Mul32(x104, 0xffffffff) - var x148 uint32 - var x149 uint1 - x148, x149 = addcarryxU32(x145, x142, 0x0) - var x150 uint32 - var x151 uint1 - x150, x151 = addcarryxU32(x143, x140, x149) - var x152 uint32 - var x153 uint1 - x152, x153 = addcarryxU32(x141, x138, x151) - var x154 uint32 - var x155 uint1 - x154, x155 = addcarryxU32(x139, x136, x153) - var x156 uint32 - var x157 uint1 - x156, x157 = addcarryxU32(x137, x134, x155) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x135, x132, x157) - var x160 uint32 - var x161 uint1 - x160, x161 = addcarryxU32(x133, x130, x159) - var x162 uint32 - var x163 uint1 - x162, x163 = addcarryxU32(x131, x128, x161) - var x165 uint1 - _, x165 = addcarryxU32(x104, x146, 0x0) - 
var x166 uint32 - var x167 uint1 - x166, x167 = addcarryxU32(x106, x147, x165) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x108, uint32(0x0), x167) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x110, x144, x169) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x112, x148, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x114, x150, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x116, x152, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x118, x154, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x120, x156, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x122, x158, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x124, x160, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x126, x162, x185) - var x188 uint32 - var x189 uint1 - x188, x189 = addcarryxU32((uint32(x127) + uint32(x103)), (uint32(x163) + x129), x187) - var x190 uint32 - var x191 uint1 - x190, x191 = addcarryxU32(x166, (arg1[3]), 0x0) - var x192 uint32 - var x193 uint1 - x192, x193 = addcarryxU32(x168, uint32(0x0), x191) - var x194 uint32 - var x195 uint1 - x194, x195 = addcarryxU32(x170, uint32(0x0), x193) - var x196 uint32 - var x197 uint1 - x196, x197 = addcarryxU32(x172, uint32(0x0), x195) - var x198 uint32 - var x199 uint1 - x198, x199 = addcarryxU32(x174, uint32(0x0), x197) - var x200 uint32 - var x201 uint1 - x200, x201 = addcarryxU32(x176, uint32(0x0), x199) - var x202 uint32 - var x203 uint1 - x202, x203 = addcarryxU32(x178, uint32(0x0), x201) - var x204 uint32 - var x205 uint1 - x204, x205 = addcarryxU32(x180, uint32(0x0), x203) - var x206 uint32 - var x207 uint1 - x206, x207 = addcarryxU32(x182, uint32(0x0), x205) - var x208 uint32 - var x209 uint1 - x208, x209 = addcarryxU32(x184, uint32(0x0), x207) - var x210 uint32 - var x211 uint1 - x210, x211 = addcarryxU32(x186, uint32(0x0), x209) - var x212 
uint32 - var x213 uint1 - x212, x213 = addcarryxU32(x188, uint32(0x0), x211) - var x214 uint32 - var x215 uint32 - x215, x214 = bits.Mul32(x190, 0xffffffff) - var x216 uint32 - var x217 uint32 - x217, x216 = bits.Mul32(x190, 0xffffffff) - var x218 uint32 - var x219 uint32 - x219, x218 = bits.Mul32(x190, 0xffffffff) - var x220 uint32 - var x221 uint32 - x221, x220 = bits.Mul32(x190, 0xffffffff) - var x222 uint32 - var x223 uint32 - x223, x222 = bits.Mul32(x190, 0xffffffff) - var x224 uint32 - var x225 uint32 - x225, x224 = bits.Mul32(x190, 0xffffffff) - var x226 uint32 - var x227 uint32 - x227, x226 = bits.Mul32(x190, 0xffffffff) - var x228 uint32 - var x229 uint32 - x229, x228 = bits.Mul32(x190, 0xfffffffe) - var x230 uint32 - var x231 uint32 - x231, x230 = bits.Mul32(x190, 0xffffffff) - var x232 uint32 - var x233 uint32 - x233, x232 = bits.Mul32(x190, 0xffffffff) - var x234 uint32 - var x235 uint1 - x234, x235 = addcarryxU32(x231, x228, 0x0) - var x236 uint32 - var x237 uint1 - x236, x237 = addcarryxU32(x229, x226, x235) - var x238 uint32 - var x239 uint1 - x238, x239 = addcarryxU32(x227, x224, x237) - var x240 uint32 - var x241 uint1 - x240, x241 = addcarryxU32(x225, x222, x239) - var x242 uint32 - var x243 uint1 - x242, x243 = addcarryxU32(x223, x220, x241) - var x244 uint32 - var x245 uint1 - x244, x245 = addcarryxU32(x221, x218, x243) - var x246 uint32 - var x247 uint1 - x246, x247 = addcarryxU32(x219, x216, x245) - var x248 uint32 - var x249 uint1 - x248, x249 = addcarryxU32(x217, x214, x247) - var x251 uint1 - _, x251 = addcarryxU32(x190, x232, 0x0) - var x252 uint32 - var x253 uint1 - x252, x253 = addcarryxU32(x192, x233, x251) - var x254 uint32 - var x255 uint1 - x254, x255 = addcarryxU32(x194, uint32(0x0), x253) - var x256 uint32 - var x257 uint1 - x256, x257 = addcarryxU32(x196, x230, x255) - var x258 uint32 - var x259 uint1 - x258, x259 = addcarryxU32(x198, x234, x257) - var x260 uint32 - var x261 uint1 - x260, x261 = addcarryxU32(x200, x236, x259) - 
var x262 uint32 - var x263 uint1 - x262, x263 = addcarryxU32(x202, x238, x261) - var x264 uint32 - var x265 uint1 - x264, x265 = addcarryxU32(x204, x240, x263) - var x266 uint32 - var x267 uint1 - x266, x267 = addcarryxU32(x206, x242, x265) - var x268 uint32 - var x269 uint1 - x268, x269 = addcarryxU32(x208, x244, x267) - var x270 uint32 - var x271 uint1 - x270, x271 = addcarryxU32(x210, x246, x269) - var x272 uint32 - var x273 uint1 - x272, x273 = addcarryxU32(x212, x248, x271) - var x274 uint32 - var x275 uint1 - x274, x275 = addcarryxU32((uint32(x213) + uint32(x189)), (uint32(x249) + x215), x273) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x252, (arg1[4]), 0x0) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32(x254, uint32(0x0), x277) - var x280 uint32 - var x281 uint1 - x280, x281 = addcarryxU32(x256, uint32(0x0), x279) - var x282 uint32 - var x283 uint1 - x282, x283 = addcarryxU32(x258, uint32(0x0), x281) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x260, uint32(0x0), x283) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x262, uint32(0x0), x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x264, uint32(0x0), x287) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x266, uint32(0x0), x289) - var x292 uint32 - var x293 uint1 - x292, x293 = addcarryxU32(x268, uint32(0x0), x291) - var x294 uint32 - var x295 uint1 - x294, x295 = addcarryxU32(x270, uint32(0x0), x293) - var x296 uint32 - var x297 uint1 - x296, x297 = addcarryxU32(x272, uint32(0x0), x295) - var x298 uint32 - var x299 uint1 - x298, x299 = addcarryxU32(x274, uint32(0x0), x297) - var x300 uint32 - var x301 uint32 - x301, x300 = bits.Mul32(x276, 0xffffffff) - var x302 uint32 - var x303 uint32 - x303, x302 = bits.Mul32(x276, 0xffffffff) - var x304 uint32 - var x305 uint32 - x305, x304 = bits.Mul32(x276, 0xffffffff) - var x306 uint32 - var x307 uint32 - x307, x306 = bits.Mul32(x276, 0xffffffff) - var x308 uint32 - 
var x309 uint32 - x309, x308 = bits.Mul32(x276, 0xffffffff) - var x310 uint32 - var x311 uint32 - x311, x310 = bits.Mul32(x276, 0xffffffff) - var x312 uint32 - var x313 uint32 - x313, x312 = bits.Mul32(x276, 0xffffffff) - var x314 uint32 - var x315 uint32 - x315, x314 = bits.Mul32(x276, 0xfffffffe) - var x316 uint32 - var x317 uint32 - x317, x316 = bits.Mul32(x276, 0xffffffff) - var x318 uint32 - var x319 uint32 - x319, x318 = bits.Mul32(x276, 0xffffffff) - var x320 uint32 - var x321 uint1 - x320, x321 = addcarryxU32(x317, x314, 0x0) - var x322 uint32 - var x323 uint1 - x322, x323 = addcarryxU32(x315, x312, x321) - var x324 uint32 - var x325 uint1 - x324, x325 = addcarryxU32(x313, x310, x323) - var x326 uint32 - var x327 uint1 - x326, x327 = addcarryxU32(x311, x308, x325) - var x328 uint32 - var x329 uint1 - x328, x329 = addcarryxU32(x309, x306, x327) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x307, x304, x329) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x305, x302, x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x303, x300, x333) - var x337 uint1 - _, x337 = addcarryxU32(x276, x318, 0x0) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x278, x319, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x280, uint32(0x0), x339) - var x342 uint32 - var x343 uint1 - x342, x343 = addcarryxU32(x282, x316, x341) - var x344 uint32 - var x345 uint1 - x344, x345 = addcarryxU32(x284, x320, x343) - var x346 uint32 - var x347 uint1 - x346, x347 = addcarryxU32(x286, x322, x345) - var x348 uint32 - var x349 uint1 - x348, x349 = addcarryxU32(x288, x324, x347) - var x350 uint32 - var x351 uint1 - x350, x351 = addcarryxU32(x290, x326, x349) - var x352 uint32 - var x353 uint1 - x352, x353 = addcarryxU32(x292, x328, x351) - var x354 uint32 - var x355 uint1 - x354, x355 = addcarryxU32(x294, x330, x353) - var x356 uint32 - var x357 uint1 - x356, x357 = addcarryxU32(x296, x332, x355) - var x358 
uint32 - var x359 uint1 - x358, x359 = addcarryxU32(x298, x334, x357) - var x360 uint32 - var x361 uint1 - x360, x361 = addcarryxU32((uint32(x299) + uint32(x275)), (uint32(x335) + x301), x359) - var x362 uint32 - var x363 uint1 - x362, x363 = addcarryxU32(x338, (arg1[5]), 0x0) - var x364 uint32 - var x365 uint1 - x364, x365 = addcarryxU32(x340, uint32(0x0), x363) - var x366 uint32 - var x367 uint1 - x366, x367 = addcarryxU32(x342, uint32(0x0), x365) - var x368 uint32 - var x369 uint1 - x368, x369 = addcarryxU32(x344, uint32(0x0), x367) - var x370 uint32 - var x371 uint1 - x370, x371 = addcarryxU32(x346, uint32(0x0), x369) - var x372 uint32 - var x373 uint1 - x372, x373 = addcarryxU32(x348, uint32(0x0), x371) - var x374 uint32 - var x375 uint1 - x374, x375 = addcarryxU32(x350, uint32(0x0), x373) - var x376 uint32 - var x377 uint1 - x376, x377 = addcarryxU32(x352, uint32(0x0), x375) - var x378 uint32 - var x379 uint1 - x378, x379 = addcarryxU32(x354, uint32(0x0), x377) - var x380 uint32 - var x381 uint1 - x380, x381 = addcarryxU32(x356, uint32(0x0), x379) - var x382 uint32 - var x383 uint1 - x382, x383 = addcarryxU32(x358, uint32(0x0), x381) - var x384 uint32 - var x385 uint1 - x384, x385 = addcarryxU32(x360, uint32(0x0), x383) - var x386 uint32 - var x387 uint32 - x387, x386 = bits.Mul32(x362, 0xffffffff) - var x388 uint32 - var x389 uint32 - x389, x388 = bits.Mul32(x362, 0xffffffff) - var x390 uint32 - var x391 uint32 - x391, x390 = bits.Mul32(x362, 0xffffffff) - var x392 uint32 - var x393 uint32 - x393, x392 = bits.Mul32(x362, 0xffffffff) - var x394 uint32 - var x395 uint32 - x395, x394 = bits.Mul32(x362, 0xffffffff) - var x396 uint32 - var x397 uint32 - x397, x396 = bits.Mul32(x362, 0xffffffff) - var x398 uint32 - var x399 uint32 - x399, x398 = bits.Mul32(x362, 0xffffffff) - var x400 uint32 - var x401 uint32 - x401, x400 = bits.Mul32(x362, 0xfffffffe) - var x402 uint32 - var x403 uint32 - x403, x402 = bits.Mul32(x362, 0xffffffff) - var x404 uint32 - var x405 
uint32 - x405, x404 = bits.Mul32(x362, 0xffffffff) - var x406 uint32 - var x407 uint1 - x406, x407 = addcarryxU32(x403, x400, 0x0) - var x408 uint32 - var x409 uint1 - x408, x409 = addcarryxU32(x401, x398, x407) - var x410 uint32 - var x411 uint1 - x410, x411 = addcarryxU32(x399, x396, x409) - var x412 uint32 - var x413 uint1 - x412, x413 = addcarryxU32(x397, x394, x411) - var x414 uint32 - var x415 uint1 - x414, x415 = addcarryxU32(x395, x392, x413) - var x416 uint32 - var x417 uint1 - x416, x417 = addcarryxU32(x393, x390, x415) - var x418 uint32 - var x419 uint1 - x418, x419 = addcarryxU32(x391, x388, x417) - var x420 uint32 - var x421 uint1 - x420, x421 = addcarryxU32(x389, x386, x419) - var x423 uint1 - _, x423 = addcarryxU32(x362, x404, 0x0) - var x424 uint32 - var x425 uint1 - x424, x425 = addcarryxU32(x364, x405, x423) - var x426 uint32 - var x427 uint1 - x426, x427 = addcarryxU32(x366, uint32(0x0), x425) - var x428 uint32 - var x429 uint1 - x428, x429 = addcarryxU32(x368, x402, x427) - var x430 uint32 - var x431 uint1 - x430, x431 = addcarryxU32(x370, x406, x429) - var x432 uint32 - var x433 uint1 - x432, x433 = addcarryxU32(x372, x408, x431) - var x434 uint32 - var x435 uint1 - x434, x435 = addcarryxU32(x374, x410, x433) - var x436 uint32 - var x437 uint1 - x436, x437 = addcarryxU32(x376, x412, x435) - var x438 uint32 - var x439 uint1 - x438, x439 = addcarryxU32(x378, x414, x437) - var x440 uint32 - var x441 uint1 - x440, x441 = addcarryxU32(x380, x416, x439) - var x442 uint32 - var x443 uint1 - x442, x443 = addcarryxU32(x382, x418, x441) - var x444 uint32 - var x445 uint1 - x444, x445 = addcarryxU32(x384, x420, x443) - var x446 uint32 - var x447 uint1 - x446, x447 = addcarryxU32((uint32(x385) + uint32(x361)), (uint32(x421) + x387), x445) - var x448 uint32 - var x449 uint1 - x448, x449 = addcarryxU32(x424, (arg1[6]), 0x0) - var x450 uint32 - var x451 uint1 - x450, x451 = addcarryxU32(x426, uint32(0x0), x449) - var x452 uint32 - var x453 uint1 - x452, x453 
= addcarryxU32(x428, uint32(0x0), x451) - var x454 uint32 - var x455 uint1 - x454, x455 = addcarryxU32(x430, uint32(0x0), x453) - var x456 uint32 - var x457 uint1 - x456, x457 = addcarryxU32(x432, uint32(0x0), x455) - var x458 uint32 - var x459 uint1 - x458, x459 = addcarryxU32(x434, uint32(0x0), x457) - var x460 uint32 - var x461 uint1 - x460, x461 = addcarryxU32(x436, uint32(0x0), x459) - var x462 uint32 - var x463 uint1 - x462, x463 = addcarryxU32(x438, uint32(0x0), x461) - var x464 uint32 - var x465 uint1 - x464, x465 = addcarryxU32(x440, uint32(0x0), x463) - var x466 uint32 - var x467 uint1 - x466, x467 = addcarryxU32(x442, uint32(0x0), x465) - var x468 uint32 - var x469 uint1 - x468, x469 = addcarryxU32(x444, uint32(0x0), x467) - var x470 uint32 - var x471 uint1 - x470, x471 = addcarryxU32(x446, uint32(0x0), x469) - var x472 uint32 - var x473 uint32 - x473, x472 = bits.Mul32(x448, 0xffffffff) - var x474 uint32 - var x475 uint32 - x475, x474 = bits.Mul32(x448, 0xffffffff) - var x476 uint32 - var x477 uint32 - x477, x476 = bits.Mul32(x448, 0xffffffff) - var x478 uint32 - var x479 uint32 - x479, x478 = bits.Mul32(x448, 0xffffffff) - var x480 uint32 - var x481 uint32 - x481, x480 = bits.Mul32(x448, 0xffffffff) - var x482 uint32 - var x483 uint32 - x483, x482 = bits.Mul32(x448, 0xffffffff) - var x484 uint32 - var x485 uint32 - x485, x484 = bits.Mul32(x448, 0xffffffff) - var x486 uint32 - var x487 uint32 - x487, x486 = bits.Mul32(x448, 0xfffffffe) - var x488 uint32 - var x489 uint32 - x489, x488 = bits.Mul32(x448, 0xffffffff) - var x490 uint32 - var x491 uint32 - x491, x490 = bits.Mul32(x448, 0xffffffff) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x489, x486, 0x0) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x487, x484, x493) - var x496 uint32 - var x497 uint1 - x496, x497 = addcarryxU32(x485, x482, x495) - var x498 uint32 - var x499 uint1 - x498, x499 = addcarryxU32(x483, x480, x497) - var x500 uint32 - var x501 uint1 - x500, 
x501 = addcarryxU32(x481, x478, x499) - var x502 uint32 - var x503 uint1 - x502, x503 = addcarryxU32(x479, x476, x501) - var x504 uint32 - var x505 uint1 - x504, x505 = addcarryxU32(x477, x474, x503) - var x506 uint32 - var x507 uint1 - x506, x507 = addcarryxU32(x475, x472, x505) - var x509 uint1 - _, x509 = addcarryxU32(x448, x490, 0x0) - var x510 uint32 - var x511 uint1 - x510, x511 = addcarryxU32(x450, x491, x509) - var x512 uint32 - var x513 uint1 - x512, x513 = addcarryxU32(x452, uint32(0x0), x511) - var x514 uint32 - var x515 uint1 - x514, x515 = addcarryxU32(x454, x488, x513) - var x516 uint32 - var x517 uint1 - x516, x517 = addcarryxU32(x456, x492, x515) - var x518 uint32 - var x519 uint1 - x518, x519 = addcarryxU32(x458, x494, x517) - var x520 uint32 - var x521 uint1 - x520, x521 = addcarryxU32(x460, x496, x519) - var x522 uint32 - var x523 uint1 - x522, x523 = addcarryxU32(x462, x498, x521) - var x524 uint32 - var x525 uint1 - x524, x525 = addcarryxU32(x464, x500, x523) - var x526 uint32 - var x527 uint1 - x526, x527 = addcarryxU32(x466, x502, x525) - var x528 uint32 - var x529 uint1 - x528, x529 = addcarryxU32(x468, x504, x527) - var x530 uint32 - var x531 uint1 - x530, x531 = addcarryxU32(x470, x506, x529) - var x532 uint32 - var x533 uint1 - x532, x533 = addcarryxU32((uint32(x471) + uint32(x447)), (uint32(x507) + x473), x531) - var x534 uint32 - var x535 uint1 - x534, x535 = addcarryxU32(x510, (arg1[7]), 0x0) - var x536 uint32 - var x537 uint1 - x536, x537 = addcarryxU32(x512, uint32(0x0), x535) - var x538 uint32 - var x539 uint1 - x538, x539 = addcarryxU32(x514, uint32(0x0), x537) - var x540 uint32 - var x541 uint1 - x540, x541 = addcarryxU32(x516, uint32(0x0), x539) - var x542 uint32 - var x543 uint1 - x542, x543 = addcarryxU32(x518, uint32(0x0), x541) - var x544 uint32 - var x545 uint1 - x544, x545 = addcarryxU32(x520, uint32(0x0), x543) - var x546 uint32 - var x547 uint1 - x546, x547 = addcarryxU32(x522, uint32(0x0), x545) - var x548 uint32 - var 
x549 uint1 - x548, x549 = addcarryxU32(x524, uint32(0x0), x547) - var x550 uint32 - var x551 uint1 - x550, x551 = addcarryxU32(x526, uint32(0x0), x549) - var x552 uint32 - var x553 uint1 - x552, x553 = addcarryxU32(x528, uint32(0x0), x551) - var x554 uint32 - var x555 uint1 - x554, x555 = addcarryxU32(x530, uint32(0x0), x553) - var x556 uint32 - var x557 uint1 - x556, x557 = addcarryxU32(x532, uint32(0x0), x555) - var x558 uint32 - var x559 uint32 - x559, x558 = bits.Mul32(x534, 0xffffffff) - var x560 uint32 - var x561 uint32 - x561, x560 = bits.Mul32(x534, 0xffffffff) - var x562 uint32 - var x563 uint32 - x563, x562 = bits.Mul32(x534, 0xffffffff) - var x564 uint32 - var x565 uint32 - x565, x564 = bits.Mul32(x534, 0xffffffff) - var x566 uint32 - var x567 uint32 - x567, x566 = bits.Mul32(x534, 0xffffffff) - var x568 uint32 - var x569 uint32 - x569, x568 = bits.Mul32(x534, 0xffffffff) - var x570 uint32 - var x571 uint32 - x571, x570 = bits.Mul32(x534, 0xffffffff) - var x572 uint32 - var x573 uint32 - x573, x572 = bits.Mul32(x534, 0xfffffffe) - var x574 uint32 - var x575 uint32 - x575, x574 = bits.Mul32(x534, 0xffffffff) - var x576 uint32 - var x577 uint32 - x577, x576 = bits.Mul32(x534, 0xffffffff) - var x578 uint32 - var x579 uint1 - x578, x579 = addcarryxU32(x575, x572, 0x0) - var x580 uint32 - var x581 uint1 - x580, x581 = addcarryxU32(x573, x570, x579) - var x582 uint32 - var x583 uint1 - x582, x583 = addcarryxU32(x571, x568, x581) - var x584 uint32 - var x585 uint1 - x584, x585 = addcarryxU32(x569, x566, x583) - var x586 uint32 - var x587 uint1 - x586, x587 = addcarryxU32(x567, x564, x585) - var x588 uint32 - var x589 uint1 - x588, x589 = addcarryxU32(x565, x562, x587) - var x590 uint32 - var x591 uint1 - x590, x591 = addcarryxU32(x563, x560, x589) - var x592 uint32 - var x593 uint1 - x592, x593 = addcarryxU32(x561, x558, x591) - var x595 uint1 - _, x595 = addcarryxU32(x534, x576, 0x0) - var x596 uint32 - var x597 uint1 - x596, x597 = addcarryxU32(x536, x577, 
x595) - var x598 uint32 - var x599 uint1 - x598, x599 = addcarryxU32(x538, uint32(0x0), x597) - var x600 uint32 - var x601 uint1 - x600, x601 = addcarryxU32(x540, x574, x599) - var x602 uint32 - var x603 uint1 - x602, x603 = addcarryxU32(x542, x578, x601) - var x604 uint32 - var x605 uint1 - x604, x605 = addcarryxU32(x544, x580, x603) - var x606 uint32 - var x607 uint1 - x606, x607 = addcarryxU32(x546, x582, x605) - var x608 uint32 - var x609 uint1 - x608, x609 = addcarryxU32(x548, x584, x607) - var x610 uint32 - var x611 uint1 - x610, x611 = addcarryxU32(x550, x586, x609) - var x612 uint32 - var x613 uint1 - x612, x613 = addcarryxU32(x552, x588, x611) - var x614 uint32 - var x615 uint1 - x614, x615 = addcarryxU32(x554, x590, x613) - var x616 uint32 - var x617 uint1 - x616, x617 = addcarryxU32(x556, x592, x615) - var x618 uint32 - var x619 uint1 - x618, x619 = addcarryxU32((uint32(x557) + uint32(x533)), (uint32(x593) + x559), x617) - var x620 uint32 - var x621 uint1 - x620, x621 = addcarryxU32(x596, (arg1[8]), 0x0) - var x622 uint32 - var x623 uint1 - x622, x623 = addcarryxU32(x598, uint32(0x0), x621) - var x624 uint32 - var x625 uint1 - x624, x625 = addcarryxU32(x600, uint32(0x0), x623) - var x626 uint32 - var x627 uint1 - x626, x627 = addcarryxU32(x602, uint32(0x0), x625) - var x628 uint32 - var x629 uint1 - x628, x629 = addcarryxU32(x604, uint32(0x0), x627) - var x630 uint32 - var x631 uint1 - x630, x631 = addcarryxU32(x606, uint32(0x0), x629) - var x632 uint32 - var x633 uint1 - x632, x633 = addcarryxU32(x608, uint32(0x0), x631) - var x634 uint32 - var x635 uint1 - x634, x635 = addcarryxU32(x610, uint32(0x0), x633) - var x636 uint32 - var x637 uint1 - x636, x637 = addcarryxU32(x612, uint32(0x0), x635) - var x638 uint32 - var x639 uint1 - x638, x639 = addcarryxU32(x614, uint32(0x0), x637) - var x640 uint32 - var x641 uint1 - x640, x641 = addcarryxU32(x616, uint32(0x0), x639) - var x642 uint32 - var x643 uint1 - x642, x643 = addcarryxU32(x618, uint32(0x0), x641) 
- var x644 uint32 - var x645 uint32 - x645, x644 = bits.Mul32(x620, 0xffffffff) - var x646 uint32 - var x647 uint32 - x647, x646 = bits.Mul32(x620, 0xffffffff) - var x648 uint32 - var x649 uint32 - x649, x648 = bits.Mul32(x620, 0xffffffff) - var x650 uint32 - var x651 uint32 - x651, x650 = bits.Mul32(x620, 0xffffffff) - var x652 uint32 - var x653 uint32 - x653, x652 = bits.Mul32(x620, 0xffffffff) - var x654 uint32 - var x655 uint32 - x655, x654 = bits.Mul32(x620, 0xffffffff) - var x656 uint32 - var x657 uint32 - x657, x656 = bits.Mul32(x620, 0xffffffff) - var x658 uint32 - var x659 uint32 - x659, x658 = bits.Mul32(x620, 0xfffffffe) - var x660 uint32 - var x661 uint32 - x661, x660 = bits.Mul32(x620, 0xffffffff) - var x662 uint32 - var x663 uint32 - x663, x662 = bits.Mul32(x620, 0xffffffff) - var x664 uint32 - var x665 uint1 - x664, x665 = addcarryxU32(x661, x658, 0x0) - var x666 uint32 - var x667 uint1 - x666, x667 = addcarryxU32(x659, x656, x665) - var x668 uint32 - var x669 uint1 - x668, x669 = addcarryxU32(x657, x654, x667) - var x670 uint32 - var x671 uint1 - x670, x671 = addcarryxU32(x655, x652, x669) - var x672 uint32 - var x673 uint1 - x672, x673 = addcarryxU32(x653, x650, x671) - var x674 uint32 - var x675 uint1 - x674, x675 = addcarryxU32(x651, x648, x673) - var x676 uint32 - var x677 uint1 - x676, x677 = addcarryxU32(x649, x646, x675) - var x678 uint32 - var x679 uint1 - x678, x679 = addcarryxU32(x647, x644, x677) - var x681 uint1 - _, x681 = addcarryxU32(x620, x662, 0x0) - var x682 uint32 - var x683 uint1 - x682, x683 = addcarryxU32(x622, x663, x681) - var x684 uint32 - var x685 uint1 - x684, x685 = addcarryxU32(x624, uint32(0x0), x683) - var x686 uint32 - var x687 uint1 - x686, x687 = addcarryxU32(x626, x660, x685) - var x688 uint32 - var x689 uint1 - x688, x689 = addcarryxU32(x628, x664, x687) - var x690 uint32 - var x691 uint1 - x690, x691 = addcarryxU32(x630, x666, x689) - var x692 uint32 - var x693 uint1 - x692, x693 = addcarryxU32(x632, x668, x691) 
- var x694 uint32 - var x695 uint1 - x694, x695 = addcarryxU32(x634, x670, x693) - var x696 uint32 - var x697 uint1 - x696, x697 = addcarryxU32(x636, x672, x695) - var x698 uint32 - var x699 uint1 - x698, x699 = addcarryxU32(x638, x674, x697) - var x700 uint32 - var x701 uint1 - x700, x701 = addcarryxU32(x640, x676, x699) - var x702 uint32 - var x703 uint1 - x702, x703 = addcarryxU32(x642, x678, x701) - var x704 uint32 - var x705 uint1 - x704, x705 = addcarryxU32((uint32(x643) + uint32(x619)), (uint32(x679) + x645), x703) - var x706 uint32 - var x707 uint1 - x706, x707 = addcarryxU32(x682, (arg1[9]), 0x0) - var x708 uint32 - var x709 uint1 - x708, x709 = addcarryxU32(x684, uint32(0x0), x707) - var x710 uint32 - var x711 uint1 - x710, x711 = addcarryxU32(x686, uint32(0x0), x709) - var x712 uint32 - var x713 uint1 - x712, x713 = addcarryxU32(x688, uint32(0x0), x711) - var x714 uint32 - var x715 uint1 - x714, x715 = addcarryxU32(x690, uint32(0x0), x713) - var x716 uint32 - var x717 uint1 - x716, x717 = addcarryxU32(x692, uint32(0x0), x715) - var x718 uint32 - var x719 uint1 - x718, x719 = addcarryxU32(x694, uint32(0x0), x717) - var x720 uint32 - var x721 uint1 - x720, x721 = addcarryxU32(x696, uint32(0x0), x719) - var x722 uint32 - var x723 uint1 - x722, x723 = addcarryxU32(x698, uint32(0x0), x721) - var x724 uint32 - var x725 uint1 - x724, x725 = addcarryxU32(x700, uint32(0x0), x723) - var x726 uint32 - var x727 uint1 - x726, x727 = addcarryxU32(x702, uint32(0x0), x725) - var x728 uint32 - var x729 uint1 - x728, x729 = addcarryxU32(x704, uint32(0x0), x727) - var x730 uint32 - var x731 uint32 - x731, x730 = bits.Mul32(x706, 0xffffffff) - var x732 uint32 - var x733 uint32 - x733, x732 = bits.Mul32(x706, 0xffffffff) - var x734 uint32 - var x735 uint32 - x735, x734 = bits.Mul32(x706, 0xffffffff) - var x736 uint32 - var x737 uint32 - x737, x736 = bits.Mul32(x706, 0xffffffff) - var x738 uint32 - var x739 uint32 - x739, x738 = bits.Mul32(x706, 0xffffffff) - var x740 uint32 
- var x741 uint32 - x741, x740 = bits.Mul32(x706, 0xffffffff) - var x742 uint32 - var x743 uint32 - x743, x742 = bits.Mul32(x706, 0xffffffff) - var x744 uint32 - var x745 uint32 - x745, x744 = bits.Mul32(x706, 0xfffffffe) - var x746 uint32 - var x747 uint32 - x747, x746 = bits.Mul32(x706, 0xffffffff) - var x748 uint32 - var x749 uint32 - x749, x748 = bits.Mul32(x706, 0xffffffff) - var x750 uint32 - var x751 uint1 - x750, x751 = addcarryxU32(x747, x744, 0x0) - var x752 uint32 - var x753 uint1 - x752, x753 = addcarryxU32(x745, x742, x751) - var x754 uint32 - var x755 uint1 - x754, x755 = addcarryxU32(x743, x740, x753) - var x756 uint32 - var x757 uint1 - x756, x757 = addcarryxU32(x741, x738, x755) - var x758 uint32 - var x759 uint1 - x758, x759 = addcarryxU32(x739, x736, x757) - var x760 uint32 - var x761 uint1 - x760, x761 = addcarryxU32(x737, x734, x759) - var x762 uint32 - var x763 uint1 - x762, x763 = addcarryxU32(x735, x732, x761) - var x764 uint32 - var x765 uint1 - x764, x765 = addcarryxU32(x733, x730, x763) - var x767 uint1 - _, x767 = addcarryxU32(x706, x748, 0x0) - var x768 uint32 - var x769 uint1 - x768, x769 = addcarryxU32(x708, x749, x767) - var x770 uint32 - var x771 uint1 - x770, x771 = addcarryxU32(x710, uint32(0x0), x769) - var x772 uint32 - var x773 uint1 - x772, x773 = addcarryxU32(x712, x746, x771) - var x774 uint32 - var x775 uint1 - x774, x775 = addcarryxU32(x714, x750, x773) - var x776 uint32 - var x777 uint1 - x776, x777 = addcarryxU32(x716, x752, x775) - var x778 uint32 - var x779 uint1 - x778, x779 = addcarryxU32(x718, x754, x777) - var x780 uint32 - var x781 uint1 - x780, x781 = addcarryxU32(x720, x756, x779) - var x782 uint32 - var x783 uint1 - x782, x783 = addcarryxU32(x722, x758, x781) - var x784 uint32 - var x785 uint1 - x784, x785 = addcarryxU32(x724, x760, x783) - var x786 uint32 - var x787 uint1 - x786, x787 = addcarryxU32(x726, x762, x785) - var x788 uint32 - var x789 uint1 - x788, x789 = addcarryxU32(x728, x764, x787) - var x790 
uint32 - var x791 uint1 - x790, x791 = addcarryxU32((uint32(x729) + uint32(x705)), (uint32(x765) + x731), x789) - var x792 uint32 - var x793 uint1 - x792, x793 = addcarryxU32(x768, (arg1[10]), 0x0) - var x794 uint32 - var x795 uint1 - x794, x795 = addcarryxU32(x770, uint32(0x0), x793) - var x796 uint32 - var x797 uint1 - x796, x797 = addcarryxU32(x772, uint32(0x0), x795) - var x798 uint32 - var x799 uint1 - x798, x799 = addcarryxU32(x774, uint32(0x0), x797) - var x800 uint32 - var x801 uint1 - x800, x801 = addcarryxU32(x776, uint32(0x0), x799) - var x802 uint32 - var x803 uint1 - x802, x803 = addcarryxU32(x778, uint32(0x0), x801) - var x804 uint32 - var x805 uint1 - x804, x805 = addcarryxU32(x780, uint32(0x0), x803) - var x806 uint32 - var x807 uint1 - x806, x807 = addcarryxU32(x782, uint32(0x0), x805) - var x808 uint32 - var x809 uint1 - x808, x809 = addcarryxU32(x784, uint32(0x0), x807) - var x810 uint32 - var x811 uint1 - x810, x811 = addcarryxU32(x786, uint32(0x0), x809) - var x812 uint32 - var x813 uint1 - x812, x813 = addcarryxU32(x788, uint32(0x0), x811) - var x814 uint32 - var x815 uint1 - x814, x815 = addcarryxU32(x790, uint32(0x0), x813) - var x816 uint32 - var x817 uint32 - x817, x816 = bits.Mul32(x792, 0xffffffff) - var x818 uint32 - var x819 uint32 - x819, x818 = bits.Mul32(x792, 0xffffffff) - var x820 uint32 - var x821 uint32 - x821, x820 = bits.Mul32(x792, 0xffffffff) - var x822 uint32 - var x823 uint32 - x823, x822 = bits.Mul32(x792, 0xffffffff) - var x824 uint32 - var x825 uint32 - x825, x824 = bits.Mul32(x792, 0xffffffff) - var x826 uint32 - var x827 uint32 - x827, x826 = bits.Mul32(x792, 0xffffffff) - var x828 uint32 - var x829 uint32 - x829, x828 = bits.Mul32(x792, 0xffffffff) - var x830 uint32 - var x831 uint32 - x831, x830 = bits.Mul32(x792, 0xfffffffe) - var x832 uint32 - var x833 uint32 - x833, x832 = bits.Mul32(x792, 0xffffffff) - var x834 uint32 - var x835 uint32 - x835, x834 = bits.Mul32(x792, 0xffffffff) - var x836 uint32 - var x837 
uint1 - x836, x837 = addcarryxU32(x833, x830, 0x0) - var x838 uint32 - var x839 uint1 - x838, x839 = addcarryxU32(x831, x828, x837) - var x840 uint32 - var x841 uint1 - x840, x841 = addcarryxU32(x829, x826, x839) - var x842 uint32 - var x843 uint1 - x842, x843 = addcarryxU32(x827, x824, x841) - var x844 uint32 - var x845 uint1 - x844, x845 = addcarryxU32(x825, x822, x843) - var x846 uint32 - var x847 uint1 - x846, x847 = addcarryxU32(x823, x820, x845) - var x848 uint32 - var x849 uint1 - x848, x849 = addcarryxU32(x821, x818, x847) - var x850 uint32 - var x851 uint1 - x850, x851 = addcarryxU32(x819, x816, x849) - var x853 uint1 - _, x853 = addcarryxU32(x792, x834, 0x0) - var x854 uint32 - var x855 uint1 - x854, x855 = addcarryxU32(x794, x835, x853) - var x856 uint32 - var x857 uint1 - x856, x857 = addcarryxU32(x796, uint32(0x0), x855) - var x858 uint32 - var x859 uint1 - x858, x859 = addcarryxU32(x798, x832, x857) - var x860 uint32 - var x861 uint1 - x860, x861 = addcarryxU32(x800, x836, x859) - var x862 uint32 - var x863 uint1 - x862, x863 = addcarryxU32(x802, x838, x861) - var x864 uint32 - var x865 uint1 - x864, x865 = addcarryxU32(x804, x840, x863) - var x866 uint32 - var x867 uint1 - x866, x867 = addcarryxU32(x806, x842, x865) - var x868 uint32 - var x869 uint1 - x868, x869 = addcarryxU32(x808, x844, x867) - var x870 uint32 - var x871 uint1 - x870, x871 = addcarryxU32(x810, x846, x869) - var x872 uint32 - var x873 uint1 - x872, x873 = addcarryxU32(x812, x848, x871) - var x874 uint32 - var x875 uint1 - x874, x875 = addcarryxU32(x814, x850, x873) - var x876 uint32 - var x877 uint1 - x876, x877 = addcarryxU32((uint32(x815) + uint32(x791)), (uint32(x851) + x817), x875) - var x878 uint32 - var x879 uint1 - x878, x879 = addcarryxU32(x854, (arg1[11]), 0x0) - var x880 uint32 - var x881 uint1 - x880, x881 = addcarryxU32(x856, uint32(0x0), x879) - var x882 uint32 - var x883 uint1 - x882, x883 = addcarryxU32(x858, uint32(0x0), x881) - var x884 uint32 - var x885 uint1 - 
x884, x885 = addcarryxU32(x860, uint32(0x0), x883) - var x886 uint32 - var x887 uint1 - x886, x887 = addcarryxU32(x862, uint32(0x0), x885) - var x888 uint32 - var x889 uint1 - x888, x889 = addcarryxU32(x864, uint32(0x0), x887) - var x890 uint32 - var x891 uint1 - x890, x891 = addcarryxU32(x866, uint32(0x0), x889) - var x892 uint32 - var x893 uint1 - x892, x893 = addcarryxU32(x868, uint32(0x0), x891) - var x894 uint32 - var x895 uint1 - x894, x895 = addcarryxU32(x870, uint32(0x0), x893) - var x896 uint32 - var x897 uint1 - x896, x897 = addcarryxU32(x872, uint32(0x0), x895) - var x898 uint32 - var x899 uint1 - x898, x899 = addcarryxU32(x874, uint32(0x0), x897) - var x900 uint32 - var x901 uint1 - x900, x901 = addcarryxU32(x876, uint32(0x0), x899) - var x902 uint32 - var x903 uint32 - x903, x902 = bits.Mul32(x878, 0xffffffff) - var x904 uint32 - var x905 uint32 - x905, x904 = bits.Mul32(x878, 0xffffffff) - var x906 uint32 - var x907 uint32 - x907, x906 = bits.Mul32(x878, 0xffffffff) - var x908 uint32 - var x909 uint32 - x909, x908 = bits.Mul32(x878, 0xffffffff) - var x910 uint32 - var x911 uint32 - x911, x910 = bits.Mul32(x878, 0xffffffff) - var x912 uint32 - var x913 uint32 - x913, x912 = bits.Mul32(x878, 0xffffffff) - var x914 uint32 - var x915 uint32 - x915, x914 = bits.Mul32(x878, 0xffffffff) - var x916 uint32 - var x917 uint32 - x917, x916 = bits.Mul32(x878, 0xfffffffe) - var x918 uint32 - var x919 uint32 - x919, x918 = bits.Mul32(x878, 0xffffffff) - var x920 uint32 - var x921 uint32 - x921, x920 = bits.Mul32(x878, 0xffffffff) - var x922 uint32 - var x923 uint1 - x922, x923 = addcarryxU32(x919, x916, 0x0) - var x924 uint32 - var x925 uint1 - x924, x925 = addcarryxU32(x917, x914, x923) - var x926 uint32 - var x927 uint1 - x926, x927 = addcarryxU32(x915, x912, x925) - var x928 uint32 - var x929 uint1 - x928, x929 = addcarryxU32(x913, x910, x927) - var x930 uint32 - var x931 uint1 - x930, x931 = addcarryxU32(x911, x908, x929) - var x932 uint32 - var x933 uint1 - 
x932, x933 = addcarryxU32(x909, x906, x931) - var x934 uint32 - var x935 uint1 - x934, x935 = addcarryxU32(x907, x904, x933) - var x936 uint32 - var x937 uint1 - x936, x937 = addcarryxU32(x905, x902, x935) - var x939 uint1 - _, x939 = addcarryxU32(x878, x920, 0x0) - var x940 uint32 - var x941 uint1 - x940, x941 = addcarryxU32(x880, x921, x939) - var x942 uint32 - var x943 uint1 - x942, x943 = addcarryxU32(x882, uint32(0x0), x941) - var x944 uint32 - var x945 uint1 - x944, x945 = addcarryxU32(x884, x918, x943) - var x946 uint32 - var x947 uint1 - x946, x947 = addcarryxU32(x886, x922, x945) - var x948 uint32 - var x949 uint1 - x948, x949 = addcarryxU32(x888, x924, x947) - var x950 uint32 - var x951 uint1 - x950, x951 = addcarryxU32(x890, x926, x949) - var x952 uint32 - var x953 uint1 - x952, x953 = addcarryxU32(x892, x928, x951) - var x954 uint32 - var x955 uint1 - x954, x955 = addcarryxU32(x894, x930, x953) - var x956 uint32 - var x957 uint1 - x956, x957 = addcarryxU32(x896, x932, x955) - var x958 uint32 - var x959 uint1 - x958, x959 = addcarryxU32(x898, x934, x957) - var x960 uint32 - var x961 uint1 - x960, x961 = addcarryxU32(x900, x936, x959) - var x962 uint32 - var x963 uint1 - x962, x963 = addcarryxU32((uint32(x901) + uint32(x877)), (uint32(x937) + x903), x961) - var x964 uint32 - var x965 uint1 - x964, x965 = subborrowxU32(x940, 0xffffffff, 0x0) - var x966 uint32 - var x967 uint1 - x966, x967 = subborrowxU32(x942, uint32(0x0), x965) - var x968 uint32 - var x969 uint1 - x968, x969 = subborrowxU32(x944, uint32(0x0), x967) - var x970 uint32 - var x971 uint1 - x970, x971 = subborrowxU32(x946, 0xffffffff, x969) - var x972 uint32 - var x973 uint1 - x972, x973 = subborrowxU32(x948, 0xfffffffe, x971) - var x974 uint32 - var x975 uint1 - x974, x975 = subborrowxU32(x950, 0xffffffff, x973) - var x976 uint32 - var x977 uint1 - x976, x977 = subborrowxU32(x952, 0xffffffff, x975) - var x978 uint32 - var x979 uint1 - x978, x979 = subborrowxU32(x954, 0xffffffff, x977) - var 
x980 uint32 - var x981 uint1 - x980, x981 = subborrowxU32(x956, 0xffffffff, x979) - var x982 uint32 - var x983 uint1 - x982, x983 = subborrowxU32(x958, 0xffffffff, x981) - var x984 uint32 - var x985 uint1 - x984, x985 = subborrowxU32(x960, 0xffffffff, x983) - var x986 uint32 - var x987 uint1 - x986, x987 = subborrowxU32(x962, 0xffffffff, x985) - var x989 uint1 - _, x989 = subborrowxU32(uint32(x963), uint32(0x0), x987) - var x990 uint32 - cmovznzU32(&x990, x989, x964, x940) - var x991 uint32 - cmovznzU32(&x991, x989, x966, x942) - var x992 uint32 - cmovznzU32(&x992, x989, x968, x944) - var x993 uint32 - cmovznzU32(&x993, x989, x970, x946) - var x994 uint32 - cmovznzU32(&x994, x989, x972, x948) - var x995 uint32 - cmovznzU32(&x995, x989, x974, x950) - var x996 uint32 - cmovznzU32(&x996, x989, x976, x952) - var x997 uint32 - cmovznzU32(&x997, x989, x978, x954) - var x998 uint32 - cmovznzU32(&x998, x989, x980, x956) - var x999 uint32 - cmovznzU32(&x999, x989, x982, x958) - var x1000 uint32 - cmovznzU32(&x1000, x989, x984, x960) - var x1001 uint32 - cmovznzU32(&x1001, x989, x986, x962) - out1[0] = x990 - out1[1] = x991 - out1[2] = x992 - out1[3] = x993 - out1[4] = x994 - out1[5] = x995 - out1[6] = x996 - out1[7] = x997 - out1[8] = x998 - out1[9] = x999 - out1[10] = x1000 - out1[11] = x1001 + x1 := arg1[0] + var x2 uint32 + var x3 uint32 + x3, x2 = bits.Mul32(x1, 0xffffffff) + var x4 uint32 + var x5 uint32 + x5, x4 = bits.Mul32(x1, 0xffffffff) + var x6 uint32 + var x7 uint32 + x7, x6 = bits.Mul32(x1, 0xffffffff) + var x8 uint32 + var x9 uint32 + x9, x8 = bits.Mul32(x1, 0xffffffff) + var x10 uint32 + var x11 uint32 + x11, x10 = bits.Mul32(x1, 0xffffffff) + var x12 uint32 + var x13 uint32 + x13, x12 = bits.Mul32(x1, 0xffffffff) + var x14 uint32 + var x15 uint32 + x15, x14 = bits.Mul32(x1, 0xffffffff) + var x16 uint32 + var x17 uint32 + x17, x16 = bits.Mul32(x1, 0xfffffffe) + var x18 uint32 + var x19 uint32 + x19, x18 = bits.Mul32(x1, 0xffffffff) + var x20 uint32 + var x21 
uint32 + x21, x20 = bits.Mul32(x1, 0xffffffff) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x19, x16, 0x0) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x17, x14, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x15, x12, x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x13, x10, x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x11, x8, x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x9, x6, x31) + var x34 uint32 + var x35 uint1 + x34, x35 = addcarryxU32(x7, x4, x33) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(x5, x2, x35) + var x39 uint1 + _, x39 = addcarryxU32(x1, x20, 0x0) + var x40 uint32 + var x41 uint1 + x40, x41 = addcarryxU32((uint32(x39) + x21), arg1[1], 0x0) + var x42 uint32 + var x43 uint32 + x43, x42 = bits.Mul32(x40, 0xffffffff) + var x44 uint32 + var x45 uint32 + x45, x44 = bits.Mul32(x40, 0xffffffff) + var x46 uint32 + var x47 uint32 + x47, x46 = bits.Mul32(x40, 0xffffffff) + var x48 uint32 + var x49 uint32 + x49, x48 = bits.Mul32(x40, 0xffffffff) + var x50 uint32 + var x51 uint32 + x51, x50 = bits.Mul32(x40, 0xffffffff) + var x52 uint32 + var x53 uint32 + x53, x52 = bits.Mul32(x40, 0xffffffff) + var x54 uint32 + var x55 uint32 + x55, x54 = bits.Mul32(x40, 0xffffffff) + var x56 uint32 + var x57 uint32 + x57, x56 = bits.Mul32(x40, 0xfffffffe) + var x58 uint32 + var x59 uint32 + x59, x58 = bits.Mul32(x40, 0xffffffff) + var x60 uint32 + var x61 uint32 + x61, x60 = bits.Mul32(x40, 0xffffffff) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x59, x56, 0x0) + var x64 uint32 + var x65 uint1 + x64, x65 = addcarryxU32(x57, x54, x63) + var x66 uint32 + var x67 uint1 + x66, x67 = addcarryxU32(x55, x52, x65) + var x68 uint32 + var x69 uint1 + x68, x69 = addcarryxU32(x53, x50, x67) + var x70 uint32 + var x71 uint1 + x70, x71 = addcarryxU32(x51, x48, x69) + var x72 uint32 + var x73 uint1 + x72, x73 = addcarryxU32(x49, x46, x71) + var x74 uint32 + var 
x75 uint1 + x74, x75 = addcarryxU32(x47, x44, x73) + var x76 uint32 + var x77 uint1 + x76, x77 = addcarryxU32(x45, x42, x75) + var x79 uint1 + _, x79 = addcarryxU32(x40, x60, 0x0) + var x80 uint32 + var x81 uint1 + x80, x81 = addcarryxU32(uint32(x41), x61, x79) + var x82 uint32 + var x83 uint1 + x82, x83 = addcarryxU32(x18, uint32(0x0), x81) + var x84 uint32 + var x85 uint1 + x84, x85 = addcarryxU32(x22, x58, x83) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x24, x62, x85) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x26, x64, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x28, x66, x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x30, x68, x91) + var x94 uint32 + var x95 uint1 + x94, x95 = addcarryxU32(x32, x70, x93) + var x96 uint32 + var x97 uint1 + x96, x97 = addcarryxU32(x34, x72, x95) + var x98 uint32 + var x99 uint1 + x98, x99 = addcarryxU32(x36, x74, x97) + var x100 uint32 + var x101 uint1 + x100, x101 = addcarryxU32((uint32(x37) + x3), x76, x99) + var x102 uint32 + var x103 uint1 + x102, x103 = addcarryxU32(uint32(0x0), (uint32(x77) + x43), x101) + var x104 uint32 + var x105 uint1 + x104, x105 = addcarryxU32(x80, arg1[2], 0x0) + var x106 uint32 + var x107 uint1 + x106, x107 = addcarryxU32(x82, uint32(0x0), x105) + var x108 uint32 + var x109 uint1 + x108, x109 = addcarryxU32(x84, uint32(0x0), x107) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x86, uint32(0x0), x109) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x88, uint32(0x0), x111) + var x114 uint32 + var x115 uint1 + x114, x115 = addcarryxU32(x90, uint32(0x0), x113) + var x116 uint32 + var x117 uint1 + x116, x117 = addcarryxU32(x92, uint32(0x0), x115) + var x118 uint32 + var x119 uint1 + x118, x119 = addcarryxU32(x94, uint32(0x0), x117) + var x120 uint32 + var x121 uint1 + x120, x121 = addcarryxU32(x96, uint32(0x0), x119) + var x122 uint32 + var x123 uint1 + x122, x123 = addcarryxU32(x98, uint32(0x0), x121) + 
var x124 uint32 + var x125 uint1 + x124, x125 = addcarryxU32(x100, uint32(0x0), x123) + var x126 uint32 + var x127 uint1 + x126, x127 = addcarryxU32(x102, uint32(0x0), x125) + var x128 uint32 + var x129 uint32 + x129, x128 = bits.Mul32(x104, 0xffffffff) + var x130 uint32 + var x131 uint32 + x131, x130 = bits.Mul32(x104, 0xffffffff) + var x132 uint32 + var x133 uint32 + x133, x132 = bits.Mul32(x104, 0xffffffff) + var x134 uint32 + var x135 uint32 + x135, x134 = bits.Mul32(x104, 0xffffffff) + var x136 uint32 + var x137 uint32 + x137, x136 = bits.Mul32(x104, 0xffffffff) + var x138 uint32 + var x139 uint32 + x139, x138 = bits.Mul32(x104, 0xffffffff) + var x140 uint32 + var x141 uint32 + x141, x140 = bits.Mul32(x104, 0xffffffff) + var x142 uint32 + var x143 uint32 + x143, x142 = bits.Mul32(x104, 0xfffffffe) + var x144 uint32 + var x145 uint32 + x145, x144 = bits.Mul32(x104, 0xffffffff) + var x146 uint32 + var x147 uint32 + x147, x146 = bits.Mul32(x104, 0xffffffff) + var x148 uint32 + var x149 uint1 + x148, x149 = addcarryxU32(x145, x142, 0x0) + var x150 uint32 + var x151 uint1 + x150, x151 = addcarryxU32(x143, x140, x149) + var x152 uint32 + var x153 uint1 + x152, x153 = addcarryxU32(x141, x138, x151) + var x154 uint32 + var x155 uint1 + x154, x155 = addcarryxU32(x139, x136, x153) + var x156 uint32 + var x157 uint1 + x156, x157 = addcarryxU32(x137, x134, x155) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x135, x132, x157) + var x160 uint32 + var x161 uint1 + x160, x161 = addcarryxU32(x133, x130, x159) + var x162 uint32 + var x163 uint1 + x162, x163 = addcarryxU32(x131, x128, x161) + var x165 uint1 + _, x165 = addcarryxU32(x104, x146, 0x0) + var x166 uint32 + var x167 uint1 + x166, x167 = addcarryxU32(x106, x147, x165) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x108, uint32(0x0), x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x110, x144, x169) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x112, 
x148, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x114, x150, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x116, x152, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x118, x154, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x120, x156, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x122, x158, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x124, x160, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x126, x162, x185) + var x188 uint32 + var x189 uint1 + x188, x189 = addcarryxU32((uint32(x127) + uint32(x103)), (uint32(x163) + x129), x187) + var x190 uint32 + var x191 uint1 + x190, x191 = addcarryxU32(x166, arg1[3], 0x0) + var x192 uint32 + var x193 uint1 + x192, x193 = addcarryxU32(x168, uint32(0x0), x191) + var x194 uint32 + var x195 uint1 + x194, x195 = addcarryxU32(x170, uint32(0x0), x193) + var x196 uint32 + var x197 uint1 + x196, x197 = addcarryxU32(x172, uint32(0x0), x195) + var x198 uint32 + var x199 uint1 + x198, x199 = addcarryxU32(x174, uint32(0x0), x197) + var x200 uint32 + var x201 uint1 + x200, x201 = addcarryxU32(x176, uint32(0x0), x199) + var x202 uint32 + var x203 uint1 + x202, x203 = addcarryxU32(x178, uint32(0x0), x201) + var x204 uint32 + var x205 uint1 + x204, x205 = addcarryxU32(x180, uint32(0x0), x203) + var x206 uint32 + var x207 uint1 + x206, x207 = addcarryxU32(x182, uint32(0x0), x205) + var x208 uint32 + var x209 uint1 + x208, x209 = addcarryxU32(x184, uint32(0x0), x207) + var x210 uint32 + var x211 uint1 + x210, x211 = addcarryxU32(x186, uint32(0x0), x209) + var x212 uint32 + var x213 uint1 + x212, x213 = addcarryxU32(x188, uint32(0x0), x211) + var x214 uint32 + var x215 uint32 + x215, x214 = bits.Mul32(x190, 0xffffffff) + var x216 uint32 + var x217 uint32 + x217, x216 = bits.Mul32(x190, 0xffffffff) + var x218 uint32 + var x219 uint32 + x219, x218 = bits.Mul32(x190, 0xffffffff) + var 
x220 uint32 + var x221 uint32 + x221, x220 = bits.Mul32(x190, 0xffffffff) + var x222 uint32 + var x223 uint32 + x223, x222 = bits.Mul32(x190, 0xffffffff) + var x224 uint32 + var x225 uint32 + x225, x224 = bits.Mul32(x190, 0xffffffff) + var x226 uint32 + var x227 uint32 + x227, x226 = bits.Mul32(x190, 0xffffffff) + var x228 uint32 + var x229 uint32 + x229, x228 = bits.Mul32(x190, 0xfffffffe) + var x230 uint32 + var x231 uint32 + x231, x230 = bits.Mul32(x190, 0xffffffff) + var x232 uint32 + var x233 uint32 + x233, x232 = bits.Mul32(x190, 0xffffffff) + var x234 uint32 + var x235 uint1 + x234, x235 = addcarryxU32(x231, x228, 0x0) + var x236 uint32 + var x237 uint1 + x236, x237 = addcarryxU32(x229, x226, x235) + var x238 uint32 + var x239 uint1 + x238, x239 = addcarryxU32(x227, x224, x237) + var x240 uint32 + var x241 uint1 + x240, x241 = addcarryxU32(x225, x222, x239) + var x242 uint32 + var x243 uint1 + x242, x243 = addcarryxU32(x223, x220, x241) + var x244 uint32 + var x245 uint1 + x244, x245 = addcarryxU32(x221, x218, x243) + var x246 uint32 + var x247 uint1 + x246, x247 = addcarryxU32(x219, x216, x245) + var x248 uint32 + var x249 uint1 + x248, x249 = addcarryxU32(x217, x214, x247) + var x251 uint1 + _, x251 = addcarryxU32(x190, x232, 0x0) + var x252 uint32 + var x253 uint1 + x252, x253 = addcarryxU32(x192, x233, x251) + var x254 uint32 + var x255 uint1 + x254, x255 = addcarryxU32(x194, uint32(0x0), x253) + var x256 uint32 + var x257 uint1 + x256, x257 = addcarryxU32(x196, x230, x255) + var x258 uint32 + var x259 uint1 + x258, x259 = addcarryxU32(x198, x234, x257) + var x260 uint32 + var x261 uint1 + x260, x261 = addcarryxU32(x200, x236, x259) + var x262 uint32 + var x263 uint1 + x262, x263 = addcarryxU32(x202, x238, x261) + var x264 uint32 + var x265 uint1 + x264, x265 = addcarryxU32(x204, x240, x263) + var x266 uint32 + var x267 uint1 + x266, x267 = addcarryxU32(x206, x242, x265) + var x268 uint32 + var x269 uint1 + x268, x269 = addcarryxU32(x208, x244, x267) + 
var x270 uint32 + var x271 uint1 + x270, x271 = addcarryxU32(x210, x246, x269) + var x272 uint32 + var x273 uint1 + x272, x273 = addcarryxU32(x212, x248, x271) + var x274 uint32 + var x275 uint1 + x274, x275 = addcarryxU32((uint32(x213) + uint32(x189)), (uint32(x249) + x215), x273) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x252, arg1[4], 0x0) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32(x254, uint32(0x0), x277) + var x280 uint32 + var x281 uint1 + x280, x281 = addcarryxU32(x256, uint32(0x0), x279) + var x282 uint32 + var x283 uint1 + x282, x283 = addcarryxU32(x258, uint32(0x0), x281) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x260, uint32(0x0), x283) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x262, uint32(0x0), x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x264, uint32(0x0), x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x266, uint32(0x0), x289) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x268, uint32(0x0), x291) + var x294 uint32 + var x295 uint1 + x294, x295 = addcarryxU32(x270, uint32(0x0), x293) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x272, uint32(0x0), x295) + var x298 uint32 + var x299 uint1 + x298, x299 = addcarryxU32(x274, uint32(0x0), x297) + var x300 uint32 + var x301 uint32 + x301, x300 = bits.Mul32(x276, 0xffffffff) + var x302 uint32 + var x303 uint32 + x303, x302 = bits.Mul32(x276, 0xffffffff) + var x304 uint32 + var x305 uint32 + x305, x304 = bits.Mul32(x276, 0xffffffff) + var x306 uint32 + var x307 uint32 + x307, x306 = bits.Mul32(x276, 0xffffffff) + var x308 uint32 + var x309 uint32 + x309, x308 = bits.Mul32(x276, 0xffffffff) + var x310 uint32 + var x311 uint32 + x311, x310 = bits.Mul32(x276, 0xffffffff) + var x312 uint32 + var x313 uint32 + x313, x312 = bits.Mul32(x276, 0xffffffff) + var x314 uint32 + var x315 uint32 + x315, x314 = bits.Mul32(x276, 0xfffffffe) + var x316 uint32 + var 
x317 uint32 + x317, x316 = bits.Mul32(x276, 0xffffffff) + var x318 uint32 + var x319 uint32 + x319, x318 = bits.Mul32(x276, 0xffffffff) + var x320 uint32 + var x321 uint1 + x320, x321 = addcarryxU32(x317, x314, 0x0) + var x322 uint32 + var x323 uint1 + x322, x323 = addcarryxU32(x315, x312, x321) + var x324 uint32 + var x325 uint1 + x324, x325 = addcarryxU32(x313, x310, x323) + var x326 uint32 + var x327 uint1 + x326, x327 = addcarryxU32(x311, x308, x325) + var x328 uint32 + var x329 uint1 + x328, x329 = addcarryxU32(x309, x306, x327) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x307, x304, x329) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x305, x302, x331) + var x334 uint32 + var x335 uint1 + x334, x335 = addcarryxU32(x303, x300, x333) + var x337 uint1 + _, x337 = addcarryxU32(x276, x318, 0x0) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x278, x319, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x280, uint32(0x0), x339) + var x342 uint32 + var x343 uint1 + x342, x343 = addcarryxU32(x282, x316, x341) + var x344 uint32 + var x345 uint1 + x344, x345 = addcarryxU32(x284, x320, x343) + var x346 uint32 + var x347 uint1 + x346, x347 = addcarryxU32(x286, x322, x345) + var x348 uint32 + var x349 uint1 + x348, x349 = addcarryxU32(x288, x324, x347) + var x350 uint32 + var x351 uint1 + x350, x351 = addcarryxU32(x290, x326, x349) + var x352 uint32 + var x353 uint1 + x352, x353 = addcarryxU32(x292, x328, x351) + var x354 uint32 + var x355 uint1 + x354, x355 = addcarryxU32(x294, x330, x353) + var x356 uint32 + var x357 uint1 + x356, x357 = addcarryxU32(x296, x332, x355) + var x358 uint32 + var x359 uint1 + x358, x359 = addcarryxU32(x298, x334, x357) + var x360 uint32 + var x361 uint1 + x360, x361 = addcarryxU32((uint32(x299) + uint32(x275)), (uint32(x335) + x301), x359) + var x362 uint32 + var x363 uint1 + x362, x363 = addcarryxU32(x338, arg1[5], 0x0) + var x364 uint32 + var x365 uint1 + x364, x365 = 
addcarryxU32(x340, uint32(0x0), x363) + var x366 uint32 + var x367 uint1 + x366, x367 = addcarryxU32(x342, uint32(0x0), x365) + var x368 uint32 + var x369 uint1 + x368, x369 = addcarryxU32(x344, uint32(0x0), x367) + var x370 uint32 + var x371 uint1 + x370, x371 = addcarryxU32(x346, uint32(0x0), x369) + var x372 uint32 + var x373 uint1 + x372, x373 = addcarryxU32(x348, uint32(0x0), x371) + var x374 uint32 + var x375 uint1 + x374, x375 = addcarryxU32(x350, uint32(0x0), x373) + var x376 uint32 + var x377 uint1 + x376, x377 = addcarryxU32(x352, uint32(0x0), x375) + var x378 uint32 + var x379 uint1 + x378, x379 = addcarryxU32(x354, uint32(0x0), x377) + var x380 uint32 + var x381 uint1 + x380, x381 = addcarryxU32(x356, uint32(0x0), x379) + var x382 uint32 + var x383 uint1 + x382, x383 = addcarryxU32(x358, uint32(0x0), x381) + var x384 uint32 + var x385 uint1 + x384, x385 = addcarryxU32(x360, uint32(0x0), x383) + var x386 uint32 + var x387 uint32 + x387, x386 = bits.Mul32(x362, 0xffffffff) + var x388 uint32 + var x389 uint32 + x389, x388 = bits.Mul32(x362, 0xffffffff) + var x390 uint32 + var x391 uint32 + x391, x390 = bits.Mul32(x362, 0xffffffff) + var x392 uint32 + var x393 uint32 + x393, x392 = bits.Mul32(x362, 0xffffffff) + var x394 uint32 + var x395 uint32 + x395, x394 = bits.Mul32(x362, 0xffffffff) + var x396 uint32 + var x397 uint32 + x397, x396 = bits.Mul32(x362, 0xffffffff) + var x398 uint32 + var x399 uint32 + x399, x398 = bits.Mul32(x362, 0xffffffff) + var x400 uint32 + var x401 uint32 + x401, x400 = bits.Mul32(x362, 0xfffffffe) + var x402 uint32 + var x403 uint32 + x403, x402 = bits.Mul32(x362, 0xffffffff) + var x404 uint32 + var x405 uint32 + x405, x404 = bits.Mul32(x362, 0xffffffff) + var x406 uint32 + var x407 uint1 + x406, x407 = addcarryxU32(x403, x400, 0x0) + var x408 uint32 + var x409 uint1 + x408, x409 = addcarryxU32(x401, x398, x407) + var x410 uint32 + var x411 uint1 + x410, x411 = addcarryxU32(x399, x396, x409) + var x412 uint32 + var x413 uint1 + 
x412, x413 = addcarryxU32(x397, x394, x411) + var x414 uint32 + var x415 uint1 + x414, x415 = addcarryxU32(x395, x392, x413) + var x416 uint32 + var x417 uint1 + x416, x417 = addcarryxU32(x393, x390, x415) + var x418 uint32 + var x419 uint1 + x418, x419 = addcarryxU32(x391, x388, x417) + var x420 uint32 + var x421 uint1 + x420, x421 = addcarryxU32(x389, x386, x419) + var x423 uint1 + _, x423 = addcarryxU32(x362, x404, 0x0) + var x424 uint32 + var x425 uint1 + x424, x425 = addcarryxU32(x364, x405, x423) + var x426 uint32 + var x427 uint1 + x426, x427 = addcarryxU32(x366, uint32(0x0), x425) + var x428 uint32 + var x429 uint1 + x428, x429 = addcarryxU32(x368, x402, x427) + var x430 uint32 + var x431 uint1 + x430, x431 = addcarryxU32(x370, x406, x429) + var x432 uint32 + var x433 uint1 + x432, x433 = addcarryxU32(x372, x408, x431) + var x434 uint32 + var x435 uint1 + x434, x435 = addcarryxU32(x374, x410, x433) + var x436 uint32 + var x437 uint1 + x436, x437 = addcarryxU32(x376, x412, x435) + var x438 uint32 + var x439 uint1 + x438, x439 = addcarryxU32(x378, x414, x437) + var x440 uint32 + var x441 uint1 + x440, x441 = addcarryxU32(x380, x416, x439) + var x442 uint32 + var x443 uint1 + x442, x443 = addcarryxU32(x382, x418, x441) + var x444 uint32 + var x445 uint1 + x444, x445 = addcarryxU32(x384, x420, x443) + var x446 uint32 + var x447 uint1 + x446, x447 = addcarryxU32((uint32(x385) + uint32(x361)), (uint32(x421) + x387), x445) + var x448 uint32 + var x449 uint1 + x448, x449 = addcarryxU32(x424, arg1[6], 0x0) + var x450 uint32 + var x451 uint1 + x450, x451 = addcarryxU32(x426, uint32(0x0), x449) + var x452 uint32 + var x453 uint1 + x452, x453 = addcarryxU32(x428, uint32(0x0), x451) + var x454 uint32 + var x455 uint1 + x454, x455 = addcarryxU32(x430, uint32(0x0), x453) + var x456 uint32 + var x457 uint1 + x456, x457 = addcarryxU32(x432, uint32(0x0), x455) + var x458 uint32 + var x459 uint1 + x458, x459 = addcarryxU32(x434, uint32(0x0), x457) + var x460 uint32 + var x461 
uint1 + x460, x461 = addcarryxU32(x436, uint32(0x0), x459) + var x462 uint32 + var x463 uint1 + x462, x463 = addcarryxU32(x438, uint32(0x0), x461) + var x464 uint32 + var x465 uint1 + x464, x465 = addcarryxU32(x440, uint32(0x0), x463) + var x466 uint32 + var x467 uint1 + x466, x467 = addcarryxU32(x442, uint32(0x0), x465) + var x468 uint32 + var x469 uint1 + x468, x469 = addcarryxU32(x444, uint32(0x0), x467) + var x470 uint32 + var x471 uint1 + x470, x471 = addcarryxU32(x446, uint32(0x0), x469) + var x472 uint32 + var x473 uint32 + x473, x472 = bits.Mul32(x448, 0xffffffff) + var x474 uint32 + var x475 uint32 + x475, x474 = bits.Mul32(x448, 0xffffffff) + var x476 uint32 + var x477 uint32 + x477, x476 = bits.Mul32(x448, 0xffffffff) + var x478 uint32 + var x479 uint32 + x479, x478 = bits.Mul32(x448, 0xffffffff) + var x480 uint32 + var x481 uint32 + x481, x480 = bits.Mul32(x448, 0xffffffff) + var x482 uint32 + var x483 uint32 + x483, x482 = bits.Mul32(x448, 0xffffffff) + var x484 uint32 + var x485 uint32 + x485, x484 = bits.Mul32(x448, 0xffffffff) + var x486 uint32 + var x487 uint32 + x487, x486 = bits.Mul32(x448, 0xfffffffe) + var x488 uint32 + var x489 uint32 + x489, x488 = bits.Mul32(x448, 0xffffffff) + var x490 uint32 + var x491 uint32 + x491, x490 = bits.Mul32(x448, 0xffffffff) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x489, x486, 0x0) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x487, x484, x493) + var x496 uint32 + var x497 uint1 + x496, x497 = addcarryxU32(x485, x482, x495) + var x498 uint32 + var x499 uint1 + x498, x499 = addcarryxU32(x483, x480, x497) + var x500 uint32 + var x501 uint1 + x500, x501 = addcarryxU32(x481, x478, x499) + var x502 uint32 + var x503 uint1 + x502, x503 = addcarryxU32(x479, x476, x501) + var x504 uint32 + var x505 uint1 + x504, x505 = addcarryxU32(x477, x474, x503) + var x506 uint32 + var x507 uint1 + x506, x507 = addcarryxU32(x475, x472, x505) + var x509 uint1 + _, x509 = addcarryxU32(x448, x490, 
0x0) + var x510 uint32 + var x511 uint1 + x510, x511 = addcarryxU32(x450, x491, x509) + var x512 uint32 + var x513 uint1 + x512, x513 = addcarryxU32(x452, uint32(0x0), x511) + var x514 uint32 + var x515 uint1 + x514, x515 = addcarryxU32(x454, x488, x513) + var x516 uint32 + var x517 uint1 + x516, x517 = addcarryxU32(x456, x492, x515) + var x518 uint32 + var x519 uint1 + x518, x519 = addcarryxU32(x458, x494, x517) + var x520 uint32 + var x521 uint1 + x520, x521 = addcarryxU32(x460, x496, x519) + var x522 uint32 + var x523 uint1 + x522, x523 = addcarryxU32(x462, x498, x521) + var x524 uint32 + var x525 uint1 + x524, x525 = addcarryxU32(x464, x500, x523) + var x526 uint32 + var x527 uint1 + x526, x527 = addcarryxU32(x466, x502, x525) + var x528 uint32 + var x529 uint1 + x528, x529 = addcarryxU32(x468, x504, x527) + var x530 uint32 + var x531 uint1 + x530, x531 = addcarryxU32(x470, x506, x529) + var x532 uint32 + var x533 uint1 + x532, x533 = addcarryxU32((uint32(x471) + uint32(x447)), (uint32(x507) + x473), x531) + var x534 uint32 + var x535 uint1 + x534, x535 = addcarryxU32(x510, arg1[7], 0x0) + var x536 uint32 + var x537 uint1 + x536, x537 = addcarryxU32(x512, uint32(0x0), x535) + var x538 uint32 + var x539 uint1 + x538, x539 = addcarryxU32(x514, uint32(0x0), x537) + var x540 uint32 + var x541 uint1 + x540, x541 = addcarryxU32(x516, uint32(0x0), x539) + var x542 uint32 + var x543 uint1 + x542, x543 = addcarryxU32(x518, uint32(0x0), x541) + var x544 uint32 + var x545 uint1 + x544, x545 = addcarryxU32(x520, uint32(0x0), x543) + var x546 uint32 + var x547 uint1 + x546, x547 = addcarryxU32(x522, uint32(0x0), x545) + var x548 uint32 + var x549 uint1 + x548, x549 = addcarryxU32(x524, uint32(0x0), x547) + var x550 uint32 + var x551 uint1 + x550, x551 = addcarryxU32(x526, uint32(0x0), x549) + var x552 uint32 + var x553 uint1 + x552, x553 = addcarryxU32(x528, uint32(0x0), x551) + var x554 uint32 + var x555 uint1 + x554, x555 = addcarryxU32(x530, uint32(0x0), x553) + var x556 
uint32 + var x557 uint1 + x556, x557 = addcarryxU32(x532, uint32(0x0), x555) + var x558 uint32 + var x559 uint32 + x559, x558 = bits.Mul32(x534, 0xffffffff) + var x560 uint32 + var x561 uint32 + x561, x560 = bits.Mul32(x534, 0xffffffff) + var x562 uint32 + var x563 uint32 + x563, x562 = bits.Mul32(x534, 0xffffffff) + var x564 uint32 + var x565 uint32 + x565, x564 = bits.Mul32(x534, 0xffffffff) + var x566 uint32 + var x567 uint32 + x567, x566 = bits.Mul32(x534, 0xffffffff) + var x568 uint32 + var x569 uint32 + x569, x568 = bits.Mul32(x534, 0xffffffff) + var x570 uint32 + var x571 uint32 + x571, x570 = bits.Mul32(x534, 0xffffffff) + var x572 uint32 + var x573 uint32 + x573, x572 = bits.Mul32(x534, 0xfffffffe) + var x574 uint32 + var x575 uint32 + x575, x574 = bits.Mul32(x534, 0xffffffff) + var x576 uint32 + var x577 uint32 + x577, x576 = bits.Mul32(x534, 0xffffffff) + var x578 uint32 + var x579 uint1 + x578, x579 = addcarryxU32(x575, x572, 0x0) + var x580 uint32 + var x581 uint1 + x580, x581 = addcarryxU32(x573, x570, x579) + var x582 uint32 + var x583 uint1 + x582, x583 = addcarryxU32(x571, x568, x581) + var x584 uint32 + var x585 uint1 + x584, x585 = addcarryxU32(x569, x566, x583) + var x586 uint32 + var x587 uint1 + x586, x587 = addcarryxU32(x567, x564, x585) + var x588 uint32 + var x589 uint1 + x588, x589 = addcarryxU32(x565, x562, x587) + var x590 uint32 + var x591 uint1 + x590, x591 = addcarryxU32(x563, x560, x589) + var x592 uint32 + var x593 uint1 + x592, x593 = addcarryxU32(x561, x558, x591) + var x595 uint1 + _, x595 = addcarryxU32(x534, x576, 0x0) + var x596 uint32 + var x597 uint1 + x596, x597 = addcarryxU32(x536, x577, x595) + var x598 uint32 + var x599 uint1 + x598, x599 = addcarryxU32(x538, uint32(0x0), x597) + var x600 uint32 + var x601 uint1 + x600, x601 = addcarryxU32(x540, x574, x599) + var x602 uint32 + var x603 uint1 + x602, x603 = addcarryxU32(x542, x578, x601) + var x604 uint32 + var x605 uint1 + x604, x605 = addcarryxU32(x544, x580, x603) + 
var x606 uint32 + var x607 uint1 + x606, x607 = addcarryxU32(x546, x582, x605) + var x608 uint32 + var x609 uint1 + x608, x609 = addcarryxU32(x548, x584, x607) + var x610 uint32 + var x611 uint1 + x610, x611 = addcarryxU32(x550, x586, x609) + var x612 uint32 + var x613 uint1 + x612, x613 = addcarryxU32(x552, x588, x611) + var x614 uint32 + var x615 uint1 + x614, x615 = addcarryxU32(x554, x590, x613) + var x616 uint32 + var x617 uint1 + x616, x617 = addcarryxU32(x556, x592, x615) + var x618 uint32 + var x619 uint1 + x618, x619 = addcarryxU32((uint32(x557) + uint32(x533)), (uint32(x593) + x559), x617) + var x620 uint32 + var x621 uint1 + x620, x621 = addcarryxU32(x596, arg1[8], 0x0) + var x622 uint32 + var x623 uint1 + x622, x623 = addcarryxU32(x598, uint32(0x0), x621) + var x624 uint32 + var x625 uint1 + x624, x625 = addcarryxU32(x600, uint32(0x0), x623) + var x626 uint32 + var x627 uint1 + x626, x627 = addcarryxU32(x602, uint32(0x0), x625) + var x628 uint32 + var x629 uint1 + x628, x629 = addcarryxU32(x604, uint32(0x0), x627) + var x630 uint32 + var x631 uint1 + x630, x631 = addcarryxU32(x606, uint32(0x0), x629) + var x632 uint32 + var x633 uint1 + x632, x633 = addcarryxU32(x608, uint32(0x0), x631) + var x634 uint32 + var x635 uint1 + x634, x635 = addcarryxU32(x610, uint32(0x0), x633) + var x636 uint32 + var x637 uint1 + x636, x637 = addcarryxU32(x612, uint32(0x0), x635) + var x638 uint32 + var x639 uint1 + x638, x639 = addcarryxU32(x614, uint32(0x0), x637) + var x640 uint32 + var x641 uint1 + x640, x641 = addcarryxU32(x616, uint32(0x0), x639) + var x642 uint32 + var x643 uint1 + x642, x643 = addcarryxU32(x618, uint32(0x0), x641) + var x644 uint32 + var x645 uint32 + x645, x644 = bits.Mul32(x620, 0xffffffff) + var x646 uint32 + var x647 uint32 + x647, x646 = bits.Mul32(x620, 0xffffffff) + var x648 uint32 + var x649 uint32 + x649, x648 = bits.Mul32(x620, 0xffffffff) + var x650 uint32 + var x651 uint32 + x651, x650 = bits.Mul32(x620, 0xffffffff) + var x652 uint32 + 
var x653 uint32 + x653, x652 = bits.Mul32(x620, 0xffffffff) + var x654 uint32 + var x655 uint32 + x655, x654 = bits.Mul32(x620, 0xffffffff) + var x656 uint32 + var x657 uint32 + x657, x656 = bits.Mul32(x620, 0xffffffff) + var x658 uint32 + var x659 uint32 + x659, x658 = bits.Mul32(x620, 0xfffffffe) + var x660 uint32 + var x661 uint32 + x661, x660 = bits.Mul32(x620, 0xffffffff) + var x662 uint32 + var x663 uint32 + x663, x662 = bits.Mul32(x620, 0xffffffff) + var x664 uint32 + var x665 uint1 + x664, x665 = addcarryxU32(x661, x658, 0x0) + var x666 uint32 + var x667 uint1 + x666, x667 = addcarryxU32(x659, x656, x665) + var x668 uint32 + var x669 uint1 + x668, x669 = addcarryxU32(x657, x654, x667) + var x670 uint32 + var x671 uint1 + x670, x671 = addcarryxU32(x655, x652, x669) + var x672 uint32 + var x673 uint1 + x672, x673 = addcarryxU32(x653, x650, x671) + var x674 uint32 + var x675 uint1 + x674, x675 = addcarryxU32(x651, x648, x673) + var x676 uint32 + var x677 uint1 + x676, x677 = addcarryxU32(x649, x646, x675) + var x678 uint32 + var x679 uint1 + x678, x679 = addcarryxU32(x647, x644, x677) + var x681 uint1 + _, x681 = addcarryxU32(x620, x662, 0x0) + var x682 uint32 + var x683 uint1 + x682, x683 = addcarryxU32(x622, x663, x681) + var x684 uint32 + var x685 uint1 + x684, x685 = addcarryxU32(x624, uint32(0x0), x683) + var x686 uint32 + var x687 uint1 + x686, x687 = addcarryxU32(x626, x660, x685) + var x688 uint32 + var x689 uint1 + x688, x689 = addcarryxU32(x628, x664, x687) + var x690 uint32 + var x691 uint1 + x690, x691 = addcarryxU32(x630, x666, x689) + var x692 uint32 + var x693 uint1 + x692, x693 = addcarryxU32(x632, x668, x691) + var x694 uint32 + var x695 uint1 + x694, x695 = addcarryxU32(x634, x670, x693) + var x696 uint32 + var x697 uint1 + x696, x697 = addcarryxU32(x636, x672, x695) + var x698 uint32 + var x699 uint1 + x698, x699 = addcarryxU32(x638, x674, x697) + var x700 uint32 + var x701 uint1 + x700, x701 = addcarryxU32(x640, x676, x699) + var x702 
uint32 + var x703 uint1 + x702, x703 = addcarryxU32(x642, x678, x701) + var x704 uint32 + var x705 uint1 + x704, x705 = addcarryxU32((uint32(x643) + uint32(x619)), (uint32(x679) + x645), x703) + var x706 uint32 + var x707 uint1 + x706, x707 = addcarryxU32(x682, arg1[9], 0x0) + var x708 uint32 + var x709 uint1 + x708, x709 = addcarryxU32(x684, uint32(0x0), x707) + var x710 uint32 + var x711 uint1 + x710, x711 = addcarryxU32(x686, uint32(0x0), x709) + var x712 uint32 + var x713 uint1 + x712, x713 = addcarryxU32(x688, uint32(0x0), x711) + var x714 uint32 + var x715 uint1 + x714, x715 = addcarryxU32(x690, uint32(0x0), x713) + var x716 uint32 + var x717 uint1 + x716, x717 = addcarryxU32(x692, uint32(0x0), x715) + var x718 uint32 + var x719 uint1 + x718, x719 = addcarryxU32(x694, uint32(0x0), x717) + var x720 uint32 + var x721 uint1 + x720, x721 = addcarryxU32(x696, uint32(0x0), x719) + var x722 uint32 + var x723 uint1 + x722, x723 = addcarryxU32(x698, uint32(0x0), x721) + var x724 uint32 + var x725 uint1 + x724, x725 = addcarryxU32(x700, uint32(0x0), x723) + var x726 uint32 + var x727 uint1 + x726, x727 = addcarryxU32(x702, uint32(0x0), x725) + var x728 uint32 + var x729 uint1 + x728, x729 = addcarryxU32(x704, uint32(0x0), x727) + var x730 uint32 + var x731 uint32 + x731, x730 = bits.Mul32(x706, 0xffffffff) + var x732 uint32 + var x733 uint32 + x733, x732 = bits.Mul32(x706, 0xffffffff) + var x734 uint32 + var x735 uint32 + x735, x734 = bits.Mul32(x706, 0xffffffff) + var x736 uint32 + var x737 uint32 + x737, x736 = bits.Mul32(x706, 0xffffffff) + var x738 uint32 + var x739 uint32 + x739, x738 = bits.Mul32(x706, 0xffffffff) + var x740 uint32 + var x741 uint32 + x741, x740 = bits.Mul32(x706, 0xffffffff) + var x742 uint32 + var x743 uint32 + x743, x742 = bits.Mul32(x706, 0xffffffff) + var x744 uint32 + var x745 uint32 + x745, x744 = bits.Mul32(x706, 0xfffffffe) + var x746 uint32 + var x747 uint32 + x747, x746 = bits.Mul32(x706, 0xffffffff) + var x748 uint32 + var x749 uint32 
+ x749, x748 = bits.Mul32(x706, 0xffffffff) + var x750 uint32 + var x751 uint1 + x750, x751 = addcarryxU32(x747, x744, 0x0) + var x752 uint32 + var x753 uint1 + x752, x753 = addcarryxU32(x745, x742, x751) + var x754 uint32 + var x755 uint1 + x754, x755 = addcarryxU32(x743, x740, x753) + var x756 uint32 + var x757 uint1 + x756, x757 = addcarryxU32(x741, x738, x755) + var x758 uint32 + var x759 uint1 + x758, x759 = addcarryxU32(x739, x736, x757) + var x760 uint32 + var x761 uint1 + x760, x761 = addcarryxU32(x737, x734, x759) + var x762 uint32 + var x763 uint1 + x762, x763 = addcarryxU32(x735, x732, x761) + var x764 uint32 + var x765 uint1 + x764, x765 = addcarryxU32(x733, x730, x763) + var x767 uint1 + _, x767 = addcarryxU32(x706, x748, 0x0) + var x768 uint32 + var x769 uint1 + x768, x769 = addcarryxU32(x708, x749, x767) + var x770 uint32 + var x771 uint1 + x770, x771 = addcarryxU32(x710, uint32(0x0), x769) + var x772 uint32 + var x773 uint1 + x772, x773 = addcarryxU32(x712, x746, x771) + var x774 uint32 + var x775 uint1 + x774, x775 = addcarryxU32(x714, x750, x773) + var x776 uint32 + var x777 uint1 + x776, x777 = addcarryxU32(x716, x752, x775) + var x778 uint32 + var x779 uint1 + x778, x779 = addcarryxU32(x718, x754, x777) + var x780 uint32 + var x781 uint1 + x780, x781 = addcarryxU32(x720, x756, x779) + var x782 uint32 + var x783 uint1 + x782, x783 = addcarryxU32(x722, x758, x781) + var x784 uint32 + var x785 uint1 + x784, x785 = addcarryxU32(x724, x760, x783) + var x786 uint32 + var x787 uint1 + x786, x787 = addcarryxU32(x726, x762, x785) + var x788 uint32 + var x789 uint1 + x788, x789 = addcarryxU32(x728, x764, x787) + var x790 uint32 + var x791 uint1 + x790, x791 = addcarryxU32((uint32(x729) + uint32(x705)), (uint32(x765) + x731), x789) + var x792 uint32 + var x793 uint1 + x792, x793 = addcarryxU32(x768, arg1[10], 0x0) + var x794 uint32 + var x795 uint1 + x794, x795 = addcarryxU32(x770, uint32(0x0), x793) + var x796 uint32 + var x797 uint1 + x796, x797 = 
addcarryxU32(x772, uint32(0x0), x795) + var x798 uint32 + var x799 uint1 + x798, x799 = addcarryxU32(x774, uint32(0x0), x797) + var x800 uint32 + var x801 uint1 + x800, x801 = addcarryxU32(x776, uint32(0x0), x799) + var x802 uint32 + var x803 uint1 + x802, x803 = addcarryxU32(x778, uint32(0x0), x801) + var x804 uint32 + var x805 uint1 + x804, x805 = addcarryxU32(x780, uint32(0x0), x803) + var x806 uint32 + var x807 uint1 + x806, x807 = addcarryxU32(x782, uint32(0x0), x805) + var x808 uint32 + var x809 uint1 + x808, x809 = addcarryxU32(x784, uint32(0x0), x807) + var x810 uint32 + var x811 uint1 + x810, x811 = addcarryxU32(x786, uint32(0x0), x809) + var x812 uint32 + var x813 uint1 + x812, x813 = addcarryxU32(x788, uint32(0x0), x811) + var x814 uint32 + var x815 uint1 + x814, x815 = addcarryxU32(x790, uint32(0x0), x813) + var x816 uint32 + var x817 uint32 + x817, x816 = bits.Mul32(x792, 0xffffffff) + var x818 uint32 + var x819 uint32 + x819, x818 = bits.Mul32(x792, 0xffffffff) + var x820 uint32 + var x821 uint32 + x821, x820 = bits.Mul32(x792, 0xffffffff) + var x822 uint32 + var x823 uint32 + x823, x822 = bits.Mul32(x792, 0xffffffff) + var x824 uint32 + var x825 uint32 + x825, x824 = bits.Mul32(x792, 0xffffffff) + var x826 uint32 + var x827 uint32 + x827, x826 = bits.Mul32(x792, 0xffffffff) + var x828 uint32 + var x829 uint32 + x829, x828 = bits.Mul32(x792, 0xffffffff) + var x830 uint32 + var x831 uint32 + x831, x830 = bits.Mul32(x792, 0xfffffffe) + var x832 uint32 + var x833 uint32 + x833, x832 = bits.Mul32(x792, 0xffffffff) + var x834 uint32 + var x835 uint32 + x835, x834 = bits.Mul32(x792, 0xffffffff) + var x836 uint32 + var x837 uint1 + x836, x837 = addcarryxU32(x833, x830, 0x0) + var x838 uint32 + var x839 uint1 + x838, x839 = addcarryxU32(x831, x828, x837) + var x840 uint32 + var x841 uint1 + x840, x841 = addcarryxU32(x829, x826, x839) + var x842 uint32 + var x843 uint1 + x842, x843 = addcarryxU32(x827, x824, x841) + var x844 uint32 + var x845 uint1 + x844, 
x845 = addcarryxU32(x825, x822, x843) + var x846 uint32 + var x847 uint1 + x846, x847 = addcarryxU32(x823, x820, x845) + var x848 uint32 + var x849 uint1 + x848, x849 = addcarryxU32(x821, x818, x847) + var x850 uint32 + var x851 uint1 + x850, x851 = addcarryxU32(x819, x816, x849) + var x853 uint1 + _, x853 = addcarryxU32(x792, x834, 0x0) + var x854 uint32 + var x855 uint1 + x854, x855 = addcarryxU32(x794, x835, x853) + var x856 uint32 + var x857 uint1 + x856, x857 = addcarryxU32(x796, uint32(0x0), x855) + var x858 uint32 + var x859 uint1 + x858, x859 = addcarryxU32(x798, x832, x857) + var x860 uint32 + var x861 uint1 + x860, x861 = addcarryxU32(x800, x836, x859) + var x862 uint32 + var x863 uint1 + x862, x863 = addcarryxU32(x802, x838, x861) + var x864 uint32 + var x865 uint1 + x864, x865 = addcarryxU32(x804, x840, x863) + var x866 uint32 + var x867 uint1 + x866, x867 = addcarryxU32(x806, x842, x865) + var x868 uint32 + var x869 uint1 + x868, x869 = addcarryxU32(x808, x844, x867) + var x870 uint32 + var x871 uint1 + x870, x871 = addcarryxU32(x810, x846, x869) + var x872 uint32 + var x873 uint1 + x872, x873 = addcarryxU32(x812, x848, x871) + var x874 uint32 + var x875 uint1 + x874, x875 = addcarryxU32(x814, x850, x873) + var x876 uint32 + var x877 uint1 + x876, x877 = addcarryxU32((uint32(x815) + uint32(x791)), (uint32(x851) + x817), x875) + var x878 uint32 + var x879 uint1 + x878, x879 = addcarryxU32(x854, arg1[11], 0x0) + var x880 uint32 + var x881 uint1 + x880, x881 = addcarryxU32(x856, uint32(0x0), x879) + var x882 uint32 + var x883 uint1 + x882, x883 = addcarryxU32(x858, uint32(0x0), x881) + var x884 uint32 + var x885 uint1 + x884, x885 = addcarryxU32(x860, uint32(0x0), x883) + var x886 uint32 + var x887 uint1 + x886, x887 = addcarryxU32(x862, uint32(0x0), x885) + var x888 uint32 + var x889 uint1 + x888, x889 = addcarryxU32(x864, uint32(0x0), x887) + var x890 uint32 + var x891 uint1 + x890, x891 = addcarryxU32(x866, uint32(0x0), x889) + var x892 uint32 + var 
x893 uint1 + x892, x893 = addcarryxU32(x868, uint32(0x0), x891) + var x894 uint32 + var x895 uint1 + x894, x895 = addcarryxU32(x870, uint32(0x0), x893) + var x896 uint32 + var x897 uint1 + x896, x897 = addcarryxU32(x872, uint32(0x0), x895) + var x898 uint32 + var x899 uint1 + x898, x899 = addcarryxU32(x874, uint32(0x0), x897) + var x900 uint32 + var x901 uint1 + x900, x901 = addcarryxU32(x876, uint32(0x0), x899) + var x902 uint32 + var x903 uint32 + x903, x902 = bits.Mul32(x878, 0xffffffff) + var x904 uint32 + var x905 uint32 + x905, x904 = bits.Mul32(x878, 0xffffffff) + var x906 uint32 + var x907 uint32 + x907, x906 = bits.Mul32(x878, 0xffffffff) + var x908 uint32 + var x909 uint32 + x909, x908 = bits.Mul32(x878, 0xffffffff) + var x910 uint32 + var x911 uint32 + x911, x910 = bits.Mul32(x878, 0xffffffff) + var x912 uint32 + var x913 uint32 + x913, x912 = bits.Mul32(x878, 0xffffffff) + var x914 uint32 + var x915 uint32 + x915, x914 = bits.Mul32(x878, 0xffffffff) + var x916 uint32 + var x917 uint32 + x917, x916 = bits.Mul32(x878, 0xfffffffe) + var x918 uint32 + var x919 uint32 + x919, x918 = bits.Mul32(x878, 0xffffffff) + var x920 uint32 + var x921 uint32 + x921, x920 = bits.Mul32(x878, 0xffffffff) + var x922 uint32 + var x923 uint1 + x922, x923 = addcarryxU32(x919, x916, 0x0) + var x924 uint32 + var x925 uint1 + x924, x925 = addcarryxU32(x917, x914, x923) + var x926 uint32 + var x927 uint1 + x926, x927 = addcarryxU32(x915, x912, x925) + var x928 uint32 + var x929 uint1 + x928, x929 = addcarryxU32(x913, x910, x927) + var x930 uint32 + var x931 uint1 + x930, x931 = addcarryxU32(x911, x908, x929) + var x932 uint32 + var x933 uint1 + x932, x933 = addcarryxU32(x909, x906, x931) + var x934 uint32 + var x935 uint1 + x934, x935 = addcarryxU32(x907, x904, x933) + var x936 uint32 + var x937 uint1 + x936, x937 = addcarryxU32(x905, x902, x935) + var x939 uint1 + _, x939 = addcarryxU32(x878, x920, 0x0) + var x940 uint32 + var x941 uint1 + x940, x941 = addcarryxU32(x880, x921, 
x939) + var x942 uint32 + var x943 uint1 + x942, x943 = addcarryxU32(x882, uint32(0x0), x941) + var x944 uint32 + var x945 uint1 + x944, x945 = addcarryxU32(x884, x918, x943) + var x946 uint32 + var x947 uint1 + x946, x947 = addcarryxU32(x886, x922, x945) + var x948 uint32 + var x949 uint1 + x948, x949 = addcarryxU32(x888, x924, x947) + var x950 uint32 + var x951 uint1 + x950, x951 = addcarryxU32(x890, x926, x949) + var x952 uint32 + var x953 uint1 + x952, x953 = addcarryxU32(x892, x928, x951) + var x954 uint32 + var x955 uint1 + x954, x955 = addcarryxU32(x894, x930, x953) + var x956 uint32 + var x957 uint1 + x956, x957 = addcarryxU32(x896, x932, x955) + var x958 uint32 + var x959 uint1 + x958, x959 = addcarryxU32(x898, x934, x957) + var x960 uint32 + var x961 uint1 + x960, x961 = addcarryxU32(x900, x936, x959) + var x962 uint32 + var x963 uint1 + x962, x963 = addcarryxU32((uint32(x901) + uint32(x877)), (uint32(x937) + x903), x961) + var x964 uint32 + var x965 uint1 + x964, x965 = subborrowxU32(x940, 0xffffffff, 0x0) + var x966 uint32 + var x967 uint1 + x966, x967 = subborrowxU32(x942, uint32(0x0), x965) + var x968 uint32 + var x969 uint1 + x968, x969 = subborrowxU32(x944, uint32(0x0), x967) + var x970 uint32 + var x971 uint1 + x970, x971 = subborrowxU32(x946, 0xffffffff, x969) + var x972 uint32 + var x973 uint1 + x972, x973 = subborrowxU32(x948, 0xfffffffe, x971) + var x974 uint32 + var x975 uint1 + x974, x975 = subborrowxU32(x950, 0xffffffff, x973) + var x976 uint32 + var x977 uint1 + x976, x977 = subborrowxU32(x952, 0xffffffff, x975) + var x978 uint32 + var x979 uint1 + x978, x979 = subborrowxU32(x954, 0xffffffff, x977) + var x980 uint32 + var x981 uint1 + x980, x981 = subborrowxU32(x956, 0xffffffff, x979) + var x982 uint32 + var x983 uint1 + x982, x983 = subborrowxU32(x958, 0xffffffff, x981) + var x984 uint32 + var x985 uint1 + x984, x985 = subborrowxU32(x960, 0xffffffff, x983) + var x986 uint32 + var x987 uint1 + x986, x987 = subborrowxU32(x962, 0xffffffff, 
x985) + var x989 uint1 + _, x989 = subborrowxU32(uint32(x963), uint32(0x0), x987) + var x990 uint32 + cmovznzU32(&x990, x989, x964, x940) + var x991 uint32 + cmovznzU32(&x991, x989, x966, x942) + var x992 uint32 + cmovznzU32(&x992, x989, x968, x944) + var x993 uint32 + cmovznzU32(&x993, x989, x970, x946) + var x994 uint32 + cmovznzU32(&x994, x989, x972, x948) + var x995 uint32 + cmovznzU32(&x995, x989, x974, x950) + var x996 uint32 + cmovznzU32(&x996, x989, x976, x952) + var x997 uint32 + cmovznzU32(&x997, x989, x978, x954) + var x998 uint32 + cmovznzU32(&x998, x989, x980, x956) + var x999 uint32 + cmovznzU32(&x999, x989, x982, x958) + var x1000 uint32 + cmovznzU32(&x1000, x989, x984, x960) + var x1001 uint32 + cmovznzU32(&x1001, x989, x986, x962) + out1[0] = x990 + out1[1] = x991 + out1[2] = x992 + out1[3] = x993 + out1[4] = x994 + out1[5] = x995 + out1[6] = x996 + out1[7] = x997 + out1[8] = x998 + out1[9] = x999 + out1[10] = x1000 + out1[11] = x1001 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func ToMontgomery(out1 *[12]uint32, arg1 *[12]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[8]) - var x9 uint32 = (arg1[9]) - var x10 uint32 = (arg1[10]) - var x11 uint32 = (arg1[11]) - var x12 uint32 = (arg1[0]) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x12, 0x2) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x12, 0xfffffffe) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x12, 0x2) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x12, 0xfffffffe) - var x21 uint32 - var x22 uint1 - x21, x22 = addcarryxU32(uint32(uint1(x14)), x12, 0x0) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x12, 0xffffffff) - var x25 uint32 - var x26 uint32 - x26, x25 = bits.Mul32(x12, 0xffffffff) - var x27 uint32 - var x28 uint32 - x28, x27 = bits.Mul32(x12, 0xffffffff) - var x29 uint32 - var x30 uint32 - x30, x29 = bits.Mul32(x12, 0xffffffff) - var x31 uint32 - var x32 uint32 - x32, x31 = bits.Mul32(x12, 0xffffffff) - var x33 uint32 - var x34 uint32 - x34, x33 = bits.Mul32(x12, 0xffffffff) - var x35 uint32 - var x36 uint32 - x36, x35 = bits.Mul32(x12, 
0xffffffff) - var x37 uint32 - var x38 uint32 - x38, x37 = bits.Mul32(x12, 0xfffffffe) - var x39 uint32 - var x40 uint32 - x40, x39 = bits.Mul32(x12, 0xffffffff) - var x41 uint32 - var x42 uint32 - x42, x41 = bits.Mul32(x12, 0xffffffff) - var x43 uint32 - var x44 uint1 - x43, x44 = addcarryxU32(x40, x37, 0x0) - var x45 uint32 - var x46 uint1 - x45, x46 = addcarryxU32(x38, x35, x44) - var x47 uint32 - var x48 uint1 - x47, x48 = addcarryxU32(x36, x33, x46) - var x49 uint32 - var x50 uint1 - x49, x50 = addcarryxU32(x34, x31, x48) - var x51 uint32 - var x52 uint1 - x51, x52 = addcarryxU32(x32, x29, x50) - var x53 uint32 - var x54 uint1 - x53, x54 = addcarryxU32(x30, x27, x52) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x28, x25, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x26, x23, x56) - var x60 uint1 - _, x60 = addcarryxU32(x12, x41, 0x0) - var x61 uint32 - var x62 uint1 - x61, x62 = addcarryxU32(x19, x42, x60) - var x63 uint32 - var x64 uint1 - x63, x64 = addcarryxU32(x17, x39, 0x0) - var x65 uint32 - var x66 uint1 - x65, x66 = addcarryxU32(uint32(uint1(x18)), x43, x64) - var x67 uint32 - var x68 uint1 - x67, x68 = addcarryxU32(x15, x45, x66) - var x69 uint32 - var x70 uint1 - x69, x70 = addcarryxU32(x16, x47, x68) - var x71 uint32 - var x72 uint1 - x71, x72 = addcarryxU32(x13, x49, x70) - var x73 uint32 - var x74 uint1 - x73, x74 = addcarryxU32(x21, x51, x72) - var x75 uint32 - var x76 uint1 - x75, x76 = addcarryxU32(uint32(x22), x53, x74) - var x77 uint32 - var x78 uint1 - x77, x78 = addcarryxU32(uint32(0x0), x55, x76) - var x79 uint32 - var x80 uint1 - x79, x80 = addcarryxU32(uint32(0x0), x57, x78) - var x81 uint32 - var x82 uint1 - x81, x82 = addcarryxU32(uint32(0x0), (uint32(x58) + x24), x80) - var x83 uint32 - var x84 uint32 - x84, x83 = bits.Mul32(x1, 0x2) - var x85 uint32 - var x86 uint32 - x86, x85 = bits.Mul32(x1, 0xfffffffe) - var x87 uint32 - var x88 uint32 - x88, x87 = bits.Mul32(x1, 0x2) - var x89 uint32 - var x90 
uint32 - x90, x89 = bits.Mul32(x1, 0xfffffffe) - var x91 uint32 - var x92 uint1 - x91, x92 = addcarryxU32(uint32(uint1(x84)), x1, 0x0) - var x93 uint32 - var x94 uint1 - x93, x94 = addcarryxU32(x61, x1, 0x0) - var x95 uint32 - var x96 uint1 - x95, x96 = addcarryxU32((uint32(x62) + x20), x89, x94) - var x97 uint32 - var x98 uint1 - x97, x98 = addcarryxU32(x63, x90, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = addcarryxU32(x65, x87, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = addcarryxU32(x67, uint32(uint1(x88)), x100) - var x103 uint32 - var x104 uint1 - x103, x104 = addcarryxU32(x69, x85, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = addcarryxU32(x71, x86, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = addcarryxU32(x73, x83, x106) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(x75, x91, x108) - var x111 uint32 - var x112 uint1 - x111, x112 = addcarryxU32(x77, uint32(x92), x110) - var x113 uint32 - var x114 uint1 - x113, x114 = addcarryxU32(x79, uint32(0x0), x112) - var x115 uint32 - var x116 uint1 - x115, x116 = addcarryxU32(x81, uint32(0x0), x114) - var x117 uint32 - var x118 uint32 - x118, x117 = bits.Mul32(x93, 0xffffffff) - var x119 uint32 - var x120 uint32 - x120, x119 = bits.Mul32(x93, 0xffffffff) - var x121 uint32 - var x122 uint32 - x122, x121 = bits.Mul32(x93, 0xffffffff) - var x123 uint32 - var x124 uint32 - x124, x123 = bits.Mul32(x93, 0xffffffff) - var x125 uint32 - var x126 uint32 - x126, x125 = bits.Mul32(x93, 0xffffffff) - var x127 uint32 - var x128 uint32 - x128, x127 = bits.Mul32(x93, 0xffffffff) - var x129 uint32 - var x130 uint32 - x130, x129 = bits.Mul32(x93, 0xffffffff) - var x131 uint32 - var x132 uint32 - x132, x131 = bits.Mul32(x93, 0xfffffffe) - var x133 uint32 - var x134 uint32 - x134, x133 = bits.Mul32(x93, 0xffffffff) - var x135 uint32 - var x136 uint32 - x136, x135 = bits.Mul32(x93, 0xffffffff) - var x137 uint32 - var x138 uint1 - x137, x138 = addcarryxU32(x134, x131, 0x0) - var x139 
uint32 - var x140 uint1 - x139, x140 = addcarryxU32(x132, x129, x138) - var x141 uint32 - var x142 uint1 - x141, x142 = addcarryxU32(x130, x127, x140) - var x143 uint32 - var x144 uint1 - x143, x144 = addcarryxU32(x128, x125, x142) - var x145 uint32 - var x146 uint1 - x145, x146 = addcarryxU32(x126, x123, x144) - var x147 uint32 - var x148 uint1 - x147, x148 = addcarryxU32(x124, x121, x146) - var x149 uint32 - var x150 uint1 - x149, x150 = addcarryxU32(x122, x119, x148) - var x151 uint32 - var x152 uint1 - x151, x152 = addcarryxU32(x120, x117, x150) - var x154 uint1 - _, x154 = addcarryxU32(x93, x135, 0x0) - var x155 uint32 - var x156 uint1 - x155, x156 = addcarryxU32(x95, x136, x154) - var x157 uint32 - var x158 uint1 - x157, x158 = addcarryxU32(x97, uint32(0x0), x156) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x99, x133, x158) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x101, x137, x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x103, x139, x162) - var x165 uint32 - var x166 uint1 - x165, x166 = addcarryxU32(x105, x141, x164) - var x167 uint32 - var x168 uint1 - x167, x168 = addcarryxU32(x107, x143, x166) - var x169 uint32 - var x170 uint1 - x169, x170 = addcarryxU32(x109, x145, x168) - var x171 uint32 - var x172 uint1 - x171, x172 = addcarryxU32(x111, x147, x170) - var x173 uint32 - var x174 uint1 - x173, x174 = addcarryxU32(x113, x149, x172) - var x175 uint32 - var x176 uint1 - x175, x176 = addcarryxU32(x115, x151, x174) - var x177 uint32 - var x178 uint1 - x177, x178 = addcarryxU32((uint32(x116) + uint32(x82)), (uint32(x152) + x118), x176) - var x179 uint32 - var x180 uint32 - x180, x179 = bits.Mul32(x2, 0x2) - var x181 uint32 - var x182 uint32 - x182, x181 = bits.Mul32(x2, 0xfffffffe) - var x183 uint32 - var x184 uint32 - x184, x183 = bits.Mul32(x2, 0x2) - var x185 uint32 - var x186 uint32 - x186, x185 = bits.Mul32(x2, 0xfffffffe) - var x187 uint32 - var x188 uint1 - x187, x188 = 
addcarryxU32(uint32(uint1(x180)), x2, 0x0) - var x189 uint32 - var x190 uint1 - x189, x190 = addcarryxU32(x155, x2, 0x0) - var x191 uint32 - var x192 uint1 - x191, x192 = addcarryxU32(x157, x185, x190) - var x193 uint32 - var x194 uint1 - x193, x194 = addcarryxU32(x159, x186, x192) - var x195 uint32 - var x196 uint1 - x195, x196 = addcarryxU32(x161, x183, x194) - var x197 uint32 - var x198 uint1 - x197, x198 = addcarryxU32(x163, uint32(uint1(x184)), x196) - var x199 uint32 - var x200 uint1 - x199, x200 = addcarryxU32(x165, x181, x198) - var x201 uint32 - var x202 uint1 - x201, x202 = addcarryxU32(x167, x182, x200) - var x203 uint32 - var x204 uint1 - x203, x204 = addcarryxU32(x169, x179, x202) - var x205 uint32 - var x206 uint1 - x205, x206 = addcarryxU32(x171, x187, x204) - var x207 uint32 - var x208 uint1 - x207, x208 = addcarryxU32(x173, uint32(x188), x206) - var x209 uint32 - var x210 uint1 - x209, x210 = addcarryxU32(x175, uint32(0x0), x208) - var x211 uint32 - var x212 uint1 - x211, x212 = addcarryxU32(x177, uint32(0x0), x210) - var x213 uint32 - var x214 uint32 - x214, x213 = bits.Mul32(x189, 0xffffffff) - var x215 uint32 - var x216 uint32 - x216, x215 = bits.Mul32(x189, 0xffffffff) - var x217 uint32 - var x218 uint32 - x218, x217 = bits.Mul32(x189, 0xffffffff) - var x219 uint32 - var x220 uint32 - x220, x219 = bits.Mul32(x189, 0xffffffff) - var x221 uint32 - var x222 uint32 - x222, x221 = bits.Mul32(x189, 0xffffffff) - var x223 uint32 - var x224 uint32 - x224, x223 = bits.Mul32(x189, 0xffffffff) - var x225 uint32 - var x226 uint32 - x226, x225 = bits.Mul32(x189, 0xffffffff) - var x227 uint32 - var x228 uint32 - x228, x227 = bits.Mul32(x189, 0xfffffffe) - var x229 uint32 - var x230 uint32 - x230, x229 = bits.Mul32(x189, 0xffffffff) - var x231 uint32 - var x232 uint32 - x232, x231 = bits.Mul32(x189, 0xffffffff) - var x233 uint32 - var x234 uint1 - x233, x234 = addcarryxU32(x230, x227, 0x0) - var x235 uint32 - var x236 uint1 - x235, x236 = addcarryxU32(x228, 
x225, x234) - var x237 uint32 - var x238 uint1 - x237, x238 = addcarryxU32(x226, x223, x236) - var x239 uint32 - var x240 uint1 - x239, x240 = addcarryxU32(x224, x221, x238) - var x241 uint32 - var x242 uint1 - x241, x242 = addcarryxU32(x222, x219, x240) - var x243 uint32 - var x244 uint1 - x243, x244 = addcarryxU32(x220, x217, x242) - var x245 uint32 - var x246 uint1 - x245, x246 = addcarryxU32(x218, x215, x244) - var x247 uint32 - var x248 uint1 - x247, x248 = addcarryxU32(x216, x213, x246) - var x250 uint1 - _, x250 = addcarryxU32(x189, x231, 0x0) - var x251 uint32 - var x252 uint1 - x251, x252 = addcarryxU32(x191, x232, x250) - var x253 uint32 - var x254 uint1 - x253, x254 = addcarryxU32(x193, uint32(0x0), x252) - var x255 uint32 - var x256 uint1 - x255, x256 = addcarryxU32(x195, x229, x254) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x197, x233, x256) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x199, x235, x258) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x201, x237, x260) - var x263 uint32 - var x264 uint1 - x263, x264 = addcarryxU32(x203, x239, x262) - var x265 uint32 - var x266 uint1 - x265, x266 = addcarryxU32(x205, x241, x264) - var x267 uint32 - var x268 uint1 - x267, x268 = addcarryxU32(x207, x243, x266) - var x269 uint32 - var x270 uint1 - x269, x270 = addcarryxU32(x209, x245, x268) - var x271 uint32 - var x272 uint1 - x271, x272 = addcarryxU32(x211, x247, x270) - var x273 uint32 - var x274 uint1 - x273, x274 = addcarryxU32((uint32(x212) + uint32(x178)), (uint32(x248) + x214), x272) - var x275 uint32 - var x276 uint32 - x276, x275 = bits.Mul32(x3, 0x2) - var x277 uint32 - var x278 uint32 - x278, x277 = bits.Mul32(x3, 0xfffffffe) - var x279 uint32 - var x280 uint32 - x280, x279 = bits.Mul32(x3, 0x2) - var x281 uint32 - var x282 uint32 - x282, x281 = bits.Mul32(x3, 0xfffffffe) - var x283 uint32 - var x284 uint1 - x283, x284 = addcarryxU32(uint32(uint1(x276)), x3, 0x0) - var x285 uint32 - var x286 
uint1 - x285, x286 = addcarryxU32(x251, x3, 0x0) - var x287 uint32 - var x288 uint1 - x287, x288 = addcarryxU32(x253, x281, x286) - var x289 uint32 - var x290 uint1 - x289, x290 = addcarryxU32(x255, x282, x288) - var x291 uint32 - var x292 uint1 - x291, x292 = addcarryxU32(x257, x279, x290) - var x293 uint32 - var x294 uint1 - x293, x294 = addcarryxU32(x259, uint32(uint1(x280)), x292) - var x295 uint32 - var x296 uint1 - x295, x296 = addcarryxU32(x261, x277, x294) - var x297 uint32 - var x298 uint1 - x297, x298 = addcarryxU32(x263, x278, x296) - var x299 uint32 - var x300 uint1 - x299, x300 = addcarryxU32(x265, x275, x298) - var x301 uint32 - var x302 uint1 - x301, x302 = addcarryxU32(x267, x283, x300) - var x303 uint32 - var x304 uint1 - x303, x304 = addcarryxU32(x269, uint32(x284), x302) - var x305 uint32 - var x306 uint1 - x305, x306 = addcarryxU32(x271, uint32(0x0), x304) - var x307 uint32 - var x308 uint1 - x307, x308 = addcarryxU32(x273, uint32(0x0), x306) - var x309 uint32 - var x310 uint32 - x310, x309 = bits.Mul32(x285, 0xffffffff) - var x311 uint32 - var x312 uint32 - x312, x311 = bits.Mul32(x285, 0xffffffff) - var x313 uint32 - var x314 uint32 - x314, x313 = bits.Mul32(x285, 0xffffffff) - var x315 uint32 - var x316 uint32 - x316, x315 = bits.Mul32(x285, 0xffffffff) - var x317 uint32 - var x318 uint32 - x318, x317 = bits.Mul32(x285, 0xffffffff) - var x319 uint32 - var x320 uint32 - x320, x319 = bits.Mul32(x285, 0xffffffff) - var x321 uint32 - var x322 uint32 - x322, x321 = bits.Mul32(x285, 0xffffffff) - var x323 uint32 - var x324 uint32 - x324, x323 = bits.Mul32(x285, 0xfffffffe) - var x325 uint32 - var x326 uint32 - x326, x325 = bits.Mul32(x285, 0xffffffff) - var x327 uint32 - var x328 uint32 - x328, x327 = bits.Mul32(x285, 0xffffffff) - var x329 uint32 - var x330 uint1 - x329, x330 = addcarryxU32(x326, x323, 0x0) - var x331 uint32 - var x332 uint1 - x331, x332 = addcarryxU32(x324, x321, x330) - var x333 uint32 - var x334 uint1 - x333, x334 = 
addcarryxU32(x322, x319, x332) - var x335 uint32 - var x336 uint1 - x335, x336 = addcarryxU32(x320, x317, x334) - var x337 uint32 - var x338 uint1 - x337, x338 = addcarryxU32(x318, x315, x336) - var x339 uint32 - var x340 uint1 - x339, x340 = addcarryxU32(x316, x313, x338) - var x341 uint32 - var x342 uint1 - x341, x342 = addcarryxU32(x314, x311, x340) - var x343 uint32 - var x344 uint1 - x343, x344 = addcarryxU32(x312, x309, x342) - var x346 uint1 - _, x346 = addcarryxU32(x285, x327, 0x0) - var x347 uint32 - var x348 uint1 - x347, x348 = addcarryxU32(x287, x328, x346) - var x349 uint32 - var x350 uint1 - x349, x350 = addcarryxU32(x289, uint32(0x0), x348) - var x351 uint32 - var x352 uint1 - x351, x352 = addcarryxU32(x291, x325, x350) - var x353 uint32 - var x354 uint1 - x353, x354 = addcarryxU32(x293, x329, x352) - var x355 uint32 - var x356 uint1 - x355, x356 = addcarryxU32(x295, x331, x354) - var x357 uint32 - var x358 uint1 - x357, x358 = addcarryxU32(x297, x333, x356) - var x359 uint32 - var x360 uint1 - x359, x360 = addcarryxU32(x299, x335, x358) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32(x301, x337, x360) - var x363 uint32 - var x364 uint1 - x363, x364 = addcarryxU32(x303, x339, x362) - var x365 uint32 - var x366 uint1 - x365, x366 = addcarryxU32(x305, x341, x364) - var x367 uint32 - var x368 uint1 - x367, x368 = addcarryxU32(x307, x343, x366) - var x369 uint32 - var x370 uint1 - x369, x370 = addcarryxU32((uint32(x308) + uint32(x274)), (uint32(x344) + x310), x368) - var x371 uint32 - var x372 uint32 - x372, x371 = bits.Mul32(x4, 0x2) - var x373 uint32 - var x374 uint32 - x374, x373 = bits.Mul32(x4, 0xfffffffe) - var x375 uint32 - var x376 uint32 - x376, x375 = bits.Mul32(x4, 0x2) - var x377 uint32 - var x378 uint32 - x378, x377 = bits.Mul32(x4, 0xfffffffe) - var x379 uint32 - var x380 uint1 - x379, x380 = addcarryxU32(uint32(uint1(x372)), x4, 0x0) - var x381 uint32 - var x382 uint1 - x381, x382 = addcarryxU32(x347, x4, 0x0) - var x383 
uint32 - var x384 uint1 - x383, x384 = addcarryxU32(x349, x377, x382) - var x385 uint32 - var x386 uint1 - x385, x386 = addcarryxU32(x351, x378, x384) - var x387 uint32 - var x388 uint1 - x387, x388 = addcarryxU32(x353, x375, x386) - var x389 uint32 - var x390 uint1 - x389, x390 = addcarryxU32(x355, uint32(uint1(x376)), x388) - var x391 uint32 - var x392 uint1 - x391, x392 = addcarryxU32(x357, x373, x390) - var x393 uint32 - var x394 uint1 - x393, x394 = addcarryxU32(x359, x374, x392) - var x395 uint32 - var x396 uint1 - x395, x396 = addcarryxU32(x361, x371, x394) - var x397 uint32 - var x398 uint1 - x397, x398 = addcarryxU32(x363, x379, x396) - var x399 uint32 - var x400 uint1 - x399, x400 = addcarryxU32(x365, uint32(x380), x398) - var x401 uint32 - var x402 uint1 - x401, x402 = addcarryxU32(x367, uint32(0x0), x400) - var x403 uint32 - var x404 uint1 - x403, x404 = addcarryxU32(x369, uint32(0x0), x402) - var x405 uint32 - var x406 uint32 - x406, x405 = bits.Mul32(x381, 0xffffffff) - var x407 uint32 - var x408 uint32 - x408, x407 = bits.Mul32(x381, 0xffffffff) - var x409 uint32 - var x410 uint32 - x410, x409 = bits.Mul32(x381, 0xffffffff) - var x411 uint32 - var x412 uint32 - x412, x411 = bits.Mul32(x381, 0xffffffff) - var x413 uint32 - var x414 uint32 - x414, x413 = bits.Mul32(x381, 0xffffffff) - var x415 uint32 - var x416 uint32 - x416, x415 = bits.Mul32(x381, 0xffffffff) - var x417 uint32 - var x418 uint32 - x418, x417 = bits.Mul32(x381, 0xffffffff) - var x419 uint32 - var x420 uint32 - x420, x419 = bits.Mul32(x381, 0xfffffffe) - var x421 uint32 - var x422 uint32 - x422, x421 = bits.Mul32(x381, 0xffffffff) - var x423 uint32 - var x424 uint32 - x424, x423 = bits.Mul32(x381, 0xffffffff) - var x425 uint32 - var x426 uint1 - x425, x426 = addcarryxU32(x422, x419, 0x0) - var x427 uint32 - var x428 uint1 - x427, x428 = addcarryxU32(x420, x417, x426) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x418, x415, x428) - var x431 uint32 - var x432 uint1 - 
x431, x432 = addcarryxU32(x416, x413, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x414, x411, x432) - var x435 uint32 - var x436 uint1 - x435, x436 = addcarryxU32(x412, x409, x434) - var x437 uint32 - var x438 uint1 - x437, x438 = addcarryxU32(x410, x407, x436) - var x439 uint32 - var x440 uint1 - x439, x440 = addcarryxU32(x408, x405, x438) - var x442 uint1 - _, x442 = addcarryxU32(x381, x423, 0x0) - var x443 uint32 - var x444 uint1 - x443, x444 = addcarryxU32(x383, x424, x442) - var x445 uint32 - var x446 uint1 - x445, x446 = addcarryxU32(x385, uint32(0x0), x444) - var x447 uint32 - var x448 uint1 - x447, x448 = addcarryxU32(x387, x421, x446) - var x449 uint32 - var x450 uint1 - x449, x450 = addcarryxU32(x389, x425, x448) - var x451 uint32 - var x452 uint1 - x451, x452 = addcarryxU32(x391, x427, x450) - var x453 uint32 - var x454 uint1 - x453, x454 = addcarryxU32(x393, x429, x452) - var x455 uint32 - var x456 uint1 - x455, x456 = addcarryxU32(x395, x431, x454) - var x457 uint32 - var x458 uint1 - x457, x458 = addcarryxU32(x397, x433, x456) - var x459 uint32 - var x460 uint1 - x459, x460 = addcarryxU32(x399, x435, x458) - var x461 uint32 - var x462 uint1 - x461, x462 = addcarryxU32(x401, x437, x460) - var x463 uint32 - var x464 uint1 - x463, x464 = addcarryxU32(x403, x439, x462) - var x465 uint32 - var x466 uint1 - x465, x466 = addcarryxU32((uint32(x404) + uint32(x370)), (uint32(x440) + x406), x464) - var x467 uint32 - var x468 uint32 - x468, x467 = bits.Mul32(x5, 0x2) - var x469 uint32 - var x470 uint32 - x470, x469 = bits.Mul32(x5, 0xfffffffe) - var x471 uint32 - var x472 uint32 - x472, x471 = bits.Mul32(x5, 0x2) - var x473 uint32 - var x474 uint32 - x474, x473 = bits.Mul32(x5, 0xfffffffe) - var x475 uint32 - var x476 uint1 - x475, x476 = addcarryxU32(uint32(uint1(x468)), x5, 0x0) - var x477 uint32 - var x478 uint1 - x477, x478 = addcarryxU32(x443, x5, 0x0) - var x479 uint32 - var x480 uint1 - x479, x480 = addcarryxU32(x445, x473, x478) - 
var x481 uint32 - var x482 uint1 - x481, x482 = addcarryxU32(x447, x474, x480) - var x483 uint32 - var x484 uint1 - x483, x484 = addcarryxU32(x449, x471, x482) - var x485 uint32 - var x486 uint1 - x485, x486 = addcarryxU32(x451, uint32(uint1(x472)), x484) - var x487 uint32 - var x488 uint1 - x487, x488 = addcarryxU32(x453, x469, x486) - var x489 uint32 - var x490 uint1 - x489, x490 = addcarryxU32(x455, x470, x488) - var x491 uint32 - var x492 uint1 - x491, x492 = addcarryxU32(x457, x467, x490) - var x493 uint32 - var x494 uint1 - x493, x494 = addcarryxU32(x459, x475, x492) - var x495 uint32 - var x496 uint1 - x495, x496 = addcarryxU32(x461, uint32(x476), x494) - var x497 uint32 - var x498 uint1 - x497, x498 = addcarryxU32(x463, uint32(0x0), x496) - var x499 uint32 - var x500 uint1 - x499, x500 = addcarryxU32(x465, uint32(0x0), x498) - var x501 uint32 - var x502 uint32 - x502, x501 = bits.Mul32(x477, 0xffffffff) - var x503 uint32 - var x504 uint32 - x504, x503 = bits.Mul32(x477, 0xffffffff) - var x505 uint32 - var x506 uint32 - x506, x505 = bits.Mul32(x477, 0xffffffff) - var x507 uint32 - var x508 uint32 - x508, x507 = bits.Mul32(x477, 0xffffffff) - var x509 uint32 - var x510 uint32 - x510, x509 = bits.Mul32(x477, 0xffffffff) - var x511 uint32 - var x512 uint32 - x512, x511 = bits.Mul32(x477, 0xffffffff) - var x513 uint32 - var x514 uint32 - x514, x513 = bits.Mul32(x477, 0xffffffff) - var x515 uint32 - var x516 uint32 - x516, x515 = bits.Mul32(x477, 0xfffffffe) - var x517 uint32 - var x518 uint32 - x518, x517 = bits.Mul32(x477, 0xffffffff) - var x519 uint32 - var x520 uint32 - x520, x519 = bits.Mul32(x477, 0xffffffff) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x518, x515, 0x0) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x516, x513, x522) - var x525 uint32 - var x526 uint1 - x525, x526 = addcarryxU32(x514, x511, x524) - var x527 uint32 - var x528 uint1 - x527, x528 = addcarryxU32(x512, x509, x526) - var x529 uint32 - var x530 
uint1 - x529, x530 = addcarryxU32(x510, x507, x528) - var x531 uint32 - var x532 uint1 - x531, x532 = addcarryxU32(x508, x505, x530) - var x533 uint32 - var x534 uint1 - x533, x534 = addcarryxU32(x506, x503, x532) - var x535 uint32 - var x536 uint1 - x535, x536 = addcarryxU32(x504, x501, x534) - var x538 uint1 - _, x538 = addcarryxU32(x477, x519, 0x0) - var x539 uint32 - var x540 uint1 - x539, x540 = addcarryxU32(x479, x520, x538) - var x541 uint32 - var x542 uint1 - x541, x542 = addcarryxU32(x481, uint32(0x0), x540) - var x543 uint32 - var x544 uint1 - x543, x544 = addcarryxU32(x483, x517, x542) - var x545 uint32 - var x546 uint1 - x545, x546 = addcarryxU32(x485, x521, x544) - var x547 uint32 - var x548 uint1 - x547, x548 = addcarryxU32(x487, x523, x546) - var x549 uint32 - var x550 uint1 - x549, x550 = addcarryxU32(x489, x525, x548) - var x551 uint32 - var x552 uint1 - x551, x552 = addcarryxU32(x491, x527, x550) - var x553 uint32 - var x554 uint1 - x553, x554 = addcarryxU32(x493, x529, x552) - var x555 uint32 - var x556 uint1 - x555, x556 = addcarryxU32(x495, x531, x554) - var x557 uint32 - var x558 uint1 - x557, x558 = addcarryxU32(x497, x533, x556) - var x559 uint32 - var x560 uint1 - x559, x560 = addcarryxU32(x499, x535, x558) - var x561 uint32 - var x562 uint1 - x561, x562 = addcarryxU32((uint32(x500) + uint32(x466)), (uint32(x536) + x502), x560) - var x563 uint32 - var x564 uint32 - x564, x563 = bits.Mul32(x6, 0x2) - var x565 uint32 - var x566 uint32 - x566, x565 = bits.Mul32(x6, 0xfffffffe) - var x567 uint32 - var x568 uint32 - x568, x567 = bits.Mul32(x6, 0x2) - var x569 uint32 - var x570 uint32 - x570, x569 = bits.Mul32(x6, 0xfffffffe) - var x571 uint32 - var x572 uint1 - x571, x572 = addcarryxU32(uint32(uint1(x564)), x6, 0x0) - var x573 uint32 - var x574 uint1 - x573, x574 = addcarryxU32(x539, x6, 0x0) - var x575 uint32 - var x576 uint1 - x575, x576 = addcarryxU32(x541, x569, x574) - var x577 uint32 - var x578 uint1 - x577, x578 = addcarryxU32(x543, x570, 
x576) - var x579 uint32 - var x580 uint1 - x579, x580 = addcarryxU32(x545, x567, x578) - var x581 uint32 - var x582 uint1 - x581, x582 = addcarryxU32(x547, uint32(uint1(x568)), x580) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32(x549, x565, x582) - var x585 uint32 - var x586 uint1 - x585, x586 = addcarryxU32(x551, x566, x584) - var x587 uint32 - var x588 uint1 - x587, x588 = addcarryxU32(x553, x563, x586) - var x589 uint32 - var x590 uint1 - x589, x590 = addcarryxU32(x555, x571, x588) - var x591 uint32 - var x592 uint1 - x591, x592 = addcarryxU32(x557, uint32(x572), x590) - var x593 uint32 - var x594 uint1 - x593, x594 = addcarryxU32(x559, uint32(0x0), x592) - var x595 uint32 - var x596 uint1 - x595, x596 = addcarryxU32(x561, uint32(0x0), x594) - var x597 uint32 - var x598 uint32 - x598, x597 = bits.Mul32(x573, 0xffffffff) - var x599 uint32 - var x600 uint32 - x600, x599 = bits.Mul32(x573, 0xffffffff) - var x601 uint32 - var x602 uint32 - x602, x601 = bits.Mul32(x573, 0xffffffff) - var x603 uint32 - var x604 uint32 - x604, x603 = bits.Mul32(x573, 0xffffffff) - var x605 uint32 - var x606 uint32 - x606, x605 = bits.Mul32(x573, 0xffffffff) - var x607 uint32 - var x608 uint32 - x608, x607 = bits.Mul32(x573, 0xffffffff) - var x609 uint32 - var x610 uint32 - x610, x609 = bits.Mul32(x573, 0xffffffff) - var x611 uint32 - var x612 uint32 - x612, x611 = bits.Mul32(x573, 0xfffffffe) - var x613 uint32 - var x614 uint32 - x614, x613 = bits.Mul32(x573, 0xffffffff) - var x615 uint32 - var x616 uint32 - x616, x615 = bits.Mul32(x573, 0xffffffff) - var x617 uint32 - var x618 uint1 - x617, x618 = addcarryxU32(x614, x611, 0x0) - var x619 uint32 - var x620 uint1 - x619, x620 = addcarryxU32(x612, x609, x618) - var x621 uint32 - var x622 uint1 - x621, x622 = addcarryxU32(x610, x607, x620) - var x623 uint32 - var x624 uint1 - x623, x624 = addcarryxU32(x608, x605, x622) - var x625 uint32 - var x626 uint1 - x625, x626 = addcarryxU32(x606, x603, x624) - var x627 uint32 - var 
x628 uint1 - x627, x628 = addcarryxU32(x604, x601, x626) - var x629 uint32 - var x630 uint1 - x629, x630 = addcarryxU32(x602, x599, x628) - var x631 uint32 - var x632 uint1 - x631, x632 = addcarryxU32(x600, x597, x630) - var x634 uint1 - _, x634 = addcarryxU32(x573, x615, 0x0) - var x635 uint32 - var x636 uint1 - x635, x636 = addcarryxU32(x575, x616, x634) - var x637 uint32 - var x638 uint1 - x637, x638 = addcarryxU32(x577, uint32(0x0), x636) - var x639 uint32 - var x640 uint1 - x639, x640 = addcarryxU32(x579, x613, x638) - var x641 uint32 - var x642 uint1 - x641, x642 = addcarryxU32(x581, x617, x640) - var x643 uint32 - var x644 uint1 - x643, x644 = addcarryxU32(x583, x619, x642) - var x645 uint32 - var x646 uint1 - x645, x646 = addcarryxU32(x585, x621, x644) - var x647 uint32 - var x648 uint1 - x647, x648 = addcarryxU32(x587, x623, x646) - var x649 uint32 - var x650 uint1 - x649, x650 = addcarryxU32(x589, x625, x648) - var x651 uint32 - var x652 uint1 - x651, x652 = addcarryxU32(x591, x627, x650) - var x653 uint32 - var x654 uint1 - x653, x654 = addcarryxU32(x593, x629, x652) - var x655 uint32 - var x656 uint1 - x655, x656 = addcarryxU32(x595, x631, x654) - var x657 uint32 - var x658 uint1 - x657, x658 = addcarryxU32((uint32(x596) + uint32(x562)), (uint32(x632) + x598), x656) - var x659 uint32 - var x660 uint32 - x660, x659 = bits.Mul32(x7, 0x2) - var x661 uint32 - var x662 uint32 - x662, x661 = bits.Mul32(x7, 0xfffffffe) - var x663 uint32 - var x664 uint32 - x664, x663 = bits.Mul32(x7, 0x2) - var x665 uint32 - var x666 uint32 - x666, x665 = bits.Mul32(x7, 0xfffffffe) - var x667 uint32 - var x668 uint1 - x667, x668 = addcarryxU32(uint32(uint1(x660)), x7, 0x0) - var x669 uint32 - var x670 uint1 - x669, x670 = addcarryxU32(x635, x7, 0x0) - var x671 uint32 - var x672 uint1 - x671, x672 = addcarryxU32(x637, x665, x670) - var x673 uint32 - var x674 uint1 - x673, x674 = addcarryxU32(x639, x666, x672) - var x675 uint32 - var x676 uint1 - x675, x676 = addcarryxU32(x641, 
x663, x674) - var x677 uint32 - var x678 uint1 - x677, x678 = addcarryxU32(x643, uint32(uint1(x664)), x676) - var x679 uint32 - var x680 uint1 - x679, x680 = addcarryxU32(x645, x661, x678) - var x681 uint32 - var x682 uint1 - x681, x682 = addcarryxU32(x647, x662, x680) - var x683 uint32 - var x684 uint1 - x683, x684 = addcarryxU32(x649, x659, x682) - var x685 uint32 - var x686 uint1 - x685, x686 = addcarryxU32(x651, x667, x684) - var x687 uint32 - var x688 uint1 - x687, x688 = addcarryxU32(x653, uint32(x668), x686) - var x689 uint32 - var x690 uint1 - x689, x690 = addcarryxU32(x655, uint32(0x0), x688) - var x691 uint32 - var x692 uint1 - x691, x692 = addcarryxU32(x657, uint32(0x0), x690) - var x693 uint32 - var x694 uint32 - x694, x693 = bits.Mul32(x669, 0xffffffff) - var x695 uint32 - var x696 uint32 - x696, x695 = bits.Mul32(x669, 0xffffffff) - var x697 uint32 - var x698 uint32 - x698, x697 = bits.Mul32(x669, 0xffffffff) - var x699 uint32 - var x700 uint32 - x700, x699 = bits.Mul32(x669, 0xffffffff) - var x701 uint32 - var x702 uint32 - x702, x701 = bits.Mul32(x669, 0xffffffff) - var x703 uint32 - var x704 uint32 - x704, x703 = bits.Mul32(x669, 0xffffffff) - var x705 uint32 - var x706 uint32 - x706, x705 = bits.Mul32(x669, 0xffffffff) - var x707 uint32 - var x708 uint32 - x708, x707 = bits.Mul32(x669, 0xfffffffe) - var x709 uint32 - var x710 uint32 - x710, x709 = bits.Mul32(x669, 0xffffffff) - var x711 uint32 - var x712 uint32 - x712, x711 = bits.Mul32(x669, 0xffffffff) - var x713 uint32 - var x714 uint1 - x713, x714 = addcarryxU32(x710, x707, 0x0) - var x715 uint32 - var x716 uint1 - x715, x716 = addcarryxU32(x708, x705, x714) - var x717 uint32 - var x718 uint1 - x717, x718 = addcarryxU32(x706, x703, x716) - var x719 uint32 - var x720 uint1 - x719, x720 = addcarryxU32(x704, x701, x718) - var x721 uint32 - var x722 uint1 - x721, x722 = addcarryxU32(x702, x699, x720) - var x723 uint32 - var x724 uint1 - x723, x724 = addcarryxU32(x700, x697, x722) - var x725 uint32 
- var x726 uint1 - x725, x726 = addcarryxU32(x698, x695, x724) - var x727 uint32 - var x728 uint1 - x727, x728 = addcarryxU32(x696, x693, x726) - var x730 uint1 - _, x730 = addcarryxU32(x669, x711, 0x0) - var x731 uint32 - var x732 uint1 - x731, x732 = addcarryxU32(x671, x712, x730) - var x733 uint32 - var x734 uint1 - x733, x734 = addcarryxU32(x673, uint32(0x0), x732) - var x735 uint32 - var x736 uint1 - x735, x736 = addcarryxU32(x675, x709, x734) - var x737 uint32 - var x738 uint1 - x737, x738 = addcarryxU32(x677, x713, x736) - var x739 uint32 - var x740 uint1 - x739, x740 = addcarryxU32(x679, x715, x738) - var x741 uint32 - var x742 uint1 - x741, x742 = addcarryxU32(x681, x717, x740) - var x743 uint32 - var x744 uint1 - x743, x744 = addcarryxU32(x683, x719, x742) - var x745 uint32 - var x746 uint1 - x745, x746 = addcarryxU32(x685, x721, x744) - var x747 uint32 - var x748 uint1 - x747, x748 = addcarryxU32(x687, x723, x746) - var x749 uint32 - var x750 uint1 - x749, x750 = addcarryxU32(x689, x725, x748) - var x751 uint32 - var x752 uint1 - x751, x752 = addcarryxU32(x691, x727, x750) - var x753 uint32 - var x754 uint1 - x753, x754 = addcarryxU32((uint32(x692) + uint32(x658)), (uint32(x728) + x694), x752) - var x755 uint32 - var x756 uint32 - x756, x755 = bits.Mul32(x8, 0x2) - var x757 uint32 - var x758 uint32 - x758, x757 = bits.Mul32(x8, 0xfffffffe) - var x759 uint32 - var x760 uint32 - x760, x759 = bits.Mul32(x8, 0x2) - var x761 uint32 - var x762 uint32 - x762, x761 = bits.Mul32(x8, 0xfffffffe) - var x763 uint32 - var x764 uint1 - x763, x764 = addcarryxU32(uint32(uint1(x756)), x8, 0x0) - var x765 uint32 - var x766 uint1 - x765, x766 = addcarryxU32(x731, x8, 0x0) - var x767 uint32 - var x768 uint1 - x767, x768 = addcarryxU32(x733, x761, x766) - var x769 uint32 - var x770 uint1 - x769, x770 = addcarryxU32(x735, x762, x768) - var x771 uint32 - var x772 uint1 - x771, x772 = addcarryxU32(x737, x759, x770) - var x773 uint32 - var x774 uint1 - x773, x774 = 
addcarryxU32(x739, uint32(uint1(x760)), x772) - var x775 uint32 - var x776 uint1 - x775, x776 = addcarryxU32(x741, x757, x774) - var x777 uint32 - var x778 uint1 - x777, x778 = addcarryxU32(x743, x758, x776) - var x779 uint32 - var x780 uint1 - x779, x780 = addcarryxU32(x745, x755, x778) - var x781 uint32 - var x782 uint1 - x781, x782 = addcarryxU32(x747, x763, x780) - var x783 uint32 - var x784 uint1 - x783, x784 = addcarryxU32(x749, uint32(x764), x782) - var x785 uint32 - var x786 uint1 - x785, x786 = addcarryxU32(x751, uint32(0x0), x784) - var x787 uint32 - var x788 uint1 - x787, x788 = addcarryxU32(x753, uint32(0x0), x786) - var x789 uint32 - var x790 uint32 - x790, x789 = bits.Mul32(x765, 0xffffffff) - var x791 uint32 - var x792 uint32 - x792, x791 = bits.Mul32(x765, 0xffffffff) - var x793 uint32 - var x794 uint32 - x794, x793 = bits.Mul32(x765, 0xffffffff) - var x795 uint32 - var x796 uint32 - x796, x795 = bits.Mul32(x765, 0xffffffff) - var x797 uint32 - var x798 uint32 - x798, x797 = bits.Mul32(x765, 0xffffffff) - var x799 uint32 - var x800 uint32 - x800, x799 = bits.Mul32(x765, 0xffffffff) - var x801 uint32 - var x802 uint32 - x802, x801 = bits.Mul32(x765, 0xffffffff) - var x803 uint32 - var x804 uint32 - x804, x803 = bits.Mul32(x765, 0xfffffffe) - var x805 uint32 - var x806 uint32 - x806, x805 = bits.Mul32(x765, 0xffffffff) - var x807 uint32 - var x808 uint32 - x808, x807 = bits.Mul32(x765, 0xffffffff) - var x809 uint32 - var x810 uint1 - x809, x810 = addcarryxU32(x806, x803, 0x0) - var x811 uint32 - var x812 uint1 - x811, x812 = addcarryxU32(x804, x801, x810) - var x813 uint32 - var x814 uint1 - x813, x814 = addcarryxU32(x802, x799, x812) - var x815 uint32 - var x816 uint1 - x815, x816 = addcarryxU32(x800, x797, x814) - var x817 uint32 - var x818 uint1 - x817, x818 = addcarryxU32(x798, x795, x816) - var x819 uint32 - var x820 uint1 - x819, x820 = addcarryxU32(x796, x793, x818) - var x821 uint32 - var x822 uint1 - x821, x822 = addcarryxU32(x794, x791, 
x820) - var x823 uint32 - var x824 uint1 - x823, x824 = addcarryxU32(x792, x789, x822) - var x826 uint1 - _, x826 = addcarryxU32(x765, x807, 0x0) - var x827 uint32 - var x828 uint1 - x827, x828 = addcarryxU32(x767, x808, x826) - var x829 uint32 - var x830 uint1 - x829, x830 = addcarryxU32(x769, uint32(0x0), x828) - var x831 uint32 - var x832 uint1 - x831, x832 = addcarryxU32(x771, x805, x830) - var x833 uint32 - var x834 uint1 - x833, x834 = addcarryxU32(x773, x809, x832) - var x835 uint32 - var x836 uint1 - x835, x836 = addcarryxU32(x775, x811, x834) - var x837 uint32 - var x838 uint1 - x837, x838 = addcarryxU32(x777, x813, x836) - var x839 uint32 - var x840 uint1 - x839, x840 = addcarryxU32(x779, x815, x838) - var x841 uint32 - var x842 uint1 - x841, x842 = addcarryxU32(x781, x817, x840) - var x843 uint32 - var x844 uint1 - x843, x844 = addcarryxU32(x783, x819, x842) - var x845 uint32 - var x846 uint1 - x845, x846 = addcarryxU32(x785, x821, x844) - var x847 uint32 - var x848 uint1 - x847, x848 = addcarryxU32(x787, x823, x846) - var x849 uint32 - var x850 uint1 - x849, x850 = addcarryxU32((uint32(x788) + uint32(x754)), (uint32(x824) + x790), x848) - var x851 uint32 - var x852 uint32 - x852, x851 = bits.Mul32(x9, 0x2) - var x853 uint32 - var x854 uint32 - x854, x853 = bits.Mul32(x9, 0xfffffffe) - var x855 uint32 - var x856 uint32 - x856, x855 = bits.Mul32(x9, 0x2) - var x857 uint32 - var x858 uint32 - x858, x857 = bits.Mul32(x9, 0xfffffffe) - var x859 uint32 - var x860 uint1 - x859, x860 = addcarryxU32(uint32(uint1(x852)), x9, 0x0) - var x861 uint32 - var x862 uint1 - x861, x862 = addcarryxU32(x827, x9, 0x0) - var x863 uint32 - var x864 uint1 - x863, x864 = addcarryxU32(x829, x857, x862) - var x865 uint32 - var x866 uint1 - x865, x866 = addcarryxU32(x831, x858, x864) - var x867 uint32 - var x868 uint1 - x867, x868 = addcarryxU32(x833, x855, x866) - var x869 uint32 - var x870 uint1 - x869, x870 = addcarryxU32(x835, uint32(uint1(x856)), x868) - var x871 uint32 - var 
x872 uint1 - x871, x872 = addcarryxU32(x837, x853, x870) - var x873 uint32 - var x874 uint1 - x873, x874 = addcarryxU32(x839, x854, x872) - var x875 uint32 - var x876 uint1 - x875, x876 = addcarryxU32(x841, x851, x874) - var x877 uint32 - var x878 uint1 - x877, x878 = addcarryxU32(x843, x859, x876) - var x879 uint32 - var x880 uint1 - x879, x880 = addcarryxU32(x845, uint32(x860), x878) - var x881 uint32 - var x882 uint1 - x881, x882 = addcarryxU32(x847, uint32(0x0), x880) - var x883 uint32 - var x884 uint1 - x883, x884 = addcarryxU32(x849, uint32(0x0), x882) - var x885 uint32 - var x886 uint32 - x886, x885 = bits.Mul32(x861, 0xffffffff) - var x887 uint32 - var x888 uint32 - x888, x887 = bits.Mul32(x861, 0xffffffff) - var x889 uint32 - var x890 uint32 - x890, x889 = bits.Mul32(x861, 0xffffffff) - var x891 uint32 - var x892 uint32 - x892, x891 = bits.Mul32(x861, 0xffffffff) - var x893 uint32 - var x894 uint32 - x894, x893 = bits.Mul32(x861, 0xffffffff) - var x895 uint32 - var x896 uint32 - x896, x895 = bits.Mul32(x861, 0xffffffff) - var x897 uint32 - var x898 uint32 - x898, x897 = bits.Mul32(x861, 0xffffffff) - var x899 uint32 - var x900 uint32 - x900, x899 = bits.Mul32(x861, 0xfffffffe) - var x901 uint32 - var x902 uint32 - x902, x901 = bits.Mul32(x861, 0xffffffff) - var x903 uint32 - var x904 uint32 - x904, x903 = bits.Mul32(x861, 0xffffffff) - var x905 uint32 - var x906 uint1 - x905, x906 = addcarryxU32(x902, x899, 0x0) - var x907 uint32 - var x908 uint1 - x907, x908 = addcarryxU32(x900, x897, x906) - var x909 uint32 - var x910 uint1 - x909, x910 = addcarryxU32(x898, x895, x908) - var x911 uint32 - var x912 uint1 - x911, x912 = addcarryxU32(x896, x893, x910) - var x913 uint32 - var x914 uint1 - x913, x914 = addcarryxU32(x894, x891, x912) - var x915 uint32 - var x916 uint1 - x915, x916 = addcarryxU32(x892, x889, x914) - var x917 uint32 - var x918 uint1 - x917, x918 = addcarryxU32(x890, x887, x916) - var x919 uint32 - var x920 uint1 - x919, x920 = addcarryxU32(x888, 
x885, x918) - var x922 uint1 - _, x922 = addcarryxU32(x861, x903, 0x0) - var x923 uint32 - var x924 uint1 - x923, x924 = addcarryxU32(x863, x904, x922) - var x925 uint32 - var x926 uint1 - x925, x926 = addcarryxU32(x865, uint32(0x0), x924) - var x927 uint32 - var x928 uint1 - x927, x928 = addcarryxU32(x867, x901, x926) - var x929 uint32 - var x930 uint1 - x929, x930 = addcarryxU32(x869, x905, x928) - var x931 uint32 - var x932 uint1 - x931, x932 = addcarryxU32(x871, x907, x930) - var x933 uint32 - var x934 uint1 - x933, x934 = addcarryxU32(x873, x909, x932) - var x935 uint32 - var x936 uint1 - x935, x936 = addcarryxU32(x875, x911, x934) - var x937 uint32 - var x938 uint1 - x937, x938 = addcarryxU32(x877, x913, x936) - var x939 uint32 - var x940 uint1 - x939, x940 = addcarryxU32(x879, x915, x938) - var x941 uint32 - var x942 uint1 - x941, x942 = addcarryxU32(x881, x917, x940) - var x943 uint32 - var x944 uint1 - x943, x944 = addcarryxU32(x883, x919, x942) - var x945 uint32 - var x946 uint1 - x945, x946 = addcarryxU32((uint32(x884) + uint32(x850)), (uint32(x920) + x886), x944) - var x947 uint32 - var x948 uint32 - x948, x947 = bits.Mul32(x10, 0x2) - var x949 uint32 - var x950 uint32 - x950, x949 = bits.Mul32(x10, 0xfffffffe) - var x951 uint32 - var x952 uint32 - x952, x951 = bits.Mul32(x10, 0x2) - var x953 uint32 - var x954 uint32 - x954, x953 = bits.Mul32(x10, 0xfffffffe) - var x955 uint32 - var x956 uint1 - x955, x956 = addcarryxU32(uint32(uint1(x948)), x10, 0x0) - var x957 uint32 - var x958 uint1 - x957, x958 = addcarryxU32(x923, x10, 0x0) - var x959 uint32 - var x960 uint1 - x959, x960 = addcarryxU32(x925, x953, x958) - var x961 uint32 - var x962 uint1 - x961, x962 = addcarryxU32(x927, x954, x960) - var x963 uint32 - var x964 uint1 - x963, x964 = addcarryxU32(x929, x951, x962) - var x965 uint32 - var x966 uint1 - x965, x966 = addcarryxU32(x931, uint32(uint1(x952)), x964) - var x967 uint32 - var x968 uint1 - x967, x968 = addcarryxU32(x933, x949, x966) - var x969 
uint32 - var x970 uint1 - x969, x970 = addcarryxU32(x935, x950, x968) - var x971 uint32 - var x972 uint1 - x971, x972 = addcarryxU32(x937, x947, x970) - var x973 uint32 - var x974 uint1 - x973, x974 = addcarryxU32(x939, x955, x972) - var x975 uint32 - var x976 uint1 - x975, x976 = addcarryxU32(x941, uint32(x956), x974) - var x977 uint32 - var x978 uint1 - x977, x978 = addcarryxU32(x943, uint32(0x0), x976) - var x979 uint32 - var x980 uint1 - x979, x980 = addcarryxU32(x945, uint32(0x0), x978) - var x981 uint32 - var x982 uint32 - x982, x981 = bits.Mul32(x957, 0xffffffff) - var x983 uint32 - var x984 uint32 - x984, x983 = bits.Mul32(x957, 0xffffffff) - var x985 uint32 - var x986 uint32 - x986, x985 = bits.Mul32(x957, 0xffffffff) - var x987 uint32 - var x988 uint32 - x988, x987 = bits.Mul32(x957, 0xffffffff) - var x989 uint32 - var x990 uint32 - x990, x989 = bits.Mul32(x957, 0xffffffff) - var x991 uint32 - var x992 uint32 - x992, x991 = bits.Mul32(x957, 0xffffffff) - var x993 uint32 - var x994 uint32 - x994, x993 = bits.Mul32(x957, 0xffffffff) - var x995 uint32 - var x996 uint32 - x996, x995 = bits.Mul32(x957, 0xfffffffe) - var x997 uint32 - var x998 uint32 - x998, x997 = bits.Mul32(x957, 0xffffffff) - var x999 uint32 - var x1000 uint32 - x1000, x999 = bits.Mul32(x957, 0xffffffff) - var x1001 uint32 - var x1002 uint1 - x1001, x1002 = addcarryxU32(x998, x995, 0x0) - var x1003 uint32 - var x1004 uint1 - x1003, x1004 = addcarryxU32(x996, x993, x1002) - var x1005 uint32 - var x1006 uint1 - x1005, x1006 = addcarryxU32(x994, x991, x1004) - var x1007 uint32 - var x1008 uint1 - x1007, x1008 = addcarryxU32(x992, x989, x1006) - var x1009 uint32 - var x1010 uint1 - x1009, x1010 = addcarryxU32(x990, x987, x1008) - var x1011 uint32 - var x1012 uint1 - x1011, x1012 = addcarryxU32(x988, x985, x1010) - var x1013 uint32 - var x1014 uint1 - x1013, x1014 = addcarryxU32(x986, x983, x1012) - var x1015 uint32 - var x1016 uint1 - x1015, x1016 = addcarryxU32(x984, x981, x1014) - var x1018 
uint1 - _, x1018 = addcarryxU32(x957, x999, 0x0) - var x1019 uint32 - var x1020 uint1 - x1019, x1020 = addcarryxU32(x959, x1000, x1018) - var x1021 uint32 - var x1022 uint1 - x1021, x1022 = addcarryxU32(x961, uint32(0x0), x1020) - var x1023 uint32 - var x1024 uint1 - x1023, x1024 = addcarryxU32(x963, x997, x1022) - var x1025 uint32 - var x1026 uint1 - x1025, x1026 = addcarryxU32(x965, x1001, x1024) - var x1027 uint32 - var x1028 uint1 - x1027, x1028 = addcarryxU32(x967, x1003, x1026) - var x1029 uint32 - var x1030 uint1 - x1029, x1030 = addcarryxU32(x969, x1005, x1028) - var x1031 uint32 - var x1032 uint1 - x1031, x1032 = addcarryxU32(x971, x1007, x1030) - var x1033 uint32 - var x1034 uint1 - x1033, x1034 = addcarryxU32(x973, x1009, x1032) - var x1035 uint32 - var x1036 uint1 - x1035, x1036 = addcarryxU32(x975, x1011, x1034) - var x1037 uint32 - var x1038 uint1 - x1037, x1038 = addcarryxU32(x977, x1013, x1036) - var x1039 uint32 - var x1040 uint1 - x1039, x1040 = addcarryxU32(x979, x1015, x1038) - var x1041 uint32 - var x1042 uint1 - x1041, x1042 = addcarryxU32((uint32(x980) + uint32(x946)), (uint32(x1016) + x982), x1040) - var x1043 uint32 - var x1044 uint32 - x1044, x1043 = bits.Mul32(x11, 0x2) - var x1045 uint32 - var x1046 uint32 - x1046, x1045 = bits.Mul32(x11, 0xfffffffe) - var x1047 uint32 - var x1048 uint32 - x1048, x1047 = bits.Mul32(x11, 0x2) - var x1049 uint32 - var x1050 uint32 - x1050, x1049 = bits.Mul32(x11, 0xfffffffe) - var x1051 uint32 - var x1052 uint1 - x1051, x1052 = addcarryxU32(uint32(uint1(x1044)), x11, 0x0) - var x1053 uint32 - var x1054 uint1 - x1053, x1054 = addcarryxU32(x1019, x11, 0x0) - var x1055 uint32 - var x1056 uint1 - x1055, x1056 = addcarryxU32(x1021, x1049, x1054) - var x1057 uint32 - var x1058 uint1 - x1057, x1058 = addcarryxU32(x1023, x1050, x1056) - var x1059 uint32 - var x1060 uint1 - x1059, x1060 = addcarryxU32(x1025, x1047, x1058) - var x1061 uint32 - var x1062 uint1 - x1061, x1062 = addcarryxU32(x1027, 
uint32(uint1(x1048)), x1060) - var x1063 uint32 - var x1064 uint1 - x1063, x1064 = addcarryxU32(x1029, x1045, x1062) - var x1065 uint32 - var x1066 uint1 - x1065, x1066 = addcarryxU32(x1031, x1046, x1064) - var x1067 uint32 - var x1068 uint1 - x1067, x1068 = addcarryxU32(x1033, x1043, x1066) - var x1069 uint32 - var x1070 uint1 - x1069, x1070 = addcarryxU32(x1035, x1051, x1068) - var x1071 uint32 - var x1072 uint1 - x1071, x1072 = addcarryxU32(x1037, uint32(x1052), x1070) - var x1073 uint32 - var x1074 uint1 - x1073, x1074 = addcarryxU32(x1039, uint32(0x0), x1072) - var x1075 uint32 - var x1076 uint1 - x1075, x1076 = addcarryxU32(x1041, uint32(0x0), x1074) - var x1077 uint32 - var x1078 uint32 - x1078, x1077 = bits.Mul32(x1053, 0xffffffff) - var x1079 uint32 - var x1080 uint32 - x1080, x1079 = bits.Mul32(x1053, 0xffffffff) - var x1081 uint32 - var x1082 uint32 - x1082, x1081 = bits.Mul32(x1053, 0xffffffff) - var x1083 uint32 - var x1084 uint32 - x1084, x1083 = bits.Mul32(x1053, 0xffffffff) - var x1085 uint32 - var x1086 uint32 - x1086, x1085 = bits.Mul32(x1053, 0xffffffff) - var x1087 uint32 - var x1088 uint32 - x1088, x1087 = bits.Mul32(x1053, 0xffffffff) - var x1089 uint32 - var x1090 uint32 - x1090, x1089 = bits.Mul32(x1053, 0xffffffff) - var x1091 uint32 - var x1092 uint32 - x1092, x1091 = bits.Mul32(x1053, 0xfffffffe) - var x1093 uint32 - var x1094 uint32 - x1094, x1093 = bits.Mul32(x1053, 0xffffffff) - var x1095 uint32 - var x1096 uint32 - x1096, x1095 = bits.Mul32(x1053, 0xffffffff) - var x1097 uint32 - var x1098 uint1 - x1097, x1098 = addcarryxU32(x1094, x1091, 0x0) - var x1099 uint32 - var x1100 uint1 - x1099, x1100 = addcarryxU32(x1092, x1089, x1098) - var x1101 uint32 - var x1102 uint1 - x1101, x1102 = addcarryxU32(x1090, x1087, x1100) - var x1103 uint32 - var x1104 uint1 - x1103, x1104 = addcarryxU32(x1088, x1085, x1102) - var x1105 uint32 - var x1106 uint1 - x1105, x1106 = addcarryxU32(x1086, x1083, x1104) - var x1107 uint32 - var x1108 uint1 - x1107, 
x1108 = addcarryxU32(x1084, x1081, x1106) - var x1109 uint32 - var x1110 uint1 - x1109, x1110 = addcarryxU32(x1082, x1079, x1108) - var x1111 uint32 - var x1112 uint1 - x1111, x1112 = addcarryxU32(x1080, x1077, x1110) - var x1114 uint1 - _, x1114 = addcarryxU32(x1053, x1095, 0x0) - var x1115 uint32 - var x1116 uint1 - x1115, x1116 = addcarryxU32(x1055, x1096, x1114) - var x1117 uint32 - var x1118 uint1 - x1117, x1118 = addcarryxU32(x1057, uint32(0x0), x1116) - var x1119 uint32 - var x1120 uint1 - x1119, x1120 = addcarryxU32(x1059, x1093, x1118) - var x1121 uint32 - var x1122 uint1 - x1121, x1122 = addcarryxU32(x1061, x1097, x1120) - var x1123 uint32 - var x1124 uint1 - x1123, x1124 = addcarryxU32(x1063, x1099, x1122) - var x1125 uint32 - var x1126 uint1 - x1125, x1126 = addcarryxU32(x1065, x1101, x1124) - var x1127 uint32 - var x1128 uint1 - x1127, x1128 = addcarryxU32(x1067, x1103, x1126) - var x1129 uint32 - var x1130 uint1 - x1129, x1130 = addcarryxU32(x1069, x1105, x1128) - var x1131 uint32 - var x1132 uint1 - x1131, x1132 = addcarryxU32(x1071, x1107, x1130) - var x1133 uint32 - var x1134 uint1 - x1133, x1134 = addcarryxU32(x1073, x1109, x1132) - var x1135 uint32 - var x1136 uint1 - x1135, x1136 = addcarryxU32(x1075, x1111, x1134) - var x1137 uint32 - var x1138 uint1 - x1137, x1138 = addcarryxU32((uint32(x1076) + uint32(x1042)), (uint32(x1112) + x1078), x1136) - var x1139 uint32 - var x1140 uint1 - x1139, x1140 = subborrowxU32(x1115, 0xffffffff, 0x0) - var x1141 uint32 - var x1142 uint1 - x1141, x1142 = subborrowxU32(x1117, uint32(0x0), x1140) - var x1143 uint32 - var x1144 uint1 - x1143, x1144 = subborrowxU32(x1119, uint32(0x0), x1142) - var x1145 uint32 - var x1146 uint1 - x1145, x1146 = subborrowxU32(x1121, 0xffffffff, x1144) - var x1147 uint32 - var x1148 uint1 - x1147, x1148 = subborrowxU32(x1123, 0xfffffffe, x1146) - var x1149 uint32 - var x1150 uint1 - x1149, x1150 = subborrowxU32(x1125, 0xffffffff, x1148) - var x1151 uint32 - var x1152 uint1 - x1151, 
x1152 = subborrowxU32(x1127, 0xffffffff, x1150) - var x1153 uint32 - var x1154 uint1 - x1153, x1154 = subborrowxU32(x1129, 0xffffffff, x1152) - var x1155 uint32 - var x1156 uint1 - x1155, x1156 = subborrowxU32(x1131, 0xffffffff, x1154) - var x1157 uint32 - var x1158 uint1 - x1157, x1158 = subborrowxU32(x1133, 0xffffffff, x1156) - var x1159 uint32 - var x1160 uint1 - x1159, x1160 = subborrowxU32(x1135, 0xffffffff, x1158) - var x1161 uint32 - var x1162 uint1 - x1161, x1162 = subborrowxU32(x1137, 0xffffffff, x1160) - var x1164 uint1 - _, x1164 = subborrowxU32(uint32(x1138), uint32(0x0), x1162) - var x1165 uint32 - cmovznzU32(&x1165, x1164, x1139, x1115) - var x1166 uint32 - cmovznzU32(&x1166, x1164, x1141, x1117) - var x1167 uint32 - cmovznzU32(&x1167, x1164, x1143, x1119) - var x1168 uint32 - cmovznzU32(&x1168, x1164, x1145, x1121) - var x1169 uint32 - cmovznzU32(&x1169, x1164, x1147, x1123) - var x1170 uint32 - cmovznzU32(&x1170, x1164, x1149, x1125) - var x1171 uint32 - cmovznzU32(&x1171, x1164, x1151, x1127) - var x1172 uint32 - cmovznzU32(&x1172, x1164, x1153, x1129) - var x1173 uint32 - cmovznzU32(&x1173, x1164, x1155, x1131) - var x1174 uint32 - cmovznzU32(&x1174, x1164, x1157, x1133) - var x1175 uint32 - cmovznzU32(&x1175, x1164, x1159, x1135) - var x1176 uint32 - cmovznzU32(&x1176, x1164, x1161, x1137) - out1[0] = x1165 - out1[1] = x1166 - out1[2] = x1167 - out1[3] = x1168 - out1[4] = x1169 - out1[5] = x1170 - out1[6] = x1171 - out1[7] = x1172 - out1[8] = x1173 - out1[9] = x1174 - out1[10] = x1175 - out1[11] = x1176 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[8] + x9 := arg1[9] + x10 := arg1[10] + x11 := arg1[11] + x12 := arg1[0] + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x12, 0x2) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x12, 0xfffffffe) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x12, 0x2) + var x19 uint32 + var x20 uint32 + x20, 
x19 = bits.Mul32(x12, 0xfffffffe) + var x21 uint32 + var x22 uint1 + x21, x22 = addcarryxU32(uint32(uint1(x14)), x12, 0x0) + var x23 uint32 + var x24 uint32 + x24, x23 = bits.Mul32(x12, 0xffffffff) + var x25 uint32 + var x26 uint32 + x26, x25 = bits.Mul32(x12, 0xffffffff) + var x27 uint32 + var x28 uint32 + x28, x27 = bits.Mul32(x12, 0xffffffff) + var x29 uint32 + var x30 uint32 + x30, x29 = bits.Mul32(x12, 0xffffffff) + var x31 uint32 + var x32 uint32 + x32, x31 = bits.Mul32(x12, 0xffffffff) + var x33 uint32 + var x34 uint32 + x34, x33 = bits.Mul32(x12, 0xffffffff) + var x35 uint32 + var x36 uint32 + x36, x35 = bits.Mul32(x12, 0xffffffff) + var x37 uint32 + var x38 uint32 + x38, x37 = bits.Mul32(x12, 0xfffffffe) + var x39 uint32 + var x40 uint32 + x40, x39 = bits.Mul32(x12, 0xffffffff) + var x41 uint32 + var x42 uint32 + x42, x41 = bits.Mul32(x12, 0xffffffff) + var x43 uint32 + var x44 uint1 + x43, x44 = addcarryxU32(x40, x37, 0x0) + var x45 uint32 + var x46 uint1 + x45, x46 = addcarryxU32(x38, x35, x44) + var x47 uint32 + var x48 uint1 + x47, x48 = addcarryxU32(x36, x33, x46) + var x49 uint32 + var x50 uint1 + x49, x50 = addcarryxU32(x34, x31, x48) + var x51 uint32 + var x52 uint1 + x51, x52 = addcarryxU32(x32, x29, x50) + var x53 uint32 + var x54 uint1 + x53, x54 = addcarryxU32(x30, x27, x52) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x28, x25, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x26, x23, x56) + var x60 uint1 + _, x60 = addcarryxU32(x12, x41, 0x0) + var x61 uint32 + var x62 uint1 + x61, x62 = addcarryxU32(x19, x42, x60) + var x63 uint32 + var x64 uint1 + x63, x64 = addcarryxU32(x17, x39, 0x0) + var x65 uint32 + var x66 uint1 + x65, x66 = addcarryxU32(uint32(uint1(x18)), x43, x64) + var x67 uint32 + var x68 uint1 + x67, x68 = addcarryxU32(x15, x45, x66) + var x69 uint32 + var x70 uint1 + x69, x70 = addcarryxU32(x16, x47, x68) + var x71 uint32 + var x72 uint1 + x71, x72 = addcarryxU32(x13, x49, x70) + var x73 uint32 + 
var x74 uint1 + x73, x74 = addcarryxU32(x21, x51, x72) + var x75 uint32 + var x76 uint1 + x75, x76 = addcarryxU32(uint32(x22), x53, x74) + var x77 uint32 + var x78 uint1 + x77, x78 = addcarryxU32(uint32(0x0), x55, x76) + var x79 uint32 + var x80 uint1 + x79, x80 = addcarryxU32(uint32(0x0), x57, x78) + var x81 uint32 + var x82 uint1 + x81, x82 = addcarryxU32(uint32(0x0), (uint32(x58) + x24), x80) + var x83 uint32 + var x84 uint32 + x84, x83 = bits.Mul32(x1, 0x2) + var x85 uint32 + var x86 uint32 + x86, x85 = bits.Mul32(x1, 0xfffffffe) + var x87 uint32 + var x88 uint32 + x88, x87 = bits.Mul32(x1, 0x2) + var x89 uint32 + var x90 uint32 + x90, x89 = bits.Mul32(x1, 0xfffffffe) + var x91 uint32 + var x92 uint1 + x91, x92 = addcarryxU32(uint32(uint1(x84)), x1, 0x0) + var x93 uint32 + var x94 uint1 + x93, x94 = addcarryxU32(x61, x1, 0x0) + var x95 uint32 + var x96 uint1 + x95, x96 = addcarryxU32((uint32(x62) + x20), x89, x94) + var x97 uint32 + var x98 uint1 + x97, x98 = addcarryxU32(x63, x90, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = addcarryxU32(x65, x87, x98) + var x101 uint32 + var x102 uint1 + x101, x102 = addcarryxU32(x67, uint32(uint1(x88)), x100) + var x103 uint32 + var x104 uint1 + x103, x104 = addcarryxU32(x69, x85, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = addcarryxU32(x71, x86, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = addcarryxU32(x73, x83, x106) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(x75, x91, x108) + var x111 uint32 + var x112 uint1 + x111, x112 = addcarryxU32(x77, uint32(x92), x110) + var x113 uint32 + var x114 uint1 + x113, x114 = addcarryxU32(x79, uint32(0x0), x112) + var x115 uint32 + var x116 uint1 + x115, x116 = addcarryxU32(x81, uint32(0x0), x114) + var x117 uint32 + var x118 uint32 + x118, x117 = bits.Mul32(x93, 0xffffffff) + var x119 uint32 + var x120 uint32 + x120, x119 = bits.Mul32(x93, 0xffffffff) + var x121 uint32 + var x122 uint32 + x122, x121 = bits.Mul32(x93, 0xffffffff) + var 
x123 uint32 + var x124 uint32 + x124, x123 = bits.Mul32(x93, 0xffffffff) + var x125 uint32 + var x126 uint32 + x126, x125 = bits.Mul32(x93, 0xffffffff) + var x127 uint32 + var x128 uint32 + x128, x127 = bits.Mul32(x93, 0xffffffff) + var x129 uint32 + var x130 uint32 + x130, x129 = bits.Mul32(x93, 0xffffffff) + var x131 uint32 + var x132 uint32 + x132, x131 = bits.Mul32(x93, 0xfffffffe) + var x133 uint32 + var x134 uint32 + x134, x133 = bits.Mul32(x93, 0xffffffff) + var x135 uint32 + var x136 uint32 + x136, x135 = bits.Mul32(x93, 0xffffffff) + var x137 uint32 + var x138 uint1 + x137, x138 = addcarryxU32(x134, x131, 0x0) + var x139 uint32 + var x140 uint1 + x139, x140 = addcarryxU32(x132, x129, x138) + var x141 uint32 + var x142 uint1 + x141, x142 = addcarryxU32(x130, x127, x140) + var x143 uint32 + var x144 uint1 + x143, x144 = addcarryxU32(x128, x125, x142) + var x145 uint32 + var x146 uint1 + x145, x146 = addcarryxU32(x126, x123, x144) + var x147 uint32 + var x148 uint1 + x147, x148 = addcarryxU32(x124, x121, x146) + var x149 uint32 + var x150 uint1 + x149, x150 = addcarryxU32(x122, x119, x148) + var x151 uint32 + var x152 uint1 + x151, x152 = addcarryxU32(x120, x117, x150) + var x154 uint1 + _, x154 = addcarryxU32(x93, x135, 0x0) + var x155 uint32 + var x156 uint1 + x155, x156 = addcarryxU32(x95, x136, x154) + var x157 uint32 + var x158 uint1 + x157, x158 = addcarryxU32(x97, uint32(0x0), x156) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x99, x133, x158) + var x161 uint32 + var x162 uint1 + x161, x162 = addcarryxU32(x101, x137, x160) + var x163 uint32 + var x164 uint1 + x163, x164 = addcarryxU32(x103, x139, x162) + var x165 uint32 + var x166 uint1 + x165, x166 = addcarryxU32(x105, x141, x164) + var x167 uint32 + var x168 uint1 + x167, x168 = addcarryxU32(x107, x143, x166) + var x169 uint32 + var x170 uint1 + x169, x170 = addcarryxU32(x109, x145, x168) + var x171 uint32 + var x172 uint1 + x171, x172 = addcarryxU32(x111, x147, x170) + var x173 
uint32 + var x174 uint1 + x173, x174 = addcarryxU32(x113, x149, x172) + var x175 uint32 + var x176 uint1 + x175, x176 = addcarryxU32(x115, x151, x174) + var x177 uint32 + var x178 uint1 + x177, x178 = addcarryxU32((uint32(x116) + uint32(x82)), (uint32(x152) + x118), x176) + var x179 uint32 + var x180 uint32 + x180, x179 = bits.Mul32(x2, 0x2) + var x181 uint32 + var x182 uint32 + x182, x181 = bits.Mul32(x2, 0xfffffffe) + var x183 uint32 + var x184 uint32 + x184, x183 = bits.Mul32(x2, 0x2) + var x185 uint32 + var x186 uint32 + x186, x185 = bits.Mul32(x2, 0xfffffffe) + var x187 uint32 + var x188 uint1 + x187, x188 = addcarryxU32(uint32(uint1(x180)), x2, 0x0) + var x189 uint32 + var x190 uint1 + x189, x190 = addcarryxU32(x155, x2, 0x0) + var x191 uint32 + var x192 uint1 + x191, x192 = addcarryxU32(x157, x185, x190) + var x193 uint32 + var x194 uint1 + x193, x194 = addcarryxU32(x159, x186, x192) + var x195 uint32 + var x196 uint1 + x195, x196 = addcarryxU32(x161, x183, x194) + var x197 uint32 + var x198 uint1 + x197, x198 = addcarryxU32(x163, uint32(uint1(x184)), x196) + var x199 uint32 + var x200 uint1 + x199, x200 = addcarryxU32(x165, x181, x198) + var x201 uint32 + var x202 uint1 + x201, x202 = addcarryxU32(x167, x182, x200) + var x203 uint32 + var x204 uint1 + x203, x204 = addcarryxU32(x169, x179, x202) + var x205 uint32 + var x206 uint1 + x205, x206 = addcarryxU32(x171, x187, x204) + var x207 uint32 + var x208 uint1 + x207, x208 = addcarryxU32(x173, uint32(x188), x206) + var x209 uint32 + var x210 uint1 + x209, x210 = addcarryxU32(x175, uint32(0x0), x208) + var x211 uint32 + var x212 uint1 + x211, x212 = addcarryxU32(x177, uint32(0x0), x210) + var x213 uint32 + var x214 uint32 + x214, x213 = bits.Mul32(x189, 0xffffffff) + var x215 uint32 + var x216 uint32 + x216, x215 = bits.Mul32(x189, 0xffffffff) + var x217 uint32 + var x218 uint32 + x218, x217 = bits.Mul32(x189, 0xffffffff) + var x219 uint32 + var x220 uint32 + x220, x219 = bits.Mul32(x189, 0xffffffff) + var 
x221 uint32 + var x222 uint32 + x222, x221 = bits.Mul32(x189, 0xffffffff) + var x223 uint32 + var x224 uint32 + x224, x223 = bits.Mul32(x189, 0xffffffff) + var x225 uint32 + var x226 uint32 + x226, x225 = bits.Mul32(x189, 0xffffffff) + var x227 uint32 + var x228 uint32 + x228, x227 = bits.Mul32(x189, 0xfffffffe) + var x229 uint32 + var x230 uint32 + x230, x229 = bits.Mul32(x189, 0xffffffff) + var x231 uint32 + var x232 uint32 + x232, x231 = bits.Mul32(x189, 0xffffffff) + var x233 uint32 + var x234 uint1 + x233, x234 = addcarryxU32(x230, x227, 0x0) + var x235 uint32 + var x236 uint1 + x235, x236 = addcarryxU32(x228, x225, x234) + var x237 uint32 + var x238 uint1 + x237, x238 = addcarryxU32(x226, x223, x236) + var x239 uint32 + var x240 uint1 + x239, x240 = addcarryxU32(x224, x221, x238) + var x241 uint32 + var x242 uint1 + x241, x242 = addcarryxU32(x222, x219, x240) + var x243 uint32 + var x244 uint1 + x243, x244 = addcarryxU32(x220, x217, x242) + var x245 uint32 + var x246 uint1 + x245, x246 = addcarryxU32(x218, x215, x244) + var x247 uint32 + var x248 uint1 + x247, x248 = addcarryxU32(x216, x213, x246) + var x250 uint1 + _, x250 = addcarryxU32(x189, x231, 0x0) + var x251 uint32 + var x252 uint1 + x251, x252 = addcarryxU32(x191, x232, x250) + var x253 uint32 + var x254 uint1 + x253, x254 = addcarryxU32(x193, uint32(0x0), x252) + var x255 uint32 + var x256 uint1 + x255, x256 = addcarryxU32(x195, x229, x254) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x197, x233, x256) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x199, x235, x258) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x201, x237, x260) + var x263 uint32 + var x264 uint1 + x263, x264 = addcarryxU32(x203, x239, x262) + var x265 uint32 + var x266 uint1 + x265, x266 = addcarryxU32(x205, x241, x264) + var x267 uint32 + var x268 uint1 + x267, x268 = addcarryxU32(x207, x243, x266) + var x269 uint32 + var x270 uint1 + x269, x270 = addcarryxU32(x209, x245, x268) + 
var x271 uint32 + var x272 uint1 + x271, x272 = addcarryxU32(x211, x247, x270) + var x273 uint32 + var x274 uint1 + x273, x274 = addcarryxU32((uint32(x212) + uint32(x178)), (uint32(x248) + x214), x272) + var x275 uint32 + var x276 uint32 + x276, x275 = bits.Mul32(x3, 0x2) + var x277 uint32 + var x278 uint32 + x278, x277 = bits.Mul32(x3, 0xfffffffe) + var x279 uint32 + var x280 uint32 + x280, x279 = bits.Mul32(x3, 0x2) + var x281 uint32 + var x282 uint32 + x282, x281 = bits.Mul32(x3, 0xfffffffe) + var x283 uint32 + var x284 uint1 + x283, x284 = addcarryxU32(uint32(uint1(x276)), x3, 0x0) + var x285 uint32 + var x286 uint1 + x285, x286 = addcarryxU32(x251, x3, 0x0) + var x287 uint32 + var x288 uint1 + x287, x288 = addcarryxU32(x253, x281, x286) + var x289 uint32 + var x290 uint1 + x289, x290 = addcarryxU32(x255, x282, x288) + var x291 uint32 + var x292 uint1 + x291, x292 = addcarryxU32(x257, x279, x290) + var x293 uint32 + var x294 uint1 + x293, x294 = addcarryxU32(x259, uint32(uint1(x280)), x292) + var x295 uint32 + var x296 uint1 + x295, x296 = addcarryxU32(x261, x277, x294) + var x297 uint32 + var x298 uint1 + x297, x298 = addcarryxU32(x263, x278, x296) + var x299 uint32 + var x300 uint1 + x299, x300 = addcarryxU32(x265, x275, x298) + var x301 uint32 + var x302 uint1 + x301, x302 = addcarryxU32(x267, x283, x300) + var x303 uint32 + var x304 uint1 + x303, x304 = addcarryxU32(x269, uint32(x284), x302) + var x305 uint32 + var x306 uint1 + x305, x306 = addcarryxU32(x271, uint32(0x0), x304) + var x307 uint32 + var x308 uint1 + x307, x308 = addcarryxU32(x273, uint32(0x0), x306) + var x309 uint32 + var x310 uint32 + x310, x309 = bits.Mul32(x285, 0xffffffff) + var x311 uint32 + var x312 uint32 + x312, x311 = bits.Mul32(x285, 0xffffffff) + var x313 uint32 + var x314 uint32 + x314, x313 = bits.Mul32(x285, 0xffffffff) + var x315 uint32 + var x316 uint32 + x316, x315 = bits.Mul32(x285, 0xffffffff) + var x317 uint32 + var x318 uint32 + x318, x317 = bits.Mul32(x285, 0xffffffff) 
+ var x319 uint32 + var x320 uint32 + x320, x319 = bits.Mul32(x285, 0xffffffff) + var x321 uint32 + var x322 uint32 + x322, x321 = bits.Mul32(x285, 0xffffffff) + var x323 uint32 + var x324 uint32 + x324, x323 = bits.Mul32(x285, 0xfffffffe) + var x325 uint32 + var x326 uint32 + x326, x325 = bits.Mul32(x285, 0xffffffff) + var x327 uint32 + var x328 uint32 + x328, x327 = bits.Mul32(x285, 0xffffffff) + var x329 uint32 + var x330 uint1 + x329, x330 = addcarryxU32(x326, x323, 0x0) + var x331 uint32 + var x332 uint1 + x331, x332 = addcarryxU32(x324, x321, x330) + var x333 uint32 + var x334 uint1 + x333, x334 = addcarryxU32(x322, x319, x332) + var x335 uint32 + var x336 uint1 + x335, x336 = addcarryxU32(x320, x317, x334) + var x337 uint32 + var x338 uint1 + x337, x338 = addcarryxU32(x318, x315, x336) + var x339 uint32 + var x340 uint1 + x339, x340 = addcarryxU32(x316, x313, x338) + var x341 uint32 + var x342 uint1 + x341, x342 = addcarryxU32(x314, x311, x340) + var x343 uint32 + var x344 uint1 + x343, x344 = addcarryxU32(x312, x309, x342) + var x346 uint1 + _, x346 = addcarryxU32(x285, x327, 0x0) + var x347 uint32 + var x348 uint1 + x347, x348 = addcarryxU32(x287, x328, x346) + var x349 uint32 + var x350 uint1 + x349, x350 = addcarryxU32(x289, uint32(0x0), x348) + var x351 uint32 + var x352 uint1 + x351, x352 = addcarryxU32(x291, x325, x350) + var x353 uint32 + var x354 uint1 + x353, x354 = addcarryxU32(x293, x329, x352) + var x355 uint32 + var x356 uint1 + x355, x356 = addcarryxU32(x295, x331, x354) + var x357 uint32 + var x358 uint1 + x357, x358 = addcarryxU32(x297, x333, x356) + var x359 uint32 + var x360 uint1 + x359, x360 = addcarryxU32(x299, x335, x358) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32(x301, x337, x360) + var x363 uint32 + var x364 uint1 + x363, x364 = addcarryxU32(x303, x339, x362) + var x365 uint32 + var x366 uint1 + x365, x366 = addcarryxU32(x305, x341, x364) + var x367 uint32 + var x368 uint1 + x367, x368 = addcarryxU32(x307, x343, 
x366) + var x369 uint32 + var x370 uint1 + x369, x370 = addcarryxU32((uint32(x308) + uint32(x274)), (uint32(x344) + x310), x368) + var x371 uint32 + var x372 uint32 + x372, x371 = bits.Mul32(x4, 0x2) + var x373 uint32 + var x374 uint32 + x374, x373 = bits.Mul32(x4, 0xfffffffe) + var x375 uint32 + var x376 uint32 + x376, x375 = bits.Mul32(x4, 0x2) + var x377 uint32 + var x378 uint32 + x378, x377 = bits.Mul32(x4, 0xfffffffe) + var x379 uint32 + var x380 uint1 + x379, x380 = addcarryxU32(uint32(uint1(x372)), x4, 0x0) + var x381 uint32 + var x382 uint1 + x381, x382 = addcarryxU32(x347, x4, 0x0) + var x383 uint32 + var x384 uint1 + x383, x384 = addcarryxU32(x349, x377, x382) + var x385 uint32 + var x386 uint1 + x385, x386 = addcarryxU32(x351, x378, x384) + var x387 uint32 + var x388 uint1 + x387, x388 = addcarryxU32(x353, x375, x386) + var x389 uint32 + var x390 uint1 + x389, x390 = addcarryxU32(x355, uint32(uint1(x376)), x388) + var x391 uint32 + var x392 uint1 + x391, x392 = addcarryxU32(x357, x373, x390) + var x393 uint32 + var x394 uint1 + x393, x394 = addcarryxU32(x359, x374, x392) + var x395 uint32 + var x396 uint1 + x395, x396 = addcarryxU32(x361, x371, x394) + var x397 uint32 + var x398 uint1 + x397, x398 = addcarryxU32(x363, x379, x396) + var x399 uint32 + var x400 uint1 + x399, x400 = addcarryxU32(x365, uint32(x380), x398) + var x401 uint32 + var x402 uint1 + x401, x402 = addcarryxU32(x367, uint32(0x0), x400) + var x403 uint32 + var x404 uint1 + x403, x404 = addcarryxU32(x369, uint32(0x0), x402) + var x405 uint32 + var x406 uint32 + x406, x405 = bits.Mul32(x381, 0xffffffff) + var x407 uint32 + var x408 uint32 + x408, x407 = bits.Mul32(x381, 0xffffffff) + var x409 uint32 + var x410 uint32 + x410, x409 = bits.Mul32(x381, 0xffffffff) + var x411 uint32 + var x412 uint32 + x412, x411 = bits.Mul32(x381, 0xffffffff) + var x413 uint32 + var x414 uint32 + x414, x413 = bits.Mul32(x381, 0xffffffff) + var x415 uint32 + var x416 uint32 + x416, x415 = bits.Mul32(x381, 
0xffffffff) + var x417 uint32 + var x418 uint32 + x418, x417 = bits.Mul32(x381, 0xffffffff) + var x419 uint32 + var x420 uint32 + x420, x419 = bits.Mul32(x381, 0xfffffffe) + var x421 uint32 + var x422 uint32 + x422, x421 = bits.Mul32(x381, 0xffffffff) + var x423 uint32 + var x424 uint32 + x424, x423 = bits.Mul32(x381, 0xffffffff) + var x425 uint32 + var x426 uint1 + x425, x426 = addcarryxU32(x422, x419, 0x0) + var x427 uint32 + var x428 uint1 + x427, x428 = addcarryxU32(x420, x417, x426) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x418, x415, x428) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x416, x413, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x414, x411, x432) + var x435 uint32 + var x436 uint1 + x435, x436 = addcarryxU32(x412, x409, x434) + var x437 uint32 + var x438 uint1 + x437, x438 = addcarryxU32(x410, x407, x436) + var x439 uint32 + var x440 uint1 + x439, x440 = addcarryxU32(x408, x405, x438) + var x442 uint1 + _, x442 = addcarryxU32(x381, x423, 0x0) + var x443 uint32 + var x444 uint1 + x443, x444 = addcarryxU32(x383, x424, x442) + var x445 uint32 + var x446 uint1 + x445, x446 = addcarryxU32(x385, uint32(0x0), x444) + var x447 uint32 + var x448 uint1 + x447, x448 = addcarryxU32(x387, x421, x446) + var x449 uint32 + var x450 uint1 + x449, x450 = addcarryxU32(x389, x425, x448) + var x451 uint32 + var x452 uint1 + x451, x452 = addcarryxU32(x391, x427, x450) + var x453 uint32 + var x454 uint1 + x453, x454 = addcarryxU32(x393, x429, x452) + var x455 uint32 + var x456 uint1 + x455, x456 = addcarryxU32(x395, x431, x454) + var x457 uint32 + var x458 uint1 + x457, x458 = addcarryxU32(x397, x433, x456) + var x459 uint32 + var x460 uint1 + x459, x460 = addcarryxU32(x399, x435, x458) + var x461 uint32 + var x462 uint1 + x461, x462 = addcarryxU32(x401, x437, x460) + var x463 uint32 + var x464 uint1 + x463, x464 = addcarryxU32(x403, x439, x462) + var x465 uint32 + var x466 uint1 + x465, x466 = 
addcarryxU32((uint32(x404) + uint32(x370)), (uint32(x440) + x406), x464) + var x467 uint32 + var x468 uint32 + x468, x467 = bits.Mul32(x5, 0x2) + var x469 uint32 + var x470 uint32 + x470, x469 = bits.Mul32(x5, 0xfffffffe) + var x471 uint32 + var x472 uint32 + x472, x471 = bits.Mul32(x5, 0x2) + var x473 uint32 + var x474 uint32 + x474, x473 = bits.Mul32(x5, 0xfffffffe) + var x475 uint32 + var x476 uint1 + x475, x476 = addcarryxU32(uint32(uint1(x468)), x5, 0x0) + var x477 uint32 + var x478 uint1 + x477, x478 = addcarryxU32(x443, x5, 0x0) + var x479 uint32 + var x480 uint1 + x479, x480 = addcarryxU32(x445, x473, x478) + var x481 uint32 + var x482 uint1 + x481, x482 = addcarryxU32(x447, x474, x480) + var x483 uint32 + var x484 uint1 + x483, x484 = addcarryxU32(x449, x471, x482) + var x485 uint32 + var x486 uint1 + x485, x486 = addcarryxU32(x451, uint32(uint1(x472)), x484) + var x487 uint32 + var x488 uint1 + x487, x488 = addcarryxU32(x453, x469, x486) + var x489 uint32 + var x490 uint1 + x489, x490 = addcarryxU32(x455, x470, x488) + var x491 uint32 + var x492 uint1 + x491, x492 = addcarryxU32(x457, x467, x490) + var x493 uint32 + var x494 uint1 + x493, x494 = addcarryxU32(x459, x475, x492) + var x495 uint32 + var x496 uint1 + x495, x496 = addcarryxU32(x461, uint32(x476), x494) + var x497 uint32 + var x498 uint1 + x497, x498 = addcarryxU32(x463, uint32(0x0), x496) + var x499 uint32 + var x500 uint1 + x499, x500 = addcarryxU32(x465, uint32(0x0), x498) + var x501 uint32 + var x502 uint32 + x502, x501 = bits.Mul32(x477, 0xffffffff) + var x503 uint32 + var x504 uint32 + x504, x503 = bits.Mul32(x477, 0xffffffff) + var x505 uint32 + var x506 uint32 + x506, x505 = bits.Mul32(x477, 0xffffffff) + var x507 uint32 + var x508 uint32 + x508, x507 = bits.Mul32(x477, 0xffffffff) + var x509 uint32 + var x510 uint32 + x510, x509 = bits.Mul32(x477, 0xffffffff) + var x511 uint32 + var x512 uint32 + x512, x511 = bits.Mul32(x477, 0xffffffff) + var x513 uint32 + var x514 uint32 + x514, x513 
= bits.Mul32(x477, 0xffffffff) + var x515 uint32 + var x516 uint32 + x516, x515 = bits.Mul32(x477, 0xfffffffe) + var x517 uint32 + var x518 uint32 + x518, x517 = bits.Mul32(x477, 0xffffffff) + var x519 uint32 + var x520 uint32 + x520, x519 = bits.Mul32(x477, 0xffffffff) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x518, x515, 0x0) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x516, x513, x522) + var x525 uint32 + var x526 uint1 + x525, x526 = addcarryxU32(x514, x511, x524) + var x527 uint32 + var x528 uint1 + x527, x528 = addcarryxU32(x512, x509, x526) + var x529 uint32 + var x530 uint1 + x529, x530 = addcarryxU32(x510, x507, x528) + var x531 uint32 + var x532 uint1 + x531, x532 = addcarryxU32(x508, x505, x530) + var x533 uint32 + var x534 uint1 + x533, x534 = addcarryxU32(x506, x503, x532) + var x535 uint32 + var x536 uint1 + x535, x536 = addcarryxU32(x504, x501, x534) + var x538 uint1 + _, x538 = addcarryxU32(x477, x519, 0x0) + var x539 uint32 + var x540 uint1 + x539, x540 = addcarryxU32(x479, x520, x538) + var x541 uint32 + var x542 uint1 + x541, x542 = addcarryxU32(x481, uint32(0x0), x540) + var x543 uint32 + var x544 uint1 + x543, x544 = addcarryxU32(x483, x517, x542) + var x545 uint32 + var x546 uint1 + x545, x546 = addcarryxU32(x485, x521, x544) + var x547 uint32 + var x548 uint1 + x547, x548 = addcarryxU32(x487, x523, x546) + var x549 uint32 + var x550 uint1 + x549, x550 = addcarryxU32(x489, x525, x548) + var x551 uint32 + var x552 uint1 + x551, x552 = addcarryxU32(x491, x527, x550) + var x553 uint32 + var x554 uint1 + x553, x554 = addcarryxU32(x493, x529, x552) + var x555 uint32 + var x556 uint1 + x555, x556 = addcarryxU32(x495, x531, x554) + var x557 uint32 + var x558 uint1 + x557, x558 = addcarryxU32(x497, x533, x556) + var x559 uint32 + var x560 uint1 + x559, x560 = addcarryxU32(x499, x535, x558) + var x561 uint32 + var x562 uint1 + x561, x562 = addcarryxU32((uint32(x500) + uint32(x466)), (uint32(x536) + x502), x560) + 
var x563 uint32 + var x564 uint32 + x564, x563 = bits.Mul32(x6, 0x2) + var x565 uint32 + var x566 uint32 + x566, x565 = bits.Mul32(x6, 0xfffffffe) + var x567 uint32 + var x568 uint32 + x568, x567 = bits.Mul32(x6, 0x2) + var x569 uint32 + var x570 uint32 + x570, x569 = bits.Mul32(x6, 0xfffffffe) + var x571 uint32 + var x572 uint1 + x571, x572 = addcarryxU32(uint32(uint1(x564)), x6, 0x0) + var x573 uint32 + var x574 uint1 + x573, x574 = addcarryxU32(x539, x6, 0x0) + var x575 uint32 + var x576 uint1 + x575, x576 = addcarryxU32(x541, x569, x574) + var x577 uint32 + var x578 uint1 + x577, x578 = addcarryxU32(x543, x570, x576) + var x579 uint32 + var x580 uint1 + x579, x580 = addcarryxU32(x545, x567, x578) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x547, uint32(uint1(x568)), x580) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32(x549, x565, x582) + var x585 uint32 + var x586 uint1 + x585, x586 = addcarryxU32(x551, x566, x584) + var x587 uint32 + var x588 uint1 + x587, x588 = addcarryxU32(x553, x563, x586) + var x589 uint32 + var x590 uint1 + x589, x590 = addcarryxU32(x555, x571, x588) + var x591 uint32 + var x592 uint1 + x591, x592 = addcarryxU32(x557, uint32(x572), x590) + var x593 uint32 + var x594 uint1 + x593, x594 = addcarryxU32(x559, uint32(0x0), x592) + var x595 uint32 + var x596 uint1 + x595, x596 = addcarryxU32(x561, uint32(0x0), x594) + var x597 uint32 + var x598 uint32 + x598, x597 = bits.Mul32(x573, 0xffffffff) + var x599 uint32 + var x600 uint32 + x600, x599 = bits.Mul32(x573, 0xffffffff) + var x601 uint32 + var x602 uint32 + x602, x601 = bits.Mul32(x573, 0xffffffff) + var x603 uint32 + var x604 uint32 + x604, x603 = bits.Mul32(x573, 0xffffffff) + var x605 uint32 + var x606 uint32 + x606, x605 = bits.Mul32(x573, 0xffffffff) + var x607 uint32 + var x608 uint32 + x608, x607 = bits.Mul32(x573, 0xffffffff) + var x609 uint32 + var x610 uint32 + x610, x609 = bits.Mul32(x573, 0xffffffff) + var x611 uint32 + var x612 uint32 + x612, 
x611 = bits.Mul32(x573, 0xfffffffe) + var x613 uint32 + var x614 uint32 + x614, x613 = bits.Mul32(x573, 0xffffffff) + var x615 uint32 + var x616 uint32 + x616, x615 = bits.Mul32(x573, 0xffffffff) + var x617 uint32 + var x618 uint1 + x617, x618 = addcarryxU32(x614, x611, 0x0) + var x619 uint32 + var x620 uint1 + x619, x620 = addcarryxU32(x612, x609, x618) + var x621 uint32 + var x622 uint1 + x621, x622 = addcarryxU32(x610, x607, x620) + var x623 uint32 + var x624 uint1 + x623, x624 = addcarryxU32(x608, x605, x622) + var x625 uint32 + var x626 uint1 + x625, x626 = addcarryxU32(x606, x603, x624) + var x627 uint32 + var x628 uint1 + x627, x628 = addcarryxU32(x604, x601, x626) + var x629 uint32 + var x630 uint1 + x629, x630 = addcarryxU32(x602, x599, x628) + var x631 uint32 + var x632 uint1 + x631, x632 = addcarryxU32(x600, x597, x630) + var x634 uint1 + _, x634 = addcarryxU32(x573, x615, 0x0) + var x635 uint32 + var x636 uint1 + x635, x636 = addcarryxU32(x575, x616, x634) + var x637 uint32 + var x638 uint1 + x637, x638 = addcarryxU32(x577, uint32(0x0), x636) + var x639 uint32 + var x640 uint1 + x639, x640 = addcarryxU32(x579, x613, x638) + var x641 uint32 + var x642 uint1 + x641, x642 = addcarryxU32(x581, x617, x640) + var x643 uint32 + var x644 uint1 + x643, x644 = addcarryxU32(x583, x619, x642) + var x645 uint32 + var x646 uint1 + x645, x646 = addcarryxU32(x585, x621, x644) + var x647 uint32 + var x648 uint1 + x647, x648 = addcarryxU32(x587, x623, x646) + var x649 uint32 + var x650 uint1 + x649, x650 = addcarryxU32(x589, x625, x648) + var x651 uint32 + var x652 uint1 + x651, x652 = addcarryxU32(x591, x627, x650) + var x653 uint32 + var x654 uint1 + x653, x654 = addcarryxU32(x593, x629, x652) + var x655 uint32 + var x656 uint1 + x655, x656 = addcarryxU32(x595, x631, x654) + var x657 uint32 + var x658 uint1 + x657, x658 = addcarryxU32((uint32(x596) + uint32(x562)), (uint32(x632) + x598), x656) + var x659 uint32 + var x660 uint32 + x660, x659 = bits.Mul32(x7, 0x2) + var 
x661 uint32 + var x662 uint32 + x662, x661 = bits.Mul32(x7, 0xfffffffe) + var x663 uint32 + var x664 uint32 + x664, x663 = bits.Mul32(x7, 0x2) + var x665 uint32 + var x666 uint32 + x666, x665 = bits.Mul32(x7, 0xfffffffe) + var x667 uint32 + var x668 uint1 + x667, x668 = addcarryxU32(uint32(uint1(x660)), x7, 0x0) + var x669 uint32 + var x670 uint1 + x669, x670 = addcarryxU32(x635, x7, 0x0) + var x671 uint32 + var x672 uint1 + x671, x672 = addcarryxU32(x637, x665, x670) + var x673 uint32 + var x674 uint1 + x673, x674 = addcarryxU32(x639, x666, x672) + var x675 uint32 + var x676 uint1 + x675, x676 = addcarryxU32(x641, x663, x674) + var x677 uint32 + var x678 uint1 + x677, x678 = addcarryxU32(x643, uint32(uint1(x664)), x676) + var x679 uint32 + var x680 uint1 + x679, x680 = addcarryxU32(x645, x661, x678) + var x681 uint32 + var x682 uint1 + x681, x682 = addcarryxU32(x647, x662, x680) + var x683 uint32 + var x684 uint1 + x683, x684 = addcarryxU32(x649, x659, x682) + var x685 uint32 + var x686 uint1 + x685, x686 = addcarryxU32(x651, x667, x684) + var x687 uint32 + var x688 uint1 + x687, x688 = addcarryxU32(x653, uint32(x668), x686) + var x689 uint32 + var x690 uint1 + x689, x690 = addcarryxU32(x655, uint32(0x0), x688) + var x691 uint32 + var x692 uint1 + x691, x692 = addcarryxU32(x657, uint32(0x0), x690) + var x693 uint32 + var x694 uint32 + x694, x693 = bits.Mul32(x669, 0xffffffff) + var x695 uint32 + var x696 uint32 + x696, x695 = bits.Mul32(x669, 0xffffffff) + var x697 uint32 + var x698 uint32 + x698, x697 = bits.Mul32(x669, 0xffffffff) + var x699 uint32 + var x700 uint32 + x700, x699 = bits.Mul32(x669, 0xffffffff) + var x701 uint32 + var x702 uint32 + x702, x701 = bits.Mul32(x669, 0xffffffff) + var x703 uint32 + var x704 uint32 + x704, x703 = bits.Mul32(x669, 0xffffffff) + var x705 uint32 + var x706 uint32 + x706, x705 = bits.Mul32(x669, 0xffffffff) + var x707 uint32 + var x708 uint32 + x708, x707 = bits.Mul32(x669, 0xfffffffe) + var x709 uint32 + var x710 uint32 + 
x710, x709 = bits.Mul32(x669, 0xffffffff) + var x711 uint32 + var x712 uint32 + x712, x711 = bits.Mul32(x669, 0xffffffff) + var x713 uint32 + var x714 uint1 + x713, x714 = addcarryxU32(x710, x707, 0x0) + var x715 uint32 + var x716 uint1 + x715, x716 = addcarryxU32(x708, x705, x714) + var x717 uint32 + var x718 uint1 + x717, x718 = addcarryxU32(x706, x703, x716) + var x719 uint32 + var x720 uint1 + x719, x720 = addcarryxU32(x704, x701, x718) + var x721 uint32 + var x722 uint1 + x721, x722 = addcarryxU32(x702, x699, x720) + var x723 uint32 + var x724 uint1 + x723, x724 = addcarryxU32(x700, x697, x722) + var x725 uint32 + var x726 uint1 + x725, x726 = addcarryxU32(x698, x695, x724) + var x727 uint32 + var x728 uint1 + x727, x728 = addcarryxU32(x696, x693, x726) + var x730 uint1 + _, x730 = addcarryxU32(x669, x711, 0x0) + var x731 uint32 + var x732 uint1 + x731, x732 = addcarryxU32(x671, x712, x730) + var x733 uint32 + var x734 uint1 + x733, x734 = addcarryxU32(x673, uint32(0x0), x732) + var x735 uint32 + var x736 uint1 + x735, x736 = addcarryxU32(x675, x709, x734) + var x737 uint32 + var x738 uint1 + x737, x738 = addcarryxU32(x677, x713, x736) + var x739 uint32 + var x740 uint1 + x739, x740 = addcarryxU32(x679, x715, x738) + var x741 uint32 + var x742 uint1 + x741, x742 = addcarryxU32(x681, x717, x740) + var x743 uint32 + var x744 uint1 + x743, x744 = addcarryxU32(x683, x719, x742) + var x745 uint32 + var x746 uint1 + x745, x746 = addcarryxU32(x685, x721, x744) + var x747 uint32 + var x748 uint1 + x747, x748 = addcarryxU32(x687, x723, x746) + var x749 uint32 + var x750 uint1 + x749, x750 = addcarryxU32(x689, x725, x748) + var x751 uint32 + var x752 uint1 + x751, x752 = addcarryxU32(x691, x727, x750) + var x753 uint32 + var x754 uint1 + x753, x754 = addcarryxU32((uint32(x692) + uint32(x658)), (uint32(x728) + x694), x752) + var x755 uint32 + var x756 uint32 + x756, x755 = bits.Mul32(x8, 0x2) + var x757 uint32 + var x758 uint32 + x758, x757 = bits.Mul32(x8, 0xfffffffe) + 
var x759 uint32 + var x760 uint32 + x760, x759 = bits.Mul32(x8, 0x2) + var x761 uint32 + var x762 uint32 + x762, x761 = bits.Mul32(x8, 0xfffffffe) + var x763 uint32 + var x764 uint1 + x763, x764 = addcarryxU32(uint32(uint1(x756)), x8, 0x0) + var x765 uint32 + var x766 uint1 + x765, x766 = addcarryxU32(x731, x8, 0x0) + var x767 uint32 + var x768 uint1 + x767, x768 = addcarryxU32(x733, x761, x766) + var x769 uint32 + var x770 uint1 + x769, x770 = addcarryxU32(x735, x762, x768) + var x771 uint32 + var x772 uint1 + x771, x772 = addcarryxU32(x737, x759, x770) + var x773 uint32 + var x774 uint1 + x773, x774 = addcarryxU32(x739, uint32(uint1(x760)), x772) + var x775 uint32 + var x776 uint1 + x775, x776 = addcarryxU32(x741, x757, x774) + var x777 uint32 + var x778 uint1 + x777, x778 = addcarryxU32(x743, x758, x776) + var x779 uint32 + var x780 uint1 + x779, x780 = addcarryxU32(x745, x755, x778) + var x781 uint32 + var x782 uint1 + x781, x782 = addcarryxU32(x747, x763, x780) + var x783 uint32 + var x784 uint1 + x783, x784 = addcarryxU32(x749, uint32(x764), x782) + var x785 uint32 + var x786 uint1 + x785, x786 = addcarryxU32(x751, uint32(0x0), x784) + var x787 uint32 + var x788 uint1 + x787, x788 = addcarryxU32(x753, uint32(0x0), x786) + var x789 uint32 + var x790 uint32 + x790, x789 = bits.Mul32(x765, 0xffffffff) + var x791 uint32 + var x792 uint32 + x792, x791 = bits.Mul32(x765, 0xffffffff) + var x793 uint32 + var x794 uint32 + x794, x793 = bits.Mul32(x765, 0xffffffff) + var x795 uint32 + var x796 uint32 + x796, x795 = bits.Mul32(x765, 0xffffffff) + var x797 uint32 + var x798 uint32 + x798, x797 = bits.Mul32(x765, 0xffffffff) + var x799 uint32 + var x800 uint32 + x800, x799 = bits.Mul32(x765, 0xffffffff) + var x801 uint32 + var x802 uint32 + x802, x801 = bits.Mul32(x765, 0xffffffff) + var x803 uint32 + var x804 uint32 + x804, x803 = bits.Mul32(x765, 0xfffffffe) + var x805 uint32 + var x806 uint32 + x806, x805 = bits.Mul32(x765, 0xffffffff) + var x807 uint32 + var x808 
uint32 + x808, x807 = bits.Mul32(x765, 0xffffffff) + var x809 uint32 + var x810 uint1 + x809, x810 = addcarryxU32(x806, x803, 0x0) + var x811 uint32 + var x812 uint1 + x811, x812 = addcarryxU32(x804, x801, x810) + var x813 uint32 + var x814 uint1 + x813, x814 = addcarryxU32(x802, x799, x812) + var x815 uint32 + var x816 uint1 + x815, x816 = addcarryxU32(x800, x797, x814) + var x817 uint32 + var x818 uint1 + x817, x818 = addcarryxU32(x798, x795, x816) + var x819 uint32 + var x820 uint1 + x819, x820 = addcarryxU32(x796, x793, x818) + var x821 uint32 + var x822 uint1 + x821, x822 = addcarryxU32(x794, x791, x820) + var x823 uint32 + var x824 uint1 + x823, x824 = addcarryxU32(x792, x789, x822) + var x826 uint1 + _, x826 = addcarryxU32(x765, x807, 0x0) + var x827 uint32 + var x828 uint1 + x827, x828 = addcarryxU32(x767, x808, x826) + var x829 uint32 + var x830 uint1 + x829, x830 = addcarryxU32(x769, uint32(0x0), x828) + var x831 uint32 + var x832 uint1 + x831, x832 = addcarryxU32(x771, x805, x830) + var x833 uint32 + var x834 uint1 + x833, x834 = addcarryxU32(x773, x809, x832) + var x835 uint32 + var x836 uint1 + x835, x836 = addcarryxU32(x775, x811, x834) + var x837 uint32 + var x838 uint1 + x837, x838 = addcarryxU32(x777, x813, x836) + var x839 uint32 + var x840 uint1 + x839, x840 = addcarryxU32(x779, x815, x838) + var x841 uint32 + var x842 uint1 + x841, x842 = addcarryxU32(x781, x817, x840) + var x843 uint32 + var x844 uint1 + x843, x844 = addcarryxU32(x783, x819, x842) + var x845 uint32 + var x846 uint1 + x845, x846 = addcarryxU32(x785, x821, x844) + var x847 uint32 + var x848 uint1 + x847, x848 = addcarryxU32(x787, x823, x846) + var x849 uint32 + var x850 uint1 + x849, x850 = addcarryxU32((uint32(x788) + uint32(x754)), (uint32(x824) + x790), x848) + var x851 uint32 + var x852 uint32 + x852, x851 = bits.Mul32(x9, 0x2) + var x853 uint32 + var x854 uint32 + x854, x853 = bits.Mul32(x9, 0xfffffffe) + var x855 uint32 + var x856 uint32 + x856, x855 = bits.Mul32(x9, 0x2) + 
var x857 uint32 + var x858 uint32 + x858, x857 = bits.Mul32(x9, 0xfffffffe) + var x859 uint32 + var x860 uint1 + x859, x860 = addcarryxU32(uint32(uint1(x852)), x9, 0x0) + var x861 uint32 + var x862 uint1 + x861, x862 = addcarryxU32(x827, x9, 0x0) + var x863 uint32 + var x864 uint1 + x863, x864 = addcarryxU32(x829, x857, x862) + var x865 uint32 + var x866 uint1 + x865, x866 = addcarryxU32(x831, x858, x864) + var x867 uint32 + var x868 uint1 + x867, x868 = addcarryxU32(x833, x855, x866) + var x869 uint32 + var x870 uint1 + x869, x870 = addcarryxU32(x835, uint32(uint1(x856)), x868) + var x871 uint32 + var x872 uint1 + x871, x872 = addcarryxU32(x837, x853, x870) + var x873 uint32 + var x874 uint1 + x873, x874 = addcarryxU32(x839, x854, x872) + var x875 uint32 + var x876 uint1 + x875, x876 = addcarryxU32(x841, x851, x874) + var x877 uint32 + var x878 uint1 + x877, x878 = addcarryxU32(x843, x859, x876) + var x879 uint32 + var x880 uint1 + x879, x880 = addcarryxU32(x845, uint32(x860), x878) + var x881 uint32 + var x882 uint1 + x881, x882 = addcarryxU32(x847, uint32(0x0), x880) + var x883 uint32 + var x884 uint1 + x883, x884 = addcarryxU32(x849, uint32(0x0), x882) + var x885 uint32 + var x886 uint32 + x886, x885 = bits.Mul32(x861, 0xffffffff) + var x887 uint32 + var x888 uint32 + x888, x887 = bits.Mul32(x861, 0xffffffff) + var x889 uint32 + var x890 uint32 + x890, x889 = bits.Mul32(x861, 0xffffffff) + var x891 uint32 + var x892 uint32 + x892, x891 = bits.Mul32(x861, 0xffffffff) + var x893 uint32 + var x894 uint32 + x894, x893 = bits.Mul32(x861, 0xffffffff) + var x895 uint32 + var x896 uint32 + x896, x895 = bits.Mul32(x861, 0xffffffff) + var x897 uint32 + var x898 uint32 + x898, x897 = bits.Mul32(x861, 0xffffffff) + var x899 uint32 + var x900 uint32 + x900, x899 = bits.Mul32(x861, 0xfffffffe) + var x901 uint32 + var x902 uint32 + x902, x901 = bits.Mul32(x861, 0xffffffff) + var x903 uint32 + var x904 uint32 + x904, x903 = bits.Mul32(x861, 0xffffffff) + var x905 uint32 + var 
x906 uint1 + x905, x906 = addcarryxU32(x902, x899, 0x0) + var x907 uint32 + var x908 uint1 + x907, x908 = addcarryxU32(x900, x897, x906) + var x909 uint32 + var x910 uint1 + x909, x910 = addcarryxU32(x898, x895, x908) + var x911 uint32 + var x912 uint1 + x911, x912 = addcarryxU32(x896, x893, x910) + var x913 uint32 + var x914 uint1 + x913, x914 = addcarryxU32(x894, x891, x912) + var x915 uint32 + var x916 uint1 + x915, x916 = addcarryxU32(x892, x889, x914) + var x917 uint32 + var x918 uint1 + x917, x918 = addcarryxU32(x890, x887, x916) + var x919 uint32 + var x920 uint1 + x919, x920 = addcarryxU32(x888, x885, x918) + var x922 uint1 + _, x922 = addcarryxU32(x861, x903, 0x0) + var x923 uint32 + var x924 uint1 + x923, x924 = addcarryxU32(x863, x904, x922) + var x925 uint32 + var x926 uint1 + x925, x926 = addcarryxU32(x865, uint32(0x0), x924) + var x927 uint32 + var x928 uint1 + x927, x928 = addcarryxU32(x867, x901, x926) + var x929 uint32 + var x930 uint1 + x929, x930 = addcarryxU32(x869, x905, x928) + var x931 uint32 + var x932 uint1 + x931, x932 = addcarryxU32(x871, x907, x930) + var x933 uint32 + var x934 uint1 + x933, x934 = addcarryxU32(x873, x909, x932) + var x935 uint32 + var x936 uint1 + x935, x936 = addcarryxU32(x875, x911, x934) + var x937 uint32 + var x938 uint1 + x937, x938 = addcarryxU32(x877, x913, x936) + var x939 uint32 + var x940 uint1 + x939, x940 = addcarryxU32(x879, x915, x938) + var x941 uint32 + var x942 uint1 + x941, x942 = addcarryxU32(x881, x917, x940) + var x943 uint32 + var x944 uint1 + x943, x944 = addcarryxU32(x883, x919, x942) + var x945 uint32 + var x946 uint1 + x945, x946 = addcarryxU32((uint32(x884) + uint32(x850)), (uint32(x920) + x886), x944) + var x947 uint32 + var x948 uint32 + x948, x947 = bits.Mul32(x10, 0x2) + var x949 uint32 + var x950 uint32 + x950, x949 = bits.Mul32(x10, 0xfffffffe) + var x951 uint32 + var x952 uint32 + x952, x951 = bits.Mul32(x10, 0x2) + var x953 uint32 + var x954 uint32 + x954, x953 = bits.Mul32(x10, 
0xfffffffe) + var x955 uint32 + var x956 uint1 + x955, x956 = addcarryxU32(uint32(uint1(x948)), x10, 0x0) + var x957 uint32 + var x958 uint1 + x957, x958 = addcarryxU32(x923, x10, 0x0) + var x959 uint32 + var x960 uint1 + x959, x960 = addcarryxU32(x925, x953, x958) + var x961 uint32 + var x962 uint1 + x961, x962 = addcarryxU32(x927, x954, x960) + var x963 uint32 + var x964 uint1 + x963, x964 = addcarryxU32(x929, x951, x962) + var x965 uint32 + var x966 uint1 + x965, x966 = addcarryxU32(x931, uint32(uint1(x952)), x964) + var x967 uint32 + var x968 uint1 + x967, x968 = addcarryxU32(x933, x949, x966) + var x969 uint32 + var x970 uint1 + x969, x970 = addcarryxU32(x935, x950, x968) + var x971 uint32 + var x972 uint1 + x971, x972 = addcarryxU32(x937, x947, x970) + var x973 uint32 + var x974 uint1 + x973, x974 = addcarryxU32(x939, x955, x972) + var x975 uint32 + var x976 uint1 + x975, x976 = addcarryxU32(x941, uint32(x956), x974) + var x977 uint32 + var x978 uint1 + x977, x978 = addcarryxU32(x943, uint32(0x0), x976) + var x979 uint32 + var x980 uint1 + x979, x980 = addcarryxU32(x945, uint32(0x0), x978) + var x981 uint32 + var x982 uint32 + x982, x981 = bits.Mul32(x957, 0xffffffff) + var x983 uint32 + var x984 uint32 + x984, x983 = bits.Mul32(x957, 0xffffffff) + var x985 uint32 + var x986 uint32 + x986, x985 = bits.Mul32(x957, 0xffffffff) + var x987 uint32 + var x988 uint32 + x988, x987 = bits.Mul32(x957, 0xffffffff) + var x989 uint32 + var x990 uint32 + x990, x989 = bits.Mul32(x957, 0xffffffff) + var x991 uint32 + var x992 uint32 + x992, x991 = bits.Mul32(x957, 0xffffffff) + var x993 uint32 + var x994 uint32 + x994, x993 = bits.Mul32(x957, 0xffffffff) + var x995 uint32 + var x996 uint32 + x996, x995 = bits.Mul32(x957, 0xfffffffe) + var x997 uint32 + var x998 uint32 + x998, x997 = bits.Mul32(x957, 0xffffffff) + var x999 uint32 + var x1000 uint32 + x1000, x999 = bits.Mul32(x957, 0xffffffff) + var x1001 uint32 + var x1002 uint1 + x1001, x1002 = addcarryxU32(x998, x995, 0x0) 
+ var x1003 uint32 + var x1004 uint1 + x1003, x1004 = addcarryxU32(x996, x993, x1002) + var x1005 uint32 + var x1006 uint1 + x1005, x1006 = addcarryxU32(x994, x991, x1004) + var x1007 uint32 + var x1008 uint1 + x1007, x1008 = addcarryxU32(x992, x989, x1006) + var x1009 uint32 + var x1010 uint1 + x1009, x1010 = addcarryxU32(x990, x987, x1008) + var x1011 uint32 + var x1012 uint1 + x1011, x1012 = addcarryxU32(x988, x985, x1010) + var x1013 uint32 + var x1014 uint1 + x1013, x1014 = addcarryxU32(x986, x983, x1012) + var x1015 uint32 + var x1016 uint1 + x1015, x1016 = addcarryxU32(x984, x981, x1014) + var x1018 uint1 + _, x1018 = addcarryxU32(x957, x999, 0x0) + var x1019 uint32 + var x1020 uint1 + x1019, x1020 = addcarryxU32(x959, x1000, x1018) + var x1021 uint32 + var x1022 uint1 + x1021, x1022 = addcarryxU32(x961, uint32(0x0), x1020) + var x1023 uint32 + var x1024 uint1 + x1023, x1024 = addcarryxU32(x963, x997, x1022) + var x1025 uint32 + var x1026 uint1 + x1025, x1026 = addcarryxU32(x965, x1001, x1024) + var x1027 uint32 + var x1028 uint1 + x1027, x1028 = addcarryxU32(x967, x1003, x1026) + var x1029 uint32 + var x1030 uint1 + x1029, x1030 = addcarryxU32(x969, x1005, x1028) + var x1031 uint32 + var x1032 uint1 + x1031, x1032 = addcarryxU32(x971, x1007, x1030) + var x1033 uint32 + var x1034 uint1 + x1033, x1034 = addcarryxU32(x973, x1009, x1032) + var x1035 uint32 + var x1036 uint1 + x1035, x1036 = addcarryxU32(x975, x1011, x1034) + var x1037 uint32 + var x1038 uint1 + x1037, x1038 = addcarryxU32(x977, x1013, x1036) + var x1039 uint32 + var x1040 uint1 + x1039, x1040 = addcarryxU32(x979, x1015, x1038) + var x1041 uint32 + var x1042 uint1 + x1041, x1042 = addcarryxU32((uint32(x980) + uint32(x946)), (uint32(x1016) + x982), x1040) + var x1043 uint32 + var x1044 uint32 + x1044, x1043 = bits.Mul32(x11, 0x2) + var x1045 uint32 + var x1046 uint32 + x1046, x1045 = bits.Mul32(x11, 0xfffffffe) + var x1047 uint32 + var x1048 uint32 + x1048, x1047 = bits.Mul32(x11, 0x2) + var 
x1049 uint32 + var x1050 uint32 + x1050, x1049 = bits.Mul32(x11, 0xfffffffe) + var x1051 uint32 + var x1052 uint1 + x1051, x1052 = addcarryxU32(uint32(uint1(x1044)), x11, 0x0) + var x1053 uint32 + var x1054 uint1 + x1053, x1054 = addcarryxU32(x1019, x11, 0x0) + var x1055 uint32 + var x1056 uint1 + x1055, x1056 = addcarryxU32(x1021, x1049, x1054) + var x1057 uint32 + var x1058 uint1 + x1057, x1058 = addcarryxU32(x1023, x1050, x1056) + var x1059 uint32 + var x1060 uint1 + x1059, x1060 = addcarryxU32(x1025, x1047, x1058) + var x1061 uint32 + var x1062 uint1 + x1061, x1062 = addcarryxU32(x1027, uint32(uint1(x1048)), x1060) + var x1063 uint32 + var x1064 uint1 + x1063, x1064 = addcarryxU32(x1029, x1045, x1062) + var x1065 uint32 + var x1066 uint1 + x1065, x1066 = addcarryxU32(x1031, x1046, x1064) + var x1067 uint32 + var x1068 uint1 + x1067, x1068 = addcarryxU32(x1033, x1043, x1066) + var x1069 uint32 + var x1070 uint1 + x1069, x1070 = addcarryxU32(x1035, x1051, x1068) + var x1071 uint32 + var x1072 uint1 + x1071, x1072 = addcarryxU32(x1037, uint32(x1052), x1070) + var x1073 uint32 + var x1074 uint1 + x1073, x1074 = addcarryxU32(x1039, uint32(0x0), x1072) + var x1075 uint32 + var x1076 uint1 + x1075, x1076 = addcarryxU32(x1041, uint32(0x0), x1074) + var x1077 uint32 + var x1078 uint32 + x1078, x1077 = bits.Mul32(x1053, 0xffffffff) + var x1079 uint32 + var x1080 uint32 + x1080, x1079 = bits.Mul32(x1053, 0xffffffff) + var x1081 uint32 + var x1082 uint32 + x1082, x1081 = bits.Mul32(x1053, 0xffffffff) + var x1083 uint32 + var x1084 uint32 + x1084, x1083 = bits.Mul32(x1053, 0xffffffff) + var x1085 uint32 + var x1086 uint32 + x1086, x1085 = bits.Mul32(x1053, 0xffffffff) + var x1087 uint32 + var x1088 uint32 + x1088, x1087 = bits.Mul32(x1053, 0xffffffff) + var x1089 uint32 + var x1090 uint32 + x1090, x1089 = bits.Mul32(x1053, 0xffffffff) + var x1091 uint32 + var x1092 uint32 + x1092, x1091 = bits.Mul32(x1053, 0xfffffffe) + var x1093 uint32 + var x1094 uint32 + x1094, x1093 = 
bits.Mul32(x1053, 0xffffffff) + var x1095 uint32 + var x1096 uint32 + x1096, x1095 = bits.Mul32(x1053, 0xffffffff) + var x1097 uint32 + var x1098 uint1 + x1097, x1098 = addcarryxU32(x1094, x1091, 0x0) + var x1099 uint32 + var x1100 uint1 + x1099, x1100 = addcarryxU32(x1092, x1089, x1098) + var x1101 uint32 + var x1102 uint1 + x1101, x1102 = addcarryxU32(x1090, x1087, x1100) + var x1103 uint32 + var x1104 uint1 + x1103, x1104 = addcarryxU32(x1088, x1085, x1102) + var x1105 uint32 + var x1106 uint1 + x1105, x1106 = addcarryxU32(x1086, x1083, x1104) + var x1107 uint32 + var x1108 uint1 + x1107, x1108 = addcarryxU32(x1084, x1081, x1106) + var x1109 uint32 + var x1110 uint1 + x1109, x1110 = addcarryxU32(x1082, x1079, x1108) + var x1111 uint32 + var x1112 uint1 + x1111, x1112 = addcarryxU32(x1080, x1077, x1110) + var x1114 uint1 + _, x1114 = addcarryxU32(x1053, x1095, 0x0) + var x1115 uint32 + var x1116 uint1 + x1115, x1116 = addcarryxU32(x1055, x1096, x1114) + var x1117 uint32 + var x1118 uint1 + x1117, x1118 = addcarryxU32(x1057, uint32(0x0), x1116) + var x1119 uint32 + var x1120 uint1 + x1119, x1120 = addcarryxU32(x1059, x1093, x1118) + var x1121 uint32 + var x1122 uint1 + x1121, x1122 = addcarryxU32(x1061, x1097, x1120) + var x1123 uint32 + var x1124 uint1 + x1123, x1124 = addcarryxU32(x1063, x1099, x1122) + var x1125 uint32 + var x1126 uint1 + x1125, x1126 = addcarryxU32(x1065, x1101, x1124) + var x1127 uint32 + var x1128 uint1 + x1127, x1128 = addcarryxU32(x1067, x1103, x1126) + var x1129 uint32 + var x1130 uint1 + x1129, x1130 = addcarryxU32(x1069, x1105, x1128) + var x1131 uint32 + var x1132 uint1 + x1131, x1132 = addcarryxU32(x1071, x1107, x1130) + var x1133 uint32 + var x1134 uint1 + x1133, x1134 = addcarryxU32(x1073, x1109, x1132) + var x1135 uint32 + var x1136 uint1 + x1135, x1136 = addcarryxU32(x1075, x1111, x1134) + var x1137 uint32 + var x1138 uint1 + x1137, x1138 = addcarryxU32((uint32(x1076) + uint32(x1042)), (uint32(x1112) + x1078), x1136) + var x1139 
uint32 + var x1140 uint1 + x1139, x1140 = subborrowxU32(x1115, 0xffffffff, 0x0) + var x1141 uint32 + var x1142 uint1 + x1141, x1142 = subborrowxU32(x1117, uint32(0x0), x1140) + var x1143 uint32 + var x1144 uint1 + x1143, x1144 = subborrowxU32(x1119, uint32(0x0), x1142) + var x1145 uint32 + var x1146 uint1 + x1145, x1146 = subborrowxU32(x1121, 0xffffffff, x1144) + var x1147 uint32 + var x1148 uint1 + x1147, x1148 = subborrowxU32(x1123, 0xfffffffe, x1146) + var x1149 uint32 + var x1150 uint1 + x1149, x1150 = subborrowxU32(x1125, 0xffffffff, x1148) + var x1151 uint32 + var x1152 uint1 + x1151, x1152 = subborrowxU32(x1127, 0xffffffff, x1150) + var x1153 uint32 + var x1154 uint1 + x1153, x1154 = subborrowxU32(x1129, 0xffffffff, x1152) + var x1155 uint32 + var x1156 uint1 + x1155, x1156 = subborrowxU32(x1131, 0xffffffff, x1154) + var x1157 uint32 + var x1158 uint1 + x1157, x1158 = subborrowxU32(x1133, 0xffffffff, x1156) + var x1159 uint32 + var x1160 uint1 + x1159, x1160 = subborrowxU32(x1135, 0xffffffff, x1158) + var x1161 uint32 + var x1162 uint1 + x1161, x1162 = subborrowxU32(x1137, 0xffffffff, x1160) + var x1164 uint1 + _, x1164 = subborrowxU32(uint32(x1138), uint32(0x0), x1162) + var x1165 uint32 + cmovznzU32(&x1165, x1164, x1139, x1115) + var x1166 uint32 + cmovznzU32(&x1166, x1164, x1141, x1117) + var x1167 uint32 + cmovznzU32(&x1167, x1164, x1143, x1119) + var x1168 uint32 + cmovznzU32(&x1168, x1164, x1145, x1121) + var x1169 uint32 + cmovznzU32(&x1169, x1164, x1147, x1123) + var x1170 uint32 + cmovznzU32(&x1170, x1164, x1149, x1125) + var x1171 uint32 + cmovznzU32(&x1171, x1164, x1151, x1127) + var x1172 uint32 + cmovznzU32(&x1172, x1164, x1153, x1129) + var x1173 uint32 + cmovznzU32(&x1173, x1164, x1155, x1131) + var x1174 uint32 + cmovznzU32(&x1174, x1164, x1157, x1133) + var x1175 uint32 + cmovznzU32(&x1175, x1164, x1159, x1135) + var x1176 uint32 + cmovznzU32(&x1176, x1164, x1161, x1137) + out1[0] = x1165 + out1[1] = x1166 + out1[2] = x1167 + out1[3] = x1168 
+ out1[4] = x1169 + out1[5] = x1170 + out1[6] = x1171 + out1[7] = x1172 + out1[8] = x1173 + out1[9] = x1174 + out1[10] = x1175 + out1[11] = x1176 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func Nonzero(out1 *uint32, arg1 *[12]uint32) { - var x1 uint32 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | ((arg1[8]) | ((arg1[9]) | ((arg1[10]) | (arg1[11])))))))))))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | (arg1[3] | (arg1[4] | (arg1[5] | (arg1[6] | (arg1[7] | (arg1[8] | (arg1[9] | (arg1[10] | arg1[11]))))))))))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. +// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Selectznz(out1 *[12]uint32, arg1 uint1, arg2 *[12]uint32, arg3 *[12]uint32) 
{ - var x1 uint32 - cmovznzU32(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint32 - cmovznzU32(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint32 - cmovznzU32(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint32 - cmovznzU32(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint32 - cmovznzU32(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint32 - cmovznzU32(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint32 - cmovznzU32(&x7, arg1, (arg2[6]), (arg3[6])) - var x8 uint32 - cmovznzU32(&x8, arg1, (arg2[7]), (arg3[7])) - var x9 uint32 - cmovznzU32(&x9, arg1, (arg2[8]), (arg3[8])) - var x10 uint32 - cmovznzU32(&x10, arg1, (arg2[9]), (arg3[9])) - var x11 uint32 - cmovznzU32(&x11, arg1, (arg2[10]), (arg3[10])) - var x12 uint32 - cmovznzU32(&x12, arg1, (arg2[11]), (arg3[11])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 - out1[9] = x10 - out1[10] = x11 - out1[11] = x12 + var x1 uint32 + cmovznzU32(&x1, arg1, arg2[0], arg3[0]) + var x2 uint32 + cmovznzU32(&x2, arg1, arg2[1], arg3[1]) + var x3 uint32 + cmovznzU32(&x3, arg1, arg2[2], arg3[2]) + var x4 uint32 + cmovznzU32(&x4, arg1, arg2[3], arg3[3]) + var x5 uint32 + cmovznzU32(&x5, arg1, arg2[4], arg3[4]) + var x6 uint32 + cmovznzU32(&x6, arg1, arg2[5], arg3[5]) + var x7 uint32 + cmovznzU32(&x7, arg1, arg2[6], arg3[6]) + var x8 uint32 + cmovznzU32(&x8, arg1, arg2[7], arg3[7]) + var x9 uint32 + cmovznzU32(&x9, arg1, arg2[8], arg3[8]) + var x10 uint32 + cmovznzU32(&x10, arg1, arg2[9], arg3[9]) + var x11 uint32 + cmovznzU32(&x11, arg1, arg2[10], arg3[10]) + var x12 uint32 + cmovznzU32(&x12, arg1, arg2[11], arg3[11]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 + out1[9] = x10 + out1[10] = x11 + out1[11] = x12 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[48]uint8, arg1 *[12]uint32) { - var x1 uint32 = (arg1[11]) - var x2 uint32 = (arg1[10]) - var x3 uint32 = (arg1[9]) - var x4 uint32 = (arg1[8]) - var x5 uint32 = (arg1[7]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[5]) - var x8 uint32 = (arg1[4]) - var x9 uint32 = (arg1[3]) - var x10 uint32 = (arg1[2]) - var x11 uint32 = (arg1[1]) - var x12 uint32 = (arg1[0]) - var x13 uint8 = (uint8(x12) & 0xff) - var x14 uint32 = (x12 >> 8) - var x15 uint8 = (uint8(x14) & 0xff) - var x16 uint32 = (x14 >> 8) - var x17 uint8 = (uint8(x16) & 0xff) - var x18 uint8 = uint8((x16 >> 8)) - var x19 uint8 = (uint8(x11) & 0xff) - var x20 uint32 = (x11 >> 8) - var x21 uint8 = (uint8(x20) & 0xff) - var x22 uint32 = (x20 >> 8) - var x23 uint8 = (uint8(x22) & 0xff) - var x24 uint8 = uint8((x22 >> 8)) - 
var x25 uint8 = (uint8(x10) & 0xff) - var x26 uint32 = (x10 >> 8) - var x27 uint8 = (uint8(x26) & 0xff) - var x28 uint32 = (x26 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint8 = uint8((x28 >> 8)) - var x31 uint8 = (uint8(x9) & 0xff) - var x32 uint32 = (x9 >> 8) - var x33 uint8 = (uint8(x32) & 0xff) - var x34 uint32 = (x32 >> 8) - var x35 uint8 = (uint8(x34) & 0xff) - var x36 uint8 = uint8((x34 >> 8)) - var x37 uint8 = (uint8(x8) & 0xff) - var x38 uint32 = (x8 >> 8) - var x39 uint8 = (uint8(x38) & 0xff) - var x40 uint32 = (x38 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint8 = uint8((x40 >> 8)) - var x43 uint8 = (uint8(x7) & 0xff) - var x44 uint32 = (x7 >> 8) - var x45 uint8 = (uint8(x44) & 0xff) - var x46 uint32 = (x44 >> 8) - var x47 uint8 = (uint8(x46) & 0xff) - var x48 uint8 = uint8((x46 >> 8)) - var x49 uint8 = (uint8(x6) & 0xff) - var x50 uint32 = (x6 >> 8) - var x51 uint8 = (uint8(x50) & 0xff) - var x52 uint32 = (x50 >> 8) - var x53 uint8 = (uint8(x52) & 0xff) - var x54 uint8 = uint8((x52 >> 8)) - var x55 uint8 = (uint8(x5) & 0xff) - var x56 uint32 = (x5 >> 8) - var x57 uint8 = (uint8(x56) & 0xff) - var x58 uint32 = (x56 >> 8) - var x59 uint8 = (uint8(x58) & 0xff) - var x60 uint8 = uint8((x58 >> 8)) - var x61 uint8 = (uint8(x4) & 0xff) - var x62 uint32 = (x4 >> 8) - var x63 uint8 = (uint8(x62) & 0xff) - var x64 uint32 = (x62 >> 8) - var x65 uint8 = (uint8(x64) & 0xff) - var x66 uint8 = uint8((x64 >> 8)) - var x67 uint8 = (uint8(x3) & 0xff) - var x68 uint32 = (x3 >> 8) - var x69 uint8 = (uint8(x68) & 0xff) - var x70 uint32 = (x68 >> 8) - var x71 uint8 = (uint8(x70) & 0xff) - var x72 uint8 = uint8((x70 >> 8)) - var x73 uint8 = (uint8(x2) & 0xff) - var x74 uint32 = (x2 >> 8) - var x75 uint8 = (uint8(x74) & 0xff) - var x76 uint32 = (x74 >> 8) - var x77 uint8 = (uint8(x76) & 0xff) - var x78 uint8 = uint8((x76 >> 8)) - var x79 uint8 = (uint8(x1) & 0xff) - var x80 uint32 = (x1 >> 8) - var x81 uint8 = (uint8(x80) & 0xff) - var x82 uint32 = (x80 
>> 8) - var x83 uint8 = (uint8(x82) & 0xff) - var x84 uint8 = uint8((x82 >> 8)) - out1[0] = x13 - out1[1] = x15 - out1[2] = x17 - out1[3] = x18 - out1[4] = x19 - out1[5] = x21 - out1[6] = x23 - out1[7] = x24 - out1[8] = x25 - out1[9] = x27 - out1[10] = x29 - out1[11] = x30 - out1[12] = x31 - out1[13] = x33 - out1[14] = x35 - out1[15] = x36 - out1[16] = x37 - out1[17] = x39 - out1[18] = x41 - out1[19] = x42 - out1[20] = x43 - out1[21] = x45 - out1[22] = x47 - out1[23] = x48 - out1[24] = x49 - out1[25] = x51 - out1[26] = x53 - out1[27] = x54 - out1[28] = x55 - out1[29] = x57 - out1[30] = x59 - out1[31] = x60 - out1[32] = x61 - out1[33] = x63 - out1[34] = x65 - out1[35] = x66 - out1[36] = x67 - out1[37] = x69 - out1[38] = x71 - out1[39] = x72 - out1[40] = x73 - out1[41] = x75 - out1[42] = x77 - out1[43] = x78 - out1[44] = x79 - out1[45] = x81 - out1[46] = x83 - out1[47] = x84 + x1 := arg1[11] + x2 := arg1[10] + x3 := arg1[9] + x4 := arg1[8] + x5 := arg1[7] + x6 := arg1[6] + x7 := arg1[5] + x8 := arg1[4] + x9 := arg1[3] + x10 := arg1[2] + x11 := arg1[1] + x12 := arg1[0] + x13 := (uint8(x12) & 0xff) + x14 := (x12 >> 8) + x15 := (uint8(x14) & 0xff) + x16 := (x14 >> 8) + x17 := (uint8(x16) & 0xff) + x18 := uint8((x16 >> 8)) + x19 := (uint8(x11) & 0xff) + x20 := (x11 >> 8) + x21 := (uint8(x20) & 0xff) + x22 := (x20 >> 8) + x23 := (uint8(x22) & 0xff) + x24 := uint8((x22 >> 8)) + x25 := (uint8(x10) & 0xff) + x26 := (x10 >> 8) + x27 := (uint8(x26) & 0xff) + x28 := (x26 >> 8) + x29 := (uint8(x28) & 0xff) + x30 := uint8((x28 >> 8)) + x31 := (uint8(x9) & 0xff) + x32 := (x9 >> 8) + x33 := (uint8(x32) & 0xff) + x34 := (x32 >> 8) + x35 := (uint8(x34) & 0xff) + x36 := uint8((x34 >> 8)) + x37 := (uint8(x8) & 0xff) + x38 := (x8 >> 8) + x39 := (uint8(x38) & 0xff) + x40 := (x38 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := uint8((x40 >> 8)) + x43 := (uint8(x7) & 0xff) + x44 := (x7 >> 8) + x45 := (uint8(x44) & 0xff) + x46 := (x44 >> 8) + x47 := (uint8(x46) & 0xff) + x48 := uint8((x46 >> 
8)) + x49 := (uint8(x6) & 0xff) + x50 := (x6 >> 8) + x51 := (uint8(x50) & 0xff) + x52 := (x50 >> 8) + x53 := (uint8(x52) & 0xff) + x54 := uint8((x52 >> 8)) + x55 := (uint8(x5) & 0xff) + x56 := (x5 >> 8) + x57 := (uint8(x56) & 0xff) + x58 := (x56 >> 8) + x59 := (uint8(x58) & 0xff) + x60 := uint8((x58 >> 8)) + x61 := (uint8(x4) & 0xff) + x62 := (x4 >> 8) + x63 := (uint8(x62) & 0xff) + x64 := (x62 >> 8) + x65 := (uint8(x64) & 0xff) + x66 := uint8((x64 >> 8)) + x67 := (uint8(x3) & 0xff) + x68 := (x3 >> 8) + x69 := (uint8(x68) & 0xff) + x70 := (x68 >> 8) + x71 := (uint8(x70) & 0xff) + x72 := uint8((x70 >> 8)) + x73 := (uint8(x2) & 0xff) + x74 := (x2 >> 8) + x75 := (uint8(x74) & 0xff) + x76 := (x74 >> 8) + x77 := (uint8(x76) & 0xff) + x78 := uint8((x76 >> 8)) + x79 := (uint8(x1) & 0xff) + x80 := (x1 >> 8) + x81 := (uint8(x80) & 0xff) + x82 := (x80 >> 8) + x83 := (uint8(x82) & 0xff) + x84 := uint8((x82 >> 8)) + out1[0] = x13 + out1[1] = x15 + out1[2] = x17 + out1[3] = x18 + out1[4] = x19 + out1[5] = x21 + out1[6] = x23 + out1[7] = x24 + out1[8] = x25 + out1[9] = x27 + out1[10] = x29 + out1[11] = x30 + out1[12] = x31 + out1[13] = x33 + out1[14] = x35 + out1[15] = x36 + out1[16] = x37 + out1[17] = x39 + out1[18] = x41 + out1[19] = x42 + out1[20] = x43 + out1[21] = x45 + out1[22] = x47 + out1[23] = x48 + out1[24] = x49 + out1[25] = x51 + out1[26] = x53 + out1[27] = x54 + out1[28] = x55 + out1[29] = x57 + out1[30] = x59 + out1[31] = x60 + out1[32] = x61 + out1[33] = x63 + out1[34] = x65 + out1[35] = x66 + out1[36] = x67 + out1[37] = x69 + out1[38] = x71 + out1[39] = x72 + out1[40] = x73 + out1[41] = x75 + out1[42] = x77 + out1[43] = x78 + out1[44] = x79 + out1[45] = x81 + out1[46] = x83 + out1[47] = x84 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
- Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromBytes(out1 *[12]uint32, arg1 *[48]uint8) { - var x1 uint32 = (uint32((arg1[47])) << 24) - var x2 uint32 = (uint32((arg1[46])) << 16) - var x3 uint32 = (uint32((arg1[45])) << 8) - var x4 uint8 = (arg1[44]) - var x5 uint32 = (uint32((arg1[43])) << 24) - var x6 uint32 = (uint32((arg1[42])) << 16) - var x7 uint32 = (uint32((arg1[41])) << 8) - var x8 uint8 = (arg1[40]) - var x9 uint32 = (uint32((arg1[39])) << 24) - var x10 uint32 = (uint32((arg1[38])) << 16) - var x11 uint32 = (uint32((arg1[37])) << 8) - var x12 uint8 = (arg1[36]) - var x13 uint32 = (uint32((arg1[35])) << 24) - var x14 uint32 = (uint32((arg1[34])) << 16) - var x15 uint32 = (uint32((arg1[33])) << 8) - var x16 uint8 = (arg1[32]) - var x17 uint32 = (uint32((arg1[31])) << 24) - var x18 uint32 = (uint32((arg1[30])) << 16) - var x19 uint32 = 
(uint32((arg1[29])) << 8) - var x20 uint8 = (arg1[28]) - var x21 uint32 = (uint32((arg1[27])) << 24) - var x22 uint32 = (uint32((arg1[26])) << 16) - var x23 uint32 = (uint32((arg1[25])) << 8) - var x24 uint8 = (arg1[24]) - var x25 uint32 = (uint32((arg1[23])) << 24) - var x26 uint32 = (uint32((arg1[22])) << 16) - var x27 uint32 = (uint32((arg1[21])) << 8) - var x28 uint8 = (arg1[20]) - var x29 uint32 = (uint32((arg1[19])) << 24) - var x30 uint32 = (uint32((arg1[18])) << 16) - var x31 uint32 = (uint32((arg1[17])) << 8) - var x32 uint8 = (arg1[16]) - var x33 uint32 = (uint32((arg1[15])) << 24) - var x34 uint32 = (uint32((arg1[14])) << 16) - var x35 uint32 = (uint32((arg1[13])) << 8) - var x36 uint8 = (arg1[12]) - var x37 uint32 = (uint32((arg1[11])) << 24) - var x38 uint32 = (uint32((arg1[10])) << 16) - var x39 uint32 = (uint32((arg1[9])) << 8) - var x40 uint8 = (arg1[8]) - var x41 uint32 = (uint32((arg1[7])) << 24) - var x42 uint32 = (uint32((arg1[6])) << 16) - var x43 uint32 = (uint32((arg1[5])) << 8) - var x44 uint8 = (arg1[4]) - var x45 uint32 = (uint32((arg1[3])) << 24) - var x46 uint32 = (uint32((arg1[2])) << 16) - var x47 uint32 = (uint32((arg1[1])) << 8) - var x48 uint8 = (arg1[0]) - var x49 uint32 = (x47 + uint32(x48)) - var x50 uint32 = (x46 + x49) - var x51 uint32 = (x45 + x50) - var x52 uint32 = (x43 + uint32(x44)) - var x53 uint32 = (x42 + x52) - var x54 uint32 = (x41 + x53) - var x55 uint32 = (x39 + uint32(x40)) - var x56 uint32 = (x38 + x55) - var x57 uint32 = (x37 + x56) - var x58 uint32 = (x35 + uint32(x36)) - var x59 uint32 = (x34 + x58) - var x60 uint32 = (x33 + x59) - var x61 uint32 = (x31 + uint32(x32)) - var x62 uint32 = (x30 + x61) - var x63 uint32 = (x29 + x62) - var x64 uint32 = (x27 + uint32(x28)) - var x65 uint32 = (x26 + x64) - var x66 uint32 = (x25 + x65) - var x67 uint32 = (x23 + uint32(x24)) - var x68 uint32 = (x22 + x67) - var x69 uint32 = (x21 + x68) - var x70 uint32 = (x19 + uint32(x20)) - var x71 uint32 = (x18 + x70) - var x72 
uint32 = (x17 + x71) - var x73 uint32 = (x15 + uint32(x16)) - var x74 uint32 = (x14 + x73) - var x75 uint32 = (x13 + x74) - var x76 uint32 = (x11 + uint32(x12)) - var x77 uint32 = (x10 + x76) - var x78 uint32 = (x9 + x77) - var x79 uint32 = (x7 + uint32(x8)) - var x80 uint32 = (x6 + x79) - var x81 uint32 = (x5 + x80) - var x82 uint32 = (x3 + uint32(x4)) - var x83 uint32 = (x2 + x82) - var x84 uint32 = (x1 + x83) - out1[0] = x51 - out1[1] = x54 - out1[2] = x57 - out1[3] = x60 - out1[4] = x63 - out1[5] = x66 - out1[6] = x69 - out1[7] = x72 - out1[8] = x75 - out1[9] = x78 - out1[10] = x81 - out1[11] = x84 + x1 := (uint32(arg1[47]) << 24) + x2 := (uint32(arg1[46]) << 16) + x3 := (uint32(arg1[45]) << 8) + x4 := arg1[44] + x5 := (uint32(arg1[43]) << 24) + x6 := (uint32(arg1[42]) << 16) + x7 := (uint32(arg1[41]) << 8) + x8 := arg1[40] + x9 := (uint32(arg1[39]) << 24) + x10 := (uint32(arg1[38]) << 16) + x11 := (uint32(arg1[37]) << 8) + x12 := arg1[36] + x13 := (uint32(arg1[35]) << 24) + x14 := (uint32(arg1[34]) << 16) + x15 := (uint32(arg1[33]) << 8) + x16 := arg1[32] + x17 := (uint32(arg1[31]) << 24) + x18 := (uint32(arg1[30]) << 16) + x19 := (uint32(arg1[29]) << 8) + x20 := arg1[28] + x21 := (uint32(arg1[27]) << 24) + x22 := (uint32(arg1[26]) << 16) + x23 := (uint32(arg1[25]) << 8) + x24 := arg1[24] + x25 := (uint32(arg1[23]) << 24) + x26 := (uint32(arg1[22]) << 16) + x27 := (uint32(arg1[21]) << 8) + x28 := arg1[20] + x29 := (uint32(arg1[19]) << 24) + x30 := (uint32(arg1[18]) << 16) + x31 := (uint32(arg1[17]) << 8) + x32 := arg1[16] + x33 := (uint32(arg1[15]) << 24) + x34 := (uint32(arg1[14]) << 16) + x35 := (uint32(arg1[13]) << 8) + x36 := arg1[12] + x37 := (uint32(arg1[11]) << 24) + x38 := (uint32(arg1[10]) << 16) + x39 := (uint32(arg1[9]) << 8) + x40 := arg1[8] + x41 := (uint32(arg1[7]) << 24) + x42 := (uint32(arg1[6]) << 16) + x43 := (uint32(arg1[5]) << 8) + x44 := arg1[4] + x45 := (uint32(arg1[3]) << 24) + x46 := (uint32(arg1[2]) << 16) + x47 := (uint32(arg1[1]) << 
8) + x48 := arg1[0] + x49 := (x47 + uint32(x48)) + x50 := (x46 + x49) + x51 := (x45 + x50) + x52 := (x43 + uint32(x44)) + x53 := (x42 + x52) + x54 := (x41 + x53) + x55 := (x39 + uint32(x40)) + x56 := (x38 + x55) + x57 := (x37 + x56) + x58 := (x35 + uint32(x36)) + x59 := (x34 + x58) + x60 := (x33 + x59) + x61 := (x31 + uint32(x32)) + x62 := (x30 + x61) + x63 := (x29 + x62) + x64 := (x27 + uint32(x28)) + x65 := (x26 + x64) + x66 := (x25 + x65) + x67 := (x23 + uint32(x24)) + x68 := (x22 + x67) + x69 := (x21 + x68) + x70 := (x19 + uint32(x20)) + x71 := (x18 + x70) + x72 := (x17 + x71) + x73 := (x15 + uint32(x16)) + x74 := (x14 + x73) + x75 := (x13 + x74) + x76 := (x11 + uint32(x12)) + x77 := (x10 + x76) + x78 := (x9 + x77) + x79 := (x7 + uint32(x8)) + x80 := (x6 + x79) + x81 := (x5 + x80) + x82 := (x3 + uint32(x4)) + x83 := (x2 + x82) + x84 := (x1 + x83) + out1[0] = x51 + out1[1] = x54 + out1[2] = x57 + out1[3] = x60 + out1[4] = x63 + out1[5] = x66 + out1[6] = x69 + out1[7] = x72 + out1[8] = x75 + out1[9] = x78 + out1[10] = x81 + out1[11] = x84 } -/* - The function SetOne returns the field element one in the Montgomery domain. - Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. 
+// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func SetOne(out1 *[12]uint32) { - out1[0] = uint32(0x1) - out1[1] = 0xffffffff - out1[2] = 0xffffffff - out1[3] = uint32(0x0) - out1[4] = uint32(0x1) - out1[5] = uint32(0x0) - out1[6] = uint32(0x0) - out1[7] = uint32(0x0) - out1[8] = uint32(0x0) - out1[9] = uint32(0x0) - out1[10] = uint32(0x0) - out1[11] = uint32(0x0) + out1[0] = uint32(0x1) + out1[1] = 0xffffffff + out1[2] = 0xffffffff + out1[3] = uint32(0x0) + out1[4] = uint32(0x1) + out1[5] = uint32(0x0) + out1[6] = uint32(0x0) + out1[7] = uint32(0x0) + out1[8] = uint32(0x0) + out1[9] = uint32(0x0) + out1[10] = uint32(0x0) + out1[11] = uint32(0x0) } -/* - The function Msat returns the saturated representation of the prime modulus. - Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. 
+// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Msat(out1 *[13]uint32) { - out1[0] = 0xffffffff - out1[1] = uint32(0x0) - out1[2] = uint32(0x0) - out1[3] = 0xffffffff - out1[4] = 0xfffffffe - out1[5] = 0xffffffff - out1[6] = 0xffffffff - out1[7] = 0xffffffff - out1[8] = 0xffffffff - out1[9] = 0xffffffff - out1[10] = 0xffffffff - out1[11] = 0xffffffff - out1[12] = uint32(0x0) + out1[0] = 0xffffffff + out1[1] = uint32(0x0) + out1[2] = uint32(0x0) + out1[3] = 0xffffffff + out1[4] = 0xfffffffe + out1[5] = 0xffffffff + out1[6] = 0xffffffff + out1[7] = 0xffffffff + out1[8] = 0xffffffff + out1[9] = 0xffffffff + out1[10] = 0xffffffff + out1[11] = 0xffffffff + out1[12] = uint32(0x0) } -/* - The function Divstep computes a divstep. 
- Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffff] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 
0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. 
+// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffff] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// 
arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] +// out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Divstep(out1 *uint32, out2 *[13]uint32, out3 *[13]uint32, out4 *[12]uint32, out5 *[12]uint32, arg1 uint32, arg2 *[13]uint32, arg3 *[13]uint32, arg4 *[12]uint32, arg5 *[12]uint32) { - var x1 uint32 - x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 31)) & (uint1((arg3[0])) & 0x1)) - var x4 uint32 - x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x6 uint32 - cmovznzU32(&x6, x3, arg1, x4) - var x7 uint32 - cmovznzU32(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint32 - cmovznzU32(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint32 - cmovznzU32(&x9, x3, 
(arg2[2]), (arg3[2])) - var x10 uint32 - cmovznzU32(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint32 - cmovznzU32(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint32 - cmovznzU32(&x12, x3, (arg2[5]), (arg3[5])) - var x13 uint32 - cmovznzU32(&x13, x3, (arg2[6]), (arg3[6])) - var x14 uint32 - cmovznzU32(&x14, x3, (arg2[7]), (arg3[7])) - var x15 uint32 - cmovznzU32(&x15, x3, (arg2[8]), (arg3[8])) - var x16 uint32 - cmovznzU32(&x16, x3, (arg2[9]), (arg3[9])) - var x17 uint32 - cmovznzU32(&x17, x3, (arg2[10]), (arg3[10])) - var x18 uint32 - cmovznzU32(&x18, x3, (arg2[11]), (arg3[11])) - var x19 uint32 - cmovznzU32(&x19, x3, (arg2[12]), (arg3[12])) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(uint32(0x1), (^(arg2[0])), 0x0) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(uint32(0x0), (^(arg2[1])), x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(uint32(0x0), (^(arg2[2])), x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(uint32(0x0), (^(arg2[3])), x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(uint32(0x0), (^(arg2[4])), x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(uint32(0x0), (^(arg2[5])), x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(uint32(0x0), (^(arg2[6])), x31) - var x34 uint32 - var x35 uint1 - x34, x35 = addcarryxU32(uint32(0x0), (^(arg2[7])), x33) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(uint32(0x0), (^(arg2[8])), x35) - var x38 uint32 - var x39 uint1 - x38, x39 = addcarryxU32(uint32(0x0), (^(arg2[9])), x37) - var x40 uint32 - var x41 uint1 - x40, x41 = addcarryxU32(uint32(0x0), (^(arg2[10])), x39) - var x42 uint32 - var x43 uint1 - x42, x43 = addcarryxU32(uint32(0x0), (^(arg2[11])), x41) - var x44 uint32 - x44, _ = addcarryxU32(uint32(0x0), (^(arg2[12])), x43) - var x46 uint32 - cmovznzU32(&x46, x3, (arg3[0]), x20) - var x47 uint32 - cmovznzU32(&x47, x3, (arg3[1]), x22) - var x48 uint32 - cmovznzU32(&x48, x3, (arg3[2]), x24) - var x49 
uint32 - cmovznzU32(&x49, x3, (arg3[3]), x26) - var x50 uint32 - cmovznzU32(&x50, x3, (arg3[4]), x28) - var x51 uint32 - cmovznzU32(&x51, x3, (arg3[5]), x30) - var x52 uint32 - cmovznzU32(&x52, x3, (arg3[6]), x32) - var x53 uint32 - cmovznzU32(&x53, x3, (arg3[7]), x34) - var x54 uint32 - cmovznzU32(&x54, x3, (arg3[8]), x36) - var x55 uint32 - cmovznzU32(&x55, x3, (arg3[9]), x38) - var x56 uint32 - cmovznzU32(&x56, x3, (arg3[10]), x40) - var x57 uint32 - cmovznzU32(&x57, x3, (arg3[11]), x42) - var x58 uint32 - cmovznzU32(&x58, x3, (arg3[12]), x44) - var x59 uint32 - cmovznzU32(&x59, x3, (arg4[0]), (arg5[0])) - var x60 uint32 - cmovznzU32(&x60, x3, (arg4[1]), (arg5[1])) - var x61 uint32 - cmovznzU32(&x61, x3, (arg4[2]), (arg5[2])) - var x62 uint32 - cmovznzU32(&x62, x3, (arg4[3]), (arg5[3])) - var x63 uint32 - cmovznzU32(&x63, x3, (arg4[4]), (arg5[4])) - var x64 uint32 - cmovznzU32(&x64, x3, (arg4[5]), (arg5[5])) - var x65 uint32 - cmovznzU32(&x65, x3, (arg4[6]), (arg5[6])) - var x66 uint32 - cmovznzU32(&x66, x3, (arg4[7]), (arg5[7])) - var x67 uint32 - cmovznzU32(&x67, x3, (arg4[8]), (arg5[8])) - var x68 uint32 - cmovznzU32(&x68, x3, (arg4[9]), (arg5[9])) - var x69 uint32 - cmovznzU32(&x69, x3, (arg4[10]), (arg5[10])) - var x70 uint32 - cmovznzU32(&x70, x3, (arg4[11]), (arg5[11])) - var x71 uint32 - var x72 uint1 - x71, x72 = addcarryxU32(x59, x59, 0x0) - var x73 uint32 - var x74 uint1 - x73, x74 = addcarryxU32(x60, x60, x72) - var x75 uint32 - var x76 uint1 - x75, x76 = addcarryxU32(x61, x61, x74) - var x77 uint32 - var x78 uint1 - x77, x78 = addcarryxU32(x62, x62, x76) - var x79 uint32 - var x80 uint1 - x79, x80 = addcarryxU32(x63, x63, x78) - var x81 uint32 - var x82 uint1 - x81, x82 = addcarryxU32(x64, x64, x80) - var x83 uint32 - var x84 uint1 - x83, x84 = addcarryxU32(x65, x65, x82) - var x85 uint32 - var x86 uint1 - x85, x86 = addcarryxU32(x66, x66, x84) - var x87 uint32 - var x88 uint1 - x87, x88 = addcarryxU32(x67, x67, x86) - var x89 uint32 - var x90 uint1 
- x89, x90 = addcarryxU32(x68, x68, x88) - var x91 uint32 - var x92 uint1 - x91, x92 = addcarryxU32(x69, x69, x90) - var x93 uint32 - var x94 uint1 - x93, x94 = addcarryxU32(x70, x70, x92) - var x95 uint32 - var x96 uint1 - x95, x96 = subborrowxU32(x71, 0xffffffff, 0x0) - var x97 uint32 - var x98 uint1 - x97, x98 = subborrowxU32(x73, uint32(0x0), x96) - var x99 uint32 - var x100 uint1 - x99, x100 = subborrowxU32(x75, uint32(0x0), x98) - var x101 uint32 - var x102 uint1 - x101, x102 = subborrowxU32(x77, 0xffffffff, x100) - var x103 uint32 - var x104 uint1 - x103, x104 = subborrowxU32(x79, 0xfffffffe, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = subborrowxU32(x81, 0xffffffff, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = subborrowxU32(x83, 0xffffffff, x106) - var x109 uint32 - var x110 uint1 - x109, x110 = subborrowxU32(x85, 0xffffffff, x108) - var x111 uint32 - var x112 uint1 - x111, x112 = subborrowxU32(x87, 0xffffffff, x110) - var x113 uint32 - var x114 uint1 - x113, x114 = subborrowxU32(x89, 0xffffffff, x112) - var x115 uint32 - var x116 uint1 - x115, x116 = subborrowxU32(x91, 0xffffffff, x114) - var x117 uint32 - var x118 uint1 - x117, x118 = subborrowxU32(x93, 0xffffffff, x116) - var x120 uint1 - _, x120 = subborrowxU32(uint32(x94), uint32(0x0), x118) - var x121 uint32 = (arg4[11]) - var x122 uint32 = (arg4[10]) - var x123 uint32 = (arg4[9]) - var x124 uint32 = (arg4[8]) - var x125 uint32 = (arg4[7]) - var x126 uint32 = (arg4[6]) - var x127 uint32 = (arg4[5]) - var x128 uint32 = (arg4[4]) - var x129 uint32 = (arg4[3]) - var x130 uint32 = (arg4[2]) - var x131 uint32 = (arg4[1]) - var x132 uint32 = (arg4[0]) - var x133 uint32 - var x134 uint1 - x133, x134 = subborrowxU32(uint32(0x0), x132, 0x0) - var x135 uint32 - var x136 uint1 - x135, x136 = subborrowxU32(uint32(0x0), x131, x134) - var x137 uint32 - var x138 uint1 - x137, x138 = subborrowxU32(uint32(0x0), x130, x136) - var x139 uint32 - var x140 uint1 - x139, x140 = 
subborrowxU32(uint32(0x0), x129, x138) - var x141 uint32 - var x142 uint1 - x141, x142 = subborrowxU32(uint32(0x0), x128, x140) - var x143 uint32 - var x144 uint1 - x143, x144 = subborrowxU32(uint32(0x0), x127, x142) - var x145 uint32 - var x146 uint1 - x145, x146 = subborrowxU32(uint32(0x0), x126, x144) - var x147 uint32 - var x148 uint1 - x147, x148 = subborrowxU32(uint32(0x0), x125, x146) - var x149 uint32 - var x150 uint1 - x149, x150 = subborrowxU32(uint32(0x0), x124, x148) - var x151 uint32 - var x152 uint1 - x151, x152 = subborrowxU32(uint32(0x0), x123, x150) - var x153 uint32 - var x154 uint1 - x153, x154 = subborrowxU32(uint32(0x0), x122, x152) - var x155 uint32 - var x156 uint1 - x155, x156 = subborrowxU32(uint32(0x0), x121, x154) - var x157 uint32 - cmovznzU32(&x157, x156, uint32(0x0), 0xffffffff) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x133, x157, 0x0) - var x160 uint32 - var x161 uint1 - x160, x161 = addcarryxU32(x135, uint32(0x0), x159) - var x162 uint32 - var x163 uint1 - x162, x163 = addcarryxU32(x137, uint32(0x0), x161) - var x164 uint32 - var x165 uint1 - x164, x165 = addcarryxU32(x139, x157, x163) - var x166 uint32 - var x167 uint1 - x166, x167 = addcarryxU32(x141, (x157 & 0xfffffffe), x165) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x143, x157, x167) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x145, x157, x169) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x147, x157, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x149, x157, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x151, x157, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x153, x157, x177) - var x180 uint32 - x180, _ = addcarryxU32(x155, x157, x179) - var x182 uint32 - cmovznzU32(&x182, x3, (arg5[0]), x158) - var x183 uint32 - cmovznzU32(&x183, x3, (arg5[1]), x160) - var x184 uint32 - cmovznzU32(&x184, x3, (arg5[2]), x162) - var x185 uint32 - 
cmovznzU32(&x185, x3, (arg5[3]), x164) - var x186 uint32 - cmovznzU32(&x186, x3, (arg5[4]), x166) - var x187 uint32 - cmovznzU32(&x187, x3, (arg5[5]), x168) - var x188 uint32 - cmovznzU32(&x188, x3, (arg5[6]), x170) - var x189 uint32 - cmovznzU32(&x189, x3, (arg5[7]), x172) - var x190 uint32 - cmovznzU32(&x190, x3, (arg5[8]), x174) - var x191 uint32 - cmovznzU32(&x191, x3, (arg5[9]), x176) - var x192 uint32 - cmovznzU32(&x192, x3, (arg5[10]), x178) - var x193 uint32 - cmovznzU32(&x193, x3, (arg5[11]), x180) - var x194 uint1 = (uint1(x46) & 0x1) - var x195 uint32 - cmovznzU32(&x195, x194, uint32(0x0), x7) - var x196 uint32 - cmovznzU32(&x196, x194, uint32(0x0), x8) - var x197 uint32 - cmovznzU32(&x197, x194, uint32(0x0), x9) - var x198 uint32 - cmovznzU32(&x198, x194, uint32(0x0), x10) - var x199 uint32 - cmovznzU32(&x199, x194, uint32(0x0), x11) - var x200 uint32 - cmovznzU32(&x200, x194, uint32(0x0), x12) - var x201 uint32 - cmovznzU32(&x201, x194, uint32(0x0), x13) - var x202 uint32 - cmovznzU32(&x202, x194, uint32(0x0), x14) - var x203 uint32 - cmovznzU32(&x203, x194, uint32(0x0), x15) - var x204 uint32 - cmovznzU32(&x204, x194, uint32(0x0), x16) - var x205 uint32 - cmovznzU32(&x205, x194, uint32(0x0), x17) - var x206 uint32 - cmovznzU32(&x206, x194, uint32(0x0), x18) - var x207 uint32 - cmovznzU32(&x207, x194, uint32(0x0), x19) - var x208 uint32 - var x209 uint1 - x208, x209 = addcarryxU32(x46, x195, 0x0) - var x210 uint32 - var x211 uint1 - x210, x211 = addcarryxU32(x47, x196, x209) - var x212 uint32 - var x213 uint1 - x212, x213 = addcarryxU32(x48, x197, x211) - var x214 uint32 - var x215 uint1 - x214, x215 = addcarryxU32(x49, x198, x213) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x50, x199, x215) - var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x51, x200, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x52, x201, x219) - var x222 uint32 - var x223 uint1 - x222, x223 = addcarryxU32(x53, x202, x221) - var 
x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x54, x203, x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x55, x204, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x56, x205, x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x57, x206, x229) - var x232 uint32 - x232, _ = addcarryxU32(x58, x207, x231) - var x234 uint32 - cmovznzU32(&x234, x194, uint32(0x0), x59) - var x235 uint32 - cmovznzU32(&x235, x194, uint32(0x0), x60) - var x236 uint32 - cmovznzU32(&x236, x194, uint32(0x0), x61) - var x237 uint32 - cmovznzU32(&x237, x194, uint32(0x0), x62) - var x238 uint32 - cmovznzU32(&x238, x194, uint32(0x0), x63) - var x239 uint32 - cmovznzU32(&x239, x194, uint32(0x0), x64) - var x240 uint32 - cmovznzU32(&x240, x194, uint32(0x0), x65) - var x241 uint32 - cmovznzU32(&x241, x194, uint32(0x0), x66) - var x242 uint32 - cmovznzU32(&x242, x194, uint32(0x0), x67) - var x243 uint32 - cmovznzU32(&x243, x194, uint32(0x0), x68) - var x244 uint32 - cmovznzU32(&x244, x194, uint32(0x0), x69) - var x245 uint32 - cmovznzU32(&x245, x194, uint32(0x0), x70) - var x246 uint32 - var x247 uint1 - x246, x247 = addcarryxU32(x182, x234, 0x0) - var x248 uint32 - var x249 uint1 - x248, x249 = addcarryxU32(x183, x235, x247) - var x250 uint32 - var x251 uint1 - x250, x251 = addcarryxU32(x184, x236, x249) - var x252 uint32 - var x253 uint1 - x252, x253 = addcarryxU32(x185, x237, x251) - var x254 uint32 - var x255 uint1 - x254, x255 = addcarryxU32(x186, x238, x253) - var x256 uint32 - var x257 uint1 - x256, x257 = addcarryxU32(x187, x239, x255) - var x258 uint32 - var x259 uint1 - x258, x259 = addcarryxU32(x188, x240, x257) - var x260 uint32 - var x261 uint1 - x260, x261 = addcarryxU32(x189, x241, x259) - var x262 uint32 - var x263 uint1 - x262, x263 = addcarryxU32(x190, x242, x261) - var x264 uint32 - var x265 uint1 - x264, x265 = addcarryxU32(x191, x243, x263) - var x266 uint32 - var x267 uint1 - x266, x267 = addcarryxU32(x192, 
x244, x265) - var x268 uint32 - var x269 uint1 - x268, x269 = addcarryxU32(x193, x245, x267) - var x270 uint32 - var x271 uint1 - x270, x271 = subborrowxU32(x246, 0xffffffff, 0x0) - var x272 uint32 - var x273 uint1 - x272, x273 = subborrowxU32(x248, uint32(0x0), x271) - var x274 uint32 - var x275 uint1 - x274, x275 = subborrowxU32(x250, uint32(0x0), x273) - var x276 uint32 - var x277 uint1 - x276, x277 = subborrowxU32(x252, 0xffffffff, x275) - var x278 uint32 - var x279 uint1 - x278, x279 = subborrowxU32(x254, 0xfffffffe, x277) - var x280 uint32 - var x281 uint1 - x280, x281 = subborrowxU32(x256, 0xffffffff, x279) - var x282 uint32 - var x283 uint1 - x282, x283 = subborrowxU32(x258, 0xffffffff, x281) - var x284 uint32 - var x285 uint1 - x284, x285 = subborrowxU32(x260, 0xffffffff, x283) - var x286 uint32 - var x287 uint1 - x286, x287 = subborrowxU32(x262, 0xffffffff, x285) - var x288 uint32 - var x289 uint1 - x288, x289 = subborrowxU32(x264, 0xffffffff, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = subborrowxU32(x266, 0xffffffff, x289) - var x292 uint32 - var x293 uint1 - x292, x293 = subborrowxU32(x268, 0xffffffff, x291) - var x295 uint1 - _, x295 = subborrowxU32(uint32(x269), uint32(0x0), x293) - var x296 uint32 - x296, _ = addcarryxU32(x6, uint32(0x1), 0x0) - var x298 uint32 = ((x208 >> 1) | ((x210 << 31) & 0xffffffff)) - var x299 uint32 = ((x210 >> 1) | ((x212 << 31) & 0xffffffff)) - var x300 uint32 = ((x212 >> 1) | ((x214 << 31) & 0xffffffff)) - var x301 uint32 = ((x214 >> 1) | ((x216 << 31) & 0xffffffff)) - var x302 uint32 = ((x216 >> 1) | ((x218 << 31) & 0xffffffff)) - var x303 uint32 = ((x218 >> 1) | ((x220 << 31) & 0xffffffff)) - var x304 uint32 = ((x220 >> 1) | ((x222 << 31) & 0xffffffff)) - var x305 uint32 = ((x222 >> 1) | ((x224 << 31) & 0xffffffff)) - var x306 uint32 = ((x224 >> 1) | ((x226 << 31) & 0xffffffff)) - var x307 uint32 = ((x226 >> 1) | ((x228 << 31) & 0xffffffff)) - var x308 uint32 = ((x228 >> 1) | ((x230 << 31) & 0xffffffff)) - 
var x309 uint32 = ((x230 >> 1) | ((x232 << 31) & 0xffffffff)) - var x310 uint32 = ((x232 & 0x80000000) | (x232 >> 1)) - var x311 uint32 - cmovznzU32(&x311, x120, x95, x71) - var x312 uint32 - cmovznzU32(&x312, x120, x97, x73) - var x313 uint32 - cmovznzU32(&x313, x120, x99, x75) - var x314 uint32 - cmovznzU32(&x314, x120, x101, x77) - var x315 uint32 - cmovznzU32(&x315, x120, x103, x79) - var x316 uint32 - cmovznzU32(&x316, x120, x105, x81) - var x317 uint32 - cmovznzU32(&x317, x120, x107, x83) - var x318 uint32 - cmovznzU32(&x318, x120, x109, x85) - var x319 uint32 - cmovznzU32(&x319, x120, x111, x87) - var x320 uint32 - cmovznzU32(&x320, x120, x113, x89) - var x321 uint32 - cmovznzU32(&x321, x120, x115, x91) - var x322 uint32 - cmovznzU32(&x322, x120, x117, x93) - var x323 uint32 - cmovznzU32(&x323, x295, x270, x246) - var x324 uint32 - cmovznzU32(&x324, x295, x272, x248) - var x325 uint32 - cmovznzU32(&x325, x295, x274, x250) - var x326 uint32 - cmovznzU32(&x326, x295, x276, x252) - var x327 uint32 - cmovznzU32(&x327, x295, x278, x254) - var x328 uint32 - cmovznzU32(&x328, x295, x280, x256) - var x329 uint32 - cmovznzU32(&x329, x295, x282, x258) - var x330 uint32 - cmovznzU32(&x330, x295, x284, x260) - var x331 uint32 - cmovznzU32(&x331, x295, x286, x262) - var x332 uint32 - cmovznzU32(&x332, x295, x288, x264) - var x333 uint32 - cmovznzU32(&x333, x295, x290, x266) - var x334 uint32 - cmovznzU32(&x334, x295, x292, x268) - *out1 = x296 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out2[5] = x12 - out2[6] = x13 - out2[7] = x14 - out2[8] = x15 - out2[9] = x16 - out2[10] = x17 - out2[11] = x18 - out2[12] = x19 - out3[0] = x298 - out3[1] = x299 - out3[2] = x300 - out3[3] = x301 - out3[4] = x302 - out3[5] = x303 - out3[6] = x304 - out3[7] = x305 - out3[8] = x306 - out3[9] = x307 - out3[10] = x308 - out3[11] = x309 - out3[12] = x310 - out4[0] = x311 - out4[1] = x312 - out4[2] = x313 - out4[3] = x314 - out4[4] = x315 - out4[5] = x316 - 
out4[6] = x317 - out4[7] = x318 - out4[8] = x319 - out4[9] = x320 - out4[10] = x321 - out4[11] = x322 - out5[0] = x323 - out5[1] = x324 - out5[2] = x325 - out5[3] = x326 - out5[4] = x327 - out5[5] = x328 - out5[6] = x329 - out5[7] = x330 - out5[8] = x331 - out5[9] = x332 - out5[10] = x333 - out5[11] = x334 + var x1 uint32 + x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + x3 := (uint1((x1 >> 31)) & (uint1(arg3[0]) & 0x1)) + var x4 uint32 + x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + var x6 uint32 + cmovznzU32(&x6, x3, arg1, x4) + var x7 uint32 + cmovznzU32(&x7, x3, arg2[0], arg3[0]) + var x8 uint32 + cmovznzU32(&x8, x3, arg2[1], arg3[1]) + var x9 uint32 + cmovznzU32(&x9, x3, arg2[2], arg3[2]) + var x10 uint32 + cmovznzU32(&x10, x3, arg2[3], arg3[3]) + var x11 uint32 + cmovznzU32(&x11, x3, arg2[4], arg3[4]) + var x12 uint32 + cmovznzU32(&x12, x3, arg2[5], arg3[5]) + var x13 uint32 + cmovznzU32(&x13, x3, arg2[6], arg3[6]) + var x14 uint32 + cmovznzU32(&x14, x3, arg2[7], arg3[7]) + var x15 uint32 + cmovznzU32(&x15, x3, arg2[8], arg3[8]) + var x16 uint32 + cmovznzU32(&x16, x3, arg2[9], arg3[9]) + var x17 uint32 + cmovznzU32(&x17, x3, arg2[10], arg3[10]) + var x18 uint32 + cmovznzU32(&x18, x3, arg2[11], arg3[11]) + var x19 uint32 + cmovznzU32(&x19, x3, arg2[12], arg3[12]) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(uint32(0x1), (^arg2[0]), 0x0) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(uint32(0x0), (^arg2[1]), x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(uint32(0x0), (^arg2[2]), x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(uint32(0x0), (^arg2[3]), x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(uint32(0x0), (^arg2[4]), x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(uint32(0x0), (^arg2[5]), x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(uint32(0x0), (^arg2[6]), x31) + var x34 uint32 + var x35 uint1 + x34, x35 = addcarryxU32(uint32(0x0), 
(^arg2[7]), x33) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(uint32(0x0), (^arg2[8]), x35) + var x38 uint32 + var x39 uint1 + x38, x39 = addcarryxU32(uint32(0x0), (^arg2[9]), x37) + var x40 uint32 + var x41 uint1 + x40, x41 = addcarryxU32(uint32(0x0), (^arg2[10]), x39) + var x42 uint32 + var x43 uint1 + x42, x43 = addcarryxU32(uint32(0x0), (^arg2[11]), x41) + var x44 uint32 + x44, _ = addcarryxU32(uint32(0x0), (^arg2[12]), x43) + var x46 uint32 + cmovznzU32(&x46, x3, arg3[0], x20) + var x47 uint32 + cmovznzU32(&x47, x3, arg3[1], x22) + var x48 uint32 + cmovznzU32(&x48, x3, arg3[2], x24) + var x49 uint32 + cmovznzU32(&x49, x3, arg3[3], x26) + var x50 uint32 + cmovznzU32(&x50, x3, arg3[4], x28) + var x51 uint32 + cmovznzU32(&x51, x3, arg3[5], x30) + var x52 uint32 + cmovznzU32(&x52, x3, arg3[6], x32) + var x53 uint32 + cmovznzU32(&x53, x3, arg3[7], x34) + var x54 uint32 + cmovznzU32(&x54, x3, arg3[8], x36) + var x55 uint32 + cmovznzU32(&x55, x3, arg3[9], x38) + var x56 uint32 + cmovznzU32(&x56, x3, arg3[10], x40) + var x57 uint32 + cmovznzU32(&x57, x3, arg3[11], x42) + var x58 uint32 + cmovznzU32(&x58, x3, arg3[12], x44) + var x59 uint32 + cmovznzU32(&x59, x3, arg4[0], arg5[0]) + var x60 uint32 + cmovznzU32(&x60, x3, arg4[1], arg5[1]) + var x61 uint32 + cmovznzU32(&x61, x3, arg4[2], arg5[2]) + var x62 uint32 + cmovznzU32(&x62, x3, arg4[3], arg5[3]) + var x63 uint32 + cmovznzU32(&x63, x3, arg4[4], arg5[4]) + var x64 uint32 + cmovznzU32(&x64, x3, arg4[5], arg5[5]) + var x65 uint32 + cmovznzU32(&x65, x3, arg4[6], arg5[6]) + var x66 uint32 + cmovznzU32(&x66, x3, arg4[7], arg5[7]) + var x67 uint32 + cmovznzU32(&x67, x3, arg4[8], arg5[8]) + var x68 uint32 + cmovznzU32(&x68, x3, arg4[9], arg5[9]) + var x69 uint32 + cmovznzU32(&x69, x3, arg4[10], arg5[10]) + var x70 uint32 + cmovznzU32(&x70, x3, arg4[11], arg5[11]) + var x71 uint32 + var x72 uint1 + x71, x72 = addcarryxU32(x59, x59, 0x0) + var x73 uint32 + var x74 uint1 + x73, x74 = addcarryxU32(x60, x60, x72) 
+ var x75 uint32 + var x76 uint1 + x75, x76 = addcarryxU32(x61, x61, x74) + var x77 uint32 + var x78 uint1 + x77, x78 = addcarryxU32(x62, x62, x76) + var x79 uint32 + var x80 uint1 + x79, x80 = addcarryxU32(x63, x63, x78) + var x81 uint32 + var x82 uint1 + x81, x82 = addcarryxU32(x64, x64, x80) + var x83 uint32 + var x84 uint1 + x83, x84 = addcarryxU32(x65, x65, x82) + var x85 uint32 + var x86 uint1 + x85, x86 = addcarryxU32(x66, x66, x84) + var x87 uint32 + var x88 uint1 + x87, x88 = addcarryxU32(x67, x67, x86) + var x89 uint32 + var x90 uint1 + x89, x90 = addcarryxU32(x68, x68, x88) + var x91 uint32 + var x92 uint1 + x91, x92 = addcarryxU32(x69, x69, x90) + var x93 uint32 + var x94 uint1 + x93, x94 = addcarryxU32(x70, x70, x92) + var x95 uint32 + var x96 uint1 + x95, x96 = subborrowxU32(x71, 0xffffffff, 0x0) + var x97 uint32 + var x98 uint1 + x97, x98 = subborrowxU32(x73, uint32(0x0), x96) + var x99 uint32 + var x100 uint1 + x99, x100 = subborrowxU32(x75, uint32(0x0), x98) + var x101 uint32 + var x102 uint1 + x101, x102 = subborrowxU32(x77, 0xffffffff, x100) + var x103 uint32 + var x104 uint1 + x103, x104 = subborrowxU32(x79, 0xfffffffe, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = subborrowxU32(x81, 0xffffffff, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = subborrowxU32(x83, 0xffffffff, x106) + var x109 uint32 + var x110 uint1 + x109, x110 = subborrowxU32(x85, 0xffffffff, x108) + var x111 uint32 + var x112 uint1 + x111, x112 = subborrowxU32(x87, 0xffffffff, x110) + var x113 uint32 + var x114 uint1 + x113, x114 = subborrowxU32(x89, 0xffffffff, x112) + var x115 uint32 + var x116 uint1 + x115, x116 = subborrowxU32(x91, 0xffffffff, x114) + var x117 uint32 + var x118 uint1 + x117, x118 = subborrowxU32(x93, 0xffffffff, x116) + var x120 uint1 + _, x120 = subborrowxU32(uint32(x94), uint32(0x0), x118) + x121 := arg4[11] + x122 := arg4[10] + x123 := arg4[9] + x124 := arg4[8] + x125 := arg4[7] + x126 := arg4[6] + x127 := arg4[5] + x128 := arg4[4] + 
x129 := arg4[3] + x130 := arg4[2] + x131 := arg4[1] + x132 := arg4[0] + var x133 uint32 + var x134 uint1 + x133, x134 = subborrowxU32(uint32(0x0), x132, 0x0) + var x135 uint32 + var x136 uint1 + x135, x136 = subborrowxU32(uint32(0x0), x131, x134) + var x137 uint32 + var x138 uint1 + x137, x138 = subborrowxU32(uint32(0x0), x130, x136) + var x139 uint32 + var x140 uint1 + x139, x140 = subborrowxU32(uint32(0x0), x129, x138) + var x141 uint32 + var x142 uint1 + x141, x142 = subborrowxU32(uint32(0x0), x128, x140) + var x143 uint32 + var x144 uint1 + x143, x144 = subborrowxU32(uint32(0x0), x127, x142) + var x145 uint32 + var x146 uint1 + x145, x146 = subborrowxU32(uint32(0x0), x126, x144) + var x147 uint32 + var x148 uint1 + x147, x148 = subborrowxU32(uint32(0x0), x125, x146) + var x149 uint32 + var x150 uint1 + x149, x150 = subborrowxU32(uint32(0x0), x124, x148) + var x151 uint32 + var x152 uint1 + x151, x152 = subborrowxU32(uint32(0x0), x123, x150) + var x153 uint32 + var x154 uint1 + x153, x154 = subborrowxU32(uint32(0x0), x122, x152) + var x155 uint32 + var x156 uint1 + x155, x156 = subborrowxU32(uint32(0x0), x121, x154) + var x157 uint32 + cmovznzU32(&x157, x156, uint32(0x0), 0xffffffff) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x133, x157, 0x0) + var x160 uint32 + var x161 uint1 + x160, x161 = addcarryxU32(x135, uint32(0x0), x159) + var x162 uint32 + var x163 uint1 + x162, x163 = addcarryxU32(x137, uint32(0x0), x161) + var x164 uint32 + var x165 uint1 + x164, x165 = addcarryxU32(x139, x157, x163) + var x166 uint32 + var x167 uint1 + x166, x167 = addcarryxU32(x141, (x157 & 0xfffffffe), x165) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x143, x157, x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x145, x157, x169) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x147, x157, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x149, x157, x173) + var x176 uint32 + var x177 uint1 + 
x176, x177 = addcarryxU32(x151, x157, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x153, x157, x177) + var x180 uint32 + x180, _ = addcarryxU32(x155, x157, x179) + var x182 uint32 + cmovznzU32(&x182, x3, arg5[0], x158) + var x183 uint32 + cmovznzU32(&x183, x3, arg5[1], x160) + var x184 uint32 + cmovznzU32(&x184, x3, arg5[2], x162) + var x185 uint32 + cmovznzU32(&x185, x3, arg5[3], x164) + var x186 uint32 + cmovznzU32(&x186, x3, arg5[4], x166) + var x187 uint32 + cmovznzU32(&x187, x3, arg5[5], x168) + var x188 uint32 + cmovznzU32(&x188, x3, arg5[6], x170) + var x189 uint32 + cmovznzU32(&x189, x3, arg5[7], x172) + var x190 uint32 + cmovznzU32(&x190, x3, arg5[8], x174) + var x191 uint32 + cmovznzU32(&x191, x3, arg5[9], x176) + var x192 uint32 + cmovznzU32(&x192, x3, arg5[10], x178) + var x193 uint32 + cmovznzU32(&x193, x3, arg5[11], x180) + x194 := (uint1(x46) & 0x1) + var x195 uint32 + cmovznzU32(&x195, x194, uint32(0x0), x7) + var x196 uint32 + cmovznzU32(&x196, x194, uint32(0x0), x8) + var x197 uint32 + cmovznzU32(&x197, x194, uint32(0x0), x9) + var x198 uint32 + cmovznzU32(&x198, x194, uint32(0x0), x10) + var x199 uint32 + cmovznzU32(&x199, x194, uint32(0x0), x11) + var x200 uint32 + cmovznzU32(&x200, x194, uint32(0x0), x12) + var x201 uint32 + cmovznzU32(&x201, x194, uint32(0x0), x13) + var x202 uint32 + cmovznzU32(&x202, x194, uint32(0x0), x14) + var x203 uint32 + cmovznzU32(&x203, x194, uint32(0x0), x15) + var x204 uint32 + cmovznzU32(&x204, x194, uint32(0x0), x16) + var x205 uint32 + cmovznzU32(&x205, x194, uint32(0x0), x17) + var x206 uint32 + cmovznzU32(&x206, x194, uint32(0x0), x18) + var x207 uint32 + cmovznzU32(&x207, x194, uint32(0x0), x19) + var x208 uint32 + var x209 uint1 + x208, x209 = addcarryxU32(x46, x195, 0x0) + var x210 uint32 + var x211 uint1 + x210, x211 = addcarryxU32(x47, x196, x209) + var x212 uint32 + var x213 uint1 + x212, x213 = addcarryxU32(x48, x197, x211) + var x214 uint32 + var x215 uint1 + x214, x215 = 
addcarryxU32(x49, x198, x213) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x50, x199, x215) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x51, x200, x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x52, x201, x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x53, x202, x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x54, x203, x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x55, x204, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x56, x205, x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x57, x206, x229) + var x232 uint32 + x232, _ = addcarryxU32(x58, x207, x231) + var x234 uint32 + cmovznzU32(&x234, x194, uint32(0x0), x59) + var x235 uint32 + cmovznzU32(&x235, x194, uint32(0x0), x60) + var x236 uint32 + cmovznzU32(&x236, x194, uint32(0x0), x61) + var x237 uint32 + cmovznzU32(&x237, x194, uint32(0x0), x62) + var x238 uint32 + cmovznzU32(&x238, x194, uint32(0x0), x63) + var x239 uint32 + cmovznzU32(&x239, x194, uint32(0x0), x64) + var x240 uint32 + cmovznzU32(&x240, x194, uint32(0x0), x65) + var x241 uint32 + cmovznzU32(&x241, x194, uint32(0x0), x66) + var x242 uint32 + cmovznzU32(&x242, x194, uint32(0x0), x67) + var x243 uint32 + cmovznzU32(&x243, x194, uint32(0x0), x68) + var x244 uint32 + cmovznzU32(&x244, x194, uint32(0x0), x69) + var x245 uint32 + cmovznzU32(&x245, x194, uint32(0x0), x70) + var x246 uint32 + var x247 uint1 + x246, x247 = addcarryxU32(x182, x234, 0x0) + var x248 uint32 + var x249 uint1 + x248, x249 = addcarryxU32(x183, x235, x247) + var x250 uint32 + var x251 uint1 + x250, x251 = addcarryxU32(x184, x236, x249) + var x252 uint32 + var x253 uint1 + x252, x253 = addcarryxU32(x185, x237, x251) + var x254 uint32 + var x255 uint1 + x254, x255 = addcarryxU32(x186, x238, x253) + var x256 uint32 + var x257 uint1 + x256, x257 = addcarryxU32(x187, x239, x255) + var x258 uint32 + var x259 uint1 + 
x258, x259 = addcarryxU32(x188, x240, x257) + var x260 uint32 + var x261 uint1 + x260, x261 = addcarryxU32(x189, x241, x259) + var x262 uint32 + var x263 uint1 + x262, x263 = addcarryxU32(x190, x242, x261) + var x264 uint32 + var x265 uint1 + x264, x265 = addcarryxU32(x191, x243, x263) + var x266 uint32 + var x267 uint1 + x266, x267 = addcarryxU32(x192, x244, x265) + var x268 uint32 + var x269 uint1 + x268, x269 = addcarryxU32(x193, x245, x267) + var x270 uint32 + var x271 uint1 + x270, x271 = subborrowxU32(x246, 0xffffffff, 0x0) + var x272 uint32 + var x273 uint1 + x272, x273 = subborrowxU32(x248, uint32(0x0), x271) + var x274 uint32 + var x275 uint1 + x274, x275 = subborrowxU32(x250, uint32(0x0), x273) + var x276 uint32 + var x277 uint1 + x276, x277 = subborrowxU32(x252, 0xffffffff, x275) + var x278 uint32 + var x279 uint1 + x278, x279 = subborrowxU32(x254, 0xfffffffe, x277) + var x280 uint32 + var x281 uint1 + x280, x281 = subborrowxU32(x256, 0xffffffff, x279) + var x282 uint32 + var x283 uint1 + x282, x283 = subborrowxU32(x258, 0xffffffff, x281) + var x284 uint32 + var x285 uint1 + x284, x285 = subborrowxU32(x260, 0xffffffff, x283) + var x286 uint32 + var x287 uint1 + x286, x287 = subborrowxU32(x262, 0xffffffff, x285) + var x288 uint32 + var x289 uint1 + x288, x289 = subborrowxU32(x264, 0xffffffff, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = subborrowxU32(x266, 0xffffffff, x289) + var x292 uint32 + var x293 uint1 + x292, x293 = subborrowxU32(x268, 0xffffffff, x291) + var x295 uint1 + _, x295 = subborrowxU32(uint32(x269), uint32(0x0), x293) + var x296 uint32 + x296, _ = addcarryxU32(x6, uint32(0x1), 0x0) + x298 := ((x208 >> 1) | ((x210 << 31) & 0xffffffff)) + x299 := ((x210 >> 1) | ((x212 << 31) & 0xffffffff)) + x300 := ((x212 >> 1) | ((x214 << 31) & 0xffffffff)) + x301 := ((x214 >> 1) | ((x216 << 31) & 0xffffffff)) + x302 := ((x216 >> 1) | ((x218 << 31) & 0xffffffff)) + x303 := ((x218 >> 1) | ((x220 << 31) & 0xffffffff)) + x304 := ((x220 >> 1) | 
((x222 << 31) & 0xffffffff)) + x305 := ((x222 >> 1) | ((x224 << 31) & 0xffffffff)) + x306 := ((x224 >> 1) | ((x226 << 31) & 0xffffffff)) + x307 := ((x226 >> 1) | ((x228 << 31) & 0xffffffff)) + x308 := ((x228 >> 1) | ((x230 << 31) & 0xffffffff)) + x309 := ((x230 >> 1) | ((x232 << 31) & 0xffffffff)) + x310 := ((x232 & 0x80000000) | (x232 >> 1)) + var x311 uint32 + cmovznzU32(&x311, x120, x95, x71) + var x312 uint32 + cmovznzU32(&x312, x120, x97, x73) + var x313 uint32 + cmovznzU32(&x313, x120, x99, x75) + var x314 uint32 + cmovznzU32(&x314, x120, x101, x77) + var x315 uint32 + cmovznzU32(&x315, x120, x103, x79) + var x316 uint32 + cmovznzU32(&x316, x120, x105, x81) + var x317 uint32 + cmovznzU32(&x317, x120, x107, x83) + var x318 uint32 + cmovznzU32(&x318, x120, x109, x85) + var x319 uint32 + cmovznzU32(&x319, x120, x111, x87) + var x320 uint32 + cmovznzU32(&x320, x120, x113, x89) + var x321 uint32 + cmovznzU32(&x321, x120, x115, x91) + var x322 uint32 + cmovznzU32(&x322, x120, x117, x93) + var x323 uint32 + cmovznzU32(&x323, x295, x270, x246) + var x324 uint32 + cmovznzU32(&x324, x295, x272, x248) + var x325 uint32 + cmovznzU32(&x325, x295, x274, x250) + var x326 uint32 + cmovznzU32(&x326, x295, x276, x252) + var x327 uint32 + cmovznzU32(&x327, x295, x278, x254) + var x328 uint32 + cmovznzU32(&x328, x295, x280, x256) + var x329 uint32 + cmovznzU32(&x329, x295, x282, x258) + var x330 uint32 + cmovznzU32(&x330, x295, x284, x260) + var x331 uint32 + cmovznzU32(&x331, x295, x286, x262) + var x332 uint32 + cmovznzU32(&x332, x295, x288, x264) + var x333 uint32 + cmovznzU32(&x333, x295, x290, x266) + var x334 uint32 + cmovznzU32(&x334, x295, x292, x268) + *out1 = x296 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out2[5] = x12 + out2[6] = x13 + out2[7] = x14 + out2[8] = x15 + out2[9] = x16 + out2[10] = x17 + out2[11] = x18 + out2[12] = x19 + out3[0] = x298 + out3[1] = x299 + out3[2] = x300 + out3[3] = x301 + out3[4] = x302 + out3[5] = x303 
+ out3[6] = x304 + out3[7] = x305 + out3[8] = x306 + out3[9] = x307 + out3[10] = x308 + out3[11] = x309 + out3[12] = x310 + out4[0] = x311 + out4[1] = x312 + out4[2] = x313 + out4[3] = x314 + out4[4] = x315 + out4[5] = x316 + out4[6] = x317 + out4[7] = x318 + out4[8] = x319 + out4[9] = x320 + out4[10] = x321 + out4[11] = x322 + out5[0] = x323 + out5[1] = x324 + out5[2] = x325 + out5[3] = x326 + out5[4] = x327 + out5[5] = x328 + out5[6] = x329 + out5[7] = x330 + out5[8] = x331 + out5[9] = x332 + out5[10] = x333 + out5[11] = x334 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
+// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func DivstepPrecomp(out1 *[12]uint32) { - out1[0] = 0xfff18fff - out1[1] = 0xfff69400 - out1[2] = 0xffffd3ff - out1[3] = 0x2b7fe - out1[4] = 0xfffe97ff - out1[5] = 0xfffedbff - out1[6] = 0x2fff - out1[7] = 0x28400 - out1[8] = 0x50400 - out1[9] = 0x60400 - out1[10] = 0x38000 - out1[11] = 0xfffc4800 + out1[0] = 0xfff18fff + out1[1] = 0xfff69400 + out1[2] = 0xffffd3ff + out1[3] = 0x2b7fe + out1[4] = 0xfffe97ff + out1[5] = 0xfffedbff + out1[6] = 0x2fff + out1[7] = 0x28400 + out1[8] = 0x50400 + out1[9] = 0x60400 + out1[10] = 0x38000 + out1[11] = 0xfffc4800 } - diff --git a/fiat-go/32/poly1305/poly1305.go b/fiat-go/32/poly1305/poly1305.go index 866eca58721..24bf7fbe2c1 100644 --- a/fiat-go/32/poly1305/poly1305.go +++ b/fiat-go/32/poly1305/poly1305.go 
@@ -1,531 +1,505 @@ -/* - Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name poly1305 '' 32 '(auto)' '2^130 - 5' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes - - curve description (via package name): poly1305 - - machine_wordsize = 32 (from "32") - - requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes - - n = 5 (from "(auto)") - - s-c = 2^130 - [(1, 5)] (from "2^130 - 5") - - tight_bounds_multiplier = 1 (from "") - - - - Computed values: - - carry_chain = [0, 1, 2, 3, 4, 0, 1] - - eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) - - balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name poly1305 '' 32 '(auto)' '2^130 - 5' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes +// +// curve description (via package name): poly1305 +// +// machine_wordsize = 32 (from "32") +// +// requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes +// +// n = 5 (from "(auto)") +// +// s-c = 2^130 - [(1, 5)] (from "2^130 - 5") +// +// tight_bounds_multiplier = 1 (from "") +// +// +// +// Computed values: +// +// carry_chain = [0, 1, 2, 3, 4, 0, 1] +// +// eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) +// +// balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] package poly1305 type uint1 uint8 type int1 int8 - -/* - The function addcarryxU26 is an addition with carry. - Postconditions: - out1 = (arg1 + arg2 + arg3) mod 2^26 - out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x3ffffff] - arg3: [0x0 ~> 0x3ffffff] - Output Bounds: - out1: [0x0 ~> 0x3ffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// addcarryxU26 is an addition with carry. 
+// +// Postconditions: +// out1 = (arg1 + arg2 + arg3) mod 2^26 +// out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x3ffffff] +// arg3: [0x0 ~> 0x3ffffff] +// Output Bounds: +// out1: [0x0 ~> 0x3ffffff] +// out2: [0x0 ~> 0x1] func addcarryxU26(out1 *uint32, out2 *uint1, arg1 uint1, arg2 uint32, arg3 uint32) { - var x1 uint32 = ((uint32(arg1) + arg2) + arg3) - var x2 uint32 = (x1 & 0x3ffffff) - var x3 uint1 = uint1((x1 >> 26)) - *out1 = x2 - *out2 = x3 + x1 := ((uint32(arg1) + arg2) + arg3) + x2 := (x1 & 0x3ffffff) + x3 := uint1((x1 >> 26)) + *out1 = x2 + *out2 = x3 } -/* - The function subborrowxU26 is a subtraction with borrow. - Postconditions: - out1 = (-arg1 + arg2 + -arg3) mod 2^26 - out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x3ffffff] - arg3: [0x0 ~> 0x3ffffff] - Output Bounds: - out1: [0x0 ~> 0x3ffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// subborrowxU26 is a subtraction with borrow. +// +// Postconditions: +// out1 = (-arg1 + arg2 + -arg3) mod 2^26 +// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x3ffffff] +// arg3: [0x0 ~> 0x3ffffff] +// Output Bounds: +// out1: [0x0 ~> 0x3ffffff] +// out2: [0x0 ~> 0x1] func subborrowxU26(out1 *uint32, out2 *uint1, arg1 uint1, arg2 uint32, arg3 uint32) { - var x1 int32 = ((int32(arg2) - int32(arg1)) - int32(arg3)) - var x2 int1 = int1((x1 >> 26)) - var x3 uint32 = (uint32(x1) & 0x3ffffff) - *out1 = x3 - *out2 = (0x0 - uint1(x2)) + x1 := ((int32(arg2) - int32(arg1)) - int32(arg3)) + x2 := int1((x1 >> 26)) + x3 := (uint32(x1) & 0x3ffffff) + *out1 = x3 + *out2 = (0x0 - uint1(x2)) } -/* - The function cmovznzU32 is a single-word conditional move. 
- Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffff] - arg3: [0x0 ~> 0xffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// cmovznzU32 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffff] +// arg3: [0x0 ~> 0xffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func cmovznzU32(out1 *uint32, arg1 uint1, arg2 uint32, arg3 uint32) { - var x1 uint32 = (uint32(arg1) * 0xffffffff) - var x2 uint32 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint32(arg1) * 0xffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function CarryMul multiplies two field elements and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] - arg2: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - */ -/*inline*/ +// CarryMul multiplies two field elements and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] +// arg2: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] func CarryMul(out1 *[5]uint32, arg1 *[5]uint32, arg2 *[5]uint32) { - var x1 uint64 = (uint64((arg1[4])) * uint64(((arg2[4]) * 0x5))) - var x2 uint64 = (uint64((arg1[4])) * uint64(((arg2[3]) * 0x5))) - var x3 uint64 = (uint64((arg1[4])) * uint64(((arg2[2]) * 0x5))) - var x4 uint64 = (uint64((arg1[4])) * uint64(((arg2[1]) * 0x5))) - var x5 uint64 = (uint64((arg1[3])) * uint64(((arg2[4]) * 0x5))) - var x6 uint64 = (uint64((arg1[3])) * uint64(((arg2[3]) * 0x5))) - var x7 uint64 = (uint64((arg1[3])) * uint64(((arg2[2]) * 0x5))) - var x8 uint64 = (uint64((arg1[2])) * uint64(((arg2[4]) * 0x5))) - var x9 uint64 = (uint64((arg1[2])) * uint64(((arg2[3]) * 0x5))) - var x10 uint64 = (uint64((arg1[1])) * uint64(((arg2[4]) * 0x5))) - var x11 uint64 = (uint64((arg1[4])) * uint64((arg2[0]))) - var x12 uint64 = (uint64((arg1[3])) * uint64((arg2[1]))) - var x13 uint64 = (uint64((arg1[3])) * uint64((arg2[0]))) - var x14 uint64 = (uint64((arg1[2])) * uint64((arg2[2]))) - var x15 uint64 = (uint64((arg1[2])) * uint64((arg2[1]))) - var x16 uint64 = (uint64((arg1[2])) * uint64((arg2[0]))) - var x17 uint64 = (uint64((arg1[1])) * uint64((arg2[3]))) - var x18 uint64 = (uint64((arg1[1])) * uint64((arg2[2]))) - var x19 uint64 = (uint64((arg1[1])) * uint64((arg2[1]))) - var x20 uint64 = (uint64((arg1[1])) * uint64((arg2[0]))) - var x21 uint64 = (uint64((arg1[0])) * uint64((arg2[4]))) - var x22 uint64 = (uint64((arg1[0])) * uint64((arg2[3]))) - var x23 uint64 = (uint64((arg1[0])) * uint64((arg2[2]))) - var x24 uint64 = (uint64((arg1[0])) * 
uint64((arg2[1]))) - var x25 uint64 = (uint64((arg1[0])) * uint64((arg2[0]))) - var x26 uint64 = (x25 + (x10 + (x9 + (x7 + x4)))) - var x27 uint64 = (x26 >> 26) - var x28 uint32 = (uint32(x26) & 0x3ffffff) - var x29 uint64 = (x21 + (x17 + (x14 + (x12 + x11)))) - var x30 uint64 = (x22 + (x18 + (x15 + (x13 + x1)))) - var x31 uint64 = (x23 + (x19 + (x16 + (x5 + x2)))) - var x32 uint64 = (x24 + (x20 + (x8 + (x6 + x3)))) - var x33 uint64 = (x27 + x32) - var x34 uint64 = (x33 >> 26) - var x35 uint32 = (uint32(x33) & 0x3ffffff) - var x36 uint64 = (x34 + x31) - var x37 uint64 = (x36 >> 26) - var x38 uint32 = (uint32(x36) & 0x3ffffff) - var x39 uint64 = (x37 + x30) - var x40 uint64 = (x39 >> 26) - var x41 uint32 = (uint32(x39) & 0x3ffffff) - var x42 uint64 = (x40 + x29) - var x43 uint32 = uint32((x42 >> 26)) - var x44 uint32 = (uint32(x42) & 0x3ffffff) - var x45 uint64 = (uint64(x43) * uint64(0x5)) - var x46 uint64 = (uint64(x28) + x45) - var x47 uint32 = uint32((x46 >> 26)) - var x48 uint32 = (uint32(x46) & 0x3ffffff) - var x49 uint32 = (x47 + x35) - var x50 uint1 = uint1((x49 >> 26)) - var x51 uint32 = (x49 & 0x3ffffff) - var x52 uint32 = (uint32(x50) + x38) - out1[0] = x48 - out1[1] = x51 - out1[2] = x52 - out1[3] = x41 - out1[4] = x44 + x1 := (uint64(arg1[4]) * uint64((arg2[4] * 0x5))) + x2 := (uint64(arg1[4]) * uint64((arg2[3] * 0x5))) + x3 := (uint64(arg1[4]) * uint64((arg2[2] * 0x5))) + x4 := (uint64(arg1[4]) * uint64((arg2[1] * 0x5))) + x5 := (uint64(arg1[3]) * uint64((arg2[4] * 0x5))) + x6 := (uint64(arg1[3]) * uint64((arg2[3] * 0x5))) + x7 := (uint64(arg1[3]) * uint64((arg2[2] * 0x5))) + x8 := (uint64(arg1[2]) * uint64((arg2[4] * 0x5))) + x9 := (uint64(arg1[2]) * uint64((arg2[3] * 0x5))) + x10 := (uint64(arg1[1]) * uint64((arg2[4] * 0x5))) + x11 := (uint64(arg1[4]) * uint64(arg2[0])) + x12 := (uint64(arg1[3]) * uint64(arg2[1])) + x13 := (uint64(arg1[3]) * uint64(arg2[0])) + x14 := (uint64(arg1[2]) * uint64(arg2[2])) + x15 := (uint64(arg1[2]) * uint64(arg2[1])) + 
x16 := (uint64(arg1[2]) * uint64(arg2[0])) + x17 := (uint64(arg1[1]) * uint64(arg2[3])) + x18 := (uint64(arg1[1]) * uint64(arg2[2])) + x19 := (uint64(arg1[1]) * uint64(arg2[1])) + x20 := (uint64(arg1[1]) * uint64(arg2[0])) + x21 := (uint64(arg1[0]) * uint64(arg2[4])) + x22 := (uint64(arg1[0]) * uint64(arg2[3])) + x23 := (uint64(arg1[0]) * uint64(arg2[2])) + x24 := (uint64(arg1[0]) * uint64(arg2[1])) + x25 := (uint64(arg1[0]) * uint64(arg2[0])) + x26 := (x25 + (x10 + (x9 + (x7 + x4)))) + x27 := (x26 >> 26) + x28 := (uint32(x26) & 0x3ffffff) + x29 := (x21 + (x17 + (x14 + (x12 + x11)))) + x30 := (x22 + (x18 + (x15 + (x13 + x1)))) + x31 := (x23 + (x19 + (x16 + (x5 + x2)))) + x32 := (x24 + (x20 + (x8 + (x6 + x3)))) + x33 := (x27 + x32) + x34 := (x33 >> 26) + x35 := (uint32(x33) & 0x3ffffff) + x36 := (x34 + x31) + x37 := (x36 >> 26) + x38 := (uint32(x36) & 0x3ffffff) + x39 := (x37 + x30) + x40 := (x39 >> 26) + x41 := (uint32(x39) & 0x3ffffff) + x42 := (x40 + x29) + x43 := uint32((x42 >> 26)) + x44 := (uint32(x42) & 0x3ffffff) + x45 := (uint64(x43) * uint64(0x5)) + x46 := (uint64(x28) + x45) + x47 := uint32((x46 >> 26)) + x48 := (uint32(x46) & 0x3ffffff) + x49 := (x47 + x35) + x50 := uint1((x49 >> 26)) + x51 := (x49 & 0x3ffffff) + x52 := (uint32(x50) + x38) + out1[0] = x48 + out1[1] = x51 + out1[2] = x52 + out1[3] = x41 + out1[4] = x44 } -/* - The function CarrySquare squares a field element and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - */ -/*inline*/ +// CarrySquare squares a field element and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] func CarrySquare(out1 *[5]uint32, arg1 *[5]uint32) { - var x1 uint32 = ((arg1[4]) * 0x5) - var x2 uint32 = (x1 * 0x2) - var x3 uint32 = ((arg1[4]) * 0x2) - var x4 uint32 = ((arg1[3]) * 0x5) - var x5 uint32 = (x4 * 0x2) - var x6 uint32 = ((arg1[3]) * 0x2) - var x7 uint32 = ((arg1[2]) * 0x2) - var x8 uint32 = ((arg1[1]) * 0x2) - var x9 uint64 = (uint64((arg1[4])) * uint64(x1)) - var x10 uint64 = (uint64((arg1[3])) * uint64(x2)) - var x11 uint64 = (uint64((arg1[3])) * uint64(x4)) - var x12 uint64 = (uint64((arg1[2])) * uint64(x2)) - var x13 uint64 = (uint64((arg1[2])) * uint64(x5)) - var x14 uint64 = (uint64((arg1[2])) * uint64((arg1[2]))) - var x15 uint64 = (uint64((arg1[1])) * uint64(x2)) - var x16 uint64 = (uint64((arg1[1])) * uint64(x6)) - var x17 uint64 = (uint64((arg1[1])) * uint64(x7)) - var x18 uint64 = (uint64((arg1[1])) * uint64((arg1[1]))) - var x19 uint64 = (uint64((arg1[0])) * uint64(x3)) - var x20 uint64 = (uint64((arg1[0])) * uint64(x6)) - var x21 uint64 = (uint64((arg1[0])) * uint64(x7)) - var x22 uint64 = (uint64((arg1[0])) * uint64(x8)) - var x23 uint64 = (uint64((arg1[0])) * uint64((arg1[0]))) - var x24 uint64 = (x23 + (x15 + x13)) - var x25 uint64 = (x24 >> 26) - var x26 uint32 = (uint32(x24) & 0x3ffffff) - var x27 uint64 = (x19 + (x16 + x14)) - var x28 uint64 = (x20 + (x17 + x9)) - var x29 uint64 = (x21 + (x18 + x10)) - var x30 uint64 = (x22 + (x12 + x11)) - var x31 uint64 = (x25 + x30) - var x32 uint64 = (x31 >> 26) - var x33 uint32 = (uint32(x31) & 0x3ffffff) - var x34 uint64 = (x32 + x29) - var x35 uint64 = (x34 >> 26) - var x36 uint32 = (uint32(x34) & 0x3ffffff) - var x37 uint64 = (x35 + x28) - var x38 uint64 = 
(x37 >> 26) - var x39 uint32 = (uint32(x37) & 0x3ffffff) - var x40 uint64 = (x38 + x27) - var x41 uint32 = uint32((x40 >> 26)) - var x42 uint32 = (uint32(x40) & 0x3ffffff) - var x43 uint64 = (uint64(x41) * uint64(0x5)) - var x44 uint64 = (uint64(x26) + x43) - var x45 uint32 = uint32((x44 >> 26)) - var x46 uint32 = (uint32(x44) & 0x3ffffff) - var x47 uint32 = (x45 + x33) - var x48 uint1 = uint1((x47 >> 26)) - var x49 uint32 = (x47 & 0x3ffffff) - var x50 uint32 = (uint32(x48) + x36) - out1[0] = x46 - out1[1] = x49 - out1[2] = x50 - out1[3] = x39 - out1[4] = x42 + x1 := (arg1[4] * 0x5) + x2 := (x1 * 0x2) + x3 := (arg1[4] * 0x2) + x4 := (arg1[3] * 0x5) + x5 := (x4 * 0x2) + x6 := (arg1[3] * 0x2) + x7 := (arg1[2] * 0x2) + x8 := (arg1[1] * 0x2) + x9 := (uint64(arg1[4]) * uint64(x1)) + x10 := (uint64(arg1[3]) * uint64(x2)) + x11 := (uint64(arg1[3]) * uint64(x4)) + x12 := (uint64(arg1[2]) * uint64(x2)) + x13 := (uint64(arg1[2]) * uint64(x5)) + x14 := (uint64(arg1[2]) * uint64(arg1[2])) + x15 := (uint64(arg1[1]) * uint64(x2)) + x16 := (uint64(arg1[1]) * uint64(x6)) + x17 := (uint64(arg1[1]) * uint64(x7)) + x18 := (uint64(arg1[1]) * uint64(arg1[1])) + x19 := (uint64(arg1[0]) * uint64(x3)) + x20 := (uint64(arg1[0]) * uint64(x6)) + x21 := (uint64(arg1[0]) * uint64(x7)) + x22 := (uint64(arg1[0]) * uint64(x8)) + x23 := (uint64(arg1[0]) * uint64(arg1[0])) + x24 := (x23 + (x15 + x13)) + x25 := (x24 >> 26) + x26 := (uint32(x24) & 0x3ffffff) + x27 := (x19 + (x16 + x14)) + x28 := (x20 + (x17 + x9)) + x29 := (x21 + (x18 + x10)) + x30 := (x22 + (x12 + x11)) + x31 := (x25 + x30) + x32 := (x31 >> 26) + x33 := (uint32(x31) & 0x3ffffff) + x34 := (x32 + x29) + x35 := (x34 >> 26) + x36 := (uint32(x34) & 0x3ffffff) + x37 := (x35 + x28) + x38 := (x37 >> 26) + x39 := (uint32(x37) & 0x3ffffff) + x40 := (x38 + x27) + x41 := uint32((x40 >> 26)) + x42 := (uint32(x40) & 0x3ffffff) + x43 := (uint64(x41) * uint64(0x5)) + x44 := (uint64(x26) + x43) + x45 := uint32((x44 >> 26)) + x46 := (uint32(x44) & 
0x3ffffff) + x47 := (x45 + x33) + x48 := uint1((x47 >> 26)) + x49 := (x47 & 0x3ffffff) + x50 := (uint32(x48) + x36) + out1[0] = x46 + out1[1] = x49 + out1[2] = x50 + out1[3] = x39 + out1[4] = x42 } -/* - The function Carry reduces a field element. - Postconditions: - eval out1 mod m = eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - */ -/*inline*/ +// Carry reduces a field element. +// +// Postconditions: +// eval out1 mod m = eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] func Carry(out1 *[5]uint32, arg1 *[5]uint32) { - var x1 uint32 = (arg1[0]) - var x2 uint32 = ((x1 >> 26) + (arg1[1])) - var x3 uint32 = ((x2 >> 26) + (arg1[2])) - var x4 uint32 = ((x3 >> 26) + (arg1[3])) - var x5 uint32 = ((x4 >> 26) + (arg1[4])) - var x6 uint32 = ((x1 & 0x3ffffff) + ((x5 >> 26) * 0x5)) - var x7 uint32 = (uint32(uint1((x6 >> 26))) + (x2 & 0x3ffffff)) - var x8 uint32 = (x6 & 0x3ffffff) - var x9 uint32 = (x7 & 0x3ffffff) - var x10 uint32 = (uint32(uint1((x7 >> 26))) + (x3 & 0x3ffffff)) - var x11 uint32 = (x4 & 0x3ffffff) - var x12 uint32 = (x5 & 0x3ffffff) - out1[0] = x8 - out1[1] = x9 - out1[2] = x10 - out1[3] = x11 - out1[4] = x12 + x1 := arg1[0] + x2 := ((x1 >> 26) + arg1[1]) + x3 := ((x2 >> 26) + arg1[2]) + x4 := ((x3 >> 26) + arg1[3]) + x5 := ((x4 >> 26) + arg1[4]) + x6 := ((x1 & 0x3ffffff) + ((x5 >> 26) * 0x5)) + x7 := (uint32(uint1((x6 >> 26))) + (x2 & 0x3ffffff)) + x8 := (x6 & 0x3ffffff) + x9 := (x7 & 0x3ffffff) + x10 := (uint32(uint1((x7 >> 26))) + (x3 & 0x3ffffff)) + x11 := (x4 & 0x3ffffff) + x12 := (x5 & 0x3ffffff) + out1[0] 
= x8 + out1[1] = x9 + out1[2] = x10 + out1[3] = x11 + out1[4] = x12 } -/* - The function Add adds two field elements. - Postconditions: - eval out1 mod m = (eval arg1 + eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - Output Bounds: - out1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] - */ -/*inline*/ +// Add adds two field elements. +// +// Postconditions: +// eval out1 mod m = (eval arg1 + eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] +// arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] func Add(out1 *[5]uint32, arg1 *[5]uint32, arg2 *[5]uint32) { - var x1 uint32 = ((arg1[0]) + (arg2[0])) - var x2 uint32 = ((arg1[1]) + (arg2[1])) - var x3 uint32 = ((arg1[2]) + (arg2[2])) - var x4 uint32 = ((arg1[3]) + (arg2[3])) - var x5 uint32 = ((arg1[4]) + (arg2[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + x1 := (arg1[0] + arg2[0]) + x2 := (arg1[1] + arg2[1]) + x3 := (arg1[2] + arg2[2]) + x4 := (arg1[3] + arg2[3]) + x5 := (arg1[4] + arg2[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function Sub subtracts two field elements. 
- Postconditions: - eval out1 mod m = (eval arg1 - eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - Output Bounds: - out1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] - */ -/*inline*/ +// Sub subtracts two field elements. +// +// Postconditions: +// eval out1 mod m = (eval arg1 - eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] +// arg2: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] func Sub(out1 *[5]uint32, arg1 *[5]uint32, arg2 *[5]uint32) { - var x1 uint32 = ((0x7fffff6 + (arg1[0])) - (arg2[0])) - var x2 uint32 = ((0x7fffffe + (arg1[1])) - (arg2[1])) - var x3 uint32 = ((0x7fffffe + (arg1[2])) - (arg2[2])) - var x4 uint32 = ((0x7fffffe + (arg1[3])) - (arg2[3])) - var x5 uint32 = ((0x7fffffe + (arg1[4])) - (arg2[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + x1 := ((0x7fffff6 + arg1[0]) - arg2[0]) + x2 := ((0x7fffffe + arg1[1]) - arg2[1]) + x3 := ((0x7fffffe + arg1[2]) - arg2[2]) + x4 := ((0x7fffffe + arg1[3]) - arg2[3]) + x5 := ((0x7fffffe + arg1[4]) - arg2[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function Opp negates a field element. 
- Postconditions: - eval out1 mod m = -eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - Output Bounds: - out1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] - */ -/*inline*/ +// Opp negates a field element. +// +// Postconditions: +// eval out1 mod m = -eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000], [0x0 ~> 0xc000000]] func Opp(out1 *[5]uint32, arg1 *[5]uint32) { - var x1 uint32 = (0x7fffff6 - (arg1[0])) - var x2 uint32 = (0x7fffffe - (arg1[1])) - var x3 uint32 = (0x7fffffe - (arg1[2])) - var x4 uint32 = (0x7fffffe - (arg1[3])) - var x5 uint32 = (0x7fffffe - (arg1[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + x1 := (0x7fffff6 - arg1[0]) + x2 := (0x7fffffe - arg1[1]) + x3 := (0x7fffffe - arg1[2]) + x4 := (0x7fffffe - arg1[3]) + x5 := (0x7fffffe - arg1[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function Selectznz is a multi-limb conditional select. - Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Selectznz(out1 *[5]uint32, arg1 uint1, arg2 *[5]uint32, arg3 *[5]uint32) { - var x1 uint32 - cmovznzU32(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint32 - cmovznzU32(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint32 - cmovznzU32(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint32 - cmovznzU32(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint32 - cmovznzU32(&x5, arg1, (arg2[4]), (arg3[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + var x1 uint32 + cmovznzU32(&x1, arg1, arg2[0], arg3[0]) + var x2 uint32 + cmovznzU32(&x2, arg1, arg2[1], arg3[1]) + var x3 uint32 + cmovznzU32(&x3, arg1, arg2[2], arg3[2]) + var x4 uint32 + cmovznzU32(&x4, arg1, arg2[3], arg3[3]) + var x5 uint32 + cmovznzU32(&x5, arg1, arg2[4], arg3[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function ToBytes serializes a field element to bytes in little-endian order. 
- Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] - - Input Bounds: - arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] - */ -/*inline*/ +// ToBytes serializes a field element to bytes in little-endian order. +// +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] +// +// Input Bounds: +// arg1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] func ToBytes(out1 *[17]uint8, arg1 *[5]uint32) { - var x1 uint32 - var x2 uint1 - subborrowxU26(&x1, &x2, 0x0, (arg1[0]), 0x3fffffb) - var x3 uint32 - var x4 uint1 - subborrowxU26(&x3, &x4, x2, (arg1[1]), 0x3ffffff) - var x5 uint32 - var x6 uint1 - subborrowxU26(&x5, &x6, x4, (arg1[2]), 0x3ffffff) - var x7 uint32 - var x8 uint1 - subborrowxU26(&x7, &x8, x6, (arg1[3]), 0x3ffffff) - var x9 uint32 - var x10 uint1 - subborrowxU26(&x9, &x10, x8, (arg1[4]), 0x3ffffff) - var x11 uint32 - cmovznzU32(&x11, x10, uint32(0x0), 0xffffffff) - var x12 uint32 - var x13 uint1 - addcarryxU26(&x12, &x13, 0x0, x1, (x11 & 0x3fffffb)) - var x14 uint32 - var x15 uint1 - addcarryxU26(&x14, &x15, x13, x3, (x11 & 0x3ffffff)) - var x16 uint32 - var x17 uint1 - addcarryxU26(&x16, &x17, x15, x5, (x11 & 0x3ffffff)) - var x18 uint32 - var x19 uint1 - addcarryxU26(&x18, &x19, x17, x7, (x11 & 
0x3ffffff)) - var x20 uint32 - var x21 uint1 - addcarryxU26(&x20, &x21, x19, x9, (x11 & 0x3ffffff)) - var x22 uint32 = (x18 << 6) - var x23 uint32 = (x16 << 4) - var x24 uint32 = (x14 << 2) - var x25 uint8 = (uint8(x12) & 0xff) - var x26 uint32 = (x12 >> 8) - var x27 uint8 = (uint8(x26) & 0xff) - var x28 uint32 = (x26 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint8 = uint8((x28 >> 8)) - var x31 uint32 = (x24 + uint32(x30)) - var x32 uint8 = (uint8(x31) & 0xff) - var x33 uint32 = (x31 >> 8) - var x34 uint8 = (uint8(x33) & 0xff) - var x35 uint32 = (x33 >> 8) - var x36 uint8 = (uint8(x35) & 0xff) - var x37 uint8 = uint8((x35 >> 8)) - var x38 uint32 = (x23 + uint32(x37)) - var x39 uint8 = (uint8(x38) & 0xff) - var x40 uint32 = (x38 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint32 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint8 = uint8((x42 >> 8)) - var x45 uint32 = (x22 + uint32(x44)) - var x46 uint8 = (uint8(x45) & 0xff) - var x47 uint32 = (x45 >> 8) - var x48 uint8 = (uint8(x47) & 0xff) - var x49 uint32 = (x47 >> 8) - var x50 uint8 = (uint8(x49) & 0xff) - var x51 uint8 = uint8((x49 >> 8)) - var x52 uint8 = (uint8(x20) & 0xff) - var x53 uint32 = (x20 >> 8) - var x54 uint8 = (uint8(x53) & 0xff) - var x55 uint32 = (x53 >> 8) - var x56 uint8 = (uint8(x55) & 0xff) - var x57 uint8 = uint8((x55 >> 8)) - out1[0] = x25 - out1[1] = x27 - out1[2] = x29 - out1[3] = x32 - out1[4] = x34 - out1[5] = x36 - out1[6] = x39 - out1[7] = x41 - out1[8] = x43 - out1[9] = x46 - out1[10] = x48 - out1[11] = x50 - out1[12] = x51 - out1[13] = x52 - out1[14] = x54 - out1[15] = x56 - out1[16] = x57 + var x1 uint32 + var x2 uint1 + subborrowxU26(&x1, &x2, 0x0, arg1[0], 0x3fffffb) + var x3 uint32 + var x4 uint1 + subborrowxU26(&x3, &x4, x2, arg1[1], 0x3ffffff) + var x5 uint32 + var x6 uint1 + subborrowxU26(&x5, &x6, x4, arg1[2], 0x3ffffff) + var x7 uint32 + var x8 uint1 + subborrowxU26(&x7, &x8, x6, arg1[3], 0x3ffffff) + var x9 uint32 + var x10 uint1 + 
subborrowxU26(&x9, &x10, x8, arg1[4], 0x3ffffff) + var x11 uint32 + cmovznzU32(&x11, x10, uint32(0x0), 0xffffffff) + var x12 uint32 + var x13 uint1 + addcarryxU26(&x12, &x13, 0x0, x1, (x11 & 0x3fffffb)) + var x14 uint32 + var x15 uint1 + addcarryxU26(&x14, &x15, x13, x3, (x11 & 0x3ffffff)) + var x16 uint32 + var x17 uint1 + addcarryxU26(&x16, &x17, x15, x5, (x11 & 0x3ffffff)) + var x18 uint32 + var x19 uint1 + addcarryxU26(&x18, &x19, x17, x7, (x11 & 0x3ffffff)) + var x20 uint32 + var x21 uint1 + addcarryxU26(&x20, &x21, x19, x9, (x11 & 0x3ffffff)) + x22 := (x18 << 6) + x23 := (x16 << 4) + x24 := (x14 << 2) + x25 := (uint8(x12) & 0xff) + x26 := (x12 >> 8) + x27 := (uint8(x26) & 0xff) + x28 := (x26 >> 8) + x29 := (uint8(x28) & 0xff) + x30 := uint8((x28 >> 8)) + x31 := (x24 + uint32(x30)) + x32 := (uint8(x31) & 0xff) + x33 := (x31 >> 8) + x34 := (uint8(x33) & 0xff) + x35 := (x33 >> 8) + x36 := (uint8(x35) & 0xff) + x37 := uint8((x35 >> 8)) + x38 := (x23 + uint32(x37)) + x39 := (uint8(x38) & 0xff) + x40 := (x38 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := (uint8(x42) & 0xff) + x44 := uint8((x42 >> 8)) + x45 := (x22 + uint32(x44)) + x46 := (uint8(x45) & 0xff) + x47 := (x45 >> 8) + x48 := (uint8(x47) & 0xff) + x49 := (x47 >> 8) + x50 := (uint8(x49) & 0xff) + x51 := uint8((x49 >> 8)) + x52 := (uint8(x20) & 0xff) + x53 := (x20 >> 8) + x54 := (uint8(x53) & 0xff) + x55 := (x53 >> 8) + x56 := (uint8(x55) & 0xff) + x57 := uint8((x55 >> 8)) + out1[0] = x25 + out1[1] = x27 + out1[2] = x29 + out1[3] = x32 + out1[4] = x34 + out1[5] = x36 + out1[6] = x39 + out1[7] = x41 + out1[8] = x43 + out1[9] = x46 + out1[10] = x48 + out1[11] = x50 + out1[12] = x51 + out1[13] = x52 + out1[14] = x54 + out1[15] = x56 + out1[16] = x57 } -/* - The function FromBytes deserializes a field element from bytes in little-endian order. 
- Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] - Output Bounds: - out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] - */ -/*inline*/ +// FromBytes deserializes a field element from bytes in little-endian order. +// +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] +// Output Bounds: +// out1: [[0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000], [0x0 ~> 0x4000000]] func FromBytes(out1 *[5]uint32, arg1 *[17]uint8) { - var x1 uint32 = (uint32((arg1[16])) << 24) - var x2 uint32 = (uint32((arg1[15])) << 16) - var x3 uint32 = (uint32((arg1[14])) << 8) - var x4 uint8 = (arg1[13]) - var x5 uint32 = (uint32((arg1[12])) << 18) - var x6 uint32 = (uint32((arg1[11])) << 10) - var x7 uint32 = (uint32((arg1[10])) << 2) - var x8 uint32 = (uint32((arg1[9])) << 20) - var x9 uint32 = (uint32((arg1[8])) << 12) - var x10 uint32 = (uint32((arg1[7])) << 4) - var x11 uint32 = (uint32((arg1[6])) << 22) - var x12 uint32 = (uint32((arg1[5])) << 14) - var x13 uint32 = (uint32((arg1[4])) << 6) - var x14 uint32 = (uint32((arg1[3])) << 24) - var x15 uint32 = (uint32((arg1[2])) << 16) - var x16 uint32 = (uint32((arg1[1])) << 8) - var x17 uint8 = (arg1[0]) - var x18 uint32 = (x16 + uint32(x17)) - var x19 uint32 = (x15 + x18) - var x20 uint32 = (x14 + x19) - var x21 uint32 = (x20 & 0x3ffffff) - var x22 uint8 = uint8((x20 >> 26)) - 
var x23 uint32 = (x13 + uint32(x22)) - var x24 uint32 = (x12 + x23) - var x25 uint32 = (x11 + x24) - var x26 uint32 = (x25 & 0x3ffffff) - var x27 uint8 = uint8((x25 >> 26)) - var x28 uint32 = (x10 + uint32(x27)) - var x29 uint32 = (x9 + x28) - var x30 uint32 = (x8 + x29) - var x31 uint32 = (x30 & 0x3ffffff) - var x32 uint8 = uint8((x30 >> 26)) - var x33 uint32 = (x7 + uint32(x32)) - var x34 uint32 = (x6 + x33) - var x35 uint32 = (x5 + x34) - var x36 uint32 = (x3 + uint32(x4)) - var x37 uint32 = (x2 + x36) - var x38 uint32 = (x1 + x37) - out1[0] = x21 - out1[1] = x26 - out1[2] = x31 - out1[3] = x35 - out1[4] = x38 + x1 := (uint32(arg1[16]) << 24) + x2 := (uint32(arg1[15]) << 16) + x3 := (uint32(arg1[14]) << 8) + x4 := arg1[13] + x5 := (uint32(arg1[12]) << 18) + x6 := (uint32(arg1[11]) << 10) + x7 := (uint32(arg1[10]) << 2) + x8 := (uint32(arg1[9]) << 20) + x9 := (uint32(arg1[8]) << 12) + x10 := (uint32(arg1[7]) << 4) + x11 := (uint32(arg1[6]) << 22) + x12 := (uint32(arg1[5]) << 14) + x13 := (uint32(arg1[4]) << 6) + x14 := (uint32(arg1[3]) << 24) + x15 := (uint32(arg1[2]) << 16) + x16 := (uint32(arg1[1]) << 8) + x17 := arg1[0] + x18 := (x16 + uint32(x17)) + x19 := (x15 + x18) + x20 := (x14 + x19) + x21 := (x20 & 0x3ffffff) + x22 := uint8((x20 >> 26)) + x23 := (x13 + uint32(x22)) + x24 := (x12 + x23) + x25 := (x11 + x24) + x26 := (x25 & 0x3ffffff) + x27 := uint8((x25 >> 26)) + x28 := (x10 + uint32(x27)) + x29 := (x9 + x28) + x30 := (x8 + x29) + x31 := (x30 & 0x3ffffff) + x32 := uint8((x30 >> 26)) + x33 := (x7 + uint32(x32)) + x34 := (x6 + x33) + x35 := (x5 + x34) + x36 := (x3 + uint32(x4)) + x37 := (x2 + x36) + x38 := (x1 + x37) + out1[0] = x21 + out1[1] = x26 + out1[2] = x31 + out1[3] = x35 + out1[4] = x38 } - diff --git a/fiat-go/32/secp256k1/secp256k1.go b/fiat-go/32/secp256k1/secp256k1.go index a700b404793..46ed9350e35 100644 --- a/fiat-go/32/secp256k1/secp256k1.go +++ b/fiat-go/32/secp256k1/secp256k1.go 
@@ -1,5269 +1,5232 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name secp256k1 '' 32 '2^256 - 2^32 - 977' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): secp256k1 - - machine_wordsize = 32 (from "32") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f (from "2^256 - 2^32 - 977") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in - - if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name secp256k1 '' 32 '2^256 - 2^32 - 977' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): secp256k1 +// +// machine_wordsize = 32 (from "32") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f (from "2^256 - 2^32 - 977") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. +// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in +// +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 package secp256k1 import "math/bits" + type uint1 uint8 type int1 int8 -/* The 
function addcarryxU32 is a thin wrapper around bits.Add32 that uses uint1 rather than uint32 */ +// addcarryxU32 is a thin wrapper around bits.Add32 that uses uint1 rather than uint32 func addcarryxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Add32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add32(x, y, uint32(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 rather than uint32 */ +// subborrowxU32 is a thin wrapper around bits.Sub32 that uses uint1 rather than uint32 func subborrowxU32(x uint32, y uint32, carry uint1) (uint32, uint1) { - var sum uint32 - var carryOut uint32 - sum, carryOut = bits.Sub32(x, y, uint32(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub32(x, y, uint32(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU32 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffff] - arg3: [0x0 ~> 0xffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// cmovznzU32 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffff] +// arg3: [0x0 ~> 0xffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func cmovznzU32(out1 *uint32, arg1 uint1, arg2 uint32, arg3 uint32) { - var x1 uint32 = (uint32(arg1) * 0xffffffff) - var x2 uint32 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint32(arg1) * 0xffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Mul(out1 *[8]uint32, arg1 *[8]uint32, arg2 *[8]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[0]) - var x9 uint32 - var x10 uint32 - x10, x9 = bits.Mul32(x8, (arg2[7])) - 
var x11 uint32 - var x12 uint32 - x12, x11 = bits.Mul32(x8, (arg2[6])) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x8, (arg2[5])) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x8, (arg2[4])) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x8, (arg2[3])) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x8, (arg2[2])) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x8, (arg2[1])) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x8, (arg2[0])) - var x25 uint32 - var x26 uint1 - x25, x26 = addcarryxU32(x24, x21, 0x0) - var x27 uint32 - var x28 uint1 - x27, x28 = addcarryxU32(x22, x19, x26) - var x29 uint32 - var x30 uint1 - x29, x30 = addcarryxU32(x20, x17, x28) - var x31 uint32 - var x32 uint1 - x31, x32 = addcarryxU32(x18, x15, x30) - var x33 uint32 - var x34 uint1 - x33, x34 = addcarryxU32(x16, x13, x32) - var x35 uint32 - var x36 uint1 - x35, x36 = addcarryxU32(x14, x11, x34) - var x37 uint32 - var x38 uint1 - x37, x38 = addcarryxU32(x12, x9, x36) - var x39 uint32 = (uint32(x38) + x10) - var x40 uint32 - _, x40 = bits.Mul32(x23, 0xd2253531) - var x42 uint32 - var x43 uint32 - x43, x42 = bits.Mul32(x40, 0xffffffff) - var x44 uint32 - var x45 uint32 - x45, x44 = bits.Mul32(x40, 0xffffffff) - var x46 uint32 - var x47 uint32 - x47, x46 = bits.Mul32(x40, 0xffffffff) - var x48 uint32 - var x49 uint32 - x49, x48 = bits.Mul32(x40, 0xffffffff) - var x50 uint32 - var x51 uint32 - x51, x50 = bits.Mul32(x40, 0xffffffff) - var x52 uint32 - var x53 uint32 - x53, x52 = bits.Mul32(x40, 0xffffffff) - var x54 uint32 - var x55 uint32 - x55, x54 = bits.Mul32(x40, 0xfffffffe) - var x56 uint32 - var x57 uint32 - x57, x56 = bits.Mul32(x40, 0xfffffc2f) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x57, x54, 0x0) - var x60 uint32 - var x61 uint1 - x60, x61 = addcarryxU32(x55, x52, x59) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x53, x50, x61) - var x64 uint32 - var x65 uint1 - x64, x65 = 
addcarryxU32(x51, x48, x63) - var x66 uint32 - var x67 uint1 - x66, x67 = addcarryxU32(x49, x46, x65) - var x68 uint32 - var x69 uint1 - x68, x69 = addcarryxU32(x47, x44, x67) - var x70 uint32 - var x71 uint1 - x70, x71 = addcarryxU32(x45, x42, x69) - var x72 uint32 = (uint32(x71) + x43) - var x74 uint1 - _, x74 = addcarryxU32(x23, x56, 0x0) - var x75 uint32 - var x76 uint1 - x75, x76 = addcarryxU32(x25, x58, x74) - var x77 uint32 - var x78 uint1 - x77, x78 = addcarryxU32(x27, x60, x76) - var x79 uint32 - var x80 uint1 - x79, x80 = addcarryxU32(x29, x62, x78) - var x81 uint32 - var x82 uint1 - x81, x82 = addcarryxU32(x31, x64, x80) - var x83 uint32 - var x84 uint1 - x83, x84 = addcarryxU32(x33, x66, x82) - var x85 uint32 - var x86 uint1 - x85, x86 = addcarryxU32(x35, x68, x84) - var x87 uint32 - var x88 uint1 - x87, x88 = addcarryxU32(x37, x70, x86) - var x89 uint32 - var x90 uint1 - x89, x90 = addcarryxU32(x39, x72, x88) - var x91 uint32 - var x92 uint32 - x92, x91 = bits.Mul32(x1, (arg2[7])) - var x93 uint32 - var x94 uint32 - x94, x93 = bits.Mul32(x1, (arg2[6])) - var x95 uint32 - var x96 uint32 - x96, x95 = bits.Mul32(x1, (arg2[5])) - var x97 uint32 - var x98 uint32 - x98, x97 = bits.Mul32(x1, (arg2[4])) - var x99 uint32 - var x100 uint32 - x100, x99 = bits.Mul32(x1, (arg2[3])) - var x101 uint32 - var x102 uint32 - x102, x101 = bits.Mul32(x1, (arg2[2])) - var x103 uint32 - var x104 uint32 - x104, x103 = bits.Mul32(x1, (arg2[1])) - var x105 uint32 - var x106 uint32 - x106, x105 = bits.Mul32(x1, (arg2[0])) - var x107 uint32 - var x108 uint1 - x107, x108 = addcarryxU32(x106, x103, 0x0) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(x104, x101, x108) - var x111 uint32 - var x112 uint1 - x111, x112 = addcarryxU32(x102, x99, x110) - var x113 uint32 - var x114 uint1 - x113, x114 = addcarryxU32(x100, x97, x112) - var x115 uint32 - var x116 uint1 - x115, x116 = addcarryxU32(x98, x95, x114) - var x117 uint32 - var x118 uint1 - x117, x118 = 
addcarryxU32(x96, x93, x116) - var x119 uint32 - var x120 uint1 - x119, x120 = addcarryxU32(x94, x91, x118) - var x121 uint32 = (uint32(x120) + x92) - var x122 uint32 - var x123 uint1 - x122, x123 = addcarryxU32(x75, x105, 0x0) - var x124 uint32 - var x125 uint1 - x124, x125 = addcarryxU32(x77, x107, x123) - var x126 uint32 - var x127 uint1 - x126, x127 = addcarryxU32(x79, x109, x125) - var x128 uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x81, x111, x127) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x83, x113, x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x85, x115, x131) - var x134 uint32 - var x135 uint1 - x134, x135 = addcarryxU32(x87, x117, x133) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x89, x119, x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(uint32(x90), x121, x137) - var x140 uint32 - _, x140 = bits.Mul32(x122, 0xd2253531) - var x142 uint32 - var x143 uint32 - x143, x142 = bits.Mul32(x140, 0xffffffff) - var x144 uint32 - var x145 uint32 - x145, x144 = bits.Mul32(x140, 0xffffffff) - var x146 uint32 - var x147 uint32 - x147, x146 = bits.Mul32(x140, 0xffffffff) - var x148 uint32 - var x149 uint32 - x149, x148 = bits.Mul32(x140, 0xffffffff) - var x150 uint32 - var x151 uint32 - x151, x150 = bits.Mul32(x140, 0xffffffff) - var x152 uint32 - var x153 uint32 - x153, x152 = bits.Mul32(x140, 0xffffffff) - var x154 uint32 - var x155 uint32 - x155, x154 = bits.Mul32(x140, 0xfffffffe) - var x156 uint32 - var x157 uint32 - x157, x156 = bits.Mul32(x140, 0xfffffc2f) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x157, x154, 0x0) - var x160 uint32 - var x161 uint1 - x160, x161 = addcarryxU32(x155, x152, x159) - var x162 uint32 - var x163 uint1 - x162, x163 = addcarryxU32(x153, x150, x161) - var x164 uint32 - var x165 uint1 - x164, x165 = addcarryxU32(x151, x148, x163) - var x166 uint32 - var x167 uint1 - x166, x167 = addcarryxU32(x149, x146, x165) - var x168 uint32 - 
var x169 uint1 - x168, x169 = addcarryxU32(x147, x144, x167) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x145, x142, x169) - var x172 uint32 = (uint32(x171) + x143) - var x174 uint1 - _, x174 = addcarryxU32(x122, x156, 0x0) - var x175 uint32 - var x176 uint1 - x175, x176 = addcarryxU32(x124, x158, x174) - var x177 uint32 - var x178 uint1 - x177, x178 = addcarryxU32(x126, x160, x176) - var x179 uint32 - var x180 uint1 - x179, x180 = addcarryxU32(x128, x162, x178) - var x181 uint32 - var x182 uint1 - x181, x182 = addcarryxU32(x130, x164, x180) - var x183 uint32 - var x184 uint1 - x183, x184 = addcarryxU32(x132, x166, x182) - var x185 uint32 - var x186 uint1 - x185, x186 = addcarryxU32(x134, x168, x184) - var x187 uint32 - var x188 uint1 - x187, x188 = addcarryxU32(x136, x170, x186) - var x189 uint32 - var x190 uint1 - x189, x190 = addcarryxU32(x138, x172, x188) - var x191 uint32 = (uint32(x190) + uint32(x139)) - var x192 uint32 - var x193 uint32 - x193, x192 = bits.Mul32(x2, (arg2[7])) - var x194 uint32 - var x195 uint32 - x195, x194 = bits.Mul32(x2, (arg2[6])) - var x196 uint32 - var x197 uint32 - x197, x196 = bits.Mul32(x2, (arg2[5])) - var x198 uint32 - var x199 uint32 - x199, x198 = bits.Mul32(x2, (arg2[4])) - var x200 uint32 - var x201 uint32 - x201, x200 = bits.Mul32(x2, (arg2[3])) - var x202 uint32 - var x203 uint32 - x203, x202 = bits.Mul32(x2, (arg2[2])) - var x204 uint32 - var x205 uint32 - x205, x204 = bits.Mul32(x2, (arg2[1])) - var x206 uint32 - var x207 uint32 - x207, x206 = bits.Mul32(x2, (arg2[0])) - var x208 uint32 - var x209 uint1 - x208, x209 = addcarryxU32(x207, x204, 0x0) - var x210 uint32 - var x211 uint1 - x210, x211 = addcarryxU32(x205, x202, x209) - var x212 uint32 - var x213 uint1 - x212, x213 = addcarryxU32(x203, x200, x211) - var x214 uint32 - var x215 uint1 - x214, x215 = addcarryxU32(x201, x198, x213) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x199, x196, x215) - var x218 uint32 - var x219 uint1 - 
x218, x219 = addcarryxU32(x197, x194, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x195, x192, x219) - var x222 uint32 = (uint32(x221) + x193) - var x223 uint32 - var x224 uint1 - x223, x224 = addcarryxU32(x175, x206, 0x0) - var x225 uint32 - var x226 uint1 - x225, x226 = addcarryxU32(x177, x208, x224) - var x227 uint32 - var x228 uint1 - x227, x228 = addcarryxU32(x179, x210, x226) - var x229 uint32 - var x230 uint1 - x229, x230 = addcarryxU32(x181, x212, x228) - var x231 uint32 - var x232 uint1 - x231, x232 = addcarryxU32(x183, x214, x230) - var x233 uint32 - var x234 uint1 - x233, x234 = addcarryxU32(x185, x216, x232) - var x235 uint32 - var x236 uint1 - x235, x236 = addcarryxU32(x187, x218, x234) - var x237 uint32 - var x238 uint1 - x237, x238 = addcarryxU32(x189, x220, x236) - var x239 uint32 - var x240 uint1 - x239, x240 = addcarryxU32(x191, x222, x238) - var x241 uint32 - _, x241 = bits.Mul32(x223, 0xd2253531) - var x243 uint32 - var x244 uint32 - x244, x243 = bits.Mul32(x241, 0xffffffff) - var x245 uint32 - var x246 uint32 - x246, x245 = bits.Mul32(x241, 0xffffffff) - var x247 uint32 - var x248 uint32 - x248, x247 = bits.Mul32(x241, 0xffffffff) - var x249 uint32 - var x250 uint32 - x250, x249 = bits.Mul32(x241, 0xffffffff) - var x251 uint32 - var x252 uint32 - x252, x251 = bits.Mul32(x241, 0xffffffff) - var x253 uint32 - var x254 uint32 - x254, x253 = bits.Mul32(x241, 0xffffffff) - var x255 uint32 - var x256 uint32 - x256, x255 = bits.Mul32(x241, 0xfffffffe) - var x257 uint32 - var x258 uint32 - x258, x257 = bits.Mul32(x241, 0xfffffc2f) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x258, x255, 0x0) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x256, x253, x260) - var x263 uint32 - var x264 uint1 - x263, x264 = addcarryxU32(x254, x251, x262) - var x265 uint32 - var x266 uint1 - x265, x266 = addcarryxU32(x252, x249, x264) - var x267 uint32 - var x268 uint1 - x267, x268 = addcarryxU32(x250, x247, x266) - 
var x269 uint32 - var x270 uint1 - x269, x270 = addcarryxU32(x248, x245, x268) - var x271 uint32 - var x272 uint1 - x271, x272 = addcarryxU32(x246, x243, x270) - var x273 uint32 = (uint32(x272) + x244) - var x275 uint1 - _, x275 = addcarryxU32(x223, x257, 0x0) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x225, x259, x275) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32(x227, x261, x277) - var x280 uint32 - var x281 uint1 - x280, x281 = addcarryxU32(x229, x263, x279) - var x282 uint32 - var x283 uint1 - x282, x283 = addcarryxU32(x231, x265, x281) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x233, x267, x283) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x235, x269, x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x237, x271, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x239, x273, x289) - var x292 uint32 = (uint32(x291) + uint32(x240)) - var x293 uint32 - var x294 uint32 - x294, x293 = bits.Mul32(x3, (arg2[7])) - var x295 uint32 - var x296 uint32 - x296, x295 = bits.Mul32(x3, (arg2[6])) - var x297 uint32 - var x298 uint32 - x298, x297 = bits.Mul32(x3, (arg2[5])) - var x299 uint32 - var x300 uint32 - x300, x299 = bits.Mul32(x3, (arg2[4])) - var x301 uint32 - var x302 uint32 - x302, x301 = bits.Mul32(x3, (arg2[3])) - var x303 uint32 - var x304 uint32 - x304, x303 = bits.Mul32(x3, (arg2[2])) - var x305 uint32 - var x306 uint32 - x306, x305 = bits.Mul32(x3, (arg2[1])) - var x307 uint32 - var x308 uint32 - x308, x307 = bits.Mul32(x3, (arg2[0])) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x308, x305, 0x0) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x306, x303, x310) - var x313 uint32 - var x314 uint1 - x313, x314 = addcarryxU32(x304, x301, x312) - var x315 uint32 - var x316 uint1 - x315, x316 = addcarryxU32(x302, x299, x314) - var x317 uint32 - var x318 uint1 - x317, x318 = addcarryxU32(x300, x297, x316) - var x319 uint32 - 
var x320 uint1 - x319, x320 = addcarryxU32(x298, x295, x318) - var x321 uint32 - var x322 uint1 - x321, x322 = addcarryxU32(x296, x293, x320) - var x323 uint32 = (uint32(x322) + x294) - var x324 uint32 - var x325 uint1 - x324, x325 = addcarryxU32(x276, x307, 0x0) - var x326 uint32 - var x327 uint1 - x326, x327 = addcarryxU32(x278, x309, x325) - var x328 uint32 - var x329 uint1 - x328, x329 = addcarryxU32(x280, x311, x327) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x282, x313, x329) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x284, x315, x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x286, x317, x333) - var x336 uint32 - var x337 uint1 - x336, x337 = addcarryxU32(x288, x319, x335) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x290, x321, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x292, x323, x339) - var x342 uint32 - _, x342 = bits.Mul32(x324, 0xd2253531) - var x344 uint32 - var x345 uint32 - x345, x344 = bits.Mul32(x342, 0xffffffff) - var x346 uint32 - var x347 uint32 - x347, x346 = bits.Mul32(x342, 0xffffffff) - var x348 uint32 - var x349 uint32 - x349, x348 = bits.Mul32(x342, 0xffffffff) - var x350 uint32 - var x351 uint32 - x351, x350 = bits.Mul32(x342, 0xffffffff) - var x352 uint32 - var x353 uint32 - x353, x352 = bits.Mul32(x342, 0xffffffff) - var x354 uint32 - var x355 uint32 - x355, x354 = bits.Mul32(x342, 0xffffffff) - var x356 uint32 - var x357 uint32 - x357, x356 = bits.Mul32(x342, 0xfffffffe) - var x358 uint32 - var x359 uint32 - x359, x358 = bits.Mul32(x342, 0xfffffc2f) - var x360 uint32 - var x361 uint1 - x360, x361 = addcarryxU32(x359, x356, 0x0) - var x362 uint32 - var x363 uint1 - x362, x363 = addcarryxU32(x357, x354, x361) - var x364 uint32 - var x365 uint1 - x364, x365 = addcarryxU32(x355, x352, x363) - var x366 uint32 - var x367 uint1 - x366, x367 = addcarryxU32(x353, x350, x365) - var x368 uint32 - var x369 uint1 - x368, x369 = 
addcarryxU32(x351, x348, x367) - var x370 uint32 - var x371 uint1 - x370, x371 = addcarryxU32(x349, x346, x369) - var x372 uint32 - var x373 uint1 - x372, x373 = addcarryxU32(x347, x344, x371) - var x374 uint32 = (uint32(x373) + x345) - var x376 uint1 - _, x376 = addcarryxU32(x324, x358, 0x0) - var x377 uint32 - var x378 uint1 - x377, x378 = addcarryxU32(x326, x360, x376) - var x379 uint32 - var x380 uint1 - x379, x380 = addcarryxU32(x328, x362, x378) - var x381 uint32 - var x382 uint1 - x381, x382 = addcarryxU32(x330, x364, x380) - var x383 uint32 - var x384 uint1 - x383, x384 = addcarryxU32(x332, x366, x382) - var x385 uint32 - var x386 uint1 - x385, x386 = addcarryxU32(x334, x368, x384) - var x387 uint32 - var x388 uint1 - x387, x388 = addcarryxU32(x336, x370, x386) - var x389 uint32 - var x390 uint1 - x389, x390 = addcarryxU32(x338, x372, x388) - var x391 uint32 - var x392 uint1 - x391, x392 = addcarryxU32(x340, x374, x390) - var x393 uint32 = (uint32(x392) + uint32(x341)) - var x394 uint32 - var x395 uint32 - x395, x394 = bits.Mul32(x4, (arg2[7])) - var x396 uint32 - var x397 uint32 - x397, x396 = bits.Mul32(x4, (arg2[6])) - var x398 uint32 - var x399 uint32 - x399, x398 = bits.Mul32(x4, (arg2[5])) - var x400 uint32 - var x401 uint32 - x401, x400 = bits.Mul32(x4, (arg2[4])) - var x402 uint32 - var x403 uint32 - x403, x402 = bits.Mul32(x4, (arg2[3])) - var x404 uint32 - var x405 uint32 - x405, x404 = bits.Mul32(x4, (arg2[2])) - var x406 uint32 - var x407 uint32 - x407, x406 = bits.Mul32(x4, (arg2[1])) - var x408 uint32 - var x409 uint32 - x409, x408 = bits.Mul32(x4, (arg2[0])) - var x410 uint32 - var x411 uint1 - x410, x411 = addcarryxU32(x409, x406, 0x0) - var x412 uint32 - var x413 uint1 - x412, x413 = addcarryxU32(x407, x404, x411) - var x414 uint32 - var x415 uint1 - x414, x415 = addcarryxU32(x405, x402, x413) - var x416 uint32 - var x417 uint1 - x416, x417 = addcarryxU32(x403, x400, x415) - var x418 uint32 - var x419 uint1 - x418, x419 = addcarryxU32(x401, 
x398, x417) - var x420 uint32 - var x421 uint1 - x420, x421 = addcarryxU32(x399, x396, x419) - var x422 uint32 - var x423 uint1 - x422, x423 = addcarryxU32(x397, x394, x421) - var x424 uint32 = (uint32(x423) + x395) - var x425 uint32 - var x426 uint1 - x425, x426 = addcarryxU32(x377, x408, 0x0) - var x427 uint32 - var x428 uint1 - x427, x428 = addcarryxU32(x379, x410, x426) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x381, x412, x428) - var x431 uint32 - var x432 uint1 - x431, x432 = addcarryxU32(x383, x414, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x385, x416, x432) - var x435 uint32 - var x436 uint1 - x435, x436 = addcarryxU32(x387, x418, x434) - var x437 uint32 - var x438 uint1 - x437, x438 = addcarryxU32(x389, x420, x436) - var x439 uint32 - var x440 uint1 - x439, x440 = addcarryxU32(x391, x422, x438) - var x441 uint32 - var x442 uint1 - x441, x442 = addcarryxU32(x393, x424, x440) - var x443 uint32 - _, x443 = bits.Mul32(x425, 0xd2253531) - var x445 uint32 - var x446 uint32 - x446, x445 = bits.Mul32(x443, 0xffffffff) - var x447 uint32 - var x448 uint32 - x448, x447 = bits.Mul32(x443, 0xffffffff) - var x449 uint32 - var x450 uint32 - x450, x449 = bits.Mul32(x443, 0xffffffff) - var x451 uint32 - var x452 uint32 - x452, x451 = bits.Mul32(x443, 0xffffffff) - var x453 uint32 - var x454 uint32 - x454, x453 = bits.Mul32(x443, 0xffffffff) - var x455 uint32 - var x456 uint32 - x456, x455 = bits.Mul32(x443, 0xffffffff) - var x457 uint32 - var x458 uint32 - x458, x457 = bits.Mul32(x443, 0xfffffffe) - var x459 uint32 - var x460 uint32 - x460, x459 = bits.Mul32(x443, 0xfffffc2f) - var x461 uint32 - var x462 uint1 - x461, x462 = addcarryxU32(x460, x457, 0x0) - var x463 uint32 - var x464 uint1 - x463, x464 = addcarryxU32(x458, x455, x462) - var x465 uint32 - var x466 uint1 - x465, x466 = addcarryxU32(x456, x453, x464) - var x467 uint32 - var x468 uint1 - x467, x468 = addcarryxU32(x454, x451, x466) - var x469 uint32 - var x470 
uint1 - x469, x470 = addcarryxU32(x452, x449, x468) - var x471 uint32 - var x472 uint1 - x471, x472 = addcarryxU32(x450, x447, x470) - var x473 uint32 - var x474 uint1 - x473, x474 = addcarryxU32(x448, x445, x472) - var x475 uint32 = (uint32(x474) + x446) - var x477 uint1 - _, x477 = addcarryxU32(x425, x459, 0x0) - var x478 uint32 - var x479 uint1 - x478, x479 = addcarryxU32(x427, x461, x477) - var x480 uint32 - var x481 uint1 - x480, x481 = addcarryxU32(x429, x463, x479) - var x482 uint32 - var x483 uint1 - x482, x483 = addcarryxU32(x431, x465, x481) - var x484 uint32 - var x485 uint1 - x484, x485 = addcarryxU32(x433, x467, x483) - var x486 uint32 - var x487 uint1 - x486, x487 = addcarryxU32(x435, x469, x485) - var x488 uint32 - var x489 uint1 - x488, x489 = addcarryxU32(x437, x471, x487) - var x490 uint32 - var x491 uint1 - x490, x491 = addcarryxU32(x439, x473, x489) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x441, x475, x491) - var x494 uint32 = (uint32(x493) + uint32(x442)) - var x495 uint32 - var x496 uint32 - x496, x495 = bits.Mul32(x5, (arg2[7])) - var x497 uint32 - var x498 uint32 - x498, x497 = bits.Mul32(x5, (arg2[6])) - var x499 uint32 - var x500 uint32 - x500, x499 = bits.Mul32(x5, (arg2[5])) - var x501 uint32 - var x502 uint32 - x502, x501 = bits.Mul32(x5, (arg2[4])) - var x503 uint32 - var x504 uint32 - x504, x503 = bits.Mul32(x5, (arg2[3])) - var x505 uint32 - var x506 uint32 - x506, x505 = bits.Mul32(x5, (arg2[2])) - var x507 uint32 - var x508 uint32 - x508, x507 = bits.Mul32(x5, (arg2[1])) - var x509 uint32 - var x510 uint32 - x510, x509 = bits.Mul32(x5, (arg2[0])) - var x511 uint32 - var x512 uint1 - x511, x512 = addcarryxU32(x510, x507, 0x0) - var x513 uint32 - var x514 uint1 - x513, x514 = addcarryxU32(x508, x505, x512) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x506, x503, x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x504, x501, x516) - var x519 uint32 - var x520 uint1 - x519, x520 
= addcarryxU32(x502, x499, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x500, x497, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x498, x495, x522) - var x525 uint32 = (uint32(x524) + x496) - var x526 uint32 - var x527 uint1 - x526, x527 = addcarryxU32(x478, x509, 0x0) - var x528 uint32 - var x529 uint1 - x528, x529 = addcarryxU32(x480, x511, x527) - var x530 uint32 - var x531 uint1 - x530, x531 = addcarryxU32(x482, x513, x529) - var x532 uint32 - var x533 uint1 - x532, x533 = addcarryxU32(x484, x515, x531) - var x534 uint32 - var x535 uint1 - x534, x535 = addcarryxU32(x486, x517, x533) - var x536 uint32 - var x537 uint1 - x536, x537 = addcarryxU32(x488, x519, x535) - var x538 uint32 - var x539 uint1 - x538, x539 = addcarryxU32(x490, x521, x537) - var x540 uint32 - var x541 uint1 - x540, x541 = addcarryxU32(x492, x523, x539) - var x542 uint32 - var x543 uint1 - x542, x543 = addcarryxU32(x494, x525, x541) - var x544 uint32 - _, x544 = bits.Mul32(x526, 0xd2253531) - var x546 uint32 - var x547 uint32 - x547, x546 = bits.Mul32(x544, 0xffffffff) - var x548 uint32 - var x549 uint32 - x549, x548 = bits.Mul32(x544, 0xffffffff) - var x550 uint32 - var x551 uint32 - x551, x550 = bits.Mul32(x544, 0xffffffff) - var x552 uint32 - var x553 uint32 - x553, x552 = bits.Mul32(x544, 0xffffffff) - var x554 uint32 - var x555 uint32 - x555, x554 = bits.Mul32(x544, 0xffffffff) - var x556 uint32 - var x557 uint32 - x557, x556 = bits.Mul32(x544, 0xffffffff) - var x558 uint32 - var x559 uint32 - x559, x558 = bits.Mul32(x544, 0xfffffffe) - var x560 uint32 - var x561 uint32 - x561, x560 = bits.Mul32(x544, 0xfffffc2f) - var x562 uint32 - var x563 uint1 - x562, x563 = addcarryxU32(x561, x558, 0x0) - var x564 uint32 - var x565 uint1 - x564, x565 = addcarryxU32(x559, x556, x563) - var x566 uint32 - var x567 uint1 - x566, x567 = addcarryxU32(x557, x554, x565) - var x568 uint32 - var x569 uint1 - x568, x569 = addcarryxU32(x555, x552, x567) - var x570 
uint32 - var x571 uint1 - x570, x571 = addcarryxU32(x553, x550, x569) - var x572 uint32 - var x573 uint1 - x572, x573 = addcarryxU32(x551, x548, x571) - var x574 uint32 - var x575 uint1 - x574, x575 = addcarryxU32(x549, x546, x573) - var x576 uint32 = (uint32(x575) + x547) - var x578 uint1 - _, x578 = addcarryxU32(x526, x560, 0x0) - var x579 uint32 - var x580 uint1 - x579, x580 = addcarryxU32(x528, x562, x578) - var x581 uint32 - var x582 uint1 - x581, x582 = addcarryxU32(x530, x564, x580) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32(x532, x566, x582) - var x585 uint32 - var x586 uint1 - x585, x586 = addcarryxU32(x534, x568, x584) - var x587 uint32 - var x588 uint1 - x587, x588 = addcarryxU32(x536, x570, x586) - var x589 uint32 - var x590 uint1 - x589, x590 = addcarryxU32(x538, x572, x588) - var x591 uint32 - var x592 uint1 - x591, x592 = addcarryxU32(x540, x574, x590) - var x593 uint32 - var x594 uint1 - x593, x594 = addcarryxU32(x542, x576, x592) - var x595 uint32 = (uint32(x594) + uint32(x543)) - var x596 uint32 - var x597 uint32 - x597, x596 = bits.Mul32(x6, (arg2[7])) - var x598 uint32 - var x599 uint32 - x599, x598 = bits.Mul32(x6, (arg2[6])) - var x600 uint32 - var x601 uint32 - x601, x600 = bits.Mul32(x6, (arg2[5])) - var x602 uint32 - var x603 uint32 - x603, x602 = bits.Mul32(x6, (arg2[4])) - var x604 uint32 - var x605 uint32 - x605, x604 = bits.Mul32(x6, (arg2[3])) - var x606 uint32 - var x607 uint32 - x607, x606 = bits.Mul32(x6, (arg2[2])) - var x608 uint32 - var x609 uint32 - x609, x608 = bits.Mul32(x6, (arg2[1])) - var x610 uint32 - var x611 uint32 - x611, x610 = bits.Mul32(x6, (arg2[0])) - var x612 uint32 - var x613 uint1 - x612, x613 = addcarryxU32(x611, x608, 0x0) - var x614 uint32 - var x615 uint1 - x614, x615 = addcarryxU32(x609, x606, x613) - var x616 uint32 - var x617 uint1 - x616, x617 = addcarryxU32(x607, x604, x615) - var x618 uint32 - var x619 uint1 - x618, x619 = addcarryxU32(x605, x602, x617) - var x620 uint32 - var x621 
uint1 - x620, x621 = addcarryxU32(x603, x600, x619) - var x622 uint32 - var x623 uint1 - x622, x623 = addcarryxU32(x601, x598, x621) - var x624 uint32 - var x625 uint1 - x624, x625 = addcarryxU32(x599, x596, x623) - var x626 uint32 = (uint32(x625) + x597) - var x627 uint32 - var x628 uint1 - x627, x628 = addcarryxU32(x579, x610, 0x0) - var x629 uint32 - var x630 uint1 - x629, x630 = addcarryxU32(x581, x612, x628) - var x631 uint32 - var x632 uint1 - x631, x632 = addcarryxU32(x583, x614, x630) - var x633 uint32 - var x634 uint1 - x633, x634 = addcarryxU32(x585, x616, x632) - var x635 uint32 - var x636 uint1 - x635, x636 = addcarryxU32(x587, x618, x634) - var x637 uint32 - var x638 uint1 - x637, x638 = addcarryxU32(x589, x620, x636) - var x639 uint32 - var x640 uint1 - x639, x640 = addcarryxU32(x591, x622, x638) - var x641 uint32 - var x642 uint1 - x641, x642 = addcarryxU32(x593, x624, x640) - var x643 uint32 - var x644 uint1 - x643, x644 = addcarryxU32(x595, x626, x642) - var x645 uint32 - _, x645 = bits.Mul32(x627, 0xd2253531) - var x647 uint32 - var x648 uint32 - x648, x647 = bits.Mul32(x645, 0xffffffff) - var x649 uint32 - var x650 uint32 - x650, x649 = bits.Mul32(x645, 0xffffffff) - var x651 uint32 - var x652 uint32 - x652, x651 = bits.Mul32(x645, 0xffffffff) - var x653 uint32 - var x654 uint32 - x654, x653 = bits.Mul32(x645, 0xffffffff) - var x655 uint32 - var x656 uint32 - x656, x655 = bits.Mul32(x645, 0xffffffff) - var x657 uint32 - var x658 uint32 - x658, x657 = bits.Mul32(x645, 0xffffffff) - var x659 uint32 - var x660 uint32 - x660, x659 = bits.Mul32(x645, 0xfffffffe) - var x661 uint32 - var x662 uint32 - x662, x661 = bits.Mul32(x645, 0xfffffc2f) - var x663 uint32 - var x664 uint1 - x663, x664 = addcarryxU32(x662, x659, 0x0) - var x665 uint32 - var x666 uint1 - x665, x666 = addcarryxU32(x660, x657, x664) - var x667 uint32 - var x668 uint1 - x667, x668 = addcarryxU32(x658, x655, x666) - var x669 uint32 - var x670 uint1 - x669, x670 = addcarryxU32(x656, x653, 
x668) - var x671 uint32 - var x672 uint1 - x671, x672 = addcarryxU32(x654, x651, x670) - var x673 uint32 - var x674 uint1 - x673, x674 = addcarryxU32(x652, x649, x672) - var x675 uint32 - var x676 uint1 - x675, x676 = addcarryxU32(x650, x647, x674) - var x677 uint32 = (uint32(x676) + x648) - var x679 uint1 - _, x679 = addcarryxU32(x627, x661, 0x0) - var x680 uint32 - var x681 uint1 - x680, x681 = addcarryxU32(x629, x663, x679) - var x682 uint32 - var x683 uint1 - x682, x683 = addcarryxU32(x631, x665, x681) - var x684 uint32 - var x685 uint1 - x684, x685 = addcarryxU32(x633, x667, x683) - var x686 uint32 - var x687 uint1 - x686, x687 = addcarryxU32(x635, x669, x685) - var x688 uint32 - var x689 uint1 - x688, x689 = addcarryxU32(x637, x671, x687) - var x690 uint32 - var x691 uint1 - x690, x691 = addcarryxU32(x639, x673, x689) - var x692 uint32 - var x693 uint1 - x692, x693 = addcarryxU32(x641, x675, x691) - var x694 uint32 - var x695 uint1 - x694, x695 = addcarryxU32(x643, x677, x693) - var x696 uint32 = (uint32(x695) + uint32(x644)) - var x697 uint32 - var x698 uint32 - x698, x697 = bits.Mul32(x7, (arg2[7])) - var x699 uint32 - var x700 uint32 - x700, x699 = bits.Mul32(x7, (arg2[6])) - var x701 uint32 - var x702 uint32 - x702, x701 = bits.Mul32(x7, (arg2[5])) - var x703 uint32 - var x704 uint32 - x704, x703 = bits.Mul32(x7, (arg2[4])) - var x705 uint32 - var x706 uint32 - x706, x705 = bits.Mul32(x7, (arg2[3])) - var x707 uint32 - var x708 uint32 - x708, x707 = bits.Mul32(x7, (arg2[2])) - var x709 uint32 - var x710 uint32 - x710, x709 = bits.Mul32(x7, (arg2[1])) - var x711 uint32 - var x712 uint32 - x712, x711 = bits.Mul32(x7, (arg2[0])) - var x713 uint32 - var x714 uint1 - x713, x714 = addcarryxU32(x712, x709, 0x0) - var x715 uint32 - var x716 uint1 - x715, x716 = addcarryxU32(x710, x707, x714) - var x717 uint32 - var x718 uint1 - x717, x718 = addcarryxU32(x708, x705, x716) - var x719 uint32 - var x720 uint1 - x719, x720 = addcarryxU32(x706, x703, x718) - var x721 
uint32 - var x722 uint1 - x721, x722 = addcarryxU32(x704, x701, x720) - var x723 uint32 - var x724 uint1 - x723, x724 = addcarryxU32(x702, x699, x722) - var x725 uint32 - var x726 uint1 - x725, x726 = addcarryxU32(x700, x697, x724) - var x727 uint32 = (uint32(x726) + x698) - var x728 uint32 - var x729 uint1 - x728, x729 = addcarryxU32(x680, x711, 0x0) - var x730 uint32 - var x731 uint1 - x730, x731 = addcarryxU32(x682, x713, x729) - var x732 uint32 - var x733 uint1 - x732, x733 = addcarryxU32(x684, x715, x731) - var x734 uint32 - var x735 uint1 - x734, x735 = addcarryxU32(x686, x717, x733) - var x736 uint32 - var x737 uint1 - x736, x737 = addcarryxU32(x688, x719, x735) - var x738 uint32 - var x739 uint1 - x738, x739 = addcarryxU32(x690, x721, x737) - var x740 uint32 - var x741 uint1 - x740, x741 = addcarryxU32(x692, x723, x739) - var x742 uint32 - var x743 uint1 - x742, x743 = addcarryxU32(x694, x725, x741) - var x744 uint32 - var x745 uint1 - x744, x745 = addcarryxU32(x696, x727, x743) - var x746 uint32 - _, x746 = bits.Mul32(x728, 0xd2253531) - var x748 uint32 - var x749 uint32 - x749, x748 = bits.Mul32(x746, 0xffffffff) - var x750 uint32 - var x751 uint32 - x751, x750 = bits.Mul32(x746, 0xffffffff) - var x752 uint32 - var x753 uint32 - x753, x752 = bits.Mul32(x746, 0xffffffff) - var x754 uint32 - var x755 uint32 - x755, x754 = bits.Mul32(x746, 0xffffffff) - var x756 uint32 - var x757 uint32 - x757, x756 = bits.Mul32(x746, 0xffffffff) - var x758 uint32 - var x759 uint32 - x759, x758 = bits.Mul32(x746, 0xffffffff) - var x760 uint32 - var x761 uint32 - x761, x760 = bits.Mul32(x746, 0xfffffffe) - var x762 uint32 - var x763 uint32 - x763, x762 = bits.Mul32(x746, 0xfffffc2f) - var x764 uint32 - var x765 uint1 - x764, x765 = addcarryxU32(x763, x760, 0x0) - var x766 uint32 - var x767 uint1 - x766, x767 = addcarryxU32(x761, x758, x765) - var x768 uint32 - var x769 uint1 - x768, x769 = addcarryxU32(x759, x756, x767) - var x770 uint32 - var x771 uint1 - x770, x771 = 
addcarryxU32(x757, x754, x769) - var x772 uint32 - var x773 uint1 - x772, x773 = addcarryxU32(x755, x752, x771) - var x774 uint32 - var x775 uint1 - x774, x775 = addcarryxU32(x753, x750, x773) - var x776 uint32 - var x777 uint1 - x776, x777 = addcarryxU32(x751, x748, x775) - var x778 uint32 = (uint32(x777) + x749) - var x780 uint1 - _, x780 = addcarryxU32(x728, x762, 0x0) - var x781 uint32 - var x782 uint1 - x781, x782 = addcarryxU32(x730, x764, x780) - var x783 uint32 - var x784 uint1 - x783, x784 = addcarryxU32(x732, x766, x782) - var x785 uint32 - var x786 uint1 - x785, x786 = addcarryxU32(x734, x768, x784) - var x787 uint32 - var x788 uint1 - x787, x788 = addcarryxU32(x736, x770, x786) - var x789 uint32 - var x790 uint1 - x789, x790 = addcarryxU32(x738, x772, x788) - var x791 uint32 - var x792 uint1 - x791, x792 = addcarryxU32(x740, x774, x790) - var x793 uint32 - var x794 uint1 - x793, x794 = addcarryxU32(x742, x776, x792) - var x795 uint32 - var x796 uint1 - x795, x796 = addcarryxU32(x744, x778, x794) - var x797 uint32 = (uint32(x796) + uint32(x745)) - var x798 uint32 - var x799 uint1 - x798, x799 = subborrowxU32(x781, 0xfffffc2f, 0x0) - var x800 uint32 - var x801 uint1 - x800, x801 = subborrowxU32(x783, 0xfffffffe, x799) - var x802 uint32 - var x803 uint1 - x802, x803 = subborrowxU32(x785, 0xffffffff, x801) - var x804 uint32 - var x805 uint1 - x804, x805 = subborrowxU32(x787, 0xffffffff, x803) - var x806 uint32 - var x807 uint1 - x806, x807 = subborrowxU32(x789, 0xffffffff, x805) - var x808 uint32 - var x809 uint1 - x808, x809 = subborrowxU32(x791, 0xffffffff, x807) - var x810 uint32 - var x811 uint1 - x810, x811 = subborrowxU32(x793, 0xffffffff, x809) - var x812 uint32 - var x813 uint1 - x812, x813 = subborrowxU32(x795, 0xffffffff, x811) - var x815 uint1 - _, x815 = subborrowxU32(x797, uint32(0x0), x813) - var x816 uint32 - cmovznzU32(&x816, x815, x798, x781) - var x817 uint32 - cmovznzU32(&x817, x815, x800, x783) - var x818 uint32 - cmovznzU32(&x818, x815, 
x802, x785) - var x819 uint32 - cmovznzU32(&x819, x815, x804, x787) - var x820 uint32 - cmovznzU32(&x820, x815, x806, x789) - var x821 uint32 - cmovznzU32(&x821, x815, x808, x791) - var x822 uint32 - cmovznzU32(&x822, x815, x810, x793) - var x823 uint32 - cmovznzU32(&x823, x815, x812, x795) - out1[0] = x816 - out1[1] = x817 - out1[2] = x818 - out1[3] = x819 - out1[4] = x820 - out1[5] = x821 - out1[6] = x822 - out1[7] = x823 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[0] + var x9 uint32 + var x10 uint32 + x10, x9 = bits.Mul32(x8, arg2[7]) + var x11 uint32 + var x12 uint32 + x12, x11 = bits.Mul32(x8, arg2[6]) + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x8, arg2[5]) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x8, arg2[4]) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x8, arg2[3]) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x8, arg2[2]) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x8, arg2[1]) + var x23 uint32 + var x24 uint32 + x24, x23 = bits.Mul32(x8, arg2[0]) + var x25 uint32 + var x26 uint1 + x25, x26 = addcarryxU32(x24, x21, 0x0) + var x27 uint32 + var x28 uint1 + x27, x28 = addcarryxU32(x22, x19, x26) + var x29 uint32 + var x30 uint1 + x29, x30 = addcarryxU32(x20, x17, x28) + var x31 uint32 + var x32 uint1 + x31, x32 = addcarryxU32(x18, x15, x30) + var x33 uint32 + var x34 uint1 + x33, x34 = addcarryxU32(x16, x13, x32) + var x35 uint32 + var x36 uint1 + x35, x36 = addcarryxU32(x14, x11, x34) + var x37 uint32 + var x38 uint1 + x37, x38 = addcarryxU32(x12, x9, x36) + x39 := (uint32(x38) + x10) + var x40 uint32 + _, x40 = bits.Mul32(x23, 0xd2253531) + var x42 uint32 + var x43 uint32 + x43, x42 = bits.Mul32(x40, 0xffffffff) + var x44 uint32 + var x45 uint32 + x45, x44 = bits.Mul32(x40, 0xffffffff) + var x46 uint32 + var x47 uint32 + x47, x46 = bits.Mul32(x40, 0xffffffff) + var x48 uint32 + var x49 uint32 + x49, x48 = 
bits.Mul32(x40, 0xffffffff) + var x50 uint32 + var x51 uint32 + x51, x50 = bits.Mul32(x40, 0xffffffff) + var x52 uint32 + var x53 uint32 + x53, x52 = bits.Mul32(x40, 0xffffffff) + var x54 uint32 + var x55 uint32 + x55, x54 = bits.Mul32(x40, 0xfffffffe) + var x56 uint32 + var x57 uint32 + x57, x56 = bits.Mul32(x40, 0xfffffc2f) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x57, x54, 0x0) + var x60 uint32 + var x61 uint1 + x60, x61 = addcarryxU32(x55, x52, x59) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x53, x50, x61) + var x64 uint32 + var x65 uint1 + x64, x65 = addcarryxU32(x51, x48, x63) + var x66 uint32 + var x67 uint1 + x66, x67 = addcarryxU32(x49, x46, x65) + var x68 uint32 + var x69 uint1 + x68, x69 = addcarryxU32(x47, x44, x67) + var x70 uint32 + var x71 uint1 + x70, x71 = addcarryxU32(x45, x42, x69) + x72 := (uint32(x71) + x43) + var x74 uint1 + _, x74 = addcarryxU32(x23, x56, 0x0) + var x75 uint32 + var x76 uint1 + x75, x76 = addcarryxU32(x25, x58, x74) + var x77 uint32 + var x78 uint1 + x77, x78 = addcarryxU32(x27, x60, x76) + var x79 uint32 + var x80 uint1 + x79, x80 = addcarryxU32(x29, x62, x78) + var x81 uint32 + var x82 uint1 + x81, x82 = addcarryxU32(x31, x64, x80) + var x83 uint32 + var x84 uint1 + x83, x84 = addcarryxU32(x33, x66, x82) + var x85 uint32 + var x86 uint1 + x85, x86 = addcarryxU32(x35, x68, x84) + var x87 uint32 + var x88 uint1 + x87, x88 = addcarryxU32(x37, x70, x86) + var x89 uint32 + var x90 uint1 + x89, x90 = addcarryxU32(x39, x72, x88) + var x91 uint32 + var x92 uint32 + x92, x91 = bits.Mul32(x1, arg2[7]) + var x93 uint32 + var x94 uint32 + x94, x93 = bits.Mul32(x1, arg2[6]) + var x95 uint32 + var x96 uint32 + x96, x95 = bits.Mul32(x1, arg2[5]) + var x97 uint32 + var x98 uint32 + x98, x97 = bits.Mul32(x1, arg2[4]) + var x99 uint32 + var x100 uint32 + x100, x99 = bits.Mul32(x1, arg2[3]) + var x101 uint32 + var x102 uint32 + x102, x101 = bits.Mul32(x1, arg2[2]) + var x103 uint32 + var x104 uint32 + x104, 
x103 = bits.Mul32(x1, arg2[1]) + var x105 uint32 + var x106 uint32 + x106, x105 = bits.Mul32(x1, arg2[0]) + var x107 uint32 + var x108 uint1 + x107, x108 = addcarryxU32(x106, x103, 0x0) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(x104, x101, x108) + var x111 uint32 + var x112 uint1 + x111, x112 = addcarryxU32(x102, x99, x110) + var x113 uint32 + var x114 uint1 + x113, x114 = addcarryxU32(x100, x97, x112) + var x115 uint32 + var x116 uint1 + x115, x116 = addcarryxU32(x98, x95, x114) + var x117 uint32 + var x118 uint1 + x117, x118 = addcarryxU32(x96, x93, x116) + var x119 uint32 + var x120 uint1 + x119, x120 = addcarryxU32(x94, x91, x118) + x121 := (uint32(x120) + x92) + var x122 uint32 + var x123 uint1 + x122, x123 = addcarryxU32(x75, x105, 0x0) + var x124 uint32 + var x125 uint1 + x124, x125 = addcarryxU32(x77, x107, x123) + var x126 uint32 + var x127 uint1 + x126, x127 = addcarryxU32(x79, x109, x125) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x81, x111, x127) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x83, x113, x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x85, x115, x131) + var x134 uint32 + var x135 uint1 + x134, x135 = addcarryxU32(x87, x117, x133) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x89, x119, x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(uint32(x90), x121, x137) + var x140 uint32 + _, x140 = bits.Mul32(x122, 0xd2253531) + var x142 uint32 + var x143 uint32 + x143, x142 = bits.Mul32(x140, 0xffffffff) + var x144 uint32 + var x145 uint32 + x145, x144 = bits.Mul32(x140, 0xffffffff) + var x146 uint32 + var x147 uint32 + x147, x146 = bits.Mul32(x140, 0xffffffff) + var x148 uint32 + var x149 uint32 + x149, x148 = bits.Mul32(x140, 0xffffffff) + var x150 uint32 + var x151 uint32 + x151, x150 = bits.Mul32(x140, 0xffffffff) + var x152 uint32 + var x153 uint32 + x153, x152 = bits.Mul32(x140, 0xffffffff) + var x154 uint32 + var x155 uint32 + 
x155, x154 = bits.Mul32(x140, 0xfffffffe) + var x156 uint32 + var x157 uint32 + x157, x156 = bits.Mul32(x140, 0xfffffc2f) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x157, x154, 0x0) + var x160 uint32 + var x161 uint1 + x160, x161 = addcarryxU32(x155, x152, x159) + var x162 uint32 + var x163 uint1 + x162, x163 = addcarryxU32(x153, x150, x161) + var x164 uint32 + var x165 uint1 + x164, x165 = addcarryxU32(x151, x148, x163) + var x166 uint32 + var x167 uint1 + x166, x167 = addcarryxU32(x149, x146, x165) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x147, x144, x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x145, x142, x169) + x172 := (uint32(x171) + x143) + var x174 uint1 + _, x174 = addcarryxU32(x122, x156, 0x0) + var x175 uint32 + var x176 uint1 + x175, x176 = addcarryxU32(x124, x158, x174) + var x177 uint32 + var x178 uint1 + x177, x178 = addcarryxU32(x126, x160, x176) + var x179 uint32 + var x180 uint1 + x179, x180 = addcarryxU32(x128, x162, x178) + var x181 uint32 + var x182 uint1 + x181, x182 = addcarryxU32(x130, x164, x180) + var x183 uint32 + var x184 uint1 + x183, x184 = addcarryxU32(x132, x166, x182) + var x185 uint32 + var x186 uint1 + x185, x186 = addcarryxU32(x134, x168, x184) + var x187 uint32 + var x188 uint1 + x187, x188 = addcarryxU32(x136, x170, x186) + var x189 uint32 + var x190 uint1 + x189, x190 = addcarryxU32(x138, x172, x188) + x191 := (uint32(x190) + uint32(x139)) + var x192 uint32 + var x193 uint32 + x193, x192 = bits.Mul32(x2, arg2[7]) + var x194 uint32 + var x195 uint32 + x195, x194 = bits.Mul32(x2, arg2[6]) + var x196 uint32 + var x197 uint32 + x197, x196 = bits.Mul32(x2, arg2[5]) + var x198 uint32 + var x199 uint32 + x199, x198 = bits.Mul32(x2, arg2[4]) + var x200 uint32 + var x201 uint32 + x201, x200 = bits.Mul32(x2, arg2[3]) + var x202 uint32 + var x203 uint32 + x203, x202 = bits.Mul32(x2, arg2[2]) + var x204 uint32 + var x205 uint32 + x205, x204 = bits.Mul32(x2, arg2[1]) + var 
x206 uint32 + var x207 uint32 + x207, x206 = bits.Mul32(x2, arg2[0]) + var x208 uint32 + var x209 uint1 + x208, x209 = addcarryxU32(x207, x204, 0x0) + var x210 uint32 + var x211 uint1 + x210, x211 = addcarryxU32(x205, x202, x209) + var x212 uint32 + var x213 uint1 + x212, x213 = addcarryxU32(x203, x200, x211) + var x214 uint32 + var x215 uint1 + x214, x215 = addcarryxU32(x201, x198, x213) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x199, x196, x215) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x197, x194, x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x195, x192, x219) + x222 := (uint32(x221) + x193) + var x223 uint32 + var x224 uint1 + x223, x224 = addcarryxU32(x175, x206, 0x0) + var x225 uint32 + var x226 uint1 + x225, x226 = addcarryxU32(x177, x208, x224) + var x227 uint32 + var x228 uint1 + x227, x228 = addcarryxU32(x179, x210, x226) + var x229 uint32 + var x230 uint1 + x229, x230 = addcarryxU32(x181, x212, x228) + var x231 uint32 + var x232 uint1 + x231, x232 = addcarryxU32(x183, x214, x230) + var x233 uint32 + var x234 uint1 + x233, x234 = addcarryxU32(x185, x216, x232) + var x235 uint32 + var x236 uint1 + x235, x236 = addcarryxU32(x187, x218, x234) + var x237 uint32 + var x238 uint1 + x237, x238 = addcarryxU32(x189, x220, x236) + var x239 uint32 + var x240 uint1 + x239, x240 = addcarryxU32(x191, x222, x238) + var x241 uint32 + _, x241 = bits.Mul32(x223, 0xd2253531) + var x243 uint32 + var x244 uint32 + x244, x243 = bits.Mul32(x241, 0xffffffff) + var x245 uint32 + var x246 uint32 + x246, x245 = bits.Mul32(x241, 0xffffffff) + var x247 uint32 + var x248 uint32 + x248, x247 = bits.Mul32(x241, 0xffffffff) + var x249 uint32 + var x250 uint32 + x250, x249 = bits.Mul32(x241, 0xffffffff) + var x251 uint32 + var x252 uint32 + x252, x251 = bits.Mul32(x241, 0xffffffff) + var x253 uint32 + var x254 uint32 + x254, x253 = bits.Mul32(x241, 0xffffffff) + var x255 uint32 + var x256 uint32 + x256, x255 = 
bits.Mul32(x241, 0xfffffffe) + var x257 uint32 + var x258 uint32 + x258, x257 = bits.Mul32(x241, 0xfffffc2f) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x258, x255, 0x0) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x256, x253, x260) + var x263 uint32 + var x264 uint1 + x263, x264 = addcarryxU32(x254, x251, x262) + var x265 uint32 + var x266 uint1 + x265, x266 = addcarryxU32(x252, x249, x264) + var x267 uint32 + var x268 uint1 + x267, x268 = addcarryxU32(x250, x247, x266) + var x269 uint32 + var x270 uint1 + x269, x270 = addcarryxU32(x248, x245, x268) + var x271 uint32 + var x272 uint1 + x271, x272 = addcarryxU32(x246, x243, x270) + x273 := (uint32(x272) + x244) + var x275 uint1 + _, x275 = addcarryxU32(x223, x257, 0x0) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x225, x259, x275) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32(x227, x261, x277) + var x280 uint32 + var x281 uint1 + x280, x281 = addcarryxU32(x229, x263, x279) + var x282 uint32 + var x283 uint1 + x282, x283 = addcarryxU32(x231, x265, x281) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x233, x267, x283) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x235, x269, x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x237, x271, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x239, x273, x289) + x292 := (uint32(x291) + uint32(x240)) + var x293 uint32 + var x294 uint32 + x294, x293 = bits.Mul32(x3, arg2[7]) + var x295 uint32 + var x296 uint32 + x296, x295 = bits.Mul32(x3, arg2[6]) + var x297 uint32 + var x298 uint32 + x298, x297 = bits.Mul32(x3, arg2[5]) + var x299 uint32 + var x300 uint32 + x300, x299 = bits.Mul32(x3, arg2[4]) + var x301 uint32 + var x302 uint32 + x302, x301 = bits.Mul32(x3, arg2[3]) + var x303 uint32 + var x304 uint32 + x304, x303 = bits.Mul32(x3, arg2[2]) + var x305 uint32 + var x306 uint32 + x306, x305 = bits.Mul32(x3, arg2[1]) + var x307 uint32 + 
var x308 uint32 + x308, x307 = bits.Mul32(x3, arg2[0]) + var x309 uint32 + var x310 uint1 + x309, x310 = addcarryxU32(x308, x305, 0x0) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x306, x303, x310) + var x313 uint32 + var x314 uint1 + x313, x314 = addcarryxU32(x304, x301, x312) + var x315 uint32 + var x316 uint1 + x315, x316 = addcarryxU32(x302, x299, x314) + var x317 uint32 + var x318 uint1 + x317, x318 = addcarryxU32(x300, x297, x316) + var x319 uint32 + var x320 uint1 + x319, x320 = addcarryxU32(x298, x295, x318) + var x321 uint32 + var x322 uint1 + x321, x322 = addcarryxU32(x296, x293, x320) + x323 := (uint32(x322) + x294) + var x324 uint32 + var x325 uint1 + x324, x325 = addcarryxU32(x276, x307, 0x0) + var x326 uint32 + var x327 uint1 + x326, x327 = addcarryxU32(x278, x309, x325) + var x328 uint32 + var x329 uint1 + x328, x329 = addcarryxU32(x280, x311, x327) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x282, x313, x329) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x284, x315, x331) + var x334 uint32 + var x335 uint1 + x334, x335 = addcarryxU32(x286, x317, x333) + var x336 uint32 + var x337 uint1 + x336, x337 = addcarryxU32(x288, x319, x335) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x290, x321, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x292, x323, x339) + var x342 uint32 + _, x342 = bits.Mul32(x324, 0xd2253531) + var x344 uint32 + var x345 uint32 + x345, x344 = bits.Mul32(x342, 0xffffffff) + var x346 uint32 + var x347 uint32 + x347, x346 = bits.Mul32(x342, 0xffffffff) + var x348 uint32 + var x349 uint32 + x349, x348 = bits.Mul32(x342, 0xffffffff) + var x350 uint32 + var x351 uint32 + x351, x350 = bits.Mul32(x342, 0xffffffff) + var x352 uint32 + var x353 uint32 + x353, x352 = bits.Mul32(x342, 0xffffffff) + var x354 uint32 + var x355 uint32 + x355, x354 = bits.Mul32(x342, 0xffffffff) + var x356 uint32 + var x357 uint32 + x357, x356 = bits.Mul32(x342, 0xfffffffe) 
+ var x358 uint32 + var x359 uint32 + x359, x358 = bits.Mul32(x342, 0xfffffc2f) + var x360 uint32 + var x361 uint1 + x360, x361 = addcarryxU32(x359, x356, 0x0) + var x362 uint32 + var x363 uint1 + x362, x363 = addcarryxU32(x357, x354, x361) + var x364 uint32 + var x365 uint1 + x364, x365 = addcarryxU32(x355, x352, x363) + var x366 uint32 + var x367 uint1 + x366, x367 = addcarryxU32(x353, x350, x365) + var x368 uint32 + var x369 uint1 + x368, x369 = addcarryxU32(x351, x348, x367) + var x370 uint32 + var x371 uint1 + x370, x371 = addcarryxU32(x349, x346, x369) + var x372 uint32 + var x373 uint1 + x372, x373 = addcarryxU32(x347, x344, x371) + x374 := (uint32(x373) + x345) + var x376 uint1 + _, x376 = addcarryxU32(x324, x358, 0x0) + var x377 uint32 + var x378 uint1 + x377, x378 = addcarryxU32(x326, x360, x376) + var x379 uint32 + var x380 uint1 + x379, x380 = addcarryxU32(x328, x362, x378) + var x381 uint32 + var x382 uint1 + x381, x382 = addcarryxU32(x330, x364, x380) + var x383 uint32 + var x384 uint1 + x383, x384 = addcarryxU32(x332, x366, x382) + var x385 uint32 + var x386 uint1 + x385, x386 = addcarryxU32(x334, x368, x384) + var x387 uint32 + var x388 uint1 + x387, x388 = addcarryxU32(x336, x370, x386) + var x389 uint32 + var x390 uint1 + x389, x390 = addcarryxU32(x338, x372, x388) + var x391 uint32 + var x392 uint1 + x391, x392 = addcarryxU32(x340, x374, x390) + x393 := (uint32(x392) + uint32(x341)) + var x394 uint32 + var x395 uint32 + x395, x394 = bits.Mul32(x4, arg2[7]) + var x396 uint32 + var x397 uint32 + x397, x396 = bits.Mul32(x4, arg2[6]) + var x398 uint32 + var x399 uint32 + x399, x398 = bits.Mul32(x4, arg2[5]) + var x400 uint32 + var x401 uint32 + x401, x400 = bits.Mul32(x4, arg2[4]) + var x402 uint32 + var x403 uint32 + x403, x402 = bits.Mul32(x4, arg2[3]) + var x404 uint32 + var x405 uint32 + x405, x404 = bits.Mul32(x4, arg2[2]) + var x406 uint32 + var x407 uint32 + x407, x406 = bits.Mul32(x4, arg2[1]) + var x408 uint32 + var x409 uint32 + x409, x408 
= bits.Mul32(x4, arg2[0]) + var x410 uint32 + var x411 uint1 + x410, x411 = addcarryxU32(x409, x406, 0x0) + var x412 uint32 + var x413 uint1 + x412, x413 = addcarryxU32(x407, x404, x411) + var x414 uint32 + var x415 uint1 + x414, x415 = addcarryxU32(x405, x402, x413) + var x416 uint32 + var x417 uint1 + x416, x417 = addcarryxU32(x403, x400, x415) + var x418 uint32 + var x419 uint1 + x418, x419 = addcarryxU32(x401, x398, x417) + var x420 uint32 + var x421 uint1 + x420, x421 = addcarryxU32(x399, x396, x419) + var x422 uint32 + var x423 uint1 + x422, x423 = addcarryxU32(x397, x394, x421) + x424 := (uint32(x423) + x395) + var x425 uint32 + var x426 uint1 + x425, x426 = addcarryxU32(x377, x408, 0x0) + var x427 uint32 + var x428 uint1 + x427, x428 = addcarryxU32(x379, x410, x426) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x381, x412, x428) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x383, x414, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x385, x416, x432) + var x435 uint32 + var x436 uint1 + x435, x436 = addcarryxU32(x387, x418, x434) + var x437 uint32 + var x438 uint1 + x437, x438 = addcarryxU32(x389, x420, x436) + var x439 uint32 + var x440 uint1 + x439, x440 = addcarryxU32(x391, x422, x438) + var x441 uint32 + var x442 uint1 + x441, x442 = addcarryxU32(x393, x424, x440) + var x443 uint32 + _, x443 = bits.Mul32(x425, 0xd2253531) + var x445 uint32 + var x446 uint32 + x446, x445 = bits.Mul32(x443, 0xffffffff) + var x447 uint32 + var x448 uint32 + x448, x447 = bits.Mul32(x443, 0xffffffff) + var x449 uint32 + var x450 uint32 + x450, x449 = bits.Mul32(x443, 0xffffffff) + var x451 uint32 + var x452 uint32 + x452, x451 = bits.Mul32(x443, 0xffffffff) + var x453 uint32 + var x454 uint32 + x454, x453 = bits.Mul32(x443, 0xffffffff) + var x455 uint32 + var x456 uint32 + x456, x455 = bits.Mul32(x443, 0xffffffff) + var x457 uint32 + var x458 uint32 + x458, x457 = bits.Mul32(x443, 0xfffffffe) + var x459 uint32 + var x460 
uint32 + x460, x459 = bits.Mul32(x443, 0xfffffc2f) + var x461 uint32 + var x462 uint1 + x461, x462 = addcarryxU32(x460, x457, 0x0) + var x463 uint32 + var x464 uint1 + x463, x464 = addcarryxU32(x458, x455, x462) + var x465 uint32 + var x466 uint1 + x465, x466 = addcarryxU32(x456, x453, x464) + var x467 uint32 + var x468 uint1 + x467, x468 = addcarryxU32(x454, x451, x466) + var x469 uint32 + var x470 uint1 + x469, x470 = addcarryxU32(x452, x449, x468) + var x471 uint32 + var x472 uint1 + x471, x472 = addcarryxU32(x450, x447, x470) + var x473 uint32 + var x474 uint1 + x473, x474 = addcarryxU32(x448, x445, x472) + x475 := (uint32(x474) + x446) + var x477 uint1 + _, x477 = addcarryxU32(x425, x459, 0x0) + var x478 uint32 + var x479 uint1 + x478, x479 = addcarryxU32(x427, x461, x477) + var x480 uint32 + var x481 uint1 + x480, x481 = addcarryxU32(x429, x463, x479) + var x482 uint32 + var x483 uint1 + x482, x483 = addcarryxU32(x431, x465, x481) + var x484 uint32 + var x485 uint1 + x484, x485 = addcarryxU32(x433, x467, x483) + var x486 uint32 + var x487 uint1 + x486, x487 = addcarryxU32(x435, x469, x485) + var x488 uint32 + var x489 uint1 + x488, x489 = addcarryxU32(x437, x471, x487) + var x490 uint32 + var x491 uint1 + x490, x491 = addcarryxU32(x439, x473, x489) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x441, x475, x491) + x494 := (uint32(x493) + uint32(x442)) + var x495 uint32 + var x496 uint32 + x496, x495 = bits.Mul32(x5, arg2[7]) + var x497 uint32 + var x498 uint32 + x498, x497 = bits.Mul32(x5, arg2[6]) + var x499 uint32 + var x500 uint32 + x500, x499 = bits.Mul32(x5, arg2[5]) + var x501 uint32 + var x502 uint32 + x502, x501 = bits.Mul32(x5, arg2[4]) + var x503 uint32 + var x504 uint32 + x504, x503 = bits.Mul32(x5, arg2[3]) + var x505 uint32 + var x506 uint32 + x506, x505 = bits.Mul32(x5, arg2[2]) + var x507 uint32 + var x508 uint32 + x508, x507 = bits.Mul32(x5, arg2[1]) + var x509 uint32 + var x510 uint32 + x510, x509 = bits.Mul32(x5, arg2[0]) + 
var x511 uint32 + var x512 uint1 + x511, x512 = addcarryxU32(x510, x507, 0x0) + var x513 uint32 + var x514 uint1 + x513, x514 = addcarryxU32(x508, x505, x512) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x506, x503, x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x504, x501, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x502, x499, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x500, x497, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x498, x495, x522) + x525 := (uint32(x524) + x496) + var x526 uint32 + var x527 uint1 + x526, x527 = addcarryxU32(x478, x509, 0x0) + var x528 uint32 + var x529 uint1 + x528, x529 = addcarryxU32(x480, x511, x527) + var x530 uint32 + var x531 uint1 + x530, x531 = addcarryxU32(x482, x513, x529) + var x532 uint32 + var x533 uint1 + x532, x533 = addcarryxU32(x484, x515, x531) + var x534 uint32 + var x535 uint1 + x534, x535 = addcarryxU32(x486, x517, x533) + var x536 uint32 + var x537 uint1 + x536, x537 = addcarryxU32(x488, x519, x535) + var x538 uint32 + var x539 uint1 + x538, x539 = addcarryxU32(x490, x521, x537) + var x540 uint32 + var x541 uint1 + x540, x541 = addcarryxU32(x492, x523, x539) + var x542 uint32 + var x543 uint1 + x542, x543 = addcarryxU32(x494, x525, x541) + var x544 uint32 + _, x544 = bits.Mul32(x526, 0xd2253531) + var x546 uint32 + var x547 uint32 + x547, x546 = bits.Mul32(x544, 0xffffffff) + var x548 uint32 + var x549 uint32 + x549, x548 = bits.Mul32(x544, 0xffffffff) + var x550 uint32 + var x551 uint32 + x551, x550 = bits.Mul32(x544, 0xffffffff) + var x552 uint32 + var x553 uint32 + x553, x552 = bits.Mul32(x544, 0xffffffff) + var x554 uint32 + var x555 uint32 + x555, x554 = bits.Mul32(x544, 0xffffffff) + var x556 uint32 + var x557 uint32 + x557, x556 = bits.Mul32(x544, 0xffffffff) + var x558 uint32 + var x559 uint32 + x559, x558 = bits.Mul32(x544, 0xfffffffe) + var x560 uint32 + var x561 uint32 + x561, x560 = 
bits.Mul32(x544, 0xfffffc2f) + var x562 uint32 + var x563 uint1 + x562, x563 = addcarryxU32(x561, x558, 0x0) + var x564 uint32 + var x565 uint1 + x564, x565 = addcarryxU32(x559, x556, x563) + var x566 uint32 + var x567 uint1 + x566, x567 = addcarryxU32(x557, x554, x565) + var x568 uint32 + var x569 uint1 + x568, x569 = addcarryxU32(x555, x552, x567) + var x570 uint32 + var x571 uint1 + x570, x571 = addcarryxU32(x553, x550, x569) + var x572 uint32 + var x573 uint1 + x572, x573 = addcarryxU32(x551, x548, x571) + var x574 uint32 + var x575 uint1 + x574, x575 = addcarryxU32(x549, x546, x573) + x576 := (uint32(x575) + x547) + var x578 uint1 + _, x578 = addcarryxU32(x526, x560, 0x0) + var x579 uint32 + var x580 uint1 + x579, x580 = addcarryxU32(x528, x562, x578) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x530, x564, x580) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32(x532, x566, x582) + var x585 uint32 + var x586 uint1 + x585, x586 = addcarryxU32(x534, x568, x584) + var x587 uint32 + var x588 uint1 + x587, x588 = addcarryxU32(x536, x570, x586) + var x589 uint32 + var x590 uint1 + x589, x590 = addcarryxU32(x538, x572, x588) + var x591 uint32 + var x592 uint1 + x591, x592 = addcarryxU32(x540, x574, x590) + var x593 uint32 + var x594 uint1 + x593, x594 = addcarryxU32(x542, x576, x592) + x595 := (uint32(x594) + uint32(x543)) + var x596 uint32 + var x597 uint32 + x597, x596 = bits.Mul32(x6, arg2[7]) + var x598 uint32 + var x599 uint32 + x599, x598 = bits.Mul32(x6, arg2[6]) + var x600 uint32 + var x601 uint32 + x601, x600 = bits.Mul32(x6, arg2[5]) + var x602 uint32 + var x603 uint32 + x603, x602 = bits.Mul32(x6, arg2[4]) + var x604 uint32 + var x605 uint32 + x605, x604 = bits.Mul32(x6, arg2[3]) + var x606 uint32 + var x607 uint32 + x607, x606 = bits.Mul32(x6, arg2[2]) + var x608 uint32 + var x609 uint32 + x609, x608 = bits.Mul32(x6, arg2[1]) + var x610 uint32 + var x611 uint32 + x611, x610 = bits.Mul32(x6, arg2[0]) + var x612 uint32 + var 
x613 uint1 + x612, x613 = addcarryxU32(x611, x608, 0x0) + var x614 uint32 + var x615 uint1 + x614, x615 = addcarryxU32(x609, x606, x613) + var x616 uint32 + var x617 uint1 + x616, x617 = addcarryxU32(x607, x604, x615) + var x618 uint32 + var x619 uint1 + x618, x619 = addcarryxU32(x605, x602, x617) + var x620 uint32 + var x621 uint1 + x620, x621 = addcarryxU32(x603, x600, x619) + var x622 uint32 + var x623 uint1 + x622, x623 = addcarryxU32(x601, x598, x621) + var x624 uint32 + var x625 uint1 + x624, x625 = addcarryxU32(x599, x596, x623) + x626 := (uint32(x625) + x597) + var x627 uint32 + var x628 uint1 + x627, x628 = addcarryxU32(x579, x610, 0x0) + var x629 uint32 + var x630 uint1 + x629, x630 = addcarryxU32(x581, x612, x628) + var x631 uint32 + var x632 uint1 + x631, x632 = addcarryxU32(x583, x614, x630) + var x633 uint32 + var x634 uint1 + x633, x634 = addcarryxU32(x585, x616, x632) + var x635 uint32 + var x636 uint1 + x635, x636 = addcarryxU32(x587, x618, x634) + var x637 uint32 + var x638 uint1 + x637, x638 = addcarryxU32(x589, x620, x636) + var x639 uint32 + var x640 uint1 + x639, x640 = addcarryxU32(x591, x622, x638) + var x641 uint32 + var x642 uint1 + x641, x642 = addcarryxU32(x593, x624, x640) + var x643 uint32 + var x644 uint1 + x643, x644 = addcarryxU32(x595, x626, x642) + var x645 uint32 + _, x645 = bits.Mul32(x627, 0xd2253531) + var x647 uint32 + var x648 uint32 + x648, x647 = bits.Mul32(x645, 0xffffffff) + var x649 uint32 + var x650 uint32 + x650, x649 = bits.Mul32(x645, 0xffffffff) + var x651 uint32 + var x652 uint32 + x652, x651 = bits.Mul32(x645, 0xffffffff) + var x653 uint32 + var x654 uint32 + x654, x653 = bits.Mul32(x645, 0xffffffff) + var x655 uint32 + var x656 uint32 + x656, x655 = bits.Mul32(x645, 0xffffffff) + var x657 uint32 + var x658 uint32 + x658, x657 = bits.Mul32(x645, 0xffffffff) + var x659 uint32 + var x660 uint32 + x660, x659 = bits.Mul32(x645, 0xfffffffe) + var x661 uint32 + var x662 uint32 + x662, x661 = bits.Mul32(x645, 
0xfffffc2f) + var x663 uint32 + var x664 uint1 + x663, x664 = addcarryxU32(x662, x659, 0x0) + var x665 uint32 + var x666 uint1 + x665, x666 = addcarryxU32(x660, x657, x664) + var x667 uint32 + var x668 uint1 + x667, x668 = addcarryxU32(x658, x655, x666) + var x669 uint32 + var x670 uint1 + x669, x670 = addcarryxU32(x656, x653, x668) + var x671 uint32 + var x672 uint1 + x671, x672 = addcarryxU32(x654, x651, x670) + var x673 uint32 + var x674 uint1 + x673, x674 = addcarryxU32(x652, x649, x672) + var x675 uint32 + var x676 uint1 + x675, x676 = addcarryxU32(x650, x647, x674) + x677 := (uint32(x676) + x648) + var x679 uint1 + _, x679 = addcarryxU32(x627, x661, 0x0) + var x680 uint32 + var x681 uint1 + x680, x681 = addcarryxU32(x629, x663, x679) + var x682 uint32 + var x683 uint1 + x682, x683 = addcarryxU32(x631, x665, x681) + var x684 uint32 + var x685 uint1 + x684, x685 = addcarryxU32(x633, x667, x683) + var x686 uint32 + var x687 uint1 + x686, x687 = addcarryxU32(x635, x669, x685) + var x688 uint32 + var x689 uint1 + x688, x689 = addcarryxU32(x637, x671, x687) + var x690 uint32 + var x691 uint1 + x690, x691 = addcarryxU32(x639, x673, x689) + var x692 uint32 + var x693 uint1 + x692, x693 = addcarryxU32(x641, x675, x691) + var x694 uint32 + var x695 uint1 + x694, x695 = addcarryxU32(x643, x677, x693) + x696 := (uint32(x695) + uint32(x644)) + var x697 uint32 + var x698 uint32 + x698, x697 = bits.Mul32(x7, arg2[7]) + var x699 uint32 + var x700 uint32 + x700, x699 = bits.Mul32(x7, arg2[6]) + var x701 uint32 + var x702 uint32 + x702, x701 = bits.Mul32(x7, arg2[5]) + var x703 uint32 + var x704 uint32 + x704, x703 = bits.Mul32(x7, arg2[4]) + var x705 uint32 + var x706 uint32 + x706, x705 = bits.Mul32(x7, arg2[3]) + var x707 uint32 + var x708 uint32 + x708, x707 = bits.Mul32(x7, arg2[2]) + var x709 uint32 + var x710 uint32 + x710, x709 = bits.Mul32(x7, arg2[1]) + var x711 uint32 + var x712 uint32 + x712, x711 = bits.Mul32(x7, arg2[0]) + var x713 uint32 + var x714 uint1 + x713, 
x714 = addcarryxU32(x712, x709, 0x0) + var x715 uint32 + var x716 uint1 + x715, x716 = addcarryxU32(x710, x707, x714) + var x717 uint32 + var x718 uint1 + x717, x718 = addcarryxU32(x708, x705, x716) + var x719 uint32 + var x720 uint1 + x719, x720 = addcarryxU32(x706, x703, x718) + var x721 uint32 + var x722 uint1 + x721, x722 = addcarryxU32(x704, x701, x720) + var x723 uint32 + var x724 uint1 + x723, x724 = addcarryxU32(x702, x699, x722) + var x725 uint32 + var x726 uint1 + x725, x726 = addcarryxU32(x700, x697, x724) + x727 := (uint32(x726) + x698) + var x728 uint32 + var x729 uint1 + x728, x729 = addcarryxU32(x680, x711, 0x0) + var x730 uint32 + var x731 uint1 + x730, x731 = addcarryxU32(x682, x713, x729) + var x732 uint32 + var x733 uint1 + x732, x733 = addcarryxU32(x684, x715, x731) + var x734 uint32 + var x735 uint1 + x734, x735 = addcarryxU32(x686, x717, x733) + var x736 uint32 + var x737 uint1 + x736, x737 = addcarryxU32(x688, x719, x735) + var x738 uint32 + var x739 uint1 + x738, x739 = addcarryxU32(x690, x721, x737) + var x740 uint32 + var x741 uint1 + x740, x741 = addcarryxU32(x692, x723, x739) + var x742 uint32 + var x743 uint1 + x742, x743 = addcarryxU32(x694, x725, x741) + var x744 uint32 + var x745 uint1 + x744, x745 = addcarryxU32(x696, x727, x743) + var x746 uint32 + _, x746 = bits.Mul32(x728, 0xd2253531) + var x748 uint32 + var x749 uint32 + x749, x748 = bits.Mul32(x746, 0xffffffff) + var x750 uint32 + var x751 uint32 + x751, x750 = bits.Mul32(x746, 0xffffffff) + var x752 uint32 + var x753 uint32 + x753, x752 = bits.Mul32(x746, 0xffffffff) + var x754 uint32 + var x755 uint32 + x755, x754 = bits.Mul32(x746, 0xffffffff) + var x756 uint32 + var x757 uint32 + x757, x756 = bits.Mul32(x746, 0xffffffff) + var x758 uint32 + var x759 uint32 + x759, x758 = bits.Mul32(x746, 0xffffffff) + var x760 uint32 + var x761 uint32 + x761, x760 = bits.Mul32(x746, 0xfffffffe) + var x762 uint32 + var x763 uint32 + x763, x762 = bits.Mul32(x746, 0xfffffc2f) + var x764 uint32 
+ var x765 uint1 + x764, x765 = addcarryxU32(x763, x760, 0x0) + var x766 uint32 + var x767 uint1 + x766, x767 = addcarryxU32(x761, x758, x765) + var x768 uint32 + var x769 uint1 + x768, x769 = addcarryxU32(x759, x756, x767) + var x770 uint32 + var x771 uint1 + x770, x771 = addcarryxU32(x757, x754, x769) + var x772 uint32 + var x773 uint1 + x772, x773 = addcarryxU32(x755, x752, x771) + var x774 uint32 + var x775 uint1 + x774, x775 = addcarryxU32(x753, x750, x773) + var x776 uint32 + var x777 uint1 + x776, x777 = addcarryxU32(x751, x748, x775) + x778 := (uint32(x777) + x749) + var x780 uint1 + _, x780 = addcarryxU32(x728, x762, 0x0) + var x781 uint32 + var x782 uint1 + x781, x782 = addcarryxU32(x730, x764, x780) + var x783 uint32 + var x784 uint1 + x783, x784 = addcarryxU32(x732, x766, x782) + var x785 uint32 + var x786 uint1 + x785, x786 = addcarryxU32(x734, x768, x784) + var x787 uint32 + var x788 uint1 + x787, x788 = addcarryxU32(x736, x770, x786) + var x789 uint32 + var x790 uint1 + x789, x790 = addcarryxU32(x738, x772, x788) + var x791 uint32 + var x792 uint1 + x791, x792 = addcarryxU32(x740, x774, x790) + var x793 uint32 + var x794 uint1 + x793, x794 = addcarryxU32(x742, x776, x792) + var x795 uint32 + var x796 uint1 + x795, x796 = addcarryxU32(x744, x778, x794) + x797 := (uint32(x796) + uint32(x745)) + var x798 uint32 + var x799 uint1 + x798, x799 = subborrowxU32(x781, 0xfffffc2f, 0x0) + var x800 uint32 + var x801 uint1 + x800, x801 = subborrowxU32(x783, 0xfffffffe, x799) + var x802 uint32 + var x803 uint1 + x802, x803 = subborrowxU32(x785, 0xffffffff, x801) + var x804 uint32 + var x805 uint1 + x804, x805 = subborrowxU32(x787, 0xffffffff, x803) + var x806 uint32 + var x807 uint1 + x806, x807 = subborrowxU32(x789, 0xffffffff, x805) + var x808 uint32 + var x809 uint1 + x808, x809 = subborrowxU32(x791, 0xffffffff, x807) + var x810 uint32 + var x811 uint1 + x810, x811 = subborrowxU32(x793, 0xffffffff, x809) + var x812 uint32 + var x813 uint1 + x812, x813 = 
subborrowxU32(x795, 0xffffffff, x811) + var x815 uint1 + _, x815 = subborrowxU32(x797, uint32(0x0), x813) + var x816 uint32 + cmovznzU32(&x816, x815, x798, x781) + var x817 uint32 + cmovznzU32(&x817, x815, x800, x783) + var x818 uint32 + cmovznzU32(&x818, x815, x802, x785) + var x819 uint32 + cmovznzU32(&x819, x815, x804, x787) + var x820 uint32 + cmovznzU32(&x820, x815, x806, x789) + var x821 uint32 + cmovznzU32(&x821, x815, x808, x791) + var x822 uint32 + cmovznzU32(&x822, x815, x810, x793) + var x823 uint32 + cmovznzU32(&x823, x815, x812, x795) + out1[0] = x816 + out1[1] = x817 + out1[2] = x818 + out1[3] = x819 + out1[4] = x820 + out1[5] = x821 + out1[6] = x822 + out1[7] = x823 } -/* - The function Square squares a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Square(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[0]) - var x9 uint32 - var x10 uint32 - x10, x9 = bits.Mul32(x8, (arg1[7])) - var x11 uint32 - var x12 uint32 - x12, x11 = bits.Mul32(x8, (arg1[6])) - var x13 uint32 - var x14 uint32 - x14, x13 = bits.Mul32(x8, (arg1[5])) - var x15 uint32 - var x16 uint32 - x16, x15 = bits.Mul32(x8, (arg1[4])) - var x17 uint32 - var x18 uint32 - x18, x17 = bits.Mul32(x8, (arg1[3])) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x8, (arg1[2])) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x8, (arg1[1])) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x8, (arg1[0])) - var x25 uint32 - var x26 uint1 - x25, x26 = addcarryxU32(x24, x21, 0x0) - var x27 uint32 - var x28 uint1 - x27, x28 = addcarryxU32(x22, x19, x26) - var x29 uint32 - var x30 uint1 - x29, x30 = addcarryxU32(x20, x17, x28) - var x31 uint32 - var x32 uint1 - x31, x32 = addcarryxU32(x18, x15, x30) - var x33 uint32 - var x34 uint1 - x33, x34 = addcarryxU32(x16, x13, x32) - var x35 uint32 - var x36 uint1 - x35, x36 = addcarryxU32(x14, x11, x34) - var x37 uint32 - var x38 uint1 - x37, x38 = addcarryxU32(x12, x9, x36) - var x39 uint32 = (uint32(x38) + 
x10) - var x40 uint32 - _, x40 = bits.Mul32(x23, 0xd2253531) - var x42 uint32 - var x43 uint32 - x43, x42 = bits.Mul32(x40, 0xffffffff) - var x44 uint32 - var x45 uint32 - x45, x44 = bits.Mul32(x40, 0xffffffff) - var x46 uint32 - var x47 uint32 - x47, x46 = bits.Mul32(x40, 0xffffffff) - var x48 uint32 - var x49 uint32 - x49, x48 = bits.Mul32(x40, 0xffffffff) - var x50 uint32 - var x51 uint32 - x51, x50 = bits.Mul32(x40, 0xffffffff) - var x52 uint32 - var x53 uint32 - x53, x52 = bits.Mul32(x40, 0xffffffff) - var x54 uint32 - var x55 uint32 - x55, x54 = bits.Mul32(x40, 0xfffffffe) - var x56 uint32 - var x57 uint32 - x57, x56 = bits.Mul32(x40, 0xfffffc2f) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x57, x54, 0x0) - var x60 uint32 - var x61 uint1 - x60, x61 = addcarryxU32(x55, x52, x59) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x53, x50, x61) - var x64 uint32 - var x65 uint1 - x64, x65 = addcarryxU32(x51, x48, x63) - var x66 uint32 - var x67 uint1 - x66, x67 = addcarryxU32(x49, x46, x65) - var x68 uint32 - var x69 uint1 - x68, x69 = addcarryxU32(x47, x44, x67) - var x70 uint32 - var x71 uint1 - x70, x71 = addcarryxU32(x45, x42, x69) - var x72 uint32 = (uint32(x71) + x43) - var x74 uint1 - _, x74 = addcarryxU32(x23, x56, 0x0) - var x75 uint32 - var x76 uint1 - x75, x76 = addcarryxU32(x25, x58, x74) - var x77 uint32 - var x78 uint1 - x77, x78 = addcarryxU32(x27, x60, x76) - var x79 uint32 - var x80 uint1 - x79, x80 = addcarryxU32(x29, x62, x78) - var x81 uint32 - var x82 uint1 - x81, x82 = addcarryxU32(x31, x64, x80) - var x83 uint32 - var x84 uint1 - x83, x84 = addcarryxU32(x33, x66, x82) - var x85 uint32 - var x86 uint1 - x85, x86 = addcarryxU32(x35, x68, x84) - var x87 uint32 - var x88 uint1 - x87, x88 = addcarryxU32(x37, x70, x86) - var x89 uint32 - var x90 uint1 - x89, x90 = addcarryxU32(x39, x72, x88) - var x91 uint32 - var x92 uint32 - x92, x91 = bits.Mul32(x1, (arg1[7])) - var x93 uint32 - var x94 uint32 - x94, x93 = bits.Mul32(x1, 
(arg1[6])) - var x95 uint32 - var x96 uint32 - x96, x95 = bits.Mul32(x1, (arg1[5])) - var x97 uint32 - var x98 uint32 - x98, x97 = bits.Mul32(x1, (arg1[4])) - var x99 uint32 - var x100 uint32 - x100, x99 = bits.Mul32(x1, (arg1[3])) - var x101 uint32 - var x102 uint32 - x102, x101 = bits.Mul32(x1, (arg1[2])) - var x103 uint32 - var x104 uint32 - x104, x103 = bits.Mul32(x1, (arg1[1])) - var x105 uint32 - var x106 uint32 - x106, x105 = bits.Mul32(x1, (arg1[0])) - var x107 uint32 - var x108 uint1 - x107, x108 = addcarryxU32(x106, x103, 0x0) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(x104, x101, x108) - var x111 uint32 - var x112 uint1 - x111, x112 = addcarryxU32(x102, x99, x110) - var x113 uint32 - var x114 uint1 - x113, x114 = addcarryxU32(x100, x97, x112) - var x115 uint32 - var x116 uint1 - x115, x116 = addcarryxU32(x98, x95, x114) - var x117 uint32 - var x118 uint1 - x117, x118 = addcarryxU32(x96, x93, x116) - var x119 uint32 - var x120 uint1 - x119, x120 = addcarryxU32(x94, x91, x118) - var x121 uint32 = (uint32(x120) + x92) - var x122 uint32 - var x123 uint1 - x122, x123 = addcarryxU32(x75, x105, 0x0) - var x124 uint32 - var x125 uint1 - x124, x125 = addcarryxU32(x77, x107, x123) - var x126 uint32 - var x127 uint1 - x126, x127 = addcarryxU32(x79, x109, x125) - var x128 uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x81, x111, x127) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x83, x113, x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x85, x115, x131) - var x134 uint32 - var x135 uint1 - x134, x135 = addcarryxU32(x87, x117, x133) - var x136 uint32 - var x137 uint1 - x136, x137 = addcarryxU32(x89, x119, x135) - var x138 uint32 - var x139 uint1 - x138, x139 = addcarryxU32(uint32(x90), x121, x137) - var x140 uint32 - _, x140 = bits.Mul32(x122, 0xd2253531) - var x142 uint32 - var x143 uint32 - x143, x142 = bits.Mul32(x140, 0xffffffff) - var x144 uint32 - var x145 uint32 - x145, x144 = bits.Mul32(x140, 
0xffffffff) - var x146 uint32 - var x147 uint32 - x147, x146 = bits.Mul32(x140, 0xffffffff) - var x148 uint32 - var x149 uint32 - x149, x148 = bits.Mul32(x140, 0xffffffff) - var x150 uint32 - var x151 uint32 - x151, x150 = bits.Mul32(x140, 0xffffffff) - var x152 uint32 - var x153 uint32 - x153, x152 = bits.Mul32(x140, 0xffffffff) - var x154 uint32 - var x155 uint32 - x155, x154 = bits.Mul32(x140, 0xfffffffe) - var x156 uint32 - var x157 uint32 - x157, x156 = bits.Mul32(x140, 0xfffffc2f) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x157, x154, 0x0) - var x160 uint32 - var x161 uint1 - x160, x161 = addcarryxU32(x155, x152, x159) - var x162 uint32 - var x163 uint1 - x162, x163 = addcarryxU32(x153, x150, x161) - var x164 uint32 - var x165 uint1 - x164, x165 = addcarryxU32(x151, x148, x163) - var x166 uint32 - var x167 uint1 - x166, x167 = addcarryxU32(x149, x146, x165) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x147, x144, x167) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x145, x142, x169) - var x172 uint32 = (uint32(x171) + x143) - var x174 uint1 - _, x174 = addcarryxU32(x122, x156, 0x0) - var x175 uint32 - var x176 uint1 - x175, x176 = addcarryxU32(x124, x158, x174) - var x177 uint32 - var x178 uint1 - x177, x178 = addcarryxU32(x126, x160, x176) - var x179 uint32 - var x180 uint1 - x179, x180 = addcarryxU32(x128, x162, x178) - var x181 uint32 - var x182 uint1 - x181, x182 = addcarryxU32(x130, x164, x180) - var x183 uint32 - var x184 uint1 - x183, x184 = addcarryxU32(x132, x166, x182) - var x185 uint32 - var x186 uint1 - x185, x186 = addcarryxU32(x134, x168, x184) - var x187 uint32 - var x188 uint1 - x187, x188 = addcarryxU32(x136, x170, x186) - var x189 uint32 - var x190 uint1 - x189, x190 = addcarryxU32(x138, x172, x188) - var x191 uint32 = (uint32(x190) + uint32(x139)) - var x192 uint32 - var x193 uint32 - x193, x192 = bits.Mul32(x2, (arg1[7])) - var x194 uint32 - var x195 uint32 - x195, x194 = bits.Mul32(x2, 
(arg1[6])) - var x196 uint32 - var x197 uint32 - x197, x196 = bits.Mul32(x2, (arg1[5])) - var x198 uint32 - var x199 uint32 - x199, x198 = bits.Mul32(x2, (arg1[4])) - var x200 uint32 - var x201 uint32 - x201, x200 = bits.Mul32(x2, (arg1[3])) - var x202 uint32 - var x203 uint32 - x203, x202 = bits.Mul32(x2, (arg1[2])) - var x204 uint32 - var x205 uint32 - x205, x204 = bits.Mul32(x2, (arg1[1])) - var x206 uint32 - var x207 uint32 - x207, x206 = bits.Mul32(x2, (arg1[0])) - var x208 uint32 - var x209 uint1 - x208, x209 = addcarryxU32(x207, x204, 0x0) - var x210 uint32 - var x211 uint1 - x210, x211 = addcarryxU32(x205, x202, x209) - var x212 uint32 - var x213 uint1 - x212, x213 = addcarryxU32(x203, x200, x211) - var x214 uint32 - var x215 uint1 - x214, x215 = addcarryxU32(x201, x198, x213) - var x216 uint32 - var x217 uint1 - x216, x217 = addcarryxU32(x199, x196, x215) - var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x197, x194, x217) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x195, x192, x219) - var x222 uint32 = (uint32(x221) + x193) - var x223 uint32 - var x224 uint1 - x223, x224 = addcarryxU32(x175, x206, 0x0) - var x225 uint32 - var x226 uint1 - x225, x226 = addcarryxU32(x177, x208, x224) - var x227 uint32 - var x228 uint1 - x227, x228 = addcarryxU32(x179, x210, x226) - var x229 uint32 - var x230 uint1 - x229, x230 = addcarryxU32(x181, x212, x228) - var x231 uint32 - var x232 uint1 - x231, x232 = addcarryxU32(x183, x214, x230) - var x233 uint32 - var x234 uint1 - x233, x234 = addcarryxU32(x185, x216, x232) - var x235 uint32 - var x236 uint1 - x235, x236 = addcarryxU32(x187, x218, x234) - var x237 uint32 - var x238 uint1 - x237, x238 = addcarryxU32(x189, x220, x236) - var x239 uint32 - var x240 uint1 - x239, x240 = addcarryxU32(x191, x222, x238) - var x241 uint32 - _, x241 = bits.Mul32(x223, 0xd2253531) - var x243 uint32 - var x244 uint32 - x244, x243 = bits.Mul32(x241, 0xffffffff) - var x245 uint32 - var x246 uint32 - x246, x245 = 
bits.Mul32(x241, 0xffffffff) - var x247 uint32 - var x248 uint32 - x248, x247 = bits.Mul32(x241, 0xffffffff) - var x249 uint32 - var x250 uint32 - x250, x249 = bits.Mul32(x241, 0xffffffff) - var x251 uint32 - var x252 uint32 - x252, x251 = bits.Mul32(x241, 0xffffffff) - var x253 uint32 - var x254 uint32 - x254, x253 = bits.Mul32(x241, 0xffffffff) - var x255 uint32 - var x256 uint32 - x256, x255 = bits.Mul32(x241, 0xfffffffe) - var x257 uint32 - var x258 uint32 - x258, x257 = bits.Mul32(x241, 0xfffffc2f) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x258, x255, 0x0) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x256, x253, x260) - var x263 uint32 - var x264 uint1 - x263, x264 = addcarryxU32(x254, x251, x262) - var x265 uint32 - var x266 uint1 - x265, x266 = addcarryxU32(x252, x249, x264) - var x267 uint32 - var x268 uint1 - x267, x268 = addcarryxU32(x250, x247, x266) - var x269 uint32 - var x270 uint1 - x269, x270 = addcarryxU32(x248, x245, x268) - var x271 uint32 - var x272 uint1 - x271, x272 = addcarryxU32(x246, x243, x270) - var x273 uint32 = (uint32(x272) + x244) - var x275 uint1 - _, x275 = addcarryxU32(x223, x257, 0x0) - var x276 uint32 - var x277 uint1 - x276, x277 = addcarryxU32(x225, x259, x275) - var x278 uint32 - var x279 uint1 - x278, x279 = addcarryxU32(x227, x261, x277) - var x280 uint32 - var x281 uint1 - x280, x281 = addcarryxU32(x229, x263, x279) - var x282 uint32 - var x283 uint1 - x282, x283 = addcarryxU32(x231, x265, x281) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x233, x267, x283) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x235, x269, x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x237, x271, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x239, x273, x289) - var x292 uint32 = (uint32(x291) + uint32(x240)) - var x293 uint32 - var x294 uint32 - x294, x293 = bits.Mul32(x3, (arg1[7])) - var x295 uint32 - var x296 uint32 - x296, x295 
= bits.Mul32(x3, (arg1[6])) - var x297 uint32 - var x298 uint32 - x298, x297 = bits.Mul32(x3, (arg1[5])) - var x299 uint32 - var x300 uint32 - x300, x299 = bits.Mul32(x3, (arg1[4])) - var x301 uint32 - var x302 uint32 - x302, x301 = bits.Mul32(x3, (arg1[3])) - var x303 uint32 - var x304 uint32 - x304, x303 = bits.Mul32(x3, (arg1[2])) - var x305 uint32 - var x306 uint32 - x306, x305 = bits.Mul32(x3, (arg1[1])) - var x307 uint32 - var x308 uint32 - x308, x307 = bits.Mul32(x3, (arg1[0])) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x308, x305, 0x0) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x306, x303, x310) - var x313 uint32 - var x314 uint1 - x313, x314 = addcarryxU32(x304, x301, x312) - var x315 uint32 - var x316 uint1 - x315, x316 = addcarryxU32(x302, x299, x314) - var x317 uint32 - var x318 uint1 - x317, x318 = addcarryxU32(x300, x297, x316) - var x319 uint32 - var x320 uint1 - x319, x320 = addcarryxU32(x298, x295, x318) - var x321 uint32 - var x322 uint1 - x321, x322 = addcarryxU32(x296, x293, x320) - var x323 uint32 = (uint32(x322) + x294) - var x324 uint32 - var x325 uint1 - x324, x325 = addcarryxU32(x276, x307, 0x0) - var x326 uint32 - var x327 uint1 - x326, x327 = addcarryxU32(x278, x309, x325) - var x328 uint32 - var x329 uint1 - x328, x329 = addcarryxU32(x280, x311, x327) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x282, x313, x329) - var x332 uint32 - var x333 uint1 - x332, x333 = addcarryxU32(x284, x315, x331) - var x334 uint32 - var x335 uint1 - x334, x335 = addcarryxU32(x286, x317, x333) - var x336 uint32 - var x337 uint1 - x336, x337 = addcarryxU32(x288, x319, x335) - var x338 uint32 - var x339 uint1 - x338, x339 = addcarryxU32(x290, x321, x337) - var x340 uint32 - var x341 uint1 - x340, x341 = addcarryxU32(x292, x323, x339) - var x342 uint32 - _, x342 = bits.Mul32(x324, 0xd2253531) - var x344 uint32 - var x345 uint32 - x345, x344 = bits.Mul32(x342, 0xffffffff) - var x346 uint32 - var x347 
uint32 - x347, x346 = bits.Mul32(x342, 0xffffffff) - var x348 uint32 - var x349 uint32 - x349, x348 = bits.Mul32(x342, 0xffffffff) - var x350 uint32 - var x351 uint32 - x351, x350 = bits.Mul32(x342, 0xffffffff) - var x352 uint32 - var x353 uint32 - x353, x352 = bits.Mul32(x342, 0xffffffff) - var x354 uint32 - var x355 uint32 - x355, x354 = bits.Mul32(x342, 0xffffffff) - var x356 uint32 - var x357 uint32 - x357, x356 = bits.Mul32(x342, 0xfffffffe) - var x358 uint32 - var x359 uint32 - x359, x358 = bits.Mul32(x342, 0xfffffc2f) - var x360 uint32 - var x361 uint1 - x360, x361 = addcarryxU32(x359, x356, 0x0) - var x362 uint32 - var x363 uint1 - x362, x363 = addcarryxU32(x357, x354, x361) - var x364 uint32 - var x365 uint1 - x364, x365 = addcarryxU32(x355, x352, x363) - var x366 uint32 - var x367 uint1 - x366, x367 = addcarryxU32(x353, x350, x365) - var x368 uint32 - var x369 uint1 - x368, x369 = addcarryxU32(x351, x348, x367) - var x370 uint32 - var x371 uint1 - x370, x371 = addcarryxU32(x349, x346, x369) - var x372 uint32 - var x373 uint1 - x372, x373 = addcarryxU32(x347, x344, x371) - var x374 uint32 = (uint32(x373) + x345) - var x376 uint1 - _, x376 = addcarryxU32(x324, x358, 0x0) - var x377 uint32 - var x378 uint1 - x377, x378 = addcarryxU32(x326, x360, x376) - var x379 uint32 - var x380 uint1 - x379, x380 = addcarryxU32(x328, x362, x378) - var x381 uint32 - var x382 uint1 - x381, x382 = addcarryxU32(x330, x364, x380) - var x383 uint32 - var x384 uint1 - x383, x384 = addcarryxU32(x332, x366, x382) - var x385 uint32 - var x386 uint1 - x385, x386 = addcarryxU32(x334, x368, x384) - var x387 uint32 - var x388 uint1 - x387, x388 = addcarryxU32(x336, x370, x386) - var x389 uint32 - var x390 uint1 - x389, x390 = addcarryxU32(x338, x372, x388) - var x391 uint32 - var x392 uint1 - x391, x392 = addcarryxU32(x340, x374, x390) - var x393 uint32 = (uint32(x392) + uint32(x341)) - var x394 uint32 - var x395 uint32 - x395, x394 = bits.Mul32(x4, (arg1[7])) - var x396 uint32 - var 
x397 uint32 - x397, x396 = bits.Mul32(x4, (arg1[6])) - var x398 uint32 - var x399 uint32 - x399, x398 = bits.Mul32(x4, (arg1[5])) - var x400 uint32 - var x401 uint32 - x401, x400 = bits.Mul32(x4, (arg1[4])) - var x402 uint32 - var x403 uint32 - x403, x402 = bits.Mul32(x4, (arg1[3])) - var x404 uint32 - var x405 uint32 - x405, x404 = bits.Mul32(x4, (arg1[2])) - var x406 uint32 - var x407 uint32 - x407, x406 = bits.Mul32(x4, (arg1[1])) - var x408 uint32 - var x409 uint32 - x409, x408 = bits.Mul32(x4, (arg1[0])) - var x410 uint32 - var x411 uint1 - x410, x411 = addcarryxU32(x409, x406, 0x0) - var x412 uint32 - var x413 uint1 - x412, x413 = addcarryxU32(x407, x404, x411) - var x414 uint32 - var x415 uint1 - x414, x415 = addcarryxU32(x405, x402, x413) - var x416 uint32 - var x417 uint1 - x416, x417 = addcarryxU32(x403, x400, x415) - var x418 uint32 - var x419 uint1 - x418, x419 = addcarryxU32(x401, x398, x417) - var x420 uint32 - var x421 uint1 - x420, x421 = addcarryxU32(x399, x396, x419) - var x422 uint32 - var x423 uint1 - x422, x423 = addcarryxU32(x397, x394, x421) - var x424 uint32 = (uint32(x423) + x395) - var x425 uint32 - var x426 uint1 - x425, x426 = addcarryxU32(x377, x408, 0x0) - var x427 uint32 - var x428 uint1 - x427, x428 = addcarryxU32(x379, x410, x426) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x381, x412, x428) - var x431 uint32 - var x432 uint1 - x431, x432 = addcarryxU32(x383, x414, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x385, x416, x432) - var x435 uint32 - var x436 uint1 - x435, x436 = addcarryxU32(x387, x418, x434) - var x437 uint32 - var x438 uint1 - x437, x438 = addcarryxU32(x389, x420, x436) - var x439 uint32 - var x440 uint1 - x439, x440 = addcarryxU32(x391, x422, x438) - var x441 uint32 - var x442 uint1 - x441, x442 = addcarryxU32(x393, x424, x440) - var x443 uint32 - _, x443 = bits.Mul32(x425, 0xd2253531) - var x445 uint32 - var x446 uint32 - x446, x445 = bits.Mul32(x443, 0xffffffff) - var 
x447 uint32 - var x448 uint32 - x448, x447 = bits.Mul32(x443, 0xffffffff) - var x449 uint32 - var x450 uint32 - x450, x449 = bits.Mul32(x443, 0xffffffff) - var x451 uint32 - var x452 uint32 - x452, x451 = bits.Mul32(x443, 0xffffffff) - var x453 uint32 - var x454 uint32 - x454, x453 = bits.Mul32(x443, 0xffffffff) - var x455 uint32 - var x456 uint32 - x456, x455 = bits.Mul32(x443, 0xffffffff) - var x457 uint32 - var x458 uint32 - x458, x457 = bits.Mul32(x443, 0xfffffffe) - var x459 uint32 - var x460 uint32 - x460, x459 = bits.Mul32(x443, 0xfffffc2f) - var x461 uint32 - var x462 uint1 - x461, x462 = addcarryxU32(x460, x457, 0x0) - var x463 uint32 - var x464 uint1 - x463, x464 = addcarryxU32(x458, x455, x462) - var x465 uint32 - var x466 uint1 - x465, x466 = addcarryxU32(x456, x453, x464) - var x467 uint32 - var x468 uint1 - x467, x468 = addcarryxU32(x454, x451, x466) - var x469 uint32 - var x470 uint1 - x469, x470 = addcarryxU32(x452, x449, x468) - var x471 uint32 - var x472 uint1 - x471, x472 = addcarryxU32(x450, x447, x470) - var x473 uint32 - var x474 uint1 - x473, x474 = addcarryxU32(x448, x445, x472) - var x475 uint32 = (uint32(x474) + x446) - var x477 uint1 - _, x477 = addcarryxU32(x425, x459, 0x0) - var x478 uint32 - var x479 uint1 - x478, x479 = addcarryxU32(x427, x461, x477) - var x480 uint32 - var x481 uint1 - x480, x481 = addcarryxU32(x429, x463, x479) - var x482 uint32 - var x483 uint1 - x482, x483 = addcarryxU32(x431, x465, x481) - var x484 uint32 - var x485 uint1 - x484, x485 = addcarryxU32(x433, x467, x483) - var x486 uint32 - var x487 uint1 - x486, x487 = addcarryxU32(x435, x469, x485) - var x488 uint32 - var x489 uint1 - x488, x489 = addcarryxU32(x437, x471, x487) - var x490 uint32 - var x491 uint1 - x490, x491 = addcarryxU32(x439, x473, x489) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x441, x475, x491) - var x494 uint32 = (uint32(x493) + uint32(x442)) - var x495 uint32 - var x496 uint32 - x496, x495 = bits.Mul32(x5, (arg1[7])) - 
var x497 uint32 - var x498 uint32 - x498, x497 = bits.Mul32(x5, (arg1[6])) - var x499 uint32 - var x500 uint32 - x500, x499 = bits.Mul32(x5, (arg1[5])) - var x501 uint32 - var x502 uint32 - x502, x501 = bits.Mul32(x5, (arg1[4])) - var x503 uint32 - var x504 uint32 - x504, x503 = bits.Mul32(x5, (arg1[3])) - var x505 uint32 - var x506 uint32 - x506, x505 = bits.Mul32(x5, (arg1[2])) - var x507 uint32 - var x508 uint32 - x508, x507 = bits.Mul32(x5, (arg1[1])) - var x509 uint32 - var x510 uint32 - x510, x509 = bits.Mul32(x5, (arg1[0])) - var x511 uint32 - var x512 uint1 - x511, x512 = addcarryxU32(x510, x507, 0x0) - var x513 uint32 - var x514 uint1 - x513, x514 = addcarryxU32(x508, x505, x512) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x506, x503, x514) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x504, x501, x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x502, x499, x518) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x500, x497, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x498, x495, x522) - var x525 uint32 = (uint32(x524) + x496) - var x526 uint32 - var x527 uint1 - x526, x527 = addcarryxU32(x478, x509, 0x0) - var x528 uint32 - var x529 uint1 - x528, x529 = addcarryxU32(x480, x511, x527) - var x530 uint32 - var x531 uint1 - x530, x531 = addcarryxU32(x482, x513, x529) - var x532 uint32 - var x533 uint1 - x532, x533 = addcarryxU32(x484, x515, x531) - var x534 uint32 - var x535 uint1 - x534, x535 = addcarryxU32(x486, x517, x533) - var x536 uint32 - var x537 uint1 - x536, x537 = addcarryxU32(x488, x519, x535) - var x538 uint32 - var x539 uint1 - x538, x539 = addcarryxU32(x490, x521, x537) - var x540 uint32 - var x541 uint1 - x540, x541 = addcarryxU32(x492, x523, x539) - var x542 uint32 - var x543 uint1 - x542, x543 = addcarryxU32(x494, x525, x541) - var x544 uint32 - _, x544 = bits.Mul32(x526, 0xd2253531) - var x546 uint32 - var x547 uint32 - x547, x546 = bits.Mul32(x544, 
0xffffffff) - var x548 uint32 - var x549 uint32 - x549, x548 = bits.Mul32(x544, 0xffffffff) - var x550 uint32 - var x551 uint32 - x551, x550 = bits.Mul32(x544, 0xffffffff) - var x552 uint32 - var x553 uint32 - x553, x552 = bits.Mul32(x544, 0xffffffff) - var x554 uint32 - var x555 uint32 - x555, x554 = bits.Mul32(x544, 0xffffffff) - var x556 uint32 - var x557 uint32 - x557, x556 = bits.Mul32(x544, 0xffffffff) - var x558 uint32 - var x559 uint32 - x559, x558 = bits.Mul32(x544, 0xfffffffe) - var x560 uint32 - var x561 uint32 - x561, x560 = bits.Mul32(x544, 0xfffffc2f) - var x562 uint32 - var x563 uint1 - x562, x563 = addcarryxU32(x561, x558, 0x0) - var x564 uint32 - var x565 uint1 - x564, x565 = addcarryxU32(x559, x556, x563) - var x566 uint32 - var x567 uint1 - x566, x567 = addcarryxU32(x557, x554, x565) - var x568 uint32 - var x569 uint1 - x568, x569 = addcarryxU32(x555, x552, x567) - var x570 uint32 - var x571 uint1 - x570, x571 = addcarryxU32(x553, x550, x569) - var x572 uint32 - var x573 uint1 - x572, x573 = addcarryxU32(x551, x548, x571) - var x574 uint32 - var x575 uint1 - x574, x575 = addcarryxU32(x549, x546, x573) - var x576 uint32 = (uint32(x575) + x547) - var x578 uint1 - _, x578 = addcarryxU32(x526, x560, 0x0) - var x579 uint32 - var x580 uint1 - x579, x580 = addcarryxU32(x528, x562, x578) - var x581 uint32 - var x582 uint1 - x581, x582 = addcarryxU32(x530, x564, x580) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32(x532, x566, x582) - var x585 uint32 - var x586 uint1 - x585, x586 = addcarryxU32(x534, x568, x584) - var x587 uint32 - var x588 uint1 - x587, x588 = addcarryxU32(x536, x570, x586) - var x589 uint32 - var x590 uint1 - x589, x590 = addcarryxU32(x538, x572, x588) - var x591 uint32 - var x592 uint1 - x591, x592 = addcarryxU32(x540, x574, x590) - var x593 uint32 - var x594 uint1 - x593, x594 = addcarryxU32(x542, x576, x592) - var x595 uint32 = (uint32(x594) + uint32(x543)) - var x596 uint32 - var x597 uint32 - x597, x596 = 
bits.Mul32(x6, (arg1[7])) - var x598 uint32 - var x599 uint32 - x599, x598 = bits.Mul32(x6, (arg1[6])) - var x600 uint32 - var x601 uint32 - x601, x600 = bits.Mul32(x6, (arg1[5])) - var x602 uint32 - var x603 uint32 - x603, x602 = bits.Mul32(x6, (arg1[4])) - var x604 uint32 - var x605 uint32 - x605, x604 = bits.Mul32(x6, (arg1[3])) - var x606 uint32 - var x607 uint32 - x607, x606 = bits.Mul32(x6, (arg1[2])) - var x608 uint32 - var x609 uint32 - x609, x608 = bits.Mul32(x6, (arg1[1])) - var x610 uint32 - var x611 uint32 - x611, x610 = bits.Mul32(x6, (arg1[0])) - var x612 uint32 - var x613 uint1 - x612, x613 = addcarryxU32(x611, x608, 0x0) - var x614 uint32 - var x615 uint1 - x614, x615 = addcarryxU32(x609, x606, x613) - var x616 uint32 - var x617 uint1 - x616, x617 = addcarryxU32(x607, x604, x615) - var x618 uint32 - var x619 uint1 - x618, x619 = addcarryxU32(x605, x602, x617) - var x620 uint32 - var x621 uint1 - x620, x621 = addcarryxU32(x603, x600, x619) - var x622 uint32 - var x623 uint1 - x622, x623 = addcarryxU32(x601, x598, x621) - var x624 uint32 - var x625 uint1 - x624, x625 = addcarryxU32(x599, x596, x623) - var x626 uint32 = (uint32(x625) + x597) - var x627 uint32 - var x628 uint1 - x627, x628 = addcarryxU32(x579, x610, 0x0) - var x629 uint32 - var x630 uint1 - x629, x630 = addcarryxU32(x581, x612, x628) - var x631 uint32 - var x632 uint1 - x631, x632 = addcarryxU32(x583, x614, x630) - var x633 uint32 - var x634 uint1 - x633, x634 = addcarryxU32(x585, x616, x632) - var x635 uint32 - var x636 uint1 - x635, x636 = addcarryxU32(x587, x618, x634) - var x637 uint32 - var x638 uint1 - x637, x638 = addcarryxU32(x589, x620, x636) - var x639 uint32 - var x640 uint1 - x639, x640 = addcarryxU32(x591, x622, x638) - var x641 uint32 - var x642 uint1 - x641, x642 = addcarryxU32(x593, x624, x640) - var x643 uint32 - var x644 uint1 - x643, x644 = addcarryxU32(x595, x626, x642) - var x645 uint32 - _, x645 = bits.Mul32(x627, 0xd2253531) - var x647 uint32 - var x648 uint32 - 
x648, x647 = bits.Mul32(x645, 0xffffffff) - var x649 uint32 - var x650 uint32 - x650, x649 = bits.Mul32(x645, 0xffffffff) - var x651 uint32 - var x652 uint32 - x652, x651 = bits.Mul32(x645, 0xffffffff) - var x653 uint32 - var x654 uint32 - x654, x653 = bits.Mul32(x645, 0xffffffff) - var x655 uint32 - var x656 uint32 - x656, x655 = bits.Mul32(x645, 0xffffffff) - var x657 uint32 - var x658 uint32 - x658, x657 = bits.Mul32(x645, 0xffffffff) - var x659 uint32 - var x660 uint32 - x660, x659 = bits.Mul32(x645, 0xfffffffe) - var x661 uint32 - var x662 uint32 - x662, x661 = bits.Mul32(x645, 0xfffffc2f) - var x663 uint32 - var x664 uint1 - x663, x664 = addcarryxU32(x662, x659, 0x0) - var x665 uint32 - var x666 uint1 - x665, x666 = addcarryxU32(x660, x657, x664) - var x667 uint32 - var x668 uint1 - x667, x668 = addcarryxU32(x658, x655, x666) - var x669 uint32 - var x670 uint1 - x669, x670 = addcarryxU32(x656, x653, x668) - var x671 uint32 - var x672 uint1 - x671, x672 = addcarryxU32(x654, x651, x670) - var x673 uint32 - var x674 uint1 - x673, x674 = addcarryxU32(x652, x649, x672) - var x675 uint32 - var x676 uint1 - x675, x676 = addcarryxU32(x650, x647, x674) - var x677 uint32 = (uint32(x676) + x648) - var x679 uint1 - _, x679 = addcarryxU32(x627, x661, 0x0) - var x680 uint32 - var x681 uint1 - x680, x681 = addcarryxU32(x629, x663, x679) - var x682 uint32 - var x683 uint1 - x682, x683 = addcarryxU32(x631, x665, x681) - var x684 uint32 - var x685 uint1 - x684, x685 = addcarryxU32(x633, x667, x683) - var x686 uint32 - var x687 uint1 - x686, x687 = addcarryxU32(x635, x669, x685) - var x688 uint32 - var x689 uint1 - x688, x689 = addcarryxU32(x637, x671, x687) - var x690 uint32 - var x691 uint1 - x690, x691 = addcarryxU32(x639, x673, x689) - var x692 uint32 - var x693 uint1 - x692, x693 = addcarryxU32(x641, x675, x691) - var x694 uint32 - var x695 uint1 - x694, x695 = addcarryxU32(x643, x677, x693) - var x696 uint32 = (uint32(x695) + uint32(x644)) - var x697 uint32 - var x698 
uint32 - x698, x697 = bits.Mul32(x7, (arg1[7])) - var x699 uint32 - var x700 uint32 - x700, x699 = bits.Mul32(x7, (arg1[6])) - var x701 uint32 - var x702 uint32 - x702, x701 = bits.Mul32(x7, (arg1[5])) - var x703 uint32 - var x704 uint32 - x704, x703 = bits.Mul32(x7, (arg1[4])) - var x705 uint32 - var x706 uint32 - x706, x705 = bits.Mul32(x7, (arg1[3])) - var x707 uint32 - var x708 uint32 - x708, x707 = bits.Mul32(x7, (arg1[2])) - var x709 uint32 - var x710 uint32 - x710, x709 = bits.Mul32(x7, (arg1[1])) - var x711 uint32 - var x712 uint32 - x712, x711 = bits.Mul32(x7, (arg1[0])) - var x713 uint32 - var x714 uint1 - x713, x714 = addcarryxU32(x712, x709, 0x0) - var x715 uint32 - var x716 uint1 - x715, x716 = addcarryxU32(x710, x707, x714) - var x717 uint32 - var x718 uint1 - x717, x718 = addcarryxU32(x708, x705, x716) - var x719 uint32 - var x720 uint1 - x719, x720 = addcarryxU32(x706, x703, x718) - var x721 uint32 - var x722 uint1 - x721, x722 = addcarryxU32(x704, x701, x720) - var x723 uint32 - var x724 uint1 - x723, x724 = addcarryxU32(x702, x699, x722) - var x725 uint32 - var x726 uint1 - x725, x726 = addcarryxU32(x700, x697, x724) - var x727 uint32 = (uint32(x726) + x698) - var x728 uint32 - var x729 uint1 - x728, x729 = addcarryxU32(x680, x711, 0x0) - var x730 uint32 - var x731 uint1 - x730, x731 = addcarryxU32(x682, x713, x729) - var x732 uint32 - var x733 uint1 - x732, x733 = addcarryxU32(x684, x715, x731) - var x734 uint32 - var x735 uint1 - x734, x735 = addcarryxU32(x686, x717, x733) - var x736 uint32 - var x737 uint1 - x736, x737 = addcarryxU32(x688, x719, x735) - var x738 uint32 - var x739 uint1 - x738, x739 = addcarryxU32(x690, x721, x737) - var x740 uint32 - var x741 uint1 - x740, x741 = addcarryxU32(x692, x723, x739) - var x742 uint32 - var x743 uint1 - x742, x743 = addcarryxU32(x694, x725, x741) - var x744 uint32 - var x745 uint1 - x744, x745 = addcarryxU32(x696, x727, x743) - var x746 uint32 - _, x746 = bits.Mul32(x728, 0xd2253531) - var x748 uint32 
- var x749 uint32 - x749, x748 = bits.Mul32(x746, 0xffffffff) - var x750 uint32 - var x751 uint32 - x751, x750 = bits.Mul32(x746, 0xffffffff) - var x752 uint32 - var x753 uint32 - x753, x752 = bits.Mul32(x746, 0xffffffff) - var x754 uint32 - var x755 uint32 - x755, x754 = bits.Mul32(x746, 0xffffffff) - var x756 uint32 - var x757 uint32 - x757, x756 = bits.Mul32(x746, 0xffffffff) - var x758 uint32 - var x759 uint32 - x759, x758 = bits.Mul32(x746, 0xffffffff) - var x760 uint32 - var x761 uint32 - x761, x760 = bits.Mul32(x746, 0xfffffffe) - var x762 uint32 - var x763 uint32 - x763, x762 = bits.Mul32(x746, 0xfffffc2f) - var x764 uint32 - var x765 uint1 - x764, x765 = addcarryxU32(x763, x760, 0x0) - var x766 uint32 - var x767 uint1 - x766, x767 = addcarryxU32(x761, x758, x765) - var x768 uint32 - var x769 uint1 - x768, x769 = addcarryxU32(x759, x756, x767) - var x770 uint32 - var x771 uint1 - x770, x771 = addcarryxU32(x757, x754, x769) - var x772 uint32 - var x773 uint1 - x772, x773 = addcarryxU32(x755, x752, x771) - var x774 uint32 - var x775 uint1 - x774, x775 = addcarryxU32(x753, x750, x773) - var x776 uint32 - var x777 uint1 - x776, x777 = addcarryxU32(x751, x748, x775) - var x778 uint32 = (uint32(x777) + x749) - var x780 uint1 - _, x780 = addcarryxU32(x728, x762, 0x0) - var x781 uint32 - var x782 uint1 - x781, x782 = addcarryxU32(x730, x764, x780) - var x783 uint32 - var x784 uint1 - x783, x784 = addcarryxU32(x732, x766, x782) - var x785 uint32 - var x786 uint1 - x785, x786 = addcarryxU32(x734, x768, x784) - var x787 uint32 - var x788 uint1 - x787, x788 = addcarryxU32(x736, x770, x786) - var x789 uint32 - var x790 uint1 - x789, x790 = addcarryxU32(x738, x772, x788) - var x791 uint32 - var x792 uint1 - x791, x792 = addcarryxU32(x740, x774, x790) - var x793 uint32 - var x794 uint1 - x793, x794 = addcarryxU32(x742, x776, x792) - var x795 uint32 - var x796 uint1 - x795, x796 = addcarryxU32(x744, x778, x794) - var x797 uint32 = (uint32(x796) + uint32(x745)) - var x798 
uint32 - var x799 uint1 - x798, x799 = subborrowxU32(x781, 0xfffffc2f, 0x0) - var x800 uint32 - var x801 uint1 - x800, x801 = subborrowxU32(x783, 0xfffffffe, x799) - var x802 uint32 - var x803 uint1 - x802, x803 = subborrowxU32(x785, 0xffffffff, x801) - var x804 uint32 - var x805 uint1 - x804, x805 = subborrowxU32(x787, 0xffffffff, x803) - var x806 uint32 - var x807 uint1 - x806, x807 = subborrowxU32(x789, 0xffffffff, x805) - var x808 uint32 - var x809 uint1 - x808, x809 = subborrowxU32(x791, 0xffffffff, x807) - var x810 uint32 - var x811 uint1 - x810, x811 = subborrowxU32(x793, 0xffffffff, x809) - var x812 uint32 - var x813 uint1 - x812, x813 = subborrowxU32(x795, 0xffffffff, x811) - var x815 uint1 - _, x815 = subborrowxU32(x797, uint32(0x0), x813) - var x816 uint32 - cmovznzU32(&x816, x815, x798, x781) - var x817 uint32 - cmovznzU32(&x817, x815, x800, x783) - var x818 uint32 - cmovznzU32(&x818, x815, x802, x785) - var x819 uint32 - cmovznzU32(&x819, x815, x804, x787) - var x820 uint32 - cmovznzU32(&x820, x815, x806, x789) - var x821 uint32 - cmovznzU32(&x821, x815, x808, x791) - var x822 uint32 - cmovznzU32(&x822, x815, x810, x793) - var x823 uint32 - cmovznzU32(&x823, x815, x812, x795) - out1[0] = x816 - out1[1] = x817 - out1[2] = x818 - out1[3] = x819 - out1[4] = x820 - out1[5] = x821 - out1[6] = x822 - out1[7] = x823 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[0] + var x9 uint32 + var x10 uint32 + x10, x9 = bits.Mul32(x8, arg1[7]) + var x11 uint32 + var x12 uint32 + x12, x11 = bits.Mul32(x8, arg1[6]) + var x13 uint32 + var x14 uint32 + x14, x13 = bits.Mul32(x8, arg1[5]) + var x15 uint32 + var x16 uint32 + x16, x15 = bits.Mul32(x8, arg1[4]) + var x17 uint32 + var x18 uint32 + x18, x17 = bits.Mul32(x8, arg1[3]) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x8, arg1[2]) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x8, arg1[1]) + var x23 uint32 + var x24 
uint32 + x24, x23 = bits.Mul32(x8, arg1[0]) + var x25 uint32 + var x26 uint1 + x25, x26 = addcarryxU32(x24, x21, 0x0) + var x27 uint32 + var x28 uint1 + x27, x28 = addcarryxU32(x22, x19, x26) + var x29 uint32 + var x30 uint1 + x29, x30 = addcarryxU32(x20, x17, x28) + var x31 uint32 + var x32 uint1 + x31, x32 = addcarryxU32(x18, x15, x30) + var x33 uint32 + var x34 uint1 + x33, x34 = addcarryxU32(x16, x13, x32) + var x35 uint32 + var x36 uint1 + x35, x36 = addcarryxU32(x14, x11, x34) + var x37 uint32 + var x38 uint1 + x37, x38 = addcarryxU32(x12, x9, x36) + x39 := (uint32(x38) + x10) + var x40 uint32 + _, x40 = bits.Mul32(x23, 0xd2253531) + var x42 uint32 + var x43 uint32 + x43, x42 = bits.Mul32(x40, 0xffffffff) + var x44 uint32 + var x45 uint32 + x45, x44 = bits.Mul32(x40, 0xffffffff) + var x46 uint32 + var x47 uint32 + x47, x46 = bits.Mul32(x40, 0xffffffff) + var x48 uint32 + var x49 uint32 + x49, x48 = bits.Mul32(x40, 0xffffffff) + var x50 uint32 + var x51 uint32 + x51, x50 = bits.Mul32(x40, 0xffffffff) + var x52 uint32 + var x53 uint32 + x53, x52 = bits.Mul32(x40, 0xffffffff) + var x54 uint32 + var x55 uint32 + x55, x54 = bits.Mul32(x40, 0xfffffffe) + var x56 uint32 + var x57 uint32 + x57, x56 = bits.Mul32(x40, 0xfffffc2f) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x57, x54, 0x0) + var x60 uint32 + var x61 uint1 + x60, x61 = addcarryxU32(x55, x52, x59) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x53, x50, x61) + var x64 uint32 + var x65 uint1 + x64, x65 = addcarryxU32(x51, x48, x63) + var x66 uint32 + var x67 uint1 + x66, x67 = addcarryxU32(x49, x46, x65) + var x68 uint32 + var x69 uint1 + x68, x69 = addcarryxU32(x47, x44, x67) + var x70 uint32 + var x71 uint1 + x70, x71 = addcarryxU32(x45, x42, x69) + x72 := (uint32(x71) + x43) + var x74 uint1 + _, x74 = addcarryxU32(x23, x56, 0x0) + var x75 uint32 + var x76 uint1 + x75, x76 = addcarryxU32(x25, x58, x74) + var x77 uint32 + var x78 uint1 + x77, x78 = addcarryxU32(x27, x60, x76) + 
var x79 uint32 + var x80 uint1 + x79, x80 = addcarryxU32(x29, x62, x78) + var x81 uint32 + var x82 uint1 + x81, x82 = addcarryxU32(x31, x64, x80) + var x83 uint32 + var x84 uint1 + x83, x84 = addcarryxU32(x33, x66, x82) + var x85 uint32 + var x86 uint1 + x85, x86 = addcarryxU32(x35, x68, x84) + var x87 uint32 + var x88 uint1 + x87, x88 = addcarryxU32(x37, x70, x86) + var x89 uint32 + var x90 uint1 + x89, x90 = addcarryxU32(x39, x72, x88) + var x91 uint32 + var x92 uint32 + x92, x91 = bits.Mul32(x1, arg1[7]) + var x93 uint32 + var x94 uint32 + x94, x93 = bits.Mul32(x1, arg1[6]) + var x95 uint32 + var x96 uint32 + x96, x95 = bits.Mul32(x1, arg1[5]) + var x97 uint32 + var x98 uint32 + x98, x97 = bits.Mul32(x1, arg1[4]) + var x99 uint32 + var x100 uint32 + x100, x99 = bits.Mul32(x1, arg1[3]) + var x101 uint32 + var x102 uint32 + x102, x101 = bits.Mul32(x1, arg1[2]) + var x103 uint32 + var x104 uint32 + x104, x103 = bits.Mul32(x1, arg1[1]) + var x105 uint32 + var x106 uint32 + x106, x105 = bits.Mul32(x1, arg1[0]) + var x107 uint32 + var x108 uint1 + x107, x108 = addcarryxU32(x106, x103, 0x0) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(x104, x101, x108) + var x111 uint32 + var x112 uint1 + x111, x112 = addcarryxU32(x102, x99, x110) + var x113 uint32 + var x114 uint1 + x113, x114 = addcarryxU32(x100, x97, x112) + var x115 uint32 + var x116 uint1 + x115, x116 = addcarryxU32(x98, x95, x114) + var x117 uint32 + var x118 uint1 + x117, x118 = addcarryxU32(x96, x93, x116) + var x119 uint32 + var x120 uint1 + x119, x120 = addcarryxU32(x94, x91, x118) + x121 := (uint32(x120) + x92) + var x122 uint32 + var x123 uint1 + x122, x123 = addcarryxU32(x75, x105, 0x0) + var x124 uint32 + var x125 uint1 + x124, x125 = addcarryxU32(x77, x107, x123) + var x126 uint32 + var x127 uint1 + x126, x127 = addcarryxU32(x79, x109, x125) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x81, x111, x127) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x83, 
x113, x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x85, x115, x131) + var x134 uint32 + var x135 uint1 + x134, x135 = addcarryxU32(x87, x117, x133) + var x136 uint32 + var x137 uint1 + x136, x137 = addcarryxU32(x89, x119, x135) + var x138 uint32 + var x139 uint1 + x138, x139 = addcarryxU32(uint32(x90), x121, x137) + var x140 uint32 + _, x140 = bits.Mul32(x122, 0xd2253531) + var x142 uint32 + var x143 uint32 + x143, x142 = bits.Mul32(x140, 0xffffffff) + var x144 uint32 + var x145 uint32 + x145, x144 = bits.Mul32(x140, 0xffffffff) + var x146 uint32 + var x147 uint32 + x147, x146 = bits.Mul32(x140, 0xffffffff) + var x148 uint32 + var x149 uint32 + x149, x148 = bits.Mul32(x140, 0xffffffff) + var x150 uint32 + var x151 uint32 + x151, x150 = bits.Mul32(x140, 0xffffffff) + var x152 uint32 + var x153 uint32 + x153, x152 = bits.Mul32(x140, 0xffffffff) + var x154 uint32 + var x155 uint32 + x155, x154 = bits.Mul32(x140, 0xfffffffe) + var x156 uint32 + var x157 uint32 + x157, x156 = bits.Mul32(x140, 0xfffffc2f) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x157, x154, 0x0) + var x160 uint32 + var x161 uint1 + x160, x161 = addcarryxU32(x155, x152, x159) + var x162 uint32 + var x163 uint1 + x162, x163 = addcarryxU32(x153, x150, x161) + var x164 uint32 + var x165 uint1 + x164, x165 = addcarryxU32(x151, x148, x163) + var x166 uint32 + var x167 uint1 + x166, x167 = addcarryxU32(x149, x146, x165) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x147, x144, x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x145, x142, x169) + x172 := (uint32(x171) + x143) + var x174 uint1 + _, x174 = addcarryxU32(x122, x156, 0x0) + var x175 uint32 + var x176 uint1 + x175, x176 = addcarryxU32(x124, x158, x174) + var x177 uint32 + var x178 uint1 + x177, x178 = addcarryxU32(x126, x160, x176) + var x179 uint32 + var x180 uint1 + x179, x180 = addcarryxU32(x128, x162, x178) + var x181 uint32 + var x182 uint1 + x181, x182 = 
addcarryxU32(x130, x164, x180) + var x183 uint32 + var x184 uint1 + x183, x184 = addcarryxU32(x132, x166, x182) + var x185 uint32 + var x186 uint1 + x185, x186 = addcarryxU32(x134, x168, x184) + var x187 uint32 + var x188 uint1 + x187, x188 = addcarryxU32(x136, x170, x186) + var x189 uint32 + var x190 uint1 + x189, x190 = addcarryxU32(x138, x172, x188) + x191 := (uint32(x190) + uint32(x139)) + var x192 uint32 + var x193 uint32 + x193, x192 = bits.Mul32(x2, arg1[7]) + var x194 uint32 + var x195 uint32 + x195, x194 = bits.Mul32(x2, arg1[6]) + var x196 uint32 + var x197 uint32 + x197, x196 = bits.Mul32(x2, arg1[5]) + var x198 uint32 + var x199 uint32 + x199, x198 = bits.Mul32(x2, arg1[4]) + var x200 uint32 + var x201 uint32 + x201, x200 = bits.Mul32(x2, arg1[3]) + var x202 uint32 + var x203 uint32 + x203, x202 = bits.Mul32(x2, arg1[2]) + var x204 uint32 + var x205 uint32 + x205, x204 = bits.Mul32(x2, arg1[1]) + var x206 uint32 + var x207 uint32 + x207, x206 = bits.Mul32(x2, arg1[0]) + var x208 uint32 + var x209 uint1 + x208, x209 = addcarryxU32(x207, x204, 0x0) + var x210 uint32 + var x211 uint1 + x210, x211 = addcarryxU32(x205, x202, x209) + var x212 uint32 + var x213 uint1 + x212, x213 = addcarryxU32(x203, x200, x211) + var x214 uint32 + var x215 uint1 + x214, x215 = addcarryxU32(x201, x198, x213) + var x216 uint32 + var x217 uint1 + x216, x217 = addcarryxU32(x199, x196, x215) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x197, x194, x217) + var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x195, x192, x219) + x222 := (uint32(x221) + x193) + var x223 uint32 + var x224 uint1 + x223, x224 = addcarryxU32(x175, x206, 0x0) + var x225 uint32 + var x226 uint1 + x225, x226 = addcarryxU32(x177, x208, x224) + var x227 uint32 + var x228 uint1 + x227, x228 = addcarryxU32(x179, x210, x226) + var x229 uint32 + var x230 uint1 + x229, x230 = addcarryxU32(x181, x212, x228) + var x231 uint32 + var x232 uint1 + x231, x232 = addcarryxU32(x183, x214, x230) + 
var x233 uint32 + var x234 uint1 + x233, x234 = addcarryxU32(x185, x216, x232) + var x235 uint32 + var x236 uint1 + x235, x236 = addcarryxU32(x187, x218, x234) + var x237 uint32 + var x238 uint1 + x237, x238 = addcarryxU32(x189, x220, x236) + var x239 uint32 + var x240 uint1 + x239, x240 = addcarryxU32(x191, x222, x238) + var x241 uint32 + _, x241 = bits.Mul32(x223, 0xd2253531) + var x243 uint32 + var x244 uint32 + x244, x243 = bits.Mul32(x241, 0xffffffff) + var x245 uint32 + var x246 uint32 + x246, x245 = bits.Mul32(x241, 0xffffffff) + var x247 uint32 + var x248 uint32 + x248, x247 = bits.Mul32(x241, 0xffffffff) + var x249 uint32 + var x250 uint32 + x250, x249 = bits.Mul32(x241, 0xffffffff) + var x251 uint32 + var x252 uint32 + x252, x251 = bits.Mul32(x241, 0xffffffff) + var x253 uint32 + var x254 uint32 + x254, x253 = bits.Mul32(x241, 0xffffffff) + var x255 uint32 + var x256 uint32 + x256, x255 = bits.Mul32(x241, 0xfffffffe) + var x257 uint32 + var x258 uint32 + x258, x257 = bits.Mul32(x241, 0xfffffc2f) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x258, x255, 0x0) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x256, x253, x260) + var x263 uint32 + var x264 uint1 + x263, x264 = addcarryxU32(x254, x251, x262) + var x265 uint32 + var x266 uint1 + x265, x266 = addcarryxU32(x252, x249, x264) + var x267 uint32 + var x268 uint1 + x267, x268 = addcarryxU32(x250, x247, x266) + var x269 uint32 + var x270 uint1 + x269, x270 = addcarryxU32(x248, x245, x268) + var x271 uint32 + var x272 uint1 + x271, x272 = addcarryxU32(x246, x243, x270) + x273 := (uint32(x272) + x244) + var x275 uint1 + _, x275 = addcarryxU32(x223, x257, 0x0) + var x276 uint32 + var x277 uint1 + x276, x277 = addcarryxU32(x225, x259, x275) + var x278 uint32 + var x279 uint1 + x278, x279 = addcarryxU32(x227, x261, x277) + var x280 uint32 + var x281 uint1 + x280, x281 = addcarryxU32(x229, x263, x279) + var x282 uint32 + var x283 uint1 + x282, x283 = addcarryxU32(x231, x265, 
x281) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x233, x267, x283) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x235, x269, x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x237, x271, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x239, x273, x289) + x292 := (uint32(x291) + uint32(x240)) + var x293 uint32 + var x294 uint32 + x294, x293 = bits.Mul32(x3, arg1[7]) + var x295 uint32 + var x296 uint32 + x296, x295 = bits.Mul32(x3, arg1[6]) + var x297 uint32 + var x298 uint32 + x298, x297 = bits.Mul32(x3, arg1[5]) + var x299 uint32 + var x300 uint32 + x300, x299 = bits.Mul32(x3, arg1[4]) + var x301 uint32 + var x302 uint32 + x302, x301 = bits.Mul32(x3, arg1[3]) + var x303 uint32 + var x304 uint32 + x304, x303 = bits.Mul32(x3, arg1[2]) + var x305 uint32 + var x306 uint32 + x306, x305 = bits.Mul32(x3, arg1[1]) + var x307 uint32 + var x308 uint32 + x308, x307 = bits.Mul32(x3, arg1[0]) + var x309 uint32 + var x310 uint1 + x309, x310 = addcarryxU32(x308, x305, 0x0) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x306, x303, x310) + var x313 uint32 + var x314 uint1 + x313, x314 = addcarryxU32(x304, x301, x312) + var x315 uint32 + var x316 uint1 + x315, x316 = addcarryxU32(x302, x299, x314) + var x317 uint32 + var x318 uint1 + x317, x318 = addcarryxU32(x300, x297, x316) + var x319 uint32 + var x320 uint1 + x319, x320 = addcarryxU32(x298, x295, x318) + var x321 uint32 + var x322 uint1 + x321, x322 = addcarryxU32(x296, x293, x320) + x323 := (uint32(x322) + x294) + var x324 uint32 + var x325 uint1 + x324, x325 = addcarryxU32(x276, x307, 0x0) + var x326 uint32 + var x327 uint1 + x326, x327 = addcarryxU32(x278, x309, x325) + var x328 uint32 + var x329 uint1 + x328, x329 = addcarryxU32(x280, x311, x327) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x282, x313, x329) + var x332 uint32 + var x333 uint1 + x332, x333 = addcarryxU32(x284, x315, x331) + var x334 uint32 + var 
x335 uint1 + x334, x335 = addcarryxU32(x286, x317, x333) + var x336 uint32 + var x337 uint1 + x336, x337 = addcarryxU32(x288, x319, x335) + var x338 uint32 + var x339 uint1 + x338, x339 = addcarryxU32(x290, x321, x337) + var x340 uint32 + var x341 uint1 + x340, x341 = addcarryxU32(x292, x323, x339) + var x342 uint32 + _, x342 = bits.Mul32(x324, 0xd2253531) + var x344 uint32 + var x345 uint32 + x345, x344 = bits.Mul32(x342, 0xffffffff) + var x346 uint32 + var x347 uint32 + x347, x346 = bits.Mul32(x342, 0xffffffff) + var x348 uint32 + var x349 uint32 + x349, x348 = bits.Mul32(x342, 0xffffffff) + var x350 uint32 + var x351 uint32 + x351, x350 = bits.Mul32(x342, 0xffffffff) + var x352 uint32 + var x353 uint32 + x353, x352 = bits.Mul32(x342, 0xffffffff) + var x354 uint32 + var x355 uint32 + x355, x354 = bits.Mul32(x342, 0xffffffff) + var x356 uint32 + var x357 uint32 + x357, x356 = bits.Mul32(x342, 0xfffffffe) + var x358 uint32 + var x359 uint32 + x359, x358 = bits.Mul32(x342, 0xfffffc2f) + var x360 uint32 + var x361 uint1 + x360, x361 = addcarryxU32(x359, x356, 0x0) + var x362 uint32 + var x363 uint1 + x362, x363 = addcarryxU32(x357, x354, x361) + var x364 uint32 + var x365 uint1 + x364, x365 = addcarryxU32(x355, x352, x363) + var x366 uint32 + var x367 uint1 + x366, x367 = addcarryxU32(x353, x350, x365) + var x368 uint32 + var x369 uint1 + x368, x369 = addcarryxU32(x351, x348, x367) + var x370 uint32 + var x371 uint1 + x370, x371 = addcarryxU32(x349, x346, x369) + var x372 uint32 + var x373 uint1 + x372, x373 = addcarryxU32(x347, x344, x371) + x374 := (uint32(x373) + x345) + var x376 uint1 + _, x376 = addcarryxU32(x324, x358, 0x0) + var x377 uint32 + var x378 uint1 + x377, x378 = addcarryxU32(x326, x360, x376) + var x379 uint32 + var x380 uint1 + x379, x380 = addcarryxU32(x328, x362, x378) + var x381 uint32 + var x382 uint1 + x381, x382 = addcarryxU32(x330, x364, x380) + var x383 uint32 + var x384 uint1 + x383, x384 = addcarryxU32(x332, x366, x382) + var x385 uint32 + 
var x386 uint1 + x385, x386 = addcarryxU32(x334, x368, x384) + var x387 uint32 + var x388 uint1 + x387, x388 = addcarryxU32(x336, x370, x386) + var x389 uint32 + var x390 uint1 + x389, x390 = addcarryxU32(x338, x372, x388) + var x391 uint32 + var x392 uint1 + x391, x392 = addcarryxU32(x340, x374, x390) + x393 := (uint32(x392) + uint32(x341)) + var x394 uint32 + var x395 uint32 + x395, x394 = bits.Mul32(x4, arg1[7]) + var x396 uint32 + var x397 uint32 + x397, x396 = bits.Mul32(x4, arg1[6]) + var x398 uint32 + var x399 uint32 + x399, x398 = bits.Mul32(x4, arg1[5]) + var x400 uint32 + var x401 uint32 + x401, x400 = bits.Mul32(x4, arg1[4]) + var x402 uint32 + var x403 uint32 + x403, x402 = bits.Mul32(x4, arg1[3]) + var x404 uint32 + var x405 uint32 + x405, x404 = bits.Mul32(x4, arg1[2]) + var x406 uint32 + var x407 uint32 + x407, x406 = bits.Mul32(x4, arg1[1]) + var x408 uint32 + var x409 uint32 + x409, x408 = bits.Mul32(x4, arg1[0]) + var x410 uint32 + var x411 uint1 + x410, x411 = addcarryxU32(x409, x406, 0x0) + var x412 uint32 + var x413 uint1 + x412, x413 = addcarryxU32(x407, x404, x411) + var x414 uint32 + var x415 uint1 + x414, x415 = addcarryxU32(x405, x402, x413) + var x416 uint32 + var x417 uint1 + x416, x417 = addcarryxU32(x403, x400, x415) + var x418 uint32 + var x419 uint1 + x418, x419 = addcarryxU32(x401, x398, x417) + var x420 uint32 + var x421 uint1 + x420, x421 = addcarryxU32(x399, x396, x419) + var x422 uint32 + var x423 uint1 + x422, x423 = addcarryxU32(x397, x394, x421) + x424 := (uint32(x423) + x395) + var x425 uint32 + var x426 uint1 + x425, x426 = addcarryxU32(x377, x408, 0x0) + var x427 uint32 + var x428 uint1 + x427, x428 = addcarryxU32(x379, x410, x426) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x381, x412, x428) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x383, x414, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x385, x416, x432) + var x435 uint32 + var x436 uint1 + x435, x436 = 
addcarryxU32(x387, x418, x434) + var x437 uint32 + var x438 uint1 + x437, x438 = addcarryxU32(x389, x420, x436) + var x439 uint32 + var x440 uint1 + x439, x440 = addcarryxU32(x391, x422, x438) + var x441 uint32 + var x442 uint1 + x441, x442 = addcarryxU32(x393, x424, x440) + var x443 uint32 + _, x443 = bits.Mul32(x425, 0xd2253531) + var x445 uint32 + var x446 uint32 + x446, x445 = bits.Mul32(x443, 0xffffffff) + var x447 uint32 + var x448 uint32 + x448, x447 = bits.Mul32(x443, 0xffffffff) + var x449 uint32 + var x450 uint32 + x450, x449 = bits.Mul32(x443, 0xffffffff) + var x451 uint32 + var x452 uint32 + x452, x451 = bits.Mul32(x443, 0xffffffff) + var x453 uint32 + var x454 uint32 + x454, x453 = bits.Mul32(x443, 0xffffffff) + var x455 uint32 + var x456 uint32 + x456, x455 = bits.Mul32(x443, 0xffffffff) + var x457 uint32 + var x458 uint32 + x458, x457 = bits.Mul32(x443, 0xfffffffe) + var x459 uint32 + var x460 uint32 + x460, x459 = bits.Mul32(x443, 0xfffffc2f) + var x461 uint32 + var x462 uint1 + x461, x462 = addcarryxU32(x460, x457, 0x0) + var x463 uint32 + var x464 uint1 + x463, x464 = addcarryxU32(x458, x455, x462) + var x465 uint32 + var x466 uint1 + x465, x466 = addcarryxU32(x456, x453, x464) + var x467 uint32 + var x468 uint1 + x467, x468 = addcarryxU32(x454, x451, x466) + var x469 uint32 + var x470 uint1 + x469, x470 = addcarryxU32(x452, x449, x468) + var x471 uint32 + var x472 uint1 + x471, x472 = addcarryxU32(x450, x447, x470) + var x473 uint32 + var x474 uint1 + x473, x474 = addcarryxU32(x448, x445, x472) + x475 := (uint32(x474) + x446) + var x477 uint1 + _, x477 = addcarryxU32(x425, x459, 0x0) + var x478 uint32 + var x479 uint1 + x478, x479 = addcarryxU32(x427, x461, x477) + var x480 uint32 + var x481 uint1 + x480, x481 = addcarryxU32(x429, x463, x479) + var x482 uint32 + var x483 uint1 + x482, x483 = addcarryxU32(x431, x465, x481) + var x484 uint32 + var x485 uint1 + x484, x485 = addcarryxU32(x433, x467, x483) + var x486 uint32 + var x487 uint1 + x486, 
x487 = addcarryxU32(x435, x469, x485) + var x488 uint32 + var x489 uint1 + x488, x489 = addcarryxU32(x437, x471, x487) + var x490 uint32 + var x491 uint1 + x490, x491 = addcarryxU32(x439, x473, x489) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x441, x475, x491) + x494 := (uint32(x493) + uint32(x442)) + var x495 uint32 + var x496 uint32 + x496, x495 = bits.Mul32(x5, arg1[7]) + var x497 uint32 + var x498 uint32 + x498, x497 = bits.Mul32(x5, arg1[6]) + var x499 uint32 + var x500 uint32 + x500, x499 = bits.Mul32(x5, arg1[5]) + var x501 uint32 + var x502 uint32 + x502, x501 = bits.Mul32(x5, arg1[4]) + var x503 uint32 + var x504 uint32 + x504, x503 = bits.Mul32(x5, arg1[3]) + var x505 uint32 + var x506 uint32 + x506, x505 = bits.Mul32(x5, arg1[2]) + var x507 uint32 + var x508 uint32 + x508, x507 = bits.Mul32(x5, arg1[1]) + var x509 uint32 + var x510 uint32 + x510, x509 = bits.Mul32(x5, arg1[0]) + var x511 uint32 + var x512 uint1 + x511, x512 = addcarryxU32(x510, x507, 0x0) + var x513 uint32 + var x514 uint1 + x513, x514 = addcarryxU32(x508, x505, x512) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x506, x503, x514) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x504, x501, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x502, x499, x518) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x500, x497, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x498, x495, x522) + x525 := (uint32(x524) + x496) + var x526 uint32 + var x527 uint1 + x526, x527 = addcarryxU32(x478, x509, 0x0) + var x528 uint32 + var x529 uint1 + x528, x529 = addcarryxU32(x480, x511, x527) + var x530 uint32 + var x531 uint1 + x530, x531 = addcarryxU32(x482, x513, x529) + var x532 uint32 + var x533 uint1 + x532, x533 = addcarryxU32(x484, x515, x531) + var x534 uint32 + var x535 uint1 + x534, x535 = addcarryxU32(x486, x517, x533) + var x536 uint32 + var x537 uint1 + x536, x537 = addcarryxU32(x488, x519, 
x535) + var x538 uint32 + var x539 uint1 + x538, x539 = addcarryxU32(x490, x521, x537) + var x540 uint32 + var x541 uint1 + x540, x541 = addcarryxU32(x492, x523, x539) + var x542 uint32 + var x543 uint1 + x542, x543 = addcarryxU32(x494, x525, x541) + var x544 uint32 + _, x544 = bits.Mul32(x526, 0xd2253531) + var x546 uint32 + var x547 uint32 + x547, x546 = bits.Mul32(x544, 0xffffffff) + var x548 uint32 + var x549 uint32 + x549, x548 = bits.Mul32(x544, 0xffffffff) + var x550 uint32 + var x551 uint32 + x551, x550 = bits.Mul32(x544, 0xffffffff) + var x552 uint32 + var x553 uint32 + x553, x552 = bits.Mul32(x544, 0xffffffff) + var x554 uint32 + var x555 uint32 + x555, x554 = bits.Mul32(x544, 0xffffffff) + var x556 uint32 + var x557 uint32 + x557, x556 = bits.Mul32(x544, 0xffffffff) + var x558 uint32 + var x559 uint32 + x559, x558 = bits.Mul32(x544, 0xfffffffe) + var x560 uint32 + var x561 uint32 + x561, x560 = bits.Mul32(x544, 0xfffffc2f) + var x562 uint32 + var x563 uint1 + x562, x563 = addcarryxU32(x561, x558, 0x0) + var x564 uint32 + var x565 uint1 + x564, x565 = addcarryxU32(x559, x556, x563) + var x566 uint32 + var x567 uint1 + x566, x567 = addcarryxU32(x557, x554, x565) + var x568 uint32 + var x569 uint1 + x568, x569 = addcarryxU32(x555, x552, x567) + var x570 uint32 + var x571 uint1 + x570, x571 = addcarryxU32(x553, x550, x569) + var x572 uint32 + var x573 uint1 + x572, x573 = addcarryxU32(x551, x548, x571) + var x574 uint32 + var x575 uint1 + x574, x575 = addcarryxU32(x549, x546, x573) + x576 := (uint32(x575) + x547) + var x578 uint1 + _, x578 = addcarryxU32(x526, x560, 0x0) + var x579 uint32 + var x580 uint1 + x579, x580 = addcarryxU32(x528, x562, x578) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x530, x564, x580) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32(x532, x566, x582) + var x585 uint32 + var x586 uint1 + x585, x586 = addcarryxU32(x534, x568, x584) + var x587 uint32 + var x588 uint1 + x587, x588 = addcarryxU32(x536, 
x570, x586) + var x589 uint32 + var x590 uint1 + x589, x590 = addcarryxU32(x538, x572, x588) + var x591 uint32 + var x592 uint1 + x591, x592 = addcarryxU32(x540, x574, x590) + var x593 uint32 + var x594 uint1 + x593, x594 = addcarryxU32(x542, x576, x592) + x595 := (uint32(x594) + uint32(x543)) + var x596 uint32 + var x597 uint32 + x597, x596 = bits.Mul32(x6, arg1[7]) + var x598 uint32 + var x599 uint32 + x599, x598 = bits.Mul32(x6, arg1[6]) + var x600 uint32 + var x601 uint32 + x601, x600 = bits.Mul32(x6, arg1[5]) + var x602 uint32 + var x603 uint32 + x603, x602 = bits.Mul32(x6, arg1[4]) + var x604 uint32 + var x605 uint32 + x605, x604 = bits.Mul32(x6, arg1[3]) + var x606 uint32 + var x607 uint32 + x607, x606 = bits.Mul32(x6, arg1[2]) + var x608 uint32 + var x609 uint32 + x609, x608 = bits.Mul32(x6, arg1[1]) + var x610 uint32 + var x611 uint32 + x611, x610 = bits.Mul32(x6, arg1[0]) + var x612 uint32 + var x613 uint1 + x612, x613 = addcarryxU32(x611, x608, 0x0) + var x614 uint32 + var x615 uint1 + x614, x615 = addcarryxU32(x609, x606, x613) + var x616 uint32 + var x617 uint1 + x616, x617 = addcarryxU32(x607, x604, x615) + var x618 uint32 + var x619 uint1 + x618, x619 = addcarryxU32(x605, x602, x617) + var x620 uint32 + var x621 uint1 + x620, x621 = addcarryxU32(x603, x600, x619) + var x622 uint32 + var x623 uint1 + x622, x623 = addcarryxU32(x601, x598, x621) + var x624 uint32 + var x625 uint1 + x624, x625 = addcarryxU32(x599, x596, x623) + x626 := (uint32(x625) + x597) + var x627 uint32 + var x628 uint1 + x627, x628 = addcarryxU32(x579, x610, 0x0) + var x629 uint32 + var x630 uint1 + x629, x630 = addcarryxU32(x581, x612, x628) + var x631 uint32 + var x632 uint1 + x631, x632 = addcarryxU32(x583, x614, x630) + var x633 uint32 + var x634 uint1 + x633, x634 = addcarryxU32(x585, x616, x632) + var x635 uint32 + var x636 uint1 + x635, x636 = addcarryxU32(x587, x618, x634) + var x637 uint32 + var x638 uint1 + x637, x638 = addcarryxU32(x589, x620, x636) + var x639 uint32 + 
var x640 uint1 + x639, x640 = addcarryxU32(x591, x622, x638) + var x641 uint32 + var x642 uint1 + x641, x642 = addcarryxU32(x593, x624, x640) + var x643 uint32 + var x644 uint1 + x643, x644 = addcarryxU32(x595, x626, x642) + var x645 uint32 + _, x645 = bits.Mul32(x627, 0xd2253531) + var x647 uint32 + var x648 uint32 + x648, x647 = bits.Mul32(x645, 0xffffffff) + var x649 uint32 + var x650 uint32 + x650, x649 = bits.Mul32(x645, 0xffffffff) + var x651 uint32 + var x652 uint32 + x652, x651 = bits.Mul32(x645, 0xffffffff) + var x653 uint32 + var x654 uint32 + x654, x653 = bits.Mul32(x645, 0xffffffff) + var x655 uint32 + var x656 uint32 + x656, x655 = bits.Mul32(x645, 0xffffffff) + var x657 uint32 + var x658 uint32 + x658, x657 = bits.Mul32(x645, 0xffffffff) + var x659 uint32 + var x660 uint32 + x660, x659 = bits.Mul32(x645, 0xfffffffe) + var x661 uint32 + var x662 uint32 + x662, x661 = bits.Mul32(x645, 0xfffffc2f) + var x663 uint32 + var x664 uint1 + x663, x664 = addcarryxU32(x662, x659, 0x0) + var x665 uint32 + var x666 uint1 + x665, x666 = addcarryxU32(x660, x657, x664) + var x667 uint32 + var x668 uint1 + x667, x668 = addcarryxU32(x658, x655, x666) + var x669 uint32 + var x670 uint1 + x669, x670 = addcarryxU32(x656, x653, x668) + var x671 uint32 + var x672 uint1 + x671, x672 = addcarryxU32(x654, x651, x670) + var x673 uint32 + var x674 uint1 + x673, x674 = addcarryxU32(x652, x649, x672) + var x675 uint32 + var x676 uint1 + x675, x676 = addcarryxU32(x650, x647, x674) + x677 := (uint32(x676) + x648) + var x679 uint1 + _, x679 = addcarryxU32(x627, x661, 0x0) + var x680 uint32 + var x681 uint1 + x680, x681 = addcarryxU32(x629, x663, x679) + var x682 uint32 + var x683 uint1 + x682, x683 = addcarryxU32(x631, x665, x681) + var x684 uint32 + var x685 uint1 + x684, x685 = addcarryxU32(x633, x667, x683) + var x686 uint32 + var x687 uint1 + x686, x687 = addcarryxU32(x635, x669, x685) + var x688 uint32 + var x689 uint1 + x688, x689 = addcarryxU32(x637, x671, x687) + var x690 
uint32 + var x691 uint1 + x690, x691 = addcarryxU32(x639, x673, x689) + var x692 uint32 + var x693 uint1 + x692, x693 = addcarryxU32(x641, x675, x691) + var x694 uint32 + var x695 uint1 + x694, x695 = addcarryxU32(x643, x677, x693) + x696 := (uint32(x695) + uint32(x644)) + var x697 uint32 + var x698 uint32 + x698, x697 = bits.Mul32(x7, arg1[7]) + var x699 uint32 + var x700 uint32 + x700, x699 = bits.Mul32(x7, arg1[6]) + var x701 uint32 + var x702 uint32 + x702, x701 = bits.Mul32(x7, arg1[5]) + var x703 uint32 + var x704 uint32 + x704, x703 = bits.Mul32(x7, arg1[4]) + var x705 uint32 + var x706 uint32 + x706, x705 = bits.Mul32(x7, arg1[3]) + var x707 uint32 + var x708 uint32 + x708, x707 = bits.Mul32(x7, arg1[2]) + var x709 uint32 + var x710 uint32 + x710, x709 = bits.Mul32(x7, arg1[1]) + var x711 uint32 + var x712 uint32 + x712, x711 = bits.Mul32(x7, arg1[0]) + var x713 uint32 + var x714 uint1 + x713, x714 = addcarryxU32(x712, x709, 0x0) + var x715 uint32 + var x716 uint1 + x715, x716 = addcarryxU32(x710, x707, x714) + var x717 uint32 + var x718 uint1 + x717, x718 = addcarryxU32(x708, x705, x716) + var x719 uint32 + var x720 uint1 + x719, x720 = addcarryxU32(x706, x703, x718) + var x721 uint32 + var x722 uint1 + x721, x722 = addcarryxU32(x704, x701, x720) + var x723 uint32 + var x724 uint1 + x723, x724 = addcarryxU32(x702, x699, x722) + var x725 uint32 + var x726 uint1 + x725, x726 = addcarryxU32(x700, x697, x724) + x727 := (uint32(x726) + x698) + var x728 uint32 + var x729 uint1 + x728, x729 = addcarryxU32(x680, x711, 0x0) + var x730 uint32 + var x731 uint1 + x730, x731 = addcarryxU32(x682, x713, x729) + var x732 uint32 + var x733 uint1 + x732, x733 = addcarryxU32(x684, x715, x731) + var x734 uint32 + var x735 uint1 + x734, x735 = addcarryxU32(x686, x717, x733) + var x736 uint32 + var x737 uint1 + x736, x737 = addcarryxU32(x688, x719, x735) + var x738 uint32 + var x739 uint1 + x738, x739 = addcarryxU32(x690, x721, x737) + var x740 uint32 + var x741 uint1 + x740, 
x741 = addcarryxU32(x692, x723, x739) + var x742 uint32 + var x743 uint1 + x742, x743 = addcarryxU32(x694, x725, x741) + var x744 uint32 + var x745 uint1 + x744, x745 = addcarryxU32(x696, x727, x743) + var x746 uint32 + _, x746 = bits.Mul32(x728, 0xd2253531) + var x748 uint32 + var x749 uint32 + x749, x748 = bits.Mul32(x746, 0xffffffff) + var x750 uint32 + var x751 uint32 + x751, x750 = bits.Mul32(x746, 0xffffffff) + var x752 uint32 + var x753 uint32 + x753, x752 = bits.Mul32(x746, 0xffffffff) + var x754 uint32 + var x755 uint32 + x755, x754 = bits.Mul32(x746, 0xffffffff) + var x756 uint32 + var x757 uint32 + x757, x756 = bits.Mul32(x746, 0xffffffff) + var x758 uint32 + var x759 uint32 + x759, x758 = bits.Mul32(x746, 0xffffffff) + var x760 uint32 + var x761 uint32 + x761, x760 = bits.Mul32(x746, 0xfffffffe) + var x762 uint32 + var x763 uint32 + x763, x762 = bits.Mul32(x746, 0xfffffc2f) + var x764 uint32 + var x765 uint1 + x764, x765 = addcarryxU32(x763, x760, 0x0) + var x766 uint32 + var x767 uint1 + x766, x767 = addcarryxU32(x761, x758, x765) + var x768 uint32 + var x769 uint1 + x768, x769 = addcarryxU32(x759, x756, x767) + var x770 uint32 + var x771 uint1 + x770, x771 = addcarryxU32(x757, x754, x769) + var x772 uint32 + var x773 uint1 + x772, x773 = addcarryxU32(x755, x752, x771) + var x774 uint32 + var x775 uint1 + x774, x775 = addcarryxU32(x753, x750, x773) + var x776 uint32 + var x777 uint1 + x776, x777 = addcarryxU32(x751, x748, x775) + x778 := (uint32(x777) + x749) + var x780 uint1 + _, x780 = addcarryxU32(x728, x762, 0x0) + var x781 uint32 + var x782 uint1 + x781, x782 = addcarryxU32(x730, x764, x780) + var x783 uint32 + var x784 uint1 + x783, x784 = addcarryxU32(x732, x766, x782) + var x785 uint32 + var x786 uint1 + x785, x786 = addcarryxU32(x734, x768, x784) + var x787 uint32 + var x788 uint1 + x787, x788 = addcarryxU32(x736, x770, x786) + var x789 uint32 + var x790 uint1 + x789, x790 = addcarryxU32(x738, x772, x788) + var x791 uint32 + var x792 uint1 + 
x791, x792 = addcarryxU32(x740, x774, x790) + var x793 uint32 + var x794 uint1 + x793, x794 = addcarryxU32(x742, x776, x792) + var x795 uint32 + var x796 uint1 + x795, x796 = addcarryxU32(x744, x778, x794) + x797 := (uint32(x796) + uint32(x745)) + var x798 uint32 + var x799 uint1 + x798, x799 = subborrowxU32(x781, 0xfffffc2f, 0x0) + var x800 uint32 + var x801 uint1 + x800, x801 = subborrowxU32(x783, 0xfffffffe, x799) + var x802 uint32 + var x803 uint1 + x802, x803 = subborrowxU32(x785, 0xffffffff, x801) + var x804 uint32 + var x805 uint1 + x804, x805 = subborrowxU32(x787, 0xffffffff, x803) + var x806 uint32 + var x807 uint1 + x806, x807 = subborrowxU32(x789, 0xffffffff, x805) + var x808 uint32 + var x809 uint1 + x808, x809 = subborrowxU32(x791, 0xffffffff, x807) + var x810 uint32 + var x811 uint1 + x810, x811 = subborrowxU32(x793, 0xffffffff, x809) + var x812 uint32 + var x813 uint1 + x812, x813 = subborrowxU32(x795, 0xffffffff, x811) + var x815 uint1 + _, x815 = subborrowxU32(x797, uint32(0x0), x813) + var x816 uint32 + cmovznzU32(&x816, x815, x798, x781) + var x817 uint32 + cmovznzU32(&x817, x815, x800, x783) + var x818 uint32 + cmovznzU32(&x818, x815, x802, x785) + var x819 uint32 + cmovznzU32(&x819, x815, x804, x787) + var x820 uint32 + cmovznzU32(&x820, x815, x806, x789) + var x821 uint32 + cmovznzU32(&x821, x815, x808, x791) + var x822 uint32 + cmovznzU32(&x822, x815, x810, x793) + var x823 uint32 + cmovznzU32(&x823, x815, x812, x795) + out1[0] = x816 + out1[1] = x817 + out1[2] = x818 + out1[3] = x819 + out1[4] = x820 + out1[5] = x821 + out1[6] = x822 + out1[7] = x823 } -/* - The function Add adds two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Add(out1 *[8]uint32, arg1 *[8]uint32, arg2 *[8]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = addcarryxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = addcarryxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = addcarryxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = 
addcarryxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = addcarryxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = addcarryxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = addcarryxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = addcarryxU32((arg1[7]), (arg2[7]), x14) - var x17 uint32 - var x18 uint1 - x17, x18 = subborrowxU32(x1, 0xfffffc2f, 0x0) - var x19 uint32 - var x20 uint1 - x19, x20 = subborrowxU32(x3, 0xfffffffe, x18) - var x21 uint32 - var x22 uint1 - x21, x22 = subborrowxU32(x5, 0xffffffff, x20) - var x23 uint32 - var x24 uint1 - x23, x24 = subborrowxU32(x7, 0xffffffff, x22) - var x25 uint32 - var x26 uint1 - x25, x26 = subborrowxU32(x9, 0xffffffff, x24) - var x27 uint32 - var x28 uint1 - x27, x28 = subborrowxU32(x11, 0xffffffff, x26) - var x29 uint32 - var x30 uint1 - x29, x30 = subborrowxU32(x13, 0xffffffff, x28) - var x31 uint32 - var x32 uint1 - x31, x32 = subborrowxU32(x15, 0xffffffff, x30) - var x34 uint1 - _, x34 = subborrowxU32(uint32(x16), uint32(0x0), x32) - var x35 uint32 - cmovznzU32(&x35, x34, x17, x1) - var x36 uint32 - cmovznzU32(&x36, x34, x19, x3) - var x37 uint32 - cmovznzU32(&x37, x34, x21, x5) - var x38 uint32 - cmovznzU32(&x38, x34, x23, x7) - var x39 uint32 - cmovznzU32(&x39, x34, x25, x9) - var x40 uint32 - cmovznzU32(&x40, x34, x27, x11) - var x41 uint32 - cmovznzU32(&x41, x34, x29, x13) - var x42 uint32 - cmovznzU32(&x42, x34, x31, x15) - out1[0] = x35 - out1[1] = x36 - out1[2] = x37 - out1[3] = x38 - out1[4] = x39 - out1[5] = x40 - out1[6] = x41 - out1[7] = x42 + var x1 uint32 + var x2 uint1 + x1, x2 = addcarryxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = addcarryxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = addcarryxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = addcarryxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = 
addcarryxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = addcarryxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = addcarryxU32(arg1[6], arg2[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = addcarryxU32(arg1[7], arg2[7], x14) + var x17 uint32 + var x18 uint1 + x17, x18 = subborrowxU32(x1, 0xfffffc2f, 0x0) + var x19 uint32 + var x20 uint1 + x19, x20 = subborrowxU32(x3, 0xfffffffe, x18) + var x21 uint32 + var x22 uint1 + x21, x22 = subborrowxU32(x5, 0xffffffff, x20) + var x23 uint32 + var x24 uint1 + x23, x24 = subborrowxU32(x7, 0xffffffff, x22) + var x25 uint32 + var x26 uint1 + x25, x26 = subborrowxU32(x9, 0xffffffff, x24) + var x27 uint32 + var x28 uint1 + x27, x28 = subborrowxU32(x11, 0xffffffff, x26) + var x29 uint32 + var x30 uint1 + x29, x30 = subborrowxU32(x13, 0xffffffff, x28) + var x31 uint32 + var x32 uint1 + x31, x32 = subborrowxU32(x15, 0xffffffff, x30) + var x34 uint1 + _, x34 = subborrowxU32(uint32(x16), uint32(0x0), x32) + var x35 uint32 + cmovznzU32(&x35, x34, x17, x1) + var x36 uint32 + cmovznzU32(&x36, x34, x19, x3) + var x37 uint32 + cmovznzU32(&x37, x34, x21, x5) + var x38 uint32 + cmovznzU32(&x38, x34, x23, x7) + var x39 uint32 + cmovznzU32(&x39, x34, x25, x9) + var x40 uint32 + cmovznzU32(&x40, x34, x27, x11) + var x41 uint32 + cmovznzU32(&x41, x34, x29, x13) + var x42 uint32 + cmovznzU32(&x42, x34, x31, x15) + out1[0] = x35 + out1[1] = x36 + out1[2] = x37 + out1[3] = x38 + out1[4] = x39 + out1[5] = x40 + out1[6] = x41 + out1[7] = x42 } -/* - The function Sub subtracts two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Sub(out1 *[8]uint32, arg1 *[8]uint32, arg2 *[8]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32((arg1[0]), (arg2[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32((arg1[1]), (arg2[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32((arg1[2]), (arg2[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = 
subborrowxU32((arg1[3]), (arg2[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32((arg1[4]), (arg2[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = subborrowxU32((arg1[5]), (arg2[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32((arg1[6]), (arg2[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = subborrowxU32((arg1[7]), (arg2[7]), x14) - var x17 uint32 - cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(x1, (x17 & 0xfffffc2f), 0x0) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(x3, (x17 & 0xfffffffe), x19) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x5, x17, x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x7, x17, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x9, x17, x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x11, x17, x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x13, x17, x29) - var x32 uint32 - x32, _ = addcarryxU32(x15, x17, x31) - out1[0] = x18 - out1[1] = x20 - out1[2] = x22 - out1[3] = x24 - out1[4] = x26 - out1[5] = x28 - out1[6] = x30 - out1[7] = x32 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(arg1[0], arg2[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(arg1[1], arg2[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(arg1[2], arg2[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(arg1[3], arg2[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(arg1[4], arg2[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(arg1[5], arg2[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(arg1[6], arg2[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = subborrowxU32(arg1[7], arg2[7], x14) + var x17 uint32 + cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(x1, (x17 & 0xfffffc2f), 0x0) + var x20 uint32 + var 
x21 uint1 + x20, x21 = addcarryxU32(x3, (x17 & 0xfffffffe), x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x5, x17, x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x7, x17, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x9, x17, x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x11, x17, x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x13, x17, x29) + var x32 uint32 + x32, _ = addcarryxU32(x15, x17, x31) + out1[0] = x18 + out1[1] = x20 + out1[2] = x22 + out1[3] = x24 + out1[4] = x26 + out1[5] = x28 + out1[6] = x30 + out1[7] = x32 } -/* - The function Opp negates a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Opp(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 - var x2 uint1 - x1, x2 = subborrowxU32(uint32(0x0), (arg1[0]), 0x0) - var x3 uint32 - var x4 uint1 - x3, x4 = subborrowxU32(uint32(0x0), (arg1[1]), x2) - var x5 uint32 - var x6 uint1 - x5, x6 = subborrowxU32(uint32(0x0), (arg1[2]), x4) - var x7 uint32 - var x8 uint1 - x7, x8 = subborrowxU32(uint32(0x0), (arg1[3]), x6) - var x9 uint32 - var x10 uint1 - x9, x10 = subborrowxU32(uint32(0x0), (arg1[4]), x8) - var x11 uint32 - var x12 uint1 - x11, x12 = subborrowxU32(uint32(0x0), (arg1[5]), x10) - var x13 uint32 - var x14 uint1 - x13, x14 = subborrowxU32(uint32(0x0), (arg1[6]), x12) - var x15 uint32 - var x16 uint1 - x15, x16 = subborrowxU32(uint32(0x0), (arg1[7]), x14) - var x17 uint32 - cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(x1, (x17 & 0xfffffc2f), 0x0) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(x3, (x17 & 0xfffffffe), x19) - var x22 uint32 - var x23 uint1 - x22, x23 = addcarryxU32(x5, x17, x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x7, x17, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x9, x17, x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x11, x17, x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x13, x17, x29) - var x32 uint32 - x32, _ = addcarryxU32(x15, x17, x31) - out1[0] = x18 - out1[1] = x20 - 
out1[2] = x22 - out1[3] = x24 - out1[4] = x26 - out1[5] = x28 - out1[6] = x30 - out1[7] = x32 + var x1 uint32 + var x2 uint1 + x1, x2 = subborrowxU32(uint32(0x0), arg1[0], 0x0) + var x3 uint32 + var x4 uint1 + x3, x4 = subborrowxU32(uint32(0x0), arg1[1], x2) + var x5 uint32 + var x6 uint1 + x5, x6 = subborrowxU32(uint32(0x0), arg1[2], x4) + var x7 uint32 + var x8 uint1 + x7, x8 = subborrowxU32(uint32(0x0), arg1[3], x6) + var x9 uint32 + var x10 uint1 + x9, x10 = subborrowxU32(uint32(0x0), arg1[4], x8) + var x11 uint32 + var x12 uint1 + x11, x12 = subborrowxU32(uint32(0x0), arg1[5], x10) + var x13 uint32 + var x14 uint1 + x13, x14 = subborrowxU32(uint32(0x0), arg1[6], x12) + var x15 uint32 + var x16 uint1 + x15, x16 = subborrowxU32(uint32(0x0), arg1[7], x14) + var x17 uint32 + cmovznzU32(&x17, x16, uint32(0x0), 0xffffffff) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(x1, (x17 & 0xfffffc2f), 0x0) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(x3, (x17 & 0xfffffffe), x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x5, x17, x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x7, x17, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x9, x17, x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x11, x17, x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x13, x17, x29) + var x32 uint32 + x32, _ = addcarryxU32(x15, x17, x31) + out1[0] = x18 + out1[1] = x20 + out1[2] = x22 + out1[3] = x24 + out1[4] = x26 + out1[5] = x28 + out1[6] = x30 + out1[7] = x32 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromMontgomery(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 = (arg1[0]) - var x2 uint32 - _, x2 = bits.Mul32(x1, 0xd2253531) - var x4 uint32 - var x5 uint32 - x5, x4 = bits.Mul32(x2, 0xffffffff) - var x6 uint32 - var x7 uint32 - x7, x6 = bits.Mul32(x2, 0xffffffff) - var x8 uint32 - var x9 uint32 - x9, x8 = bits.Mul32(x2, 0xffffffff) - var x10 uint32 - var x11 uint32 - x11, x10 = bits.Mul32(x2, 0xffffffff) - var x12 uint32 - var x13 uint32 - x13, x12 = bits.Mul32(x2, 0xffffffff) - var x14 uint32 - var x15 uint32 - x15, x14 = bits.Mul32(x2, 0xffffffff) - var x16 uint32 - var x17 uint32 - x17, x16 = bits.Mul32(x2, 0xfffffffe) - var x18 uint32 - var x19 uint32 - x19, x18 = bits.Mul32(x2, 0xfffffc2f) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(x19, x16, 0x0) - var x22 uint32 - var x23 uint1 - x22, x23 = 
addcarryxU32(x17, x14, x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(x15, x12, x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(x13, x10, x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(x11, x8, x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(x9, x6, x29) - var x32 uint32 - var x33 uint1 - x32, x33 = addcarryxU32(x7, x4, x31) - var x35 uint1 - _, x35 = addcarryxU32(x1, x18, 0x0) - var x36 uint32 - var x37 uint1 - x36, x37 = addcarryxU32(uint32(0x0), x20, x35) - var x38 uint32 - var x39 uint1 - x38, x39 = addcarryxU32(uint32(0x0), x22, x37) - var x40 uint32 - var x41 uint1 - x40, x41 = addcarryxU32(uint32(0x0), x24, x39) - var x42 uint32 - var x43 uint1 - x42, x43 = addcarryxU32(uint32(0x0), x26, x41) - var x44 uint32 - var x45 uint1 - x44, x45 = addcarryxU32(uint32(0x0), x28, x43) - var x46 uint32 - var x47 uint1 - x46, x47 = addcarryxU32(uint32(0x0), x30, x45) - var x48 uint32 - var x49 uint1 - x48, x49 = addcarryxU32(uint32(0x0), x32, x47) - var x50 uint32 - var x51 uint1 - x50, x51 = addcarryxU32(uint32(0x0), (uint32(x33) + x5), x49) - var x52 uint32 - var x53 uint1 - x52, x53 = addcarryxU32(x36, (arg1[1]), 0x0) - var x54 uint32 - var x55 uint1 - x54, x55 = addcarryxU32(x38, uint32(0x0), x53) - var x56 uint32 - var x57 uint1 - x56, x57 = addcarryxU32(x40, uint32(0x0), x55) - var x58 uint32 - var x59 uint1 - x58, x59 = addcarryxU32(x42, uint32(0x0), x57) - var x60 uint32 - var x61 uint1 - x60, x61 = addcarryxU32(x44, uint32(0x0), x59) - var x62 uint32 - var x63 uint1 - x62, x63 = addcarryxU32(x46, uint32(0x0), x61) - var x64 uint32 - var x65 uint1 - x64, x65 = addcarryxU32(x48, uint32(0x0), x63) - var x66 uint32 - var x67 uint1 - x66, x67 = addcarryxU32(x50, uint32(0x0), x65) - var x68 uint32 - _, x68 = bits.Mul32(x52, 0xd2253531) - var x70 uint32 - var x71 uint32 - x71, x70 = bits.Mul32(x68, 0xffffffff) - var x72 uint32 - var x73 uint32 - x73, x72 = bits.Mul32(x68, 0xffffffff) - var x74 uint32 - 
var x75 uint32 - x75, x74 = bits.Mul32(x68, 0xffffffff) - var x76 uint32 - var x77 uint32 - x77, x76 = bits.Mul32(x68, 0xffffffff) - var x78 uint32 - var x79 uint32 - x79, x78 = bits.Mul32(x68, 0xffffffff) - var x80 uint32 - var x81 uint32 - x81, x80 = bits.Mul32(x68, 0xffffffff) - var x82 uint32 - var x83 uint32 - x83, x82 = bits.Mul32(x68, 0xfffffffe) - var x84 uint32 - var x85 uint32 - x85, x84 = bits.Mul32(x68, 0xfffffc2f) - var x86 uint32 - var x87 uint1 - x86, x87 = addcarryxU32(x85, x82, 0x0) - var x88 uint32 - var x89 uint1 - x88, x89 = addcarryxU32(x83, x80, x87) - var x90 uint32 - var x91 uint1 - x90, x91 = addcarryxU32(x81, x78, x89) - var x92 uint32 - var x93 uint1 - x92, x93 = addcarryxU32(x79, x76, x91) - var x94 uint32 - var x95 uint1 - x94, x95 = addcarryxU32(x77, x74, x93) - var x96 uint32 - var x97 uint1 - x96, x97 = addcarryxU32(x75, x72, x95) - var x98 uint32 - var x99 uint1 - x98, x99 = addcarryxU32(x73, x70, x97) - var x101 uint1 - _, x101 = addcarryxU32(x52, x84, 0x0) - var x102 uint32 - var x103 uint1 - x102, x103 = addcarryxU32(x54, x86, x101) - var x104 uint32 - var x105 uint1 - x104, x105 = addcarryxU32(x56, x88, x103) - var x106 uint32 - var x107 uint1 - x106, x107 = addcarryxU32(x58, x90, x105) - var x108 uint32 - var x109 uint1 - x108, x109 = addcarryxU32(x60, x92, x107) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x62, x94, x109) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x64, x96, x111) - var x114 uint32 - var x115 uint1 - x114, x115 = addcarryxU32(x66, x98, x113) - var x116 uint32 - var x117 uint1 - x116, x117 = addcarryxU32((uint32(x67) + uint32(x51)), (uint32(x99) + x71), x115) - var x118 uint32 - var x119 uint1 - x118, x119 = addcarryxU32(x102, (arg1[2]), 0x0) - var x120 uint32 - var x121 uint1 - x120, x121 = addcarryxU32(x104, uint32(0x0), x119) - var x122 uint32 - var x123 uint1 - x122, x123 = addcarryxU32(x106, uint32(0x0), x121) - var x124 uint32 - var x125 uint1 - x124, x125 = 
addcarryxU32(x108, uint32(0x0), x123) - var x126 uint32 - var x127 uint1 - x126, x127 = addcarryxU32(x110, uint32(0x0), x125) - var x128 uint32 - var x129 uint1 - x128, x129 = addcarryxU32(x112, uint32(0x0), x127) - var x130 uint32 - var x131 uint1 - x130, x131 = addcarryxU32(x114, uint32(0x0), x129) - var x132 uint32 - var x133 uint1 - x132, x133 = addcarryxU32(x116, uint32(0x0), x131) - var x134 uint32 - _, x134 = bits.Mul32(x118, 0xd2253531) - var x136 uint32 - var x137 uint32 - x137, x136 = bits.Mul32(x134, 0xffffffff) - var x138 uint32 - var x139 uint32 - x139, x138 = bits.Mul32(x134, 0xffffffff) - var x140 uint32 - var x141 uint32 - x141, x140 = bits.Mul32(x134, 0xffffffff) - var x142 uint32 - var x143 uint32 - x143, x142 = bits.Mul32(x134, 0xffffffff) - var x144 uint32 - var x145 uint32 - x145, x144 = bits.Mul32(x134, 0xffffffff) - var x146 uint32 - var x147 uint32 - x147, x146 = bits.Mul32(x134, 0xffffffff) - var x148 uint32 - var x149 uint32 - x149, x148 = bits.Mul32(x134, 0xfffffffe) - var x150 uint32 - var x151 uint32 - x151, x150 = bits.Mul32(x134, 0xfffffc2f) - var x152 uint32 - var x153 uint1 - x152, x153 = addcarryxU32(x151, x148, 0x0) - var x154 uint32 - var x155 uint1 - x154, x155 = addcarryxU32(x149, x146, x153) - var x156 uint32 - var x157 uint1 - x156, x157 = addcarryxU32(x147, x144, x155) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x145, x142, x157) - var x160 uint32 - var x161 uint1 - x160, x161 = addcarryxU32(x143, x140, x159) - var x162 uint32 - var x163 uint1 - x162, x163 = addcarryxU32(x141, x138, x161) - var x164 uint32 - var x165 uint1 - x164, x165 = addcarryxU32(x139, x136, x163) - var x167 uint1 - _, x167 = addcarryxU32(x118, x150, 0x0) - var x168 uint32 - var x169 uint1 - x168, x169 = addcarryxU32(x120, x152, x167) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x122, x154, x169) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x124, x156, x171) - var x174 uint32 - var x175 uint1 - x174, 
x175 = addcarryxU32(x126, x158, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x128, x160, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x130, x162, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x132, x164, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32((uint32(x133) + uint32(x117)), (uint32(x165) + x137), x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x168, (arg1[3]), 0x0) - var x186 uint32 - var x187 uint1 - x186, x187 = addcarryxU32(x170, uint32(0x0), x185) - var x188 uint32 - var x189 uint1 - x188, x189 = addcarryxU32(x172, uint32(0x0), x187) - var x190 uint32 - var x191 uint1 - x190, x191 = addcarryxU32(x174, uint32(0x0), x189) - var x192 uint32 - var x193 uint1 - x192, x193 = addcarryxU32(x176, uint32(0x0), x191) - var x194 uint32 - var x195 uint1 - x194, x195 = addcarryxU32(x178, uint32(0x0), x193) - var x196 uint32 - var x197 uint1 - x196, x197 = addcarryxU32(x180, uint32(0x0), x195) - var x198 uint32 - var x199 uint1 - x198, x199 = addcarryxU32(x182, uint32(0x0), x197) - var x200 uint32 - _, x200 = bits.Mul32(x184, 0xd2253531) - var x202 uint32 - var x203 uint32 - x203, x202 = bits.Mul32(x200, 0xffffffff) - var x204 uint32 - var x205 uint32 - x205, x204 = bits.Mul32(x200, 0xffffffff) - var x206 uint32 - var x207 uint32 - x207, x206 = bits.Mul32(x200, 0xffffffff) - var x208 uint32 - var x209 uint32 - x209, x208 = bits.Mul32(x200, 0xffffffff) - var x210 uint32 - var x211 uint32 - x211, x210 = bits.Mul32(x200, 0xffffffff) - var x212 uint32 - var x213 uint32 - x213, x212 = bits.Mul32(x200, 0xffffffff) - var x214 uint32 - var x215 uint32 - x215, x214 = bits.Mul32(x200, 0xfffffffe) - var x216 uint32 - var x217 uint32 - x217, x216 = bits.Mul32(x200, 0xfffffc2f) - var x218 uint32 - var x219 uint1 - x218, x219 = addcarryxU32(x217, x214, 0x0) - var x220 uint32 - var x221 uint1 - x220, x221 = addcarryxU32(x215, x212, x219) - var x222 uint32 - var x223 uint1 
- x222, x223 = addcarryxU32(x213, x210, x221) - var x224 uint32 - var x225 uint1 - x224, x225 = addcarryxU32(x211, x208, x223) - var x226 uint32 - var x227 uint1 - x226, x227 = addcarryxU32(x209, x206, x225) - var x228 uint32 - var x229 uint1 - x228, x229 = addcarryxU32(x207, x204, x227) - var x230 uint32 - var x231 uint1 - x230, x231 = addcarryxU32(x205, x202, x229) - var x233 uint1 - _, x233 = addcarryxU32(x184, x216, 0x0) - var x234 uint32 - var x235 uint1 - x234, x235 = addcarryxU32(x186, x218, x233) - var x236 uint32 - var x237 uint1 - x236, x237 = addcarryxU32(x188, x220, x235) - var x238 uint32 - var x239 uint1 - x238, x239 = addcarryxU32(x190, x222, x237) - var x240 uint32 - var x241 uint1 - x240, x241 = addcarryxU32(x192, x224, x239) - var x242 uint32 - var x243 uint1 - x242, x243 = addcarryxU32(x194, x226, x241) - var x244 uint32 - var x245 uint1 - x244, x245 = addcarryxU32(x196, x228, x243) - var x246 uint32 - var x247 uint1 - x246, x247 = addcarryxU32(x198, x230, x245) - var x248 uint32 - var x249 uint1 - x248, x249 = addcarryxU32((uint32(x199) + uint32(x183)), (uint32(x231) + x203), x247) - var x250 uint32 - var x251 uint1 - x250, x251 = addcarryxU32(x234, (arg1[4]), 0x0) - var x252 uint32 - var x253 uint1 - x252, x253 = addcarryxU32(x236, uint32(0x0), x251) - var x254 uint32 - var x255 uint1 - x254, x255 = addcarryxU32(x238, uint32(0x0), x253) - var x256 uint32 - var x257 uint1 - x256, x257 = addcarryxU32(x240, uint32(0x0), x255) - var x258 uint32 - var x259 uint1 - x258, x259 = addcarryxU32(x242, uint32(0x0), x257) - var x260 uint32 - var x261 uint1 - x260, x261 = addcarryxU32(x244, uint32(0x0), x259) - var x262 uint32 - var x263 uint1 - x262, x263 = addcarryxU32(x246, uint32(0x0), x261) - var x264 uint32 - var x265 uint1 - x264, x265 = addcarryxU32(x248, uint32(0x0), x263) - var x266 uint32 - _, x266 = bits.Mul32(x250, 0xd2253531) - var x268 uint32 - var x269 uint32 - x269, x268 = bits.Mul32(x266, 0xffffffff) - var x270 uint32 - var x271 uint32 - 
x271, x270 = bits.Mul32(x266, 0xffffffff) - var x272 uint32 - var x273 uint32 - x273, x272 = bits.Mul32(x266, 0xffffffff) - var x274 uint32 - var x275 uint32 - x275, x274 = bits.Mul32(x266, 0xffffffff) - var x276 uint32 - var x277 uint32 - x277, x276 = bits.Mul32(x266, 0xffffffff) - var x278 uint32 - var x279 uint32 - x279, x278 = bits.Mul32(x266, 0xffffffff) - var x280 uint32 - var x281 uint32 - x281, x280 = bits.Mul32(x266, 0xfffffffe) - var x282 uint32 - var x283 uint32 - x283, x282 = bits.Mul32(x266, 0xfffffc2f) - var x284 uint32 - var x285 uint1 - x284, x285 = addcarryxU32(x283, x280, 0x0) - var x286 uint32 - var x287 uint1 - x286, x287 = addcarryxU32(x281, x278, x285) - var x288 uint32 - var x289 uint1 - x288, x289 = addcarryxU32(x279, x276, x287) - var x290 uint32 - var x291 uint1 - x290, x291 = addcarryxU32(x277, x274, x289) - var x292 uint32 - var x293 uint1 - x292, x293 = addcarryxU32(x275, x272, x291) - var x294 uint32 - var x295 uint1 - x294, x295 = addcarryxU32(x273, x270, x293) - var x296 uint32 - var x297 uint1 - x296, x297 = addcarryxU32(x271, x268, x295) - var x299 uint1 - _, x299 = addcarryxU32(x250, x282, 0x0) - var x300 uint32 - var x301 uint1 - x300, x301 = addcarryxU32(x252, x284, x299) - var x302 uint32 - var x303 uint1 - x302, x303 = addcarryxU32(x254, x286, x301) - var x304 uint32 - var x305 uint1 - x304, x305 = addcarryxU32(x256, x288, x303) - var x306 uint32 - var x307 uint1 - x306, x307 = addcarryxU32(x258, x290, x305) - var x308 uint32 - var x309 uint1 - x308, x309 = addcarryxU32(x260, x292, x307) - var x310 uint32 - var x311 uint1 - x310, x311 = addcarryxU32(x262, x294, x309) - var x312 uint32 - var x313 uint1 - x312, x313 = addcarryxU32(x264, x296, x311) - var x314 uint32 - var x315 uint1 - x314, x315 = addcarryxU32((uint32(x265) + uint32(x249)), (uint32(x297) + x269), x313) - var x316 uint32 - var x317 uint1 - x316, x317 = addcarryxU32(x300, (arg1[5]), 0x0) - var x318 uint32 - var x319 uint1 - x318, x319 = addcarryxU32(x302, 
uint32(0x0), x317) - var x320 uint32 - var x321 uint1 - x320, x321 = addcarryxU32(x304, uint32(0x0), x319) - var x322 uint32 - var x323 uint1 - x322, x323 = addcarryxU32(x306, uint32(0x0), x321) - var x324 uint32 - var x325 uint1 - x324, x325 = addcarryxU32(x308, uint32(0x0), x323) - var x326 uint32 - var x327 uint1 - x326, x327 = addcarryxU32(x310, uint32(0x0), x325) - var x328 uint32 - var x329 uint1 - x328, x329 = addcarryxU32(x312, uint32(0x0), x327) - var x330 uint32 - var x331 uint1 - x330, x331 = addcarryxU32(x314, uint32(0x0), x329) - var x332 uint32 - _, x332 = bits.Mul32(x316, 0xd2253531) - var x334 uint32 - var x335 uint32 - x335, x334 = bits.Mul32(x332, 0xffffffff) - var x336 uint32 - var x337 uint32 - x337, x336 = bits.Mul32(x332, 0xffffffff) - var x338 uint32 - var x339 uint32 - x339, x338 = bits.Mul32(x332, 0xffffffff) - var x340 uint32 - var x341 uint32 - x341, x340 = bits.Mul32(x332, 0xffffffff) - var x342 uint32 - var x343 uint32 - x343, x342 = bits.Mul32(x332, 0xffffffff) - var x344 uint32 - var x345 uint32 - x345, x344 = bits.Mul32(x332, 0xffffffff) - var x346 uint32 - var x347 uint32 - x347, x346 = bits.Mul32(x332, 0xfffffffe) - var x348 uint32 - var x349 uint32 - x349, x348 = bits.Mul32(x332, 0xfffffc2f) - var x350 uint32 - var x351 uint1 - x350, x351 = addcarryxU32(x349, x346, 0x0) - var x352 uint32 - var x353 uint1 - x352, x353 = addcarryxU32(x347, x344, x351) - var x354 uint32 - var x355 uint1 - x354, x355 = addcarryxU32(x345, x342, x353) - var x356 uint32 - var x357 uint1 - x356, x357 = addcarryxU32(x343, x340, x355) - var x358 uint32 - var x359 uint1 - x358, x359 = addcarryxU32(x341, x338, x357) - var x360 uint32 - var x361 uint1 - x360, x361 = addcarryxU32(x339, x336, x359) - var x362 uint32 - var x363 uint1 - x362, x363 = addcarryxU32(x337, x334, x361) - var x365 uint1 - _, x365 = addcarryxU32(x316, x348, 0x0) - var x366 uint32 - var x367 uint1 - x366, x367 = addcarryxU32(x318, x350, x365) - var x368 uint32 - var x369 uint1 - x368, x369 
= addcarryxU32(x320, x352, x367) - var x370 uint32 - var x371 uint1 - x370, x371 = addcarryxU32(x322, x354, x369) - var x372 uint32 - var x373 uint1 - x372, x373 = addcarryxU32(x324, x356, x371) - var x374 uint32 - var x375 uint1 - x374, x375 = addcarryxU32(x326, x358, x373) - var x376 uint32 - var x377 uint1 - x376, x377 = addcarryxU32(x328, x360, x375) - var x378 uint32 - var x379 uint1 - x378, x379 = addcarryxU32(x330, x362, x377) - var x380 uint32 - var x381 uint1 - x380, x381 = addcarryxU32((uint32(x331) + uint32(x315)), (uint32(x363) + x335), x379) - var x382 uint32 - var x383 uint1 - x382, x383 = addcarryxU32(x366, (arg1[6]), 0x0) - var x384 uint32 - var x385 uint1 - x384, x385 = addcarryxU32(x368, uint32(0x0), x383) - var x386 uint32 - var x387 uint1 - x386, x387 = addcarryxU32(x370, uint32(0x0), x385) - var x388 uint32 - var x389 uint1 - x388, x389 = addcarryxU32(x372, uint32(0x0), x387) - var x390 uint32 - var x391 uint1 - x390, x391 = addcarryxU32(x374, uint32(0x0), x389) - var x392 uint32 - var x393 uint1 - x392, x393 = addcarryxU32(x376, uint32(0x0), x391) - var x394 uint32 - var x395 uint1 - x394, x395 = addcarryxU32(x378, uint32(0x0), x393) - var x396 uint32 - var x397 uint1 - x396, x397 = addcarryxU32(x380, uint32(0x0), x395) - var x398 uint32 - _, x398 = bits.Mul32(x382, 0xd2253531) - var x400 uint32 - var x401 uint32 - x401, x400 = bits.Mul32(x398, 0xffffffff) - var x402 uint32 - var x403 uint32 - x403, x402 = bits.Mul32(x398, 0xffffffff) - var x404 uint32 - var x405 uint32 - x405, x404 = bits.Mul32(x398, 0xffffffff) - var x406 uint32 - var x407 uint32 - x407, x406 = bits.Mul32(x398, 0xffffffff) - var x408 uint32 - var x409 uint32 - x409, x408 = bits.Mul32(x398, 0xffffffff) - var x410 uint32 - var x411 uint32 - x411, x410 = bits.Mul32(x398, 0xffffffff) - var x412 uint32 - var x413 uint32 - x413, x412 = bits.Mul32(x398, 0xfffffffe) - var x414 uint32 - var x415 uint32 - x415, x414 = bits.Mul32(x398, 0xfffffc2f) - var x416 uint32 - var x417 uint1 - 
x416, x417 = addcarryxU32(x415, x412, 0x0) - var x418 uint32 - var x419 uint1 - x418, x419 = addcarryxU32(x413, x410, x417) - var x420 uint32 - var x421 uint1 - x420, x421 = addcarryxU32(x411, x408, x419) - var x422 uint32 - var x423 uint1 - x422, x423 = addcarryxU32(x409, x406, x421) - var x424 uint32 - var x425 uint1 - x424, x425 = addcarryxU32(x407, x404, x423) - var x426 uint32 - var x427 uint1 - x426, x427 = addcarryxU32(x405, x402, x425) - var x428 uint32 - var x429 uint1 - x428, x429 = addcarryxU32(x403, x400, x427) - var x431 uint1 - _, x431 = addcarryxU32(x382, x414, 0x0) - var x432 uint32 - var x433 uint1 - x432, x433 = addcarryxU32(x384, x416, x431) - var x434 uint32 - var x435 uint1 - x434, x435 = addcarryxU32(x386, x418, x433) - var x436 uint32 - var x437 uint1 - x436, x437 = addcarryxU32(x388, x420, x435) - var x438 uint32 - var x439 uint1 - x438, x439 = addcarryxU32(x390, x422, x437) - var x440 uint32 - var x441 uint1 - x440, x441 = addcarryxU32(x392, x424, x439) - var x442 uint32 - var x443 uint1 - x442, x443 = addcarryxU32(x394, x426, x441) - var x444 uint32 - var x445 uint1 - x444, x445 = addcarryxU32(x396, x428, x443) - var x446 uint32 - var x447 uint1 - x446, x447 = addcarryxU32((uint32(x397) + uint32(x381)), (uint32(x429) + x401), x445) - var x448 uint32 - var x449 uint1 - x448, x449 = addcarryxU32(x432, (arg1[7]), 0x0) - var x450 uint32 - var x451 uint1 - x450, x451 = addcarryxU32(x434, uint32(0x0), x449) - var x452 uint32 - var x453 uint1 - x452, x453 = addcarryxU32(x436, uint32(0x0), x451) - var x454 uint32 - var x455 uint1 - x454, x455 = addcarryxU32(x438, uint32(0x0), x453) - var x456 uint32 - var x457 uint1 - x456, x457 = addcarryxU32(x440, uint32(0x0), x455) - var x458 uint32 - var x459 uint1 - x458, x459 = addcarryxU32(x442, uint32(0x0), x457) - var x460 uint32 - var x461 uint1 - x460, x461 = addcarryxU32(x444, uint32(0x0), x459) - var x462 uint32 - var x463 uint1 - x462, x463 = addcarryxU32(x446, uint32(0x0), x461) - var x464 uint32 - 
_, x464 = bits.Mul32(x448, 0xd2253531) - var x466 uint32 - var x467 uint32 - x467, x466 = bits.Mul32(x464, 0xffffffff) - var x468 uint32 - var x469 uint32 - x469, x468 = bits.Mul32(x464, 0xffffffff) - var x470 uint32 - var x471 uint32 - x471, x470 = bits.Mul32(x464, 0xffffffff) - var x472 uint32 - var x473 uint32 - x473, x472 = bits.Mul32(x464, 0xffffffff) - var x474 uint32 - var x475 uint32 - x475, x474 = bits.Mul32(x464, 0xffffffff) - var x476 uint32 - var x477 uint32 - x477, x476 = bits.Mul32(x464, 0xffffffff) - var x478 uint32 - var x479 uint32 - x479, x478 = bits.Mul32(x464, 0xfffffffe) - var x480 uint32 - var x481 uint32 - x481, x480 = bits.Mul32(x464, 0xfffffc2f) - var x482 uint32 - var x483 uint1 - x482, x483 = addcarryxU32(x481, x478, 0x0) - var x484 uint32 - var x485 uint1 - x484, x485 = addcarryxU32(x479, x476, x483) - var x486 uint32 - var x487 uint1 - x486, x487 = addcarryxU32(x477, x474, x485) - var x488 uint32 - var x489 uint1 - x488, x489 = addcarryxU32(x475, x472, x487) - var x490 uint32 - var x491 uint1 - x490, x491 = addcarryxU32(x473, x470, x489) - var x492 uint32 - var x493 uint1 - x492, x493 = addcarryxU32(x471, x468, x491) - var x494 uint32 - var x495 uint1 - x494, x495 = addcarryxU32(x469, x466, x493) - var x497 uint1 - _, x497 = addcarryxU32(x448, x480, 0x0) - var x498 uint32 - var x499 uint1 - x498, x499 = addcarryxU32(x450, x482, x497) - var x500 uint32 - var x501 uint1 - x500, x501 = addcarryxU32(x452, x484, x499) - var x502 uint32 - var x503 uint1 - x502, x503 = addcarryxU32(x454, x486, x501) - var x504 uint32 - var x505 uint1 - x504, x505 = addcarryxU32(x456, x488, x503) - var x506 uint32 - var x507 uint1 - x506, x507 = addcarryxU32(x458, x490, x505) - var x508 uint32 - var x509 uint1 - x508, x509 = addcarryxU32(x460, x492, x507) - var x510 uint32 - var x511 uint1 - x510, x511 = addcarryxU32(x462, x494, x509) - var x512 uint32 - var x513 uint1 - x512, x513 = addcarryxU32((uint32(x463) + uint32(x447)), (uint32(x495) + x467), x511) - var 
x514 uint32 - var x515 uint1 - x514, x515 = subborrowxU32(x498, 0xfffffc2f, 0x0) - var x516 uint32 - var x517 uint1 - x516, x517 = subborrowxU32(x500, 0xfffffffe, x515) - var x518 uint32 - var x519 uint1 - x518, x519 = subborrowxU32(x502, 0xffffffff, x517) - var x520 uint32 - var x521 uint1 - x520, x521 = subborrowxU32(x504, 0xffffffff, x519) - var x522 uint32 - var x523 uint1 - x522, x523 = subborrowxU32(x506, 0xffffffff, x521) - var x524 uint32 - var x525 uint1 - x524, x525 = subborrowxU32(x508, 0xffffffff, x523) - var x526 uint32 - var x527 uint1 - x526, x527 = subborrowxU32(x510, 0xffffffff, x525) - var x528 uint32 - var x529 uint1 - x528, x529 = subborrowxU32(x512, 0xffffffff, x527) - var x531 uint1 - _, x531 = subborrowxU32(uint32(x513), uint32(0x0), x529) - var x532 uint32 - cmovznzU32(&x532, x531, x514, x498) - var x533 uint32 - cmovznzU32(&x533, x531, x516, x500) - var x534 uint32 - cmovznzU32(&x534, x531, x518, x502) - var x535 uint32 - cmovznzU32(&x535, x531, x520, x504) - var x536 uint32 - cmovznzU32(&x536, x531, x522, x506) - var x537 uint32 - cmovznzU32(&x537, x531, x524, x508) - var x538 uint32 - cmovznzU32(&x538, x531, x526, x510) - var x539 uint32 - cmovznzU32(&x539, x531, x528, x512) - out1[0] = x532 - out1[1] = x533 - out1[2] = x534 - out1[3] = x535 - out1[4] = x536 - out1[5] = x537 - out1[6] = x538 - out1[7] = x539 + x1 := arg1[0] + var x2 uint32 + _, x2 = bits.Mul32(x1, 0xd2253531) + var x4 uint32 + var x5 uint32 + x5, x4 = bits.Mul32(x2, 0xffffffff) + var x6 uint32 + var x7 uint32 + x7, x6 = bits.Mul32(x2, 0xffffffff) + var x8 uint32 + var x9 uint32 + x9, x8 = bits.Mul32(x2, 0xffffffff) + var x10 uint32 + var x11 uint32 + x11, x10 = bits.Mul32(x2, 0xffffffff) + var x12 uint32 + var x13 uint32 + x13, x12 = bits.Mul32(x2, 0xffffffff) + var x14 uint32 + var x15 uint32 + x15, x14 = bits.Mul32(x2, 0xffffffff) + var x16 uint32 + var x17 uint32 + x17, x16 = bits.Mul32(x2, 0xfffffffe) + var x18 uint32 + var x19 uint32 + x19, x18 = bits.Mul32(x2, 
0xfffffc2f) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(x19, x16, 0x0) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(x17, x14, x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(x15, x12, x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(x13, x10, x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(x11, x8, x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(x9, x6, x29) + var x32 uint32 + var x33 uint1 + x32, x33 = addcarryxU32(x7, x4, x31) + var x35 uint1 + _, x35 = addcarryxU32(x1, x18, 0x0) + var x36 uint32 + var x37 uint1 + x36, x37 = addcarryxU32(uint32(0x0), x20, x35) + var x38 uint32 + var x39 uint1 + x38, x39 = addcarryxU32(uint32(0x0), x22, x37) + var x40 uint32 + var x41 uint1 + x40, x41 = addcarryxU32(uint32(0x0), x24, x39) + var x42 uint32 + var x43 uint1 + x42, x43 = addcarryxU32(uint32(0x0), x26, x41) + var x44 uint32 + var x45 uint1 + x44, x45 = addcarryxU32(uint32(0x0), x28, x43) + var x46 uint32 + var x47 uint1 + x46, x47 = addcarryxU32(uint32(0x0), x30, x45) + var x48 uint32 + var x49 uint1 + x48, x49 = addcarryxU32(uint32(0x0), x32, x47) + var x50 uint32 + var x51 uint1 + x50, x51 = addcarryxU32(uint32(0x0), (uint32(x33) + x5), x49) + var x52 uint32 + var x53 uint1 + x52, x53 = addcarryxU32(x36, arg1[1], 0x0) + var x54 uint32 + var x55 uint1 + x54, x55 = addcarryxU32(x38, uint32(0x0), x53) + var x56 uint32 + var x57 uint1 + x56, x57 = addcarryxU32(x40, uint32(0x0), x55) + var x58 uint32 + var x59 uint1 + x58, x59 = addcarryxU32(x42, uint32(0x0), x57) + var x60 uint32 + var x61 uint1 + x60, x61 = addcarryxU32(x44, uint32(0x0), x59) + var x62 uint32 + var x63 uint1 + x62, x63 = addcarryxU32(x46, uint32(0x0), x61) + var x64 uint32 + var x65 uint1 + x64, x65 = addcarryxU32(x48, uint32(0x0), x63) + var x66 uint32 + var x67 uint1 + x66, x67 = addcarryxU32(x50, uint32(0x0), x65) + var x68 uint32 + _, x68 = bits.Mul32(x52, 0xd2253531) + var x70 uint32 + var x71 uint32 + x71, 
x70 = bits.Mul32(x68, 0xffffffff) + var x72 uint32 + var x73 uint32 + x73, x72 = bits.Mul32(x68, 0xffffffff) + var x74 uint32 + var x75 uint32 + x75, x74 = bits.Mul32(x68, 0xffffffff) + var x76 uint32 + var x77 uint32 + x77, x76 = bits.Mul32(x68, 0xffffffff) + var x78 uint32 + var x79 uint32 + x79, x78 = bits.Mul32(x68, 0xffffffff) + var x80 uint32 + var x81 uint32 + x81, x80 = bits.Mul32(x68, 0xffffffff) + var x82 uint32 + var x83 uint32 + x83, x82 = bits.Mul32(x68, 0xfffffffe) + var x84 uint32 + var x85 uint32 + x85, x84 = bits.Mul32(x68, 0xfffffc2f) + var x86 uint32 + var x87 uint1 + x86, x87 = addcarryxU32(x85, x82, 0x0) + var x88 uint32 + var x89 uint1 + x88, x89 = addcarryxU32(x83, x80, x87) + var x90 uint32 + var x91 uint1 + x90, x91 = addcarryxU32(x81, x78, x89) + var x92 uint32 + var x93 uint1 + x92, x93 = addcarryxU32(x79, x76, x91) + var x94 uint32 + var x95 uint1 + x94, x95 = addcarryxU32(x77, x74, x93) + var x96 uint32 + var x97 uint1 + x96, x97 = addcarryxU32(x75, x72, x95) + var x98 uint32 + var x99 uint1 + x98, x99 = addcarryxU32(x73, x70, x97) + var x101 uint1 + _, x101 = addcarryxU32(x52, x84, 0x0) + var x102 uint32 + var x103 uint1 + x102, x103 = addcarryxU32(x54, x86, x101) + var x104 uint32 + var x105 uint1 + x104, x105 = addcarryxU32(x56, x88, x103) + var x106 uint32 + var x107 uint1 + x106, x107 = addcarryxU32(x58, x90, x105) + var x108 uint32 + var x109 uint1 + x108, x109 = addcarryxU32(x60, x92, x107) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x62, x94, x109) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x64, x96, x111) + var x114 uint32 + var x115 uint1 + x114, x115 = addcarryxU32(x66, x98, x113) + var x116 uint32 + var x117 uint1 + x116, x117 = addcarryxU32((uint32(x67) + uint32(x51)), (uint32(x99) + x71), x115) + var x118 uint32 + var x119 uint1 + x118, x119 = addcarryxU32(x102, arg1[2], 0x0) + var x120 uint32 + var x121 uint1 + x120, x121 = addcarryxU32(x104, uint32(0x0), x119) + var x122 uint32 + 
var x123 uint1 + x122, x123 = addcarryxU32(x106, uint32(0x0), x121) + var x124 uint32 + var x125 uint1 + x124, x125 = addcarryxU32(x108, uint32(0x0), x123) + var x126 uint32 + var x127 uint1 + x126, x127 = addcarryxU32(x110, uint32(0x0), x125) + var x128 uint32 + var x129 uint1 + x128, x129 = addcarryxU32(x112, uint32(0x0), x127) + var x130 uint32 + var x131 uint1 + x130, x131 = addcarryxU32(x114, uint32(0x0), x129) + var x132 uint32 + var x133 uint1 + x132, x133 = addcarryxU32(x116, uint32(0x0), x131) + var x134 uint32 + _, x134 = bits.Mul32(x118, 0xd2253531) + var x136 uint32 + var x137 uint32 + x137, x136 = bits.Mul32(x134, 0xffffffff) + var x138 uint32 + var x139 uint32 + x139, x138 = bits.Mul32(x134, 0xffffffff) + var x140 uint32 + var x141 uint32 + x141, x140 = bits.Mul32(x134, 0xffffffff) + var x142 uint32 + var x143 uint32 + x143, x142 = bits.Mul32(x134, 0xffffffff) + var x144 uint32 + var x145 uint32 + x145, x144 = bits.Mul32(x134, 0xffffffff) + var x146 uint32 + var x147 uint32 + x147, x146 = bits.Mul32(x134, 0xffffffff) + var x148 uint32 + var x149 uint32 + x149, x148 = bits.Mul32(x134, 0xfffffffe) + var x150 uint32 + var x151 uint32 + x151, x150 = bits.Mul32(x134, 0xfffffc2f) + var x152 uint32 + var x153 uint1 + x152, x153 = addcarryxU32(x151, x148, 0x0) + var x154 uint32 + var x155 uint1 + x154, x155 = addcarryxU32(x149, x146, x153) + var x156 uint32 + var x157 uint1 + x156, x157 = addcarryxU32(x147, x144, x155) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x145, x142, x157) + var x160 uint32 + var x161 uint1 + x160, x161 = addcarryxU32(x143, x140, x159) + var x162 uint32 + var x163 uint1 + x162, x163 = addcarryxU32(x141, x138, x161) + var x164 uint32 + var x165 uint1 + x164, x165 = addcarryxU32(x139, x136, x163) + var x167 uint1 + _, x167 = addcarryxU32(x118, x150, 0x0) + var x168 uint32 + var x169 uint1 + x168, x169 = addcarryxU32(x120, x152, x167) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x122, x154, x169) + var 
x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x124, x156, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x126, x158, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x128, x160, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x130, x162, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x132, x164, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32((uint32(x133) + uint32(x117)), (uint32(x165) + x137), x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x168, arg1[3], 0x0) + var x186 uint32 + var x187 uint1 + x186, x187 = addcarryxU32(x170, uint32(0x0), x185) + var x188 uint32 + var x189 uint1 + x188, x189 = addcarryxU32(x172, uint32(0x0), x187) + var x190 uint32 + var x191 uint1 + x190, x191 = addcarryxU32(x174, uint32(0x0), x189) + var x192 uint32 + var x193 uint1 + x192, x193 = addcarryxU32(x176, uint32(0x0), x191) + var x194 uint32 + var x195 uint1 + x194, x195 = addcarryxU32(x178, uint32(0x0), x193) + var x196 uint32 + var x197 uint1 + x196, x197 = addcarryxU32(x180, uint32(0x0), x195) + var x198 uint32 + var x199 uint1 + x198, x199 = addcarryxU32(x182, uint32(0x0), x197) + var x200 uint32 + _, x200 = bits.Mul32(x184, 0xd2253531) + var x202 uint32 + var x203 uint32 + x203, x202 = bits.Mul32(x200, 0xffffffff) + var x204 uint32 + var x205 uint32 + x205, x204 = bits.Mul32(x200, 0xffffffff) + var x206 uint32 + var x207 uint32 + x207, x206 = bits.Mul32(x200, 0xffffffff) + var x208 uint32 + var x209 uint32 + x209, x208 = bits.Mul32(x200, 0xffffffff) + var x210 uint32 + var x211 uint32 + x211, x210 = bits.Mul32(x200, 0xffffffff) + var x212 uint32 + var x213 uint32 + x213, x212 = bits.Mul32(x200, 0xffffffff) + var x214 uint32 + var x215 uint32 + x215, x214 = bits.Mul32(x200, 0xfffffffe) + var x216 uint32 + var x217 uint32 + x217, x216 = bits.Mul32(x200, 0xfffffc2f) + var x218 uint32 + var x219 uint1 + x218, x219 = addcarryxU32(x217, x214, 0x0) 
+ var x220 uint32 + var x221 uint1 + x220, x221 = addcarryxU32(x215, x212, x219) + var x222 uint32 + var x223 uint1 + x222, x223 = addcarryxU32(x213, x210, x221) + var x224 uint32 + var x225 uint1 + x224, x225 = addcarryxU32(x211, x208, x223) + var x226 uint32 + var x227 uint1 + x226, x227 = addcarryxU32(x209, x206, x225) + var x228 uint32 + var x229 uint1 + x228, x229 = addcarryxU32(x207, x204, x227) + var x230 uint32 + var x231 uint1 + x230, x231 = addcarryxU32(x205, x202, x229) + var x233 uint1 + _, x233 = addcarryxU32(x184, x216, 0x0) + var x234 uint32 + var x235 uint1 + x234, x235 = addcarryxU32(x186, x218, x233) + var x236 uint32 + var x237 uint1 + x236, x237 = addcarryxU32(x188, x220, x235) + var x238 uint32 + var x239 uint1 + x238, x239 = addcarryxU32(x190, x222, x237) + var x240 uint32 + var x241 uint1 + x240, x241 = addcarryxU32(x192, x224, x239) + var x242 uint32 + var x243 uint1 + x242, x243 = addcarryxU32(x194, x226, x241) + var x244 uint32 + var x245 uint1 + x244, x245 = addcarryxU32(x196, x228, x243) + var x246 uint32 + var x247 uint1 + x246, x247 = addcarryxU32(x198, x230, x245) + var x248 uint32 + var x249 uint1 + x248, x249 = addcarryxU32((uint32(x199) + uint32(x183)), (uint32(x231) + x203), x247) + var x250 uint32 + var x251 uint1 + x250, x251 = addcarryxU32(x234, arg1[4], 0x0) + var x252 uint32 + var x253 uint1 + x252, x253 = addcarryxU32(x236, uint32(0x0), x251) + var x254 uint32 + var x255 uint1 + x254, x255 = addcarryxU32(x238, uint32(0x0), x253) + var x256 uint32 + var x257 uint1 + x256, x257 = addcarryxU32(x240, uint32(0x0), x255) + var x258 uint32 + var x259 uint1 + x258, x259 = addcarryxU32(x242, uint32(0x0), x257) + var x260 uint32 + var x261 uint1 + x260, x261 = addcarryxU32(x244, uint32(0x0), x259) + var x262 uint32 + var x263 uint1 + x262, x263 = addcarryxU32(x246, uint32(0x0), x261) + var x264 uint32 + var x265 uint1 + x264, x265 = addcarryxU32(x248, uint32(0x0), x263) + var x266 uint32 + _, x266 = bits.Mul32(x250, 0xd2253531) + var 
x268 uint32 + var x269 uint32 + x269, x268 = bits.Mul32(x266, 0xffffffff) + var x270 uint32 + var x271 uint32 + x271, x270 = bits.Mul32(x266, 0xffffffff) + var x272 uint32 + var x273 uint32 + x273, x272 = bits.Mul32(x266, 0xffffffff) + var x274 uint32 + var x275 uint32 + x275, x274 = bits.Mul32(x266, 0xffffffff) + var x276 uint32 + var x277 uint32 + x277, x276 = bits.Mul32(x266, 0xffffffff) + var x278 uint32 + var x279 uint32 + x279, x278 = bits.Mul32(x266, 0xffffffff) + var x280 uint32 + var x281 uint32 + x281, x280 = bits.Mul32(x266, 0xfffffffe) + var x282 uint32 + var x283 uint32 + x283, x282 = bits.Mul32(x266, 0xfffffc2f) + var x284 uint32 + var x285 uint1 + x284, x285 = addcarryxU32(x283, x280, 0x0) + var x286 uint32 + var x287 uint1 + x286, x287 = addcarryxU32(x281, x278, x285) + var x288 uint32 + var x289 uint1 + x288, x289 = addcarryxU32(x279, x276, x287) + var x290 uint32 + var x291 uint1 + x290, x291 = addcarryxU32(x277, x274, x289) + var x292 uint32 + var x293 uint1 + x292, x293 = addcarryxU32(x275, x272, x291) + var x294 uint32 + var x295 uint1 + x294, x295 = addcarryxU32(x273, x270, x293) + var x296 uint32 + var x297 uint1 + x296, x297 = addcarryxU32(x271, x268, x295) + var x299 uint1 + _, x299 = addcarryxU32(x250, x282, 0x0) + var x300 uint32 + var x301 uint1 + x300, x301 = addcarryxU32(x252, x284, x299) + var x302 uint32 + var x303 uint1 + x302, x303 = addcarryxU32(x254, x286, x301) + var x304 uint32 + var x305 uint1 + x304, x305 = addcarryxU32(x256, x288, x303) + var x306 uint32 + var x307 uint1 + x306, x307 = addcarryxU32(x258, x290, x305) + var x308 uint32 + var x309 uint1 + x308, x309 = addcarryxU32(x260, x292, x307) + var x310 uint32 + var x311 uint1 + x310, x311 = addcarryxU32(x262, x294, x309) + var x312 uint32 + var x313 uint1 + x312, x313 = addcarryxU32(x264, x296, x311) + var x314 uint32 + var x315 uint1 + x314, x315 = addcarryxU32((uint32(x265) + uint32(x249)), (uint32(x297) + x269), x313) + var x316 uint32 + var x317 uint1 + x316, x317 = 
addcarryxU32(x300, arg1[5], 0x0) + var x318 uint32 + var x319 uint1 + x318, x319 = addcarryxU32(x302, uint32(0x0), x317) + var x320 uint32 + var x321 uint1 + x320, x321 = addcarryxU32(x304, uint32(0x0), x319) + var x322 uint32 + var x323 uint1 + x322, x323 = addcarryxU32(x306, uint32(0x0), x321) + var x324 uint32 + var x325 uint1 + x324, x325 = addcarryxU32(x308, uint32(0x0), x323) + var x326 uint32 + var x327 uint1 + x326, x327 = addcarryxU32(x310, uint32(0x0), x325) + var x328 uint32 + var x329 uint1 + x328, x329 = addcarryxU32(x312, uint32(0x0), x327) + var x330 uint32 + var x331 uint1 + x330, x331 = addcarryxU32(x314, uint32(0x0), x329) + var x332 uint32 + _, x332 = bits.Mul32(x316, 0xd2253531) + var x334 uint32 + var x335 uint32 + x335, x334 = bits.Mul32(x332, 0xffffffff) + var x336 uint32 + var x337 uint32 + x337, x336 = bits.Mul32(x332, 0xffffffff) + var x338 uint32 + var x339 uint32 + x339, x338 = bits.Mul32(x332, 0xffffffff) + var x340 uint32 + var x341 uint32 + x341, x340 = bits.Mul32(x332, 0xffffffff) + var x342 uint32 + var x343 uint32 + x343, x342 = bits.Mul32(x332, 0xffffffff) + var x344 uint32 + var x345 uint32 + x345, x344 = bits.Mul32(x332, 0xffffffff) + var x346 uint32 + var x347 uint32 + x347, x346 = bits.Mul32(x332, 0xfffffffe) + var x348 uint32 + var x349 uint32 + x349, x348 = bits.Mul32(x332, 0xfffffc2f) + var x350 uint32 + var x351 uint1 + x350, x351 = addcarryxU32(x349, x346, 0x0) + var x352 uint32 + var x353 uint1 + x352, x353 = addcarryxU32(x347, x344, x351) + var x354 uint32 + var x355 uint1 + x354, x355 = addcarryxU32(x345, x342, x353) + var x356 uint32 + var x357 uint1 + x356, x357 = addcarryxU32(x343, x340, x355) + var x358 uint32 + var x359 uint1 + x358, x359 = addcarryxU32(x341, x338, x357) + var x360 uint32 + var x361 uint1 + x360, x361 = addcarryxU32(x339, x336, x359) + var x362 uint32 + var x363 uint1 + x362, x363 = addcarryxU32(x337, x334, x361) + var x365 uint1 + _, x365 = addcarryxU32(x316, x348, 0x0) + var x366 uint32 + var 
x367 uint1 + x366, x367 = addcarryxU32(x318, x350, x365) + var x368 uint32 + var x369 uint1 + x368, x369 = addcarryxU32(x320, x352, x367) + var x370 uint32 + var x371 uint1 + x370, x371 = addcarryxU32(x322, x354, x369) + var x372 uint32 + var x373 uint1 + x372, x373 = addcarryxU32(x324, x356, x371) + var x374 uint32 + var x375 uint1 + x374, x375 = addcarryxU32(x326, x358, x373) + var x376 uint32 + var x377 uint1 + x376, x377 = addcarryxU32(x328, x360, x375) + var x378 uint32 + var x379 uint1 + x378, x379 = addcarryxU32(x330, x362, x377) + var x380 uint32 + var x381 uint1 + x380, x381 = addcarryxU32((uint32(x331) + uint32(x315)), (uint32(x363) + x335), x379) + var x382 uint32 + var x383 uint1 + x382, x383 = addcarryxU32(x366, arg1[6], 0x0) + var x384 uint32 + var x385 uint1 + x384, x385 = addcarryxU32(x368, uint32(0x0), x383) + var x386 uint32 + var x387 uint1 + x386, x387 = addcarryxU32(x370, uint32(0x0), x385) + var x388 uint32 + var x389 uint1 + x388, x389 = addcarryxU32(x372, uint32(0x0), x387) + var x390 uint32 + var x391 uint1 + x390, x391 = addcarryxU32(x374, uint32(0x0), x389) + var x392 uint32 + var x393 uint1 + x392, x393 = addcarryxU32(x376, uint32(0x0), x391) + var x394 uint32 + var x395 uint1 + x394, x395 = addcarryxU32(x378, uint32(0x0), x393) + var x396 uint32 + var x397 uint1 + x396, x397 = addcarryxU32(x380, uint32(0x0), x395) + var x398 uint32 + _, x398 = bits.Mul32(x382, 0xd2253531) + var x400 uint32 + var x401 uint32 + x401, x400 = bits.Mul32(x398, 0xffffffff) + var x402 uint32 + var x403 uint32 + x403, x402 = bits.Mul32(x398, 0xffffffff) + var x404 uint32 + var x405 uint32 + x405, x404 = bits.Mul32(x398, 0xffffffff) + var x406 uint32 + var x407 uint32 + x407, x406 = bits.Mul32(x398, 0xffffffff) + var x408 uint32 + var x409 uint32 + x409, x408 = bits.Mul32(x398, 0xffffffff) + var x410 uint32 + var x411 uint32 + x411, x410 = bits.Mul32(x398, 0xffffffff) + var x412 uint32 + var x413 uint32 + x413, x412 = bits.Mul32(x398, 0xfffffffe) + var x414 
uint32 + var x415 uint32 + x415, x414 = bits.Mul32(x398, 0xfffffc2f) + var x416 uint32 + var x417 uint1 + x416, x417 = addcarryxU32(x415, x412, 0x0) + var x418 uint32 + var x419 uint1 + x418, x419 = addcarryxU32(x413, x410, x417) + var x420 uint32 + var x421 uint1 + x420, x421 = addcarryxU32(x411, x408, x419) + var x422 uint32 + var x423 uint1 + x422, x423 = addcarryxU32(x409, x406, x421) + var x424 uint32 + var x425 uint1 + x424, x425 = addcarryxU32(x407, x404, x423) + var x426 uint32 + var x427 uint1 + x426, x427 = addcarryxU32(x405, x402, x425) + var x428 uint32 + var x429 uint1 + x428, x429 = addcarryxU32(x403, x400, x427) + var x431 uint1 + _, x431 = addcarryxU32(x382, x414, 0x0) + var x432 uint32 + var x433 uint1 + x432, x433 = addcarryxU32(x384, x416, x431) + var x434 uint32 + var x435 uint1 + x434, x435 = addcarryxU32(x386, x418, x433) + var x436 uint32 + var x437 uint1 + x436, x437 = addcarryxU32(x388, x420, x435) + var x438 uint32 + var x439 uint1 + x438, x439 = addcarryxU32(x390, x422, x437) + var x440 uint32 + var x441 uint1 + x440, x441 = addcarryxU32(x392, x424, x439) + var x442 uint32 + var x443 uint1 + x442, x443 = addcarryxU32(x394, x426, x441) + var x444 uint32 + var x445 uint1 + x444, x445 = addcarryxU32(x396, x428, x443) + var x446 uint32 + var x447 uint1 + x446, x447 = addcarryxU32((uint32(x397) + uint32(x381)), (uint32(x429) + x401), x445) + var x448 uint32 + var x449 uint1 + x448, x449 = addcarryxU32(x432, arg1[7], 0x0) + var x450 uint32 + var x451 uint1 + x450, x451 = addcarryxU32(x434, uint32(0x0), x449) + var x452 uint32 + var x453 uint1 + x452, x453 = addcarryxU32(x436, uint32(0x0), x451) + var x454 uint32 + var x455 uint1 + x454, x455 = addcarryxU32(x438, uint32(0x0), x453) + var x456 uint32 + var x457 uint1 + x456, x457 = addcarryxU32(x440, uint32(0x0), x455) + var x458 uint32 + var x459 uint1 + x458, x459 = addcarryxU32(x442, uint32(0x0), x457) + var x460 uint32 + var x461 uint1 + x460, x461 = addcarryxU32(x444, uint32(0x0), x459) + 
var x462 uint32 + var x463 uint1 + x462, x463 = addcarryxU32(x446, uint32(0x0), x461) + var x464 uint32 + _, x464 = bits.Mul32(x448, 0xd2253531) + var x466 uint32 + var x467 uint32 + x467, x466 = bits.Mul32(x464, 0xffffffff) + var x468 uint32 + var x469 uint32 + x469, x468 = bits.Mul32(x464, 0xffffffff) + var x470 uint32 + var x471 uint32 + x471, x470 = bits.Mul32(x464, 0xffffffff) + var x472 uint32 + var x473 uint32 + x473, x472 = bits.Mul32(x464, 0xffffffff) + var x474 uint32 + var x475 uint32 + x475, x474 = bits.Mul32(x464, 0xffffffff) + var x476 uint32 + var x477 uint32 + x477, x476 = bits.Mul32(x464, 0xffffffff) + var x478 uint32 + var x479 uint32 + x479, x478 = bits.Mul32(x464, 0xfffffffe) + var x480 uint32 + var x481 uint32 + x481, x480 = bits.Mul32(x464, 0xfffffc2f) + var x482 uint32 + var x483 uint1 + x482, x483 = addcarryxU32(x481, x478, 0x0) + var x484 uint32 + var x485 uint1 + x484, x485 = addcarryxU32(x479, x476, x483) + var x486 uint32 + var x487 uint1 + x486, x487 = addcarryxU32(x477, x474, x485) + var x488 uint32 + var x489 uint1 + x488, x489 = addcarryxU32(x475, x472, x487) + var x490 uint32 + var x491 uint1 + x490, x491 = addcarryxU32(x473, x470, x489) + var x492 uint32 + var x493 uint1 + x492, x493 = addcarryxU32(x471, x468, x491) + var x494 uint32 + var x495 uint1 + x494, x495 = addcarryxU32(x469, x466, x493) + var x497 uint1 + _, x497 = addcarryxU32(x448, x480, 0x0) + var x498 uint32 + var x499 uint1 + x498, x499 = addcarryxU32(x450, x482, x497) + var x500 uint32 + var x501 uint1 + x500, x501 = addcarryxU32(x452, x484, x499) + var x502 uint32 + var x503 uint1 + x502, x503 = addcarryxU32(x454, x486, x501) + var x504 uint32 + var x505 uint1 + x504, x505 = addcarryxU32(x456, x488, x503) + var x506 uint32 + var x507 uint1 + x506, x507 = addcarryxU32(x458, x490, x505) + var x508 uint32 + var x509 uint1 + x508, x509 = addcarryxU32(x460, x492, x507) + var x510 uint32 + var x511 uint1 + x510, x511 = addcarryxU32(x462, x494, x509) + var x512 uint32 + 
var x513 uint1 + x512, x513 = addcarryxU32((uint32(x463) + uint32(x447)), (uint32(x495) + x467), x511) + var x514 uint32 + var x515 uint1 + x514, x515 = subborrowxU32(x498, 0xfffffc2f, 0x0) + var x516 uint32 + var x517 uint1 + x516, x517 = subborrowxU32(x500, 0xfffffffe, x515) + var x518 uint32 + var x519 uint1 + x518, x519 = subborrowxU32(x502, 0xffffffff, x517) + var x520 uint32 + var x521 uint1 + x520, x521 = subborrowxU32(x504, 0xffffffff, x519) + var x522 uint32 + var x523 uint1 + x522, x523 = subborrowxU32(x506, 0xffffffff, x521) + var x524 uint32 + var x525 uint1 + x524, x525 = subborrowxU32(x508, 0xffffffff, x523) + var x526 uint32 + var x527 uint1 + x526, x527 = subborrowxU32(x510, 0xffffffff, x525) + var x528 uint32 + var x529 uint1 + x528, x529 = subborrowxU32(x512, 0xffffffff, x527) + var x531 uint1 + _, x531 = subborrowxU32(uint32(x513), uint32(0x0), x529) + var x532 uint32 + cmovznzU32(&x532, x531, x514, x498) + var x533 uint32 + cmovznzU32(&x533, x531, x516, x500) + var x534 uint32 + cmovznzU32(&x534, x531, x518, x502) + var x535 uint32 + cmovznzU32(&x535, x531, x520, x504) + var x536 uint32 + cmovznzU32(&x536, x531, x522, x506) + var x537 uint32 + cmovznzU32(&x537, x531, x524, x508) + var x538 uint32 + cmovznzU32(&x538, x531, x526, x510) + var x539 uint32 + cmovznzU32(&x539, x531, x528, x512) + out1[0] = x532 + out1[1] = x533 + out1[2] = x534 + out1[3] = x535 + out1[4] = x536 + out1[5] = x537 + out1[6] = x538 + out1[7] = x539 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func ToMontgomery(out1 *[8]uint32, arg1 *[8]uint32) { - var x1 uint32 = (arg1[1]) - var x2 uint32 = (arg1[2]) - var x3 uint32 = (arg1[3]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[5]) - var x6 uint32 = (arg1[6]) - var x7 uint32 = (arg1[7]) - var x8 uint32 = (arg1[0]) - var x9 uint32 - var x10 uint32 - x10, x9 = bits.Mul32(x8, 0x7a2) - var x11 uint32 - var x12 uint32 - x12, x11 = bits.Mul32(x8, 0xe90a1) - var x13 uint32 - var x14 uint1 - x13, x14 = addcarryxU32(x12, x9, 0x0) - var x15 uint32 - var x16 uint1 - x15, x16 = addcarryxU32(x10, x8, x14) - var x17 uint32 - _, x17 = bits.Mul32(x11, 0xd2253531) - var x19 uint32 - var x20 uint32 - x20, x19 = bits.Mul32(x17, 0xffffffff) - var x21 uint32 - var x22 uint32 - x22, x21 = bits.Mul32(x17, 0xffffffff) - var x23 uint32 - var x24 uint32 - x24, x23 = bits.Mul32(x17, 0xffffffff) - var 
x25 uint32 - var x26 uint32 - x26, x25 = bits.Mul32(x17, 0xffffffff) - var x27 uint32 - var x28 uint32 - x28, x27 = bits.Mul32(x17, 0xffffffff) - var x29 uint32 - var x30 uint32 - x30, x29 = bits.Mul32(x17, 0xffffffff) - var x31 uint32 - var x32 uint32 - x32, x31 = bits.Mul32(x17, 0xfffffffe) - var x33 uint32 - var x34 uint32 - x34, x33 = bits.Mul32(x17, 0xfffffc2f) - var x35 uint32 - var x36 uint1 - x35, x36 = addcarryxU32(x34, x31, 0x0) - var x37 uint32 - var x38 uint1 - x37, x38 = addcarryxU32(x32, x29, x36) - var x39 uint32 - var x40 uint1 - x39, x40 = addcarryxU32(x30, x27, x38) - var x41 uint32 - var x42 uint1 - x41, x42 = addcarryxU32(x28, x25, x40) - var x43 uint32 - var x44 uint1 - x43, x44 = addcarryxU32(x26, x23, x42) - var x45 uint32 - var x46 uint1 - x45, x46 = addcarryxU32(x24, x21, x44) - var x47 uint32 - var x48 uint1 - x47, x48 = addcarryxU32(x22, x19, x46) - var x50 uint1 - _, x50 = addcarryxU32(x11, x33, 0x0) - var x51 uint32 - var x52 uint1 - x51, x52 = addcarryxU32(x13, x35, x50) - var x53 uint32 - var x54 uint1 - x53, x54 = addcarryxU32(x15, x37, x52) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(uint32(x16), x39, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(uint32(0x0), x41, x56) - var x59 uint32 - var x60 uint1 - x59, x60 = addcarryxU32(uint32(0x0), x43, x58) - var x61 uint32 - var x62 uint1 - x61, x62 = addcarryxU32(uint32(0x0), x45, x60) - var x63 uint32 - var x64 uint1 - x63, x64 = addcarryxU32(uint32(0x0), x47, x62) - var x65 uint32 - var x66 uint1 - x65, x66 = addcarryxU32(uint32(0x0), (uint32(x48) + x20), x64) - var x67 uint32 - var x68 uint32 - x68, x67 = bits.Mul32(x1, 0x7a2) - var x69 uint32 - var x70 uint32 - x70, x69 = bits.Mul32(x1, 0xe90a1) - var x71 uint32 - var x72 uint1 - x71, x72 = addcarryxU32(x70, x67, 0x0) - var x73 uint32 - var x74 uint1 - x73, x74 = addcarryxU32(x68, x1, x72) - var x75 uint32 - var x76 uint1 - x75, x76 = addcarryxU32(x51, x69, 0x0) - var x77 uint32 - var x78 uint1 - x77, 
x78 = addcarryxU32(x53, x71, x76) - var x79 uint32 - var x80 uint1 - x79, x80 = addcarryxU32(x55, x73, x78) - var x81 uint32 - var x82 uint1 - x81, x82 = addcarryxU32(x57, uint32(x74), x80) - var x83 uint32 - var x84 uint1 - x83, x84 = addcarryxU32(x59, uint32(0x0), x82) - var x85 uint32 - var x86 uint1 - x85, x86 = addcarryxU32(x61, uint32(0x0), x84) - var x87 uint32 - var x88 uint1 - x87, x88 = addcarryxU32(x63, uint32(0x0), x86) - var x89 uint32 - var x90 uint1 - x89, x90 = addcarryxU32(x65, uint32(0x0), x88) - var x91 uint32 - _, x91 = bits.Mul32(x75, 0xd2253531) - var x93 uint32 - var x94 uint32 - x94, x93 = bits.Mul32(x91, 0xffffffff) - var x95 uint32 - var x96 uint32 - x96, x95 = bits.Mul32(x91, 0xffffffff) - var x97 uint32 - var x98 uint32 - x98, x97 = bits.Mul32(x91, 0xffffffff) - var x99 uint32 - var x100 uint32 - x100, x99 = bits.Mul32(x91, 0xffffffff) - var x101 uint32 - var x102 uint32 - x102, x101 = bits.Mul32(x91, 0xffffffff) - var x103 uint32 - var x104 uint32 - x104, x103 = bits.Mul32(x91, 0xffffffff) - var x105 uint32 - var x106 uint32 - x106, x105 = bits.Mul32(x91, 0xfffffffe) - var x107 uint32 - var x108 uint32 - x108, x107 = bits.Mul32(x91, 0xfffffc2f) - var x109 uint32 - var x110 uint1 - x109, x110 = addcarryxU32(x108, x105, 0x0) - var x111 uint32 - var x112 uint1 - x111, x112 = addcarryxU32(x106, x103, x110) - var x113 uint32 - var x114 uint1 - x113, x114 = addcarryxU32(x104, x101, x112) - var x115 uint32 - var x116 uint1 - x115, x116 = addcarryxU32(x102, x99, x114) - var x117 uint32 - var x118 uint1 - x117, x118 = addcarryxU32(x100, x97, x116) - var x119 uint32 - var x120 uint1 - x119, x120 = addcarryxU32(x98, x95, x118) - var x121 uint32 - var x122 uint1 - x121, x122 = addcarryxU32(x96, x93, x120) - var x124 uint1 - _, x124 = addcarryxU32(x75, x107, 0x0) - var x125 uint32 - var x126 uint1 - x125, x126 = addcarryxU32(x77, x109, x124) - var x127 uint32 - var x128 uint1 - x127, x128 = addcarryxU32(x79, x111, x126) - var x129 uint32 - var x130 
uint1 - x129, x130 = addcarryxU32(x81, x113, x128) - var x131 uint32 - var x132 uint1 - x131, x132 = addcarryxU32(x83, x115, x130) - var x133 uint32 - var x134 uint1 - x133, x134 = addcarryxU32(x85, x117, x132) - var x135 uint32 - var x136 uint1 - x135, x136 = addcarryxU32(x87, x119, x134) - var x137 uint32 - var x138 uint1 - x137, x138 = addcarryxU32(x89, x121, x136) - var x139 uint32 - var x140 uint1 - x139, x140 = addcarryxU32((uint32(x90) + uint32(x66)), (uint32(x122) + x94), x138) - var x141 uint32 - var x142 uint32 - x142, x141 = bits.Mul32(x2, 0x7a2) - var x143 uint32 - var x144 uint32 - x144, x143 = bits.Mul32(x2, 0xe90a1) - var x145 uint32 - var x146 uint1 - x145, x146 = addcarryxU32(x144, x141, 0x0) - var x147 uint32 - var x148 uint1 - x147, x148 = addcarryxU32(x142, x2, x146) - var x149 uint32 - var x150 uint1 - x149, x150 = addcarryxU32(x125, x143, 0x0) - var x151 uint32 - var x152 uint1 - x151, x152 = addcarryxU32(x127, x145, x150) - var x153 uint32 - var x154 uint1 - x153, x154 = addcarryxU32(x129, x147, x152) - var x155 uint32 - var x156 uint1 - x155, x156 = addcarryxU32(x131, uint32(x148), x154) - var x157 uint32 - var x158 uint1 - x157, x158 = addcarryxU32(x133, uint32(0x0), x156) - var x159 uint32 - var x160 uint1 - x159, x160 = addcarryxU32(x135, uint32(0x0), x158) - var x161 uint32 - var x162 uint1 - x161, x162 = addcarryxU32(x137, uint32(0x0), x160) - var x163 uint32 - var x164 uint1 - x163, x164 = addcarryxU32(x139, uint32(0x0), x162) - var x165 uint32 - _, x165 = bits.Mul32(x149, 0xd2253531) - var x167 uint32 - var x168 uint32 - x168, x167 = bits.Mul32(x165, 0xffffffff) - var x169 uint32 - var x170 uint32 - x170, x169 = bits.Mul32(x165, 0xffffffff) - var x171 uint32 - var x172 uint32 - x172, x171 = bits.Mul32(x165, 0xffffffff) - var x173 uint32 - var x174 uint32 - x174, x173 = bits.Mul32(x165, 0xffffffff) - var x175 uint32 - var x176 uint32 - x176, x175 = bits.Mul32(x165, 0xffffffff) - var x177 uint32 - var x178 uint32 - x178, x177 = 
bits.Mul32(x165, 0xffffffff) - var x179 uint32 - var x180 uint32 - x180, x179 = bits.Mul32(x165, 0xfffffffe) - var x181 uint32 - var x182 uint32 - x182, x181 = bits.Mul32(x165, 0xfffffc2f) - var x183 uint32 - var x184 uint1 - x183, x184 = addcarryxU32(x182, x179, 0x0) - var x185 uint32 - var x186 uint1 - x185, x186 = addcarryxU32(x180, x177, x184) - var x187 uint32 - var x188 uint1 - x187, x188 = addcarryxU32(x178, x175, x186) - var x189 uint32 - var x190 uint1 - x189, x190 = addcarryxU32(x176, x173, x188) - var x191 uint32 - var x192 uint1 - x191, x192 = addcarryxU32(x174, x171, x190) - var x193 uint32 - var x194 uint1 - x193, x194 = addcarryxU32(x172, x169, x192) - var x195 uint32 - var x196 uint1 - x195, x196 = addcarryxU32(x170, x167, x194) - var x198 uint1 - _, x198 = addcarryxU32(x149, x181, 0x0) - var x199 uint32 - var x200 uint1 - x199, x200 = addcarryxU32(x151, x183, x198) - var x201 uint32 - var x202 uint1 - x201, x202 = addcarryxU32(x153, x185, x200) - var x203 uint32 - var x204 uint1 - x203, x204 = addcarryxU32(x155, x187, x202) - var x205 uint32 - var x206 uint1 - x205, x206 = addcarryxU32(x157, x189, x204) - var x207 uint32 - var x208 uint1 - x207, x208 = addcarryxU32(x159, x191, x206) - var x209 uint32 - var x210 uint1 - x209, x210 = addcarryxU32(x161, x193, x208) - var x211 uint32 - var x212 uint1 - x211, x212 = addcarryxU32(x163, x195, x210) - var x213 uint32 - var x214 uint1 - x213, x214 = addcarryxU32((uint32(x164) + uint32(x140)), (uint32(x196) + x168), x212) - var x215 uint32 - var x216 uint32 - x216, x215 = bits.Mul32(x3, 0x7a2) - var x217 uint32 - var x218 uint32 - x218, x217 = bits.Mul32(x3, 0xe90a1) - var x219 uint32 - var x220 uint1 - x219, x220 = addcarryxU32(x218, x215, 0x0) - var x221 uint32 - var x222 uint1 - x221, x222 = addcarryxU32(x216, x3, x220) - var x223 uint32 - var x224 uint1 - x223, x224 = addcarryxU32(x199, x217, 0x0) - var x225 uint32 - var x226 uint1 - x225, x226 = addcarryxU32(x201, x219, x224) - var x227 uint32 - var 
x228 uint1 - x227, x228 = addcarryxU32(x203, x221, x226) - var x229 uint32 - var x230 uint1 - x229, x230 = addcarryxU32(x205, uint32(x222), x228) - var x231 uint32 - var x232 uint1 - x231, x232 = addcarryxU32(x207, uint32(0x0), x230) - var x233 uint32 - var x234 uint1 - x233, x234 = addcarryxU32(x209, uint32(0x0), x232) - var x235 uint32 - var x236 uint1 - x235, x236 = addcarryxU32(x211, uint32(0x0), x234) - var x237 uint32 - var x238 uint1 - x237, x238 = addcarryxU32(x213, uint32(0x0), x236) - var x239 uint32 - _, x239 = bits.Mul32(x223, 0xd2253531) - var x241 uint32 - var x242 uint32 - x242, x241 = bits.Mul32(x239, 0xffffffff) - var x243 uint32 - var x244 uint32 - x244, x243 = bits.Mul32(x239, 0xffffffff) - var x245 uint32 - var x246 uint32 - x246, x245 = bits.Mul32(x239, 0xffffffff) - var x247 uint32 - var x248 uint32 - x248, x247 = bits.Mul32(x239, 0xffffffff) - var x249 uint32 - var x250 uint32 - x250, x249 = bits.Mul32(x239, 0xffffffff) - var x251 uint32 - var x252 uint32 - x252, x251 = bits.Mul32(x239, 0xffffffff) - var x253 uint32 - var x254 uint32 - x254, x253 = bits.Mul32(x239, 0xfffffffe) - var x255 uint32 - var x256 uint32 - x256, x255 = bits.Mul32(x239, 0xfffffc2f) - var x257 uint32 - var x258 uint1 - x257, x258 = addcarryxU32(x256, x253, 0x0) - var x259 uint32 - var x260 uint1 - x259, x260 = addcarryxU32(x254, x251, x258) - var x261 uint32 - var x262 uint1 - x261, x262 = addcarryxU32(x252, x249, x260) - var x263 uint32 - var x264 uint1 - x263, x264 = addcarryxU32(x250, x247, x262) - var x265 uint32 - var x266 uint1 - x265, x266 = addcarryxU32(x248, x245, x264) - var x267 uint32 - var x268 uint1 - x267, x268 = addcarryxU32(x246, x243, x266) - var x269 uint32 - var x270 uint1 - x269, x270 = addcarryxU32(x244, x241, x268) - var x272 uint1 - _, x272 = addcarryxU32(x223, x255, 0x0) - var x273 uint32 - var x274 uint1 - x273, x274 = addcarryxU32(x225, x257, x272) - var x275 uint32 - var x276 uint1 - x275, x276 = addcarryxU32(x227, x259, x274) - var x277 
uint32 - var x278 uint1 - x277, x278 = addcarryxU32(x229, x261, x276) - var x279 uint32 - var x280 uint1 - x279, x280 = addcarryxU32(x231, x263, x278) - var x281 uint32 - var x282 uint1 - x281, x282 = addcarryxU32(x233, x265, x280) - var x283 uint32 - var x284 uint1 - x283, x284 = addcarryxU32(x235, x267, x282) - var x285 uint32 - var x286 uint1 - x285, x286 = addcarryxU32(x237, x269, x284) - var x287 uint32 - var x288 uint1 - x287, x288 = addcarryxU32((uint32(x238) + uint32(x214)), (uint32(x270) + x242), x286) - var x289 uint32 - var x290 uint32 - x290, x289 = bits.Mul32(x4, 0x7a2) - var x291 uint32 - var x292 uint32 - x292, x291 = bits.Mul32(x4, 0xe90a1) - var x293 uint32 - var x294 uint1 - x293, x294 = addcarryxU32(x292, x289, 0x0) - var x295 uint32 - var x296 uint1 - x295, x296 = addcarryxU32(x290, x4, x294) - var x297 uint32 - var x298 uint1 - x297, x298 = addcarryxU32(x273, x291, 0x0) - var x299 uint32 - var x300 uint1 - x299, x300 = addcarryxU32(x275, x293, x298) - var x301 uint32 - var x302 uint1 - x301, x302 = addcarryxU32(x277, x295, x300) - var x303 uint32 - var x304 uint1 - x303, x304 = addcarryxU32(x279, uint32(x296), x302) - var x305 uint32 - var x306 uint1 - x305, x306 = addcarryxU32(x281, uint32(0x0), x304) - var x307 uint32 - var x308 uint1 - x307, x308 = addcarryxU32(x283, uint32(0x0), x306) - var x309 uint32 - var x310 uint1 - x309, x310 = addcarryxU32(x285, uint32(0x0), x308) - var x311 uint32 - var x312 uint1 - x311, x312 = addcarryxU32(x287, uint32(0x0), x310) - var x313 uint32 - _, x313 = bits.Mul32(x297, 0xd2253531) - var x315 uint32 - var x316 uint32 - x316, x315 = bits.Mul32(x313, 0xffffffff) - var x317 uint32 - var x318 uint32 - x318, x317 = bits.Mul32(x313, 0xffffffff) - var x319 uint32 - var x320 uint32 - x320, x319 = bits.Mul32(x313, 0xffffffff) - var x321 uint32 - var x322 uint32 - x322, x321 = bits.Mul32(x313, 0xffffffff) - var x323 uint32 - var x324 uint32 - x324, x323 = bits.Mul32(x313, 0xffffffff) - var x325 uint32 - var x326 
uint32 - x326, x325 = bits.Mul32(x313, 0xffffffff) - var x327 uint32 - var x328 uint32 - x328, x327 = bits.Mul32(x313, 0xfffffffe) - var x329 uint32 - var x330 uint32 - x330, x329 = bits.Mul32(x313, 0xfffffc2f) - var x331 uint32 - var x332 uint1 - x331, x332 = addcarryxU32(x330, x327, 0x0) - var x333 uint32 - var x334 uint1 - x333, x334 = addcarryxU32(x328, x325, x332) - var x335 uint32 - var x336 uint1 - x335, x336 = addcarryxU32(x326, x323, x334) - var x337 uint32 - var x338 uint1 - x337, x338 = addcarryxU32(x324, x321, x336) - var x339 uint32 - var x340 uint1 - x339, x340 = addcarryxU32(x322, x319, x338) - var x341 uint32 - var x342 uint1 - x341, x342 = addcarryxU32(x320, x317, x340) - var x343 uint32 - var x344 uint1 - x343, x344 = addcarryxU32(x318, x315, x342) - var x346 uint1 - _, x346 = addcarryxU32(x297, x329, 0x0) - var x347 uint32 - var x348 uint1 - x347, x348 = addcarryxU32(x299, x331, x346) - var x349 uint32 - var x350 uint1 - x349, x350 = addcarryxU32(x301, x333, x348) - var x351 uint32 - var x352 uint1 - x351, x352 = addcarryxU32(x303, x335, x350) - var x353 uint32 - var x354 uint1 - x353, x354 = addcarryxU32(x305, x337, x352) - var x355 uint32 - var x356 uint1 - x355, x356 = addcarryxU32(x307, x339, x354) - var x357 uint32 - var x358 uint1 - x357, x358 = addcarryxU32(x309, x341, x356) - var x359 uint32 - var x360 uint1 - x359, x360 = addcarryxU32(x311, x343, x358) - var x361 uint32 - var x362 uint1 - x361, x362 = addcarryxU32((uint32(x312) + uint32(x288)), (uint32(x344) + x316), x360) - var x363 uint32 - var x364 uint32 - x364, x363 = bits.Mul32(x5, 0x7a2) - var x365 uint32 - var x366 uint32 - x366, x365 = bits.Mul32(x5, 0xe90a1) - var x367 uint32 - var x368 uint1 - x367, x368 = addcarryxU32(x366, x363, 0x0) - var x369 uint32 - var x370 uint1 - x369, x370 = addcarryxU32(x364, x5, x368) - var x371 uint32 - var x372 uint1 - x371, x372 = addcarryxU32(x347, x365, 0x0) - var x373 uint32 - var x374 uint1 - x373, x374 = addcarryxU32(x349, x367, x372) - var 
x375 uint32 - var x376 uint1 - x375, x376 = addcarryxU32(x351, x369, x374) - var x377 uint32 - var x378 uint1 - x377, x378 = addcarryxU32(x353, uint32(x370), x376) - var x379 uint32 - var x380 uint1 - x379, x380 = addcarryxU32(x355, uint32(0x0), x378) - var x381 uint32 - var x382 uint1 - x381, x382 = addcarryxU32(x357, uint32(0x0), x380) - var x383 uint32 - var x384 uint1 - x383, x384 = addcarryxU32(x359, uint32(0x0), x382) - var x385 uint32 - var x386 uint1 - x385, x386 = addcarryxU32(x361, uint32(0x0), x384) - var x387 uint32 - _, x387 = bits.Mul32(x371, 0xd2253531) - var x389 uint32 - var x390 uint32 - x390, x389 = bits.Mul32(x387, 0xffffffff) - var x391 uint32 - var x392 uint32 - x392, x391 = bits.Mul32(x387, 0xffffffff) - var x393 uint32 - var x394 uint32 - x394, x393 = bits.Mul32(x387, 0xffffffff) - var x395 uint32 - var x396 uint32 - x396, x395 = bits.Mul32(x387, 0xffffffff) - var x397 uint32 - var x398 uint32 - x398, x397 = bits.Mul32(x387, 0xffffffff) - var x399 uint32 - var x400 uint32 - x400, x399 = bits.Mul32(x387, 0xffffffff) - var x401 uint32 - var x402 uint32 - x402, x401 = bits.Mul32(x387, 0xfffffffe) - var x403 uint32 - var x404 uint32 - x404, x403 = bits.Mul32(x387, 0xfffffc2f) - var x405 uint32 - var x406 uint1 - x405, x406 = addcarryxU32(x404, x401, 0x0) - var x407 uint32 - var x408 uint1 - x407, x408 = addcarryxU32(x402, x399, x406) - var x409 uint32 - var x410 uint1 - x409, x410 = addcarryxU32(x400, x397, x408) - var x411 uint32 - var x412 uint1 - x411, x412 = addcarryxU32(x398, x395, x410) - var x413 uint32 - var x414 uint1 - x413, x414 = addcarryxU32(x396, x393, x412) - var x415 uint32 - var x416 uint1 - x415, x416 = addcarryxU32(x394, x391, x414) - var x417 uint32 - var x418 uint1 - x417, x418 = addcarryxU32(x392, x389, x416) - var x420 uint1 - _, x420 = addcarryxU32(x371, x403, 0x0) - var x421 uint32 - var x422 uint1 - x421, x422 = addcarryxU32(x373, x405, x420) - var x423 uint32 - var x424 uint1 - x423, x424 = addcarryxU32(x375, x407, 
x422) - var x425 uint32 - var x426 uint1 - x425, x426 = addcarryxU32(x377, x409, x424) - var x427 uint32 - var x428 uint1 - x427, x428 = addcarryxU32(x379, x411, x426) - var x429 uint32 - var x430 uint1 - x429, x430 = addcarryxU32(x381, x413, x428) - var x431 uint32 - var x432 uint1 - x431, x432 = addcarryxU32(x383, x415, x430) - var x433 uint32 - var x434 uint1 - x433, x434 = addcarryxU32(x385, x417, x432) - var x435 uint32 - var x436 uint1 - x435, x436 = addcarryxU32((uint32(x386) + uint32(x362)), (uint32(x418) + x390), x434) - var x437 uint32 - var x438 uint32 - x438, x437 = bits.Mul32(x6, 0x7a2) - var x439 uint32 - var x440 uint32 - x440, x439 = bits.Mul32(x6, 0xe90a1) - var x441 uint32 - var x442 uint1 - x441, x442 = addcarryxU32(x440, x437, 0x0) - var x443 uint32 - var x444 uint1 - x443, x444 = addcarryxU32(x438, x6, x442) - var x445 uint32 - var x446 uint1 - x445, x446 = addcarryxU32(x421, x439, 0x0) - var x447 uint32 - var x448 uint1 - x447, x448 = addcarryxU32(x423, x441, x446) - var x449 uint32 - var x450 uint1 - x449, x450 = addcarryxU32(x425, x443, x448) - var x451 uint32 - var x452 uint1 - x451, x452 = addcarryxU32(x427, uint32(x444), x450) - var x453 uint32 - var x454 uint1 - x453, x454 = addcarryxU32(x429, uint32(0x0), x452) - var x455 uint32 - var x456 uint1 - x455, x456 = addcarryxU32(x431, uint32(0x0), x454) - var x457 uint32 - var x458 uint1 - x457, x458 = addcarryxU32(x433, uint32(0x0), x456) - var x459 uint32 - var x460 uint1 - x459, x460 = addcarryxU32(x435, uint32(0x0), x458) - var x461 uint32 - _, x461 = bits.Mul32(x445, 0xd2253531) - var x463 uint32 - var x464 uint32 - x464, x463 = bits.Mul32(x461, 0xffffffff) - var x465 uint32 - var x466 uint32 - x466, x465 = bits.Mul32(x461, 0xffffffff) - var x467 uint32 - var x468 uint32 - x468, x467 = bits.Mul32(x461, 0xffffffff) - var x469 uint32 - var x470 uint32 - x470, x469 = bits.Mul32(x461, 0xffffffff) - var x471 uint32 - var x472 uint32 - x472, x471 = bits.Mul32(x461, 0xffffffff) - var x473 
uint32 - var x474 uint32 - x474, x473 = bits.Mul32(x461, 0xffffffff) - var x475 uint32 - var x476 uint32 - x476, x475 = bits.Mul32(x461, 0xfffffffe) - var x477 uint32 - var x478 uint32 - x478, x477 = bits.Mul32(x461, 0xfffffc2f) - var x479 uint32 - var x480 uint1 - x479, x480 = addcarryxU32(x478, x475, 0x0) - var x481 uint32 - var x482 uint1 - x481, x482 = addcarryxU32(x476, x473, x480) - var x483 uint32 - var x484 uint1 - x483, x484 = addcarryxU32(x474, x471, x482) - var x485 uint32 - var x486 uint1 - x485, x486 = addcarryxU32(x472, x469, x484) - var x487 uint32 - var x488 uint1 - x487, x488 = addcarryxU32(x470, x467, x486) - var x489 uint32 - var x490 uint1 - x489, x490 = addcarryxU32(x468, x465, x488) - var x491 uint32 - var x492 uint1 - x491, x492 = addcarryxU32(x466, x463, x490) - var x494 uint1 - _, x494 = addcarryxU32(x445, x477, 0x0) - var x495 uint32 - var x496 uint1 - x495, x496 = addcarryxU32(x447, x479, x494) - var x497 uint32 - var x498 uint1 - x497, x498 = addcarryxU32(x449, x481, x496) - var x499 uint32 - var x500 uint1 - x499, x500 = addcarryxU32(x451, x483, x498) - var x501 uint32 - var x502 uint1 - x501, x502 = addcarryxU32(x453, x485, x500) - var x503 uint32 - var x504 uint1 - x503, x504 = addcarryxU32(x455, x487, x502) - var x505 uint32 - var x506 uint1 - x505, x506 = addcarryxU32(x457, x489, x504) - var x507 uint32 - var x508 uint1 - x507, x508 = addcarryxU32(x459, x491, x506) - var x509 uint32 - var x510 uint1 - x509, x510 = addcarryxU32((uint32(x460) + uint32(x436)), (uint32(x492) + x464), x508) - var x511 uint32 - var x512 uint32 - x512, x511 = bits.Mul32(x7, 0x7a2) - var x513 uint32 - var x514 uint32 - x514, x513 = bits.Mul32(x7, 0xe90a1) - var x515 uint32 - var x516 uint1 - x515, x516 = addcarryxU32(x514, x511, 0x0) - var x517 uint32 - var x518 uint1 - x517, x518 = addcarryxU32(x512, x7, x516) - var x519 uint32 - var x520 uint1 - x519, x520 = addcarryxU32(x495, x513, 0x0) - var x521 uint32 - var x522 uint1 - x521, x522 = addcarryxU32(x497, 
x515, x520) - var x523 uint32 - var x524 uint1 - x523, x524 = addcarryxU32(x499, x517, x522) - var x525 uint32 - var x526 uint1 - x525, x526 = addcarryxU32(x501, uint32(x518), x524) - var x527 uint32 - var x528 uint1 - x527, x528 = addcarryxU32(x503, uint32(0x0), x526) - var x529 uint32 - var x530 uint1 - x529, x530 = addcarryxU32(x505, uint32(0x0), x528) - var x531 uint32 - var x532 uint1 - x531, x532 = addcarryxU32(x507, uint32(0x0), x530) - var x533 uint32 - var x534 uint1 - x533, x534 = addcarryxU32(x509, uint32(0x0), x532) - var x535 uint32 - _, x535 = bits.Mul32(x519, 0xd2253531) - var x537 uint32 - var x538 uint32 - x538, x537 = bits.Mul32(x535, 0xffffffff) - var x539 uint32 - var x540 uint32 - x540, x539 = bits.Mul32(x535, 0xffffffff) - var x541 uint32 - var x542 uint32 - x542, x541 = bits.Mul32(x535, 0xffffffff) - var x543 uint32 - var x544 uint32 - x544, x543 = bits.Mul32(x535, 0xffffffff) - var x545 uint32 - var x546 uint32 - x546, x545 = bits.Mul32(x535, 0xffffffff) - var x547 uint32 - var x548 uint32 - x548, x547 = bits.Mul32(x535, 0xffffffff) - var x549 uint32 - var x550 uint32 - x550, x549 = bits.Mul32(x535, 0xfffffffe) - var x551 uint32 - var x552 uint32 - x552, x551 = bits.Mul32(x535, 0xfffffc2f) - var x553 uint32 - var x554 uint1 - x553, x554 = addcarryxU32(x552, x549, 0x0) - var x555 uint32 - var x556 uint1 - x555, x556 = addcarryxU32(x550, x547, x554) - var x557 uint32 - var x558 uint1 - x557, x558 = addcarryxU32(x548, x545, x556) - var x559 uint32 - var x560 uint1 - x559, x560 = addcarryxU32(x546, x543, x558) - var x561 uint32 - var x562 uint1 - x561, x562 = addcarryxU32(x544, x541, x560) - var x563 uint32 - var x564 uint1 - x563, x564 = addcarryxU32(x542, x539, x562) - var x565 uint32 - var x566 uint1 - x565, x566 = addcarryxU32(x540, x537, x564) - var x568 uint1 - _, x568 = addcarryxU32(x519, x551, 0x0) - var x569 uint32 - var x570 uint1 - x569, x570 = addcarryxU32(x521, x553, x568) - var x571 uint32 - var x572 uint1 - x571, x572 = 
addcarryxU32(x523, x555, x570) - var x573 uint32 - var x574 uint1 - x573, x574 = addcarryxU32(x525, x557, x572) - var x575 uint32 - var x576 uint1 - x575, x576 = addcarryxU32(x527, x559, x574) - var x577 uint32 - var x578 uint1 - x577, x578 = addcarryxU32(x529, x561, x576) - var x579 uint32 - var x580 uint1 - x579, x580 = addcarryxU32(x531, x563, x578) - var x581 uint32 - var x582 uint1 - x581, x582 = addcarryxU32(x533, x565, x580) - var x583 uint32 - var x584 uint1 - x583, x584 = addcarryxU32((uint32(x534) + uint32(x510)), (uint32(x566) + x538), x582) - var x585 uint32 - var x586 uint1 - x585, x586 = subborrowxU32(x569, 0xfffffc2f, 0x0) - var x587 uint32 - var x588 uint1 - x587, x588 = subborrowxU32(x571, 0xfffffffe, x586) - var x589 uint32 - var x590 uint1 - x589, x590 = subborrowxU32(x573, 0xffffffff, x588) - var x591 uint32 - var x592 uint1 - x591, x592 = subborrowxU32(x575, 0xffffffff, x590) - var x593 uint32 - var x594 uint1 - x593, x594 = subborrowxU32(x577, 0xffffffff, x592) - var x595 uint32 - var x596 uint1 - x595, x596 = subborrowxU32(x579, 0xffffffff, x594) - var x597 uint32 - var x598 uint1 - x597, x598 = subborrowxU32(x581, 0xffffffff, x596) - var x599 uint32 - var x600 uint1 - x599, x600 = subborrowxU32(x583, 0xffffffff, x598) - var x602 uint1 - _, x602 = subborrowxU32(uint32(x584), uint32(0x0), x600) - var x603 uint32 - cmovznzU32(&x603, x602, x585, x569) - var x604 uint32 - cmovznzU32(&x604, x602, x587, x571) - var x605 uint32 - cmovznzU32(&x605, x602, x589, x573) - var x606 uint32 - cmovznzU32(&x606, x602, x591, x575) - var x607 uint32 - cmovznzU32(&x607, x602, x593, x577) - var x608 uint32 - cmovznzU32(&x608, x602, x595, x579) - var x609 uint32 - cmovznzU32(&x609, x602, x597, x581) - var x610 uint32 - cmovznzU32(&x610, x602, x599, x583) - out1[0] = x603 - out1[1] = x604 - out1[2] = x605 - out1[3] = x606 - out1[4] = x607 - out1[5] = x608 - out1[6] = x609 - out1[7] = x610 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := 
arg1[5] + x6 := arg1[6] + x7 := arg1[7] + x8 := arg1[0] + var x9 uint32 + var x10 uint32 + x10, x9 = bits.Mul32(x8, 0x7a2) + var x11 uint32 + var x12 uint32 + x12, x11 = bits.Mul32(x8, 0xe90a1) + var x13 uint32 + var x14 uint1 + x13, x14 = addcarryxU32(x12, x9, 0x0) + var x15 uint32 + var x16 uint1 + x15, x16 = addcarryxU32(x10, x8, x14) + var x17 uint32 + _, x17 = bits.Mul32(x11, 0xd2253531) + var x19 uint32 + var x20 uint32 + x20, x19 = bits.Mul32(x17, 0xffffffff) + var x21 uint32 + var x22 uint32 + x22, x21 = bits.Mul32(x17, 0xffffffff) + var x23 uint32 + var x24 uint32 + x24, x23 = bits.Mul32(x17, 0xffffffff) + var x25 uint32 + var x26 uint32 + x26, x25 = bits.Mul32(x17, 0xffffffff) + var x27 uint32 + var x28 uint32 + x28, x27 = bits.Mul32(x17, 0xffffffff) + var x29 uint32 + var x30 uint32 + x30, x29 = bits.Mul32(x17, 0xffffffff) + var x31 uint32 + var x32 uint32 + x32, x31 = bits.Mul32(x17, 0xfffffffe) + var x33 uint32 + var x34 uint32 + x34, x33 = bits.Mul32(x17, 0xfffffc2f) + var x35 uint32 + var x36 uint1 + x35, x36 = addcarryxU32(x34, x31, 0x0) + var x37 uint32 + var x38 uint1 + x37, x38 = addcarryxU32(x32, x29, x36) + var x39 uint32 + var x40 uint1 + x39, x40 = addcarryxU32(x30, x27, x38) + var x41 uint32 + var x42 uint1 + x41, x42 = addcarryxU32(x28, x25, x40) + var x43 uint32 + var x44 uint1 + x43, x44 = addcarryxU32(x26, x23, x42) + var x45 uint32 + var x46 uint1 + x45, x46 = addcarryxU32(x24, x21, x44) + var x47 uint32 + var x48 uint1 + x47, x48 = addcarryxU32(x22, x19, x46) + var x50 uint1 + _, x50 = addcarryxU32(x11, x33, 0x0) + var x51 uint32 + var x52 uint1 + x51, x52 = addcarryxU32(x13, x35, x50) + var x53 uint32 + var x54 uint1 + x53, x54 = addcarryxU32(x15, x37, x52) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(uint32(x16), x39, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(uint32(0x0), x41, x56) + var x59 uint32 + var x60 uint1 + x59, x60 = addcarryxU32(uint32(0x0), x43, x58) + var x61 uint32 + var x62 uint1 + 
x61, x62 = addcarryxU32(uint32(0x0), x45, x60) + var x63 uint32 + var x64 uint1 + x63, x64 = addcarryxU32(uint32(0x0), x47, x62) + var x65 uint32 + var x66 uint1 + x65, x66 = addcarryxU32(uint32(0x0), (uint32(x48) + x20), x64) + var x67 uint32 + var x68 uint32 + x68, x67 = bits.Mul32(x1, 0x7a2) + var x69 uint32 + var x70 uint32 + x70, x69 = bits.Mul32(x1, 0xe90a1) + var x71 uint32 + var x72 uint1 + x71, x72 = addcarryxU32(x70, x67, 0x0) + var x73 uint32 + var x74 uint1 + x73, x74 = addcarryxU32(x68, x1, x72) + var x75 uint32 + var x76 uint1 + x75, x76 = addcarryxU32(x51, x69, 0x0) + var x77 uint32 + var x78 uint1 + x77, x78 = addcarryxU32(x53, x71, x76) + var x79 uint32 + var x80 uint1 + x79, x80 = addcarryxU32(x55, x73, x78) + var x81 uint32 + var x82 uint1 + x81, x82 = addcarryxU32(x57, uint32(x74), x80) + var x83 uint32 + var x84 uint1 + x83, x84 = addcarryxU32(x59, uint32(0x0), x82) + var x85 uint32 + var x86 uint1 + x85, x86 = addcarryxU32(x61, uint32(0x0), x84) + var x87 uint32 + var x88 uint1 + x87, x88 = addcarryxU32(x63, uint32(0x0), x86) + var x89 uint32 + var x90 uint1 + x89, x90 = addcarryxU32(x65, uint32(0x0), x88) + var x91 uint32 + _, x91 = bits.Mul32(x75, 0xd2253531) + var x93 uint32 + var x94 uint32 + x94, x93 = bits.Mul32(x91, 0xffffffff) + var x95 uint32 + var x96 uint32 + x96, x95 = bits.Mul32(x91, 0xffffffff) + var x97 uint32 + var x98 uint32 + x98, x97 = bits.Mul32(x91, 0xffffffff) + var x99 uint32 + var x100 uint32 + x100, x99 = bits.Mul32(x91, 0xffffffff) + var x101 uint32 + var x102 uint32 + x102, x101 = bits.Mul32(x91, 0xffffffff) + var x103 uint32 + var x104 uint32 + x104, x103 = bits.Mul32(x91, 0xffffffff) + var x105 uint32 + var x106 uint32 + x106, x105 = bits.Mul32(x91, 0xfffffffe) + var x107 uint32 + var x108 uint32 + x108, x107 = bits.Mul32(x91, 0xfffffc2f) + var x109 uint32 + var x110 uint1 + x109, x110 = addcarryxU32(x108, x105, 0x0) + var x111 uint32 + var x112 uint1 + x111, x112 = addcarryxU32(x106, x103, x110) + var x113 uint32 
+ var x114 uint1 + x113, x114 = addcarryxU32(x104, x101, x112) + var x115 uint32 + var x116 uint1 + x115, x116 = addcarryxU32(x102, x99, x114) + var x117 uint32 + var x118 uint1 + x117, x118 = addcarryxU32(x100, x97, x116) + var x119 uint32 + var x120 uint1 + x119, x120 = addcarryxU32(x98, x95, x118) + var x121 uint32 + var x122 uint1 + x121, x122 = addcarryxU32(x96, x93, x120) + var x124 uint1 + _, x124 = addcarryxU32(x75, x107, 0x0) + var x125 uint32 + var x126 uint1 + x125, x126 = addcarryxU32(x77, x109, x124) + var x127 uint32 + var x128 uint1 + x127, x128 = addcarryxU32(x79, x111, x126) + var x129 uint32 + var x130 uint1 + x129, x130 = addcarryxU32(x81, x113, x128) + var x131 uint32 + var x132 uint1 + x131, x132 = addcarryxU32(x83, x115, x130) + var x133 uint32 + var x134 uint1 + x133, x134 = addcarryxU32(x85, x117, x132) + var x135 uint32 + var x136 uint1 + x135, x136 = addcarryxU32(x87, x119, x134) + var x137 uint32 + var x138 uint1 + x137, x138 = addcarryxU32(x89, x121, x136) + var x139 uint32 + var x140 uint1 + x139, x140 = addcarryxU32((uint32(x90) + uint32(x66)), (uint32(x122) + x94), x138) + var x141 uint32 + var x142 uint32 + x142, x141 = bits.Mul32(x2, 0x7a2) + var x143 uint32 + var x144 uint32 + x144, x143 = bits.Mul32(x2, 0xe90a1) + var x145 uint32 + var x146 uint1 + x145, x146 = addcarryxU32(x144, x141, 0x0) + var x147 uint32 + var x148 uint1 + x147, x148 = addcarryxU32(x142, x2, x146) + var x149 uint32 + var x150 uint1 + x149, x150 = addcarryxU32(x125, x143, 0x0) + var x151 uint32 + var x152 uint1 + x151, x152 = addcarryxU32(x127, x145, x150) + var x153 uint32 + var x154 uint1 + x153, x154 = addcarryxU32(x129, x147, x152) + var x155 uint32 + var x156 uint1 + x155, x156 = addcarryxU32(x131, uint32(x148), x154) + var x157 uint32 + var x158 uint1 + x157, x158 = addcarryxU32(x133, uint32(0x0), x156) + var x159 uint32 + var x160 uint1 + x159, x160 = addcarryxU32(x135, uint32(0x0), x158) + var x161 uint32 + var x162 uint1 + x161, x162 = 
addcarryxU32(x137, uint32(0x0), x160) + var x163 uint32 + var x164 uint1 + x163, x164 = addcarryxU32(x139, uint32(0x0), x162) + var x165 uint32 + _, x165 = bits.Mul32(x149, 0xd2253531) + var x167 uint32 + var x168 uint32 + x168, x167 = bits.Mul32(x165, 0xffffffff) + var x169 uint32 + var x170 uint32 + x170, x169 = bits.Mul32(x165, 0xffffffff) + var x171 uint32 + var x172 uint32 + x172, x171 = bits.Mul32(x165, 0xffffffff) + var x173 uint32 + var x174 uint32 + x174, x173 = bits.Mul32(x165, 0xffffffff) + var x175 uint32 + var x176 uint32 + x176, x175 = bits.Mul32(x165, 0xffffffff) + var x177 uint32 + var x178 uint32 + x178, x177 = bits.Mul32(x165, 0xffffffff) + var x179 uint32 + var x180 uint32 + x180, x179 = bits.Mul32(x165, 0xfffffffe) + var x181 uint32 + var x182 uint32 + x182, x181 = bits.Mul32(x165, 0xfffffc2f) + var x183 uint32 + var x184 uint1 + x183, x184 = addcarryxU32(x182, x179, 0x0) + var x185 uint32 + var x186 uint1 + x185, x186 = addcarryxU32(x180, x177, x184) + var x187 uint32 + var x188 uint1 + x187, x188 = addcarryxU32(x178, x175, x186) + var x189 uint32 + var x190 uint1 + x189, x190 = addcarryxU32(x176, x173, x188) + var x191 uint32 + var x192 uint1 + x191, x192 = addcarryxU32(x174, x171, x190) + var x193 uint32 + var x194 uint1 + x193, x194 = addcarryxU32(x172, x169, x192) + var x195 uint32 + var x196 uint1 + x195, x196 = addcarryxU32(x170, x167, x194) + var x198 uint1 + _, x198 = addcarryxU32(x149, x181, 0x0) + var x199 uint32 + var x200 uint1 + x199, x200 = addcarryxU32(x151, x183, x198) + var x201 uint32 + var x202 uint1 + x201, x202 = addcarryxU32(x153, x185, x200) + var x203 uint32 + var x204 uint1 + x203, x204 = addcarryxU32(x155, x187, x202) + var x205 uint32 + var x206 uint1 + x205, x206 = addcarryxU32(x157, x189, x204) + var x207 uint32 + var x208 uint1 + x207, x208 = addcarryxU32(x159, x191, x206) + var x209 uint32 + var x210 uint1 + x209, x210 = addcarryxU32(x161, x193, x208) + var x211 uint32 + var x212 uint1 + x211, x212 = 
addcarryxU32(x163, x195, x210) + var x213 uint32 + var x214 uint1 + x213, x214 = addcarryxU32((uint32(x164) + uint32(x140)), (uint32(x196) + x168), x212) + var x215 uint32 + var x216 uint32 + x216, x215 = bits.Mul32(x3, 0x7a2) + var x217 uint32 + var x218 uint32 + x218, x217 = bits.Mul32(x3, 0xe90a1) + var x219 uint32 + var x220 uint1 + x219, x220 = addcarryxU32(x218, x215, 0x0) + var x221 uint32 + var x222 uint1 + x221, x222 = addcarryxU32(x216, x3, x220) + var x223 uint32 + var x224 uint1 + x223, x224 = addcarryxU32(x199, x217, 0x0) + var x225 uint32 + var x226 uint1 + x225, x226 = addcarryxU32(x201, x219, x224) + var x227 uint32 + var x228 uint1 + x227, x228 = addcarryxU32(x203, x221, x226) + var x229 uint32 + var x230 uint1 + x229, x230 = addcarryxU32(x205, uint32(x222), x228) + var x231 uint32 + var x232 uint1 + x231, x232 = addcarryxU32(x207, uint32(0x0), x230) + var x233 uint32 + var x234 uint1 + x233, x234 = addcarryxU32(x209, uint32(0x0), x232) + var x235 uint32 + var x236 uint1 + x235, x236 = addcarryxU32(x211, uint32(0x0), x234) + var x237 uint32 + var x238 uint1 + x237, x238 = addcarryxU32(x213, uint32(0x0), x236) + var x239 uint32 + _, x239 = bits.Mul32(x223, 0xd2253531) + var x241 uint32 + var x242 uint32 + x242, x241 = bits.Mul32(x239, 0xffffffff) + var x243 uint32 + var x244 uint32 + x244, x243 = bits.Mul32(x239, 0xffffffff) + var x245 uint32 + var x246 uint32 + x246, x245 = bits.Mul32(x239, 0xffffffff) + var x247 uint32 + var x248 uint32 + x248, x247 = bits.Mul32(x239, 0xffffffff) + var x249 uint32 + var x250 uint32 + x250, x249 = bits.Mul32(x239, 0xffffffff) + var x251 uint32 + var x252 uint32 + x252, x251 = bits.Mul32(x239, 0xffffffff) + var x253 uint32 + var x254 uint32 + x254, x253 = bits.Mul32(x239, 0xfffffffe) + var x255 uint32 + var x256 uint32 + x256, x255 = bits.Mul32(x239, 0xfffffc2f) + var x257 uint32 + var x258 uint1 + x257, x258 = addcarryxU32(x256, x253, 0x0) + var x259 uint32 + var x260 uint1 + x259, x260 = addcarryxU32(x254, x251, 
x258) + var x261 uint32 + var x262 uint1 + x261, x262 = addcarryxU32(x252, x249, x260) + var x263 uint32 + var x264 uint1 + x263, x264 = addcarryxU32(x250, x247, x262) + var x265 uint32 + var x266 uint1 + x265, x266 = addcarryxU32(x248, x245, x264) + var x267 uint32 + var x268 uint1 + x267, x268 = addcarryxU32(x246, x243, x266) + var x269 uint32 + var x270 uint1 + x269, x270 = addcarryxU32(x244, x241, x268) + var x272 uint1 + _, x272 = addcarryxU32(x223, x255, 0x0) + var x273 uint32 + var x274 uint1 + x273, x274 = addcarryxU32(x225, x257, x272) + var x275 uint32 + var x276 uint1 + x275, x276 = addcarryxU32(x227, x259, x274) + var x277 uint32 + var x278 uint1 + x277, x278 = addcarryxU32(x229, x261, x276) + var x279 uint32 + var x280 uint1 + x279, x280 = addcarryxU32(x231, x263, x278) + var x281 uint32 + var x282 uint1 + x281, x282 = addcarryxU32(x233, x265, x280) + var x283 uint32 + var x284 uint1 + x283, x284 = addcarryxU32(x235, x267, x282) + var x285 uint32 + var x286 uint1 + x285, x286 = addcarryxU32(x237, x269, x284) + var x287 uint32 + var x288 uint1 + x287, x288 = addcarryxU32((uint32(x238) + uint32(x214)), (uint32(x270) + x242), x286) + var x289 uint32 + var x290 uint32 + x290, x289 = bits.Mul32(x4, 0x7a2) + var x291 uint32 + var x292 uint32 + x292, x291 = bits.Mul32(x4, 0xe90a1) + var x293 uint32 + var x294 uint1 + x293, x294 = addcarryxU32(x292, x289, 0x0) + var x295 uint32 + var x296 uint1 + x295, x296 = addcarryxU32(x290, x4, x294) + var x297 uint32 + var x298 uint1 + x297, x298 = addcarryxU32(x273, x291, 0x0) + var x299 uint32 + var x300 uint1 + x299, x300 = addcarryxU32(x275, x293, x298) + var x301 uint32 + var x302 uint1 + x301, x302 = addcarryxU32(x277, x295, x300) + var x303 uint32 + var x304 uint1 + x303, x304 = addcarryxU32(x279, uint32(x296), x302) + var x305 uint32 + var x306 uint1 + x305, x306 = addcarryxU32(x281, uint32(0x0), x304) + var x307 uint32 + var x308 uint1 + x307, x308 = addcarryxU32(x283, uint32(0x0), x306) + var x309 uint32 + var 
x310 uint1 + x309, x310 = addcarryxU32(x285, uint32(0x0), x308) + var x311 uint32 + var x312 uint1 + x311, x312 = addcarryxU32(x287, uint32(0x0), x310) + var x313 uint32 + _, x313 = bits.Mul32(x297, 0xd2253531) + var x315 uint32 + var x316 uint32 + x316, x315 = bits.Mul32(x313, 0xffffffff) + var x317 uint32 + var x318 uint32 + x318, x317 = bits.Mul32(x313, 0xffffffff) + var x319 uint32 + var x320 uint32 + x320, x319 = bits.Mul32(x313, 0xffffffff) + var x321 uint32 + var x322 uint32 + x322, x321 = bits.Mul32(x313, 0xffffffff) + var x323 uint32 + var x324 uint32 + x324, x323 = bits.Mul32(x313, 0xffffffff) + var x325 uint32 + var x326 uint32 + x326, x325 = bits.Mul32(x313, 0xffffffff) + var x327 uint32 + var x328 uint32 + x328, x327 = bits.Mul32(x313, 0xfffffffe) + var x329 uint32 + var x330 uint32 + x330, x329 = bits.Mul32(x313, 0xfffffc2f) + var x331 uint32 + var x332 uint1 + x331, x332 = addcarryxU32(x330, x327, 0x0) + var x333 uint32 + var x334 uint1 + x333, x334 = addcarryxU32(x328, x325, x332) + var x335 uint32 + var x336 uint1 + x335, x336 = addcarryxU32(x326, x323, x334) + var x337 uint32 + var x338 uint1 + x337, x338 = addcarryxU32(x324, x321, x336) + var x339 uint32 + var x340 uint1 + x339, x340 = addcarryxU32(x322, x319, x338) + var x341 uint32 + var x342 uint1 + x341, x342 = addcarryxU32(x320, x317, x340) + var x343 uint32 + var x344 uint1 + x343, x344 = addcarryxU32(x318, x315, x342) + var x346 uint1 + _, x346 = addcarryxU32(x297, x329, 0x0) + var x347 uint32 + var x348 uint1 + x347, x348 = addcarryxU32(x299, x331, x346) + var x349 uint32 + var x350 uint1 + x349, x350 = addcarryxU32(x301, x333, x348) + var x351 uint32 + var x352 uint1 + x351, x352 = addcarryxU32(x303, x335, x350) + var x353 uint32 + var x354 uint1 + x353, x354 = addcarryxU32(x305, x337, x352) + var x355 uint32 + var x356 uint1 + x355, x356 = addcarryxU32(x307, x339, x354) + var x357 uint32 + var x358 uint1 + x357, x358 = addcarryxU32(x309, x341, x356) + var x359 uint32 + var x360 uint1 + 
x359, x360 = addcarryxU32(x311, x343, x358) + var x361 uint32 + var x362 uint1 + x361, x362 = addcarryxU32((uint32(x312) + uint32(x288)), (uint32(x344) + x316), x360) + var x363 uint32 + var x364 uint32 + x364, x363 = bits.Mul32(x5, 0x7a2) + var x365 uint32 + var x366 uint32 + x366, x365 = bits.Mul32(x5, 0xe90a1) + var x367 uint32 + var x368 uint1 + x367, x368 = addcarryxU32(x366, x363, 0x0) + var x369 uint32 + var x370 uint1 + x369, x370 = addcarryxU32(x364, x5, x368) + var x371 uint32 + var x372 uint1 + x371, x372 = addcarryxU32(x347, x365, 0x0) + var x373 uint32 + var x374 uint1 + x373, x374 = addcarryxU32(x349, x367, x372) + var x375 uint32 + var x376 uint1 + x375, x376 = addcarryxU32(x351, x369, x374) + var x377 uint32 + var x378 uint1 + x377, x378 = addcarryxU32(x353, uint32(x370), x376) + var x379 uint32 + var x380 uint1 + x379, x380 = addcarryxU32(x355, uint32(0x0), x378) + var x381 uint32 + var x382 uint1 + x381, x382 = addcarryxU32(x357, uint32(0x0), x380) + var x383 uint32 + var x384 uint1 + x383, x384 = addcarryxU32(x359, uint32(0x0), x382) + var x385 uint32 + var x386 uint1 + x385, x386 = addcarryxU32(x361, uint32(0x0), x384) + var x387 uint32 + _, x387 = bits.Mul32(x371, 0xd2253531) + var x389 uint32 + var x390 uint32 + x390, x389 = bits.Mul32(x387, 0xffffffff) + var x391 uint32 + var x392 uint32 + x392, x391 = bits.Mul32(x387, 0xffffffff) + var x393 uint32 + var x394 uint32 + x394, x393 = bits.Mul32(x387, 0xffffffff) + var x395 uint32 + var x396 uint32 + x396, x395 = bits.Mul32(x387, 0xffffffff) + var x397 uint32 + var x398 uint32 + x398, x397 = bits.Mul32(x387, 0xffffffff) + var x399 uint32 + var x400 uint32 + x400, x399 = bits.Mul32(x387, 0xffffffff) + var x401 uint32 + var x402 uint32 + x402, x401 = bits.Mul32(x387, 0xfffffffe) + var x403 uint32 + var x404 uint32 + x404, x403 = bits.Mul32(x387, 0xfffffc2f) + var x405 uint32 + var x406 uint1 + x405, x406 = addcarryxU32(x404, x401, 0x0) + var x407 uint32 + var x408 uint1 + x407, x408 = 
addcarryxU32(x402, x399, x406) + var x409 uint32 + var x410 uint1 + x409, x410 = addcarryxU32(x400, x397, x408) + var x411 uint32 + var x412 uint1 + x411, x412 = addcarryxU32(x398, x395, x410) + var x413 uint32 + var x414 uint1 + x413, x414 = addcarryxU32(x396, x393, x412) + var x415 uint32 + var x416 uint1 + x415, x416 = addcarryxU32(x394, x391, x414) + var x417 uint32 + var x418 uint1 + x417, x418 = addcarryxU32(x392, x389, x416) + var x420 uint1 + _, x420 = addcarryxU32(x371, x403, 0x0) + var x421 uint32 + var x422 uint1 + x421, x422 = addcarryxU32(x373, x405, x420) + var x423 uint32 + var x424 uint1 + x423, x424 = addcarryxU32(x375, x407, x422) + var x425 uint32 + var x426 uint1 + x425, x426 = addcarryxU32(x377, x409, x424) + var x427 uint32 + var x428 uint1 + x427, x428 = addcarryxU32(x379, x411, x426) + var x429 uint32 + var x430 uint1 + x429, x430 = addcarryxU32(x381, x413, x428) + var x431 uint32 + var x432 uint1 + x431, x432 = addcarryxU32(x383, x415, x430) + var x433 uint32 + var x434 uint1 + x433, x434 = addcarryxU32(x385, x417, x432) + var x435 uint32 + var x436 uint1 + x435, x436 = addcarryxU32((uint32(x386) + uint32(x362)), (uint32(x418) + x390), x434) + var x437 uint32 + var x438 uint32 + x438, x437 = bits.Mul32(x6, 0x7a2) + var x439 uint32 + var x440 uint32 + x440, x439 = bits.Mul32(x6, 0xe90a1) + var x441 uint32 + var x442 uint1 + x441, x442 = addcarryxU32(x440, x437, 0x0) + var x443 uint32 + var x444 uint1 + x443, x444 = addcarryxU32(x438, x6, x442) + var x445 uint32 + var x446 uint1 + x445, x446 = addcarryxU32(x421, x439, 0x0) + var x447 uint32 + var x448 uint1 + x447, x448 = addcarryxU32(x423, x441, x446) + var x449 uint32 + var x450 uint1 + x449, x450 = addcarryxU32(x425, x443, x448) + var x451 uint32 + var x452 uint1 + x451, x452 = addcarryxU32(x427, uint32(x444), x450) + var x453 uint32 + var x454 uint1 + x453, x454 = addcarryxU32(x429, uint32(0x0), x452) + var x455 uint32 + var x456 uint1 + x455, x456 = addcarryxU32(x431, uint32(0x0), x454) 
+ var x457 uint32 + var x458 uint1 + x457, x458 = addcarryxU32(x433, uint32(0x0), x456) + var x459 uint32 + var x460 uint1 + x459, x460 = addcarryxU32(x435, uint32(0x0), x458) + var x461 uint32 + _, x461 = bits.Mul32(x445, 0xd2253531) + var x463 uint32 + var x464 uint32 + x464, x463 = bits.Mul32(x461, 0xffffffff) + var x465 uint32 + var x466 uint32 + x466, x465 = bits.Mul32(x461, 0xffffffff) + var x467 uint32 + var x468 uint32 + x468, x467 = bits.Mul32(x461, 0xffffffff) + var x469 uint32 + var x470 uint32 + x470, x469 = bits.Mul32(x461, 0xffffffff) + var x471 uint32 + var x472 uint32 + x472, x471 = bits.Mul32(x461, 0xffffffff) + var x473 uint32 + var x474 uint32 + x474, x473 = bits.Mul32(x461, 0xffffffff) + var x475 uint32 + var x476 uint32 + x476, x475 = bits.Mul32(x461, 0xfffffffe) + var x477 uint32 + var x478 uint32 + x478, x477 = bits.Mul32(x461, 0xfffffc2f) + var x479 uint32 + var x480 uint1 + x479, x480 = addcarryxU32(x478, x475, 0x0) + var x481 uint32 + var x482 uint1 + x481, x482 = addcarryxU32(x476, x473, x480) + var x483 uint32 + var x484 uint1 + x483, x484 = addcarryxU32(x474, x471, x482) + var x485 uint32 + var x486 uint1 + x485, x486 = addcarryxU32(x472, x469, x484) + var x487 uint32 + var x488 uint1 + x487, x488 = addcarryxU32(x470, x467, x486) + var x489 uint32 + var x490 uint1 + x489, x490 = addcarryxU32(x468, x465, x488) + var x491 uint32 + var x492 uint1 + x491, x492 = addcarryxU32(x466, x463, x490) + var x494 uint1 + _, x494 = addcarryxU32(x445, x477, 0x0) + var x495 uint32 + var x496 uint1 + x495, x496 = addcarryxU32(x447, x479, x494) + var x497 uint32 + var x498 uint1 + x497, x498 = addcarryxU32(x449, x481, x496) + var x499 uint32 + var x500 uint1 + x499, x500 = addcarryxU32(x451, x483, x498) + var x501 uint32 + var x502 uint1 + x501, x502 = addcarryxU32(x453, x485, x500) + var x503 uint32 + var x504 uint1 + x503, x504 = addcarryxU32(x455, x487, x502) + var x505 uint32 + var x506 uint1 + x505, x506 = addcarryxU32(x457, x489, x504) + var x507 
uint32 + var x508 uint1 + x507, x508 = addcarryxU32(x459, x491, x506) + var x509 uint32 + var x510 uint1 + x509, x510 = addcarryxU32((uint32(x460) + uint32(x436)), (uint32(x492) + x464), x508) + var x511 uint32 + var x512 uint32 + x512, x511 = bits.Mul32(x7, 0x7a2) + var x513 uint32 + var x514 uint32 + x514, x513 = bits.Mul32(x7, 0xe90a1) + var x515 uint32 + var x516 uint1 + x515, x516 = addcarryxU32(x514, x511, 0x0) + var x517 uint32 + var x518 uint1 + x517, x518 = addcarryxU32(x512, x7, x516) + var x519 uint32 + var x520 uint1 + x519, x520 = addcarryxU32(x495, x513, 0x0) + var x521 uint32 + var x522 uint1 + x521, x522 = addcarryxU32(x497, x515, x520) + var x523 uint32 + var x524 uint1 + x523, x524 = addcarryxU32(x499, x517, x522) + var x525 uint32 + var x526 uint1 + x525, x526 = addcarryxU32(x501, uint32(x518), x524) + var x527 uint32 + var x528 uint1 + x527, x528 = addcarryxU32(x503, uint32(0x0), x526) + var x529 uint32 + var x530 uint1 + x529, x530 = addcarryxU32(x505, uint32(0x0), x528) + var x531 uint32 + var x532 uint1 + x531, x532 = addcarryxU32(x507, uint32(0x0), x530) + var x533 uint32 + var x534 uint1 + x533, x534 = addcarryxU32(x509, uint32(0x0), x532) + var x535 uint32 + _, x535 = bits.Mul32(x519, 0xd2253531) + var x537 uint32 + var x538 uint32 + x538, x537 = bits.Mul32(x535, 0xffffffff) + var x539 uint32 + var x540 uint32 + x540, x539 = bits.Mul32(x535, 0xffffffff) + var x541 uint32 + var x542 uint32 + x542, x541 = bits.Mul32(x535, 0xffffffff) + var x543 uint32 + var x544 uint32 + x544, x543 = bits.Mul32(x535, 0xffffffff) + var x545 uint32 + var x546 uint32 + x546, x545 = bits.Mul32(x535, 0xffffffff) + var x547 uint32 + var x548 uint32 + x548, x547 = bits.Mul32(x535, 0xffffffff) + var x549 uint32 + var x550 uint32 + x550, x549 = bits.Mul32(x535, 0xfffffffe) + var x551 uint32 + var x552 uint32 + x552, x551 = bits.Mul32(x535, 0xfffffc2f) + var x553 uint32 + var x554 uint1 + x553, x554 = addcarryxU32(x552, x549, 0x0) + var x555 uint32 + var x556 uint1 + 
x555, x556 = addcarryxU32(x550, x547, x554) + var x557 uint32 + var x558 uint1 + x557, x558 = addcarryxU32(x548, x545, x556) + var x559 uint32 + var x560 uint1 + x559, x560 = addcarryxU32(x546, x543, x558) + var x561 uint32 + var x562 uint1 + x561, x562 = addcarryxU32(x544, x541, x560) + var x563 uint32 + var x564 uint1 + x563, x564 = addcarryxU32(x542, x539, x562) + var x565 uint32 + var x566 uint1 + x565, x566 = addcarryxU32(x540, x537, x564) + var x568 uint1 + _, x568 = addcarryxU32(x519, x551, 0x0) + var x569 uint32 + var x570 uint1 + x569, x570 = addcarryxU32(x521, x553, x568) + var x571 uint32 + var x572 uint1 + x571, x572 = addcarryxU32(x523, x555, x570) + var x573 uint32 + var x574 uint1 + x573, x574 = addcarryxU32(x525, x557, x572) + var x575 uint32 + var x576 uint1 + x575, x576 = addcarryxU32(x527, x559, x574) + var x577 uint32 + var x578 uint1 + x577, x578 = addcarryxU32(x529, x561, x576) + var x579 uint32 + var x580 uint1 + x579, x580 = addcarryxU32(x531, x563, x578) + var x581 uint32 + var x582 uint1 + x581, x582 = addcarryxU32(x533, x565, x580) + var x583 uint32 + var x584 uint1 + x583, x584 = addcarryxU32((uint32(x534) + uint32(x510)), (uint32(x566) + x538), x582) + var x585 uint32 + var x586 uint1 + x585, x586 = subborrowxU32(x569, 0xfffffc2f, 0x0) + var x587 uint32 + var x588 uint1 + x587, x588 = subborrowxU32(x571, 0xfffffffe, x586) + var x589 uint32 + var x590 uint1 + x589, x590 = subborrowxU32(x573, 0xffffffff, x588) + var x591 uint32 + var x592 uint1 + x591, x592 = subborrowxU32(x575, 0xffffffff, x590) + var x593 uint32 + var x594 uint1 + x593, x594 = subborrowxU32(x577, 0xffffffff, x592) + var x595 uint32 + var x596 uint1 + x595, x596 = subborrowxU32(x579, 0xffffffff, x594) + var x597 uint32 + var x598 uint1 + x597, x598 = subborrowxU32(x581, 0xffffffff, x596) + var x599 uint32 + var x600 uint1 + x599, x600 = subborrowxU32(x583, 0xffffffff, x598) + var x602 uint1 + _, x602 = subborrowxU32(uint32(x584), uint32(0x0), x600) + var x603 uint32 + 
cmovznzU32(&x603, x602, x585, x569) + var x604 uint32 + cmovznzU32(&x604, x602, x587, x571) + var x605 uint32 + cmovznzU32(&x605, x602, x589, x573) + var x606 uint32 + cmovznzU32(&x606, x602, x591, x575) + var x607 uint32 + cmovznzU32(&x607, x602, x593, x577) + var x608 uint32 + cmovznzU32(&x608, x602, x595, x579) + var x609 uint32 + cmovznzU32(&x609, x602, x597, x581) + var x610 uint32 + cmovznzU32(&x610, x602, x599, x583) + out1[0] = x603 + out1[1] = x604 + out1[2] = x605 + out1[3] = x606 + out1[4] = x607 + out1[5] = x608 + out1[6] = x609 + out1[7] = x610 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] func Nonzero(out1 *uint32, arg1 *[8]uint32) { - var x1 uint32 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | (arg1[3] | (arg1[4] | (arg1[5] | (arg1[6] | arg1[7]))))))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. +// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Selectznz(out1 *[8]uint32, arg1 uint1, arg2 *[8]uint32, arg3 *[8]uint32) { - var x1 uint32 - cmovznzU32(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint32 - cmovznzU32(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint32 - cmovznzU32(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint32 - cmovznzU32(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint32 - cmovznzU32(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint32 - cmovznzU32(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint32 - cmovznzU32(&x7, arg1, (arg2[6]), (arg3[6])) - var x8 uint32 - cmovznzU32(&x8, arg1, (arg2[7]), (arg3[7])) - 
out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 + var x1 uint32 + cmovznzU32(&x1, arg1, arg2[0], arg3[0]) + var x2 uint32 + cmovznzU32(&x2, arg1, arg2[1], arg3[1]) + var x3 uint32 + cmovznzU32(&x3, arg1, arg2[2], arg3[2]) + var x4 uint32 + cmovznzU32(&x4, arg1, arg2[3], arg3[3]) + var x5 uint32 + cmovznzU32(&x5, arg1, arg2[4], arg3[4]) + var x6 uint32 + cmovznzU32(&x6, arg1, arg2[5], arg3[5]) + var x7 uint32 + cmovznzU32(&x7, arg1, arg2[6], arg3[6]) + var x8 uint32 + cmovznzU32(&x8, arg1, arg2[7], arg3[7]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[32]uint8, arg1 *[8]uint32) { - var x1 uint32 = (arg1[7]) - var x2 uint32 = (arg1[6]) - var x3 uint32 = (arg1[5]) - var x4 uint32 = (arg1[4]) - var x5 uint32 = (arg1[3]) - var x6 uint32 = (arg1[2]) - var x7 uint32 = (arg1[1]) - var x8 uint32 = (arg1[0]) - var x9 uint8 = (uint8(x8) & 0xff) - var x10 uint32 = (x8 >> 8) - var x11 uint8 = (uint8(x10) & 0xff) - var x12 uint32 = (x10 >> 8) - var x13 uint8 = (uint8(x12) & 0xff) - var x14 uint8 = uint8((x12 >> 8)) - var x15 uint8 = (uint8(x7) & 0xff) - var x16 uint32 = (x7 >> 8) - var x17 uint8 = (uint8(x16) & 0xff) - var x18 uint32 = (x16 >> 8) - var x19 uint8 = (uint8(x18) & 0xff) - var x20 uint8 = uint8((x18 >> 8)) - var x21 uint8 = (uint8(x6) & 0xff) - var x22 uint32 = (x6 >> 8) - var x23 uint8 = (uint8(x22) & 0xff) - var x24 uint32 = (x22 >> 8) - var x25 uint8 = (uint8(x24) & 0xff) - var x26 uint8 = uint8((x24 >> 8)) - var x27 uint8 = (uint8(x5) & 0xff) - var x28 uint32 = (x5 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint32 = (x28 >> 8) - var x31 uint8 = (uint8(x30) & 0xff) - var x32 uint8 = uint8((x30 >> 8)) - var x33 uint8 = (uint8(x4) & 
0xff) - var x34 uint32 = (x4 >> 8) - var x35 uint8 = (uint8(x34) & 0xff) - var x36 uint32 = (x34 >> 8) - var x37 uint8 = (uint8(x36) & 0xff) - var x38 uint8 = uint8((x36 >> 8)) - var x39 uint8 = (uint8(x3) & 0xff) - var x40 uint32 = (x3 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint32 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint8 = uint8((x42 >> 8)) - var x45 uint8 = (uint8(x2) & 0xff) - var x46 uint32 = (x2 >> 8) - var x47 uint8 = (uint8(x46) & 0xff) - var x48 uint32 = (x46 >> 8) - var x49 uint8 = (uint8(x48) & 0xff) - var x50 uint8 = uint8((x48 >> 8)) - var x51 uint8 = (uint8(x1) & 0xff) - var x52 uint32 = (x1 >> 8) - var x53 uint8 = (uint8(x52) & 0xff) - var x54 uint32 = (x52 >> 8) - var x55 uint8 = (uint8(x54) & 0xff) - var x56 uint8 = uint8((x54 >> 8)) - out1[0] = x9 - out1[1] = x11 - out1[2] = x13 - out1[3] = x14 - out1[4] = x15 - out1[5] = x17 - out1[6] = x19 - out1[7] = x20 - out1[8] = x21 - out1[9] = x23 - out1[10] = x25 - out1[11] = x26 - out1[12] = x27 - out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x38 - out1[20] = x39 - out1[21] = x41 - out1[22] = x43 - out1[23] = x44 - out1[24] = x45 - out1[25] = x47 - out1[26] = x49 - out1[27] = x50 - out1[28] = x51 - out1[29] = x53 - out1[30] = x55 - out1[31] = x56 + x1 := arg1[7] + x2 := arg1[6] + x3 := arg1[5] + x4 := arg1[4] + x5 := arg1[3] + x6 := arg1[2] + x7 := arg1[1] + x8 := arg1[0] + x9 := (uint8(x8) & 0xff) + x10 := (x8 >> 8) + x11 := (uint8(x10) & 0xff) + x12 := (x10 >> 8) + x13 := (uint8(x12) & 0xff) + x14 := uint8((x12 >> 8)) + x15 := (uint8(x7) & 0xff) + x16 := (x7 >> 8) + x17 := (uint8(x16) & 0xff) + x18 := (x16 >> 8) + x19 := (uint8(x18) & 0xff) + x20 := uint8((x18 >> 8)) + x21 := (uint8(x6) & 0xff) + x22 := (x6 >> 8) + x23 := (uint8(x22) & 0xff) + x24 := (x22 >> 8) + x25 := (uint8(x24) & 0xff) + x26 := uint8((x24 >> 8)) + x27 := (uint8(x5) & 0xff) + x28 := (x5 >> 8) + x29 := (uint8(x28) & 0xff) + x30 
:= (x28 >> 8) + x31 := (uint8(x30) & 0xff) + x32 := uint8((x30 >> 8)) + x33 := (uint8(x4) & 0xff) + x34 := (x4 >> 8) + x35 := (uint8(x34) & 0xff) + x36 := (x34 >> 8) + x37 := (uint8(x36) & 0xff) + x38 := uint8((x36 >> 8)) + x39 := (uint8(x3) & 0xff) + x40 := (x3 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := (uint8(x42) & 0xff) + x44 := uint8((x42 >> 8)) + x45 := (uint8(x2) & 0xff) + x46 := (x2 >> 8) + x47 := (uint8(x46) & 0xff) + x48 := (x46 >> 8) + x49 := (uint8(x48) & 0xff) + x50 := uint8((x48 >> 8)) + x51 := (uint8(x1) & 0xff) + x52 := (x1 >> 8) + x53 := (uint8(x52) & 0xff) + x54 := (x52 >> 8) + x55 := (uint8(x54) & 0xff) + x56 := uint8((x54 >> 8)) + out1[0] = x9 + out1[1] = x11 + out1[2] = x13 + out1[3] = x14 + out1[4] = x15 + out1[5] = x17 + out1[6] = x19 + out1[7] = x20 + out1[8] = x21 + out1[9] = x23 + out1[10] = x25 + out1[11] = x26 + out1[12] = x27 + out1[13] = x29 + out1[14] = x31 + out1[15] = x32 + out1[16] = x33 + out1[17] = x35 + out1[18] = x37 + out1[19] = x38 + out1[20] = x39 + out1[21] = x41 + out1[22] = x43 + out1[23] = x44 + out1[24] = x45 + out1[25] = x47 + out1[26] = x49 + out1[27] = x50 + out1[28] = x51 + out1[29] = x53 + out1[30] = x55 + out1[31] = x56 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
- Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func FromBytes(out1 *[8]uint32, arg1 *[32]uint8) { - var x1 uint32 = (uint32((arg1[31])) << 24) - var x2 uint32 = (uint32((arg1[30])) << 16) - var x3 uint32 = (uint32((arg1[29])) << 8) - var x4 uint8 = 
(arg1[28]) - var x5 uint32 = (uint32((arg1[27])) << 24) - var x6 uint32 = (uint32((arg1[26])) << 16) - var x7 uint32 = (uint32((arg1[25])) << 8) - var x8 uint8 = (arg1[24]) - var x9 uint32 = (uint32((arg1[23])) << 24) - var x10 uint32 = (uint32((arg1[22])) << 16) - var x11 uint32 = (uint32((arg1[21])) << 8) - var x12 uint8 = (arg1[20]) - var x13 uint32 = (uint32((arg1[19])) << 24) - var x14 uint32 = (uint32((arg1[18])) << 16) - var x15 uint32 = (uint32((arg1[17])) << 8) - var x16 uint8 = (arg1[16]) - var x17 uint32 = (uint32((arg1[15])) << 24) - var x18 uint32 = (uint32((arg1[14])) << 16) - var x19 uint32 = (uint32((arg1[13])) << 8) - var x20 uint8 = (arg1[12]) - var x21 uint32 = (uint32((arg1[11])) << 24) - var x22 uint32 = (uint32((arg1[10])) << 16) - var x23 uint32 = (uint32((arg1[9])) << 8) - var x24 uint8 = (arg1[8]) - var x25 uint32 = (uint32((arg1[7])) << 24) - var x26 uint32 = (uint32((arg1[6])) << 16) - var x27 uint32 = (uint32((arg1[5])) << 8) - var x28 uint8 = (arg1[4]) - var x29 uint32 = (uint32((arg1[3])) << 24) - var x30 uint32 = (uint32((arg1[2])) << 16) - var x31 uint32 = (uint32((arg1[1])) << 8) - var x32 uint8 = (arg1[0]) - var x33 uint32 = (x31 + uint32(x32)) - var x34 uint32 = (x30 + x33) - var x35 uint32 = (x29 + x34) - var x36 uint32 = (x27 + uint32(x28)) - var x37 uint32 = (x26 + x36) - var x38 uint32 = (x25 + x37) - var x39 uint32 = (x23 + uint32(x24)) - var x40 uint32 = (x22 + x39) - var x41 uint32 = (x21 + x40) - var x42 uint32 = (x19 + uint32(x20)) - var x43 uint32 = (x18 + x42) - var x44 uint32 = (x17 + x43) - var x45 uint32 = (x15 + uint32(x16)) - var x46 uint32 = (x14 + x45) - var x47 uint32 = (x13 + x46) - var x48 uint32 = (x11 + uint32(x12)) - var x49 uint32 = (x10 + x48) - var x50 uint32 = (x9 + x49) - var x51 uint32 = (x7 + uint32(x8)) - var x52 uint32 = (x6 + x51) - var x53 uint32 = (x5 + x52) - var x54 uint32 = (x3 + uint32(x4)) - var x55 uint32 = (x2 + x54) - var x56 uint32 = (x1 + x55) - out1[0] = x35 - out1[1] = x38 - out1[2] 
= x41 - out1[3] = x44 - out1[4] = x47 - out1[5] = x50 - out1[6] = x53 - out1[7] = x56 + x1 := (uint32(arg1[31]) << 24) + x2 := (uint32(arg1[30]) << 16) + x3 := (uint32(arg1[29]) << 8) + x4 := arg1[28] + x5 := (uint32(arg1[27]) << 24) + x6 := (uint32(arg1[26]) << 16) + x7 := (uint32(arg1[25]) << 8) + x8 := arg1[24] + x9 := (uint32(arg1[23]) << 24) + x10 := (uint32(arg1[22]) << 16) + x11 := (uint32(arg1[21]) << 8) + x12 := arg1[20] + x13 := (uint32(arg1[19]) << 24) + x14 := (uint32(arg1[18]) << 16) + x15 := (uint32(arg1[17]) << 8) + x16 := arg1[16] + x17 := (uint32(arg1[15]) << 24) + x18 := (uint32(arg1[14]) << 16) + x19 := (uint32(arg1[13]) << 8) + x20 := arg1[12] + x21 := (uint32(arg1[11]) << 24) + x22 := (uint32(arg1[10]) << 16) + x23 := (uint32(arg1[9]) << 8) + x24 := arg1[8] + x25 := (uint32(arg1[7]) << 24) + x26 := (uint32(arg1[6]) << 16) + x27 := (uint32(arg1[5]) << 8) + x28 := arg1[4] + x29 := (uint32(arg1[3]) << 24) + x30 := (uint32(arg1[2]) << 16) + x31 := (uint32(arg1[1]) << 8) + x32 := arg1[0] + x33 := (x31 + uint32(x32)) + x34 := (x30 + x33) + x35 := (x29 + x34) + x36 := (x27 + uint32(x28)) + x37 := (x26 + x36) + x38 := (x25 + x37) + x39 := (x23 + uint32(x24)) + x40 := (x22 + x39) + x41 := (x21 + x40) + x42 := (x19 + uint32(x20)) + x43 := (x18 + x42) + x44 := (x17 + x43) + x45 := (x15 + uint32(x16)) + x46 := (x14 + x45) + x47 := (x13 + x46) + x48 := (x11 + uint32(x12)) + x49 := (x10 + x48) + x50 := (x9 + x49) + x51 := (x7 + uint32(x8)) + x52 := (x6 + x51) + x53 := (x5 + x52) + x54 := (x3 + uint32(x4)) + x55 := (x2 + x54) + x56 := (x1 + x55) + out1[0] = x35 + out1[1] = x38 + out1[2] = x41 + out1[3] = x44 + out1[4] = x47 + out1[5] = x50 + out1[6] = x53 + out1[7] = x56 } -/* - The function SetOne returns the field element one in the Montgomery domain. 
- Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. +// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func SetOne(out1 *[8]uint32) { - out1[0] = 0x3d1 - out1[1] = uint32(0x1) - out1[2] = uint32(0x0) - out1[3] = uint32(0x0) - out1[4] = uint32(0x0) - out1[5] = uint32(0x0) - out1[6] = uint32(0x0) - out1[7] = uint32(0x0) + out1[0] = 0x3d1 + out1[1] = uint32(0x1) + out1[2] = uint32(0x0) + out1[3] = uint32(0x0) + out1[4] = uint32(0x0) + out1[5] = uint32(0x0) + out1[6] = uint32(0x0) + out1[7] = uint32(0x0) } -/* - The function Msat returns the saturated representation of the prime modulus. - Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. 
+// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Msat(out1 *[9]uint32) { - out1[0] = 0xfffffc2f - out1[1] = 0xfffffffe - out1[2] = 0xffffffff - out1[3] = 0xffffffff - out1[4] = 0xffffffff - out1[5] = 0xffffffff - out1[6] = 0xffffffff - out1[7] = 0xffffffff - out1[8] = uint32(0x0) + out1[0] = 0xfffffc2f + out1[1] = 0xfffffffe + out1[2] = 0xffffffff + out1[3] = 0xffffffff + out1[4] = 0xffffffff + out1[5] = 0xffffffff + out1[6] = 0xffffffff + out1[7] = 0xffffffff + out1[8] = uint32(0x0) } -/* - The function Divstep computes a divstep. - Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffff] - arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 
~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffff] - out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. 
+// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffff] +// arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffff] +// out2: [[0x0 ~> 
0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] +// out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func Divstep(out1 *uint32, out2 *[9]uint32, out3 *[9]uint32, out4 *[8]uint32, out5 *[8]uint32, arg1 uint32, arg2 *[9]uint32, arg3 *[9]uint32, arg4 *[8]uint32, arg5 *[8]uint32) { - var x1 uint32 - x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 31)) & (uint1((arg3[0])) & 0x1)) - var x4 uint32 - x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) - var x6 uint32 - cmovznzU32(&x6, x3, arg1, x4) - var x7 uint32 - cmovznzU32(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint32 - cmovznzU32(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint32 - cmovznzU32(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint32 - cmovznzU32(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint32 - cmovznzU32(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint32 - cmovznzU32(&x12, x3, (arg2[5]), (arg3[5])) - var x13 uint32 - cmovznzU32(&x13, x3, (arg2[6]), (arg3[6])) - var x14 uint32 - cmovznzU32(&x14, x3, (arg2[7]), (arg3[7])) - var x15 uint32 - cmovznzU32(&x15, x3, (arg2[8]), (arg3[8])) - var x16 uint32 - var x17 uint1 - x16, x17 = addcarryxU32(uint32(0x1), (^(arg2[0])), 0x0) - var x18 uint32 - var x19 uint1 - x18, x19 = addcarryxU32(uint32(0x0), (^(arg2[1])), x17) - var x20 uint32 - var x21 uint1 - x20, x21 = addcarryxU32(uint32(0x0), (^(arg2[2])), x19) - var x22 
uint32 - var x23 uint1 - x22, x23 = addcarryxU32(uint32(0x0), (^(arg2[3])), x21) - var x24 uint32 - var x25 uint1 - x24, x25 = addcarryxU32(uint32(0x0), (^(arg2[4])), x23) - var x26 uint32 - var x27 uint1 - x26, x27 = addcarryxU32(uint32(0x0), (^(arg2[5])), x25) - var x28 uint32 - var x29 uint1 - x28, x29 = addcarryxU32(uint32(0x0), (^(arg2[6])), x27) - var x30 uint32 - var x31 uint1 - x30, x31 = addcarryxU32(uint32(0x0), (^(arg2[7])), x29) - var x32 uint32 - x32, _ = addcarryxU32(uint32(0x0), (^(arg2[8])), x31) - var x34 uint32 - cmovznzU32(&x34, x3, (arg3[0]), x16) - var x35 uint32 - cmovznzU32(&x35, x3, (arg3[1]), x18) - var x36 uint32 - cmovznzU32(&x36, x3, (arg3[2]), x20) - var x37 uint32 - cmovznzU32(&x37, x3, (arg3[3]), x22) - var x38 uint32 - cmovznzU32(&x38, x3, (arg3[4]), x24) - var x39 uint32 - cmovznzU32(&x39, x3, (arg3[5]), x26) - var x40 uint32 - cmovznzU32(&x40, x3, (arg3[6]), x28) - var x41 uint32 - cmovznzU32(&x41, x3, (arg3[7]), x30) - var x42 uint32 - cmovznzU32(&x42, x3, (arg3[8]), x32) - var x43 uint32 - cmovznzU32(&x43, x3, (arg4[0]), (arg5[0])) - var x44 uint32 - cmovznzU32(&x44, x3, (arg4[1]), (arg5[1])) - var x45 uint32 - cmovznzU32(&x45, x3, (arg4[2]), (arg5[2])) - var x46 uint32 - cmovznzU32(&x46, x3, (arg4[3]), (arg5[3])) - var x47 uint32 - cmovznzU32(&x47, x3, (arg4[4]), (arg5[4])) - var x48 uint32 - cmovznzU32(&x48, x3, (arg4[5]), (arg5[5])) - var x49 uint32 - cmovznzU32(&x49, x3, (arg4[6]), (arg5[6])) - var x50 uint32 - cmovznzU32(&x50, x3, (arg4[7]), (arg5[7])) - var x51 uint32 - var x52 uint1 - x51, x52 = addcarryxU32(x43, x43, 0x0) - var x53 uint32 - var x54 uint1 - x53, x54 = addcarryxU32(x44, x44, x52) - var x55 uint32 - var x56 uint1 - x55, x56 = addcarryxU32(x45, x45, x54) - var x57 uint32 - var x58 uint1 - x57, x58 = addcarryxU32(x46, x46, x56) - var x59 uint32 - var x60 uint1 - x59, x60 = addcarryxU32(x47, x47, x58) - var x61 uint32 - var x62 uint1 - x61, x62 = addcarryxU32(x48, x48, x60) - var x63 uint32 - var x64 uint1 - 
x63, x64 = addcarryxU32(x49, x49, x62) - var x65 uint32 - var x66 uint1 - x65, x66 = addcarryxU32(x50, x50, x64) - var x67 uint32 - var x68 uint1 - x67, x68 = subborrowxU32(x51, 0xfffffc2f, 0x0) - var x69 uint32 - var x70 uint1 - x69, x70 = subborrowxU32(x53, 0xfffffffe, x68) - var x71 uint32 - var x72 uint1 - x71, x72 = subborrowxU32(x55, 0xffffffff, x70) - var x73 uint32 - var x74 uint1 - x73, x74 = subborrowxU32(x57, 0xffffffff, x72) - var x75 uint32 - var x76 uint1 - x75, x76 = subborrowxU32(x59, 0xffffffff, x74) - var x77 uint32 - var x78 uint1 - x77, x78 = subborrowxU32(x61, 0xffffffff, x76) - var x79 uint32 - var x80 uint1 - x79, x80 = subborrowxU32(x63, 0xffffffff, x78) - var x81 uint32 - var x82 uint1 - x81, x82 = subborrowxU32(x65, 0xffffffff, x80) - var x84 uint1 - _, x84 = subborrowxU32(uint32(x66), uint32(0x0), x82) - var x85 uint32 = (arg4[7]) - var x86 uint32 = (arg4[6]) - var x87 uint32 = (arg4[5]) - var x88 uint32 = (arg4[4]) - var x89 uint32 = (arg4[3]) - var x90 uint32 = (arg4[2]) - var x91 uint32 = (arg4[1]) - var x92 uint32 = (arg4[0]) - var x93 uint32 - var x94 uint1 - x93, x94 = subborrowxU32(uint32(0x0), x92, 0x0) - var x95 uint32 - var x96 uint1 - x95, x96 = subborrowxU32(uint32(0x0), x91, x94) - var x97 uint32 - var x98 uint1 - x97, x98 = subborrowxU32(uint32(0x0), x90, x96) - var x99 uint32 - var x100 uint1 - x99, x100 = subborrowxU32(uint32(0x0), x89, x98) - var x101 uint32 - var x102 uint1 - x101, x102 = subborrowxU32(uint32(0x0), x88, x100) - var x103 uint32 - var x104 uint1 - x103, x104 = subborrowxU32(uint32(0x0), x87, x102) - var x105 uint32 - var x106 uint1 - x105, x106 = subborrowxU32(uint32(0x0), x86, x104) - var x107 uint32 - var x108 uint1 - x107, x108 = subborrowxU32(uint32(0x0), x85, x106) - var x109 uint32 - cmovznzU32(&x109, x108, uint32(0x0), 0xffffffff) - var x110 uint32 - var x111 uint1 - x110, x111 = addcarryxU32(x93, (x109 & 0xfffffc2f), 0x0) - var x112 uint32 - var x113 uint1 - x112, x113 = addcarryxU32(x95, (x109 & 
0xfffffffe), x111) - var x114 uint32 - var x115 uint1 - x114, x115 = addcarryxU32(x97, x109, x113) - var x116 uint32 - var x117 uint1 - x116, x117 = addcarryxU32(x99, x109, x115) - var x118 uint32 - var x119 uint1 - x118, x119 = addcarryxU32(x101, x109, x117) - var x120 uint32 - var x121 uint1 - x120, x121 = addcarryxU32(x103, x109, x119) - var x122 uint32 - var x123 uint1 - x122, x123 = addcarryxU32(x105, x109, x121) - var x124 uint32 - x124, _ = addcarryxU32(x107, x109, x123) - var x126 uint32 - cmovznzU32(&x126, x3, (arg5[0]), x110) - var x127 uint32 - cmovznzU32(&x127, x3, (arg5[1]), x112) - var x128 uint32 - cmovznzU32(&x128, x3, (arg5[2]), x114) - var x129 uint32 - cmovznzU32(&x129, x3, (arg5[3]), x116) - var x130 uint32 - cmovznzU32(&x130, x3, (arg5[4]), x118) - var x131 uint32 - cmovznzU32(&x131, x3, (arg5[5]), x120) - var x132 uint32 - cmovznzU32(&x132, x3, (arg5[6]), x122) - var x133 uint32 - cmovznzU32(&x133, x3, (arg5[7]), x124) - var x134 uint1 = (uint1(x34) & 0x1) - var x135 uint32 - cmovznzU32(&x135, x134, uint32(0x0), x7) - var x136 uint32 - cmovznzU32(&x136, x134, uint32(0x0), x8) - var x137 uint32 - cmovznzU32(&x137, x134, uint32(0x0), x9) - var x138 uint32 - cmovznzU32(&x138, x134, uint32(0x0), x10) - var x139 uint32 - cmovznzU32(&x139, x134, uint32(0x0), x11) - var x140 uint32 - cmovznzU32(&x140, x134, uint32(0x0), x12) - var x141 uint32 - cmovznzU32(&x141, x134, uint32(0x0), x13) - var x142 uint32 - cmovznzU32(&x142, x134, uint32(0x0), x14) - var x143 uint32 - cmovznzU32(&x143, x134, uint32(0x0), x15) - var x144 uint32 - var x145 uint1 - x144, x145 = addcarryxU32(x34, x135, 0x0) - var x146 uint32 - var x147 uint1 - x146, x147 = addcarryxU32(x35, x136, x145) - var x148 uint32 - var x149 uint1 - x148, x149 = addcarryxU32(x36, x137, x147) - var x150 uint32 - var x151 uint1 - x150, x151 = addcarryxU32(x37, x138, x149) - var x152 uint32 - var x153 uint1 - x152, x153 = addcarryxU32(x38, x139, x151) - var x154 uint32 - var x155 uint1 - x154, x155 = 
addcarryxU32(x39, x140, x153) - var x156 uint32 - var x157 uint1 - x156, x157 = addcarryxU32(x40, x141, x155) - var x158 uint32 - var x159 uint1 - x158, x159 = addcarryxU32(x41, x142, x157) - var x160 uint32 - x160, _ = addcarryxU32(x42, x143, x159) - var x162 uint32 - cmovznzU32(&x162, x134, uint32(0x0), x43) - var x163 uint32 - cmovznzU32(&x163, x134, uint32(0x0), x44) - var x164 uint32 - cmovznzU32(&x164, x134, uint32(0x0), x45) - var x165 uint32 - cmovznzU32(&x165, x134, uint32(0x0), x46) - var x166 uint32 - cmovznzU32(&x166, x134, uint32(0x0), x47) - var x167 uint32 - cmovznzU32(&x167, x134, uint32(0x0), x48) - var x168 uint32 - cmovznzU32(&x168, x134, uint32(0x0), x49) - var x169 uint32 - cmovznzU32(&x169, x134, uint32(0x0), x50) - var x170 uint32 - var x171 uint1 - x170, x171 = addcarryxU32(x126, x162, 0x0) - var x172 uint32 - var x173 uint1 - x172, x173 = addcarryxU32(x127, x163, x171) - var x174 uint32 - var x175 uint1 - x174, x175 = addcarryxU32(x128, x164, x173) - var x176 uint32 - var x177 uint1 - x176, x177 = addcarryxU32(x129, x165, x175) - var x178 uint32 - var x179 uint1 - x178, x179 = addcarryxU32(x130, x166, x177) - var x180 uint32 - var x181 uint1 - x180, x181 = addcarryxU32(x131, x167, x179) - var x182 uint32 - var x183 uint1 - x182, x183 = addcarryxU32(x132, x168, x181) - var x184 uint32 - var x185 uint1 - x184, x185 = addcarryxU32(x133, x169, x183) - var x186 uint32 - var x187 uint1 - x186, x187 = subborrowxU32(x170, 0xfffffc2f, 0x0) - var x188 uint32 - var x189 uint1 - x188, x189 = subborrowxU32(x172, 0xfffffffe, x187) - var x190 uint32 - var x191 uint1 - x190, x191 = subborrowxU32(x174, 0xffffffff, x189) - var x192 uint32 - var x193 uint1 - x192, x193 = subborrowxU32(x176, 0xffffffff, x191) - var x194 uint32 - var x195 uint1 - x194, x195 = subborrowxU32(x178, 0xffffffff, x193) - var x196 uint32 - var x197 uint1 - x196, x197 = subborrowxU32(x180, 0xffffffff, x195) - var x198 uint32 - var x199 uint1 - x198, x199 = subborrowxU32(x182, 
0xffffffff, x197) - var x200 uint32 - var x201 uint1 - x200, x201 = subborrowxU32(x184, 0xffffffff, x199) - var x203 uint1 - _, x203 = subborrowxU32(uint32(x185), uint32(0x0), x201) - var x204 uint32 - x204, _ = addcarryxU32(x6, uint32(0x1), 0x0) - var x206 uint32 = ((x144 >> 1) | ((x146 << 31) & 0xffffffff)) - var x207 uint32 = ((x146 >> 1) | ((x148 << 31) & 0xffffffff)) - var x208 uint32 = ((x148 >> 1) | ((x150 << 31) & 0xffffffff)) - var x209 uint32 = ((x150 >> 1) | ((x152 << 31) & 0xffffffff)) - var x210 uint32 = ((x152 >> 1) | ((x154 << 31) & 0xffffffff)) - var x211 uint32 = ((x154 >> 1) | ((x156 << 31) & 0xffffffff)) - var x212 uint32 = ((x156 >> 1) | ((x158 << 31) & 0xffffffff)) - var x213 uint32 = ((x158 >> 1) | ((x160 << 31) & 0xffffffff)) - var x214 uint32 = ((x160 & 0x80000000) | (x160 >> 1)) - var x215 uint32 - cmovznzU32(&x215, x84, x67, x51) - var x216 uint32 - cmovznzU32(&x216, x84, x69, x53) - var x217 uint32 - cmovznzU32(&x217, x84, x71, x55) - var x218 uint32 - cmovznzU32(&x218, x84, x73, x57) - var x219 uint32 - cmovznzU32(&x219, x84, x75, x59) - var x220 uint32 - cmovznzU32(&x220, x84, x77, x61) - var x221 uint32 - cmovznzU32(&x221, x84, x79, x63) - var x222 uint32 - cmovznzU32(&x222, x84, x81, x65) - var x223 uint32 - cmovznzU32(&x223, x203, x186, x170) - var x224 uint32 - cmovznzU32(&x224, x203, x188, x172) - var x225 uint32 - cmovznzU32(&x225, x203, x190, x174) - var x226 uint32 - cmovznzU32(&x226, x203, x192, x176) - var x227 uint32 - cmovznzU32(&x227, x203, x194, x178) - var x228 uint32 - cmovznzU32(&x228, x203, x196, x180) - var x229 uint32 - cmovznzU32(&x229, x203, x198, x182) - var x230 uint32 - cmovznzU32(&x230, x203, x200, x184) - *out1 = x204 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out2[5] = x12 - out2[6] = x13 - out2[7] = x14 - out2[8] = x15 - out3[0] = x206 - out3[1] = x207 - out3[2] = x208 - out3[3] = x209 - out3[4] = x210 - out3[5] = x211 - out3[6] = x212 - out3[7] = x213 - out3[8] = x214 - 
out4[0] = x215 - out4[1] = x216 - out4[2] = x217 - out4[3] = x218 - out4[4] = x219 - out4[5] = x220 - out4[6] = x221 - out4[7] = x222 - out5[0] = x223 - out5[1] = x224 - out5[2] = x225 - out5[3] = x226 - out5[4] = x227 - out5[5] = x228 - out5[6] = x229 - out5[7] = x230 + var x1 uint32 + x1, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + x3 := (uint1((x1 >> 31)) & (uint1(arg3[0]) & 0x1)) + var x4 uint32 + x4, _ = addcarryxU32((^arg1), uint32(0x1), 0x0) + var x6 uint32 + cmovznzU32(&x6, x3, arg1, x4) + var x7 uint32 + cmovznzU32(&x7, x3, arg2[0], arg3[0]) + var x8 uint32 + cmovznzU32(&x8, x3, arg2[1], arg3[1]) + var x9 uint32 + cmovznzU32(&x9, x3, arg2[2], arg3[2]) + var x10 uint32 + cmovznzU32(&x10, x3, arg2[3], arg3[3]) + var x11 uint32 + cmovznzU32(&x11, x3, arg2[4], arg3[4]) + var x12 uint32 + cmovznzU32(&x12, x3, arg2[5], arg3[5]) + var x13 uint32 + cmovznzU32(&x13, x3, arg2[6], arg3[6]) + var x14 uint32 + cmovznzU32(&x14, x3, arg2[7], arg3[7]) + var x15 uint32 + cmovznzU32(&x15, x3, arg2[8], arg3[8]) + var x16 uint32 + var x17 uint1 + x16, x17 = addcarryxU32(uint32(0x1), (^arg2[0]), 0x0) + var x18 uint32 + var x19 uint1 + x18, x19 = addcarryxU32(uint32(0x0), (^arg2[1]), x17) + var x20 uint32 + var x21 uint1 + x20, x21 = addcarryxU32(uint32(0x0), (^arg2[2]), x19) + var x22 uint32 + var x23 uint1 + x22, x23 = addcarryxU32(uint32(0x0), (^arg2[3]), x21) + var x24 uint32 + var x25 uint1 + x24, x25 = addcarryxU32(uint32(0x0), (^arg2[4]), x23) + var x26 uint32 + var x27 uint1 + x26, x27 = addcarryxU32(uint32(0x0), (^arg2[5]), x25) + var x28 uint32 + var x29 uint1 + x28, x29 = addcarryxU32(uint32(0x0), (^arg2[6]), x27) + var x30 uint32 + var x31 uint1 + x30, x31 = addcarryxU32(uint32(0x0), (^arg2[7]), x29) + var x32 uint32 + x32, _ = addcarryxU32(uint32(0x0), (^arg2[8]), x31) + var x34 uint32 + cmovznzU32(&x34, x3, arg3[0], x16) + var x35 uint32 + cmovznzU32(&x35, x3, arg3[1], x18) + var x36 uint32 + cmovznzU32(&x36, x3, arg3[2], x20) + var x37 uint32 + cmovznzU32(&x37, 
x3, arg3[3], x22) + var x38 uint32 + cmovznzU32(&x38, x3, arg3[4], x24) + var x39 uint32 + cmovznzU32(&x39, x3, arg3[5], x26) + var x40 uint32 + cmovznzU32(&x40, x3, arg3[6], x28) + var x41 uint32 + cmovznzU32(&x41, x3, arg3[7], x30) + var x42 uint32 + cmovznzU32(&x42, x3, arg3[8], x32) + var x43 uint32 + cmovznzU32(&x43, x3, arg4[0], arg5[0]) + var x44 uint32 + cmovznzU32(&x44, x3, arg4[1], arg5[1]) + var x45 uint32 + cmovznzU32(&x45, x3, arg4[2], arg5[2]) + var x46 uint32 + cmovznzU32(&x46, x3, arg4[3], arg5[3]) + var x47 uint32 + cmovznzU32(&x47, x3, arg4[4], arg5[4]) + var x48 uint32 + cmovznzU32(&x48, x3, arg4[5], arg5[5]) + var x49 uint32 + cmovznzU32(&x49, x3, arg4[6], arg5[6]) + var x50 uint32 + cmovznzU32(&x50, x3, arg4[7], arg5[7]) + var x51 uint32 + var x52 uint1 + x51, x52 = addcarryxU32(x43, x43, 0x0) + var x53 uint32 + var x54 uint1 + x53, x54 = addcarryxU32(x44, x44, x52) + var x55 uint32 + var x56 uint1 + x55, x56 = addcarryxU32(x45, x45, x54) + var x57 uint32 + var x58 uint1 + x57, x58 = addcarryxU32(x46, x46, x56) + var x59 uint32 + var x60 uint1 + x59, x60 = addcarryxU32(x47, x47, x58) + var x61 uint32 + var x62 uint1 + x61, x62 = addcarryxU32(x48, x48, x60) + var x63 uint32 + var x64 uint1 + x63, x64 = addcarryxU32(x49, x49, x62) + var x65 uint32 + var x66 uint1 + x65, x66 = addcarryxU32(x50, x50, x64) + var x67 uint32 + var x68 uint1 + x67, x68 = subborrowxU32(x51, 0xfffffc2f, 0x0) + var x69 uint32 + var x70 uint1 + x69, x70 = subborrowxU32(x53, 0xfffffffe, x68) + var x71 uint32 + var x72 uint1 + x71, x72 = subborrowxU32(x55, 0xffffffff, x70) + var x73 uint32 + var x74 uint1 + x73, x74 = subborrowxU32(x57, 0xffffffff, x72) + var x75 uint32 + var x76 uint1 + x75, x76 = subborrowxU32(x59, 0xffffffff, x74) + var x77 uint32 + var x78 uint1 + x77, x78 = subborrowxU32(x61, 0xffffffff, x76) + var x79 uint32 + var x80 uint1 + x79, x80 = subborrowxU32(x63, 0xffffffff, x78) + var x81 uint32 + var x82 uint1 + x81, x82 = subborrowxU32(x65, 0xffffffff, x80) 
+ var x84 uint1 + _, x84 = subborrowxU32(uint32(x66), uint32(0x0), x82) + x85 := arg4[7] + x86 := arg4[6] + x87 := arg4[5] + x88 := arg4[4] + x89 := arg4[3] + x90 := arg4[2] + x91 := arg4[1] + x92 := arg4[0] + var x93 uint32 + var x94 uint1 + x93, x94 = subborrowxU32(uint32(0x0), x92, 0x0) + var x95 uint32 + var x96 uint1 + x95, x96 = subborrowxU32(uint32(0x0), x91, x94) + var x97 uint32 + var x98 uint1 + x97, x98 = subborrowxU32(uint32(0x0), x90, x96) + var x99 uint32 + var x100 uint1 + x99, x100 = subborrowxU32(uint32(0x0), x89, x98) + var x101 uint32 + var x102 uint1 + x101, x102 = subborrowxU32(uint32(0x0), x88, x100) + var x103 uint32 + var x104 uint1 + x103, x104 = subborrowxU32(uint32(0x0), x87, x102) + var x105 uint32 + var x106 uint1 + x105, x106 = subborrowxU32(uint32(0x0), x86, x104) + var x107 uint32 + var x108 uint1 + x107, x108 = subborrowxU32(uint32(0x0), x85, x106) + var x109 uint32 + cmovznzU32(&x109, x108, uint32(0x0), 0xffffffff) + var x110 uint32 + var x111 uint1 + x110, x111 = addcarryxU32(x93, (x109 & 0xfffffc2f), 0x0) + var x112 uint32 + var x113 uint1 + x112, x113 = addcarryxU32(x95, (x109 & 0xfffffffe), x111) + var x114 uint32 + var x115 uint1 + x114, x115 = addcarryxU32(x97, x109, x113) + var x116 uint32 + var x117 uint1 + x116, x117 = addcarryxU32(x99, x109, x115) + var x118 uint32 + var x119 uint1 + x118, x119 = addcarryxU32(x101, x109, x117) + var x120 uint32 + var x121 uint1 + x120, x121 = addcarryxU32(x103, x109, x119) + var x122 uint32 + var x123 uint1 + x122, x123 = addcarryxU32(x105, x109, x121) + var x124 uint32 + x124, _ = addcarryxU32(x107, x109, x123) + var x126 uint32 + cmovznzU32(&x126, x3, arg5[0], x110) + var x127 uint32 + cmovznzU32(&x127, x3, arg5[1], x112) + var x128 uint32 + cmovznzU32(&x128, x3, arg5[2], x114) + var x129 uint32 + cmovznzU32(&x129, x3, arg5[3], x116) + var x130 uint32 + cmovznzU32(&x130, x3, arg5[4], x118) + var x131 uint32 + cmovznzU32(&x131, x3, arg5[5], x120) + var x132 uint32 + cmovznzU32(&x132, x3, 
arg5[6], x122) + var x133 uint32 + cmovznzU32(&x133, x3, arg5[7], x124) + x134 := (uint1(x34) & 0x1) + var x135 uint32 + cmovznzU32(&x135, x134, uint32(0x0), x7) + var x136 uint32 + cmovznzU32(&x136, x134, uint32(0x0), x8) + var x137 uint32 + cmovznzU32(&x137, x134, uint32(0x0), x9) + var x138 uint32 + cmovznzU32(&x138, x134, uint32(0x0), x10) + var x139 uint32 + cmovznzU32(&x139, x134, uint32(0x0), x11) + var x140 uint32 + cmovznzU32(&x140, x134, uint32(0x0), x12) + var x141 uint32 + cmovznzU32(&x141, x134, uint32(0x0), x13) + var x142 uint32 + cmovznzU32(&x142, x134, uint32(0x0), x14) + var x143 uint32 + cmovznzU32(&x143, x134, uint32(0x0), x15) + var x144 uint32 + var x145 uint1 + x144, x145 = addcarryxU32(x34, x135, 0x0) + var x146 uint32 + var x147 uint1 + x146, x147 = addcarryxU32(x35, x136, x145) + var x148 uint32 + var x149 uint1 + x148, x149 = addcarryxU32(x36, x137, x147) + var x150 uint32 + var x151 uint1 + x150, x151 = addcarryxU32(x37, x138, x149) + var x152 uint32 + var x153 uint1 + x152, x153 = addcarryxU32(x38, x139, x151) + var x154 uint32 + var x155 uint1 + x154, x155 = addcarryxU32(x39, x140, x153) + var x156 uint32 + var x157 uint1 + x156, x157 = addcarryxU32(x40, x141, x155) + var x158 uint32 + var x159 uint1 + x158, x159 = addcarryxU32(x41, x142, x157) + var x160 uint32 + x160, _ = addcarryxU32(x42, x143, x159) + var x162 uint32 + cmovznzU32(&x162, x134, uint32(0x0), x43) + var x163 uint32 + cmovznzU32(&x163, x134, uint32(0x0), x44) + var x164 uint32 + cmovznzU32(&x164, x134, uint32(0x0), x45) + var x165 uint32 + cmovznzU32(&x165, x134, uint32(0x0), x46) + var x166 uint32 + cmovznzU32(&x166, x134, uint32(0x0), x47) + var x167 uint32 + cmovznzU32(&x167, x134, uint32(0x0), x48) + var x168 uint32 + cmovznzU32(&x168, x134, uint32(0x0), x49) + var x169 uint32 + cmovznzU32(&x169, x134, uint32(0x0), x50) + var x170 uint32 + var x171 uint1 + x170, x171 = addcarryxU32(x126, x162, 0x0) + var x172 uint32 + var x173 uint1 + x172, x173 = addcarryxU32(x127, 
x163, x171) + var x174 uint32 + var x175 uint1 + x174, x175 = addcarryxU32(x128, x164, x173) + var x176 uint32 + var x177 uint1 + x176, x177 = addcarryxU32(x129, x165, x175) + var x178 uint32 + var x179 uint1 + x178, x179 = addcarryxU32(x130, x166, x177) + var x180 uint32 + var x181 uint1 + x180, x181 = addcarryxU32(x131, x167, x179) + var x182 uint32 + var x183 uint1 + x182, x183 = addcarryxU32(x132, x168, x181) + var x184 uint32 + var x185 uint1 + x184, x185 = addcarryxU32(x133, x169, x183) + var x186 uint32 + var x187 uint1 + x186, x187 = subborrowxU32(x170, 0xfffffc2f, 0x0) + var x188 uint32 + var x189 uint1 + x188, x189 = subborrowxU32(x172, 0xfffffffe, x187) + var x190 uint32 + var x191 uint1 + x190, x191 = subborrowxU32(x174, 0xffffffff, x189) + var x192 uint32 + var x193 uint1 + x192, x193 = subborrowxU32(x176, 0xffffffff, x191) + var x194 uint32 + var x195 uint1 + x194, x195 = subborrowxU32(x178, 0xffffffff, x193) + var x196 uint32 + var x197 uint1 + x196, x197 = subborrowxU32(x180, 0xffffffff, x195) + var x198 uint32 + var x199 uint1 + x198, x199 = subborrowxU32(x182, 0xffffffff, x197) + var x200 uint32 + var x201 uint1 + x200, x201 = subborrowxU32(x184, 0xffffffff, x199) + var x203 uint1 + _, x203 = subborrowxU32(uint32(x185), uint32(0x0), x201) + var x204 uint32 + x204, _ = addcarryxU32(x6, uint32(0x1), 0x0) + x206 := ((x144 >> 1) | ((x146 << 31) & 0xffffffff)) + x207 := ((x146 >> 1) | ((x148 << 31) & 0xffffffff)) + x208 := ((x148 >> 1) | ((x150 << 31) & 0xffffffff)) + x209 := ((x150 >> 1) | ((x152 << 31) & 0xffffffff)) + x210 := ((x152 >> 1) | ((x154 << 31) & 0xffffffff)) + x211 := ((x154 >> 1) | ((x156 << 31) & 0xffffffff)) + x212 := ((x156 >> 1) | ((x158 << 31) & 0xffffffff)) + x213 := ((x158 >> 1) | ((x160 << 31) & 0xffffffff)) + x214 := ((x160 & 0x80000000) | (x160 >> 1)) + var x215 uint32 + cmovznzU32(&x215, x84, x67, x51) + var x216 uint32 + cmovznzU32(&x216, x84, x69, x53) + var x217 uint32 + cmovznzU32(&x217, x84, x71, x55) + var x218 uint32 + 
cmovznzU32(&x218, x84, x73, x57) + var x219 uint32 + cmovznzU32(&x219, x84, x75, x59) + var x220 uint32 + cmovznzU32(&x220, x84, x77, x61) + var x221 uint32 + cmovznzU32(&x221, x84, x79, x63) + var x222 uint32 + cmovznzU32(&x222, x84, x81, x65) + var x223 uint32 + cmovznzU32(&x223, x203, x186, x170) + var x224 uint32 + cmovznzU32(&x224, x203, x188, x172) + var x225 uint32 + cmovznzU32(&x225, x203, x190, x174) + var x226 uint32 + cmovznzU32(&x226, x203, x192, x176) + var x227 uint32 + cmovznzU32(&x227, x203, x194, x178) + var x228 uint32 + cmovznzU32(&x228, x203, x196, x180) + var x229 uint32 + cmovznzU32(&x229, x203, x198, x182) + var x230 uint32 + cmovznzU32(&x230, x203, x200, x184) + *out1 = x204 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out2[5] = x12 + out2[6] = x13 + out2[7] = x14 + out2[8] = x15 + out3[0] = x206 + out3[1] = x207 + out3[2] = x208 + out3[3] = x209 + out3[4] = x210 + out3[5] = x211 + out3[6] = x212 + out3[7] = x213 + out3[8] = x214 + out4[0] = x215 + out4[1] = x216 + out4[2] = x217 + out4[3] = x218 + out4[4] = x219 + out4[5] = x220 + out4[6] = x221 + out4[7] = x222 + out5[0] = x223 + out5[1] = x224 + out5[2] = x225 + out5[3] = x226 + out5[4] = x227 + out5[5] = x228 + out5[6] = x229 + out5[7] = x230 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
+// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] func DivstepPrecomp(out1 *[8]uint32) { - out1[0] = 0x31525e0a - out1[1] = 0xf201a418 - out1[2] = 0xcd648d85 - out1[3] = 0x9953f9dd - out1[4] = 0x3db210a9 - out1[5] = 0xe8602946 - out1[6] = 0x4b03709 - out1[7] = 0x24fb8a31 + out1[0] = 0x31525e0a + out1[1] = 0xf201a418 + out1[2] = 0xcd648d85 + out1[3] = 0x9953f9dd + out1[4] = 0x3db210a9 + out1[5] = 0xe8602946 + out1[6] = 0x4b03709 + out1[7] = 0x24fb8a31 } - diff --git a/fiat-go/64/curve25519/curve25519.go b/fiat-go/64/curve25519/curve25519.go index cdead93b555..8f45230dc04 100644 --- a/fiat-go/64/curve25519/curve25519.go +++ b/fiat-go/64/curve25519/curve25519.go 
@@ -1,942 +1,911 @@ -/* - Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name curve25519 '' 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 - - curve description (via package name): curve25519 - - machine_wordsize = 64 (from "64") - - requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 - - n = 5 (from "(auto)") - - s-c = 2^255 - [(1, 19)] (from "2^255 - 19") - - tight_bounds_multiplier = 1 (from "") - - - - Computed values: - - carry_chain = [0, 1, 2, 3, 4, 0, 1] - - eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) - - balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. 
DO NOT EDIT.' --doc-text-before-function-name '' --package-name curve25519 '' 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 +// +// curve description (via package name): curve25519 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 +// +// n = 5 (from "(auto)") +// +// s-c = 2^255 - [(1, 19)] (from "2^255 - 19") +// +// tight_bounds_multiplier = 1 (from "") +// +// +// +// Computed values: +// +// carry_chain = [0, 1, 2, 3, 4, 0, 1] +// +// eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// +// balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] package curve25519 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// 
subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function addcarryxU51 is an addition with carry. - Postconditions: - out1 = (arg1 + arg2 + arg3) mod 2^51 - out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x7ffffffffffff] - arg3: [0x0 ~> 0x7ffffffffffff] - Output Bounds: - out1: [0x0 ~> 0x7ffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// addcarryxU51 is an addition with carry. +// +// Postconditions: +// out1 = (arg1 + arg2 + arg3) mod 2^51 +// out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x7ffffffffffff] +// arg3: [0x0 ~> 0x7ffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x7ffffffffffff] +// out2: [0x0 ~> 0x1] func addcarryxU51(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = ((uint64(arg1) + arg2) + arg3) - var x2 uint64 = (x1 & 0x7ffffffffffff) - var x3 uint1 = uint1((x1 >> 51)) - *out1 = x2 - *out2 = x3 + x1 := ((uint64(arg1) + arg2) + arg3) + x2 := (x1 & 0x7ffffffffffff) + x3 := uint1((x1 >> 51)) + *out1 = x2 + *out2 = x3 } -/* - The function subborrowxU51 is a subtraction with borrow. - Postconditions: - out1 = (-arg1 + arg2 + -arg3) mod 2^51 - out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x7ffffffffffff] - arg3: [0x0 ~> 0x7ffffffffffff] - Output Bounds: - out1: [0x0 ~> 0x7ffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// subborrowxU51 is a subtraction with borrow. 
+// +// Postconditions: +// out1 = (-arg1 + arg2 + -arg3) mod 2^51 +// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x7ffffffffffff] +// arg3: [0x0 ~> 0x7ffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x7ffffffffffff] +// out2: [0x0 ~> 0x1] func subborrowxU51(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 int64 = ((int64(arg2) - int64(arg1)) - int64(arg3)) - var x2 int1 = int1((x1 >> 51)) - var x3 uint64 = (uint64(x1) & 0x7ffffffffffff) - *out1 = x3 - *out2 = (0x0 - uint1(x2)) + x1 := ((int64(arg2) - int64(arg1)) - int64(arg3)) + x2 := int1((x1 >> 51)) + x3 := (uint64(x1) & 0x7ffffffffffff) + *out1 = x3 + *out2 = (0x0 - uint1(x2)) } -/* - The function cmovznzU64 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function CarryMul multiplies two field elements and reduces the result. 
- Postconditions: - eval out1 mod m = (eval arg1 * eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - arg2: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - */ -/*inline*/ +// CarryMul multiplies two field elements and reduces the result. +// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] +// arg2: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] func CarryMul(out1 *[5]uint64, arg1 *[5]uint64, arg2 *[5]uint64) { - var x1 uint64 - var x2 uint64 - x2, x1 = bits.Mul64((arg1[4]), ((arg2[4]) * 0x13)) - var x3 uint64 - var x4 uint64 - x4, x3 = bits.Mul64((arg1[4]), ((arg2[3]) * 0x13)) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64((arg1[4]), ((arg2[2]) * 0x13)) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64((arg1[4]), ((arg2[1]) * 0x13)) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64((arg1[3]), ((arg2[4]) * 0x13)) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64((arg1[3]), ((arg2[3]) * 0x13)) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64((arg1[3]), ((arg2[2]) * 0x13)) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64((arg1[2]), ((arg2[4]) * 0x13)) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64((arg1[2]), 
((arg2[3]) * 0x13)) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64((arg1[1]), ((arg2[4]) * 0x13)) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64((arg1[4]), (arg2[0])) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64((arg1[3]), (arg2[1])) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64((arg1[3]), (arg2[0])) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64((arg1[2]), (arg2[2])) - var x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64((arg1[2]), (arg2[1])) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64((arg1[2]), (arg2[0])) - var x33 uint64 - var x34 uint64 - x34, x33 = bits.Mul64((arg1[1]), (arg2[3])) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64((arg1[1]), (arg2[2])) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64((arg1[1]), (arg2[1])) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64((arg1[1]), (arg2[0])) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64((arg1[0]), (arg2[4])) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64((arg1[0]), (arg2[3])) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64((arg1[0]), (arg2[2])) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64((arg1[0]), (arg2[1])) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64((arg1[0]), (arg2[0])) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x13, x7, 0x0) - var x53 uint64 - x53, _ = addcarryxU64(x14, x8, x52) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x17, x51, 0x0) - var x57 uint64 - x57, _ = addcarryxU64(x18, x53, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x19, x55, 0x0) - var x61 uint64 - x61, _ = addcarryxU64(x20, x57, x60) - var x63 uint64 - var x64 uint1 - x63, x64 = addcarryxU64(x49, x59, 0x0) - var x65 uint64 - x65, _ = addcarryxU64(x50, x61, x64) - var x67 uint64 = ((x63 >> 51) | ((x65 << 13) & 0xffffffffffffffff)) - var x68 uint64 = (x63 & 0x7ffffffffffff) - var x69 uint64 - var x70 uint1 - x69, x70 = 
addcarryxU64(x23, x21, 0x0) - var x71 uint64 - x71, _ = addcarryxU64(x24, x22, x70) - var x73 uint64 - var x74 uint1 - x73, x74 = addcarryxU64(x27, x69, 0x0) - var x75 uint64 - x75, _ = addcarryxU64(x28, x71, x74) - var x77 uint64 - var x78 uint1 - x77, x78 = addcarryxU64(x33, x73, 0x0) - var x79 uint64 - x79, _ = addcarryxU64(x34, x75, x78) - var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x41, x77, 0x0) - var x83 uint64 - x83, _ = addcarryxU64(x42, x79, x82) - var x85 uint64 - var x86 uint1 - x85, x86 = addcarryxU64(x25, x1, 0x0) - var x87 uint64 - x87, _ = addcarryxU64(x26, x2, x86) - var x89 uint64 - var x90 uint1 - x89, x90 = addcarryxU64(x29, x85, 0x0) - var x91 uint64 - x91, _ = addcarryxU64(x30, x87, x90) - var x93 uint64 - var x94 uint1 - x93, x94 = addcarryxU64(x35, x89, 0x0) - var x95 uint64 - x95, _ = addcarryxU64(x36, x91, x94) - var x97 uint64 - var x98 uint1 - x97, x98 = addcarryxU64(x43, x93, 0x0) - var x99 uint64 - x99, _ = addcarryxU64(x44, x95, x98) - var x101 uint64 - var x102 uint1 - x101, x102 = addcarryxU64(x9, x3, 0x0) - var x103 uint64 - x103, _ = addcarryxU64(x10, x4, x102) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x31, x101, 0x0) - var x107 uint64 - x107, _ = addcarryxU64(x32, x103, x106) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64(x37, x105, 0x0) - var x111 uint64 - x111, _ = addcarryxU64(x38, x107, x110) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x45, x109, 0x0) - var x115 uint64 - x115, _ = addcarryxU64(x46, x111, x114) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x11, x5, 0x0) - var x119 uint64 - x119, _ = addcarryxU64(x12, x6, x118) - var x121 uint64 - var x122 uint1 - x121, x122 = addcarryxU64(x15, x117, 0x0) - var x123 uint64 - x123, _ = addcarryxU64(x16, x119, x122) - var x125 uint64 - var x126 uint1 - x125, x126 = addcarryxU64(x39, x121, 0x0) - var x127 uint64 - x127, _ = addcarryxU64(x40, x123, x126) - var x129 uint64 - var x130 uint1 - x129, 
x130 = addcarryxU64(x47, x125, 0x0) - var x131 uint64 - x131, _ = addcarryxU64(x48, x127, x130) - var x133 uint64 - var x134 uint1 - x133, x134 = addcarryxU64(x67, x129, 0x0) - var x135 uint64 = (uint64(x134) + x131) - var x136 uint64 = ((x133 >> 51) | ((x135 << 13) & 0xffffffffffffffff)) - var x137 uint64 = (x133 & 0x7ffffffffffff) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x136, x113, 0x0) - var x140 uint64 = (uint64(x139) + x115) - var x141 uint64 = ((x138 >> 51) | ((x140 << 13) & 0xffffffffffffffff)) - var x142 uint64 = (x138 & 0x7ffffffffffff) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(x141, x97, 0x0) - var x145 uint64 = (uint64(x144) + x99) - var x146 uint64 = ((x143 >> 51) | ((x145 << 13) & 0xffffffffffffffff)) - var x147 uint64 = (x143 & 0x7ffffffffffff) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x146, x81, 0x0) - var x150 uint64 = (uint64(x149) + x83) - var x151 uint64 = ((x148 >> 51) | ((x150 << 13) & 0xffffffffffffffff)) - var x152 uint64 = (x148 & 0x7ffffffffffff) - var x153 uint64 = (x151 * 0x13) - var x154 uint64 = (x68 + x153) - var x155 uint64 = (x154 >> 51) - var x156 uint64 = (x154 & 0x7ffffffffffff) - var x157 uint64 = (x155 + x137) - var x158 uint1 = uint1((x157 >> 51)) - var x159 uint64 = (x157 & 0x7ffffffffffff) - var x160 uint64 = (uint64(x158) + x142) - out1[0] = x156 - out1[1] = x159 - out1[2] = x160 - out1[3] = x147 - out1[4] = x152 + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(arg1[4], (arg2[4] * 0x13)) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(arg1[4], (arg2[3] * 0x13)) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[4], (arg2[2] * 0x13)) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[4], (arg2[1] * 0x13)) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[3], (arg2[4] * 0x13)) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[3], (arg2[3] * 0x13)) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[3], 
(arg2[2] * 0x13)) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[2], (arg2[4] * 0x13)) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[2], (arg2[3] * 0x13)) + var x19 uint64 + var x20 uint64 + x20, x19 = bits.Mul64(arg1[1], (arg2[4] * 0x13)) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(arg1[4], arg2[0]) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(arg1[3], arg2[1]) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(arg1[3], arg2[0]) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(arg1[2], arg2[2]) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(arg1[2], arg2[1]) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(arg1[2], arg2[0]) + var x33 uint64 + var x34 uint64 + x34, x33 = bits.Mul64(arg1[1], arg2[3]) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(arg1[1], arg2[2]) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(arg1[1], arg2[1]) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(arg1[1], arg2[0]) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(arg1[0], arg2[4]) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(arg1[0], arg2[3]) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(arg1[0], arg2[2]) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(arg1[0], arg2[1]) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(arg1[0], arg2[0]) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x13, x7, 0x0) + var x53 uint64 + x53, _ = addcarryxU64(x14, x8, x52) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x17, x51, 0x0) + var x57 uint64 + x57, _ = addcarryxU64(x18, x53, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x19, x55, 0x0) + var x61 uint64 + x61, _ = addcarryxU64(x20, x57, x60) + var x63 uint64 + var x64 uint1 + x63, x64 = addcarryxU64(x49, x59, 0x0) + var x65 uint64 + x65, _ = addcarryxU64(x50, x61, x64) + x67 := ((x63 >> 51) | ((x65 << 13) & 0xffffffffffffffff)) + x68 := 
(x63 & 0x7ffffffffffff) + var x69 uint64 + var x70 uint1 + x69, x70 = addcarryxU64(x23, x21, 0x0) + var x71 uint64 + x71, _ = addcarryxU64(x24, x22, x70) + var x73 uint64 + var x74 uint1 + x73, x74 = addcarryxU64(x27, x69, 0x0) + var x75 uint64 + x75, _ = addcarryxU64(x28, x71, x74) + var x77 uint64 + var x78 uint1 + x77, x78 = addcarryxU64(x33, x73, 0x0) + var x79 uint64 + x79, _ = addcarryxU64(x34, x75, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x41, x77, 0x0) + var x83 uint64 + x83, _ = addcarryxU64(x42, x79, x82) + var x85 uint64 + var x86 uint1 + x85, x86 = addcarryxU64(x25, x1, 0x0) + var x87 uint64 + x87, _ = addcarryxU64(x26, x2, x86) + var x89 uint64 + var x90 uint1 + x89, x90 = addcarryxU64(x29, x85, 0x0) + var x91 uint64 + x91, _ = addcarryxU64(x30, x87, x90) + var x93 uint64 + var x94 uint1 + x93, x94 = addcarryxU64(x35, x89, 0x0) + var x95 uint64 + x95, _ = addcarryxU64(x36, x91, x94) + var x97 uint64 + var x98 uint1 + x97, x98 = addcarryxU64(x43, x93, 0x0) + var x99 uint64 + x99, _ = addcarryxU64(x44, x95, x98) + var x101 uint64 + var x102 uint1 + x101, x102 = addcarryxU64(x9, x3, 0x0) + var x103 uint64 + x103, _ = addcarryxU64(x10, x4, x102) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x31, x101, 0x0) + var x107 uint64 + x107, _ = addcarryxU64(x32, x103, x106) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64(x37, x105, 0x0) + var x111 uint64 + x111, _ = addcarryxU64(x38, x107, x110) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x45, x109, 0x0) + var x115 uint64 + x115, _ = addcarryxU64(x46, x111, x114) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x11, x5, 0x0) + var x119 uint64 + x119, _ = addcarryxU64(x12, x6, x118) + var x121 uint64 + var x122 uint1 + x121, x122 = addcarryxU64(x15, x117, 0x0) + var x123 uint64 + x123, _ = addcarryxU64(x16, x119, x122) + var x125 uint64 + var x126 uint1 + x125, x126 = addcarryxU64(x39, x121, 0x0) + var x127 uint64 + x127, _ = 
addcarryxU64(x40, x123, x126) + var x129 uint64 + var x130 uint1 + x129, x130 = addcarryxU64(x47, x125, 0x0) + var x131 uint64 + x131, _ = addcarryxU64(x48, x127, x130) + var x133 uint64 + var x134 uint1 + x133, x134 = addcarryxU64(x67, x129, 0x0) + x135 := (uint64(x134) + x131) + x136 := ((x133 >> 51) | ((x135 << 13) & 0xffffffffffffffff)) + x137 := (x133 & 0x7ffffffffffff) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x136, x113, 0x0) + x140 := (uint64(x139) + x115) + x141 := ((x138 >> 51) | ((x140 << 13) & 0xffffffffffffffff)) + x142 := (x138 & 0x7ffffffffffff) + var x143 uint64 + var x144 uint1 + x143, x144 = addcarryxU64(x141, x97, 0x0) + x145 := (uint64(x144) + x99) + x146 := ((x143 >> 51) | ((x145 << 13) & 0xffffffffffffffff)) + x147 := (x143 & 0x7ffffffffffff) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x146, x81, 0x0) + x150 := (uint64(x149) + x83) + x151 := ((x148 >> 51) | ((x150 << 13) & 0xffffffffffffffff)) + x152 := (x148 & 0x7ffffffffffff) + x153 := (x151 * 0x13) + x154 := (x68 + x153) + x155 := (x154 >> 51) + x156 := (x154 & 0x7ffffffffffff) + x157 := (x155 + x137) + x158 := uint1((x157 >> 51)) + x159 := (x157 & 0x7ffffffffffff) + x160 := (uint64(x158) + x142) + out1[0] = x156 + out1[1] = x159 + out1[2] = x160 + out1[3] = x147 + out1[4] = x152 } -/* - The function CarrySquare squares a field element and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - */ -/*inline*/ +// CarrySquare squares a field element and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] func CarrySquare(out1 *[5]uint64, arg1 *[5]uint64) { - var x1 uint64 = ((arg1[4]) * 0x13) - var x2 uint64 = (x1 * 0x2) - var x3 uint64 = ((arg1[4]) * 0x2) - var x4 uint64 = ((arg1[3]) * 0x13) - var x5 uint64 = (x4 * 0x2) - var x6 uint64 = ((arg1[3]) * 0x2) - var x7 uint64 = ((arg1[2]) * 0x2) - var x8 uint64 = ((arg1[1]) * 0x2) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64((arg1[4]), x1) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64((arg1[3]), x2) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64((arg1[3]), x4) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64((arg1[2]), x2) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64((arg1[2]), x5) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64((arg1[2]), (arg1[2])) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64((arg1[1]), x2) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64((arg1[1]), x6) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64((arg1[1]), x7) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64((arg1[1]), (arg1[1])) - var x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64((arg1[0]), x3) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64((arg1[0]), x6) - var x33 uint64 - var x34 uint64 - x34, x33 = bits.Mul64((arg1[0]), x7) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64((arg1[0]), x8) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64((arg1[0]), (arg1[0])) - var x39 uint64 - var x40 uint1 - x39, x40 = addcarryxU64(x21, x17, 0x0) - var x41 uint64 - x41, _ = addcarryxU64(x22, x18, x40) - var x43 uint64 - var 
x44 uint1 - x43, x44 = addcarryxU64(x37, x39, 0x0) - var x45 uint64 - x45, _ = addcarryxU64(x38, x41, x44) - var x47 uint64 = ((x43 >> 51) | ((x45 << 13) & 0xffffffffffffffff)) - var x48 uint64 = (x43 & 0x7ffffffffffff) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x23, x19, 0x0) - var x51 uint64 - x51, _ = addcarryxU64(x24, x20, x50) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x29, x49, 0x0) - var x55 uint64 - x55, _ = addcarryxU64(x30, x51, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x25, x9, 0x0) - var x59 uint64 - x59, _ = addcarryxU64(x26, x10, x58) - var x61 uint64 - var x62 uint1 - x61, x62 = addcarryxU64(x31, x57, 0x0) - var x63 uint64 - x63, _ = addcarryxU64(x32, x59, x62) - var x65 uint64 - var x66 uint1 - x65, x66 = addcarryxU64(x27, x11, 0x0) - var x67 uint64 - x67, _ = addcarryxU64(x28, x12, x66) - var x69 uint64 - var x70 uint1 - x69, x70 = addcarryxU64(x33, x65, 0x0) - var x71 uint64 - x71, _ = addcarryxU64(x34, x67, x70) - var x73 uint64 - var x74 uint1 - x73, x74 = addcarryxU64(x15, x13, 0x0) - var x75 uint64 - x75, _ = addcarryxU64(x16, x14, x74) - var x77 uint64 - var x78 uint1 - x77, x78 = addcarryxU64(x35, x73, 0x0) - var x79 uint64 - x79, _ = addcarryxU64(x36, x75, x78) - var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x47, x77, 0x0) - var x83 uint64 = (uint64(x82) + x79) - var x84 uint64 = ((x81 >> 51) | ((x83 << 13) & 0xffffffffffffffff)) - var x85 uint64 = (x81 & 0x7ffffffffffff) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x84, x69, 0x0) - var x88 uint64 = (uint64(x87) + x71) - var x89 uint64 = ((x86 >> 51) | ((x88 << 13) & 0xffffffffffffffff)) - var x90 uint64 = (x86 & 0x7ffffffffffff) - var x91 uint64 - var x92 uint1 - x91, x92 = addcarryxU64(x89, x61, 0x0) - var x93 uint64 = (uint64(x92) + x63) - var x94 uint64 = ((x91 >> 51) | ((x93 << 13) & 0xffffffffffffffff)) - var x95 uint64 = (x91 & 0x7ffffffffffff) - var x96 uint64 - var x97 uint1 - x96, x97 = 
addcarryxU64(x94, x53, 0x0) - var x98 uint64 = (uint64(x97) + x55) - var x99 uint64 = ((x96 >> 51) | ((x98 << 13) & 0xffffffffffffffff)) - var x100 uint64 = (x96 & 0x7ffffffffffff) - var x101 uint64 = (x99 * 0x13) - var x102 uint64 = (x48 + x101) - var x103 uint64 = (x102 >> 51) - var x104 uint64 = (x102 & 0x7ffffffffffff) - var x105 uint64 = (x103 + x85) - var x106 uint1 = uint1((x105 >> 51)) - var x107 uint64 = (x105 & 0x7ffffffffffff) - var x108 uint64 = (uint64(x106) + x90) - out1[0] = x104 - out1[1] = x107 - out1[2] = x108 - out1[3] = x95 - out1[4] = x100 + x1 := (arg1[4] * 0x13) + x2 := (x1 * 0x2) + x3 := (arg1[4] * 0x2) + x4 := (arg1[3] * 0x13) + x5 := (x4 * 0x2) + x6 := (arg1[3] * 0x2) + x7 := (arg1[2] * 0x2) + x8 := (arg1[1] * 0x2) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[4], x1) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[3], x2) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[3], x4) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[2], x2) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[2], x5) + var x19 uint64 + var x20 uint64 + x20, x19 = bits.Mul64(arg1[2], arg1[2]) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(arg1[1], x2) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(arg1[1], x6) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(arg1[1], x7) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(arg1[1], arg1[1]) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(arg1[0], x3) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(arg1[0], x6) + var x33 uint64 + var x34 uint64 + x34, x33 = bits.Mul64(arg1[0], x7) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(arg1[0], x8) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(arg1[0], arg1[0]) + var x39 uint64 + var x40 uint1 + x39, x40 = addcarryxU64(x21, x17, 0x0) + var x41 uint64 + x41, _ = addcarryxU64(x22, x18, x40) + var x43 uint64 + var x44 uint1 + x43, 
x44 = addcarryxU64(x37, x39, 0x0) + var x45 uint64 + x45, _ = addcarryxU64(x38, x41, x44) + x47 := ((x43 >> 51) | ((x45 << 13) & 0xffffffffffffffff)) + x48 := (x43 & 0x7ffffffffffff) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x23, x19, 0x0) + var x51 uint64 + x51, _ = addcarryxU64(x24, x20, x50) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x29, x49, 0x0) + var x55 uint64 + x55, _ = addcarryxU64(x30, x51, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x25, x9, 0x0) + var x59 uint64 + x59, _ = addcarryxU64(x26, x10, x58) + var x61 uint64 + var x62 uint1 + x61, x62 = addcarryxU64(x31, x57, 0x0) + var x63 uint64 + x63, _ = addcarryxU64(x32, x59, x62) + var x65 uint64 + var x66 uint1 + x65, x66 = addcarryxU64(x27, x11, 0x0) + var x67 uint64 + x67, _ = addcarryxU64(x28, x12, x66) + var x69 uint64 + var x70 uint1 + x69, x70 = addcarryxU64(x33, x65, 0x0) + var x71 uint64 + x71, _ = addcarryxU64(x34, x67, x70) + var x73 uint64 + var x74 uint1 + x73, x74 = addcarryxU64(x15, x13, 0x0) + var x75 uint64 + x75, _ = addcarryxU64(x16, x14, x74) + var x77 uint64 + var x78 uint1 + x77, x78 = addcarryxU64(x35, x73, 0x0) + var x79 uint64 + x79, _ = addcarryxU64(x36, x75, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x47, x77, 0x0) + x83 := (uint64(x82) + x79) + x84 := ((x81 >> 51) | ((x83 << 13) & 0xffffffffffffffff)) + x85 := (x81 & 0x7ffffffffffff) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x84, x69, 0x0) + x88 := (uint64(x87) + x71) + x89 := ((x86 >> 51) | ((x88 << 13) & 0xffffffffffffffff)) + x90 := (x86 & 0x7ffffffffffff) + var x91 uint64 + var x92 uint1 + x91, x92 = addcarryxU64(x89, x61, 0x0) + x93 := (uint64(x92) + x63) + x94 := ((x91 >> 51) | ((x93 << 13) & 0xffffffffffffffff)) + x95 := (x91 & 0x7ffffffffffff) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x94, x53, 0x0) + x98 := (uint64(x97) + x55) + x99 := ((x96 >> 51) | ((x98 << 13) & 0xffffffffffffffff)) + x100 := (x96 & 
0x7ffffffffffff) + x101 := (x99 * 0x13) + x102 := (x48 + x101) + x103 := (x102 >> 51) + x104 := (x102 & 0x7ffffffffffff) + x105 := (x103 + x85) + x106 := uint1((x105 >> 51)) + x107 := (x105 & 0x7ffffffffffff) + x108 := (uint64(x106) + x90) + out1[0] = x104 + out1[1] = x107 + out1[2] = x108 + out1[3] = x95 + out1[4] = x100 } -/* - The function Carry reduces a field element. - Postconditions: - eval out1 mod m = eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - */ -/*inline*/ +// Carry reduces a field element. +// +// Postconditions: +// eval out1 mod m = eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] func Carry(out1 *[5]uint64, arg1 *[5]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 = ((x1 >> 51) + (arg1[1])) - var x3 uint64 = ((x2 >> 51) + (arg1[2])) - var x4 uint64 = ((x3 >> 51) + (arg1[3])) - var x5 uint64 = ((x4 >> 51) + (arg1[4])) - var x6 uint64 = ((x1 & 0x7ffffffffffff) + ((x5 >> 51) * 0x13)) - var x7 uint64 = (uint64(uint1((x6 >> 51))) + (x2 & 0x7ffffffffffff)) - var x8 uint64 = (x6 & 0x7ffffffffffff) - var x9 uint64 = (x7 & 0x7ffffffffffff) - var x10 uint64 = (uint64(uint1((x7 >> 51))) + (x3 & 0x7ffffffffffff)) - var x11 uint64 = (x4 & 0x7ffffffffffff) - var x12 uint64 = (x5 & 0x7ffffffffffff) - out1[0] = x8 - out1[1] = x9 - out1[2] = x10 - out1[3] = x11 - out1[4] = x12 + x1 := arg1[0] + x2 := ((x1 >> 51) + arg1[1]) + x3 := ((x2 >> 51) + arg1[2]) + x4 := ((x3 >> 51) + arg1[3]) + 
x5 := ((x4 >> 51) + arg1[4]) + x6 := ((x1 & 0x7ffffffffffff) + ((x5 >> 51) * 0x13)) + x7 := (uint64(uint1((x6 >> 51))) + (x2 & 0x7ffffffffffff)) + x8 := (x6 & 0x7ffffffffffff) + x9 := (x7 & 0x7ffffffffffff) + x10 := (uint64(uint1((x7 >> 51))) + (x3 & 0x7ffffffffffff)) + x11 := (x4 & 0x7ffffffffffff) + x12 := (x5 & 0x7ffffffffffff) + out1[0] = x8 + out1[1] = x9 + out1[2] = x10 + out1[3] = x11 + out1[4] = x12 } -/* - The function Add adds two field elements. - Postconditions: - eval out1 mod m = (eval arg1 + eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - arg2: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - */ -/*inline*/ +// Add adds two field elements. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 + eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] +// arg2: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] func Add(out1 *[5]uint64, arg1 *[5]uint64, arg2 *[5]uint64) { - var x1 uint64 = ((arg1[0]) + (arg2[0])) - var x2 uint64 = ((arg1[1]) + (arg2[1])) - var x3 uint64 = ((arg1[2]) + (arg2[2])) - var x4 uint64 = ((arg1[3]) + (arg2[3])) - var x5 uint64 = ((arg1[4]) + (arg2[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + x1 := (arg1[0] + arg2[0]) + x2 := (arg1[1] + arg2[1]) + x3 := (arg1[2] + arg2[2]) + x4 := (arg1[3] + arg2[3]) + x5 := (arg1[4] + arg2[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function Sub subtracts two field elements. - Postconditions: - eval out1 mod m = (eval arg1 - eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - arg2: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - */ -/*inline*/ +// Sub subtracts two field elements. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 - eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] +// arg2: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] func Sub(out1 *[5]uint64, arg1 *[5]uint64, arg2 *[5]uint64) { - var x1 uint64 = ((0xfffffffffffda + (arg1[0])) - (arg2[0])) - var x2 uint64 = ((0xffffffffffffe + (arg1[1])) - (arg2[1])) - var x3 uint64 = ((0xffffffffffffe + (arg1[2])) - (arg2[2])) - var x4 uint64 = ((0xffffffffffffe + (arg1[3])) - (arg2[3])) - var x5 uint64 = ((0xffffffffffffe + (arg1[4])) - (arg2[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + x1 := ((0xfffffffffffda + arg1[0]) - arg2[0]) + x2 := ((0xffffffffffffe + arg1[1]) - arg2[1]) + x3 := ((0xffffffffffffe + arg1[2]) - arg2[2]) + x4 := ((0xffffffffffffe + arg1[3]) - arg2[3]) + x5 := ((0xffffffffffffe + arg1[4]) - arg2[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function Opp negates a field element. - Postconditions: - eval out1 mod m = -eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - */ -/*inline*/ +// Opp negates a field element. 
+// +// Postconditions: +// eval out1 mod m = -eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] func Opp(out1 *[5]uint64, arg1 *[5]uint64) { - var x1 uint64 = (0xfffffffffffda - (arg1[0])) - var x2 uint64 = (0xffffffffffffe - (arg1[1])) - var x3 uint64 = (0xffffffffffffe - (arg1[2])) - var x4 uint64 = (0xffffffffffffe - (arg1[3])) - var x5 uint64 = (0xffffffffffffe - (arg1[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + x1 := (0xfffffffffffda - arg1[0]) + x2 := (0xffffffffffffe - arg1[1]) + x3 := (0xffffffffffffe - arg1[2]) + x4 := (0xffffffffffffe - arg1[3]) + x5 := (0xffffffffffffe - arg1[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function Selectznz is a multi-limb conditional select. - Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[5]uint64, arg1 uint1, arg2 *[5]uint64, arg3 *[5]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint64 - cmovznzU64(&x5, arg1, (arg2[4]), (arg3[4])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + var x5 uint64 + cmovznzU64(&x5, arg1, arg2[4], arg3[4]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 } -/* - The function ToBytes serializes a field element to bytes in little-endian order. 
- Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] - - Input Bounds: - arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - */ -/*inline*/ +// ToBytes serializes a field element to bytes in little-endian order. +// +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] +// +// Input Bounds: +// arg1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] func ToBytes(out1 *[32]uint8, arg1 *[5]uint64) { - var x1 uint64 - var x2 uint1 - subborrowxU51(&x1, &x2, 0x0, (arg1[0]), 0x7ffffffffffed) - var x3 uint64 - var x4 uint1 - subborrowxU51(&x3, &x4, x2, (arg1[1]), 0x7ffffffffffff) - var x5 uint64 - var x6 uint1 - subborrowxU51(&x5, &x6, x4, (arg1[2]), 0x7ffffffffffff) - var x7 uint64 - var x8 uint1 - 
subborrowxU51(&x7, &x8, x6, (arg1[3]), 0x7ffffffffffff) - var x9 uint64 - var x10 uint1 - subborrowxU51(&x9, &x10, x8, (arg1[4]), 0x7ffffffffffff) - var x11 uint64 - cmovznzU64(&x11, x10, uint64(0x0), 0xffffffffffffffff) - var x12 uint64 - var x13 uint1 - addcarryxU51(&x12, &x13, 0x0, x1, (x11 & 0x7ffffffffffed)) - var x14 uint64 - var x15 uint1 - addcarryxU51(&x14, &x15, x13, x3, (x11 & 0x7ffffffffffff)) - var x16 uint64 - var x17 uint1 - addcarryxU51(&x16, &x17, x15, x5, (x11 & 0x7ffffffffffff)) - var x18 uint64 - var x19 uint1 - addcarryxU51(&x18, &x19, x17, x7, (x11 & 0x7ffffffffffff)) - var x20 uint64 - var x21 uint1 - addcarryxU51(&x20, &x21, x19, x9, (x11 & 0x7ffffffffffff)) - var x22 uint64 = (x20 << 4) - var x23 uint64 = (x18 * uint64(0x2)) - var x24 uint64 = (x16 << 6) - var x25 uint64 = (x14 << 3) - var x26 uint8 = (uint8(x12) & 0xff) - var x27 uint64 = (x12 >> 8) - var x28 uint8 = (uint8(x27) & 0xff) - var x29 uint64 = (x27 >> 8) - var x30 uint8 = (uint8(x29) & 0xff) - var x31 uint64 = (x29 >> 8) - var x32 uint8 = (uint8(x31) & 0xff) - var x33 uint64 = (x31 >> 8) - var x34 uint8 = (uint8(x33) & 0xff) - var x35 uint64 = (x33 >> 8) - var x36 uint8 = (uint8(x35) & 0xff) - var x37 uint8 = uint8((x35 >> 8)) - var x38 uint64 = (x25 + uint64(x37)) - var x39 uint8 = (uint8(x38) & 0xff) - var x40 uint64 = (x38 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint64 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint64 = (x42 >> 8) - var x45 uint8 = (uint8(x44) & 0xff) - var x46 uint64 = (x44 >> 8) - var x47 uint8 = (uint8(x46) & 0xff) - var x48 uint64 = (x46 >> 8) - var x49 uint8 = (uint8(x48) & 0xff) - var x50 uint8 = uint8((x48 >> 8)) - var x51 uint64 = (x24 + uint64(x50)) - var x52 uint8 = (uint8(x51) & 0xff) - var x53 uint64 = (x51 >> 8) - var x54 uint8 = (uint8(x53) & 0xff) - var x55 uint64 = (x53 >> 8) - var x56 uint8 = (uint8(x55) & 0xff) - var x57 uint64 = (x55 >> 8) - var x58 uint8 = (uint8(x57) & 0xff) - var x59 uint64 = (x57 >> 8) - 
var x60 uint8 = (uint8(x59) & 0xff) - var x61 uint64 = (x59 >> 8) - var x62 uint8 = (uint8(x61) & 0xff) - var x63 uint64 = (x61 >> 8) - var x64 uint8 = (uint8(x63) & 0xff) - var x65 uint1 = uint1((x63 >> 8)) - var x66 uint64 = (x23 + uint64(x65)) - var x67 uint8 = (uint8(x66) & 0xff) - var x68 uint64 = (x66 >> 8) - var x69 uint8 = (uint8(x68) & 0xff) - var x70 uint64 = (x68 >> 8) - var x71 uint8 = (uint8(x70) & 0xff) - var x72 uint64 = (x70 >> 8) - var x73 uint8 = (uint8(x72) & 0xff) - var x74 uint64 = (x72 >> 8) - var x75 uint8 = (uint8(x74) & 0xff) - var x76 uint64 = (x74 >> 8) - var x77 uint8 = (uint8(x76) & 0xff) - var x78 uint8 = uint8((x76 >> 8)) - var x79 uint64 = (x22 + uint64(x78)) - var x80 uint8 = (uint8(x79) & 0xff) - var x81 uint64 = (x79 >> 8) - var x82 uint8 = (uint8(x81) & 0xff) - var x83 uint64 = (x81 >> 8) - var x84 uint8 = (uint8(x83) & 0xff) - var x85 uint64 = (x83 >> 8) - var x86 uint8 = (uint8(x85) & 0xff) - var x87 uint64 = (x85 >> 8) - var x88 uint8 = (uint8(x87) & 0xff) - var x89 uint64 = (x87 >> 8) - var x90 uint8 = (uint8(x89) & 0xff) - var x91 uint8 = uint8((x89 >> 8)) - out1[0] = x26 - out1[1] = x28 - out1[2] = x30 - out1[3] = x32 - out1[4] = x34 - out1[5] = x36 - out1[6] = x39 - out1[7] = x41 - out1[8] = x43 - out1[9] = x45 - out1[10] = x47 - out1[11] = x49 - out1[12] = x52 - out1[13] = x54 - out1[14] = x56 - out1[15] = x58 - out1[16] = x60 - out1[17] = x62 - out1[18] = x64 - out1[19] = x67 - out1[20] = x69 - out1[21] = x71 - out1[22] = x73 - out1[23] = x75 - out1[24] = x77 - out1[25] = x80 - out1[26] = x82 - out1[27] = x84 - out1[28] = x86 - out1[29] = x88 - out1[30] = x90 - out1[31] = x91 + var x1 uint64 + var x2 uint1 + subborrowxU51(&x1, &x2, 0x0, arg1[0], 0x7ffffffffffed) + var x3 uint64 + var x4 uint1 + subborrowxU51(&x3, &x4, x2, arg1[1], 0x7ffffffffffff) + var x5 uint64 + var x6 uint1 + subborrowxU51(&x5, &x6, x4, arg1[2], 0x7ffffffffffff) + var x7 uint64 + var x8 uint1 + subborrowxU51(&x7, &x8, x6, arg1[3], 0x7ffffffffffff) + 
var x9 uint64 + var x10 uint1 + subborrowxU51(&x9, &x10, x8, arg1[4], 0x7ffffffffffff) + var x11 uint64 + cmovznzU64(&x11, x10, uint64(0x0), 0xffffffffffffffff) + var x12 uint64 + var x13 uint1 + addcarryxU51(&x12, &x13, 0x0, x1, (x11 & 0x7ffffffffffed)) + var x14 uint64 + var x15 uint1 + addcarryxU51(&x14, &x15, x13, x3, (x11 & 0x7ffffffffffff)) + var x16 uint64 + var x17 uint1 + addcarryxU51(&x16, &x17, x15, x5, (x11 & 0x7ffffffffffff)) + var x18 uint64 + var x19 uint1 + addcarryxU51(&x18, &x19, x17, x7, (x11 & 0x7ffffffffffff)) + var x20 uint64 + var x21 uint1 + addcarryxU51(&x20, &x21, x19, x9, (x11 & 0x7ffffffffffff)) + x22 := (x20 << 4) + x23 := (x18 * uint64(0x2)) + x24 := (x16 << 6) + x25 := (x14 << 3) + x26 := (uint8(x12) & 0xff) + x27 := (x12 >> 8) + x28 := (uint8(x27) & 0xff) + x29 := (x27 >> 8) + x30 := (uint8(x29) & 0xff) + x31 := (x29 >> 8) + x32 := (uint8(x31) & 0xff) + x33 := (x31 >> 8) + x34 := (uint8(x33) & 0xff) + x35 := (x33 >> 8) + x36 := (uint8(x35) & 0xff) + x37 := uint8((x35 >> 8)) + x38 := (x25 + uint64(x37)) + x39 := (uint8(x38) & 0xff) + x40 := (x38 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := (uint8(x42) & 0xff) + x44 := (x42 >> 8) + x45 := (uint8(x44) & 0xff) + x46 := (x44 >> 8) + x47 := (uint8(x46) & 0xff) + x48 := (x46 >> 8) + x49 := (uint8(x48) & 0xff) + x50 := uint8((x48 >> 8)) + x51 := (x24 + uint64(x50)) + x52 := (uint8(x51) & 0xff) + x53 := (x51 >> 8) + x54 := (uint8(x53) & 0xff) + x55 := (x53 >> 8) + x56 := (uint8(x55) & 0xff) + x57 := (x55 >> 8) + x58 := (uint8(x57) & 0xff) + x59 := (x57 >> 8) + x60 := (uint8(x59) & 0xff) + x61 := (x59 >> 8) + x62 := (uint8(x61) & 0xff) + x63 := (x61 >> 8) + x64 := (uint8(x63) & 0xff) + x65 := uint1((x63 >> 8)) + x66 := (x23 + uint64(x65)) + x67 := (uint8(x66) & 0xff) + x68 := (x66 >> 8) + x69 := (uint8(x68) & 0xff) + x70 := (x68 >> 8) + x71 := (uint8(x70) & 0xff) + x72 := (x70 >> 8) + x73 := (uint8(x72) & 0xff) + x74 := (x72 >> 8) + x75 := (uint8(x74) & 0xff) + x76 := (x74 
>> 8) + x77 := (uint8(x76) & 0xff) + x78 := uint8((x76 >> 8)) + x79 := (x22 + uint64(x78)) + x80 := (uint8(x79) & 0xff) + x81 := (x79 >> 8) + x82 := (uint8(x81) & 0xff) + x83 := (x81 >> 8) + x84 := (uint8(x83) & 0xff) + x85 := (x83 >> 8) + x86 := (uint8(x85) & 0xff) + x87 := (x85 >> 8) + x88 := (uint8(x87) & 0xff) + x89 := (x87 >> 8) + x90 := (uint8(x89) & 0xff) + x91 := uint8((x89 >> 8)) + out1[0] = x26 + out1[1] = x28 + out1[2] = x30 + out1[3] = x32 + out1[4] = x34 + out1[5] = x36 + out1[6] = x39 + out1[7] = x41 + out1[8] = x43 + out1[9] = x45 + out1[10] = x47 + out1[11] = x49 + out1[12] = x52 + out1[13] = x54 + out1[14] = x56 + out1[15] = x58 + out1[16] = x60 + out1[17] = x62 + out1[18] = x64 + out1[19] = x67 + out1[20] = x69 + out1[21] = x71 + out1[22] = x73 + out1[23] = x75 + out1[24] = x77 + out1[25] = x80 + out1[26] = x82 + out1[27] = x84 + out1[28] = x86 + out1[29] = x88 + out1[30] = x90 + out1[31] = x91 } -/* - The function FromBytes deserializes a field element from bytes in little-endian order. - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - Output Bounds: - out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - */ -/*inline*/ +// FromBytes deserializes a field element from bytes in little-endian order. 
+// +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] +// Output Bounds: +// out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] func FromBytes(out1 *[5]uint64, arg1 *[32]uint8) { - var x1 uint64 = (uint64((arg1[31])) << 44) - var x2 uint64 = (uint64((arg1[30])) << 36) - var x3 uint64 = (uint64((arg1[29])) << 28) - var x4 uint64 = (uint64((arg1[28])) << 20) - var x5 uint64 = (uint64((arg1[27])) << 12) - var x6 uint64 = (uint64((arg1[26])) << 4) - var x7 uint64 = (uint64((arg1[25])) << 47) - var x8 uint64 = (uint64((arg1[24])) << 39) - var x9 uint64 = (uint64((arg1[23])) << 31) - var x10 uint64 = (uint64((arg1[22])) << 23) - var x11 uint64 = (uint64((arg1[21])) << 15) - var x12 uint64 = (uint64((arg1[20])) << 7) - var x13 uint64 = (uint64((arg1[19])) << 50) - var x14 uint64 = (uint64((arg1[18])) << 42) - var x15 uint64 = (uint64((arg1[17])) << 34) - var x16 uint64 = (uint64((arg1[16])) << 26) - var x17 uint64 = (uint64((arg1[15])) << 18) - var x18 uint64 = (uint64((arg1[14])) << 10) - var x19 uint64 = (uint64((arg1[13])) << 2) - var x20 uint64 = (uint64((arg1[12])) << 45) - var x21 uint64 = (uint64((arg1[11])) << 37) - var x22 uint64 = (uint64((arg1[10])) << 29) - var x23 uint64 = (uint64((arg1[9])) << 21) - var x24 uint64 = (uint64((arg1[8])) << 13) - var x25 uint64 = (uint64((arg1[7])) << 5) - var x26 uint64 = (uint64((arg1[6])) << 48) - var x27 uint64 = 
(uint64((arg1[5])) << 40) - var x28 uint64 = (uint64((arg1[4])) << 32) - var x29 uint64 = (uint64((arg1[3])) << 24) - var x30 uint64 = (uint64((arg1[2])) << 16) - var x31 uint64 = (uint64((arg1[1])) << 8) - var x32 uint8 = (arg1[0]) - var x33 uint64 = (x31 + uint64(x32)) - var x34 uint64 = (x30 + x33) - var x35 uint64 = (x29 + x34) - var x36 uint64 = (x28 + x35) - var x37 uint64 = (x27 + x36) - var x38 uint64 = (x26 + x37) - var x39 uint64 = (x38 & 0x7ffffffffffff) - var x40 uint8 = uint8((x38 >> 51)) - var x41 uint64 = (x25 + uint64(x40)) - var x42 uint64 = (x24 + x41) - var x43 uint64 = (x23 + x42) - var x44 uint64 = (x22 + x43) - var x45 uint64 = (x21 + x44) - var x46 uint64 = (x20 + x45) - var x47 uint64 = (x46 & 0x7ffffffffffff) - var x48 uint8 = uint8((x46 >> 51)) - var x49 uint64 = (x19 + uint64(x48)) - var x50 uint64 = (x18 + x49) - var x51 uint64 = (x17 + x50) - var x52 uint64 = (x16 + x51) - var x53 uint64 = (x15 + x52) - var x54 uint64 = (x14 + x53) - var x55 uint64 = (x13 + x54) - var x56 uint64 = (x55 & 0x7ffffffffffff) - var x57 uint8 = uint8((x55 >> 51)) - var x58 uint64 = (x12 + uint64(x57)) - var x59 uint64 = (x11 + x58) - var x60 uint64 = (x10 + x59) - var x61 uint64 = (x9 + x60) - var x62 uint64 = (x8 + x61) - var x63 uint64 = (x7 + x62) - var x64 uint64 = (x63 & 0x7ffffffffffff) - var x65 uint8 = uint8((x63 >> 51)) - var x66 uint64 = (x6 + uint64(x65)) - var x67 uint64 = (x5 + x66) - var x68 uint64 = (x4 + x67) - var x69 uint64 = (x3 + x68) - var x70 uint64 = (x2 + x69) - var x71 uint64 = (x1 + x70) - out1[0] = x39 - out1[1] = x47 - out1[2] = x56 - out1[3] = x64 - out1[4] = x71 + x1 := (uint64(arg1[31]) << 44) + x2 := (uint64(arg1[30]) << 36) + x3 := (uint64(arg1[29]) << 28) + x4 := (uint64(arg1[28]) << 20) + x5 := (uint64(arg1[27]) << 12) + x6 := (uint64(arg1[26]) << 4) + x7 := (uint64(arg1[25]) << 47) + x8 := (uint64(arg1[24]) << 39) + x9 := (uint64(arg1[23]) << 31) + x10 := (uint64(arg1[22]) << 23) + x11 := (uint64(arg1[21]) << 15) + x12 := 
(uint64(arg1[20]) << 7) + x13 := (uint64(arg1[19]) << 50) + x14 := (uint64(arg1[18]) << 42) + x15 := (uint64(arg1[17]) << 34) + x16 := (uint64(arg1[16]) << 26) + x17 := (uint64(arg1[15]) << 18) + x18 := (uint64(arg1[14]) << 10) + x19 := (uint64(arg1[13]) << 2) + x20 := (uint64(arg1[12]) << 45) + x21 := (uint64(arg1[11]) << 37) + x22 := (uint64(arg1[10]) << 29) + x23 := (uint64(arg1[9]) << 21) + x24 := (uint64(arg1[8]) << 13) + x25 := (uint64(arg1[7]) << 5) + x26 := (uint64(arg1[6]) << 48) + x27 := (uint64(arg1[5]) << 40) + x28 := (uint64(arg1[4]) << 32) + x29 := (uint64(arg1[3]) << 24) + x30 := (uint64(arg1[2]) << 16) + x31 := (uint64(arg1[1]) << 8) + x32 := arg1[0] + x33 := (x31 + uint64(x32)) + x34 := (x30 + x33) + x35 := (x29 + x34) + x36 := (x28 + x35) + x37 := (x27 + x36) + x38 := (x26 + x37) + x39 := (x38 & 0x7ffffffffffff) + x40 := uint8((x38 >> 51)) + x41 := (x25 + uint64(x40)) + x42 := (x24 + x41) + x43 := (x23 + x42) + x44 := (x22 + x43) + x45 := (x21 + x44) + x46 := (x20 + x45) + x47 := (x46 & 0x7ffffffffffff) + x48 := uint8((x46 >> 51)) + x49 := (x19 + uint64(x48)) + x50 := (x18 + x49) + x51 := (x17 + x50) + x52 := (x16 + x51) + x53 := (x15 + x52) + x54 := (x14 + x53) + x55 := (x13 + x54) + x56 := (x55 & 0x7ffffffffffff) + x57 := uint8((x55 >> 51)) + x58 := (x12 + uint64(x57)) + x59 := (x11 + x58) + x60 := (x10 + x59) + x61 := (x9 + x60) + x62 := (x8 + x61) + x63 := (x7 + x62) + x64 := (x63 & 0x7ffffffffffff) + x65 := uint8((x63 >> 51)) + x66 := (x6 + uint64(x65)) + x67 := (x5 + x66) + x68 := (x4 + x67) + x69 := (x3 + x68) + x70 := (x2 + x69) + x71 := (x1 + x70) + out1[0] = x39 + out1[1] = x47 + out1[2] = x56 + out1[3] = x64 + out1[4] = x71 } -/* - The function CarryScmul121666 multiplies a field element by 121666 and reduces the result. 
- Postconditions: - eval out1 mod m = (121666 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] - */ -/*inline*/ +// CarryScmul121666 multiplies a field element by 121666 and reduces the result. +// +// Postconditions: +// eval out1 mod m = (121666 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] func CarryScmul121666(out1 *[5]uint64, arg1 *[5]uint64) { - var x1 uint64 - var x2 uint64 - x2, x1 = bits.Mul64(0x1db42, (arg1[4])) - var x3 uint64 - var x4 uint64 - x4, x3 = bits.Mul64(0x1db42, (arg1[3])) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(0x1db42, (arg1[2])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(0x1db42, (arg1[1])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(0x1db42, (arg1[0])) - var x11 uint64 = ((x9 >> 51) | ((x10 << 13) & 0xffffffffffffffff)) - var x12 uint64 = (x9 & 0x7ffffffffffff) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x11, x7, 0x0) - var x15 uint64 = (uint64(x14) + x8) - var x16 uint64 = ((x13 >> 51) | ((x15 << 13) & 0xffffffffffffffff)) - var x17 uint64 = (x13 & 0x7ffffffffffff) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(x16, x5, 0x0) - var x20 uint64 = (uint64(x19) + x6) - var x21 uint64 = ((x18 >> 51) | ((x20 << 13) & 0xffffffffffffffff)) - var x22 uint64 = (x18 & 0x7ffffffffffff) - var x23 uint64 - var x24 uint1 - x23, x24 = addcarryxU64(x21, x3, 0x0) - var x25 uint64 = (uint64(x24) + x4) - var x26 uint64 
= ((x23 >> 51) | ((x25 << 13) & 0xffffffffffffffff)) - var x27 uint64 = (x23 & 0x7ffffffffffff) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x26, x1, 0x0) - var x30 uint64 = (uint64(x29) + x2) - var x31 uint64 = ((x28 >> 51) | ((x30 << 13) & 0xffffffffffffffff)) - var x32 uint64 = (x28 & 0x7ffffffffffff) - var x33 uint64 = (x31 * 0x13) - var x34 uint64 = (x12 + x33) - var x35 uint1 = uint1((x34 >> 51)) - var x36 uint64 = (x34 & 0x7ffffffffffff) - var x37 uint64 = (uint64(x35) + x17) - var x38 uint1 = uint1((x37 >> 51)) - var x39 uint64 = (x37 & 0x7ffffffffffff) - var x40 uint64 = (uint64(x38) + x22) - out1[0] = x36 - out1[1] = x39 - out1[2] = x40 - out1[3] = x27 - out1[4] = x32 + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(0x1db42, arg1[4]) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(0x1db42, arg1[3]) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(0x1db42, arg1[2]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(0x1db42, arg1[1]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(0x1db42, arg1[0]) + x11 := ((x9 >> 51) | ((x10 << 13) & 0xffffffffffffffff)) + x12 := (x9 & 0x7ffffffffffff) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x11, x7, 0x0) + x15 := (uint64(x14) + x8) + x16 := ((x13 >> 51) | ((x15 << 13) & 0xffffffffffffffff)) + x17 := (x13 & 0x7ffffffffffff) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(x16, x5, 0x0) + x20 := (uint64(x19) + x6) + x21 := ((x18 >> 51) | ((x20 << 13) & 0xffffffffffffffff)) + x22 := (x18 & 0x7ffffffffffff) + var x23 uint64 + var x24 uint1 + x23, x24 = addcarryxU64(x21, x3, 0x0) + x25 := (uint64(x24) + x4) + x26 := ((x23 >> 51) | ((x25 << 13) & 0xffffffffffffffff)) + x27 := (x23 & 0x7ffffffffffff) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(x26, x1, 0x0) + x30 := (uint64(x29) + x2) + x31 := ((x28 >> 51) | ((x30 << 13) & 0xffffffffffffffff)) + x32 := (x28 & 0x7ffffffffffff) + x33 := (x31 * 0x13) + x34 := (x12 + x33) + x35 := uint1((x34 >> 
51)) + x36 := (x34 & 0x7ffffffffffff) + x37 := (uint64(x35) + x17) + x38 := uint1((x37 >> 51)) + x39 := (x37 & 0x7ffffffffffff) + x40 := (uint64(x38) + x22) + out1[0] = x36 + out1[1] = x39 + out1[2] = x40 + out1[3] = x27 + out1[4] = x32 } - diff --git a/fiat-go/64/p224/p224.go b/fiat-go/64/p224/p224.go index b760eb4be30..3a736872f1d 100644 --- a/fiat-go/64/p224/p224.go +++ b/fiat-go/64/p224/p224.go 
@@ -1,1834 +1,1797 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p224 '' 64 '2^224 - 2^96 + 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): p224 - - machine_wordsize = 64 (from "64") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xffffffffffffffffffffffffffffffff000000000000000000000001 (from "2^224 - 2^96 + 1") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. - - - - Computed values: - - eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in - - if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. 
+// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --package-name p224 '' 64 '2^224 - 2^96 + 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): p224 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xffffffffffffffffffffffffffffffff000000000000000000000001 (from "2^224 - 2^96 + 1") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. 
+// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +// +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 package p224 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU64 is a single-word conditional move. 
- Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, (arg2[3])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, (arg2[2])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, (arg2[1])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, (arg2[0])) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, x16) - var x19 uint64 = (uint64(x18) + x6) - var x20 uint64 - _, x20 = bits.Mul64(x11, 0xffffffffffffffff) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x20, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x20, 0xffffffff00000000) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x27, x24, 0x0) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x25, x22, x29) - var x32 uint64 = (uint64(x31) + x23) - var x34 uint1 - _, x34 = addcarryxU64(x11, x20, 0x0) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x13, x26, x34) - var x37 uint64 - var x38 
uint1 - x37, x38 = addcarryxU64(x15, x28, x36) - var x39 uint64 - var x40 uint1 - x39, x40 = addcarryxU64(x17, x30, x38) - var x41 uint64 - var x42 uint1 - x41, x42 = addcarryxU64(x19, x32, x40) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, (arg2[3])) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, (arg2[2])) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x1, (arg2[1])) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x1, (arg2[0])) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x50, x47, 0x0) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x48, x45, x52) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x46, x43, x54) - var x57 uint64 = (uint64(x56) + x44) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x35, x49, 0x0) - var x60 uint64 - var x61 uint1 - x60, x61 = addcarryxU64(x37, x51, x59) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x39, x53, x61) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x41, x55, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(uint64(x42), x57, x65) - var x68 uint64 - _, x68 = bits.Mul64(x58, 0xffffffffffffffff) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64(x68, 0xffffffff) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x68, 0xffffffffffffffff) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x68, 0xffffffff00000000) - var x76 uint64 - var x77 uint1 - x76, x77 = addcarryxU64(x75, x72, 0x0) - var x78 uint64 - var x79 uint1 - x78, x79 = addcarryxU64(x73, x70, x77) - var x80 uint64 = (uint64(x79) + x71) - var x82 uint1 - _, x82 = addcarryxU64(x58, x68, 0x0) - var x83 uint64 - var x84 uint1 - x83, x84 = addcarryxU64(x60, x74, x82) - var x85 uint64 - var x86 uint1 - x85, x86 = addcarryxU64(x62, x76, x84) - var x87 uint64 - var x88 uint1 - x87, x88 = addcarryxU64(x64, x78, x86) - var x89 uint64 - var x90 uint1 - x89, x90 = addcarryxU64(x66, x80, x88) - var x91 uint64 = 
(uint64(x90) + uint64(x67)) - var x92 uint64 - var x93 uint64 - x93, x92 = bits.Mul64(x2, (arg2[3])) - var x94 uint64 - var x95 uint64 - x95, x94 = bits.Mul64(x2, (arg2[2])) - var x96 uint64 - var x97 uint64 - x97, x96 = bits.Mul64(x2, (arg2[1])) - var x98 uint64 - var x99 uint64 - x99, x98 = bits.Mul64(x2, (arg2[0])) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x99, x96, 0x0) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x97, x94, x101) - var x104 uint64 - var x105 uint1 - x104, x105 = addcarryxU64(x95, x92, x103) - var x106 uint64 = (uint64(x105) + x93) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x83, x98, 0x0) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64(x85, x100, x108) - var x111 uint64 - var x112 uint1 - x111, x112 = addcarryxU64(x87, x102, x110) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x89, x104, x112) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x91, x106, x114) - var x117 uint64 - _, x117 = bits.Mul64(x107, 0xffffffffffffffff) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x117, 0xffffffff) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64(x117, 0xffffffffffffffff) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x117, 0xffffffff00000000) - var x125 uint64 - var x126 uint1 - x125, x126 = addcarryxU64(x124, x121, 0x0) - var x127 uint64 - var x128 uint1 - x127, x128 = addcarryxU64(x122, x119, x126) - var x129 uint64 = (uint64(x128) + x120) - var x131 uint1 - _, x131 = addcarryxU64(x107, x117, 0x0) - var x132 uint64 - var x133 uint1 - x132, x133 = addcarryxU64(x109, x123, x131) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x111, x125, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = addcarryxU64(x113, x127, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x115, x129, x137) - var x140 uint64 = (uint64(x139) + uint64(x116)) - var x141 uint64 - var x142 uint64 - x142, 
x141 = bits.Mul64(x3, (arg2[3])) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x3, (arg2[2])) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64(x3, (arg2[1])) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64(x3, (arg2[0])) - var x149 uint64 - var x150 uint1 - x149, x150 = addcarryxU64(x148, x145, 0x0) - var x151 uint64 - var x152 uint1 - x151, x152 = addcarryxU64(x146, x143, x150) - var x153 uint64 - var x154 uint1 - x153, x154 = addcarryxU64(x144, x141, x152) - var x155 uint64 = (uint64(x154) + x142) - var x156 uint64 - var x157 uint1 - x156, x157 = addcarryxU64(x132, x147, 0x0) - var x158 uint64 - var x159 uint1 - x158, x159 = addcarryxU64(x134, x149, x157) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x136, x151, x159) - var x162 uint64 - var x163 uint1 - x162, x163 = addcarryxU64(x138, x153, x161) - var x164 uint64 - var x165 uint1 - x164, x165 = addcarryxU64(x140, x155, x163) - var x166 uint64 - _, x166 = bits.Mul64(x156, 0xffffffffffffffff) - var x168 uint64 - var x169 uint64 - x169, x168 = bits.Mul64(x166, 0xffffffff) - var x170 uint64 - var x171 uint64 - x171, x170 = bits.Mul64(x166, 0xffffffffffffffff) - var x172 uint64 - var x173 uint64 - x173, x172 = bits.Mul64(x166, 0xffffffff00000000) - var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x173, x170, 0x0) - var x176 uint64 - var x177 uint1 - x176, x177 = addcarryxU64(x171, x168, x175) - var x178 uint64 = (uint64(x177) + x169) - var x180 uint1 - _, x180 = addcarryxU64(x156, x166, 0x0) - var x181 uint64 - var x182 uint1 - x181, x182 = addcarryxU64(x158, x172, x180) - var x183 uint64 - var x184 uint1 - x183, x184 = addcarryxU64(x160, x174, x182) - var x185 uint64 - var x186 uint1 - x185, x186 = addcarryxU64(x162, x176, x184) - var x187 uint64 - var x188 uint1 - x187, x188 = addcarryxU64(x164, x178, x186) - var x189 uint64 = (uint64(x188) + uint64(x165)) - var x190 uint64 - var x191 uint1 - x190, x191 = subborrowxU64(x181, uint64(0x1), 0x0) 
- var x192 uint64 - var x193 uint1 - x192, x193 = subborrowxU64(x183, 0xffffffff00000000, x191) - var x194 uint64 - var x195 uint1 - x194, x195 = subborrowxU64(x185, 0xffffffffffffffff, x193) - var x196 uint64 - var x197 uint1 - x196, x197 = subborrowxU64(x187, 0xffffffff, x195) - var x199 uint1 - _, x199 = subborrowxU64(x189, uint64(0x0), x197) - var x200 uint64 - cmovznzU64(&x200, x199, x190, x181) - var x201 uint64 - cmovznzU64(&x201, x199, x192, x183) - var x202 uint64 - cmovznzU64(&x202, x199, x194, x185) - var x203 uint64 - cmovznzU64(&x203, x199, x196, x187) - out1[0] = x200 - out1[1] = x201 - out1[2] = x202 - out1[3] = x203 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, arg2[3]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, arg2[2]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, arg2[1]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, arg2[0]) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x8, x5, x16) + x19 := (uint64(x18) + x6) + var x20 uint64 + _, x20 = bits.Mul64(x11, 0xffffffffffffffff) + var x22 uint64 + var x23 uint64 + x23, x22 = bits.Mul64(x20, 0xffffffff) + var x24 uint64 + var x25 uint64 + x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) + var x26 uint64 + var x27 uint64 + x27, x26 = bits.Mul64(x20, 0xffffffff00000000) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(x27, x24, 0x0) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x25, x22, x29) + x32 := (uint64(x31) + x23) + var x34 uint1 + _, x34 = addcarryxU64(x11, x20, 0x0) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x13, x26, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x15, x28, x36) + var x39 uint64 + var x40 uint1 + x39, x40 = addcarryxU64(x17, x30, x38) + var x41 uint64 
+ var x42 uint1 + x41, x42 = addcarryxU64(x19, x32, x40) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x1, arg2[3]) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(x1, arg2[2]) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(x1, arg2[1]) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(x1, arg2[0]) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x50, x47, 0x0) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x48, x45, x52) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x46, x43, x54) + x57 := (uint64(x56) + x44) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x35, x49, 0x0) + var x60 uint64 + var x61 uint1 + x60, x61 = addcarryxU64(x37, x51, x59) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x39, x53, x61) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x41, x55, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(uint64(x42), x57, x65) + var x68 uint64 + _, x68 = bits.Mul64(x58, 0xffffffffffffffff) + var x70 uint64 + var x71 uint64 + x71, x70 = bits.Mul64(x68, 0xffffffff) + var x72 uint64 + var x73 uint64 + x73, x72 = bits.Mul64(x68, 0xffffffffffffffff) + var x74 uint64 + var x75 uint64 + x75, x74 = bits.Mul64(x68, 0xffffffff00000000) + var x76 uint64 + var x77 uint1 + x76, x77 = addcarryxU64(x75, x72, 0x0) + var x78 uint64 + var x79 uint1 + x78, x79 = addcarryxU64(x73, x70, x77) + x80 := (uint64(x79) + x71) + var x82 uint1 + _, x82 = addcarryxU64(x58, x68, 0x0) + var x83 uint64 + var x84 uint1 + x83, x84 = addcarryxU64(x60, x74, x82) + var x85 uint64 + var x86 uint1 + x85, x86 = addcarryxU64(x62, x76, x84) + var x87 uint64 + var x88 uint1 + x87, x88 = addcarryxU64(x64, x78, x86) + var x89 uint64 + var x90 uint1 + x89, x90 = addcarryxU64(x66, x80, x88) + x91 := (uint64(x90) + uint64(x67)) + var x92 uint64 + var x93 uint64 + x93, x92 = bits.Mul64(x2, arg2[3]) + var x94 uint64 + var x95 uint64 + x95, x94 = bits.Mul64(x2, arg2[2]) + var x96 uint64 
+ var x97 uint64 + x97, x96 = bits.Mul64(x2, arg2[1]) + var x98 uint64 + var x99 uint64 + x99, x98 = bits.Mul64(x2, arg2[0]) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x99, x96, 0x0) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x97, x94, x101) + var x104 uint64 + var x105 uint1 + x104, x105 = addcarryxU64(x95, x92, x103) + x106 := (uint64(x105) + x93) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x83, x98, 0x0) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64(x85, x100, x108) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x87, x102, x110) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x89, x104, x112) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x91, x106, x114) + var x117 uint64 + _, x117 = bits.Mul64(x107, 0xffffffffffffffff) + var x119 uint64 + var x120 uint64 + x120, x119 = bits.Mul64(x117, 0xffffffff) + var x121 uint64 + var x122 uint64 + x122, x121 = bits.Mul64(x117, 0xffffffffffffffff) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(x117, 0xffffffff00000000) + var x125 uint64 + var x126 uint1 + x125, x126 = addcarryxU64(x124, x121, 0x0) + var x127 uint64 + var x128 uint1 + x127, x128 = addcarryxU64(x122, x119, x126) + x129 := (uint64(x128) + x120) + var x131 uint1 + _, x131 = addcarryxU64(x107, x117, 0x0) + var x132 uint64 + var x133 uint1 + x132, x133 = addcarryxU64(x109, x123, x131) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x111, x125, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = addcarryxU64(x113, x127, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x115, x129, x137) + x140 := (uint64(x139) + uint64(x116)) + var x141 uint64 + var x142 uint64 + x142, x141 = bits.Mul64(x3, arg2[3]) + var x143 uint64 + var x144 uint64 + x144, x143 = bits.Mul64(x3, arg2[2]) + var x145 uint64 + var x146 uint64 + x146, x145 = bits.Mul64(x3, arg2[1]) + var x147 uint64 + var x148 uint64 + x148, 
x147 = bits.Mul64(x3, arg2[0]) + var x149 uint64 + var x150 uint1 + x149, x150 = addcarryxU64(x148, x145, 0x0) + var x151 uint64 + var x152 uint1 + x151, x152 = addcarryxU64(x146, x143, x150) + var x153 uint64 + var x154 uint1 + x153, x154 = addcarryxU64(x144, x141, x152) + x155 := (uint64(x154) + x142) + var x156 uint64 + var x157 uint1 + x156, x157 = addcarryxU64(x132, x147, 0x0) + var x158 uint64 + var x159 uint1 + x158, x159 = addcarryxU64(x134, x149, x157) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x136, x151, x159) + var x162 uint64 + var x163 uint1 + x162, x163 = addcarryxU64(x138, x153, x161) + var x164 uint64 + var x165 uint1 + x164, x165 = addcarryxU64(x140, x155, x163) + var x166 uint64 + _, x166 = bits.Mul64(x156, 0xffffffffffffffff) + var x168 uint64 + var x169 uint64 + x169, x168 = bits.Mul64(x166, 0xffffffff) + var x170 uint64 + var x171 uint64 + x171, x170 = bits.Mul64(x166, 0xffffffffffffffff) + var x172 uint64 + var x173 uint64 + x173, x172 = bits.Mul64(x166, 0xffffffff00000000) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x173, x170, 0x0) + var x176 uint64 + var x177 uint1 + x176, x177 = addcarryxU64(x171, x168, x175) + x178 := (uint64(x177) + x169) + var x180 uint1 + _, x180 = addcarryxU64(x156, x166, 0x0) + var x181 uint64 + var x182 uint1 + x181, x182 = addcarryxU64(x158, x172, x180) + var x183 uint64 + var x184 uint1 + x183, x184 = addcarryxU64(x160, x174, x182) + var x185 uint64 + var x186 uint1 + x185, x186 = addcarryxU64(x162, x176, x184) + var x187 uint64 + var x188 uint1 + x187, x188 = addcarryxU64(x164, x178, x186) + x189 := (uint64(x188) + uint64(x165)) + var x190 uint64 + var x191 uint1 + x190, x191 = subborrowxU64(x181, uint64(0x1), 0x0) + var x192 uint64 + var x193 uint1 + x192, x193 = subborrowxU64(x183, 0xffffffff00000000, x191) + var x194 uint64 + var x195 uint1 + x194, x195 = subborrowxU64(x185, 0xffffffffffffffff, x193) + var x196 uint64 + var x197 uint1 + x196, x197 = subborrowxU64(x187, 
0xffffffff, x195) + var x199 uint1 + _, x199 = subborrowxU64(x189, uint64(0x0), x197) + var x200 uint64 + cmovznzU64(&x200, x199, x190, x181) + var x201 uint64 + cmovznzU64(&x201, x199, x192, x183) + var x202 uint64 + cmovznzU64(&x202, x199, x194, x185) + var x203 uint64 + cmovznzU64(&x203, x199, x196, x187) + out1[0] = x200 + out1[1] = x201 + out1[2] = x202 + out1[3] = x203 } -/* - The function Square squares a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Square(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, (arg1[3])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, (arg1[2])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, (arg1[1])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, (arg1[0])) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 
0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, x16) - var x19 uint64 = (uint64(x18) + x6) - var x20 uint64 - _, x20 = bits.Mul64(x11, 0xffffffffffffffff) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x20, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x20, 0xffffffff00000000) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x27, x24, 0x0) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x25, x22, x29) - var x32 uint64 = (uint64(x31) + x23) - var x34 uint1 - _, x34 = addcarryxU64(x11, x20, 0x0) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x13, x26, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x15, x28, x36) - var x39 uint64 - var x40 uint1 - x39, x40 = addcarryxU64(x17, x30, x38) - var x41 uint64 - var x42 uint1 - x41, x42 = addcarryxU64(x19, x32, x40) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, (arg1[3])) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, (arg1[2])) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x1, (arg1[1])) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x1, (arg1[0])) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x50, x47, 0x0) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x48, x45, x52) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x46, x43, x54) - var x57 uint64 = (uint64(x56) + x44) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x35, x49, 0x0) - var x60 uint64 - var x61 uint1 - x60, x61 = addcarryxU64(x37, x51, x59) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x39, x53, x61) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x41, x55, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(uint64(x42), x57, x65) - var x68 uint64 - _, x68 = 
bits.Mul64(x58, 0xffffffffffffffff) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64(x68, 0xffffffff) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x68, 0xffffffffffffffff) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x68, 0xffffffff00000000) - var x76 uint64 - var x77 uint1 - x76, x77 = addcarryxU64(x75, x72, 0x0) - var x78 uint64 - var x79 uint1 - x78, x79 = addcarryxU64(x73, x70, x77) - var x80 uint64 = (uint64(x79) + x71) - var x82 uint1 - _, x82 = addcarryxU64(x58, x68, 0x0) - var x83 uint64 - var x84 uint1 - x83, x84 = addcarryxU64(x60, x74, x82) - var x85 uint64 - var x86 uint1 - x85, x86 = addcarryxU64(x62, x76, x84) - var x87 uint64 - var x88 uint1 - x87, x88 = addcarryxU64(x64, x78, x86) - var x89 uint64 - var x90 uint1 - x89, x90 = addcarryxU64(x66, x80, x88) - var x91 uint64 = (uint64(x90) + uint64(x67)) - var x92 uint64 - var x93 uint64 - x93, x92 = bits.Mul64(x2, (arg1[3])) - var x94 uint64 - var x95 uint64 - x95, x94 = bits.Mul64(x2, (arg1[2])) - var x96 uint64 - var x97 uint64 - x97, x96 = bits.Mul64(x2, (arg1[1])) - var x98 uint64 - var x99 uint64 - x99, x98 = bits.Mul64(x2, (arg1[0])) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x99, x96, 0x0) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x97, x94, x101) - var x104 uint64 - var x105 uint1 - x104, x105 = addcarryxU64(x95, x92, x103) - var x106 uint64 = (uint64(x105) + x93) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x83, x98, 0x0) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64(x85, x100, x108) - var x111 uint64 - var x112 uint1 - x111, x112 = addcarryxU64(x87, x102, x110) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x89, x104, x112) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x91, x106, x114) - var x117 uint64 - _, x117 = bits.Mul64(x107, 0xffffffffffffffff) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x117, 0xffffffff) - var x121 uint64 - var 
x122 uint64 - x122, x121 = bits.Mul64(x117, 0xffffffffffffffff) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x117, 0xffffffff00000000) - var x125 uint64 - var x126 uint1 - x125, x126 = addcarryxU64(x124, x121, 0x0) - var x127 uint64 - var x128 uint1 - x127, x128 = addcarryxU64(x122, x119, x126) - var x129 uint64 = (uint64(x128) + x120) - var x131 uint1 - _, x131 = addcarryxU64(x107, x117, 0x0) - var x132 uint64 - var x133 uint1 - x132, x133 = addcarryxU64(x109, x123, x131) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x111, x125, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = addcarryxU64(x113, x127, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x115, x129, x137) - var x140 uint64 = (uint64(x139) + uint64(x116)) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64(x3, (arg1[3])) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x3, (arg1[2])) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64(x3, (arg1[1])) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64(x3, (arg1[0])) - var x149 uint64 - var x150 uint1 - x149, x150 = addcarryxU64(x148, x145, 0x0) - var x151 uint64 - var x152 uint1 - x151, x152 = addcarryxU64(x146, x143, x150) - var x153 uint64 - var x154 uint1 - x153, x154 = addcarryxU64(x144, x141, x152) - var x155 uint64 = (uint64(x154) + x142) - var x156 uint64 - var x157 uint1 - x156, x157 = addcarryxU64(x132, x147, 0x0) - var x158 uint64 - var x159 uint1 - x158, x159 = addcarryxU64(x134, x149, x157) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x136, x151, x159) - var x162 uint64 - var x163 uint1 - x162, x163 = addcarryxU64(x138, x153, x161) - var x164 uint64 - var x165 uint1 - x164, x165 = addcarryxU64(x140, x155, x163) - var x166 uint64 - _, x166 = bits.Mul64(x156, 0xffffffffffffffff) - var x168 uint64 - var x169 uint64 - x169, x168 = bits.Mul64(x166, 0xffffffff) - var x170 uint64 - var x171 uint64 - x171, x170 = bits.Mul64(x166, 
0xffffffffffffffff) - var x172 uint64 - var x173 uint64 - x173, x172 = bits.Mul64(x166, 0xffffffff00000000) - var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x173, x170, 0x0) - var x176 uint64 - var x177 uint1 - x176, x177 = addcarryxU64(x171, x168, x175) - var x178 uint64 = (uint64(x177) + x169) - var x180 uint1 - _, x180 = addcarryxU64(x156, x166, 0x0) - var x181 uint64 - var x182 uint1 - x181, x182 = addcarryxU64(x158, x172, x180) - var x183 uint64 - var x184 uint1 - x183, x184 = addcarryxU64(x160, x174, x182) - var x185 uint64 - var x186 uint1 - x185, x186 = addcarryxU64(x162, x176, x184) - var x187 uint64 - var x188 uint1 - x187, x188 = addcarryxU64(x164, x178, x186) - var x189 uint64 = (uint64(x188) + uint64(x165)) - var x190 uint64 - var x191 uint1 - x190, x191 = subborrowxU64(x181, uint64(0x1), 0x0) - var x192 uint64 - var x193 uint1 - x192, x193 = subborrowxU64(x183, 0xffffffff00000000, x191) - var x194 uint64 - var x195 uint1 - x194, x195 = subborrowxU64(x185, 0xffffffffffffffff, x193) - var x196 uint64 - var x197 uint1 - x196, x197 = subborrowxU64(x187, 0xffffffff, x195) - var x199 uint1 - _, x199 = subborrowxU64(x189, uint64(0x0), x197) - var x200 uint64 - cmovznzU64(&x200, x199, x190, x181) - var x201 uint64 - cmovznzU64(&x201, x199, x192, x183) - var x202 uint64 - cmovznzU64(&x202, x199, x194, x185) - var x203 uint64 - cmovznzU64(&x203, x199, x196, x187) - out1[0] = x200 - out1[1] = x201 - out1[2] = x202 - out1[3] = x203 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, arg1[3]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, arg1[2]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, arg1[1]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, arg1[0]) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 
= addcarryxU64(x8, x5, x16) + x19 := (uint64(x18) + x6) + var x20 uint64 + _, x20 = bits.Mul64(x11, 0xffffffffffffffff) + var x22 uint64 + var x23 uint64 + x23, x22 = bits.Mul64(x20, 0xffffffff) + var x24 uint64 + var x25 uint64 + x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) + var x26 uint64 + var x27 uint64 + x27, x26 = bits.Mul64(x20, 0xffffffff00000000) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(x27, x24, 0x0) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x25, x22, x29) + x32 := (uint64(x31) + x23) + var x34 uint1 + _, x34 = addcarryxU64(x11, x20, 0x0) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x13, x26, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x15, x28, x36) + var x39 uint64 + var x40 uint1 + x39, x40 = addcarryxU64(x17, x30, x38) + var x41 uint64 + var x42 uint1 + x41, x42 = addcarryxU64(x19, x32, x40) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x1, arg1[3]) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(x1, arg1[2]) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(x1, arg1[1]) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(x1, arg1[0]) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x50, x47, 0x0) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x48, x45, x52) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x46, x43, x54) + x57 := (uint64(x56) + x44) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x35, x49, 0x0) + var x60 uint64 + var x61 uint1 + x60, x61 = addcarryxU64(x37, x51, x59) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x39, x53, x61) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x41, x55, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(uint64(x42), x57, x65) + var x68 uint64 + _, x68 = bits.Mul64(x58, 0xffffffffffffffff) + var x70 uint64 + var x71 uint64 + x71, x70 = bits.Mul64(x68, 0xffffffff) + var x72 uint64 + var x73 uint64 + x73, x72 = 
bits.Mul64(x68, 0xffffffffffffffff) + var x74 uint64 + var x75 uint64 + x75, x74 = bits.Mul64(x68, 0xffffffff00000000) + var x76 uint64 + var x77 uint1 + x76, x77 = addcarryxU64(x75, x72, 0x0) + var x78 uint64 + var x79 uint1 + x78, x79 = addcarryxU64(x73, x70, x77) + x80 := (uint64(x79) + x71) + var x82 uint1 + _, x82 = addcarryxU64(x58, x68, 0x0) + var x83 uint64 + var x84 uint1 + x83, x84 = addcarryxU64(x60, x74, x82) + var x85 uint64 + var x86 uint1 + x85, x86 = addcarryxU64(x62, x76, x84) + var x87 uint64 + var x88 uint1 + x87, x88 = addcarryxU64(x64, x78, x86) + var x89 uint64 + var x90 uint1 + x89, x90 = addcarryxU64(x66, x80, x88) + x91 := (uint64(x90) + uint64(x67)) + var x92 uint64 + var x93 uint64 + x93, x92 = bits.Mul64(x2, arg1[3]) + var x94 uint64 + var x95 uint64 + x95, x94 = bits.Mul64(x2, arg1[2]) + var x96 uint64 + var x97 uint64 + x97, x96 = bits.Mul64(x2, arg1[1]) + var x98 uint64 + var x99 uint64 + x99, x98 = bits.Mul64(x2, arg1[0]) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x99, x96, 0x0) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x97, x94, x101) + var x104 uint64 + var x105 uint1 + x104, x105 = addcarryxU64(x95, x92, x103) + x106 := (uint64(x105) + x93) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x83, x98, 0x0) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64(x85, x100, x108) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x87, x102, x110) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x89, x104, x112) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x91, x106, x114) + var x117 uint64 + _, x117 = bits.Mul64(x107, 0xffffffffffffffff) + var x119 uint64 + var x120 uint64 + x120, x119 = bits.Mul64(x117, 0xffffffff) + var x121 uint64 + var x122 uint64 + x122, x121 = bits.Mul64(x117, 0xffffffffffffffff) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(x117, 0xffffffff00000000) + var x125 uint64 + var x126 uint1 + x125, 
x126 = addcarryxU64(x124, x121, 0x0) + var x127 uint64 + var x128 uint1 + x127, x128 = addcarryxU64(x122, x119, x126) + x129 := (uint64(x128) + x120) + var x131 uint1 + _, x131 = addcarryxU64(x107, x117, 0x0) + var x132 uint64 + var x133 uint1 + x132, x133 = addcarryxU64(x109, x123, x131) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x111, x125, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = addcarryxU64(x113, x127, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x115, x129, x137) + x140 := (uint64(x139) + uint64(x116)) + var x141 uint64 + var x142 uint64 + x142, x141 = bits.Mul64(x3, arg1[3]) + var x143 uint64 + var x144 uint64 + x144, x143 = bits.Mul64(x3, arg1[2]) + var x145 uint64 + var x146 uint64 + x146, x145 = bits.Mul64(x3, arg1[1]) + var x147 uint64 + var x148 uint64 + x148, x147 = bits.Mul64(x3, arg1[0]) + var x149 uint64 + var x150 uint1 + x149, x150 = addcarryxU64(x148, x145, 0x0) + var x151 uint64 + var x152 uint1 + x151, x152 = addcarryxU64(x146, x143, x150) + var x153 uint64 + var x154 uint1 + x153, x154 = addcarryxU64(x144, x141, x152) + x155 := (uint64(x154) + x142) + var x156 uint64 + var x157 uint1 + x156, x157 = addcarryxU64(x132, x147, 0x0) + var x158 uint64 + var x159 uint1 + x158, x159 = addcarryxU64(x134, x149, x157) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x136, x151, x159) + var x162 uint64 + var x163 uint1 + x162, x163 = addcarryxU64(x138, x153, x161) + var x164 uint64 + var x165 uint1 + x164, x165 = addcarryxU64(x140, x155, x163) + var x166 uint64 + _, x166 = bits.Mul64(x156, 0xffffffffffffffff) + var x168 uint64 + var x169 uint64 + x169, x168 = bits.Mul64(x166, 0xffffffff) + var x170 uint64 + var x171 uint64 + x171, x170 = bits.Mul64(x166, 0xffffffffffffffff) + var x172 uint64 + var x173 uint64 + x173, x172 = bits.Mul64(x166, 0xffffffff00000000) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x173, x170, 0x0) + var x176 uint64 + var x177 uint1 + x176, 
x177 = addcarryxU64(x171, x168, x175) + x178 := (uint64(x177) + x169) + var x180 uint1 + _, x180 = addcarryxU64(x156, x166, 0x0) + var x181 uint64 + var x182 uint1 + x181, x182 = addcarryxU64(x158, x172, x180) + var x183 uint64 + var x184 uint1 + x183, x184 = addcarryxU64(x160, x174, x182) + var x185 uint64 + var x186 uint1 + x185, x186 = addcarryxU64(x162, x176, x184) + var x187 uint64 + var x188 uint1 + x187, x188 = addcarryxU64(x164, x178, x186) + x189 := (uint64(x188) + uint64(x165)) + var x190 uint64 + var x191 uint1 + x190, x191 = subborrowxU64(x181, uint64(0x1), 0x0) + var x192 uint64 + var x193 uint1 + x192, x193 = subborrowxU64(x183, 0xffffffff00000000, x191) + var x194 uint64 + var x195 uint1 + x194, x195 = subborrowxU64(x185, 0xffffffffffffffff, x193) + var x196 uint64 + var x197 uint1 + x196, x197 = subborrowxU64(x187, 0xffffffff, x195) + var x199 uint1 + _, x199 = subborrowxU64(x189, uint64(0x0), x197) + var x200 uint64 + cmovznzU64(&x200, x199, x190, x181) + var x201 uint64 + cmovznzU64(&x201, x199, x192, x183) + var x202 uint64 + cmovznzU64(&x202, x199, x194, x185) + var x203 uint64 + cmovznzU64(&x203, x199, x196, x187) + out1[0] = x200 + out1[1] = x201 + out1[2] = x202 + out1[3] = x203 } -/* - The function Add adds two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Add(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = addcarryxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = addcarryxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = addcarryxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = addcarryxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = subborrowxU64(x1, uint64(0x1), 0x0) - var x11 uint64 - var x12 uint1 - x11, x12 = subborrowxU64(x3, 0xffffffff00000000, x10) - var x13 uint64 - var x14 uint1 - x13, x14 = subborrowxU64(x5, 0xffffffffffffffff, x12) - var x15 uint64 - var x16 uint1 - x15, x16 = subborrowxU64(x7, 0xffffffff, x14) - var x18 uint1 - _, x18 = subborrowxU64(uint64(x8), uint64(0x0), x16) - var x19 uint64 - cmovznzU64(&x19, x18, x9, x1) - var x20 uint64 - cmovznzU64(&x20, x18, x11, x3) - var x21 uint64 - cmovznzU64(&x21, x18, x13, x5) - var x22 uint64 - cmovznzU64(&x22, x18, x15, x7) - out1[0] = x19 - out1[1] = x20 - out1[2] = x21 - out1[3] = x22 + var x1 uint64 + var x2 uint1 + x1, x2 = addcarryxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = addcarryxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = addcarryxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = addcarryxU64(arg1[3], 
arg2[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = subborrowxU64(x1, uint64(0x1), 0x0) + var x11 uint64 + var x12 uint1 + x11, x12 = subborrowxU64(x3, 0xffffffff00000000, x10) + var x13 uint64 + var x14 uint1 + x13, x14 = subborrowxU64(x5, 0xffffffffffffffff, x12) + var x15 uint64 + var x16 uint1 + x15, x16 = subborrowxU64(x7, 0xffffffff, x14) + var x18 uint1 + _, x18 = subborrowxU64(uint64(x8), uint64(0x0), x16) + var x19 uint64 + cmovznzU64(&x19, x18, x9, x1) + var x20 uint64 + cmovznzU64(&x20, x18, x11, x3) + var x21 uint64 + cmovznzU64(&x21, x18, x13, x5) + var x22 uint64 + cmovznzU64(&x22, x18, x15, x7) + out1[0] = x19 + out1[1] = x20 + out1[2] = x21 + out1[3] = x22 } -/* - The function Sub subtracts two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Sub(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint1 - x10, x11 = addcarryxU64(x1, uint64((uint1(x9) & 0x1)), 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff00000000), x11) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(x5, x9, x13) - var x16 uint64 - x16, _ = addcarryxU64(x7, (x9 & 0xffffffff), x15) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(arg1[3], arg2[3], x6) + var x9 uint64 + cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) + var x10 uint64 + var x11 uint1 + x10, x11 = addcarryxU64(x1, uint64((uint1(x9) & 0x1)), 0x0) + var x12 uint64 + var x13 
uint1 + x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff00000000), x11) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x5, x9, x13) + var x16 uint64 + x16, _ = addcarryxU64(x7, (x9 & 0xffffffff), x15) + out1[0] = x10 + out1[1] = x12 + out1[2] = x14 + out1[3] = x16 } -/* - The function Opp negates a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Opp(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64(uint64(0x0), (arg1[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64(uint64(0x0), (arg1[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64(uint64(0x0), (arg1[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64(uint64(0x0), (arg1[3]), x6) - var x9 uint64 - cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint1 - x10, x11 = addcarryxU64(x1, uint64((uint1(x9) & 0x1)), 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff00000000), x11) - var x14 uint64 - var x15 uint1 - x14, x15 
= addcarryxU64(x5, x9, x13) - var x16 uint64 - x16, _ = addcarryxU64(x7, (x9 & 0xffffffff), x15) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(uint64(0x0), arg1[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(uint64(0x0), arg1[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(uint64(0x0), arg1[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(uint64(0x0), arg1[3], x6) + var x9 uint64 + cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) + var x10 uint64 + var x11 uint1 + x10, x11 = addcarryxU64(x1, uint64((uint1(x9) & 0x1)), 0x0) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff00000000), x11) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x5, x9, x13) + var x16 uint64 + x16, _ = addcarryxU64(x7, (x9 & 0xffffffff), x15) + out1[0] = x10 + out1[1] = x12 + out1[2] = x14 + out1[3] = x16 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromMontgomery(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 - _, x2 = bits.Mul64(x1, 0xffffffffffffffff) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x2, 0xffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x2, 0xffffffff00000000) - var x10 uint64 - var x11 uint1 - x10, x11 = addcarryxU64(x9, x6, 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x7, x4, x11) - var x15 uint1 - _, x15 = addcarryxU64(x1, x2, 0x0) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(uint64(0x0), x8, x15) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(uint64(0x0), x10, x17) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(uint64(0x0), x12, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x16, (arg1[1]), 0x0) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x18, uint64(0x0), x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x20, uint64(0x0), x25) - var x28 uint64 - _, x28 = bits.Mul64(x22, 0xffffffffffffffff) - var x30 uint64 - var x31 uint64 - x31, x30 = bits.Mul64(x28, 0xffffffff) - var x32 uint64 - var x33 uint64 - x33, x32 = bits.Mul64(x28, 0xffffffffffffffff) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64(x28, 0xffffffff00000000) - var x36 uint64 - var x37 uint1 - x36, x37 = addcarryxU64(x35, x32, 0x0) - var x38 uint64 - var x39 uint1 - x38, x39 = addcarryxU64(x33, x30, x37) - var x41 uint1 - _, x41 = addcarryxU64(x22, 
x28, 0x0) - var x42 uint64 - var x43 uint1 - x42, x43 = addcarryxU64(x24, x34, x41) - var x44 uint64 - var x45 uint1 - x44, x45 = addcarryxU64(x26, x36, x43) - var x46 uint64 - var x47 uint1 - x46, x47 = addcarryxU64((uint64(x27) + (uint64(x21) + (uint64(x13) + x5))), x38, x45) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x42, (arg1[2]), 0x0) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x44, uint64(0x0), x49) - var x52 uint64 - var x53 uint1 - x52, x53 = addcarryxU64(x46, uint64(0x0), x51) - var x54 uint64 - _, x54 = bits.Mul64(x48, 0xffffffffffffffff) - var x56 uint64 - var x57 uint64 - x57, x56 = bits.Mul64(x54, 0xffffffff) - var x58 uint64 - var x59 uint64 - x59, x58 = bits.Mul64(x54, 0xffffffffffffffff) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64(x54, 0xffffffff00000000) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x61, x58, 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x59, x56, x63) - var x67 uint1 - _, x67 = addcarryxU64(x48, x54, 0x0) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x50, x60, x67) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x52, x62, x69) - var x72 uint64 - var x73 uint1 - x72, x73 = addcarryxU64((uint64(x53) + (uint64(x47) + (uint64(x39) + x31))), x64, x71) - var x74 uint64 - var x75 uint1 - x74, x75 = addcarryxU64(x68, (arg1[3]), 0x0) - var x76 uint64 - var x77 uint1 - x76, x77 = addcarryxU64(x70, uint64(0x0), x75) - var x78 uint64 - var x79 uint1 - x78, x79 = addcarryxU64(x72, uint64(0x0), x77) - var x80 uint64 - _, x80 = bits.Mul64(x74, 0xffffffffffffffff) - var x82 uint64 - var x83 uint64 - x83, x82 = bits.Mul64(x80, 0xffffffff) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x80, 0xffffffffffffffff) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x80, 0xffffffff00000000) - var x88 uint64 - var x89 uint1 - x88, x89 = addcarryxU64(x87, x84, 0x0) - var x90 uint64 - var x91 uint1 - x90, x91 = addcarryxU64(x85, x82, x89) - 
var x93 uint1 - _, x93 = addcarryxU64(x74, x80, 0x0) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x76, x86, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x78, x88, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64((uint64(x79) + (uint64(x73) + (uint64(x65) + x57))), x90, x97) - var x100 uint64 = (uint64(x99) + (uint64(x91) + x83)) - var x101 uint64 - var x102 uint1 - x101, x102 = subborrowxU64(x94, uint64(0x1), 0x0) - var x103 uint64 - var x104 uint1 - x103, x104 = subborrowxU64(x96, 0xffffffff00000000, x102) - var x105 uint64 - var x106 uint1 - x105, x106 = subborrowxU64(x98, 0xffffffffffffffff, x104) - var x107 uint64 - var x108 uint1 - x107, x108 = subborrowxU64(x100, 0xffffffff, x106) - var x110 uint1 - _, x110 = subborrowxU64(uint64(0x0), uint64(0x0), x108) - var x111 uint64 - cmovznzU64(&x111, x110, x101, x94) - var x112 uint64 - cmovznzU64(&x112, x110, x103, x96) - var x113 uint64 - cmovznzU64(&x113, x110, x105, x98) - var x114 uint64 - cmovznzU64(&x114, x110, x107, x100) - out1[0] = x111 - out1[1] = x112 - out1[2] = x113 - out1[3] = x114 + x1 := arg1[0] + var x2 uint64 + _, x2 = bits.Mul64(x1, 0xffffffffffffffff) + var x4 uint64 + var x5 uint64 + x5, x4 = bits.Mul64(x2, 0xffffffff) + var x6 uint64 + var x7 uint64 + x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) + var x8 uint64 + var x9 uint64 + x9, x8 = bits.Mul64(x2, 0xffffffff00000000) + var x10 uint64 + var x11 uint1 + x10, x11 = addcarryxU64(x9, x6, 0x0) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(x7, x4, x11) + var x15 uint1 + _, x15 = addcarryxU64(x1, x2, 0x0) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(uint64(0x0), x8, x15) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(uint64(0x0), x10, x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(uint64(0x0), x12, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x16, arg1[1], 0x0) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x18, 
uint64(0x0), x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x20, uint64(0x0), x25) + var x28 uint64 + _, x28 = bits.Mul64(x22, 0xffffffffffffffff) + var x30 uint64 + var x31 uint64 + x31, x30 = bits.Mul64(x28, 0xffffffff) + var x32 uint64 + var x33 uint64 + x33, x32 = bits.Mul64(x28, 0xffffffffffffffff) + var x34 uint64 + var x35 uint64 + x35, x34 = bits.Mul64(x28, 0xffffffff00000000) + var x36 uint64 + var x37 uint1 + x36, x37 = addcarryxU64(x35, x32, 0x0) + var x38 uint64 + var x39 uint1 + x38, x39 = addcarryxU64(x33, x30, x37) + var x41 uint1 + _, x41 = addcarryxU64(x22, x28, 0x0) + var x42 uint64 + var x43 uint1 + x42, x43 = addcarryxU64(x24, x34, x41) + var x44 uint64 + var x45 uint1 + x44, x45 = addcarryxU64(x26, x36, x43) + var x46 uint64 + var x47 uint1 + x46, x47 = addcarryxU64((uint64(x27) + (uint64(x21) + (uint64(x13) + x5))), x38, x45) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x42, arg1[2], 0x0) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x44, uint64(0x0), x49) + var x52 uint64 + var x53 uint1 + x52, x53 = addcarryxU64(x46, uint64(0x0), x51) + var x54 uint64 + _, x54 = bits.Mul64(x48, 0xffffffffffffffff) + var x56 uint64 + var x57 uint64 + x57, x56 = bits.Mul64(x54, 0xffffffff) + var x58 uint64 + var x59 uint64 + x59, x58 = bits.Mul64(x54, 0xffffffffffffffff) + var x60 uint64 + var x61 uint64 + x61, x60 = bits.Mul64(x54, 0xffffffff00000000) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x61, x58, 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x59, x56, x63) + var x67 uint1 + _, x67 = addcarryxU64(x48, x54, 0x0) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x50, x60, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x52, x62, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = addcarryxU64((uint64(x53) + (uint64(x47) + (uint64(x39) + x31))), x64, x71) + var x74 uint64 + var x75 uint1 + x74, x75 = addcarryxU64(x68, arg1[3], 0x0) + var x76 uint64 + var 
x77 uint1 + x76, x77 = addcarryxU64(x70, uint64(0x0), x75) + var x78 uint64 + var x79 uint1 + x78, x79 = addcarryxU64(x72, uint64(0x0), x77) + var x80 uint64 + _, x80 = bits.Mul64(x74, 0xffffffffffffffff) + var x82 uint64 + var x83 uint64 + x83, x82 = bits.Mul64(x80, 0xffffffff) + var x84 uint64 + var x85 uint64 + x85, x84 = bits.Mul64(x80, 0xffffffffffffffff) + var x86 uint64 + var x87 uint64 + x87, x86 = bits.Mul64(x80, 0xffffffff00000000) + var x88 uint64 + var x89 uint1 + x88, x89 = addcarryxU64(x87, x84, 0x0) + var x90 uint64 + var x91 uint1 + x90, x91 = addcarryxU64(x85, x82, x89) + var x93 uint1 + _, x93 = addcarryxU64(x74, x80, 0x0) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x76, x86, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x78, x88, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64((uint64(x79) + (uint64(x73) + (uint64(x65) + x57))), x90, x97) + x100 := (uint64(x99) + (uint64(x91) + x83)) + var x101 uint64 + var x102 uint1 + x101, x102 = subborrowxU64(x94, uint64(0x1), 0x0) + var x103 uint64 + var x104 uint1 + x103, x104 = subborrowxU64(x96, 0xffffffff00000000, x102) + var x105 uint64 + var x106 uint1 + x105, x106 = subborrowxU64(x98, 0xffffffffffffffff, x104) + var x107 uint64 + var x108 uint1 + x107, x108 = subborrowxU64(x100, 0xffffffff, x106) + var x110 uint1 + _, x110 = subborrowxU64(uint64(0x0), uint64(0x0), x108) + var x111 uint64 + cmovznzU64(&x111, x110, x101, x94) + var x112 uint64 + cmovznzU64(&x112, x110, x103, x96) + var x113 uint64 + cmovznzU64(&x113, x110, x105, x98) + var x114 uint64 + cmovznzU64(&x114, x110, x107, x100) + out1[0] = x111 + out1[1] = x112 + out1[2] = x113 + out1[3] = x114 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func ToMontgomery(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, 0xffffffff) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, 0xfffffffe00000000) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, 0xffffffff00000000) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, 0xffffffff00000001) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, x16) - var x19 uint64 - _, x19 = bits.Mul64(x11, 0xffffffffffffffff) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64(x19, 0xffffffff) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64(x19, 0xffffffffffffffff) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64(x19, 0xffffffff00000000) - var x27 uint64 - var x28 uint1 - x27, x28 = 
addcarryxU64(x26, x23, 0x0) - var x29 uint64 - var x30 uint1 - x29, x30 = addcarryxU64(x24, x21, x28) - var x32 uint1 - _, x32 = addcarryxU64(x11, x19, 0x0) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x13, x25, x32) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x15, x27, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x17, x29, x36) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, 0xffffffff) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, 0xfffffffe00000000) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, 0xffffffff00000000) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, 0xffffffff00000001) - var x47 uint64 - var x48 uint1 - x47, x48 = addcarryxU64(x46, x43, 0x0) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x44, x41, x48) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x42, x39, x50) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x33, x45, 0x0) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x35, x47, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x37, x49, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(((uint64(x38) + (uint64(x18) + x6)) + (uint64(x30) + x22)), x51, x58) - var x61 uint64 - _, x61 = bits.Mul64(x53, 0xffffffffffffffff) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64(x61, 0xffffffff) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64(x61, 0xffffffffffffffff) - var x67 uint64 - var x68 uint64 - x68, x67 = bits.Mul64(x61, 0xffffffff00000000) - var x69 uint64 - var x70 uint1 - x69, x70 = addcarryxU64(x68, x65, 0x0) - var x71 uint64 - var x72 uint1 - x71, x72 = addcarryxU64(x66, x63, x70) - var x74 uint1 - _, x74 = addcarryxU64(x53, x61, 0x0) - var x75 uint64 - var x76 uint1 - x75, x76 = addcarryxU64(x55, x67, x74) - var x77 uint64 - var x78 uint1 - x77, x78 = addcarryxU64(x57, x69, x76) - var x79 uint64 - var x80 uint1 - x79, x80 = addcarryxU64(x59, x71, 
x78) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64(x2, 0xffffffff) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64(x2, 0xfffffffe00000000) - var x85 uint64 - var x86 uint64 - x86, x85 = bits.Mul64(x2, 0xffffffff00000000) - var x87 uint64 - var x88 uint64 - x88, x87 = bits.Mul64(x2, 0xffffffff00000001) - var x89 uint64 - var x90 uint1 - x89, x90 = addcarryxU64(x88, x85, 0x0) - var x91 uint64 - var x92 uint1 - x91, x92 = addcarryxU64(x86, x83, x90) - var x93 uint64 - var x94 uint1 - x93, x94 = addcarryxU64(x84, x81, x92) - var x95 uint64 - var x96 uint1 - x95, x96 = addcarryxU64(x75, x87, 0x0) - var x97 uint64 - var x98 uint1 - x97, x98 = addcarryxU64(x77, x89, x96) - var x99 uint64 - var x100 uint1 - x99, x100 = addcarryxU64(x79, x91, x98) - var x101 uint64 - var x102 uint1 - x101, x102 = addcarryxU64(((uint64(x80) + (uint64(x60) + (uint64(x52) + x40))) + (uint64(x72) + x64)), x93, x100) - var x103 uint64 - _, x103 = bits.Mul64(x95, 0xffffffffffffffff) - var x105 uint64 - var x106 uint64 - x106, x105 = bits.Mul64(x103, 0xffffffff) - var x107 uint64 - var x108 uint64 - x108, x107 = bits.Mul64(x103, 0xffffffffffffffff) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64(x103, 0xffffffff00000000) - var x111 uint64 - var x112 uint1 - x111, x112 = addcarryxU64(x110, x107, 0x0) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x108, x105, x112) - var x116 uint1 - _, x116 = addcarryxU64(x95, x103, 0x0) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x97, x109, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(x99, x111, x118) - var x121 uint64 - var x122 uint1 - x121, x122 = addcarryxU64(x101, x113, x120) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x3, 0xffffffff) - var x125 uint64 - var x126 uint64 - x126, x125 = bits.Mul64(x3, 0xfffffffe00000000) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x3, 0xffffffff00000000) - var x129 uint64 - var x130 uint64 - x130, 
x129 = bits.Mul64(x3, 0xffffffff00000001) - var x131 uint64 - var x132 uint1 - x131, x132 = addcarryxU64(x130, x127, 0x0) - var x133 uint64 - var x134 uint1 - x133, x134 = addcarryxU64(x128, x125, x132) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x126, x123, x134) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x117, x129, 0x0) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x119, x131, x138) - var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x121, x133, x140) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(((uint64(x122) + (uint64(x102) + (uint64(x94) + x82))) + (uint64(x114) + x106)), x135, x142) - var x145 uint64 - _, x145 = bits.Mul64(x137, 0xffffffffffffffff) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64(x145, 0xffffffff) - var x149 uint64 - var x150 uint64 - x150, x149 = bits.Mul64(x145, 0xffffffffffffffff) - var x151 uint64 - var x152 uint64 - x152, x151 = bits.Mul64(x145, 0xffffffff00000000) - var x153 uint64 - var x154 uint1 - x153, x154 = addcarryxU64(x152, x149, 0x0) - var x155 uint64 - var x156 uint1 - x155, x156 = addcarryxU64(x150, x147, x154) - var x158 uint1 - _, x158 = addcarryxU64(x137, x145, 0x0) - var x159 uint64 - var x160 uint1 - x159, x160 = addcarryxU64(x139, x151, x158) - var x161 uint64 - var x162 uint1 - x161, x162 = addcarryxU64(x141, x153, x160) - var x163 uint64 - var x164 uint1 - x163, x164 = addcarryxU64(x143, x155, x162) - var x165 uint64 = ((uint64(x164) + (uint64(x144) + (uint64(x136) + x124))) + (uint64(x156) + x148)) - var x166 uint64 - var x167 uint1 - x166, x167 = subborrowxU64(x159, uint64(0x1), 0x0) - var x168 uint64 - var x169 uint1 - x168, x169 = subborrowxU64(x161, 0xffffffff00000000, x167) - var x170 uint64 - var x171 uint1 - x170, x171 = subborrowxU64(x163, 0xffffffffffffffff, x169) - var x172 uint64 - var x173 uint1 - x172, x173 = subborrowxU64(x165, 0xffffffff, x171) - var x175 uint1 - _, x175 = subborrowxU64(uint64(0x0), 
uint64(0x0), x173) - var x176 uint64 - cmovznzU64(&x176, x175, x166, x159) - var x177 uint64 - cmovznzU64(&x177, x175, x168, x161) - var x178 uint64 - cmovznzU64(&x178, x175, x170, x163) - var x179 uint64 - cmovznzU64(&x179, x175, x172, x165) - out1[0] = x176 - out1[1] = x177 - out1[2] = x178 - out1[3] = x179 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, 0xffffffff) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, 0xfffffffe00000000) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, 0xffffffff00000000) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, 0xffffffff00000001) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x8, x5, x16) + var x19 uint64 + _, x19 = bits.Mul64(x11, 0xffffffffffffffff) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(x19, 0xffffffff) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(x19, 0xffffffffffffffff) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(x19, 0xffffffff00000000) + var x27 uint64 + var x28 uint1 + x27, x28 = addcarryxU64(x26, x23, 0x0) + var x29 uint64 + var x30 uint1 + x29, x30 = addcarryxU64(x24, x21, x28) + var x32 uint1 + _, x32 = addcarryxU64(x11, x19, 0x0) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x13, x25, x32) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x15, x27, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x17, x29, x36) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(x1, 0xffffffff) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(x1, 0xfffffffe00000000) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x1, 0xffffffff00000000) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(x1, 0xffffffff00000001) + var x47 uint64 + var x48 uint1 + x47, x48 = 
addcarryxU64(x46, x43, 0x0) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x44, x41, x48) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x42, x39, x50) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x33, x45, 0x0) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x35, x47, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x37, x49, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(((uint64(x38) + (uint64(x18) + x6)) + (uint64(x30) + x22)), x51, x58) + var x61 uint64 + _, x61 = bits.Mul64(x53, 0xffffffffffffffff) + var x63 uint64 + var x64 uint64 + x64, x63 = bits.Mul64(x61, 0xffffffff) + var x65 uint64 + var x66 uint64 + x66, x65 = bits.Mul64(x61, 0xffffffffffffffff) + var x67 uint64 + var x68 uint64 + x68, x67 = bits.Mul64(x61, 0xffffffff00000000) + var x69 uint64 + var x70 uint1 + x69, x70 = addcarryxU64(x68, x65, 0x0) + var x71 uint64 + var x72 uint1 + x71, x72 = addcarryxU64(x66, x63, x70) + var x74 uint1 + _, x74 = addcarryxU64(x53, x61, 0x0) + var x75 uint64 + var x76 uint1 + x75, x76 = addcarryxU64(x55, x67, x74) + var x77 uint64 + var x78 uint1 + x77, x78 = addcarryxU64(x57, x69, x76) + var x79 uint64 + var x80 uint1 + x79, x80 = addcarryxU64(x59, x71, x78) + var x81 uint64 + var x82 uint64 + x82, x81 = bits.Mul64(x2, 0xffffffff) + var x83 uint64 + var x84 uint64 + x84, x83 = bits.Mul64(x2, 0xfffffffe00000000) + var x85 uint64 + var x86 uint64 + x86, x85 = bits.Mul64(x2, 0xffffffff00000000) + var x87 uint64 + var x88 uint64 + x88, x87 = bits.Mul64(x2, 0xffffffff00000001) + var x89 uint64 + var x90 uint1 + x89, x90 = addcarryxU64(x88, x85, 0x0) + var x91 uint64 + var x92 uint1 + x91, x92 = addcarryxU64(x86, x83, x90) + var x93 uint64 + var x94 uint1 + x93, x94 = addcarryxU64(x84, x81, x92) + var x95 uint64 + var x96 uint1 + x95, x96 = addcarryxU64(x75, x87, 0x0) + var x97 uint64 + var x98 uint1 + x97, x98 = addcarryxU64(x77, x89, x96) + var x99 uint64 + var x100 uint1 + x99, x100 = 
addcarryxU64(x79, x91, x98) + var x101 uint64 + var x102 uint1 + x101, x102 = addcarryxU64(((uint64(x80) + (uint64(x60) + (uint64(x52) + x40))) + (uint64(x72) + x64)), x93, x100) + var x103 uint64 + _, x103 = bits.Mul64(x95, 0xffffffffffffffff) + var x105 uint64 + var x106 uint64 + x106, x105 = bits.Mul64(x103, 0xffffffff) + var x107 uint64 + var x108 uint64 + x108, x107 = bits.Mul64(x103, 0xffffffffffffffff) + var x109 uint64 + var x110 uint64 + x110, x109 = bits.Mul64(x103, 0xffffffff00000000) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x110, x107, 0x0) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x108, x105, x112) + var x116 uint1 + _, x116 = addcarryxU64(x95, x103, 0x0) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x97, x109, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(x99, x111, x118) + var x121 uint64 + var x122 uint1 + x121, x122 = addcarryxU64(x101, x113, x120) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(x3, 0xffffffff) + var x125 uint64 + var x126 uint64 + x126, x125 = bits.Mul64(x3, 0xfffffffe00000000) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(x3, 0xffffffff00000000) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x3, 0xffffffff00000001) + var x131 uint64 + var x132 uint1 + x131, x132 = addcarryxU64(x130, x127, 0x0) + var x133 uint64 + var x134 uint1 + x133, x134 = addcarryxU64(x128, x125, x132) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x126, x123, x134) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x117, x129, 0x0) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x119, x131, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x121, x133, x140) + var x143 uint64 + var x144 uint1 + x143, x144 = addcarryxU64(((uint64(x122) + (uint64(x102) + (uint64(x94) + x82))) + (uint64(x114) + x106)), x135, x142) + var x145 uint64 + _, x145 = bits.Mul64(x137, 
0xffffffffffffffff) + var x147 uint64 + var x148 uint64 + x148, x147 = bits.Mul64(x145, 0xffffffff) + var x149 uint64 + var x150 uint64 + x150, x149 = bits.Mul64(x145, 0xffffffffffffffff) + var x151 uint64 + var x152 uint64 + x152, x151 = bits.Mul64(x145, 0xffffffff00000000) + var x153 uint64 + var x154 uint1 + x153, x154 = addcarryxU64(x152, x149, 0x0) + var x155 uint64 + var x156 uint1 + x155, x156 = addcarryxU64(x150, x147, x154) + var x158 uint1 + _, x158 = addcarryxU64(x137, x145, 0x0) + var x159 uint64 + var x160 uint1 + x159, x160 = addcarryxU64(x139, x151, x158) + var x161 uint64 + var x162 uint1 + x161, x162 = addcarryxU64(x141, x153, x160) + var x163 uint64 + var x164 uint1 + x163, x164 = addcarryxU64(x143, x155, x162) + x165 := ((uint64(x164) + (uint64(x144) + (uint64(x136) + x124))) + (uint64(x156) + x148)) + var x166 uint64 + var x167 uint1 + x166, x167 = subborrowxU64(x159, uint64(0x1), 0x0) + var x168 uint64 + var x169 uint1 + x168, x169 = subborrowxU64(x161, 0xffffffff00000000, x167) + var x170 uint64 + var x171 uint1 + x170, x171 = subborrowxU64(x163, 0xffffffffffffffff, x169) + var x172 uint64 + var x173 uint1 + x172, x173 = subborrowxU64(x165, 0xffffffff, x171) + var x175 uint1 + _, x175 = subborrowxU64(uint64(0x0), uint64(0x0), x173) + var x176 uint64 + cmovznzU64(&x176, x175, x166, x159) + var x177 uint64 + cmovznzU64(&x177, x175, x168, x161) + var x178 uint64 + cmovznzU64(&x178, x175, x170, x163) + var x179 uint64 + cmovznzU64(&x179, x175, x172, x165) + out1[0] = x176 + out1[1] = x177 + out1[2] = x178 + out1[3] = x179 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func Nonzero(out1 *uint64, arg1 *[4]uint64) { - var x1 uint64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | arg1[3]))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. - Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[4]uint64, arg1 uint1, arg2 *[4]uint64, arg3 *[4]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..27] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..27] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[28]uint8, arg1 *[4]uint64) { - var x1 uint64 = (arg1[3]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[1]) - var x4 uint64 = (arg1[0]) - var x5 uint8 = (uint8(x4) & 0xff) - var x6 uint64 = (x4 >> 8) - var x7 uint8 = (uint8(x6) & 0xff) - var x8 uint64 = (x6 >> 8) - var x9 uint8 = (uint8(x8) & 0xff) - var x10 uint64 = (x8 >> 8) - var x11 uint8 = (uint8(x10) & 0xff) - var x12 uint64 = (x10 >> 8) - 
var x13 uint8 = (uint8(x12) & 0xff) - var x14 uint64 = (x12 >> 8) - var x15 uint8 = (uint8(x14) & 0xff) - var x16 uint64 = (x14 >> 8) - var x17 uint8 = (uint8(x16) & 0xff) - var x18 uint8 = uint8((x16 >> 8)) - var x19 uint8 = (uint8(x3) & 0xff) - var x20 uint64 = (x3 >> 8) - var x21 uint8 = (uint8(x20) & 0xff) - var x22 uint64 = (x20 >> 8) - var x23 uint8 = (uint8(x22) & 0xff) - var x24 uint64 = (x22 >> 8) - var x25 uint8 = (uint8(x24) & 0xff) - var x26 uint64 = (x24 >> 8) - var x27 uint8 = (uint8(x26) & 0xff) - var x28 uint64 = (x26 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint64 = (x28 >> 8) - var x31 uint8 = (uint8(x30) & 0xff) - var x32 uint8 = uint8((x30 >> 8)) - var x33 uint8 = (uint8(x2) & 0xff) - var x34 uint64 = (x2 >> 8) - var x35 uint8 = (uint8(x34) & 0xff) - var x36 uint64 = (x34 >> 8) - var x37 uint8 = (uint8(x36) & 0xff) - var x38 uint64 = (x36 >> 8) - var x39 uint8 = (uint8(x38) & 0xff) - var x40 uint64 = (x38 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint64 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint64 = (x42 >> 8) - var x45 uint8 = (uint8(x44) & 0xff) - var x46 uint8 = uint8((x44 >> 8)) - var x47 uint8 = (uint8(x1) & 0xff) - var x48 uint64 = (x1 >> 8) - var x49 uint8 = (uint8(x48) & 0xff) - var x50 uint64 = (x48 >> 8) - var x51 uint8 = (uint8(x50) & 0xff) - var x52 uint8 = uint8((x50 >> 8)) - out1[0] = x5 - out1[1] = x7 - out1[2] = x9 - out1[3] = x11 - out1[4] = x13 - out1[5] = x15 - out1[6] = x17 - out1[7] = x18 - out1[8] = x19 - out1[9] = x21 - out1[10] = x23 - out1[11] = x25 - out1[12] = x27 - out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x39 - out1[20] = x41 - out1[21] = x43 - out1[22] = x45 - out1[23] = x46 - out1[24] = x47 - out1[25] = x49 - out1[26] = x51 - out1[27] = x52 + x1 := arg1[3] + x2 := arg1[2] + x3 := arg1[1] + x4 := arg1[0] + x5 := (uint8(x4) & 0xff) + x6 := (x4 >> 8) + x7 := (uint8(x6) & 0xff) + x8 := (x6 >> 8) + x9 
:= (uint8(x8) & 0xff) + x10 := (x8 >> 8) + x11 := (uint8(x10) & 0xff) + x12 := (x10 >> 8) + x13 := (uint8(x12) & 0xff) + x14 := (x12 >> 8) + x15 := (uint8(x14) & 0xff) + x16 := (x14 >> 8) + x17 := (uint8(x16) & 0xff) + x18 := uint8((x16 >> 8)) + x19 := (uint8(x3) & 0xff) + x20 := (x3 >> 8) + x21 := (uint8(x20) & 0xff) + x22 := (x20 >> 8) + x23 := (uint8(x22) & 0xff) + x24 := (x22 >> 8) + x25 := (uint8(x24) & 0xff) + x26 := (x24 >> 8) + x27 := (uint8(x26) & 0xff) + x28 := (x26 >> 8) + x29 := (uint8(x28) & 0xff) + x30 := (x28 >> 8) + x31 := (uint8(x30) & 0xff) + x32 := uint8((x30 >> 8)) + x33 := (uint8(x2) & 0xff) + x34 := (x2 >> 8) + x35 := (uint8(x34) & 0xff) + x36 := (x34 >> 8) + x37 := (uint8(x36) & 0xff) + x38 := (x36 >> 8) + x39 := (uint8(x38) & 0xff) + x40 := (x38 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := (uint8(x42) & 0xff) + x44 := (x42 >> 8) + x45 := (uint8(x44) & 0xff) + x46 := uint8((x44 >> 8)) + x47 := (uint8(x1) & 0xff) + x48 := (x1 >> 8) + x49 := (uint8(x48) & 0xff) + x50 := (x48 >> 8) + x51 := (uint8(x50) & 0xff) + x52 := uint8((x50 >> 8)) + out1[0] = x5 + out1[1] = x7 + out1[2] = x9 + out1[3] = x11 + out1[4] = x13 + out1[5] = x15 + out1[6] = x17 + out1[7] = x18 + out1[8] = x19 + out1[9] = x21 + out1[10] = x23 + out1[11] = x25 + out1[12] = x27 + out1[13] = x29 + out1[14] = x31 + out1[15] = x32 + out1[16] = x33 + out1[17] = x35 + out1[18] = x37 + out1[19] = x39 + out1[20] = x41 + out1[21] = x43 + out1[22] = x45 + out1[23] = x46 + out1[24] = x47 + out1[25] = x49 + out1[26] = x51 + out1[27] = x52 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
- Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]] func FromBytes(out1 *[4]uint64, arg1 *[28]uint8) { - var x1 uint64 = (uint64((arg1[27])) << 24) - var x2 uint64 = (uint64((arg1[26])) << 16) - var x3 uint64 = (uint64((arg1[25])) << 8) - var x4 uint8 = (arg1[24]) - var x5 uint64 = (uint64((arg1[23])) << 56) - var x6 uint64 = (uint64((arg1[22])) << 48) - var x7 uint64 = (uint64((arg1[21])) << 40) - var x8 uint64 = (uint64((arg1[20])) << 32) - var x9 uint64 = (uint64((arg1[19])) << 24) - var 
x10 uint64 = (uint64((arg1[18])) << 16) - var x11 uint64 = (uint64((arg1[17])) << 8) - var x12 uint8 = (arg1[16]) - var x13 uint64 = (uint64((arg1[15])) << 56) - var x14 uint64 = (uint64((arg1[14])) << 48) - var x15 uint64 = (uint64((arg1[13])) << 40) - var x16 uint64 = (uint64((arg1[12])) << 32) - var x17 uint64 = (uint64((arg1[11])) << 24) - var x18 uint64 = (uint64((arg1[10])) << 16) - var x19 uint64 = (uint64((arg1[9])) << 8) - var x20 uint8 = (arg1[8]) - var x21 uint64 = (uint64((arg1[7])) << 56) - var x22 uint64 = (uint64((arg1[6])) << 48) - var x23 uint64 = (uint64((arg1[5])) << 40) - var x24 uint64 = (uint64((arg1[4])) << 32) - var x25 uint64 = (uint64((arg1[3])) << 24) - var x26 uint64 = (uint64((arg1[2])) << 16) - var x27 uint64 = (uint64((arg1[1])) << 8) - var x28 uint8 = (arg1[0]) - var x29 uint64 = (x27 + uint64(x28)) - var x30 uint64 = (x26 + x29) - var x31 uint64 = (x25 + x30) - var x32 uint64 = (x24 + x31) - var x33 uint64 = (x23 + x32) - var x34 uint64 = (x22 + x33) - var x35 uint64 = (x21 + x34) - var x36 uint64 = (x19 + uint64(x20)) - var x37 uint64 = (x18 + x36) - var x38 uint64 = (x17 + x37) - var x39 uint64 = (x16 + x38) - var x40 uint64 = (x15 + x39) - var x41 uint64 = (x14 + x40) - var x42 uint64 = (x13 + x41) - var x43 uint64 = (x11 + uint64(x12)) - var x44 uint64 = (x10 + x43) - var x45 uint64 = (x9 + x44) - var x46 uint64 = (x8 + x45) - var x47 uint64 = (x7 + x46) - var x48 uint64 = (x6 + x47) - var x49 uint64 = (x5 + x48) - var x50 uint64 = (x3 + uint64(x4)) - var x51 uint64 = (x2 + x50) - var x52 uint64 = (x1 + x51) - out1[0] = x35 - out1[1] = x42 - out1[2] = x49 - out1[3] = x52 + x1 := (uint64(arg1[27]) << 24) + x2 := (uint64(arg1[26]) << 16) + x3 := (uint64(arg1[25]) << 8) + x4 := arg1[24] + x5 := (uint64(arg1[23]) << 56) + x6 := (uint64(arg1[22]) << 48) + x7 := (uint64(arg1[21]) << 40) + x8 := (uint64(arg1[20]) << 32) + x9 := (uint64(arg1[19]) << 24) + x10 := (uint64(arg1[18]) << 16) + x11 := (uint64(arg1[17]) << 8) + x12 := arg1[16] 
+ x13 := (uint64(arg1[15]) << 56) + x14 := (uint64(arg1[14]) << 48) + x15 := (uint64(arg1[13]) << 40) + x16 := (uint64(arg1[12]) << 32) + x17 := (uint64(arg1[11]) << 24) + x18 := (uint64(arg1[10]) << 16) + x19 := (uint64(arg1[9]) << 8) + x20 := arg1[8] + x21 := (uint64(arg1[7]) << 56) + x22 := (uint64(arg1[6]) << 48) + x23 := (uint64(arg1[5]) << 40) + x24 := (uint64(arg1[4]) << 32) + x25 := (uint64(arg1[3]) << 24) + x26 := (uint64(arg1[2]) << 16) + x27 := (uint64(arg1[1]) << 8) + x28 := arg1[0] + x29 := (x27 + uint64(x28)) + x30 := (x26 + x29) + x31 := (x25 + x30) + x32 := (x24 + x31) + x33 := (x23 + x32) + x34 := (x22 + x33) + x35 := (x21 + x34) + x36 := (x19 + uint64(x20)) + x37 := (x18 + x36) + x38 := (x17 + x37) + x39 := (x16 + x38) + x40 := (x15 + x39) + x41 := (x14 + x40) + x42 := (x13 + x41) + x43 := (x11 + uint64(x12)) + x44 := (x10 + x43) + x45 := (x9 + x44) + x46 := (x8 + x45) + x47 := (x7 + x46) + x48 := (x6 + x47) + x49 := (x5 + x48) + x50 := (x3 + uint64(x4)) + x51 := (x2 + x50) + x52 := (x1 + x51) + out1[0] = x35 + out1[1] = x42 + out1[2] = x49 + out1[3] = x52 } -/* - The function SetOne returns the field element one in the Montgomery domain. - Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. 
+// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func SetOne(out1 *[4]uint64) { - out1[0] = 0xffffffff00000000 - out1[1] = 0xffffffffffffffff - out1[2] = uint64(0x0) - out1[3] = uint64(0x0) + out1[0] = 0xffffffff00000000 + out1[1] = 0xffffffffffffffff + out1[2] = uint64(0x0) + out1[3] = uint64(0x0) } -/* - The function Msat returns the saturated representation of the prime modulus. - Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. +// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Msat(out1 *[5]uint64) { - out1[0] = uint64(0x1) - out1[1] = 0xffffffff00000000 - out1[2] = 0xffffffffffffffff - out1[3] = 0xffffffff - out1[4] = uint64(0x0) + out1[0] = uint64(0x1) + out1[1] = 0xffffffff00000000 + out1[2] = 0xffffffffffffffff + out1[3] = 0xffffffff + out1[4] = uint64(0x0) } -/* - The function Divstep computes a divstep. 
- Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffffffffffff] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], 
[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. +// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffffffffffff] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg5: [[0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] +// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Divstep(out1 *uint64, out2 *[5]uint64, out3 *[5]uint64, out4 *[4]uint64, out5 *[4]uint64, arg1 uint64, arg2 *[5]uint64, arg3 *[5]uint64, arg4 *[4]uint64, arg5 *[4]uint64) { - var x1 uint64 - x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 63)) & (uint1((arg3[0])) & 0x1)) - var x4 uint64 - x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x6 uint64 - cmovznzU64(&x6, x3, arg1, x4) - var x7 uint64 - cmovznzU64(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint64 - cmovznzU64(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint64 - cmovznzU64(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint64 - cmovznzU64(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint64 - cmovznzU64(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(uint64(0x1), (^(arg2[0])), 0x0) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(uint64(0x0), (^(arg2[1])), x13) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(uint64(0x0), (^(arg2[2])), x15) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(uint64(0x0), (^(arg2[3])), x17) - var x20 uint64 - x20, _ = addcarryxU64(uint64(0x0), (^(arg2[4])), x19) - var x22 uint64 - cmovznzU64(&x22, x3, (arg3[0]), x12) - var x23 uint64 - cmovznzU64(&x23, x3, 
(arg3[1]), x14) - var x24 uint64 - cmovznzU64(&x24, x3, (arg3[2]), x16) - var x25 uint64 - cmovznzU64(&x25, x3, (arg3[3]), x18) - var x26 uint64 - cmovznzU64(&x26, x3, (arg3[4]), x20) - var x27 uint64 - cmovznzU64(&x27, x3, (arg4[0]), (arg5[0])) - var x28 uint64 - cmovznzU64(&x28, x3, (arg4[1]), (arg5[1])) - var x29 uint64 - cmovznzU64(&x29, x3, (arg4[2]), (arg5[2])) - var x30 uint64 - cmovznzU64(&x30, x3, (arg4[3]), (arg5[3])) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(x27, x27, 0x0) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x28, x28, x32) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x29, x29, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x30, x30, x36) - var x39 uint64 - var x40 uint1 - x39, x40 = subborrowxU64(x31, uint64(0x1), 0x0) - var x41 uint64 - var x42 uint1 - x41, x42 = subborrowxU64(x33, 0xffffffff00000000, x40) - var x43 uint64 - var x44 uint1 - x43, x44 = subborrowxU64(x35, 0xffffffffffffffff, x42) - var x45 uint64 - var x46 uint1 - x45, x46 = subborrowxU64(x37, 0xffffffff, x44) - var x48 uint1 - _, x48 = subborrowxU64(uint64(x38), uint64(0x0), x46) - var x49 uint64 = (arg4[3]) - var x50 uint64 = (arg4[2]) - var x51 uint64 = (arg4[1]) - var x52 uint64 = (arg4[0]) - var x53 uint64 - var x54 uint1 - x53, x54 = subborrowxU64(uint64(0x0), x52, 0x0) - var x55 uint64 - var x56 uint1 - x55, x56 = subborrowxU64(uint64(0x0), x51, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = subborrowxU64(uint64(0x0), x50, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = subborrowxU64(uint64(0x0), x49, x58) - var x61 uint64 - cmovznzU64(&x61, x60, uint64(0x0), 0xffffffffffffffff) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x53, uint64((uint1(x61) & 0x1)), 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x55, (x61 & 0xffffffff00000000), x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x57, x61, x65) - var x68 uint64 - x68, _ = addcarryxU64(x59, (x61 & 
0xffffffff), x67) - var x70 uint64 - cmovznzU64(&x70, x3, (arg5[0]), x62) - var x71 uint64 - cmovznzU64(&x71, x3, (arg5[1]), x64) - var x72 uint64 - cmovznzU64(&x72, x3, (arg5[2]), x66) - var x73 uint64 - cmovznzU64(&x73, x3, (arg5[3]), x68) - var x74 uint1 = (uint1(x22) & 0x1) - var x75 uint64 - cmovznzU64(&x75, x74, uint64(0x0), x7) - var x76 uint64 - cmovznzU64(&x76, x74, uint64(0x0), x8) - var x77 uint64 - cmovznzU64(&x77, x74, uint64(0x0), x9) - var x78 uint64 - cmovznzU64(&x78, x74, uint64(0x0), x10) - var x79 uint64 - cmovznzU64(&x79, x74, uint64(0x0), x11) - var x80 uint64 - var x81 uint1 - x80, x81 = addcarryxU64(x22, x75, 0x0) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x23, x76, x81) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x24, x77, x83) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x25, x78, x85) - var x88 uint64 - x88, _ = addcarryxU64(x26, x79, x87) - var x90 uint64 - cmovznzU64(&x90, x74, uint64(0x0), x27) - var x91 uint64 - cmovznzU64(&x91, x74, uint64(0x0), x28) - var x92 uint64 - cmovznzU64(&x92, x74, uint64(0x0), x29) - var x93 uint64 - cmovznzU64(&x93, x74, uint64(0x0), x30) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x70, x90, 0x0) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x71, x91, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x72, x92, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x73, x93, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = subborrowxU64(x94, uint64(0x1), 0x0) - var x104 uint64 - var x105 uint1 - x104, x105 = subborrowxU64(x96, 0xffffffff00000000, x103) - var x106 uint64 - var x107 uint1 - x106, x107 = subborrowxU64(x98, 0xffffffffffffffff, x105) - var x108 uint64 - var x109 uint1 - x108, x109 = subborrowxU64(x100, 0xffffffff, x107) - var x111 uint1 - _, x111 = subborrowxU64(uint64(x101), uint64(0x0), x109) - var x112 uint64 - x112, _ = addcarryxU64(x6, uint64(0x1), 0x0) - var x114 uint64 = ((x80 >> 1) | 
((x82 << 63) & 0xffffffffffffffff)) - var x115 uint64 = ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)) - var x116 uint64 = ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)) - var x117 uint64 = ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)) - var x118 uint64 = ((x88 & 0x8000000000000000) | (x88 >> 1)) - var x119 uint64 - cmovznzU64(&x119, x48, x39, x31) - var x120 uint64 - cmovznzU64(&x120, x48, x41, x33) - var x121 uint64 - cmovznzU64(&x121, x48, x43, x35) - var x122 uint64 - cmovznzU64(&x122, x48, x45, x37) - var x123 uint64 - cmovznzU64(&x123, x111, x102, x94) - var x124 uint64 - cmovznzU64(&x124, x111, x104, x96) - var x125 uint64 - cmovznzU64(&x125, x111, x106, x98) - var x126 uint64 - cmovznzU64(&x126, x111, x108, x100) - *out1 = x112 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out3[0] = x114 - out3[1] = x115 - out3[2] = x116 - out3[3] = x117 - out3[4] = x118 - out4[0] = x119 - out4[1] = x120 - out4[2] = x121 - out4[3] = x122 - out5[0] = x123 - out5[1] = x124 - out5[2] = x125 - out5[3] = x126 + var x1 uint64 + x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + x3 := (uint1((x1 >> 63)) & (uint1(arg3[0]) & 0x1)) + var x4 uint64 + x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + var x6 uint64 + cmovznzU64(&x6, x3, arg1, x4) + var x7 uint64 + cmovznzU64(&x7, x3, arg2[0], arg3[0]) + var x8 uint64 + cmovznzU64(&x8, x3, arg2[1], arg3[1]) + var x9 uint64 + cmovznzU64(&x9, x3, arg2[2], arg3[2]) + var x10 uint64 + cmovznzU64(&x10, x3, arg2[3], arg3[3]) + var x11 uint64 + cmovznzU64(&x11, x3, arg2[4], arg3[4]) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(uint64(0x1), (^arg2[0]), 0x0) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(uint64(0x0), (^arg2[1]), x13) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(uint64(0x0), (^arg2[2]), x15) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(uint64(0x0), (^arg2[3]), x17) + var x20 uint64 + x20, _ = addcarryxU64(uint64(0x0), (^arg2[4]), x19) + 
var x22 uint64 + cmovznzU64(&x22, x3, arg3[0], x12) + var x23 uint64 + cmovznzU64(&x23, x3, arg3[1], x14) + var x24 uint64 + cmovznzU64(&x24, x3, arg3[2], x16) + var x25 uint64 + cmovznzU64(&x25, x3, arg3[3], x18) + var x26 uint64 + cmovznzU64(&x26, x3, arg3[4], x20) + var x27 uint64 + cmovznzU64(&x27, x3, arg4[0], arg5[0]) + var x28 uint64 + cmovznzU64(&x28, x3, arg4[1], arg5[1]) + var x29 uint64 + cmovznzU64(&x29, x3, arg4[2], arg5[2]) + var x30 uint64 + cmovznzU64(&x30, x3, arg4[3], arg5[3]) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(x27, x27, 0x0) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x28, x28, x32) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x29, x29, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x30, x30, x36) + var x39 uint64 + var x40 uint1 + x39, x40 = subborrowxU64(x31, uint64(0x1), 0x0) + var x41 uint64 + var x42 uint1 + x41, x42 = subborrowxU64(x33, 0xffffffff00000000, x40) + var x43 uint64 + var x44 uint1 + x43, x44 = subborrowxU64(x35, 0xffffffffffffffff, x42) + var x45 uint64 + var x46 uint1 + x45, x46 = subborrowxU64(x37, 0xffffffff, x44) + var x48 uint1 + _, x48 = subborrowxU64(uint64(x38), uint64(0x0), x46) + x49 := arg4[3] + x50 := arg4[2] + x51 := arg4[1] + x52 := arg4[0] + var x53 uint64 + var x54 uint1 + x53, x54 = subborrowxU64(uint64(0x0), x52, 0x0) + var x55 uint64 + var x56 uint1 + x55, x56 = subborrowxU64(uint64(0x0), x51, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = subborrowxU64(uint64(0x0), x50, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = subborrowxU64(uint64(0x0), x49, x58) + var x61 uint64 + cmovznzU64(&x61, x60, uint64(0x0), 0xffffffffffffffff) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x53, uint64((uint1(x61) & 0x1)), 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x55, (x61 & 0xffffffff00000000), x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x57, x61, x65) + var x68 uint64 + x68, _ = 
addcarryxU64(x59, (x61 & 0xffffffff), x67) + var x70 uint64 + cmovznzU64(&x70, x3, arg5[0], x62) + var x71 uint64 + cmovznzU64(&x71, x3, arg5[1], x64) + var x72 uint64 + cmovznzU64(&x72, x3, arg5[2], x66) + var x73 uint64 + cmovznzU64(&x73, x3, arg5[3], x68) + x74 := (uint1(x22) & 0x1) + var x75 uint64 + cmovznzU64(&x75, x74, uint64(0x0), x7) + var x76 uint64 + cmovznzU64(&x76, x74, uint64(0x0), x8) + var x77 uint64 + cmovznzU64(&x77, x74, uint64(0x0), x9) + var x78 uint64 + cmovznzU64(&x78, x74, uint64(0x0), x10) + var x79 uint64 + cmovznzU64(&x79, x74, uint64(0x0), x11) + var x80 uint64 + var x81 uint1 + x80, x81 = addcarryxU64(x22, x75, 0x0) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x23, x76, x81) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x24, x77, x83) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x25, x78, x85) + var x88 uint64 + x88, _ = addcarryxU64(x26, x79, x87) + var x90 uint64 + cmovznzU64(&x90, x74, uint64(0x0), x27) + var x91 uint64 + cmovznzU64(&x91, x74, uint64(0x0), x28) + var x92 uint64 + cmovznzU64(&x92, x74, uint64(0x0), x29) + var x93 uint64 + cmovznzU64(&x93, x74, uint64(0x0), x30) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x70, x90, 0x0) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x71, x91, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x72, x92, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x73, x93, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = subborrowxU64(x94, uint64(0x1), 0x0) + var x104 uint64 + var x105 uint1 + x104, x105 = subborrowxU64(x96, 0xffffffff00000000, x103) + var x106 uint64 + var x107 uint1 + x106, x107 = subborrowxU64(x98, 0xffffffffffffffff, x105) + var x108 uint64 + var x109 uint1 + x108, x109 = subborrowxU64(x100, 0xffffffff, x107) + var x111 uint1 + _, x111 = subborrowxU64(uint64(x101), uint64(0x0), x109) + var x112 uint64 + x112, _ = addcarryxU64(x6, uint64(0x1), 0x0) + x114 := ((x80 >> 1) | 
((x82 << 63) & 0xffffffffffffffff)) + x115 := ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)) + x116 := ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)) + x117 := ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)) + x118 := ((x88 & 0x8000000000000000) | (x88 >> 1)) + var x119 uint64 + cmovznzU64(&x119, x48, x39, x31) + var x120 uint64 + cmovznzU64(&x120, x48, x41, x33) + var x121 uint64 + cmovznzU64(&x121, x48, x43, x35) + var x122 uint64 + cmovznzU64(&x122, x48, x45, x37) + var x123 uint64 + cmovznzU64(&x123, x111, x102, x94) + var x124 uint64 + cmovznzU64(&x124, x111, x104, x96) + var x125 uint64 + cmovznzU64(&x125, x111, x106, x98) + var x126 uint64 + cmovznzU64(&x126, x111, x108, x100) + *out1 = x112 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out3[0] = x114 + out3[1] = x115 + out3[2] = x116 + out3[3] = x117 + out3[4] = x118 + out4[0] = x119 + out4[1] = x120 + out4[2] = x121 + out4[3] = x122 + out5[0] = x123 + out5[1] = x124 + out5[2] = x125 + out5[3] = x126 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
+// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func DivstepPrecomp(out1 *[4]uint64) { - out1[0] = 0x7ffffffe800001 - out1[1] = 0xff7fffff00800000 - out1[2] = 0xffffff - out1[3] = 0xff800000 + out1[0] = 0x7ffffffe800001 + out1[1] = 0xff7fffff00800000 + out1[2] = 0xffffff + out1[3] = 0xff800000 } - diff --git a/fiat-go/64/p256/p256.go b/fiat-go/64/p256/p256.go index 6ff1825695a..72b5ee21c29 100644 --- a/fiat-go/64/p256/p256.go +++ b/fiat-go/64/p256/p256.go 
@@ -1,1773 +1,1736 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p256 '' 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): p256 - - machine_wordsize = 64 (from "64") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in - - if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name p256 '' 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): p256 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. +// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +// +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 package p256 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 
is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU64 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, (arg2[3])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, (arg2[2])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, (arg2[1])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, (arg2[0])) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, 
x16) - var x19 uint64 = (uint64(x18) + x6) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x11, 0xffffffff00000001) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x11, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x25, x22, 0x0) - var x28 uint64 = (uint64(x27) + x23) - var x30 uint1 - _, x30 = addcarryxU64(x11, x24, 0x0) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(x13, x26, x30) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x15, x28, x32) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x17, x20, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x19, x21, x36) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, (arg2[3])) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, (arg2[2])) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, (arg2[1])) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, (arg2[0])) - var x47 uint64 - var x48 uint1 - x47, x48 = addcarryxU64(x46, x43, 0x0) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x44, x41, x48) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x42, x39, x50) - var x53 uint64 = (uint64(x52) + x40) - var x54 uint64 - var x55 uint1 - x54, x55 = addcarryxU64(x31, x45, 0x0) - var x56 uint64 - var x57 uint1 - x56, x57 = addcarryxU64(x33, x47, x55) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x35, x49, x57) - var x60 uint64 - var x61 uint1 - x60, x61 = addcarryxU64(x37, x51, x59) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(uint64(x38), x53, x61) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x54, 0xffffffff00000001) - var x66 uint64 - var x67 uint64 - x67, x66 = bits.Mul64(x54, 0xffffffff) - var x68 uint64 - var x69 uint64 - x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x69, x66, 0x0) - var 
x72 uint64 = (uint64(x71) + x67) - var x74 uint1 - _, x74 = addcarryxU64(x54, x68, 0x0) - var x75 uint64 - var x76 uint1 - x75, x76 = addcarryxU64(x56, x70, x74) - var x77 uint64 - var x78 uint1 - x77, x78 = addcarryxU64(x58, x72, x76) - var x79 uint64 - var x80 uint1 - x79, x80 = addcarryxU64(x60, x64, x78) - var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x62, x65, x80) - var x83 uint64 = (uint64(x82) + uint64(x63)) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x2, (arg2[3])) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x2, (arg2[2])) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64(x2, (arg2[1])) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64(x2, (arg2[0])) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x91, x88, 0x0) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x89, x86, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x87, x84, x95) - var x98 uint64 = (uint64(x97) + x85) - var x99 uint64 - var x100 uint1 - x99, x100 = addcarryxU64(x75, x90, 0x0) - var x101 uint64 - var x102 uint1 - x101, x102 = addcarryxU64(x77, x92, x100) - var x103 uint64 - var x104 uint1 - x103, x104 = addcarryxU64(x79, x94, x102) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x81, x96, x104) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x83, x98, x106) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64(x99, 0xffffffff00000001) - var x111 uint64 - var x112 uint64 - x112, x111 = bits.Mul64(x99, 0xffffffff) - var x113 uint64 - var x114 uint64 - x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x114, x111, 0x0) - var x117 uint64 = (uint64(x116) + x112) - var x119 uint1 - _, x119 = addcarryxU64(x99, x113, 0x0) - var x120 uint64 - var x121 uint1 - x120, x121 = addcarryxU64(x101, x115, x119) - var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x103, x117, x121) - var x124 uint64 - var x125 
uint1 - x124, x125 = addcarryxU64(x105, x109, x123) - var x126 uint64 - var x127 uint1 - x126, x127 = addcarryxU64(x107, x110, x125) - var x128 uint64 = (uint64(x127) + uint64(x108)) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x3, (arg2[3])) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x3, (arg2[2])) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x3, (arg2[1])) - var x135 uint64 - var x136 uint64 - x136, x135 = bits.Mul64(x3, (arg2[0])) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x136, x133, 0x0) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x134, x131, x138) - var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x132, x129, x140) - var x143 uint64 = (uint64(x142) + x130) - var x144 uint64 - var x145 uint1 - x144, x145 = addcarryxU64(x120, x135, 0x0) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x122, x137, x145) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x124, x139, x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x126, x141, x149) - var x152 uint64 - var x153 uint1 - x152, x153 = addcarryxU64(x128, x143, x151) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x144, 0xffffffff00000001) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x144, 0xffffffff) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x159, x156, 0x0) - var x162 uint64 = (uint64(x161) + x157) - var x164 uint1 - _, x164 = addcarryxU64(x144, x158, 0x0) - var x165 uint64 - var x166 uint1 - x165, x166 = addcarryxU64(x146, x160, x164) - var x167 uint64 - var x168 uint1 - x167, x168 = addcarryxU64(x148, x162, x166) - var x169 uint64 - var x170 uint1 - x169, x170 = addcarryxU64(x150, x154, x168) - var x171 uint64 - var x172 uint1 - x171, x172 = addcarryxU64(x152, x155, x170) - var x173 uint64 = (uint64(x172) + uint64(x153)) - var 
x174 uint64 - var x175 uint1 - x174, x175 = subborrowxU64(x165, 0xffffffffffffffff, 0x0) - var x176 uint64 - var x177 uint1 - x176, x177 = subborrowxU64(x167, 0xffffffff, x175) - var x178 uint64 - var x179 uint1 - x178, x179 = subborrowxU64(x169, uint64(0x0), x177) - var x180 uint64 - var x181 uint1 - x180, x181 = subborrowxU64(x171, 0xffffffff00000001, x179) - var x183 uint1 - _, x183 = subborrowxU64(x173, uint64(0x0), x181) - var x184 uint64 - cmovznzU64(&x184, x183, x174, x165) - var x185 uint64 - cmovznzU64(&x185, x183, x176, x167) - var x186 uint64 - cmovznzU64(&x186, x183, x178, x169) - var x187 uint64 - cmovznzU64(&x187, x183, x180, x171) - out1[0] = x184 - out1[1] = x185 - out1[2] = x186 - out1[3] = x187 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, arg2[3]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, arg2[2]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, arg2[1]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, arg2[0]) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x8, x5, x16) + x19 := (uint64(x18) + x6) + var x20 uint64 + var x21 uint64 + x21, x20 = bits.Mul64(x11, 0xffffffff00000001) + var x22 uint64 + var x23 uint64 + x23, x22 = bits.Mul64(x11, 0xffffffff) + var x24 uint64 + var x25 uint64 + x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x25, x22, 0x0) + x28 := (uint64(x27) + x23) + var x30 uint1 + _, x30 = addcarryxU64(x11, x24, 0x0) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(x13, x26, x30) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x15, x28, x32) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x17, x20, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x19, x21, 
x36) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(x1, arg2[3]) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(x1, arg2[2]) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x1, arg2[1]) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(x1, arg2[0]) + var x47 uint64 + var x48 uint1 + x47, x48 = addcarryxU64(x46, x43, 0x0) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x44, x41, x48) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x42, x39, x50) + x53 := (uint64(x52) + x40) + var x54 uint64 + var x55 uint1 + x54, x55 = addcarryxU64(x31, x45, 0x0) + var x56 uint64 + var x57 uint1 + x56, x57 = addcarryxU64(x33, x47, x55) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x35, x49, x57) + var x60 uint64 + var x61 uint1 + x60, x61 = addcarryxU64(x37, x51, x59) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(uint64(x38), x53, x61) + var x64 uint64 + var x65 uint64 + x65, x64 = bits.Mul64(x54, 0xffffffff00000001) + var x66 uint64 + var x67 uint64 + x67, x66 = bits.Mul64(x54, 0xffffffff) + var x68 uint64 + var x69 uint64 + x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x69, x66, 0x0) + x72 := (uint64(x71) + x67) + var x74 uint1 + _, x74 = addcarryxU64(x54, x68, 0x0) + var x75 uint64 + var x76 uint1 + x75, x76 = addcarryxU64(x56, x70, x74) + var x77 uint64 + var x78 uint1 + x77, x78 = addcarryxU64(x58, x72, x76) + var x79 uint64 + var x80 uint1 + x79, x80 = addcarryxU64(x60, x64, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x62, x65, x80) + x83 := (uint64(x82) + uint64(x63)) + var x84 uint64 + var x85 uint64 + x85, x84 = bits.Mul64(x2, arg2[3]) + var x86 uint64 + var x87 uint64 + x87, x86 = bits.Mul64(x2, arg2[2]) + var x88 uint64 + var x89 uint64 + x89, x88 = bits.Mul64(x2, arg2[1]) + var x90 uint64 + var x91 uint64 + x91, x90 = bits.Mul64(x2, arg2[0]) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x91, 
x88, 0x0) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x89, x86, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x87, x84, x95) + x98 := (uint64(x97) + x85) + var x99 uint64 + var x100 uint1 + x99, x100 = addcarryxU64(x75, x90, 0x0) + var x101 uint64 + var x102 uint1 + x101, x102 = addcarryxU64(x77, x92, x100) + var x103 uint64 + var x104 uint1 + x103, x104 = addcarryxU64(x79, x94, x102) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x81, x96, x104) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x83, x98, x106) + var x109 uint64 + var x110 uint64 + x110, x109 = bits.Mul64(x99, 0xffffffff00000001) + var x111 uint64 + var x112 uint64 + x112, x111 = bits.Mul64(x99, 0xffffffff) + var x113 uint64 + var x114 uint64 + x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x114, x111, 0x0) + x117 := (uint64(x116) + x112) + var x119 uint1 + _, x119 = addcarryxU64(x99, x113, 0x0) + var x120 uint64 + var x121 uint1 + x120, x121 = addcarryxU64(x101, x115, x119) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x103, x117, x121) + var x124 uint64 + var x125 uint1 + x124, x125 = addcarryxU64(x105, x109, x123) + var x126 uint64 + var x127 uint1 + x126, x127 = addcarryxU64(x107, x110, x125) + x128 := (uint64(x127) + uint64(x108)) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x3, arg2[3]) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(x3, arg2[2]) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(x3, arg2[1]) + var x135 uint64 + var x136 uint64 + x136, x135 = bits.Mul64(x3, arg2[0]) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x136, x133, 0x0) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x134, x131, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x132, x129, x140) + x143 := (uint64(x142) + x130) + var x144 uint64 + var x145 uint1 + x144, x145 = 
addcarryxU64(x120, x135, 0x0) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x122, x137, x145) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x124, x139, x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x126, x141, x149) + var x152 uint64 + var x153 uint1 + x152, x153 = addcarryxU64(x128, x143, x151) + var x154 uint64 + var x155 uint64 + x155, x154 = bits.Mul64(x144, 0xffffffff00000001) + var x156 uint64 + var x157 uint64 + x157, x156 = bits.Mul64(x144, 0xffffffff) + var x158 uint64 + var x159 uint64 + x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x159, x156, 0x0) + x162 := (uint64(x161) + x157) + var x164 uint1 + _, x164 = addcarryxU64(x144, x158, 0x0) + var x165 uint64 + var x166 uint1 + x165, x166 = addcarryxU64(x146, x160, x164) + var x167 uint64 + var x168 uint1 + x167, x168 = addcarryxU64(x148, x162, x166) + var x169 uint64 + var x170 uint1 + x169, x170 = addcarryxU64(x150, x154, x168) + var x171 uint64 + var x172 uint1 + x171, x172 = addcarryxU64(x152, x155, x170) + x173 := (uint64(x172) + uint64(x153)) + var x174 uint64 + var x175 uint1 + x174, x175 = subborrowxU64(x165, 0xffffffffffffffff, 0x0) + var x176 uint64 + var x177 uint1 + x176, x177 = subborrowxU64(x167, 0xffffffff, x175) + var x178 uint64 + var x179 uint1 + x178, x179 = subborrowxU64(x169, uint64(0x0), x177) + var x180 uint64 + var x181 uint1 + x180, x181 = subborrowxU64(x171, 0xffffffff00000001, x179) + var x183 uint1 + _, x183 = subborrowxU64(x173, uint64(0x0), x181) + var x184 uint64 + cmovznzU64(&x184, x183, x174, x165) + var x185 uint64 + cmovznzU64(&x185, x183, x176, x167) + var x186 uint64 + cmovznzU64(&x186, x183, x178, x169) + var x187 uint64 + cmovznzU64(&x187, x183, x180, x171) + out1[0] = x184 + out1[1] = x185 + out1[2] = x186 + out1[3] = x187 } -/* - The function Square squares a field element in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Square(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, (arg1[3])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, (arg1[2])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, (arg1[1])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, (arg1[0])) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, x16) - var x19 uint64 = (uint64(x18) + x6) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x11, 0xffffffff00000001) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x11, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) - var x26 uint64 - var x27 
uint1 - x26, x27 = addcarryxU64(x25, x22, 0x0) - var x28 uint64 = (uint64(x27) + x23) - var x30 uint1 - _, x30 = addcarryxU64(x11, x24, 0x0) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(x13, x26, x30) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x15, x28, x32) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x17, x20, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x19, x21, x36) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, (arg1[3])) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, (arg1[2])) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, (arg1[1])) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, (arg1[0])) - var x47 uint64 - var x48 uint1 - x47, x48 = addcarryxU64(x46, x43, 0x0) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x44, x41, x48) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x42, x39, x50) - var x53 uint64 = (uint64(x52) + x40) - var x54 uint64 - var x55 uint1 - x54, x55 = addcarryxU64(x31, x45, 0x0) - var x56 uint64 - var x57 uint1 - x56, x57 = addcarryxU64(x33, x47, x55) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x35, x49, x57) - var x60 uint64 - var x61 uint1 - x60, x61 = addcarryxU64(x37, x51, x59) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(uint64(x38), x53, x61) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x54, 0xffffffff00000001) - var x66 uint64 - var x67 uint64 - x67, x66 = bits.Mul64(x54, 0xffffffff) - var x68 uint64 - var x69 uint64 - x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x69, x66, 0x0) - var x72 uint64 = (uint64(x71) + x67) - var x74 uint1 - _, x74 = addcarryxU64(x54, x68, 0x0) - var x75 uint64 - var x76 uint1 - x75, x76 = addcarryxU64(x56, x70, x74) - var x77 uint64 - var x78 uint1 - x77, x78 = addcarryxU64(x58, x72, x76) - var x79 uint64 - var x80 uint1 - x79, x80 = addcarryxU64(x60, x64, x78) 
- var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x62, x65, x80) - var x83 uint64 = (uint64(x82) + uint64(x63)) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x2, (arg1[3])) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x2, (arg1[2])) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64(x2, (arg1[1])) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64(x2, (arg1[0])) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x91, x88, 0x0) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x89, x86, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x87, x84, x95) - var x98 uint64 = (uint64(x97) + x85) - var x99 uint64 - var x100 uint1 - x99, x100 = addcarryxU64(x75, x90, 0x0) - var x101 uint64 - var x102 uint1 - x101, x102 = addcarryxU64(x77, x92, x100) - var x103 uint64 - var x104 uint1 - x103, x104 = addcarryxU64(x79, x94, x102) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x81, x96, x104) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x83, x98, x106) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64(x99, 0xffffffff00000001) - var x111 uint64 - var x112 uint64 - x112, x111 = bits.Mul64(x99, 0xffffffff) - var x113 uint64 - var x114 uint64 - x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x114, x111, 0x0) - var x117 uint64 = (uint64(x116) + x112) - var x119 uint1 - _, x119 = addcarryxU64(x99, x113, 0x0) - var x120 uint64 - var x121 uint1 - x120, x121 = addcarryxU64(x101, x115, x119) - var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x103, x117, x121) - var x124 uint64 - var x125 uint1 - x124, x125 = addcarryxU64(x105, x109, x123) - var x126 uint64 - var x127 uint1 - x126, x127 = addcarryxU64(x107, x110, x125) - var x128 uint64 = (uint64(x127) + uint64(x108)) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x3, (arg1[3])) - var x131 uint64 - var x132 uint64 - x132, x131 
= bits.Mul64(x3, (arg1[2])) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x3, (arg1[1])) - var x135 uint64 - var x136 uint64 - x136, x135 = bits.Mul64(x3, (arg1[0])) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x136, x133, 0x0) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x134, x131, x138) - var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x132, x129, x140) - var x143 uint64 = (uint64(x142) + x130) - var x144 uint64 - var x145 uint1 - x144, x145 = addcarryxU64(x120, x135, 0x0) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x122, x137, x145) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x124, x139, x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x126, x141, x149) - var x152 uint64 - var x153 uint1 - x152, x153 = addcarryxU64(x128, x143, x151) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x144, 0xffffffff00000001) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x144, 0xffffffff) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x159, x156, 0x0) - var x162 uint64 = (uint64(x161) + x157) - var x164 uint1 - _, x164 = addcarryxU64(x144, x158, 0x0) - var x165 uint64 - var x166 uint1 - x165, x166 = addcarryxU64(x146, x160, x164) - var x167 uint64 - var x168 uint1 - x167, x168 = addcarryxU64(x148, x162, x166) - var x169 uint64 - var x170 uint1 - x169, x170 = addcarryxU64(x150, x154, x168) - var x171 uint64 - var x172 uint1 - x171, x172 = addcarryxU64(x152, x155, x170) - var x173 uint64 = (uint64(x172) + uint64(x153)) - var x174 uint64 - var x175 uint1 - x174, x175 = subborrowxU64(x165, 0xffffffffffffffff, 0x0) - var x176 uint64 - var x177 uint1 - x176, x177 = subborrowxU64(x167, 0xffffffff, x175) - var x178 uint64 - var x179 uint1 - x178, x179 = subborrowxU64(x169, uint64(0x0), x177) - var x180 uint64 - var x181 uint1 - x180, 
x181 = subborrowxU64(x171, 0xffffffff00000001, x179) - var x183 uint1 - _, x183 = subborrowxU64(x173, uint64(0x0), x181) - var x184 uint64 - cmovznzU64(&x184, x183, x174, x165) - var x185 uint64 - cmovznzU64(&x185, x183, x176, x167) - var x186 uint64 - cmovznzU64(&x186, x183, x178, x169) - var x187 uint64 - cmovznzU64(&x187, x183, x180, x171) - out1[0] = x184 - out1[1] = x185 - out1[2] = x186 - out1[3] = x187 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, arg1[3]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, arg1[2]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, arg1[1]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, arg1[0]) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x8, x5, x16) + x19 := (uint64(x18) + x6) + var x20 uint64 + var x21 uint64 + x21, x20 = bits.Mul64(x11, 0xffffffff00000001) + var x22 uint64 + var x23 uint64 + x23, x22 = bits.Mul64(x11, 0xffffffff) + var x24 uint64 + var x25 uint64 + x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x25, x22, 0x0) + x28 := (uint64(x27) + x23) + var x30 uint1 + _, x30 = addcarryxU64(x11, x24, 0x0) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(x13, x26, x30) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x15, x28, x32) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x17, x20, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x19, x21, x36) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(x1, arg1[3]) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(x1, arg1[2]) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x1, arg1[1]) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(x1, arg1[0]) + var x47 uint64 + var 
x48 uint1 + x47, x48 = addcarryxU64(x46, x43, 0x0) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x44, x41, x48) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x42, x39, x50) + x53 := (uint64(x52) + x40) + var x54 uint64 + var x55 uint1 + x54, x55 = addcarryxU64(x31, x45, 0x0) + var x56 uint64 + var x57 uint1 + x56, x57 = addcarryxU64(x33, x47, x55) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x35, x49, x57) + var x60 uint64 + var x61 uint1 + x60, x61 = addcarryxU64(x37, x51, x59) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(uint64(x38), x53, x61) + var x64 uint64 + var x65 uint64 + x65, x64 = bits.Mul64(x54, 0xffffffff00000001) + var x66 uint64 + var x67 uint64 + x67, x66 = bits.Mul64(x54, 0xffffffff) + var x68 uint64 + var x69 uint64 + x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x69, x66, 0x0) + x72 := (uint64(x71) + x67) + var x74 uint1 + _, x74 = addcarryxU64(x54, x68, 0x0) + var x75 uint64 + var x76 uint1 + x75, x76 = addcarryxU64(x56, x70, x74) + var x77 uint64 + var x78 uint1 + x77, x78 = addcarryxU64(x58, x72, x76) + var x79 uint64 + var x80 uint1 + x79, x80 = addcarryxU64(x60, x64, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x62, x65, x80) + x83 := (uint64(x82) + uint64(x63)) + var x84 uint64 + var x85 uint64 + x85, x84 = bits.Mul64(x2, arg1[3]) + var x86 uint64 + var x87 uint64 + x87, x86 = bits.Mul64(x2, arg1[2]) + var x88 uint64 + var x89 uint64 + x89, x88 = bits.Mul64(x2, arg1[1]) + var x90 uint64 + var x91 uint64 + x91, x90 = bits.Mul64(x2, arg1[0]) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x91, x88, 0x0) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x89, x86, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x87, x84, x95) + x98 := (uint64(x97) + x85) + var x99 uint64 + var x100 uint1 + x99, x100 = addcarryxU64(x75, x90, 0x0) + var x101 uint64 + var x102 uint1 + x101, x102 = 
addcarryxU64(x77, x92, x100) + var x103 uint64 + var x104 uint1 + x103, x104 = addcarryxU64(x79, x94, x102) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x81, x96, x104) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x83, x98, x106) + var x109 uint64 + var x110 uint64 + x110, x109 = bits.Mul64(x99, 0xffffffff00000001) + var x111 uint64 + var x112 uint64 + x112, x111 = bits.Mul64(x99, 0xffffffff) + var x113 uint64 + var x114 uint64 + x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x114, x111, 0x0) + x117 := (uint64(x116) + x112) + var x119 uint1 + _, x119 = addcarryxU64(x99, x113, 0x0) + var x120 uint64 + var x121 uint1 + x120, x121 = addcarryxU64(x101, x115, x119) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x103, x117, x121) + var x124 uint64 + var x125 uint1 + x124, x125 = addcarryxU64(x105, x109, x123) + var x126 uint64 + var x127 uint1 + x126, x127 = addcarryxU64(x107, x110, x125) + x128 := (uint64(x127) + uint64(x108)) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x3, arg1[3]) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(x3, arg1[2]) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(x3, arg1[1]) + var x135 uint64 + var x136 uint64 + x136, x135 = bits.Mul64(x3, arg1[0]) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x136, x133, 0x0) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x134, x131, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x132, x129, x140) + x143 := (uint64(x142) + x130) + var x144 uint64 + var x145 uint1 + x144, x145 = addcarryxU64(x120, x135, 0x0) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x122, x137, x145) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x124, x139, x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x126, x141, x149) + var x152 uint64 + var x153 uint1 + x152, x153 = 
addcarryxU64(x128, x143, x151) + var x154 uint64 + var x155 uint64 + x155, x154 = bits.Mul64(x144, 0xffffffff00000001) + var x156 uint64 + var x157 uint64 + x157, x156 = bits.Mul64(x144, 0xffffffff) + var x158 uint64 + var x159 uint64 + x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x159, x156, 0x0) + x162 := (uint64(x161) + x157) + var x164 uint1 + _, x164 = addcarryxU64(x144, x158, 0x0) + var x165 uint64 + var x166 uint1 + x165, x166 = addcarryxU64(x146, x160, x164) + var x167 uint64 + var x168 uint1 + x167, x168 = addcarryxU64(x148, x162, x166) + var x169 uint64 + var x170 uint1 + x169, x170 = addcarryxU64(x150, x154, x168) + var x171 uint64 + var x172 uint1 + x171, x172 = addcarryxU64(x152, x155, x170) + x173 := (uint64(x172) + uint64(x153)) + var x174 uint64 + var x175 uint1 + x174, x175 = subborrowxU64(x165, 0xffffffffffffffff, 0x0) + var x176 uint64 + var x177 uint1 + x176, x177 = subborrowxU64(x167, 0xffffffff, x175) + var x178 uint64 + var x179 uint1 + x178, x179 = subborrowxU64(x169, uint64(0x0), x177) + var x180 uint64 + var x181 uint1 + x180, x181 = subborrowxU64(x171, 0xffffffff00000001, x179) + var x183 uint1 + _, x183 = subborrowxU64(x173, uint64(0x0), x181) + var x184 uint64 + cmovznzU64(&x184, x183, x174, x165) + var x185 uint64 + cmovznzU64(&x185, x183, x176, x167) + var x186 uint64 + cmovznzU64(&x186, x183, x178, x169) + var x187 uint64 + cmovznzU64(&x187, x183, x180, x171) + out1[0] = x184 + out1[1] = x185 + out1[2] = x186 + out1[3] = x187 } -/* - The function Add adds two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Add(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = addcarryxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = addcarryxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = addcarryxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = addcarryxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = subborrowxU64(x1, 0xffffffffffffffff, 0x0) - var x11 uint64 - var x12 uint1 - x11, x12 = subborrowxU64(x3, 0xffffffff, x10) - var x13 uint64 - var x14 uint1 - x13, x14 = subborrowxU64(x5, uint64(0x0), x12) - var x15 uint64 - var x16 uint1 - x15, 
x16 = subborrowxU64(x7, 0xffffffff00000001, x14) - var x18 uint1 - _, x18 = subborrowxU64(uint64(x8), uint64(0x0), x16) - var x19 uint64 - cmovznzU64(&x19, x18, x9, x1) - var x20 uint64 - cmovznzU64(&x20, x18, x11, x3) - var x21 uint64 - cmovznzU64(&x21, x18, x13, x5) - var x22 uint64 - cmovznzU64(&x22, x18, x15, x7) - out1[0] = x19 - out1[1] = x20 - out1[2] = x21 - out1[3] = x22 + var x1 uint64 + var x2 uint1 + x1, x2 = addcarryxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = addcarryxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = addcarryxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = addcarryxU64(arg1[3], arg2[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = subborrowxU64(x1, 0xffffffffffffffff, 0x0) + var x11 uint64 + var x12 uint1 + x11, x12 = subborrowxU64(x3, 0xffffffff, x10) + var x13 uint64 + var x14 uint1 + x13, x14 = subborrowxU64(x5, uint64(0x0), x12) + var x15 uint64 + var x16 uint1 + x15, x16 = subborrowxU64(x7, 0xffffffff00000001, x14) + var x18 uint1 + _, x18 = subborrowxU64(uint64(x8), uint64(0x0), x16) + var x19 uint64 + cmovznzU64(&x19, x18, x9, x1) + var x20 uint64 + cmovznzU64(&x20, x18, x11, x3) + var x21 uint64 + cmovznzU64(&x21, x18, x13, x5) + var x22 uint64 + cmovznzU64(&x22, x18, x15, x7) + out1[0] = x19 + out1[1] = x20 + out1[2] = x21 + out1[3] = x22 } -/* - The function Sub subtracts two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Sub(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint1 - x10, x11 = addcarryxU64(x1, x9, 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff), x11) - var x14 uint64 - var x15 uint1 - x14, x15 = 
addcarryxU64(x5, uint64(0x0), x13) - var x16 uint64 - x16, _ = addcarryxU64(x7, (x9 & 0xffffffff00000001), x15) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(arg1[3], arg2[3], x6) + var x9 uint64 + cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) + var x10 uint64 + var x11 uint1 + x10, x11 = addcarryxU64(x1, x9, 0x0) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff), x11) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x5, uint64(0x0), x13) + var x16 uint64 + x16, _ = addcarryxU64(x7, (x9 & 0xffffffff00000001), x15) + out1[0] = x10 + out1[1] = x12 + out1[2] = x14 + out1[3] = x16 } -/* - The function Opp negates a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Opp(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64(uint64(0x0), (arg1[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64(uint64(0x0), (arg1[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64(uint64(0x0), (arg1[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64(uint64(0x0), (arg1[3]), x6) - var x9 uint64 - cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint1 - x10, x11 = addcarryxU64(x1, x9, 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff), x11) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(x5, uint64(0x0), x13) - var x16 uint64 - x16, _ = addcarryxU64(x7, (x9 & 0xffffffff00000001), x15) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(uint64(0x0), arg1[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(uint64(0x0), arg1[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(uint64(0x0), arg1[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(uint64(0x0), arg1[3], x6) + var x9 uint64 + cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) + var x10 uint64 + var x11 uint1 + x10, x11 = addcarryxU64(x1, x9, 0x0) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(x3, (x9 & 0xffffffff), x11) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x5, uint64(0x0), x13) + var x16 uint64 + x16, _ = addcarryxU64(x7, (x9 & 
0xffffffff00000001), x15) + out1[0] = x10 + out1[1] = x12 + out1[2] = x14 + out1[3] = x16 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromMontgomery(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 - var x3 uint64 - x3, x2 = bits.Mul64(x1, 0xffffffff00000001) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x1, 0xffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x1, 0xffffffffffffffff) - var x8 uint64 - var x9 uint1 - x8, x9 = addcarryxU64(x7, x4, 0x0) - var x11 uint1 - _, x11 = addcarryxU64(x1, x6, 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(uint64(0x0), x8, x11) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(x12, (arg1[1]), 0x0) - var x16 uint64 - var x17 uint64 - x17, x16 = bits.Mul64(x14, 0xffffffff00000001) - var x18 uint64 - var x19 uint64 - x19, x18 = bits.Mul64(x14, 0xffffffff) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x14, 0xffffffffffffffff) - var x22 uint64 - var x23 
uint1 - x22, x23 = addcarryxU64(x21, x18, 0x0) - var x25 uint1 - _, x25 = addcarryxU64(x14, x20, 0x0) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64((uint64(x15) + (uint64(x13) + (uint64(x9) + x5))), x22, x25) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x2, (uint64(x23) + x19), x27) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x3, x16, x29) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(x26, (arg1[2]), 0x0) - var x34 uint64 - var x35 uint1 - x34, x35 = addcarryxU64(x28, uint64(0x0), x33) - var x36 uint64 - var x37 uint1 - x36, x37 = addcarryxU64(x30, uint64(0x0), x35) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x32, 0xffffffff00000001) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x32, 0xffffffff) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x32, 0xffffffffffffffff) - var x44 uint64 - var x45 uint1 - x44, x45 = addcarryxU64(x43, x40, 0x0) - var x47 uint1 - _, x47 = addcarryxU64(x32, x42, 0x0) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x34, x44, x47) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x36, (uint64(x45) + x41), x49) - var x52 uint64 - var x53 uint1 - x52, x53 = addcarryxU64((uint64(x37) + (uint64(x31) + x17)), x38, x51) - var x54 uint64 - var x55 uint1 - x54, x55 = addcarryxU64(x48, (arg1[3]), 0x0) - var x56 uint64 - var x57 uint1 - x56, x57 = addcarryxU64(x50, uint64(0x0), x55) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x52, uint64(0x0), x57) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64(x54, 0xffffffff00000001) - var x62 uint64 - var x63 uint64 - x63, x62 = bits.Mul64(x54, 0xffffffff) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x54, 0xffffffffffffffff) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x65, x62, 0x0) - var x69 uint1 - _, x69 = addcarryxU64(x54, x64, 0x0) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x56, x66, x69) - var x72 uint64 - var x73 uint1 - x72, x73 
= addcarryxU64(x58, (uint64(x67) + x63), x71) - var x74 uint64 - var x75 uint1 - x74, x75 = addcarryxU64((uint64(x59) + (uint64(x53) + x39)), x60, x73) - var x76 uint64 = (uint64(x75) + x61) - var x77 uint64 - var x78 uint1 - x77, x78 = subborrowxU64(x70, 0xffffffffffffffff, 0x0) - var x79 uint64 - var x80 uint1 - x79, x80 = subborrowxU64(x72, 0xffffffff, x78) - var x81 uint64 - var x82 uint1 - x81, x82 = subborrowxU64(x74, uint64(0x0), x80) - var x83 uint64 - var x84 uint1 - x83, x84 = subborrowxU64(x76, 0xffffffff00000001, x82) - var x86 uint1 - _, x86 = subborrowxU64(uint64(0x0), uint64(0x0), x84) - var x87 uint64 - cmovznzU64(&x87, x86, x77, x70) - var x88 uint64 - cmovznzU64(&x88, x86, x79, x72) - var x89 uint64 - cmovznzU64(&x89, x86, x81, x74) - var x90 uint64 - cmovznzU64(&x90, x86, x83, x76) - out1[0] = x87 - out1[1] = x88 - out1[2] = x89 - out1[3] = x90 + x1 := arg1[0] + var x2 uint64 + var x3 uint64 + x3, x2 = bits.Mul64(x1, 0xffffffff00000001) + var x4 uint64 + var x5 uint64 + x5, x4 = bits.Mul64(x1, 0xffffffff) + var x6 uint64 + var x7 uint64 + x7, x6 = bits.Mul64(x1, 0xffffffffffffffff) + var x8 uint64 + var x9 uint1 + x8, x9 = addcarryxU64(x7, x4, 0x0) + var x11 uint1 + _, x11 = addcarryxU64(x1, x6, 0x0) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(uint64(0x0), x8, x11) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x12, arg1[1], 0x0) + var x16 uint64 + var x17 uint64 + x17, x16 = bits.Mul64(x14, 0xffffffff00000001) + var x18 uint64 + var x19 uint64 + x19, x18 = bits.Mul64(x14, 0xffffffff) + var x20 uint64 + var x21 uint64 + x21, x20 = bits.Mul64(x14, 0xffffffffffffffff) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x21, x18, 0x0) + var x25 uint1 + _, x25 = addcarryxU64(x14, x20, 0x0) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64((uint64(x15) + (uint64(x13) + (uint64(x9) + x5))), x22, x25) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(x2, (uint64(x23) + x19), x27) + var x30 uint64 + var 
x31 uint1 + x30, x31 = addcarryxU64(x3, x16, x29) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(x26, arg1[2], 0x0) + var x34 uint64 + var x35 uint1 + x34, x35 = addcarryxU64(x28, uint64(0x0), x33) + var x36 uint64 + var x37 uint1 + x36, x37 = addcarryxU64(x30, uint64(0x0), x35) + var x38 uint64 + var x39 uint64 + x39, x38 = bits.Mul64(x32, 0xffffffff00000001) + var x40 uint64 + var x41 uint64 + x41, x40 = bits.Mul64(x32, 0xffffffff) + var x42 uint64 + var x43 uint64 + x43, x42 = bits.Mul64(x32, 0xffffffffffffffff) + var x44 uint64 + var x45 uint1 + x44, x45 = addcarryxU64(x43, x40, 0x0) + var x47 uint1 + _, x47 = addcarryxU64(x32, x42, 0x0) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x34, x44, x47) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x36, (uint64(x45) + x41), x49) + var x52 uint64 + var x53 uint1 + x52, x53 = addcarryxU64((uint64(x37) + (uint64(x31) + x17)), x38, x51) + var x54 uint64 + var x55 uint1 + x54, x55 = addcarryxU64(x48, arg1[3], 0x0) + var x56 uint64 + var x57 uint1 + x56, x57 = addcarryxU64(x50, uint64(0x0), x55) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x52, uint64(0x0), x57) + var x60 uint64 + var x61 uint64 + x61, x60 = bits.Mul64(x54, 0xffffffff00000001) + var x62 uint64 + var x63 uint64 + x63, x62 = bits.Mul64(x54, 0xffffffff) + var x64 uint64 + var x65 uint64 + x65, x64 = bits.Mul64(x54, 0xffffffffffffffff) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x65, x62, 0x0) + var x69 uint1 + _, x69 = addcarryxU64(x54, x64, 0x0) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x56, x66, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = addcarryxU64(x58, (uint64(x67) + x63), x71) + var x74 uint64 + var x75 uint1 + x74, x75 = addcarryxU64((uint64(x59) + (uint64(x53) + x39)), x60, x73) + x76 := (uint64(x75) + x61) + var x77 uint64 + var x78 uint1 + x77, x78 = subborrowxU64(x70, 0xffffffffffffffff, 0x0) + var x79 uint64 + var x80 uint1 + x79, x80 = subborrowxU64(x72, 
0xffffffff, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = subborrowxU64(x74, uint64(0x0), x80) + var x83 uint64 + var x84 uint1 + x83, x84 = subborrowxU64(x76, 0xffffffff00000001, x82) + var x86 uint1 + _, x86 = subborrowxU64(uint64(0x0), uint64(0x0), x84) + var x87 uint64 + cmovznzU64(&x87, x86, x77, x70) + var x88 uint64 + cmovznzU64(&x88, x86, x79, x72) + var x89 uint64 + cmovznzU64(&x89, x86, x81, x74) + var x90 uint64 + cmovznzU64(&x90, x86, x83, x76) + out1[0] = x87 + out1[1] = x88 + out1[2] = x89 + out1[3] = x90 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func ToMontgomery(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, 0x4fffffffd) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, 0xfffffffffffffffe) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, 0xfffffffbffffffff) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, 0x3) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, x16) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64(x11, 0xffffffff00000001) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64(x11, 0xffffffff) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64(x11, 0xffffffffffffffff) - var x25 uint64 - var x26 uint1 - x25, x26 = addcarryxU64(x24, x21, 0x0) - var x28 uint1 - _, x28 = addcarryxU64(x11, x23, 0x0) - var x29 uint64 - var x30 uint1 - x29, x30 = addcarryxU64(x13, x25, x28) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(x15, (uint64(x26) + x22), x30) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x17, x19, x32) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64((uint64(x18) + x6), x20, x34) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64(x1, 0x4fffffffd) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, 0xfffffffffffffffe) - var x41 uint64 - var x42 
uint64 - x42, x41 = bits.Mul64(x1, 0xfffffffbffffffff) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, 0x3) - var x45 uint64 - var x46 uint1 - x45, x46 = addcarryxU64(x44, x41, 0x0) - var x47 uint64 - var x48 uint1 - x47, x48 = addcarryxU64(x42, x39, x46) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x40, x37, x48) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x29, x43, 0x0) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x31, x45, x52) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x33, x47, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x35, x49, x56) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64(x51, 0xffffffff00000001) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64(x51, 0xffffffff) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64(x51, 0xffffffffffffffff) - var x65 uint64 - var x66 uint1 - x65, x66 = addcarryxU64(x64, x61, 0x0) - var x68 uint1 - _, x68 = addcarryxU64(x51, x63, 0x0) - var x69 uint64 - var x70 uint1 - x69, x70 = addcarryxU64(x53, x65, x68) - var x71 uint64 - var x72 uint1 - x71, x72 = addcarryxU64(x55, (uint64(x66) + x62), x70) - var x73 uint64 - var x74 uint1 - x73, x74 = addcarryxU64(x57, x59, x72) - var x75 uint64 - var x76 uint1 - x75, x76 = addcarryxU64(((uint64(x58) + uint64(x36)) + (uint64(x50) + x38)), x60, x74) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x2, 0x4fffffffd) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x2, 0xfffffffffffffffe) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64(x2, 0xfffffffbffffffff) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64(x2, 0x3) - var x85 uint64 - var x86 uint1 - x85, x86 = addcarryxU64(x84, x81, 0x0) - var x87 uint64 - var x88 uint1 - x87, x88 = addcarryxU64(x82, x79, x86) - var x89 uint64 - var x90 uint1 - x89, x90 = addcarryxU64(x80, x77, x88) - var x91 uint64 - var x92 uint1 - x91, x92 = addcarryxU64(x69, x83, 0x0) - var x93 uint64 - var x94 
uint1 - x93, x94 = addcarryxU64(x71, x85, x92) - var x95 uint64 - var x96 uint1 - x95, x96 = addcarryxU64(x73, x87, x94) - var x97 uint64 - var x98 uint1 - x97, x98 = addcarryxU64(x75, x89, x96) - var x99 uint64 - var x100 uint64 - x100, x99 = bits.Mul64(x91, 0xffffffff00000001) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64(x91, 0xffffffff) - var x103 uint64 - var x104 uint64 - x104, x103 = bits.Mul64(x91, 0xffffffffffffffff) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x104, x101, 0x0) - var x108 uint1 - _, x108 = addcarryxU64(x91, x103, 0x0) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64(x93, x105, x108) - var x111 uint64 - var x112 uint1 - x111, x112 = addcarryxU64(x95, (uint64(x106) + x102), x110) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x97, x99, x112) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(((uint64(x98) + uint64(x76)) + (uint64(x90) + x78)), x100, x114) - var x117 uint64 - var x118 uint64 - x118, x117 = bits.Mul64(x3, 0x4fffffffd) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x3, 0xfffffffffffffffe) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64(x3, 0xfffffffbffffffff) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x3, 0x3) - var x125 uint64 - var x126 uint1 - x125, x126 = addcarryxU64(x124, x121, 0x0) - var x127 uint64 - var x128 uint1 - x127, x128 = addcarryxU64(x122, x119, x126) - var x129 uint64 - var x130 uint1 - x129, x130 = addcarryxU64(x120, x117, x128) - var x131 uint64 - var x132 uint1 - x131, x132 = addcarryxU64(x109, x123, 0x0) - var x133 uint64 - var x134 uint1 - x133, x134 = addcarryxU64(x111, x125, x132) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x113, x127, x134) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x115, x129, x136) - var x139 uint64 - var x140 uint64 - x140, x139 = bits.Mul64(x131, 0xffffffff00000001) - var x141 uint64 - var x142 uint64 - x142, x141 = 
bits.Mul64(x131, 0xffffffff) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x131, 0xffffffffffffffff) - var x145 uint64 - var x146 uint1 - x145, x146 = addcarryxU64(x144, x141, 0x0) - var x148 uint1 - _, x148 = addcarryxU64(x131, x143, 0x0) - var x149 uint64 - var x150 uint1 - x149, x150 = addcarryxU64(x133, x145, x148) - var x151 uint64 - var x152 uint1 - x151, x152 = addcarryxU64(x135, (uint64(x146) + x142), x150) - var x153 uint64 - var x154 uint1 - x153, x154 = addcarryxU64(x137, x139, x152) - var x155 uint64 - var x156 uint1 - x155, x156 = addcarryxU64(((uint64(x138) + uint64(x116)) + (uint64(x130) + x118)), x140, x154) - var x157 uint64 - var x158 uint1 - x157, x158 = subborrowxU64(x149, 0xffffffffffffffff, 0x0) - var x159 uint64 - var x160 uint1 - x159, x160 = subborrowxU64(x151, 0xffffffff, x158) - var x161 uint64 - var x162 uint1 - x161, x162 = subborrowxU64(x153, uint64(0x0), x160) - var x163 uint64 - var x164 uint1 - x163, x164 = subborrowxU64(x155, 0xffffffff00000001, x162) - var x166 uint1 - _, x166 = subborrowxU64(uint64(x156), uint64(0x0), x164) - var x167 uint64 - cmovznzU64(&x167, x166, x157, x149) - var x168 uint64 - cmovznzU64(&x168, x166, x159, x151) - var x169 uint64 - cmovznzU64(&x169, x166, x161, x153) - var x170 uint64 - cmovznzU64(&x170, x166, x163, x155) - out1[0] = x167 - out1[1] = x168 - out1[2] = x169 - out1[3] = x170 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, 0x4fffffffd) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, 0xfffffffffffffffe) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, 0xfffffffbffffffff) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, 0x3) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x8, x5, x16) + var x19 uint64 + var x20 uint64 + 
x20, x19 = bits.Mul64(x11, 0xffffffff00000001) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(x11, 0xffffffff) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(x11, 0xffffffffffffffff) + var x25 uint64 + var x26 uint1 + x25, x26 = addcarryxU64(x24, x21, 0x0) + var x28 uint1 + _, x28 = addcarryxU64(x11, x23, 0x0) + var x29 uint64 + var x30 uint1 + x29, x30 = addcarryxU64(x13, x25, x28) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(x15, (uint64(x26) + x22), x30) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x17, x19, x32) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64((uint64(x18) + x6), x20, x34) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(x1, 0x4fffffffd) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(x1, 0xfffffffffffffffe) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(x1, 0xfffffffbffffffff) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x1, 0x3) + var x45 uint64 + var x46 uint1 + x45, x46 = addcarryxU64(x44, x41, 0x0) + var x47 uint64 + var x48 uint1 + x47, x48 = addcarryxU64(x42, x39, x46) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x40, x37, x48) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x29, x43, 0x0) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x31, x45, x52) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x33, x47, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x35, x49, x56) + var x59 uint64 + var x60 uint64 + x60, x59 = bits.Mul64(x51, 0xffffffff00000001) + var x61 uint64 + var x62 uint64 + x62, x61 = bits.Mul64(x51, 0xffffffff) + var x63 uint64 + var x64 uint64 + x64, x63 = bits.Mul64(x51, 0xffffffffffffffff) + var x65 uint64 + var x66 uint1 + x65, x66 = addcarryxU64(x64, x61, 0x0) + var x68 uint1 + _, x68 = addcarryxU64(x51, x63, 0x0) + var x69 uint64 + var x70 uint1 + x69, x70 = addcarryxU64(x53, x65, x68) + var x71 uint64 + var x72 uint1 + x71, x72 = addcarryxU64(x55, 
(uint64(x66) + x62), x70) + var x73 uint64 + var x74 uint1 + x73, x74 = addcarryxU64(x57, x59, x72) + var x75 uint64 + var x76 uint1 + x75, x76 = addcarryxU64(((uint64(x58) + uint64(x36)) + (uint64(x50) + x38)), x60, x74) + var x77 uint64 + var x78 uint64 + x78, x77 = bits.Mul64(x2, 0x4fffffffd) + var x79 uint64 + var x80 uint64 + x80, x79 = bits.Mul64(x2, 0xfffffffffffffffe) + var x81 uint64 + var x82 uint64 + x82, x81 = bits.Mul64(x2, 0xfffffffbffffffff) + var x83 uint64 + var x84 uint64 + x84, x83 = bits.Mul64(x2, 0x3) + var x85 uint64 + var x86 uint1 + x85, x86 = addcarryxU64(x84, x81, 0x0) + var x87 uint64 + var x88 uint1 + x87, x88 = addcarryxU64(x82, x79, x86) + var x89 uint64 + var x90 uint1 + x89, x90 = addcarryxU64(x80, x77, x88) + var x91 uint64 + var x92 uint1 + x91, x92 = addcarryxU64(x69, x83, 0x0) + var x93 uint64 + var x94 uint1 + x93, x94 = addcarryxU64(x71, x85, x92) + var x95 uint64 + var x96 uint1 + x95, x96 = addcarryxU64(x73, x87, x94) + var x97 uint64 + var x98 uint1 + x97, x98 = addcarryxU64(x75, x89, x96) + var x99 uint64 + var x100 uint64 + x100, x99 = bits.Mul64(x91, 0xffffffff00000001) + var x101 uint64 + var x102 uint64 + x102, x101 = bits.Mul64(x91, 0xffffffff) + var x103 uint64 + var x104 uint64 + x104, x103 = bits.Mul64(x91, 0xffffffffffffffff) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x104, x101, 0x0) + var x108 uint1 + _, x108 = addcarryxU64(x91, x103, 0x0) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64(x93, x105, x108) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x95, (uint64(x106) + x102), x110) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x97, x99, x112) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(((uint64(x98) + uint64(x76)) + (uint64(x90) + x78)), x100, x114) + var x117 uint64 + var x118 uint64 + x118, x117 = bits.Mul64(x3, 0x4fffffffd) + var x119 uint64 + var x120 uint64 + x120, x119 = bits.Mul64(x3, 0xfffffffffffffffe) + var x121 
uint64 + var x122 uint64 + x122, x121 = bits.Mul64(x3, 0xfffffffbffffffff) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(x3, 0x3) + var x125 uint64 + var x126 uint1 + x125, x126 = addcarryxU64(x124, x121, 0x0) + var x127 uint64 + var x128 uint1 + x127, x128 = addcarryxU64(x122, x119, x126) + var x129 uint64 + var x130 uint1 + x129, x130 = addcarryxU64(x120, x117, x128) + var x131 uint64 + var x132 uint1 + x131, x132 = addcarryxU64(x109, x123, 0x0) + var x133 uint64 + var x134 uint1 + x133, x134 = addcarryxU64(x111, x125, x132) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x113, x127, x134) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x115, x129, x136) + var x139 uint64 + var x140 uint64 + x140, x139 = bits.Mul64(x131, 0xffffffff00000001) + var x141 uint64 + var x142 uint64 + x142, x141 = bits.Mul64(x131, 0xffffffff) + var x143 uint64 + var x144 uint64 + x144, x143 = bits.Mul64(x131, 0xffffffffffffffff) + var x145 uint64 + var x146 uint1 + x145, x146 = addcarryxU64(x144, x141, 0x0) + var x148 uint1 + _, x148 = addcarryxU64(x131, x143, 0x0) + var x149 uint64 + var x150 uint1 + x149, x150 = addcarryxU64(x133, x145, x148) + var x151 uint64 + var x152 uint1 + x151, x152 = addcarryxU64(x135, (uint64(x146) + x142), x150) + var x153 uint64 + var x154 uint1 + x153, x154 = addcarryxU64(x137, x139, x152) + var x155 uint64 + var x156 uint1 + x155, x156 = addcarryxU64(((uint64(x138) + uint64(x116)) + (uint64(x130) + x118)), x140, x154) + var x157 uint64 + var x158 uint1 + x157, x158 = subborrowxU64(x149, 0xffffffffffffffff, 0x0) + var x159 uint64 + var x160 uint1 + x159, x160 = subborrowxU64(x151, 0xffffffff, x158) + var x161 uint64 + var x162 uint1 + x161, x162 = subborrowxU64(x153, uint64(0x0), x160) + var x163 uint64 + var x164 uint1 + x163, x164 = subborrowxU64(x155, 0xffffffff00000001, x162) + var x166 uint1 + _, x166 = subborrowxU64(uint64(x156), uint64(0x0), x164) + var x167 uint64 + cmovznzU64(&x167, x166, x157, x149) + 
var x168 uint64 + cmovznzU64(&x168, x166, x159, x151) + var x169 uint64 + cmovznzU64(&x169, x166, x161, x153) + var x170 uint64 + cmovznzU64(&x170, x166, x163, x155) + out1[0] = x167 + out1[1] = x168 + out1[2] = x169 + out1[3] = x170 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func Nonzero(out1 *uint64, arg1 *[4]uint64) { - var x1 uint64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | arg1[3]))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. - Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[4]uint64, arg1 uint1, arg2 *[4]uint64, arg3 *[4]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[32]uint8, arg1 *[4]uint64) { - var x1 uint64 = (arg1[3]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[1]) - var x4 uint64 = (arg1[0]) - var x5 uint8 = (uint8(x4) & 0xff) - var x6 uint64 = (x4 >> 8) - var x7 uint8 = (uint8(x6) & 0xff) - var x8 uint64 = (x6 >> 
8) - var x9 uint8 = (uint8(x8) & 0xff) - var x10 uint64 = (x8 >> 8) - var x11 uint8 = (uint8(x10) & 0xff) - var x12 uint64 = (x10 >> 8) - var x13 uint8 = (uint8(x12) & 0xff) - var x14 uint64 = (x12 >> 8) - var x15 uint8 = (uint8(x14) & 0xff) - var x16 uint64 = (x14 >> 8) - var x17 uint8 = (uint8(x16) & 0xff) - var x18 uint8 = uint8((x16 >> 8)) - var x19 uint8 = (uint8(x3) & 0xff) - var x20 uint64 = (x3 >> 8) - var x21 uint8 = (uint8(x20) & 0xff) - var x22 uint64 = (x20 >> 8) - var x23 uint8 = (uint8(x22) & 0xff) - var x24 uint64 = (x22 >> 8) - var x25 uint8 = (uint8(x24) & 0xff) - var x26 uint64 = (x24 >> 8) - var x27 uint8 = (uint8(x26) & 0xff) - var x28 uint64 = (x26 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint64 = (x28 >> 8) - var x31 uint8 = (uint8(x30) & 0xff) - var x32 uint8 = uint8((x30 >> 8)) - var x33 uint8 = (uint8(x2) & 0xff) - var x34 uint64 = (x2 >> 8) - var x35 uint8 = (uint8(x34) & 0xff) - var x36 uint64 = (x34 >> 8) - var x37 uint8 = (uint8(x36) & 0xff) - var x38 uint64 = (x36 >> 8) - var x39 uint8 = (uint8(x38) & 0xff) - var x40 uint64 = (x38 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint64 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint64 = (x42 >> 8) - var x45 uint8 = (uint8(x44) & 0xff) - var x46 uint8 = uint8((x44 >> 8)) - var x47 uint8 = (uint8(x1) & 0xff) - var x48 uint64 = (x1 >> 8) - var x49 uint8 = (uint8(x48) & 0xff) - var x50 uint64 = (x48 >> 8) - var x51 uint8 = (uint8(x50) & 0xff) - var x52 uint64 = (x50 >> 8) - var x53 uint8 = (uint8(x52) & 0xff) - var x54 uint64 = (x52 >> 8) - var x55 uint8 = (uint8(x54) & 0xff) - var x56 uint64 = (x54 >> 8) - var x57 uint8 = (uint8(x56) & 0xff) - var x58 uint64 = (x56 >> 8) - var x59 uint8 = (uint8(x58) & 0xff) - var x60 uint8 = uint8((x58 >> 8)) - out1[0] = x5 - out1[1] = x7 - out1[2] = x9 - out1[3] = x11 - out1[4] = x13 - out1[5] = x15 - out1[6] = x17 - out1[7] = x18 - out1[8] = x19 - out1[9] = x21 - out1[10] = x23 - out1[11] = x25 - out1[12] = x27 - 
out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x39 - out1[20] = x41 - out1[21] = x43 - out1[22] = x45 - out1[23] = x46 - out1[24] = x47 - out1[25] = x49 - out1[26] = x51 - out1[27] = x53 - out1[28] = x55 - out1[29] = x57 - out1[30] = x59 - out1[31] = x60 + x1 := arg1[3] + x2 := arg1[2] + x3 := arg1[1] + x4 := arg1[0] + x5 := (uint8(x4) & 0xff) + x6 := (x4 >> 8) + x7 := (uint8(x6) & 0xff) + x8 := (x6 >> 8) + x9 := (uint8(x8) & 0xff) + x10 := (x8 >> 8) + x11 := (uint8(x10) & 0xff) + x12 := (x10 >> 8) + x13 := (uint8(x12) & 0xff) + x14 := (x12 >> 8) + x15 := (uint8(x14) & 0xff) + x16 := (x14 >> 8) + x17 := (uint8(x16) & 0xff) + x18 := uint8((x16 >> 8)) + x19 := (uint8(x3) & 0xff) + x20 := (x3 >> 8) + x21 := (uint8(x20) & 0xff) + x22 := (x20 >> 8) + x23 := (uint8(x22) & 0xff) + x24 := (x22 >> 8) + x25 := (uint8(x24) & 0xff) + x26 := (x24 >> 8) + x27 := (uint8(x26) & 0xff) + x28 := (x26 >> 8) + x29 := (uint8(x28) & 0xff) + x30 := (x28 >> 8) + x31 := (uint8(x30) & 0xff) + x32 := uint8((x30 >> 8)) + x33 := (uint8(x2) & 0xff) + x34 := (x2 >> 8) + x35 := (uint8(x34) & 0xff) + x36 := (x34 >> 8) + x37 := (uint8(x36) & 0xff) + x38 := (x36 >> 8) + x39 := (uint8(x38) & 0xff) + x40 := (x38 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := (uint8(x42) & 0xff) + x44 := (x42 >> 8) + x45 := (uint8(x44) & 0xff) + x46 := uint8((x44 >> 8)) + x47 := (uint8(x1) & 0xff) + x48 := (x1 >> 8) + x49 := (uint8(x48) & 0xff) + x50 := (x48 >> 8) + x51 := (uint8(x50) & 0xff) + x52 := (x50 >> 8) + x53 := (uint8(x52) & 0xff) + x54 := (x52 >> 8) + x55 := (uint8(x54) & 0xff) + x56 := (x54 >> 8) + x57 := (uint8(x56) & 0xff) + x58 := (x56 >> 8) + x59 := (uint8(x58) & 0xff) + x60 := uint8((x58 >> 8)) + out1[0] = x5 + out1[1] = x7 + out1[2] = x9 + out1[3] = x11 + out1[4] = x13 + out1[5] = x15 + out1[6] = x17 + out1[7] = x18 + out1[8] = x19 + out1[9] = x21 + out1[10] = x23 + out1[11] = x25 + out1[12] = x27 + out1[13] = x29 + 
out1[14] = x31 + out1[15] = x32 + out1[16] = x33 + out1[17] = x35 + out1[18] = x37 + out1[19] = x39 + out1[20] = x41 + out1[21] = x43 + out1[22] = x45 + out1[23] = x46 + out1[24] = x47 + out1[25] = x49 + out1[26] = x51 + out1[27] = x53 + out1[28] = x55 + out1[29] = x57 + out1[30] = x59 + out1[31] = x60 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. - Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromBytes(out1 *[4]uint64, arg1 *[32]uint8) { - var x1 uint64 = (uint64((arg1[31])) << 56) - var x2 uint64 = (uint64((arg1[30])) << 48) - var x3 uint64 = (uint64((arg1[29])) << 40) - var x4 uint64 = (uint64((arg1[28])) << 32) - var x5 uint64 = (uint64((arg1[27])) << 24) - var x6 uint64 = (uint64((arg1[26])) << 16) - var x7 uint64 = (uint64((arg1[25])) << 8) - var x8 uint8 = (arg1[24]) - var x9 uint64 = (uint64((arg1[23])) << 56) - var x10 uint64 = (uint64((arg1[22])) << 48) - var x11 uint64 = (uint64((arg1[21])) << 40) - var x12 uint64 = (uint64((arg1[20])) << 32) - var x13 uint64 = (uint64((arg1[19])) << 24) - var x14 uint64 = (uint64((arg1[18])) << 16) - var x15 uint64 = (uint64((arg1[17])) << 8) - var x16 uint8 = (arg1[16]) - var x17 uint64 = (uint64((arg1[15])) << 56) - var x18 uint64 = (uint64((arg1[14])) << 48) - var x19 uint64 = (uint64((arg1[13])) << 40) - var x20 uint64 = (uint64((arg1[12])) << 32) - var x21 uint64 = (uint64((arg1[11])) << 24) - var x22 uint64 = (uint64((arg1[10])) << 16) - var x23 uint64 = (uint64((arg1[9])) << 8) - var x24 uint8 = (arg1[8]) - var x25 uint64 = (uint64((arg1[7])) << 56) - var x26 uint64 = (uint64((arg1[6])) << 48) - var x27 uint64 = 
(uint64((arg1[5])) << 40) - var x28 uint64 = (uint64((arg1[4])) << 32) - var x29 uint64 = (uint64((arg1[3])) << 24) - var x30 uint64 = (uint64((arg1[2])) << 16) - var x31 uint64 = (uint64((arg1[1])) << 8) - var x32 uint8 = (arg1[0]) - var x33 uint64 = (x31 + uint64(x32)) - var x34 uint64 = (x30 + x33) - var x35 uint64 = (x29 + x34) - var x36 uint64 = (x28 + x35) - var x37 uint64 = (x27 + x36) - var x38 uint64 = (x26 + x37) - var x39 uint64 = (x25 + x38) - var x40 uint64 = (x23 + uint64(x24)) - var x41 uint64 = (x22 + x40) - var x42 uint64 = (x21 + x41) - var x43 uint64 = (x20 + x42) - var x44 uint64 = (x19 + x43) - var x45 uint64 = (x18 + x44) - var x46 uint64 = (x17 + x45) - var x47 uint64 = (x15 + uint64(x16)) - var x48 uint64 = (x14 + x47) - var x49 uint64 = (x13 + x48) - var x50 uint64 = (x12 + x49) - var x51 uint64 = (x11 + x50) - var x52 uint64 = (x10 + x51) - var x53 uint64 = (x9 + x52) - var x54 uint64 = (x7 + uint64(x8)) - var x55 uint64 = (x6 + x54) - var x56 uint64 = (x5 + x55) - var x57 uint64 = (x4 + x56) - var x58 uint64 = (x3 + x57) - var x59 uint64 = (x2 + x58) - var x60 uint64 = (x1 + x59) - out1[0] = x39 - out1[1] = x46 - out1[2] = x53 - out1[3] = x60 + x1 := (uint64(arg1[31]) << 56) + x2 := (uint64(arg1[30]) << 48) + x3 := (uint64(arg1[29]) << 40) + x4 := (uint64(arg1[28]) << 32) + x5 := (uint64(arg1[27]) << 24) + x6 := (uint64(arg1[26]) << 16) + x7 := (uint64(arg1[25]) << 8) + x8 := arg1[24] + x9 := (uint64(arg1[23]) << 56) + x10 := (uint64(arg1[22]) << 48) + x11 := (uint64(arg1[21]) << 40) + x12 := (uint64(arg1[20]) << 32) + x13 := (uint64(arg1[19]) << 24) + x14 := (uint64(arg1[18]) << 16) + x15 := (uint64(arg1[17]) << 8) + x16 := arg1[16] + x17 := (uint64(arg1[15]) << 56) + x18 := (uint64(arg1[14]) << 48) + x19 := (uint64(arg1[13]) << 40) + x20 := (uint64(arg1[12]) << 32) + x21 := (uint64(arg1[11]) << 24) + x22 := (uint64(arg1[10]) << 16) + x23 := (uint64(arg1[9]) << 8) + x24 := arg1[8] + x25 := (uint64(arg1[7]) << 56) + x26 := 
(uint64(arg1[6]) << 48) + x27 := (uint64(arg1[5]) << 40) + x28 := (uint64(arg1[4]) << 32) + x29 := (uint64(arg1[3]) << 24) + x30 := (uint64(arg1[2]) << 16) + x31 := (uint64(arg1[1]) << 8) + x32 := arg1[0] + x33 := (x31 + uint64(x32)) + x34 := (x30 + x33) + x35 := (x29 + x34) + x36 := (x28 + x35) + x37 := (x27 + x36) + x38 := (x26 + x37) + x39 := (x25 + x38) + x40 := (x23 + uint64(x24)) + x41 := (x22 + x40) + x42 := (x21 + x41) + x43 := (x20 + x42) + x44 := (x19 + x43) + x45 := (x18 + x44) + x46 := (x17 + x45) + x47 := (x15 + uint64(x16)) + x48 := (x14 + x47) + x49 := (x13 + x48) + x50 := (x12 + x49) + x51 := (x11 + x50) + x52 := (x10 + x51) + x53 := (x9 + x52) + x54 := (x7 + uint64(x8)) + x55 := (x6 + x54) + x56 := (x5 + x55) + x57 := (x4 + x56) + x58 := (x3 + x57) + x59 := (x2 + x58) + x60 := (x1 + x59) + out1[0] = x39 + out1[1] = x46 + out1[2] = x53 + out1[3] = x60 } -/* - The function SetOne returns the field element one in the Montgomery domain. - Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. +// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func SetOne(out1 *[4]uint64) { - out1[0] = uint64(0x1) - out1[1] = 0xffffffff00000000 - out1[2] = 0xffffffffffffffff - out1[3] = 0xfffffffe + out1[0] = uint64(0x1) + out1[1] = 0xffffffff00000000 + out1[2] = 0xffffffffffffffff + out1[3] = 0xfffffffe } -/* - The function Msat returns the saturated representation of the prime modulus. 
- Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. +// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Msat(out1 *[5]uint64) { - out1[0] = 0xffffffffffffffff - out1[1] = 0xffffffff - out1[2] = uint64(0x0) - out1[3] = 0xffffffff00000001 - out1[4] = uint64(0x0) + out1[0] = 0xffffffffffffffff + out1[1] = 0xffffffff + out1[2] = uint64(0x0) + out1[3] = 0xffffffff00000001 + out1[4] = uint64(0x0) } -/* - The function Divstep computes a divstep. - Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval 
out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffffffffffff] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. 
+// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffffffffffff] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] +// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Divstep(out1 *uint64, out2 *[5]uint64, out3 *[5]uint64, out4 *[4]uint64, out5 *[4]uint64, arg1 uint64, arg2 *[5]uint64, arg3 *[5]uint64, arg4 *[4]uint64, arg5 *[4]uint64) { - var x1 uint64 - x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 63)) & (uint1((arg3[0])) & 0x1)) - var x4 uint64 - x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x6 uint64 - cmovznzU64(&x6, x3, arg1, x4) - var x7 uint64 - cmovznzU64(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint64 - cmovznzU64(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint64 - cmovznzU64(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint64 - cmovznzU64(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint64 - cmovznzU64(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(uint64(0x1), (^(arg2[0])), 0x0) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(uint64(0x0), (^(arg2[1])), x13) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(uint64(0x0), (^(arg2[2])), x15) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(uint64(0x0), (^(arg2[3])), x17) - var x20 uint64 - x20, _ = addcarryxU64(uint64(0x0), (^(arg2[4])), x19) - var x22 uint64 - cmovznzU64(&x22, x3, (arg3[0]), x12) - var x23 uint64 - cmovznzU64(&x23, x3, (arg3[1]), x14) - var x24 uint64 - cmovznzU64(&x24, x3, (arg3[2]), x16) - var x25 uint64 - cmovznzU64(&x25, x3, (arg3[3]), x18) - var x26 uint64 - cmovznzU64(&x26, x3, (arg3[4]), x20) - var x27 uint64 - cmovznzU64(&x27, x3, (arg4[0]), (arg5[0])) - var x28 uint64 - cmovznzU64(&x28, x3, (arg4[1]), (arg5[1])) - var x29 uint64 - cmovznzU64(&x29, x3, (arg4[2]), (arg5[2])) - var 
x30 uint64 - cmovznzU64(&x30, x3, (arg4[3]), (arg5[3])) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(x27, x27, 0x0) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x28, x28, x32) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x29, x29, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x30, x30, x36) - var x39 uint64 - var x40 uint1 - x39, x40 = subborrowxU64(x31, 0xffffffffffffffff, 0x0) - var x41 uint64 - var x42 uint1 - x41, x42 = subborrowxU64(x33, 0xffffffff, x40) - var x43 uint64 - var x44 uint1 - x43, x44 = subborrowxU64(x35, uint64(0x0), x42) - var x45 uint64 - var x46 uint1 - x45, x46 = subborrowxU64(x37, 0xffffffff00000001, x44) - var x48 uint1 - _, x48 = subborrowxU64(uint64(x38), uint64(0x0), x46) - var x49 uint64 = (arg4[3]) - var x50 uint64 = (arg4[2]) - var x51 uint64 = (arg4[1]) - var x52 uint64 = (arg4[0]) - var x53 uint64 - var x54 uint1 - x53, x54 = subborrowxU64(uint64(0x0), x52, 0x0) - var x55 uint64 - var x56 uint1 - x55, x56 = subborrowxU64(uint64(0x0), x51, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = subborrowxU64(uint64(0x0), x50, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = subborrowxU64(uint64(0x0), x49, x58) - var x61 uint64 - cmovznzU64(&x61, x60, uint64(0x0), 0xffffffffffffffff) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x53, x61, 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x55, (x61 & 0xffffffff), x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x57, uint64(0x0), x65) - var x68 uint64 - x68, _ = addcarryxU64(x59, (x61 & 0xffffffff00000001), x67) - var x70 uint64 - cmovznzU64(&x70, x3, (arg5[0]), x62) - var x71 uint64 - cmovznzU64(&x71, x3, (arg5[1]), x64) - var x72 uint64 - cmovznzU64(&x72, x3, (arg5[2]), x66) - var x73 uint64 - cmovznzU64(&x73, x3, (arg5[3]), x68) - var x74 uint1 = (uint1(x22) & 0x1) - var x75 uint64 - cmovznzU64(&x75, x74, uint64(0x0), x7) - var x76 uint64 - cmovznzU64(&x76, x74, uint64(0x0), x8) - var 
x77 uint64 - cmovznzU64(&x77, x74, uint64(0x0), x9) - var x78 uint64 - cmovznzU64(&x78, x74, uint64(0x0), x10) - var x79 uint64 - cmovznzU64(&x79, x74, uint64(0x0), x11) - var x80 uint64 - var x81 uint1 - x80, x81 = addcarryxU64(x22, x75, 0x0) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x23, x76, x81) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x24, x77, x83) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x25, x78, x85) - var x88 uint64 - x88, _ = addcarryxU64(x26, x79, x87) - var x90 uint64 - cmovznzU64(&x90, x74, uint64(0x0), x27) - var x91 uint64 - cmovznzU64(&x91, x74, uint64(0x0), x28) - var x92 uint64 - cmovznzU64(&x92, x74, uint64(0x0), x29) - var x93 uint64 - cmovznzU64(&x93, x74, uint64(0x0), x30) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x70, x90, 0x0) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x71, x91, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x72, x92, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x73, x93, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = subborrowxU64(x94, 0xffffffffffffffff, 0x0) - var x104 uint64 - var x105 uint1 - x104, x105 = subborrowxU64(x96, 0xffffffff, x103) - var x106 uint64 - var x107 uint1 - x106, x107 = subborrowxU64(x98, uint64(0x0), x105) - var x108 uint64 - var x109 uint1 - x108, x109 = subborrowxU64(x100, 0xffffffff00000001, x107) - var x111 uint1 - _, x111 = subborrowxU64(uint64(x101), uint64(0x0), x109) - var x112 uint64 - x112, _ = addcarryxU64(x6, uint64(0x1), 0x0) - var x114 uint64 = ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff)) - var x115 uint64 = ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)) - var x116 uint64 = ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)) - var x117 uint64 = ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)) - var x118 uint64 = ((x88 & 0x8000000000000000) | (x88 >> 1)) - var x119 uint64 - cmovznzU64(&x119, x48, x39, x31) - var x120 uint64 - cmovznzU64(&x120, 
x48, x41, x33) - var x121 uint64 - cmovznzU64(&x121, x48, x43, x35) - var x122 uint64 - cmovznzU64(&x122, x48, x45, x37) - var x123 uint64 - cmovznzU64(&x123, x111, x102, x94) - var x124 uint64 - cmovznzU64(&x124, x111, x104, x96) - var x125 uint64 - cmovznzU64(&x125, x111, x106, x98) - var x126 uint64 - cmovznzU64(&x126, x111, x108, x100) - *out1 = x112 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out3[0] = x114 - out3[1] = x115 - out3[2] = x116 - out3[3] = x117 - out3[4] = x118 - out4[0] = x119 - out4[1] = x120 - out4[2] = x121 - out4[3] = x122 - out5[0] = x123 - out5[1] = x124 - out5[2] = x125 - out5[3] = x126 + var x1 uint64 + x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + x3 := (uint1((x1 >> 63)) & (uint1(arg3[0]) & 0x1)) + var x4 uint64 + x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + var x6 uint64 + cmovznzU64(&x6, x3, arg1, x4) + var x7 uint64 + cmovznzU64(&x7, x3, arg2[0], arg3[0]) + var x8 uint64 + cmovznzU64(&x8, x3, arg2[1], arg3[1]) + var x9 uint64 + cmovznzU64(&x9, x3, arg2[2], arg3[2]) + var x10 uint64 + cmovznzU64(&x10, x3, arg2[3], arg3[3]) + var x11 uint64 + cmovznzU64(&x11, x3, arg2[4], arg3[4]) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(uint64(0x1), (^arg2[0]), 0x0) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(uint64(0x0), (^arg2[1]), x13) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(uint64(0x0), (^arg2[2]), x15) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(uint64(0x0), (^arg2[3]), x17) + var x20 uint64 + x20, _ = addcarryxU64(uint64(0x0), (^arg2[4]), x19) + var x22 uint64 + cmovznzU64(&x22, x3, arg3[0], x12) + var x23 uint64 + cmovznzU64(&x23, x3, arg3[1], x14) + var x24 uint64 + cmovznzU64(&x24, x3, arg3[2], x16) + var x25 uint64 + cmovznzU64(&x25, x3, arg3[3], x18) + var x26 uint64 + cmovznzU64(&x26, x3, arg3[4], x20) + var x27 uint64 + cmovznzU64(&x27, x3, arg4[0], arg5[0]) + var x28 uint64 + cmovznzU64(&x28, x3, arg4[1], arg5[1]) + var x29 
uint64 + cmovznzU64(&x29, x3, arg4[2], arg5[2]) + var x30 uint64 + cmovznzU64(&x30, x3, arg4[3], arg5[3]) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(x27, x27, 0x0) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x28, x28, x32) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x29, x29, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x30, x30, x36) + var x39 uint64 + var x40 uint1 + x39, x40 = subborrowxU64(x31, 0xffffffffffffffff, 0x0) + var x41 uint64 + var x42 uint1 + x41, x42 = subborrowxU64(x33, 0xffffffff, x40) + var x43 uint64 + var x44 uint1 + x43, x44 = subborrowxU64(x35, uint64(0x0), x42) + var x45 uint64 + var x46 uint1 + x45, x46 = subborrowxU64(x37, 0xffffffff00000001, x44) + var x48 uint1 + _, x48 = subborrowxU64(uint64(x38), uint64(0x0), x46) + x49 := arg4[3] + x50 := arg4[2] + x51 := arg4[1] + x52 := arg4[0] + var x53 uint64 + var x54 uint1 + x53, x54 = subborrowxU64(uint64(0x0), x52, 0x0) + var x55 uint64 + var x56 uint1 + x55, x56 = subborrowxU64(uint64(0x0), x51, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = subborrowxU64(uint64(0x0), x50, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = subborrowxU64(uint64(0x0), x49, x58) + var x61 uint64 + cmovznzU64(&x61, x60, uint64(0x0), 0xffffffffffffffff) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x53, x61, 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x55, (x61 & 0xffffffff), x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x57, uint64(0x0), x65) + var x68 uint64 + x68, _ = addcarryxU64(x59, (x61 & 0xffffffff00000001), x67) + var x70 uint64 + cmovznzU64(&x70, x3, arg5[0], x62) + var x71 uint64 + cmovznzU64(&x71, x3, arg5[1], x64) + var x72 uint64 + cmovznzU64(&x72, x3, arg5[2], x66) + var x73 uint64 + cmovznzU64(&x73, x3, arg5[3], x68) + x74 := (uint1(x22) & 0x1) + var x75 uint64 + cmovznzU64(&x75, x74, uint64(0x0), x7) + var x76 uint64 + cmovznzU64(&x76, x74, uint64(0x0), x8) + var x77 uint64 + 
cmovznzU64(&x77, x74, uint64(0x0), x9) + var x78 uint64 + cmovznzU64(&x78, x74, uint64(0x0), x10) + var x79 uint64 + cmovznzU64(&x79, x74, uint64(0x0), x11) + var x80 uint64 + var x81 uint1 + x80, x81 = addcarryxU64(x22, x75, 0x0) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x23, x76, x81) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x24, x77, x83) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x25, x78, x85) + var x88 uint64 + x88, _ = addcarryxU64(x26, x79, x87) + var x90 uint64 + cmovznzU64(&x90, x74, uint64(0x0), x27) + var x91 uint64 + cmovznzU64(&x91, x74, uint64(0x0), x28) + var x92 uint64 + cmovznzU64(&x92, x74, uint64(0x0), x29) + var x93 uint64 + cmovznzU64(&x93, x74, uint64(0x0), x30) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x70, x90, 0x0) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x71, x91, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x72, x92, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x73, x93, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = subborrowxU64(x94, 0xffffffffffffffff, 0x0) + var x104 uint64 + var x105 uint1 + x104, x105 = subborrowxU64(x96, 0xffffffff, x103) + var x106 uint64 + var x107 uint1 + x106, x107 = subborrowxU64(x98, uint64(0x0), x105) + var x108 uint64 + var x109 uint1 + x108, x109 = subborrowxU64(x100, 0xffffffff00000001, x107) + var x111 uint1 + _, x111 = subborrowxU64(uint64(x101), uint64(0x0), x109) + var x112 uint64 + x112, _ = addcarryxU64(x6, uint64(0x1), 0x0) + x114 := ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff)) + x115 := ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)) + x116 := ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)) + x117 := ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)) + x118 := ((x88 & 0x8000000000000000) | (x88 >> 1)) + var x119 uint64 + cmovznzU64(&x119, x48, x39, x31) + var x120 uint64 + cmovznzU64(&x120, x48, x41, x33) + var x121 uint64 + cmovznzU64(&x121, x48, x43, 
x35) + var x122 uint64 + cmovznzU64(&x122, x48, x45, x37) + var x123 uint64 + cmovznzU64(&x123, x111, x102, x94) + var x124 uint64 + cmovznzU64(&x124, x111, x104, x96) + var x125 uint64 + cmovznzU64(&x125, x111, x106, x98) + var x126 uint64 + cmovznzU64(&x126, x111, x108, x100) + *out1 = x112 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out3[0] = x114 + out3[1] = x115 + out3[2] = x116 + out3[3] = x117 + out3[4] = x118 + out4[0] = x119 + out4[1] = x120 + out4[2] = x121 + out4[3] = x122 + out5[0] = x123 + out5[1] = x124 + out5[2] = x125 + out5[3] = x126 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func DivstepPrecomp(out1 *[4]uint64) { - out1[0] = 0x67ffffffb8000000 - out1[1] = 0xc000000038000000 - out1[2] = 0xd80000007fffffff - out1[3] = 0x2fffffffffffffff + out1[0] = 0x67ffffffb8000000 + out1[1] = 0xc000000038000000 + out1[2] = 0xd80000007fffffff + out1[3] = 0x2fffffffffffffff } - diff --git a/fiat-go/64/p384/p384.go b/fiat-go/64/p384/p384.go index ec822ed6ad5..4d24558779f 100644 --- a/fiat-go/64/p384/p384.go +++ b/fiat-go/64/p384/p384.go 
@@ -1,3519 +1,3482 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p384 '' 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): p384 - - machine_wordsize = 64 (from "64") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in - - if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name p384 '' 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): p384 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. 
+// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in +// +// if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 package p384 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - 
var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU64 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Mul(out1 *[6]uint64, arg1 *[6]uint64, arg2 *[6]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[4]) - var x5 uint64 = (arg1[5]) - var x6 uint64 = (arg1[0]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x6, (arg2[5])) - var x9 uint64 - var x10 
uint64 - x10, x9 = bits.Mul64(x6, (arg2[4])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x6, (arg2[3])) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x6, (arg2[2])) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64(x6, (arg2[1])) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64(x6, (arg2[0])) - var x19 uint64 - var x20 uint1 - x19, x20 = addcarryxU64(x18, x15, 0x0) - var x21 uint64 - var x22 uint1 - x21, x22 = addcarryxU64(x16, x13, x20) - var x23 uint64 - var x24 uint1 - x23, x24 = addcarryxU64(x14, x11, x22) - var x25 uint64 - var x26 uint1 - x25, x26 = addcarryxU64(x12, x9, x24) - var x27 uint64 - var x28 uint1 - x27, x28 = addcarryxU64(x10, x7, x26) - var x29 uint64 = (uint64(x28) + x8) - var x30 uint64 - _, x30 = bits.Mul64(x17, 0x100000001) - var x32 uint64 - var x33 uint64 - x33, x32 = bits.Mul64(x30, 0xffffffffffffffff) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64(x30, 0xffffffffffffffff) - var x36 uint64 - var x37 uint64 - x37, x36 = bits.Mul64(x30, 0xffffffffffffffff) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x30, 0xfffffffffffffffe) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x30, 0xffffffff00000000) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x30, 0xffffffff) - var x44 uint64 - var x45 uint1 - x44, x45 = addcarryxU64(x43, x40, 0x0) - var x46 uint64 - var x47 uint1 - x46, x47 = addcarryxU64(x41, x38, x45) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x39, x36, x47) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x37, x34, x49) - var x52 uint64 - var x53 uint1 - x52, x53 = addcarryxU64(x35, x32, x51) - var x54 uint64 = (uint64(x53) + x33) - var x56 uint1 - _, x56 = addcarryxU64(x17, x42, 0x0) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x19, x44, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x21, x46, x58) - var x61 uint64 - var x62 uint1 - x61, x62 = addcarryxU64(x23, x48, x60) - var x63 uint64 - var 
x64 uint1 - x63, x64 = addcarryxU64(x25, x50, x62) - var x65 uint64 - var x66 uint1 - x65, x66 = addcarryxU64(x27, x52, x64) - var x67 uint64 - var x68 uint1 - x67, x68 = addcarryxU64(x29, x54, x66) - var x69 uint64 - var x70 uint64 - x70, x69 = bits.Mul64(x1, (arg2[5])) - var x71 uint64 - var x72 uint64 - x72, x71 = bits.Mul64(x1, (arg2[4])) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64(x1, (arg2[3])) - var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64(x1, (arg2[2])) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x1, (arg2[1])) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x1, (arg2[0])) - var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x80, x77, 0x0) - var x83 uint64 - var x84 uint1 - x83, x84 = addcarryxU64(x78, x75, x82) - var x85 uint64 - var x86 uint1 - x85, x86 = addcarryxU64(x76, x73, x84) - var x87 uint64 - var x88 uint1 - x87, x88 = addcarryxU64(x74, x71, x86) - var x89 uint64 - var x90 uint1 - x89, x90 = addcarryxU64(x72, x69, x88) - var x91 uint64 = (uint64(x90) + x70) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x57, x79, 0x0) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x59, x81, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x61, x83, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x63, x85, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x65, x87, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x67, x89, x101) - var x104 uint64 - var x105 uint1 - x104, x105 = addcarryxU64(uint64(x68), x91, x103) - var x106 uint64 - _, x106 = bits.Mul64(x92, 0x100000001) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x106, 0xffffffffffffffff) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x106, 0xffffffffffffffff) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x106, 0xffffffffffffffff) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x106, 0xfffffffffffffffe) - 
var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(x106, 0xffffffff00000000) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64(x106, 0xffffffff) - var x120 uint64 - var x121 uint1 - x120, x121 = addcarryxU64(x119, x116, 0x0) - var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x117, x114, x121) - var x124 uint64 - var x125 uint1 - x124, x125 = addcarryxU64(x115, x112, x123) - var x126 uint64 - var x127 uint1 - x126, x127 = addcarryxU64(x113, x110, x125) - var x128 uint64 - var x129 uint1 - x128, x129 = addcarryxU64(x111, x108, x127) - var x130 uint64 = (uint64(x129) + x109) - var x132 uint1 - _, x132 = addcarryxU64(x92, x118, 0x0) - var x133 uint64 - var x134 uint1 - x133, x134 = addcarryxU64(x94, x120, x132) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x96, x122, x134) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x98, x124, x136) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x100, x126, x138) - var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x102, x128, x140) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(x104, x130, x142) - var x145 uint64 = (uint64(x144) + uint64(x105)) - var x146 uint64 - var x147 uint64 - x147, x146 = bits.Mul64(x2, (arg2[5])) - var x148 uint64 - var x149 uint64 - x149, x148 = bits.Mul64(x2, (arg2[4])) - var x150 uint64 - var x151 uint64 - x151, x150 = bits.Mul64(x2, (arg2[3])) - var x152 uint64 - var x153 uint64 - x153, x152 = bits.Mul64(x2, (arg2[2])) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x2, (arg2[1])) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x2, (arg2[0])) - var x158 uint64 - var x159 uint1 - x158, x159 = addcarryxU64(x157, x154, 0x0) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x155, x152, x159) - var x162 uint64 - var x163 uint1 - x162, x163 = addcarryxU64(x153, x150, x161) - var x164 uint64 - var x165 uint1 - x164, x165 = addcarryxU64(x151, x148, x163) - var x166 
uint64 - var x167 uint1 - x166, x167 = addcarryxU64(x149, x146, x165) - var x168 uint64 = (uint64(x167) + x147) - var x169 uint64 - var x170 uint1 - x169, x170 = addcarryxU64(x133, x156, 0x0) - var x171 uint64 - var x172 uint1 - x171, x172 = addcarryxU64(x135, x158, x170) - var x173 uint64 - var x174 uint1 - x173, x174 = addcarryxU64(x137, x160, x172) - var x175 uint64 - var x176 uint1 - x175, x176 = addcarryxU64(x139, x162, x174) - var x177 uint64 - var x178 uint1 - x177, x178 = addcarryxU64(x141, x164, x176) - var x179 uint64 - var x180 uint1 - x179, x180 = addcarryxU64(x143, x166, x178) - var x181 uint64 - var x182 uint1 - x181, x182 = addcarryxU64(x145, x168, x180) - var x183 uint64 - _, x183 = bits.Mul64(x169, 0x100000001) - var x185 uint64 - var x186 uint64 - x186, x185 = bits.Mul64(x183, 0xffffffffffffffff) - var x187 uint64 - var x188 uint64 - x188, x187 = bits.Mul64(x183, 0xffffffffffffffff) - var x189 uint64 - var x190 uint64 - x190, x189 = bits.Mul64(x183, 0xffffffffffffffff) - var x191 uint64 - var x192 uint64 - x192, x191 = bits.Mul64(x183, 0xfffffffffffffffe) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64(x183, 0xffffffff00000000) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(x183, 0xffffffff) - var x197 uint64 - var x198 uint1 - x197, x198 = addcarryxU64(x196, x193, 0x0) - var x199 uint64 - var x200 uint1 - x199, x200 = addcarryxU64(x194, x191, x198) - var x201 uint64 - var x202 uint1 - x201, x202 = addcarryxU64(x192, x189, x200) - var x203 uint64 - var x204 uint1 - x203, x204 = addcarryxU64(x190, x187, x202) - var x205 uint64 - var x206 uint1 - x205, x206 = addcarryxU64(x188, x185, x204) - var x207 uint64 = (uint64(x206) + x186) - var x209 uint1 - _, x209 = addcarryxU64(x169, x195, 0x0) - var x210 uint64 - var x211 uint1 - x210, x211 = addcarryxU64(x171, x197, x209) - var x212 uint64 - var x213 uint1 - x212, x213 = addcarryxU64(x173, x199, x211) - var x214 uint64 - var x215 uint1 - x214, x215 = addcarryxU64(x175, x201, 
x213) - var x216 uint64 - var x217 uint1 - x216, x217 = addcarryxU64(x177, x203, x215) - var x218 uint64 - var x219 uint1 - x218, x219 = addcarryxU64(x179, x205, x217) - var x220 uint64 - var x221 uint1 - x220, x221 = addcarryxU64(x181, x207, x219) - var x222 uint64 = (uint64(x221) + uint64(x182)) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x3, (arg2[5])) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x3, (arg2[4])) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x3, (arg2[3])) - var x229 uint64 - var x230 uint64 - x230, x229 = bits.Mul64(x3, (arg2[2])) - var x231 uint64 - var x232 uint64 - x232, x231 = bits.Mul64(x3, (arg2[1])) - var x233 uint64 - var x234 uint64 - x234, x233 = bits.Mul64(x3, (arg2[0])) - var x235 uint64 - var x236 uint1 - x235, x236 = addcarryxU64(x234, x231, 0x0) - var x237 uint64 - var x238 uint1 - x237, x238 = addcarryxU64(x232, x229, x236) - var x239 uint64 - var x240 uint1 - x239, x240 = addcarryxU64(x230, x227, x238) - var x241 uint64 - var x242 uint1 - x241, x242 = addcarryxU64(x228, x225, x240) - var x243 uint64 - var x244 uint1 - x243, x244 = addcarryxU64(x226, x223, x242) - var x245 uint64 = (uint64(x244) + x224) - var x246 uint64 - var x247 uint1 - x246, x247 = addcarryxU64(x210, x233, 0x0) - var x248 uint64 - var x249 uint1 - x248, x249 = addcarryxU64(x212, x235, x247) - var x250 uint64 - var x251 uint1 - x250, x251 = addcarryxU64(x214, x237, x249) - var x252 uint64 - var x253 uint1 - x252, x253 = addcarryxU64(x216, x239, x251) - var x254 uint64 - var x255 uint1 - x254, x255 = addcarryxU64(x218, x241, x253) - var x256 uint64 - var x257 uint1 - x256, x257 = addcarryxU64(x220, x243, x255) - var x258 uint64 - var x259 uint1 - x258, x259 = addcarryxU64(x222, x245, x257) - var x260 uint64 - _, x260 = bits.Mul64(x246, 0x100000001) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x260, 0xffffffffffffffff) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x260, 
0xffffffffffffffff) - var x266 uint64 - var x267 uint64 - x267, x266 = bits.Mul64(x260, 0xffffffffffffffff) - var x268 uint64 - var x269 uint64 - x269, x268 = bits.Mul64(x260, 0xfffffffffffffffe) - var x270 uint64 - var x271 uint64 - x271, x270 = bits.Mul64(x260, 0xffffffff00000000) - var x272 uint64 - var x273 uint64 - x273, x272 = bits.Mul64(x260, 0xffffffff) - var x274 uint64 - var x275 uint1 - x274, x275 = addcarryxU64(x273, x270, 0x0) - var x276 uint64 - var x277 uint1 - x276, x277 = addcarryxU64(x271, x268, x275) - var x278 uint64 - var x279 uint1 - x278, x279 = addcarryxU64(x269, x266, x277) - var x280 uint64 - var x281 uint1 - x280, x281 = addcarryxU64(x267, x264, x279) - var x282 uint64 - var x283 uint1 - x282, x283 = addcarryxU64(x265, x262, x281) - var x284 uint64 = (uint64(x283) + x263) - var x286 uint1 - _, x286 = addcarryxU64(x246, x272, 0x0) - var x287 uint64 - var x288 uint1 - x287, x288 = addcarryxU64(x248, x274, x286) - var x289 uint64 - var x290 uint1 - x289, x290 = addcarryxU64(x250, x276, x288) - var x291 uint64 - var x292 uint1 - x291, x292 = addcarryxU64(x252, x278, x290) - var x293 uint64 - var x294 uint1 - x293, x294 = addcarryxU64(x254, x280, x292) - var x295 uint64 - var x296 uint1 - x295, x296 = addcarryxU64(x256, x282, x294) - var x297 uint64 - var x298 uint1 - x297, x298 = addcarryxU64(x258, x284, x296) - var x299 uint64 = (uint64(x298) + uint64(x259)) - var x300 uint64 - var x301 uint64 - x301, x300 = bits.Mul64(x4, (arg2[5])) - var x302 uint64 - var x303 uint64 - x303, x302 = bits.Mul64(x4, (arg2[4])) - var x304 uint64 - var x305 uint64 - x305, x304 = bits.Mul64(x4, (arg2[3])) - var x306 uint64 - var x307 uint64 - x307, x306 = bits.Mul64(x4, (arg2[2])) - var x308 uint64 - var x309 uint64 - x309, x308 = bits.Mul64(x4, (arg2[1])) - var x310 uint64 - var x311 uint64 - x311, x310 = bits.Mul64(x4, (arg2[0])) - var x312 uint64 - var x313 uint1 - x312, x313 = addcarryxU64(x311, x308, 0x0) - var x314 uint64 - var x315 uint1 - x314, x315 = 
addcarryxU64(x309, x306, x313) - var x316 uint64 - var x317 uint1 - x316, x317 = addcarryxU64(x307, x304, x315) - var x318 uint64 - var x319 uint1 - x318, x319 = addcarryxU64(x305, x302, x317) - var x320 uint64 - var x321 uint1 - x320, x321 = addcarryxU64(x303, x300, x319) - var x322 uint64 = (uint64(x321) + x301) - var x323 uint64 - var x324 uint1 - x323, x324 = addcarryxU64(x287, x310, 0x0) - var x325 uint64 - var x326 uint1 - x325, x326 = addcarryxU64(x289, x312, x324) - var x327 uint64 - var x328 uint1 - x327, x328 = addcarryxU64(x291, x314, x326) - var x329 uint64 - var x330 uint1 - x329, x330 = addcarryxU64(x293, x316, x328) - var x331 uint64 - var x332 uint1 - x331, x332 = addcarryxU64(x295, x318, x330) - var x333 uint64 - var x334 uint1 - x333, x334 = addcarryxU64(x297, x320, x332) - var x335 uint64 - var x336 uint1 - x335, x336 = addcarryxU64(x299, x322, x334) - var x337 uint64 - _, x337 = bits.Mul64(x323, 0x100000001) - var x339 uint64 - var x340 uint64 - x340, x339 = bits.Mul64(x337, 0xffffffffffffffff) - var x341 uint64 - var x342 uint64 - x342, x341 = bits.Mul64(x337, 0xffffffffffffffff) - var x343 uint64 - var x344 uint64 - x344, x343 = bits.Mul64(x337, 0xffffffffffffffff) - var x345 uint64 - var x346 uint64 - x346, x345 = bits.Mul64(x337, 0xfffffffffffffffe) - var x347 uint64 - var x348 uint64 - x348, x347 = bits.Mul64(x337, 0xffffffff00000000) - var x349 uint64 - var x350 uint64 - x350, x349 = bits.Mul64(x337, 0xffffffff) - var x351 uint64 - var x352 uint1 - x351, x352 = addcarryxU64(x350, x347, 0x0) - var x353 uint64 - var x354 uint1 - x353, x354 = addcarryxU64(x348, x345, x352) - var x355 uint64 - var x356 uint1 - x355, x356 = addcarryxU64(x346, x343, x354) - var x357 uint64 - var x358 uint1 - x357, x358 = addcarryxU64(x344, x341, x356) - var x359 uint64 - var x360 uint1 - x359, x360 = addcarryxU64(x342, x339, x358) - var x361 uint64 = (uint64(x360) + x340) - var x363 uint1 - _, x363 = addcarryxU64(x323, x349, 0x0) - var x364 uint64 - var x365 
uint1 - x364, x365 = addcarryxU64(x325, x351, x363) - var x366 uint64 - var x367 uint1 - x366, x367 = addcarryxU64(x327, x353, x365) - var x368 uint64 - var x369 uint1 - x368, x369 = addcarryxU64(x329, x355, x367) - var x370 uint64 - var x371 uint1 - x370, x371 = addcarryxU64(x331, x357, x369) - var x372 uint64 - var x373 uint1 - x372, x373 = addcarryxU64(x333, x359, x371) - var x374 uint64 - var x375 uint1 - x374, x375 = addcarryxU64(x335, x361, x373) - var x376 uint64 = (uint64(x375) + uint64(x336)) - var x377 uint64 - var x378 uint64 - x378, x377 = bits.Mul64(x5, (arg2[5])) - var x379 uint64 - var x380 uint64 - x380, x379 = bits.Mul64(x5, (arg2[4])) - var x381 uint64 - var x382 uint64 - x382, x381 = bits.Mul64(x5, (arg2[3])) - var x383 uint64 - var x384 uint64 - x384, x383 = bits.Mul64(x5, (arg2[2])) - var x385 uint64 - var x386 uint64 - x386, x385 = bits.Mul64(x5, (arg2[1])) - var x387 uint64 - var x388 uint64 - x388, x387 = bits.Mul64(x5, (arg2[0])) - var x389 uint64 - var x390 uint1 - x389, x390 = addcarryxU64(x388, x385, 0x0) - var x391 uint64 - var x392 uint1 - x391, x392 = addcarryxU64(x386, x383, x390) - var x393 uint64 - var x394 uint1 - x393, x394 = addcarryxU64(x384, x381, x392) - var x395 uint64 - var x396 uint1 - x395, x396 = addcarryxU64(x382, x379, x394) - var x397 uint64 - var x398 uint1 - x397, x398 = addcarryxU64(x380, x377, x396) - var x399 uint64 = (uint64(x398) + x378) - var x400 uint64 - var x401 uint1 - x400, x401 = addcarryxU64(x364, x387, 0x0) - var x402 uint64 - var x403 uint1 - x402, x403 = addcarryxU64(x366, x389, x401) - var x404 uint64 - var x405 uint1 - x404, x405 = addcarryxU64(x368, x391, x403) - var x406 uint64 - var x407 uint1 - x406, x407 = addcarryxU64(x370, x393, x405) - var x408 uint64 - var x409 uint1 - x408, x409 = addcarryxU64(x372, x395, x407) - var x410 uint64 - var x411 uint1 - x410, x411 = addcarryxU64(x374, x397, x409) - var x412 uint64 - var x413 uint1 - x412, x413 = addcarryxU64(x376, x399, x411) - var x414 uint64 
- _, x414 = bits.Mul64(x400, 0x100000001) - var x416 uint64 - var x417 uint64 - x417, x416 = bits.Mul64(x414, 0xffffffffffffffff) - var x418 uint64 - var x419 uint64 - x419, x418 = bits.Mul64(x414, 0xffffffffffffffff) - var x420 uint64 - var x421 uint64 - x421, x420 = bits.Mul64(x414, 0xffffffffffffffff) - var x422 uint64 - var x423 uint64 - x423, x422 = bits.Mul64(x414, 0xfffffffffffffffe) - var x424 uint64 - var x425 uint64 - x425, x424 = bits.Mul64(x414, 0xffffffff00000000) - var x426 uint64 - var x427 uint64 - x427, x426 = bits.Mul64(x414, 0xffffffff) - var x428 uint64 - var x429 uint1 - x428, x429 = addcarryxU64(x427, x424, 0x0) - var x430 uint64 - var x431 uint1 - x430, x431 = addcarryxU64(x425, x422, x429) - var x432 uint64 - var x433 uint1 - x432, x433 = addcarryxU64(x423, x420, x431) - var x434 uint64 - var x435 uint1 - x434, x435 = addcarryxU64(x421, x418, x433) - var x436 uint64 - var x437 uint1 - x436, x437 = addcarryxU64(x419, x416, x435) - var x438 uint64 = (uint64(x437) + x417) - var x440 uint1 - _, x440 = addcarryxU64(x400, x426, 0x0) - var x441 uint64 - var x442 uint1 - x441, x442 = addcarryxU64(x402, x428, x440) - var x443 uint64 - var x444 uint1 - x443, x444 = addcarryxU64(x404, x430, x442) - var x445 uint64 - var x446 uint1 - x445, x446 = addcarryxU64(x406, x432, x444) - var x447 uint64 - var x448 uint1 - x447, x448 = addcarryxU64(x408, x434, x446) - var x449 uint64 - var x450 uint1 - x449, x450 = addcarryxU64(x410, x436, x448) - var x451 uint64 - var x452 uint1 - x451, x452 = addcarryxU64(x412, x438, x450) - var x453 uint64 = (uint64(x452) + uint64(x413)) - var x454 uint64 - var x455 uint1 - x454, x455 = subborrowxU64(x441, 0xffffffff, 0x0) - var x456 uint64 - var x457 uint1 - x456, x457 = subborrowxU64(x443, 0xffffffff00000000, x455) - var x458 uint64 - var x459 uint1 - x458, x459 = subborrowxU64(x445, 0xfffffffffffffffe, x457) - var x460 uint64 - var x461 uint1 - x460, x461 = subborrowxU64(x447, 0xffffffffffffffff, x459) - var x462 uint64 - 
var x463 uint1 - x462, x463 = subborrowxU64(x449, 0xffffffffffffffff, x461) - var x464 uint64 - var x465 uint1 - x464, x465 = subborrowxU64(x451, 0xffffffffffffffff, x463) - var x467 uint1 - _, x467 = subborrowxU64(x453, uint64(0x0), x465) - var x468 uint64 - cmovznzU64(&x468, x467, x454, x441) - var x469 uint64 - cmovznzU64(&x469, x467, x456, x443) - var x470 uint64 - cmovznzU64(&x470, x467, x458, x445) - var x471 uint64 - cmovznzU64(&x471, x467, x460, x447) - var x472 uint64 - cmovznzU64(&x472, x467, x462, x449) - var x473 uint64 - cmovznzU64(&x473, x467, x464, x451) - out1[0] = x468 - out1[1] = x469 - out1[2] = x470 - out1[3] = x471 - out1[4] = x472 - out1[5] = x473 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[0] + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x6, arg2[5]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x6, arg2[4]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x6, arg2[3]) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(x6, arg2[2]) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(x6, arg2[1]) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(x6, arg2[0]) + var x19 uint64 + var x20 uint1 + x19, x20 = addcarryxU64(x18, x15, 0x0) + var x21 uint64 + var x22 uint1 + x21, x22 = addcarryxU64(x16, x13, x20) + var x23 uint64 + var x24 uint1 + x23, x24 = addcarryxU64(x14, x11, x22) + var x25 uint64 + var x26 uint1 + x25, x26 = addcarryxU64(x12, x9, x24) + var x27 uint64 + var x28 uint1 + x27, x28 = addcarryxU64(x10, x7, x26) + x29 := (uint64(x28) + x8) + var x30 uint64 + _, x30 = bits.Mul64(x17, 0x100000001) + var x32 uint64 + var x33 uint64 + x33, x32 = bits.Mul64(x30, 0xffffffffffffffff) + var x34 uint64 + var x35 uint64 + x35, x34 = bits.Mul64(x30, 0xffffffffffffffff) + var x36 uint64 + var x37 uint64 + x37, x36 = bits.Mul64(x30, 0xffffffffffffffff) + var x38 uint64 + var x39 uint64 + x39, x38 = bits.Mul64(x30, 0xfffffffffffffffe) + var x40 uint64 + 
var x41 uint64 + x41, x40 = bits.Mul64(x30, 0xffffffff00000000) + var x42 uint64 + var x43 uint64 + x43, x42 = bits.Mul64(x30, 0xffffffff) + var x44 uint64 + var x45 uint1 + x44, x45 = addcarryxU64(x43, x40, 0x0) + var x46 uint64 + var x47 uint1 + x46, x47 = addcarryxU64(x41, x38, x45) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x39, x36, x47) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x37, x34, x49) + var x52 uint64 + var x53 uint1 + x52, x53 = addcarryxU64(x35, x32, x51) + x54 := (uint64(x53) + x33) + var x56 uint1 + _, x56 = addcarryxU64(x17, x42, 0x0) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x19, x44, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x21, x46, x58) + var x61 uint64 + var x62 uint1 + x61, x62 = addcarryxU64(x23, x48, x60) + var x63 uint64 + var x64 uint1 + x63, x64 = addcarryxU64(x25, x50, x62) + var x65 uint64 + var x66 uint1 + x65, x66 = addcarryxU64(x27, x52, x64) + var x67 uint64 + var x68 uint1 + x67, x68 = addcarryxU64(x29, x54, x66) + var x69 uint64 + var x70 uint64 + x70, x69 = bits.Mul64(x1, arg2[5]) + var x71 uint64 + var x72 uint64 + x72, x71 = bits.Mul64(x1, arg2[4]) + var x73 uint64 + var x74 uint64 + x74, x73 = bits.Mul64(x1, arg2[3]) + var x75 uint64 + var x76 uint64 + x76, x75 = bits.Mul64(x1, arg2[2]) + var x77 uint64 + var x78 uint64 + x78, x77 = bits.Mul64(x1, arg2[1]) + var x79 uint64 + var x80 uint64 + x80, x79 = bits.Mul64(x1, arg2[0]) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x80, x77, 0x0) + var x83 uint64 + var x84 uint1 + x83, x84 = addcarryxU64(x78, x75, x82) + var x85 uint64 + var x86 uint1 + x85, x86 = addcarryxU64(x76, x73, x84) + var x87 uint64 + var x88 uint1 + x87, x88 = addcarryxU64(x74, x71, x86) + var x89 uint64 + var x90 uint1 + x89, x90 = addcarryxU64(x72, x69, x88) + x91 := (uint64(x90) + x70) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x57, x79, 0x0) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x59, 
x81, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x61, x83, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x63, x85, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x65, x87, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x67, x89, x101) + var x104 uint64 + var x105 uint1 + x104, x105 = addcarryxU64(uint64(x68), x91, x103) + var x106 uint64 + _, x106 = bits.Mul64(x92, 0x100000001) + var x108 uint64 + var x109 uint64 + x109, x108 = bits.Mul64(x106, 0xffffffffffffffff) + var x110 uint64 + var x111 uint64 + x111, x110 = bits.Mul64(x106, 0xffffffffffffffff) + var x112 uint64 + var x113 uint64 + x113, x112 = bits.Mul64(x106, 0xffffffffffffffff) + var x114 uint64 + var x115 uint64 + x115, x114 = bits.Mul64(x106, 0xfffffffffffffffe) + var x116 uint64 + var x117 uint64 + x117, x116 = bits.Mul64(x106, 0xffffffff00000000) + var x118 uint64 + var x119 uint64 + x119, x118 = bits.Mul64(x106, 0xffffffff) + var x120 uint64 + var x121 uint1 + x120, x121 = addcarryxU64(x119, x116, 0x0) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x117, x114, x121) + var x124 uint64 + var x125 uint1 + x124, x125 = addcarryxU64(x115, x112, x123) + var x126 uint64 + var x127 uint1 + x126, x127 = addcarryxU64(x113, x110, x125) + var x128 uint64 + var x129 uint1 + x128, x129 = addcarryxU64(x111, x108, x127) + x130 := (uint64(x129) + x109) + var x132 uint1 + _, x132 = addcarryxU64(x92, x118, 0x0) + var x133 uint64 + var x134 uint1 + x133, x134 = addcarryxU64(x94, x120, x132) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x96, x122, x134) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x98, x124, x136) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x100, x126, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x102, x128, x140) + var x143 uint64 + var x144 uint1 + x143, x144 = addcarryxU64(x104, x130, x142) + x145 := (uint64(x144) + uint64(x105)) + 
var x146 uint64 + var x147 uint64 + x147, x146 = bits.Mul64(x2, arg2[5]) + var x148 uint64 + var x149 uint64 + x149, x148 = bits.Mul64(x2, arg2[4]) + var x150 uint64 + var x151 uint64 + x151, x150 = bits.Mul64(x2, arg2[3]) + var x152 uint64 + var x153 uint64 + x153, x152 = bits.Mul64(x2, arg2[2]) + var x154 uint64 + var x155 uint64 + x155, x154 = bits.Mul64(x2, arg2[1]) + var x156 uint64 + var x157 uint64 + x157, x156 = bits.Mul64(x2, arg2[0]) + var x158 uint64 + var x159 uint1 + x158, x159 = addcarryxU64(x157, x154, 0x0) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x155, x152, x159) + var x162 uint64 + var x163 uint1 + x162, x163 = addcarryxU64(x153, x150, x161) + var x164 uint64 + var x165 uint1 + x164, x165 = addcarryxU64(x151, x148, x163) + var x166 uint64 + var x167 uint1 + x166, x167 = addcarryxU64(x149, x146, x165) + x168 := (uint64(x167) + x147) + var x169 uint64 + var x170 uint1 + x169, x170 = addcarryxU64(x133, x156, 0x0) + var x171 uint64 + var x172 uint1 + x171, x172 = addcarryxU64(x135, x158, x170) + var x173 uint64 + var x174 uint1 + x173, x174 = addcarryxU64(x137, x160, x172) + var x175 uint64 + var x176 uint1 + x175, x176 = addcarryxU64(x139, x162, x174) + var x177 uint64 + var x178 uint1 + x177, x178 = addcarryxU64(x141, x164, x176) + var x179 uint64 + var x180 uint1 + x179, x180 = addcarryxU64(x143, x166, x178) + var x181 uint64 + var x182 uint1 + x181, x182 = addcarryxU64(x145, x168, x180) + var x183 uint64 + _, x183 = bits.Mul64(x169, 0x100000001) + var x185 uint64 + var x186 uint64 + x186, x185 = bits.Mul64(x183, 0xffffffffffffffff) + var x187 uint64 + var x188 uint64 + x188, x187 = bits.Mul64(x183, 0xffffffffffffffff) + var x189 uint64 + var x190 uint64 + x190, x189 = bits.Mul64(x183, 0xffffffffffffffff) + var x191 uint64 + var x192 uint64 + x192, x191 = bits.Mul64(x183, 0xfffffffffffffffe) + var x193 uint64 + var x194 uint64 + x194, x193 = bits.Mul64(x183, 0xffffffff00000000) + var x195 uint64 + var x196 uint64 + x196, x195 
= bits.Mul64(x183, 0xffffffff) + var x197 uint64 + var x198 uint1 + x197, x198 = addcarryxU64(x196, x193, 0x0) + var x199 uint64 + var x200 uint1 + x199, x200 = addcarryxU64(x194, x191, x198) + var x201 uint64 + var x202 uint1 + x201, x202 = addcarryxU64(x192, x189, x200) + var x203 uint64 + var x204 uint1 + x203, x204 = addcarryxU64(x190, x187, x202) + var x205 uint64 + var x206 uint1 + x205, x206 = addcarryxU64(x188, x185, x204) + x207 := (uint64(x206) + x186) + var x209 uint1 + _, x209 = addcarryxU64(x169, x195, 0x0) + var x210 uint64 + var x211 uint1 + x210, x211 = addcarryxU64(x171, x197, x209) + var x212 uint64 + var x213 uint1 + x212, x213 = addcarryxU64(x173, x199, x211) + var x214 uint64 + var x215 uint1 + x214, x215 = addcarryxU64(x175, x201, x213) + var x216 uint64 + var x217 uint1 + x216, x217 = addcarryxU64(x177, x203, x215) + var x218 uint64 + var x219 uint1 + x218, x219 = addcarryxU64(x179, x205, x217) + var x220 uint64 + var x221 uint1 + x220, x221 = addcarryxU64(x181, x207, x219) + x222 := (uint64(x221) + uint64(x182)) + var x223 uint64 + var x224 uint64 + x224, x223 = bits.Mul64(x3, arg2[5]) + var x225 uint64 + var x226 uint64 + x226, x225 = bits.Mul64(x3, arg2[4]) + var x227 uint64 + var x228 uint64 + x228, x227 = bits.Mul64(x3, arg2[3]) + var x229 uint64 + var x230 uint64 + x230, x229 = bits.Mul64(x3, arg2[2]) + var x231 uint64 + var x232 uint64 + x232, x231 = bits.Mul64(x3, arg2[1]) + var x233 uint64 + var x234 uint64 + x234, x233 = bits.Mul64(x3, arg2[0]) + var x235 uint64 + var x236 uint1 + x235, x236 = addcarryxU64(x234, x231, 0x0) + var x237 uint64 + var x238 uint1 + x237, x238 = addcarryxU64(x232, x229, x236) + var x239 uint64 + var x240 uint1 + x239, x240 = addcarryxU64(x230, x227, x238) + var x241 uint64 + var x242 uint1 + x241, x242 = addcarryxU64(x228, x225, x240) + var x243 uint64 + var x244 uint1 + x243, x244 = addcarryxU64(x226, x223, x242) + x245 := (uint64(x244) + x224) + var x246 uint64 + var x247 uint1 + x246, x247 = 
addcarryxU64(x210, x233, 0x0) + var x248 uint64 + var x249 uint1 + x248, x249 = addcarryxU64(x212, x235, x247) + var x250 uint64 + var x251 uint1 + x250, x251 = addcarryxU64(x214, x237, x249) + var x252 uint64 + var x253 uint1 + x252, x253 = addcarryxU64(x216, x239, x251) + var x254 uint64 + var x255 uint1 + x254, x255 = addcarryxU64(x218, x241, x253) + var x256 uint64 + var x257 uint1 + x256, x257 = addcarryxU64(x220, x243, x255) + var x258 uint64 + var x259 uint1 + x258, x259 = addcarryxU64(x222, x245, x257) + var x260 uint64 + _, x260 = bits.Mul64(x246, 0x100000001) + var x262 uint64 + var x263 uint64 + x263, x262 = bits.Mul64(x260, 0xffffffffffffffff) + var x264 uint64 + var x265 uint64 + x265, x264 = bits.Mul64(x260, 0xffffffffffffffff) + var x266 uint64 + var x267 uint64 + x267, x266 = bits.Mul64(x260, 0xffffffffffffffff) + var x268 uint64 + var x269 uint64 + x269, x268 = bits.Mul64(x260, 0xfffffffffffffffe) + var x270 uint64 + var x271 uint64 + x271, x270 = bits.Mul64(x260, 0xffffffff00000000) + var x272 uint64 + var x273 uint64 + x273, x272 = bits.Mul64(x260, 0xffffffff) + var x274 uint64 + var x275 uint1 + x274, x275 = addcarryxU64(x273, x270, 0x0) + var x276 uint64 + var x277 uint1 + x276, x277 = addcarryxU64(x271, x268, x275) + var x278 uint64 + var x279 uint1 + x278, x279 = addcarryxU64(x269, x266, x277) + var x280 uint64 + var x281 uint1 + x280, x281 = addcarryxU64(x267, x264, x279) + var x282 uint64 + var x283 uint1 + x282, x283 = addcarryxU64(x265, x262, x281) + x284 := (uint64(x283) + x263) + var x286 uint1 + _, x286 = addcarryxU64(x246, x272, 0x0) + var x287 uint64 + var x288 uint1 + x287, x288 = addcarryxU64(x248, x274, x286) + var x289 uint64 + var x290 uint1 + x289, x290 = addcarryxU64(x250, x276, x288) + var x291 uint64 + var x292 uint1 + x291, x292 = addcarryxU64(x252, x278, x290) + var x293 uint64 + var x294 uint1 + x293, x294 = addcarryxU64(x254, x280, x292) + var x295 uint64 + var x296 uint1 + x295, x296 = addcarryxU64(x256, x282, x294) + 
var x297 uint64 + var x298 uint1 + x297, x298 = addcarryxU64(x258, x284, x296) + x299 := (uint64(x298) + uint64(x259)) + var x300 uint64 + var x301 uint64 + x301, x300 = bits.Mul64(x4, arg2[5]) + var x302 uint64 + var x303 uint64 + x303, x302 = bits.Mul64(x4, arg2[4]) + var x304 uint64 + var x305 uint64 + x305, x304 = bits.Mul64(x4, arg2[3]) + var x306 uint64 + var x307 uint64 + x307, x306 = bits.Mul64(x4, arg2[2]) + var x308 uint64 + var x309 uint64 + x309, x308 = bits.Mul64(x4, arg2[1]) + var x310 uint64 + var x311 uint64 + x311, x310 = bits.Mul64(x4, arg2[0]) + var x312 uint64 + var x313 uint1 + x312, x313 = addcarryxU64(x311, x308, 0x0) + var x314 uint64 + var x315 uint1 + x314, x315 = addcarryxU64(x309, x306, x313) + var x316 uint64 + var x317 uint1 + x316, x317 = addcarryxU64(x307, x304, x315) + var x318 uint64 + var x319 uint1 + x318, x319 = addcarryxU64(x305, x302, x317) + var x320 uint64 + var x321 uint1 + x320, x321 = addcarryxU64(x303, x300, x319) + x322 := (uint64(x321) + x301) + var x323 uint64 + var x324 uint1 + x323, x324 = addcarryxU64(x287, x310, 0x0) + var x325 uint64 + var x326 uint1 + x325, x326 = addcarryxU64(x289, x312, x324) + var x327 uint64 + var x328 uint1 + x327, x328 = addcarryxU64(x291, x314, x326) + var x329 uint64 + var x330 uint1 + x329, x330 = addcarryxU64(x293, x316, x328) + var x331 uint64 + var x332 uint1 + x331, x332 = addcarryxU64(x295, x318, x330) + var x333 uint64 + var x334 uint1 + x333, x334 = addcarryxU64(x297, x320, x332) + var x335 uint64 + var x336 uint1 + x335, x336 = addcarryxU64(x299, x322, x334) + var x337 uint64 + _, x337 = bits.Mul64(x323, 0x100000001) + var x339 uint64 + var x340 uint64 + x340, x339 = bits.Mul64(x337, 0xffffffffffffffff) + var x341 uint64 + var x342 uint64 + x342, x341 = bits.Mul64(x337, 0xffffffffffffffff) + var x343 uint64 + var x344 uint64 + x344, x343 = bits.Mul64(x337, 0xffffffffffffffff) + var x345 uint64 + var x346 uint64 + x346, x345 = bits.Mul64(x337, 0xfffffffffffffffe) + var x347 
uint64 + var x348 uint64 + x348, x347 = bits.Mul64(x337, 0xffffffff00000000) + var x349 uint64 + var x350 uint64 + x350, x349 = bits.Mul64(x337, 0xffffffff) + var x351 uint64 + var x352 uint1 + x351, x352 = addcarryxU64(x350, x347, 0x0) + var x353 uint64 + var x354 uint1 + x353, x354 = addcarryxU64(x348, x345, x352) + var x355 uint64 + var x356 uint1 + x355, x356 = addcarryxU64(x346, x343, x354) + var x357 uint64 + var x358 uint1 + x357, x358 = addcarryxU64(x344, x341, x356) + var x359 uint64 + var x360 uint1 + x359, x360 = addcarryxU64(x342, x339, x358) + x361 := (uint64(x360) + x340) + var x363 uint1 + _, x363 = addcarryxU64(x323, x349, 0x0) + var x364 uint64 + var x365 uint1 + x364, x365 = addcarryxU64(x325, x351, x363) + var x366 uint64 + var x367 uint1 + x366, x367 = addcarryxU64(x327, x353, x365) + var x368 uint64 + var x369 uint1 + x368, x369 = addcarryxU64(x329, x355, x367) + var x370 uint64 + var x371 uint1 + x370, x371 = addcarryxU64(x331, x357, x369) + var x372 uint64 + var x373 uint1 + x372, x373 = addcarryxU64(x333, x359, x371) + var x374 uint64 + var x375 uint1 + x374, x375 = addcarryxU64(x335, x361, x373) + x376 := (uint64(x375) + uint64(x336)) + var x377 uint64 + var x378 uint64 + x378, x377 = bits.Mul64(x5, arg2[5]) + var x379 uint64 + var x380 uint64 + x380, x379 = bits.Mul64(x5, arg2[4]) + var x381 uint64 + var x382 uint64 + x382, x381 = bits.Mul64(x5, arg2[3]) + var x383 uint64 + var x384 uint64 + x384, x383 = bits.Mul64(x5, arg2[2]) + var x385 uint64 + var x386 uint64 + x386, x385 = bits.Mul64(x5, arg2[1]) + var x387 uint64 + var x388 uint64 + x388, x387 = bits.Mul64(x5, arg2[0]) + var x389 uint64 + var x390 uint1 + x389, x390 = addcarryxU64(x388, x385, 0x0) + var x391 uint64 + var x392 uint1 + x391, x392 = addcarryxU64(x386, x383, x390) + var x393 uint64 + var x394 uint1 + x393, x394 = addcarryxU64(x384, x381, x392) + var x395 uint64 + var x396 uint1 + x395, x396 = addcarryxU64(x382, x379, x394) + var x397 uint64 + var x398 uint1 + x397, x398 
= addcarryxU64(x380, x377, x396) + x399 := (uint64(x398) + x378) + var x400 uint64 + var x401 uint1 + x400, x401 = addcarryxU64(x364, x387, 0x0) + var x402 uint64 + var x403 uint1 + x402, x403 = addcarryxU64(x366, x389, x401) + var x404 uint64 + var x405 uint1 + x404, x405 = addcarryxU64(x368, x391, x403) + var x406 uint64 + var x407 uint1 + x406, x407 = addcarryxU64(x370, x393, x405) + var x408 uint64 + var x409 uint1 + x408, x409 = addcarryxU64(x372, x395, x407) + var x410 uint64 + var x411 uint1 + x410, x411 = addcarryxU64(x374, x397, x409) + var x412 uint64 + var x413 uint1 + x412, x413 = addcarryxU64(x376, x399, x411) + var x414 uint64 + _, x414 = bits.Mul64(x400, 0x100000001) + var x416 uint64 + var x417 uint64 + x417, x416 = bits.Mul64(x414, 0xffffffffffffffff) + var x418 uint64 + var x419 uint64 + x419, x418 = bits.Mul64(x414, 0xffffffffffffffff) + var x420 uint64 + var x421 uint64 + x421, x420 = bits.Mul64(x414, 0xffffffffffffffff) + var x422 uint64 + var x423 uint64 + x423, x422 = bits.Mul64(x414, 0xfffffffffffffffe) + var x424 uint64 + var x425 uint64 + x425, x424 = bits.Mul64(x414, 0xffffffff00000000) + var x426 uint64 + var x427 uint64 + x427, x426 = bits.Mul64(x414, 0xffffffff) + var x428 uint64 + var x429 uint1 + x428, x429 = addcarryxU64(x427, x424, 0x0) + var x430 uint64 + var x431 uint1 + x430, x431 = addcarryxU64(x425, x422, x429) + var x432 uint64 + var x433 uint1 + x432, x433 = addcarryxU64(x423, x420, x431) + var x434 uint64 + var x435 uint1 + x434, x435 = addcarryxU64(x421, x418, x433) + var x436 uint64 + var x437 uint1 + x436, x437 = addcarryxU64(x419, x416, x435) + x438 := (uint64(x437) + x417) + var x440 uint1 + _, x440 = addcarryxU64(x400, x426, 0x0) + var x441 uint64 + var x442 uint1 + x441, x442 = addcarryxU64(x402, x428, x440) + var x443 uint64 + var x444 uint1 + x443, x444 = addcarryxU64(x404, x430, x442) + var x445 uint64 + var x446 uint1 + x445, x446 = addcarryxU64(x406, x432, x444) + var x447 uint64 + var x448 uint1 + x447, x448 = 
addcarryxU64(x408, x434, x446) + var x449 uint64 + var x450 uint1 + x449, x450 = addcarryxU64(x410, x436, x448) + var x451 uint64 + var x452 uint1 + x451, x452 = addcarryxU64(x412, x438, x450) + x453 := (uint64(x452) + uint64(x413)) + var x454 uint64 + var x455 uint1 + x454, x455 = subborrowxU64(x441, 0xffffffff, 0x0) + var x456 uint64 + var x457 uint1 + x456, x457 = subborrowxU64(x443, 0xffffffff00000000, x455) + var x458 uint64 + var x459 uint1 + x458, x459 = subborrowxU64(x445, 0xfffffffffffffffe, x457) + var x460 uint64 + var x461 uint1 + x460, x461 = subborrowxU64(x447, 0xffffffffffffffff, x459) + var x462 uint64 + var x463 uint1 + x462, x463 = subborrowxU64(x449, 0xffffffffffffffff, x461) + var x464 uint64 + var x465 uint1 + x464, x465 = subborrowxU64(x451, 0xffffffffffffffff, x463) + var x467 uint1 + _, x467 = subborrowxU64(x453, uint64(0x0), x465) + var x468 uint64 + cmovznzU64(&x468, x467, x454, x441) + var x469 uint64 + cmovznzU64(&x469, x467, x456, x443) + var x470 uint64 + cmovznzU64(&x470, x467, x458, x445) + var x471 uint64 + cmovznzU64(&x471, x467, x460, x447) + var x472 uint64 + cmovznzU64(&x472, x467, x462, x449) + var x473 uint64 + cmovznzU64(&x473, x467, x464, x451) + out1[0] = x468 + out1[1] = x469 + out1[2] = x470 + out1[3] = x471 + out1[4] = x472 + out1[5] = x473 } -/* - The function Square squares a field element in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Square(out1 *[6]uint64, arg1 *[6]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[4]) - var x5 uint64 = (arg1[5]) - var x6 uint64 = (arg1[0]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x6, (arg1[5])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x6, (arg1[4])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x6, (arg1[3])) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x6, (arg1[2])) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64(x6, (arg1[1])) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64(x6, (arg1[0])) - var x19 uint64 - var x20 uint1 - x19, x20 = addcarryxU64(x18, x15, 0x0) - var x21 
uint64 - var x22 uint1 - x21, x22 = addcarryxU64(x16, x13, x20) - var x23 uint64 - var x24 uint1 - x23, x24 = addcarryxU64(x14, x11, x22) - var x25 uint64 - var x26 uint1 - x25, x26 = addcarryxU64(x12, x9, x24) - var x27 uint64 - var x28 uint1 - x27, x28 = addcarryxU64(x10, x7, x26) - var x29 uint64 = (uint64(x28) + x8) - var x30 uint64 - _, x30 = bits.Mul64(x17, 0x100000001) - var x32 uint64 - var x33 uint64 - x33, x32 = bits.Mul64(x30, 0xffffffffffffffff) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64(x30, 0xffffffffffffffff) - var x36 uint64 - var x37 uint64 - x37, x36 = bits.Mul64(x30, 0xffffffffffffffff) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x30, 0xfffffffffffffffe) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x30, 0xffffffff00000000) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x30, 0xffffffff) - var x44 uint64 - var x45 uint1 - x44, x45 = addcarryxU64(x43, x40, 0x0) - var x46 uint64 - var x47 uint1 - x46, x47 = addcarryxU64(x41, x38, x45) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x39, x36, x47) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x37, x34, x49) - var x52 uint64 - var x53 uint1 - x52, x53 = addcarryxU64(x35, x32, x51) - var x54 uint64 = (uint64(x53) + x33) - var x56 uint1 - _, x56 = addcarryxU64(x17, x42, 0x0) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x19, x44, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x21, x46, x58) - var x61 uint64 - var x62 uint1 - x61, x62 = addcarryxU64(x23, x48, x60) - var x63 uint64 - var x64 uint1 - x63, x64 = addcarryxU64(x25, x50, x62) - var x65 uint64 - var x66 uint1 - x65, x66 = addcarryxU64(x27, x52, x64) - var x67 uint64 - var x68 uint1 - x67, x68 = addcarryxU64(x29, x54, x66) - var x69 uint64 - var x70 uint64 - x70, x69 = bits.Mul64(x1, (arg1[5])) - var x71 uint64 - var x72 uint64 - x72, x71 = bits.Mul64(x1, (arg1[4])) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64(x1, (arg1[3])) - 
var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64(x1, (arg1[2])) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x1, (arg1[1])) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x1, (arg1[0])) - var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x80, x77, 0x0) - var x83 uint64 - var x84 uint1 - x83, x84 = addcarryxU64(x78, x75, x82) - var x85 uint64 - var x86 uint1 - x85, x86 = addcarryxU64(x76, x73, x84) - var x87 uint64 - var x88 uint1 - x87, x88 = addcarryxU64(x74, x71, x86) - var x89 uint64 - var x90 uint1 - x89, x90 = addcarryxU64(x72, x69, x88) - var x91 uint64 = (uint64(x90) + x70) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x57, x79, 0x0) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x59, x81, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x61, x83, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x63, x85, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x65, x87, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x67, x89, x101) - var x104 uint64 - var x105 uint1 - x104, x105 = addcarryxU64(uint64(x68), x91, x103) - var x106 uint64 - _, x106 = bits.Mul64(x92, 0x100000001) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x106, 0xffffffffffffffff) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x106, 0xffffffffffffffff) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x106, 0xffffffffffffffff) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x106, 0xfffffffffffffffe) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(x106, 0xffffffff00000000) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64(x106, 0xffffffff) - var x120 uint64 - var x121 uint1 - x120, x121 = addcarryxU64(x119, x116, 0x0) - var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x117, x114, x121) - var x124 uint64 - var x125 uint1 - x124, x125 = addcarryxU64(x115, x112, x123) - var x126 
uint64 - var x127 uint1 - x126, x127 = addcarryxU64(x113, x110, x125) - var x128 uint64 - var x129 uint1 - x128, x129 = addcarryxU64(x111, x108, x127) - var x130 uint64 = (uint64(x129) + x109) - var x132 uint1 - _, x132 = addcarryxU64(x92, x118, 0x0) - var x133 uint64 - var x134 uint1 - x133, x134 = addcarryxU64(x94, x120, x132) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x96, x122, x134) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x98, x124, x136) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x100, x126, x138) - var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x102, x128, x140) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(x104, x130, x142) - var x145 uint64 = (uint64(x144) + uint64(x105)) - var x146 uint64 - var x147 uint64 - x147, x146 = bits.Mul64(x2, (arg1[5])) - var x148 uint64 - var x149 uint64 - x149, x148 = bits.Mul64(x2, (arg1[4])) - var x150 uint64 - var x151 uint64 - x151, x150 = bits.Mul64(x2, (arg1[3])) - var x152 uint64 - var x153 uint64 - x153, x152 = bits.Mul64(x2, (arg1[2])) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x2, (arg1[1])) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x2, (arg1[0])) - var x158 uint64 - var x159 uint1 - x158, x159 = addcarryxU64(x157, x154, 0x0) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x155, x152, x159) - var x162 uint64 - var x163 uint1 - x162, x163 = addcarryxU64(x153, x150, x161) - var x164 uint64 - var x165 uint1 - x164, x165 = addcarryxU64(x151, x148, x163) - var x166 uint64 - var x167 uint1 - x166, x167 = addcarryxU64(x149, x146, x165) - var x168 uint64 = (uint64(x167) + x147) - var x169 uint64 - var x170 uint1 - x169, x170 = addcarryxU64(x133, x156, 0x0) - var x171 uint64 - var x172 uint1 - x171, x172 = addcarryxU64(x135, x158, x170) - var x173 uint64 - var x174 uint1 - x173, x174 = addcarryxU64(x137, x160, x172) - var x175 uint64 - var x176 uint1 - x175, x176 = 
addcarryxU64(x139, x162, x174) - var x177 uint64 - var x178 uint1 - x177, x178 = addcarryxU64(x141, x164, x176) - var x179 uint64 - var x180 uint1 - x179, x180 = addcarryxU64(x143, x166, x178) - var x181 uint64 - var x182 uint1 - x181, x182 = addcarryxU64(x145, x168, x180) - var x183 uint64 - _, x183 = bits.Mul64(x169, 0x100000001) - var x185 uint64 - var x186 uint64 - x186, x185 = bits.Mul64(x183, 0xffffffffffffffff) - var x187 uint64 - var x188 uint64 - x188, x187 = bits.Mul64(x183, 0xffffffffffffffff) - var x189 uint64 - var x190 uint64 - x190, x189 = bits.Mul64(x183, 0xffffffffffffffff) - var x191 uint64 - var x192 uint64 - x192, x191 = bits.Mul64(x183, 0xfffffffffffffffe) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64(x183, 0xffffffff00000000) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(x183, 0xffffffff) - var x197 uint64 - var x198 uint1 - x197, x198 = addcarryxU64(x196, x193, 0x0) - var x199 uint64 - var x200 uint1 - x199, x200 = addcarryxU64(x194, x191, x198) - var x201 uint64 - var x202 uint1 - x201, x202 = addcarryxU64(x192, x189, x200) - var x203 uint64 - var x204 uint1 - x203, x204 = addcarryxU64(x190, x187, x202) - var x205 uint64 - var x206 uint1 - x205, x206 = addcarryxU64(x188, x185, x204) - var x207 uint64 = (uint64(x206) + x186) - var x209 uint1 - _, x209 = addcarryxU64(x169, x195, 0x0) - var x210 uint64 - var x211 uint1 - x210, x211 = addcarryxU64(x171, x197, x209) - var x212 uint64 - var x213 uint1 - x212, x213 = addcarryxU64(x173, x199, x211) - var x214 uint64 - var x215 uint1 - x214, x215 = addcarryxU64(x175, x201, x213) - var x216 uint64 - var x217 uint1 - x216, x217 = addcarryxU64(x177, x203, x215) - var x218 uint64 - var x219 uint1 - x218, x219 = addcarryxU64(x179, x205, x217) - var x220 uint64 - var x221 uint1 - x220, x221 = addcarryxU64(x181, x207, x219) - var x222 uint64 = (uint64(x221) + uint64(x182)) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x3, (arg1[5])) - var x225 uint64 - var 
x226 uint64 - x226, x225 = bits.Mul64(x3, (arg1[4])) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x3, (arg1[3])) - var x229 uint64 - var x230 uint64 - x230, x229 = bits.Mul64(x3, (arg1[2])) - var x231 uint64 - var x232 uint64 - x232, x231 = bits.Mul64(x3, (arg1[1])) - var x233 uint64 - var x234 uint64 - x234, x233 = bits.Mul64(x3, (arg1[0])) - var x235 uint64 - var x236 uint1 - x235, x236 = addcarryxU64(x234, x231, 0x0) - var x237 uint64 - var x238 uint1 - x237, x238 = addcarryxU64(x232, x229, x236) - var x239 uint64 - var x240 uint1 - x239, x240 = addcarryxU64(x230, x227, x238) - var x241 uint64 - var x242 uint1 - x241, x242 = addcarryxU64(x228, x225, x240) - var x243 uint64 - var x244 uint1 - x243, x244 = addcarryxU64(x226, x223, x242) - var x245 uint64 = (uint64(x244) + x224) - var x246 uint64 - var x247 uint1 - x246, x247 = addcarryxU64(x210, x233, 0x0) - var x248 uint64 - var x249 uint1 - x248, x249 = addcarryxU64(x212, x235, x247) - var x250 uint64 - var x251 uint1 - x250, x251 = addcarryxU64(x214, x237, x249) - var x252 uint64 - var x253 uint1 - x252, x253 = addcarryxU64(x216, x239, x251) - var x254 uint64 - var x255 uint1 - x254, x255 = addcarryxU64(x218, x241, x253) - var x256 uint64 - var x257 uint1 - x256, x257 = addcarryxU64(x220, x243, x255) - var x258 uint64 - var x259 uint1 - x258, x259 = addcarryxU64(x222, x245, x257) - var x260 uint64 - _, x260 = bits.Mul64(x246, 0x100000001) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x260, 0xffffffffffffffff) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x260, 0xffffffffffffffff) - var x266 uint64 - var x267 uint64 - x267, x266 = bits.Mul64(x260, 0xffffffffffffffff) - var x268 uint64 - var x269 uint64 - x269, x268 = bits.Mul64(x260, 0xfffffffffffffffe) - var x270 uint64 - var x271 uint64 - x271, x270 = bits.Mul64(x260, 0xffffffff00000000) - var x272 uint64 - var x273 uint64 - x273, x272 = bits.Mul64(x260, 0xffffffff) - var x274 uint64 - var x275 uint1 - x274, 
x275 = addcarryxU64(x273, x270, 0x0) - var x276 uint64 - var x277 uint1 - x276, x277 = addcarryxU64(x271, x268, x275) - var x278 uint64 - var x279 uint1 - x278, x279 = addcarryxU64(x269, x266, x277) - var x280 uint64 - var x281 uint1 - x280, x281 = addcarryxU64(x267, x264, x279) - var x282 uint64 - var x283 uint1 - x282, x283 = addcarryxU64(x265, x262, x281) - var x284 uint64 = (uint64(x283) + x263) - var x286 uint1 - _, x286 = addcarryxU64(x246, x272, 0x0) - var x287 uint64 - var x288 uint1 - x287, x288 = addcarryxU64(x248, x274, x286) - var x289 uint64 - var x290 uint1 - x289, x290 = addcarryxU64(x250, x276, x288) - var x291 uint64 - var x292 uint1 - x291, x292 = addcarryxU64(x252, x278, x290) - var x293 uint64 - var x294 uint1 - x293, x294 = addcarryxU64(x254, x280, x292) - var x295 uint64 - var x296 uint1 - x295, x296 = addcarryxU64(x256, x282, x294) - var x297 uint64 - var x298 uint1 - x297, x298 = addcarryxU64(x258, x284, x296) - var x299 uint64 = (uint64(x298) + uint64(x259)) - var x300 uint64 - var x301 uint64 - x301, x300 = bits.Mul64(x4, (arg1[5])) - var x302 uint64 - var x303 uint64 - x303, x302 = bits.Mul64(x4, (arg1[4])) - var x304 uint64 - var x305 uint64 - x305, x304 = bits.Mul64(x4, (arg1[3])) - var x306 uint64 - var x307 uint64 - x307, x306 = bits.Mul64(x4, (arg1[2])) - var x308 uint64 - var x309 uint64 - x309, x308 = bits.Mul64(x4, (arg1[1])) - var x310 uint64 - var x311 uint64 - x311, x310 = bits.Mul64(x4, (arg1[0])) - var x312 uint64 - var x313 uint1 - x312, x313 = addcarryxU64(x311, x308, 0x0) - var x314 uint64 - var x315 uint1 - x314, x315 = addcarryxU64(x309, x306, x313) - var x316 uint64 - var x317 uint1 - x316, x317 = addcarryxU64(x307, x304, x315) - var x318 uint64 - var x319 uint1 - x318, x319 = addcarryxU64(x305, x302, x317) - var x320 uint64 - var x321 uint1 - x320, x321 = addcarryxU64(x303, x300, x319) - var x322 uint64 = (uint64(x321) + x301) - var x323 uint64 - var x324 uint1 - x323, x324 = addcarryxU64(x287, x310, 0x0) - var x325 
uint64 - var x326 uint1 - x325, x326 = addcarryxU64(x289, x312, x324) - var x327 uint64 - var x328 uint1 - x327, x328 = addcarryxU64(x291, x314, x326) - var x329 uint64 - var x330 uint1 - x329, x330 = addcarryxU64(x293, x316, x328) - var x331 uint64 - var x332 uint1 - x331, x332 = addcarryxU64(x295, x318, x330) - var x333 uint64 - var x334 uint1 - x333, x334 = addcarryxU64(x297, x320, x332) - var x335 uint64 - var x336 uint1 - x335, x336 = addcarryxU64(x299, x322, x334) - var x337 uint64 - _, x337 = bits.Mul64(x323, 0x100000001) - var x339 uint64 - var x340 uint64 - x340, x339 = bits.Mul64(x337, 0xffffffffffffffff) - var x341 uint64 - var x342 uint64 - x342, x341 = bits.Mul64(x337, 0xffffffffffffffff) - var x343 uint64 - var x344 uint64 - x344, x343 = bits.Mul64(x337, 0xffffffffffffffff) - var x345 uint64 - var x346 uint64 - x346, x345 = bits.Mul64(x337, 0xfffffffffffffffe) - var x347 uint64 - var x348 uint64 - x348, x347 = bits.Mul64(x337, 0xffffffff00000000) - var x349 uint64 - var x350 uint64 - x350, x349 = bits.Mul64(x337, 0xffffffff) - var x351 uint64 - var x352 uint1 - x351, x352 = addcarryxU64(x350, x347, 0x0) - var x353 uint64 - var x354 uint1 - x353, x354 = addcarryxU64(x348, x345, x352) - var x355 uint64 - var x356 uint1 - x355, x356 = addcarryxU64(x346, x343, x354) - var x357 uint64 - var x358 uint1 - x357, x358 = addcarryxU64(x344, x341, x356) - var x359 uint64 - var x360 uint1 - x359, x360 = addcarryxU64(x342, x339, x358) - var x361 uint64 = (uint64(x360) + x340) - var x363 uint1 - _, x363 = addcarryxU64(x323, x349, 0x0) - var x364 uint64 - var x365 uint1 - x364, x365 = addcarryxU64(x325, x351, x363) - var x366 uint64 - var x367 uint1 - x366, x367 = addcarryxU64(x327, x353, x365) - var x368 uint64 - var x369 uint1 - x368, x369 = addcarryxU64(x329, x355, x367) - var x370 uint64 - var x371 uint1 - x370, x371 = addcarryxU64(x331, x357, x369) - var x372 uint64 - var x373 uint1 - x372, x373 = addcarryxU64(x333, x359, x371) - var x374 uint64 - var x375 uint1 
- x374, x375 = addcarryxU64(x335, x361, x373) - var x376 uint64 = (uint64(x375) + uint64(x336)) - var x377 uint64 - var x378 uint64 - x378, x377 = bits.Mul64(x5, (arg1[5])) - var x379 uint64 - var x380 uint64 - x380, x379 = bits.Mul64(x5, (arg1[4])) - var x381 uint64 - var x382 uint64 - x382, x381 = bits.Mul64(x5, (arg1[3])) - var x383 uint64 - var x384 uint64 - x384, x383 = bits.Mul64(x5, (arg1[2])) - var x385 uint64 - var x386 uint64 - x386, x385 = bits.Mul64(x5, (arg1[1])) - var x387 uint64 - var x388 uint64 - x388, x387 = bits.Mul64(x5, (arg1[0])) - var x389 uint64 - var x390 uint1 - x389, x390 = addcarryxU64(x388, x385, 0x0) - var x391 uint64 - var x392 uint1 - x391, x392 = addcarryxU64(x386, x383, x390) - var x393 uint64 - var x394 uint1 - x393, x394 = addcarryxU64(x384, x381, x392) - var x395 uint64 - var x396 uint1 - x395, x396 = addcarryxU64(x382, x379, x394) - var x397 uint64 - var x398 uint1 - x397, x398 = addcarryxU64(x380, x377, x396) - var x399 uint64 = (uint64(x398) + x378) - var x400 uint64 - var x401 uint1 - x400, x401 = addcarryxU64(x364, x387, 0x0) - var x402 uint64 - var x403 uint1 - x402, x403 = addcarryxU64(x366, x389, x401) - var x404 uint64 - var x405 uint1 - x404, x405 = addcarryxU64(x368, x391, x403) - var x406 uint64 - var x407 uint1 - x406, x407 = addcarryxU64(x370, x393, x405) - var x408 uint64 - var x409 uint1 - x408, x409 = addcarryxU64(x372, x395, x407) - var x410 uint64 - var x411 uint1 - x410, x411 = addcarryxU64(x374, x397, x409) - var x412 uint64 - var x413 uint1 - x412, x413 = addcarryxU64(x376, x399, x411) - var x414 uint64 - _, x414 = bits.Mul64(x400, 0x100000001) - var x416 uint64 - var x417 uint64 - x417, x416 = bits.Mul64(x414, 0xffffffffffffffff) - var x418 uint64 - var x419 uint64 - x419, x418 = bits.Mul64(x414, 0xffffffffffffffff) - var x420 uint64 - var x421 uint64 - x421, x420 = bits.Mul64(x414, 0xffffffffffffffff) - var x422 uint64 - var x423 uint64 - x423, x422 = bits.Mul64(x414, 0xfffffffffffffffe) - var x424 uint64 
- var x425 uint64 - x425, x424 = bits.Mul64(x414, 0xffffffff00000000) - var x426 uint64 - var x427 uint64 - x427, x426 = bits.Mul64(x414, 0xffffffff) - var x428 uint64 - var x429 uint1 - x428, x429 = addcarryxU64(x427, x424, 0x0) - var x430 uint64 - var x431 uint1 - x430, x431 = addcarryxU64(x425, x422, x429) - var x432 uint64 - var x433 uint1 - x432, x433 = addcarryxU64(x423, x420, x431) - var x434 uint64 - var x435 uint1 - x434, x435 = addcarryxU64(x421, x418, x433) - var x436 uint64 - var x437 uint1 - x436, x437 = addcarryxU64(x419, x416, x435) - var x438 uint64 = (uint64(x437) + x417) - var x440 uint1 - _, x440 = addcarryxU64(x400, x426, 0x0) - var x441 uint64 - var x442 uint1 - x441, x442 = addcarryxU64(x402, x428, x440) - var x443 uint64 - var x444 uint1 - x443, x444 = addcarryxU64(x404, x430, x442) - var x445 uint64 - var x446 uint1 - x445, x446 = addcarryxU64(x406, x432, x444) - var x447 uint64 - var x448 uint1 - x447, x448 = addcarryxU64(x408, x434, x446) - var x449 uint64 - var x450 uint1 - x449, x450 = addcarryxU64(x410, x436, x448) - var x451 uint64 - var x452 uint1 - x451, x452 = addcarryxU64(x412, x438, x450) - var x453 uint64 = (uint64(x452) + uint64(x413)) - var x454 uint64 - var x455 uint1 - x454, x455 = subborrowxU64(x441, 0xffffffff, 0x0) - var x456 uint64 - var x457 uint1 - x456, x457 = subborrowxU64(x443, 0xffffffff00000000, x455) - var x458 uint64 - var x459 uint1 - x458, x459 = subborrowxU64(x445, 0xfffffffffffffffe, x457) - var x460 uint64 - var x461 uint1 - x460, x461 = subborrowxU64(x447, 0xffffffffffffffff, x459) - var x462 uint64 - var x463 uint1 - x462, x463 = subborrowxU64(x449, 0xffffffffffffffff, x461) - var x464 uint64 - var x465 uint1 - x464, x465 = subborrowxU64(x451, 0xffffffffffffffff, x463) - var x467 uint1 - _, x467 = subborrowxU64(x453, uint64(0x0), x465) - var x468 uint64 - cmovznzU64(&x468, x467, x454, x441) - var x469 uint64 - cmovznzU64(&x469, x467, x456, x443) - var x470 uint64 - cmovznzU64(&x470, x467, x458, x445) - var 
x471 uint64 - cmovznzU64(&x471, x467, x460, x447) - var x472 uint64 - cmovznzU64(&x472, x467, x462, x449) - var x473 uint64 - cmovznzU64(&x473, x467, x464, x451) - out1[0] = x468 - out1[1] = x469 - out1[2] = x470 - out1[3] = x471 - out1[4] = x472 - out1[5] = x473 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[0] + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x6, arg1[5]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x6, arg1[4]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x6, arg1[3]) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(x6, arg1[2]) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(x6, arg1[1]) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(x6, arg1[0]) + var x19 uint64 + var x20 uint1 + x19, x20 = addcarryxU64(x18, x15, 0x0) + var x21 uint64 + var x22 uint1 + x21, x22 = addcarryxU64(x16, x13, x20) + var x23 uint64 + var x24 uint1 + x23, x24 = addcarryxU64(x14, x11, x22) + var x25 uint64 + var x26 uint1 + x25, x26 = addcarryxU64(x12, x9, x24) + var x27 uint64 + var x28 uint1 + x27, x28 = addcarryxU64(x10, x7, x26) + x29 := (uint64(x28) + x8) + var x30 uint64 + _, x30 = bits.Mul64(x17, 0x100000001) + var x32 uint64 + var x33 uint64 + x33, x32 = bits.Mul64(x30, 0xffffffffffffffff) + var x34 uint64 + var x35 uint64 + x35, x34 = bits.Mul64(x30, 0xffffffffffffffff) + var x36 uint64 + var x37 uint64 + x37, x36 = bits.Mul64(x30, 0xffffffffffffffff) + var x38 uint64 + var x39 uint64 + x39, x38 = bits.Mul64(x30, 0xfffffffffffffffe) + var x40 uint64 + var x41 uint64 + x41, x40 = bits.Mul64(x30, 0xffffffff00000000) + var x42 uint64 + var x43 uint64 + x43, x42 = bits.Mul64(x30, 0xffffffff) + var x44 uint64 + var x45 uint1 + x44, x45 = addcarryxU64(x43, x40, 0x0) + var x46 uint64 + var x47 uint1 + x46, x47 = addcarryxU64(x41, x38, x45) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x39, x36, x47) + var x50 uint64 + var x51 uint1 + x50, x51 = 
addcarryxU64(x37, x34, x49) + var x52 uint64 + var x53 uint1 + x52, x53 = addcarryxU64(x35, x32, x51) + x54 := (uint64(x53) + x33) + var x56 uint1 + _, x56 = addcarryxU64(x17, x42, 0x0) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x19, x44, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x21, x46, x58) + var x61 uint64 + var x62 uint1 + x61, x62 = addcarryxU64(x23, x48, x60) + var x63 uint64 + var x64 uint1 + x63, x64 = addcarryxU64(x25, x50, x62) + var x65 uint64 + var x66 uint1 + x65, x66 = addcarryxU64(x27, x52, x64) + var x67 uint64 + var x68 uint1 + x67, x68 = addcarryxU64(x29, x54, x66) + var x69 uint64 + var x70 uint64 + x70, x69 = bits.Mul64(x1, arg1[5]) + var x71 uint64 + var x72 uint64 + x72, x71 = bits.Mul64(x1, arg1[4]) + var x73 uint64 + var x74 uint64 + x74, x73 = bits.Mul64(x1, arg1[3]) + var x75 uint64 + var x76 uint64 + x76, x75 = bits.Mul64(x1, arg1[2]) + var x77 uint64 + var x78 uint64 + x78, x77 = bits.Mul64(x1, arg1[1]) + var x79 uint64 + var x80 uint64 + x80, x79 = bits.Mul64(x1, arg1[0]) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x80, x77, 0x0) + var x83 uint64 + var x84 uint1 + x83, x84 = addcarryxU64(x78, x75, x82) + var x85 uint64 + var x86 uint1 + x85, x86 = addcarryxU64(x76, x73, x84) + var x87 uint64 + var x88 uint1 + x87, x88 = addcarryxU64(x74, x71, x86) + var x89 uint64 + var x90 uint1 + x89, x90 = addcarryxU64(x72, x69, x88) + x91 := (uint64(x90) + x70) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x57, x79, 0x0) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x59, x81, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x61, x83, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x63, x85, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x65, x87, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x67, x89, x101) + var x104 uint64 + var x105 uint1 + x104, x105 = addcarryxU64(uint64(x68), x91, x103) + 
var x106 uint64 + _, x106 = bits.Mul64(x92, 0x100000001) + var x108 uint64 + var x109 uint64 + x109, x108 = bits.Mul64(x106, 0xffffffffffffffff) + var x110 uint64 + var x111 uint64 + x111, x110 = bits.Mul64(x106, 0xffffffffffffffff) + var x112 uint64 + var x113 uint64 + x113, x112 = bits.Mul64(x106, 0xffffffffffffffff) + var x114 uint64 + var x115 uint64 + x115, x114 = bits.Mul64(x106, 0xfffffffffffffffe) + var x116 uint64 + var x117 uint64 + x117, x116 = bits.Mul64(x106, 0xffffffff00000000) + var x118 uint64 + var x119 uint64 + x119, x118 = bits.Mul64(x106, 0xffffffff) + var x120 uint64 + var x121 uint1 + x120, x121 = addcarryxU64(x119, x116, 0x0) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x117, x114, x121) + var x124 uint64 + var x125 uint1 + x124, x125 = addcarryxU64(x115, x112, x123) + var x126 uint64 + var x127 uint1 + x126, x127 = addcarryxU64(x113, x110, x125) + var x128 uint64 + var x129 uint1 + x128, x129 = addcarryxU64(x111, x108, x127) + x130 := (uint64(x129) + x109) + var x132 uint1 + _, x132 = addcarryxU64(x92, x118, 0x0) + var x133 uint64 + var x134 uint1 + x133, x134 = addcarryxU64(x94, x120, x132) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x96, x122, x134) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x98, x124, x136) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x100, x126, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x102, x128, x140) + var x143 uint64 + var x144 uint1 + x143, x144 = addcarryxU64(x104, x130, x142) + x145 := (uint64(x144) + uint64(x105)) + var x146 uint64 + var x147 uint64 + x147, x146 = bits.Mul64(x2, arg1[5]) + var x148 uint64 + var x149 uint64 + x149, x148 = bits.Mul64(x2, arg1[4]) + var x150 uint64 + var x151 uint64 + x151, x150 = bits.Mul64(x2, arg1[3]) + var x152 uint64 + var x153 uint64 + x153, x152 = bits.Mul64(x2, arg1[2]) + var x154 uint64 + var x155 uint64 + x155, x154 = bits.Mul64(x2, arg1[1]) + var x156 uint64 + var x157 
uint64 + x157, x156 = bits.Mul64(x2, arg1[0]) + var x158 uint64 + var x159 uint1 + x158, x159 = addcarryxU64(x157, x154, 0x0) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x155, x152, x159) + var x162 uint64 + var x163 uint1 + x162, x163 = addcarryxU64(x153, x150, x161) + var x164 uint64 + var x165 uint1 + x164, x165 = addcarryxU64(x151, x148, x163) + var x166 uint64 + var x167 uint1 + x166, x167 = addcarryxU64(x149, x146, x165) + x168 := (uint64(x167) + x147) + var x169 uint64 + var x170 uint1 + x169, x170 = addcarryxU64(x133, x156, 0x0) + var x171 uint64 + var x172 uint1 + x171, x172 = addcarryxU64(x135, x158, x170) + var x173 uint64 + var x174 uint1 + x173, x174 = addcarryxU64(x137, x160, x172) + var x175 uint64 + var x176 uint1 + x175, x176 = addcarryxU64(x139, x162, x174) + var x177 uint64 + var x178 uint1 + x177, x178 = addcarryxU64(x141, x164, x176) + var x179 uint64 + var x180 uint1 + x179, x180 = addcarryxU64(x143, x166, x178) + var x181 uint64 + var x182 uint1 + x181, x182 = addcarryxU64(x145, x168, x180) + var x183 uint64 + _, x183 = bits.Mul64(x169, 0x100000001) + var x185 uint64 + var x186 uint64 + x186, x185 = bits.Mul64(x183, 0xffffffffffffffff) + var x187 uint64 + var x188 uint64 + x188, x187 = bits.Mul64(x183, 0xffffffffffffffff) + var x189 uint64 + var x190 uint64 + x190, x189 = bits.Mul64(x183, 0xffffffffffffffff) + var x191 uint64 + var x192 uint64 + x192, x191 = bits.Mul64(x183, 0xfffffffffffffffe) + var x193 uint64 + var x194 uint64 + x194, x193 = bits.Mul64(x183, 0xffffffff00000000) + var x195 uint64 + var x196 uint64 + x196, x195 = bits.Mul64(x183, 0xffffffff) + var x197 uint64 + var x198 uint1 + x197, x198 = addcarryxU64(x196, x193, 0x0) + var x199 uint64 + var x200 uint1 + x199, x200 = addcarryxU64(x194, x191, x198) + var x201 uint64 + var x202 uint1 + x201, x202 = addcarryxU64(x192, x189, x200) + var x203 uint64 + var x204 uint1 + x203, x204 = addcarryxU64(x190, x187, x202) + var x205 uint64 + var x206 uint1 + x205, x206 
= addcarryxU64(x188, x185, x204) + x207 := (uint64(x206) + x186) + var x209 uint1 + _, x209 = addcarryxU64(x169, x195, 0x0) + var x210 uint64 + var x211 uint1 + x210, x211 = addcarryxU64(x171, x197, x209) + var x212 uint64 + var x213 uint1 + x212, x213 = addcarryxU64(x173, x199, x211) + var x214 uint64 + var x215 uint1 + x214, x215 = addcarryxU64(x175, x201, x213) + var x216 uint64 + var x217 uint1 + x216, x217 = addcarryxU64(x177, x203, x215) + var x218 uint64 + var x219 uint1 + x218, x219 = addcarryxU64(x179, x205, x217) + var x220 uint64 + var x221 uint1 + x220, x221 = addcarryxU64(x181, x207, x219) + x222 := (uint64(x221) + uint64(x182)) + var x223 uint64 + var x224 uint64 + x224, x223 = bits.Mul64(x3, arg1[5]) + var x225 uint64 + var x226 uint64 + x226, x225 = bits.Mul64(x3, arg1[4]) + var x227 uint64 + var x228 uint64 + x228, x227 = bits.Mul64(x3, arg1[3]) + var x229 uint64 + var x230 uint64 + x230, x229 = bits.Mul64(x3, arg1[2]) + var x231 uint64 + var x232 uint64 + x232, x231 = bits.Mul64(x3, arg1[1]) + var x233 uint64 + var x234 uint64 + x234, x233 = bits.Mul64(x3, arg1[0]) + var x235 uint64 + var x236 uint1 + x235, x236 = addcarryxU64(x234, x231, 0x0) + var x237 uint64 + var x238 uint1 + x237, x238 = addcarryxU64(x232, x229, x236) + var x239 uint64 + var x240 uint1 + x239, x240 = addcarryxU64(x230, x227, x238) + var x241 uint64 + var x242 uint1 + x241, x242 = addcarryxU64(x228, x225, x240) + var x243 uint64 + var x244 uint1 + x243, x244 = addcarryxU64(x226, x223, x242) + x245 := (uint64(x244) + x224) + var x246 uint64 + var x247 uint1 + x246, x247 = addcarryxU64(x210, x233, 0x0) + var x248 uint64 + var x249 uint1 + x248, x249 = addcarryxU64(x212, x235, x247) + var x250 uint64 + var x251 uint1 + x250, x251 = addcarryxU64(x214, x237, x249) + var x252 uint64 + var x253 uint1 + x252, x253 = addcarryxU64(x216, x239, x251) + var x254 uint64 + var x255 uint1 + x254, x255 = addcarryxU64(x218, x241, x253) + var x256 uint64 + var x257 uint1 + x256, x257 = 
addcarryxU64(x220, x243, x255) + var x258 uint64 + var x259 uint1 + x258, x259 = addcarryxU64(x222, x245, x257) + var x260 uint64 + _, x260 = bits.Mul64(x246, 0x100000001) + var x262 uint64 + var x263 uint64 + x263, x262 = bits.Mul64(x260, 0xffffffffffffffff) + var x264 uint64 + var x265 uint64 + x265, x264 = bits.Mul64(x260, 0xffffffffffffffff) + var x266 uint64 + var x267 uint64 + x267, x266 = bits.Mul64(x260, 0xffffffffffffffff) + var x268 uint64 + var x269 uint64 + x269, x268 = bits.Mul64(x260, 0xfffffffffffffffe) + var x270 uint64 + var x271 uint64 + x271, x270 = bits.Mul64(x260, 0xffffffff00000000) + var x272 uint64 + var x273 uint64 + x273, x272 = bits.Mul64(x260, 0xffffffff) + var x274 uint64 + var x275 uint1 + x274, x275 = addcarryxU64(x273, x270, 0x0) + var x276 uint64 + var x277 uint1 + x276, x277 = addcarryxU64(x271, x268, x275) + var x278 uint64 + var x279 uint1 + x278, x279 = addcarryxU64(x269, x266, x277) + var x280 uint64 + var x281 uint1 + x280, x281 = addcarryxU64(x267, x264, x279) + var x282 uint64 + var x283 uint1 + x282, x283 = addcarryxU64(x265, x262, x281) + x284 := (uint64(x283) + x263) + var x286 uint1 + _, x286 = addcarryxU64(x246, x272, 0x0) + var x287 uint64 + var x288 uint1 + x287, x288 = addcarryxU64(x248, x274, x286) + var x289 uint64 + var x290 uint1 + x289, x290 = addcarryxU64(x250, x276, x288) + var x291 uint64 + var x292 uint1 + x291, x292 = addcarryxU64(x252, x278, x290) + var x293 uint64 + var x294 uint1 + x293, x294 = addcarryxU64(x254, x280, x292) + var x295 uint64 + var x296 uint1 + x295, x296 = addcarryxU64(x256, x282, x294) + var x297 uint64 + var x298 uint1 + x297, x298 = addcarryxU64(x258, x284, x296) + x299 := (uint64(x298) + uint64(x259)) + var x300 uint64 + var x301 uint64 + x301, x300 = bits.Mul64(x4, arg1[5]) + var x302 uint64 + var x303 uint64 + x303, x302 = bits.Mul64(x4, arg1[4]) + var x304 uint64 + var x305 uint64 + x305, x304 = bits.Mul64(x4, arg1[3]) + var x306 uint64 + var x307 uint64 + x307, x306 = 
bits.Mul64(x4, arg1[2]) + var x308 uint64 + var x309 uint64 + x309, x308 = bits.Mul64(x4, arg1[1]) + var x310 uint64 + var x311 uint64 + x311, x310 = bits.Mul64(x4, arg1[0]) + var x312 uint64 + var x313 uint1 + x312, x313 = addcarryxU64(x311, x308, 0x0) + var x314 uint64 + var x315 uint1 + x314, x315 = addcarryxU64(x309, x306, x313) + var x316 uint64 + var x317 uint1 + x316, x317 = addcarryxU64(x307, x304, x315) + var x318 uint64 + var x319 uint1 + x318, x319 = addcarryxU64(x305, x302, x317) + var x320 uint64 + var x321 uint1 + x320, x321 = addcarryxU64(x303, x300, x319) + x322 := (uint64(x321) + x301) + var x323 uint64 + var x324 uint1 + x323, x324 = addcarryxU64(x287, x310, 0x0) + var x325 uint64 + var x326 uint1 + x325, x326 = addcarryxU64(x289, x312, x324) + var x327 uint64 + var x328 uint1 + x327, x328 = addcarryxU64(x291, x314, x326) + var x329 uint64 + var x330 uint1 + x329, x330 = addcarryxU64(x293, x316, x328) + var x331 uint64 + var x332 uint1 + x331, x332 = addcarryxU64(x295, x318, x330) + var x333 uint64 + var x334 uint1 + x333, x334 = addcarryxU64(x297, x320, x332) + var x335 uint64 + var x336 uint1 + x335, x336 = addcarryxU64(x299, x322, x334) + var x337 uint64 + _, x337 = bits.Mul64(x323, 0x100000001) + var x339 uint64 + var x340 uint64 + x340, x339 = bits.Mul64(x337, 0xffffffffffffffff) + var x341 uint64 + var x342 uint64 + x342, x341 = bits.Mul64(x337, 0xffffffffffffffff) + var x343 uint64 + var x344 uint64 + x344, x343 = bits.Mul64(x337, 0xffffffffffffffff) + var x345 uint64 + var x346 uint64 + x346, x345 = bits.Mul64(x337, 0xfffffffffffffffe) + var x347 uint64 + var x348 uint64 + x348, x347 = bits.Mul64(x337, 0xffffffff00000000) + var x349 uint64 + var x350 uint64 + x350, x349 = bits.Mul64(x337, 0xffffffff) + var x351 uint64 + var x352 uint1 + x351, x352 = addcarryxU64(x350, x347, 0x0) + var x353 uint64 + var x354 uint1 + x353, x354 = addcarryxU64(x348, x345, x352) + var x355 uint64 + var x356 uint1 + x355, x356 = addcarryxU64(x346, x343, x354) + 
var x357 uint64 + var x358 uint1 + x357, x358 = addcarryxU64(x344, x341, x356) + var x359 uint64 + var x360 uint1 + x359, x360 = addcarryxU64(x342, x339, x358) + x361 := (uint64(x360) + x340) + var x363 uint1 + _, x363 = addcarryxU64(x323, x349, 0x0) + var x364 uint64 + var x365 uint1 + x364, x365 = addcarryxU64(x325, x351, x363) + var x366 uint64 + var x367 uint1 + x366, x367 = addcarryxU64(x327, x353, x365) + var x368 uint64 + var x369 uint1 + x368, x369 = addcarryxU64(x329, x355, x367) + var x370 uint64 + var x371 uint1 + x370, x371 = addcarryxU64(x331, x357, x369) + var x372 uint64 + var x373 uint1 + x372, x373 = addcarryxU64(x333, x359, x371) + var x374 uint64 + var x375 uint1 + x374, x375 = addcarryxU64(x335, x361, x373) + x376 := (uint64(x375) + uint64(x336)) + var x377 uint64 + var x378 uint64 + x378, x377 = bits.Mul64(x5, arg1[5]) + var x379 uint64 + var x380 uint64 + x380, x379 = bits.Mul64(x5, arg1[4]) + var x381 uint64 + var x382 uint64 + x382, x381 = bits.Mul64(x5, arg1[3]) + var x383 uint64 + var x384 uint64 + x384, x383 = bits.Mul64(x5, arg1[2]) + var x385 uint64 + var x386 uint64 + x386, x385 = bits.Mul64(x5, arg1[1]) + var x387 uint64 + var x388 uint64 + x388, x387 = bits.Mul64(x5, arg1[0]) + var x389 uint64 + var x390 uint1 + x389, x390 = addcarryxU64(x388, x385, 0x0) + var x391 uint64 + var x392 uint1 + x391, x392 = addcarryxU64(x386, x383, x390) + var x393 uint64 + var x394 uint1 + x393, x394 = addcarryxU64(x384, x381, x392) + var x395 uint64 + var x396 uint1 + x395, x396 = addcarryxU64(x382, x379, x394) + var x397 uint64 + var x398 uint1 + x397, x398 = addcarryxU64(x380, x377, x396) + x399 := (uint64(x398) + x378) + var x400 uint64 + var x401 uint1 + x400, x401 = addcarryxU64(x364, x387, 0x0) + var x402 uint64 + var x403 uint1 + x402, x403 = addcarryxU64(x366, x389, x401) + var x404 uint64 + var x405 uint1 + x404, x405 = addcarryxU64(x368, x391, x403) + var x406 uint64 + var x407 uint1 + x406, x407 = addcarryxU64(x370, x393, x405) + var x408 
uint64 + var x409 uint1 + x408, x409 = addcarryxU64(x372, x395, x407) + var x410 uint64 + var x411 uint1 + x410, x411 = addcarryxU64(x374, x397, x409) + var x412 uint64 + var x413 uint1 + x412, x413 = addcarryxU64(x376, x399, x411) + var x414 uint64 + _, x414 = bits.Mul64(x400, 0x100000001) + var x416 uint64 + var x417 uint64 + x417, x416 = bits.Mul64(x414, 0xffffffffffffffff) + var x418 uint64 + var x419 uint64 + x419, x418 = bits.Mul64(x414, 0xffffffffffffffff) + var x420 uint64 + var x421 uint64 + x421, x420 = bits.Mul64(x414, 0xffffffffffffffff) + var x422 uint64 + var x423 uint64 + x423, x422 = bits.Mul64(x414, 0xfffffffffffffffe) + var x424 uint64 + var x425 uint64 + x425, x424 = bits.Mul64(x414, 0xffffffff00000000) + var x426 uint64 + var x427 uint64 + x427, x426 = bits.Mul64(x414, 0xffffffff) + var x428 uint64 + var x429 uint1 + x428, x429 = addcarryxU64(x427, x424, 0x0) + var x430 uint64 + var x431 uint1 + x430, x431 = addcarryxU64(x425, x422, x429) + var x432 uint64 + var x433 uint1 + x432, x433 = addcarryxU64(x423, x420, x431) + var x434 uint64 + var x435 uint1 + x434, x435 = addcarryxU64(x421, x418, x433) + var x436 uint64 + var x437 uint1 + x436, x437 = addcarryxU64(x419, x416, x435) + x438 := (uint64(x437) + x417) + var x440 uint1 + _, x440 = addcarryxU64(x400, x426, 0x0) + var x441 uint64 + var x442 uint1 + x441, x442 = addcarryxU64(x402, x428, x440) + var x443 uint64 + var x444 uint1 + x443, x444 = addcarryxU64(x404, x430, x442) + var x445 uint64 + var x446 uint1 + x445, x446 = addcarryxU64(x406, x432, x444) + var x447 uint64 + var x448 uint1 + x447, x448 = addcarryxU64(x408, x434, x446) + var x449 uint64 + var x450 uint1 + x449, x450 = addcarryxU64(x410, x436, x448) + var x451 uint64 + var x452 uint1 + x451, x452 = addcarryxU64(x412, x438, x450) + x453 := (uint64(x452) + uint64(x413)) + var x454 uint64 + var x455 uint1 + x454, x455 = subborrowxU64(x441, 0xffffffff, 0x0) + var x456 uint64 + var x457 uint1 + x456, x457 = subborrowxU64(x443, 
0xffffffff00000000, x455) + var x458 uint64 + var x459 uint1 + x458, x459 = subborrowxU64(x445, 0xfffffffffffffffe, x457) + var x460 uint64 + var x461 uint1 + x460, x461 = subborrowxU64(x447, 0xffffffffffffffff, x459) + var x462 uint64 + var x463 uint1 + x462, x463 = subborrowxU64(x449, 0xffffffffffffffff, x461) + var x464 uint64 + var x465 uint1 + x464, x465 = subborrowxU64(x451, 0xffffffffffffffff, x463) + var x467 uint1 + _, x467 = subborrowxU64(x453, uint64(0x0), x465) + var x468 uint64 + cmovznzU64(&x468, x467, x454, x441) + var x469 uint64 + cmovznzU64(&x469, x467, x456, x443) + var x470 uint64 + cmovznzU64(&x470, x467, x458, x445) + var x471 uint64 + cmovznzU64(&x471, x467, x460, x447) + var x472 uint64 + cmovznzU64(&x472, x467, x462, x449) + var x473 uint64 + cmovznzU64(&x473, x467, x464, x451) + out1[0] = x468 + out1[1] = x469 + out1[2] = x470 + out1[3] = x471 + out1[4] = x472 + out1[5] = x473 } -/* - The function Add adds two field elements in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Add(out1 *[6]uint64, arg1 *[6]uint64, arg2 *[6]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = addcarryxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = addcarryxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = addcarryxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = addcarryxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = addcarryxU64((arg1[4]), (arg2[4]), x8) - var x11 uint64 - var x12 uint1 - x11, x12 = addcarryxU64((arg1[5]), (arg2[5]), x10) - var x13 uint64 - var x14 uint1 - x13, x14 = subborrowxU64(x1, 0xffffffff, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = subborrowxU64(x3, 0xffffffff00000000, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = subborrowxU64(x5, 0xfffffffffffffffe, x16) - var x19 uint64 - var x20 uint1 - x19, x20 = subborrowxU64(x7, 0xffffffffffffffff, x18) - var x21 uint64 - var x22 uint1 - x21, x22 = subborrowxU64(x9, 0xffffffffffffffff, x20) - var x23 uint64 - var x24 uint1 - x23, x24 = subborrowxU64(x11, 0xffffffffffffffff, x22) - var x26 uint1 - _, x26 = subborrowxU64(uint64(x12), uint64(0x0), x24) - var x27 uint64 - 
cmovznzU64(&x27, x26, x13, x1) - var x28 uint64 - cmovznzU64(&x28, x26, x15, x3) - var x29 uint64 - cmovznzU64(&x29, x26, x17, x5) - var x30 uint64 - cmovznzU64(&x30, x26, x19, x7) - var x31 uint64 - cmovznzU64(&x31, x26, x21, x9) - var x32 uint64 - cmovznzU64(&x32, x26, x23, x11) - out1[0] = x27 - out1[1] = x28 - out1[2] = x29 - out1[3] = x30 - out1[4] = x31 - out1[5] = x32 + var x1 uint64 + var x2 uint1 + x1, x2 = addcarryxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = addcarryxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = addcarryxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = addcarryxU64(arg1[3], arg2[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = addcarryxU64(arg1[4], arg2[4], x8) + var x11 uint64 + var x12 uint1 + x11, x12 = addcarryxU64(arg1[5], arg2[5], x10) + var x13 uint64 + var x14 uint1 + x13, x14 = subborrowxU64(x1, 0xffffffff, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = subborrowxU64(x3, 0xffffffff00000000, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = subborrowxU64(x5, 0xfffffffffffffffe, x16) + var x19 uint64 + var x20 uint1 + x19, x20 = subborrowxU64(x7, 0xffffffffffffffff, x18) + var x21 uint64 + var x22 uint1 + x21, x22 = subborrowxU64(x9, 0xffffffffffffffff, x20) + var x23 uint64 + var x24 uint1 + x23, x24 = subborrowxU64(x11, 0xffffffffffffffff, x22) + var x26 uint1 + _, x26 = subborrowxU64(uint64(x12), uint64(0x0), x24) + var x27 uint64 + cmovznzU64(&x27, x26, x13, x1) + var x28 uint64 + cmovznzU64(&x28, x26, x15, x3) + var x29 uint64 + cmovznzU64(&x29, x26, x17, x5) + var x30 uint64 + cmovznzU64(&x30, x26, x19, x7) + var x31 uint64 + cmovznzU64(&x31, x26, x21, x9) + var x32 uint64 + cmovznzU64(&x32, x26, x23, x11) + out1[0] = x27 + out1[1] = x28 + out1[2] = x29 + out1[3] = x30 + out1[4] = x31 + out1[5] = x32 } -/* - The function Sub subtracts two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Sub(out1 *[6]uint64, arg1 *[6]uint64, arg2 *[6]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 
- var x8 uint1 - x7, x8 = subborrowxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = subborrowxU64((arg1[4]), (arg2[4]), x8) - var x11 uint64 - var x12 uint1 - x11, x12 = subborrowxU64((arg1[5]), (arg2[5]), x10) - var x13 uint64 - cmovznzU64(&x13, x12, uint64(0x0), 0xffffffffffffffff) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(x1, (x13 & 0xffffffff), 0x0) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(x3, (x13 & 0xffffffff00000000), x15) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(x5, (x13 & 0xfffffffffffffffe), x17) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(x7, x13, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x9, x13, x21) - var x24 uint64 - x24, _ = addcarryxU64(x11, x13, x23) - out1[0] = x14 - out1[1] = x16 - out1[2] = x18 - out1[3] = x20 - out1[4] = x22 - out1[5] = x24 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(arg1[3], arg2[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = subborrowxU64(arg1[4], arg2[4], x8) + var x11 uint64 + var x12 uint1 + x11, x12 = subborrowxU64(arg1[5], arg2[5], x10) + var x13 uint64 + cmovznzU64(&x13, x12, uint64(0x0), 0xffffffffffffffff) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x1, (x13 & 0xffffffff), 0x0) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(x3, (x13 & 0xffffffff00000000), x15) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(x5, (x13 & 0xfffffffffffffffe), x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(x7, x13, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x9, x13, x21) + var x24 uint64 + x24, _ = addcarryxU64(x11, x13, x23) + out1[0] = x14 + out1[1] = x16 + out1[2] = x18 + out1[3] = x20 + out1[4] = 
x22 + out1[5] = x24 } -/* - The function Opp negates a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Opp(out1 *[6]uint64, arg1 *[6]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64(uint64(0x0), (arg1[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64(uint64(0x0), (arg1[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64(uint64(0x0), (arg1[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64(uint64(0x0), (arg1[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = subborrowxU64(uint64(0x0), (arg1[4]), x8) - var x11 uint64 - var x12 uint1 - x11, x12 = subborrowxU64(uint64(0x0), (arg1[5]), x10) - var x13 uint64 - cmovznzU64(&x13, x12, uint64(0x0), 0xffffffffffffffff) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(x1, (x13 & 
0xffffffff), 0x0) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(x3, (x13 & 0xffffffff00000000), x15) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(x5, (x13 & 0xfffffffffffffffe), x17) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(x7, x13, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x9, x13, x21) - var x24 uint64 - x24, _ = addcarryxU64(x11, x13, x23) - out1[0] = x14 - out1[1] = x16 - out1[2] = x18 - out1[3] = x20 - out1[4] = x22 - out1[5] = x24 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(uint64(0x0), arg1[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(uint64(0x0), arg1[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(uint64(0x0), arg1[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(uint64(0x0), arg1[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = subborrowxU64(uint64(0x0), arg1[4], x8) + var x11 uint64 + var x12 uint1 + x11, x12 = subborrowxU64(uint64(0x0), arg1[5], x10) + var x13 uint64 + cmovznzU64(&x13, x12, uint64(0x0), 0xffffffffffffffff) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x1, (x13 & 0xffffffff), 0x0) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(x3, (x13 & 0xffffffff00000000), x15) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(x5, (x13 & 0xfffffffffffffffe), x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(x7, x13, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x9, x13, x21) + var x24 uint64 + x24, _ = addcarryxU64(x11, x13, x23) + out1[0] = x14 + out1[1] = x16 + out1[2] = x18 + out1[3] = x20 + out1[4] = x22 + out1[5] = x24 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^6) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^6) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromMontgomery(out1 *[6]uint64, arg1 *[6]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 - _, x2 = bits.Mul64(x1, 0x100000001) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x2, 0xffffffffffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x2, 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x2, 0xfffffffffffffffe) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x2, 0xffffffff00000000) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x2, 0xffffffff) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(x15, x12, 0x0) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(x13, x10, x17) - var x20 uint64 - var x21 uint1 - x20, x21 = 
addcarryxU64(x11, x8, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x9, x6, x21) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x7, x4, x23) - var x27 uint1 - _, x27 = addcarryxU64(x1, x14, 0x0) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(uint64(0x0), x16, x27) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(uint64(0x0), x18, x29) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(uint64(0x0), x20, x31) - var x34 uint64 - var x35 uint1 - x34, x35 = addcarryxU64(uint64(0x0), x22, x33) - var x36 uint64 - var x37 uint1 - x36, x37 = addcarryxU64(uint64(0x0), x24, x35) - var x38 uint64 - var x39 uint1 - x38, x39 = addcarryxU64(uint64(0x0), (uint64(x25) + x5), x37) - var x40 uint64 - var x41 uint1 - x40, x41 = addcarryxU64(x28, (arg1[1]), 0x0) - var x42 uint64 - var x43 uint1 - x42, x43 = addcarryxU64(x30, uint64(0x0), x41) - var x44 uint64 - var x45 uint1 - x44, x45 = addcarryxU64(x32, uint64(0x0), x43) - var x46 uint64 - var x47 uint1 - x46, x47 = addcarryxU64(x34, uint64(0x0), x45) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x36, uint64(0x0), x47) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x38, uint64(0x0), x49) - var x52 uint64 - _, x52 = bits.Mul64(x40, 0x100000001) - var x54 uint64 - var x55 uint64 - x55, x54 = bits.Mul64(x52, 0xffffffffffffffff) - var x56 uint64 - var x57 uint64 - x57, x56 = bits.Mul64(x52, 0xffffffffffffffff) - var x58 uint64 - var x59 uint64 - x59, x58 = bits.Mul64(x52, 0xffffffffffffffff) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64(x52, 0xfffffffffffffffe) - var x62 uint64 - var x63 uint64 - x63, x62 = bits.Mul64(x52, 0xffffffff00000000) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x52, 0xffffffff) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x65, x62, 0x0) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x63, x60, x67) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x61, x58, x69) - var 
x72 uint64 - var x73 uint1 - x72, x73 = addcarryxU64(x59, x56, x71) - var x74 uint64 - var x75 uint1 - x74, x75 = addcarryxU64(x57, x54, x73) - var x77 uint1 - _, x77 = addcarryxU64(x40, x64, 0x0) - var x78 uint64 - var x79 uint1 - x78, x79 = addcarryxU64(x42, x66, x77) - var x80 uint64 - var x81 uint1 - x80, x81 = addcarryxU64(x44, x68, x79) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x46, x70, x81) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x48, x72, x83) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x50, x74, x85) - var x88 uint64 - var x89 uint1 - x88, x89 = addcarryxU64((uint64(x51) + uint64(x39)), (uint64(x75) + x55), x87) - var x90 uint64 - var x91 uint1 - x90, x91 = addcarryxU64(x78, (arg1[2]), 0x0) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x80, uint64(0x0), x91) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x82, uint64(0x0), x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x84, uint64(0x0), x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x86, uint64(0x0), x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x88, uint64(0x0), x99) - var x102 uint64 - _, x102 = bits.Mul64(x90, 0x100000001) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64(x102, 0xffffffffffffffff) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x102, 0xffffffffffffffff) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x102, 0xffffffffffffffff) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x102, 0xfffffffffffffffe) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x102, 0xffffffff00000000) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x102, 0xffffffff) - var x116 uint64 - var x117 uint1 - x116, x117 = addcarryxU64(x115, x112, 0x0) - var x118 uint64 - var x119 uint1 - x118, x119 = addcarryxU64(x113, x110, x117) - var x120 uint64 - var x121 uint1 - x120, x121 = addcarryxU64(x111, x108, x119) - 
var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x109, x106, x121) - var x124 uint64 - var x125 uint1 - x124, x125 = addcarryxU64(x107, x104, x123) - var x127 uint1 - _, x127 = addcarryxU64(x90, x114, 0x0) - var x128 uint64 - var x129 uint1 - x128, x129 = addcarryxU64(x92, x116, x127) - var x130 uint64 - var x131 uint1 - x130, x131 = addcarryxU64(x94, x118, x129) - var x132 uint64 - var x133 uint1 - x132, x133 = addcarryxU64(x96, x120, x131) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x98, x122, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = addcarryxU64(x100, x124, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64((uint64(x101) + uint64(x89)), (uint64(x125) + x105), x137) - var x140 uint64 - var x141 uint1 - x140, x141 = addcarryxU64(x128, (arg1[3]), 0x0) - var x142 uint64 - var x143 uint1 - x142, x143 = addcarryxU64(x130, uint64(0x0), x141) - var x144 uint64 - var x145 uint1 - x144, x145 = addcarryxU64(x132, uint64(0x0), x143) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x134, uint64(0x0), x145) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x136, uint64(0x0), x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x138, uint64(0x0), x149) - var x152 uint64 - _, x152 = bits.Mul64(x140, 0x100000001) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x152, 0xffffffffffffffff) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x152, 0xffffffffffffffff) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x152, 0xffffffffffffffff) - var x160 uint64 - var x161 uint64 - x161, x160 = bits.Mul64(x152, 0xfffffffffffffffe) - var x162 uint64 - var x163 uint64 - x163, x162 = bits.Mul64(x152, 0xffffffff00000000) - var x164 uint64 - var x165 uint64 - x165, x164 = bits.Mul64(x152, 0xffffffff) - var x166 uint64 - var x167 uint1 - x166, x167 = addcarryxU64(x165, x162, 0x0) - var x168 uint64 - var x169 uint1 - x168, x169 = addcarryxU64(x163, 
x160, x167) - var x170 uint64 - var x171 uint1 - x170, x171 = addcarryxU64(x161, x158, x169) - var x172 uint64 - var x173 uint1 - x172, x173 = addcarryxU64(x159, x156, x171) - var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x157, x154, x173) - var x177 uint1 - _, x177 = addcarryxU64(x140, x164, 0x0) - var x178 uint64 - var x179 uint1 - x178, x179 = addcarryxU64(x142, x166, x177) - var x180 uint64 - var x181 uint1 - x180, x181 = addcarryxU64(x144, x168, x179) - var x182 uint64 - var x183 uint1 - x182, x183 = addcarryxU64(x146, x170, x181) - var x184 uint64 - var x185 uint1 - x184, x185 = addcarryxU64(x148, x172, x183) - var x186 uint64 - var x187 uint1 - x186, x187 = addcarryxU64(x150, x174, x185) - var x188 uint64 - var x189 uint1 - x188, x189 = addcarryxU64((uint64(x151) + uint64(x139)), (uint64(x175) + x155), x187) - var x190 uint64 - var x191 uint1 - x190, x191 = addcarryxU64(x178, (arg1[4]), 0x0) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(x180, uint64(0x0), x191) - var x194 uint64 - var x195 uint1 - x194, x195 = addcarryxU64(x182, uint64(0x0), x193) - var x196 uint64 - var x197 uint1 - x196, x197 = addcarryxU64(x184, uint64(0x0), x195) - var x198 uint64 - var x199 uint1 - x198, x199 = addcarryxU64(x186, uint64(0x0), x197) - var x200 uint64 - var x201 uint1 - x200, x201 = addcarryxU64(x188, uint64(0x0), x199) - var x202 uint64 - _, x202 = bits.Mul64(x190, 0x100000001) - var x204 uint64 - var x205 uint64 - x205, x204 = bits.Mul64(x202, 0xffffffffffffffff) - var x206 uint64 - var x207 uint64 - x207, x206 = bits.Mul64(x202, 0xffffffffffffffff) - var x208 uint64 - var x209 uint64 - x209, x208 = bits.Mul64(x202, 0xffffffffffffffff) - var x210 uint64 - var x211 uint64 - x211, x210 = bits.Mul64(x202, 0xfffffffffffffffe) - var x212 uint64 - var x213 uint64 - x213, x212 = bits.Mul64(x202, 0xffffffff00000000) - var x214 uint64 - var x215 uint64 - x215, x214 = bits.Mul64(x202, 0xffffffff) - var x216 uint64 - var x217 uint1 - x216, x217 = 
addcarryxU64(x215, x212, 0x0) - var x218 uint64 - var x219 uint1 - x218, x219 = addcarryxU64(x213, x210, x217) - var x220 uint64 - var x221 uint1 - x220, x221 = addcarryxU64(x211, x208, x219) - var x222 uint64 - var x223 uint1 - x222, x223 = addcarryxU64(x209, x206, x221) - var x224 uint64 - var x225 uint1 - x224, x225 = addcarryxU64(x207, x204, x223) - var x227 uint1 - _, x227 = addcarryxU64(x190, x214, 0x0) - var x228 uint64 - var x229 uint1 - x228, x229 = addcarryxU64(x192, x216, x227) - var x230 uint64 - var x231 uint1 - x230, x231 = addcarryxU64(x194, x218, x229) - var x232 uint64 - var x233 uint1 - x232, x233 = addcarryxU64(x196, x220, x231) - var x234 uint64 - var x235 uint1 - x234, x235 = addcarryxU64(x198, x222, x233) - var x236 uint64 - var x237 uint1 - x236, x237 = addcarryxU64(x200, x224, x235) - var x238 uint64 - var x239 uint1 - x238, x239 = addcarryxU64((uint64(x201) + uint64(x189)), (uint64(x225) + x205), x237) - var x240 uint64 - var x241 uint1 - x240, x241 = addcarryxU64(x228, (arg1[5]), 0x0) - var x242 uint64 - var x243 uint1 - x242, x243 = addcarryxU64(x230, uint64(0x0), x241) - var x244 uint64 - var x245 uint1 - x244, x245 = addcarryxU64(x232, uint64(0x0), x243) - var x246 uint64 - var x247 uint1 - x246, x247 = addcarryxU64(x234, uint64(0x0), x245) - var x248 uint64 - var x249 uint1 - x248, x249 = addcarryxU64(x236, uint64(0x0), x247) - var x250 uint64 - var x251 uint1 - x250, x251 = addcarryxU64(x238, uint64(0x0), x249) - var x252 uint64 - _, x252 = bits.Mul64(x240, 0x100000001) - var x254 uint64 - var x255 uint64 - x255, x254 = bits.Mul64(x252, 0xffffffffffffffff) - var x256 uint64 - var x257 uint64 - x257, x256 = bits.Mul64(x252, 0xffffffffffffffff) - var x258 uint64 - var x259 uint64 - x259, x258 = bits.Mul64(x252, 0xffffffffffffffff) - var x260 uint64 - var x261 uint64 - x261, x260 = bits.Mul64(x252, 0xfffffffffffffffe) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x252, 0xffffffff00000000) - var x264 uint64 - var x265 
uint64 - x265, x264 = bits.Mul64(x252, 0xffffffff) - var x266 uint64 - var x267 uint1 - x266, x267 = addcarryxU64(x265, x262, 0x0) - var x268 uint64 - var x269 uint1 - x268, x269 = addcarryxU64(x263, x260, x267) - var x270 uint64 - var x271 uint1 - x270, x271 = addcarryxU64(x261, x258, x269) - var x272 uint64 - var x273 uint1 - x272, x273 = addcarryxU64(x259, x256, x271) - var x274 uint64 - var x275 uint1 - x274, x275 = addcarryxU64(x257, x254, x273) - var x277 uint1 - _, x277 = addcarryxU64(x240, x264, 0x0) - var x278 uint64 - var x279 uint1 - x278, x279 = addcarryxU64(x242, x266, x277) - var x280 uint64 - var x281 uint1 - x280, x281 = addcarryxU64(x244, x268, x279) - var x282 uint64 - var x283 uint1 - x282, x283 = addcarryxU64(x246, x270, x281) - var x284 uint64 - var x285 uint1 - x284, x285 = addcarryxU64(x248, x272, x283) - var x286 uint64 - var x287 uint1 - x286, x287 = addcarryxU64(x250, x274, x285) - var x288 uint64 - var x289 uint1 - x288, x289 = addcarryxU64((uint64(x251) + uint64(x239)), (uint64(x275) + x255), x287) - var x290 uint64 - var x291 uint1 - x290, x291 = subborrowxU64(x278, 0xffffffff, 0x0) - var x292 uint64 - var x293 uint1 - x292, x293 = subborrowxU64(x280, 0xffffffff00000000, x291) - var x294 uint64 - var x295 uint1 - x294, x295 = subborrowxU64(x282, 0xfffffffffffffffe, x293) - var x296 uint64 - var x297 uint1 - x296, x297 = subborrowxU64(x284, 0xffffffffffffffff, x295) - var x298 uint64 - var x299 uint1 - x298, x299 = subborrowxU64(x286, 0xffffffffffffffff, x297) - var x300 uint64 - var x301 uint1 - x300, x301 = subborrowxU64(x288, 0xffffffffffffffff, x299) - var x303 uint1 - _, x303 = subborrowxU64(uint64(x289), uint64(0x0), x301) - var x304 uint64 - cmovznzU64(&x304, x303, x290, x278) - var x305 uint64 - cmovznzU64(&x305, x303, x292, x280) - var x306 uint64 - cmovznzU64(&x306, x303, x294, x282) - var x307 uint64 - cmovznzU64(&x307, x303, x296, x284) - var x308 uint64 - cmovznzU64(&x308, x303, x298, x286) - var x309 uint64 - 
cmovznzU64(&x309, x303, x300, x288) - out1[0] = x304 - out1[1] = x305 - out1[2] = x306 - out1[3] = x307 - out1[4] = x308 - out1[5] = x309 + x1 := arg1[0] + var x2 uint64 + _, x2 = bits.Mul64(x1, 0x100000001) + var x4 uint64 + var x5 uint64 + x5, x4 = bits.Mul64(x2, 0xffffffffffffffff) + var x6 uint64 + var x7 uint64 + x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) + var x8 uint64 + var x9 uint64 + x9, x8 = bits.Mul64(x2, 0xffffffffffffffff) + var x10 uint64 + var x11 uint64 + x11, x10 = bits.Mul64(x2, 0xfffffffffffffffe) + var x12 uint64 + var x13 uint64 + x13, x12 = bits.Mul64(x2, 0xffffffff00000000) + var x14 uint64 + var x15 uint64 + x15, x14 = bits.Mul64(x2, 0xffffffff) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(x15, x12, 0x0) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(x13, x10, x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(x11, x8, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x9, x6, x21) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x7, x4, x23) + var x27 uint1 + _, x27 = addcarryxU64(x1, x14, 0x0) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(uint64(0x0), x16, x27) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(uint64(0x0), x18, x29) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(uint64(0x0), x20, x31) + var x34 uint64 + var x35 uint1 + x34, x35 = addcarryxU64(uint64(0x0), x22, x33) + var x36 uint64 + var x37 uint1 + x36, x37 = addcarryxU64(uint64(0x0), x24, x35) + var x38 uint64 + var x39 uint1 + x38, x39 = addcarryxU64(uint64(0x0), (uint64(x25) + x5), x37) + var x40 uint64 + var x41 uint1 + x40, x41 = addcarryxU64(x28, arg1[1], 0x0) + var x42 uint64 + var x43 uint1 + x42, x43 = addcarryxU64(x30, uint64(0x0), x41) + var x44 uint64 + var x45 uint1 + x44, x45 = addcarryxU64(x32, uint64(0x0), x43) + var x46 uint64 + var x47 uint1 + x46, x47 = addcarryxU64(x34, uint64(0x0), x45) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x36, 
uint64(0x0), x47) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x38, uint64(0x0), x49) + var x52 uint64 + _, x52 = bits.Mul64(x40, 0x100000001) + var x54 uint64 + var x55 uint64 + x55, x54 = bits.Mul64(x52, 0xffffffffffffffff) + var x56 uint64 + var x57 uint64 + x57, x56 = bits.Mul64(x52, 0xffffffffffffffff) + var x58 uint64 + var x59 uint64 + x59, x58 = bits.Mul64(x52, 0xffffffffffffffff) + var x60 uint64 + var x61 uint64 + x61, x60 = bits.Mul64(x52, 0xfffffffffffffffe) + var x62 uint64 + var x63 uint64 + x63, x62 = bits.Mul64(x52, 0xffffffff00000000) + var x64 uint64 + var x65 uint64 + x65, x64 = bits.Mul64(x52, 0xffffffff) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x65, x62, 0x0) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x63, x60, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x61, x58, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = addcarryxU64(x59, x56, x71) + var x74 uint64 + var x75 uint1 + x74, x75 = addcarryxU64(x57, x54, x73) + var x77 uint1 + _, x77 = addcarryxU64(x40, x64, 0x0) + var x78 uint64 + var x79 uint1 + x78, x79 = addcarryxU64(x42, x66, x77) + var x80 uint64 + var x81 uint1 + x80, x81 = addcarryxU64(x44, x68, x79) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x46, x70, x81) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x48, x72, x83) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x50, x74, x85) + var x88 uint64 + var x89 uint1 + x88, x89 = addcarryxU64((uint64(x51) + uint64(x39)), (uint64(x75) + x55), x87) + var x90 uint64 + var x91 uint1 + x90, x91 = addcarryxU64(x78, arg1[2], 0x0) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x80, uint64(0x0), x91) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x82, uint64(0x0), x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x84, uint64(0x0), x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x86, uint64(0x0), x97) + var x100 uint64 + var x101 uint1 + 
x100, x101 = addcarryxU64(x88, uint64(0x0), x99) + var x102 uint64 + _, x102 = bits.Mul64(x90, 0x100000001) + var x104 uint64 + var x105 uint64 + x105, x104 = bits.Mul64(x102, 0xffffffffffffffff) + var x106 uint64 + var x107 uint64 + x107, x106 = bits.Mul64(x102, 0xffffffffffffffff) + var x108 uint64 + var x109 uint64 + x109, x108 = bits.Mul64(x102, 0xffffffffffffffff) + var x110 uint64 + var x111 uint64 + x111, x110 = bits.Mul64(x102, 0xfffffffffffffffe) + var x112 uint64 + var x113 uint64 + x113, x112 = bits.Mul64(x102, 0xffffffff00000000) + var x114 uint64 + var x115 uint64 + x115, x114 = bits.Mul64(x102, 0xffffffff) + var x116 uint64 + var x117 uint1 + x116, x117 = addcarryxU64(x115, x112, 0x0) + var x118 uint64 + var x119 uint1 + x118, x119 = addcarryxU64(x113, x110, x117) + var x120 uint64 + var x121 uint1 + x120, x121 = addcarryxU64(x111, x108, x119) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x109, x106, x121) + var x124 uint64 + var x125 uint1 + x124, x125 = addcarryxU64(x107, x104, x123) + var x127 uint1 + _, x127 = addcarryxU64(x90, x114, 0x0) + var x128 uint64 + var x129 uint1 + x128, x129 = addcarryxU64(x92, x116, x127) + var x130 uint64 + var x131 uint1 + x130, x131 = addcarryxU64(x94, x118, x129) + var x132 uint64 + var x133 uint1 + x132, x133 = addcarryxU64(x96, x120, x131) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x98, x122, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = addcarryxU64(x100, x124, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64((uint64(x101) + uint64(x89)), (uint64(x125) + x105), x137) + var x140 uint64 + var x141 uint1 + x140, x141 = addcarryxU64(x128, arg1[3], 0x0) + var x142 uint64 + var x143 uint1 + x142, x143 = addcarryxU64(x130, uint64(0x0), x141) + var x144 uint64 + var x145 uint1 + x144, x145 = addcarryxU64(x132, uint64(0x0), x143) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x134, uint64(0x0), x145) + var x148 uint64 + var x149 uint1 + 
x148, x149 = addcarryxU64(x136, uint64(0x0), x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x138, uint64(0x0), x149) + var x152 uint64 + _, x152 = bits.Mul64(x140, 0x100000001) + var x154 uint64 + var x155 uint64 + x155, x154 = bits.Mul64(x152, 0xffffffffffffffff) + var x156 uint64 + var x157 uint64 + x157, x156 = bits.Mul64(x152, 0xffffffffffffffff) + var x158 uint64 + var x159 uint64 + x159, x158 = bits.Mul64(x152, 0xffffffffffffffff) + var x160 uint64 + var x161 uint64 + x161, x160 = bits.Mul64(x152, 0xfffffffffffffffe) + var x162 uint64 + var x163 uint64 + x163, x162 = bits.Mul64(x152, 0xffffffff00000000) + var x164 uint64 + var x165 uint64 + x165, x164 = bits.Mul64(x152, 0xffffffff) + var x166 uint64 + var x167 uint1 + x166, x167 = addcarryxU64(x165, x162, 0x0) + var x168 uint64 + var x169 uint1 + x168, x169 = addcarryxU64(x163, x160, x167) + var x170 uint64 + var x171 uint1 + x170, x171 = addcarryxU64(x161, x158, x169) + var x172 uint64 + var x173 uint1 + x172, x173 = addcarryxU64(x159, x156, x171) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x157, x154, x173) + var x177 uint1 + _, x177 = addcarryxU64(x140, x164, 0x0) + var x178 uint64 + var x179 uint1 + x178, x179 = addcarryxU64(x142, x166, x177) + var x180 uint64 + var x181 uint1 + x180, x181 = addcarryxU64(x144, x168, x179) + var x182 uint64 + var x183 uint1 + x182, x183 = addcarryxU64(x146, x170, x181) + var x184 uint64 + var x185 uint1 + x184, x185 = addcarryxU64(x148, x172, x183) + var x186 uint64 + var x187 uint1 + x186, x187 = addcarryxU64(x150, x174, x185) + var x188 uint64 + var x189 uint1 + x188, x189 = addcarryxU64((uint64(x151) + uint64(x139)), (uint64(x175) + x155), x187) + var x190 uint64 + var x191 uint1 + x190, x191 = addcarryxU64(x178, arg1[4], 0x0) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(x180, uint64(0x0), x191) + var x194 uint64 + var x195 uint1 + x194, x195 = addcarryxU64(x182, uint64(0x0), x193) + var x196 uint64 + var x197 
uint1 + x196, x197 = addcarryxU64(x184, uint64(0x0), x195) + var x198 uint64 + var x199 uint1 + x198, x199 = addcarryxU64(x186, uint64(0x0), x197) + var x200 uint64 + var x201 uint1 + x200, x201 = addcarryxU64(x188, uint64(0x0), x199) + var x202 uint64 + _, x202 = bits.Mul64(x190, 0x100000001) + var x204 uint64 + var x205 uint64 + x205, x204 = bits.Mul64(x202, 0xffffffffffffffff) + var x206 uint64 + var x207 uint64 + x207, x206 = bits.Mul64(x202, 0xffffffffffffffff) + var x208 uint64 + var x209 uint64 + x209, x208 = bits.Mul64(x202, 0xffffffffffffffff) + var x210 uint64 + var x211 uint64 + x211, x210 = bits.Mul64(x202, 0xfffffffffffffffe) + var x212 uint64 + var x213 uint64 + x213, x212 = bits.Mul64(x202, 0xffffffff00000000) + var x214 uint64 + var x215 uint64 + x215, x214 = bits.Mul64(x202, 0xffffffff) + var x216 uint64 + var x217 uint1 + x216, x217 = addcarryxU64(x215, x212, 0x0) + var x218 uint64 + var x219 uint1 + x218, x219 = addcarryxU64(x213, x210, x217) + var x220 uint64 + var x221 uint1 + x220, x221 = addcarryxU64(x211, x208, x219) + var x222 uint64 + var x223 uint1 + x222, x223 = addcarryxU64(x209, x206, x221) + var x224 uint64 + var x225 uint1 + x224, x225 = addcarryxU64(x207, x204, x223) + var x227 uint1 + _, x227 = addcarryxU64(x190, x214, 0x0) + var x228 uint64 + var x229 uint1 + x228, x229 = addcarryxU64(x192, x216, x227) + var x230 uint64 + var x231 uint1 + x230, x231 = addcarryxU64(x194, x218, x229) + var x232 uint64 + var x233 uint1 + x232, x233 = addcarryxU64(x196, x220, x231) + var x234 uint64 + var x235 uint1 + x234, x235 = addcarryxU64(x198, x222, x233) + var x236 uint64 + var x237 uint1 + x236, x237 = addcarryxU64(x200, x224, x235) + var x238 uint64 + var x239 uint1 + x238, x239 = addcarryxU64((uint64(x201) + uint64(x189)), (uint64(x225) + x205), x237) + var x240 uint64 + var x241 uint1 + x240, x241 = addcarryxU64(x228, arg1[5], 0x0) + var x242 uint64 + var x243 uint1 + x242, x243 = addcarryxU64(x230, uint64(0x0), x241) + var x244 uint64 + 
var x245 uint1 + x244, x245 = addcarryxU64(x232, uint64(0x0), x243) + var x246 uint64 + var x247 uint1 + x246, x247 = addcarryxU64(x234, uint64(0x0), x245) + var x248 uint64 + var x249 uint1 + x248, x249 = addcarryxU64(x236, uint64(0x0), x247) + var x250 uint64 + var x251 uint1 + x250, x251 = addcarryxU64(x238, uint64(0x0), x249) + var x252 uint64 + _, x252 = bits.Mul64(x240, 0x100000001) + var x254 uint64 + var x255 uint64 + x255, x254 = bits.Mul64(x252, 0xffffffffffffffff) + var x256 uint64 + var x257 uint64 + x257, x256 = bits.Mul64(x252, 0xffffffffffffffff) + var x258 uint64 + var x259 uint64 + x259, x258 = bits.Mul64(x252, 0xffffffffffffffff) + var x260 uint64 + var x261 uint64 + x261, x260 = bits.Mul64(x252, 0xfffffffffffffffe) + var x262 uint64 + var x263 uint64 + x263, x262 = bits.Mul64(x252, 0xffffffff00000000) + var x264 uint64 + var x265 uint64 + x265, x264 = bits.Mul64(x252, 0xffffffff) + var x266 uint64 + var x267 uint1 + x266, x267 = addcarryxU64(x265, x262, 0x0) + var x268 uint64 + var x269 uint1 + x268, x269 = addcarryxU64(x263, x260, x267) + var x270 uint64 + var x271 uint1 + x270, x271 = addcarryxU64(x261, x258, x269) + var x272 uint64 + var x273 uint1 + x272, x273 = addcarryxU64(x259, x256, x271) + var x274 uint64 + var x275 uint1 + x274, x275 = addcarryxU64(x257, x254, x273) + var x277 uint1 + _, x277 = addcarryxU64(x240, x264, 0x0) + var x278 uint64 + var x279 uint1 + x278, x279 = addcarryxU64(x242, x266, x277) + var x280 uint64 + var x281 uint1 + x280, x281 = addcarryxU64(x244, x268, x279) + var x282 uint64 + var x283 uint1 + x282, x283 = addcarryxU64(x246, x270, x281) + var x284 uint64 + var x285 uint1 + x284, x285 = addcarryxU64(x248, x272, x283) + var x286 uint64 + var x287 uint1 + x286, x287 = addcarryxU64(x250, x274, x285) + var x288 uint64 + var x289 uint1 + x288, x289 = addcarryxU64((uint64(x251) + uint64(x239)), (uint64(x275) + x255), x287) + var x290 uint64 + var x291 uint1 + x290, x291 = subborrowxU64(x278, 0xffffffff, 0x0) + var 
x292 uint64 + var x293 uint1 + x292, x293 = subborrowxU64(x280, 0xffffffff00000000, x291) + var x294 uint64 + var x295 uint1 + x294, x295 = subborrowxU64(x282, 0xfffffffffffffffe, x293) + var x296 uint64 + var x297 uint1 + x296, x297 = subborrowxU64(x284, 0xffffffffffffffff, x295) + var x298 uint64 + var x299 uint1 + x298, x299 = subborrowxU64(x286, 0xffffffffffffffff, x297) + var x300 uint64 + var x301 uint1 + x300, x301 = subborrowxU64(x288, 0xffffffffffffffff, x299) + var x303 uint1 + _, x303 = subborrowxU64(uint64(x289), uint64(0x0), x301) + var x304 uint64 + cmovznzU64(&x304, x303, x290, x278) + var x305 uint64 + cmovznzU64(&x305, x303, x292, x280) + var x306 uint64 + cmovznzU64(&x306, x303, x294, x282) + var x307 uint64 + cmovznzU64(&x307, x303, x296, x284) + var x308 uint64 + cmovznzU64(&x308, x303, x298, x286) + var x309 uint64 + cmovznzU64(&x309, x303, x300, x288) + out1[0] = x304 + out1[1] = x305 + out1[2] = x306 + out1[3] = x307 + out1[4] = x308 + out1[5] = x309 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func ToMontgomery(out1 *[6]uint64, arg1 *[6]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[4]) - var x5 uint64 = (arg1[5]) - var x6 uint64 = (arg1[0]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x6, 0x200000000) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x6, 0xfffffffe00000000) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x6, 0x200000000) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x6, 0xfffffffe00000001) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x14, x11, 0x0) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x12, x9, x16) - var x19 uint64 - var x20 uint1 - x19, x20 = addcarryxU64(x10, x7, x18) - var x21 uint64 - var x22 uint1 - x21, x22 = addcarryxU64(x8, x6, x20) - var x23 uint64 - _, x23 = bits.Mul64(x13, 0x100000001) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64(x23, 0xffffffffffffffff) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64(x23, 0xffffffffffffffff) - var x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64(x23, 0xffffffffffffffff) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64(x23, 0xfffffffffffffffe) - var x33 uint64 - var x34 uint64 - x34, x33 = bits.Mul64(x23, 0xffffffff00000000) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64(x23, 0xffffffff) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x36, x33, 0x0) - 
var x39 uint64 - var x40 uint1 - x39, x40 = addcarryxU64(x34, x31, x38) - var x41 uint64 - var x42 uint1 - x41, x42 = addcarryxU64(x32, x29, x40) - var x43 uint64 - var x44 uint1 - x43, x44 = addcarryxU64(x30, x27, x42) - var x45 uint64 - var x46 uint1 - x45, x46 = addcarryxU64(x28, x25, x44) - var x48 uint1 - _, x48 = addcarryxU64(x13, x35, 0x0) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x15, x37, x48) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x17, x39, x50) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x19, x41, x52) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x21, x43, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(uint64(x22), x45, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(uint64(0x0), (uint64(x46) + x26), x58) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64(x1, 0x200000000) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64(x1, 0xfffffffe00000000) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64(x1, 0x200000000) - var x67 uint64 - var x68 uint64 - x68, x67 = bits.Mul64(x1, 0xfffffffe00000001) - var x69 uint64 - var x70 uint1 - x69, x70 = addcarryxU64(x68, x65, 0x0) - var x71 uint64 - var x72 uint1 - x71, x72 = addcarryxU64(x66, x63, x70) - var x73 uint64 - var x74 uint1 - x73, x74 = addcarryxU64(x64, x61, x72) - var x75 uint64 - var x76 uint1 - x75, x76 = addcarryxU64(x62, x1, x74) - var x77 uint64 - var x78 uint1 - x77, x78 = addcarryxU64(x49, x67, 0x0) - var x79 uint64 - var x80 uint1 - x79, x80 = addcarryxU64(x51, x69, x78) - var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x53, x71, x80) - var x83 uint64 - var x84 uint1 - x83, x84 = addcarryxU64(x55, x73, x82) - var x85 uint64 - var x86 uint1 - x85, x86 = addcarryxU64(x57, x75, x84) - var x87 uint64 - var x88 uint1 - x87, x88 = addcarryxU64(x59, uint64(x76), x86) - var x89 uint64 - _, x89 = bits.Mul64(x77, 0x100000001) - var x91 uint64 - var x92 uint64 - x92, x91 = 
bits.Mul64(x89, 0xffffffffffffffff) - var x93 uint64 - var x94 uint64 - x94, x93 = bits.Mul64(x89, 0xffffffffffffffff) - var x95 uint64 - var x96 uint64 - x96, x95 = bits.Mul64(x89, 0xffffffffffffffff) - var x97 uint64 - var x98 uint64 - x98, x97 = bits.Mul64(x89, 0xfffffffffffffffe) - var x99 uint64 - var x100 uint64 - x100, x99 = bits.Mul64(x89, 0xffffffff00000000) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64(x89, 0xffffffff) - var x103 uint64 - var x104 uint1 - x103, x104 = addcarryxU64(x102, x99, 0x0) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x100, x97, x104) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x98, x95, x106) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64(x96, x93, x108) - var x111 uint64 - var x112 uint1 - x111, x112 = addcarryxU64(x94, x91, x110) - var x114 uint1 - _, x114 = addcarryxU64(x77, x101, 0x0) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x79, x103, x114) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x81, x105, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(x83, x107, x118) - var x121 uint64 - var x122 uint1 - x121, x122 = addcarryxU64(x85, x109, x120) - var x123 uint64 - var x124 uint1 - x123, x124 = addcarryxU64(x87, x111, x122) - var x125 uint64 - var x126 uint1 - x125, x126 = addcarryxU64((uint64(x88) + uint64(x60)), (uint64(x112) + x92), x124) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x2, 0x200000000) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x2, 0xfffffffe00000000) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x2, 0x200000000) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x2, 0xfffffffe00000001) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x134, x131, 0x0) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x132, x129, x136) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x130, x127, x138) - 
var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x128, x2, x140) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(x115, x133, 0x0) - var x145 uint64 - var x146 uint1 - x145, x146 = addcarryxU64(x117, x135, x144) - var x147 uint64 - var x148 uint1 - x147, x148 = addcarryxU64(x119, x137, x146) - var x149 uint64 - var x150 uint1 - x149, x150 = addcarryxU64(x121, x139, x148) - var x151 uint64 - var x152 uint1 - x151, x152 = addcarryxU64(x123, x141, x150) - var x153 uint64 - var x154 uint1 - x153, x154 = addcarryxU64(x125, uint64(x142), x152) - var x155 uint64 - _, x155 = bits.Mul64(x143, 0x100000001) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64(x155, 0xffffffffffffffff) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64(x155, 0xffffffffffffffff) - var x161 uint64 - var x162 uint64 - x162, x161 = bits.Mul64(x155, 0xffffffffffffffff) - var x163 uint64 - var x164 uint64 - x164, x163 = bits.Mul64(x155, 0xfffffffffffffffe) - var x165 uint64 - var x166 uint64 - x166, x165 = bits.Mul64(x155, 0xffffffff00000000) - var x167 uint64 - var x168 uint64 - x168, x167 = bits.Mul64(x155, 0xffffffff) - var x169 uint64 - var x170 uint1 - x169, x170 = addcarryxU64(x168, x165, 0x0) - var x171 uint64 - var x172 uint1 - x171, x172 = addcarryxU64(x166, x163, x170) - var x173 uint64 - var x174 uint1 - x173, x174 = addcarryxU64(x164, x161, x172) - var x175 uint64 - var x176 uint1 - x175, x176 = addcarryxU64(x162, x159, x174) - var x177 uint64 - var x178 uint1 - x177, x178 = addcarryxU64(x160, x157, x176) - var x180 uint1 - _, x180 = addcarryxU64(x143, x167, 0x0) - var x181 uint64 - var x182 uint1 - x181, x182 = addcarryxU64(x145, x169, x180) - var x183 uint64 - var x184 uint1 - x183, x184 = addcarryxU64(x147, x171, x182) - var x185 uint64 - var x186 uint1 - x185, x186 = addcarryxU64(x149, x173, x184) - var x187 uint64 - var x188 uint1 - x187, x188 = addcarryxU64(x151, x175, x186) - var x189 uint64 - var x190 uint1 - x189, x190 = 
addcarryxU64(x153, x177, x188) - var x191 uint64 - var x192 uint1 - x191, x192 = addcarryxU64((uint64(x154) + uint64(x126)), (uint64(x178) + x158), x190) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64(x3, 0x200000000) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(x3, 0xfffffffe00000000) - var x197 uint64 - var x198 uint64 - x198, x197 = bits.Mul64(x3, 0x200000000) - var x199 uint64 - var x200 uint64 - x200, x199 = bits.Mul64(x3, 0xfffffffe00000001) - var x201 uint64 - var x202 uint1 - x201, x202 = addcarryxU64(x200, x197, 0x0) - var x203 uint64 - var x204 uint1 - x203, x204 = addcarryxU64(x198, x195, x202) - var x205 uint64 - var x206 uint1 - x205, x206 = addcarryxU64(x196, x193, x204) - var x207 uint64 - var x208 uint1 - x207, x208 = addcarryxU64(x194, x3, x206) - var x209 uint64 - var x210 uint1 - x209, x210 = addcarryxU64(x181, x199, 0x0) - var x211 uint64 - var x212 uint1 - x211, x212 = addcarryxU64(x183, x201, x210) - var x213 uint64 - var x214 uint1 - x213, x214 = addcarryxU64(x185, x203, x212) - var x215 uint64 - var x216 uint1 - x215, x216 = addcarryxU64(x187, x205, x214) - var x217 uint64 - var x218 uint1 - x217, x218 = addcarryxU64(x189, x207, x216) - var x219 uint64 - var x220 uint1 - x219, x220 = addcarryxU64(x191, uint64(x208), x218) - var x221 uint64 - _, x221 = bits.Mul64(x209, 0x100000001) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x221, 0xffffffffffffffff) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x221, 0xffffffffffffffff) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x221, 0xffffffffffffffff) - var x229 uint64 - var x230 uint64 - x230, x229 = bits.Mul64(x221, 0xfffffffffffffffe) - var x231 uint64 - var x232 uint64 - x232, x231 = bits.Mul64(x221, 0xffffffff00000000) - var x233 uint64 - var x234 uint64 - x234, x233 = bits.Mul64(x221, 0xffffffff) - var x235 uint64 - var x236 uint1 - x235, x236 = addcarryxU64(x234, x231, 0x0) - var x237 uint64 - var x238 uint1 - 
x237, x238 = addcarryxU64(x232, x229, x236) - var x239 uint64 - var x240 uint1 - x239, x240 = addcarryxU64(x230, x227, x238) - var x241 uint64 - var x242 uint1 - x241, x242 = addcarryxU64(x228, x225, x240) - var x243 uint64 - var x244 uint1 - x243, x244 = addcarryxU64(x226, x223, x242) - var x246 uint1 - _, x246 = addcarryxU64(x209, x233, 0x0) - var x247 uint64 - var x248 uint1 - x247, x248 = addcarryxU64(x211, x235, x246) - var x249 uint64 - var x250 uint1 - x249, x250 = addcarryxU64(x213, x237, x248) - var x251 uint64 - var x252 uint1 - x251, x252 = addcarryxU64(x215, x239, x250) - var x253 uint64 - var x254 uint1 - x253, x254 = addcarryxU64(x217, x241, x252) - var x255 uint64 - var x256 uint1 - x255, x256 = addcarryxU64(x219, x243, x254) - var x257 uint64 - var x258 uint1 - x257, x258 = addcarryxU64((uint64(x220) + uint64(x192)), (uint64(x244) + x224), x256) - var x259 uint64 - var x260 uint64 - x260, x259 = bits.Mul64(x4, 0x200000000) - var x261 uint64 - var x262 uint64 - x262, x261 = bits.Mul64(x4, 0xfffffffe00000000) - var x263 uint64 - var x264 uint64 - x264, x263 = bits.Mul64(x4, 0x200000000) - var x265 uint64 - var x266 uint64 - x266, x265 = bits.Mul64(x4, 0xfffffffe00000001) - var x267 uint64 - var x268 uint1 - x267, x268 = addcarryxU64(x266, x263, 0x0) - var x269 uint64 - var x270 uint1 - x269, x270 = addcarryxU64(x264, x261, x268) - var x271 uint64 - var x272 uint1 - x271, x272 = addcarryxU64(x262, x259, x270) - var x273 uint64 - var x274 uint1 - x273, x274 = addcarryxU64(x260, x4, x272) - var x275 uint64 - var x276 uint1 - x275, x276 = addcarryxU64(x247, x265, 0x0) - var x277 uint64 - var x278 uint1 - x277, x278 = addcarryxU64(x249, x267, x276) - var x279 uint64 - var x280 uint1 - x279, x280 = addcarryxU64(x251, x269, x278) - var x281 uint64 - var x282 uint1 - x281, x282 = addcarryxU64(x253, x271, x280) - var x283 uint64 - var x284 uint1 - x283, x284 = addcarryxU64(x255, x273, x282) - var x285 uint64 - var x286 uint1 - x285, x286 = addcarryxU64(x257, 
uint64(x274), x284) - var x287 uint64 - _, x287 = bits.Mul64(x275, 0x100000001) - var x289 uint64 - var x290 uint64 - x290, x289 = bits.Mul64(x287, 0xffffffffffffffff) - var x291 uint64 - var x292 uint64 - x292, x291 = bits.Mul64(x287, 0xffffffffffffffff) - var x293 uint64 - var x294 uint64 - x294, x293 = bits.Mul64(x287, 0xffffffffffffffff) - var x295 uint64 - var x296 uint64 - x296, x295 = bits.Mul64(x287, 0xfffffffffffffffe) - var x297 uint64 - var x298 uint64 - x298, x297 = bits.Mul64(x287, 0xffffffff00000000) - var x299 uint64 - var x300 uint64 - x300, x299 = bits.Mul64(x287, 0xffffffff) - var x301 uint64 - var x302 uint1 - x301, x302 = addcarryxU64(x300, x297, 0x0) - var x303 uint64 - var x304 uint1 - x303, x304 = addcarryxU64(x298, x295, x302) - var x305 uint64 - var x306 uint1 - x305, x306 = addcarryxU64(x296, x293, x304) - var x307 uint64 - var x308 uint1 - x307, x308 = addcarryxU64(x294, x291, x306) - var x309 uint64 - var x310 uint1 - x309, x310 = addcarryxU64(x292, x289, x308) - var x312 uint1 - _, x312 = addcarryxU64(x275, x299, 0x0) - var x313 uint64 - var x314 uint1 - x313, x314 = addcarryxU64(x277, x301, x312) - var x315 uint64 - var x316 uint1 - x315, x316 = addcarryxU64(x279, x303, x314) - var x317 uint64 - var x318 uint1 - x317, x318 = addcarryxU64(x281, x305, x316) - var x319 uint64 - var x320 uint1 - x319, x320 = addcarryxU64(x283, x307, x318) - var x321 uint64 - var x322 uint1 - x321, x322 = addcarryxU64(x285, x309, x320) - var x323 uint64 - var x324 uint1 - x323, x324 = addcarryxU64((uint64(x286) + uint64(x258)), (uint64(x310) + x290), x322) - var x325 uint64 - var x326 uint64 - x326, x325 = bits.Mul64(x5, 0x200000000) - var x327 uint64 - var x328 uint64 - x328, x327 = bits.Mul64(x5, 0xfffffffe00000000) - var x329 uint64 - var x330 uint64 - x330, x329 = bits.Mul64(x5, 0x200000000) - var x331 uint64 - var x332 uint64 - x332, x331 = bits.Mul64(x5, 0xfffffffe00000001) - var x333 uint64 - var x334 uint1 - x333, x334 = addcarryxU64(x332, x329, 
0x0) - var x335 uint64 - var x336 uint1 - x335, x336 = addcarryxU64(x330, x327, x334) - var x337 uint64 - var x338 uint1 - x337, x338 = addcarryxU64(x328, x325, x336) - var x339 uint64 - var x340 uint1 - x339, x340 = addcarryxU64(x326, x5, x338) - var x341 uint64 - var x342 uint1 - x341, x342 = addcarryxU64(x313, x331, 0x0) - var x343 uint64 - var x344 uint1 - x343, x344 = addcarryxU64(x315, x333, x342) - var x345 uint64 - var x346 uint1 - x345, x346 = addcarryxU64(x317, x335, x344) - var x347 uint64 - var x348 uint1 - x347, x348 = addcarryxU64(x319, x337, x346) - var x349 uint64 - var x350 uint1 - x349, x350 = addcarryxU64(x321, x339, x348) - var x351 uint64 - var x352 uint1 - x351, x352 = addcarryxU64(x323, uint64(x340), x350) - var x353 uint64 - _, x353 = bits.Mul64(x341, 0x100000001) - var x355 uint64 - var x356 uint64 - x356, x355 = bits.Mul64(x353, 0xffffffffffffffff) - var x357 uint64 - var x358 uint64 - x358, x357 = bits.Mul64(x353, 0xffffffffffffffff) - var x359 uint64 - var x360 uint64 - x360, x359 = bits.Mul64(x353, 0xffffffffffffffff) - var x361 uint64 - var x362 uint64 - x362, x361 = bits.Mul64(x353, 0xfffffffffffffffe) - var x363 uint64 - var x364 uint64 - x364, x363 = bits.Mul64(x353, 0xffffffff00000000) - var x365 uint64 - var x366 uint64 - x366, x365 = bits.Mul64(x353, 0xffffffff) - var x367 uint64 - var x368 uint1 - x367, x368 = addcarryxU64(x366, x363, 0x0) - var x369 uint64 - var x370 uint1 - x369, x370 = addcarryxU64(x364, x361, x368) - var x371 uint64 - var x372 uint1 - x371, x372 = addcarryxU64(x362, x359, x370) - var x373 uint64 - var x374 uint1 - x373, x374 = addcarryxU64(x360, x357, x372) - var x375 uint64 - var x376 uint1 - x375, x376 = addcarryxU64(x358, x355, x374) - var x378 uint1 - _, x378 = addcarryxU64(x341, x365, 0x0) - var x379 uint64 - var x380 uint1 - x379, x380 = addcarryxU64(x343, x367, x378) - var x381 uint64 - var x382 uint1 - x381, x382 = addcarryxU64(x345, x369, x380) - var x383 uint64 - var x384 uint1 - x383, x384 = 
addcarryxU64(x347, x371, x382) - var x385 uint64 - var x386 uint1 - x385, x386 = addcarryxU64(x349, x373, x384) - var x387 uint64 - var x388 uint1 - x387, x388 = addcarryxU64(x351, x375, x386) - var x389 uint64 - var x390 uint1 - x389, x390 = addcarryxU64((uint64(x352) + uint64(x324)), (uint64(x376) + x356), x388) - var x391 uint64 - var x392 uint1 - x391, x392 = subborrowxU64(x379, 0xffffffff, 0x0) - var x393 uint64 - var x394 uint1 - x393, x394 = subborrowxU64(x381, 0xffffffff00000000, x392) - var x395 uint64 - var x396 uint1 - x395, x396 = subborrowxU64(x383, 0xfffffffffffffffe, x394) - var x397 uint64 - var x398 uint1 - x397, x398 = subborrowxU64(x385, 0xffffffffffffffff, x396) - var x399 uint64 - var x400 uint1 - x399, x400 = subborrowxU64(x387, 0xffffffffffffffff, x398) - var x401 uint64 - var x402 uint1 - x401, x402 = subborrowxU64(x389, 0xffffffffffffffff, x400) - var x404 uint1 - _, x404 = subborrowxU64(uint64(x390), uint64(0x0), x402) - var x405 uint64 - cmovznzU64(&x405, x404, x391, x379) - var x406 uint64 - cmovznzU64(&x406, x404, x393, x381) - var x407 uint64 - cmovznzU64(&x407, x404, x395, x383) - var x408 uint64 - cmovznzU64(&x408, x404, x397, x385) - var x409 uint64 - cmovznzU64(&x409, x404, x399, x387) - var x410 uint64 - cmovznzU64(&x410, x404, x401, x389) - out1[0] = x405 - out1[1] = x406 - out1[2] = x407 - out1[3] = x408 - out1[4] = x409 - out1[5] = x410 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[0] + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x6, 0x200000000) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x6, 0xfffffffe00000000) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x6, 0x200000000) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(x6, 0xfffffffe00000001) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x14, x11, 0x0) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x12, x9, x16) + var x19 uint64 + var x20 uint1 + x19, x20 = 
addcarryxU64(x10, x7, x18) + var x21 uint64 + var x22 uint1 + x21, x22 = addcarryxU64(x8, x6, x20) + var x23 uint64 + _, x23 = bits.Mul64(x13, 0x100000001) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(x23, 0xffffffffffffffff) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(x23, 0xffffffffffffffff) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(x23, 0xffffffffffffffff) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(x23, 0xfffffffffffffffe) + var x33 uint64 + var x34 uint64 + x34, x33 = bits.Mul64(x23, 0xffffffff00000000) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(x23, 0xffffffff) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x36, x33, 0x0) + var x39 uint64 + var x40 uint1 + x39, x40 = addcarryxU64(x34, x31, x38) + var x41 uint64 + var x42 uint1 + x41, x42 = addcarryxU64(x32, x29, x40) + var x43 uint64 + var x44 uint1 + x43, x44 = addcarryxU64(x30, x27, x42) + var x45 uint64 + var x46 uint1 + x45, x46 = addcarryxU64(x28, x25, x44) + var x48 uint1 + _, x48 = addcarryxU64(x13, x35, 0x0) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x15, x37, x48) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x17, x39, x50) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x19, x41, x52) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x21, x43, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(uint64(x22), x45, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(uint64(0x0), (uint64(x46) + x26), x58) + var x61 uint64 + var x62 uint64 + x62, x61 = bits.Mul64(x1, 0x200000000) + var x63 uint64 + var x64 uint64 + x64, x63 = bits.Mul64(x1, 0xfffffffe00000000) + var x65 uint64 + var x66 uint64 + x66, x65 = bits.Mul64(x1, 0x200000000) + var x67 uint64 + var x68 uint64 + x68, x67 = bits.Mul64(x1, 0xfffffffe00000001) + var x69 uint64 + var x70 uint1 + x69, x70 = addcarryxU64(x68, x65, 0x0) + var x71 uint64 + var x72 uint1 + x71, x72 = addcarryxU64(x66, 
x63, x70) + var x73 uint64 + var x74 uint1 + x73, x74 = addcarryxU64(x64, x61, x72) + var x75 uint64 + var x76 uint1 + x75, x76 = addcarryxU64(x62, x1, x74) + var x77 uint64 + var x78 uint1 + x77, x78 = addcarryxU64(x49, x67, 0x0) + var x79 uint64 + var x80 uint1 + x79, x80 = addcarryxU64(x51, x69, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x53, x71, x80) + var x83 uint64 + var x84 uint1 + x83, x84 = addcarryxU64(x55, x73, x82) + var x85 uint64 + var x86 uint1 + x85, x86 = addcarryxU64(x57, x75, x84) + var x87 uint64 + var x88 uint1 + x87, x88 = addcarryxU64(x59, uint64(x76), x86) + var x89 uint64 + _, x89 = bits.Mul64(x77, 0x100000001) + var x91 uint64 + var x92 uint64 + x92, x91 = bits.Mul64(x89, 0xffffffffffffffff) + var x93 uint64 + var x94 uint64 + x94, x93 = bits.Mul64(x89, 0xffffffffffffffff) + var x95 uint64 + var x96 uint64 + x96, x95 = bits.Mul64(x89, 0xffffffffffffffff) + var x97 uint64 + var x98 uint64 + x98, x97 = bits.Mul64(x89, 0xfffffffffffffffe) + var x99 uint64 + var x100 uint64 + x100, x99 = bits.Mul64(x89, 0xffffffff00000000) + var x101 uint64 + var x102 uint64 + x102, x101 = bits.Mul64(x89, 0xffffffff) + var x103 uint64 + var x104 uint1 + x103, x104 = addcarryxU64(x102, x99, 0x0) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x100, x97, x104) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x98, x95, x106) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64(x96, x93, x108) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x94, x91, x110) + var x114 uint1 + _, x114 = addcarryxU64(x77, x101, 0x0) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x79, x103, x114) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x81, x105, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(x83, x107, x118) + var x121 uint64 + var x122 uint1 + x121, x122 = addcarryxU64(x85, x109, x120) + var x123 uint64 + var x124 uint1 + x123, x124 = 
addcarryxU64(x87, x111, x122) + var x125 uint64 + var x126 uint1 + x125, x126 = addcarryxU64((uint64(x88) + uint64(x60)), (uint64(x112) + x92), x124) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(x2, 0x200000000) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x2, 0xfffffffe00000000) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(x2, 0x200000000) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(x2, 0xfffffffe00000001) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x134, x131, 0x0) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x132, x129, x136) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x130, x127, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x128, x2, x140) + var x143 uint64 + var x144 uint1 + x143, x144 = addcarryxU64(x115, x133, 0x0) + var x145 uint64 + var x146 uint1 + x145, x146 = addcarryxU64(x117, x135, x144) + var x147 uint64 + var x148 uint1 + x147, x148 = addcarryxU64(x119, x137, x146) + var x149 uint64 + var x150 uint1 + x149, x150 = addcarryxU64(x121, x139, x148) + var x151 uint64 + var x152 uint1 + x151, x152 = addcarryxU64(x123, x141, x150) + var x153 uint64 + var x154 uint1 + x153, x154 = addcarryxU64(x125, uint64(x142), x152) + var x155 uint64 + _, x155 = bits.Mul64(x143, 0x100000001) + var x157 uint64 + var x158 uint64 + x158, x157 = bits.Mul64(x155, 0xffffffffffffffff) + var x159 uint64 + var x160 uint64 + x160, x159 = bits.Mul64(x155, 0xffffffffffffffff) + var x161 uint64 + var x162 uint64 + x162, x161 = bits.Mul64(x155, 0xffffffffffffffff) + var x163 uint64 + var x164 uint64 + x164, x163 = bits.Mul64(x155, 0xfffffffffffffffe) + var x165 uint64 + var x166 uint64 + x166, x165 = bits.Mul64(x155, 0xffffffff00000000) + var x167 uint64 + var x168 uint64 + x168, x167 = bits.Mul64(x155, 0xffffffff) + var x169 uint64 + var x170 uint1 + x169, x170 = addcarryxU64(x168, x165, 0x0) + var x171 uint64 + var x172 uint1 + x171, 
x172 = addcarryxU64(x166, x163, x170) + var x173 uint64 + var x174 uint1 + x173, x174 = addcarryxU64(x164, x161, x172) + var x175 uint64 + var x176 uint1 + x175, x176 = addcarryxU64(x162, x159, x174) + var x177 uint64 + var x178 uint1 + x177, x178 = addcarryxU64(x160, x157, x176) + var x180 uint1 + _, x180 = addcarryxU64(x143, x167, 0x0) + var x181 uint64 + var x182 uint1 + x181, x182 = addcarryxU64(x145, x169, x180) + var x183 uint64 + var x184 uint1 + x183, x184 = addcarryxU64(x147, x171, x182) + var x185 uint64 + var x186 uint1 + x185, x186 = addcarryxU64(x149, x173, x184) + var x187 uint64 + var x188 uint1 + x187, x188 = addcarryxU64(x151, x175, x186) + var x189 uint64 + var x190 uint1 + x189, x190 = addcarryxU64(x153, x177, x188) + var x191 uint64 + var x192 uint1 + x191, x192 = addcarryxU64((uint64(x154) + uint64(x126)), (uint64(x178) + x158), x190) + var x193 uint64 + var x194 uint64 + x194, x193 = bits.Mul64(x3, 0x200000000) + var x195 uint64 + var x196 uint64 + x196, x195 = bits.Mul64(x3, 0xfffffffe00000000) + var x197 uint64 + var x198 uint64 + x198, x197 = bits.Mul64(x3, 0x200000000) + var x199 uint64 + var x200 uint64 + x200, x199 = bits.Mul64(x3, 0xfffffffe00000001) + var x201 uint64 + var x202 uint1 + x201, x202 = addcarryxU64(x200, x197, 0x0) + var x203 uint64 + var x204 uint1 + x203, x204 = addcarryxU64(x198, x195, x202) + var x205 uint64 + var x206 uint1 + x205, x206 = addcarryxU64(x196, x193, x204) + var x207 uint64 + var x208 uint1 + x207, x208 = addcarryxU64(x194, x3, x206) + var x209 uint64 + var x210 uint1 + x209, x210 = addcarryxU64(x181, x199, 0x0) + var x211 uint64 + var x212 uint1 + x211, x212 = addcarryxU64(x183, x201, x210) + var x213 uint64 + var x214 uint1 + x213, x214 = addcarryxU64(x185, x203, x212) + var x215 uint64 + var x216 uint1 + x215, x216 = addcarryxU64(x187, x205, x214) + var x217 uint64 + var x218 uint1 + x217, x218 = addcarryxU64(x189, x207, x216) + var x219 uint64 + var x220 uint1 + x219, x220 = addcarryxU64(x191, 
uint64(x208), x218) + var x221 uint64 + _, x221 = bits.Mul64(x209, 0x100000001) + var x223 uint64 + var x224 uint64 + x224, x223 = bits.Mul64(x221, 0xffffffffffffffff) + var x225 uint64 + var x226 uint64 + x226, x225 = bits.Mul64(x221, 0xffffffffffffffff) + var x227 uint64 + var x228 uint64 + x228, x227 = bits.Mul64(x221, 0xffffffffffffffff) + var x229 uint64 + var x230 uint64 + x230, x229 = bits.Mul64(x221, 0xfffffffffffffffe) + var x231 uint64 + var x232 uint64 + x232, x231 = bits.Mul64(x221, 0xffffffff00000000) + var x233 uint64 + var x234 uint64 + x234, x233 = bits.Mul64(x221, 0xffffffff) + var x235 uint64 + var x236 uint1 + x235, x236 = addcarryxU64(x234, x231, 0x0) + var x237 uint64 + var x238 uint1 + x237, x238 = addcarryxU64(x232, x229, x236) + var x239 uint64 + var x240 uint1 + x239, x240 = addcarryxU64(x230, x227, x238) + var x241 uint64 + var x242 uint1 + x241, x242 = addcarryxU64(x228, x225, x240) + var x243 uint64 + var x244 uint1 + x243, x244 = addcarryxU64(x226, x223, x242) + var x246 uint1 + _, x246 = addcarryxU64(x209, x233, 0x0) + var x247 uint64 + var x248 uint1 + x247, x248 = addcarryxU64(x211, x235, x246) + var x249 uint64 + var x250 uint1 + x249, x250 = addcarryxU64(x213, x237, x248) + var x251 uint64 + var x252 uint1 + x251, x252 = addcarryxU64(x215, x239, x250) + var x253 uint64 + var x254 uint1 + x253, x254 = addcarryxU64(x217, x241, x252) + var x255 uint64 + var x256 uint1 + x255, x256 = addcarryxU64(x219, x243, x254) + var x257 uint64 + var x258 uint1 + x257, x258 = addcarryxU64((uint64(x220) + uint64(x192)), (uint64(x244) + x224), x256) + var x259 uint64 + var x260 uint64 + x260, x259 = bits.Mul64(x4, 0x200000000) + var x261 uint64 + var x262 uint64 + x262, x261 = bits.Mul64(x4, 0xfffffffe00000000) + var x263 uint64 + var x264 uint64 + x264, x263 = bits.Mul64(x4, 0x200000000) + var x265 uint64 + var x266 uint64 + x266, x265 = bits.Mul64(x4, 0xfffffffe00000001) + var x267 uint64 + var x268 uint1 + x267, x268 = addcarryxU64(x266, x263, 
0x0) + var x269 uint64 + var x270 uint1 + x269, x270 = addcarryxU64(x264, x261, x268) + var x271 uint64 + var x272 uint1 + x271, x272 = addcarryxU64(x262, x259, x270) + var x273 uint64 + var x274 uint1 + x273, x274 = addcarryxU64(x260, x4, x272) + var x275 uint64 + var x276 uint1 + x275, x276 = addcarryxU64(x247, x265, 0x0) + var x277 uint64 + var x278 uint1 + x277, x278 = addcarryxU64(x249, x267, x276) + var x279 uint64 + var x280 uint1 + x279, x280 = addcarryxU64(x251, x269, x278) + var x281 uint64 + var x282 uint1 + x281, x282 = addcarryxU64(x253, x271, x280) + var x283 uint64 + var x284 uint1 + x283, x284 = addcarryxU64(x255, x273, x282) + var x285 uint64 + var x286 uint1 + x285, x286 = addcarryxU64(x257, uint64(x274), x284) + var x287 uint64 + _, x287 = bits.Mul64(x275, 0x100000001) + var x289 uint64 + var x290 uint64 + x290, x289 = bits.Mul64(x287, 0xffffffffffffffff) + var x291 uint64 + var x292 uint64 + x292, x291 = bits.Mul64(x287, 0xffffffffffffffff) + var x293 uint64 + var x294 uint64 + x294, x293 = bits.Mul64(x287, 0xffffffffffffffff) + var x295 uint64 + var x296 uint64 + x296, x295 = bits.Mul64(x287, 0xfffffffffffffffe) + var x297 uint64 + var x298 uint64 + x298, x297 = bits.Mul64(x287, 0xffffffff00000000) + var x299 uint64 + var x300 uint64 + x300, x299 = bits.Mul64(x287, 0xffffffff) + var x301 uint64 + var x302 uint1 + x301, x302 = addcarryxU64(x300, x297, 0x0) + var x303 uint64 + var x304 uint1 + x303, x304 = addcarryxU64(x298, x295, x302) + var x305 uint64 + var x306 uint1 + x305, x306 = addcarryxU64(x296, x293, x304) + var x307 uint64 + var x308 uint1 + x307, x308 = addcarryxU64(x294, x291, x306) + var x309 uint64 + var x310 uint1 + x309, x310 = addcarryxU64(x292, x289, x308) + var x312 uint1 + _, x312 = addcarryxU64(x275, x299, 0x0) + var x313 uint64 + var x314 uint1 + x313, x314 = addcarryxU64(x277, x301, x312) + var x315 uint64 + var x316 uint1 + x315, x316 = addcarryxU64(x279, x303, x314) + var x317 uint64 + var x318 uint1 + x317, x318 = 
addcarryxU64(x281, x305, x316) + var x319 uint64 + var x320 uint1 + x319, x320 = addcarryxU64(x283, x307, x318) + var x321 uint64 + var x322 uint1 + x321, x322 = addcarryxU64(x285, x309, x320) + var x323 uint64 + var x324 uint1 + x323, x324 = addcarryxU64((uint64(x286) + uint64(x258)), (uint64(x310) + x290), x322) + var x325 uint64 + var x326 uint64 + x326, x325 = bits.Mul64(x5, 0x200000000) + var x327 uint64 + var x328 uint64 + x328, x327 = bits.Mul64(x5, 0xfffffffe00000000) + var x329 uint64 + var x330 uint64 + x330, x329 = bits.Mul64(x5, 0x200000000) + var x331 uint64 + var x332 uint64 + x332, x331 = bits.Mul64(x5, 0xfffffffe00000001) + var x333 uint64 + var x334 uint1 + x333, x334 = addcarryxU64(x332, x329, 0x0) + var x335 uint64 + var x336 uint1 + x335, x336 = addcarryxU64(x330, x327, x334) + var x337 uint64 + var x338 uint1 + x337, x338 = addcarryxU64(x328, x325, x336) + var x339 uint64 + var x340 uint1 + x339, x340 = addcarryxU64(x326, x5, x338) + var x341 uint64 + var x342 uint1 + x341, x342 = addcarryxU64(x313, x331, 0x0) + var x343 uint64 + var x344 uint1 + x343, x344 = addcarryxU64(x315, x333, x342) + var x345 uint64 + var x346 uint1 + x345, x346 = addcarryxU64(x317, x335, x344) + var x347 uint64 + var x348 uint1 + x347, x348 = addcarryxU64(x319, x337, x346) + var x349 uint64 + var x350 uint1 + x349, x350 = addcarryxU64(x321, x339, x348) + var x351 uint64 + var x352 uint1 + x351, x352 = addcarryxU64(x323, uint64(x340), x350) + var x353 uint64 + _, x353 = bits.Mul64(x341, 0x100000001) + var x355 uint64 + var x356 uint64 + x356, x355 = bits.Mul64(x353, 0xffffffffffffffff) + var x357 uint64 + var x358 uint64 + x358, x357 = bits.Mul64(x353, 0xffffffffffffffff) + var x359 uint64 + var x360 uint64 + x360, x359 = bits.Mul64(x353, 0xffffffffffffffff) + var x361 uint64 + var x362 uint64 + x362, x361 = bits.Mul64(x353, 0xfffffffffffffffe) + var x363 uint64 + var x364 uint64 + x364, x363 = bits.Mul64(x353, 0xffffffff00000000) + var x365 uint64 + var x366 uint64 + 
x366, x365 = bits.Mul64(x353, 0xffffffff) + var x367 uint64 + var x368 uint1 + x367, x368 = addcarryxU64(x366, x363, 0x0) + var x369 uint64 + var x370 uint1 + x369, x370 = addcarryxU64(x364, x361, x368) + var x371 uint64 + var x372 uint1 + x371, x372 = addcarryxU64(x362, x359, x370) + var x373 uint64 + var x374 uint1 + x373, x374 = addcarryxU64(x360, x357, x372) + var x375 uint64 + var x376 uint1 + x375, x376 = addcarryxU64(x358, x355, x374) + var x378 uint1 + _, x378 = addcarryxU64(x341, x365, 0x0) + var x379 uint64 + var x380 uint1 + x379, x380 = addcarryxU64(x343, x367, x378) + var x381 uint64 + var x382 uint1 + x381, x382 = addcarryxU64(x345, x369, x380) + var x383 uint64 + var x384 uint1 + x383, x384 = addcarryxU64(x347, x371, x382) + var x385 uint64 + var x386 uint1 + x385, x386 = addcarryxU64(x349, x373, x384) + var x387 uint64 + var x388 uint1 + x387, x388 = addcarryxU64(x351, x375, x386) + var x389 uint64 + var x390 uint1 + x389, x390 = addcarryxU64((uint64(x352) + uint64(x324)), (uint64(x376) + x356), x388) + var x391 uint64 + var x392 uint1 + x391, x392 = subborrowxU64(x379, 0xffffffff, 0x0) + var x393 uint64 + var x394 uint1 + x393, x394 = subborrowxU64(x381, 0xffffffff00000000, x392) + var x395 uint64 + var x396 uint1 + x395, x396 = subborrowxU64(x383, 0xfffffffffffffffe, x394) + var x397 uint64 + var x398 uint1 + x397, x398 = subborrowxU64(x385, 0xffffffffffffffff, x396) + var x399 uint64 + var x400 uint1 + x399, x400 = subborrowxU64(x387, 0xffffffffffffffff, x398) + var x401 uint64 + var x402 uint1 + x401, x402 = subborrowxU64(x389, 0xffffffffffffffff, x400) + var x404 uint1 + _, x404 = subborrowxU64(uint64(x390), uint64(0x0), x402) + var x405 uint64 + cmovznzU64(&x405, x404, x391, x379) + var x406 uint64 + cmovznzU64(&x406, x404, x393, x381) + var x407 uint64 + cmovznzU64(&x407, x404, x395, x383) + var x408 uint64 + cmovznzU64(&x408, x404, x397, x385) + var x409 uint64 + cmovznzU64(&x409, x404, x399, x387) + var x410 uint64 + cmovznzU64(&x410, x404, 
x401, x389) + out1[0] = x405 + out1[1] = x406 + out1[2] = x407 + out1[3] = x408 + out1[4] = x409 + out1[5] = x410 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func Nonzero(out1 *uint64, arg1 *[6]uint64) { - var x1 uint64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | (arg1[5])))))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | (arg1[3] | (arg1[4] | arg1[5]))))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. +// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[6]uint64, arg1 uint1, arg2 *[6]uint64, arg3 *[6]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint64 - cmovznzU64(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint64 - cmovznzU64(&x6, arg1, (arg2[5]), (arg3[5])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 + var 
x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + var x5 uint64 + cmovznzU64(&x5, arg1, arg2[4], arg3[4]) + var x6 uint64 + cmovznzU64(&x6, arg1, arg2[5], arg3[5]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[48]uint8, arg1 *[6]uint64) { - var x1 uint64 = (arg1[5]) - var x2 uint64 = (arg1[4]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[2]) - var x5 uint64 = (arg1[1]) - var x6 uint64 = (arg1[0]) - var x7 uint8 = (uint8(x6) & 0xff) - var x8 uint64 = (x6 >> 8) - var x9 uint8 = (uint8(x8) & 0xff) - var x10 uint64 = (x8 >> 8) - var x11 uint8 = (uint8(x10) & 0xff) - var x12 uint64 = (x10 >> 8) - var x13 uint8 = (uint8(x12) & 0xff) - var x14 uint64 = (x12 >> 8) - var x15 uint8 = (uint8(x14) & 0xff) - var x16 uint64 = (x14 >> 8) - var x17 uint8 = (uint8(x16) & 0xff) - var x18 uint64 = (x16 >> 8) - var x19 uint8 = (uint8(x18) & 0xff) - var x20 uint8 = uint8((x18 >> 8)) - var x21 uint8 = (uint8(x5) & 0xff) - var x22 uint64 = (x5 >> 8) - var x23 uint8 = (uint8(x22) & 0xff) - var x24 uint64 = (x22 >> 8) - var x25 uint8 = (uint8(x24) & 0xff) - var x26 uint64 = (x24 >> 8) 
- var x27 uint8 = (uint8(x26) & 0xff) - var x28 uint64 = (x26 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint64 = (x28 >> 8) - var x31 uint8 = (uint8(x30) & 0xff) - var x32 uint64 = (x30 >> 8) - var x33 uint8 = (uint8(x32) & 0xff) - var x34 uint8 = uint8((x32 >> 8)) - var x35 uint8 = (uint8(x4) & 0xff) - var x36 uint64 = (x4 >> 8) - var x37 uint8 = (uint8(x36) & 0xff) - var x38 uint64 = (x36 >> 8) - var x39 uint8 = (uint8(x38) & 0xff) - var x40 uint64 = (x38 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint64 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint64 = (x42 >> 8) - var x45 uint8 = (uint8(x44) & 0xff) - var x46 uint64 = (x44 >> 8) - var x47 uint8 = (uint8(x46) & 0xff) - var x48 uint8 = uint8((x46 >> 8)) - var x49 uint8 = (uint8(x3) & 0xff) - var x50 uint64 = (x3 >> 8) - var x51 uint8 = (uint8(x50) & 0xff) - var x52 uint64 = (x50 >> 8) - var x53 uint8 = (uint8(x52) & 0xff) - var x54 uint64 = (x52 >> 8) - var x55 uint8 = (uint8(x54) & 0xff) - var x56 uint64 = (x54 >> 8) - var x57 uint8 = (uint8(x56) & 0xff) - var x58 uint64 = (x56 >> 8) - var x59 uint8 = (uint8(x58) & 0xff) - var x60 uint64 = (x58 >> 8) - var x61 uint8 = (uint8(x60) & 0xff) - var x62 uint8 = uint8((x60 >> 8)) - var x63 uint8 = (uint8(x2) & 0xff) - var x64 uint64 = (x2 >> 8) - var x65 uint8 = (uint8(x64) & 0xff) - var x66 uint64 = (x64 >> 8) - var x67 uint8 = (uint8(x66) & 0xff) - var x68 uint64 = (x66 >> 8) - var x69 uint8 = (uint8(x68) & 0xff) - var x70 uint64 = (x68 >> 8) - var x71 uint8 = (uint8(x70) & 0xff) - var x72 uint64 = (x70 >> 8) - var x73 uint8 = (uint8(x72) & 0xff) - var x74 uint64 = (x72 >> 8) - var x75 uint8 = (uint8(x74) & 0xff) - var x76 uint8 = uint8((x74 >> 8)) - var x77 uint8 = (uint8(x1) & 0xff) - var x78 uint64 = (x1 >> 8) - var x79 uint8 = (uint8(x78) & 0xff) - var x80 uint64 = (x78 >> 8) - var x81 uint8 = (uint8(x80) & 0xff) - var x82 uint64 = (x80 >> 8) - var x83 uint8 = (uint8(x82) & 0xff) - var x84 uint64 = (x82 >> 8) - var x85 
uint8 = (uint8(x84) & 0xff) - var x86 uint64 = (x84 >> 8) - var x87 uint8 = (uint8(x86) & 0xff) - var x88 uint64 = (x86 >> 8) - var x89 uint8 = (uint8(x88) & 0xff) - var x90 uint8 = uint8((x88 >> 8)) - out1[0] = x7 - out1[1] = x9 - out1[2] = x11 - out1[3] = x13 - out1[4] = x15 - out1[5] = x17 - out1[6] = x19 - out1[7] = x20 - out1[8] = x21 - out1[9] = x23 - out1[10] = x25 - out1[11] = x27 - out1[12] = x29 - out1[13] = x31 - out1[14] = x33 - out1[15] = x34 - out1[16] = x35 - out1[17] = x37 - out1[18] = x39 - out1[19] = x41 - out1[20] = x43 - out1[21] = x45 - out1[22] = x47 - out1[23] = x48 - out1[24] = x49 - out1[25] = x51 - out1[26] = x53 - out1[27] = x55 - out1[28] = x57 - out1[29] = x59 - out1[30] = x61 - out1[31] = x62 - out1[32] = x63 - out1[33] = x65 - out1[34] = x67 - out1[35] = x69 - out1[36] = x71 - out1[37] = x73 - out1[38] = x75 - out1[39] = x76 - out1[40] = x77 - out1[41] = x79 - out1[42] = x81 - out1[43] = x83 - out1[44] = x85 - out1[45] = x87 - out1[46] = x89 - out1[47] = x90 + x1 := arg1[5] + x2 := arg1[4] + x3 := arg1[3] + x4 := arg1[2] + x5 := arg1[1] + x6 := arg1[0] + x7 := (uint8(x6) & 0xff) + x8 := (x6 >> 8) + x9 := (uint8(x8) & 0xff) + x10 := (x8 >> 8) + x11 := (uint8(x10) & 0xff) + x12 := (x10 >> 8) + x13 := (uint8(x12) & 0xff) + x14 := (x12 >> 8) + x15 := (uint8(x14) & 0xff) + x16 := (x14 >> 8) + x17 := (uint8(x16) & 0xff) + x18 := (x16 >> 8) + x19 := (uint8(x18) & 0xff) + x20 := uint8((x18 >> 8)) + x21 := (uint8(x5) & 0xff) + x22 := (x5 >> 8) + x23 := (uint8(x22) & 0xff) + x24 := (x22 >> 8) + x25 := (uint8(x24) & 0xff) + x26 := (x24 >> 8) + x27 := (uint8(x26) & 0xff) + x28 := (x26 >> 8) + x29 := (uint8(x28) & 0xff) + x30 := (x28 >> 8) + x31 := (uint8(x30) & 0xff) + x32 := (x30 >> 8) + x33 := (uint8(x32) & 0xff) + x34 := uint8((x32 >> 8)) + x35 := (uint8(x4) & 0xff) + x36 := (x4 >> 8) + x37 := (uint8(x36) & 0xff) + x38 := (x36 >> 8) + x39 := (uint8(x38) & 0xff) + x40 := (x38 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := 
(uint8(x42) & 0xff) + x44 := (x42 >> 8) + x45 := (uint8(x44) & 0xff) + x46 := (x44 >> 8) + x47 := (uint8(x46) & 0xff) + x48 := uint8((x46 >> 8)) + x49 := (uint8(x3) & 0xff) + x50 := (x3 >> 8) + x51 := (uint8(x50) & 0xff) + x52 := (x50 >> 8) + x53 := (uint8(x52) & 0xff) + x54 := (x52 >> 8) + x55 := (uint8(x54) & 0xff) + x56 := (x54 >> 8) + x57 := (uint8(x56) & 0xff) + x58 := (x56 >> 8) + x59 := (uint8(x58) & 0xff) + x60 := (x58 >> 8) + x61 := (uint8(x60) & 0xff) + x62 := uint8((x60 >> 8)) + x63 := (uint8(x2) & 0xff) + x64 := (x2 >> 8) + x65 := (uint8(x64) & 0xff) + x66 := (x64 >> 8) + x67 := (uint8(x66) & 0xff) + x68 := (x66 >> 8) + x69 := (uint8(x68) & 0xff) + x70 := (x68 >> 8) + x71 := (uint8(x70) & 0xff) + x72 := (x70 >> 8) + x73 := (uint8(x72) & 0xff) + x74 := (x72 >> 8) + x75 := (uint8(x74) & 0xff) + x76 := uint8((x74 >> 8)) + x77 := (uint8(x1) & 0xff) + x78 := (x1 >> 8) + x79 := (uint8(x78) & 0xff) + x80 := (x78 >> 8) + x81 := (uint8(x80) & 0xff) + x82 := (x80 >> 8) + x83 := (uint8(x82) & 0xff) + x84 := (x82 >> 8) + x85 := (uint8(x84) & 0xff) + x86 := (x84 >> 8) + x87 := (uint8(x86) & 0xff) + x88 := (x86 >> 8) + x89 := (uint8(x88) & 0xff) + x90 := uint8((x88 >> 8)) + out1[0] = x7 + out1[1] = x9 + out1[2] = x11 + out1[3] = x13 + out1[4] = x15 + out1[5] = x17 + out1[6] = x19 + out1[7] = x20 + out1[8] = x21 + out1[9] = x23 + out1[10] = x25 + out1[11] = x27 + out1[12] = x29 + out1[13] = x31 + out1[14] = x33 + out1[15] = x34 + out1[16] = x35 + out1[17] = x37 + out1[18] = x39 + out1[19] = x41 + out1[20] = x43 + out1[21] = x45 + out1[22] = x47 + out1[23] = x48 + out1[24] = x49 + out1[25] = x51 + out1[26] = x53 + out1[27] = x55 + out1[28] = x57 + out1[29] = x59 + out1[30] = x61 + out1[31] = x62 + out1[32] = x63 + out1[33] = x65 + out1[34] = x67 + out1[35] = x69 + out1[36] = x71 + out1[37] = x73 + out1[38] = x75 + out1[39] = x76 + out1[40] = x77 + out1[41] = x79 + out1[42] = x81 + out1[43] = x83 + out1[44] = x85 + out1[45] = x87 + out1[46] = x89 + out1[47] = x90 } -/* 
- The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. - Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromBytes(out1 *[6]uint64, arg1 *[48]uint8) { - var x1 uint64 = (uint64((arg1[47])) << 56) - var x2 uint64 = (uint64((arg1[46])) << 48) - var x3 uint64 = (uint64((arg1[45])) << 40) - var x4 uint64 = (uint64((arg1[44])) << 32) - var x5 uint64 = (uint64((arg1[43])) << 24) - var x6 uint64 = (uint64((arg1[42])) << 16) - var x7 uint64 = (uint64((arg1[41])) << 8) - var x8 uint8 = (arg1[40]) - var x9 uint64 = (uint64((arg1[39])) << 56) - var x10 uint64 = (uint64((arg1[38])) << 48) - var x11 uint64 = (uint64((arg1[37])) << 40) - var x12 uint64 = (uint64((arg1[36])) << 32) - var x13 uint64 = (uint64((arg1[35])) << 24) - var x14 uint64 = (uint64((arg1[34])) << 16) - var x15 uint64 = (uint64((arg1[33])) << 8) - var x16 uint8 = (arg1[32]) - var x17 uint64 = (uint64((arg1[31])) << 56) - var x18 uint64 = (uint64((arg1[30])) << 48) - var x19 uint64 = (uint64((arg1[29])) << 40) - var x20 uint64 = 
(uint64((arg1[28])) << 32) - var x21 uint64 = (uint64((arg1[27])) << 24) - var x22 uint64 = (uint64((arg1[26])) << 16) - var x23 uint64 = (uint64((arg1[25])) << 8) - var x24 uint8 = (arg1[24]) - var x25 uint64 = (uint64((arg1[23])) << 56) - var x26 uint64 = (uint64((arg1[22])) << 48) - var x27 uint64 = (uint64((arg1[21])) << 40) - var x28 uint64 = (uint64((arg1[20])) << 32) - var x29 uint64 = (uint64((arg1[19])) << 24) - var x30 uint64 = (uint64((arg1[18])) << 16) - var x31 uint64 = (uint64((arg1[17])) << 8) - var x32 uint8 = (arg1[16]) - var x33 uint64 = (uint64((arg1[15])) << 56) - var x34 uint64 = (uint64((arg1[14])) << 48) - var x35 uint64 = (uint64((arg1[13])) << 40) - var x36 uint64 = (uint64((arg1[12])) << 32) - var x37 uint64 = (uint64((arg1[11])) << 24) - var x38 uint64 = (uint64((arg1[10])) << 16) - var x39 uint64 = (uint64((arg1[9])) << 8) - var x40 uint8 = (arg1[8]) - var x41 uint64 = (uint64((arg1[7])) << 56) - var x42 uint64 = (uint64((arg1[6])) << 48) - var x43 uint64 = (uint64((arg1[5])) << 40) - var x44 uint64 = (uint64((arg1[4])) << 32) - var x45 uint64 = (uint64((arg1[3])) << 24) - var x46 uint64 = (uint64((arg1[2])) << 16) - var x47 uint64 = (uint64((arg1[1])) << 8) - var x48 uint8 = (arg1[0]) - var x49 uint64 = (x47 + uint64(x48)) - var x50 uint64 = (x46 + x49) - var x51 uint64 = (x45 + x50) - var x52 uint64 = (x44 + x51) - var x53 uint64 = (x43 + x52) - var x54 uint64 = (x42 + x53) - var x55 uint64 = (x41 + x54) - var x56 uint64 = (x39 + uint64(x40)) - var x57 uint64 = (x38 + x56) - var x58 uint64 = (x37 + x57) - var x59 uint64 = (x36 + x58) - var x60 uint64 = (x35 + x59) - var x61 uint64 = (x34 + x60) - var x62 uint64 = (x33 + x61) - var x63 uint64 = (x31 + uint64(x32)) - var x64 uint64 = (x30 + x63) - var x65 uint64 = (x29 + x64) - var x66 uint64 = (x28 + x65) - var x67 uint64 = (x27 + x66) - var x68 uint64 = (x26 + x67) - var x69 uint64 = (x25 + x68) - var x70 uint64 = (x23 + uint64(x24)) - var x71 uint64 = (x22 + x70) - var x72 uint64 = 
(x21 + x71) - var x73 uint64 = (x20 + x72) - var x74 uint64 = (x19 + x73) - var x75 uint64 = (x18 + x74) - var x76 uint64 = (x17 + x75) - var x77 uint64 = (x15 + uint64(x16)) - var x78 uint64 = (x14 + x77) - var x79 uint64 = (x13 + x78) - var x80 uint64 = (x12 + x79) - var x81 uint64 = (x11 + x80) - var x82 uint64 = (x10 + x81) - var x83 uint64 = (x9 + x82) - var x84 uint64 = (x7 + uint64(x8)) - var x85 uint64 = (x6 + x84) - var x86 uint64 = (x5 + x85) - var x87 uint64 = (x4 + x86) - var x88 uint64 = (x3 + x87) - var x89 uint64 = (x2 + x88) - var x90 uint64 = (x1 + x89) - out1[0] = x55 - out1[1] = x62 - out1[2] = x69 - out1[3] = x76 - out1[4] = x83 - out1[5] = x90 + x1 := (uint64(arg1[47]) << 56) + x2 := (uint64(arg1[46]) << 48) + x3 := (uint64(arg1[45]) << 40) + x4 := (uint64(arg1[44]) << 32) + x5 := (uint64(arg1[43]) << 24) + x6 := (uint64(arg1[42]) << 16) + x7 := (uint64(arg1[41]) << 8) + x8 := arg1[40] + x9 := (uint64(arg1[39]) << 56) + x10 := (uint64(arg1[38]) << 48) + x11 := (uint64(arg1[37]) << 40) + x12 := (uint64(arg1[36]) << 32) + x13 := (uint64(arg1[35]) << 24) + x14 := (uint64(arg1[34]) << 16) + x15 := (uint64(arg1[33]) << 8) + x16 := arg1[32] + x17 := (uint64(arg1[31]) << 56) + x18 := (uint64(arg1[30]) << 48) + x19 := (uint64(arg1[29]) << 40) + x20 := (uint64(arg1[28]) << 32) + x21 := (uint64(arg1[27]) << 24) + x22 := (uint64(arg1[26]) << 16) + x23 := (uint64(arg1[25]) << 8) + x24 := arg1[24] + x25 := (uint64(arg1[23]) << 56) + x26 := (uint64(arg1[22]) << 48) + x27 := (uint64(arg1[21]) << 40) + x28 := (uint64(arg1[20]) << 32) + x29 := (uint64(arg1[19]) << 24) + x30 := (uint64(arg1[18]) << 16) + x31 := (uint64(arg1[17]) << 8) + x32 := arg1[16] + x33 := (uint64(arg1[15]) << 56) + x34 := (uint64(arg1[14]) << 48) + x35 := (uint64(arg1[13]) << 40) + x36 := (uint64(arg1[12]) << 32) + x37 := (uint64(arg1[11]) << 24) + x38 := (uint64(arg1[10]) << 16) + x39 := (uint64(arg1[9]) << 8) + x40 := arg1[8] + x41 := (uint64(arg1[7]) << 56) + x42 := (uint64(arg1[6]) << 
48) + x43 := (uint64(arg1[5]) << 40) + x44 := (uint64(arg1[4]) << 32) + x45 := (uint64(arg1[3]) << 24) + x46 := (uint64(arg1[2]) << 16) + x47 := (uint64(arg1[1]) << 8) + x48 := arg1[0] + x49 := (x47 + uint64(x48)) + x50 := (x46 + x49) + x51 := (x45 + x50) + x52 := (x44 + x51) + x53 := (x43 + x52) + x54 := (x42 + x53) + x55 := (x41 + x54) + x56 := (x39 + uint64(x40)) + x57 := (x38 + x56) + x58 := (x37 + x57) + x59 := (x36 + x58) + x60 := (x35 + x59) + x61 := (x34 + x60) + x62 := (x33 + x61) + x63 := (x31 + uint64(x32)) + x64 := (x30 + x63) + x65 := (x29 + x64) + x66 := (x28 + x65) + x67 := (x27 + x66) + x68 := (x26 + x67) + x69 := (x25 + x68) + x70 := (x23 + uint64(x24)) + x71 := (x22 + x70) + x72 := (x21 + x71) + x73 := (x20 + x72) + x74 := (x19 + x73) + x75 := (x18 + x74) + x76 := (x17 + x75) + x77 := (x15 + uint64(x16)) + x78 := (x14 + x77) + x79 := (x13 + x78) + x80 := (x12 + x79) + x81 := (x11 + x80) + x82 := (x10 + x81) + x83 := (x9 + x82) + x84 := (x7 + uint64(x8)) + x85 := (x6 + x84) + x86 := (x5 + x85) + x87 := (x4 + x86) + x88 := (x3 + x87) + x89 := (x2 + x88) + x90 := (x1 + x89) + out1[0] = x55 + out1[1] = x62 + out1[2] = x69 + out1[3] = x76 + out1[4] = x83 + out1[5] = x90 } -/* - The function SetOne returns the field element one in the Montgomery domain. - Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. 
+// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func SetOne(out1 *[6]uint64) { - out1[0] = 0xffffffff00000001 - out1[1] = 0xffffffff - out1[2] = uint64(0x1) - out1[3] = uint64(0x0) - out1[4] = uint64(0x0) - out1[5] = uint64(0x0) + out1[0] = 0xffffffff00000001 + out1[1] = 0xffffffff + out1[2] = uint64(0x1) + out1[3] = uint64(0x0) + out1[4] = uint64(0x0) + out1[5] = uint64(0x0) } -/* - The function Msat returns the saturated representation of the prime modulus. - Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. +// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Msat(out1 *[7]uint64) { - out1[0] = 0xffffffff - out1[1] = 0xffffffff00000000 - out1[2] = 0xfffffffffffffffe - out1[3] = 0xffffffffffffffff - out1[4] = 0xffffffffffffffff - out1[5] = 0xffffffffffffffff - out1[6] = uint64(0x0) + out1[0] = 0xffffffff + out1[1] = 0xffffffff00000000 + out1[2] = 0xfffffffffffffffe + out1[3] = 0xffffffffffffffff + out1[4] = 0xffffffffffffffff + out1[5] = 0xffffffffffffffff + out1[6] = uint64(0x0) } -/* - The function Divstep computes a divstep. 
- Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffffffffffff] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - out2: [[0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. +// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffffffffffff] +// 
arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] +// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Divstep(out1 *uint64, out2 *[7]uint64, out3 *[7]uint64, out4 *[6]uint64, out5 *[6]uint64, arg1 uint64, arg2 *[7]uint64, arg3 *[7]uint64, arg4 *[6]uint64, arg5 *[6]uint64) { - var x1 uint64 - x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 63)) & (uint1((arg3[0])) & 0x1)) - var x4 uint64 - x4, _ = 
addcarryxU64((^arg1), uint64(0x1), 0x0) - var x6 uint64 - cmovznzU64(&x6, x3, arg1, x4) - var x7 uint64 - cmovznzU64(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint64 - cmovznzU64(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint64 - cmovznzU64(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint64 - cmovznzU64(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint64 - cmovznzU64(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint64 - cmovznzU64(&x12, x3, (arg2[5]), (arg3[5])) - var x13 uint64 - cmovznzU64(&x13, x3, (arg2[6]), (arg3[6])) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(uint64(0x1), (^(arg2[0])), 0x0) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(uint64(0x0), (^(arg2[1])), x15) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(uint64(0x0), (^(arg2[2])), x17) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(uint64(0x0), (^(arg2[3])), x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(uint64(0x0), (^(arg2[4])), x21) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(uint64(0x0), (^(arg2[5])), x23) - var x26 uint64 - x26, _ = addcarryxU64(uint64(0x0), (^(arg2[6])), x25) - var x28 uint64 - cmovznzU64(&x28, x3, (arg3[0]), x14) - var x29 uint64 - cmovznzU64(&x29, x3, (arg3[1]), x16) - var x30 uint64 - cmovznzU64(&x30, x3, (arg3[2]), x18) - var x31 uint64 - cmovznzU64(&x31, x3, (arg3[3]), x20) - var x32 uint64 - cmovznzU64(&x32, x3, (arg3[4]), x22) - var x33 uint64 - cmovznzU64(&x33, x3, (arg3[5]), x24) - var x34 uint64 - cmovznzU64(&x34, x3, (arg3[6]), x26) - var x35 uint64 - cmovznzU64(&x35, x3, (arg4[0]), (arg5[0])) - var x36 uint64 - cmovznzU64(&x36, x3, (arg4[1]), (arg5[1])) - var x37 uint64 - cmovznzU64(&x37, x3, (arg4[2]), (arg5[2])) - var x38 uint64 - cmovznzU64(&x38, x3, (arg4[3]), (arg5[3])) - var x39 uint64 - cmovznzU64(&x39, x3, (arg4[4]), (arg5[4])) - var x40 uint64 - cmovznzU64(&x40, x3, (arg4[5]), (arg5[5])) - var x41 uint64 - var x42 uint1 - x41, x42 = addcarryxU64(x35, x35, 0x0) - var x43 uint64 - var x44 
uint1 - x43, x44 = addcarryxU64(x36, x36, x42) - var x45 uint64 - var x46 uint1 - x45, x46 = addcarryxU64(x37, x37, x44) - var x47 uint64 - var x48 uint1 - x47, x48 = addcarryxU64(x38, x38, x46) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x39, x39, x48) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x40, x40, x50) - var x53 uint64 - var x54 uint1 - x53, x54 = subborrowxU64(x41, 0xffffffff, 0x0) - var x55 uint64 - var x56 uint1 - x55, x56 = subborrowxU64(x43, 0xffffffff00000000, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = subborrowxU64(x45, 0xfffffffffffffffe, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = subborrowxU64(x47, 0xffffffffffffffff, x58) - var x61 uint64 - var x62 uint1 - x61, x62 = subborrowxU64(x49, 0xffffffffffffffff, x60) - var x63 uint64 - var x64 uint1 - x63, x64 = subborrowxU64(x51, 0xffffffffffffffff, x62) - var x66 uint1 - _, x66 = subborrowxU64(uint64(x52), uint64(0x0), x64) - var x67 uint64 = (arg4[5]) - var x68 uint64 = (arg4[4]) - var x69 uint64 = (arg4[3]) - var x70 uint64 = (arg4[2]) - var x71 uint64 = (arg4[1]) - var x72 uint64 = (arg4[0]) - var x73 uint64 - var x74 uint1 - x73, x74 = subborrowxU64(uint64(0x0), x72, 0x0) - var x75 uint64 - var x76 uint1 - x75, x76 = subborrowxU64(uint64(0x0), x71, x74) - var x77 uint64 - var x78 uint1 - x77, x78 = subborrowxU64(uint64(0x0), x70, x76) - var x79 uint64 - var x80 uint1 - x79, x80 = subborrowxU64(uint64(0x0), x69, x78) - var x81 uint64 - var x82 uint1 - x81, x82 = subborrowxU64(uint64(0x0), x68, x80) - var x83 uint64 - var x84 uint1 - x83, x84 = subborrowxU64(uint64(0x0), x67, x82) - var x85 uint64 - cmovznzU64(&x85, x84, uint64(0x0), 0xffffffffffffffff) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x73, (x85 & 0xffffffff), 0x0) - var x88 uint64 - var x89 uint1 - x88, x89 = addcarryxU64(x75, (x85 & 0xffffffff00000000), x87) - var x90 uint64 - var x91 uint1 - x90, x91 = addcarryxU64(x77, (x85 & 0xfffffffffffffffe), x89) - var x92 uint64 - var 
x93 uint1 - x92, x93 = addcarryxU64(x79, x85, x91) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x81, x85, x93) - var x96 uint64 - x96, _ = addcarryxU64(x83, x85, x95) - var x98 uint64 - cmovznzU64(&x98, x3, (arg5[0]), x86) - var x99 uint64 - cmovznzU64(&x99, x3, (arg5[1]), x88) - var x100 uint64 - cmovznzU64(&x100, x3, (arg5[2]), x90) - var x101 uint64 - cmovznzU64(&x101, x3, (arg5[3]), x92) - var x102 uint64 - cmovznzU64(&x102, x3, (arg5[4]), x94) - var x103 uint64 - cmovznzU64(&x103, x3, (arg5[5]), x96) - var x104 uint1 = (uint1(x28) & 0x1) - var x105 uint64 - cmovznzU64(&x105, x104, uint64(0x0), x7) - var x106 uint64 - cmovznzU64(&x106, x104, uint64(0x0), x8) - var x107 uint64 - cmovznzU64(&x107, x104, uint64(0x0), x9) - var x108 uint64 - cmovznzU64(&x108, x104, uint64(0x0), x10) - var x109 uint64 - cmovznzU64(&x109, x104, uint64(0x0), x11) - var x110 uint64 - cmovznzU64(&x110, x104, uint64(0x0), x12) - var x111 uint64 - cmovznzU64(&x111, x104, uint64(0x0), x13) - var x112 uint64 - var x113 uint1 - x112, x113 = addcarryxU64(x28, x105, 0x0) - var x114 uint64 - var x115 uint1 - x114, x115 = addcarryxU64(x29, x106, x113) - var x116 uint64 - var x117 uint1 - x116, x117 = addcarryxU64(x30, x107, x115) - var x118 uint64 - var x119 uint1 - x118, x119 = addcarryxU64(x31, x108, x117) - var x120 uint64 - var x121 uint1 - x120, x121 = addcarryxU64(x32, x109, x119) - var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x33, x110, x121) - var x124 uint64 - x124, _ = addcarryxU64(x34, x111, x123) - var x126 uint64 - cmovznzU64(&x126, x104, uint64(0x0), x35) - var x127 uint64 - cmovznzU64(&x127, x104, uint64(0x0), x36) - var x128 uint64 - cmovznzU64(&x128, x104, uint64(0x0), x37) - var x129 uint64 - cmovznzU64(&x129, x104, uint64(0x0), x38) - var x130 uint64 - cmovznzU64(&x130, x104, uint64(0x0), x39) - var x131 uint64 - cmovznzU64(&x131, x104, uint64(0x0), x40) - var x132 uint64 - var x133 uint1 - x132, x133 = addcarryxU64(x98, x126, 0x0) - var x134 
uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x99, x127, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = addcarryxU64(x100, x128, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x101, x129, x137) - var x140 uint64 - var x141 uint1 - x140, x141 = addcarryxU64(x102, x130, x139) - var x142 uint64 - var x143 uint1 - x142, x143 = addcarryxU64(x103, x131, x141) - var x144 uint64 - var x145 uint1 - x144, x145 = subborrowxU64(x132, 0xffffffff, 0x0) - var x146 uint64 - var x147 uint1 - x146, x147 = subborrowxU64(x134, 0xffffffff00000000, x145) - var x148 uint64 - var x149 uint1 - x148, x149 = subborrowxU64(x136, 0xfffffffffffffffe, x147) - var x150 uint64 - var x151 uint1 - x150, x151 = subborrowxU64(x138, 0xffffffffffffffff, x149) - var x152 uint64 - var x153 uint1 - x152, x153 = subborrowxU64(x140, 0xffffffffffffffff, x151) - var x154 uint64 - var x155 uint1 - x154, x155 = subborrowxU64(x142, 0xffffffffffffffff, x153) - var x157 uint1 - _, x157 = subborrowxU64(uint64(x143), uint64(0x0), x155) - var x158 uint64 - x158, _ = addcarryxU64(x6, uint64(0x1), 0x0) - var x160 uint64 = ((x112 >> 1) | ((x114 << 63) & 0xffffffffffffffff)) - var x161 uint64 = ((x114 >> 1) | ((x116 << 63) & 0xffffffffffffffff)) - var x162 uint64 = ((x116 >> 1) | ((x118 << 63) & 0xffffffffffffffff)) - var x163 uint64 = ((x118 >> 1) | ((x120 << 63) & 0xffffffffffffffff)) - var x164 uint64 = ((x120 >> 1) | ((x122 << 63) & 0xffffffffffffffff)) - var x165 uint64 = ((x122 >> 1) | ((x124 << 63) & 0xffffffffffffffff)) - var x166 uint64 = ((x124 & 0x8000000000000000) | (x124 >> 1)) - var x167 uint64 - cmovznzU64(&x167, x66, x53, x41) - var x168 uint64 - cmovznzU64(&x168, x66, x55, x43) - var x169 uint64 - cmovznzU64(&x169, x66, x57, x45) - var x170 uint64 - cmovznzU64(&x170, x66, x59, x47) - var x171 uint64 - cmovznzU64(&x171, x66, x61, x49) - var x172 uint64 - cmovznzU64(&x172, x66, x63, x51) - var x173 uint64 - cmovznzU64(&x173, x157, x144, x132) - var x174 uint64 - 
cmovznzU64(&x174, x157, x146, x134) - var x175 uint64 - cmovznzU64(&x175, x157, x148, x136) - var x176 uint64 - cmovznzU64(&x176, x157, x150, x138) - var x177 uint64 - cmovznzU64(&x177, x157, x152, x140) - var x178 uint64 - cmovznzU64(&x178, x157, x154, x142) - *out1 = x158 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out2[5] = x12 - out2[6] = x13 - out3[0] = x160 - out3[1] = x161 - out3[2] = x162 - out3[3] = x163 - out3[4] = x164 - out3[5] = x165 - out3[6] = x166 - out4[0] = x167 - out4[1] = x168 - out4[2] = x169 - out4[3] = x170 - out4[4] = x171 - out4[5] = x172 - out5[0] = x173 - out5[1] = x174 - out5[2] = x175 - out5[3] = x176 - out5[4] = x177 - out5[5] = x178 + var x1 uint64 + x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + x3 := (uint1((x1 >> 63)) & (uint1(arg3[0]) & 0x1)) + var x4 uint64 + x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + var x6 uint64 + cmovznzU64(&x6, x3, arg1, x4) + var x7 uint64 + cmovznzU64(&x7, x3, arg2[0], arg3[0]) + var x8 uint64 + cmovznzU64(&x8, x3, arg2[1], arg3[1]) + var x9 uint64 + cmovznzU64(&x9, x3, arg2[2], arg3[2]) + var x10 uint64 + cmovznzU64(&x10, x3, arg2[3], arg3[3]) + var x11 uint64 + cmovznzU64(&x11, x3, arg2[4], arg3[4]) + var x12 uint64 + cmovznzU64(&x12, x3, arg2[5], arg3[5]) + var x13 uint64 + cmovznzU64(&x13, x3, arg2[6], arg3[6]) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(uint64(0x1), (^arg2[0]), 0x0) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(uint64(0x0), (^arg2[1]), x15) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(uint64(0x0), (^arg2[2]), x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(uint64(0x0), (^arg2[3]), x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(uint64(0x0), (^arg2[4]), x21) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(uint64(0x0), (^arg2[5]), x23) + var x26 uint64 + x26, _ = addcarryxU64(uint64(0x0), (^arg2[6]), x25) + var x28 uint64 + cmovznzU64(&x28, x3, arg3[0], x14) 
+ var x29 uint64 + cmovznzU64(&x29, x3, arg3[1], x16) + var x30 uint64 + cmovznzU64(&x30, x3, arg3[2], x18) + var x31 uint64 + cmovznzU64(&x31, x3, arg3[3], x20) + var x32 uint64 + cmovznzU64(&x32, x3, arg3[4], x22) + var x33 uint64 + cmovznzU64(&x33, x3, arg3[5], x24) + var x34 uint64 + cmovznzU64(&x34, x3, arg3[6], x26) + var x35 uint64 + cmovznzU64(&x35, x3, arg4[0], arg5[0]) + var x36 uint64 + cmovznzU64(&x36, x3, arg4[1], arg5[1]) + var x37 uint64 + cmovznzU64(&x37, x3, arg4[2], arg5[2]) + var x38 uint64 + cmovznzU64(&x38, x3, arg4[3], arg5[3]) + var x39 uint64 + cmovznzU64(&x39, x3, arg4[4], arg5[4]) + var x40 uint64 + cmovznzU64(&x40, x3, arg4[5], arg5[5]) + var x41 uint64 + var x42 uint1 + x41, x42 = addcarryxU64(x35, x35, 0x0) + var x43 uint64 + var x44 uint1 + x43, x44 = addcarryxU64(x36, x36, x42) + var x45 uint64 + var x46 uint1 + x45, x46 = addcarryxU64(x37, x37, x44) + var x47 uint64 + var x48 uint1 + x47, x48 = addcarryxU64(x38, x38, x46) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x39, x39, x48) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x40, x40, x50) + var x53 uint64 + var x54 uint1 + x53, x54 = subborrowxU64(x41, 0xffffffff, 0x0) + var x55 uint64 + var x56 uint1 + x55, x56 = subborrowxU64(x43, 0xffffffff00000000, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = subborrowxU64(x45, 0xfffffffffffffffe, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = subborrowxU64(x47, 0xffffffffffffffff, x58) + var x61 uint64 + var x62 uint1 + x61, x62 = subborrowxU64(x49, 0xffffffffffffffff, x60) + var x63 uint64 + var x64 uint1 + x63, x64 = subborrowxU64(x51, 0xffffffffffffffff, x62) + var x66 uint1 + _, x66 = subborrowxU64(uint64(x52), uint64(0x0), x64) + x67 := arg4[5] + x68 := arg4[4] + x69 := arg4[3] + x70 := arg4[2] + x71 := arg4[1] + x72 := arg4[0] + var x73 uint64 + var x74 uint1 + x73, x74 = subborrowxU64(uint64(0x0), x72, 0x0) + var x75 uint64 + var x76 uint1 + x75, x76 = subborrowxU64(uint64(0x0), x71, x74) + var x77 
uint64 + var x78 uint1 + x77, x78 = subborrowxU64(uint64(0x0), x70, x76) + var x79 uint64 + var x80 uint1 + x79, x80 = subborrowxU64(uint64(0x0), x69, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = subborrowxU64(uint64(0x0), x68, x80) + var x83 uint64 + var x84 uint1 + x83, x84 = subborrowxU64(uint64(0x0), x67, x82) + var x85 uint64 + cmovznzU64(&x85, x84, uint64(0x0), 0xffffffffffffffff) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x73, (x85 & 0xffffffff), 0x0) + var x88 uint64 + var x89 uint1 + x88, x89 = addcarryxU64(x75, (x85 & 0xffffffff00000000), x87) + var x90 uint64 + var x91 uint1 + x90, x91 = addcarryxU64(x77, (x85 & 0xfffffffffffffffe), x89) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x79, x85, x91) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x81, x85, x93) + var x96 uint64 + x96, _ = addcarryxU64(x83, x85, x95) + var x98 uint64 + cmovznzU64(&x98, x3, arg5[0], x86) + var x99 uint64 + cmovznzU64(&x99, x3, arg5[1], x88) + var x100 uint64 + cmovznzU64(&x100, x3, arg5[2], x90) + var x101 uint64 + cmovznzU64(&x101, x3, arg5[3], x92) + var x102 uint64 + cmovznzU64(&x102, x3, arg5[4], x94) + var x103 uint64 + cmovznzU64(&x103, x3, arg5[5], x96) + x104 := (uint1(x28) & 0x1) + var x105 uint64 + cmovznzU64(&x105, x104, uint64(0x0), x7) + var x106 uint64 + cmovznzU64(&x106, x104, uint64(0x0), x8) + var x107 uint64 + cmovznzU64(&x107, x104, uint64(0x0), x9) + var x108 uint64 + cmovznzU64(&x108, x104, uint64(0x0), x10) + var x109 uint64 + cmovznzU64(&x109, x104, uint64(0x0), x11) + var x110 uint64 + cmovznzU64(&x110, x104, uint64(0x0), x12) + var x111 uint64 + cmovznzU64(&x111, x104, uint64(0x0), x13) + var x112 uint64 + var x113 uint1 + x112, x113 = addcarryxU64(x28, x105, 0x0) + var x114 uint64 + var x115 uint1 + x114, x115 = addcarryxU64(x29, x106, x113) + var x116 uint64 + var x117 uint1 + x116, x117 = addcarryxU64(x30, x107, x115) + var x118 uint64 + var x119 uint1 + x118, x119 = addcarryxU64(x31, x108, x117) + var 
x120 uint64 + var x121 uint1 + x120, x121 = addcarryxU64(x32, x109, x119) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x33, x110, x121) + var x124 uint64 + x124, _ = addcarryxU64(x34, x111, x123) + var x126 uint64 + cmovznzU64(&x126, x104, uint64(0x0), x35) + var x127 uint64 + cmovznzU64(&x127, x104, uint64(0x0), x36) + var x128 uint64 + cmovznzU64(&x128, x104, uint64(0x0), x37) + var x129 uint64 + cmovznzU64(&x129, x104, uint64(0x0), x38) + var x130 uint64 + cmovznzU64(&x130, x104, uint64(0x0), x39) + var x131 uint64 + cmovznzU64(&x131, x104, uint64(0x0), x40) + var x132 uint64 + var x133 uint1 + x132, x133 = addcarryxU64(x98, x126, 0x0) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x99, x127, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = addcarryxU64(x100, x128, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x101, x129, x137) + var x140 uint64 + var x141 uint1 + x140, x141 = addcarryxU64(x102, x130, x139) + var x142 uint64 + var x143 uint1 + x142, x143 = addcarryxU64(x103, x131, x141) + var x144 uint64 + var x145 uint1 + x144, x145 = subborrowxU64(x132, 0xffffffff, 0x0) + var x146 uint64 + var x147 uint1 + x146, x147 = subborrowxU64(x134, 0xffffffff00000000, x145) + var x148 uint64 + var x149 uint1 + x148, x149 = subborrowxU64(x136, 0xfffffffffffffffe, x147) + var x150 uint64 + var x151 uint1 + x150, x151 = subborrowxU64(x138, 0xffffffffffffffff, x149) + var x152 uint64 + var x153 uint1 + x152, x153 = subborrowxU64(x140, 0xffffffffffffffff, x151) + var x154 uint64 + var x155 uint1 + x154, x155 = subborrowxU64(x142, 0xffffffffffffffff, x153) + var x157 uint1 + _, x157 = subborrowxU64(uint64(x143), uint64(0x0), x155) + var x158 uint64 + x158, _ = addcarryxU64(x6, uint64(0x1), 0x0) + x160 := ((x112 >> 1) | ((x114 << 63) & 0xffffffffffffffff)) + x161 := ((x114 >> 1) | ((x116 << 63) & 0xffffffffffffffff)) + x162 := ((x116 >> 1) | ((x118 << 63) & 0xffffffffffffffff)) + x163 := ((x118 >> 1) | ((x120 << 
63) & 0xffffffffffffffff)) + x164 := ((x120 >> 1) | ((x122 << 63) & 0xffffffffffffffff)) + x165 := ((x122 >> 1) | ((x124 << 63) & 0xffffffffffffffff)) + x166 := ((x124 & 0x8000000000000000) | (x124 >> 1)) + var x167 uint64 + cmovznzU64(&x167, x66, x53, x41) + var x168 uint64 + cmovznzU64(&x168, x66, x55, x43) + var x169 uint64 + cmovznzU64(&x169, x66, x57, x45) + var x170 uint64 + cmovznzU64(&x170, x66, x59, x47) + var x171 uint64 + cmovznzU64(&x171, x66, x61, x49) + var x172 uint64 + cmovznzU64(&x172, x66, x63, x51) + var x173 uint64 + cmovznzU64(&x173, x157, x144, x132) + var x174 uint64 + cmovznzU64(&x174, x157, x146, x134) + var x175 uint64 + cmovznzU64(&x175, x157, x148, x136) + var x176 uint64 + cmovznzU64(&x176, x157, x150, x138) + var x177 uint64 + cmovznzU64(&x177, x157, x152, x140) + var x178 uint64 + cmovznzU64(&x178, x157, x154, x142) + *out1 = x158 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out2[5] = x12 + out2[6] = x13 + out3[0] = x160 + out3[1] = x161 + out3[2] = x162 + out3[3] = x163 + out3[4] = x164 + out3[5] = x165 + out3[6] = x166 + out4[0] = x167 + out4[1] = x168 + out4[2] = x169 + out4[3] = x170 + out4[4] = x171 + out4[5] = x172 + out5[0] = x173 + out5[1] = x174 + out5[2] = x175 + out5[3] = x176 + out5[4] = x177 + out5[5] = x178 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
+// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func DivstepPrecomp(out1 *[6]uint64) { - out1[0] = 0xfff69400fff18fff - out1[1] = 0x2b7feffffd3ff - out1[2] = 0xfffedbfffffe97ff - out1[3] = 0x2840000002fff - out1[4] = 0x6040000050400 - out1[5] = 0xfffc480000038000 + out1[0] = 0xfff69400fff18fff + out1[1] = 0x2b7feffffd3ff + out1[2] = 0xfffedbfffffe97ff + out1[3] = 0x2840000002fff + out1[4] = 0x6040000050400 + out1[5] = 0xfffc480000038000 } - diff --git a/fiat-go/64/p434/p434.go b/fiat-go/64/p434/p434.go index 7c294e19b73..8539bdba190 100644 --- a/fiat-go/64/p434/p434.go +++ b/fiat-go/64/p434/p434.go 
@@ -1,4448 +1,4411 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p434 '' 64 '2^216 * 3^137 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): p434 - - machine_wordsize = 64 (from "64") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0x2341f271773446cfc5fd681c520567bc65c783158aea3fdc1767ae2ffffffffffffffffffffffffffffffffffffffffffffffffffffff (from "2^216 * 3^137 - 1") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in - - if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name p434 '' 64 '2^216 * 3^137 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): p434 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0x2341f271773446cfc5fd681c520567bc65c783158aea3fdc1767ae2ffffffffffffffffffffffffffffffffffffffffffffffffffffff (from "2^216 * 3^137 - 1") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. 
+// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in +// +// if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 package p434 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// 
subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU64 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Mul(out1 *[7]uint64, arg1 *[7]uint64, arg2 *[7]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - 
var x4 uint64 = (arg1[4]) - var x5 uint64 = (arg1[5]) - var x6 uint64 = (arg1[6]) - var x7 uint64 = (arg1[0]) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x7, (arg2[6])) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x7, (arg2[5])) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x7, (arg2[4])) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x7, (arg2[3])) - var x16 uint64 - var x17 uint64 - x17, x16 = bits.Mul64(x7, (arg2[2])) - var x18 uint64 - var x19 uint64 - x19, x18 = bits.Mul64(x7, (arg2[1])) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x7, (arg2[0])) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x21, x18, 0x0) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x19, x16, x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x17, x14, x25) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x15, x12, x27) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x13, x10, x29) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(x11, x8, x31) - var x34 uint64 = (uint64(x33) + x9) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64(x20, 0x2341f27177344) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64(x20, 0x6cfc5fd681c52056) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x20, 0x7bc65c783158aea3) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x20, 0xfdc1767ae2ffffff) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x20, 0xffffffffffffffff) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x20, 0xffffffffffffffff) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x20, 0xffffffffffffffff) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x48, x45, 0x0) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x46, x43, x50) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x44, x41, x52) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x42, x39, x54) - var x57 uint64 - var x58 
uint1 - x57, x58 = addcarryxU64(x40, x37, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x38, x35, x58) - var x61 uint64 = (uint64(x60) + x36) - var x63 uint1 - _, x63 = addcarryxU64(x20, x47, 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x22, x49, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x24, x51, x65) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x26, x53, x67) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x28, x55, x69) - var x72 uint64 - var x73 uint1 - x72, x73 = addcarryxU64(x30, x57, x71) - var x74 uint64 - var x75 uint1 - x74, x75 = addcarryxU64(x32, x59, x73) - var x76 uint64 - var x77 uint1 - x76, x77 = addcarryxU64(x34, x61, x75) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64(x1, (arg2[6])) - var x80 uint64 - var x81 uint64 - x81, x80 = bits.Mul64(x1, (arg2[5])) - var x82 uint64 - var x83 uint64 - x83, x82 = bits.Mul64(x1, (arg2[4])) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x1, (arg2[3])) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x1, (arg2[2])) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64(x1, (arg2[1])) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64(x1, (arg2[0])) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x91, x88, 0x0) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x89, x86, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x87, x84, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x85, x82, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x83, x80, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x81, x78, x101) - var x104 uint64 = (uint64(x103) + x79) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x64, x90, 0x0) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x66, x92, x106) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64(x68, x94, x108) - var x111 uint64 - var 
x112 uint1 - x111, x112 = addcarryxU64(x70, x96, x110) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x72, x98, x112) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x74, x100, x114) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x76, x102, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(uint64(x77), x104, x118) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64(x105, 0x2341f27177344) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x105, 0x6cfc5fd681c52056) - var x125 uint64 - var x126 uint64 - x126, x125 = bits.Mul64(x105, 0x7bc65c783158aea3) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x105, 0xfdc1767ae2ffffff) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x105, 0xffffffffffffffff) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x105, 0xffffffffffffffff) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x105, 0xffffffffffffffff) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x134, x131, 0x0) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x132, x129, x136) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x130, x127, x138) - var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x128, x125, x140) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(x126, x123, x142) - var x145 uint64 - var x146 uint1 - x145, x146 = addcarryxU64(x124, x121, x144) - var x147 uint64 = (uint64(x146) + x122) - var x149 uint1 - _, x149 = addcarryxU64(x105, x133, 0x0) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x107, x135, x149) - var x152 uint64 - var x153 uint1 - x152, x153 = addcarryxU64(x109, x137, x151) - var x154 uint64 - var x155 uint1 - x154, x155 = addcarryxU64(x111, x139, x153) - var x156 uint64 - var x157 uint1 - x156, x157 = addcarryxU64(x113, x141, x155) - var x158 uint64 - var x159 uint1 - x158, x159 = addcarryxU64(x115, x143, x157) - var x160 
uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x117, x145, x159) - var x162 uint64 - var x163 uint1 - x162, x163 = addcarryxU64(x119, x147, x161) - var x164 uint64 = (uint64(x163) + uint64(x120)) - var x165 uint64 - var x166 uint64 - x166, x165 = bits.Mul64(x2, (arg2[6])) - var x167 uint64 - var x168 uint64 - x168, x167 = bits.Mul64(x2, (arg2[5])) - var x169 uint64 - var x170 uint64 - x170, x169 = bits.Mul64(x2, (arg2[4])) - var x171 uint64 - var x172 uint64 - x172, x171 = bits.Mul64(x2, (arg2[3])) - var x173 uint64 - var x174 uint64 - x174, x173 = bits.Mul64(x2, (arg2[2])) - var x175 uint64 - var x176 uint64 - x176, x175 = bits.Mul64(x2, (arg2[1])) - var x177 uint64 - var x178 uint64 - x178, x177 = bits.Mul64(x2, (arg2[0])) - var x179 uint64 - var x180 uint1 - x179, x180 = addcarryxU64(x178, x175, 0x0) - var x181 uint64 - var x182 uint1 - x181, x182 = addcarryxU64(x176, x173, x180) - var x183 uint64 - var x184 uint1 - x183, x184 = addcarryxU64(x174, x171, x182) - var x185 uint64 - var x186 uint1 - x185, x186 = addcarryxU64(x172, x169, x184) - var x187 uint64 - var x188 uint1 - x187, x188 = addcarryxU64(x170, x167, x186) - var x189 uint64 - var x190 uint1 - x189, x190 = addcarryxU64(x168, x165, x188) - var x191 uint64 = (uint64(x190) + x166) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(x150, x177, 0x0) - var x194 uint64 - var x195 uint1 - x194, x195 = addcarryxU64(x152, x179, x193) - var x196 uint64 - var x197 uint1 - x196, x197 = addcarryxU64(x154, x181, x195) - var x198 uint64 - var x199 uint1 - x198, x199 = addcarryxU64(x156, x183, x197) - var x200 uint64 - var x201 uint1 - x200, x201 = addcarryxU64(x158, x185, x199) - var x202 uint64 - var x203 uint1 - x202, x203 = addcarryxU64(x160, x187, x201) - var x204 uint64 - var x205 uint1 - x204, x205 = addcarryxU64(x162, x189, x203) - var x206 uint64 - var x207 uint1 - x206, x207 = addcarryxU64(x164, x191, x205) - var x208 uint64 - var x209 uint64 - x209, x208 = bits.Mul64(x192, 0x2341f27177344) 
- var x210 uint64 - var x211 uint64 - x211, x210 = bits.Mul64(x192, 0x6cfc5fd681c52056) - var x212 uint64 - var x213 uint64 - x213, x212 = bits.Mul64(x192, 0x7bc65c783158aea3) - var x214 uint64 - var x215 uint64 - x215, x214 = bits.Mul64(x192, 0xfdc1767ae2ffffff) - var x216 uint64 - var x217 uint64 - x217, x216 = bits.Mul64(x192, 0xffffffffffffffff) - var x218 uint64 - var x219 uint64 - x219, x218 = bits.Mul64(x192, 0xffffffffffffffff) - var x220 uint64 - var x221 uint64 - x221, x220 = bits.Mul64(x192, 0xffffffffffffffff) - var x222 uint64 - var x223 uint1 - x222, x223 = addcarryxU64(x221, x218, 0x0) - var x224 uint64 - var x225 uint1 - x224, x225 = addcarryxU64(x219, x216, x223) - var x226 uint64 - var x227 uint1 - x226, x227 = addcarryxU64(x217, x214, x225) - var x228 uint64 - var x229 uint1 - x228, x229 = addcarryxU64(x215, x212, x227) - var x230 uint64 - var x231 uint1 - x230, x231 = addcarryxU64(x213, x210, x229) - var x232 uint64 - var x233 uint1 - x232, x233 = addcarryxU64(x211, x208, x231) - var x234 uint64 = (uint64(x233) + x209) - var x236 uint1 - _, x236 = addcarryxU64(x192, x220, 0x0) - var x237 uint64 - var x238 uint1 - x237, x238 = addcarryxU64(x194, x222, x236) - var x239 uint64 - var x240 uint1 - x239, x240 = addcarryxU64(x196, x224, x238) - var x241 uint64 - var x242 uint1 - x241, x242 = addcarryxU64(x198, x226, x240) - var x243 uint64 - var x244 uint1 - x243, x244 = addcarryxU64(x200, x228, x242) - var x245 uint64 - var x246 uint1 - x245, x246 = addcarryxU64(x202, x230, x244) - var x247 uint64 - var x248 uint1 - x247, x248 = addcarryxU64(x204, x232, x246) - var x249 uint64 - var x250 uint1 - x249, x250 = addcarryxU64(x206, x234, x248) - var x251 uint64 = (uint64(x250) + uint64(x207)) - var x252 uint64 - var x253 uint64 - x253, x252 = bits.Mul64(x3, (arg2[6])) - var x254 uint64 - var x255 uint64 - x255, x254 = bits.Mul64(x3, (arg2[5])) - var x256 uint64 - var x257 uint64 - x257, x256 = bits.Mul64(x3, (arg2[4])) - var x258 uint64 - var x259 uint64 - 
x259, x258 = bits.Mul64(x3, (arg2[3])) - var x260 uint64 - var x261 uint64 - x261, x260 = bits.Mul64(x3, (arg2[2])) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x3, (arg2[1])) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x3, (arg2[0])) - var x266 uint64 - var x267 uint1 - x266, x267 = addcarryxU64(x265, x262, 0x0) - var x268 uint64 - var x269 uint1 - x268, x269 = addcarryxU64(x263, x260, x267) - var x270 uint64 - var x271 uint1 - x270, x271 = addcarryxU64(x261, x258, x269) - var x272 uint64 - var x273 uint1 - x272, x273 = addcarryxU64(x259, x256, x271) - var x274 uint64 - var x275 uint1 - x274, x275 = addcarryxU64(x257, x254, x273) - var x276 uint64 - var x277 uint1 - x276, x277 = addcarryxU64(x255, x252, x275) - var x278 uint64 = (uint64(x277) + x253) - var x279 uint64 - var x280 uint1 - x279, x280 = addcarryxU64(x237, x264, 0x0) - var x281 uint64 - var x282 uint1 - x281, x282 = addcarryxU64(x239, x266, x280) - var x283 uint64 - var x284 uint1 - x283, x284 = addcarryxU64(x241, x268, x282) - var x285 uint64 - var x286 uint1 - x285, x286 = addcarryxU64(x243, x270, x284) - var x287 uint64 - var x288 uint1 - x287, x288 = addcarryxU64(x245, x272, x286) - var x289 uint64 - var x290 uint1 - x289, x290 = addcarryxU64(x247, x274, x288) - var x291 uint64 - var x292 uint1 - x291, x292 = addcarryxU64(x249, x276, x290) - var x293 uint64 - var x294 uint1 - x293, x294 = addcarryxU64(x251, x278, x292) - var x295 uint64 - var x296 uint64 - x296, x295 = bits.Mul64(x279, 0x2341f27177344) - var x297 uint64 - var x298 uint64 - x298, x297 = bits.Mul64(x279, 0x6cfc5fd681c52056) - var x299 uint64 - var x300 uint64 - x300, x299 = bits.Mul64(x279, 0x7bc65c783158aea3) - var x301 uint64 - var x302 uint64 - x302, x301 = bits.Mul64(x279, 0xfdc1767ae2ffffff) - var x303 uint64 - var x304 uint64 - x304, x303 = bits.Mul64(x279, 0xffffffffffffffff) - var x305 uint64 - var x306 uint64 - x306, x305 = bits.Mul64(x279, 0xffffffffffffffff) - var x307 uint64 - var x308 
uint64 - x308, x307 = bits.Mul64(x279, 0xffffffffffffffff) - var x309 uint64 - var x310 uint1 - x309, x310 = addcarryxU64(x308, x305, 0x0) - var x311 uint64 - var x312 uint1 - x311, x312 = addcarryxU64(x306, x303, x310) - var x313 uint64 - var x314 uint1 - x313, x314 = addcarryxU64(x304, x301, x312) - var x315 uint64 - var x316 uint1 - x315, x316 = addcarryxU64(x302, x299, x314) - var x317 uint64 - var x318 uint1 - x317, x318 = addcarryxU64(x300, x297, x316) - var x319 uint64 - var x320 uint1 - x319, x320 = addcarryxU64(x298, x295, x318) - var x321 uint64 = (uint64(x320) + x296) - var x323 uint1 - _, x323 = addcarryxU64(x279, x307, 0x0) - var x324 uint64 - var x325 uint1 - x324, x325 = addcarryxU64(x281, x309, x323) - var x326 uint64 - var x327 uint1 - x326, x327 = addcarryxU64(x283, x311, x325) - var x328 uint64 - var x329 uint1 - x328, x329 = addcarryxU64(x285, x313, x327) - var x330 uint64 - var x331 uint1 - x330, x331 = addcarryxU64(x287, x315, x329) - var x332 uint64 - var x333 uint1 - x332, x333 = addcarryxU64(x289, x317, x331) - var x334 uint64 - var x335 uint1 - x334, x335 = addcarryxU64(x291, x319, x333) - var x336 uint64 - var x337 uint1 - x336, x337 = addcarryxU64(x293, x321, x335) - var x338 uint64 = (uint64(x337) + uint64(x294)) - var x339 uint64 - var x340 uint64 - x340, x339 = bits.Mul64(x4, (arg2[6])) - var x341 uint64 - var x342 uint64 - x342, x341 = bits.Mul64(x4, (arg2[5])) - var x343 uint64 - var x344 uint64 - x344, x343 = bits.Mul64(x4, (arg2[4])) - var x345 uint64 - var x346 uint64 - x346, x345 = bits.Mul64(x4, (arg2[3])) - var x347 uint64 - var x348 uint64 - x348, x347 = bits.Mul64(x4, (arg2[2])) - var x349 uint64 - var x350 uint64 - x350, x349 = bits.Mul64(x4, (arg2[1])) - var x351 uint64 - var x352 uint64 - x352, x351 = bits.Mul64(x4, (arg2[0])) - var x353 uint64 - var x354 uint1 - x353, x354 = addcarryxU64(x352, x349, 0x0) - var x355 uint64 - var x356 uint1 - x355, x356 = addcarryxU64(x350, x347, x354) - var x357 uint64 - var x358 uint1 - 
x357, x358 = addcarryxU64(x348, x345, x356) - var x359 uint64 - var x360 uint1 - x359, x360 = addcarryxU64(x346, x343, x358) - var x361 uint64 - var x362 uint1 - x361, x362 = addcarryxU64(x344, x341, x360) - var x363 uint64 - var x364 uint1 - x363, x364 = addcarryxU64(x342, x339, x362) - var x365 uint64 = (uint64(x364) + x340) - var x366 uint64 - var x367 uint1 - x366, x367 = addcarryxU64(x324, x351, 0x0) - var x368 uint64 - var x369 uint1 - x368, x369 = addcarryxU64(x326, x353, x367) - var x370 uint64 - var x371 uint1 - x370, x371 = addcarryxU64(x328, x355, x369) - var x372 uint64 - var x373 uint1 - x372, x373 = addcarryxU64(x330, x357, x371) - var x374 uint64 - var x375 uint1 - x374, x375 = addcarryxU64(x332, x359, x373) - var x376 uint64 - var x377 uint1 - x376, x377 = addcarryxU64(x334, x361, x375) - var x378 uint64 - var x379 uint1 - x378, x379 = addcarryxU64(x336, x363, x377) - var x380 uint64 - var x381 uint1 - x380, x381 = addcarryxU64(x338, x365, x379) - var x382 uint64 - var x383 uint64 - x383, x382 = bits.Mul64(x366, 0x2341f27177344) - var x384 uint64 - var x385 uint64 - x385, x384 = bits.Mul64(x366, 0x6cfc5fd681c52056) - var x386 uint64 - var x387 uint64 - x387, x386 = bits.Mul64(x366, 0x7bc65c783158aea3) - var x388 uint64 - var x389 uint64 - x389, x388 = bits.Mul64(x366, 0xfdc1767ae2ffffff) - var x390 uint64 - var x391 uint64 - x391, x390 = bits.Mul64(x366, 0xffffffffffffffff) - var x392 uint64 - var x393 uint64 - x393, x392 = bits.Mul64(x366, 0xffffffffffffffff) - var x394 uint64 - var x395 uint64 - x395, x394 = bits.Mul64(x366, 0xffffffffffffffff) - var x396 uint64 - var x397 uint1 - x396, x397 = addcarryxU64(x395, x392, 0x0) - var x398 uint64 - var x399 uint1 - x398, x399 = addcarryxU64(x393, x390, x397) - var x400 uint64 - var x401 uint1 - x400, x401 = addcarryxU64(x391, x388, x399) - var x402 uint64 - var x403 uint1 - x402, x403 = addcarryxU64(x389, x386, x401) - var x404 uint64 - var x405 uint1 - x404, x405 = addcarryxU64(x387, x384, x403) - var 
x406 uint64 - var x407 uint1 - x406, x407 = addcarryxU64(x385, x382, x405) - var x408 uint64 = (uint64(x407) + x383) - var x410 uint1 - _, x410 = addcarryxU64(x366, x394, 0x0) - var x411 uint64 - var x412 uint1 - x411, x412 = addcarryxU64(x368, x396, x410) - var x413 uint64 - var x414 uint1 - x413, x414 = addcarryxU64(x370, x398, x412) - var x415 uint64 - var x416 uint1 - x415, x416 = addcarryxU64(x372, x400, x414) - var x417 uint64 - var x418 uint1 - x417, x418 = addcarryxU64(x374, x402, x416) - var x419 uint64 - var x420 uint1 - x419, x420 = addcarryxU64(x376, x404, x418) - var x421 uint64 - var x422 uint1 - x421, x422 = addcarryxU64(x378, x406, x420) - var x423 uint64 - var x424 uint1 - x423, x424 = addcarryxU64(x380, x408, x422) - var x425 uint64 = (uint64(x424) + uint64(x381)) - var x426 uint64 - var x427 uint64 - x427, x426 = bits.Mul64(x5, (arg2[6])) - var x428 uint64 - var x429 uint64 - x429, x428 = bits.Mul64(x5, (arg2[5])) - var x430 uint64 - var x431 uint64 - x431, x430 = bits.Mul64(x5, (arg2[4])) - var x432 uint64 - var x433 uint64 - x433, x432 = bits.Mul64(x5, (arg2[3])) - var x434 uint64 - var x435 uint64 - x435, x434 = bits.Mul64(x5, (arg2[2])) - var x436 uint64 - var x437 uint64 - x437, x436 = bits.Mul64(x5, (arg2[1])) - var x438 uint64 - var x439 uint64 - x439, x438 = bits.Mul64(x5, (arg2[0])) - var x440 uint64 - var x441 uint1 - x440, x441 = addcarryxU64(x439, x436, 0x0) - var x442 uint64 - var x443 uint1 - x442, x443 = addcarryxU64(x437, x434, x441) - var x444 uint64 - var x445 uint1 - x444, x445 = addcarryxU64(x435, x432, x443) - var x446 uint64 - var x447 uint1 - x446, x447 = addcarryxU64(x433, x430, x445) - var x448 uint64 - var x449 uint1 - x448, x449 = addcarryxU64(x431, x428, x447) - var x450 uint64 - var x451 uint1 - x450, x451 = addcarryxU64(x429, x426, x449) - var x452 uint64 = (uint64(x451) + x427) - var x453 uint64 - var x454 uint1 - x453, x454 = addcarryxU64(x411, x438, 0x0) - var x455 uint64 - var x456 uint1 - x455, x456 = 
addcarryxU64(x413, x440, x454) - var x457 uint64 - var x458 uint1 - x457, x458 = addcarryxU64(x415, x442, x456) - var x459 uint64 - var x460 uint1 - x459, x460 = addcarryxU64(x417, x444, x458) - var x461 uint64 - var x462 uint1 - x461, x462 = addcarryxU64(x419, x446, x460) - var x463 uint64 - var x464 uint1 - x463, x464 = addcarryxU64(x421, x448, x462) - var x465 uint64 - var x466 uint1 - x465, x466 = addcarryxU64(x423, x450, x464) - var x467 uint64 - var x468 uint1 - x467, x468 = addcarryxU64(x425, x452, x466) - var x469 uint64 - var x470 uint64 - x470, x469 = bits.Mul64(x453, 0x2341f27177344) - var x471 uint64 - var x472 uint64 - x472, x471 = bits.Mul64(x453, 0x6cfc5fd681c52056) - var x473 uint64 - var x474 uint64 - x474, x473 = bits.Mul64(x453, 0x7bc65c783158aea3) - var x475 uint64 - var x476 uint64 - x476, x475 = bits.Mul64(x453, 0xfdc1767ae2ffffff) - var x477 uint64 - var x478 uint64 - x478, x477 = bits.Mul64(x453, 0xffffffffffffffff) - var x479 uint64 - var x480 uint64 - x480, x479 = bits.Mul64(x453, 0xffffffffffffffff) - var x481 uint64 - var x482 uint64 - x482, x481 = bits.Mul64(x453, 0xffffffffffffffff) - var x483 uint64 - var x484 uint1 - x483, x484 = addcarryxU64(x482, x479, 0x0) - var x485 uint64 - var x486 uint1 - x485, x486 = addcarryxU64(x480, x477, x484) - var x487 uint64 - var x488 uint1 - x487, x488 = addcarryxU64(x478, x475, x486) - var x489 uint64 - var x490 uint1 - x489, x490 = addcarryxU64(x476, x473, x488) - var x491 uint64 - var x492 uint1 - x491, x492 = addcarryxU64(x474, x471, x490) - var x493 uint64 - var x494 uint1 - x493, x494 = addcarryxU64(x472, x469, x492) - var x495 uint64 = (uint64(x494) + x470) - var x497 uint1 - _, x497 = addcarryxU64(x453, x481, 0x0) - var x498 uint64 - var x499 uint1 - x498, x499 = addcarryxU64(x455, x483, x497) - var x500 uint64 - var x501 uint1 - x500, x501 = addcarryxU64(x457, x485, x499) - var x502 uint64 - var x503 uint1 - x502, x503 = addcarryxU64(x459, x487, x501) - var x504 uint64 - var x505 uint1 - 
x504, x505 = addcarryxU64(x461, x489, x503) - var x506 uint64 - var x507 uint1 - x506, x507 = addcarryxU64(x463, x491, x505) - var x508 uint64 - var x509 uint1 - x508, x509 = addcarryxU64(x465, x493, x507) - var x510 uint64 - var x511 uint1 - x510, x511 = addcarryxU64(x467, x495, x509) - var x512 uint64 = (uint64(x511) + uint64(x468)) - var x513 uint64 - var x514 uint64 - x514, x513 = bits.Mul64(x6, (arg2[6])) - var x515 uint64 - var x516 uint64 - x516, x515 = bits.Mul64(x6, (arg2[5])) - var x517 uint64 - var x518 uint64 - x518, x517 = bits.Mul64(x6, (arg2[4])) - var x519 uint64 - var x520 uint64 - x520, x519 = bits.Mul64(x6, (arg2[3])) - var x521 uint64 - var x522 uint64 - x522, x521 = bits.Mul64(x6, (arg2[2])) - var x523 uint64 - var x524 uint64 - x524, x523 = bits.Mul64(x6, (arg2[1])) - var x525 uint64 - var x526 uint64 - x526, x525 = bits.Mul64(x6, (arg2[0])) - var x527 uint64 - var x528 uint1 - x527, x528 = addcarryxU64(x526, x523, 0x0) - var x529 uint64 - var x530 uint1 - x529, x530 = addcarryxU64(x524, x521, x528) - var x531 uint64 - var x532 uint1 - x531, x532 = addcarryxU64(x522, x519, x530) - var x533 uint64 - var x534 uint1 - x533, x534 = addcarryxU64(x520, x517, x532) - var x535 uint64 - var x536 uint1 - x535, x536 = addcarryxU64(x518, x515, x534) - var x537 uint64 - var x538 uint1 - x537, x538 = addcarryxU64(x516, x513, x536) - var x539 uint64 = (uint64(x538) + x514) - var x540 uint64 - var x541 uint1 - x540, x541 = addcarryxU64(x498, x525, 0x0) - var x542 uint64 - var x543 uint1 - x542, x543 = addcarryxU64(x500, x527, x541) - var x544 uint64 - var x545 uint1 - x544, x545 = addcarryxU64(x502, x529, x543) - var x546 uint64 - var x547 uint1 - x546, x547 = addcarryxU64(x504, x531, x545) - var x548 uint64 - var x549 uint1 - x548, x549 = addcarryxU64(x506, x533, x547) - var x550 uint64 - var x551 uint1 - x550, x551 = addcarryxU64(x508, x535, x549) - var x552 uint64 - var x553 uint1 - x552, x553 = addcarryxU64(x510, x537, x551) - var x554 uint64 - var x555 
uint1 - x554, x555 = addcarryxU64(x512, x539, x553) - var x556 uint64 - var x557 uint64 - x557, x556 = bits.Mul64(x540, 0x2341f27177344) - var x558 uint64 - var x559 uint64 - x559, x558 = bits.Mul64(x540, 0x6cfc5fd681c52056) - var x560 uint64 - var x561 uint64 - x561, x560 = bits.Mul64(x540, 0x7bc65c783158aea3) - var x562 uint64 - var x563 uint64 - x563, x562 = bits.Mul64(x540, 0xfdc1767ae2ffffff) - var x564 uint64 - var x565 uint64 - x565, x564 = bits.Mul64(x540, 0xffffffffffffffff) - var x566 uint64 - var x567 uint64 - x567, x566 = bits.Mul64(x540, 0xffffffffffffffff) - var x568 uint64 - var x569 uint64 - x569, x568 = bits.Mul64(x540, 0xffffffffffffffff) - var x570 uint64 - var x571 uint1 - x570, x571 = addcarryxU64(x569, x566, 0x0) - var x572 uint64 - var x573 uint1 - x572, x573 = addcarryxU64(x567, x564, x571) - var x574 uint64 - var x575 uint1 - x574, x575 = addcarryxU64(x565, x562, x573) - var x576 uint64 - var x577 uint1 - x576, x577 = addcarryxU64(x563, x560, x575) - var x578 uint64 - var x579 uint1 - x578, x579 = addcarryxU64(x561, x558, x577) - var x580 uint64 - var x581 uint1 - x580, x581 = addcarryxU64(x559, x556, x579) - var x582 uint64 = (uint64(x581) + x557) - var x584 uint1 - _, x584 = addcarryxU64(x540, x568, 0x0) - var x585 uint64 - var x586 uint1 - x585, x586 = addcarryxU64(x542, x570, x584) - var x587 uint64 - var x588 uint1 - x587, x588 = addcarryxU64(x544, x572, x586) - var x589 uint64 - var x590 uint1 - x589, x590 = addcarryxU64(x546, x574, x588) - var x591 uint64 - var x592 uint1 - x591, x592 = addcarryxU64(x548, x576, x590) - var x593 uint64 - var x594 uint1 - x593, x594 = addcarryxU64(x550, x578, x592) - var x595 uint64 - var x596 uint1 - x595, x596 = addcarryxU64(x552, x580, x594) - var x597 uint64 - var x598 uint1 - x597, x598 = addcarryxU64(x554, x582, x596) - var x599 uint64 = (uint64(x598) + uint64(x555)) - var x600 uint64 - var x601 uint1 - x600, x601 = subborrowxU64(x585, 0xffffffffffffffff, 0x0) - var x602 uint64 - var x603 uint1 - 
x602, x603 = subborrowxU64(x587, 0xffffffffffffffff, x601) - var x604 uint64 - var x605 uint1 - x604, x605 = subborrowxU64(x589, 0xffffffffffffffff, x603) - var x606 uint64 - var x607 uint1 - x606, x607 = subborrowxU64(x591, 0xfdc1767ae2ffffff, x605) - var x608 uint64 - var x609 uint1 - x608, x609 = subborrowxU64(x593, 0x7bc65c783158aea3, x607) - var x610 uint64 - var x611 uint1 - x610, x611 = subborrowxU64(x595, 0x6cfc5fd681c52056, x609) - var x612 uint64 - var x613 uint1 - x612, x613 = subborrowxU64(x597, 0x2341f27177344, x611) - var x615 uint1 - _, x615 = subborrowxU64(x599, uint64(0x0), x613) - var x616 uint64 - cmovznzU64(&x616, x615, x600, x585) - var x617 uint64 - cmovznzU64(&x617, x615, x602, x587) - var x618 uint64 - cmovznzU64(&x618, x615, x604, x589) - var x619 uint64 - cmovznzU64(&x619, x615, x606, x591) - var x620 uint64 - cmovznzU64(&x620, x615, x608, x593) - var x621 uint64 - cmovznzU64(&x621, x615, x610, x595) - var x622 uint64 - cmovznzU64(&x622, x615, x612, x597) - out1[0] = x616 - out1[1] = x617 - out1[2] = x618 - out1[3] = x619 - out1[4] = x620 - out1[5] = x621 - out1[6] = x622 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[0] + var x8 uint64 + var x9 uint64 + x9, x8 = bits.Mul64(x7, arg2[6]) + var x10 uint64 + var x11 uint64 + x11, x10 = bits.Mul64(x7, arg2[5]) + var x12 uint64 + var x13 uint64 + x13, x12 = bits.Mul64(x7, arg2[4]) + var x14 uint64 + var x15 uint64 + x15, x14 = bits.Mul64(x7, arg2[3]) + var x16 uint64 + var x17 uint64 + x17, x16 = bits.Mul64(x7, arg2[2]) + var x18 uint64 + var x19 uint64 + x19, x18 = bits.Mul64(x7, arg2[1]) + var x20 uint64 + var x21 uint64 + x21, x20 = bits.Mul64(x7, arg2[0]) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x21, x18, 0x0) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x19, x16, x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x17, x14, x25) + var x28 uint64 + var x29 uint1 + x28, x29 = 
addcarryxU64(x15, x12, x27) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x13, x10, x29) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(x11, x8, x31) + x34 := (uint64(x33) + x9) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(x20, 0x2341f27177344) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(x20, 0x6cfc5fd681c52056) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(x20, 0x7bc65c783158aea3) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(x20, 0xfdc1767ae2ffffff) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x20, 0xffffffffffffffff) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(x20, 0xffffffffffffffff) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(x20, 0xffffffffffffffff) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x48, x45, 0x0) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x46, x43, x50) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x44, x41, x52) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x42, x39, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x40, x37, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x38, x35, x58) + x61 := (uint64(x60) + x36) + var x63 uint1 + _, x63 = addcarryxU64(x20, x47, 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x22, x49, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x24, x51, x65) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x26, x53, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x28, x55, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = addcarryxU64(x30, x57, x71) + var x74 uint64 + var x75 uint1 + x74, x75 = addcarryxU64(x32, x59, x73) + var x76 uint64 + var x77 uint1 + x76, x77 = addcarryxU64(x34, x61, x75) + var x78 uint64 + var x79 uint64 + x79, x78 = bits.Mul64(x1, arg2[6]) + var x80 uint64 + var x81 uint64 + x81, x80 = bits.Mul64(x1, arg2[5]) + var x82 uint64 + var x83 
uint64 + x83, x82 = bits.Mul64(x1, arg2[4]) + var x84 uint64 + var x85 uint64 + x85, x84 = bits.Mul64(x1, arg2[3]) + var x86 uint64 + var x87 uint64 + x87, x86 = bits.Mul64(x1, arg2[2]) + var x88 uint64 + var x89 uint64 + x89, x88 = bits.Mul64(x1, arg2[1]) + var x90 uint64 + var x91 uint64 + x91, x90 = bits.Mul64(x1, arg2[0]) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x91, x88, 0x0) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x89, x86, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x87, x84, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x85, x82, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x83, x80, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x81, x78, x101) + x104 := (uint64(x103) + x79) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x64, x90, 0x0) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x66, x92, x106) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64(x68, x94, x108) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x70, x96, x110) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x72, x98, x112) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x74, x100, x114) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x76, x102, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(uint64(x77), x104, x118) + var x121 uint64 + var x122 uint64 + x122, x121 = bits.Mul64(x105, 0x2341f27177344) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(x105, 0x6cfc5fd681c52056) + var x125 uint64 + var x126 uint64 + x126, x125 = bits.Mul64(x105, 0x7bc65c783158aea3) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(x105, 0xfdc1767ae2ffffff) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x105, 0xffffffffffffffff) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(x105, 0xffffffffffffffff) + var x133 uint64 + 
var x134 uint64 + x134, x133 = bits.Mul64(x105, 0xffffffffffffffff) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x134, x131, 0x0) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x132, x129, x136) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x130, x127, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x128, x125, x140) + var x143 uint64 + var x144 uint1 + x143, x144 = addcarryxU64(x126, x123, x142) + var x145 uint64 + var x146 uint1 + x145, x146 = addcarryxU64(x124, x121, x144) + x147 := (uint64(x146) + x122) + var x149 uint1 + _, x149 = addcarryxU64(x105, x133, 0x0) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x107, x135, x149) + var x152 uint64 + var x153 uint1 + x152, x153 = addcarryxU64(x109, x137, x151) + var x154 uint64 + var x155 uint1 + x154, x155 = addcarryxU64(x111, x139, x153) + var x156 uint64 + var x157 uint1 + x156, x157 = addcarryxU64(x113, x141, x155) + var x158 uint64 + var x159 uint1 + x158, x159 = addcarryxU64(x115, x143, x157) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x117, x145, x159) + var x162 uint64 + var x163 uint1 + x162, x163 = addcarryxU64(x119, x147, x161) + x164 := (uint64(x163) + uint64(x120)) + var x165 uint64 + var x166 uint64 + x166, x165 = bits.Mul64(x2, arg2[6]) + var x167 uint64 + var x168 uint64 + x168, x167 = bits.Mul64(x2, arg2[5]) + var x169 uint64 + var x170 uint64 + x170, x169 = bits.Mul64(x2, arg2[4]) + var x171 uint64 + var x172 uint64 + x172, x171 = bits.Mul64(x2, arg2[3]) + var x173 uint64 + var x174 uint64 + x174, x173 = bits.Mul64(x2, arg2[2]) + var x175 uint64 + var x176 uint64 + x176, x175 = bits.Mul64(x2, arg2[1]) + var x177 uint64 + var x178 uint64 + x178, x177 = bits.Mul64(x2, arg2[0]) + var x179 uint64 + var x180 uint1 + x179, x180 = addcarryxU64(x178, x175, 0x0) + var x181 uint64 + var x182 uint1 + x181, x182 = addcarryxU64(x176, x173, x180) + var x183 uint64 + var x184 uint1 + x183, x184 = 
addcarryxU64(x174, x171, x182) + var x185 uint64 + var x186 uint1 + x185, x186 = addcarryxU64(x172, x169, x184) + var x187 uint64 + var x188 uint1 + x187, x188 = addcarryxU64(x170, x167, x186) + var x189 uint64 + var x190 uint1 + x189, x190 = addcarryxU64(x168, x165, x188) + x191 := (uint64(x190) + x166) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(x150, x177, 0x0) + var x194 uint64 + var x195 uint1 + x194, x195 = addcarryxU64(x152, x179, x193) + var x196 uint64 + var x197 uint1 + x196, x197 = addcarryxU64(x154, x181, x195) + var x198 uint64 + var x199 uint1 + x198, x199 = addcarryxU64(x156, x183, x197) + var x200 uint64 + var x201 uint1 + x200, x201 = addcarryxU64(x158, x185, x199) + var x202 uint64 + var x203 uint1 + x202, x203 = addcarryxU64(x160, x187, x201) + var x204 uint64 + var x205 uint1 + x204, x205 = addcarryxU64(x162, x189, x203) + var x206 uint64 + var x207 uint1 + x206, x207 = addcarryxU64(x164, x191, x205) + var x208 uint64 + var x209 uint64 + x209, x208 = bits.Mul64(x192, 0x2341f27177344) + var x210 uint64 + var x211 uint64 + x211, x210 = bits.Mul64(x192, 0x6cfc5fd681c52056) + var x212 uint64 + var x213 uint64 + x213, x212 = bits.Mul64(x192, 0x7bc65c783158aea3) + var x214 uint64 + var x215 uint64 + x215, x214 = bits.Mul64(x192, 0xfdc1767ae2ffffff) + var x216 uint64 + var x217 uint64 + x217, x216 = bits.Mul64(x192, 0xffffffffffffffff) + var x218 uint64 + var x219 uint64 + x219, x218 = bits.Mul64(x192, 0xffffffffffffffff) + var x220 uint64 + var x221 uint64 + x221, x220 = bits.Mul64(x192, 0xffffffffffffffff) + var x222 uint64 + var x223 uint1 + x222, x223 = addcarryxU64(x221, x218, 0x0) + var x224 uint64 + var x225 uint1 + x224, x225 = addcarryxU64(x219, x216, x223) + var x226 uint64 + var x227 uint1 + x226, x227 = addcarryxU64(x217, x214, x225) + var x228 uint64 + var x229 uint1 + x228, x229 = addcarryxU64(x215, x212, x227) + var x230 uint64 + var x231 uint1 + x230, x231 = addcarryxU64(x213, x210, x229) + var x232 uint64 + var x233 
uint1 + x232, x233 = addcarryxU64(x211, x208, x231) + x234 := (uint64(x233) + x209) + var x236 uint1 + _, x236 = addcarryxU64(x192, x220, 0x0) + var x237 uint64 + var x238 uint1 + x237, x238 = addcarryxU64(x194, x222, x236) + var x239 uint64 + var x240 uint1 + x239, x240 = addcarryxU64(x196, x224, x238) + var x241 uint64 + var x242 uint1 + x241, x242 = addcarryxU64(x198, x226, x240) + var x243 uint64 + var x244 uint1 + x243, x244 = addcarryxU64(x200, x228, x242) + var x245 uint64 + var x246 uint1 + x245, x246 = addcarryxU64(x202, x230, x244) + var x247 uint64 + var x248 uint1 + x247, x248 = addcarryxU64(x204, x232, x246) + var x249 uint64 + var x250 uint1 + x249, x250 = addcarryxU64(x206, x234, x248) + x251 := (uint64(x250) + uint64(x207)) + var x252 uint64 + var x253 uint64 + x253, x252 = bits.Mul64(x3, arg2[6]) + var x254 uint64 + var x255 uint64 + x255, x254 = bits.Mul64(x3, arg2[5]) + var x256 uint64 + var x257 uint64 + x257, x256 = bits.Mul64(x3, arg2[4]) + var x258 uint64 + var x259 uint64 + x259, x258 = bits.Mul64(x3, arg2[3]) + var x260 uint64 + var x261 uint64 + x261, x260 = bits.Mul64(x3, arg2[2]) + var x262 uint64 + var x263 uint64 + x263, x262 = bits.Mul64(x3, arg2[1]) + var x264 uint64 + var x265 uint64 + x265, x264 = bits.Mul64(x3, arg2[0]) + var x266 uint64 + var x267 uint1 + x266, x267 = addcarryxU64(x265, x262, 0x0) + var x268 uint64 + var x269 uint1 + x268, x269 = addcarryxU64(x263, x260, x267) + var x270 uint64 + var x271 uint1 + x270, x271 = addcarryxU64(x261, x258, x269) + var x272 uint64 + var x273 uint1 + x272, x273 = addcarryxU64(x259, x256, x271) + var x274 uint64 + var x275 uint1 + x274, x275 = addcarryxU64(x257, x254, x273) + var x276 uint64 + var x277 uint1 + x276, x277 = addcarryxU64(x255, x252, x275) + x278 := (uint64(x277) + x253) + var x279 uint64 + var x280 uint1 + x279, x280 = addcarryxU64(x237, x264, 0x0) + var x281 uint64 + var x282 uint1 + x281, x282 = addcarryxU64(x239, x266, x280) + var x283 uint64 + var x284 uint1 + x283, 
x284 = addcarryxU64(x241, x268, x282) + var x285 uint64 + var x286 uint1 + x285, x286 = addcarryxU64(x243, x270, x284) + var x287 uint64 + var x288 uint1 + x287, x288 = addcarryxU64(x245, x272, x286) + var x289 uint64 + var x290 uint1 + x289, x290 = addcarryxU64(x247, x274, x288) + var x291 uint64 + var x292 uint1 + x291, x292 = addcarryxU64(x249, x276, x290) + var x293 uint64 + var x294 uint1 + x293, x294 = addcarryxU64(x251, x278, x292) + var x295 uint64 + var x296 uint64 + x296, x295 = bits.Mul64(x279, 0x2341f27177344) + var x297 uint64 + var x298 uint64 + x298, x297 = bits.Mul64(x279, 0x6cfc5fd681c52056) + var x299 uint64 + var x300 uint64 + x300, x299 = bits.Mul64(x279, 0x7bc65c783158aea3) + var x301 uint64 + var x302 uint64 + x302, x301 = bits.Mul64(x279, 0xfdc1767ae2ffffff) + var x303 uint64 + var x304 uint64 + x304, x303 = bits.Mul64(x279, 0xffffffffffffffff) + var x305 uint64 + var x306 uint64 + x306, x305 = bits.Mul64(x279, 0xffffffffffffffff) + var x307 uint64 + var x308 uint64 + x308, x307 = bits.Mul64(x279, 0xffffffffffffffff) + var x309 uint64 + var x310 uint1 + x309, x310 = addcarryxU64(x308, x305, 0x0) + var x311 uint64 + var x312 uint1 + x311, x312 = addcarryxU64(x306, x303, x310) + var x313 uint64 + var x314 uint1 + x313, x314 = addcarryxU64(x304, x301, x312) + var x315 uint64 + var x316 uint1 + x315, x316 = addcarryxU64(x302, x299, x314) + var x317 uint64 + var x318 uint1 + x317, x318 = addcarryxU64(x300, x297, x316) + var x319 uint64 + var x320 uint1 + x319, x320 = addcarryxU64(x298, x295, x318) + x321 := (uint64(x320) + x296) + var x323 uint1 + _, x323 = addcarryxU64(x279, x307, 0x0) + var x324 uint64 + var x325 uint1 + x324, x325 = addcarryxU64(x281, x309, x323) + var x326 uint64 + var x327 uint1 + x326, x327 = addcarryxU64(x283, x311, x325) + var x328 uint64 + var x329 uint1 + x328, x329 = addcarryxU64(x285, x313, x327) + var x330 uint64 + var x331 uint1 + x330, x331 = addcarryxU64(x287, x315, x329) + var x332 uint64 + var x333 uint1 + x332, 
x333 = addcarryxU64(x289, x317, x331) + var x334 uint64 + var x335 uint1 + x334, x335 = addcarryxU64(x291, x319, x333) + var x336 uint64 + var x337 uint1 + x336, x337 = addcarryxU64(x293, x321, x335) + x338 := (uint64(x337) + uint64(x294)) + var x339 uint64 + var x340 uint64 + x340, x339 = bits.Mul64(x4, arg2[6]) + var x341 uint64 + var x342 uint64 + x342, x341 = bits.Mul64(x4, arg2[5]) + var x343 uint64 + var x344 uint64 + x344, x343 = bits.Mul64(x4, arg2[4]) + var x345 uint64 + var x346 uint64 + x346, x345 = bits.Mul64(x4, arg2[3]) + var x347 uint64 + var x348 uint64 + x348, x347 = bits.Mul64(x4, arg2[2]) + var x349 uint64 + var x350 uint64 + x350, x349 = bits.Mul64(x4, arg2[1]) + var x351 uint64 + var x352 uint64 + x352, x351 = bits.Mul64(x4, arg2[0]) + var x353 uint64 + var x354 uint1 + x353, x354 = addcarryxU64(x352, x349, 0x0) + var x355 uint64 + var x356 uint1 + x355, x356 = addcarryxU64(x350, x347, x354) + var x357 uint64 + var x358 uint1 + x357, x358 = addcarryxU64(x348, x345, x356) + var x359 uint64 + var x360 uint1 + x359, x360 = addcarryxU64(x346, x343, x358) + var x361 uint64 + var x362 uint1 + x361, x362 = addcarryxU64(x344, x341, x360) + var x363 uint64 + var x364 uint1 + x363, x364 = addcarryxU64(x342, x339, x362) + x365 := (uint64(x364) + x340) + var x366 uint64 + var x367 uint1 + x366, x367 = addcarryxU64(x324, x351, 0x0) + var x368 uint64 + var x369 uint1 + x368, x369 = addcarryxU64(x326, x353, x367) + var x370 uint64 + var x371 uint1 + x370, x371 = addcarryxU64(x328, x355, x369) + var x372 uint64 + var x373 uint1 + x372, x373 = addcarryxU64(x330, x357, x371) + var x374 uint64 + var x375 uint1 + x374, x375 = addcarryxU64(x332, x359, x373) + var x376 uint64 + var x377 uint1 + x376, x377 = addcarryxU64(x334, x361, x375) + var x378 uint64 + var x379 uint1 + x378, x379 = addcarryxU64(x336, x363, x377) + var x380 uint64 + var x381 uint1 + x380, x381 = addcarryxU64(x338, x365, x379) + var x382 uint64 + var x383 uint64 + x383, x382 = bits.Mul64(x366, 
0x2341f27177344) + var x384 uint64 + var x385 uint64 + x385, x384 = bits.Mul64(x366, 0x6cfc5fd681c52056) + var x386 uint64 + var x387 uint64 + x387, x386 = bits.Mul64(x366, 0x7bc65c783158aea3) + var x388 uint64 + var x389 uint64 + x389, x388 = bits.Mul64(x366, 0xfdc1767ae2ffffff) + var x390 uint64 + var x391 uint64 + x391, x390 = bits.Mul64(x366, 0xffffffffffffffff) + var x392 uint64 + var x393 uint64 + x393, x392 = bits.Mul64(x366, 0xffffffffffffffff) + var x394 uint64 + var x395 uint64 + x395, x394 = bits.Mul64(x366, 0xffffffffffffffff) + var x396 uint64 + var x397 uint1 + x396, x397 = addcarryxU64(x395, x392, 0x0) + var x398 uint64 + var x399 uint1 + x398, x399 = addcarryxU64(x393, x390, x397) + var x400 uint64 + var x401 uint1 + x400, x401 = addcarryxU64(x391, x388, x399) + var x402 uint64 + var x403 uint1 + x402, x403 = addcarryxU64(x389, x386, x401) + var x404 uint64 + var x405 uint1 + x404, x405 = addcarryxU64(x387, x384, x403) + var x406 uint64 + var x407 uint1 + x406, x407 = addcarryxU64(x385, x382, x405) + x408 := (uint64(x407) + x383) + var x410 uint1 + _, x410 = addcarryxU64(x366, x394, 0x0) + var x411 uint64 + var x412 uint1 + x411, x412 = addcarryxU64(x368, x396, x410) + var x413 uint64 + var x414 uint1 + x413, x414 = addcarryxU64(x370, x398, x412) + var x415 uint64 + var x416 uint1 + x415, x416 = addcarryxU64(x372, x400, x414) + var x417 uint64 + var x418 uint1 + x417, x418 = addcarryxU64(x374, x402, x416) + var x419 uint64 + var x420 uint1 + x419, x420 = addcarryxU64(x376, x404, x418) + var x421 uint64 + var x422 uint1 + x421, x422 = addcarryxU64(x378, x406, x420) + var x423 uint64 + var x424 uint1 + x423, x424 = addcarryxU64(x380, x408, x422) + x425 := (uint64(x424) + uint64(x381)) + var x426 uint64 + var x427 uint64 + x427, x426 = bits.Mul64(x5, arg2[6]) + var x428 uint64 + var x429 uint64 + x429, x428 = bits.Mul64(x5, arg2[5]) + var x430 uint64 + var x431 uint64 + x431, x430 = bits.Mul64(x5, arg2[4]) + var x432 uint64 + var x433 uint64 + x433, 
x432 = bits.Mul64(x5, arg2[3]) + var x434 uint64 + var x435 uint64 + x435, x434 = bits.Mul64(x5, arg2[2]) + var x436 uint64 + var x437 uint64 + x437, x436 = bits.Mul64(x5, arg2[1]) + var x438 uint64 + var x439 uint64 + x439, x438 = bits.Mul64(x5, arg2[0]) + var x440 uint64 + var x441 uint1 + x440, x441 = addcarryxU64(x439, x436, 0x0) + var x442 uint64 + var x443 uint1 + x442, x443 = addcarryxU64(x437, x434, x441) + var x444 uint64 + var x445 uint1 + x444, x445 = addcarryxU64(x435, x432, x443) + var x446 uint64 + var x447 uint1 + x446, x447 = addcarryxU64(x433, x430, x445) + var x448 uint64 + var x449 uint1 + x448, x449 = addcarryxU64(x431, x428, x447) + var x450 uint64 + var x451 uint1 + x450, x451 = addcarryxU64(x429, x426, x449) + x452 := (uint64(x451) + x427) + var x453 uint64 + var x454 uint1 + x453, x454 = addcarryxU64(x411, x438, 0x0) + var x455 uint64 + var x456 uint1 + x455, x456 = addcarryxU64(x413, x440, x454) + var x457 uint64 + var x458 uint1 + x457, x458 = addcarryxU64(x415, x442, x456) + var x459 uint64 + var x460 uint1 + x459, x460 = addcarryxU64(x417, x444, x458) + var x461 uint64 + var x462 uint1 + x461, x462 = addcarryxU64(x419, x446, x460) + var x463 uint64 + var x464 uint1 + x463, x464 = addcarryxU64(x421, x448, x462) + var x465 uint64 + var x466 uint1 + x465, x466 = addcarryxU64(x423, x450, x464) + var x467 uint64 + var x468 uint1 + x467, x468 = addcarryxU64(x425, x452, x466) + var x469 uint64 + var x470 uint64 + x470, x469 = bits.Mul64(x453, 0x2341f27177344) + var x471 uint64 + var x472 uint64 + x472, x471 = bits.Mul64(x453, 0x6cfc5fd681c52056) + var x473 uint64 + var x474 uint64 + x474, x473 = bits.Mul64(x453, 0x7bc65c783158aea3) + var x475 uint64 + var x476 uint64 + x476, x475 = bits.Mul64(x453, 0xfdc1767ae2ffffff) + var x477 uint64 + var x478 uint64 + x478, x477 = bits.Mul64(x453, 0xffffffffffffffff) + var x479 uint64 + var x480 uint64 + x480, x479 = bits.Mul64(x453, 0xffffffffffffffff) + var x481 uint64 + var x482 uint64 + x482, x481 = 
bits.Mul64(x453, 0xffffffffffffffff) + var x483 uint64 + var x484 uint1 + x483, x484 = addcarryxU64(x482, x479, 0x0) + var x485 uint64 + var x486 uint1 + x485, x486 = addcarryxU64(x480, x477, x484) + var x487 uint64 + var x488 uint1 + x487, x488 = addcarryxU64(x478, x475, x486) + var x489 uint64 + var x490 uint1 + x489, x490 = addcarryxU64(x476, x473, x488) + var x491 uint64 + var x492 uint1 + x491, x492 = addcarryxU64(x474, x471, x490) + var x493 uint64 + var x494 uint1 + x493, x494 = addcarryxU64(x472, x469, x492) + x495 := (uint64(x494) + x470) + var x497 uint1 + _, x497 = addcarryxU64(x453, x481, 0x0) + var x498 uint64 + var x499 uint1 + x498, x499 = addcarryxU64(x455, x483, x497) + var x500 uint64 + var x501 uint1 + x500, x501 = addcarryxU64(x457, x485, x499) + var x502 uint64 + var x503 uint1 + x502, x503 = addcarryxU64(x459, x487, x501) + var x504 uint64 + var x505 uint1 + x504, x505 = addcarryxU64(x461, x489, x503) + var x506 uint64 + var x507 uint1 + x506, x507 = addcarryxU64(x463, x491, x505) + var x508 uint64 + var x509 uint1 + x508, x509 = addcarryxU64(x465, x493, x507) + var x510 uint64 + var x511 uint1 + x510, x511 = addcarryxU64(x467, x495, x509) + x512 := (uint64(x511) + uint64(x468)) + var x513 uint64 + var x514 uint64 + x514, x513 = bits.Mul64(x6, arg2[6]) + var x515 uint64 + var x516 uint64 + x516, x515 = bits.Mul64(x6, arg2[5]) + var x517 uint64 + var x518 uint64 + x518, x517 = bits.Mul64(x6, arg2[4]) + var x519 uint64 + var x520 uint64 + x520, x519 = bits.Mul64(x6, arg2[3]) + var x521 uint64 + var x522 uint64 + x522, x521 = bits.Mul64(x6, arg2[2]) + var x523 uint64 + var x524 uint64 + x524, x523 = bits.Mul64(x6, arg2[1]) + var x525 uint64 + var x526 uint64 + x526, x525 = bits.Mul64(x6, arg2[0]) + var x527 uint64 + var x528 uint1 + x527, x528 = addcarryxU64(x526, x523, 0x0) + var x529 uint64 + var x530 uint1 + x529, x530 = addcarryxU64(x524, x521, x528) + var x531 uint64 + var x532 uint1 + x531, x532 = addcarryxU64(x522, x519, x530) + var x533 
uint64 + var x534 uint1 + x533, x534 = addcarryxU64(x520, x517, x532) + var x535 uint64 + var x536 uint1 + x535, x536 = addcarryxU64(x518, x515, x534) + var x537 uint64 + var x538 uint1 + x537, x538 = addcarryxU64(x516, x513, x536) + x539 := (uint64(x538) + x514) + var x540 uint64 + var x541 uint1 + x540, x541 = addcarryxU64(x498, x525, 0x0) + var x542 uint64 + var x543 uint1 + x542, x543 = addcarryxU64(x500, x527, x541) + var x544 uint64 + var x545 uint1 + x544, x545 = addcarryxU64(x502, x529, x543) + var x546 uint64 + var x547 uint1 + x546, x547 = addcarryxU64(x504, x531, x545) + var x548 uint64 + var x549 uint1 + x548, x549 = addcarryxU64(x506, x533, x547) + var x550 uint64 + var x551 uint1 + x550, x551 = addcarryxU64(x508, x535, x549) + var x552 uint64 + var x553 uint1 + x552, x553 = addcarryxU64(x510, x537, x551) + var x554 uint64 + var x555 uint1 + x554, x555 = addcarryxU64(x512, x539, x553) + var x556 uint64 + var x557 uint64 + x557, x556 = bits.Mul64(x540, 0x2341f27177344) + var x558 uint64 + var x559 uint64 + x559, x558 = bits.Mul64(x540, 0x6cfc5fd681c52056) + var x560 uint64 + var x561 uint64 + x561, x560 = bits.Mul64(x540, 0x7bc65c783158aea3) + var x562 uint64 + var x563 uint64 + x563, x562 = bits.Mul64(x540, 0xfdc1767ae2ffffff) + var x564 uint64 + var x565 uint64 + x565, x564 = bits.Mul64(x540, 0xffffffffffffffff) + var x566 uint64 + var x567 uint64 + x567, x566 = bits.Mul64(x540, 0xffffffffffffffff) + var x568 uint64 + var x569 uint64 + x569, x568 = bits.Mul64(x540, 0xffffffffffffffff) + var x570 uint64 + var x571 uint1 + x570, x571 = addcarryxU64(x569, x566, 0x0) + var x572 uint64 + var x573 uint1 + x572, x573 = addcarryxU64(x567, x564, x571) + var x574 uint64 + var x575 uint1 + x574, x575 = addcarryxU64(x565, x562, x573) + var x576 uint64 + var x577 uint1 + x576, x577 = addcarryxU64(x563, x560, x575) + var x578 uint64 + var x579 uint1 + x578, x579 = addcarryxU64(x561, x558, x577) + var x580 uint64 + var x581 uint1 + x580, x581 = addcarryxU64(x559, 
x556, x579) + x582 := (uint64(x581) + x557) + var x584 uint1 + _, x584 = addcarryxU64(x540, x568, 0x0) + var x585 uint64 + var x586 uint1 + x585, x586 = addcarryxU64(x542, x570, x584) + var x587 uint64 + var x588 uint1 + x587, x588 = addcarryxU64(x544, x572, x586) + var x589 uint64 + var x590 uint1 + x589, x590 = addcarryxU64(x546, x574, x588) + var x591 uint64 + var x592 uint1 + x591, x592 = addcarryxU64(x548, x576, x590) + var x593 uint64 + var x594 uint1 + x593, x594 = addcarryxU64(x550, x578, x592) + var x595 uint64 + var x596 uint1 + x595, x596 = addcarryxU64(x552, x580, x594) + var x597 uint64 + var x598 uint1 + x597, x598 = addcarryxU64(x554, x582, x596) + x599 := (uint64(x598) + uint64(x555)) + var x600 uint64 + var x601 uint1 + x600, x601 = subborrowxU64(x585, 0xffffffffffffffff, 0x0) + var x602 uint64 + var x603 uint1 + x602, x603 = subborrowxU64(x587, 0xffffffffffffffff, x601) + var x604 uint64 + var x605 uint1 + x604, x605 = subborrowxU64(x589, 0xffffffffffffffff, x603) + var x606 uint64 + var x607 uint1 + x606, x607 = subborrowxU64(x591, 0xfdc1767ae2ffffff, x605) + var x608 uint64 + var x609 uint1 + x608, x609 = subborrowxU64(x593, 0x7bc65c783158aea3, x607) + var x610 uint64 + var x611 uint1 + x610, x611 = subborrowxU64(x595, 0x6cfc5fd681c52056, x609) + var x612 uint64 + var x613 uint1 + x612, x613 = subborrowxU64(x597, 0x2341f27177344, x611) + var x615 uint1 + _, x615 = subborrowxU64(x599, uint64(0x0), x613) + var x616 uint64 + cmovznzU64(&x616, x615, x600, x585) + var x617 uint64 + cmovznzU64(&x617, x615, x602, x587) + var x618 uint64 + cmovznzU64(&x618, x615, x604, x589) + var x619 uint64 + cmovznzU64(&x619, x615, x606, x591) + var x620 uint64 + cmovznzU64(&x620, x615, x608, x593) + var x621 uint64 + cmovznzU64(&x621, x615, x610, x595) + var x622 uint64 + cmovznzU64(&x622, x615, x612, x597) + out1[0] = x616 + out1[1] = x617 + out1[2] = x618 + out1[3] = x619 + out1[4] = x620 + out1[5] = x621 + out1[6] = x622 } -/* - The function Square squares a 
field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Square(out1 *[7]uint64, arg1 *[7]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[4]) - var x5 uint64 = (arg1[5]) - var x6 uint64 = (arg1[6]) - var x7 uint64 = (arg1[0]) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x7, (arg1[6])) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x7, (arg1[5])) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x7, (arg1[4])) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x7, (arg1[3])) - var x16 uint64 - var x17 uint64 - x17, x16 = 
bits.Mul64(x7, (arg1[2])) - var x18 uint64 - var x19 uint64 - x19, x18 = bits.Mul64(x7, (arg1[1])) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x7, (arg1[0])) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x21, x18, 0x0) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x19, x16, x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x17, x14, x25) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x15, x12, x27) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x13, x10, x29) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(x11, x8, x31) - var x34 uint64 = (uint64(x33) + x9) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64(x20, 0x2341f27177344) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64(x20, 0x6cfc5fd681c52056) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x20, 0x7bc65c783158aea3) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x20, 0xfdc1767ae2ffffff) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x20, 0xffffffffffffffff) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x20, 0xffffffffffffffff) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x20, 0xffffffffffffffff) - var x49 uint64 - var x50 uint1 - x49, x50 = addcarryxU64(x48, x45, 0x0) - var x51 uint64 - var x52 uint1 - x51, x52 = addcarryxU64(x46, x43, x50) - var x53 uint64 - var x54 uint1 - x53, x54 = addcarryxU64(x44, x41, x52) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x42, x39, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x40, x37, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x38, x35, x58) - var x61 uint64 = (uint64(x60) + x36) - var x63 uint1 - _, x63 = addcarryxU64(x20, x47, 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x22, x49, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x24, x51, x65) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x26, x53, x67) - var 
x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x28, x55, x69) - var x72 uint64 - var x73 uint1 - x72, x73 = addcarryxU64(x30, x57, x71) - var x74 uint64 - var x75 uint1 - x74, x75 = addcarryxU64(x32, x59, x73) - var x76 uint64 - var x77 uint1 - x76, x77 = addcarryxU64(x34, x61, x75) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64(x1, (arg1[6])) - var x80 uint64 - var x81 uint64 - x81, x80 = bits.Mul64(x1, (arg1[5])) - var x82 uint64 - var x83 uint64 - x83, x82 = bits.Mul64(x1, (arg1[4])) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x1, (arg1[3])) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x1, (arg1[2])) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64(x1, (arg1[1])) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64(x1, (arg1[0])) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x91, x88, 0x0) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x89, x86, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x87, x84, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x85, x82, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x83, x80, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x81, x78, x101) - var x104 uint64 = (uint64(x103) + x79) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x64, x90, 0x0) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x66, x92, x106) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64(x68, x94, x108) - var x111 uint64 - var x112 uint1 - x111, x112 = addcarryxU64(x70, x96, x110) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x72, x98, x112) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x74, x100, x114) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x76, x102, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(uint64(x77), x104, x118) - var x121 uint64 - var x122 uint64 - x122, x121 = 
bits.Mul64(x105, 0x2341f27177344) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x105, 0x6cfc5fd681c52056) - var x125 uint64 - var x126 uint64 - x126, x125 = bits.Mul64(x105, 0x7bc65c783158aea3) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x105, 0xfdc1767ae2ffffff) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x105, 0xffffffffffffffff) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x105, 0xffffffffffffffff) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x105, 0xffffffffffffffff) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x134, x131, 0x0) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x132, x129, x136) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x130, x127, x138) - var x141 uint64 - var x142 uint1 - x141, x142 = addcarryxU64(x128, x125, x140) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(x126, x123, x142) - var x145 uint64 - var x146 uint1 - x145, x146 = addcarryxU64(x124, x121, x144) - var x147 uint64 = (uint64(x146) + x122) - var x149 uint1 - _, x149 = addcarryxU64(x105, x133, 0x0) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x107, x135, x149) - var x152 uint64 - var x153 uint1 - x152, x153 = addcarryxU64(x109, x137, x151) - var x154 uint64 - var x155 uint1 - x154, x155 = addcarryxU64(x111, x139, x153) - var x156 uint64 - var x157 uint1 - x156, x157 = addcarryxU64(x113, x141, x155) - var x158 uint64 - var x159 uint1 - x158, x159 = addcarryxU64(x115, x143, x157) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x117, x145, x159) - var x162 uint64 - var x163 uint1 - x162, x163 = addcarryxU64(x119, x147, x161) - var x164 uint64 = (uint64(x163) + uint64(x120)) - var x165 uint64 - var x166 uint64 - x166, x165 = bits.Mul64(x2, (arg1[6])) - var x167 uint64 - var x168 uint64 - x168, x167 = bits.Mul64(x2, (arg1[5])) - var x169 uint64 - var x170 uint64 - x170, x169 = bits.Mul64(x2, (arg1[4])) - 
var x171 uint64 - var x172 uint64 - x172, x171 = bits.Mul64(x2, (arg1[3])) - var x173 uint64 - var x174 uint64 - x174, x173 = bits.Mul64(x2, (arg1[2])) - var x175 uint64 - var x176 uint64 - x176, x175 = bits.Mul64(x2, (arg1[1])) - var x177 uint64 - var x178 uint64 - x178, x177 = bits.Mul64(x2, (arg1[0])) - var x179 uint64 - var x180 uint1 - x179, x180 = addcarryxU64(x178, x175, 0x0) - var x181 uint64 - var x182 uint1 - x181, x182 = addcarryxU64(x176, x173, x180) - var x183 uint64 - var x184 uint1 - x183, x184 = addcarryxU64(x174, x171, x182) - var x185 uint64 - var x186 uint1 - x185, x186 = addcarryxU64(x172, x169, x184) - var x187 uint64 - var x188 uint1 - x187, x188 = addcarryxU64(x170, x167, x186) - var x189 uint64 - var x190 uint1 - x189, x190 = addcarryxU64(x168, x165, x188) - var x191 uint64 = (uint64(x190) + x166) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(x150, x177, 0x0) - var x194 uint64 - var x195 uint1 - x194, x195 = addcarryxU64(x152, x179, x193) - var x196 uint64 - var x197 uint1 - x196, x197 = addcarryxU64(x154, x181, x195) - var x198 uint64 - var x199 uint1 - x198, x199 = addcarryxU64(x156, x183, x197) - var x200 uint64 - var x201 uint1 - x200, x201 = addcarryxU64(x158, x185, x199) - var x202 uint64 - var x203 uint1 - x202, x203 = addcarryxU64(x160, x187, x201) - var x204 uint64 - var x205 uint1 - x204, x205 = addcarryxU64(x162, x189, x203) - var x206 uint64 - var x207 uint1 - x206, x207 = addcarryxU64(x164, x191, x205) - var x208 uint64 - var x209 uint64 - x209, x208 = bits.Mul64(x192, 0x2341f27177344) - var x210 uint64 - var x211 uint64 - x211, x210 = bits.Mul64(x192, 0x6cfc5fd681c52056) - var x212 uint64 - var x213 uint64 - x213, x212 = bits.Mul64(x192, 0x7bc65c783158aea3) - var x214 uint64 - var x215 uint64 - x215, x214 = bits.Mul64(x192, 0xfdc1767ae2ffffff) - var x216 uint64 - var x217 uint64 - x217, x216 = bits.Mul64(x192, 0xffffffffffffffff) - var x218 uint64 - var x219 uint64 - x219, x218 = bits.Mul64(x192, 
0xffffffffffffffff) - var x220 uint64 - var x221 uint64 - x221, x220 = bits.Mul64(x192, 0xffffffffffffffff) - var x222 uint64 - var x223 uint1 - x222, x223 = addcarryxU64(x221, x218, 0x0) - var x224 uint64 - var x225 uint1 - x224, x225 = addcarryxU64(x219, x216, x223) - var x226 uint64 - var x227 uint1 - x226, x227 = addcarryxU64(x217, x214, x225) - var x228 uint64 - var x229 uint1 - x228, x229 = addcarryxU64(x215, x212, x227) - var x230 uint64 - var x231 uint1 - x230, x231 = addcarryxU64(x213, x210, x229) - var x232 uint64 - var x233 uint1 - x232, x233 = addcarryxU64(x211, x208, x231) - var x234 uint64 = (uint64(x233) + x209) - var x236 uint1 - _, x236 = addcarryxU64(x192, x220, 0x0) - var x237 uint64 - var x238 uint1 - x237, x238 = addcarryxU64(x194, x222, x236) - var x239 uint64 - var x240 uint1 - x239, x240 = addcarryxU64(x196, x224, x238) - var x241 uint64 - var x242 uint1 - x241, x242 = addcarryxU64(x198, x226, x240) - var x243 uint64 - var x244 uint1 - x243, x244 = addcarryxU64(x200, x228, x242) - var x245 uint64 - var x246 uint1 - x245, x246 = addcarryxU64(x202, x230, x244) - var x247 uint64 - var x248 uint1 - x247, x248 = addcarryxU64(x204, x232, x246) - var x249 uint64 - var x250 uint1 - x249, x250 = addcarryxU64(x206, x234, x248) - var x251 uint64 = (uint64(x250) + uint64(x207)) - var x252 uint64 - var x253 uint64 - x253, x252 = bits.Mul64(x3, (arg1[6])) - var x254 uint64 - var x255 uint64 - x255, x254 = bits.Mul64(x3, (arg1[5])) - var x256 uint64 - var x257 uint64 - x257, x256 = bits.Mul64(x3, (arg1[4])) - var x258 uint64 - var x259 uint64 - x259, x258 = bits.Mul64(x3, (arg1[3])) - var x260 uint64 - var x261 uint64 - x261, x260 = bits.Mul64(x3, (arg1[2])) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x3, (arg1[1])) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x3, (arg1[0])) - var x266 uint64 - var x267 uint1 - x266, x267 = addcarryxU64(x265, x262, 0x0) - var x268 uint64 - var x269 uint1 - x268, x269 = addcarryxU64(x263, 
x260, x267) - var x270 uint64 - var x271 uint1 - x270, x271 = addcarryxU64(x261, x258, x269) - var x272 uint64 - var x273 uint1 - x272, x273 = addcarryxU64(x259, x256, x271) - var x274 uint64 - var x275 uint1 - x274, x275 = addcarryxU64(x257, x254, x273) - var x276 uint64 - var x277 uint1 - x276, x277 = addcarryxU64(x255, x252, x275) - var x278 uint64 = (uint64(x277) + x253) - var x279 uint64 - var x280 uint1 - x279, x280 = addcarryxU64(x237, x264, 0x0) - var x281 uint64 - var x282 uint1 - x281, x282 = addcarryxU64(x239, x266, x280) - var x283 uint64 - var x284 uint1 - x283, x284 = addcarryxU64(x241, x268, x282) - var x285 uint64 - var x286 uint1 - x285, x286 = addcarryxU64(x243, x270, x284) - var x287 uint64 - var x288 uint1 - x287, x288 = addcarryxU64(x245, x272, x286) - var x289 uint64 - var x290 uint1 - x289, x290 = addcarryxU64(x247, x274, x288) - var x291 uint64 - var x292 uint1 - x291, x292 = addcarryxU64(x249, x276, x290) - var x293 uint64 - var x294 uint1 - x293, x294 = addcarryxU64(x251, x278, x292) - var x295 uint64 - var x296 uint64 - x296, x295 = bits.Mul64(x279, 0x2341f27177344) - var x297 uint64 - var x298 uint64 - x298, x297 = bits.Mul64(x279, 0x6cfc5fd681c52056) - var x299 uint64 - var x300 uint64 - x300, x299 = bits.Mul64(x279, 0x7bc65c783158aea3) - var x301 uint64 - var x302 uint64 - x302, x301 = bits.Mul64(x279, 0xfdc1767ae2ffffff) - var x303 uint64 - var x304 uint64 - x304, x303 = bits.Mul64(x279, 0xffffffffffffffff) - var x305 uint64 - var x306 uint64 - x306, x305 = bits.Mul64(x279, 0xffffffffffffffff) - var x307 uint64 - var x308 uint64 - x308, x307 = bits.Mul64(x279, 0xffffffffffffffff) - var x309 uint64 - var x310 uint1 - x309, x310 = addcarryxU64(x308, x305, 0x0) - var x311 uint64 - var x312 uint1 - x311, x312 = addcarryxU64(x306, x303, x310) - var x313 uint64 - var x314 uint1 - x313, x314 = addcarryxU64(x304, x301, x312) - var x315 uint64 - var x316 uint1 - x315, x316 = addcarryxU64(x302, x299, x314) - var x317 uint64 - var x318 uint1 - 
x317, x318 = addcarryxU64(x300, x297, x316) - var x319 uint64 - var x320 uint1 - x319, x320 = addcarryxU64(x298, x295, x318) - var x321 uint64 = (uint64(x320) + x296) - var x323 uint1 - _, x323 = addcarryxU64(x279, x307, 0x0) - var x324 uint64 - var x325 uint1 - x324, x325 = addcarryxU64(x281, x309, x323) - var x326 uint64 - var x327 uint1 - x326, x327 = addcarryxU64(x283, x311, x325) - var x328 uint64 - var x329 uint1 - x328, x329 = addcarryxU64(x285, x313, x327) - var x330 uint64 - var x331 uint1 - x330, x331 = addcarryxU64(x287, x315, x329) - var x332 uint64 - var x333 uint1 - x332, x333 = addcarryxU64(x289, x317, x331) - var x334 uint64 - var x335 uint1 - x334, x335 = addcarryxU64(x291, x319, x333) - var x336 uint64 - var x337 uint1 - x336, x337 = addcarryxU64(x293, x321, x335) - var x338 uint64 = (uint64(x337) + uint64(x294)) - var x339 uint64 - var x340 uint64 - x340, x339 = bits.Mul64(x4, (arg1[6])) - var x341 uint64 - var x342 uint64 - x342, x341 = bits.Mul64(x4, (arg1[5])) - var x343 uint64 - var x344 uint64 - x344, x343 = bits.Mul64(x4, (arg1[4])) - var x345 uint64 - var x346 uint64 - x346, x345 = bits.Mul64(x4, (arg1[3])) - var x347 uint64 - var x348 uint64 - x348, x347 = bits.Mul64(x4, (arg1[2])) - var x349 uint64 - var x350 uint64 - x350, x349 = bits.Mul64(x4, (arg1[1])) - var x351 uint64 - var x352 uint64 - x352, x351 = bits.Mul64(x4, (arg1[0])) - var x353 uint64 - var x354 uint1 - x353, x354 = addcarryxU64(x352, x349, 0x0) - var x355 uint64 - var x356 uint1 - x355, x356 = addcarryxU64(x350, x347, x354) - var x357 uint64 - var x358 uint1 - x357, x358 = addcarryxU64(x348, x345, x356) - var x359 uint64 - var x360 uint1 - x359, x360 = addcarryxU64(x346, x343, x358) - var x361 uint64 - var x362 uint1 - x361, x362 = addcarryxU64(x344, x341, x360) - var x363 uint64 - var x364 uint1 - x363, x364 = addcarryxU64(x342, x339, x362) - var x365 uint64 = (uint64(x364) + x340) - var x366 uint64 - var x367 uint1 - x366, x367 = addcarryxU64(x324, x351, 0x0) - var x368 
uint64 - var x369 uint1 - x368, x369 = addcarryxU64(x326, x353, x367) - var x370 uint64 - var x371 uint1 - x370, x371 = addcarryxU64(x328, x355, x369) - var x372 uint64 - var x373 uint1 - x372, x373 = addcarryxU64(x330, x357, x371) - var x374 uint64 - var x375 uint1 - x374, x375 = addcarryxU64(x332, x359, x373) - var x376 uint64 - var x377 uint1 - x376, x377 = addcarryxU64(x334, x361, x375) - var x378 uint64 - var x379 uint1 - x378, x379 = addcarryxU64(x336, x363, x377) - var x380 uint64 - var x381 uint1 - x380, x381 = addcarryxU64(x338, x365, x379) - var x382 uint64 - var x383 uint64 - x383, x382 = bits.Mul64(x366, 0x2341f27177344) - var x384 uint64 - var x385 uint64 - x385, x384 = bits.Mul64(x366, 0x6cfc5fd681c52056) - var x386 uint64 - var x387 uint64 - x387, x386 = bits.Mul64(x366, 0x7bc65c783158aea3) - var x388 uint64 - var x389 uint64 - x389, x388 = bits.Mul64(x366, 0xfdc1767ae2ffffff) - var x390 uint64 - var x391 uint64 - x391, x390 = bits.Mul64(x366, 0xffffffffffffffff) - var x392 uint64 - var x393 uint64 - x393, x392 = bits.Mul64(x366, 0xffffffffffffffff) - var x394 uint64 - var x395 uint64 - x395, x394 = bits.Mul64(x366, 0xffffffffffffffff) - var x396 uint64 - var x397 uint1 - x396, x397 = addcarryxU64(x395, x392, 0x0) - var x398 uint64 - var x399 uint1 - x398, x399 = addcarryxU64(x393, x390, x397) - var x400 uint64 - var x401 uint1 - x400, x401 = addcarryxU64(x391, x388, x399) - var x402 uint64 - var x403 uint1 - x402, x403 = addcarryxU64(x389, x386, x401) - var x404 uint64 - var x405 uint1 - x404, x405 = addcarryxU64(x387, x384, x403) - var x406 uint64 - var x407 uint1 - x406, x407 = addcarryxU64(x385, x382, x405) - var x408 uint64 = (uint64(x407) + x383) - var x410 uint1 - _, x410 = addcarryxU64(x366, x394, 0x0) - var x411 uint64 - var x412 uint1 - x411, x412 = addcarryxU64(x368, x396, x410) - var x413 uint64 - var x414 uint1 - x413, x414 = addcarryxU64(x370, x398, x412) - var x415 uint64 - var x416 uint1 - x415, x416 = addcarryxU64(x372, x400, x414) - 
var x417 uint64 - var x418 uint1 - x417, x418 = addcarryxU64(x374, x402, x416) - var x419 uint64 - var x420 uint1 - x419, x420 = addcarryxU64(x376, x404, x418) - var x421 uint64 - var x422 uint1 - x421, x422 = addcarryxU64(x378, x406, x420) - var x423 uint64 - var x424 uint1 - x423, x424 = addcarryxU64(x380, x408, x422) - var x425 uint64 = (uint64(x424) + uint64(x381)) - var x426 uint64 - var x427 uint64 - x427, x426 = bits.Mul64(x5, (arg1[6])) - var x428 uint64 - var x429 uint64 - x429, x428 = bits.Mul64(x5, (arg1[5])) - var x430 uint64 - var x431 uint64 - x431, x430 = bits.Mul64(x5, (arg1[4])) - var x432 uint64 - var x433 uint64 - x433, x432 = bits.Mul64(x5, (arg1[3])) - var x434 uint64 - var x435 uint64 - x435, x434 = bits.Mul64(x5, (arg1[2])) - var x436 uint64 - var x437 uint64 - x437, x436 = bits.Mul64(x5, (arg1[1])) - var x438 uint64 - var x439 uint64 - x439, x438 = bits.Mul64(x5, (arg1[0])) - var x440 uint64 - var x441 uint1 - x440, x441 = addcarryxU64(x439, x436, 0x0) - var x442 uint64 - var x443 uint1 - x442, x443 = addcarryxU64(x437, x434, x441) - var x444 uint64 - var x445 uint1 - x444, x445 = addcarryxU64(x435, x432, x443) - var x446 uint64 - var x447 uint1 - x446, x447 = addcarryxU64(x433, x430, x445) - var x448 uint64 - var x449 uint1 - x448, x449 = addcarryxU64(x431, x428, x447) - var x450 uint64 - var x451 uint1 - x450, x451 = addcarryxU64(x429, x426, x449) - var x452 uint64 = (uint64(x451) + x427) - var x453 uint64 - var x454 uint1 - x453, x454 = addcarryxU64(x411, x438, 0x0) - var x455 uint64 - var x456 uint1 - x455, x456 = addcarryxU64(x413, x440, x454) - var x457 uint64 - var x458 uint1 - x457, x458 = addcarryxU64(x415, x442, x456) - var x459 uint64 - var x460 uint1 - x459, x460 = addcarryxU64(x417, x444, x458) - var x461 uint64 - var x462 uint1 - x461, x462 = addcarryxU64(x419, x446, x460) - var x463 uint64 - var x464 uint1 - x463, x464 = addcarryxU64(x421, x448, x462) - var x465 uint64 - var x466 uint1 - x465, x466 = addcarryxU64(x423, x450, 
x464) - var x467 uint64 - var x468 uint1 - x467, x468 = addcarryxU64(x425, x452, x466) - var x469 uint64 - var x470 uint64 - x470, x469 = bits.Mul64(x453, 0x2341f27177344) - var x471 uint64 - var x472 uint64 - x472, x471 = bits.Mul64(x453, 0x6cfc5fd681c52056) - var x473 uint64 - var x474 uint64 - x474, x473 = bits.Mul64(x453, 0x7bc65c783158aea3) - var x475 uint64 - var x476 uint64 - x476, x475 = bits.Mul64(x453, 0xfdc1767ae2ffffff) - var x477 uint64 - var x478 uint64 - x478, x477 = bits.Mul64(x453, 0xffffffffffffffff) - var x479 uint64 - var x480 uint64 - x480, x479 = bits.Mul64(x453, 0xffffffffffffffff) - var x481 uint64 - var x482 uint64 - x482, x481 = bits.Mul64(x453, 0xffffffffffffffff) - var x483 uint64 - var x484 uint1 - x483, x484 = addcarryxU64(x482, x479, 0x0) - var x485 uint64 - var x486 uint1 - x485, x486 = addcarryxU64(x480, x477, x484) - var x487 uint64 - var x488 uint1 - x487, x488 = addcarryxU64(x478, x475, x486) - var x489 uint64 - var x490 uint1 - x489, x490 = addcarryxU64(x476, x473, x488) - var x491 uint64 - var x492 uint1 - x491, x492 = addcarryxU64(x474, x471, x490) - var x493 uint64 - var x494 uint1 - x493, x494 = addcarryxU64(x472, x469, x492) - var x495 uint64 = (uint64(x494) + x470) - var x497 uint1 - _, x497 = addcarryxU64(x453, x481, 0x0) - var x498 uint64 - var x499 uint1 - x498, x499 = addcarryxU64(x455, x483, x497) - var x500 uint64 - var x501 uint1 - x500, x501 = addcarryxU64(x457, x485, x499) - var x502 uint64 - var x503 uint1 - x502, x503 = addcarryxU64(x459, x487, x501) - var x504 uint64 - var x505 uint1 - x504, x505 = addcarryxU64(x461, x489, x503) - var x506 uint64 - var x507 uint1 - x506, x507 = addcarryxU64(x463, x491, x505) - var x508 uint64 - var x509 uint1 - x508, x509 = addcarryxU64(x465, x493, x507) - var x510 uint64 - var x511 uint1 - x510, x511 = addcarryxU64(x467, x495, x509) - var x512 uint64 = (uint64(x511) + uint64(x468)) - var x513 uint64 - var x514 uint64 - x514, x513 = bits.Mul64(x6, (arg1[6])) - var x515 uint64 - 
var x516 uint64 - x516, x515 = bits.Mul64(x6, (arg1[5])) - var x517 uint64 - var x518 uint64 - x518, x517 = bits.Mul64(x6, (arg1[4])) - var x519 uint64 - var x520 uint64 - x520, x519 = bits.Mul64(x6, (arg1[3])) - var x521 uint64 - var x522 uint64 - x522, x521 = bits.Mul64(x6, (arg1[2])) - var x523 uint64 - var x524 uint64 - x524, x523 = bits.Mul64(x6, (arg1[1])) - var x525 uint64 - var x526 uint64 - x526, x525 = bits.Mul64(x6, (arg1[0])) - var x527 uint64 - var x528 uint1 - x527, x528 = addcarryxU64(x526, x523, 0x0) - var x529 uint64 - var x530 uint1 - x529, x530 = addcarryxU64(x524, x521, x528) - var x531 uint64 - var x532 uint1 - x531, x532 = addcarryxU64(x522, x519, x530) - var x533 uint64 - var x534 uint1 - x533, x534 = addcarryxU64(x520, x517, x532) - var x535 uint64 - var x536 uint1 - x535, x536 = addcarryxU64(x518, x515, x534) - var x537 uint64 - var x538 uint1 - x537, x538 = addcarryxU64(x516, x513, x536) - var x539 uint64 = (uint64(x538) + x514) - var x540 uint64 - var x541 uint1 - x540, x541 = addcarryxU64(x498, x525, 0x0) - var x542 uint64 - var x543 uint1 - x542, x543 = addcarryxU64(x500, x527, x541) - var x544 uint64 - var x545 uint1 - x544, x545 = addcarryxU64(x502, x529, x543) - var x546 uint64 - var x547 uint1 - x546, x547 = addcarryxU64(x504, x531, x545) - var x548 uint64 - var x549 uint1 - x548, x549 = addcarryxU64(x506, x533, x547) - var x550 uint64 - var x551 uint1 - x550, x551 = addcarryxU64(x508, x535, x549) - var x552 uint64 - var x553 uint1 - x552, x553 = addcarryxU64(x510, x537, x551) - var x554 uint64 - var x555 uint1 - x554, x555 = addcarryxU64(x512, x539, x553) - var x556 uint64 - var x557 uint64 - x557, x556 = bits.Mul64(x540, 0x2341f27177344) - var x558 uint64 - var x559 uint64 - x559, x558 = bits.Mul64(x540, 0x6cfc5fd681c52056) - var x560 uint64 - var x561 uint64 - x561, x560 = bits.Mul64(x540, 0x7bc65c783158aea3) - var x562 uint64 - var x563 uint64 - x563, x562 = bits.Mul64(x540, 0xfdc1767ae2ffffff) - var x564 uint64 - var x565 
uint64 - x565, x564 = bits.Mul64(x540, 0xffffffffffffffff) - var x566 uint64 - var x567 uint64 - x567, x566 = bits.Mul64(x540, 0xffffffffffffffff) - var x568 uint64 - var x569 uint64 - x569, x568 = bits.Mul64(x540, 0xffffffffffffffff) - var x570 uint64 - var x571 uint1 - x570, x571 = addcarryxU64(x569, x566, 0x0) - var x572 uint64 - var x573 uint1 - x572, x573 = addcarryxU64(x567, x564, x571) - var x574 uint64 - var x575 uint1 - x574, x575 = addcarryxU64(x565, x562, x573) - var x576 uint64 - var x577 uint1 - x576, x577 = addcarryxU64(x563, x560, x575) - var x578 uint64 - var x579 uint1 - x578, x579 = addcarryxU64(x561, x558, x577) - var x580 uint64 - var x581 uint1 - x580, x581 = addcarryxU64(x559, x556, x579) - var x582 uint64 = (uint64(x581) + x557) - var x584 uint1 - _, x584 = addcarryxU64(x540, x568, 0x0) - var x585 uint64 - var x586 uint1 - x585, x586 = addcarryxU64(x542, x570, x584) - var x587 uint64 - var x588 uint1 - x587, x588 = addcarryxU64(x544, x572, x586) - var x589 uint64 - var x590 uint1 - x589, x590 = addcarryxU64(x546, x574, x588) - var x591 uint64 - var x592 uint1 - x591, x592 = addcarryxU64(x548, x576, x590) - var x593 uint64 - var x594 uint1 - x593, x594 = addcarryxU64(x550, x578, x592) - var x595 uint64 - var x596 uint1 - x595, x596 = addcarryxU64(x552, x580, x594) - var x597 uint64 - var x598 uint1 - x597, x598 = addcarryxU64(x554, x582, x596) - var x599 uint64 = (uint64(x598) + uint64(x555)) - var x600 uint64 - var x601 uint1 - x600, x601 = subborrowxU64(x585, 0xffffffffffffffff, 0x0) - var x602 uint64 - var x603 uint1 - x602, x603 = subborrowxU64(x587, 0xffffffffffffffff, x601) - var x604 uint64 - var x605 uint1 - x604, x605 = subborrowxU64(x589, 0xffffffffffffffff, x603) - var x606 uint64 - var x607 uint1 - x606, x607 = subborrowxU64(x591, 0xfdc1767ae2ffffff, x605) - var x608 uint64 - var x609 uint1 - x608, x609 = subborrowxU64(x593, 0x7bc65c783158aea3, x607) - var x610 uint64 - var x611 uint1 - x610, x611 = subborrowxU64(x595, 
0x6cfc5fd681c52056, x609) - var x612 uint64 - var x613 uint1 - x612, x613 = subborrowxU64(x597, 0x2341f27177344, x611) - var x615 uint1 - _, x615 = subborrowxU64(x599, uint64(0x0), x613) - var x616 uint64 - cmovznzU64(&x616, x615, x600, x585) - var x617 uint64 - cmovznzU64(&x617, x615, x602, x587) - var x618 uint64 - cmovznzU64(&x618, x615, x604, x589) - var x619 uint64 - cmovznzU64(&x619, x615, x606, x591) - var x620 uint64 - cmovznzU64(&x620, x615, x608, x593) - var x621 uint64 - cmovznzU64(&x621, x615, x610, x595) - var x622 uint64 - cmovznzU64(&x622, x615, x612, x597) - out1[0] = x616 - out1[1] = x617 - out1[2] = x618 - out1[3] = x619 - out1[4] = x620 - out1[5] = x621 - out1[6] = x622 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[0] + var x8 uint64 + var x9 uint64 + x9, x8 = bits.Mul64(x7, arg1[6]) + var x10 uint64 + var x11 uint64 + x11, x10 = bits.Mul64(x7, arg1[5]) + var x12 uint64 + var x13 uint64 + x13, x12 = bits.Mul64(x7, arg1[4]) + var x14 uint64 + var x15 uint64 + x15, x14 = bits.Mul64(x7, arg1[3]) + var x16 uint64 + var x17 uint64 + x17, x16 = bits.Mul64(x7, arg1[2]) + var x18 uint64 + var x19 uint64 + x19, x18 = bits.Mul64(x7, arg1[1]) + var x20 uint64 + var x21 uint64 + x21, x20 = bits.Mul64(x7, arg1[0]) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x21, x18, 0x0) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x19, x16, x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x17, x14, x25) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(x15, x12, x27) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x13, x10, x29) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(x11, x8, x31) + x34 := (uint64(x33) + x9) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(x20, 0x2341f27177344) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(x20, 0x6cfc5fd681c52056) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(x20, 
0x7bc65c783158aea3) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(x20, 0xfdc1767ae2ffffff) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(x20, 0xffffffffffffffff) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(x20, 0xffffffffffffffff) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(x20, 0xffffffffffffffff) + var x49 uint64 + var x50 uint1 + x49, x50 = addcarryxU64(x48, x45, 0x0) + var x51 uint64 + var x52 uint1 + x51, x52 = addcarryxU64(x46, x43, x50) + var x53 uint64 + var x54 uint1 + x53, x54 = addcarryxU64(x44, x41, x52) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x42, x39, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x40, x37, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x38, x35, x58) + x61 := (uint64(x60) + x36) + var x63 uint1 + _, x63 = addcarryxU64(x20, x47, 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x22, x49, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x24, x51, x65) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x26, x53, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x28, x55, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = addcarryxU64(x30, x57, x71) + var x74 uint64 + var x75 uint1 + x74, x75 = addcarryxU64(x32, x59, x73) + var x76 uint64 + var x77 uint1 + x76, x77 = addcarryxU64(x34, x61, x75) + var x78 uint64 + var x79 uint64 + x79, x78 = bits.Mul64(x1, arg1[6]) + var x80 uint64 + var x81 uint64 + x81, x80 = bits.Mul64(x1, arg1[5]) + var x82 uint64 + var x83 uint64 + x83, x82 = bits.Mul64(x1, arg1[4]) + var x84 uint64 + var x85 uint64 + x85, x84 = bits.Mul64(x1, arg1[3]) + var x86 uint64 + var x87 uint64 + x87, x86 = bits.Mul64(x1, arg1[2]) + var x88 uint64 + var x89 uint64 + x89, x88 = bits.Mul64(x1, arg1[1]) + var x90 uint64 + var x91 uint64 + x91, x90 = bits.Mul64(x1, arg1[0]) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x91, x88, 0x0) + var x94 uint64 + var x95 
uint1 + x94, x95 = addcarryxU64(x89, x86, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x87, x84, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x85, x82, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x83, x80, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x81, x78, x101) + x104 := (uint64(x103) + x79) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x64, x90, 0x0) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x66, x92, x106) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64(x68, x94, x108) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x70, x96, x110) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x72, x98, x112) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x74, x100, x114) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x76, x102, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(uint64(x77), x104, x118) + var x121 uint64 + var x122 uint64 + x122, x121 = bits.Mul64(x105, 0x2341f27177344) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(x105, 0x6cfc5fd681c52056) + var x125 uint64 + var x126 uint64 + x126, x125 = bits.Mul64(x105, 0x7bc65c783158aea3) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(x105, 0xfdc1767ae2ffffff) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x105, 0xffffffffffffffff) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(x105, 0xffffffffffffffff) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(x105, 0xffffffffffffffff) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x134, x131, 0x0) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x132, x129, x136) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x130, x127, x138) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x128, x125, x140) + var x143 uint64 + var x144 uint1 + 
x143, x144 = addcarryxU64(x126, x123, x142) + var x145 uint64 + var x146 uint1 + x145, x146 = addcarryxU64(x124, x121, x144) + x147 := (uint64(x146) + x122) + var x149 uint1 + _, x149 = addcarryxU64(x105, x133, 0x0) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x107, x135, x149) + var x152 uint64 + var x153 uint1 + x152, x153 = addcarryxU64(x109, x137, x151) + var x154 uint64 + var x155 uint1 + x154, x155 = addcarryxU64(x111, x139, x153) + var x156 uint64 + var x157 uint1 + x156, x157 = addcarryxU64(x113, x141, x155) + var x158 uint64 + var x159 uint1 + x158, x159 = addcarryxU64(x115, x143, x157) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x117, x145, x159) + var x162 uint64 + var x163 uint1 + x162, x163 = addcarryxU64(x119, x147, x161) + x164 := (uint64(x163) + uint64(x120)) + var x165 uint64 + var x166 uint64 + x166, x165 = bits.Mul64(x2, arg1[6]) + var x167 uint64 + var x168 uint64 + x168, x167 = bits.Mul64(x2, arg1[5]) + var x169 uint64 + var x170 uint64 + x170, x169 = bits.Mul64(x2, arg1[4]) + var x171 uint64 + var x172 uint64 + x172, x171 = bits.Mul64(x2, arg1[3]) + var x173 uint64 + var x174 uint64 + x174, x173 = bits.Mul64(x2, arg1[2]) + var x175 uint64 + var x176 uint64 + x176, x175 = bits.Mul64(x2, arg1[1]) + var x177 uint64 + var x178 uint64 + x178, x177 = bits.Mul64(x2, arg1[0]) + var x179 uint64 + var x180 uint1 + x179, x180 = addcarryxU64(x178, x175, 0x0) + var x181 uint64 + var x182 uint1 + x181, x182 = addcarryxU64(x176, x173, x180) + var x183 uint64 + var x184 uint1 + x183, x184 = addcarryxU64(x174, x171, x182) + var x185 uint64 + var x186 uint1 + x185, x186 = addcarryxU64(x172, x169, x184) + var x187 uint64 + var x188 uint1 + x187, x188 = addcarryxU64(x170, x167, x186) + var x189 uint64 + var x190 uint1 + x189, x190 = addcarryxU64(x168, x165, x188) + x191 := (uint64(x190) + x166) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(x150, x177, 0x0) + var x194 uint64 + var x195 uint1 + x194, x195 = 
addcarryxU64(x152, x179, x193) + var x196 uint64 + var x197 uint1 + x196, x197 = addcarryxU64(x154, x181, x195) + var x198 uint64 + var x199 uint1 + x198, x199 = addcarryxU64(x156, x183, x197) + var x200 uint64 + var x201 uint1 + x200, x201 = addcarryxU64(x158, x185, x199) + var x202 uint64 + var x203 uint1 + x202, x203 = addcarryxU64(x160, x187, x201) + var x204 uint64 + var x205 uint1 + x204, x205 = addcarryxU64(x162, x189, x203) + var x206 uint64 + var x207 uint1 + x206, x207 = addcarryxU64(x164, x191, x205) + var x208 uint64 + var x209 uint64 + x209, x208 = bits.Mul64(x192, 0x2341f27177344) + var x210 uint64 + var x211 uint64 + x211, x210 = bits.Mul64(x192, 0x6cfc5fd681c52056) + var x212 uint64 + var x213 uint64 + x213, x212 = bits.Mul64(x192, 0x7bc65c783158aea3) + var x214 uint64 + var x215 uint64 + x215, x214 = bits.Mul64(x192, 0xfdc1767ae2ffffff) + var x216 uint64 + var x217 uint64 + x217, x216 = bits.Mul64(x192, 0xffffffffffffffff) + var x218 uint64 + var x219 uint64 + x219, x218 = bits.Mul64(x192, 0xffffffffffffffff) + var x220 uint64 + var x221 uint64 + x221, x220 = bits.Mul64(x192, 0xffffffffffffffff) + var x222 uint64 + var x223 uint1 + x222, x223 = addcarryxU64(x221, x218, 0x0) + var x224 uint64 + var x225 uint1 + x224, x225 = addcarryxU64(x219, x216, x223) + var x226 uint64 + var x227 uint1 + x226, x227 = addcarryxU64(x217, x214, x225) + var x228 uint64 + var x229 uint1 + x228, x229 = addcarryxU64(x215, x212, x227) + var x230 uint64 + var x231 uint1 + x230, x231 = addcarryxU64(x213, x210, x229) + var x232 uint64 + var x233 uint1 + x232, x233 = addcarryxU64(x211, x208, x231) + x234 := (uint64(x233) + x209) + var x236 uint1 + _, x236 = addcarryxU64(x192, x220, 0x0) + var x237 uint64 + var x238 uint1 + x237, x238 = addcarryxU64(x194, x222, x236) + var x239 uint64 + var x240 uint1 + x239, x240 = addcarryxU64(x196, x224, x238) + var x241 uint64 + var x242 uint1 + x241, x242 = addcarryxU64(x198, x226, x240) + var x243 uint64 + var x244 uint1 + x243, x244 = 
addcarryxU64(x200, x228, x242) + var x245 uint64 + var x246 uint1 + x245, x246 = addcarryxU64(x202, x230, x244) + var x247 uint64 + var x248 uint1 + x247, x248 = addcarryxU64(x204, x232, x246) + var x249 uint64 + var x250 uint1 + x249, x250 = addcarryxU64(x206, x234, x248) + x251 := (uint64(x250) + uint64(x207)) + var x252 uint64 + var x253 uint64 + x253, x252 = bits.Mul64(x3, arg1[6]) + var x254 uint64 + var x255 uint64 + x255, x254 = bits.Mul64(x3, arg1[5]) + var x256 uint64 + var x257 uint64 + x257, x256 = bits.Mul64(x3, arg1[4]) + var x258 uint64 + var x259 uint64 + x259, x258 = bits.Mul64(x3, arg1[3]) + var x260 uint64 + var x261 uint64 + x261, x260 = bits.Mul64(x3, arg1[2]) + var x262 uint64 + var x263 uint64 + x263, x262 = bits.Mul64(x3, arg1[1]) + var x264 uint64 + var x265 uint64 + x265, x264 = bits.Mul64(x3, arg1[0]) + var x266 uint64 + var x267 uint1 + x266, x267 = addcarryxU64(x265, x262, 0x0) + var x268 uint64 + var x269 uint1 + x268, x269 = addcarryxU64(x263, x260, x267) + var x270 uint64 + var x271 uint1 + x270, x271 = addcarryxU64(x261, x258, x269) + var x272 uint64 + var x273 uint1 + x272, x273 = addcarryxU64(x259, x256, x271) + var x274 uint64 + var x275 uint1 + x274, x275 = addcarryxU64(x257, x254, x273) + var x276 uint64 + var x277 uint1 + x276, x277 = addcarryxU64(x255, x252, x275) + x278 := (uint64(x277) + x253) + var x279 uint64 + var x280 uint1 + x279, x280 = addcarryxU64(x237, x264, 0x0) + var x281 uint64 + var x282 uint1 + x281, x282 = addcarryxU64(x239, x266, x280) + var x283 uint64 + var x284 uint1 + x283, x284 = addcarryxU64(x241, x268, x282) + var x285 uint64 + var x286 uint1 + x285, x286 = addcarryxU64(x243, x270, x284) + var x287 uint64 + var x288 uint1 + x287, x288 = addcarryxU64(x245, x272, x286) + var x289 uint64 + var x290 uint1 + x289, x290 = addcarryxU64(x247, x274, x288) + var x291 uint64 + var x292 uint1 + x291, x292 = addcarryxU64(x249, x276, x290) + var x293 uint64 + var x294 uint1 + x293, x294 = addcarryxU64(x251, x278, 
x292) + var x295 uint64 + var x296 uint64 + x296, x295 = bits.Mul64(x279, 0x2341f27177344) + var x297 uint64 + var x298 uint64 + x298, x297 = bits.Mul64(x279, 0x6cfc5fd681c52056) + var x299 uint64 + var x300 uint64 + x300, x299 = bits.Mul64(x279, 0x7bc65c783158aea3) + var x301 uint64 + var x302 uint64 + x302, x301 = bits.Mul64(x279, 0xfdc1767ae2ffffff) + var x303 uint64 + var x304 uint64 + x304, x303 = bits.Mul64(x279, 0xffffffffffffffff) + var x305 uint64 + var x306 uint64 + x306, x305 = bits.Mul64(x279, 0xffffffffffffffff) + var x307 uint64 + var x308 uint64 + x308, x307 = bits.Mul64(x279, 0xffffffffffffffff) + var x309 uint64 + var x310 uint1 + x309, x310 = addcarryxU64(x308, x305, 0x0) + var x311 uint64 + var x312 uint1 + x311, x312 = addcarryxU64(x306, x303, x310) + var x313 uint64 + var x314 uint1 + x313, x314 = addcarryxU64(x304, x301, x312) + var x315 uint64 + var x316 uint1 + x315, x316 = addcarryxU64(x302, x299, x314) + var x317 uint64 + var x318 uint1 + x317, x318 = addcarryxU64(x300, x297, x316) + var x319 uint64 + var x320 uint1 + x319, x320 = addcarryxU64(x298, x295, x318) + x321 := (uint64(x320) + x296) + var x323 uint1 + _, x323 = addcarryxU64(x279, x307, 0x0) + var x324 uint64 + var x325 uint1 + x324, x325 = addcarryxU64(x281, x309, x323) + var x326 uint64 + var x327 uint1 + x326, x327 = addcarryxU64(x283, x311, x325) + var x328 uint64 + var x329 uint1 + x328, x329 = addcarryxU64(x285, x313, x327) + var x330 uint64 + var x331 uint1 + x330, x331 = addcarryxU64(x287, x315, x329) + var x332 uint64 + var x333 uint1 + x332, x333 = addcarryxU64(x289, x317, x331) + var x334 uint64 + var x335 uint1 + x334, x335 = addcarryxU64(x291, x319, x333) + var x336 uint64 + var x337 uint1 + x336, x337 = addcarryxU64(x293, x321, x335) + x338 := (uint64(x337) + uint64(x294)) + var x339 uint64 + var x340 uint64 + x340, x339 = bits.Mul64(x4, arg1[6]) + var x341 uint64 + var x342 uint64 + x342, x341 = bits.Mul64(x4, arg1[5]) + var x343 uint64 + var x344 uint64 + x344, 
x343 = bits.Mul64(x4, arg1[4]) + var x345 uint64 + var x346 uint64 + x346, x345 = bits.Mul64(x4, arg1[3]) + var x347 uint64 + var x348 uint64 + x348, x347 = bits.Mul64(x4, arg1[2]) + var x349 uint64 + var x350 uint64 + x350, x349 = bits.Mul64(x4, arg1[1]) + var x351 uint64 + var x352 uint64 + x352, x351 = bits.Mul64(x4, arg1[0]) + var x353 uint64 + var x354 uint1 + x353, x354 = addcarryxU64(x352, x349, 0x0) + var x355 uint64 + var x356 uint1 + x355, x356 = addcarryxU64(x350, x347, x354) + var x357 uint64 + var x358 uint1 + x357, x358 = addcarryxU64(x348, x345, x356) + var x359 uint64 + var x360 uint1 + x359, x360 = addcarryxU64(x346, x343, x358) + var x361 uint64 + var x362 uint1 + x361, x362 = addcarryxU64(x344, x341, x360) + var x363 uint64 + var x364 uint1 + x363, x364 = addcarryxU64(x342, x339, x362) + x365 := (uint64(x364) + x340) + var x366 uint64 + var x367 uint1 + x366, x367 = addcarryxU64(x324, x351, 0x0) + var x368 uint64 + var x369 uint1 + x368, x369 = addcarryxU64(x326, x353, x367) + var x370 uint64 + var x371 uint1 + x370, x371 = addcarryxU64(x328, x355, x369) + var x372 uint64 + var x373 uint1 + x372, x373 = addcarryxU64(x330, x357, x371) + var x374 uint64 + var x375 uint1 + x374, x375 = addcarryxU64(x332, x359, x373) + var x376 uint64 + var x377 uint1 + x376, x377 = addcarryxU64(x334, x361, x375) + var x378 uint64 + var x379 uint1 + x378, x379 = addcarryxU64(x336, x363, x377) + var x380 uint64 + var x381 uint1 + x380, x381 = addcarryxU64(x338, x365, x379) + var x382 uint64 + var x383 uint64 + x383, x382 = bits.Mul64(x366, 0x2341f27177344) + var x384 uint64 + var x385 uint64 + x385, x384 = bits.Mul64(x366, 0x6cfc5fd681c52056) + var x386 uint64 + var x387 uint64 + x387, x386 = bits.Mul64(x366, 0x7bc65c783158aea3) + var x388 uint64 + var x389 uint64 + x389, x388 = bits.Mul64(x366, 0xfdc1767ae2ffffff) + var x390 uint64 + var x391 uint64 + x391, x390 = bits.Mul64(x366, 0xffffffffffffffff) + var x392 uint64 + var x393 uint64 + x393, x392 = bits.Mul64(x366, 
0xffffffffffffffff) + var x394 uint64 + var x395 uint64 + x395, x394 = bits.Mul64(x366, 0xffffffffffffffff) + var x396 uint64 + var x397 uint1 + x396, x397 = addcarryxU64(x395, x392, 0x0) + var x398 uint64 + var x399 uint1 + x398, x399 = addcarryxU64(x393, x390, x397) + var x400 uint64 + var x401 uint1 + x400, x401 = addcarryxU64(x391, x388, x399) + var x402 uint64 + var x403 uint1 + x402, x403 = addcarryxU64(x389, x386, x401) + var x404 uint64 + var x405 uint1 + x404, x405 = addcarryxU64(x387, x384, x403) + var x406 uint64 + var x407 uint1 + x406, x407 = addcarryxU64(x385, x382, x405) + x408 := (uint64(x407) + x383) + var x410 uint1 + _, x410 = addcarryxU64(x366, x394, 0x0) + var x411 uint64 + var x412 uint1 + x411, x412 = addcarryxU64(x368, x396, x410) + var x413 uint64 + var x414 uint1 + x413, x414 = addcarryxU64(x370, x398, x412) + var x415 uint64 + var x416 uint1 + x415, x416 = addcarryxU64(x372, x400, x414) + var x417 uint64 + var x418 uint1 + x417, x418 = addcarryxU64(x374, x402, x416) + var x419 uint64 + var x420 uint1 + x419, x420 = addcarryxU64(x376, x404, x418) + var x421 uint64 + var x422 uint1 + x421, x422 = addcarryxU64(x378, x406, x420) + var x423 uint64 + var x424 uint1 + x423, x424 = addcarryxU64(x380, x408, x422) + x425 := (uint64(x424) + uint64(x381)) + var x426 uint64 + var x427 uint64 + x427, x426 = bits.Mul64(x5, arg1[6]) + var x428 uint64 + var x429 uint64 + x429, x428 = bits.Mul64(x5, arg1[5]) + var x430 uint64 + var x431 uint64 + x431, x430 = bits.Mul64(x5, arg1[4]) + var x432 uint64 + var x433 uint64 + x433, x432 = bits.Mul64(x5, arg1[3]) + var x434 uint64 + var x435 uint64 + x435, x434 = bits.Mul64(x5, arg1[2]) + var x436 uint64 + var x437 uint64 + x437, x436 = bits.Mul64(x5, arg1[1]) + var x438 uint64 + var x439 uint64 + x439, x438 = bits.Mul64(x5, arg1[0]) + var x440 uint64 + var x441 uint1 + x440, x441 = addcarryxU64(x439, x436, 0x0) + var x442 uint64 + var x443 uint1 + x442, x443 = addcarryxU64(x437, x434, x441) + var x444 uint64 + 
var x445 uint1 + x444, x445 = addcarryxU64(x435, x432, x443) + var x446 uint64 + var x447 uint1 + x446, x447 = addcarryxU64(x433, x430, x445) + var x448 uint64 + var x449 uint1 + x448, x449 = addcarryxU64(x431, x428, x447) + var x450 uint64 + var x451 uint1 + x450, x451 = addcarryxU64(x429, x426, x449) + x452 := (uint64(x451) + x427) + var x453 uint64 + var x454 uint1 + x453, x454 = addcarryxU64(x411, x438, 0x0) + var x455 uint64 + var x456 uint1 + x455, x456 = addcarryxU64(x413, x440, x454) + var x457 uint64 + var x458 uint1 + x457, x458 = addcarryxU64(x415, x442, x456) + var x459 uint64 + var x460 uint1 + x459, x460 = addcarryxU64(x417, x444, x458) + var x461 uint64 + var x462 uint1 + x461, x462 = addcarryxU64(x419, x446, x460) + var x463 uint64 + var x464 uint1 + x463, x464 = addcarryxU64(x421, x448, x462) + var x465 uint64 + var x466 uint1 + x465, x466 = addcarryxU64(x423, x450, x464) + var x467 uint64 + var x468 uint1 + x467, x468 = addcarryxU64(x425, x452, x466) + var x469 uint64 + var x470 uint64 + x470, x469 = bits.Mul64(x453, 0x2341f27177344) + var x471 uint64 + var x472 uint64 + x472, x471 = bits.Mul64(x453, 0x6cfc5fd681c52056) + var x473 uint64 + var x474 uint64 + x474, x473 = bits.Mul64(x453, 0x7bc65c783158aea3) + var x475 uint64 + var x476 uint64 + x476, x475 = bits.Mul64(x453, 0xfdc1767ae2ffffff) + var x477 uint64 + var x478 uint64 + x478, x477 = bits.Mul64(x453, 0xffffffffffffffff) + var x479 uint64 + var x480 uint64 + x480, x479 = bits.Mul64(x453, 0xffffffffffffffff) + var x481 uint64 + var x482 uint64 + x482, x481 = bits.Mul64(x453, 0xffffffffffffffff) + var x483 uint64 + var x484 uint1 + x483, x484 = addcarryxU64(x482, x479, 0x0) + var x485 uint64 + var x486 uint1 + x485, x486 = addcarryxU64(x480, x477, x484) + var x487 uint64 + var x488 uint1 + x487, x488 = addcarryxU64(x478, x475, x486) + var x489 uint64 + var x490 uint1 + x489, x490 = addcarryxU64(x476, x473, x488) + var x491 uint64 + var x492 uint1 + x491, x492 = addcarryxU64(x474, x471, x490) 
+ var x493 uint64 + var x494 uint1 + x493, x494 = addcarryxU64(x472, x469, x492) + x495 := (uint64(x494) + x470) + var x497 uint1 + _, x497 = addcarryxU64(x453, x481, 0x0) + var x498 uint64 + var x499 uint1 + x498, x499 = addcarryxU64(x455, x483, x497) + var x500 uint64 + var x501 uint1 + x500, x501 = addcarryxU64(x457, x485, x499) + var x502 uint64 + var x503 uint1 + x502, x503 = addcarryxU64(x459, x487, x501) + var x504 uint64 + var x505 uint1 + x504, x505 = addcarryxU64(x461, x489, x503) + var x506 uint64 + var x507 uint1 + x506, x507 = addcarryxU64(x463, x491, x505) + var x508 uint64 + var x509 uint1 + x508, x509 = addcarryxU64(x465, x493, x507) + var x510 uint64 + var x511 uint1 + x510, x511 = addcarryxU64(x467, x495, x509) + x512 := (uint64(x511) + uint64(x468)) + var x513 uint64 + var x514 uint64 + x514, x513 = bits.Mul64(x6, arg1[6]) + var x515 uint64 + var x516 uint64 + x516, x515 = bits.Mul64(x6, arg1[5]) + var x517 uint64 + var x518 uint64 + x518, x517 = bits.Mul64(x6, arg1[4]) + var x519 uint64 + var x520 uint64 + x520, x519 = bits.Mul64(x6, arg1[3]) + var x521 uint64 + var x522 uint64 + x522, x521 = bits.Mul64(x6, arg1[2]) + var x523 uint64 + var x524 uint64 + x524, x523 = bits.Mul64(x6, arg1[1]) + var x525 uint64 + var x526 uint64 + x526, x525 = bits.Mul64(x6, arg1[0]) + var x527 uint64 + var x528 uint1 + x527, x528 = addcarryxU64(x526, x523, 0x0) + var x529 uint64 + var x530 uint1 + x529, x530 = addcarryxU64(x524, x521, x528) + var x531 uint64 + var x532 uint1 + x531, x532 = addcarryxU64(x522, x519, x530) + var x533 uint64 + var x534 uint1 + x533, x534 = addcarryxU64(x520, x517, x532) + var x535 uint64 + var x536 uint1 + x535, x536 = addcarryxU64(x518, x515, x534) + var x537 uint64 + var x538 uint1 + x537, x538 = addcarryxU64(x516, x513, x536) + x539 := (uint64(x538) + x514) + var x540 uint64 + var x541 uint1 + x540, x541 = addcarryxU64(x498, x525, 0x0) + var x542 uint64 + var x543 uint1 + x542, x543 = addcarryxU64(x500, x527, x541) + var x544 uint64 
+ var x545 uint1 + x544, x545 = addcarryxU64(x502, x529, x543) + var x546 uint64 + var x547 uint1 + x546, x547 = addcarryxU64(x504, x531, x545) + var x548 uint64 + var x549 uint1 + x548, x549 = addcarryxU64(x506, x533, x547) + var x550 uint64 + var x551 uint1 + x550, x551 = addcarryxU64(x508, x535, x549) + var x552 uint64 + var x553 uint1 + x552, x553 = addcarryxU64(x510, x537, x551) + var x554 uint64 + var x555 uint1 + x554, x555 = addcarryxU64(x512, x539, x553) + var x556 uint64 + var x557 uint64 + x557, x556 = bits.Mul64(x540, 0x2341f27177344) + var x558 uint64 + var x559 uint64 + x559, x558 = bits.Mul64(x540, 0x6cfc5fd681c52056) + var x560 uint64 + var x561 uint64 + x561, x560 = bits.Mul64(x540, 0x7bc65c783158aea3) + var x562 uint64 + var x563 uint64 + x563, x562 = bits.Mul64(x540, 0xfdc1767ae2ffffff) + var x564 uint64 + var x565 uint64 + x565, x564 = bits.Mul64(x540, 0xffffffffffffffff) + var x566 uint64 + var x567 uint64 + x567, x566 = bits.Mul64(x540, 0xffffffffffffffff) + var x568 uint64 + var x569 uint64 + x569, x568 = bits.Mul64(x540, 0xffffffffffffffff) + var x570 uint64 + var x571 uint1 + x570, x571 = addcarryxU64(x569, x566, 0x0) + var x572 uint64 + var x573 uint1 + x572, x573 = addcarryxU64(x567, x564, x571) + var x574 uint64 + var x575 uint1 + x574, x575 = addcarryxU64(x565, x562, x573) + var x576 uint64 + var x577 uint1 + x576, x577 = addcarryxU64(x563, x560, x575) + var x578 uint64 + var x579 uint1 + x578, x579 = addcarryxU64(x561, x558, x577) + var x580 uint64 + var x581 uint1 + x580, x581 = addcarryxU64(x559, x556, x579) + x582 := (uint64(x581) + x557) + var x584 uint1 + _, x584 = addcarryxU64(x540, x568, 0x0) + var x585 uint64 + var x586 uint1 + x585, x586 = addcarryxU64(x542, x570, x584) + var x587 uint64 + var x588 uint1 + x587, x588 = addcarryxU64(x544, x572, x586) + var x589 uint64 + var x590 uint1 + x589, x590 = addcarryxU64(x546, x574, x588) + var x591 uint64 + var x592 uint1 + x591, x592 = addcarryxU64(x548, x576, x590) + var x593 uint64 
+ var x594 uint1 + x593, x594 = addcarryxU64(x550, x578, x592) + var x595 uint64 + var x596 uint1 + x595, x596 = addcarryxU64(x552, x580, x594) + var x597 uint64 + var x598 uint1 + x597, x598 = addcarryxU64(x554, x582, x596) + x599 := (uint64(x598) + uint64(x555)) + var x600 uint64 + var x601 uint1 + x600, x601 = subborrowxU64(x585, 0xffffffffffffffff, 0x0) + var x602 uint64 + var x603 uint1 + x602, x603 = subborrowxU64(x587, 0xffffffffffffffff, x601) + var x604 uint64 + var x605 uint1 + x604, x605 = subborrowxU64(x589, 0xffffffffffffffff, x603) + var x606 uint64 + var x607 uint1 + x606, x607 = subborrowxU64(x591, 0xfdc1767ae2ffffff, x605) + var x608 uint64 + var x609 uint1 + x608, x609 = subborrowxU64(x593, 0x7bc65c783158aea3, x607) + var x610 uint64 + var x611 uint1 + x610, x611 = subborrowxU64(x595, 0x6cfc5fd681c52056, x609) + var x612 uint64 + var x613 uint1 + x612, x613 = subborrowxU64(x597, 0x2341f27177344, x611) + var x615 uint1 + _, x615 = subborrowxU64(x599, uint64(0x0), x613) + var x616 uint64 + cmovznzU64(&x616, x615, x600, x585) + var x617 uint64 + cmovznzU64(&x617, x615, x602, x587) + var x618 uint64 + cmovznzU64(&x618, x615, x604, x589) + var x619 uint64 + cmovznzU64(&x619, x615, x606, x591) + var x620 uint64 + cmovznzU64(&x620, x615, x608, x593) + var x621 uint64 + cmovznzU64(&x621, x615, x610, x595) + var x622 uint64 + cmovznzU64(&x622, x615, x612, x597) + out1[0] = x616 + out1[1] = x617 + out1[2] = x618 + out1[3] = x619 + out1[4] = x620 + out1[5] = x621 + out1[6] = x622 } -/* - The function Add adds two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Add(out1 *[7]uint64, arg1 *[7]uint64, arg2 *[7]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = addcarryxU64((arg1[0]), (arg2[0]), 0x0) - var x3 
uint64 - var x4 uint1 - x3, x4 = addcarryxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = addcarryxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = addcarryxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = addcarryxU64((arg1[4]), (arg2[4]), x8) - var x11 uint64 - var x12 uint1 - x11, x12 = addcarryxU64((arg1[5]), (arg2[5]), x10) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64((arg1[6]), (arg2[6]), x12) - var x15 uint64 - var x16 uint1 - x15, x16 = subborrowxU64(x1, 0xffffffffffffffff, 0x0) - var x17 uint64 - var x18 uint1 - x17, x18 = subborrowxU64(x3, 0xffffffffffffffff, x16) - var x19 uint64 - var x20 uint1 - x19, x20 = subborrowxU64(x5, 0xffffffffffffffff, x18) - var x21 uint64 - var x22 uint1 - x21, x22 = subborrowxU64(x7, 0xfdc1767ae2ffffff, x20) - var x23 uint64 - var x24 uint1 - x23, x24 = subborrowxU64(x9, 0x7bc65c783158aea3, x22) - var x25 uint64 - var x26 uint1 - x25, x26 = subborrowxU64(x11, 0x6cfc5fd681c52056, x24) - var x27 uint64 - var x28 uint1 - x27, x28 = subborrowxU64(x13, 0x2341f27177344, x26) - var x30 uint1 - _, x30 = subborrowxU64(uint64(x14), uint64(0x0), x28) - var x31 uint64 - cmovznzU64(&x31, x30, x15, x1) - var x32 uint64 - cmovznzU64(&x32, x30, x17, x3) - var x33 uint64 - cmovznzU64(&x33, x30, x19, x5) - var x34 uint64 - cmovznzU64(&x34, x30, x21, x7) - var x35 uint64 - cmovznzU64(&x35, x30, x23, x9) - var x36 uint64 - cmovznzU64(&x36, x30, x25, x11) - var x37 uint64 - cmovznzU64(&x37, x30, x27, x13) - out1[0] = x31 - out1[1] = x32 - out1[2] = x33 - out1[3] = x34 - out1[4] = x35 - out1[5] = x36 - out1[6] = x37 + var x1 uint64 + var x2 uint1 + x1, x2 = addcarryxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = addcarryxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = addcarryxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = addcarryxU64(arg1[3], arg2[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = 
addcarryxU64(arg1[4], arg2[4], x8) + var x11 uint64 + var x12 uint1 + x11, x12 = addcarryxU64(arg1[5], arg2[5], x10) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(arg1[6], arg2[6], x12) + var x15 uint64 + var x16 uint1 + x15, x16 = subborrowxU64(x1, 0xffffffffffffffff, 0x0) + var x17 uint64 + var x18 uint1 + x17, x18 = subborrowxU64(x3, 0xffffffffffffffff, x16) + var x19 uint64 + var x20 uint1 + x19, x20 = subborrowxU64(x5, 0xffffffffffffffff, x18) + var x21 uint64 + var x22 uint1 + x21, x22 = subborrowxU64(x7, 0xfdc1767ae2ffffff, x20) + var x23 uint64 + var x24 uint1 + x23, x24 = subborrowxU64(x9, 0x7bc65c783158aea3, x22) + var x25 uint64 + var x26 uint1 + x25, x26 = subborrowxU64(x11, 0x6cfc5fd681c52056, x24) + var x27 uint64 + var x28 uint1 + x27, x28 = subborrowxU64(x13, 0x2341f27177344, x26) + var x30 uint1 + _, x30 = subborrowxU64(uint64(x14), uint64(0x0), x28) + var x31 uint64 + cmovznzU64(&x31, x30, x15, x1) + var x32 uint64 + cmovznzU64(&x32, x30, x17, x3) + var x33 uint64 + cmovznzU64(&x33, x30, x19, x5) + var x34 uint64 + cmovznzU64(&x34, x30, x21, x7) + var x35 uint64 + cmovznzU64(&x35, x30, x23, x9) + var x36 uint64 + cmovznzU64(&x36, x30, x25, x11) + var x37 uint64 + cmovznzU64(&x37, x30, x27, x13) + out1[0] = x31 + out1[1] = x32 + out1[2] = x33 + out1[3] = x34 + out1[4] = x35 + out1[5] = x36 + out1[6] = x37 } -/* - The function Sub subtracts two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Sub(out1 *[7]uint64, arg1 *[7]uint64, arg2 *[7]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64((arg1[0]), (arg2[0]), 0x0) - var 
x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = subborrowxU64((arg1[4]), (arg2[4]), x8) - var x11 uint64 - var x12 uint1 - x11, x12 = subborrowxU64((arg1[5]), (arg2[5]), x10) - var x13 uint64 - var x14 uint1 - x13, x14 = subborrowxU64((arg1[6]), (arg2[6]), x12) - var x15 uint64 - cmovznzU64(&x15, x14, uint64(0x0), 0xffffffffffffffff) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(x1, x15, 0x0) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(x3, x15, x17) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(x5, x15, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x7, (x15 & 0xfdc1767ae2ffffff), x21) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x9, (x15 & 0x7bc65c783158aea3), x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x11, (x15 & 0x6cfc5fd681c52056), x25) - var x28 uint64 - x28, _ = addcarryxU64(x13, (x15 & 0x2341f27177344), x27) - out1[0] = x16 - out1[1] = x18 - out1[2] = x20 - out1[3] = x22 - out1[4] = x24 - out1[5] = x26 - out1[6] = x28 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(arg1[3], arg2[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = subborrowxU64(arg1[4], arg2[4], x8) + var x11 uint64 + var x12 uint1 + x11, x12 = subborrowxU64(arg1[5], arg2[5], x10) + var x13 uint64 + var x14 uint1 + x13, x14 = subborrowxU64(arg1[6], arg2[6], x12) + var x15 uint64 + cmovznzU64(&x15, x14, uint64(0x0), 0xffffffffffffffff) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(x1, x15, 0x0) + var x18 uint64 + var 
x19 uint1 + x18, x19 = addcarryxU64(x3, x15, x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(x5, x15, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x7, (x15 & 0xfdc1767ae2ffffff), x21) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x9, (x15 & 0x7bc65c783158aea3), x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x11, (x15 & 0x6cfc5fd681c52056), x25) + var x28 uint64 + x28, _ = addcarryxU64(x13, (x15 & 0x2341f27177344), x27) + out1[0] = x16 + out1[1] = x18 + out1[2] = x20 + out1[3] = x22 + out1[4] = x24 + out1[5] = x26 + out1[6] = x28 } -/* - The function Opp negates a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Opp(out1 *[7]uint64, arg1 *[7]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64(uint64(0x0), (arg1[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64(uint64(0x0), (arg1[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64(uint64(0x0), (arg1[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64(uint64(0x0), (arg1[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = subborrowxU64(uint64(0x0), (arg1[4]), x8) - var x11 uint64 - var x12 uint1 - x11, x12 = subborrowxU64(uint64(0x0), (arg1[5]), x10) - var x13 uint64 - var x14 uint1 - x13, x14 = subborrowxU64(uint64(0x0), (arg1[6]), x12) - var x15 uint64 - cmovznzU64(&x15, x14, uint64(0x0), 0xffffffffffffffff) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(x1, x15, 0x0) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(x3, x15, x17) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(x5, x15, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x7, (x15 & 0xfdc1767ae2ffffff), x21) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x9, (x15 & 0x7bc65c783158aea3), x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x11, (x15 & 0x6cfc5fd681c52056), x25) - var x28 uint64 - x28, _ = addcarryxU64(x13, (x15 & 0x2341f27177344), x27) - out1[0] = x16 - out1[1] = x18 - out1[2] = x20 - out1[3] = x22 
- out1[4] = x24 - out1[5] = x26 - out1[6] = x28 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(uint64(0x0), arg1[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(uint64(0x0), arg1[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(uint64(0x0), arg1[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(uint64(0x0), arg1[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = subborrowxU64(uint64(0x0), arg1[4], x8) + var x11 uint64 + var x12 uint1 + x11, x12 = subborrowxU64(uint64(0x0), arg1[5], x10) + var x13 uint64 + var x14 uint1 + x13, x14 = subborrowxU64(uint64(0x0), arg1[6], x12) + var x15 uint64 + cmovznzU64(&x15, x14, uint64(0x0), 0xffffffffffffffff) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(x1, x15, 0x0) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(x3, x15, x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(x5, x15, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x7, (x15 & 0xfdc1767ae2ffffff), x21) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x9, (x15 & 0x7bc65c783158aea3), x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x11, (x15 & 0x6cfc5fd681c52056), x25) + var x28 uint64 + x28, _ = addcarryxU64(x13, (x15 & 0x2341f27177344), x27) + out1[0] = x16 + out1[1] = x18 + out1[2] = x20 + out1[3] = x22 + out1[4] = x24 + out1[5] = x26 + out1[6] = x28 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^7) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^7) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromMontgomery(out1 *[7]uint64, arg1 *[7]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 - var x3 uint64 - x3, x2 = bits.Mul64(x1, 0x2341f27177344) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x1, 0x6cfc5fd681c52056) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x1, 0x7bc65c783158aea3) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x1, 0xfdc1767ae2ffffff) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x1, 0xffffffffffffffff) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x1, 0xffffffffffffffff) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x1, 0xffffffffffffffff) - var x16 uint64 - var x17 uint1 - x16, x17 = 
addcarryxU64(x15, x12, 0x0) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(x13, x10, x17) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(x11, x8, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x9, x6, x21) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x7, x4, x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x5, x2, x25) - var x29 uint1 - _, x29 = addcarryxU64(x1, x14, 0x0) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(uint64(0x0), x16, x29) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(uint64(0x0), x18, x31) - var x34 uint64 - var x35 uint1 - x34, x35 = addcarryxU64(uint64(0x0), x20, x33) - var x36 uint64 - var x37 uint1 - x36, x37 = addcarryxU64(uint64(0x0), x22, x35) - var x38 uint64 - var x39 uint1 - x38, x39 = addcarryxU64(uint64(0x0), x24, x37) - var x40 uint64 - var x41 uint1 - x40, x41 = addcarryxU64(uint64(0x0), x26, x39) - var x42 uint64 - var x43 uint1 - x42, x43 = addcarryxU64(x30, (arg1[1]), 0x0) - var x44 uint64 - var x45 uint1 - x44, x45 = addcarryxU64(x32, uint64(0x0), x43) - var x46 uint64 - var x47 uint1 - x46, x47 = addcarryxU64(x34, uint64(0x0), x45) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x36, uint64(0x0), x47) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x38, uint64(0x0), x49) - var x52 uint64 - var x53 uint1 - x52, x53 = addcarryxU64(x40, uint64(0x0), x51) - var x54 uint64 - var x55 uint64 - x55, x54 = bits.Mul64(x42, 0x2341f27177344) - var x56 uint64 - var x57 uint64 - x57, x56 = bits.Mul64(x42, 0x6cfc5fd681c52056) - var x58 uint64 - var x59 uint64 - x59, x58 = bits.Mul64(x42, 0x7bc65c783158aea3) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64(x42, 0xfdc1767ae2ffffff) - var x62 uint64 - var x63 uint64 - x63, x62 = bits.Mul64(x42, 0xffffffffffffffff) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x42, 0xffffffffffffffff) - var x66 uint64 - var x67 uint64 - x67, x66 = bits.Mul64(x42, 
0xffffffffffffffff) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x67, x64, 0x0) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x65, x62, x69) - var x72 uint64 - var x73 uint1 - x72, x73 = addcarryxU64(x63, x60, x71) - var x74 uint64 - var x75 uint1 - x74, x75 = addcarryxU64(x61, x58, x73) - var x76 uint64 - var x77 uint1 - x76, x77 = addcarryxU64(x59, x56, x75) - var x78 uint64 - var x79 uint1 - x78, x79 = addcarryxU64(x57, x54, x77) - var x81 uint1 - _, x81 = addcarryxU64(x42, x66, 0x0) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x44, x68, x81) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x46, x70, x83) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x48, x72, x85) - var x88 uint64 - var x89 uint1 - x88, x89 = addcarryxU64(x50, x74, x87) - var x90 uint64 - var x91 uint1 - x90, x91 = addcarryxU64(x52, x76, x89) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64((uint64(x53) + (uint64(x41) + (uint64(x27) + x3))), x78, x91) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x82, (arg1[2]), 0x0) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x84, uint64(0x0), x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x86, uint64(0x0), x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x88, uint64(0x0), x99) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x90, uint64(0x0), x101) - var x104 uint64 - var x105 uint1 - x104, x105 = addcarryxU64(x92, uint64(0x0), x103) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x94, 0x2341f27177344) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x94, 0x6cfc5fd681c52056) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x94, 0x7bc65c783158aea3) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x94, 0xfdc1767ae2ffffff) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x94, 0xffffffffffffffff) - var x116 uint64 - var x117 uint64 - x117, x116 = 
bits.Mul64(x94, 0xffffffffffffffff) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64(x94, 0xffffffffffffffff) - var x120 uint64 - var x121 uint1 - x120, x121 = addcarryxU64(x119, x116, 0x0) - var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x117, x114, x121) - var x124 uint64 - var x125 uint1 - x124, x125 = addcarryxU64(x115, x112, x123) - var x126 uint64 - var x127 uint1 - x126, x127 = addcarryxU64(x113, x110, x125) - var x128 uint64 - var x129 uint1 - x128, x129 = addcarryxU64(x111, x108, x127) - var x130 uint64 - var x131 uint1 - x130, x131 = addcarryxU64(x109, x106, x129) - var x133 uint1 - _, x133 = addcarryxU64(x94, x118, 0x0) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x96, x120, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = addcarryxU64(x98, x122, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x100, x124, x137) - var x140 uint64 - var x141 uint1 - x140, x141 = addcarryxU64(x102, x126, x139) - var x142 uint64 - var x143 uint1 - x142, x143 = addcarryxU64(x104, x128, x141) - var x144 uint64 - var x145 uint1 - x144, x145 = addcarryxU64((uint64(x105) + (uint64(x93) + (uint64(x79) + x55))), x130, x143) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x134, (arg1[3]), 0x0) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x136, uint64(0x0), x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x138, uint64(0x0), x149) - var x152 uint64 - var x153 uint1 - x152, x153 = addcarryxU64(x140, uint64(0x0), x151) - var x154 uint64 - var x155 uint1 - x154, x155 = addcarryxU64(x142, uint64(0x0), x153) - var x156 uint64 - var x157 uint1 - x156, x157 = addcarryxU64(x144, uint64(0x0), x155) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x146, 0x2341f27177344) - var x160 uint64 - var x161 uint64 - x161, x160 = bits.Mul64(x146, 0x6cfc5fd681c52056) - var x162 uint64 - var x163 uint64 - x163, x162 = bits.Mul64(x146, 0x7bc65c783158aea3) - var x164 
uint64 - var x165 uint64 - x165, x164 = bits.Mul64(x146, 0xfdc1767ae2ffffff) - var x166 uint64 - var x167 uint64 - x167, x166 = bits.Mul64(x146, 0xffffffffffffffff) - var x168 uint64 - var x169 uint64 - x169, x168 = bits.Mul64(x146, 0xffffffffffffffff) - var x170 uint64 - var x171 uint64 - x171, x170 = bits.Mul64(x146, 0xffffffffffffffff) - var x172 uint64 - var x173 uint1 - x172, x173 = addcarryxU64(x171, x168, 0x0) - var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x169, x166, x173) - var x176 uint64 - var x177 uint1 - x176, x177 = addcarryxU64(x167, x164, x175) - var x178 uint64 - var x179 uint1 - x178, x179 = addcarryxU64(x165, x162, x177) - var x180 uint64 - var x181 uint1 - x180, x181 = addcarryxU64(x163, x160, x179) - var x182 uint64 - var x183 uint1 - x182, x183 = addcarryxU64(x161, x158, x181) - var x185 uint1 - _, x185 = addcarryxU64(x146, x170, 0x0) - var x186 uint64 - var x187 uint1 - x186, x187 = addcarryxU64(x148, x172, x185) - var x188 uint64 - var x189 uint1 - x188, x189 = addcarryxU64(x150, x174, x187) - var x190 uint64 - var x191 uint1 - x190, x191 = addcarryxU64(x152, x176, x189) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(x154, x178, x191) - var x194 uint64 - var x195 uint1 - x194, x195 = addcarryxU64(x156, x180, x193) - var x196 uint64 - var x197 uint1 - x196, x197 = addcarryxU64((uint64(x157) + (uint64(x145) + (uint64(x131) + x107))), x182, x195) - var x198 uint64 - var x199 uint1 - x198, x199 = addcarryxU64(x186, (arg1[4]), 0x0) - var x200 uint64 - var x201 uint1 - x200, x201 = addcarryxU64(x188, uint64(0x0), x199) - var x202 uint64 - var x203 uint1 - x202, x203 = addcarryxU64(x190, uint64(0x0), x201) - var x204 uint64 - var x205 uint1 - x204, x205 = addcarryxU64(x192, uint64(0x0), x203) - var x206 uint64 - var x207 uint1 - x206, x207 = addcarryxU64(x194, uint64(0x0), x205) - var x208 uint64 - var x209 uint1 - x208, x209 = addcarryxU64(x196, uint64(0x0), x207) - var x210 uint64 - var x211 uint64 - x211, x210 = 
bits.Mul64(x198, 0x2341f27177344) - var x212 uint64 - var x213 uint64 - x213, x212 = bits.Mul64(x198, 0x6cfc5fd681c52056) - var x214 uint64 - var x215 uint64 - x215, x214 = bits.Mul64(x198, 0x7bc65c783158aea3) - var x216 uint64 - var x217 uint64 - x217, x216 = bits.Mul64(x198, 0xfdc1767ae2ffffff) - var x218 uint64 - var x219 uint64 - x219, x218 = bits.Mul64(x198, 0xffffffffffffffff) - var x220 uint64 - var x221 uint64 - x221, x220 = bits.Mul64(x198, 0xffffffffffffffff) - var x222 uint64 - var x223 uint64 - x223, x222 = bits.Mul64(x198, 0xffffffffffffffff) - var x224 uint64 - var x225 uint1 - x224, x225 = addcarryxU64(x223, x220, 0x0) - var x226 uint64 - var x227 uint1 - x226, x227 = addcarryxU64(x221, x218, x225) - var x228 uint64 - var x229 uint1 - x228, x229 = addcarryxU64(x219, x216, x227) - var x230 uint64 - var x231 uint1 - x230, x231 = addcarryxU64(x217, x214, x229) - var x232 uint64 - var x233 uint1 - x232, x233 = addcarryxU64(x215, x212, x231) - var x234 uint64 - var x235 uint1 - x234, x235 = addcarryxU64(x213, x210, x233) - var x237 uint1 - _, x237 = addcarryxU64(x198, x222, 0x0) - var x238 uint64 - var x239 uint1 - x238, x239 = addcarryxU64(x200, x224, x237) - var x240 uint64 - var x241 uint1 - x240, x241 = addcarryxU64(x202, x226, x239) - var x242 uint64 - var x243 uint1 - x242, x243 = addcarryxU64(x204, x228, x241) - var x244 uint64 - var x245 uint1 - x244, x245 = addcarryxU64(x206, x230, x243) - var x246 uint64 - var x247 uint1 - x246, x247 = addcarryxU64(x208, x232, x245) - var x248 uint64 - var x249 uint1 - x248, x249 = addcarryxU64((uint64(x209) + (uint64(x197) + (uint64(x183) + x159))), x234, x247) - var x250 uint64 - var x251 uint1 - x250, x251 = addcarryxU64(x238, (arg1[5]), 0x0) - var x252 uint64 - var x253 uint1 - x252, x253 = addcarryxU64(x240, uint64(0x0), x251) - var x254 uint64 - var x255 uint1 - x254, x255 = addcarryxU64(x242, uint64(0x0), x253) - var x256 uint64 - var x257 uint1 - x256, x257 = addcarryxU64(x244, uint64(0x0), x255) - var 
x258 uint64 - var x259 uint1 - x258, x259 = addcarryxU64(x246, uint64(0x0), x257) - var x260 uint64 - var x261 uint1 - x260, x261 = addcarryxU64(x248, uint64(0x0), x259) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x250, 0x2341f27177344) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x250, 0x6cfc5fd681c52056) - var x266 uint64 - var x267 uint64 - x267, x266 = bits.Mul64(x250, 0x7bc65c783158aea3) - var x268 uint64 - var x269 uint64 - x269, x268 = bits.Mul64(x250, 0xfdc1767ae2ffffff) - var x270 uint64 - var x271 uint64 - x271, x270 = bits.Mul64(x250, 0xffffffffffffffff) - var x272 uint64 - var x273 uint64 - x273, x272 = bits.Mul64(x250, 0xffffffffffffffff) - var x274 uint64 - var x275 uint64 - x275, x274 = bits.Mul64(x250, 0xffffffffffffffff) - var x276 uint64 - var x277 uint1 - x276, x277 = addcarryxU64(x275, x272, 0x0) - var x278 uint64 - var x279 uint1 - x278, x279 = addcarryxU64(x273, x270, x277) - var x280 uint64 - var x281 uint1 - x280, x281 = addcarryxU64(x271, x268, x279) - var x282 uint64 - var x283 uint1 - x282, x283 = addcarryxU64(x269, x266, x281) - var x284 uint64 - var x285 uint1 - x284, x285 = addcarryxU64(x267, x264, x283) - var x286 uint64 - var x287 uint1 - x286, x287 = addcarryxU64(x265, x262, x285) - var x289 uint1 - _, x289 = addcarryxU64(x250, x274, 0x0) - var x290 uint64 - var x291 uint1 - x290, x291 = addcarryxU64(x252, x276, x289) - var x292 uint64 - var x293 uint1 - x292, x293 = addcarryxU64(x254, x278, x291) - var x294 uint64 - var x295 uint1 - x294, x295 = addcarryxU64(x256, x280, x293) - var x296 uint64 - var x297 uint1 - x296, x297 = addcarryxU64(x258, x282, x295) - var x298 uint64 - var x299 uint1 - x298, x299 = addcarryxU64(x260, x284, x297) - var x300 uint64 - var x301 uint1 - x300, x301 = addcarryxU64((uint64(x261) + (uint64(x249) + (uint64(x235) + x211))), x286, x299) - var x302 uint64 - var x303 uint1 - x302, x303 = addcarryxU64(x290, (arg1[6]), 0x0) - var x304 uint64 - var x305 uint1 - x304, x305 = 
addcarryxU64(x292, uint64(0x0), x303) - var x306 uint64 - var x307 uint1 - x306, x307 = addcarryxU64(x294, uint64(0x0), x305) - var x308 uint64 - var x309 uint1 - x308, x309 = addcarryxU64(x296, uint64(0x0), x307) - var x310 uint64 - var x311 uint1 - x310, x311 = addcarryxU64(x298, uint64(0x0), x309) - var x312 uint64 - var x313 uint1 - x312, x313 = addcarryxU64(x300, uint64(0x0), x311) - var x314 uint64 - var x315 uint64 - x315, x314 = bits.Mul64(x302, 0x2341f27177344) - var x316 uint64 - var x317 uint64 - x317, x316 = bits.Mul64(x302, 0x6cfc5fd681c52056) - var x318 uint64 - var x319 uint64 - x319, x318 = bits.Mul64(x302, 0x7bc65c783158aea3) - var x320 uint64 - var x321 uint64 - x321, x320 = bits.Mul64(x302, 0xfdc1767ae2ffffff) - var x322 uint64 - var x323 uint64 - x323, x322 = bits.Mul64(x302, 0xffffffffffffffff) - var x324 uint64 - var x325 uint64 - x325, x324 = bits.Mul64(x302, 0xffffffffffffffff) - var x326 uint64 - var x327 uint64 - x327, x326 = bits.Mul64(x302, 0xffffffffffffffff) - var x328 uint64 - var x329 uint1 - x328, x329 = addcarryxU64(x327, x324, 0x0) - var x330 uint64 - var x331 uint1 - x330, x331 = addcarryxU64(x325, x322, x329) - var x332 uint64 - var x333 uint1 - x332, x333 = addcarryxU64(x323, x320, x331) - var x334 uint64 - var x335 uint1 - x334, x335 = addcarryxU64(x321, x318, x333) - var x336 uint64 - var x337 uint1 - x336, x337 = addcarryxU64(x319, x316, x335) - var x338 uint64 - var x339 uint1 - x338, x339 = addcarryxU64(x317, x314, x337) - var x341 uint1 - _, x341 = addcarryxU64(x302, x326, 0x0) - var x342 uint64 - var x343 uint1 - x342, x343 = addcarryxU64(x304, x328, x341) - var x344 uint64 - var x345 uint1 - x344, x345 = addcarryxU64(x306, x330, x343) - var x346 uint64 - var x347 uint1 - x346, x347 = addcarryxU64(x308, x332, x345) - var x348 uint64 - var x349 uint1 - x348, x349 = addcarryxU64(x310, x334, x347) - var x350 uint64 - var x351 uint1 - x350, x351 = addcarryxU64(x312, x336, x349) - var x352 uint64 - var x353 uint1 - x352, x353 
= addcarryxU64((uint64(x313) + (uint64(x301) + (uint64(x287) + x263))), x338, x351) - var x354 uint64 = (uint64(x353) + (uint64(x339) + x315)) - var x355 uint64 - var x356 uint1 - x355, x356 = subborrowxU64(x342, 0xffffffffffffffff, 0x0) - var x357 uint64 - var x358 uint1 - x357, x358 = subborrowxU64(x344, 0xffffffffffffffff, x356) - var x359 uint64 - var x360 uint1 - x359, x360 = subborrowxU64(x346, 0xffffffffffffffff, x358) - var x361 uint64 - var x362 uint1 - x361, x362 = subborrowxU64(x348, 0xfdc1767ae2ffffff, x360) - var x363 uint64 - var x364 uint1 - x363, x364 = subborrowxU64(x350, 0x7bc65c783158aea3, x362) - var x365 uint64 - var x366 uint1 - x365, x366 = subborrowxU64(x352, 0x6cfc5fd681c52056, x364) - var x367 uint64 - var x368 uint1 - x367, x368 = subborrowxU64(x354, 0x2341f27177344, x366) - var x370 uint1 - _, x370 = subborrowxU64(uint64(0x0), uint64(0x0), x368) - var x371 uint64 - cmovznzU64(&x371, x370, x355, x342) - var x372 uint64 - cmovznzU64(&x372, x370, x357, x344) - var x373 uint64 - cmovznzU64(&x373, x370, x359, x346) - var x374 uint64 - cmovznzU64(&x374, x370, x361, x348) - var x375 uint64 - cmovznzU64(&x375, x370, x363, x350) - var x376 uint64 - cmovznzU64(&x376, x370, x365, x352) - var x377 uint64 - cmovznzU64(&x377, x370, x367, x354) - out1[0] = x371 - out1[1] = x372 - out1[2] = x373 - out1[3] = x374 - out1[4] = x375 - out1[5] = x376 - out1[6] = x377 + x1 := arg1[0] + var x2 uint64 + var x3 uint64 + x3, x2 = bits.Mul64(x1, 0x2341f27177344) + var x4 uint64 + var x5 uint64 + x5, x4 = bits.Mul64(x1, 0x6cfc5fd681c52056) + var x6 uint64 + var x7 uint64 + x7, x6 = bits.Mul64(x1, 0x7bc65c783158aea3) + var x8 uint64 + var x9 uint64 + x9, x8 = bits.Mul64(x1, 0xfdc1767ae2ffffff) + var x10 uint64 + var x11 uint64 + x11, x10 = bits.Mul64(x1, 0xffffffffffffffff) + var x12 uint64 + var x13 uint64 + x13, x12 = bits.Mul64(x1, 0xffffffffffffffff) + var x14 uint64 + var x15 uint64 + x15, x14 = bits.Mul64(x1, 0xffffffffffffffff) + var x16 uint64 + var x17 
uint1 + x16, x17 = addcarryxU64(x15, x12, 0x0) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(x13, x10, x17) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(x11, x8, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x9, x6, x21) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x7, x4, x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x5, x2, x25) + var x29 uint1 + _, x29 = addcarryxU64(x1, x14, 0x0) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(uint64(0x0), x16, x29) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(uint64(0x0), x18, x31) + var x34 uint64 + var x35 uint1 + x34, x35 = addcarryxU64(uint64(0x0), x20, x33) + var x36 uint64 + var x37 uint1 + x36, x37 = addcarryxU64(uint64(0x0), x22, x35) + var x38 uint64 + var x39 uint1 + x38, x39 = addcarryxU64(uint64(0x0), x24, x37) + var x40 uint64 + var x41 uint1 + x40, x41 = addcarryxU64(uint64(0x0), x26, x39) + var x42 uint64 + var x43 uint1 + x42, x43 = addcarryxU64(x30, arg1[1], 0x0) + var x44 uint64 + var x45 uint1 + x44, x45 = addcarryxU64(x32, uint64(0x0), x43) + var x46 uint64 + var x47 uint1 + x46, x47 = addcarryxU64(x34, uint64(0x0), x45) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x36, uint64(0x0), x47) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x38, uint64(0x0), x49) + var x52 uint64 + var x53 uint1 + x52, x53 = addcarryxU64(x40, uint64(0x0), x51) + var x54 uint64 + var x55 uint64 + x55, x54 = bits.Mul64(x42, 0x2341f27177344) + var x56 uint64 + var x57 uint64 + x57, x56 = bits.Mul64(x42, 0x6cfc5fd681c52056) + var x58 uint64 + var x59 uint64 + x59, x58 = bits.Mul64(x42, 0x7bc65c783158aea3) + var x60 uint64 + var x61 uint64 + x61, x60 = bits.Mul64(x42, 0xfdc1767ae2ffffff) + var x62 uint64 + var x63 uint64 + x63, x62 = bits.Mul64(x42, 0xffffffffffffffff) + var x64 uint64 + var x65 uint64 + x65, x64 = bits.Mul64(x42, 0xffffffffffffffff) + var x66 uint64 + var x67 uint64 + x67, x66 = 
bits.Mul64(x42, 0xffffffffffffffff) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x67, x64, 0x0) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x65, x62, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = addcarryxU64(x63, x60, x71) + var x74 uint64 + var x75 uint1 + x74, x75 = addcarryxU64(x61, x58, x73) + var x76 uint64 + var x77 uint1 + x76, x77 = addcarryxU64(x59, x56, x75) + var x78 uint64 + var x79 uint1 + x78, x79 = addcarryxU64(x57, x54, x77) + var x81 uint1 + _, x81 = addcarryxU64(x42, x66, 0x0) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x44, x68, x81) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x46, x70, x83) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x48, x72, x85) + var x88 uint64 + var x89 uint1 + x88, x89 = addcarryxU64(x50, x74, x87) + var x90 uint64 + var x91 uint1 + x90, x91 = addcarryxU64(x52, x76, x89) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64((uint64(x53) + (uint64(x41) + (uint64(x27) + x3))), x78, x91) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x82, arg1[2], 0x0) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x84, uint64(0x0), x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x86, uint64(0x0), x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x88, uint64(0x0), x99) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x90, uint64(0x0), x101) + var x104 uint64 + var x105 uint1 + x104, x105 = addcarryxU64(x92, uint64(0x0), x103) + var x106 uint64 + var x107 uint64 + x107, x106 = bits.Mul64(x94, 0x2341f27177344) + var x108 uint64 + var x109 uint64 + x109, x108 = bits.Mul64(x94, 0x6cfc5fd681c52056) + var x110 uint64 + var x111 uint64 + x111, x110 = bits.Mul64(x94, 0x7bc65c783158aea3) + var x112 uint64 + var x113 uint64 + x113, x112 = bits.Mul64(x94, 0xfdc1767ae2ffffff) + var x114 uint64 + var x115 uint64 + x115, x114 = bits.Mul64(x94, 0xffffffffffffffff) + var x116 uint64 + var x117 uint64 + 
x117, x116 = bits.Mul64(x94, 0xffffffffffffffff) + var x118 uint64 + var x119 uint64 + x119, x118 = bits.Mul64(x94, 0xffffffffffffffff) + var x120 uint64 + var x121 uint1 + x120, x121 = addcarryxU64(x119, x116, 0x0) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x117, x114, x121) + var x124 uint64 + var x125 uint1 + x124, x125 = addcarryxU64(x115, x112, x123) + var x126 uint64 + var x127 uint1 + x126, x127 = addcarryxU64(x113, x110, x125) + var x128 uint64 + var x129 uint1 + x128, x129 = addcarryxU64(x111, x108, x127) + var x130 uint64 + var x131 uint1 + x130, x131 = addcarryxU64(x109, x106, x129) + var x133 uint1 + _, x133 = addcarryxU64(x94, x118, 0x0) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x96, x120, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = addcarryxU64(x98, x122, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x100, x124, x137) + var x140 uint64 + var x141 uint1 + x140, x141 = addcarryxU64(x102, x126, x139) + var x142 uint64 + var x143 uint1 + x142, x143 = addcarryxU64(x104, x128, x141) + var x144 uint64 + var x145 uint1 + x144, x145 = addcarryxU64((uint64(x105) + (uint64(x93) + (uint64(x79) + x55))), x130, x143) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x134, arg1[3], 0x0) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x136, uint64(0x0), x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x138, uint64(0x0), x149) + var x152 uint64 + var x153 uint1 + x152, x153 = addcarryxU64(x140, uint64(0x0), x151) + var x154 uint64 + var x155 uint1 + x154, x155 = addcarryxU64(x142, uint64(0x0), x153) + var x156 uint64 + var x157 uint1 + x156, x157 = addcarryxU64(x144, uint64(0x0), x155) + var x158 uint64 + var x159 uint64 + x159, x158 = bits.Mul64(x146, 0x2341f27177344) + var x160 uint64 + var x161 uint64 + x161, x160 = bits.Mul64(x146, 0x6cfc5fd681c52056) + var x162 uint64 + var x163 uint64 + x163, x162 = bits.Mul64(x146, 0x7bc65c783158aea3) + 
var x164 uint64 + var x165 uint64 + x165, x164 = bits.Mul64(x146, 0xfdc1767ae2ffffff) + var x166 uint64 + var x167 uint64 + x167, x166 = bits.Mul64(x146, 0xffffffffffffffff) + var x168 uint64 + var x169 uint64 + x169, x168 = bits.Mul64(x146, 0xffffffffffffffff) + var x170 uint64 + var x171 uint64 + x171, x170 = bits.Mul64(x146, 0xffffffffffffffff) + var x172 uint64 + var x173 uint1 + x172, x173 = addcarryxU64(x171, x168, 0x0) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x169, x166, x173) + var x176 uint64 + var x177 uint1 + x176, x177 = addcarryxU64(x167, x164, x175) + var x178 uint64 + var x179 uint1 + x178, x179 = addcarryxU64(x165, x162, x177) + var x180 uint64 + var x181 uint1 + x180, x181 = addcarryxU64(x163, x160, x179) + var x182 uint64 + var x183 uint1 + x182, x183 = addcarryxU64(x161, x158, x181) + var x185 uint1 + _, x185 = addcarryxU64(x146, x170, 0x0) + var x186 uint64 + var x187 uint1 + x186, x187 = addcarryxU64(x148, x172, x185) + var x188 uint64 + var x189 uint1 + x188, x189 = addcarryxU64(x150, x174, x187) + var x190 uint64 + var x191 uint1 + x190, x191 = addcarryxU64(x152, x176, x189) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(x154, x178, x191) + var x194 uint64 + var x195 uint1 + x194, x195 = addcarryxU64(x156, x180, x193) + var x196 uint64 + var x197 uint1 + x196, x197 = addcarryxU64((uint64(x157) + (uint64(x145) + (uint64(x131) + x107))), x182, x195) + var x198 uint64 + var x199 uint1 + x198, x199 = addcarryxU64(x186, arg1[4], 0x0) + var x200 uint64 + var x201 uint1 + x200, x201 = addcarryxU64(x188, uint64(0x0), x199) + var x202 uint64 + var x203 uint1 + x202, x203 = addcarryxU64(x190, uint64(0x0), x201) + var x204 uint64 + var x205 uint1 + x204, x205 = addcarryxU64(x192, uint64(0x0), x203) + var x206 uint64 + var x207 uint1 + x206, x207 = addcarryxU64(x194, uint64(0x0), x205) + var x208 uint64 + var x209 uint1 + x208, x209 = addcarryxU64(x196, uint64(0x0), x207) + var x210 uint64 + var x211 uint64 + x211, 
x210 = bits.Mul64(x198, 0x2341f27177344) + var x212 uint64 + var x213 uint64 + x213, x212 = bits.Mul64(x198, 0x6cfc5fd681c52056) + var x214 uint64 + var x215 uint64 + x215, x214 = bits.Mul64(x198, 0x7bc65c783158aea3) + var x216 uint64 + var x217 uint64 + x217, x216 = bits.Mul64(x198, 0xfdc1767ae2ffffff) + var x218 uint64 + var x219 uint64 + x219, x218 = bits.Mul64(x198, 0xffffffffffffffff) + var x220 uint64 + var x221 uint64 + x221, x220 = bits.Mul64(x198, 0xffffffffffffffff) + var x222 uint64 + var x223 uint64 + x223, x222 = bits.Mul64(x198, 0xffffffffffffffff) + var x224 uint64 + var x225 uint1 + x224, x225 = addcarryxU64(x223, x220, 0x0) + var x226 uint64 + var x227 uint1 + x226, x227 = addcarryxU64(x221, x218, x225) + var x228 uint64 + var x229 uint1 + x228, x229 = addcarryxU64(x219, x216, x227) + var x230 uint64 + var x231 uint1 + x230, x231 = addcarryxU64(x217, x214, x229) + var x232 uint64 + var x233 uint1 + x232, x233 = addcarryxU64(x215, x212, x231) + var x234 uint64 + var x235 uint1 + x234, x235 = addcarryxU64(x213, x210, x233) + var x237 uint1 + _, x237 = addcarryxU64(x198, x222, 0x0) + var x238 uint64 + var x239 uint1 + x238, x239 = addcarryxU64(x200, x224, x237) + var x240 uint64 + var x241 uint1 + x240, x241 = addcarryxU64(x202, x226, x239) + var x242 uint64 + var x243 uint1 + x242, x243 = addcarryxU64(x204, x228, x241) + var x244 uint64 + var x245 uint1 + x244, x245 = addcarryxU64(x206, x230, x243) + var x246 uint64 + var x247 uint1 + x246, x247 = addcarryxU64(x208, x232, x245) + var x248 uint64 + var x249 uint1 + x248, x249 = addcarryxU64((uint64(x209) + (uint64(x197) + (uint64(x183) + x159))), x234, x247) + var x250 uint64 + var x251 uint1 + x250, x251 = addcarryxU64(x238, arg1[5], 0x0) + var x252 uint64 + var x253 uint1 + x252, x253 = addcarryxU64(x240, uint64(0x0), x251) + var x254 uint64 + var x255 uint1 + x254, x255 = addcarryxU64(x242, uint64(0x0), x253) + var x256 uint64 + var x257 uint1 + x256, x257 = addcarryxU64(x244, uint64(0x0), x255) + 
var x258 uint64 + var x259 uint1 + x258, x259 = addcarryxU64(x246, uint64(0x0), x257) + var x260 uint64 + var x261 uint1 + x260, x261 = addcarryxU64(x248, uint64(0x0), x259) + var x262 uint64 + var x263 uint64 + x263, x262 = bits.Mul64(x250, 0x2341f27177344) + var x264 uint64 + var x265 uint64 + x265, x264 = bits.Mul64(x250, 0x6cfc5fd681c52056) + var x266 uint64 + var x267 uint64 + x267, x266 = bits.Mul64(x250, 0x7bc65c783158aea3) + var x268 uint64 + var x269 uint64 + x269, x268 = bits.Mul64(x250, 0xfdc1767ae2ffffff) + var x270 uint64 + var x271 uint64 + x271, x270 = bits.Mul64(x250, 0xffffffffffffffff) + var x272 uint64 + var x273 uint64 + x273, x272 = bits.Mul64(x250, 0xffffffffffffffff) + var x274 uint64 + var x275 uint64 + x275, x274 = bits.Mul64(x250, 0xffffffffffffffff) + var x276 uint64 + var x277 uint1 + x276, x277 = addcarryxU64(x275, x272, 0x0) + var x278 uint64 + var x279 uint1 + x278, x279 = addcarryxU64(x273, x270, x277) + var x280 uint64 + var x281 uint1 + x280, x281 = addcarryxU64(x271, x268, x279) + var x282 uint64 + var x283 uint1 + x282, x283 = addcarryxU64(x269, x266, x281) + var x284 uint64 + var x285 uint1 + x284, x285 = addcarryxU64(x267, x264, x283) + var x286 uint64 + var x287 uint1 + x286, x287 = addcarryxU64(x265, x262, x285) + var x289 uint1 + _, x289 = addcarryxU64(x250, x274, 0x0) + var x290 uint64 + var x291 uint1 + x290, x291 = addcarryxU64(x252, x276, x289) + var x292 uint64 + var x293 uint1 + x292, x293 = addcarryxU64(x254, x278, x291) + var x294 uint64 + var x295 uint1 + x294, x295 = addcarryxU64(x256, x280, x293) + var x296 uint64 + var x297 uint1 + x296, x297 = addcarryxU64(x258, x282, x295) + var x298 uint64 + var x299 uint1 + x298, x299 = addcarryxU64(x260, x284, x297) + var x300 uint64 + var x301 uint1 + x300, x301 = addcarryxU64((uint64(x261) + (uint64(x249) + (uint64(x235) + x211))), x286, x299) + var x302 uint64 + var x303 uint1 + x302, x303 = addcarryxU64(x290, arg1[6], 0x0) + var x304 uint64 + var x305 uint1 + x304, x305 
= addcarryxU64(x292, uint64(0x0), x303) + var x306 uint64 + var x307 uint1 + x306, x307 = addcarryxU64(x294, uint64(0x0), x305) + var x308 uint64 + var x309 uint1 + x308, x309 = addcarryxU64(x296, uint64(0x0), x307) + var x310 uint64 + var x311 uint1 + x310, x311 = addcarryxU64(x298, uint64(0x0), x309) + var x312 uint64 + var x313 uint1 + x312, x313 = addcarryxU64(x300, uint64(0x0), x311) + var x314 uint64 + var x315 uint64 + x315, x314 = bits.Mul64(x302, 0x2341f27177344) + var x316 uint64 + var x317 uint64 + x317, x316 = bits.Mul64(x302, 0x6cfc5fd681c52056) + var x318 uint64 + var x319 uint64 + x319, x318 = bits.Mul64(x302, 0x7bc65c783158aea3) + var x320 uint64 + var x321 uint64 + x321, x320 = bits.Mul64(x302, 0xfdc1767ae2ffffff) + var x322 uint64 + var x323 uint64 + x323, x322 = bits.Mul64(x302, 0xffffffffffffffff) + var x324 uint64 + var x325 uint64 + x325, x324 = bits.Mul64(x302, 0xffffffffffffffff) + var x326 uint64 + var x327 uint64 + x327, x326 = bits.Mul64(x302, 0xffffffffffffffff) + var x328 uint64 + var x329 uint1 + x328, x329 = addcarryxU64(x327, x324, 0x0) + var x330 uint64 + var x331 uint1 + x330, x331 = addcarryxU64(x325, x322, x329) + var x332 uint64 + var x333 uint1 + x332, x333 = addcarryxU64(x323, x320, x331) + var x334 uint64 + var x335 uint1 + x334, x335 = addcarryxU64(x321, x318, x333) + var x336 uint64 + var x337 uint1 + x336, x337 = addcarryxU64(x319, x316, x335) + var x338 uint64 + var x339 uint1 + x338, x339 = addcarryxU64(x317, x314, x337) + var x341 uint1 + _, x341 = addcarryxU64(x302, x326, 0x0) + var x342 uint64 + var x343 uint1 + x342, x343 = addcarryxU64(x304, x328, x341) + var x344 uint64 + var x345 uint1 + x344, x345 = addcarryxU64(x306, x330, x343) + var x346 uint64 + var x347 uint1 + x346, x347 = addcarryxU64(x308, x332, x345) + var x348 uint64 + var x349 uint1 + x348, x349 = addcarryxU64(x310, x334, x347) + var x350 uint64 + var x351 uint1 + x350, x351 = addcarryxU64(x312, x336, x349) + var x352 uint64 + var x353 uint1 + x352, 
x353 = addcarryxU64((uint64(x313) + (uint64(x301) + (uint64(x287) + x263))), x338, x351) + x354 := (uint64(x353) + (uint64(x339) + x315)) + var x355 uint64 + var x356 uint1 + x355, x356 = subborrowxU64(x342, 0xffffffffffffffff, 0x0) + var x357 uint64 + var x358 uint1 + x357, x358 = subborrowxU64(x344, 0xffffffffffffffff, x356) + var x359 uint64 + var x360 uint1 + x359, x360 = subborrowxU64(x346, 0xffffffffffffffff, x358) + var x361 uint64 + var x362 uint1 + x361, x362 = subborrowxU64(x348, 0xfdc1767ae2ffffff, x360) + var x363 uint64 + var x364 uint1 + x363, x364 = subborrowxU64(x350, 0x7bc65c783158aea3, x362) + var x365 uint64 + var x366 uint1 + x365, x366 = subborrowxU64(x352, 0x6cfc5fd681c52056, x364) + var x367 uint64 + var x368 uint1 + x367, x368 = subborrowxU64(x354, 0x2341f27177344, x366) + var x370 uint1 + _, x370 = subborrowxU64(uint64(0x0), uint64(0x0), x368) + var x371 uint64 + cmovznzU64(&x371, x370, x355, x342) + var x372 uint64 + cmovznzU64(&x372, x370, x357, x344) + var x373 uint64 + cmovznzU64(&x373, x370, x359, x346) + var x374 uint64 + cmovznzU64(&x374, x370, x361, x348) + var x375 uint64 + cmovznzU64(&x375, x370, x363, x350) + var x376 uint64 + cmovznzU64(&x376, x370, x365, x352) + var x377 uint64 + cmovznzU64(&x377, x370, x367, x354) + out1[0] = x371 + out1[1] = x372 + out1[2] = x373 + out1[3] = x374 + out1[4] = x375 + out1[5] = x376 + out1[6] = x377 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func ToMontgomery(out1 *[7]uint64, arg1 *[7]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[4]) - var x5 uint64 = (arg1[5]) - var x6 uint64 = (arg1[6]) - var x7 uint64 = (arg1[0]) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x7, 0x25a89bcdd12a) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x7, 0x69e16a61c7686d9a) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x7, 0xabcd92bf2dde347e) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x7, 0x175cc6af8d6c7c0b) - var x16 uint64 - var x17 uint64 - x17, x16 = bits.Mul64(x7, 0xab27973f8311688d) - var x18 uint64 - var x19 uint64 - x19, x18 = 
bits.Mul64(x7, 0xacec7367768798c2) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x7, 0x28e55b65dcd69b30) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(x21, x18, 0x0) - var x24 uint64 - var x25 uint1 - x24, x25 = addcarryxU64(x19, x16, x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(x17, x14, x25) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x15, x12, x27) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x13, x10, x29) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(x11, x8, x31) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64(x20, 0x2341f27177344) - var x36 uint64 - var x37 uint64 - x37, x36 = bits.Mul64(x20, 0x6cfc5fd681c52056) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x20, 0x7bc65c783158aea3) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x20, 0xfdc1767ae2ffffff) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x20, 0xffffffffffffffff) - var x44 uint64 - var x45 uint64 - x45, x44 = bits.Mul64(x20, 0xffffffffffffffff) - var x46 uint64 - var x47 uint64 - x47, x46 = bits.Mul64(x20, 0xffffffffffffffff) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x47, x44, 0x0) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x45, x42, x49) - var x52 uint64 - var x53 uint1 - x52, x53 = addcarryxU64(x43, x40, x51) - var x54 uint64 - var x55 uint1 - x54, x55 = addcarryxU64(x41, x38, x53) - var x56 uint64 - var x57 uint1 - x56, x57 = addcarryxU64(x39, x36, x55) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x37, x34, x57) - var x61 uint1 - _, x61 = addcarryxU64(x20, x46, 0x0) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x22, x48, x61) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x24, x50, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x26, x52, x65) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x28, x54, x67) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(x30, 
x56, x69) - var x72 uint64 - var x73 uint1 - x72, x73 = addcarryxU64(x32, x58, x71) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x1, 0x25a89bcdd12a) - var x76 uint64 - var x77 uint64 - x77, x76 = bits.Mul64(x1, 0x69e16a61c7686d9a) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64(x1, 0xabcd92bf2dde347e) - var x80 uint64 - var x81 uint64 - x81, x80 = bits.Mul64(x1, 0x175cc6af8d6c7c0b) - var x82 uint64 - var x83 uint64 - x83, x82 = bits.Mul64(x1, 0xab27973f8311688d) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x1, 0xacec7367768798c2) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x1, 0x28e55b65dcd69b30) - var x88 uint64 - var x89 uint1 - x88, x89 = addcarryxU64(x87, x84, 0x0) - var x90 uint64 - var x91 uint1 - x90, x91 = addcarryxU64(x85, x82, x89) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x83, x80, x91) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x81, x78, x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x79, x76, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x77, x74, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x62, x86, 0x0) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x64, x88, x101) - var x104 uint64 - var x105 uint1 - x104, x105 = addcarryxU64(x66, x90, x103) - var x106 uint64 - var x107 uint1 - x106, x107 = addcarryxU64(x68, x92, x105) - var x108 uint64 - var x109 uint1 - x108, x109 = addcarryxU64(x70, x94, x107) - var x110 uint64 - var x111 uint1 - x110, x111 = addcarryxU64(x72, x96, x109) - var x112 uint64 - var x113 uint1 - x112, x113 = addcarryxU64(((uint64(x73) + (uint64(x33) + x9)) + (uint64(x59) + x35)), x98, x111) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x100, 0x2341f27177344) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(x100, 0x6cfc5fd681c52056) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64(x100, 0x7bc65c783158aea3) - var x120 uint64 - var x121 
uint64 - x121, x120 = bits.Mul64(x100, 0xfdc1767ae2ffffff) - var x122 uint64 - var x123 uint64 - x123, x122 = bits.Mul64(x100, 0xffffffffffffffff) - var x124 uint64 - var x125 uint64 - x125, x124 = bits.Mul64(x100, 0xffffffffffffffff) - var x126 uint64 - var x127 uint64 - x127, x126 = bits.Mul64(x100, 0xffffffffffffffff) - var x128 uint64 - var x129 uint1 - x128, x129 = addcarryxU64(x127, x124, 0x0) - var x130 uint64 - var x131 uint1 - x130, x131 = addcarryxU64(x125, x122, x129) - var x132 uint64 - var x133 uint1 - x132, x133 = addcarryxU64(x123, x120, x131) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x121, x118, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = addcarryxU64(x119, x116, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x117, x114, x137) - var x141 uint1 - _, x141 = addcarryxU64(x100, x126, 0x0) - var x142 uint64 - var x143 uint1 - x142, x143 = addcarryxU64(x102, x128, x141) - var x144 uint64 - var x145 uint1 - x144, x145 = addcarryxU64(x104, x130, x143) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x106, x132, x145) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x108, x134, x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x110, x136, x149) - var x152 uint64 - var x153 uint1 - x152, x153 = addcarryxU64(x112, x138, x151) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x2, 0x25a89bcdd12a) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x2, 0x69e16a61c7686d9a) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x2, 0xabcd92bf2dde347e) - var x160 uint64 - var x161 uint64 - x161, x160 = bits.Mul64(x2, 0x175cc6af8d6c7c0b) - var x162 uint64 - var x163 uint64 - x163, x162 = bits.Mul64(x2, 0xab27973f8311688d) - var x164 uint64 - var x165 uint64 - x165, x164 = bits.Mul64(x2, 0xacec7367768798c2) - var x166 uint64 - var x167 uint64 - x167, x166 = bits.Mul64(x2, 0x28e55b65dcd69b30) - var x168 uint64 - var x169 uint1 - x168, x169 
= addcarryxU64(x167, x164, 0x0) - var x170 uint64 - var x171 uint1 - x170, x171 = addcarryxU64(x165, x162, x169) - var x172 uint64 - var x173 uint1 - x172, x173 = addcarryxU64(x163, x160, x171) - var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x161, x158, x173) - var x176 uint64 - var x177 uint1 - x176, x177 = addcarryxU64(x159, x156, x175) - var x178 uint64 - var x179 uint1 - x178, x179 = addcarryxU64(x157, x154, x177) - var x180 uint64 - var x181 uint1 - x180, x181 = addcarryxU64(x142, x166, 0x0) - var x182 uint64 - var x183 uint1 - x182, x183 = addcarryxU64(x144, x168, x181) - var x184 uint64 - var x185 uint1 - x184, x185 = addcarryxU64(x146, x170, x183) - var x186 uint64 - var x187 uint1 - x186, x187 = addcarryxU64(x148, x172, x185) - var x188 uint64 - var x189 uint1 - x188, x189 = addcarryxU64(x150, x174, x187) - var x190 uint64 - var x191 uint1 - x190, x191 = addcarryxU64(x152, x176, x189) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(((uint64(x153) + (uint64(x113) + (uint64(x99) + x75))) + (uint64(x139) + x115)), x178, x191) - var x194 uint64 - var x195 uint64 - x195, x194 = bits.Mul64(x180, 0x2341f27177344) - var x196 uint64 - var x197 uint64 - x197, x196 = bits.Mul64(x180, 0x6cfc5fd681c52056) - var x198 uint64 - var x199 uint64 - x199, x198 = bits.Mul64(x180, 0x7bc65c783158aea3) - var x200 uint64 - var x201 uint64 - x201, x200 = bits.Mul64(x180, 0xfdc1767ae2ffffff) - var x202 uint64 - var x203 uint64 - x203, x202 = bits.Mul64(x180, 0xffffffffffffffff) - var x204 uint64 - var x205 uint64 - x205, x204 = bits.Mul64(x180, 0xffffffffffffffff) - var x206 uint64 - var x207 uint64 - x207, x206 = bits.Mul64(x180, 0xffffffffffffffff) - var x208 uint64 - var x209 uint1 - x208, x209 = addcarryxU64(x207, x204, 0x0) - var x210 uint64 - var x211 uint1 - x210, x211 = addcarryxU64(x205, x202, x209) - var x212 uint64 - var x213 uint1 - x212, x213 = addcarryxU64(x203, x200, x211) - var x214 uint64 - var x215 uint1 - x214, x215 = 
addcarryxU64(x201, x198, x213) - var x216 uint64 - var x217 uint1 - x216, x217 = addcarryxU64(x199, x196, x215) - var x218 uint64 - var x219 uint1 - x218, x219 = addcarryxU64(x197, x194, x217) - var x221 uint1 - _, x221 = addcarryxU64(x180, x206, 0x0) - var x222 uint64 - var x223 uint1 - x222, x223 = addcarryxU64(x182, x208, x221) - var x224 uint64 - var x225 uint1 - x224, x225 = addcarryxU64(x184, x210, x223) - var x226 uint64 - var x227 uint1 - x226, x227 = addcarryxU64(x186, x212, x225) - var x228 uint64 - var x229 uint1 - x228, x229 = addcarryxU64(x188, x214, x227) - var x230 uint64 - var x231 uint1 - x230, x231 = addcarryxU64(x190, x216, x229) - var x232 uint64 - var x233 uint1 - x232, x233 = addcarryxU64(x192, x218, x231) - var x234 uint64 - var x235 uint64 - x235, x234 = bits.Mul64(x3, 0x25a89bcdd12a) - var x236 uint64 - var x237 uint64 - x237, x236 = bits.Mul64(x3, 0x69e16a61c7686d9a) - var x238 uint64 - var x239 uint64 - x239, x238 = bits.Mul64(x3, 0xabcd92bf2dde347e) - var x240 uint64 - var x241 uint64 - x241, x240 = bits.Mul64(x3, 0x175cc6af8d6c7c0b) - var x242 uint64 - var x243 uint64 - x243, x242 = bits.Mul64(x3, 0xab27973f8311688d) - var x244 uint64 - var x245 uint64 - x245, x244 = bits.Mul64(x3, 0xacec7367768798c2) - var x246 uint64 - var x247 uint64 - x247, x246 = bits.Mul64(x3, 0x28e55b65dcd69b30) - var x248 uint64 - var x249 uint1 - x248, x249 = addcarryxU64(x247, x244, 0x0) - var x250 uint64 - var x251 uint1 - x250, x251 = addcarryxU64(x245, x242, x249) - var x252 uint64 - var x253 uint1 - x252, x253 = addcarryxU64(x243, x240, x251) - var x254 uint64 - var x255 uint1 - x254, x255 = addcarryxU64(x241, x238, x253) - var x256 uint64 - var x257 uint1 - x256, x257 = addcarryxU64(x239, x236, x255) - var x258 uint64 - var x259 uint1 - x258, x259 = addcarryxU64(x237, x234, x257) - var x260 uint64 - var x261 uint1 - x260, x261 = addcarryxU64(x222, x246, 0x0) - var x262 uint64 - var x263 uint1 - x262, x263 = addcarryxU64(x224, x248, x261) - var x264 uint64 
- var x265 uint1 - x264, x265 = addcarryxU64(x226, x250, x263) - var x266 uint64 - var x267 uint1 - x266, x267 = addcarryxU64(x228, x252, x265) - var x268 uint64 - var x269 uint1 - x268, x269 = addcarryxU64(x230, x254, x267) - var x270 uint64 - var x271 uint1 - x270, x271 = addcarryxU64(x232, x256, x269) - var x272 uint64 - var x273 uint1 - x272, x273 = addcarryxU64(((uint64(x233) + (uint64(x193) + (uint64(x179) + x155))) + (uint64(x219) + x195)), x258, x271) - var x274 uint64 - var x275 uint64 - x275, x274 = bits.Mul64(x260, 0x2341f27177344) - var x276 uint64 - var x277 uint64 - x277, x276 = bits.Mul64(x260, 0x6cfc5fd681c52056) - var x278 uint64 - var x279 uint64 - x279, x278 = bits.Mul64(x260, 0x7bc65c783158aea3) - var x280 uint64 - var x281 uint64 - x281, x280 = bits.Mul64(x260, 0xfdc1767ae2ffffff) - var x282 uint64 - var x283 uint64 - x283, x282 = bits.Mul64(x260, 0xffffffffffffffff) - var x284 uint64 - var x285 uint64 - x285, x284 = bits.Mul64(x260, 0xffffffffffffffff) - var x286 uint64 - var x287 uint64 - x287, x286 = bits.Mul64(x260, 0xffffffffffffffff) - var x288 uint64 - var x289 uint1 - x288, x289 = addcarryxU64(x287, x284, 0x0) - var x290 uint64 - var x291 uint1 - x290, x291 = addcarryxU64(x285, x282, x289) - var x292 uint64 - var x293 uint1 - x292, x293 = addcarryxU64(x283, x280, x291) - var x294 uint64 - var x295 uint1 - x294, x295 = addcarryxU64(x281, x278, x293) - var x296 uint64 - var x297 uint1 - x296, x297 = addcarryxU64(x279, x276, x295) - var x298 uint64 - var x299 uint1 - x298, x299 = addcarryxU64(x277, x274, x297) - var x301 uint1 - _, x301 = addcarryxU64(x260, x286, 0x0) - var x302 uint64 - var x303 uint1 - x302, x303 = addcarryxU64(x262, x288, x301) - var x304 uint64 - var x305 uint1 - x304, x305 = addcarryxU64(x264, x290, x303) - var x306 uint64 - var x307 uint1 - x306, x307 = addcarryxU64(x266, x292, x305) - var x308 uint64 - var x309 uint1 - x308, x309 = addcarryxU64(x268, x294, x307) - var x310 uint64 - var x311 uint1 - x310, x311 = 
addcarryxU64(x270, x296, x309) - var x312 uint64 - var x313 uint1 - x312, x313 = addcarryxU64(x272, x298, x311) - var x314 uint64 - var x315 uint64 - x315, x314 = bits.Mul64(x4, 0x25a89bcdd12a) - var x316 uint64 - var x317 uint64 - x317, x316 = bits.Mul64(x4, 0x69e16a61c7686d9a) - var x318 uint64 - var x319 uint64 - x319, x318 = bits.Mul64(x4, 0xabcd92bf2dde347e) - var x320 uint64 - var x321 uint64 - x321, x320 = bits.Mul64(x4, 0x175cc6af8d6c7c0b) - var x322 uint64 - var x323 uint64 - x323, x322 = bits.Mul64(x4, 0xab27973f8311688d) - var x324 uint64 - var x325 uint64 - x325, x324 = bits.Mul64(x4, 0xacec7367768798c2) - var x326 uint64 - var x327 uint64 - x327, x326 = bits.Mul64(x4, 0x28e55b65dcd69b30) - var x328 uint64 - var x329 uint1 - x328, x329 = addcarryxU64(x327, x324, 0x0) - var x330 uint64 - var x331 uint1 - x330, x331 = addcarryxU64(x325, x322, x329) - var x332 uint64 - var x333 uint1 - x332, x333 = addcarryxU64(x323, x320, x331) - var x334 uint64 - var x335 uint1 - x334, x335 = addcarryxU64(x321, x318, x333) - var x336 uint64 - var x337 uint1 - x336, x337 = addcarryxU64(x319, x316, x335) - var x338 uint64 - var x339 uint1 - x338, x339 = addcarryxU64(x317, x314, x337) - var x340 uint64 - var x341 uint1 - x340, x341 = addcarryxU64(x302, x326, 0x0) - var x342 uint64 - var x343 uint1 - x342, x343 = addcarryxU64(x304, x328, x341) - var x344 uint64 - var x345 uint1 - x344, x345 = addcarryxU64(x306, x330, x343) - var x346 uint64 - var x347 uint1 - x346, x347 = addcarryxU64(x308, x332, x345) - var x348 uint64 - var x349 uint1 - x348, x349 = addcarryxU64(x310, x334, x347) - var x350 uint64 - var x351 uint1 - x350, x351 = addcarryxU64(x312, x336, x349) - var x352 uint64 - var x353 uint1 - x352, x353 = addcarryxU64(((uint64(x313) + (uint64(x273) + (uint64(x259) + x235))) + (uint64(x299) + x275)), x338, x351) - var x354 uint64 - var x355 uint64 - x355, x354 = bits.Mul64(x340, 0x2341f27177344) - var x356 uint64 - var x357 uint64 - x357, x356 = bits.Mul64(x340, 
0x6cfc5fd681c52056) - var x358 uint64 - var x359 uint64 - x359, x358 = bits.Mul64(x340, 0x7bc65c783158aea3) - var x360 uint64 - var x361 uint64 - x361, x360 = bits.Mul64(x340, 0xfdc1767ae2ffffff) - var x362 uint64 - var x363 uint64 - x363, x362 = bits.Mul64(x340, 0xffffffffffffffff) - var x364 uint64 - var x365 uint64 - x365, x364 = bits.Mul64(x340, 0xffffffffffffffff) - var x366 uint64 - var x367 uint64 - x367, x366 = bits.Mul64(x340, 0xffffffffffffffff) - var x368 uint64 - var x369 uint1 - x368, x369 = addcarryxU64(x367, x364, 0x0) - var x370 uint64 - var x371 uint1 - x370, x371 = addcarryxU64(x365, x362, x369) - var x372 uint64 - var x373 uint1 - x372, x373 = addcarryxU64(x363, x360, x371) - var x374 uint64 - var x375 uint1 - x374, x375 = addcarryxU64(x361, x358, x373) - var x376 uint64 - var x377 uint1 - x376, x377 = addcarryxU64(x359, x356, x375) - var x378 uint64 - var x379 uint1 - x378, x379 = addcarryxU64(x357, x354, x377) - var x381 uint1 - _, x381 = addcarryxU64(x340, x366, 0x0) - var x382 uint64 - var x383 uint1 - x382, x383 = addcarryxU64(x342, x368, x381) - var x384 uint64 - var x385 uint1 - x384, x385 = addcarryxU64(x344, x370, x383) - var x386 uint64 - var x387 uint1 - x386, x387 = addcarryxU64(x346, x372, x385) - var x388 uint64 - var x389 uint1 - x388, x389 = addcarryxU64(x348, x374, x387) - var x390 uint64 - var x391 uint1 - x390, x391 = addcarryxU64(x350, x376, x389) - var x392 uint64 - var x393 uint1 - x392, x393 = addcarryxU64(x352, x378, x391) - var x394 uint64 - var x395 uint64 - x395, x394 = bits.Mul64(x5, 0x25a89bcdd12a) - var x396 uint64 - var x397 uint64 - x397, x396 = bits.Mul64(x5, 0x69e16a61c7686d9a) - var x398 uint64 - var x399 uint64 - x399, x398 = bits.Mul64(x5, 0xabcd92bf2dde347e) - var x400 uint64 - var x401 uint64 - x401, x400 = bits.Mul64(x5, 0x175cc6af8d6c7c0b) - var x402 uint64 - var x403 uint64 - x403, x402 = bits.Mul64(x5, 0xab27973f8311688d) - var x404 uint64 - var x405 uint64 - x405, x404 = bits.Mul64(x5, 
0xacec7367768798c2) - var x406 uint64 - var x407 uint64 - x407, x406 = bits.Mul64(x5, 0x28e55b65dcd69b30) - var x408 uint64 - var x409 uint1 - x408, x409 = addcarryxU64(x407, x404, 0x0) - var x410 uint64 - var x411 uint1 - x410, x411 = addcarryxU64(x405, x402, x409) - var x412 uint64 - var x413 uint1 - x412, x413 = addcarryxU64(x403, x400, x411) - var x414 uint64 - var x415 uint1 - x414, x415 = addcarryxU64(x401, x398, x413) - var x416 uint64 - var x417 uint1 - x416, x417 = addcarryxU64(x399, x396, x415) - var x418 uint64 - var x419 uint1 - x418, x419 = addcarryxU64(x397, x394, x417) - var x420 uint64 - var x421 uint1 - x420, x421 = addcarryxU64(x382, x406, 0x0) - var x422 uint64 - var x423 uint1 - x422, x423 = addcarryxU64(x384, x408, x421) - var x424 uint64 - var x425 uint1 - x424, x425 = addcarryxU64(x386, x410, x423) - var x426 uint64 - var x427 uint1 - x426, x427 = addcarryxU64(x388, x412, x425) - var x428 uint64 - var x429 uint1 - x428, x429 = addcarryxU64(x390, x414, x427) - var x430 uint64 - var x431 uint1 - x430, x431 = addcarryxU64(x392, x416, x429) - var x432 uint64 - var x433 uint1 - x432, x433 = addcarryxU64(((uint64(x393) + (uint64(x353) + (uint64(x339) + x315))) + (uint64(x379) + x355)), x418, x431) - var x434 uint64 - var x435 uint64 - x435, x434 = bits.Mul64(x420, 0x2341f27177344) - var x436 uint64 - var x437 uint64 - x437, x436 = bits.Mul64(x420, 0x6cfc5fd681c52056) - var x438 uint64 - var x439 uint64 - x439, x438 = bits.Mul64(x420, 0x7bc65c783158aea3) - var x440 uint64 - var x441 uint64 - x441, x440 = bits.Mul64(x420, 0xfdc1767ae2ffffff) - var x442 uint64 - var x443 uint64 - x443, x442 = bits.Mul64(x420, 0xffffffffffffffff) - var x444 uint64 - var x445 uint64 - x445, x444 = bits.Mul64(x420, 0xffffffffffffffff) - var x446 uint64 - var x447 uint64 - x447, x446 = bits.Mul64(x420, 0xffffffffffffffff) - var x448 uint64 - var x449 uint1 - x448, x449 = addcarryxU64(x447, x444, 0x0) - var x450 uint64 - var x451 uint1 - x450, x451 = addcarryxU64(x445, 
x442, x449) - var x452 uint64 - var x453 uint1 - x452, x453 = addcarryxU64(x443, x440, x451) - var x454 uint64 - var x455 uint1 - x454, x455 = addcarryxU64(x441, x438, x453) - var x456 uint64 - var x457 uint1 - x456, x457 = addcarryxU64(x439, x436, x455) - var x458 uint64 - var x459 uint1 - x458, x459 = addcarryxU64(x437, x434, x457) - var x461 uint1 - _, x461 = addcarryxU64(x420, x446, 0x0) - var x462 uint64 - var x463 uint1 - x462, x463 = addcarryxU64(x422, x448, x461) - var x464 uint64 - var x465 uint1 - x464, x465 = addcarryxU64(x424, x450, x463) - var x466 uint64 - var x467 uint1 - x466, x467 = addcarryxU64(x426, x452, x465) - var x468 uint64 - var x469 uint1 - x468, x469 = addcarryxU64(x428, x454, x467) - var x470 uint64 - var x471 uint1 - x470, x471 = addcarryxU64(x430, x456, x469) - var x472 uint64 - var x473 uint1 - x472, x473 = addcarryxU64(x432, x458, x471) - var x474 uint64 - var x475 uint64 - x475, x474 = bits.Mul64(x6, 0x25a89bcdd12a) - var x476 uint64 - var x477 uint64 - x477, x476 = bits.Mul64(x6, 0x69e16a61c7686d9a) - var x478 uint64 - var x479 uint64 - x479, x478 = bits.Mul64(x6, 0xabcd92bf2dde347e) - var x480 uint64 - var x481 uint64 - x481, x480 = bits.Mul64(x6, 0x175cc6af8d6c7c0b) - var x482 uint64 - var x483 uint64 - x483, x482 = bits.Mul64(x6, 0xab27973f8311688d) - var x484 uint64 - var x485 uint64 - x485, x484 = bits.Mul64(x6, 0xacec7367768798c2) - var x486 uint64 - var x487 uint64 - x487, x486 = bits.Mul64(x6, 0x28e55b65dcd69b30) - var x488 uint64 - var x489 uint1 - x488, x489 = addcarryxU64(x487, x484, 0x0) - var x490 uint64 - var x491 uint1 - x490, x491 = addcarryxU64(x485, x482, x489) - var x492 uint64 - var x493 uint1 - x492, x493 = addcarryxU64(x483, x480, x491) - var x494 uint64 - var x495 uint1 - x494, x495 = addcarryxU64(x481, x478, x493) - var x496 uint64 - var x497 uint1 - x496, x497 = addcarryxU64(x479, x476, x495) - var x498 uint64 - var x499 uint1 - x498, x499 = addcarryxU64(x477, x474, x497) - var x500 uint64 - var x501 uint1 
- x500, x501 = addcarryxU64(x462, x486, 0x0) - var x502 uint64 - var x503 uint1 - x502, x503 = addcarryxU64(x464, x488, x501) - var x504 uint64 - var x505 uint1 - x504, x505 = addcarryxU64(x466, x490, x503) - var x506 uint64 - var x507 uint1 - x506, x507 = addcarryxU64(x468, x492, x505) - var x508 uint64 - var x509 uint1 - x508, x509 = addcarryxU64(x470, x494, x507) - var x510 uint64 - var x511 uint1 - x510, x511 = addcarryxU64(x472, x496, x509) - var x512 uint64 - var x513 uint1 - x512, x513 = addcarryxU64(((uint64(x473) + (uint64(x433) + (uint64(x419) + x395))) + (uint64(x459) + x435)), x498, x511) - var x514 uint64 - var x515 uint64 - x515, x514 = bits.Mul64(x500, 0x2341f27177344) - var x516 uint64 - var x517 uint64 - x517, x516 = bits.Mul64(x500, 0x6cfc5fd681c52056) - var x518 uint64 - var x519 uint64 - x519, x518 = bits.Mul64(x500, 0x7bc65c783158aea3) - var x520 uint64 - var x521 uint64 - x521, x520 = bits.Mul64(x500, 0xfdc1767ae2ffffff) - var x522 uint64 - var x523 uint64 - x523, x522 = bits.Mul64(x500, 0xffffffffffffffff) - var x524 uint64 - var x525 uint64 - x525, x524 = bits.Mul64(x500, 0xffffffffffffffff) - var x526 uint64 - var x527 uint64 - x527, x526 = bits.Mul64(x500, 0xffffffffffffffff) - var x528 uint64 - var x529 uint1 - x528, x529 = addcarryxU64(x527, x524, 0x0) - var x530 uint64 - var x531 uint1 - x530, x531 = addcarryxU64(x525, x522, x529) - var x532 uint64 - var x533 uint1 - x532, x533 = addcarryxU64(x523, x520, x531) - var x534 uint64 - var x535 uint1 - x534, x535 = addcarryxU64(x521, x518, x533) - var x536 uint64 - var x537 uint1 - x536, x537 = addcarryxU64(x519, x516, x535) - var x538 uint64 - var x539 uint1 - x538, x539 = addcarryxU64(x517, x514, x537) - var x541 uint1 - _, x541 = addcarryxU64(x500, x526, 0x0) - var x542 uint64 - var x543 uint1 - x542, x543 = addcarryxU64(x502, x528, x541) - var x544 uint64 - var x545 uint1 - x544, x545 = addcarryxU64(x504, x530, x543) - var x546 uint64 - var x547 uint1 - x546, x547 = addcarryxU64(x506, 
x532, x545) - var x548 uint64 - var x549 uint1 - x548, x549 = addcarryxU64(x508, x534, x547) - var x550 uint64 - var x551 uint1 - x550, x551 = addcarryxU64(x510, x536, x549) - var x552 uint64 - var x553 uint1 - x552, x553 = addcarryxU64(x512, x538, x551) - var x554 uint64 = ((uint64(x553) + (uint64(x513) + (uint64(x499) + x475))) + (uint64(x539) + x515)) - var x555 uint64 - var x556 uint1 - x555, x556 = subborrowxU64(x542, 0xffffffffffffffff, 0x0) - var x557 uint64 - var x558 uint1 - x557, x558 = subborrowxU64(x544, 0xffffffffffffffff, x556) - var x559 uint64 - var x560 uint1 - x559, x560 = subborrowxU64(x546, 0xffffffffffffffff, x558) - var x561 uint64 - var x562 uint1 - x561, x562 = subborrowxU64(x548, 0xfdc1767ae2ffffff, x560) - var x563 uint64 - var x564 uint1 - x563, x564 = subborrowxU64(x550, 0x7bc65c783158aea3, x562) - var x565 uint64 - var x566 uint1 - x565, x566 = subborrowxU64(x552, 0x6cfc5fd681c52056, x564) - var x567 uint64 - var x568 uint1 - x567, x568 = subborrowxU64(x554, 0x2341f27177344, x566) - var x570 uint1 - _, x570 = subborrowxU64(uint64(0x0), uint64(0x0), x568) - var x571 uint64 - cmovznzU64(&x571, x570, x555, x542) - var x572 uint64 - cmovznzU64(&x572, x570, x557, x544) - var x573 uint64 - cmovznzU64(&x573, x570, x559, x546) - var x574 uint64 - cmovznzU64(&x574, x570, x561, x548) - var x575 uint64 - cmovznzU64(&x575, x570, x563, x550) - var x576 uint64 - cmovznzU64(&x576, x570, x565, x552) - var x577 uint64 - cmovznzU64(&x577, x570, x567, x554) - out1[0] = x571 - out1[1] = x572 - out1[2] = x573 - out1[3] = x574 - out1[4] = x575 - out1[5] = x576 - out1[6] = x577 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[4] + x5 := arg1[5] + x6 := arg1[6] + x7 := arg1[0] + var x8 uint64 + var x9 uint64 + x9, x8 = bits.Mul64(x7, 0x25a89bcdd12a) + var x10 uint64 + var x11 uint64 + x11, x10 = bits.Mul64(x7, 0x69e16a61c7686d9a) + var x12 uint64 + var x13 uint64 + x13, x12 = bits.Mul64(x7, 0xabcd92bf2dde347e) + var x14 uint64 + var x15 uint64 + 
x15, x14 = bits.Mul64(x7, 0x175cc6af8d6c7c0b) + var x16 uint64 + var x17 uint64 + x17, x16 = bits.Mul64(x7, 0xab27973f8311688d) + var x18 uint64 + var x19 uint64 + x19, x18 = bits.Mul64(x7, 0xacec7367768798c2) + var x20 uint64 + var x21 uint64 + x21, x20 = bits.Mul64(x7, 0x28e55b65dcd69b30) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(x21, x18, 0x0) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(x19, x16, x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(x17, x14, x25) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(x15, x12, x27) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x13, x10, x29) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(x11, x8, x31) + var x34 uint64 + var x35 uint64 + x35, x34 = bits.Mul64(x20, 0x2341f27177344) + var x36 uint64 + var x37 uint64 + x37, x36 = bits.Mul64(x20, 0x6cfc5fd681c52056) + var x38 uint64 + var x39 uint64 + x39, x38 = bits.Mul64(x20, 0x7bc65c783158aea3) + var x40 uint64 + var x41 uint64 + x41, x40 = bits.Mul64(x20, 0xfdc1767ae2ffffff) + var x42 uint64 + var x43 uint64 + x43, x42 = bits.Mul64(x20, 0xffffffffffffffff) + var x44 uint64 + var x45 uint64 + x45, x44 = bits.Mul64(x20, 0xffffffffffffffff) + var x46 uint64 + var x47 uint64 + x47, x46 = bits.Mul64(x20, 0xffffffffffffffff) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x47, x44, 0x0) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x45, x42, x49) + var x52 uint64 + var x53 uint1 + x52, x53 = addcarryxU64(x43, x40, x51) + var x54 uint64 + var x55 uint1 + x54, x55 = addcarryxU64(x41, x38, x53) + var x56 uint64 + var x57 uint1 + x56, x57 = addcarryxU64(x39, x36, x55) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x37, x34, x57) + var x61 uint1 + _, x61 = addcarryxU64(x20, x46, 0x0) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x22, x48, x61) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x24, x50, x63) + var x66 uint64 + var x67 uint1 + x66, 
x67 = addcarryxU64(x26, x52, x65) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x28, x54, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(x30, x56, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = addcarryxU64(x32, x58, x71) + var x74 uint64 + var x75 uint64 + x75, x74 = bits.Mul64(x1, 0x25a89bcdd12a) + var x76 uint64 + var x77 uint64 + x77, x76 = bits.Mul64(x1, 0x69e16a61c7686d9a) + var x78 uint64 + var x79 uint64 + x79, x78 = bits.Mul64(x1, 0xabcd92bf2dde347e) + var x80 uint64 + var x81 uint64 + x81, x80 = bits.Mul64(x1, 0x175cc6af8d6c7c0b) + var x82 uint64 + var x83 uint64 + x83, x82 = bits.Mul64(x1, 0xab27973f8311688d) + var x84 uint64 + var x85 uint64 + x85, x84 = bits.Mul64(x1, 0xacec7367768798c2) + var x86 uint64 + var x87 uint64 + x87, x86 = bits.Mul64(x1, 0x28e55b65dcd69b30) + var x88 uint64 + var x89 uint1 + x88, x89 = addcarryxU64(x87, x84, 0x0) + var x90 uint64 + var x91 uint1 + x90, x91 = addcarryxU64(x85, x82, x89) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x83, x80, x91) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x81, x78, x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x79, x76, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x77, x74, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x62, x86, 0x0) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x64, x88, x101) + var x104 uint64 + var x105 uint1 + x104, x105 = addcarryxU64(x66, x90, x103) + var x106 uint64 + var x107 uint1 + x106, x107 = addcarryxU64(x68, x92, x105) + var x108 uint64 + var x109 uint1 + x108, x109 = addcarryxU64(x70, x94, x107) + var x110 uint64 + var x111 uint1 + x110, x111 = addcarryxU64(x72, x96, x109) + var x112 uint64 + var x113 uint1 + x112, x113 = addcarryxU64(((uint64(x73) + (uint64(x33) + x9)) + (uint64(x59) + x35)), x98, x111) + var x114 uint64 + var x115 uint64 + x115, x114 = bits.Mul64(x100, 0x2341f27177344) + var x116 uint64 + var x117 uint64 + 
x117, x116 = bits.Mul64(x100, 0x6cfc5fd681c52056) + var x118 uint64 + var x119 uint64 + x119, x118 = bits.Mul64(x100, 0x7bc65c783158aea3) + var x120 uint64 + var x121 uint64 + x121, x120 = bits.Mul64(x100, 0xfdc1767ae2ffffff) + var x122 uint64 + var x123 uint64 + x123, x122 = bits.Mul64(x100, 0xffffffffffffffff) + var x124 uint64 + var x125 uint64 + x125, x124 = bits.Mul64(x100, 0xffffffffffffffff) + var x126 uint64 + var x127 uint64 + x127, x126 = bits.Mul64(x100, 0xffffffffffffffff) + var x128 uint64 + var x129 uint1 + x128, x129 = addcarryxU64(x127, x124, 0x0) + var x130 uint64 + var x131 uint1 + x130, x131 = addcarryxU64(x125, x122, x129) + var x132 uint64 + var x133 uint1 + x132, x133 = addcarryxU64(x123, x120, x131) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x121, x118, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = addcarryxU64(x119, x116, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x117, x114, x137) + var x141 uint1 + _, x141 = addcarryxU64(x100, x126, 0x0) + var x142 uint64 + var x143 uint1 + x142, x143 = addcarryxU64(x102, x128, x141) + var x144 uint64 + var x145 uint1 + x144, x145 = addcarryxU64(x104, x130, x143) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x106, x132, x145) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x108, x134, x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x110, x136, x149) + var x152 uint64 + var x153 uint1 + x152, x153 = addcarryxU64(x112, x138, x151) + var x154 uint64 + var x155 uint64 + x155, x154 = bits.Mul64(x2, 0x25a89bcdd12a) + var x156 uint64 + var x157 uint64 + x157, x156 = bits.Mul64(x2, 0x69e16a61c7686d9a) + var x158 uint64 + var x159 uint64 + x159, x158 = bits.Mul64(x2, 0xabcd92bf2dde347e) + var x160 uint64 + var x161 uint64 + x161, x160 = bits.Mul64(x2, 0x175cc6af8d6c7c0b) + var x162 uint64 + var x163 uint64 + x163, x162 = bits.Mul64(x2, 0xab27973f8311688d) + var x164 uint64 + var x165 uint64 + x165, x164 = 
bits.Mul64(x2, 0xacec7367768798c2) + var x166 uint64 + var x167 uint64 + x167, x166 = bits.Mul64(x2, 0x28e55b65dcd69b30) + var x168 uint64 + var x169 uint1 + x168, x169 = addcarryxU64(x167, x164, 0x0) + var x170 uint64 + var x171 uint1 + x170, x171 = addcarryxU64(x165, x162, x169) + var x172 uint64 + var x173 uint1 + x172, x173 = addcarryxU64(x163, x160, x171) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x161, x158, x173) + var x176 uint64 + var x177 uint1 + x176, x177 = addcarryxU64(x159, x156, x175) + var x178 uint64 + var x179 uint1 + x178, x179 = addcarryxU64(x157, x154, x177) + var x180 uint64 + var x181 uint1 + x180, x181 = addcarryxU64(x142, x166, 0x0) + var x182 uint64 + var x183 uint1 + x182, x183 = addcarryxU64(x144, x168, x181) + var x184 uint64 + var x185 uint1 + x184, x185 = addcarryxU64(x146, x170, x183) + var x186 uint64 + var x187 uint1 + x186, x187 = addcarryxU64(x148, x172, x185) + var x188 uint64 + var x189 uint1 + x188, x189 = addcarryxU64(x150, x174, x187) + var x190 uint64 + var x191 uint1 + x190, x191 = addcarryxU64(x152, x176, x189) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(((uint64(x153) + (uint64(x113) + (uint64(x99) + x75))) + (uint64(x139) + x115)), x178, x191) + var x194 uint64 + var x195 uint64 + x195, x194 = bits.Mul64(x180, 0x2341f27177344) + var x196 uint64 + var x197 uint64 + x197, x196 = bits.Mul64(x180, 0x6cfc5fd681c52056) + var x198 uint64 + var x199 uint64 + x199, x198 = bits.Mul64(x180, 0x7bc65c783158aea3) + var x200 uint64 + var x201 uint64 + x201, x200 = bits.Mul64(x180, 0xfdc1767ae2ffffff) + var x202 uint64 + var x203 uint64 + x203, x202 = bits.Mul64(x180, 0xffffffffffffffff) + var x204 uint64 + var x205 uint64 + x205, x204 = bits.Mul64(x180, 0xffffffffffffffff) + var x206 uint64 + var x207 uint64 + x207, x206 = bits.Mul64(x180, 0xffffffffffffffff) + var x208 uint64 + var x209 uint1 + x208, x209 = addcarryxU64(x207, x204, 0x0) + var x210 uint64 + var x211 uint1 + x210, x211 = 
addcarryxU64(x205, x202, x209) + var x212 uint64 + var x213 uint1 + x212, x213 = addcarryxU64(x203, x200, x211) + var x214 uint64 + var x215 uint1 + x214, x215 = addcarryxU64(x201, x198, x213) + var x216 uint64 + var x217 uint1 + x216, x217 = addcarryxU64(x199, x196, x215) + var x218 uint64 + var x219 uint1 + x218, x219 = addcarryxU64(x197, x194, x217) + var x221 uint1 + _, x221 = addcarryxU64(x180, x206, 0x0) + var x222 uint64 + var x223 uint1 + x222, x223 = addcarryxU64(x182, x208, x221) + var x224 uint64 + var x225 uint1 + x224, x225 = addcarryxU64(x184, x210, x223) + var x226 uint64 + var x227 uint1 + x226, x227 = addcarryxU64(x186, x212, x225) + var x228 uint64 + var x229 uint1 + x228, x229 = addcarryxU64(x188, x214, x227) + var x230 uint64 + var x231 uint1 + x230, x231 = addcarryxU64(x190, x216, x229) + var x232 uint64 + var x233 uint1 + x232, x233 = addcarryxU64(x192, x218, x231) + var x234 uint64 + var x235 uint64 + x235, x234 = bits.Mul64(x3, 0x25a89bcdd12a) + var x236 uint64 + var x237 uint64 + x237, x236 = bits.Mul64(x3, 0x69e16a61c7686d9a) + var x238 uint64 + var x239 uint64 + x239, x238 = bits.Mul64(x3, 0xabcd92bf2dde347e) + var x240 uint64 + var x241 uint64 + x241, x240 = bits.Mul64(x3, 0x175cc6af8d6c7c0b) + var x242 uint64 + var x243 uint64 + x243, x242 = bits.Mul64(x3, 0xab27973f8311688d) + var x244 uint64 + var x245 uint64 + x245, x244 = bits.Mul64(x3, 0xacec7367768798c2) + var x246 uint64 + var x247 uint64 + x247, x246 = bits.Mul64(x3, 0x28e55b65dcd69b30) + var x248 uint64 + var x249 uint1 + x248, x249 = addcarryxU64(x247, x244, 0x0) + var x250 uint64 + var x251 uint1 + x250, x251 = addcarryxU64(x245, x242, x249) + var x252 uint64 + var x253 uint1 + x252, x253 = addcarryxU64(x243, x240, x251) + var x254 uint64 + var x255 uint1 + x254, x255 = addcarryxU64(x241, x238, x253) + var x256 uint64 + var x257 uint1 + x256, x257 = addcarryxU64(x239, x236, x255) + var x258 uint64 + var x259 uint1 + x258, x259 = addcarryxU64(x237, x234, x257) + var x260 
uint64 + var x261 uint1 + x260, x261 = addcarryxU64(x222, x246, 0x0) + var x262 uint64 + var x263 uint1 + x262, x263 = addcarryxU64(x224, x248, x261) + var x264 uint64 + var x265 uint1 + x264, x265 = addcarryxU64(x226, x250, x263) + var x266 uint64 + var x267 uint1 + x266, x267 = addcarryxU64(x228, x252, x265) + var x268 uint64 + var x269 uint1 + x268, x269 = addcarryxU64(x230, x254, x267) + var x270 uint64 + var x271 uint1 + x270, x271 = addcarryxU64(x232, x256, x269) + var x272 uint64 + var x273 uint1 + x272, x273 = addcarryxU64(((uint64(x233) + (uint64(x193) + (uint64(x179) + x155))) + (uint64(x219) + x195)), x258, x271) + var x274 uint64 + var x275 uint64 + x275, x274 = bits.Mul64(x260, 0x2341f27177344) + var x276 uint64 + var x277 uint64 + x277, x276 = bits.Mul64(x260, 0x6cfc5fd681c52056) + var x278 uint64 + var x279 uint64 + x279, x278 = bits.Mul64(x260, 0x7bc65c783158aea3) + var x280 uint64 + var x281 uint64 + x281, x280 = bits.Mul64(x260, 0xfdc1767ae2ffffff) + var x282 uint64 + var x283 uint64 + x283, x282 = bits.Mul64(x260, 0xffffffffffffffff) + var x284 uint64 + var x285 uint64 + x285, x284 = bits.Mul64(x260, 0xffffffffffffffff) + var x286 uint64 + var x287 uint64 + x287, x286 = bits.Mul64(x260, 0xffffffffffffffff) + var x288 uint64 + var x289 uint1 + x288, x289 = addcarryxU64(x287, x284, 0x0) + var x290 uint64 + var x291 uint1 + x290, x291 = addcarryxU64(x285, x282, x289) + var x292 uint64 + var x293 uint1 + x292, x293 = addcarryxU64(x283, x280, x291) + var x294 uint64 + var x295 uint1 + x294, x295 = addcarryxU64(x281, x278, x293) + var x296 uint64 + var x297 uint1 + x296, x297 = addcarryxU64(x279, x276, x295) + var x298 uint64 + var x299 uint1 + x298, x299 = addcarryxU64(x277, x274, x297) + var x301 uint1 + _, x301 = addcarryxU64(x260, x286, 0x0) + var x302 uint64 + var x303 uint1 + x302, x303 = addcarryxU64(x262, x288, x301) + var x304 uint64 + var x305 uint1 + x304, x305 = addcarryxU64(x264, x290, x303) + var x306 uint64 + var x307 uint1 + x306, x307 
= addcarryxU64(x266, x292, x305) + var x308 uint64 + var x309 uint1 + x308, x309 = addcarryxU64(x268, x294, x307) + var x310 uint64 + var x311 uint1 + x310, x311 = addcarryxU64(x270, x296, x309) + var x312 uint64 + var x313 uint1 + x312, x313 = addcarryxU64(x272, x298, x311) + var x314 uint64 + var x315 uint64 + x315, x314 = bits.Mul64(x4, 0x25a89bcdd12a) + var x316 uint64 + var x317 uint64 + x317, x316 = bits.Mul64(x4, 0x69e16a61c7686d9a) + var x318 uint64 + var x319 uint64 + x319, x318 = bits.Mul64(x4, 0xabcd92bf2dde347e) + var x320 uint64 + var x321 uint64 + x321, x320 = bits.Mul64(x4, 0x175cc6af8d6c7c0b) + var x322 uint64 + var x323 uint64 + x323, x322 = bits.Mul64(x4, 0xab27973f8311688d) + var x324 uint64 + var x325 uint64 + x325, x324 = bits.Mul64(x4, 0xacec7367768798c2) + var x326 uint64 + var x327 uint64 + x327, x326 = bits.Mul64(x4, 0x28e55b65dcd69b30) + var x328 uint64 + var x329 uint1 + x328, x329 = addcarryxU64(x327, x324, 0x0) + var x330 uint64 + var x331 uint1 + x330, x331 = addcarryxU64(x325, x322, x329) + var x332 uint64 + var x333 uint1 + x332, x333 = addcarryxU64(x323, x320, x331) + var x334 uint64 + var x335 uint1 + x334, x335 = addcarryxU64(x321, x318, x333) + var x336 uint64 + var x337 uint1 + x336, x337 = addcarryxU64(x319, x316, x335) + var x338 uint64 + var x339 uint1 + x338, x339 = addcarryxU64(x317, x314, x337) + var x340 uint64 + var x341 uint1 + x340, x341 = addcarryxU64(x302, x326, 0x0) + var x342 uint64 + var x343 uint1 + x342, x343 = addcarryxU64(x304, x328, x341) + var x344 uint64 + var x345 uint1 + x344, x345 = addcarryxU64(x306, x330, x343) + var x346 uint64 + var x347 uint1 + x346, x347 = addcarryxU64(x308, x332, x345) + var x348 uint64 + var x349 uint1 + x348, x349 = addcarryxU64(x310, x334, x347) + var x350 uint64 + var x351 uint1 + x350, x351 = addcarryxU64(x312, x336, x349) + var x352 uint64 + var x353 uint1 + x352, x353 = addcarryxU64(((uint64(x313) + (uint64(x273) + (uint64(x259) + x235))) + (uint64(x299) + x275)), x338, 
x351) + var x354 uint64 + var x355 uint64 + x355, x354 = bits.Mul64(x340, 0x2341f27177344) + var x356 uint64 + var x357 uint64 + x357, x356 = bits.Mul64(x340, 0x6cfc5fd681c52056) + var x358 uint64 + var x359 uint64 + x359, x358 = bits.Mul64(x340, 0x7bc65c783158aea3) + var x360 uint64 + var x361 uint64 + x361, x360 = bits.Mul64(x340, 0xfdc1767ae2ffffff) + var x362 uint64 + var x363 uint64 + x363, x362 = bits.Mul64(x340, 0xffffffffffffffff) + var x364 uint64 + var x365 uint64 + x365, x364 = bits.Mul64(x340, 0xffffffffffffffff) + var x366 uint64 + var x367 uint64 + x367, x366 = bits.Mul64(x340, 0xffffffffffffffff) + var x368 uint64 + var x369 uint1 + x368, x369 = addcarryxU64(x367, x364, 0x0) + var x370 uint64 + var x371 uint1 + x370, x371 = addcarryxU64(x365, x362, x369) + var x372 uint64 + var x373 uint1 + x372, x373 = addcarryxU64(x363, x360, x371) + var x374 uint64 + var x375 uint1 + x374, x375 = addcarryxU64(x361, x358, x373) + var x376 uint64 + var x377 uint1 + x376, x377 = addcarryxU64(x359, x356, x375) + var x378 uint64 + var x379 uint1 + x378, x379 = addcarryxU64(x357, x354, x377) + var x381 uint1 + _, x381 = addcarryxU64(x340, x366, 0x0) + var x382 uint64 + var x383 uint1 + x382, x383 = addcarryxU64(x342, x368, x381) + var x384 uint64 + var x385 uint1 + x384, x385 = addcarryxU64(x344, x370, x383) + var x386 uint64 + var x387 uint1 + x386, x387 = addcarryxU64(x346, x372, x385) + var x388 uint64 + var x389 uint1 + x388, x389 = addcarryxU64(x348, x374, x387) + var x390 uint64 + var x391 uint1 + x390, x391 = addcarryxU64(x350, x376, x389) + var x392 uint64 + var x393 uint1 + x392, x393 = addcarryxU64(x352, x378, x391) + var x394 uint64 + var x395 uint64 + x395, x394 = bits.Mul64(x5, 0x25a89bcdd12a) + var x396 uint64 + var x397 uint64 + x397, x396 = bits.Mul64(x5, 0x69e16a61c7686d9a) + var x398 uint64 + var x399 uint64 + x399, x398 = bits.Mul64(x5, 0xabcd92bf2dde347e) + var x400 uint64 + var x401 uint64 + x401, x400 = bits.Mul64(x5, 0x175cc6af8d6c7c0b) + var x402 
uint64 + var x403 uint64 + x403, x402 = bits.Mul64(x5, 0xab27973f8311688d) + var x404 uint64 + var x405 uint64 + x405, x404 = bits.Mul64(x5, 0xacec7367768798c2) + var x406 uint64 + var x407 uint64 + x407, x406 = bits.Mul64(x5, 0x28e55b65dcd69b30) + var x408 uint64 + var x409 uint1 + x408, x409 = addcarryxU64(x407, x404, 0x0) + var x410 uint64 + var x411 uint1 + x410, x411 = addcarryxU64(x405, x402, x409) + var x412 uint64 + var x413 uint1 + x412, x413 = addcarryxU64(x403, x400, x411) + var x414 uint64 + var x415 uint1 + x414, x415 = addcarryxU64(x401, x398, x413) + var x416 uint64 + var x417 uint1 + x416, x417 = addcarryxU64(x399, x396, x415) + var x418 uint64 + var x419 uint1 + x418, x419 = addcarryxU64(x397, x394, x417) + var x420 uint64 + var x421 uint1 + x420, x421 = addcarryxU64(x382, x406, 0x0) + var x422 uint64 + var x423 uint1 + x422, x423 = addcarryxU64(x384, x408, x421) + var x424 uint64 + var x425 uint1 + x424, x425 = addcarryxU64(x386, x410, x423) + var x426 uint64 + var x427 uint1 + x426, x427 = addcarryxU64(x388, x412, x425) + var x428 uint64 + var x429 uint1 + x428, x429 = addcarryxU64(x390, x414, x427) + var x430 uint64 + var x431 uint1 + x430, x431 = addcarryxU64(x392, x416, x429) + var x432 uint64 + var x433 uint1 + x432, x433 = addcarryxU64(((uint64(x393) + (uint64(x353) + (uint64(x339) + x315))) + (uint64(x379) + x355)), x418, x431) + var x434 uint64 + var x435 uint64 + x435, x434 = bits.Mul64(x420, 0x2341f27177344) + var x436 uint64 + var x437 uint64 + x437, x436 = bits.Mul64(x420, 0x6cfc5fd681c52056) + var x438 uint64 + var x439 uint64 + x439, x438 = bits.Mul64(x420, 0x7bc65c783158aea3) + var x440 uint64 + var x441 uint64 + x441, x440 = bits.Mul64(x420, 0xfdc1767ae2ffffff) + var x442 uint64 + var x443 uint64 + x443, x442 = bits.Mul64(x420, 0xffffffffffffffff) + var x444 uint64 + var x445 uint64 + x445, x444 = bits.Mul64(x420, 0xffffffffffffffff) + var x446 uint64 + var x447 uint64 + x447, x446 = bits.Mul64(x420, 0xffffffffffffffff) + var x448 
uint64 + var x449 uint1 + x448, x449 = addcarryxU64(x447, x444, 0x0) + var x450 uint64 + var x451 uint1 + x450, x451 = addcarryxU64(x445, x442, x449) + var x452 uint64 + var x453 uint1 + x452, x453 = addcarryxU64(x443, x440, x451) + var x454 uint64 + var x455 uint1 + x454, x455 = addcarryxU64(x441, x438, x453) + var x456 uint64 + var x457 uint1 + x456, x457 = addcarryxU64(x439, x436, x455) + var x458 uint64 + var x459 uint1 + x458, x459 = addcarryxU64(x437, x434, x457) + var x461 uint1 + _, x461 = addcarryxU64(x420, x446, 0x0) + var x462 uint64 + var x463 uint1 + x462, x463 = addcarryxU64(x422, x448, x461) + var x464 uint64 + var x465 uint1 + x464, x465 = addcarryxU64(x424, x450, x463) + var x466 uint64 + var x467 uint1 + x466, x467 = addcarryxU64(x426, x452, x465) + var x468 uint64 + var x469 uint1 + x468, x469 = addcarryxU64(x428, x454, x467) + var x470 uint64 + var x471 uint1 + x470, x471 = addcarryxU64(x430, x456, x469) + var x472 uint64 + var x473 uint1 + x472, x473 = addcarryxU64(x432, x458, x471) + var x474 uint64 + var x475 uint64 + x475, x474 = bits.Mul64(x6, 0x25a89bcdd12a) + var x476 uint64 + var x477 uint64 + x477, x476 = bits.Mul64(x6, 0x69e16a61c7686d9a) + var x478 uint64 + var x479 uint64 + x479, x478 = bits.Mul64(x6, 0xabcd92bf2dde347e) + var x480 uint64 + var x481 uint64 + x481, x480 = bits.Mul64(x6, 0x175cc6af8d6c7c0b) + var x482 uint64 + var x483 uint64 + x483, x482 = bits.Mul64(x6, 0xab27973f8311688d) + var x484 uint64 + var x485 uint64 + x485, x484 = bits.Mul64(x6, 0xacec7367768798c2) + var x486 uint64 + var x487 uint64 + x487, x486 = bits.Mul64(x6, 0x28e55b65dcd69b30) + var x488 uint64 + var x489 uint1 + x488, x489 = addcarryxU64(x487, x484, 0x0) + var x490 uint64 + var x491 uint1 + x490, x491 = addcarryxU64(x485, x482, x489) + var x492 uint64 + var x493 uint1 + x492, x493 = addcarryxU64(x483, x480, x491) + var x494 uint64 + var x495 uint1 + x494, x495 = addcarryxU64(x481, x478, x493) + var x496 uint64 + var x497 uint1 + x496, x497 = 
addcarryxU64(x479, x476, x495) + var x498 uint64 + var x499 uint1 + x498, x499 = addcarryxU64(x477, x474, x497) + var x500 uint64 + var x501 uint1 + x500, x501 = addcarryxU64(x462, x486, 0x0) + var x502 uint64 + var x503 uint1 + x502, x503 = addcarryxU64(x464, x488, x501) + var x504 uint64 + var x505 uint1 + x504, x505 = addcarryxU64(x466, x490, x503) + var x506 uint64 + var x507 uint1 + x506, x507 = addcarryxU64(x468, x492, x505) + var x508 uint64 + var x509 uint1 + x508, x509 = addcarryxU64(x470, x494, x507) + var x510 uint64 + var x511 uint1 + x510, x511 = addcarryxU64(x472, x496, x509) + var x512 uint64 + var x513 uint1 + x512, x513 = addcarryxU64(((uint64(x473) + (uint64(x433) + (uint64(x419) + x395))) + (uint64(x459) + x435)), x498, x511) + var x514 uint64 + var x515 uint64 + x515, x514 = bits.Mul64(x500, 0x2341f27177344) + var x516 uint64 + var x517 uint64 + x517, x516 = bits.Mul64(x500, 0x6cfc5fd681c52056) + var x518 uint64 + var x519 uint64 + x519, x518 = bits.Mul64(x500, 0x7bc65c783158aea3) + var x520 uint64 + var x521 uint64 + x521, x520 = bits.Mul64(x500, 0xfdc1767ae2ffffff) + var x522 uint64 + var x523 uint64 + x523, x522 = bits.Mul64(x500, 0xffffffffffffffff) + var x524 uint64 + var x525 uint64 + x525, x524 = bits.Mul64(x500, 0xffffffffffffffff) + var x526 uint64 + var x527 uint64 + x527, x526 = bits.Mul64(x500, 0xffffffffffffffff) + var x528 uint64 + var x529 uint1 + x528, x529 = addcarryxU64(x527, x524, 0x0) + var x530 uint64 + var x531 uint1 + x530, x531 = addcarryxU64(x525, x522, x529) + var x532 uint64 + var x533 uint1 + x532, x533 = addcarryxU64(x523, x520, x531) + var x534 uint64 + var x535 uint1 + x534, x535 = addcarryxU64(x521, x518, x533) + var x536 uint64 + var x537 uint1 + x536, x537 = addcarryxU64(x519, x516, x535) + var x538 uint64 + var x539 uint1 + x538, x539 = addcarryxU64(x517, x514, x537) + var x541 uint1 + _, x541 = addcarryxU64(x500, x526, 0x0) + var x542 uint64 + var x543 uint1 + x542, x543 = addcarryxU64(x502, x528, x541) + var 
x544 uint64 + var x545 uint1 + x544, x545 = addcarryxU64(x504, x530, x543) + var x546 uint64 + var x547 uint1 + x546, x547 = addcarryxU64(x506, x532, x545) + var x548 uint64 + var x549 uint1 + x548, x549 = addcarryxU64(x508, x534, x547) + var x550 uint64 + var x551 uint1 + x550, x551 = addcarryxU64(x510, x536, x549) + var x552 uint64 + var x553 uint1 + x552, x553 = addcarryxU64(x512, x538, x551) + x554 := ((uint64(x553) + (uint64(x513) + (uint64(x499) + x475))) + (uint64(x539) + x515)) + var x555 uint64 + var x556 uint1 + x555, x556 = subborrowxU64(x542, 0xffffffffffffffff, 0x0) + var x557 uint64 + var x558 uint1 + x557, x558 = subborrowxU64(x544, 0xffffffffffffffff, x556) + var x559 uint64 + var x560 uint1 + x559, x560 = subborrowxU64(x546, 0xffffffffffffffff, x558) + var x561 uint64 + var x562 uint1 + x561, x562 = subborrowxU64(x548, 0xfdc1767ae2ffffff, x560) + var x563 uint64 + var x564 uint1 + x563, x564 = subborrowxU64(x550, 0x7bc65c783158aea3, x562) + var x565 uint64 + var x566 uint1 + x565, x566 = subborrowxU64(x552, 0x6cfc5fd681c52056, x564) + var x567 uint64 + var x568 uint1 + x567, x568 = subborrowxU64(x554, 0x2341f27177344, x566) + var x570 uint1 + _, x570 = subborrowxU64(uint64(0x0), uint64(0x0), x568) + var x571 uint64 + cmovznzU64(&x571, x570, x555, x542) + var x572 uint64 + cmovznzU64(&x572, x570, x557, x544) + var x573 uint64 + cmovznzU64(&x573, x570, x559, x546) + var x574 uint64 + cmovznzU64(&x574, x570, x561, x548) + var x575 uint64 + cmovznzU64(&x575, x570, x563, x550) + var x576 uint64 + cmovznzU64(&x576, x570, x565, x552) + var x577 uint64 + cmovznzU64(&x577, x570, x567, x554) + out1[0] = x571 + out1[1] = x572 + out1[2] = x573 + out1[3] = x574 + out1[4] = x575 + out1[5] = x576 + out1[6] = x577 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func Nonzero(out1 *uint64, arg1 *[7]uint64) { - var x1 uint64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | (arg1[6]))))))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | (arg1[3] | (arg1[4] | (arg1[5] | arg1[6])))))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. +// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[7]uint64, arg1 uint1, arg2 *[7]uint64, arg3 *[7]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint64 - cmovznzU64(&x5, arg1, 
(arg2[4]), (arg3[4])) - var x6 uint64 - cmovznzU64(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint64 - cmovznzU64(&x7, arg1, (arg2[6]), (arg3[6])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + var x5 uint64 + cmovznzU64(&x5, arg1, arg2[4], arg3[4]) + var x6 uint64 + cmovznzU64(&x6, arg1, arg2[5], arg3[5]) + var x7 uint64 + cmovznzU64(&x7, arg1, arg2[6], arg3[6]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..54] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x3ffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 
0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..54] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x3ffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] func ToBytes(out1 *[55]uint8, arg1 *[7]uint64) { - var x1 uint64 = (arg1[6]) - var x2 uint64 = (arg1[5]) - var x3 uint64 = (arg1[4]) - var x4 uint64 = (arg1[3]) - var x5 uint64 = (arg1[2]) - var x6 uint64 = (arg1[1]) - var x7 uint64 = (arg1[0]) - var x8 uint8 = (uint8(x7) & 0xff) - var x9 uint64 = (x7 >> 8) - var x10 uint8 = (uint8(x9) & 0xff) - var x11 uint64 = (x9 >> 8) - var x12 uint8 = (uint8(x11) & 0xff) - var x13 uint64 = (x11 >> 8) - var x14 uint8 = (uint8(x13) & 0xff) - var x15 uint64 = (x13 >> 8) - var x16 uint8 = (uint8(x15) & 0xff) 
- var x17 uint64 = (x15 >> 8) - var x18 uint8 = (uint8(x17) & 0xff) - var x19 uint64 = (x17 >> 8) - var x20 uint8 = (uint8(x19) & 0xff) - var x21 uint8 = uint8((x19 >> 8)) - var x22 uint8 = (uint8(x6) & 0xff) - var x23 uint64 = (x6 >> 8) - var x24 uint8 = (uint8(x23) & 0xff) - var x25 uint64 = (x23 >> 8) - var x26 uint8 = (uint8(x25) & 0xff) - var x27 uint64 = (x25 >> 8) - var x28 uint8 = (uint8(x27) & 0xff) - var x29 uint64 = (x27 >> 8) - var x30 uint8 = (uint8(x29) & 0xff) - var x31 uint64 = (x29 >> 8) - var x32 uint8 = (uint8(x31) & 0xff) - var x33 uint64 = (x31 >> 8) - var x34 uint8 = (uint8(x33) & 0xff) - var x35 uint8 = uint8((x33 >> 8)) - var x36 uint8 = (uint8(x5) & 0xff) - var x37 uint64 = (x5 >> 8) - var x38 uint8 = (uint8(x37) & 0xff) - var x39 uint64 = (x37 >> 8) - var x40 uint8 = (uint8(x39) & 0xff) - var x41 uint64 = (x39 >> 8) - var x42 uint8 = (uint8(x41) & 0xff) - var x43 uint64 = (x41 >> 8) - var x44 uint8 = (uint8(x43) & 0xff) - var x45 uint64 = (x43 >> 8) - var x46 uint8 = (uint8(x45) & 0xff) - var x47 uint64 = (x45 >> 8) - var x48 uint8 = (uint8(x47) & 0xff) - var x49 uint8 = uint8((x47 >> 8)) - var x50 uint8 = (uint8(x4) & 0xff) - var x51 uint64 = (x4 >> 8) - var x52 uint8 = (uint8(x51) & 0xff) - var x53 uint64 = (x51 >> 8) - var x54 uint8 = (uint8(x53) & 0xff) - var x55 uint64 = (x53 >> 8) - var x56 uint8 = (uint8(x55) & 0xff) - var x57 uint64 = (x55 >> 8) - var x58 uint8 = (uint8(x57) & 0xff) - var x59 uint64 = (x57 >> 8) - var x60 uint8 = (uint8(x59) & 0xff) - var x61 uint64 = (x59 >> 8) - var x62 uint8 = (uint8(x61) & 0xff) - var x63 uint8 = uint8((x61 >> 8)) - var x64 uint8 = (uint8(x3) & 0xff) - var x65 uint64 = (x3 >> 8) - var x66 uint8 = (uint8(x65) & 0xff) - var x67 uint64 = (x65 >> 8) - var x68 uint8 = (uint8(x67) & 0xff) - var x69 uint64 = (x67 >> 8) - var x70 uint8 = (uint8(x69) & 0xff) - var x71 uint64 = (x69 >> 8) - var x72 uint8 = (uint8(x71) & 0xff) - var x73 uint64 = (x71 >> 8) - var x74 uint8 = (uint8(x73) & 0xff) - var x75 
uint64 = (x73 >> 8) - var x76 uint8 = (uint8(x75) & 0xff) - var x77 uint8 = uint8((x75 >> 8)) - var x78 uint8 = (uint8(x2) & 0xff) - var x79 uint64 = (x2 >> 8) - var x80 uint8 = (uint8(x79) & 0xff) - var x81 uint64 = (x79 >> 8) - var x82 uint8 = (uint8(x81) & 0xff) - var x83 uint64 = (x81 >> 8) - var x84 uint8 = (uint8(x83) & 0xff) - var x85 uint64 = (x83 >> 8) - var x86 uint8 = (uint8(x85) & 0xff) - var x87 uint64 = (x85 >> 8) - var x88 uint8 = (uint8(x87) & 0xff) - var x89 uint64 = (x87 >> 8) - var x90 uint8 = (uint8(x89) & 0xff) - var x91 uint8 = uint8((x89 >> 8)) - var x92 uint8 = (uint8(x1) & 0xff) - var x93 uint64 = (x1 >> 8) - var x94 uint8 = (uint8(x93) & 0xff) - var x95 uint64 = (x93 >> 8) - var x96 uint8 = (uint8(x95) & 0xff) - var x97 uint64 = (x95 >> 8) - var x98 uint8 = (uint8(x97) & 0xff) - var x99 uint64 = (x97 >> 8) - var x100 uint8 = (uint8(x99) & 0xff) - var x101 uint64 = (x99 >> 8) - var x102 uint8 = (uint8(x101) & 0xff) - var x103 uint8 = uint8((x101 >> 8)) - out1[0] = x8 - out1[1] = x10 - out1[2] = x12 - out1[3] = x14 - out1[4] = x16 - out1[5] = x18 - out1[6] = x20 - out1[7] = x21 - out1[8] = x22 - out1[9] = x24 - out1[10] = x26 - out1[11] = x28 - out1[12] = x30 - out1[13] = x32 - out1[14] = x34 - out1[15] = x35 - out1[16] = x36 - out1[17] = x38 - out1[18] = x40 - out1[19] = x42 - out1[20] = x44 - out1[21] = x46 - out1[22] = x48 - out1[23] = x49 - out1[24] = x50 - out1[25] = x52 - out1[26] = x54 - out1[27] = x56 - out1[28] = x58 - out1[29] = x60 - out1[30] = x62 - out1[31] = x63 - out1[32] = x64 - out1[33] = x66 - out1[34] = x68 - out1[35] = x70 - out1[36] = x72 - out1[37] = x74 - out1[38] = x76 - out1[39] = x77 - out1[40] = x78 - out1[41] = x80 - out1[42] = x82 - out1[43] = x84 - out1[44] = x86 - out1[45] = x88 - out1[46] = x90 - out1[47] = x91 - out1[48] = x92 - out1[49] = x94 - out1[50] = x96 - out1[51] = x98 - out1[52] = x100 - out1[53] = x102 - out1[54] = x103 + x1 := arg1[6] + x2 := arg1[5] + x3 := arg1[4] + x4 := arg1[3] + x5 := arg1[2] 
+ x6 := arg1[1] + x7 := arg1[0] + x8 := (uint8(x7) & 0xff) + x9 := (x7 >> 8) + x10 := (uint8(x9) & 0xff) + x11 := (x9 >> 8) + x12 := (uint8(x11) & 0xff) + x13 := (x11 >> 8) + x14 := (uint8(x13) & 0xff) + x15 := (x13 >> 8) + x16 := (uint8(x15) & 0xff) + x17 := (x15 >> 8) + x18 := (uint8(x17) & 0xff) + x19 := (x17 >> 8) + x20 := (uint8(x19) & 0xff) + x21 := uint8((x19 >> 8)) + x22 := (uint8(x6) & 0xff) + x23 := (x6 >> 8) + x24 := (uint8(x23) & 0xff) + x25 := (x23 >> 8) + x26 := (uint8(x25) & 0xff) + x27 := (x25 >> 8) + x28 := (uint8(x27) & 0xff) + x29 := (x27 >> 8) + x30 := (uint8(x29) & 0xff) + x31 := (x29 >> 8) + x32 := (uint8(x31) & 0xff) + x33 := (x31 >> 8) + x34 := (uint8(x33) & 0xff) + x35 := uint8((x33 >> 8)) + x36 := (uint8(x5) & 0xff) + x37 := (x5 >> 8) + x38 := (uint8(x37) & 0xff) + x39 := (x37 >> 8) + x40 := (uint8(x39) & 0xff) + x41 := (x39 >> 8) + x42 := (uint8(x41) & 0xff) + x43 := (x41 >> 8) + x44 := (uint8(x43) & 0xff) + x45 := (x43 >> 8) + x46 := (uint8(x45) & 0xff) + x47 := (x45 >> 8) + x48 := (uint8(x47) & 0xff) + x49 := uint8((x47 >> 8)) + x50 := (uint8(x4) & 0xff) + x51 := (x4 >> 8) + x52 := (uint8(x51) & 0xff) + x53 := (x51 >> 8) + x54 := (uint8(x53) & 0xff) + x55 := (x53 >> 8) + x56 := (uint8(x55) & 0xff) + x57 := (x55 >> 8) + x58 := (uint8(x57) & 0xff) + x59 := (x57 >> 8) + x60 := (uint8(x59) & 0xff) + x61 := (x59 >> 8) + x62 := (uint8(x61) & 0xff) + x63 := uint8((x61 >> 8)) + x64 := (uint8(x3) & 0xff) + x65 := (x3 >> 8) + x66 := (uint8(x65) & 0xff) + x67 := (x65 >> 8) + x68 := (uint8(x67) & 0xff) + x69 := (x67 >> 8) + x70 := (uint8(x69) & 0xff) + x71 := (x69 >> 8) + x72 := (uint8(x71) & 0xff) + x73 := (x71 >> 8) + x74 := (uint8(x73) & 0xff) + x75 := (x73 >> 8) + x76 := (uint8(x75) & 0xff) + x77 := uint8((x75 >> 8)) + x78 := (uint8(x2) & 0xff) + x79 := (x2 >> 8) + x80 := (uint8(x79) & 0xff) + x81 := (x79 >> 8) + x82 := (uint8(x81) & 0xff) + x83 := (x81 >> 8) + x84 := (uint8(x83) & 0xff) + x85 := (x83 >> 8) + x86 := (uint8(x85) & 0xff) + x87 := 
(x85 >> 8) + x88 := (uint8(x87) & 0xff) + x89 := (x87 >> 8) + x90 := (uint8(x89) & 0xff) + x91 := uint8((x89 >> 8)) + x92 := (uint8(x1) & 0xff) + x93 := (x1 >> 8) + x94 := (uint8(x93) & 0xff) + x95 := (x93 >> 8) + x96 := (uint8(x95) & 0xff) + x97 := (x95 >> 8) + x98 := (uint8(x97) & 0xff) + x99 := (x97 >> 8) + x100 := (uint8(x99) & 0xff) + x101 := (x99 >> 8) + x102 := (uint8(x101) & 0xff) + x103 := uint8((x101 >> 8)) + out1[0] = x8 + out1[1] = x10 + out1[2] = x12 + out1[3] = x14 + out1[4] = x16 + out1[5] = x18 + out1[6] = x20 + out1[7] = x21 + out1[8] = x22 + out1[9] = x24 + out1[10] = x26 + out1[11] = x28 + out1[12] = x30 + out1[13] = x32 + out1[14] = x34 + out1[15] = x35 + out1[16] = x36 + out1[17] = x38 + out1[18] = x40 + out1[19] = x42 + out1[20] = x44 + out1[21] = x46 + out1[22] = x48 + out1[23] = x49 + out1[24] = x50 + out1[25] = x52 + out1[26] = x54 + out1[27] = x56 + out1[28] = x58 + out1[29] = x60 + out1[30] = x62 + out1[31] = x63 + out1[32] = x64 + out1[33] = x66 + out1[34] = x68 + out1[35] = x70 + out1[36] = x72 + out1[37] = x74 + out1[38] = x76 + out1[39] = x77 + out1[40] = x78 + out1[41] = x80 + out1[42] = x82 + out1[43] = x84 + out1[44] = x86 + out1[45] = x88 + out1[46] = x90 + out1[47] = x91 + out1[48] = x92 + out1[49] = x94 + out1[50] = x96 + out1[51] = x98 + out1[52] = x100 + out1[53] = x102 + out1[54] = x103 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
- Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x3ffffffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x3ffffffffffff]] func FromBytes(out1 *[7]uint64, arg1 *[55]uint8) { - var x1 uint64 = (uint64((arg1[54])) << 48) - var x2 uint64 = (uint64((arg1[53])) << 40) - var x3 uint64 = (uint64((arg1[52])) << 32) - var x4 uint64 = (uint64((arg1[51])) << 24) - var x5 uint64 = (uint64((arg1[50])) << 16) - var x6 uint64 = (uint64((arg1[49])) << 8) - var x7 uint8 = (arg1[48]) - var x8 uint64 = (uint64((arg1[47])) << 56) - var x9 uint64 = (uint64((arg1[46])) << 48) - var x10 uint64 = (uint64((arg1[45])) << 40) - var x11 uint64 = (uint64((arg1[44])) << 32) - var x12 uint64 = (uint64((arg1[43])) << 24) - var x13 uint64 = (uint64((arg1[42])) << 16) - var x14 uint64 = (uint64((arg1[41])) << 8) - var x15 uint8 = (arg1[40]) - var x16 uint64 = (uint64((arg1[39])) << 56) - var x17 uint64 = 
(uint64((arg1[38])) << 48) - var x18 uint64 = (uint64((arg1[37])) << 40) - var x19 uint64 = (uint64((arg1[36])) << 32) - var x20 uint64 = (uint64((arg1[35])) << 24) - var x21 uint64 = (uint64((arg1[34])) << 16) - var x22 uint64 = (uint64((arg1[33])) << 8) - var x23 uint8 = (arg1[32]) - var x24 uint64 = (uint64((arg1[31])) << 56) - var x25 uint64 = (uint64((arg1[30])) << 48) - var x26 uint64 = (uint64((arg1[29])) << 40) - var x27 uint64 = (uint64((arg1[28])) << 32) - var x28 uint64 = (uint64((arg1[27])) << 24) - var x29 uint64 = (uint64((arg1[26])) << 16) - var x30 uint64 = (uint64((arg1[25])) << 8) - var x31 uint8 = (arg1[24]) - var x32 uint64 = (uint64((arg1[23])) << 56) - var x33 uint64 = (uint64((arg1[22])) << 48) - var x34 uint64 = (uint64((arg1[21])) << 40) - var x35 uint64 = (uint64((arg1[20])) << 32) - var x36 uint64 = (uint64((arg1[19])) << 24) - var x37 uint64 = (uint64((arg1[18])) << 16) - var x38 uint64 = (uint64((arg1[17])) << 8) - var x39 uint8 = (arg1[16]) - var x40 uint64 = (uint64((arg1[15])) << 56) - var x41 uint64 = (uint64((arg1[14])) << 48) - var x42 uint64 = (uint64((arg1[13])) << 40) - var x43 uint64 = (uint64((arg1[12])) << 32) - var x44 uint64 = (uint64((arg1[11])) << 24) - var x45 uint64 = (uint64((arg1[10])) << 16) - var x46 uint64 = (uint64((arg1[9])) << 8) - var x47 uint8 = (arg1[8]) - var x48 uint64 = (uint64((arg1[7])) << 56) - var x49 uint64 = (uint64((arg1[6])) << 48) - var x50 uint64 = (uint64((arg1[5])) << 40) - var x51 uint64 = (uint64((arg1[4])) << 32) - var x52 uint64 = (uint64((arg1[3])) << 24) - var x53 uint64 = (uint64((arg1[2])) << 16) - var x54 uint64 = (uint64((arg1[1])) << 8) - var x55 uint8 = (arg1[0]) - var x56 uint64 = (x54 + uint64(x55)) - var x57 uint64 = (x53 + x56) - var x58 uint64 = (x52 + x57) - var x59 uint64 = (x51 + x58) - var x60 uint64 = (x50 + x59) - var x61 uint64 = (x49 + x60) - var x62 uint64 = (x48 + x61) - var x63 uint64 = (x46 + uint64(x47)) - var x64 uint64 = (x45 + x63) - var x65 uint64 = (x44 + 
x64) - var x66 uint64 = (x43 + x65) - var x67 uint64 = (x42 + x66) - var x68 uint64 = (x41 + x67) - var x69 uint64 = (x40 + x68) - var x70 uint64 = (x38 + uint64(x39)) - var x71 uint64 = (x37 + x70) - var x72 uint64 = (x36 + x71) - var x73 uint64 = (x35 + x72) - var x74 uint64 = (x34 + x73) - var x75 uint64 = (x33 + x74) - var x76 uint64 = (x32 + x75) - var x77 uint64 = (x30 + uint64(x31)) - var x78 uint64 = (x29 + x77) - var x79 uint64 = (x28 + x78) - var x80 uint64 = (x27 + x79) - var x81 uint64 = (x26 + x80) - var x82 uint64 = (x25 + x81) - var x83 uint64 = (x24 + x82) - var x84 uint64 = (x22 + uint64(x23)) - var x85 uint64 = (x21 + x84) - var x86 uint64 = (x20 + x85) - var x87 uint64 = (x19 + x86) - var x88 uint64 = (x18 + x87) - var x89 uint64 = (x17 + x88) - var x90 uint64 = (x16 + x89) - var x91 uint64 = (x14 + uint64(x15)) - var x92 uint64 = (x13 + x91) - var x93 uint64 = (x12 + x92) - var x94 uint64 = (x11 + x93) - var x95 uint64 = (x10 + x94) - var x96 uint64 = (x9 + x95) - var x97 uint64 = (x8 + x96) - var x98 uint64 = (x6 + uint64(x7)) - var x99 uint64 = (x5 + x98) - var x100 uint64 = (x4 + x99) - var x101 uint64 = (x3 + x100) - var x102 uint64 = (x2 + x101) - var x103 uint64 = (x1 + x102) - out1[0] = x62 - out1[1] = x69 - out1[2] = x76 - out1[3] = x83 - out1[4] = x90 - out1[5] = x97 - out1[6] = x103 + x1 := (uint64(arg1[54]) << 48) + x2 := (uint64(arg1[53]) << 40) + x3 := (uint64(arg1[52]) << 32) + x4 := (uint64(arg1[51]) << 24) + x5 := (uint64(arg1[50]) << 16) + x6 := (uint64(arg1[49]) << 8) + x7 := arg1[48] + x8 := (uint64(arg1[47]) << 56) + x9 := (uint64(arg1[46]) << 48) + x10 := (uint64(arg1[45]) << 40) + x11 := (uint64(arg1[44]) << 32) + x12 := (uint64(arg1[43]) << 24) + x13 := (uint64(arg1[42]) << 16) + x14 := (uint64(arg1[41]) << 8) + x15 := arg1[40] + x16 := (uint64(arg1[39]) << 56) + x17 := (uint64(arg1[38]) << 48) + x18 := (uint64(arg1[37]) << 40) + x19 := (uint64(arg1[36]) << 32) + x20 := (uint64(arg1[35]) << 24) + x21 := (uint64(arg1[34]) 
<< 16) + x22 := (uint64(arg1[33]) << 8) + x23 := arg1[32] + x24 := (uint64(arg1[31]) << 56) + x25 := (uint64(arg1[30]) << 48) + x26 := (uint64(arg1[29]) << 40) + x27 := (uint64(arg1[28]) << 32) + x28 := (uint64(arg1[27]) << 24) + x29 := (uint64(arg1[26]) << 16) + x30 := (uint64(arg1[25]) << 8) + x31 := arg1[24] + x32 := (uint64(arg1[23]) << 56) + x33 := (uint64(arg1[22]) << 48) + x34 := (uint64(arg1[21]) << 40) + x35 := (uint64(arg1[20]) << 32) + x36 := (uint64(arg1[19]) << 24) + x37 := (uint64(arg1[18]) << 16) + x38 := (uint64(arg1[17]) << 8) + x39 := arg1[16] + x40 := (uint64(arg1[15]) << 56) + x41 := (uint64(arg1[14]) << 48) + x42 := (uint64(arg1[13]) << 40) + x43 := (uint64(arg1[12]) << 32) + x44 := (uint64(arg1[11]) << 24) + x45 := (uint64(arg1[10]) << 16) + x46 := (uint64(arg1[9]) << 8) + x47 := arg1[8] + x48 := (uint64(arg1[7]) << 56) + x49 := (uint64(arg1[6]) << 48) + x50 := (uint64(arg1[5]) << 40) + x51 := (uint64(arg1[4]) << 32) + x52 := (uint64(arg1[3]) << 24) + x53 := (uint64(arg1[2]) << 16) + x54 := (uint64(arg1[1]) << 8) + x55 := arg1[0] + x56 := (x54 + uint64(x55)) + x57 := (x53 + x56) + x58 := (x52 + x57) + x59 := (x51 + x58) + x60 := (x50 + x59) + x61 := (x49 + x60) + x62 := (x48 + x61) + x63 := (x46 + uint64(x47)) + x64 := (x45 + x63) + x65 := (x44 + x64) + x66 := (x43 + x65) + x67 := (x42 + x66) + x68 := (x41 + x67) + x69 := (x40 + x68) + x70 := (x38 + uint64(x39)) + x71 := (x37 + x70) + x72 := (x36 + x71) + x73 := (x35 + x72) + x74 := (x34 + x73) + x75 := (x33 + x74) + x76 := (x32 + x75) + x77 := (x30 + uint64(x31)) + x78 := (x29 + x77) + x79 := (x28 + x78) + x80 := (x27 + x79) + x81 := (x26 + x80) + x82 := (x25 + x81) + x83 := (x24 + x82) + x84 := (x22 + uint64(x23)) + x85 := (x21 + x84) + x86 := (x20 + x85) + x87 := (x19 + x86) + x88 := (x18 + x87) + x89 := (x17 + x88) + x90 := (x16 + x89) + x91 := (x14 + uint64(x15)) + x92 := (x13 + x91) + x93 := (x12 + x92) + x94 := (x11 + x93) + x95 := (x10 + x94) + x96 := (x9 + x95) + x97 := (x8 + x96) + 
x98 := (x6 + uint64(x7)) + x99 := (x5 + x98) + x100 := (x4 + x99) + x101 := (x3 + x100) + x102 := (x2 + x101) + x103 := (x1 + x102) + out1[0] = x62 + out1[1] = x69 + out1[2] = x76 + out1[3] = x83 + out1[4] = x90 + out1[5] = x97 + out1[6] = x103 } -/* - The function SetOne returns the field element one in the Montgomery domain. - Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. +// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func SetOne(out1 *[7]uint64) { - out1[0] = 0x742c - out1[1] = uint64(0x0) - out1[2] = uint64(0x0) - out1[3] = 0xb90ff404fc000000 - out1[4] = 0xd801a4fb559facd4 - out1[5] = 0xe93254545f77410c - out1[6] = 0xeceea7bd2eda + out1[0] = 0x742c + out1[1] = uint64(0x0) + out1[2] = uint64(0x0) + out1[3] = 0xb90ff404fc000000 + out1[4] = 0xd801a4fb559facd4 + out1[5] = 0xe93254545f77410c + out1[6] = 0xeceea7bd2eda } -/* - The function Msat returns the saturated representation of the prime modulus. 
- Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. +// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Msat(out1 *[8]uint64) { - out1[0] = 0xffffffffffffffff - out1[1] = 0xffffffffffffffff - out1[2] = 0xffffffffffffffff - out1[3] = 0xfdc1767ae2ffffff - out1[4] = 0x7bc65c783158aea3 - out1[5] = 0x6cfc5fd681c52056 - out1[6] = 0x2341f27177344 - out1[7] = uint64(0x0) + out1[0] = 0xffffffffffffffff + out1[1] = 0xffffffffffffffff + out1[2] = 0xffffffffffffffff + out1[3] = 0xfdc1767ae2ffffff + out1[4] = 0x7bc65c783158aea3 + out1[5] = 0x6cfc5fd681c52056 + out1[6] = 0x2341f27177344 + out1[7] = uint64(0x0) } -/* - The function Divstep computes a divstep. 
- Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffffffffffff] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. 
+// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffffffffffff] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], 
[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] +// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Divstep(out1 *uint64, out2 *[8]uint64, out3 *[8]uint64, out4 *[7]uint64, out5 *[7]uint64, arg1 uint64, arg2 *[8]uint64, arg3 *[8]uint64, arg4 *[7]uint64, arg5 *[7]uint64) { - var x1 uint64 - x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 63)) & (uint1((arg3[0])) & 0x1)) - var x4 uint64 - x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x6 uint64 - cmovznzU64(&x6, x3, arg1, x4) - var x7 uint64 - cmovznzU64(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint64 - cmovznzU64(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint64 - cmovznzU64(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint64 - cmovznzU64(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint64 - cmovznzU64(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint64 - cmovznzU64(&x12, x3, (arg2[5]), (arg3[5])) - var x13 uint64 - cmovznzU64(&x13, x3, (arg2[6]), (arg3[6])) - var x14 uint64 - cmovznzU64(&x14, x3, (arg2[7]), (arg3[7])) - var x15 uint64 - var x16 
uint1 - x15, x16 = addcarryxU64(uint64(0x1), (^(arg2[0])), 0x0) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(uint64(0x0), (^(arg2[1])), x16) - var x19 uint64 - var x20 uint1 - x19, x20 = addcarryxU64(uint64(0x0), (^(arg2[2])), x18) - var x21 uint64 - var x22 uint1 - x21, x22 = addcarryxU64(uint64(0x0), (^(arg2[3])), x20) - var x23 uint64 - var x24 uint1 - x23, x24 = addcarryxU64(uint64(0x0), (^(arg2[4])), x22) - var x25 uint64 - var x26 uint1 - x25, x26 = addcarryxU64(uint64(0x0), (^(arg2[5])), x24) - var x27 uint64 - var x28 uint1 - x27, x28 = addcarryxU64(uint64(0x0), (^(arg2[6])), x26) - var x29 uint64 - x29, _ = addcarryxU64(uint64(0x0), (^(arg2[7])), x28) - var x31 uint64 - cmovznzU64(&x31, x3, (arg3[0]), x15) - var x32 uint64 - cmovznzU64(&x32, x3, (arg3[1]), x17) - var x33 uint64 - cmovznzU64(&x33, x3, (arg3[2]), x19) - var x34 uint64 - cmovznzU64(&x34, x3, (arg3[3]), x21) - var x35 uint64 - cmovznzU64(&x35, x3, (arg3[4]), x23) - var x36 uint64 - cmovznzU64(&x36, x3, (arg3[5]), x25) - var x37 uint64 - cmovznzU64(&x37, x3, (arg3[6]), x27) - var x38 uint64 - cmovznzU64(&x38, x3, (arg3[7]), x29) - var x39 uint64 - cmovznzU64(&x39, x3, (arg4[0]), (arg5[0])) - var x40 uint64 - cmovznzU64(&x40, x3, (arg4[1]), (arg5[1])) - var x41 uint64 - cmovznzU64(&x41, x3, (arg4[2]), (arg5[2])) - var x42 uint64 - cmovznzU64(&x42, x3, (arg4[3]), (arg5[3])) - var x43 uint64 - cmovznzU64(&x43, x3, (arg4[4]), (arg5[4])) - var x44 uint64 - cmovznzU64(&x44, x3, (arg4[5]), (arg5[5])) - var x45 uint64 - cmovznzU64(&x45, x3, (arg4[6]), (arg5[6])) - var x46 uint64 - var x47 uint1 - x46, x47 = addcarryxU64(x39, x39, 0x0) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x40, x40, x47) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x41, x41, x49) - var x52 uint64 - var x53 uint1 - x52, x53 = addcarryxU64(x42, x42, x51) - var x54 uint64 - var x55 uint1 - x54, x55 = addcarryxU64(x43, x43, x53) - var x56 uint64 - var x57 uint1 - x56, x57 = addcarryxU64(x44, 
x44, x55) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x45, x45, x57) - var x60 uint64 - var x61 uint1 - x60, x61 = subborrowxU64(x46, 0xffffffffffffffff, 0x0) - var x62 uint64 - var x63 uint1 - x62, x63 = subborrowxU64(x48, 0xffffffffffffffff, x61) - var x64 uint64 - var x65 uint1 - x64, x65 = subborrowxU64(x50, 0xffffffffffffffff, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = subborrowxU64(x52, 0xfdc1767ae2ffffff, x65) - var x68 uint64 - var x69 uint1 - x68, x69 = subborrowxU64(x54, 0x7bc65c783158aea3, x67) - var x70 uint64 - var x71 uint1 - x70, x71 = subborrowxU64(x56, 0x6cfc5fd681c52056, x69) - var x72 uint64 - var x73 uint1 - x72, x73 = subborrowxU64(x58, 0x2341f27177344, x71) - var x75 uint1 - _, x75 = subborrowxU64(uint64(x59), uint64(0x0), x73) - var x76 uint64 = (arg4[6]) - var x77 uint64 = (arg4[5]) - var x78 uint64 = (arg4[4]) - var x79 uint64 = (arg4[3]) - var x80 uint64 = (arg4[2]) - var x81 uint64 = (arg4[1]) - var x82 uint64 = (arg4[0]) - var x83 uint64 - var x84 uint1 - x83, x84 = subborrowxU64(uint64(0x0), x82, 0x0) - var x85 uint64 - var x86 uint1 - x85, x86 = subborrowxU64(uint64(0x0), x81, x84) - var x87 uint64 - var x88 uint1 - x87, x88 = subborrowxU64(uint64(0x0), x80, x86) - var x89 uint64 - var x90 uint1 - x89, x90 = subborrowxU64(uint64(0x0), x79, x88) - var x91 uint64 - var x92 uint1 - x91, x92 = subborrowxU64(uint64(0x0), x78, x90) - var x93 uint64 - var x94 uint1 - x93, x94 = subborrowxU64(uint64(0x0), x77, x92) - var x95 uint64 - var x96 uint1 - x95, x96 = subborrowxU64(uint64(0x0), x76, x94) - var x97 uint64 - cmovznzU64(&x97, x96, uint64(0x0), 0xffffffffffffffff) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x83, x97, 0x0) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x85, x97, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x87, x97, x101) - var x104 uint64 - var x105 uint1 - x104, x105 = addcarryxU64(x89, (x97 & 0xfdc1767ae2ffffff), x103) - var x106 uint64 - var 
x107 uint1 - x106, x107 = addcarryxU64(x91, (x97 & 0x7bc65c783158aea3), x105) - var x108 uint64 - var x109 uint1 - x108, x109 = addcarryxU64(x93, (x97 & 0x6cfc5fd681c52056), x107) - var x110 uint64 - x110, _ = addcarryxU64(x95, (x97 & 0x2341f27177344), x109) - var x112 uint64 - cmovznzU64(&x112, x3, (arg5[0]), x98) - var x113 uint64 - cmovznzU64(&x113, x3, (arg5[1]), x100) - var x114 uint64 - cmovznzU64(&x114, x3, (arg5[2]), x102) - var x115 uint64 - cmovznzU64(&x115, x3, (arg5[3]), x104) - var x116 uint64 - cmovznzU64(&x116, x3, (arg5[4]), x106) - var x117 uint64 - cmovznzU64(&x117, x3, (arg5[5]), x108) - var x118 uint64 - cmovznzU64(&x118, x3, (arg5[6]), x110) - var x119 uint1 = (uint1(x31) & 0x1) - var x120 uint64 - cmovznzU64(&x120, x119, uint64(0x0), x7) - var x121 uint64 - cmovznzU64(&x121, x119, uint64(0x0), x8) - var x122 uint64 - cmovznzU64(&x122, x119, uint64(0x0), x9) - var x123 uint64 - cmovznzU64(&x123, x119, uint64(0x0), x10) - var x124 uint64 - cmovznzU64(&x124, x119, uint64(0x0), x11) - var x125 uint64 - cmovznzU64(&x125, x119, uint64(0x0), x12) - var x126 uint64 - cmovznzU64(&x126, x119, uint64(0x0), x13) - var x127 uint64 - cmovznzU64(&x127, x119, uint64(0x0), x14) - var x128 uint64 - var x129 uint1 - x128, x129 = addcarryxU64(x31, x120, 0x0) - var x130 uint64 - var x131 uint1 - x130, x131 = addcarryxU64(x32, x121, x129) - var x132 uint64 - var x133 uint1 - x132, x133 = addcarryxU64(x33, x122, x131) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x34, x123, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = addcarryxU64(x35, x124, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x36, x125, x137) - var x140 uint64 - var x141 uint1 - x140, x141 = addcarryxU64(x37, x126, x139) - var x142 uint64 - x142, _ = addcarryxU64(x38, x127, x141) - var x144 uint64 - cmovznzU64(&x144, x119, uint64(0x0), x39) - var x145 uint64 - cmovznzU64(&x145, x119, uint64(0x0), x40) - var x146 uint64 - cmovznzU64(&x146, x119, 
uint64(0x0), x41) - var x147 uint64 - cmovznzU64(&x147, x119, uint64(0x0), x42) - var x148 uint64 - cmovznzU64(&x148, x119, uint64(0x0), x43) - var x149 uint64 - cmovznzU64(&x149, x119, uint64(0x0), x44) - var x150 uint64 - cmovznzU64(&x150, x119, uint64(0x0), x45) - var x151 uint64 - var x152 uint1 - x151, x152 = addcarryxU64(x112, x144, 0x0) - var x153 uint64 - var x154 uint1 - x153, x154 = addcarryxU64(x113, x145, x152) - var x155 uint64 - var x156 uint1 - x155, x156 = addcarryxU64(x114, x146, x154) - var x157 uint64 - var x158 uint1 - x157, x158 = addcarryxU64(x115, x147, x156) - var x159 uint64 - var x160 uint1 - x159, x160 = addcarryxU64(x116, x148, x158) - var x161 uint64 - var x162 uint1 - x161, x162 = addcarryxU64(x117, x149, x160) - var x163 uint64 - var x164 uint1 - x163, x164 = addcarryxU64(x118, x150, x162) - var x165 uint64 - var x166 uint1 - x165, x166 = subborrowxU64(x151, 0xffffffffffffffff, 0x0) - var x167 uint64 - var x168 uint1 - x167, x168 = subborrowxU64(x153, 0xffffffffffffffff, x166) - var x169 uint64 - var x170 uint1 - x169, x170 = subborrowxU64(x155, 0xffffffffffffffff, x168) - var x171 uint64 - var x172 uint1 - x171, x172 = subborrowxU64(x157, 0xfdc1767ae2ffffff, x170) - var x173 uint64 - var x174 uint1 - x173, x174 = subborrowxU64(x159, 0x7bc65c783158aea3, x172) - var x175 uint64 - var x176 uint1 - x175, x176 = subborrowxU64(x161, 0x6cfc5fd681c52056, x174) - var x177 uint64 - var x178 uint1 - x177, x178 = subborrowxU64(x163, 0x2341f27177344, x176) - var x180 uint1 - _, x180 = subborrowxU64(uint64(x164), uint64(0x0), x178) - var x181 uint64 - x181, _ = addcarryxU64(x6, uint64(0x1), 0x0) - var x183 uint64 = ((x128 >> 1) | ((x130 << 63) & 0xffffffffffffffff)) - var x184 uint64 = ((x130 >> 1) | ((x132 << 63) & 0xffffffffffffffff)) - var x185 uint64 = ((x132 >> 1) | ((x134 << 63) & 0xffffffffffffffff)) - var x186 uint64 = ((x134 >> 1) | ((x136 << 63) & 0xffffffffffffffff)) - var x187 uint64 = ((x136 >> 1) | ((x138 << 63) & 
0xffffffffffffffff)) - var x188 uint64 = ((x138 >> 1) | ((x140 << 63) & 0xffffffffffffffff)) - var x189 uint64 = ((x140 >> 1) | ((x142 << 63) & 0xffffffffffffffff)) - var x190 uint64 = ((x142 & 0x8000000000000000) | (x142 >> 1)) - var x191 uint64 - cmovznzU64(&x191, x75, x60, x46) - var x192 uint64 - cmovznzU64(&x192, x75, x62, x48) - var x193 uint64 - cmovznzU64(&x193, x75, x64, x50) - var x194 uint64 - cmovznzU64(&x194, x75, x66, x52) - var x195 uint64 - cmovznzU64(&x195, x75, x68, x54) - var x196 uint64 - cmovznzU64(&x196, x75, x70, x56) - var x197 uint64 - cmovznzU64(&x197, x75, x72, x58) - var x198 uint64 - cmovznzU64(&x198, x180, x165, x151) - var x199 uint64 - cmovznzU64(&x199, x180, x167, x153) - var x200 uint64 - cmovznzU64(&x200, x180, x169, x155) - var x201 uint64 - cmovznzU64(&x201, x180, x171, x157) - var x202 uint64 - cmovznzU64(&x202, x180, x173, x159) - var x203 uint64 - cmovznzU64(&x203, x180, x175, x161) - var x204 uint64 - cmovznzU64(&x204, x180, x177, x163) - *out1 = x181 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out2[5] = x12 - out2[6] = x13 - out2[7] = x14 - out3[0] = x183 - out3[1] = x184 - out3[2] = x185 - out3[3] = x186 - out3[4] = x187 - out3[5] = x188 - out3[6] = x189 - out3[7] = x190 - out4[0] = x191 - out4[1] = x192 - out4[2] = x193 - out4[3] = x194 - out4[4] = x195 - out4[5] = x196 - out4[6] = x197 - out5[0] = x198 - out5[1] = x199 - out5[2] = x200 - out5[3] = x201 - out5[4] = x202 - out5[5] = x203 - out5[6] = x204 + var x1 uint64 + x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + x3 := (uint1((x1 >> 63)) & (uint1(arg3[0]) & 0x1)) + var x4 uint64 + x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + var x6 uint64 + cmovznzU64(&x6, x3, arg1, x4) + var x7 uint64 + cmovznzU64(&x7, x3, arg2[0], arg3[0]) + var x8 uint64 + cmovznzU64(&x8, x3, arg2[1], arg3[1]) + var x9 uint64 + cmovznzU64(&x9, x3, arg2[2], arg3[2]) + var x10 uint64 + cmovznzU64(&x10, x3, arg2[3], arg3[3]) + var x11 uint64 + 
cmovznzU64(&x11, x3, arg2[4], arg3[4]) + var x12 uint64 + cmovznzU64(&x12, x3, arg2[5], arg3[5]) + var x13 uint64 + cmovznzU64(&x13, x3, arg2[6], arg3[6]) + var x14 uint64 + cmovznzU64(&x14, x3, arg2[7], arg3[7]) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(uint64(0x1), (^arg2[0]), 0x0) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(uint64(0x0), (^arg2[1]), x16) + var x19 uint64 + var x20 uint1 + x19, x20 = addcarryxU64(uint64(0x0), (^arg2[2]), x18) + var x21 uint64 + var x22 uint1 + x21, x22 = addcarryxU64(uint64(0x0), (^arg2[3]), x20) + var x23 uint64 + var x24 uint1 + x23, x24 = addcarryxU64(uint64(0x0), (^arg2[4]), x22) + var x25 uint64 + var x26 uint1 + x25, x26 = addcarryxU64(uint64(0x0), (^arg2[5]), x24) + var x27 uint64 + var x28 uint1 + x27, x28 = addcarryxU64(uint64(0x0), (^arg2[6]), x26) + var x29 uint64 + x29, _ = addcarryxU64(uint64(0x0), (^arg2[7]), x28) + var x31 uint64 + cmovznzU64(&x31, x3, arg3[0], x15) + var x32 uint64 + cmovznzU64(&x32, x3, arg3[1], x17) + var x33 uint64 + cmovznzU64(&x33, x3, arg3[2], x19) + var x34 uint64 + cmovznzU64(&x34, x3, arg3[3], x21) + var x35 uint64 + cmovznzU64(&x35, x3, arg3[4], x23) + var x36 uint64 + cmovznzU64(&x36, x3, arg3[5], x25) + var x37 uint64 + cmovznzU64(&x37, x3, arg3[6], x27) + var x38 uint64 + cmovznzU64(&x38, x3, arg3[7], x29) + var x39 uint64 + cmovznzU64(&x39, x3, arg4[0], arg5[0]) + var x40 uint64 + cmovznzU64(&x40, x3, arg4[1], arg5[1]) + var x41 uint64 + cmovznzU64(&x41, x3, arg4[2], arg5[2]) + var x42 uint64 + cmovznzU64(&x42, x3, arg4[3], arg5[3]) + var x43 uint64 + cmovznzU64(&x43, x3, arg4[4], arg5[4]) + var x44 uint64 + cmovznzU64(&x44, x3, arg4[5], arg5[5]) + var x45 uint64 + cmovznzU64(&x45, x3, arg4[6], arg5[6]) + var x46 uint64 + var x47 uint1 + x46, x47 = addcarryxU64(x39, x39, 0x0) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x40, x40, x47) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x41, x41, x49) + var x52 uint64 + var x53 uint1 
+ x52, x53 = addcarryxU64(x42, x42, x51) + var x54 uint64 + var x55 uint1 + x54, x55 = addcarryxU64(x43, x43, x53) + var x56 uint64 + var x57 uint1 + x56, x57 = addcarryxU64(x44, x44, x55) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x45, x45, x57) + var x60 uint64 + var x61 uint1 + x60, x61 = subborrowxU64(x46, 0xffffffffffffffff, 0x0) + var x62 uint64 + var x63 uint1 + x62, x63 = subborrowxU64(x48, 0xffffffffffffffff, x61) + var x64 uint64 + var x65 uint1 + x64, x65 = subborrowxU64(x50, 0xffffffffffffffff, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = subborrowxU64(x52, 0xfdc1767ae2ffffff, x65) + var x68 uint64 + var x69 uint1 + x68, x69 = subborrowxU64(x54, 0x7bc65c783158aea3, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = subborrowxU64(x56, 0x6cfc5fd681c52056, x69) + var x72 uint64 + var x73 uint1 + x72, x73 = subborrowxU64(x58, 0x2341f27177344, x71) + var x75 uint1 + _, x75 = subborrowxU64(uint64(x59), uint64(0x0), x73) + x76 := arg4[6] + x77 := arg4[5] + x78 := arg4[4] + x79 := arg4[3] + x80 := arg4[2] + x81 := arg4[1] + x82 := arg4[0] + var x83 uint64 + var x84 uint1 + x83, x84 = subborrowxU64(uint64(0x0), x82, 0x0) + var x85 uint64 + var x86 uint1 + x85, x86 = subborrowxU64(uint64(0x0), x81, x84) + var x87 uint64 + var x88 uint1 + x87, x88 = subborrowxU64(uint64(0x0), x80, x86) + var x89 uint64 + var x90 uint1 + x89, x90 = subborrowxU64(uint64(0x0), x79, x88) + var x91 uint64 + var x92 uint1 + x91, x92 = subborrowxU64(uint64(0x0), x78, x90) + var x93 uint64 + var x94 uint1 + x93, x94 = subborrowxU64(uint64(0x0), x77, x92) + var x95 uint64 + var x96 uint1 + x95, x96 = subborrowxU64(uint64(0x0), x76, x94) + var x97 uint64 + cmovznzU64(&x97, x96, uint64(0x0), 0xffffffffffffffff) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x83, x97, 0x0) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x85, x97, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x87, x97, x101) + var x104 uint64 + var x105 
uint1 + x104, x105 = addcarryxU64(x89, (x97 & 0xfdc1767ae2ffffff), x103) + var x106 uint64 + var x107 uint1 + x106, x107 = addcarryxU64(x91, (x97 & 0x7bc65c783158aea3), x105) + var x108 uint64 + var x109 uint1 + x108, x109 = addcarryxU64(x93, (x97 & 0x6cfc5fd681c52056), x107) + var x110 uint64 + x110, _ = addcarryxU64(x95, (x97 & 0x2341f27177344), x109) + var x112 uint64 + cmovznzU64(&x112, x3, arg5[0], x98) + var x113 uint64 + cmovznzU64(&x113, x3, arg5[1], x100) + var x114 uint64 + cmovznzU64(&x114, x3, arg5[2], x102) + var x115 uint64 + cmovznzU64(&x115, x3, arg5[3], x104) + var x116 uint64 + cmovznzU64(&x116, x3, arg5[4], x106) + var x117 uint64 + cmovznzU64(&x117, x3, arg5[5], x108) + var x118 uint64 + cmovznzU64(&x118, x3, arg5[6], x110) + x119 := (uint1(x31) & 0x1) + var x120 uint64 + cmovznzU64(&x120, x119, uint64(0x0), x7) + var x121 uint64 + cmovznzU64(&x121, x119, uint64(0x0), x8) + var x122 uint64 + cmovznzU64(&x122, x119, uint64(0x0), x9) + var x123 uint64 + cmovznzU64(&x123, x119, uint64(0x0), x10) + var x124 uint64 + cmovznzU64(&x124, x119, uint64(0x0), x11) + var x125 uint64 + cmovznzU64(&x125, x119, uint64(0x0), x12) + var x126 uint64 + cmovznzU64(&x126, x119, uint64(0x0), x13) + var x127 uint64 + cmovznzU64(&x127, x119, uint64(0x0), x14) + var x128 uint64 + var x129 uint1 + x128, x129 = addcarryxU64(x31, x120, 0x0) + var x130 uint64 + var x131 uint1 + x130, x131 = addcarryxU64(x32, x121, x129) + var x132 uint64 + var x133 uint1 + x132, x133 = addcarryxU64(x33, x122, x131) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x34, x123, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = addcarryxU64(x35, x124, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x36, x125, x137) + var x140 uint64 + var x141 uint1 + x140, x141 = addcarryxU64(x37, x126, x139) + var x142 uint64 + x142, _ = addcarryxU64(x38, x127, x141) + var x144 uint64 + cmovznzU64(&x144, x119, uint64(0x0), x39) + var x145 uint64 + cmovznzU64(&x145, 
x119, uint64(0x0), x40) + var x146 uint64 + cmovznzU64(&x146, x119, uint64(0x0), x41) + var x147 uint64 + cmovznzU64(&x147, x119, uint64(0x0), x42) + var x148 uint64 + cmovznzU64(&x148, x119, uint64(0x0), x43) + var x149 uint64 + cmovznzU64(&x149, x119, uint64(0x0), x44) + var x150 uint64 + cmovznzU64(&x150, x119, uint64(0x0), x45) + var x151 uint64 + var x152 uint1 + x151, x152 = addcarryxU64(x112, x144, 0x0) + var x153 uint64 + var x154 uint1 + x153, x154 = addcarryxU64(x113, x145, x152) + var x155 uint64 + var x156 uint1 + x155, x156 = addcarryxU64(x114, x146, x154) + var x157 uint64 + var x158 uint1 + x157, x158 = addcarryxU64(x115, x147, x156) + var x159 uint64 + var x160 uint1 + x159, x160 = addcarryxU64(x116, x148, x158) + var x161 uint64 + var x162 uint1 + x161, x162 = addcarryxU64(x117, x149, x160) + var x163 uint64 + var x164 uint1 + x163, x164 = addcarryxU64(x118, x150, x162) + var x165 uint64 + var x166 uint1 + x165, x166 = subborrowxU64(x151, 0xffffffffffffffff, 0x0) + var x167 uint64 + var x168 uint1 + x167, x168 = subborrowxU64(x153, 0xffffffffffffffff, x166) + var x169 uint64 + var x170 uint1 + x169, x170 = subborrowxU64(x155, 0xffffffffffffffff, x168) + var x171 uint64 + var x172 uint1 + x171, x172 = subborrowxU64(x157, 0xfdc1767ae2ffffff, x170) + var x173 uint64 + var x174 uint1 + x173, x174 = subborrowxU64(x159, 0x7bc65c783158aea3, x172) + var x175 uint64 + var x176 uint1 + x175, x176 = subborrowxU64(x161, 0x6cfc5fd681c52056, x174) + var x177 uint64 + var x178 uint1 + x177, x178 = subborrowxU64(x163, 0x2341f27177344, x176) + var x180 uint1 + _, x180 = subborrowxU64(uint64(x164), uint64(0x0), x178) + var x181 uint64 + x181, _ = addcarryxU64(x6, uint64(0x1), 0x0) + x183 := ((x128 >> 1) | ((x130 << 63) & 0xffffffffffffffff)) + x184 := ((x130 >> 1) | ((x132 << 63) & 0xffffffffffffffff)) + x185 := ((x132 >> 1) | ((x134 << 63) & 0xffffffffffffffff)) + x186 := ((x134 >> 1) | ((x136 << 63) & 0xffffffffffffffff)) + x187 := ((x136 >> 1) | ((x138 << 63) & 
0xffffffffffffffff)) + x188 := ((x138 >> 1) | ((x140 << 63) & 0xffffffffffffffff)) + x189 := ((x140 >> 1) | ((x142 << 63) & 0xffffffffffffffff)) + x190 := ((x142 & 0x8000000000000000) | (x142 >> 1)) + var x191 uint64 + cmovznzU64(&x191, x75, x60, x46) + var x192 uint64 + cmovznzU64(&x192, x75, x62, x48) + var x193 uint64 + cmovznzU64(&x193, x75, x64, x50) + var x194 uint64 + cmovznzU64(&x194, x75, x66, x52) + var x195 uint64 + cmovznzU64(&x195, x75, x68, x54) + var x196 uint64 + cmovznzU64(&x196, x75, x70, x56) + var x197 uint64 + cmovznzU64(&x197, x75, x72, x58) + var x198 uint64 + cmovznzU64(&x198, x180, x165, x151) + var x199 uint64 + cmovznzU64(&x199, x180, x167, x153) + var x200 uint64 + cmovznzU64(&x200, x180, x169, x155) + var x201 uint64 + cmovznzU64(&x201, x180, x171, x157) + var x202 uint64 + cmovznzU64(&x202, x180, x173, x159) + var x203 uint64 + cmovznzU64(&x203, x180, x175, x161) + var x204 uint64 + cmovznzU64(&x204, x180, x177, x163) + *out1 = x181 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out2[5] = x12 + out2[6] = x13 + out2[7] = x14 + out3[0] = x183 + out3[1] = x184 + out3[2] = x185 + out3[3] = x186 + out3[4] = x187 + out3[5] = x188 + out3[6] = x189 + out3[7] = x190 + out4[0] = x191 + out4[1] = x192 + out4[2] = x193 + out4[3] = x194 + out4[4] = x195 + out4[5] = x196 + out4[6] = x197 + out5[0] = x198 + out5[1] = x199 + out5[2] = x200 + out5[3] = x201 + out5[4] = x202 + out5[5] = x203 + out5[6] = x204 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
- Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func DivstepPrecomp(out1 *[7]uint64) { - out1[0] = 0x9f9776e27e1a2b72 - out1[1] = 0x28b59f067e2393d0 - out1[2] = 0xcf316ce1572add54 - out1[3] = 0x312c8965f9032c2f - out1[4] = 0x9d9cab29ad90d34c - out1[5] = 0x6e1ddae1d9609ae1 - out1[6] = 0x6df82285eec6 + out1[0] = 0x9f9776e27e1a2b72 + out1[1] = 0x28b59f067e2393d0 + out1[2] = 0xcf316ce1572add54 + out1[3] = 0x312c8965f9032c2f + out1[4] = 0x9d9cab29ad90d34c + out1[5] = 0x6e1ddae1d9609ae1 + out1[6] = 0x6df82285eec6 } - diff --git a/fiat-go/64/p448solinas/p448solinas.go b/fiat-go/64/p448solinas/p448solinas.go index 5589ba1b183..fde047df1d1 100644 --- a/fiat-go/64/p448solinas/p448solinas.go +++ b/fiat-go/64/p448solinas/p448solinas.go 
@@ -1,1969 +1,1940 @@ -/* - Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p448solinas '' 64 8 '2^448 - 2^224 - 1' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes - - curve description (via package name): p448solinas - - machine_wordsize = 64 (from "64") - - requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes - - n = 8 (from "8") - - s-c = 2^448 - [(2^224, 1), (1, 1)] (from "2^448 - 2^224 - 1") - - tight_bounds_multiplier = 1 (from "") - - - - Computed values: - - carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] - - eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) - - balance = 
[0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --package-name p448solinas '' 64 8 '2^448 - 2^224 - 1' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes +// +// curve description (via package name): p448solinas +// +// machine_wordsize = 64 (from "64") +// +// requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes +// +// n = 8 (from "8") +// +// s-c = 2^448 - [(2^224, 1), (1, 1)] (from "2^448 - 2^224 - 1") +// +// tight_bounds_multiplier = 1 (from "") +// +// +// +// Computed values: +// +// carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] +// +// eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + 
(z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) +// +// balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] package p448solinas import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function addcarryxU56 is an addition with carry. - Postconditions: - out1 = (arg1 + arg2 + arg3) mod 2^56 - out2 = ⌊(arg1 + arg2 + arg3) / 2^56⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// addcarryxU56 is an addition with carry. 
+// +// Postconditions: +// out1 = (arg1 + arg2 + arg3) mod 2^56 +// out2 = ⌊(arg1 + arg2 + arg3) / 2^56⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffff] +// out2: [0x0 ~> 0x1] func addcarryxU56(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = ((uint64(arg1) + arg2) + arg3) - var x2 uint64 = (x1 & 0xffffffffffffff) - var x3 uint1 = uint1((x1 >> 56)) - *out1 = x2 - *out2 = x3 + x1 := ((uint64(arg1) + arg2) + arg3) + x2 := (x1 & 0xffffffffffffff) + x3 := uint1((x1 >> 56)) + *out1 = x2 + *out2 = x3 } -/* - The function subborrowxU56 is a subtraction with borrow. - Postconditions: - out1 = (-arg1 + arg2 + -arg3) mod 2^56 - out2 = -⌊(-arg1 + arg2 + -arg3) / 2^56⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// subborrowxU56 is a subtraction with borrow. +// +// Postconditions: +// out1 = (-arg1 + arg2 + -arg3) mod 2^56 +// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^56⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffff] +// out2: [0x0 ~> 0x1] func subborrowxU56(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 int64 = ((int64(arg2) - int64(arg1)) - int64(arg3)) - var x2 int1 = int1((x1 >> 56)) - var x3 uint64 = (uint64(x1) & 0xffffffffffffff) - *out1 = x3 - *out2 = (0x0 - uint1(x2)) + x1 := ((int64(arg2) - int64(arg1)) - int64(arg3)) + x2 := int1((x1 >> 56)) + x3 := (uint64(x1) & 0xffffffffffffff) + *out1 = x3 + *out2 = (0x0 - uint1(x2)) } -/* - The function cmovznzU64 is a single-word conditional move. 
- Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function CarryMul multiplies two field elements and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] - arg2: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - */ -/*inline*/ +// CarryMul multiplies two field elements and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] +// arg2: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] func CarryMul(out1 *[8]uint64, arg1 *[8]uint64, arg2 *[8]uint64) { - var x1 uint64 - var x2 uint64 - x2, x1 = bits.Mul64((arg1[7]), (arg2[7])) - var x3 uint64 - var x4 uint64 - x4, x3 = bits.Mul64((arg1[7]), (arg2[6])) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64((arg1[7]), (arg2[5])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64((arg1[6]), (arg2[7])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64((arg1[6]), (arg2[6])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64((arg1[5]), (arg2[7])) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64((arg1[7]), (arg2[7])) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64((arg1[7]), (arg2[6])) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64((arg1[7]), (arg2[5])) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64((arg1[6]), (arg2[7])) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64((arg1[6]), (arg2[6])) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64((arg1[5]), (arg2[7])) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64((arg1[7]), (arg2[7])) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64((arg1[7]), (arg2[6])) - var 
x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64((arg1[7]), (arg2[5])) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64((arg1[7]), (arg2[4])) - var x33 uint64 - var x34 uint64 - x34, x33 = bits.Mul64((arg1[7]), (arg2[3])) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64((arg1[7]), (arg2[2])) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64((arg1[7]), (arg2[1])) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64((arg1[6]), (arg2[7])) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64((arg1[6]), (arg2[6])) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64((arg1[6]), (arg2[5])) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64((arg1[6]), (arg2[4])) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64((arg1[6]), (arg2[3])) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64((arg1[6]), (arg2[2])) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64((arg1[5]), (arg2[7])) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64((arg1[5]), (arg2[6])) - var x55 uint64 - var x56 uint64 - x56, x55 = bits.Mul64((arg1[5]), (arg2[5])) - var x57 uint64 - var x58 uint64 - x58, x57 = bits.Mul64((arg1[5]), (arg2[4])) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64((arg1[5]), (arg2[3])) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64((arg1[4]), (arg2[7])) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64((arg1[4]), (arg2[6])) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64((arg1[4]), (arg2[5])) - var x67 uint64 - var x68 uint64 - x68, x67 = bits.Mul64((arg1[4]), (arg2[4])) - var x69 uint64 - var x70 uint64 - x70, x69 = bits.Mul64((arg1[3]), (arg2[7])) - var x71 uint64 - var x72 uint64 - x72, x71 = bits.Mul64((arg1[3]), (arg2[6])) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64((arg1[3]), (arg2[5])) - var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64((arg1[2]), (arg2[7])) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64((arg1[2]), (arg2[6])) - var 
x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64((arg1[1]), (arg2[7])) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64((arg1[7]), (arg2[4])) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64((arg1[7]), (arg2[3])) - var x85 uint64 - var x86 uint64 - x86, x85 = bits.Mul64((arg1[7]), (arg2[2])) - var x87 uint64 - var x88 uint64 - x88, x87 = bits.Mul64((arg1[7]), (arg2[1])) - var x89 uint64 - var x90 uint64 - x90, x89 = bits.Mul64((arg1[6]), (arg2[5])) - var x91 uint64 - var x92 uint64 - x92, x91 = bits.Mul64((arg1[6]), (arg2[4])) - var x93 uint64 - var x94 uint64 - x94, x93 = bits.Mul64((arg1[6]), (arg2[3])) - var x95 uint64 - var x96 uint64 - x96, x95 = bits.Mul64((arg1[6]), (arg2[2])) - var x97 uint64 - var x98 uint64 - x98, x97 = bits.Mul64((arg1[5]), (arg2[6])) - var x99 uint64 - var x100 uint64 - x100, x99 = bits.Mul64((arg1[5]), (arg2[5])) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64((arg1[5]), (arg2[4])) - var x103 uint64 - var x104 uint64 - x104, x103 = bits.Mul64((arg1[5]), (arg2[3])) - var x105 uint64 - var x106 uint64 - x106, x105 = bits.Mul64((arg1[4]), (arg2[7])) - var x107 uint64 - var x108 uint64 - x108, x107 = bits.Mul64((arg1[4]), (arg2[6])) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64((arg1[4]), (arg2[5])) - var x111 uint64 - var x112 uint64 - x112, x111 = bits.Mul64((arg1[4]), (arg2[4])) - var x113 uint64 - var x114 uint64 - x114, x113 = bits.Mul64((arg1[3]), (arg2[7])) - var x115 uint64 - var x116 uint64 - x116, x115 = bits.Mul64((arg1[3]), (arg2[6])) - var x117 uint64 - var x118 uint64 - x118, x117 = bits.Mul64((arg1[3]), (arg2[5])) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64((arg1[2]), (arg2[7])) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64((arg1[2]), (arg2[6])) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64((arg1[1]), (arg2[7])) - var x125 uint64 - var x126 uint64 - x126, x125 = bits.Mul64((arg1[7]), (arg2[0])) - var x127 uint64 - var x128 
uint64 - x128, x127 = bits.Mul64((arg1[6]), (arg2[1])) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64((arg1[6]), (arg2[0])) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64((arg1[5]), (arg2[2])) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64((arg1[5]), (arg2[1])) - var x135 uint64 - var x136 uint64 - x136, x135 = bits.Mul64((arg1[5]), (arg2[0])) - var x137 uint64 - var x138 uint64 - x138, x137 = bits.Mul64((arg1[4]), (arg2[3])) - var x139 uint64 - var x140 uint64 - x140, x139 = bits.Mul64((arg1[4]), (arg2[2])) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64((arg1[4]), (arg2[1])) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64((arg1[4]), (arg2[0])) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64((arg1[3]), (arg2[4])) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64((arg1[3]), (arg2[3])) - var x149 uint64 - var x150 uint64 - x150, x149 = bits.Mul64((arg1[3]), (arg2[2])) - var x151 uint64 - var x152 uint64 - x152, x151 = bits.Mul64((arg1[3]), (arg2[1])) - var x153 uint64 - var x154 uint64 - x154, x153 = bits.Mul64((arg1[3]), (arg2[0])) - var x155 uint64 - var x156 uint64 - x156, x155 = bits.Mul64((arg1[2]), (arg2[5])) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64((arg1[2]), (arg2[4])) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64((arg1[2]), (arg2[3])) - var x161 uint64 - var x162 uint64 - x162, x161 = bits.Mul64((arg1[2]), (arg2[2])) - var x163 uint64 - var x164 uint64 - x164, x163 = bits.Mul64((arg1[2]), (arg2[1])) - var x165 uint64 - var x166 uint64 - x166, x165 = bits.Mul64((arg1[2]), (arg2[0])) - var x167 uint64 - var x168 uint64 - x168, x167 = bits.Mul64((arg1[1]), (arg2[6])) - var x169 uint64 - var x170 uint64 - x170, x169 = bits.Mul64((arg1[1]), (arg2[5])) - var x171 uint64 - var x172 uint64 - x172, x171 = bits.Mul64((arg1[1]), (arg2[4])) - var x173 uint64 - var x174 uint64 - x174, x173 = bits.Mul64((arg1[1]), (arg2[3])) - var x175 
uint64 - var x176 uint64 - x176, x175 = bits.Mul64((arg1[1]), (arg2[2])) - var x177 uint64 - var x178 uint64 - x178, x177 = bits.Mul64((arg1[1]), (arg2[1])) - var x179 uint64 - var x180 uint64 - x180, x179 = bits.Mul64((arg1[1]), (arg2[0])) - var x181 uint64 - var x182 uint64 - x182, x181 = bits.Mul64((arg1[0]), (arg2[7])) - var x183 uint64 - var x184 uint64 - x184, x183 = bits.Mul64((arg1[0]), (arg2[6])) - var x185 uint64 - var x186 uint64 - x186, x185 = bits.Mul64((arg1[0]), (arg2[5])) - var x187 uint64 - var x188 uint64 - x188, x187 = bits.Mul64((arg1[0]), (arg2[4])) - var x189 uint64 - var x190 uint64 - x190, x189 = bits.Mul64((arg1[0]), (arg2[3])) - var x191 uint64 - var x192 uint64 - x192, x191 = bits.Mul64((arg1[0]), (arg2[2])) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64((arg1[0]), (arg2[1])) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64((arg1[0]), (arg2[0])) - var x197 uint64 - var x198 uint1 - x197, x198 = addcarryxU64(x43, x31, 0x0) - var x199 uint64 - x199, _ = addcarryxU64(x44, x32, x198) - var x201 uint64 - var x202 uint1 - x201, x202 = addcarryxU64(x53, x197, 0x0) - var x203 uint64 - x203, _ = addcarryxU64(x54, x199, x202) - var x205 uint64 - var x206 uint1 - x205, x206 = addcarryxU64(x61, x201, 0x0) - var x207 uint64 - x207, _ = addcarryxU64(x62, x203, x206) - var x209 uint64 - var x210 uint1 - x209, x210 = addcarryxU64(x153, x205, 0x0) - var x211 uint64 - x211, _ = addcarryxU64(x154, x207, x210) - var x213 uint64 - var x214 uint1 - x213, x214 = addcarryxU64(x163, x209, 0x0) - var x215 uint64 - x215, _ = addcarryxU64(x164, x211, x214) - var x217 uint64 - var x218 uint1 - x217, x218 = addcarryxU64(x175, x213, 0x0) - var x219 uint64 - x219, _ = addcarryxU64(x176, x215, x218) - var x221 uint64 - var x222 uint1 - x221, x222 = addcarryxU64(x189, x217, 0x0) - var x223 uint64 - x223, _ = addcarryxU64(x190, x219, x222) - var x225 uint64 = ((x221 >> 56) | ((x223 << 8) & 0xffffffffffffffff)) - var x226 uint64 = (x221 & 
0xffffffffffffff) - var x227 uint64 - var x228 uint1 - x227, x228 = addcarryxU64(x89, x81, 0x0) - var x229 uint64 - x229, _ = addcarryxU64(x90, x82, x228) - var x231 uint64 - var x232 uint1 - x231, x232 = addcarryxU64(x97, x227, 0x0) - var x233 uint64 - x233, _ = addcarryxU64(x98, x229, x232) - var x235 uint64 - var x236 uint1 - x235, x236 = addcarryxU64(x105, x231, 0x0) - var x237 uint64 - x237, _ = addcarryxU64(x106, x233, x236) - var x239 uint64 - var x240 uint1 - x239, x240 = addcarryxU64(x125, x235, 0x0) - var x241 uint64 - x241, _ = addcarryxU64(x126, x237, x240) - var x243 uint64 - var x244 uint1 - x243, x244 = addcarryxU64(x127, x239, 0x0) - var x245 uint64 - x245, _ = addcarryxU64(x128, x241, x244) - var x247 uint64 - var x248 uint1 - x247, x248 = addcarryxU64(x131, x243, 0x0) - var x249 uint64 - x249, _ = addcarryxU64(x132, x245, x248) - var x251 uint64 - var x252 uint1 - x251, x252 = addcarryxU64(x137, x247, 0x0) - var x253 uint64 - x253, _ = addcarryxU64(x138, x249, x252) - var x255 uint64 - var x256 uint1 - x255, x256 = addcarryxU64(x145, x251, 0x0) - var x257 uint64 - x257, _ = addcarryxU64(x146, x253, x256) - var x259 uint64 - var x260 uint1 - x259, x260 = addcarryxU64(x155, x255, 0x0) - var x261 uint64 - x261, _ = addcarryxU64(x156, x257, x260) - var x263 uint64 - var x264 uint1 - x263, x264 = addcarryxU64(x167, x259, 0x0) - var x265 uint64 - x265, _ = addcarryxU64(x168, x261, x264) - var x267 uint64 - var x268 uint1 - x267, x268 = addcarryxU64(x181, x263, 0x0) - var x269 uint64 - x269, _ = addcarryxU64(x182, x265, x268) - var x271 uint64 - var x272 uint1 - x271, x272 = addcarryxU64(x25, x13, 0x0) - var x273 uint64 - x273, _ = addcarryxU64(x26, x14, x272) - var x275 uint64 - var x276 uint1 - x275, x276 = addcarryxU64(x83, x271, 0x0) - var x277 uint64 - x277, _ = addcarryxU64(x84, x273, x276) - var x279 uint64 - var x280 uint1 - x279, x280 = addcarryxU64(x91, x275, 0x0) - var x281 uint64 - x281, _ = addcarryxU64(x92, x277, x280) - var x283 uint64 - 
var x284 uint1 - x283, x284 = addcarryxU64(x99, x279, 0x0) - var x285 uint64 - x285, _ = addcarryxU64(x100, x281, x284) - var x287 uint64 - var x288 uint1 - x287, x288 = addcarryxU64(x107, x283, 0x0) - var x289 uint64 - x289, _ = addcarryxU64(x108, x285, x288) - var x291 uint64 - var x292 uint1 - x291, x292 = addcarryxU64(x113, x287, 0x0) - var x293 uint64 - x293, _ = addcarryxU64(x114, x289, x292) - var x295 uint64 - var x296 uint1 - x295, x296 = addcarryxU64(x129, x291, 0x0) - var x297 uint64 - x297, _ = addcarryxU64(x130, x293, x296) - var x299 uint64 - var x300 uint1 - x299, x300 = addcarryxU64(x133, x295, 0x0) - var x301 uint64 - x301, _ = addcarryxU64(x134, x297, x300) - var x303 uint64 - var x304 uint1 - x303, x304 = addcarryxU64(x139, x299, 0x0) - var x305 uint64 - x305, _ = addcarryxU64(x140, x301, x304) - var x307 uint64 - var x308 uint1 - x307, x308 = addcarryxU64(x147, x303, 0x0) - var x309 uint64 - x309, _ = addcarryxU64(x148, x305, x308) - var x311 uint64 - var x312 uint1 - x311, x312 = addcarryxU64(x157, x307, 0x0) - var x313 uint64 - x313, _ = addcarryxU64(x158, x309, x312) - var x315 uint64 - var x316 uint1 - x315, x316 = addcarryxU64(x169, x311, 0x0) - var x317 uint64 - x317, _ = addcarryxU64(x170, x313, x316) - var x319 uint64 - var x320 uint1 - x319, x320 = addcarryxU64(x183, x315, 0x0) - var x321 uint64 - x321, _ = addcarryxU64(x184, x317, x320) - var x323 uint64 - var x324 uint1 - x323, x324 = addcarryxU64(x19, x15, 0x0) - var x325 uint64 - x325, _ = addcarryxU64(x20, x16, x324) - var x327 uint64 - var x328 uint1 - x327, x328 = addcarryxU64(x27, x323, 0x0) - var x329 uint64 - x329, _ = addcarryxU64(x28, x325, x328) - var x331 uint64 - var x332 uint1 - x331, x332 = addcarryxU64(x39, x327, 0x0) - var x333 uint64 - x333, _ = addcarryxU64(x40, x329, x332) - var x335 uint64 - var x336 uint1 - x335, x336 = addcarryxU64(x85, x331, 0x0) - var x337 uint64 - x337, _ = addcarryxU64(x86, x333, x336) - var x339 uint64 - var x340 uint1 - x339, x340 = 
addcarryxU64(x93, x335, 0x0) - var x341 uint64 - x341, _ = addcarryxU64(x94, x337, x340) - var x343 uint64 - var x344 uint1 - x343, x344 = addcarryxU64(x101, x339, 0x0) - var x345 uint64 - x345, _ = addcarryxU64(x102, x341, x344) - var x347 uint64 - var x348 uint1 - x347, x348 = addcarryxU64(x109, x343, 0x0) - var x349 uint64 - x349, _ = addcarryxU64(x110, x345, x348) - var x351 uint64 - var x352 uint1 - x351, x352 = addcarryxU64(x115, x347, 0x0) - var x353 uint64 - x353, _ = addcarryxU64(x116, x349, x352) - var x355 uint64 - var x356 uint1 - x355, x356 = addcarryxU64(x119, x351, 0x0) - var x357 uint64 - x357, _ = addcarryxU64(x120, x353, x356) - var x359 uint64 - var x360 uint1 - x359, x360 = addcarryxU64(x135, x355, 0x0) - var x361 uint64 - x361, _ = addcarryxU64(x136, x357, x360) - var x363 uint64 - var x364 uint1 - x363, x364 = addcarryxU64(x141, x359, 0x0) - var x365 uint64 - x365, _ = addcarryxU64(x142, x361, x364) - var x367 uint64 - var x368 uint1 - x367, x368 = addcarryxU64(x149, x363, 0x0) - var x369 uint64 - x369, _ = addcarryxU64(x150, x365, x368) - var x371 uint64 - var x372 uint1 - x371, x372 = addcarryxU64(x159, x367, 0x0) - var x373 uint64 - x373, _ = addcarryxU64(x160, x369, x372) - var x375 uint64 - var x376 uint1 - x375, x376 = addcarryxU64(x171, x371, 0x0) - var x377 uint64 - x377, _ = addcarryxU64(x172, x373, x376) - var x379 uint64 - var x380 uint1 - x379, x380 = addcarryxU64(x185, x375, 0x0) - var x381 uint64 - x381, _ = addcarryxU64(x186, x377, x380) - var x383 uint64 - var x384 uint1 - x383, x384 = addcarryxU64(x21, x17, 0x0) - var x385 uint64 - x385, _ = addcarryxU64(x22, x18, x384) - var x387 uint64 - var x388 uint1 - x387, x388 = addcarryxU64(x23, x383, 0x0) - var x389 uint64 - x389, _ = addcarryxU64(x24, x385, x388) - var x391 uint64 - var x392 uint1 - x391, x392 = addcarryxU64(x29, x387, 0x0) - var x393 uint64 - x393, _ = addcarryxU64(x30, x389, x392) - var x395 uint64 - var x396 uint1 - x395, x396 = addcarryxU64(x41, x391, 0x0) - var 
x397 uint64 - x397, _ = addcarryxU64(x42, x393, x396) - var x399 uint64 - var x400 uint1 - x399, x400 = addcarryxU64(x51, x395, 0x0) - var x401 uint64 - x401, _ = addcarryxU64(x52, x397, x400) - var x403 uint64 - var x404 uint1 - x403, x404 = addcarryxU64(x87, x399, 0x0) - var x405 uint64 - x405, _ = addcarryxU64(x88, x401, x404) - var x407 uint64 - var x408 uint1 - x407, x408 = addcarryxU64(x95, x403, 0x0) - var x409 uint64 - x409, _ = addcarryxU64(x96, x405, x408) - var x411 uint64 - var x412 uint1 - x411, x412 = addcarryxU64(x103, x407, 0x0) - var x413 uint64 - x413, _ = addcarryxU64(x104, x409, x412) - var x415 uint64 - var x416 uint1 - x415, x416 = addcarryxU64(x111, x411, 0x0) - var x417 uint64 - x417, _ = addcarryxU64(x112, x413, x416) - var x419 uint64 - var x420 uint1 - x419, x420 = addcarryxU64(x117, x415, 0x0) - var x421 uint64 - x421, _ = addcarryxU64(x118, x417, x420) - var x423 uint64 - var x424 uint1 - x423, x424 = addcarryxU64(x121, x419, 0x0) - var x425 uint64 - x425, _ = addcarryxU64(x122, x421, x424) - var x427 uint64 - var x428 uint1 - x427, x428 = addcarryxU64(x123, x423, 0x0) - var x429 uint64 - x429, _ = addcarryxU64(x124, x425, x428) - var x431 uint64 - var x432 uint1 - x431, x432 = addcarryxU64(x143, x427, 0x0) - var x433 uint64 - x433, _ = addcarryxU64(x144, x429, x432) - var x435 uint64 - var x436 uint1 - x435, x436 = addcarryxU64(x151, x431, 0x0) - var x437 uint64 - x437, _ = addcarryxU64(x152, x433, x436) - var x439 uint64 - var x440 uint1 - x439, x440 = addcarryxU64(x161, x435, 0x0) - var x441 uint64 - x441, _ = addcarryxU64(x162, x437, x440) - var x443 uint64 - var x444 uint1 - x443, x444 = addcarryxU64(x173, x439, 0x0) - var x445 uint64 - x445, _ = addcarryxU64(x174, x441, x444) - var x447 uint64 - var x448 uint1 - x447, x448 = addcarryxU64(x187, x443, 0x0) - var x449 uint64 - x449, _ = addcarryxU64(x188, x445, x448) - var x451 uint64 - var x452 uint1 - x451, x452 = addcarryxU64(x33, x1, 0x0) - var x453 uint64 - x453, _ = 
addcarryxU64(x34, x2, x452) - var x455 uint64 - var x456 uint1 - x455, x456 = addcarryxU64(x45, x451, 0x0) - var x457 uint64 - x457, _ = addcarryxU64(x46, x453, x456) - var x459 uint64 - var x460 uint1 - x459, x460 = addcarryxU64(x55, x455, 0x0) - var x461 uint64 - x461, _ = addcarryxU64(x56, x457, x460) - var x463 uint64 - var x464 uint1 - x463, x464 = addcarryxU64(x63, x459, 0x0) - var x465 uint64 - x465, _ = addcarryxU64(x64, x461, x464) - var x467 uint64 - var x468 uint1 - x467, x468 = addcarryxU64(x69, x463, 0x0) - var x469 uint64 - x469, _ = addcarryxU64(x70, x465, x468) - var x471 uint64 - var x472 uint1 - x471, x472 = addcarryxU64(x165, x467, 0x0) - var x473 uint64 - x473, _ = addcarryxU64(x166, x469, x472) - var x475 uint64 - var x476 uint1 - x475, x476 = addcarryxU64(x177, x471, 0x0) - var x477 uint64 - x477, _ = addcarryxU64(x178, x473, x476) - var x479 uint64 - var x480 uint1 - x479, x480 = addcarryxU64(x191, x475, 0x0) - var x481 uint64 - x481, _ = addcarryxU64(x192, x477, x480) - var x483 uint64 - var x484 uint1 - x483, x484 = addcarryxU64(x7, x3, 0x0) - var x485 uint64 - x485, _ = addcarryxU64(x8, x4, x484) - var x487 uint64 - var x488 uint1 - x487, x488 = addcarryxU64(x35, x483, 0x0) - var x489 uint64 - x489, _ = addcarryxU64(x36, x485, x488) - var x491 uint64 - var x492 uint1 - x491, x492 = addcarryxU64(x47, x487, 0x0) - var x493 uint64 - x493, _ = addcarryxU64(x48, x489, x492) - var x495 uint64 - var x496 uint1 - x495, x496 = addcarryxU64(x57, x491, 0x0) - var x497 uint64 - x497, _ = addcarryxU64(x58, x493, x496) - var x499 uint64 - var x500 uint1 - x499, x500 = addcarryxU64(x65, x495, 0x0) - var x501 uint64 - x501, _ = addcarryxU64(x66, x497, x500) - var x503 uint64 - var x504 uint1 - x503, x504 = addcarryxU64(x71, x499, 0x0) - var x505 uint64 - x505, _ = addcarryxU64(x72, x501, x504) - var x507 uint64 - var x508 uint1 - x507, x508 = addcarryxU64(x75, x503, 0x0) - var x509 uint64 - x509, _ = addcarryxU64(x76, x505, x508) - var x511 uint64 - var 
x512 uint1 - x511, x512 = addcarryxU64(x179, x507, 0x0) - var x513 uint64 - x513, _ = addcarryxU64(x180, x509, x512) - var x515 uint64 - var x516 uint1 - x515, x516 = addcarryxU64(x193, x511, 0x0) - var x517 uint64 - x517, _ = addcarryxU64(x194, x513, x516) - var x519 uint64 - var x520 uint1 - x519, x520 = addcarryxU64(x9, x5, 0x0) - var x521 uint64 - x521, _ = addcarryxU64(x10, x6, x520) - var x523 uint64 - var x524 uint1 - x523, x524 = addcarryxU64(x11, x519, 0x0) - var x525 uint64 - x525, _ = addcarryxU64(x12, x521, x524) - var x527 uint64 - var x528 uint1 - x527, x528 = addcarryxU64(x37, x523, 0x0) - var x529 uint64 - x529, _ = addcarryxU64(x38, x525, x528) - var x531 uint64 - var x532 uint1 - x531, x532 = addcarryxU64(x49, x527, 0x0) - var x533 uint64 - x533, _ = addcarryxU64(x50, x529, x532) - var x535 uint64 - var x536 uint1 - x535, x536 = addcarryxU64(x59, x531, 0x0) - var x537 uint64 - x537, _ = addcarryxU64(x60, x533, x536) - var x539 uint64 - var x540 uint1 - x539, x540 = addcarryxU64(x67, x535, 0x0) - var x541 uint64 - x541, _ = addcarryxU64(x68, x537, x540) - var x543 uint64 - var x544 uint1 - x543, x544 = addcarryxU64(x73, x539, 0x0) - var x545 uint64 - x545, _ = addcarryxU64(x74, x541, x544) - var x547 uint64 - var x548 uint1 - x547, x548 = addcarryxU64(x77, x543, 0x0) - var x549 uint64 - x549, _ = addcarryxU64(x78, x545, x548) - var x551 uint64 - var x552 uint1 - x551, x552 = addcarryxU64(x79, x547, 0x0) - var x553 uint64 - x553, _ = addcarryxU64(x80, x549, x552) - var x555 uint64 - var x556 uint1 - x555, x556 = addcarryxU64(x195, x551, 0x0) - var x557 uint64 - x557, _ = addcarryxU64(x196, x553, x556) - var x559 uint64 - var x560 uint1 - x559, x560 = addcarryxU64(x225, x447, 0x0) - var x561 uint64 = (uint64(x560) + x449) - var x562 uint64 = ((x267 >> 56) | ((x269 << 8) & 0xffffffffffffffff)) - var x563 uint64 = (x267 & 0xffffffffffffff) - var x564 uint64 - var x565 uint1 - x564, x565 = addcarryxU64(x559, x562, 0x0) - var x566 uint64 = (uint64(x565) 
+ x561) - var x567 uint64 = ((x564 >> 56) | ((x566 << 8) & 0xffffffffffffffff)) - var x568 uint64 = (x564 & 0xffffffffffffff) - var x569 uint64 - var x570 uint1 - x569, x570 = addcarryxU64(x555, x562, 0x0) - var x571 uint64 = (uint64(x570) + x557) - var x572 uint64 - var x573 uint1 - x572, x573 = addcarryxU64(x567, x379, 0x0) - var x574 uint64 = (uint64(x573) + x381) - var x575 uint64 = ((x569 >> 56) | ((x571 << 8) & 0xffffffffffffffff)) - var x576 uint64 = (x569 & 0xffffffffffffff) - var x577 uint64 - var x578 uint1 - x577, x578 = addcarryxU64(x575, x515, 0x0) - var x579 uint64 = (uint64(x578) + x517) - var x580 uint64 = ((x572 >> 56) | ((x574 << 8) & 0xffffffffffffffff)) - var x581 uint64 = (x572 & 0xffffffffffffff) - var x582 uint64 - var x583 uint1 - x582, x583 = addcarryxU64(x580, x319, 0x0) - var x584 uint64 = (uint64(x583) + x321) - var x585 uint64 = ((x577 >> 56) | ((x579 << 8) & 0xffffffffffffffff)) - var x586 uint64 = (x577 & 0xffffffffffffff) - var x587 uint64 - var x588 uint1 - x587, x588 = addcarryxU64(x585, x479, 0x0) - var x589 uint64 = (uint64(x588) + x481) - var x590 uint64 = ((x582 >> 56) | ((x584 << 8) & 0xffffffffffffffff)) - var x591 uint64 = (x582 & 0xffffffffffffff) - var x592 uint64 = (x590 + x563) - var x593 uint64 = ((x587 >> 56) | ((x589 << 8) & 0xffffffffffffffff)) - var x594 uint64 = (x587 & 0xffffffffffffff) - var x595 uint64 = (x593 + x226) - var x596 uint64 = (x592 >> 56) - var x597 uint64 = (x592 & 0xffffffffffffff) - var x598 uint64 = (x595 >> 56) - var x599 uint64 = (x595 & 0xffffffffffffff) - var x600 uint64 = (x568 + x596) - var x601 uint64 = (x576 + x596) - var x602 uint64 = (x598 + x600) - var x603 uint1 = uint1((x602 >> 56)) - var x604 uint64 = (x602 & 0xffffffffffffff) - var x605 uint64 = (uint64(x603) + x581) - var x606 uint1 = uint1((x601 >> 56)) - var x607 uint64 = (x601 & 0xffffffffffffff) - var x608 uint64 = (uint64(x606) + x586) - out1[0] = x607 - out1[1] = x608 - out1[2] = x594 - out1[3] = x599 - out1[4] = x604 - 
out1[5] = x605 - out1[6] = x591 - out1[7] = x597 + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(arg1[7], arg2[7]) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(arg1[7], arg2[6]) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[7], arg2[5]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[6], arg2[7]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[6], arg2[6]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[5], arg2[7]) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[7], arg2[7]) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[7], arg2[6]) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[7], arg2[5]) + var x19 uint64 + var x20 uint64 + x20, x19 = bits.Mul64(arg1[6], arg2[7]) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(arg1[6], arg2[6]) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(arg1[5], arg2[7]) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(arg1[7], arg2[7]) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(arg1[7], arg2[6]) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(arg1[7], arg2[5]) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(arg1[7], arg2[4]) + var x33 uint64 + var x34 uint64 + x34, x33 = bits.Mul64(arg1[7], arg2[3]) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(arg1[7], arg2[2]) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(arg1[7], arg2[1]) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(arg1[6], arg2[7]) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(arg1[6], arg2[6]) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(arg1[6], arg2[5]) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(arg1[6], arg2[4]) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(arg1[6], arg2[3]) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(arg1[6], arg2[2]) + var x51 uint64 + var x52 uint64 + x52, x51 = bits.Mul64(arg1[5], 
arg2[7]) + var x53 uint64 + var x54 uint64 + x54, x53 = bits.Mul64(arg1[5], arg2[6]) + var x55 uint64 + var x56 uint64 + x56, x55 = bits.Mul64(arg1[5], arg2[5]) + var x57 uint64 + var x58 uint64 + x58, x57 = bits.Mul64(arg1[5], arg2[4]) + var x59 uint64 + var x60 uint64 + x60, x59 = bits.Mul64(arg1[5], arg2[3]) + var x61 uint64 + var x62 uint64 + x62, x61 = bits.Mul64(arg1[4], arg2[7]) + var x63 uint64 + var x64 uint64 + x64, x63 = bits.Mul64(arg1[4], arg2[6]) + var x65 uint64 + var x66 uint64 + x66, x65 = bits.Mul64(arg1[4], arg2[5]) + var x67 uint64 + var x68 uint64 + x68, x67 = bits.Mul64(arg1[4], arg2[4]) + var x69 uint64 + var x70 uint64 + x70, x69 = bits.Mul64(arg1[3], arg2[7]) + var x71 uint64 + var x72 uint64 + x72, x71 = bits.Mul64(arg1[3], arg2[6]) + var x73 uint64 + var x74 uint64 + x74, x73 = bits.Mul64(arg1[3], arg2[5]) + var x75 uint64 + var x76 uint64 + x76, x75 = bits.Mul64(arg1[2], arg2[7]) + var x77 uint64 + var x78 uint64 + x78, x77 = bits.Mul64(arg1[2], arg2[6]) + var x79 uint64 + var x80 uint64 + x80, x79 = bits.Mul64(arg1[1], arg2[7]) + var x81 uint64 + var x82 uint64 + x82, x81 = bits.Mul64(arg1[7], arg2[4]) + var x83 uint64 + var x84 uint64 + x84, x83 = bits.Mul64(arg1[7], arg2[3]) + var x85 uint64 + var x86 uint64 + x86, x85 = bits.Mul64(arg1[7], arg2[2]) + var x87 uint64 + var x88 uint64 + x88, x87 = bits.Mul64(arg1[7], arg2[1]) + var x89 uint64 + var x90 uint64 + x90, x89 = bits.Mul64(arg1[6], arg2[5]) + var x91 uint64 + var x92 uint64 + x92, x91 = bits.Mul64(arg1[6], arg2[4]) + var x93 uint64 + var x94 uint64 + x94, x93 = bits.Mul64(arg1[6], arg2[3]) + var x95 uint64 + var x96 uint64 + x96, x95 = bits.Mul64(arg1[6], arg2[2]) + var x97 uint64 + var x98 uint64 + x98, x97 = bits.Mul64(arg1[5], arg2[6]) + var x99 uint64 + var x100 uint64 + x100, x99 = bits.Mul64(arg1[5], arg2[5]) + var x101 uint64 + var x102 uint64 + x102, x101 = bits.Mul64(arg1[5], arg2[4]) + var x103 uint64 + var x104 uint64 + x104, x103 = bits.Mul64(arg1[5], arg2[3]) + 
var x105 uint64 + var x106 uint64 + x106, x105 = bits.Mul64(arg1[4], arg2[7]) + var x107 uint64 + var x108 uint64 + x108, x107 = bits.Mul64(arg1[4], arg2[6]) + var x109 uint64 + var x110 uint64 + x110, x109 = bits.Mul64(arg1[4], arg2[5]) + var x111 uint64 + var x112 uint64 + x112, x111 = bits.Mul64(arg1[4], arg2[4]) + var x113 uint64 + var x114 uint64 + x114, x113 = bits.Mul64(arg1[3], arg2[7]) + var x115 uint64 + var x116 uint64 + x116, x115 = bits.Mul64(arg1[3], arg2[6]) + var x117 uint64 + var x118 uint64 + x118, x117 = bits.Mul64(arg1[3], arg2[5]) + var x119 uint64 + var x120 uint64 + x120, x119 = bits.Mul64(arg1[2], arg2[7]) + var x121 uint64 + var x122 uint64 + x122, x121 = bits.Mul64(arg1[2], arg2[6]) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(arg1[1], arg2[7]) + var x125 uint64 + var x126 uint64 + x126, x125 = bits.Mul64(arg1[7], arg2[0]) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(arg1[6], arg2[1]) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(arg1[6], arg2[0]) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(arg1[5], arg2[2]) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(arg1[5], arg2[1]) + var x135 uint64 + var x136 uint64 + x136, x135 = bits.Mul64(arg1[5], arg2[0]) + var x137 uint64 + var x138 uint64 + x138, x137 = bits.Mul64(arg1[4], arg2[3]) + var x139 uint64 + var x140 uint64 + x140, x139 = bits.Mul64(arg1[4], arg2[2]) + var x141 uint64 + var x142 uint64 + x142, x141 = bits.Mul64(arg1[4], arg2[1]) + var x143 uint64 + var x144 uint64 + x144, x143 = bits.Mul64(arg1[4], arg2[0]) + var x145 uint64 + var x146 uint64 + x146, x145 = bits.Mul64(arg1[3], arg2[4]) + var x147 uint64 + var x148 uint64 + x148, x147 = bits.Mul64(arg1[3], arg2[3]) + var x149 uint64 + var x150 uint64 + x150, x149 = bits.Mul64(arg1[3], arg2[2]) + var x151 uint64 + var x152 uint64 + x152, x151 = bits.Mul64(arg1[3], arg2[1]) + var x153 uint64 + var x154 uint64 + x154, x153 = bits.Mul64(arg1[3], arg2[0]) + 
var x155 uint64 + var x156 uint64 + x156, x155 = bits.Mul64(arg1[2], arg2[5]) + var x157 uint64 + var x158 uint64 + x158, x157 = bits.Mul64(arg1[2], arg2[4]) + var x159 uint64 + var x160 uint64 + x160, x159 = bits.Mul64(arg1[2], arg2[3]) + var x161 uint64 + var x162 uint64 + x162, x161 = bits.Mul64(arg1[2], arg2[2]) + var x163 uint64 + var x164 uint64 + x164, x163 = bits.Mul64(arg1[2], arg2[1]) + var x165 uint64 + var x166 uint64 + x166, x165 = bits.Mul64(arg1[2], arg2[0]) + var x167 uint64 + var x168 uint64 + x168, x167 = bits.Mul64(arg1[1], arg2[6]) + var x169 uint64 + var x170 uint64 + x170, x169 = bits.Mul64(arg1[1], arg2[5]) + var x171 uint64 + var x172 uint64 + x172, x171 = bits.Mul64(arg1[1], arg2[4]) + var x173 uint64 + var x174 uint64 + x174, x173 = bits.Mul64(arg1[1], arg2[3]) + var x175 uint64 + var x176 uint64 + x176, x175 = bits.Mul64(arg1[1], arg2[2]) + var x177 uint64 + var x178 uint64 + x178, x177 = bits.Mul64(arg1[1], arg2[1]) + var x179 uint64 + var x180 uint64 + x180, x179 = bits.Mul64(arg1[1], arg2[0]) + var x181 uint64 + var x182 uint64 + x182, x181 = bits.Mul64(arg1[0], arg2[7]) + var x183 uint64 + var x184 uint64 + x184, x183 = bits.Mul64(arg1[0], arg2[6]) + var x185 uint64 + var x186 uint64 + x186, x185 = bits.Mul64(arg1[0], arg2[5]) + var x187 uint64 + var x188 uint64 + x188, x187 = bits.Mul64(arg1[0], arg2[4]) + var x189 uint64 + var x190 uint64 + x190, x189 = bits.Mul64(arg1[0], arg2[3]) + var x191 uint64 + var x192 uint64 + x192, x191 = bits.Mul64(arg1[0], arg2[2]) + var x193 uint64 + var x194 uint64 + x194, x193 = bits.Mul64(arg1[0], arg2[1]) + var x195 uint64 + var x196 uint64 + x196, x195 = bits.Mul64(arg1[0], arg2[0]) + var x197 uint64 + var x198 uint1 + x197, x198 = addcarryxU64(x43, x31, 0x0) + var x199 uint64 + x199, _ = addcarryxU64(x44, x32, x198) + var x201 uint64 + var x202 uint1 + x201, x202 = addcarryxU64(x53, x197, 0x0) + var x203 uint64 + x203, _ = addcarryxU64(x54, x199, x202) + var x205 uint64 + var x206 uint1 + x205, 
x206 = addcarryxU64(x61, x201, 0x0) + var x207 uint64 + x207, _ = addcarryxU64(x62, x203, x206) + var x209 uint64 + var x210 uint1 + x209, x210 = addcarryxU64(x153, x205, 0x0) + var x211 uint64 + x211, _ = addcarryxU64(x154, x207, x210) + var x213 uint64 + var x214 uint1 + x213, x214 = addcarryxU64(x163, x209, 0x0) + var x215 uint64 + x215, _ = addcarryxU64(x164, x211, x214) + var x217 uint64 + var x218 uint1 + x217, x218 = addcarryxU64(x175, x213, 0x0) + var x219 uint64 + x219, _ = addcarryxU64(x176, x215, x218) + var x221 uint64 + var x222 uint1 + x221, x222 = addcarryxU64(x189, x217, 0x0) + var x223 uint64 + x223, _ = addcarryxU64(x190, x219, x222) + x225 := ((x221 >> 56) | ((x223 << 8) & 0xffffffffffffffff)) + x226 := (x221 & 0xffffffffffffff) + var x227 uint64 + var x228 uint1 + x227, x228 = addcarryxU64(x89, x81, 0x0) + var x229 uint64 + x229, _ = addcarryxU64(x90, x82, x228) + var x231 uint64 + var x232 uint1 + x231, x232 = addcarryxU64(x97, x227, 0x0) + var x233 uint64 + x233, _ = addcarryxU64(x98, x229, x232) + var x235 uint64 + var x236 uint1 + x235, x236 = addcarryxU64(x105, x231, 0x0) + var x237 uint64 + x237, _ = addcarryxU64(x106, x233, x236) + var x239 uint64 + var x240 uint1 + x239, x240 = addcarryxU64(x125, x235, 0x0) + var x241 uint64 + x241, _ = addcarryxU64(x126, x237, x240) + var x243 uint64 + var x244 uint1 + x243, x244 = addcarryxU64(x127, x239, 0x0) + var x245 uint64 + x245, _ = addcarryxU64(x128, x241, x244) + var x247 uint64 + var x248 uint1 + x247, x248 = addcarryxU64(x131, x243, 0x0) + var x249 uint64 + x249, _ = addcarryxU64(x132, x245, x248) + var x251 uint64 + var x252 uint1 + x251, x252 = addcarryxU64(x137, x247, 0x0) + var x253 uint64 + x253, _ = addcarryxU64(x138, x249, x252) + var x255 uint64 + var x256 uint1 + x255, x256 = addcarryxU64(x145, x251, 0x0) + var x257 uint64 + x257, _ = addcarryxU64(x146, x253, x256) + var x259 uint64 + var x260 uint1 + x259, x260 = addcarryxU64(x155, x255, 0x0) + var x261 uint64 + x261, _ = 
addcarryxU64(x156, x257, x260) + var x263 uint64 + var x264 uint1 + x263, x264 = addcarryxU64(x167, x259, 0x0) + var x265 uint64 + x265, _ = addcarryxU64(x168, x261, x264) + var x267 uint64 + var x268 uint1 + x267, x268 = addcarryxU64(x181, x263, 0x0) + var x269 uint64 + x269, _ = addcarryxU64(x182, x265, x268) + var x271 uint64 + var x272 uint1 + x271, x272 = addcarryxU64(x25, x13, 0x0) + var x273 uint64 + x273, _ = addcarryxU64(x26, x14, x272) + var x275 uint64 + var x276 uint1 + x275, x276 = addcarryxU64(x83, x271, 0x0) + var x277 uint64 + x277, _ = addcarryxU64(x84, x273, x276) + var x279 uint64 + var x280 uint1 + x279, x280 = addcarryxU64(x91, x275, 0x0) + var x281 uint64 + x281, _ = addcarryxU64(x92, x277, x280) + var x283 uint64 + var x284 uint1 + x283, x284 = addcarryxU64(x99, x279, 0x0) + var x285 uint64 + x285, _ = addcarryxU64(x100, x281, x284) + var x287 uint64 + var x288 uint1 + x287, x288 = addcarryxU64(x107, x283, 0x0) + var x289 uint64 + x289, _ = addcarryxU64(x108, x285, x288) + var x291 uint64 + var x292 uint1 + x291, x292 = addcarryxU64(x113, x287, 0x0) + var x293 uint64 + x293, _ = addcarryxU64(x114, x289, x292) + var x295 uint64 + var x296 uint1 + x295, x296 = addcarryxU64(x129, x291, 0x0) + var x297 uint64 + x297, _ = addcarryxU64(x130, x293, x296) + var x299 uint64 + var x300 uint1 + x299, x300 = addcarryxU64(x133, x295, 0x0) + var x301 uint64 + x301, _ = addcarryxU64(x134, x297, x300) + var x303 uint64 + var x304 uint1 + x303, x304 = addcarryxU64(x139, x299, 0x0) + var x305 uint64 + x305, _ = addcarryxU64(x140, x301, x304) + var x307 uint64 + var x308 uint1 + x307, x308 = addcarryxU64(x147, x303, 0x0) + var x309 uint64 + x309, _ = addcarryxU64(x148, x305, x308) + var x311 uint64 + var x312 uint1 + x311, x312 = addcarryxU64(x157, x307, 0x0) + var x313 uint64 + x313, _ = addcarryxU64(x158, x309, x312) + var x315 uint64 + var x316 uint1 + x315, x316 = addcarryxU64(x169, x311, 0x0) + var x317 uint64 + x317, _ = addcarryxU64(x170, x313, x316) + 
var x319 uint64 + var x320 uint1 + x319, x320 = addcarryxU64(x183, x315, 0x0) + var x321 uint64 + x321, _ = addcarryxU64(x184, x317, x320) + var x323 uint64 + var x324 uint1 + x323, x324 = addcarryxU64(x19, x15, 0x0) + var x325 uint64 + x325, _ = addcarryxU64(x20, x16, x324) + var x327 uint64 + var x328 uint1 + x327, x328 = addcarryxU64(x27, x323, 0x0) + var x329 uint64 + x329, _ = addcarryxU64(x28, x325, x328) + var x331 uint64 + var x332 uint1 + x331, x332 = addcarryxU64(x39, x327, 0x0) + var x333 uint64 + x333, _ = addcarryxU64(x40, x329, x332) + var x335 uint64 + var x336 uint1 + x335, x336 = addcarryxU64(x85, x331, 0x0) + var x337 uint64 + x337, _ = addcarryxU64(x86, x333, x336) + var x339 uint64 + var x340 uint1 + x339, x340 = addcarryxU64(x93, x335, 0x0) + var x341 uint64 + x341, _ = addcarryxU64(x94, x337, x340) + var x343 uint64 + var x344 uint1 + x343, x344 = addcarryxU64(x101, x339, 0x0) + var x345 uint64 + x345, _ = addcarryxU64(x102, x341, x344) + var x347 uint64 + var x348 uint1 + x347, x348 = addcarryxU64(x109, x343, 0x0) + var x349 uint64 + x349, _ = addcarryxU64(x110, x345, x348) + var x351 uint64 + var x352 uint1 + x351, x352 = addcarryxU64(x115, x347, 0x0) + var x353 uint64 + x353, _ = addcarryxU64(x116, x349, x352) + var x355 uint64 + var x356 uint1 + x355, x356 = addcarryxU64(x119, x351, 0x0) + var x357 uint64 + x357, _ = addcarryxU64(x120, x353, x356) + var x359 uint64 + var x360 uint1 + x359, x360 = addcarryxU64(x135, x355, 0x0) + var x361 uint64 + x361, _ = addcarryxU64(x136, x357, x360) + var x363 uint64 + var x364 uint1 + x363, x364 = addcarryxU64(x141, x359, 0x0) + var x365 uint64 + x365, _ = addcarryxU64(x142, x361, x364) + var x367 uint64 + var x368 uint1 + x367, x368 = addcarryxU64(x149, x363, 0x0) + var x369 uint64 + x369, _ = addcarryxU64(x150, x365, x368) + var x371 uint64 + var x372 uint1 + x371, x372 = addcarryxU64(x159, x367, 0x0) + var x373 uint64 + x373, _ = addcarryxU64(x160, x369, x372) + var x375 uint64 + var x376 uint1 + 
x375, x376 = addcarryxU64(x171, x371, 0x0) + var x377 uint64 + x377, _ = addcarryxU64(x172, x373, x376) + var x379 uint64 + var x380 uint1 + x379, x380 = addcarryxU64(x185, x375, 0x0) + var x381 uint64 + x381, _ = addcarryxU64(x186, x377, x380) + var x383 uint64 + var x384 uint1 + x383, x384 = addcarryxU64(x21, x17, 0x0) + var x385 uint64 + x385, _ = addcarryxU64(x22, x18, x384) + var x387 uint64 + var x388 uint1 + x387, x388 = addcarryxU64(x23, x383, 0x0) + var x389 uint64 + x389, _ = addcarryxU64(x24, x385, x388) + var x391 uint64 + var x392 uint1 + x391, x392 = addcarryxU64(x29, x387, 0x0) + var x393 uint64 + x393, _ = addcarryxU64(x30, x389, x392) + var x395 uint64 + var x396 uint1 + x395, x396 = addcarryxU64(x41, x391, 0x0) + var x397 uint64 + x397, _ = addcarryxU64(x42, x393, x396) + var x399 uint64 + var x400 uint1 + x399, x400 = addcarryxU64(x51, x395, 0x0) + var x401 uint64 + x401, _ = addcarryxU64(x52, x397, x400) + var x403 uint64 + var x404 uint1 + x403, x404 = addcarryxU64(x87, x399, 0x0) + var x405 uint64 + x405, _ = addcarryxU64(x88, x401, x404) + var x407 uint64 + var x408 uint1 + x407, x408 = addcarryxU64(x95, x403, 0x0) + var x409 uint64 + x409, _ = addcarryxU64(x96, x405, x408) + var x411 uint64 + var x412 uint1 + x411, x412 = addcarryxU64(x103, x407, 0x0) + var x413 uint64 + x413, _ = addcarryxU64(x104, x409, x412) + var x415 uint64 + var x416 uint1 + x415, x416 = addcarryxU64(x111, x411, 0x0) + var x417 uint64 + x417, _ = addcarryxU64(x112, x413, x416) + var x419 uint64 + var x420 uint1 + x419, x420 = addcarryxU64(x117, x415, 0x0) + var x421 uint64 + x421, _ = addcarryxU64(x118, x417, x420) + var x423 uint64 + var x424 uint1 + x423, x424 = addcarryxU64(x121, x419, 0x0) + var x425 uint64 + x425, _ = addcarryxU64(x122, x421, x424) + var x427 uint64 + var x428 uint1 + x427, x428 = addcarryxU64(x123, x423, 0x0) + var x429 uint64 + x429, _ = addcarryxU64(x124, x425, x428) + var x431 uint64 + var x432 uint1 + x431, x432 = addcarryxU64(x143, x427, 
0x0) + var x433 uint64 + x433, _ = addcarryxU64(x144, x429, x432) + var x435 uint64 + var x436 uint1 + x435, x436 = addcarryxU64(x151, x431, 0x0) + var x437 uint64 + x437, _ = addcarryxU64(x152, x433, x436) + var x439 uint64 + var x440 uint1 + x439, x440 = addcarryxU64(x161, x435, 0x0) + var x441 uint64 + x441, _ = addcarryxU64(x162, x437, x440) + var x443 uint64 + var x444 uint1 + x443, x444 = addcarryxU64(x173, x439, 0x0) + var x445 uint64 + x445, _ = addcarryxU64(x174, x441, x444) + var x447 uint64 + var x448 uint1 + x447, x448 = addcarryxU64(x187, x443, 0x0) + var x449 uint64 + x449, _ = addcarryxU64(x188, x445, x448) + var x451 uint64 + var x452 uint1 + x451, x452 = addcarryxU64(x33, x1, 0x0) + var x453 uint64 + x453, _ = addcarryxU64(x34, x2, x452) + var x455 uint64 + var x456 uint1 + x455, x456 = addcarryxU64(x45, x451, 0x0) + var x457 uint64 + x457, _ = addcarryxU64(x46, x453, x456) + var x459 uint64 + var x460 uint1 + x459, x460 = addcarryxU64(x55, x455, 0x0) + var x461 uint64 + x461, _ = addcarryxU64(x56, x457, x460) + var x463 uint64 + var x464 uint1 + x463, x464 = addcarryxU64(x63, x459, 0x0) + var x465 uint64 + x465, _ = addcarryxU64(x64, x461, x464) + var x467 uint64 + var x468 uint1 + x467, x468 = addcarryxU64(x69, x463, 0x0) + var x469 uint64 + x469, _ = addcarryxU64(x70, x465, x468) + var x471 uint64 + var x472 uint1 + x471, x472 = addcarryxU64(x165, x467, 0x0) + var x473 uint64 + x473, _ = addcarryxU64(x166, x469, x472) + var x475 uint64 + var x476 uint1 + x475, x476 = addcarryxU64(x177, x471, 0x0) + var x477 uint64 + x477, _ = addcarryxU64(x178, x473, x476) + var x479 uint64 + var x480 uint1 + x479, x480 = addcarryxU64(x191, x475, 0x0) + var x481 uint64 + x481, _ = addcarryxU64(x192, x477, x480) + var x483 uint64 + var x484 uint1 + x483, x484 = addcarryxU64(x7, x3, 0x0) + var x485 uint64 + x485, _ = addcarryxU64(x8, x4, x484) + var x487 uint64 + var x488 uint1 + x487, x488 = addcarryxU64(x35, x483, 0x0) + var x489 uint64 + x489, _ = 
addcarryxU64(x36, x485, x488) + var x491 uint64 + var x492 uint1 + x491, x492 = addcarryxU64(x47, x487, 0x0) + var x493 uint64 + x493, _ = addcarryxU64(x48, x489, x492) + var x495 uint64 + var x496 uint1 + x495, x496 = addcarryxU64(x57, x491, 0x0) + var x497 uint64 + x497, _ = addcarryxU64(x58, x493, x496) + var x499 uint64 + var x500 uint1 + x499, x500 = addcarryxU64(x65, x495, 0x0) + var x501 uint64 + x501, _ = addcarryxU64(x66, x497, x500) + var x503 uint64 + var x504 uint1 + x503, x504 = addcarryxU64(x71, x499, 0x0) + var x505 uint64 + x505, _ = addcarryxU64(x72, x501, x504) + var x507 uint64 + var x508 uint1 + x507, x508 = addcarryxU64(x75, x503, 0x0) + var x509 uint64 + x509, _ = addcarryxU64(x76, x505, x508) + var x511 uint64 + var x512 uint1 + x511, x512 = addcarryxU64(x179, x507, 0x0) + var x513 uint64 + x513, _ = addcarryxU64(x180, x509, x512) + var x515 uint64 + var x516 uint1 + x515, x516 = addcarryxU64(x193, x511, 0x0) + var x517 uint64 + x517, _ = addcarryxU64(x194, x513, x516) + var x519 uint64 + var x520 uint1 + x519, x520 = addcarryxU64(x9, x5, 0x0) + var x521 uint64 + x521, _ = addcarryxU64(x10, x6, x520) + var x523 uint64 + var x524 uint1 + x523, x524 = addcarryxU64(x11, x519, 0x0) + var x525 uint64 + x525, _ = addcarryxU64(x12, x521, x524) + var x527 uint64 + var x528 uint1 + x527, x528 = addcarryxU64(x37, x523, 0x0) + var x529 uint64 + x529, _ = addcarryxU64(x38, x525, x528) + var x531 uint64 + var x532 uint1 + x531, x532 = addcarryxU64(x49, x527, 0x0) + var x533 uint64 + x533, _ = addcarryxU64(x50, x529, x532) + var x535 uint64 + var x536 uint1 + x535, x536 = addcarryxU64(x59, x531, 0x0) + var x537 uint64 + x537, _ = addcarryxU64(x60, x533, x536) + var x539 uint64 + var x540 uint1 + x539, x540 = addcarryxU64(x67, x535, 0x0) + var x541 uint64 + x541, _ = addcarryxU64(x68, x537, x540) + var x543 uint64 + var x544 uint1 + x543, x544 = addcarryxU64(x73, x539, 0x0) + var x545 uint64 + x545, _ = addcarryxU64(x74, x541, x544) + var x547 uint64 + var 
x548 uint1 + x547, x548 = addcarryxU64(x77, x543, 0x0) + var x549 uint64 + x549, _ = addcarryxU64(x78, x545, x548) + var x551 uint64 + var x552 uint1 + x551, x552 = addcarryxU64(x79, x547, 0x0) + var x553 uint64 + x553, _ = addcarryxU64(x80, x549, x552) + var x555 uint64 + var x556 uint1 + x555, x556 = addcarryxU64(x195, x551, 0x0) + var x557 uint64 + x557, _ = addcarryxU64(x196, x553, x556) + var x559 uint64 + var x560 uint1 + x559, x560 = addcarryxU64(x225, x447, 0x0) + x561 := (uint64(x560) + x449) + x562 := ((x267 >> 56) | ((x269 << 8) & 0xffffffffffffffff)) + x563 := (x267 & 0xffffffffffffff) + var x564 uint64 + var x565 uint1 + x564, x565 = addcarryxU64(x559, x562, 0x0) + x566 := (uint64(x565) + x561) + x567 := ((x564 >> 56) | ((x566 << 8) & 0xffffffffffffffff)) + x568 := (x564 & 0xffffffffffffff) + var x569 uint64 + var x570 uint1 + x569, x570 = addcarryxU64(x555, x562, 0x0) + x571 := (uint64(x570) + x557) + var x572 uint64 + var x573 uint1 + x572, x573 = addcarryxU64(x567, x379, 0x0) + x574 := (uint64(x573) + x381) + x575 := ((x569 >> 56) | ((x571 << 8) & 0xffffffffffffffff)) + x576 := (x569 & 0xffffffffffffff) + var x577 uint64 + var x578 uint1 + x577, x578 = addcarryxU64(x575, x515, 0x0) + x579 := (uint64(x578) + x517) + x580 := ((x572 >> 56) | ((x574 << 8) & 0xffffffffffffffff)) + x581 := (x572 & 0xffffffffffffff) + var x582 uint64 + var x583 uint1 + x582, x583 = addcarryxU64(x580, x319, 0x0) + x584 := (uint64(x583) + x321) + x585 := ((x577 >> 56) | ((x579 << 8) & 0xffffffffffffffff)) + x586 := (x577 & 0xffffffffffffff) + var x587 uint64 + var x588 uint1 + x587, x588 = addcarryxU64(x585, x479, 0x0) + x589 := (uint64(x588) + x481) + x590 := ((x582 >> 56) | ((x584 << 8) & 0xffffffffffffffff)) + x591 := (x582 & 0xffffffffffffff) + x592 := (x590 + x563) + x593 := ((x587 >> 56) | ((x589 << 8) & 0xffffffffffffffff)) + x594 := (x587 & 0xffffffffffffff) + x595 := (x593 + x226) + x596 := (x592 >> 56) + x597 := (x592 & 0xffffffffffffff) + x598 := (x595 >> 56) + 
x599 := (x595 & 0xffffffffffffff) + x600 := (x568 + x596) + x601 := (x576 + x596) + x602 := (x598 + x600) + x603 := uint1((x602 >> 56)) + x604 := (x602 & 0xffffffffffffff) + x605 := (uint64(x603) + x581) + x606 := uint1((x601 >> 56)) + x607 := (x601 & 0xffffffffffffff) + x608 := (uint64(x606) + x586) + out1[0] = x607 + out1[1] = x608 + out1[2] = x594 + out1[3] = x599 + out1[4] = x604 + out1[5] = x605 + out1[6] = x591 + out1[7] = x597 } -/* - The function CarrySquare squares a field element and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - */ -/*inline*/ +// CarrySquare squares a field element and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] func CarrySquare(out1 *[8]uint64, arg1 *[8]uint64) { - var x1 uint64 = (arg1[7]) - var x2 uint64 = (arg1[7]) - var x3 uint64 = (x1 * 0x2) - var x4 uint64 = (x2 * 0x2) - var x5 uint64 = ((arg1[7]) * 0x2) - var x6 uint64 = (arg1[6]) - var x7 uint64 = (arg1[6]) - var x8 uint64 = (x6 * 0x2) - var x9 uint64 = (x7 * 0x2) - var x10 uint64 = ((arg1[6]) * 0x2) - var x11 uint64 = (arg1[5]) - var x12 uint64 = (arg1[5]) - var x13 uint64 = (x11 * 0x2) - var x14 uint64 = (x12 * 0x2) - var x15 uint64 = ((arg1[5]) * 0x2) - var x16 uint64 = (arg1[4]) - var x17 uint64 = (arg1[4]) - var x18 uint64 = ((arg1[4]) * 0x2) - var x19 uint64 = ((arg1[3]) * 0x2) - var x20 uint64 = ((arg1[2]) * 0x2) - var x21 uint64 = ((arg1[1]) * 0x2) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64((arg1[7]), x1) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64((arg1[6]), x3) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64((arg1[6]), x6) - var x28 uint64 - var x29 uint64 - x29, x28 = bits.Mul64((arg1[5]), x3) - var x30 uint64 - var x31 uint64 - x31, x30 = bits.Mul64((arg1[7]), x1) - var x32 uint64 - var x33 uint64 - x33, x32 = bits.Mul64((arg1[6]), x3) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64((arg1[6]), x6) - var x36 uint64 - var x37 uint64 - x37, x36 = bits.Mul64((arg1[5]), x3) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64((arg1[7]), x2) - var x40 uint64 - var x41 uint64 - 
x41, x40 = bits.Mul64((arg1[6]), x4) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64((arg1[6]), x7) - var x44 uint64 - var x45 uint64 - x45, x44 = bits.Mul64((arg1[5]), x4) - var x46 uint64 - var x47 uint64 - x47, x46 = bits.Mul64((arg1[5]), x9) - var x48 uint64 - var x49 uint64 - x49, x48 = bits.Mul64((arg1[5]), x8) - var x50 uint64 - var x51 uint64 - x51, x50 = bits.Mul64((arg1[5]), x12) - var x52 uint64 - var x53 uint64 - x53, x52 = bits.Mul64((arg1[5]), x11) - var x54 uint64 - var x55 uint64 - x55, x54 = bits.Mul64((arg1[4]), x4) - var x56 uint64 - var x57 uint64 - x57, x56 = bits.Mul64((arg1[4]), x3) - var x58 uint64 - var x59 uint64 - x59, x58 = bits.Mul64((arg1[4]), x9) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64((arg1[4]), x8) - var x62 uint64 - var x63 uint64 - x63, x62 = bits.Mul64((arg1[4]), x14) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64((arg1[4]), x13) - var x66 uint64 - var x67 uint64 - x67, x66 = bits.Mul64((arg1[4]), x17) - var x68 uint64 - var x69 uint64 - x69, x68 = bits.Mul64((arg1[4]), x16) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64((arg1[3]), x4) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64((arg1[3]), x3) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64((arg1[3]), x9) - var x76 uint64 - var x77 uint64 - x77, x76 = bits.Mul64((arg1[3]), x8) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64((arg1[3]), x14) - var x80 uint64 - var x81 uint64 - x81, x80 = bits.Mul64((arg1[3]), x13) - var x82 uint64 - var x83 uint64 - x83, x82 = bits.Mul64((arg1[3]), x18) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64((arg1[3]), (arg1[3])) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64((arg1[2]), x4) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64((arg1[2]), x3) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64((arg1[2]), x9) - var x92 uint64 - var x93 uint64 - x93, x92 = bits.Mul64((arg1[2]), x8) - var x94 uint64 - var x95 uint64 - x95, x94 = 
bits.Mul64((arg1[2]), x15) - var x96 uint64 - var x97 uint64 - x97, x96 = bits.Mul64((arg1[2]), x18) - var x98 uint64 - var x99 uint64 - x99, x98 = bits.Mul64((arg1[2]), x19) - var x100 uint64 - var x101 uint64 - x101, x100 = bits.Mul64((arg1[2]), (arg1[2])) - var x102 uint64 - var x103 uint64 - x103, x102 = bits.Mul64((arg1[1]), x4) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64((arg1[1]), x3) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64((arg1[1]), x10) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64((arg1[1]), x15) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64((arg1[1]), x18) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64((arg1[1]), x19) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64((arg1[1]), x20) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64((arg1[1]), (arg1[1])) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64((arg1[0]), x5) - var x120 uint64 - var x121 uint64 - x121, x120 = bits.Mul64((arg1[0]), x10) - var x122 uint64 - var x123 uint64 - x123, x122 = bits.Mul64((arg1[0]), x15) - var x124 uint64 - var x125 uint64 - x125, x124 = bits.Mul64((arg1[0]), x18) - var x126 uint64 - var x127 uint64 - x127, x126 = bits.Mul64((arg1[0]), x19) - var x128 uint64 - var x129 uint64 - x129, x128 = bits.Mul64((arg1[0]), x20) - var x130 uint64 - var x131 uint64 - x131, x130 = bits.Mul64((arg1[0]), x21) - var x132 uint64 - var x133 uint64 - x133, x132 = bits.Mul64((arg1[0]), (arg1[0])) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x54, x46, 0x0) - var x136 uint64 - x136, _ = addcarryxU64(x55, x47, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x114, x134, 0x0) - var x140 uint64 - x140, _ = addcarryxU64(x115, x136, x139) - var x142 uint64 - var x143 uint1 - x142, x143 = addcarryxU64(x126, x138, 0x0) - var x144 uint64 - x144, _ = addcarryxU64(x127, x140, x143) - var x146 uint64 = ((x142 >> 56) | ((x144 << 8) & 
0xffffffffffffffff)) - var x147 uint64 = (x142 & 0xffffffffffffff) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x56, x48, 0x0) - var x150 uint64 - x150, _ = addcarryxU64(x57, x49, x149) - var x152 uint64 - var x153 uint1 - x152, x153 = addcarryxU64(x82, x148, 0x0) - var x154 uint64 - x154, _ = addcarryxU64(x83, x150, x153) - var x156 uint64 - var x157 uint1 - x156, x157 = addcarryxU64(x94, x152, 0x0) - var x158 uint64 - x158, _ = addcarryxU64(x95, x154, x157) - var x160 uint64 - var x161 uint1 - x160, x161 = addcarryxU64(x106, x156, 0x0) - var x162 uint64 - x162, _ = addcarryxU64(x107, x158, x161) - var x164 uint64 - var x165 uint1 - x164, x165 = addcarryxU64(x118, x160, 0x0) - var x166 uint64 - x166, _ = addcarryxU64(x119, x162, x165) - var x168 uint64 - var x169 uint1 - x168, x169 = addcarryxU64(x38, x30, 0x0) - var x170 uint64 - x170, _ = addcarryxU64(x39, x31, x169) - var x172 uint64 - var x173 uint1 - x172, x173 = addcarryxU64(x52, x168, 0x0) - var x174 uint64 - x174, _ = addcarryxU64(x53, x170, x173) - var x176 uint64 - var x177 uint1 - x176, x177 = addcarryxU64(x60, x172, 0x0) - var x178 uint64 - x178, _ = addcarryxU64(x61, x174, x177) - var x180 uint64 - var x181 uint1 - x180, x181 = addcarryxU64(x72, x176, 0x0) - var x182 uint64 - x182, _ = addcarryxU64(x73, x178, x181) - var x184 uint64 - var x185 uint1 - x184, x185 = addcarryxU64(x84, x180, 0x0) - var x186 uint64 - x186, _ = addcarryxU64(x85, x182, x185) - var x188 uint64 - var x189 uint1 - x188, x189 = addcarryxU64(x96, x184, 0x0) - var x190 uint64 - x190, _ = addcarryxU64(x97, x186, x189) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(x108, x188, 0x0) - var x194 uint64 - x194, _ = addcarryxU64(x109, x190, x193) - var x196 uint64 - var x197 uint1 - x196, x197 = addcarryxU64(x120, x192, 0x0) - var x198 uint64 - x198, _ = addcarryxU64(x121, x194, x197) - var x200 uint64 - var x201 uint1 - x200, x201 = addcarryxU64(x40, x32, 0x0) - var x202 uint64 - x202, _ = 
addcarryxU64(x41, x33, x201) - var x204 uint64 - var x205 uint1 - x204, x205 = addcarryxU64(x64, x200, 0x0) - var x206 uint64 - x206, _ = addcarryxU64(x65, x202, x205) - var x208 uint64 - var x209 uint1 - x208, x209 = addcarryxU64(x76, x204, 0x0) - var x210 uint64 - x210, _ = addcarryxU64(x77, x206, x209) - var x212 uint64 - var x213 uint1 - x212, x213 = addcarryxU64(x88, x208, 0x0) - var x214 uint64 - x214, _ = addcarryxU64(x89, x210, x213) - var x216 uint64 - var x217 uint1 - x216, x217 = addcarryxU64(x98, x212, 0x0) - var x218 uint64 - x218, _ = addcarryxU64(x99, x214, x217) - var x220 uint64 - var x221 uint1 - x220, x221 = addcarryxU64(x110, x216, 0x0) - var x222 uint64 - x222, _ = addcarryxU64(x111, x218, x221) - var x224 uint64 - var x225 uint1 - x224, x225 = addcarryxU64(x122, x220, 0x0) - var x226 uint64 - x226, _ = addcarryxU64(x123, x222, x225) - var x228 uint64 - var x229 uint1 - x228, x229 = addcarryxU64(x36, x34, 0x0) - var x230 uint64 - x230, _ = addcarryxU64(x37, x35, x229) - var x232 uint64 - var x233 uint1 - x232, x233 = addcarryxU64(x42, x228, 0x0) - var x234 uint64 - x234, _ = addcarryxU64(x43, x230, x233) - var x236 uint64 - var x237 uint1 - x236, x237 = addcarryxU64(x44, x232, 0x0) - var x238 uint64 - x238, _ = addcarryxU64(x45, x234, x237) - var x240 uint64 - var x241 uint1 - x240, x241 = addcarryxU64(x68, x236, 0x0) - var x242 uint64 - x242, _ = addcarryxU64(x69, x238, x241) - var x244 uint64 - var x245 uint1 - x244, x245 = addcarryxU64(x80, x240, 0x0) - var x246 uint64 - x246, _ = addcarryxU64(x81, x242, x245) - var x248 uint64 - var x249 uint1 - x248, x249 = addcarryxU64(x92, x244, 0x0) - var x250 uint64 - x250, _ = addcarryxU64(x93, x246, x249) - var x252 uint64 - var x253 uint1 - x252, x253 = addcarryxU64(x100, x248, 0x0) - var x254 uint64 - x254, _ = addcarryxU64(x101, x250, x253) - var x256 uint64 - var x257 uint1 - x256, x257 = addcarryxU64(x104, x252, 0x0) - var x258 uint64 - x258, _ = addcarryxU64(x105, x254, x257) - var x260 uint64 
- var x261 uint1 - x260, x261 = addcarryxU64(x112, x256, 0x0) - var x262 uint64 - x262, _ = addcarryxU64(x113, x258, x261) - var x264 uint64 - var x265 uint1 - x264, x265 = addcarryxU64(x124, x260, 0x0) - var x266 uint64 - x266, _ = addcarryxU64(x125, x262, x265) - var x268 uint64 - var x269 uint1 - x268, x269 = addcarryxU64(x50, x22, 0x0) - var x270 uint64 - x270, _ = addcarryxU64(x51, x23, x269) - var x272 uint64 - var x273 uint1 - x272, x273 = addcarryxU64(x58, x268, 0x0) - var x274 uint64 - x274, _ = addcarryxU64(x59, x270, x273) - var x276 uint64 - var x277 uint1 - x276, x277 = addcarryxU64(x70, x272, 0x0) - var x278 uint64 - x278, _ = addcarryxU64(x71, x274, x277) - var x280 uint64 - var x281 uint1 - x280, x281 = addcarryxU64(x116, x276, 0x0) - var x282 uint64 - x282, _ = addcarryxU64(x117, x278, x281) - var x284 uint64 - var x285 uint1 - x284, x285 = addcarryxU64(x128, x280, 0x0) - var x286 uint64 - x286, _ = addcarryxU64(x129, x282, x285) - var x288 uint64 - var x289 uint1 - x288, x289 = addcarryxU64(x62, x24, 0x0) - var x290 uint64 - x290, _ = addcarryxU64(x63, x25, x289) - var x292 uint64 - var x293 uint1 - x292, x293 = addcarryxU64(x74, x288, 0x0) - var x294 uint64 - x294, _ = addcarryxU64(x75, x290, x293) - var x296 uint64 - var x297 uint1 - x296, x297 = addcarryxU64(x86, x292, 0x0) - var x298 uint64 - x298, _ = addcarryxU64(x87, x294, x297) - var x300 uint64 - var x301 uint1 - x300, x301 = addcarryxU64(x130, x296, 0x0) - var x302 uint64 - x302, _ = addcarryxU64(x131, x298, x301) - var x304 uint64 - var x305 uint1 - x304, x305 = addcarryxU64(x28, x26, 0x0) - var x306 uint64 - x306, _ = addcarryxU64(x29, x27, x305) - var x308 uint64 - var x309 uint1 - x308, x309 = addcarryxU64(x66, x304, 0x0) - var x310 uint64 - x310, _ = addcarryxU64(x67, x306, x309) - var x312 uint64 - var x313 uint1 - x312, x313 = addcarryxU64(x78, x308, 0x0) - var x314 uint64 - x314, _ = addcarryxU64(x79, x310, x313) - var x316 uint64 - var x317 uint1 - x316, x317 = addcarryxU64(x90, 
x312, 0x0) - var x318 uint64 - x318, _ = addcarryxU64(x91, x314, x317) - var x320 uint64 - var x321 uint1 - x320, x321 = addcarryxU64(x102, x316, 0x0) - var x322 uint64 - x322, _ = addcarryxU64(x103, x318, x321) - var x324 uint64 - var x325 uint1 - x324, x325 = addcarryxU64(x132, x320, 0x0) - var x326 uint64 - x326, _ = addcarryxU64(x133, x322, x325) - var x328 uint64 - var x329 uint1 - x328, x329 = addcarryxU64(x146, x264, 0x0) - var x330 uint64 = (uint64(x329) + x266) - var x331 uint64 = ((x164 >> 56) | ((x166 << 8) & 0xffffffffffffffff)) - var x332 uint64 = (x164 & 0xffffffffffffff) - var x333 uint64 - var x334 uint1 - x333, x334 = addcarryxU64(x328, x331, 0x0) - var x335 uint64 = (uint64(x334) + x330) - var x336 uint64 = ((x333 >> 56) | ((x335 << 8) & 0xffffffffffffffff)) - var x337 uint64 = (x333 & 0xffffffffffffff) - var x338 uint64 - var x339 uint1 - x338, x339 = addcarryxU64(x324, x331, 0x0) - var x340 uint64 = (uint64(x339) + x326) - var x341 uint64 - var x342 uint1 - x341, x342 = addcarryxU64(x336, x224, 0x0) - var x343 uint64 = (uint64(x342) + x226) - var x344 uint64 = ((x338 >> 56) | ((x340 << 8) & 0xffffffffffffffff)) - var x345 uint64 = (x338 & 0xffffffffffffff) - var x346 uint64 - var x347 uint1 - x346, x347 = addcarryxU64(x344, x300, 0x0) - var x348 uint64 = (uint64(x347) + x302) - var x349 uint64 = ((x341 >> 56) | ((x343 << 8) & 0xffffffffffffffff)) - var x350 uint64 = (x341 & 0xffffffffffffff) - var x351 uint64 - var x352 uint1 - x351, x352 = addcarryxU64(x349, x196, 0x0) - var x353 uint64 = (uint64(x352) + x198) - var x354 uint64 = ((x346 >> 56) | ((x348 << 8) & 0xffffffffffffffff)) - var x355 uint64 = (x346 & 0xffffffffffffff) - var x356 uint64 - var x357 uint1 - x356, x357 = addcarryxU64(x354, x284, 0x0) - var x358 uint64 = (uint64(x357) + x286) - var x359 uint64 = ((x351 >> 56) | ((x353 << 8) & 0xffffffffffffffff)) - var x360 uint64 = (x351 & 0xffffffffffffff) - var x361 uint64 = (x359 + x332) - var x362 uint64 = ((x356 >> 56) | ((x358 << 8) & 
0xffffffffffffffff)) - var x363 uint64 = (x356 & 0xffffffffffffff) - var x364 uint64 = (x362 + x147) - var x365 uint64 = (x361 >> 56) - var x366 uint64 = (x361 & 0xffffffffffffff) - var x367 uint64 = (x364 >> 56) - var x368 uint64 = (x364 & 0xffffffffffffff) - var x369 uint64 = (x337 + x365) - var x370 uint64 = (x345 + x365) - var x371 uint64 = (x367 + x369) - var x372 uint1 = uint1((x371 >> 56)) - var x373 uint64 = (x371 & 0xffffffffffffff) - var x374 uint64 = (uint64(x372) + x350) - var x375 uint1 = uint1((x370 >> 56)) - var x376 uint64 = (x370 & 0xffffffffffffff) - var x377 uint64 = (uint64(x375) + x355) - out1[0] = x376 - out1[1] = x377 - out1[2] = x363 - out1[3] = x368 - out1[4] = x373 - out1[5] = x374 - out1[6] = x360 - out1[7] = x366 + x1 := arg1[7] + x2 := arg1[7] + x3 := (x1 * 0x2) + x4 := (x2 * 0x2) + x5 := (arg1[7] * 0x2) + x6 := arg1[6] + x7 := arg1[6] + x8 := (x6 * 0x2) + x9 := (x7 * 0x2) + x10 := (arg1[6] * 0x2) + x11 := arg1[5] + x12 := arg1[5] + x13 := (x11 * 0x2) + x14 := (x12 * 0x2) + x15 := (arg1[5] * 0x2) + x16 := arg1[4] + x17 := arg1[4] + x18 := (arg1[4] * 0x2) + x19 := (arg1[3] * 0x2) + x20 := (arg1[2] * 0x2) + x21 := (arg1[1] * 0x2) + var x22 uint64 + var x23 uint64 + x23, x22 = bits.Mul64(arg1[7], x1) + var x24 uint64 + var x25 uint64 + x25, x24 = bits.Mul64(arg1[6], x3) + var x26 uint64 + var x27 uint64 + x27, x26 = bits.Mul64(arg1[6], x6) + var x28 uint64 + var x29 uint64 + x29, x28 = bits.Mul64(arg1[5], x3) + var x30 uint64 + var x31 uint64 + x31, x30 = bits.Mul64(arg1[7], x1) + var x32 uint64 + var x33 uint64 + x33, x32 = bits.Mul64(arg1[6], x3) + var x34 uint64 + var x35 uint64 + x35, x34 = bits.Mul64(arg1[6], x6) + var x36 uint64 + var x37 uint64 + x37, x36 = bits.Mul64(arg1[5], x3) + var x38 uint64 + var x39 uint64 + x39, x38 = bits.Mul64(arg1[7], x2) + var x40 uint64 + var x41 uint64 + x41, x40 = bits.Mul64(arg1[6], x4) + var x42 uint64 + var x43 uint64 + x43, x42 = bits.Mul64(arg1[6], x7) + var x44 uint64 + var x45 uint64 + x45, 
x44 = bits.Mul64(arg1[5], x4) + var x46 uint64 + var x47 uint64 + x47, x46 = bits.Mul64(arg1[5], x9) + var x48 uint64 + var x49 uint64 + x49, x48 = bits.Mul64(arg1[5], x8) + var x50 uint64 + var x51 uint64 + x51, x50 = bits.Mul64(arg1[5], x12) + var x52 uint64 + var x53 uint64 + x53, x52 = bits.Mul64(arg1[5], x11) + var x54 uint64 + var x55 uint64 + x55, x54 = bits.Mul64(arg1[4], x4) + var x56 uint64 + var x57 uint64 + x57, x56 = bits.Mul64(arg1[4], x3) + var x58 uint64 + var x59 uint64 + x59, x58 = bits.Mul64(arg1[4], x9) + var x60 uint64 + var x61 uint64 + x61, x60 = bits.Mul64(arg1[4], x8) + var x62 uint64 + var x63 uint64 + x63, x62 = bits.Mul64(arg1[4], x14) + var x64 uint64 + var x65 uint64 + x65, x64 = bits.Mul64(arg1[4], x13) + var x66 uint64 + var x67 uint64 + x67, x66 = bits.Mul64(arg1[4], x17) + var x68 uint64 + var x69 uint64 + x69, x68 = bits.Mul64(arg1[4], x16) + var x70 uint64 + var x71 uint64 + x71, x70 = bits.Mul64(arg1[3], x4) + var x72 uint64 + var x73 uint64 + x73, x72 = bits.Mul64(arg1[3], x3) + var x74 uint64 + var x75 uint64 + x75, x74 = bits.Mul64(arg1[3], x9) + var x76 uint64 + var x77 uint64 + x77, x76 = bits.Mul64(arg1[3], x8) + var x78 uint64 + var x79 uint64 + x79, x78 = bits.Mul64(arg1[3], x14) + var x80 uint64 + var x81 uint64 + x81, x80 = bits.Mul64(arg1[3], x13) + var x82 uint64 + var x83 uint64 + x83, x82 = bits.Mul64(arg1[3], x18) + var x84 uint64 + var x85 uint64 + x85, x84 = bits.Mul64(arg1[3], arg1[3]) + var x86 uint64 + var x87 uint64 + x87, x86 = bits.Mul64(arg1[2], x4) + var x88 uint64 + var x89 uint64 + x89, x88 = bits.Mul64(arg1[2], x3) + var x90 uint64 + var x91 uint64 + x91, x90 = bits.Mul64(arg1[2], x9) + var x92 uint64 + var x93 uint64 + x93, x92 = bits.Mul64(arg1[2], x8) + var x94 uint64 + var x95 uint64 + x95, x94 = bits.Mul64(arg1[2], x15) + var x96 uint64 + var x97 uint64 + x97, x96 = bits.Mul64(arg1[2], x18) + var x98 uint64 + var x99 uint64 + x99, x98 = bits.Mul64(arg1[2], x19) + var x100 uint64 + var x101 uint64 
+ x101, x100 = bits.Mul64(arg1[2], arg1[2]) + var x102 uint64 + var x103 uint64 + x103, x102 = bits.Mul64(arg1[1], x4) + var x104 uint64 + var x105 uint64 + x105, x104 = bits.Mul64(arg1[1], x3) + var x106 uint64 + var x107 uint64 + x107, x106 = bits.Mul64(arg1[1], x10) + var x108 uint64 + var x109 uint64 + x109, x108 = bits.Mul64(arg1[1], x15) + var x110 uint64 + var x111 uint64 + x111, x110 = bits.Mul64(arg1[1], x18) + var x112 uint64 + var x113 uint64 + x113, x112 = bits.Mul64(arg1[1], x19) + var x114 uint64 + var x115 uint64 + x115, x114 = bits.Mul64(arg1[1], x20) + var x116 uint64 + var x117 uint64 + x117, x116 = bits.Mul64(arg1[1], arg1[1]) + var x118 uint64 + var x119 uint64 + x119, x118 = bits.Mul64(arg1[0], x5) + var x120 uint64 + var x121 uint64 + x121, x120 = bits.Mul64(arg1[0], x10) + var x122 uint64 + var x123 uint64 + x123, x122 = bits.Mul64(arg1[0], x15) + var x124 uint64 + var x125 uint64 + x125, x124 = bits.Mul64(arg1[0], x18) + var x126 uint64 + var x127 uint64 + x127, x126 = bits.Mul64(arg1[0], x19) + var x128 uint64 + var x129 uint64 + x129, x128 = bits.Mul64(arg1[0], x20) + var x130 uint64 + var x131 uint64 + x131, x130 = bits.Mul64(arg1[0], x21) + var x132 uint64 + var x133 uint64 + x133, x132 = bits.Mul64(arg1[0], arg1[0]) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x54, x46, 0x0) + var x136 uint64 + x136, _ = addcarryxU64(x55, x47, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x114, x134, 0x0) + var x140 uint64 + x140, _ = addcarryxU64(x115, x136, x139) + var x142 uint64 + var x143 uint1 + x142, x143 = addcarryxU64(x126, x138, 0x0) + var x144 uint64 + x144, _ = addcarryxU64(x127, x140, x143) + x146 := ((x142 >> 56) | ((x144 << 8) & 0xffffffffffffffff)) + x147 := (x142 & 0xffffffffffffff) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x56, x48, 0x0) + var x150 uint64 + x150, _ = addcarryxU64(x57, x49, x149) + var x152 uint64 + var x153 uint1 + x152, x153 = addcarryxU64(x82, x148, 0x0) + 
var x154 uint64 + x154, _ = addcarryxU64(x83, x150, x153) + var x156 uint64 + var x157 uint1 + x156, x157 = addcarryxU64(x94, x152, 0x0) + var x158 uint64 + x158, _ = addcarryxU64(x95, x154, x157) + var x160 uint64 + var x161 uint1 + x160, x161 = addcarryxU64(x106, x156, 0x0) + var x162 uint64 + x162, _ = addcarryxU64(x107, x158, x161) + var x164 uint64 + var x165 uint1 + x164, x165 = addcarryxU64(x118, x160, 0x0) + var x166 uint64 + x166, _ = addcarryxU64(x119, x162, x165) + var x168 uint64 + var x169 uint1 + x168, x169 = addcarryxU64(x38, x30, 0x0) + var x170 uint64 + x170, _ = addcarryxU64(x39, x31, x169) + var x172 uint64 + var x173 uint1 + x172, x173 = addcarryxU64(x52, x168, 0x0) + var x174 uint64 + x174, _ = addcarryxU64(x53, x170, x173) + var x176 uint64 + var x177 uint1 + x176, x177 = addcarryxU64(x60, x172, 0x0) + var x178 uint64 + x178, _ = addcarryxU64(x61, x174, x177) + var x180 uint64 + var x181 uint1 + x180, x181 = addcarryxU64(x72, x176, 0x0) + var x182 uint64 + x182, _ = addcarryxU64(x73, x178, x181) + var x184 uint64 + var x185 uint1 + x184, x185 = addcarryxU64(x84, x180, 0x0) + var x186 uint64 + x186, _ = addcarryxU64(x85, x182, x185) + var x188 uint64 + var x189 uint1 + x188, x189 = addcarryxU64(x96, x184, 0x0) + var x190 uint64 + x190, _ = addcarryxU64(x97, x186, x189) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(x108, x188, 0x0) + var x194 uint64 + x194, _ = addcarryxU64(x109, x190, x193) + var x196 uint64 + var x197 uint1 + x196, x197 = addcarryxU64(x120, x192, 0x0) + var x198 uint64 + x198, _ = addcarryxU64(x121, x194, x197) + var x200 uint64 + var x201 uint1 + x200, x201 = addcarryxU64(x40, x32, 0x0) + var x202 uint64 + x202, _ = addcarryxU64(x41, x33, x201) + var x204 uint64 + var x205 uint1 + x204, x205 = addcarryxU64(x64, x200, 0x0) + var x206 uint64 + x206, _ = addcarryxU64(x65, x202, x205) + var x208 uint64 + var x209 uint1 + x208, x209 = addcarryxU64(x76, x204, 0x0) + var x210 uint64 + x210, _ = addcarryxU64(x77, 
x206, x209) + var x212 uint64 + var x213 uint1 + x212, x213 = addcarryxU64(x88, x208, 0x0) + var x214 uint64 + x214, _ = addcarryxU64(x89, x210, x213) + var x216 uint64 + var x217 uint1 + x216, x217 = addcarryxU64(x98, x212, 0x0) + var x218 uint64 + x218, _ = addcarryxU64(x99, x214, x217) + var x220 uint64 + var x221 uint1 + x220, x221 = addcarryxU64(x110, x216, 0x0) + var x222 uint64 + x222, _ = addcarryxU64(x111, x218, x221) + var x224 uint64 + var x225 uint1 + x224, x225 = addcarryxU64(x122, x220, 0x0) + var x226 uint64 + x226, _ = addcarryxU64(x123, x222, x225) + var x228 uint64 + var x229 uint1 + x228, x229 = addcarryxU64(x36, x34, 0x0) + var x230 uint64 + x230, _ = addcarryxU64(x37, x35, x229) + var x232 uint64 + var x233 uint1 + x232, x233 = addcarryxU64(x42, x228, 0x0) + var x234 uint64 + x234, _ = addcarryxU64(x43, x230, x233) + var x236 uint64 + var x237 uint1 + x236, x237 = addcarryxU64(x44, x232, 0x0) + var x238 uint64 + x238, _ = addcarryxU64(x45, x234, x237) + var x240 uint64 + var x241 uint1 + x240, x241 = addcarryxU64(x68, x236, 0x0) + var x242 uint64 + x242, _ = addcarryxU64(x69, x238, x241) + var x244 uint64 + var x245 uint1 + x244, x245 = addcarryxU64(x80, x240, 0x0) + var x246 uint64 + x246, _ = addcarryxU64(x81, x242, x245) + var x248 uint64 + var x249 uint1 + x248, x249 = addcarryxU64(x92, x244, 0x0) + var x250 uint64 + x250, _ = addcarryxU64(x93, x246, x249) + var x252 uint64 + var x253 uint1 + x252, x253 = addcarryxU64(x100, x248, 0x0) + var x254 uint64 + x254, _ = addcarryxU64(x101, x250, x253) + var x256 uint64 + var x257 uint1 + x256, x257 = addcarryxU64(x104, x252, 0x0) + var x258 uint64 + x258, _ = addcarryxU64(x105, x254, x257) + var x260 uint64 + var x261 uint1 + x260, x261 = addcarryxU64(x112, x256, 0x0) + var x262 uint64 + x262, _ = addcarryxU64(x113, x258, x261) + var x264 uint64 + var x265 uint1 + x264, x265 = addcarryxU64(x124, x260, 0x0) + var x266 uint64 + x266, _ = addcarryxU64(x125, x262, x265) + var x268 uint64 + var x269 
uint1 + x268, x269 = addcarryxU64(x50, x22, 0x0) + var x270 uint64 + x270, _ = addcarryxU64(x51, x23, x269) + var x272 uint64 + var x273 uint1 + x272, x273 = addcarryxU64(x58, x268, 0x0) + var x274 uint64 + x274, _ = addcarryxU64(x59, x270, x273) + var x276 uint64 + var x277 uint1 + x276, x277 = addcarryxU64(x70, x272, 0x0) + var x278 uint64 + x278, _ = addcarryxU64(x71, x274, x277) + var x280 uint64 + var x281 uint1 + x280, x281 = addcarryxU64(x116, x276, 0x0) + var x282 uint64 + x282, _ = addcarryxU64(x117, x278, x281) + var x284 uint64 + var x285 uint1 + x284, x285 = addcarryxU64(x128, x280, 0x0) + var x286 uint64 + x286, _ = addcarryxU64(x129, x282, x285) + var x288 uint64 + var x289 uint1 + x288, x289 = addcarryxU64(x62, x24, 0x0) + var x290 uint64 + x290, _ = addcarryxU64(x63, x25, x289) + var x292 uint64 + var x293 uint1 + x292, x293 = addcarryxU64(x74, x288, 0x0) + var x294 uint64 + x294, _ = addcarryxU64(x75, x290, x293) + var x296 uint64 + var x297 uint1 + x296, x297 = addcarryxU64(x86, x292, 0x0) + var x298 uint64 + x298, _ = addcarryxU64(x87, x294, x297) + var x300 uint64 + var x301 uint1 + x300, x301 = addcarryxU64(x130, x296, 0x0) + var x302 uint64 + x302, _ = addcarryxU64(x131, x298, x301) + var x304 uint64 + var x305 uint1 + x304, x305 = addcarryxU64(x28, x26, 0x0) + var x306 uint64 + x306, _ = addcarryxU64(x29, x27, x305) + var x308 uint64 + var x309 uint1 + x308, x309 = addcarryxU64(x66, x304, 0x0) + var x310 uint64 + x310, _ = addcarryxU64(x67, x306, x309) + var x312 uint64 + var x313 uint1 + x312, x313 = addcarryxU64(x78, x308, 0x0) + var x314 uint64 + x314, _ = addcarryxU64(x79, x310, x313) + var x316 uint64 + var x317 uint1 + x316, x317 = addcarryxU64(x90, x312, 0x0) + var x318 uint64 + x318, _ = addcarryxU64(x91, x314, x317) + var x320 uint64 + var x321 uint1 + x320, x321 = addcarryxU64(x102, x316, 0x0) + var x322 uint64 + x322, _ = addcarryxU64(x103, x318, x321) + var x324 uint64 + var x325 uint1 + x324, x325 = addcarryxU64(x132, x320, 0x0) 
+ var x326 uint64 + x326, _ = addcarryxU64(x133, x322, x325) + var x328 uint64 + var x329 uint1 + x328, x329 = addcarryxU64(x146, x264, 0x0) + x330 := (uint64(x329) + x266) + x331 := ((x164 >> 56) | ((x166 << 8) & 0xffffffffffffffff)) + x332 := (x164 & 0xffffffffffffff) + var x333 uint64 + var x334 uint1 + x333, x334 = addcarryxU64(x328, x331, 0x0) + x335 := (uint64(x334) + x330) + x336 := ((x333 >> 56) | ((x335 << 8) & 0xffffffffffffffff)) + x337 := (x333 & 0xffffffffffffff) + var x338 uint64 + var x339 uint1 + x338, x339 = addcarryxU64(x324, x331, 0x0) + x340 := (uint64(x339) + x326) + var x341 uint64 + var x342 uint1 + x341, x342 = addcarryxU64(x336, x224, 0x0) + x343 := (uint64(x342) + x226) + x344 := ((x338 >> 56) | ((x340 << 8) & 0xffffffffffffffff)) + x345 := (x338 & 0xffffffffffffff) + var x346 uint64 + var x347 uint1 + x346, x347 = addcarryxU64(x344, x300, 0x0) + x348 := (uint64(x347) + x302) + x349 := ((x341 >> 56) | ((x343 << 8) & 0xffffffffffffffff)) + x350 := (x341 & 0xffffffffffffff) + var x351 uint64 + var x352 uint1 + x351, x352 = addcarryxU64(x349, x196, 0x0) + x353 := (uint64(x352) + x198) + x354 := ((x346 >> 56) | ((x348 << 8) & 0xffffffffffffffff)) + x355 := (x346 & 0xffffffffffffff) + var x356 uint64 + var x357 uint1 + x356, x357 = addcarryxU64(x354, x284, 0x0) + x358 := (uint64(x357) + x286) + x359 := ((x351 >> 56) | ((x353 << 8) & 0xffffffffffffffff)) + x360 := (x351 & 0xffffffffffffff) + x361 := (x359 + x332) + x362 := ((x356 >> 56) | ((x358 << 8) & 0xffffffffffffffff)) + x363 := (x356 & 0xffffffffffffff) + x364 := (x362 + x147) + x365 := (x361 >> 56) + x366 := (x361 & 0xffffffffffffff) + x367 := (x364 >> 56) + x368 := (x364 & 0xffffffffffffff) + x369 := (x337 + x365) + x370 := (x345 + x365) + x371 := (x367 + x369) + x372 := uint1((x371 >> 56)) + x373 := (x371 & 0xffffffffffffff) + x374 := (uint64(x372) + x350) + x375 := uint1((x370 >> 56)) + x376 := (x370 & 0xffffffffffffff) + x377 := (uint64(x375) + x355) + out1[0] = x376 + out1[1] = x377 
+ out1[2] = x363 + out1[3] = x368 + out1[4] = x373 + out1[5] = x374 + out1[6] = x360 + out1[7] = x366 } -/* - The function Carry reduces a field element. - Postconditions: - eval out1 mod m = eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - */ -/*inline*/ +// Carry reduces a field element. +// +// Postconditions: +// eval out1 mod m = eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] func Carry(out1 *[8]uint64, arg1 *[8]uint64) { - var x1 uint64 = (arg1[3]) - var x2 uint64 = (arg1[7]) - var x3 uint64 = (x2 >> 56) - var x4 uint64 = (((x1 >> 56) + (arg1[4])) + x3) - var x5 uint64 = ((arg1[0]) + x3) - var x6 uint64 = ((x4 >> 56) + (arg1[5])) - var x7 uint64 = ((x5 >> 56) + (arg1[1])) - var x8 uint64 = ((x6 >> 56) + (arg1[6])) - var x9 uint64 = ((x7 >> 56) + (arg1[2])) - var x10 uint64 = ((x8 >> 56) + (x2 & 0xffffffffffffff)) - var x11 uint64 = ((x9 >> 56) + (x1 & 0xffffffffffffff)) - var x12 uint1 = uint1((x10 >> 56)) - var x13 uint64 = ((x5 & 0xffffffffffffff) + uint64(x12)) - var x14 uint64 = (uint64(uint1((x11 >> 56))) + ((x4 & 
0xffffffffffffff) + uint64(x12))) - var x15 uint64 = (x13 & 0xffffffffffffff) - var x16 uint64 = (uint64(uint1((x13 >> 56))) + (x7 & 0xffffffffffffff)) - var x17 uint64 = (x9 & 0xffffffffffffff) - var x18 uint64 = (x11 & 0xffffffffffffff) - var x19 uint64 = (x14 & 0xffffffffffffff) - var x20 uint64 = (uint64(uint1((x14 >> 56))) + (x6 & 0xffffffffffffff)) - var x21 uint64 = (x8 & 0xffffffffffffff) - var x22 uint64 = (x10 & 0xffffffffffffff) - out1[0] = x15 - out1[1] = x16 - out1[2] = x17 - out1[3] = x18 - out1[4] = x19 - out1[5] = x20 - out1[6] = x21 - out1[7] = x22 + x1 := arg1[3] + x2 := arg1[7] + x3 := (x2 >> 56) + x4 := (((x1 >> 56) + arg1[4]) + x3) + x5 := (arg1[0] + x3) + x6 := ((x4 >> 56) + arg1[5]) + x7 := ((x5 >> 56) + arg1[1]) + x8 := ((x6 >> 56) + arg1[6]) + x9 := ((x7 >> 56) + arg1[2]) + x10 := ((x8 >> 56) + (x2 & 0xffffffffffffff)) + x11 := ((x9 >> 56) + (x1 & 0xffffffffffffff)) + x12 := uint1((x10 >> 56)) + x13 := ((x5 & 0xffffffffffffff) + uint64(x12)) + x14 := (uint64(uint1((x11 >> 56))) + ((x4 & 0xffffffffffffff) + uint64(x12))) + x15 := (x13 & 0xffffffffffffff) + x16 := (uint64(uint1((x13 >> 56))) + (x7 & 0xffffffffffffff)) + x17 := (x9 & 0xffffffffffffff) + x18 := (x11 & 0xffffffffffffff) + x19 := (x14 & 0xffffffffffffff) + x20 := (uint64(uint1((x14 >> 56))) + (x6 & 0xffffffffffffff)) + x21 := (x8 & 0xffffffffffffff) + x22 := (x10 & 0xffffffffffffff) + out1[0] = x15 + out1[1] = x16 + out1[2] = x17 + out1[3] = x18 + out1[4] = x19 + out1[5] = x20 + out1[6] = x21 + out1[7] = x22 } -/* - The function Add adds two field elements. 
- Postconditions: - eval out1 mod m = (eval arg1 + eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - arg2: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] - */ -/*inline*/ +// Add adds two field elements. +// +// Postconditions: +// eval out1 mod m = (eval arg1 + eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] +// arg2: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] func Add(out1 *[8]uint64, arg1 *[8]uint64, arg2 *[8]uint64) { - var x1 uint64 = ((arg1[0]) + (arg2[0])) - var x2 uint64 = ((arg1[1]) + (arg2[1])) - var x3 uint64 = ((arg1[2]) + (arg2[2])) - var x4 uint64 = ((arg1[3]) + (arg2[3])) - var x5 uint64 = ((arg1[4]) + (arg2[4])) - var x6 uint64 = ((arg1[5]) + (arg2[5])) - var x7 
uint64 = ((arg1[6]) + (arg2[6])) - var x8 uint64 = ((arg1[7]) + (arg2[7])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 + x1 := (arg1[0] + arg2[0]) + x2 := (arg1[1] + arg2[1]) + x3 := (arg1[2] + arg2[2]) + x4 := (arg1[3] + arg2[3]) + x5 := (arg1[4] + arg2[4]) + x6 := (arg1[5] + arg2[5]) + x7 := (arg1[6] + arg2[6]) + x8 := (arg1[7] + arg2[7]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 } -/* - The function Sub subtracts two field elements. - Postconditions: - eval out1 mod m = (eval arg1 - eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - arg2: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] - */ -/*inline*/ +// Sub subtracts two field elements. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 - eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] +// arg2: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] func Sub(out1 *[8]uint64, arg1 *[8]uint64, arg2 *[8]uint64) { - var x1 uint64 = ((0x1fffffffffffffe + (arg1[0])) - (arg2[0])) - var x2 uint64 = ((0x1fffffffffffffe + (arg1[1])) - (arg2[1])) - var x3 uint64 = ((0x1fffffffffffffe + (arg1[2])) - (arg2[2])) - var x4 uint64 = ((0x1fffffffffffffe + (arg1[3])) - (arg2[3])) - var x5 uint64 = ((0x1fffffffffffffc + (arg1[4])) - (arg2[4])) - var x6 uint64 = ((0x1fffffffffffffe + (arg1[5])) - (arg2[5])) - var x7 uint64 = ((0x1fffffffffffffe + (arg1[6])) - (arg2[6])) - var x8 uint64 = ((0x1fffffffffffffe + (arg1[7])) - (arg2[7])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 + x1 := ((0x1fffffffffffffe + arg1[0]) - arg2[0]) + x2 := ((0x1fffffffffffffe + arg1[1]) - arg2[1]) + x3 := ((0x1fffffffffffffe + arg1[2]) - arg2[2]) + x4 := ((0x1fffffffffffffe + arg1[3]) - arg2[3]) + x5 := ((0x1fffffffffffffc + arg1[4]) - arg2[4]) + x6 := ((0x1fffffffffffffe + arg1[5]) - arg2[5]) + x7 := ((0x1fffffffffffffe + arg1[6]) - arg2[6]) + x8 := ((0x1fffffffffffffe + arg1[7]) - arg2[7]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + 
out1[5] = x6 + out1[6] = x7 + out1[7] = x8 } -/* - The function Opp negates a field element. - Postconditions: - eval out1 mod m = -eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] - */ -/*inline*/ +// Opp negates a field element. +// +// Postconditions: +// eval out1 mod m = -eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000], [0x0 ~> 0x300000000000000]] func Opp(out1 *[8]uint64, arg1 *[8]uint64) { - var x1 uint64 = (0x1fffffffffffffe - (arg1[0])) - var x2 uint64 = (0x1fffffffffffffe - (arg1[1])) - var x3 uint64 = (0x1fffffffffffffe - (arg1[2])) - var x4 uint64 = (0x1fffffffffffffe - (arg1[3])) - var x5 uint64 = (0x1fffffffffffffc - (arg1[4])) - var x6 uint64 = (0x1fffffffffffffe - (arg1[5])) - var x7 uint64 = (0x1fffffffffffffe - (arg1[6])) - var x8 uint64 = (0x1fffffffffffffe - (arg1[7])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 + x1 := (0x1fffffffffffffe - arg1[0]) + x2 := (0x1fffffffffffffe - arg1[1]) + x3 := (0x1fffffffffffffe - arg1[2]) + x4 := (0x1fffffffffffffe - arg1[3]) + x5 := 
(0x1fffffffffffffc - arg1[4]) + x6 := (0x1fffffffffffffe - arg1[5]) + x7 := (0x1fffffffffffffe - arg1[6]) + x8 := (0x1fffffffffffffe - arg1[7]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 } -/* - The function Selectznz is a multi-limb conditional select. - Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[8]uint64, arg1 uint1, arg2 *[8]uint64, arg3 *[8]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint64 - cmovznzU64(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint64 - cmovznzU64(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint64 - cmovznzU64(&x7, arg1, (arg2[6]), (arg3[6])) - var x8 uint64 - cmovznzU64(&x8, arg1, (arg2[7]), (arg3[7])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + var x5 uint64 + cmovznzU64(&x5, arg1, arg2[4], arg3[4]) + var x6 uint64 + cmovznzU64(&x6, arg1, arg2[5], arg3[5]) + var x7 uint64 + cmovznzU64(&x7, arg1, arg2[6], arg3[6]) + var x8 uint64 + 
cmovznzU64(&x8, arg1, arg2[7], arg3[7]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 } -/* - The function ToBytes serializes a field element to bytes in little-endian order. - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element to bytes in little-endian order. 
+// +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[56]uint8, arg1 *[8]uint64) { - var x1 uint64 - var x2 uint1 - subborrowxU56(&x1, &x2, 0x0, (arg1[0]), 0xffffffffffffff) - var x3 uint64 - var x4 uint1 - subborrowxU56(&x3, &x4, x2, (arg1[1]), 0xffffffffffffff) - var x5 uint64 - var x6 uint1 - subborrowxU56(&x5, &x6, x4, (arg1[2]), 0xffffffffffffff) - var x7 uint64 - var x8 uint1 - subborrowxU56(&x7, &x8, x6, (arg1[3]), 0xffffffffffffff) - var x9 uint64 - var x10 uint1 - subborrowxU56(&x9, &x10, x8, (arg1[4]), 0xfffffffffffffe) - var x11 uint64 - var x12 uint1 - subborrowxU56(&x11, &x12, x10, (arg1[5]), 0xffffffffffffff) - var x13 uint64 - var x14 uint1 - subborrowxU56(&x13, &x14, x12, (arg1[6]), 0xffffffffffffff) - var x15 uint64 - var x16 uint1 - subborrowxU56(&x15, &x16, x14, 
(arg1[7]), 0xffffffffffffff) - var x17 uint64 - cmovznzU64(&x17, x16, uint64(0x0), 0xffffffffffffffff) - var x18 uint64 - var x19 uint1 - addcarryxU56(&x18, &x19, 0x0, x1, (x17 & 0xffffffffffffff)) - var x20 uint64 - var x21 uint1 - addcarryxU56(&x20, &x21, x19, x3, (x17 & 0xffffffffffffff)) - var x22 uint64 - var x23 uint1 - addcarryxU56(&x22, &x23, x21, x5, (x17 & 0xffffffffffffff)) - var x24 uint64 - var x25 uint1 - addcarryxU56(&x24, &x25, x23, x7, (x17 & 0xffffffffffffff)) - var x26 uint64 - var x27 uint1 - addcarryxU56(&x26, &x27, x25, x9, (x17 & 0xfffffffffffffe)) - var x28 uint64 - var x29 uint1 - addcarryxU56(&x28, &x29, x27, x11, (x17 & 0xffffffffffffff)) - var x30 uint64 - var x31 uint1 - addcarryxU56(&x30, &x31, x29, x13, (x17 & 0xffffffffffffff)) - var x32 uint64 - var x33 uint1 - addcarryxU56(&x32, &x33, x31, x15, (x17 & 0xffffffffffffff)) - var x34 uint8 = (uint8(x18) & 0xff) - var x35 uint64 = (x18 >> 8) - var x36 uint8 = (uint8(x35) & 0xff) - var x37 uint64 = (x35 >> 8) - var x38 uint8 = (uint8(x37) & 0xff) - var x39 uint64 = (x37 >> 8) - var x40 uint8 = (uint8(x39) & 0xff) - var x41 uint64 = (x39 >> 8) - var x42 uint8 = (uint8(x41) & 0xff) - var x43 uint64 = (x41 >> 8) - var x44 uint8 = (uint8(x43) & 0xff) - var x45 uint8 = uint8((x43 >> 8)) - var x46 uint8 = (uint8(x20) & 0xff) - var x47 uint64 = (x20 >> 8) - var x48 uint8 = (uint8(x47) & 0xff) - var x49 uint64 = (x47 >> 8) - var x50 uint8 = (uint8(x49) & 0xff) - var x51 uint64 = (x49 >> 8) - var x52 uint8 = (uint8(x51) & 0xff) - var x53 uint64 = (x51 >> 8) - var x54 uint8 = (uint8(x53) & 0xff) - var x55 uint64 = (x53 >> 8) - var x56 uint8 = (uint8(x55) & 0xff) - var x57 uint8 = uint8((x55 >> 8)) - var x58 uint8 = (uint8(x22) & 0xff) - var x59 uint64 = (x22 >> 8) - var x60 uint8 = (uint8(x59) & 0xff) - var x61 uint64 = (x59 >> 8) - var x62 uint8 = (uint8(x61) & 0xff) - var x63 uint64 = (x61 >> 8) - var x64 uint8 = (uint8(x63) & 0xff) - var x65 uint64 = (x63 >> 8) - var x66 uint8 = (uint8(x65) & 
0xff) - var x67 uint64 = (x65 >> 8) - var x68 uint8 = (uint8(x67) & 0xff) - var x69 uint8 = uint8((x67 >> 8)) - var x70 uint8 = (uint8(x24) & 0xff) - var x71 uint64 = (x24 >> 8) - var x72 uint8 = (uint8(x71) & 0xff) - var x73 uint64 = (x71 >> 8) - var x74 uint8 = (uint8(x73) & 0xff) - var x75 uint64 = (x73 >> 8) - var x76 uint8 = (uint8(x75) & 0xff) - var x77 uint64 = (x75 >> 8) - var x78 uint8 = (uint8(x77) & 0xff) - var x79 uint64 = (x77 >> 8) - var x80 uint8 = (uint8(x79) & 0xff) - var x81 uint8 = uint8((x79 >> 8)) - var x82 uint8 = (uint8(x26) & 0xff) - var x83 uint64 = (x26 >> 8) - var x84 uint8 = (uint8(x83) & 0xff) - var x85 uint64 = (x83 >> 8) - var x86 uint8 = (uint8(x85) & 0xff) - var x87 uint64 = (x85 >> 8) - var x88 uint8 = (uint8(x87) & 0xff) - var x89 uint64 = (x87 >> 8) - var x90 uint8 = (uint8(x89) & 0xff) - var x91 uint64 = (x89 >> 8) - var x92 uint8 = (uint8(x91) & 0xff) - var x93 uint8 = uint8((x91 >> 8)) - var x94 uint8 = (uint8(x28) & 0xff) - var x95 uint64 = (x28 >> 8) - var x96 uint8 = (uint8(x95) & 0xff) - var x97 uint64 = (x95 >> 8) - var x98 uint8 = (uint8(x97) & 0xff) - var x99 uint64 = (x97 >> 8) - var x100 uint8 = (uint8(x99) & 0xff) - var x101 uint64 = (x99 >> 8) - var x102 uint8 = (uint8(x101) & 0xff) - var x103 uint64 = (x101 >> 8) - var x104 uint8 = (uint8(x103) & 0xff) - var x105 uint8 = uint8((x103 >> 8)) - var x106 uint8 = (uint8(x30) & 0xff) - var x107 uint64 = (x30 >> 8) - var x108 uint8 = (uint8(x107) & 0xff) - var x109 uint64 = (x107 >> 8) - var x110 uint8 = (uint8(x109) & 0xff) - var x111 uint64 = (x109 >> 8) - var x112 uint8 = (uint8(x111) & 0xff) - var x113 uint64 = (x111 >> 8) - var x114 uint8 = (uint8(x113) & 0xff) - var x115 uint64 = (x113 >> 8) - var x116 uint8 = (uint8(x115) & 0xff) - var x117 uint8 = uint8((x115 >> 8)) - var x118 uint8 = (uint8(x32) & 0xff) - var x119 uint64 = (x32 >> 8) - var x120 uint8 = (uint8(x119) & 0xff) - var x121 uint64 = (x119 >> 8) - var x122 uint8 = (uint8(x121) & 0xff) - var x123 uint64 = 
(x121 >> 8) - var x124 uint8 = (uint8(x123) & 0xff) - var x125 uint64 = (x123 >> 8) - var x126 uint8 = (uint8(x125) & 0xff) - var x127 uint64 = (x125 >> 8) - var x128 uint8 = (uint8(x127) & 0xff) - var x129 uint8 = uint8((x127 >> 8)) - out1[0] = x34 - out1[1] = x36 - out1[2] = x38 - out1[3] = x40 - out1[4] = x42 - out1[5] = x44 - out1[6] = x45 - out1[7] = x46 - out1[8] = x48 - out1[9] = x50 - out1[10] = x52 - out1[11] = x54 - out1[12] = x56 - out1[13] = x57 - out1[14] = x58 - out1[15] = x60 - out1[16] = x62 - out1[17] = x64 - out1[18] = x66 - out1[19] = x68 - out1[20] = x69 - out1[21] = x70 - out1[22] = x72 - out1[23] = x74 - out1[24] = x76 - out1[25] = x78 - out1[26] = x80 - out1[27] = x81 - out1[28] = x82 - out1[29] = x84 - out1[30] = x86 - out1[31] = x88 - out1[32] = x90 - out1[33] = x92 - out1[34] = x93 - out1[35] = x94 - out1[36] = x96 - out1[37] = x98 - out1[38] = x100 - out1[39] = x102 - out1[40] = x104 - out1[41] = x105 - out1[42] = x106 - out1[43] = x108 - out1[44] = x110 - out1[45] = x112 - out1[46] = x114 - out1[47] = x116 - out1[48] = x117 - out1[49] = x118 - out1[50] = x120 - out1[51] = x122 - out1[52] = x124 - out1[53] = x126 - out1[54] = x128 - out1[55] = x129 + var x1 uint64 + var x2 uint1 + subborrowxU56(&x1, &x2, 0x0, arg1[0], 0xffffffffffffff) + var x3 uint64 + var x4 uint1 + subborrowxU56(&x3, &x4, x2, arg1[1], 0xffffffffffffff) + var x5 uint64 + var x6 uint1 + subborrowxU56(&x5, &x6, x4, arg1[2], 0xffffffffffffff) + var x7 uint64 + var x8 uint1 + subborrowxU56(&x7, &x8, x6, arg1[3], 0xffffffffffffff) + var x9 uint64 + var x10 uint1 + subborrowxU56(&x9, &x10, x8, arg1[4], 0xfffffffffffffe) + var x11 uint64 + var x12 uint1 + subborrowxU56(&x11, &x12, x10, arg1[5], 0xffffffffffffff) + var x13 uint64 + var x14 uint1 + subborrowxU56(&x13, &x14, x12, arg1[6], 0xffffffffffffff) + var x15 uint64 + var x16 uint1 + subborrowxU56(&x15, &x16, x14, arg1[7], 0xffffffffffffff) + var x17 uint64 + cmovznzU64(&x17, x16, uint64(0x0), 0xffffffffffffffff) + var x18 
uint64 + var x19 uint1 + addcarryxU56(&x18, &x19, 0x0, x1, (x17 & 0xffffffffffffff)) + var x20 uint64 + var x21 uint1 + addcarryxU56(&x20, &x21, x19, x3, (x17 & 0xffffffffffffff)) + var x22 uint64 + var x23 uint1 + addcarryxU56(&x22, &x23, x21, x5, (x17 & 0xffffffffffffff)) + var x24 uint64 + var x25 uint1 + addcarryxU56(&x24, &x25, x23, x7, (x17 & 0xffffffffffffff)) + var x26 uint64 + var x27 uint1 + addcarryxU56(&x26, &x27, x25, x9, (x17 & 0xfffffffffffffe)) + var x28 uint64 + var x29 uint1 + addcarryxU56(&x28, &x29, x27, x11, (x17 & 0xffffffffffffff)) + var x30 uint64 + var x31 uint1 + addcarryxU56(&x30, &x31, x29, x13, (x17 & 0xffffffffffffff)) + var x32 uint64 + var x33 uint1 + addcarryxU56(&x32, &x33, x31, x15, (x17 & 0xffffffffffffff)) + x34 := (uint8(x18) & 0xff) + x35 := (x18 >> 8) + x36 := (uint8(x35) & 0xff) + x37 := (x35 >> 8) + x38 := (uint8(x37) & 0xff) + x39 := (x37 >> 8) + x40 := (uint8(x39) & 0xff) + x41 := (x39 >> 8) + x42 := (uint8(x41) & 0xff) + x43 := (x41 >> 8) + x44 := (uint8(x43) & 0xff) + x45 := uint8((x43 >> 8)) + x46 := (uint8(x20) & 0xff) + x47 := (x20 >> 8) + x48 := (uint8(x47) & 0xff) + x49 := (x47 >> 8) + x50 := (uint8(x49) & 0xff) + x51 := (x49 >> 8) + x52 := (uint8(x51) & 0xff) + x53 := (x51 >> 8) + x54 := (uint8(x53) & 0xff) + x55 := (x53 >> 8) + x56 := (uint8(x55) & 0xff) + x57 := uint8((x55 >> 8)) + x58 := (uint8(x22) & 0xff) + x59 := (x22 >> 8) + x60 := (uint8(x59) & 0xff) + x61 := (x59 >> 8) + x62 := (uint8(x61) & 0xff) + x63 := (x61 >> 8) + x64 := (uint8(x63) & 0xff) + x65 := (x63 >> 8) + x66 := (uint8(x65) & 0xff) + x67 := (x65 >> 8) + x68 := (uint8(x67) & 0xff) + x69 := uint8((x67 >> 8)) + x70 := (uint8(x24) & 0xff) + x71 := (x24 >> 8) + x72 := (uint8(x71) & 0xff) + x73 := (x71 >> 8) + x74 := (uint8(x73) & 0xff) + x75 := (x73 >> 8) + x76 := (uint8(x75) & 0xff) + x77 := (x75 >> 8) + x78 := (uint8(x77) & 0xff) + x79 := (x77 >> 8) + x80 := (uint8(x79) & 0xff) + x81 := uint8((x79 >> 8)) + x82 := (uint8(x26) & 0xff) + x83 := (x26 
>> 8) + x84 := (uint8(x83) & 0xff) + x85 := (x83 >> 8) + x86 := (uint8(x85) & 0xff) + x87 := (x85 >> 8) + x88 := (uint8(x87) & 0xff) + x89 := (x87 >> 8) + x90 := (uint8(x89) & 0xff) + x91 := (x89 >> 8) + x92 := (uint8(x91) & 0xff) + x93 := uint8((x91 >> 8)) + x94 := (uint8(x28) & 0xff) + x95 := (x28 >> 8) + x96 := (uint8(x95) & 0xff) + x97 := (x95 >> 8) + x98 := (uint8(x97) & 0xff) + x99 := (x97 >> 8) + x100 := (uint8(x99) & 0xff) + x101 := (x99 >> 8) + x102 := (uint8(x101) & 0xff) + x103 := (x101 >> 8) + x104 := (uint8(x103) & 0xff) + x105 := uint8((x103 >> 8)) + x106 := (uint8(x30) & 0xff) + x107 := (x30 >> 8) + x108 := (uint8(x107) & 0xff) + x109 := (x107 >> 8) + x110 := (uint8(x109) & 0xff) + x111 := (x109 >> 8) + x112 := (uint8(x111) & 0xff) + x113 := (x111 >> 8) + x114 := (uint8(x113) & 0xff) + x115 := (x113 >> 8) + x116 := (uint8(x115) & 0xff) + x117 := uint8((x115 >> 8)) + x118 := (uint8(x32) & 0xff) + x119 := (x32 >> 8) + x120 := (uint8(x119) & 0xff) + x121 := (x119 >> 8) + x122 := (uint8(x121) & 0xff) + x123 := (x121 >> 8) + x124 := (uint8(x123) & 0xff) + x125 := (x123 >> 8) + x126 := (uint8(x125) & 0xff) + x127 := (x125 >> 8) + x128 := (uint8(x127) & 0xff) + x129 := uint8((x127 >> 8)) + out1[0] = x34 + out1[1] = x36 + out1[2] = x38 + out1[3] = x40 + out1[4] = x42 + out1[5] = x44 + out1[6] = x45 + out1[7] = x46 + out1[8] = x48 + out1[9] = x50 + out1[10] = x52 + out1[11] = x54 + out1[12] = x56 + out1[13] = x57 + out1[14] = x58 + out1[15] = x60 + out1[16] = x62 + out1[17] = x64 + out1[18] = x66 + out1[19] = x68 + out1[20] = x69 + out1[21] = x70 + out1[22] = x72 + out1[23] = x74 + out1[24] = x76 + out1[25] = x78 + out1[26] = x80 + out1[27] = x81 + out1[28] = x82 + out1[29] = x84 + out1[30] = x86 + out1[31] = x88 + out1[32] = x90 + out1[33] = x92 + out1[34] = x93 + out1[35] = x94 + out1[36] = x96 + out1[37] = x98 + out1[38] = x100 + out1[39] = x102 + out1[40] = x104 + out1[41] = x105 + out1[42] = x106 + out1[43] = x108 + out1[44] = x110 + out1[45] = x112 + 
out1[46] = x114 + out1[47] = x116 + out1[48] = x117 + out1[49] = x118 + out1[50] = x120 + out1[51] = x122 + out1[52] = x124 + out1[53] = x126 + out1[54] = x128 + out1[55] = x129 } -/* - The function FromBytes deserializes a field element from bytes in little-endian order. - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] - */ -/*inline*/ +// FromBytes deserializes a field element from bytes in little-endian order. 
+// +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000], [0x0 ~> 0x100000000000000]] func FromBytes(out1 *[8]uint64, arg1 *[56]uint8) { - var x1 uint64 = (uint64((arg1[55])) << 48) - var x2 uint64 = (uint64((arg1[54])) << 40) - var x3 uint64 = (uint64((arg1[53])) << 32) - var x4 uint64 = (uint64((arg1[52])) << 24) - var x5 uint64 = (uint64((arg1[51])) << 16) - var x6 uint64 = (uint64((arg1[50])) << 8) - var x7 uint8 = (arg1[49]) - var x8 uint64 = (uint64((arg1[48])) << 48) - var x9 uint64 = (uint64((arg1[47])) << 40) - var x10 uint64 = (uint64((arg1[46])) << 32) - var x11 uint64 = (uint64((arg1[45])) << 24) - var x12 uint64 = (uint64((arg1[44])) << 16) - var x13 uint64 = (uint64((arg1[43])) << 8) - var x14 uint8 = (arg1[42]) - var x15 uint64 = (uint64((arg1[41])) << 48) - var x16 uint64 = (uint64((arg1[40])) << 40) - var x17 uint64 = (uint64((arg1[39])) << 32) - var x18 uint64 
= (uint64((arg1[38])) << 24) - var x19 uint64 = (uint64((arg1[37])) << 16) - var x20 uint64 = (uint64((arg1[36])) << 8) - var x21 uint8 = (arg1[35]) - var x22 uint64 = (uint64((arg1[34])) << 48) - var x23 uint64 = (uint64((arg1[33])) << 40) - var x24 uint64 = (uint64((arg1[32])) << 32) - var x25 uint64 = (uint64((arg1[31])) << 24) - var x26 uint64 = (uint64((arg1[30])) << 16) - var x27 uint64 = (uint64((arg1[29])) << 8) - var x28 uint8 = (arg1[28]) - var x29 uint64 = (uint64((arg1[27])) << 48) - var x30 uint64 = (uint64((arg1[26])) << 40) - var x31 uint64 = (uint64((arg1[25])) << 32) - var x32 uint64 = (uint64((arg1[24])) << 24) - var x33 uint64 = (uint64((arg1[23])) << 16) - var x34 uint64 = (uint64((arg1[22])) << 8) - var x35 uint8 = (arg1[21]) - var x36 uint64 = (uint64((arg1[20])) << 48) - var x37 uint64 = (uint64((arg1[19])) << 40) - var x38 uint64 = (uint64((arg1[18])) << 32) - var x39 uint64 = (uint64((arg1[17])) << 24) - var x40 uint64 = (uint64((arg1[16])) << 16) - var x41 uint64 = (uint64((arg1[15])) << 8) - var x42 uint8 = (arg1[14]) - var x43 uint64 = (uint64((arg1[13])) << 48) - var x44 uint64 = (uint64((arg1[12])) << 40) - var x45 uint64 = (uint64((arg1[11])) << 32) - var x46 uint64 = (uint64((arg1[10])) << 24) - var x47 uint64 = (uint64((arg1[9])) << 16) - var x48 uint64 = (uint64((arg1[8])) << 8) - var x49 uint8 = (arg1[7]) - var x50 uint64 = (uint64((arg1[6])) << 48) - var x51 uint64 = (uint64((arg1[5])) << 40) - var x52 uint64 = (uint64((arg1[4])) << 32) - var x53 uint64 = (uint64((arg1[3])) << 24) - var x54 uint64 = (uint64((arg1[2])) << 16) - var x55 uint64 = (uint64((arg1[1])) << 8) - var x56 uint8 = (arg1[0]) - var x57 uint64 = (x55 + uint64(x56)) - var x58 uint64 = (x54 + x57) - var x59 uint64 = (x53 + x58) - var x60 uint64 = (x52 + x59) - var x61 uint64 = (x51 + x60) - var x62 uint64 = (x50 + x61) - var x63 uint64 = (x48 + uint64(x49)) - var x64 uint64 = (x47 + x63) - var x65 uint64 = (x46 + x64) - var x66 uint64 = (x45 + x65) - var x67 
uint64 = (x44 + x66) - var x68 uint64 = (x43 + x67) - var x69 uint64 = (x41 + uint64(x42)) - var x70 uint64 = (x40 + x69) - var x71 uint64 = (x39 + x70) - var x72 uint64 = (x38 + x71) - var x73 uint64 = (x37 + x72) - var x74 uint64 = (x36 + x73) - var x75 uint64 = (x34 + uint64(x35)) - var x76 uint64 = (x33 + x75) - var x77 uint64 = (x32 + x76) - var x78 uint64 = (x31 + x77) - var x79 uint64 = (x30 + x78) - var x80 uint64 = (x29 + x79) - var x81 uint64 = (x27 + uint64(x28)) - var x82 uint64 = (x26 + x81) - var x83 uint64 = (x25 + x82) - var x84 uint64 = (x24 + x83) - var x85 uint64 = (x23 + x84) - var x86 uint64 = (x22 + x85) - var x87 uint64 = (x20 + uint64(x21)) - var x88 uint64 = (x19 + x87) - var x89 uint64 = (x18 + x88) - var x90 uint64 = (x17 + x89) - var x91 uint64 = (x16 + x90) - var x92 uint64 = (x15 + x91) - var x93 uint64 = (x13 + uint64(x14)) - var x94 uint64 = (x12 + x93) - var x95 uint64 = (x11 + x94) - var x96 uint64 = (x10 + x95) - var x97 uint64 = (x9 + x96) - var x98 uint64 = (x8 + x97) - var x99 uint64 = (x6 + uint64(x7)) - var x100 uint64 = (x5 + x99) - var x101 uint64 = (x4 + x100) - var x102 uint64 = (x3 + x101) - var x103 uint64 = (x2 + x102) - var x104 uint64 = (x1 + x103) - out1[0] = x62 - out1[1] = x68 - out1[2] = x74 - out1[3] = x80 - out1[4] = x86 - out1[5] = x92 - out1[6] = x98 - out1[7] = x104 + x1 := (uint64(arg1[55]) << 48) + x2 := (uint64(arg1[54]) << 40) + x3 := (uint64(arg1[53]) << 32) + x4 := (uint64(arg1[52]) << 24) + x5 := (uint64(arg1[51]) << 16) + x6 := (uint64(arg1[50]) << 8) + x7 := arg1[49] + x8 := (uint64(arg1[48]) << 48) + x9 := (uint64(arg1[47]) << 40) + x10 := (uint64(arg1[46]) << 32) + x11 := (uint64(arg1[45]) << 24) + x12 := (uint64(arg1[44]) << 16) + x13 := (uint64(arg1[43]) << 8) + x14 := arg1[42] + x15 := (uint64(arg1[41]) << 48) + x16 := (uint64(arg1[40]) << 40) + x17 := (uint64(arg1[39]) << 32) + x18 := (uint64(arg1[38]) << 24) + x19 := (uint64(arg1[37]) << 16) + x20 := (uint64(arg1[36]) << 8) + x21 := arg1[35] 
+ x22 := (uint64(arg1[34]) << 48) + x23 := (uint64(arg1[33]) << 40) + x24 := (uint64(arg1[32]) << 32) + x25 := (uint64(arg1[31]) << 24) + x26 := (uint64(arg1[30]) << 16) + x27 := (uint64(arg1[29]) << 8) + x28 := arg1[28] + x29 := (uint64(arg1[27]) << 48) + x30 := (uint64(arg1[26]) << 40) + x31 := (uint64(arg1[25]) << 32) + x32 := (uint64(arg1[24]) << 24) + x33 := (uint64(arg1[23]) << 16) + x34 := (uint64(arg1[22]) << 8) + x35 := arg1[21] + x36 := (uint64(arg1[20]) << 48) + x37 := (uint64(arg1[19]) << 40) + x38 := (uint64(arg1[18]) << 32) + x39 := (uint64(arg1[17]) << 24) + x40 := (uint64(arg1[16]) << 16) + x41 := (uint64(arg1[15]) << 8) + x42 := arg1[14] + x43 := (uint64(arg1[13]) << 48) + x44 := (uint64(arg1[12]) << 40) + x45 := (uint64(arg1[11]) << 32) + x46 := (uint64(arg1[10]) << 24) + x47 := (uint64(arg1[9]) << 16) + x48 := (uint64(arg1[8]) << 8) + x49 := arg1[7] + x50 := (uint64(arg1[6]) << 48) + x51 := (uint64(arg1[5]) << 40) + x52 := (uint64(arg1[4]) << 32) + x53 := (uint64(arg1[3]) << 24) + x54 := (uint64(arg1[2]) << 16) + x55 := (uint64(arg1[1]) << 8) + x56 := arg1[0] + x57 := (x55 + uint64(x56)) + x58 := (x54 + x57) + x59 := (x53 + x58) + x60 := (x52 + x59) + x61 := (x51 + x60) + x62 := (x50 + x61) + x63 := (x48 + uint64(x49)) + x64 := (x47 + x63) + x65 := (x46 + x64) + x66 := (x45 + x65) + x67 := (x44 + x66) + x68 := (x43 + x67) + x69 := (x41 + uint64(x42)) + x70 := (x40 + x69) + x71 := (x39 + x70) + x72 := (x38 + x71) + x73 := (x37 + x72) + x74 := (x36 + x73) + x75 := (x34 + uint64(x35)) + x76 := (x33 + x75) + x77 := (x32 + x76) + x78 := (x31 + x77) + x79 := (x30 + x78) + x80 := (x29 + x79) + x81 := (x27 + uint64(x28)) + x82 := (x26 + x81) + x83 := (x25 + x82) + x84 := (x24 + x83) + x85 := (x23 + x84) + x86 := (x22 + x85) + x87 := (x20 + uint64(x21)) + x88 := (x19 + x87) + x89 := (x18 + x88) + x90 := (x17 + x89) + x91 := (x16 + x90) + x92 := (x15 + x91) + x93 := (x13 + uint64(x14)) + x94 := (x12 + x93) + x95 := (x11 + x94) + x96 := (x10 + x95) + x97 := 
(x9 + x96) + x98 := (x8 + x97) + x99 := (x6 + uint64(x7)) + x100 := (x5 + x99) + x101 := (x4 + x100) + x102 := (x3 + x101) + x103 := (x2 + x102) + x104 := (x1 + x103) + out1[0] = x62 + out1[1] = x68 + out1[2] = x74 + out1[3] = x80 + out1[4] = x86 + out1[5] = x92 + out1[6] = x98 + out1[7] = x104 }
-
diff --git a/fiat-go/64/p521/p521.go b/fiat-go/64/p521/p521.go
index a96493a8de8..61da0793592 100644
--- a/fiat-go/64/p521/p521.go
+++ b/fiat-go/64/p521/p521.go
@@ -1,1918 +1,1885 @@ -/* - Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name p521 '' 64 9 '2^521 - 1' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes - - curve description (via package name): p521 - - machine_wordsize = 64 (from "64") - - requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes - - n = 9 (from "9") - - s-c = 2^521 - [(1, 1)] (from "2^521 - 1") - - tight_bounds_multiplier = 1 (from "") - - - - Computed values: - - carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] - - eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 
0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) - - balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --doc-text-before-function-name '' --package-name p521 '' 64 9 '2^521 - 1' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes +// +// curve description (via package name): p521 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes +// +// n = 9 (from "9") +// +// s-c = 2^521 - [(1, 1)] (from "2^521 - 1") +// +// tight_bounds_multiplier = 1 (from "") +// +// +// +// Computed values: +// +// carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] +// +// eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 
248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) +// +// balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] package p521 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function addcarryxU58 is an addition with carry. 
- Postconditions: - out1 = (arg1 + arg2 + arg3) mod 2^58 - out2 = ⌊(arg1 + arg2 + arg3) / 2^58⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x3ffffffffffffff] - arg3: [0x0 ~> 0x3ffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0x3ffffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// addcarryxU58 is an addition with carry. +// +// Postconditions: +// out1 = (arg1 + arg2 + arg3) mod 2^58 +// out2 = ⌊(arg1 + arg2 + arg3) / 2^58⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x3ffffffffffffff] +// arg3: [0x0 ~> 0x3ffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x3ffffffffffffff] +// out2: [0x0 ~> 0x1] func addcarryxU58(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = ((uint64(arg1) + arg2) + arg3) - var x2 uint64 = (x1 & 0x3ffffffffffffff) - var x3 uint1 = uint1((x1 >> 58)) - *out1 = x2 - *out2 = x3 + x1 := ((uint64(arg1) + arg2) + arg3) + x2 := (x1 & 0x3ffffffffffffff) + x3 := uint1((x1 >> 58)) + *out1 = x2 + *out2 = x3 } -/* - The function subborrowxU58 is a subtraction with borrow. - Postconditions: - out1 = (-arg1 + arg2 + -arg3) mod 2^58 - out2 = -⌊(-arg1 + arg2 + -arg3) / 2^58⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x3ffffffffffffff] - arg3: [0x0 ~> 0x3ffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0x3ffffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// subborrowxU58 is a subtraction with borrow. 
+// +// Postconditions: +// out1 = (-arg1 + arg2 + -arg3) mod 2^58 +// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^58⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x3ffffffffffffff] +// arg3: [0x0 ~> 0x3ffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x3ffffffffffffff] +// out2: [0x0 ~> 0x1] func subborrowxU58(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 int64 = ((int64(arg2) - int64(arg1)) - int64(arg3)) - var x2 int1 = int1((x1 >> 58)) - var x3 uint64 = (uint64(x1) & 0x3ffffffffffffff) - *out1 = x3 - *out2 = (0x0 - uint1(x2)) + x1 := ((int64(arg2) - int64(arg1)) - int64(arg3)) + x2 := int1((x1 >> 58)) + x3 := (uint64(x1) & 0x3ffffffffffffff) + *out1 = x3 + *out2 = (0x0 - uint1(x2)) } -/* - The function addcarryxU57 is an addition with carry. - Postconditions: - out1 = (arg1 + arg2 + arg3) mod 2^57 - out2 = ⌊(arg1 + arg2 + arg3) / 2^57⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x1ffffffffffffff] - arg3: [0x0 ~> 0x1ffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0x1ffffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// addcarryxU57 is an addition with carry. +// +// Postconditions: +// out1 = (arg1 + arg2 + arg3) mod 2^57 +// out2 = ⌊(arg1 + arg2 + arg3) / 2^57⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x1ffffffffffffff] +// arg3: [0x0 ~> 0x1ffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x1ffffffffffffff] +// out2: [0x0 ~> 0x1] func addcarryxU57(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = ((uint64(arg1) + arg2) + arg3) - var x2 uint64 = (x1 & 0x1ffffffffffffff) - var x3 uint1 = uint1((x1 >> 57)) - *out1 = x2 - *out2 = x3 + x1 := ((uint64(arg1) + arg2) + arg3) + x2 := (x1 & 0x1ffffffffffffff) + x3 := uint1((x1 >> 57)) + *out1 = x2 + *out2 = x3 } -/* - The function subborrowxU57 is a subtraction with borrow. 
- Postconditions: - out1 = (-arg1 + arg2 + -arg3) mod 2^57 - out2 = -⌊(-arg1 + arg2 + -arg3) / 2^57⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x1ffffffffffffff] - arg3: [0x0 ~> 0x1ffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0x1ffffffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// subborrowxU57 is a subtraction with borrow. +// +// Postconditions: +// out1 = (-arg1 + arg2 + -arg3) mod 2^57 +// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^57⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x1ffffffffffffff] +// arg3: [0x0 ~> 0x1ffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x1ffffffffffffff] +// out2: [0x0 ~> 0x1] func subborrowxU57(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 int64 = ((int64(arg2) - int64(arg1)) - int64(arg3)) - var x2 int1 = int1((x1 >> 57)) - var x3 uint64 = (uint64(x1) & 0x1ffffffffffffff) - *out1 = x3 - *out2 = (0x0 - uint1(x2)) + x1 := ((int64(arg2) - int64(arg1)) - int64(arg3)) + x2 := int1((x1 >> 57)) + x3 := (uint64(x1) & 0x1ffffffffffffff) + *out1 = x3 + *out2 = (0x0 - uint1(x2)) } -/* - The function cmovznzU64 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. 
+// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function CarryMul multiplies two field elements and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] - arg2: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - */ -/*inline*/ +// CarryMul multiplies two field elements and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] +// arg2: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] func CarryMul(out1 *[9]uint64, arg1 *[9]uint64, arg2 *[9]uint64) { - var x1 uint64 - var x2 uint64 - x2, x1 = bits.Mul64((arg1[8]), ((arg2[8]) * 0x2)) - var x3 uint64 - var x4 uint64 - x4, x3 = bits.Mul64((arg1[8]), ((arg2[7]) * 0x2)) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64((arg1[8]), ((arg2[6]) * 0x2)) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64((arg1[8]), ((arg2[5]) * 0x2)) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64((arg1[8]), ((arg2[4]) * 0x2)) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64((arg1[8]), ((arg2[3]) * 0x2)) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64((arg1[8]), ((arg2[2]) * 0x2)) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64((arg1[8]), ((arg2[1]) * 0x2)) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64((arg1[7]), ((arg2[8]) * 0x2)) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64((arg1[7]), ((arg2[7]) * 0x2)) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64((arg1[7]), ((arg2[6]) * 0x2)) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64((arg1[7]), 
((arg2[5]) * 0x2)) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64((arg1[7]), ((arg2[4]) * 0x2)) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64((arg1[7]), ((arg2[3]) * 0x2)) - var x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64((arg1[7]), ((arg2[2]) * 0x2)) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64((arg1[6]), ((arg2[8]) * 0x2)) - var x33 uint64 - var x34 uint64 - x34, x33 = bits.Mul64((arg1[6]), ((arg2[7]) * 0x2)) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64((arg1[6]), ((arg2[6]) * 0x2)) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64((arg1[6]), ((arg2[5]) * 0x2)) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64((arg1[6]), ((arg2[4]) * 0x2)) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64((arg1[6]), ((arg2[3]) * 0x2)) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64((arg1[5]), ((arg2[8]) * 0x2)) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64((arg1[5]), ((arg2[7]) * 0x2)) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64((arg1[5]), ((arg2[6]) * 0x2)) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64((arg1[5]), ((arg2[5]) * 0x2)) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64((arg1[5]), ((arg2[4]) * 0x2)) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64((arg1[4]), ((arg2[8]) * 0x2)) - var x55 uint64 - var x56 uint64 - x56, x55 = bits.Mul64((arg1[4]), ((arg2[7]) * 0x2)) - var x57 uint64 - var x58 uint64 - x58, x57 = bits.Mul64((arg1[4]), ((arg2[6]) * 0x2)) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64((arg1[4]), ((arg2[5]) * 0x2)) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64((arg1[3]), ((arg2[8]) * 0x2)) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64((arg1[3]), ((arg2[7]) * 0x2)) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64((arg1[3]), ((arg2[6]) * 0x2)) - var x67 uint64 - var x68 uint64 - x68, x67 = bits.Mul64((arg1[2]), ((arg2[8]) * 0x2)) - var x69 uint64 - var x70 uint64 - x70, x69 
= bits.Mul64((arg1[2]), ((arg2[7]) * 0x2)) - var x71 uint64 - var x72 uint64 - x72, x71 = bits.Mul64((arg1[1]), ((arg2[8]) * 0x2)) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64((arg1[8]), (arg2[0])) - var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64((arg1[7]), (arg2[1])) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64((arg1[7]), (arg2[0])) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64((arg1[6]), (arg2[2])) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64((arg1[6]), (arg2[1])) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64((arg1[6]), (arg2[0])) - var x85 uint64 - var x86 uint64 - x86, x85 = bits.Mul64((arg1[5]), (arg2[3])) - var x87 uint64 - var x88 uint64 - x88, x87 = bits.Mul64((arg1[5]), (arg2[2])) - var x89 uint64 - var x90 uint64 - x90, x89 = bits.Mul64((arg1[5]), (arg2[1])) - var x91 uint64 - var x92 uint64 - x92, x91 = bits.Mul64((arg1[5]), (arg2[0])) - var x93 uint64 - var x94 uint64 - x94, x93 = bits.Mul64((arg1[4]), (arg2[4])) - var x95 uint64 - var x96 uint64 - x96, x95 = bits.Mul64((arg1[4]), (arg2[3])) - var x97 uint64 - var x98 uint64 - x98, x97 = bits.Mul64((arg1[4]), (arg2[2])) - var x99 uint64 - var x100 uint64 - x100, x99 = bits.Mul64((arg1[4]), (arg2[1])) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64((arg1[4]), (arg2[0])) - var x103 uint64 - var x104 uint64 - x104, x103 = bits.Mul64((arg1[3]), (arg2[5])) - var x105 uint64 - var x106 uint64 - x106, x105 = bits.Mul64((arg1[3]), (arg2[4])) - var x107 uint64 - var x108 uint64 - x108, x107 = bits.Mul64((arg1[3]), (arg2[3])) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64((arg1[3]), (arg2[2])) - var x111 uint64 - var x112 uint64 - x112, x111 = bits.Mul64((arg1[3]), (arg2[1])) - var x113 uint64 - var x114 uint64 - x114, x113 = bits.Mul64((arg1[3]), (arg2[0])) - var x115 uint64 - var x116 uint64 - x116, x115 = bits.Mul64((arg1[2]), (arg2[6])) - var x117 uint64 - var x118 uint64 - x118, x117 = bits.Mul64((arg1[2]), 
(arg2[5])) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64((arg1[2]), (arg2[4])) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64((arg1[2]), (arg2[3])) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64((arg1[2]), (arg2[2])) - var x125 uint64 - var x126 uint64 - x126, x125 = bits.Mul64((arg1[2]), (arg2[1])) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64((arg1[2]), (arg2[0])) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64((arg1[1]), (arg2[7])) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64((arg1[1]), (arg2[6])) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64((arg1[1]), (arg2[5])) - var x135 uint64 - var x136 uint64 - x136, x135 = bits.Mul64((arg1[1]), (arg2[4])) - var x137 uint64 - var x138 uint64 - x138, x137 = bits.Mul64((arg1[1]), (arg2[3])) - var x139 uint64 - var x140 uint64 - x140, x139 = bits.Mul64((arg1[1]), (arg2[2])) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64((arg1[1]), (arg2[1])) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64((arg1[1]), (arg2[0])) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64((arg1[0]), (arg2[8])) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64((arg1[0]), (arg2[7])) - var x149 uint64 - var x150 uint64 - x150, x149 = bits.Mul64((arg1[0]), (arg2[6])) - var x151 uint64 - var x152 uint64 - x152, x151 = bits.Mul64((arg1[0]), (arg2[5])) - var x153 uint64 - var x154 uint64 - x154, x153 = bits.Mul64((arg1[0]), (arg2[4])) - var x155 uint64 - var x156 uint64 - x156, x155 = bits.Mul64((arg1[0]), (arg2[3])) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64((arg1[0]), (arg2[2])) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64((arg1[0]), (arg2[1])) - var x161 uint64 - var x162 uint64 - x162, x161 = bits.Mul64((arg1[0]), (arg2[0])) - var x163 uint64 - var x164 uint1 - x163, x164 = addcarryxU64(x29, x15, 0x0) - var x165 uint64 - x165, _ = addcarryxU64(x30, x16, x164) - 
var x167 uint64 - var x168 uint1 - x167, x168 = addcarryxU64(x41, x163, 0x0) - var x169 uint64 - x169, _ = addcarryxU64(x42, x165, x168) - var x171 uint64 - var x172 uint1 - x171, x172 = addcarryxU64(x51, x167, 0x0) - var x173 uint64 - x173, _ = addcarryxU64(x52, x169, x172) - var x175 uint64 - var x176 uint1 - x175, x176 = addcarryxU64(x59, x171, 0x0) - var x177 uint64 - x177, _ = addcarryxU64(x60, x173, x176) - var x179 uint64 - var x180 uint1 - x179, x180 = addcarryxU64(x65, x175, 0x0) - var x181 uint64 - x181, _ = addcarryxU64(x66, x177, x180) - var x183 uint64 - var x184 uint1 - x183, x184 = addcarryxU64(x69, x179, 0x0) - var x185 uint64 - x185, _ = addcarryxU64(x70, x181, x184) - var x187 uint64 - var x188 uint1 - x187, x188 = addcarryxU64(x71, x183, 0x0) - var x189 uint64 - x189, _ = addcarryxU64(x72, x185, x188) - var x191 uint64 - var x192 uint1 - x191, x192 = addcarryxU64(x161, x187, 0x0) - var x193 uint64 - x193, _ = addcarryxU64(x162, x189, x192) - var x195 uint64 = ((x191 >> 58) | ((x193 << 6) & 0xffffffffffffffff)) - var x196 uint64 = (x193 >> 58) - var x197 uint64 = (x191 & 0x3ffffffffffffff) - var x198 uint64 - var x199 uint1 - x198, x199 = addcarryxU64(x75, x73, 0x0) - var x200 uint64 - x200, _ = addcarryxU64(x76, x74, x199) - var x202 uint64 - var x203 uint1 - x202, x203 = addcarryxU64(x79, x198, 0x0) - var x204 uint64 - x204, _ = addcarryxU64(x80, x200, x203) - var x206 uint64 - var x207 uint1 - x206, x207 = addcarryxU64(x85, x202, 0x0) - var x208 uint64 - x208, _ = addcarryxU64(x86, x204, x207) - var x210 uint64 - var x211 uint1 - x210, x211 = addcarryxU64(x93, x206, 0x0) - var x212 uint64 - x212, _ = addcarryxU64(x94, x208, x211) - var x214 uint64 - var x215 uint1 - x214, x215 = addcarryxU64(x103, x210, 0x0) - var x216 uint64 - x216, _ = addcarryxU64(x104, x212, x215) - var x218 uint64 - var x219 uint1 - x218, x219 = addcarryxU64(x115, x214, 0x0) - var x220 uint64 - x220, _ = addcarryxU64(x116, x216, x219) - var x222 uint64 - var x223 uint1 - 
x222, x223 = addcarryxU64(x129, x218, 0x0) - var x224 uint64 - x224, _ = addcarryxU64(x130, x220, x223) - var x226 uint64 - var x227 uint1 - x226, x227 = addcarryxU64(x145, x222, 0x0) - var x228 uint64 - x228, _ = addcarryxU64(x146, x224, x227) - var x230 uint64 - var x231 uint1 - x230, x231 = addcarryxU64(x77, x1, 0x0) - var x232 uint64 - x232, _ = addcarryxU64(x78, x2, x231) - var x234 uint64 - var x235 uint1 - x234, x235 = addcarryxU64(x81, x230, 0x0) - var x236 uint64 - x236, _ = addcarryxU64(x82, x232, x235) - var x238 uint64 - var x239 uint1 - x238, x239 = addcarryxU64(x87, x234, 0x0) - var x240 uint64 - x240, _ = addcarryxU64(x88, x236, x239) - var x242 uint64 - var x243 uint1 - x242, x243 = addcarryxU64(x95, x238, 0x0) - var x244 uint64 - x244, _ = addcarryxU64(x96, x240, x243) - var x246 uint64 - var x247 uint1 - x246, x247 = addcarryxU64(x105, x242, 0x0) - var x248 uint64 - x248, _ = addcarryxU64(x106, x244, x247) - var x250 uint64 - var x251 uint1 - x250, x251 = addcarryxU64(x117, x246, 0x0) - var x252 uint64 - x252, _ = addcarryxU64(x118, x248, x251) - var x254 uint64 - var x255 uint1 - x254, x255 = addcarryxU64(x131, x250, 0x0) - var x256 uint64 - x256, _ = addcarryxU64(x132, x252, x255) - var x258 uint64 - var x259 uint1 - x258, x259 = addcarryxU64(x147, x254, 0x0) - var x260 uint64 - x260, _ = addcarryxU64(x148, x256, x259) - var x262 uint64 - var x263 uint1 - x262, x263 = addcarryxU64(x17, x3, 0x0) - var x264 uint64 - x264, _ = addcarryxU64(x18, x4, x263) - var x266 uint64 - var x267 uint1 - x266, x267 = addcarryxU64(x83, x262, 0x0) - var x268 uint64 - x268, _ = addcarryxU64(x84, x264, x267) - var x270 uint64 - var x271 uint1 - x270, x271 = addcarryxU64(x89, x266, 0x0) - var x272 uint64 - x272, _ = addcarryxU64(x90, x268, x271) - var x274 uint64 - var x275 uint1 - x274, x275 = addcarryxU64(x97, x270, 0x0) - var x276 uint64 - x276, _ = addcarryxU64(x98, x272, x275) - var x278 uint64 - var x279 uint1 - x278, x279 = addcarryxU64(x107, x274, 0x0) - var 
x280 uint64 - x280, _ = addcarryxU64(x108, x276, x279) - var x282 uint64 - var x283 uint1 - x282, x283 = addcarryxU64(x119, x278, 0x0) - var x284 uint64 - x284, _ = addcarryxU64(x120, x280, x283) - var x286 uint64 - var x287 uint1 - x286, x287 = addcarryxU64(x133, x282, 0x0) - var x288 uint64 - x288, _ = addcarryxU64(x134, x284, x287) - var x290 uint64 - var x291 uint1 - x290, x291 = addcarryxU64(x149, x286, 0x0) - var x292 uint64 - x292, _ = addcarryxU64(x150, x288, x291) - var x294 uint64 - var x295 uint1 - x294, x295 = addcarryxU64(x19, x5, 0x0) - var x296 uint64 - x296, _ = addcarryxU64(x20, x6, x295) - var x298 uint64 - var x299 uint1 - x298, x299 = addcarryxU64(x31, x294, 0x0) - var x300 uint64 - x300, _ = addcarryxU64(x32, x296, x299) - var x302 uint64 - var x303 uint1 - x302, x303 = addcarryxU64(x91, x298, 0x0) - var x304 uint64 - x304, _ = addcarryxU64(x92, x300, x303) - var x306 uint64 - var x307 uint1 - x306, x307 = addcarryxU64(x99, x302, 0x0) - var x308 uint64 - x308, _ = addcarryxU64(x100, x304, x307) - var x310 uint64 - var x311 uint1 - x310, x311 = addcarryxU64(x109, x306, 0x0) - var x312 uint64 - x312, _ = addcarryxU64(x110, x308, x311) - var x314 uint64 - var x315 uint1 - x314, x315 = addcarryxU64(x121, x310, 0x0) - var x316 uint64 - x316, _ = addcarryxU64(x122, x312, x315) - var x318 uint64 - var x319 uint1 - x318, x319 = addcarryxU64(x135, x314, 0x0) - var x320 uint64 - x320, _ = addcarryxU64(x136, x316, x319) - var x322 uint64 - var x323 uint1 - x322, x323 = addcarryxU64(x151, x318, 0x0) - var x324 uint64 - x324, _ = addcarryxU64(x152, x320, x323) - var x326 uint64 - var x327 uint1 - x326, x327 = addcarryxU64(x21, x7, 0x0) - var x328 uint64 - x328, _ = addcarryxU64(x22, x8, x327) - var x330 uint64 - var x331 uint1 - x330, x331 = addcarryxU64(x33, x326, 0x0) - var x332 uint64 - x332, _ = addcarryxU64(x34, x328, x331) - var x334 uint64 - var x335 uint1 - x334, x335 = addcarryxU64(x43, x330, 0x0) - var x336 uint64 - x336, _ = addcarryxU64(x44, 
x332, x335) - var x338 uint64 - var x339 uint1 - x338, x339 = addcarryxU64(x101, x334, 0x0) - var x340 uint64 - x340, _ = addcarryxU64(x102, x336, x339) - var x342 uint64 - var x343 uint1 - x342, x343 = addcarryxU64(x111, x338, 0x0) - var x344 uint64 - x344, _ = addcarryxU64(x112, x340, x343) - var x346 uint64 - var x347 uint1 - x346, x347 = addcarryxU64(x123, x342, 0x0) - var x348 uint64 - x348, _ = addcarryxU64(x124, x344, x347) - var x350 uint64 - var x351 uint1 - x350, x351 = addcarryxU64(x137, x346, 0x0) - var x352 uint64 - x352, _ = addcarryxU64(x138, x348, x351) - var x354 uint64 - var x355 uint1 - x354, x355 = addcarryxU64(x153, x350, 0x0) - var x356 uint64 - x356, _ = addcarryxU64(x154, x352, x355) - var x358 uint64 - var x359 uint1 - x358, x359 = addcarryxU64(x23, x9, 0x0) - var x360 uint64 - x360, _ = addcarryxU64(x24, x10, x359) - var x362 uint64 - var x363 uint1 - x362, x363 = addcarryxU64(x35, x358, 0x0) - var x364 uint64 - x364, _ = addcarryxU64(x36, x360, x363) - var x366 uint64 - var x367 uint1 - x366, x367 = addcarryxU64(x45, x362, 0x0) - var x368 uint64 - x368, _ = addcarryxU64(x46, x364, x367) - var x370 uint64 - var x371 uint1 - x370, x371 = addcarryxU64(x53, x366, 0x0) - var x372 uint64 - x372, _ = addcarryxU64(x54, x368, x371) - var x374 uint64 - var x375 uint1 - x374, x375 = addcarryxU64(x113, x370, 0x0) - var x376 uint64 - x376, _ = addcarryxU64(x114, x372, x375) - var x378 uint64 - var x379 uint1 - x378, x379 = addcarryxU64(x125, x374, 0x0) - var x380 uint64 - x380, _ = addcarryxU64(x126, x376, x379) - var x382 uint64 - var x383 uint1 - x382, x383 = addcarryxU64(x139, x378, 0x0) - var x384 uint64 - x384, _ = addcarryxU64(x140, x380, x383) - var x386 uint64 - var x387 uint1 - x386, x387 = addcarryxU64(x155, x382, 0x0) - var x388 uint64 - x388, _ = addcarryxU64(x156, x384, x387) - var x390 uint64 - var x391 uint1 - x390, x391 = addcarryxU64(x25, x11, 0x0) - var x392 uint64 - x392, _ = addcarryxU64(x26, x12, x391) - var x394 uint64 - var x395 
uint1 - x394, x395 = addcarryxU64(x37, x390, 0x0) - var x396 uint64 - x396, _ = addcarryxU64(x38, x392, x395) - var x398 uint64 - var x399 uint1 - x398, x399 = addcarryxU64(x47, x394, 0x0) - var x400 uint64 - x400, _ = addcarryxU64(x48, x396, x399) - var x402 uint64 - var x403 uint1 - x402, x403 = addcarryxU64(x55, x398, 0x0) - var x404 uint64 - x404, _ = addcarryxU64(x56, x400, x403) - var x406 uint64 - var x407 uint1 - x406, x407 = addcarryxU64(x61, x402, 0x0) - var x408 uint64 - x408, _ = addcarryxU64(x62, x404, x407) - var x410 uint64 - var x411 uint1 - x410, x411 = addcarryxU64(x127, x406, 0x0) - var x412 uint64 - x412, _ = addcarryxU64(x128, x408, x411) - var x414 uint64 - var x415 uint1 - x414, x415 = addcarryxU64(x141, x410, 0x0) - var x416 uint64 - x416, _ = addcarryxU64(x142, x412, x415) - var x418 uint64 - var x419 uint1 - x418, x419 = addcarryxU64(x157, x414, 0x0) - var x420 uint64 - x420, _ = addcarryxU64(x158, x416, x419) - var x422 uint64 - var x423 uint1 - x422, x423 = addcarryxU64(x27, x13, 0x0) - var x424 uint64 - x424, _ = addcarryxU64(x28, x14, x423) - var x426 uint64 - var x427 uint1 - x426, x427 = addcarryxU64(x39, x422, 0x0) - var x428 uint64 - x428, _ = addcarryxU64(x40, x424, x427) - var x430 uint64 - var x431 uint1 - x430, x431 = addcarryxU64(x49, x426, 0x0) - var x432 uint64 - x432, _ = addcarryxU64(x50, x428, x431) - var x434 uint64 - var x435 uint1 - x434, x435 = addcarryxU64(x57, x430, 0x0) - var x436 uint64 - x436, _ = addcarryxU64(x58, x432, x435) - var x438 uint64 - var x439 uint1 - x438, x439 = addcarryxU64(x63, x434, 0x0) - var x440 uint64 - x440, _ = addcarryxU64(x64, x436, x439) - var x442 uint64 - var x443 uint1 - x442, x443 = addcarryxU64(x67, x438, 0x0) - var x444 uint64 - x444, _ = addcarryxU64(x68, x440, x443) - var x446 uint64 - var x447 uint1 - x446, x447 = addcarryxU64(x143, x442, 0x0) - var x448 uint64 - x448, _ = addcarryxU64(x144, x444, x447) - var x450 uint64 - var x451 uint1 - x450, x451 = addcarryxU64(x159, x446, 
0x0) - var x452 uint64 - x452, _ = addcarryxU64(x160, x448, x451) - var x454 uint64 - var x455 uint1 - x454, x455 = addcarryxU64(x195, x450, 0x0) - var x456 uint64 - x456, _ = addcarryxU64(x196, x452, x455) - var x458 uint64 = ((x454 >> 58) | ((x456 << 6) & 0xffffffffffffffff)) - var x459 uint64 = (x456 >> 58) - var x460 uint64 = (x454 & 0x3ffffffffffffff) - var x461 uint64 - var x462 uint1 - x461, x462 = addcarryxU64(x458, x418, 0x0) - var x463 uint64 - x463, _ = addcarryxU64(x459, x420, x462) - var x465 uint64 = ((x461 >> 58) | ((x463 << 6) & 0xffffffffffffffff)) - var x466 uint64 = (x463 >> 58) - var x467 uint64 = (x461 & 0x3ffffffffffffff) - var x468 uint64 - var x469 uint1 - x468, x469 = addcarryxU64(x465, x386, 0x0) - var x470 uint64 - x470, _ = addcarryxU64(x466, x388, x469) - var x472 uint64 = ((x468 >> 58) | ((x470 << 6) & 0xffffffffffffffff)) - var x473 uint64 = (x470 >> 58) - var x474 uint64 = (x468 & 0x3ffffffffffffff) - var x475 uint64 - var x476 uint1 - x475, x476 = addcarryxU64(x472, x354, 0x0) - var x477 uint64 - x477, _ = addcarryxU64(x473, x356, x476) - var x479 uint64 = ((x475 >> 58) | ((x477 << 6) & 0xffffffffffffffff)) - var x480 uint64 = (x477 >> 58) - var x481 uint64 = (x475 & 0x3ffffffffffffff) - var x482 uint64 - var x483 uint1 - x482, x483 = addcarryxU64(x479, x322, 0x0) - var x484 uint64 - x484, _ = addcarryxU64(x480, x324, x483) - var x486 uint64 = ((x482 >> 58) | ((x484 << 6) & 0xffffffffffffffff)) - var x487 uint64 = (x484 >> 58) - var x488 uint64 = (x482 & 0x3ffffffffffffff) - var x489 uint64 - var x490 uint1 - x489, x490 = addcarryxU64(x486, x290, 0x0) - var x491 uint64 - x491, _ = addcarryxU64(x487, x292, x490) - var x493 uint64 = ((x489 >> 58) | ((x491 << 6) & 0xffffffffffffffff)) - var x494 uint64 = (x491 >> 58) - var x495 uint64 = (x489 & 0x3ffffffffffffff) - var x496 uint64 - var x497 uint1 - x496, x497 = addcarryxU64(x493, x258, 0x0) - var x498 uint64 - x498, _ = addcarryxU64(x494, x260, x497) - var x500 uint64 = ((x496 >> 58) 
| ((x498 << 6) & 0xffffffffffffffff)) - var x501 uint64 = (x498 >> 58) - var x502 uint64 = (x496 & 0x3ffffffffffffff) - var x503 uint64 - var x504 uint1 - x503, x504 = addcarryxU64(x500, x226, 0x0) - var x505 uint64 - x505, _ = addcarryxU64(x501, x228, x504) - var x507 uint64 = ((x503 >> 57) | ((x505 << 7) & 0xffffffffffffffff)) - var x508 uint64 = (x505 >> 57) - var x509 uint64 = (x503 & 0x1ffffffffffffff) - var x510 uint64 - var x511 uint1 - x510, x511 = addcarryxU64(x197, x507, 0x0) - var x512 uint64 = (uint64(x511) + x508) - var x513 uint64 = ((x510 >> 58) | ((x512 << 6) & 0xffffffffffffffff)) - var x514 uint64 = (x510 & 0x3ffffffffffffff) - var x515 uint64 = (x513 + x460) - var x516 uint1 = uint1((x515 >> 58)) - var x517 uint64 = (x515 & 0x3ffffffffffffff) - var x518 uint64 = (uint64(x516) + x467) - out1[0] = x514 - out1[1] = x517 - out1[2] = x518 - out1[3] = x474 - out1[4] = x481 - out1[5] = x488 - out1[6] = x495 - out1[7] = x502 - out1[8] = x509 + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(arg1[8], (arg2[8] * 0x2)) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(arg1[8], (arg2[7] * 0x2)) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[8], (arg2[6] * 0x2)) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[8], (arg2[5] * 0x2)) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[8], (arg2[4] * 0x2)) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[8], (arg2[3] * 0x2)) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[8], (arg2[2] * 0x2)) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[8], (arg2[1] * 0x2)) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[7], (arg2[8] * 0x2)) + var x19 uint64 + var x20 uint64 + x20, x19 = bits.Mul64(arg1[7], (arg2[7] * 0x2)) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(arg1[7], (arg2[6] * 0x2)) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(arg1[7], (arg2[5] * 0x2)) + var x25 uint64 + var x26 uint64 + x26, 
x25 = bits.Mul64(arg1[7], (arg2[4] * 0x2)) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(arg1[7], (arg2[3] * 0x2)) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(arg1[7], (arg2[2] * 0x2)) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(arg1[6], (arg2[8] * 0x2)) + var x33 uint64 + var x34 uint64 + x34, x33 = bits.Mul64(arg1[6], (arg2[7] * 0x2)) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(arg1[6], (arg2[6] * 0x2)) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(arg1[6], (arg2[5] * 0x2)) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(arg1[6], (arg2[4] * 0x2)) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(arg1[6], (arg2[3] * 0x2)) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(arg1[5], (arg2[8] * 0x2)) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(arg1[5], (arg2[7] * 0x2)) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(arg1[5], (arg2[6] * 0x2)) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(arg1[5], (arg2[5] * 0x2)) + var x51 uint64 + var x52 uint64 + x52, x51 = bits.Mul64(arg1[5], (arg2[4] * 0x2)) + var x53 uint64 + var x54 uint64 + x54, x53 = bits.Mul64(arg1[4], (arg2[8] * 0x2)) + var x55 uint64 + var x56 uint64 + x56, x55 = bits.Mul64(arg1[4], (arg2[7] * 0x2)) + var x57 uint64 + var x58 uint64 + x58, x57 = bits.Mul64(arg1[4], (arg2[6] * 0x2)) + var x59 uint64 + var x60 uint64 + x60, x59 = bits.Mul64(arg1[4], (arg2[5] * 0x2)) + var x61 uint64 + var x62 uint64 + x62, x61 = bits.Mul64(arg1[3], (arg2[8] * 0x2)) + var x63 uint64 + var x64 uint64 + x64, x63 = bits.Mul64(arg1[3], (arg2[7] * 0x2)) + var x65 uint64 + var x66 uint64 + x66, x65 = bits.Mul64(arg1[3], (arg2[6] * 0x2)) + var x67 uint64 + var x68 uint64 + x68, x67 = bits.Mul64(arg1[2], (arg2[8] * 0x2)) + var x69 uint64 + var x70 uint64 + x70, x69 = bits.Mul64(arg1[2], (arg2[7] * 0x2)) + var x71 uint64 + var x72 uint64 + x72, x71 = bits.Mul64(arg1[1], (arg2[8] * 0x2)) + var x73 uint64 + var 
x74 uint64 + x74, x73 = bits.Mul64(arg1[8], arg2[0]) + var x75 uint64 + var x76 uint64 + x76, x75 = bits.Mul64(arg1[7], arg2[1]) + var x77 uint64 + var x78 uint64 + x78, x77 = bits.Mul64(arg1[7], arg2[0]) + var x79 uint64 + var x80 uint64 + x80, x79 = bits.Mul64(arg1[6], arg2[2]) + var x81 uint64 + var x82 uint64 + x82, x81 = bits.Mul64(arg1[6], arg2[1]) + var x83 uint64 + var x84 uint64 + x84, x83 = bits.Mul64(arg1[6], arg2[0]) + var x85 uint64 + var x86 uint64 + x86, x85 = bits.Mul64(arg1[5], arg2[3]) + var x87 uint64 + var x88 uint64 + x88, x87 = bits.Mul64(arg1[5], arg2[2]) + var x89 uint64 + var x90 uint64 + x90, x89 = bits.Mul64(arg1[5], arg2[1]) + var x91 uint64 + var x92 uint64 + x92, x91 = bits.Mul64(arg1[5], arg2[0]) + var x93 uint64 + var x94 uint64 + x94, x93 = bits.Mul64(arg1[4], arg2[4]) + var x95 uint64 + var x96 uint64 + x96, x95 = bits.Mul64(arg1[4], arg2[3]) + var x97 uint64 + var x98 uint64 + x98, x97 = bits.Mul64(arg1[4], arg2[2]) + var x99 uint64 + var x100 uint64 + x100, x99 = bits.Mul64(arg1[4], arg2[1]) + var x101 uint64 + var x102 uint64 + x102, x101 = bits.Mul64(arg1[4], arg2[0]) + var x103 uint64 + var x104 uint64 + x104, x103 = bits.Mul64(arg1[3], arg2[5]) + var x105 uint64 + var x106 uint64 + x106, x105 = bits.Mul64(arg1[3], arg2[4]) + var x107 uint64 + var x108 uint64 + x108, x107 = bits.Mul64(arg1[3], arg2[3]) + var x109 uint64 + var x110 uint64 + x110, x109 = bits.Mul64(arg1[3], arg2[2]) + var x111 uint64 + var x112 uint64 + x112, x111 = bits.Mul64(arg1[3], arg2[1]) + var x113 uint64 + var x114 uint64 + x114, x113 = bits.Mul64(arg1[3], arg2[0]) + var x115 uint64 + var x116 uint64 + x116, x115 = bits.Mul64(arg1[2], arg2[6]) + var x117 uint64 + var x118 uint64 + x118, x117 = bits.Mul64(arg1[2], arg2[5]) + var x119 uint64 + var x120 uint64 + x120, x119 = bits.Mul64(arg1[2], arg2[4]) + var x121 uint64 + var x122 uint64 + x122, x121 = bits.Mul64(arg1[2], arg2[3]) + var x123 uint64 + var x124 uint64 + x124, x123 = bits.Mul64(arg1[2], 
arg2[2]) + var x125 uint64 + var x126 uint64 + x126, x125 = bits.Mul64(arg1[2], arg2[1]) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(arg1[2], arg2[0]) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(arg1[1], arg2[7]) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(arg1[1], arg2[6]) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(arg1[1], arg2[5]) + var x135 uint64 + var x136 uint64 + x136, x135 = bits.Mul64(arg1[1], arg2[4]) + var x137 uint64 + var x138 uint64 + x138, x137 = bits.Mul64(arg1[1], arg2[3]) + var x139 uint64 + var x140 uint64 + x140, x139 = bits.Mul64(arg1[1], arg2[2]) + var x141 uint64 + var x142 uint64 + x142, x141 = bits.Mul64(arg1[1], arg2[1]) + var x143 uint64 + var x144 uint64 + x144, x143 = bits.Mul64(arg1[1], arg2[0]) + var x145 uint64 + var x146 uint64 + x146, x145 = bits.Mul64(arg1[0], arg2[8]) + var x147 uint64 + var x148 uint64 + x148, x147 = bits.Mul64(arg1[0], arg2[7]) + var x149 uint64 + var x150 uint64 + x150, x149 = bits.Mul64(arg1[0], arg2[6]) + var x151 uint64 + var x152 uint64 + x152, x151 = bits.Mul64(arg1[0], arg2[5]) + var x153 uint64 + var x154 uint64 + x154, x153 = bits.Mul64(arg1[0], arg2[4]) + var x155 uint64 + var x156 uint64 + x156, x155 = bits.Mul64(arg1[0], arg2[3]) + var x157 uint64 + var x158 uint64 + x158, x157 = bits.Mul64(arg1[0], arg2[2]) + var x159 uint64 + var x160 uint64 + x160, x159 = bits.Mul64(arg1[0], arg2[1]) + var x161 uint64 + var x162 uint64 + x162, x161 = bits.Mul64(arg1[0], arg2[0]) + var x163 uint64 + var x164 uint1 + x163, x164 = addcarryxU64(x29, x15, 0x0) + var x165 uint64 + x165, _ = addcarryxU64(x30, x16, x164) + var x167 uint64 + var x168 uint1 + x167, x168 = addcarryxU64(x41, x163, 0x0) + var x169 uint64 + x169, _ = addcarryxU64(x42, x165, x168) + var x171 uint64 + var x172 uint1 + x171, x172 = addcarryxU64(x51, x167, 0x0) + var x173 uint64 + x173, _ = addcarryxU64(x52, x169, x172) + var x175 uint64 + var x176 uint1 + x175, x176 = 
addcarryxU64(x59, x171, 0x0) + var x177 uint64 + x177, _ = addcarryxU64(x60, x173, x176) + var x179 uint64 + var x180 uint1 + x179, x180 = addcarryxU64(x65, x175, 0x0) + var x181 uint64 + x181, _ = addcarryxU64(x66, x177, x180) + var x183 uint64 + var x184 uint1 + x183, x184 = addcarryxU64(x69, x179, 0x0) + var x185 uint64 + x185, _ = addcarryxU64(x70, x181, x184) + var x187 uint64 + var x188 uint1 + x187, x188 = addcarryxU64(x71, x183, 0x0) + var x189 uint64 + x189, _ = addcarryxU64(x72, x185, x188) + var x191 uint64 + var x192 uint1 + x191, x192 = addcarryxU64(x161, x187, 0x0) + var x193 uint64 + x193, _ = addcarryxU64(x162, x189, x192) + x195 := ((x191 >> 58) | ((x193 << 6) & 0xffffffffffffffff)) + x196 := (x193 >> 58) + x197 := (x191 & 0x3ffffffffffffff) + var x198 uint64 + var x199 uint1 + x198, x199 = addcarryxU64(x75, x73, 0x0) + var x200 uint64 + x200, _ = addcarryxU64(x76, x74, x199) + var x202 uint64 + var x203 uint1 + x202, x203 = addcarryxU64(x79, x198, 0x0) + var x204 uint64 + x204, _ = addcarryxU64(x80, x200, x203) + var x206 uint64 + var x207 uint1 + x206, x207 = addcarryxU64(x85, x202, 0x0) + var x208 uint64 + x208, _ = addcarryxU64(x86, x204, x207) + var x210 uint64 + var x211 uint1 + x210, x211 = addcarryxU64(x93, x206, 0x0) + var x212 uint64 + x212, _ = addcarryxU64(x94, x208, x211) + var x214 uint64 + var x215 uint1 + x214, x215 = addcarryxU64(x103, x210, 0x0) + var x216 uint64 + x216, _ = addcarryxU64(x104, x212, x215) + var x218 uint64 + var x219 uint1 + x218, x219 = addcarryxU64(x115, x214, 0x0) + var x220 uint64 + x220, _ = addcarryxU64(x116, x216, x219) + var x222 uint64 + var x223 uint1 + x222, x223 = addcarryxU64(x129, x218, 0x0) + var x224 uint64 + x224, _ = addcarryxU64(x130, x220, x223) + var x226 uint64 + var x227 uint1 + x226, x227 = addcarryxU64(x145, x222, 0x0) + var x228 uint64 + x228, _ = addcarryxU64(x146, x224, x227) + var x230 uint64 + var x231 uint1 + x230, x231 = addcarryxU64(x77, x1, 0x0) + var x232 uint64 + x232, _ = 
addcarryxU64(x78, x2, x231) + var x234 uint64 + var x235 uint1 + x234, x235 = addcarryxU64(x81, x230, 0x0) + var x236 uint64 + x236, _ = addcarryxU64(x82, x232, x235) + var x238 uint64 + var x239 uint1 + x238, x239 = addcarryxU64(x87, x234, 0x0) + var x240 uint64 + x240, _ = addcarryxU64(x88, x236, x239) + var x242 uint64 + var x243 uint1 + x242, x243 = addcarryxU64(x95, x238, 0x0) + var x244 uint64 + x244, _ = addcarryxU64(x96, x240, x243) + var x246 uint64 + var x247 uint1 + x246, x247 = addcarryxU64(x105, x242, 0x0) + var x248 uint64 + x248, _ = addcarryxU64(x106, x244, x247) + var x250 uint64 + var x251 uint1 + x250, x251 = addcarryxU64(x117, x246, 0x0) + var x252 uint64 + x252, _ = addcarryxU64(x118, x248, x251) + var x254 uint64 + var x255 uint1 + x254, x255 = addcarryxU64(x131, x250, 0x0) + var x256 uint64 + x256, _ = addcarryxU64(x132, x252, x255) + var x258 uint64 + var x259 uint1 + x258, x259 = addcarryxU64(x147, x254, 0x0) + var x260 uint64 + x260, _ = addcarryxU64(x148, x256, x259) + var x262 uint64 + var x263 uint1 + x262, x263 = addcarryxU64(x17, x3, 0x0) + var x264 uint64 + x264, _ = addcarryxU64(x18, x4, x263) + var x266 uint64 + var x267 uint1 + x266, x267 = addcarryxU64(x83, x262, 0x0) + var x268 uint64 + x268, _ = addcarryxU64(x84, x264, x267) + var x270 uint64 + var x271 uint1 + x270, x271 = addcarryxU64(x89, x266, 0x0) + var x272 uint64 + x272, _ = addcarryxU64(x90, x268, x271) + var x274 uint64 + var x275 uint1 + x274, x275 = addcarryxU64(x97, x270, 0x0) + var x276 uint64 + x276, _ = addcarryxU64(x98, x272, x275) + var x278 uint64 + var x279 uint1 + x278, x279 = addcarryxU64(x107, x274, 0x0) + var x280 uint64 + x280, _ = addcarryxU64(x108, x276, x279) + var x282 uint64 + var x283 uint1 + x282, x283 = addcarryxU64(x119, x278, 0x0) + var x284 uint64 + x284, _ = addcarryxU64(x120, x280, x283) + var x286 uint64 + var x287 uint1 + x286, x287 = addcarryxU64(x133, x282, 0x0) + var x288 uint64 + x288, _ = addcarryxU64(x134, x284, x287) + var x290 
uint64 + var x291 uint1 + x290, x291 = addcarryxU64(x149, x286, 0x0) + var x292 uint64 + x292, _ = addcarryxU64(x150, x288, x291) + var x294 uint64 + var x295 uint1 + x294, x295 = addcarryxU64(x19, x5, 0x0) + var x296 uint64 + x296, _ = addcarryxU64(x20, x6, x295) + var x298 uint64 + var x299 uint1 + x298, x299 = addcarryxU64(x31, x294, 0x0) + var x300 uint64 + x300, _ = addcarryxU64(x32, x296, x299) + var x302 uint64 + var x303 uint1 + x302, x303 = addcarryxU64(x91, x298, 0x0) + var x304 uint64 + x304, _ = addcarryxU64(x92, x300, x303) + var x306 uint64 + var x307 uint1 + x306, x307 = addcarryxU64(x99, x302, 0x0) + var x308 uint64 + x308, _ = addcarryxU64(x100, x304, x307) + var x310 uint64 + var x311 uint1 + x310, x311 = addcarryxU64(x109, x306, 0x0) + var x312 uint64 + x312, _ = addcarryxU64(x110, x308, x311) + var x314 uint64 + var x315 uint1 + x314, x315 = addcarryxU64(x121, x310, 0x0) + var x316 uint64 + x316, _ = addcarryxU64(x122, x312, x315) + var x318 uint64 + var x319 uint1 + x318, x319 = addcarryxU64(x135, x314, 0x0) + var x320 uint64 + x320, _ = addcarryxU64(x136, x316, x319) + var x322 uint64 + var x323 uint1 + x322, x323 = addcarryxU64(x151, x318, 0x0) + var x324 uint64 + x324, _ = addcarryxU64(x152, x320, x323) + var x326 uint64 + var x327 uint1 + x326, x327 = addcarryxU64(x21, x7, 0x0) + var x328 uint64 + x328, _ = addcarryxU64(x22, x8, x327) + var x330 uint64 + var x331 uint1 + x330, x331 = addcarryxU64(x33, x326, 0x0) + var x332 uint64 + x332, _ = addcarryxU64(x34, x328, x331) + var x334 uint64 + var x335 uint1 + x334, x335 = addcarryxU64(x43, x330, 0x0) + var x336 uint64 + x336, _ = addcarryxU64(x44, x332, x335) + var x338 uint64 + var x339 uint1 + x338, x339 = addcarryxU64(x101, x334, 0x0) + var x340 uint64 + x340, _ = addcarryxU64(x102, x336, x339) + var x342 uint64 + var x343 uint1 + x342, x343 = addcarryxU64(x111, x338, 0x0) + var x344 uint64 + x344, _ = addcarryxU64(x112, x340, x343) + var x346 uint64 + var x347 uint1 + x346, x347 = 
addcarryxU64(x123, x342, 0x0) + var x348 uint64 + x348, _ = addcarryxU64(x124, x344, x347) + var x350 uint64 + var x351 uint1 + x350, x351 = addcarryxU64(x137, x346, 0x0) + var x352 uint64 + x352, _ = addcarryxU64(x138, x348, x351) + var x354 uint64 + var x355 uint1 + x354, x355 = addcarryxU64(x153, x350, 0x0) + var x356 uint64 + x356, _ = addcarryxU64(x154, x352, x355) + var x358 uint64 + var x359 uint1 + x358, x359 = addcarryxU64(x23, x9, 0x0) + var x360 uint64 + x360, _ = addcarryxU64(x24, x10, x359) + var x362 uint64 + var x363 uint1 + x362, x363 = addcarryxU64(x35, x358, 0x0) + var x364 uint64 + x364, _ = addcarryxU64(x36, x360, x363) + var x366 uint64 + var x367 uint1 + x366, x367 = addcarryxU64(x45, x362, 0x0) + var x368 uint64 + x368, _ = addcarryxU64(x46, x364, x367) + var x370 uint64 + var x371 uint1 + x370, x371 = addcarryxU64(x53, x366, 0x0) + var x372 uint64 + x372, _ = addcarryxU64(x54, x368, x371) + var x374 uint64 + var x375 uint1 + x374, x375 = addcarryxU64(x113, x370, 0x0) + var x376 uint64 + x376, _ = addcarryxU64(x114, x372, x375) + var x378 uint64 + var x379 uint1 + x378, x379 = addcarryxU64(x125, x374, 0x0) + var x380 uint64 + x380, _ = addcarryxU64(x126, x376, x379) + var x382 uint64 + var x383 uint1 + x382, x383 = addcarryxU64(x139, x378, 0x0) + var x384 uint64 + x384, _ = addcarryxU64(x140, x380, x383) + var x386 uint64 + var x387 uint1 + x386, x387 = addcarryxU64(x155, x382, 0x0) + var x388 uint64 + x388, _ = addcarryxU64(x156, x384, x387) + var x390 uint64 + var x391 uint1 + x390, x391 = addcarryxU64(x25, x11, 0x0) + var x392 uint64 + x392, _ = addcarryxU64(x26, x12, x391) + var x394 uint64 + var x395 uint1 + x394, x395 = addcarryxU64(x37, x390, 0x0) + var x396 uint64 + x396, _ = addcarryxU64(x38, x392, x395) + var x398 uint64 + var x399 uint1 + x398, x399 = addcarryxU64(x47, x394, 0x0) + var x400 uint64 + x400, _ = addcarryxU64(x48, x396, x399) + var x402 uint64 + var x403 uint1 + x402, x403 = addcarryxU64(x55, x398, 0x0) + var x404 
uint64 + x404, _ = addcarryxU64(x56, x400, x403) + var x406 uint64 + var x407 uint1 + x406, x407 = addcarryxU64(x61, x402, 0x0) + var x408 uint64 + x408, _ = addcarryxU64(x62, x404, x407) + var x410 uint64 + var x411 uint1 + x410, x411 = addcarryxU64(x127, x406, 0x0) + var x412 uint64 + x412, _ = addcarryxU64(x128, x408, x411) + var x414 uint64 + var x415 uint1 + x414, x415 = addcarryxU64(x141, x410, 0x0) + var x416 uint64 + x416, _ = addcarryxU64(x142, x412, x415) + var x418 uint64 + var x419 uint1 + x418, x419 = addcarryxU64(x157, x414, 0x0) + var x420 uint64 + x420, _ = addcarryxU64(x158, x416, x419) + var x422 uint64 + var x423 uint1 + x422, x423 = addcarryxU64(x27, x13, 0x0) + var x424 uint64 + x424, _ = addcarryxU64(x28, x14, x423) + var x426 uint64 + var x427 uint1 + x426, x427 = addcarryxU64(x39, x422, 0x0) + var x428 uint64 + x428, _ = addcarryxU64(x40, x424, x427) + var x430 uint64 + var x431 uint1 + x430, x431 = addcarryxU64(x49, x426, 0x0) + var x432 uint64 + x432, _ = addcarryxU64(x50, x428, x431) + var x434 uint64 + var x435 uint1 + x434, x435 = addcarryxU64(x57, x430, 0x0) + var x436 uint64 + x436, _ = addcarryxU64(x58, x432, x435) + var x438 uint64 + var x439 uint1 + x438, x439 = addcarryxU64(x63, x434, 0x0) + var x440 uint64 + x440, _ = addcarryxU64(x64, x436, x439) + var x442 uint64 + var x443 uint1 + x442, x443 = addcarryxU64(x67, x438, 0x0) + var x444 uint64 + x444, _ = addcarryxU64(x68, x440, x443) + var x446 uint64 + var x447 uint1 + x446, x447 = addcarryxU64(x143, x442, 0x0) + var x448 uint64 + x448, _ = addcarryxU64(x144, x444, x447) + var x450 uint64 + var x451 uint1 + x450, x451 = addcarryxU64(x159, x446, 0x0) + var x452 uint64 + x452, _ = addcarryxU64(x160, x448, x451) + var x454 uint64 + var x455 uint1 + x454, x455 = addcarryxU64(x195, x450, 0x0) + var x456 uint64 + x456, _ = addcarryxU64(x196, x452, x455) + x458 := ((x454 >> 58) | ((x456 << 6) & 0xffffffffffffffff)) + x459 := (x456 >> 58) + x460 := (x454 & 0x3ffffffffffffff) + var x461 
uint64 + var x462 uint1 + x461, x462 = addcarryxU64(x458, x418, 0x0) + var x463 uint64 + x463, _ = addcarryxU64(x459, x420, x462) + x465 := ((x461 >> 58) | ((x463 << 6) & 0xffffffffffffffff)) + x466 := (x463 >> 58) + x467 := (x461 & 0x3ffffffffffffff) + var x468 uint64 + var x469 uint1 + x468, x469 = addcarryxU64(x465, x386, 0x0) + var x470 uint64 + x470, _ = addcarryxU64(x466, x388, x469) + x472 := ((x468 >> 58) | ((x470 << 6) & 0xffffffffffffffff)) + x473 := (x470 >> 58) + x474 := (x468 & 0x3ffffffffffffff) + var x475 uint64 + var x476 uint1 + x475, x476 = addcarryxU64(x472, x354, 0x0) + var x477 uint64 + x477, _ = addcarryxU64(x473, x356, x476) + x479 := ((x475 >> 58) | ((x477 << 6) & 0xffffffffffffffff)) + x480 := (x477 >> 58) + x481 := (x475 & 0x3ffffffffffffff) + var x482 uint64 + var x483 uint1 + x482, x483 = addcarryxU64(x479, x322, 0x0) + var x484 uint64 + x484, _ = addcarryxU64(x480, x324, x483) + x486 := ((x482 >> 58) | ((x484 << 6) & 0xffffffffffffffff)) + x487 := (x484 >> 58) + x488 := (x482 & 0x3ffffffffffffff) + var x489 uint64 + var x490 uint1 + x489, x490 = addcarryxU64(x486, x290, 0x0) + var x491 uint64 + x491, _ = addcarryxU64(x487, x292, x490) + x493 := ((x489 >> 58) | ((x491 << 6) & 0xffffffffffffffff)) + x494 := (x491 >> 58) + x495 := (x489 & 0x3ffffffffffffff) + var x496 uint64 + var x497 uint1 + x496, x497 = addcarryxU64(x493, x258, 0x0) + var x498 uint64 + x498, _ = addcarryxU64(x494, x260, x497) + x500 := ((x496 >> 58) | ((x498 << 6) & 0xffffffffffffffff)) + x501 := (x498 >> 58) + x502 := (x496 & 0x3ffffffffffffff) + var x503 uint64 + var x504 uint1 + x503, x504 = addcarryxU64(x500, x226, 0x0) + var x505 uint64 + x505, _ = addcarryxU64(x501, x228, x504) + x507 := ((x503 >> 57) | ((x505 << 7) & 0xffffffffffffffff)) + x508 := (x505 >> 57) + x509 := (x503 & 0x1ffffffffffffff) + var x510 uint64 + var x511 uint1 + x510, x511 = addcarryxU64(x197, x507, 0x0) + x512 := (uint64(x511) + x508) + x513 := ((x510 >> 58) | ((x512 << 6) & 
0xffffffffffffffff)) + x514 := (x510 & 0x3ffffffffffffff) + x515 := (x513 + x460) + x516 := uint1((x515 >> 58)) + x517 := (x515 & 0x3ffffffffffffff) + x518 := (uint64(x516) + x467) + out1[0] = x514 + out1[1] = x517 + out1[2] = x518 + out1[3] = x474 + out1[4] = x481 + out1[5] = x488 + out1[6] = x495 + out1[7] = x502 + out1[8] = x509 } -/* - The function CarrySquare squares a field element and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - */ -/*inline*/ +// CarrySquare squares a field element and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] func CarrySquare(out1 *[9]uint64, arg1 *[9]uint64) { - var x1 uint64 = (arg1[8]) - var x2 uint64 = (x1 * 0x2) - var x3 uint64 = ((arg1[8]) * 0x2) - var x4 uint64 = (arg1[7]) - var x5 uint64 = (x4 * 0x2) - var x6 uint64 = ((arg1[7]) * 0x2) - var x7 uint64 = (arg1[6]) - var x8 uint64 = (x7 * 0x2) - var x9 uint64 = ((arg1[6]) * 0x2) - var x10 uint64 = (arg1[5]) - var x11 uint64 = (x10 * 0x2) - var x12 uint64 = ((arg1[5]) * 0x2) - var x13 uint64 = ((arg1[4]) * 0x2) - var x14 uint64 = ((arg1[3]) * 0x2) - var x15 uint64 = ((arg1[2]) * 0x2) - var x16 uint64 = ((arg1[1]) * 0x2) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64((arg1[8]), (x1 * 0x2)) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64((arg1[7]), (x2 * 0x2)) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64((arg1[7]), (x4 * 0x2)) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64((arg1[6]), (x2 * 0x2)) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64((arg1[6]), (x5 * 0x2)) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64((arg1[6]), (x7 * 0x2)) - var x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64((arg1[5]), (x2 * 0x2)) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64((arg1[5]), (x5 * 0x2)) - var x33 uint64 - var x34 uint64 - x34, x33 = bits.Mul64((arg1[5]), (x8 * 0x2)) - var x35 uint64 - var x36 uint64 - x36, x35 = 
bits.Mul64((arg1[5]), (x10 * 0x2)) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64((arg1[4]), (x2 * 0x2)) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64((arg1[4]), (x5 * 0x2)) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64((arg1[4]), (x8 * 0x2)) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64((arg1[4]), (x11 * 0x2)) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64((arg1[4]), (arg1[4])) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64((arg1[3]), (x2 * 0x2)) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64((arg1[3]), (x5 * 0x2)) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64((arg1[3]), (x8 * 0x2)) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64((arg1[3]), x12) - var x55 uint64 - var x56 uint64 - x56, x55 = bits.Mul64((arg1[3]), x13) - var x57 uint64 - var x58 uint64 - x58, x57 = bits.Mul64((arg1[3]), (arg1[3])) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64((arg1[2]), (x2 * 0x2)) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64((arg1[2]), (x5 * 0x2)) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64((arg1[2]), x9) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64((arg1[2]), x12) - var x67 uint64 - var x68 uint64 - x68, x67 = bits.Mul64((arg1[2]), x13) - var x69 uint64 - var x70 uint64 - x70, x69 = bits.Mul64((arg1[2]), x14) - var x71 uint64 - var x72 uint64 - x72, x71 = bits.Mul64((arg1[2]), (arg1[2])) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64((arg1[1]), (x2 * 0x2)) - var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64((arg1[1]), x6) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64((arg1[1]), x9) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64((arg1[1]), x12) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64((arg1[1]), x13) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64((arg1[1]), x14) - var x85 uint64 - var x86 uint64 - x86, x85 = bits.Mul64((arg1[1]), x15) - var x87 uint64 - var x88 
uint64 - x88, x87 = bits.Mul64((arg1[1]), (arg1[1])) - var x89 uint64 - var x90 uint64 - x90, x89 = bits.Mul64((arg1[0]), x3) - var x91 uint64 - var x92 uint64 - x92, x91 = bits.Mul64((arg1[0]), x6) - var x93 uint64 - var x94 uint64 - x94, x93 = bits.Mul64((arg1[0]), x9) - var x95 uint64 - var x96 uint64 - x96, x95 = bits.Mul64((arg1[0]), x12) - var x97 uint64 - var x98 uint64 - x98, x97 = bits.Mul64((arg1[0]), x13) - var x99 uint64 - var x100 uint64 - x100, x99 = bits.Mul64((arg1[0]), x14) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64((arg1[0]), x15) - var x103 uint64 - var x104 uint64 - x104, x103 = bits.Mul64((arg1[0]), x16) - var x105 uint64 - var x106 uint64 - x106, x105 = bits.Mul64((arg1[0]), (arg1[0])) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x51, x43, 0x0) - var x109 uint64 - x109, _ = addcarryxU64(x52, x44, x108) - var x111 uint64 - var x112 uint1 - x111, x112 = addcarryxU64(x61, x107, 0x0) - var x113 uint64 - x113, _ = addcarryxU64(x62, x109, x112) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x73, x111, 0x0) - var x117 uint64 - x117, _ = addcarryxU64(x74, x113, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(x105, x115, 0x0) - var x121 uint64 - x121, _ = addcarryxU64(x106, x117, x120) - var x123 uint64 = ((x119 >> 58) | ((x121 << 6) & 0xffffffffffffffff)) - var x124 uint64 = (x121 >> 58) - var x125 uint64 = (x119 & 0x3ffffffffffffff) - var x126 uint64 - var x127 uint1 - x126, x127 = addcarryxU64(x53, x45, 0x0) - var x128 uint64 - x128, _ = addcarryxU64(x54, x46, x127) - var x130 uint64 - var x131 uint1 - x130, x131 = addcarryxU64(x63, x126, 0x0) - var x132 uint64 - x132, _ = addcarryxU64(x64, x128, x131) - var x134 uint64 - var x135 uint1 - x134, x135 = addcarryxU64(x75, x130, 0x0) - var x136 uint64 - x136, _ = addcarryxU64(x76, x132, x135) - var x138 uint64 - var x139 uint1 - x138, x139 = addcarryxU64(x89, x134, 0x0) - var x140 uint64 - x140, _ = addcarryxU64(x90, x136, x139) - 
var x142 uint64 - var x143 uint1 - x142, x143 = addcarryxU64(x55, x17, 0x0) - var x144 uint64 - x144, _ = addcarryxU64(x56, x18, x143) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x65, x142, 0x0) - var x148 uint64 - x148, _ = addcarryxU64(x66, x144, x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x77, x146, 0x0) - var x152 uint64 - x152, _ = addcarryxU64(x78, x148, x151) - var x154 uint64 - var x155 uint1 - x154, x155 = addcarryxU64(x91, x150, 0x0) - var x156 uint64 - x156, _ = addcarryxU64(x92, x152, x155) - var x158 uint64 - var x159 uint1 - x158, x159 = addcarryxU64(x57, x19, 0x0) - var x160 uint64 - x160, _ = addcarryxU64(x58, x20, x159) - var x162 uint64 - var x163 uint1 - x162, x163 = addcarryxU64(x67, x158, 0x0) - var x164 uint64 - x164, _ = addcarryxU64(x68, x160, x163) - var x166 uint64 - var x167 uint1 - x166, x167 = addcarryxU64(x79, x162, 0x0) - var x168 uint64 - x168, _ = addcarryxU64(x80, x164, x167) - var x170 uint64 - var x171 uint1 - x170, x171 = addcarryxU64(x93, x166, 0x0) - var x172 uint64 - x172, _ = addcarryxU64(x94, x168, x171) - var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x23, x21, 0x0) - var x176 uint64 - x176, _ = addcarryxU64(x24, x22, x175) - var x178 uint64 - var x179 uint1 - x178, x179 = addcarryxU64(x69, x174, 0x0) - var x180 uint64 - x180, _ = addcarryxU64(x70, x176, x179) - var x182 uint64 - var x183 uint1 - x182, x183 = addcarryxU64(x81, x178, 0x0) - var x184 uint64 - x184, _ = addcarryxU64(x82, x180, x183) - var x186 uint64 - var x187 uint1 - x186, x187 = addcarryxU64(x95, x182, 0x0) - var x188 uint64 - x188, _ = addcarryxU64(x96, x184, x187) - var x190 uint64 - var x191 uint1 - x190, x191 = addcarryxU64(x29, x25, 0x0) - var x192 uint64 - x192, _ = addcarryxU64(x30, x26, x191) - var x194 uint64 - var x195 uint1 - x194, x195 = addcarryxU64(x71, x190, 0x0) - var x196 uint64 - x196, _ = addcarryxU64(x72, x192, x195) - var x198 uint64 - var x199 uint1 - x198, x199 = 
addcarryxU64(x83, x194, 0x0) - var x200 uint64 - x200, _ = addcarryxU64(x84, x196, x199) - var x202 uint64 - var x203 uint1 - x202, x203 = addcarryxU64(x97, x198, 0x0) - var x204 uint64 - x204, _ = addcarryxU64(x98, x200, x203) - var x206 uint64 - var x207 uint1 - x206, x207 = addcarryxU64(x31, x27, 0x0) - var x208 uint64 - x208, _ = addcarryxU64(x32, x28, x207) - var x210 uint64 - var x211 uint1 - x210, x211 = addcarryxU64(x37, x206, 0x0) - var x212 uint64 - x212, _ = addcarryxU64(x38, x208, x211) - var x214 uint64 - var x215 uint1 - x214, x215 = addcarryxU64(x85, x210, 0x0) - var x216 uint64 - x216, _ = addcarryxU64(x86, x212, x215) - var x218 uint64 - var x219 uint1 - x218, x219 = addcarryxU64(x99, x214, 0x0) - var x220 uint64 - x220, _ = addcarryxU64(x100, x216, x219) - var x222 uint64 - var x223 uint1 - x222, x223 = addcarryxU64(x39, x33, 0x0) - var x224 uint64 - x224, _ = addcarryxU64(x40, x34, x223) - var x226 uint64 - var x227 uint1 - x226, x227 = addcarryxU64(x47, x222, 0x0) - var x228 uint64 - x228, _ = addcarryxU64(x48, x224, x227) - var x230 uint64 - var x231 uint1 - x230, x231 = addcarryxU64(x87, x226, 0x0) - var x232 uint64 - x232, _ = addcarryxU64(x88, x228, x231) - var x234 uint64 - var x235 uint1 - x234, x235 = addcarryxU64(x101, x230, 0x0) - var x236 uint64 - x236, _ = addcarryxU64(x102, x232, x235) - var x238 uint64 - var x239 uint1 - x238, x239 = addcarryxU64(x41, x35, 0x0) - var x240 uint64 - x240, _ = addcarryxU64(x42, x36, x239) - var x242 uint64 - var x243 uint1 - x242, x243 = addcarryxU64(x49, x238, 0x0) - var x244 uint64 - x244, _ = addcarryxU64(x50, x240, x243) - var x246 uint64 - var x247 uint1 - x246, x247 = addcarryxU64(x59, x242, 0x0) - var x248 uint64 - x248, _ = addcarryxU64(x60, x244, x247) - var x250 uint64 - var x251 uint1 - x250, x251 = addcarryxU64(x103, x246, 0x0) - var x252 uint64 - x252, _ = addcarryxU64(x104, x248, x251) - var x254 uint64 - var x255 uint1 - x254, x255 = addcarryxU64(x123, x250, 0x0) - var x256 uint64 - 
x256, _ = addcarryxU64(x124, x252, x255) - var x258 uint64 = ((x254 >> 58) | ((x256 << 6) & 0xffffffffffffffff)) - var x259 uint64 = (x256 >> 58) - var x260 uint64 = (x254 & 0x3ffffffffffffff) - var x261 uint64 - var x262 uint1 - x261, x262 = addcarryxU64(x258, x234, 0x0) - var x263 uint64 - x263, _ = addcarryxU64(x259, x236, x262) - var x265 uint64 = ((x261 >> 58) | ((x263 << 6) & 0xffffffffffffffff)) - var x266 uint64 = (x263 >> 58) - var x267 uint64 = (x261 & 0x3ffffffffffffff) - var x268 uint64 - var x269 uint1 - x268, x269 = addcarryxU64(x265, x218, 0x0) - var x270 uint64 - x270, _ = addcarryxU64(x266, x220, x269) - var x272 uint64 = ((x268 >> 58) | ((x270 << 6) & 0xffffffffffffffff)) - var x273 uint64 = (x270 >> 58) - var x274 uint64 = (x268 & 0x3ffffffffffffff) - var x275 uint64 - var x276 uint1 - x275, x276 = addcarryxU64(x272, x202, 0x0) - var x277 uint64 - x277, _ = addcarryxU64(x273, x204, x276) - var x279 uint64 = ((x275 >> 58) | ((x277 << 6) & 0xffffffffffffffff)) - var x280 uint64 = (x277 >> 58) - var x281 uint64 = (x275 & 0x3ffffffffffffff) - var x282 uint64 - var x283 uint1 - x282, x283 = addcarryxU64(x279, x186, 0x0) - var x284 uint64 - x284, _ = addcarryxU64(x280, x188, x283) - var x286 uint64 = ((x282 >> 58) | ((x284 << 6) & 0xffffffffffffffff)) - var x287 uint64 = (x284 >> 58) - var x288 uint64 = (x282 & 0x3ffffffffffffff) - var x289 uint64 - var x290 uint1 - x289, x290 = addcarryxU64(x286, x170, 0x0) - var x291 uint64 - x291, _ = addcarryxU64(x287, x172, x290) - var x293 uint64 = ((x289 >> 58) | ((x291 << 6) & 0xffffffffffffffff)) - var x294 uint64 = (x291 >> 58) - var x295 uint64 = (x289 & 0x3ffffffffffffff) - var x296 uint64 - var x297 uint1 - x296, x297 = addcarryxU64(x293, x154, 0x0) - var x298 uint64 - x298, _ = addcarryxU64(x294, x156, x297) - var x300 uint64 = ((x296 >> 58) | ((x298 << 6) & 0xffffffffffffffff)) - var x301 uint64 = (x298 >> 58) - var x302 uint64 = (x296 & 0x3ffffffffffffff) - var x303 uint64 - var x304 uint1 - x303, x304 
= addcarryxU64(x300, x138, 0x0) - var x305 uint64 - x305, _ = addcarryxU64(x301, x140, x304) - var x307 uint64 = ((x303 >> 57) | ((x305 << 7) & 0xffffffffffffffff)) - var x308 uint64 = (x305 >> 57) - var x309 uint64 = (x303 & 0x1ffffffffffffff) - var x310 uint64 - var x311 uint1 - x310, x311 = addcarryxU64(x125, x307, 0x0) - var x312 uint64 = (uint64(x311) + x308) - var x313 uint64 = ((x310 >> 58) | ((x312 << 6) & 0xffffffffffffffff)) - var x314 uint64 = (x310 & 0x3ffffffffffffff) - var x315 uint64 = (x313 + x260) - var x316 uint1 = uint1((x315 >> 58)) - var x317 uint64 = (x315 & 0x3ffffffffffffff) - var x318 uint64 = (uint64(x316) + x267) - out1[0] = x314 - out1[1] = x317 - out1[2] = x318 - out1[3] = x274 - out1[4] = x281 - out1[5] = x288 - out1[6] = x295 - out1[7] = x302 - out1[8] = x309 + x1 := arg1[8] + x2 := (x1 * 0x2) + x3 := (arg1[8] * 0x2) + x4 := arg1[7] + x5 := (x4 * 0x2) + x6 := (arg1[7] * 0x2) + x7 := arg1[6] + x8 := (x7 * 0x2) + x9 := (arg1[6] * 0x2) + x10 := arg1[5] + x11 := (x10 * 0x2) + x12 := (arg1[5] * 0x2) + x13 := (arg1[4] * 0x2) + x14 := (arg1[3] * 0x2) + x15 := (arg1[2] * 0x2) + x16 := (arg1[1] * 0x2) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[8], (x1 * 0x2)) + var x19 uint64 + var x20 uint64 + x20, x19 = bits.Mul64(arg1[7], (x2 * 0x2)) + var x21 uint64 + var x22 uint64 + x22, x21 = bits.Mul64(arg1[7], (x4 * 0x2)) + var x23 uint64 + var x24 uint64 + x24, x23 = bits.Mul64(arg1[6], (x2 * 0x2)) + var x25 uint64 + var x26 uint64 + x26, x25 = bits.Mul64(arg1[6], (x5 * 0x2)) + var x27 uint64 + var x28 uint64 + x28, x27 = bits.Mul64(arg1[6], (x7 * 0x2)) + var x29 uint64 + var x30 uint64 + x30, x29 = bits.Mul64(arg1[5], (x2 * 0x2)) + var x31 uint64 + var x32 uint64 + x32, x31 = bits.Mul64(arg1[5], (x5 * 0x2)) + var x33 uint64 + var x34 uint64 + x34, x33 = bits.Mul64(arg1[5], (x8 * 0x2)) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(arg1[5], (x10 * 0x2)) + var x37 uint64 + var x38 uint64 + x38, x37 = bits.Mul64(arg1[4], 
(x2 * 0x2)) + var x39 uint64 + var x40 uint64 + x40, x39 = bits.Mul64(arg1[4], (x5 * 0x2)) + var x41 uint64 + var x42 uint64 + x42, x41 = bits.Mul64(arg1[4], (x8 * 0x2)) + var x43 uint64 + var x44 uint64 + x44, x43 = bits.Mul64(arg1[4], (x11 * 0x2)) + var x45 uint64 + var x46 uint64 + x46, x45 = bits.Mul64(arg1[4], arg1[4]) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(arg1[3], (x2 * 0x2)) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(arg1[3], (x5 * 0x2)) + var x51 uint64 + var x52 uint64 + x52, x51 = bits.Mul64(arg1[3], (x8 * 0x2)) + var x53 uint64 + var x54 uint64 + x54, x53 = bits.Mul64(arg1[3], x12) + var x55 uint64 + var x56 uint64 + x56, x55 = bits.Mul64(arg1[3], x13) + var x57 uint64 + var x58 uint64 + x58, x57 = bits.Mul64(arg1[3], arg1[3]) + var x59 uint64 + var x60 uint64 + x60, x59 = bits.Mul64(arg1[2], (x2 * 0x2)) + var x61 uint64 + var x62 uint64 + x62, x61 = bits.Mul64(arg1[2], (x5 * 0x2)) + var x63 uint64 + var x64 uint64 + x64, x63 = bits.Mul64(arg1[2], x9) + var x65 uint64 + var x66 uint64 + x66, x65 = bits.Mul64(arg1[2], x12) + var x67 uint64 + var x68 uint64 + x68, x67 = bits.Mul64(arg1[2], x13) + var x69 uint64 + var x70 uint64 + x70, x69 = bits.Mul64(arg1[2], x14) + var x71 uint64 + var x72 uint64 + x72, x71 = bits.Mul64(arg1[2], arg1[2]) + var x73 uint64 + var x74 uint64 + x74, x73 = bits.Mul64(arg1[1], (x2 * 0x2)) + var x75 uint64 + var x76 uint64 + x76, x75 = bits.Mul64(arg1[1], x6) + var x77 uint64 + var x78 uint64 + x78, x77 = bits.Mul64(arg1[1], x9) + var x79 uint64 + var x80 uint64 + x80, x79 = bits.Mul64(arg1[1], x12) + var x81 uint64 + var x82 uint64 + x82, x81 = bits.Mul64(arg1[1], x13) + var x83 uint64 + var x84 uint64 + x84, x83 = bits.Mul64(arg1[1], x14) + var x85 uint64 + var x86 uint64 + x86, x85 = bits.Mul64(arg1[1], x15) + var x87 uint64 + var x88 uint64 + x88, x87 = bits.Mul64(arg1[1], arg1[1]) + var x89 uint64 + var x90 uint64 + x90, x89 = bits.Mul64(arg1[0], x3) + var x91 uint64 + var x92 uint64 + 
x92, x91 = bits.Mul64(arg1[0], x6) + var x93 uint64 + var x94 uint64 + x94, x93 = bits.Mul64(arg1[0], x9) + var x95 uint64 + var x96 uint64 + x96, x95 = bits.Mul64(arg1[0], x12) + var x97 uint64 + var x98 uint64 + x98, x97 = bits.Mul64(arg1[0], x13) + var x99 uint64 + var x100 uint64 + x100, x99 = bits.Mul64(arg1[0], x14) + var x101 uint64 + var x102 uint64 + x102, x101 = bits.Mul64(arg1[0], x15) + var x103 uint64 + var x104 uint64 + x104, x103 = bits.Mul64(arg1[0], x16) + var x105 uint64 + var x106 uint64 + x106, x105 = bits.Mul64(arg1[0], arg1[0]) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x51, x43, 0x0) + var x109 uint64 + x109, _ = addcarryxU64(x52, x44, x108) + var x111 uint64 + var x112 uint1 + x111, x112 = addcarryxU64(x61, x107, 0x0) + var x113 uint64 + x113, _ = addcarryxU64(x62, x109, x112) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x73, x111, 0x0) + var x117 uint64 + x117, _ = addcarryxU64(x74, x113, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(x105, x115, 0x0) + var x121 uint64 + x121, _ = addcarryxU64(x106, x117, x120) + x123 := ((x119 >> 58) | ((x121 << 6) & 0xffffffffffffffff)) + x124 := (x121 >> 58) + x125 := (x119 & 0x3ffffffffffffff) + var x126 uint64 + var x127 uint1 + x126, x127 = addcarryxU64(x53, x45, 0x0) + var x128 uint64 + x128, _ = addcarryxU64(x54, x46, x127) + var x130 uint64 + var x131 uint1 + x130, x131 = addcarryxU64(x63, x126, 0x0) + var x132 uint64 + x132, _ = addcarryxU64(x64, x128, x131) + var x134 uint64 + var x135 uint1 + x134, x135 = addcarryxU64(x75, x130, 0x0) + var x136 uint64 + x136, _ = addcarryxU64(x76, x132, x135) + var x138 uint64 + var x139 uint1 + x138, x139 = addcarryxU64(x89, x134, 0x0) + var x140 uint64 + x140, _ = addcarryxU64(x90, x136, x139) + var x142 uint64 + var x143 uint1 + x142, x143 = addcarryxU64(x55, x17, 0x0) + var x144 uint64 + x144, _ = addcarryxU64(x56, x18, x143) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x65, x142, 
0x0) + var x148 uint64 + x148, _ = addcarryxU64(x66, x144, x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x77, x146, 0x0) + var x152 uint64 + x152, _ = addcarryxU64(x78, x148, x151) + var x154 uint64 + var x155 uint1 + x154, x155 = addcarryxU64(x91, x150, 0x0) + var x156 uint64 + x156, _ = addcarryxU64(x92, x152, x155) + var x158 uint64 + var x159 uint1 + x158, x159 = addcarryxU64(x57, x19, 0x0) + var x160 uint64 + x160, _ = addcarryxU64(x58, x20, x159) + var x162 uint64 + var x163 uint1 + x162, x163 = addcarryxU64(x67, x158, 0x0) + var x164 uint64 + x164, _ = addcarryxU64(x68, x160, x163) + var x166 uint64 + var x167 uint1 + x166, x167 = addcarryxU64(x79, x162, 0x0) + var x168 uint64 + x168, _ = addcarryxU64(x80, x164, x167) + var x170 uint64 + var x171 uint1 + x170, x171 = addcarryxU64(x93, x166, 0x0) + var x172 uint64 + x172, _ = addcarryxU64(x94, x168, x171) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x23, x21, 0x0) + var x176 uint64 + x176, _ = addcarryxU64(x24, x22, x175) + var x178 uint64 + var x179 uint1 + x178, x179 = addcarryxU64(x69, x174, 0x0) + var x180 uint64 + x180, _ = addcarryxU64(x70, x176, x179) + var x182 uint64 + var x183 uint1 + x182, x183 = addcarryxU64(x81, x178, 0x0) + var x184 uint64 + x184, _ = addcarryxU64(x82, x180, x183) + var x186 uint64 + var x187 uint1 + x186, x187 = addcarryxU64(x95, x182, 0x0) + var x188 uint64 + x188, _ = addcarryxU64(x96, x184, x187) + var x190 uint64 + var x191 uint1 + x190, x191 = addcarryxU64(x29, x25, 0x0) + var x192 uint64 + x192, _ = addcarryxU64(x30, x26, x191) + var x194 uint64 + var x195 uint1 + x194, x195 = addcarryxU64(x71, x190, 0x0) + var x196 uint64 + x196, _ = addcarryxU64(x72, x192, x195) + var x198 uint64 + var x199 uint1 + x198, x199 = addcarryxU64(x83, x194, 0x0) + var x200 uint64 + x200, _ = addcarryxU64(x84, x196, x199) + var x202 uint64 + var x203 uint1 + x202, x203 = addcarryxU64(x97, x198, 0x0) + var x204 uint64 + x204, _ = addcarryxU64(x98, x200, 
x203) + var x206 uint64 + var x207 uint1 + x206, x207 = addcarryxU64(x31, x27, 0x0) + var x208 uint64 + x208, _ = addcarryxU64(x32, x28, x207) + var x210 uint64 + var x211 uint1 + x210, x211 = addcarryxU64(x37, x206, 0x0) + var x212 uint64 + x212, _ = addcarryxU64(x38, x208, x211) + var x214 uint64 + var x215 uint1 + x214, x215 = addcarryxU64(x85, x210, 0x0) + var x216 uint64 + x216, _ = addcarryxU64(x86, x212, x215) + var x218 uint64 + var x219 uint1 + x218, x219 = addcarryxU64(x99, x214, 0x0) + var x220 uint64 + x220, _ = addcarryxU64(x100, x216, x219) + var x222 uint64 + var x223 uint1 + x222, x223 = addcarryxU64(x39, x33, 0x0) + var x224 uint64 + x224, _ = addcarryxU64(x40, x34, x223) + var x226 uint64 + var x227 uint1 + x226, x227 = addcarryxU64(x47, x222, 0x0) + var x228 uint64 + x228, _ = addcarryxU64(x48, x224, x227) + var x230 uint64 + var x231 uint1 + x230, x231 = addcarryxU64(x87, x226, 0x0) + var x232 uint64 + x232, _ = addcarryxU64(x88, x228, x231) + var x234 uint64 + var x235 uint1 + x234, x235 = addcarryxU64(x101, x230, 0x0) + var x236 uint64 + x236, _ = addcarryxU64(x102, x232, x235) + var x238 uint64 + var x239 uint1 + x238, x239 = addcarryxU64(x41, x35, 0x0) + var x240 uint64 + x240, _ = addcarryxU64(x42, x36, x239) + var x242 uint64 + var x243 uint1 + x242, x243 = addcarryxU64(x49, x238, 0x0) + var x244 uint64 + x244, _ = addcarryxU64(x50, x240, x243) + var x246 uint64 + var x247 uint1 + x246, x247 = addcarryxU64(x59, x242, 0x0) + var x248 uint64 + x248, _ = addcarryxU64(x60, x244, x247) + var x250 uint64 + var x251 uint1 + x250, x251 = addcarryxU64(x103, x246, 0x0) + var x252 uint64 + x252, _ = addcarryxU64(x104, x248, x251) + var x254 uint64 + var x255 uint1 + x254, x255 = addcarryxU64(x123, x250, 0x0) + var x256 uint64 + x256, _ = addcarryxU64(x124, x252, x255) + x258 := ((x254 >> 58) | ((x256 << 6) & 0xffffffffffffffff)) + x259 := (x256 >> 58) + x260 := (x254 & 0x3ffffffffffffff) + var x261 uint64 + var x262 uint1 + x261, x262 = 
addcarryxU64(x258, x234, 0x0) + var x263 uint64 + x263, _ = addcarryxU64(x259, x236, x262) + x265 := ((x261 >> 58) | ((x263 << 6) & 0xffffffffffffffff)) + x266 := (x263 >> 58) + x267 := (x261 & 0x3ffffffffffffff) + var x268 uint64 + var x269 uint1 + x268, x269 = addcarryxU64(x265, x218, 0x0) + var x270 uint64 + x270, _ = addcarryxU64(x266, x220, x269) + x272 := ((x268 >> 58) | ((x270 << 6) & 0xffffffffffffffff)) + x273 := (x270 >> 58) + x274 := (x268 & 0x3ffffffffffffff) + var x275 uint64 + var x276 uint1 + x275, x276 = addcarryxU64(x272, x202, 0x0) + var x277 uint64 + x277, _ = addcarryxU64(x273, x204, x276) + x279 := ((x275 >> 58) | ((x277 << 6) & 0xffffffffffffffff)) + x280 := (x277 >> 58) + x281 := (x275 & 0x3ffffffffffffff) + var x282 uint64 + var x283 uint1 + x282, x283 = addcarryxU64(x279, x186, 0x0) + var x284 uint64 + x284, _ = addcarryxU64(x280, x188, x283) + x286 := ((x282 >> 58) | ((x284 << 6) & 0xffffffffffffffff)) + x287 := (x284 >> 58) + x288 := (x282 & 0x3ffffffffffffff) + var x289 uint64 + var x290 uint1 + x289, x290 = addcarryxU64(x286, x170, 0x0) + var x291 uint64 + x291, _ = addcarryxU64(x287, x172, x290) + x293 := ((x289 >> 58) | ((x291 << 6) & 0xffffffffffffffff)) + x294 := (x291 >> 58) + x295 := (x289 & 0x3ffffffffffffff) + var x296 uint64 + var x297 uint1 + x296, x297 = addcarryxU64(x293, x154, 0x0) + var x298 uint64 + x298, _ = addcarryxU64(x294, x156, x297) + x300 := ((x296 >> 58) | ((x298 << 6) & 0xffffffffffffffff)) + x301 := (x298 >> 58) + x302 := (x296 & 0x3ffffffffffffff) + var x303 uint64 + var x304 uint1 + x303, x304 = addcarryxU64(x300, x138, 0x0) + var x305 uint64 + x305, _ = addcarryxU64(x301, x140, x304) + x307 := ((x303 >> 57) | ((x305 << 7) & 0xffffffffffffffff)) + x308 := (x305 >> 57) + x309 := (x303 & 0x1ffffffffffffff) + var x310 uint64 + var x311 uint1 + x310, x311 = addcarryxU64(x125, x307, 0x0) + x312 := (uint64(x311) + x308) + x313 := ((x310 >> 58) | ((x312 << 6) & 0xffffffffffffffff)) + x314 := (x310 & 
0x3ffffffffffffff) + x315 := (x313 + x260) + x316 := uint1((x315 >> 58)) + x317 := (x315 & 0x3ffffffffffffff) + x318 := (uint64(x316) + x267) + out1[0] = x314 + out1[1] = x317 + out1[2] = x318 + out1[3] = x274 + out1[4] = x281 + out1[5] = x288 + out1[6] = x295 + out1[7] = x302 + out1[8] = x309 } -/* - The function Carry reduces a field element. - Postconditions: - eval out1 mod m = eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] - Output Bounds: - out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - */ -/*inline*/ +// Carry reduces a field element. 
+// +// Postconditions: +// eval out1 mod m = eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] func Carry(out1 *[9]uint64, arg1 *[9]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 = ((x1 >> 58) + (arg1[1])) - var x3 uint64 = ((x2 >> 58) + (arg1[2])) - var x4 uint64 = ((x3 >> 58) + (arg1[3])) - var x5 uint64 = ((x4 >> 58) + (arg1[4])) - var x6 uint64 = ((x5 >> 58) + (arg1[5])) - var x7 uint64 = ((x6 >> 58) + (arg1[6])) - var x8 uint64 = ((x7 >> 58) + (arg1[7])) - var x9 uint64 = ((x8 >> 58) + (arg1[8])) - var x10 uint64 = ((x1 & 0x3ffffffffffffff) + (x9 >> 57)) - var x11 uint64 = (uint64(uint1((x10 >> 58))) + (x2 & 0x3ffffffffffffff)) - var x12 uint64 = (x10 & 0x3ffffffffffffff) - var x13 uint64 = (x11 & 0x3ffffffffffffff) - var x14 uint64 = (uint64(uint1((x11 >> 58))) + (x3 & 0x3ffffffffffffff)) - var x15 uint64 = (x4 & 0x3ffffffffffffff) - var x16 uint64 = (x5 & 0x3ffffffffffffff) - var x17 uint64 = (x6 & 0x3ffffffffffffff) - var x18 uint64 = (x7 & 0x3ffffffffffffff) - var x19 uint64 = (x8 & 0x3ffffffffffffff) - var x20 uint64 = (x9 & 0x1ffffffffffffff) - out1[0] = x12 - out1[1] = x13 - out1[2] = x14 - out1[3] = x15 - out1[4] = x16 - out1[5] = x17 - out1[6] = x18 - out1[7] = x19 - out1[8] = x20 + x1 := arg1[0] + x2 := ((x1 >> 58) + arg1[1]) + x3 := ((x2 >> 58) + arg1[2]) + x4 := ((x3 >> 58) + arg1[3]) + x5 := ((x4 >> 58) + arg1[4]) + x6 := ((x5 >> 58) + arg1[5]) + x7 := ((x6 >> 58) + arg1[6]) + x8 := ((x7 >> 58) + arg1[7]) + x9 := 
((x8 >> 58) + arg1[8]) + x10 := ((x1 & 0x3ffffffffffffff) + (x9 >> 57)) + x11 := (uint64(uint1((x10 >> 58))) + (x2 & 0x3ffffffffffffff)) + x12 := (x10 & 0x3ffffffffffffff) + x13 := (x11 & 0x3ffffffffffffff) + x14 := (uint64(uint1((x11 >> 58))) + (x3 & 0x3ffffffffffffff)) + x15 := (x4 & 0x3ffffffffffffff) + x16 := (x5 & 0x3ffffffffffffff) + x17 := (x6 & 0x3ffffffffffffff) + x18 := (x7 & 0x3ffffffffffffff) + x19 := (x8 & 0x3ffffffffffffff) + x20 := (x9 & 0x1ffffffffffffff) + out1[0] = x12 + out1[1] = x13 + out1[2] = x14 + out1[3] = x15 + out1[4] = x16 + out1[5] = x17 + out1[6] = x18 + out1[7] = x19 + out1[8] = x20 } -/* - The function Add adds two field elements. - Postconditions: - eval out1 mod m = (eval arg1 + eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - arg2: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - Output Bounds: - out1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] - */ -/*inline*/ +// Add adds two field elements. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 + eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] +// arg2: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] func Add(out1 *[9]uint64, arg1 *[9]uint64, arg2 *[9]uint64) { - var x1 uint64 = ((arg1[0]) + (arg2[0])) - var x2 uint64 = ((arg1[1]) + (arg2[1])) - var x3 uint64 = ((arg1[2]) + (arg2[2])) - var x4 uint64 = ((arg1[3]) + (arg2[3])) - var x5 uint64 = ((arg1[4]) + (arg2[4])) - var x6 uint64 = ((arg1[5]) + (arg2[5])) - var x7 uint64 = ((arg1[6]) + (arg2[6])) - var x8 uint64 = ((arg1[7]) + (arg2[7])) - var x9 uint64 = ((arg1[8]) + (arg2[8])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 + x1 := (arg1[0] + arg2[0]) + x2 := (arg1[1] + arg2[1]) + x3 := (arg1[2] + arg2[2]) + x4 := (arg1[3] + arg2[3]) + x5 := (arg1[4] + arg2[4]) + x6 := (arg1[5] + arg2[5]) + x7 := (arg1[6] + arg2[6]) + x8 := (arg1[7] + arg2[7]) + x9 := (arg1[8] + arg2[8]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 } -/* - The function Sub subtracts two field elements. 
- Postconditions: - eval out1 mod m = (eval arg1 - eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - arg2: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - Output Bounds: - out1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] - */ -/*inline*/ +// Sub subtracts two field elements. +// +// Postconditions: +// eval out1 mod m = (eval arg1 - eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] +// arg2: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] func Sub(out1 *[9]uint64, arg1 *[9]uint64, arg2 *[9]uint64) { - var x1 uint64 = ((0x7fffffffffffffe + (arg1[0])) - (arg2[0])) - var x2 uint64 = 
((0x7fffffffffffffe + (arg1[1])) - (arg2[1])) - var x3 uint64 = ((0x7fffffffffffffe + (arg1[2])) - (arg2[2])) - var x4 uint64 = ((0x7fffffffffffffe + (arg1[3])) - (arg2[3])) - var x5 uint64 = ((0x7fffffffffffffe + (arg1[4])) - (arg2[4])) - var x6 uint64 = ((0x7fffffffffffffe + (arg1[5])) - (arg2[5])) - var x7 uint64 = ((0x7fffffffffffffe + (arg1[6])) - (arg2[6])) - var x8 uint64 = ((0x7fffffffffffffe + (arg1[7])) - (arg2[7])) - var x9 uint64 = ((0x3fffffffffffffe + (arg1[8])) - (arg2[8])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 + x1 := ((0x7fffffffffffffe + arg1[0]) - arg2[0]) + x2 := ((0x7fffffffffffffe + arg1[1]) - arg2[1]) + x3 := ((0x7fffffffffffffe + arg1[2]) - arg2[2]) + x4 := ((0x7fffffffffffffe + arg1[3]) - arg2[3]) + x5 := ((0x7fffffffffffffe + arg1[4]) - arg2[4]) + x6 := ((0x7fffffffffffffe + arg1[5]) - arg2[5]) + x7 := ((0x7fffffffffffffe + arg1[6]) - arg2[6]) + x8 := ((0x7fffffffffffffe + arg1[7]) - arg2[7]) + x9 := ((0x3fffffffffffffe + arg1[8]) - arg2[8]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 } -/* - The function Opp negates a field element. - Postconditions: - eval out1 mod m = -eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - Output Bounds: - out1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] - */ -/*inline*/ +// Opp negates a field element. 
+// +// Postconditions: +// eval out1 mod m = -eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0xc00000000000000], [0x0 ~> 0x600000000000000]] func Opp(out1 *[9]uint64, arg1 *[9]uint64) { - var x1 uint64 = (0x7fffffffffffffe - (arg1[0])) - var x2 uint64 = (0x7fffffffffffffe - (arg1[1])) - var x3 uint64 = (0x7fffffffffffffe - (arg1[2])) - var x4 uint64 = (0x7fffffffffffffe - (arg1[3])) - var x5 uint64 = (0x7fffffffffffffe - (arg1[4])) - var x6 uint64 = (0x7fffffffffffffe - (arg1[5])) - var x7 uint64 = (0x7fffffffffffffe - (arg1[6])) - var x8 uint64 = (0x7fffffffffffffe - (arg1[7])) - var x9 uint64 = (0x3fffffffffffffe - (arg1[8])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 + x1 := (0x7fffffffffffffe - arg1[0]) + x2 := (0x7fffffffffffffe - arg1[1]) + x3 := (0x7fffffffffffffe - arg1[2]) + x4 := (0x7fffffffffffffe - arg1[3]) + x5 := (0x7fffffffffffffe - arg1[4]) + x6 := (0x7fffffffffffffe - arg1[5]) + x7 := (0x7fffffffffffffe - arg1[6]) + x8 := (0x7fffffffffffffe - arg1[7]) + x9 := (0x3fffffffffffffe - arg1[8]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[9]uint64, arg1 uint1, arg2 *[9]uint64, arg3 *[9]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - var x5 uint64 - cmovznzU64(&x5, arg1, (arg2[4]), (arg3[4])) - var x6 uint64 - cmovznzU64(&x6, arg1, (arg2[5]), (arg3[5])) - var x7 uint64 - cmovznzU64(&x7, arg1, (arg2[6]), (arg3[6])) - var x8 uint64 - cmovznzU64(&x8, arg1, (arg2[7]), (arg3[7])) - var x9 uint64 - cmovznzU64(&x9, arg1, (arg2[8]), (arg3[8])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + var x5 uint64 + 
cmovznzU64(&x5, arg1, arg2[4], arg3[4]) + var x6 uint64 + cmovznzU64(&x6, arg1, arg2[5], arg3[5]) + var x7 uint64 + cmovznzU64(&x7, arg1, arg2[6], arg3[6]) + var x8 uint64 + cmovznzU64(&x8, arg1, arg2[7], arg3[7]) + var x9 uint64 + cmovznzU64(&x9, arg1, arg2[8], arg3[8]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 + out1[4] = x5 + out1[5] = x6 + out1[6] = x7 + out1[7] = x8 + out1[8] = x9 } -/* - The function ToBytes serializes a field element to bytes in little-endian order. - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] - - Input Bounds: - arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] - */ -/*inline*/ +// ToBytes serializes a field element to bytes in little-endian order. 
+// +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] +// +// Input Bounds: +// arg1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] func ToBytes(out1 *[66]uint8, arg1 *[9]uint64) { - var x1 uint64 - var x2 uint1 - subborrowxU58(&x1, &x2, 0x0, (arg1[0]), 0x3ffffffffffffff) - var x3 uint64 - var x4 uint1 - subborrowxU58(&x3, &x4, x2, (arg1[1]), 0x3ffffffffffffff) - var x5 uint64 - var x6 uint1 - subborrowxU58(&x5, &x6, x4, (arg1[2]), 0x3ffffffffffffff) - var x7 uint64 - var x8 uint1 - subborrowxU58(&x7, &x8, x6, (arg1[3]), 0x3ffffffffffffff) - var x9 uint64 - var x10 uint1 - subborrowxU58(&x9, &x10, x8, (arg1[4]), 0x3ffffffffffffff) - var x11 uint64 - var x12 uint1 - subborrowxU58(&x11, &x12, x10, (arg1[5]), 
0x3ffffffffffffff) - var x13 uint64 - var x14 uint1 - subborrowxU58(&x13, &x14, x12, (arg1[6]), 0x3ffffffffffffff) - var x15 uint64 - var x16 uint1 - subborrowxU58(&x15, &x16, x14, (arg1[7]), 0x3ffffffffffffff) - var x17 uint64 - var x18 uint1 - subborrowxU57(&x17, &x18, x16, (arg1[8]), 0x1ffffffffffffff) - var x19 uint64 - cmovznzU64(&x19, x18, uint64(0x0), 0xffffffffffffffff) - var x20 uint64 - var x21 uint1 - addcarryxU58(&x20, &x21, 0x0, x1, (x19 & 0x3ffffffffffffff)) - var x22 uint64 - var x23 uint1 - addcarryxU58(&x22, &x23, x21, x3, (x19 & 0x3ffffffffffffff)) - var x24 uint64 - var x25 uint1 - addcarryxU58(&x24, &x25, x23, x5, (x19 & 0x3ffffffffffffff)) - var x26 uint64 - var x27 uint1 - addcarryxU58(&x26, &x27, x25, x7, (x19 & 0x3ffffffffffffff)) - var x28 uint64 - var x29 uint1 - addcarryxU58(&x28, &x29, x27, x9, (x19 & 0x3ffffffffffffff)) - var x30 uint64 - var x31 uint1 - addcarryxU58(&x30, &x31, x29, x11, (x19 & 0x3ffffffffffffff)) - var x32 uint64 - var x33 uint1 - addcarryxU58(&x32, &x33, x31, x13, (x19 & 0x3ffffffffffffff)) - var x34 uint64 - var x35 uint1 - addcarryxU58(&x34, &x35, x33, x15, (x19 & 0x3ffffffffffffff)) - var x36 uint64 - var x37 uint1 - addcarryxU57(&x36, &x37, x35, x17, (x19 & 0x1ffffffffffffff)) - var x38 uint64 = (x34 << 6) - var x39 uint64 = (x32 << 4) - var x40 uint64 = (x30 << 2) - var x41 uint64 = (x26 << 6) - var x42 uint64 = (x24 << 4) - var x43 uint64 = (x22 << 2) - var x44 uint8 = (uint8(x20) & 0xff) - var x45 uint64 = (x20 >> 8) - var x46 uint8 = (uint8(x45) & 0xff) - var x47 uint64 = (x45 >> 8) - var x48 uint8 = (uint8(x47) & 0xff) - var x49 uint64 = (x47 >> 8) - var x50 uint8 = (uint8(x49) & 0xff) - var x51 uint64 = (x49 >> 8) - var x52 uint8 = (uint8(x51) & 0xff) - var x53 uint64 = (x51 >> 8) - var x54 uint8 = (uint8(x53) & 0xff) - var x55 uint64 = (x53 >> 8) - var x56 uint8 = (uint8(x55) & 0xff) - var x57 uint8 = uint8((x55 >> 8)) - var x58 uint64 = (x43 + uint64(x57)) - var x59 uint8 = (uint8(x58) & 0xff) - var x60 
uint64 = (x58 >> 8) - var x61 uint8 = (uint8(x60) & 0xff) - var x62 uint64 = (x60 >> 8) - var x63 uint8 = (uint8(x62) & 0xff) - var x64 uint64 = (x62 >> 8) - var x65 uint8 = (uint8(x64) & 0xff) - var x66 uint64 = (x64 >> 8) - var x67 uint8 = (uint8(x66) & 0xff) - var x68 uint64 = (x66 >> 8) - var x69 uint8 = (uint8(x68) & 0xff) - var x70 uint64 = (x68 >> 8) - var x71 uint8 = (uint8(x70) & 0xff) - var x72 uint8 = uint8((x70 >> 8)) - var x73 uint64 = (x42 + uint64(x72)) - var x74 uint8 = (uint8(x73) & 0xff) - var x75 uint64 = (x73 >> 8) - var x76 uint8 = (uint8(x75) & 0xff) - var x77 uint64 = (x75 >> 8) - var x78 uint8 = (uint8(x77) & 0xff) - var x79 uint64 = (x77 >> 8) - var x80 uint8 = (uint8(x79) & 0xff) - var x81 uint64 = (x79 >> 8) - var x82 uint8 = (uint8(x81) & 0xff) - var x83 uint64 = (x81 >> 8) - var x84 uint8 = (uint8(x83) & 0xff) - var x85 uint64 = (x83 >> 8) - var x86 uint8 = (uint8(x85) & 0xff) - var x87 uint8 = uint8((x85 >> 8)) - var x88 uint64 = (x41 + uint64(x87)) - var x89 uint8 = (uint8(x88) & 0xff) - var x90 uint64 = (x88 >> 8) - var x91 uint8 = (uint8(x90) & 0xff) - var x92 uint64 = (x90 >> 8) - var x93 uint8 = (uint8(x92) & 0xff) - var x94 uint64 = (x92 >> 8) - var x95 uint8 = (uint8(x94) & 0xff) - var x96 uint64 = (x94 >> 8) - var x97 uint8 = (uint8(x96) & 0xff) - var x98 uint64 = (x96 >> 8) - var x99 uint8 = (uint8(x98) & 0xff) - var x100 uint64 = (x98 >> 8) - var x101 uint8 = (uint8(x100) & 0xff) - var x102 uint8 = uint8((x100 >> 8)) - var x103 uint8 = (uint8(x28) & 0xff) - var x104 uint64 = (x28 >> 8) - var x105 uint8 = (uint8(x104) & 0xff) - var x106 uint64 = (x104 >> 8) - var x107 uint8 = (uint8(x106) & 0xff) - var x108 uint64 = (x106 >> 8) - var x109 uint8 = (uint8(x108) & 0xff) - var x110 uint64 = (x108 >> 8) - var x111 uint8 = (uint8(x110) & 0xff) - var x112 uint64 = (x110 >> 8) - var x113 uint8 = (uint8(x112) & 0xff) - var x114 uint64 = (x112 >> 8) - var x115 uint8 = (uint8(x114) & 0xff) - var x116 uint8 = uint8((x114 >> 8)) - var x117 
uint64 = (x40 + uint64(x116)) - var x118 uint8 = (uint8(x117) & 0xff) - var x119 uint64 = (x117 >> 8) - var x120 uint8 = (uint8(x119) & 0xff) - var x121 uint64 = (x119 >> 8) - var x122 uint8 = (uint8(x121) & 0xff) - var x123 uint64 = (x121 >> 8) - var x124 uint8 = (uint8(x123) & 0xff) - var x125 uint64 = (x123 >> 8) - var x126 uint8 = (uint8(x125) & 0xff) - var x127 uint64 = (x125 >> 8) - var x128 uint8 = (uint8(x127) & 0xff) - var x129 uint64 = (x127 >> 8) - var x130 uint8 = (uint8(x129) & 0xff) - var x131 uint8 = uint8((x129 >> 8)) - var x132 uint64 = (x39 + uint64(x131)) - var x133 uint8 = (uint8(x132) & 0xff) - var x134 uint64 = (x132 >> 8) - var x135 uint8 = (uint8(x134) & 0xff) - var x136 uint64 = (x134 >> 8) - var x137 uint8 = (uint8(x136) & 0xff) - var x138 uint64 = (x136 >> 8) - var x139 uint8 = (uint8(x138) & 0xff) - var x140 uint64 = (x138 >> 8) - var x141 uint8 = (uint8(x140) & 0xff) - var x142 uint64 = (x140 >> 8) - var x143 uint8 = (uint8(x142) & 0xff) - var x144 uint64 = (x142 >> 8) - var x145 uint8 = (uint8(x144) & 0xff) - var x146 uint8 = uint8((x144 >> 8)) - var x147 uint64 = (x38 + uint64(x146)) - var x148 uint8 = (uint8(x147) & 0xff) - var x149 uint64 = (x147 >> 8) - var x150 uint8 = (uint8(x149) & 0xff) - var x151 uint64 = (x149 >> 8) - var x152 uint8 = (uint8(x151) & 0xff) - var x153 uint64 = (x151 >> 8) - var x154 uint8 = (uint8(x153) & 0xff) - var x155 uint64 = (x153 >> 8) - var x156 uint8 = (uint8(x155) & 0xff) - var x157 uint64 = (x155 >> 8) - var x158 uint8 = (uint8(x157) & 0xff) - var x159 uint64 = (x157 >> 8) - var x160 uint8 = (uint8(x159) & 0xff) - var x161 uint8 = uint8((x159 >> 8)) - var x162 uint8 = (uint8(x36) & 0xff) - var x163 uint64 = (x36 >> 8) - var x164 uint8 = (uint8(x163) & 0xff) - var x165 uint64 = (x163 >> 8) - var x166 uint8 = (uint8(x165) & 0xff) - var x167 uint64 = (x165 >> 8) - var x168 uint8 = (uint8(x167) & 0xff) - var x169 uint64 = (x167 >> 8) - var x170 uint8 = (uint8(x169) & 0xff) - var x171 uint64 = (x169 >> 8) 
- var x172 uint8 = (uint8(x171) & 0xff) - var x173 uint64 = (x171 >> 8) - var x174 uint8 = (uint8(x173) & 0xff) - var x175 uint1 = uint1((x173 >> 8)) - out1[0] = x44 - out1[1] = x46 - out1[2] = x48 - out1[3] = x50 - out1[4] = x52 - out1[5] = x54 - out1[6] = x56 - out1[7] = x59 - out1[8] = x61 - out1[9] = x63 - out1[10] = x65 - out1[11] = x67 - out1[12] = x69 - out1[13] = x71 - out1[14] = x74 - out1[15] = x76 - out1[16] = x78 - out1[17] = x80 - out1[18] = x82 - out1[19] = x84 - out1[20] = x86 - out1[21] = x89 - out1[22] = x91 - out1[23] = x93 - out1[24] = x95 - out1[25] = x97 - out1[26] = x99 - out1[27] = x101 - out1[28] = x102 - out1[29] = x103 - out1[30] = x105 - out1[31] = x107 - out1[32] = x109 - out1[33] = x111 - out1[34] = x113 - out1[35] = x115 - out1[36] = x118 - out1[37] = x120 - out1[38] = x122 - out1[39] = x124 - out1[40] = x126 - out1[41] = x128 - out1[42] = x130 - out1[43] = x133 - out1[44] = x135 - out1[45] = x137 - out1[46] = x139 - out1[47] = x141 - out1[48] = x143 - out1[49] = x145 - out1[50] = x148 - out1[51] = x150 - out1[52] = x152 - out1[53] = x154 - out1[54] = x156 - out1[55] = x158 - out1[56] = x160 - out1[57] = x161 - out1[58] = x162 - out1[59] = x164 - out1[60] = x166 - out1[61] = x168 - out1[62] = x170 - out1[63] = x172 - out1[64] = x174 - out1[65] = uint8(x175) + var x1 uint64 + var x2 uint1 + subborrowxU58(&x1, &x2, 0x0, arg1[0], 0x3ffffffffffffff) + var x3 uint64 + var x4 uint1 + subborrowxU58(&x3, &x4, x2, arg1[1], 0x3ffffffffffffff) + var x5 uint64 + var x6 uint1 + subborrowxU58(&x5, &x6, x4, arg1[2], 0x3ffffffffffffff) + var x7 uint64 + var x8 uint1 + subborrowxU58(&x7, &x8, x6, arg1[3], 0x3ffffffffffffff) + var x9 uint64 + var x10 uint1 + subborrowxU58(&x9, &x10, x8, arg1[4], 0x3ffffffffffffff) + var x11 uint64 + var x12 uint1 + subborrowxU58(&x11, &x12, x10, arg1[5], 0x3ffffffffffffff) + var x13 uint64 + var x14 uint1 + subborrowxU58(&x13, &x14, x12, arg1[6], 0x3ffffffffffffff) + var x15 uint64 + var x16 uint1 + subborrowxU58(&x15, 
&x16, x14, arg1[7], 0x3ffffffffffffff) + var x17 uint64 + var x18 uint1 + subborrowxU57(&x17, &x18, x16, arg1[8], 0x1ffffffffffffff) + var x19 uint64 + cmovznzU64(&x19, x18, uint64(0x0), 0xffffffffffffffff) + var x20 uint64 + var x21 uint1 + addcarryxU58(&x20, &x21, 0x0, x1, (x19 & 0x3ffffffffffffff)) + var x22 uint64 + var x23 uint1 + addcarryxU58(&x22, &x23, x21, x3, (x19 & 0x3ffffffffffffff)) + var x24 uint64 + var x25 uint1 + addcarryxU58(&x24, &x25, x23, x5, (x19 & 0x3ffffffffffffff)) + var x26 uint64 + var x27 uint1 + addcarryxU58(&x26, &x27, x25, x7, (x19 & 0x3ffffffffffffff)) + var x28 uint64 + var x29 uint1 + addcarryxU58(&x28, &x29, x27, x9, (x19 & 0x3ffffffffffffff)) + var x30 uint64 + var x31 uint1 + addcarryxU58(&x30, &x31, x29, x11, (x19 & 0x3ffffffffffffff)) + var x32 uint64 + var x33 uint1 + addcarryxU58(&x32, &x33, x31, x13, (x19 & 0x3ffffffffffffff)) + var x34 uint64 + var x35 uint1 + addcarryxU58(&x34, &x35, x33, x15, (x19 & 0x3ffffffffffffff)) + var x36 uint64 + var x37 uint1 + addcarryxU57(&x36, &x37, x35, x17, (x19 & 0x1ffffffffffffff)) + x38 := (x34 << 6) + x39 := (x32 << 4) + x40 := (x30 << 2) + x41 := (x26 << 6) + x42 := (x24 << 4) + x43 := (x22 << 2) + x44 := (uint8(x20) & 0xff) + x45 := (x20 >> 8) + x46 := (uint8(x45) & 0xff) + x47 := (x45 >> 8) + x48 := (uint8(x47) & 0xff) + x49 := (x47 >> 8) + x50 := (uint8(x49) & 0xff) + x51 := (x49 >> 8) + x52 := (uint8(x51) & 0xff) + x53 := (x51 >> 8) + x54 := (uint8(x53) & 0xff) + x55 := (x53 >> 8) + x56 := (uint8(x55) & 0xff) + x57 := uint8((x55 >> 8)) + x58 := (x43 + uint64(x57)) + x59 := (uint8(x58) & 0xff) + x60 := (x58 >> 8) + x61 := (uint8(x60) & 0xff) + x62 := (x60 >> 8) + x63 := (uint8(x62) & 0xff) + x64 := (x62 >> 8) + x65 := (uint8(x64) & 0xff) + x66 := (x64 >> 8) + x67 := (uint8(x66) & 0xff) + x68 := (x66 >> 8) + x69 := (uint8(x68) & 0xff) + x70 := (x68 >> 8) + x71 := (uint8(x70) & 0xff) + x72 := uint8((x70 >> 8)) + x73 := (x42 + uint64(x72)) + x74 := (uint8(x73) & 0xff) + x75 := (x73 >> 
8) + x76 := (uint8(x75) & 0xff) + x77 := (x75 >> 8) + x78 := (uint8(x77) & 0xff) + x79 := (x77 >> 8) + x80 := (uint8(x79) & 0xff) + x81 := (x79 >> 8) + x82 := (uint8(x81) & 0xff) + x83 := (x81 >> 8) + x84 := (uint8(x83) & 0xff) + x85 := (x83 >> 8) + x86 := (uint8(x85) & 0xff) + x87 := uint8((x85 >> 8)) + x88 := (x41 + uint64(x87)) + x89 := (uint8(x88) & 0xff) + x90 := (x88 >> 8) + x91 := (uint8(x90) & 0xff) + x92 := (x90 >> 8) + x93 := (uint8(x92) & 0xff) + x94 := (x92 >> 8) + x95 := (uint8(x94) & 0xff) + x96 := (x94 >> 8) + x97 := (uint8(x96) & 0xff) + x98 := (x96 >> 8) + x99 := (uint8(x98) & 0xff) + x100 := (x98 >> 8) + x101 := (uint8(x100) & 0xff) + x102 := uint8((x100 >> 8)) + x103 := (uint8(x28) & 0xff) + x104 := (x28 >> 8) + x105 := (uint8(x104) & 0xff) + x106 := (x104 >> 8) + x107 := (uint8(x106) & 0xff) + x108 := (x106 >> 8) + x109 := (uint8(x108) & 0xff) + x110 := (x108 >> 8) + x111 := (uint8(x110) & 0xff) + x112 := (x110 >> 8) + x113 := (uint8(x112) & 0xff) + x114 := (x112 >> 8) + x115 := (uint8(x114) & 0xff) + x116 := uint8((x114 >> 8)) + x117 := (x40 + uint64(x116)) + x118 := (uint8(x117) & 0xff) + x119 := (x117 >> 8) + x120 := (uint8(x119) & 0xff) + x121 := (x119 >> 8) + x122 := (uint8(x121) & 0xff) + x123 := (x121 >> 8) + x124 := (uint8(x123) & 0xff) + x125 := (x123 >> 8) + x126 := (uint8(x125) & 0xff) + x127 := (x125 >> 8) + x128 := (uint8(x127) & 0xff) + x129 := (x127 >> 8) + x130 := (uint8(x129) & 0xff) + x131 := uint8((x129 >> 8)) + x132 := (x39 + uint64(x131)) + x133 := (uint8(x132) & 0xff) + x134 := (x132 >> 8) + x135 := (uint8(x134) & 0xff) + x136 := (x134 >> 8) + x137 := (uint8(x136) & 0xff) + x138 := (x136 >> 8) + x139 := (uint8(x138) & 0xff) + x140 := (x138 >> 8) + x141 := (uint8(x140) & 0xff) + x142 := (x140 >> 8) + x143 := (uint8(x142) & 0xff) + x144 := (x142 >> 8) + x145 := (uint8(x144) & 0xff) + x146 := uint8((x144 >> 8)) + x147 := (x38 + uint64(x146)) + x148 := (uint8(x147) & 0xff) + x149 := (x147 >> 8) + x150 := (uint8(x149) & 0xff) + 
x151 := (x149 >> 8) + x152 := (uint8(x151) & 0xff) + x153 := (x151 >> 8) + x154 := (uint8(x153) & 0xff) + x155 := (x153 >> 8) + x156 := (uint8(x155) & 0xff) + x157 := (x155 >> 8) + x158 := (uint8(x157) & 0xff) + x159 := (x157 >> 8) + x160 := (uint8(x159) & 0xff) + x161 := uint8((x159 >> 8)) + x162 := (uint8(x36) & 0xff) + x163 := (x36 >> 8) + x164 := (uint8(x163) & 0xff) + x165 := (x163 >> 8) + x166 := (uint8(x165) & 0xff) + x167 := (x165 >> 8) + x168 := (uint8(x167) & 0xff) + x169 := (x167 >> 8) + x170 := (uint8(x169) & 0xff) + x171 := (x169 >> 8) + x172 := (uint8(x171) & 0xff) + x173 := (x171 >> 8) + x174 := (uint8(x173) & 0xff) + x175 := uint1((x173 >> 8)) + out1[0] = x44 + out1[1] = x46 + out1[2] = x48 + out1[3] = x50 + out1[4] = x52 + out1[5] = x54 + out1[6] = x56 + out1[7] = x59 + out1[8] = x61 + out1[9] = x63 + out1[10] = x65 + out1[11] = x67 + out1[12] = x69 + out1[13] = x71 + out1[14] = x74 + out1[15] = x76 + out1[16] = x78 + out1[17] = x80 + out1[18] = x82 + out1[19] = x84 + out1[20] = x86 + out1[21] = x89 + out1[22] = x91 + out1[23] = x93 + out1[24] = x95 + out1[25] = x97 + out1[26] = x99 + out1[27] = x101 + out1[28] = x102 + out1[29] = x103 + out1[30] = x105 + out1[31] = x107 + out1[32] = x109 + out1[33] = x111 + out1[34] = x113 + out1[35] = x115 + out1[36] = x118 + out1[37] = x120 + out1[38] = x122 + out1[39] = x124 + out1[40] = x126 + out1[41] = x128 + out1[42] = x130 + out1[43] = x133 + out1[44] = x135 + out1[45] = x137 + out1[46] = x139 + out1[47] = x141 + out1[48] = x143 + out1[49] = x145 + out1[50] = x148 + out1[51] = x150 + out1[52] = x152 + out1[53] = x154 + out1[54] = x156 + out1[55] = x158 + out1[56] = x160 + out1[57] = x161 + out1[58] = x162 + out1[59] = x164 + out1[60] = x166 + out1[61] = x168 + out1[62] = x170 + out1[63] = x172 + out1[64] = x174 + out1[65] = uint8(x175) } -/* - The function FromBytes deserializes a field element from bytes in little-endian order. 
- Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] - Output Bounds: - out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] - */ -/*inline*/ +// FromBytes deserializes a field element from bytes in little-endian order. 
+// +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] +// Output Bounds: +// out1: [[0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x400000000000000], [0x0 ~> 0x200000000000000]] func FromBytes(out1 *[9]uint64, arg1 *[66]uint8) { - var x1 uint64 = (uint64(uint1((arg1[65]))) << 56) - var x2 uint64 = (uint64((arg1[64])) << 48) - var x3 uint64 = (uint64((arg1[63])) << 40) - var x4 uint64 = (uint64((arg1[62])) << 32) - var x5 uint64 = (uint64((arg1[61])) << 24) - var x6 uint64 = (uint64((arg1[60])) << 16) - var x7 uint64 = (uint64((arg1[59])) << 8) - var x8 uint8 = (arg1[58]) - var x9 uint64 = (uint64((arg1[57])) << 50) - var x10 uint64 = (uint64((arg1[56])) << 42) - var x11 uint64 = (uint64((arg1[55])) << 34) - var x12 uint64 = (uint64((arg1[54])) << 26) - var x13 uint64 = (uint64((arg1[53])) << 
18) - var x14 uint64 = (uint64((arg1[52])) << 10) - var x15 uint64 = (uint64((arg1[51])) << 2) - var x16 uint64 = (uint64((arg1[50])) << 52) - var x17 uint64 = (uint64((arg1[49])) << 44) - var x18 uint64 = (uint64((arg1[48])) << 36) - var x19 uint64 = (uint64((arg1[47])) << 28) - var x20 uint64 = (uint64((arg1[46])) << 20) - var x21 uint64 = (uint64((arg1[45])) << 12) - var x22 uint64 = (uint64((arg1[44])) << 4) - var x23 uint64 = (uint64((arg1[43])) << 54) - var x24 uint64 = (uint64((arg1[42])) << 46) - var x25 uint64 = (uint64((arg1[41])) << 38) - var x26 uint64 = (uint64((arg1[40])) << 30) - var x27 uint64 = (uint64((arg1[39])) << 22) - var x28 uint64 = (uint64((arg1[38])) << 14) - var x29 uint64 = (uint64((arg1[37])) << 6) - var x30 uint64 = (uint64((arg1[36])) << 56) - var x31 uint64 = (uint64((arg1[35])) << 48) - var x32 uint64 = (uint64((arg1[34])) << 40) - var x33 uint64 = (uint64((arg1[33])) << 32) - var x34 uint64 = (uint64((arg1[32])) << 24) - var x35 uint64 = (uint64((arg1[31])) << 16) - var x36 uint64 = (uint64((arg1[30])) << 8) - var x37 uint8 = (arg1[29]) - var x38 uint64 = (uint64((arg1[28])) << 50) - var x39 uint64 = (uint64((arg1[27])) << 42) - var x40 uint64 = (uint64((arg1[26])) << 34) - var x41 uint64 = (uint64((arg1[25])) << 26) - var x42 uint64 = (uint64((arg1[24])) << 18) - var x43 uint64 = (uint64((arg1[23])) << 10) - var x44 uint64 = (uint64((arg1[22])) << 2) - var x45 uint64 = (uint64((arg1[21])) << 52) - var x46 uint64 = (uint64((arg1[20])) << 44) - var x47 uint64 = (uint64((arg1[19])) << 36) - var x48 uint64 = (uint64((arg1[18])) << 28) - var x49 uint64 = (uint64((arg1[17])) << 20) - var x50 uint64 = (uint64((arg1[16])) << 12) - var x51 uint64 = (uint64((arg1[15])) << 4) - var x52 uint64 = (uint64((arg1[14])) << 54) - var x53 uint64 = (uint64((arg1[13])) << 46) - var x54 uint64 = (uint64((arg1[12])) << 38) - var x55 uint64 = (uint64((arg1[11])) << 30) - var x56 uint64 = (uint64((arg1[10])) << 22) - var x57 uint64 = (uint64((arg1[9])) << 
14) - var x58 uint64 = (uint64((arg1[8])) << 6) - var x59 uint64 = (uint64((arg1[7])) << 56) - var x60 uint64 = (uint64((arg1[6])) << 48) - var x61 uint64 = (uint64((arg1[5])) << 40) - var x62 uint64 = (uint64((arg1[4])) << 32) - var x63 uint64 = (uint64((arg1[3])) << 24) - var x64 uint64 = (uint64((arg1[2])) << 16) - var x65 uint64 = (uint64((arg1[1])) << 8) - var x66 uint8 = (arg1[0]) - var x67 uint64 = (x65 + uint64(x66)) - var x68 uint64 = (x64 + x67) - var x69 uint64 = (x63 + x68) - var x70 uint64 = (x62 + x69) - var x71 uint64 = (x61 + x70) - var x72 uint64 = (x60 + x71) - var x73 uint64 = (x59 + x72) - var x74 uint64 = (x73 & 0x3ffffffffffffff) - var x75 uint8 = uint8((x73 >> 58)) - var x76 uint64 = (x58 + uint64(x75)) - var x77 uint64 = (x57 + x76) - var x78 uint64 = (x56 + x77) - var x79 uint64 = (x55 + x78) - var x80 uint64 = (x54 + x79) - var x81 uint64 = (x53 + x80) - var x82 uint64 = (x52 + x81) - var x83 uint64 = (x82 & 0x3ffffffffffffff) - var x84 uint8 = uint8((x82 >> 58)) - var x85 uint64 = (x51 + uint64(x84)) - var x86 uint64 = (x50 + x85) - var x87 uint64 = (x49 + x86) - var x88 uint64 = (x48 + x87) - var x89 uint64 = (x47 + x88) - var x90 uint64 = (x46 + x89) - var x91 uint64 = (x45 + x90) - var x92 uint64 = (x91 & 0x3ffffffffffffff) - var x93 uint8 = uint8((x91 >> 58)) - var x94 uint64 = (x44 + uint64(x93)) - var x95 uint64 = (x43 + x94) - var x96 uint64 = (x42 + x95) - var x97 uint64 = (x41 + x96) - var x98 uint64 = (x40 + x97) - var x99 uint64 = (x39 + x98) - var x100 uint64 = (x38 + x99) - var x101 uint64 = (x36 + uint64(x37)) - var x102 uint64 = (x35 + x101) - var x103 uint64 = (x34 + x102) - var x104 uint64 = (x33 + x103) - var x105 uint64 = (x32 + x104) - var x106 uint64 = (x31 + x105) - var x107 uint64 = (x30 + x106) - var x108 uint64 = (x107 & 0x3ffffffffffffff) - var x109 uint8 = uint8((x107 >> 58)) - var x110 uint64 = (x29 + uint64(x109)) - var x111 uint64 = (x28 + x110) - var x112 uint64 = (x27 + x111) - var x113 uint64 = (x26 + 
x112) - var x114 uint64 = (x25 + x113) - var x115 uint64 = (x24 + x114) - var x116 uint64 = (x23 + x115) - var x117 uint64 = (x116 & 0x3ffffffffffffff) - var x118 uint8 = uint8((x116 >> 58)) - var x119 uint64 = (x22 + uint64(x118)) - var x120 uint64 = (x21 + x119) - var x121 uint64 = (x20 + x120) - var x122 uint64 = (x19 + x121) - var x123 uint64 = (x18 + x122) - var x124 uint64 = (x17 + x123) - var x125 uint64 = (x16 + x124) - var x126 uint64 = (x125 & 0x3ffffffffffffff) - var x127 uint8 = uint8((x125 >> 58)) - var x128 uint64 = (x15 + uint64(x127)) - var x129 uint64 = (x14 + x128) - var x130 uint64 = (x13 + x129) - var x131 uint64 = (x12 + x130) - var x132 uint64 = (x11 + x131) - var x133 uint64 = (x10 + x132) - var x134 uint64 = (x9 + x133) - var x135 uint64 = (x7 + uint64(x8)) - var x136 uint64 = (x6 + x135) - var x137 uint64 = (x5 + x136) - var x138 uint64 = (x4 + x137) - var x139 uint64 = (x3 + x138) - var x140 uint64 = (x2 + x139) - var x141 uint64 = (x1 + x140) - out1[0] = x74 - out1[1] = x83 - out1[2] = x92 - out1[3] = x100 - out1[4] = x108 - out1[5] = x117 - out1[6] = x126 - out1[7] = x134 - out1[8] = x141 + x1 := (uint64(uint1(arg1[65])) << 56) + x2 := (uint64(arg1[64]) << 48) + x3 := (uint64(arg1[63]) << 40) + x4 := (uint64(arg1[62]) << 32) + x5 := (uint64(arg1[61]) << 24) + x6 := (uint64(arg1[60]) << 16) + x7 := (uint64(arg1[59]) << 8) + x8 := arg1[58] + x9 := (uint64(arg1[57]) << 50) + x10 := (uint64(arg1[56]) << 42) + x11 := (uint64(arg1[55]) << 34) + x12 := (uint64(arg1[54]) << 26) + x13 := (uint64(arg1[53]) << 18) + x14 := (uint64(arg1[52]) << 10) + x15 := (uint64(arg1[51]) << 2) + x16 := (uint64(arg1[50]) << 52) + x17 := (uint64(arg1[49]) << 44) + x18 := (uint64(arg1[48]) << 36) + x19 := (uint64(arg1[47]) << 28) + x20 := (uint64(arg1[46]) << 20) + x21 := (uint64(arg1[45]) << 12) + x22 := (uint64(arg1[44]) << 4) + x23 := (uint64(arg1[43]) << 54) + x24 := (uint64(arg1[42]) << 46) + x25 := (uint64(arg1[41]) << 38) + x26 := (uint64(arg1[40]) << 30) + 
x27 := (uint64(arg1[39]) << 22) + x28 := (uint64(arg1[38]) << 14) + x29 := (uint64(arg1[37]) << 6) + x30 := (uint64(arg1[36]) << 56) + x31 := (uint64(arg1[35]) << 48) + x32 := (uint64(arg1[34]) << 40) + x33 := (uint64(arg1[33]) << 32) + x34 := (uint64(arg1[32]) << 24) + x35 := (uint64(arg1[31]) << 16) + x36 := (uint64(arg1[30]) << 8) + x37 := arg1[29] + x38 := (uint64(arg1[28]) << 50) + x39 := (uint64(arg1[27]) << 42) + x40 := (uint64(arg1[26]) << 34) + x41 := (uint64(arg1[25]) << 26) + x42 := (uint64(arg1[24]) << 18) + x43 := (uint64(arg1[23]) << 10) + x44 := (uint64(arg1[22]) << 2) + x45 := (uint64(arg1[21]) << 52) + x46 := (uint64(arg1[20]) << 44) + x47 := (uint64(arg1[19]) << 36) + x48 := (uint64(arg1[18]) << 28) + x49 := (uint64(arg1[17]) << 20) + x50 := (uint64(arg1[16]) << 12) + x51 := (uint64(arg1[15]) << 4) + x52 := (uint64(arg1[14]) << 54) + x53 := (uint64(arg1[13]) << 46) + x54 := (uint64(arg1[12]) << 38) + x55 := (uint64(arg1[11]) << 30) + x56 := (uint64(arg1[10]) << 22) + x57 := (uint64(arg1[9]) << 14) + x58 := (uint64(arg1[8]) << 6) + x59 := (uint64(arg1[7]) << 56) + x60 := (uint64(arg1[6]) << 48) + x61 := (uint64(arg1[5]) << 40) + x62 := (uint64(arg1[4]) << 32) + x63 := (uint64(arg1[3]) << 24) + x64 := (uint64(arg1[2]) << 16) + x65 := (uint64(arg1[1]) << 8) + x66 := arg1[0] + x67 := (x65 + uint64(x66)) + x68 := (x64 + x67) + x69 := (x63 + x68) + x70 := (x62 + x69) + x71 := (x61 + x70) + x72 := (x60 + x71) + x73 := (x59 + x72) + x74 := (x73 & 0x3ffffffffffffff) + x75 := uint8((x73 >> 58)) + x76 := (x58 + uint64(x75)) + x77 := (x57 + x76) + x78 := (x56 + x77) + x79 := (x55 + x78) + x80 := (x54 + x79) + x81 := (x53 + x80) + x82 := (x52 + x81) + x83 := (x82 & 0x3ffffffffffffff) + x84 := uint8((x82 >> 58)) + x85 := (x51 + uint64(x84)) + x86 := (x50 + x85) + x87 := (x49 + x86) + x88 := (x48 + x87) + x89 := (x47 + x88) + x90 := (x46 + x89) + x91 := (x45 + x90) + x92 := (x91 & 0x3ffffffffffffff) + x93 := uint8((x91 >> 58)) + x94 := (x44 + uint64(x93)) + x95 
:= (x43 + x94) + x96 := (x42 + x95) + x97 := (x41 + x96) + x98 := (x40 + x97) + x99 := (x39 + x98) + x100 := (x38 + x99) + x101 := (x36 + uint64(x37)) + x102 := (x35 + x101) + x103 := (x34 + x102) + x104 := (x33 + x103) + x105 := (x32 + x104) + x106 := (x31 + x105) + x107 := (x30 + x106) + x108 := (x107 & 0x3ffffffffffffff) + x109 := uint8((x107 >> 58)) + x110 := (x29 + uint64(x109)) + x111 := (x28 + x110) + x112 := (x27 + x111) + x113 := (x26 + x112) + x114 := (x25 + x113) + x115 := (x24 + x114) + x116 := (x23 + x115) + x117 := (x116 & 0x3ffffffffffffff) + x118 := uint8((x116 >> 58)) + x119 := (x22 + uint64(x118)) + x120 := (x21 + x119) + x121 := (x20 + x120) + x122 := (x19 + x121) + x123 := (x18 + x122) + x124 := (x17 + x123) + x125 := (x16 + x124) + x126 := (x125 & 0x3ffffffffffffff) + x127 := uint8((x125 >> 58)) + x128 := (x15 + uint64(x127)) + x129 := (x14 + x128) + x130 := (x13 + x129) + x131 := (x12 + x130) + x132 := (x11 + x131) + x133 := (x10 + x132) + x134 := (x9 + x133) + x135 := (x7 + uint64(x8)) + x136 := (x6 + x135) + x137 := (x5 + x136) + x138 := (x4 + x137) + x139 := (x3 + x138) + x140 := (x2 + x139) + x141 := (x1 + x140) + out1[0] = x74 + out1[1] = x83 + out1[2] = x92 + out1[3] = x100 + out1[4] = x108 + out1[5] = x117 + out1[6] = x126 + out1[7] = x134 + out1[8] = x141 } - diff --git a/fiat-go/64/poly1305/poly1305.go b/fiat-go/64/poly1305/poly1305.go index 0f47eba477f..69373a8e4bd 100644 --- a/fiat-go/64/poly1305/poly1305.go +++ b/fiat-go/64/poly1305/poly1305.go 
@@ -1,587 +1,554 @@ -/* - Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name poly1305 '' 64 3 '2^130 - 5' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes - - curve description (via package name): poly1305 - - machine_wordsize = 64 (from "64") - - requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes - - n = 3 (from "3") - - s-c = 2^130 - [(1, 5)] (from "2^130 - 5") - - tight_bounds_multiplier = 1 (from "") - - - - Computed values: - - carry_chain = [0, 1, 2, 0, 1] - - eval z = z[0] + (z[1] << 44) + (z[2] << 87) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) - - balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name poly1305 '' 64 3 '2^130 - 5' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes +// +// curve description (via package name): poly1305 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes +// +// n = 3 (from "3") +// +// s-c = 2^130 - [(1, 5)] (from "2^130 - 5") +// +// tight_bounds_multiplier = 1 (from "") +// +// +// +// Computed values: +// +// carry_chain = [0, 1, 2, 0, 1] +// +// eval z = z[0] + (z[1] << 44) + (z[2] << 87) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) +// +// balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] package poly1305 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function addcarryxU44 is an addition with 
carry. - Postconditions: - out1 = (arg1 + arg2 + arg3) mod 2^44 - out2 = ⌊(arg1 + arg2 + arg3) / 2^44⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xfffffffffff] - arg3: [0x0 ~> 0xfffffffffff] - Output Bounds: - out1: [0x0 ~> 0xfffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// addcarryxU44 is an addition with carry. +// +// Postconditions: +// out1 = (arg1 + arg2 + arg3) mod 2^44 +// out2 = ⌊(arg1 + arg2 + arg3) / 2^44⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xfffffffffff] +// arg3: [0x0 ~> 0xfffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xfffffffffff] +// out2: [0x0 ~> 0x1] func addcarryxU44(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = ((uint64(arg1) + arg2) + arg3) - var x2 uint64 = (x1 & 0xfffffffffff) - var x3 uint1 = uint1((x1 >> 44)) - *out1 = x2 - *out2 = x3 + x1 := ((uint64(arg1) + arg2) + arg3) + x2 := (x1 & 0xfffffffffff) + x3 := uint1((x1 >> 44)) + *out1 = x2 + *out2 = x3 } -/* - The function subborrowxU44 is a subtraction with borrow. - Postconditions: - out1 = (-arg1 + arg2 + -arg3) mod 2^44 - out2 = -⌊(-arg1 + arg2 + -arg3) / 2^44⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xfffffffffff] - arg3: [0x0 ~> 0xfffffffffff] - Output Bounds: - out1: [0x0 ~> 0xfffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// subborrowxU44 is a subtraction with borrow. 
+// +// Postconditions: +// out1 = (-arg1 + arg2 + -arg3) mod 2^44 +// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^44⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xfffffffffff] +// arg3: [0x0 ~> 0xfffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xfffffffffff] +// out2: [0x0 ~> 0x1] func subborrowxU44(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 int64 = ((int64(arg2) - int64(arg1)) - int64(arg3)) - var x2 int1 = int1((x1 >> 44)) - var x3 uint64 = (uint64(x1) & 0xfffffffffff) - *out1 = x3 - *out2 = (0x0 - uint1(x2)) + x1 := ((int64(arg2) - int64(arg1)) - int64(arg3)) + x2 := int1((x1 >> 44)) + x3 := (uint64(x1) & 0xfffffffffff) + *out1 = x3 + *out2 = (0x0 - uint1(x2)) } -/* - The function addcarryxU43 is an addition with carry. - Postconditions: - out1 = (arg1 + arg2 + arg3) mod 2^43 - out2 = ⌊(arg1 + arg2 + arg3) / 2^43⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x7ffffffffff] - arg3: [0x0 ~> 0x7ffffffffff] - Output Bounds: - out1: [0x0 ~> 0x7ffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// addcarryxU43 is an addition with carry. +// +// Postconditions: +// out1 = (arg1 + arg2 + arg3) mod 2^43 +// out2 = ⌊(arg1 + arg2 + arg3) / 2^43⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x7ffffffffff] +// arg3: [0x0 ~> 0x7ffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x7ffffffffff] +// out2: [0x0 ~> 0x1] func addcarryxU43(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = ((uint64(arg1) + arg2) + arg3) - var x2 uint64 = (x1 & 0x7ffffffffff) - var x3 uint1 = uint1((x1 >> 43)) - *out1 = x2 - *out2 = x3 + x1 := ((uint64(arg1) + arg2) + arg3) + x2 := (x1 & 0x7ffffffffff) + x3 := uint1((x1 >> 43)) + *out1 = x2 + *out2 = x3 } -/* - The function subborrowxU43 is a subtraction with borrow. 
- Postconditions: - out1 = (-arg1 + arg2 + -arg3) mod 2^43 - out2 = -⌊(-arg1 + arg2 + -arg3) / 2^43⌋ - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0x7ffffffffff] - arg3: [0x0 ~> 0x7ffffffffff] - Output Bounds: - out1: [0x0 ~> 0x7ffffffffff] - out2: [0x0 ~> 0x1] - */ -/*inline*/ +// subborrowxU43 is a subtraction with borrow. +// +// Postconditions: +// out1 = (-arg1 + arg2 + -arg3) mod 2^43 +// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^43⌋ +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0x7ffffffffff] +// arg3: [0x0 ~> 0x7ffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0x7ffffffffff] +// out2: [0x0 ~> 0x1] func subborrowxU43(out1 *uint64, out2 *uint1, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 int64 = ((int64(arg2) - int64(arg1)) - int64(arg3)) - var x2 int1 = int1((x1 >> 43)) - var x3 uint64 = (uint64(x1) & 0x7ffffffffff) - *out1 = x3 - *out2 = (0x0 - uint1(x2)) + x1 := ((int64(arg2) - int64(arg1)) - int64(arg3)) + x2 := int1((x1 >> 43)) + x3 := (uint64(x1) & 0x7ffffffffff) + *out1 = x3 + *out2 = (0x0 - uint1(x2)) } -/* - The function cmovznzU64 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. 
+// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function CarryMul multiplies two field elements and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] - arg2: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - */ -/*inline*/ +// CarryMul multiplies two field elements and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] +// arg2: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] func CarryMul(out1 *[3]uint64, arg1 *[3]uint64, arg2 *[3]uint64) { - var x1 uint64 - var x2 uint64 - x2, x1 = bits.Mul64((arg1[2]), ((arg2[2]) * 0x5)) - var x3 uint64 - var x4 uint64 - x4, x3 = bits.Mul64((arg1[2]), ((arg2[1]) * 0xa)) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64((arg1[1]), ((arg2[2]) * 0xa)) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64((arg1[2]), (arg2[0])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64((arg1[1]), ((arg2[1]) * 0x2)) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64((arg1[1]), (arg2[0])) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64((arg1[0]), (arg2[2])) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64((arg1[0]), (arg2[1])) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64((arg1[0]), (arg2[0])) - var x19 uint64 - var x20 uint1 - x19, x20 = addcarryxU64(x5, x3, 0x0) - var x21 uint64 - x21, _ = addcarryxU64(x6, x4, x20) - var x23 uint64 - var x24 uint1 - x23, x24 = addcarryxU64(x17, x19, 0x0) - var x25 uint64 - x25, _ = addcarryxU64(x18, x21, x24) - var x27 uint64 = ((x23 >> 44) | ((x25 << 20) & 0xffffffffffffffff)) - var x28 uint64 = (x23 & 0xfffffffffff) - var x29 uint64 - var x30 uint1 - x29, x30 = addcarryxU64(x9, x7, 0x0) - var x31 uint64 - x31, _ = addcarryxU64(x10, x8, x30) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x13, x29, 0x0) - var x35 uint64 - x35, _ = addcarryxU64(x14, x31, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x11, x1, 0x0) - var x39 uint64 - x39, _ = addcarryxU64(x12, x2, x38) - var x41 uint64 - var x42 uint1 - x41, x42 = addcarryxU64(x15, x37, 0x0) 
- var x43 uint64 - x43, _ = addcarryxU64(x16, x39, x42) - var x45 uint64 - var x46 uint1 - x45, x46 = addcarryxU64(x27, x41, 0x0) - var x47 uint64 = (uint64(x46) + x43) - var x48 uint64 = ((x45 >> 43) | ((x47 << 21) & 0xffffffffffffffff)) - var x49 uint64 = (x45 & 0x7ffffffffff) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x48, x33, 0x0) - var x52 uint64 = (uint64(x51) + x35) - var x53 uint64 = ((x50 >> 43) | ((x52 << 21) & 0xffffffffffffffff)) - var x54 uint64 = (x50 & 0x7ffffffffff) - var x55 uint64 = (x53 * 0x5) - var x56 uint64 = (x28 + x55) - var x57 uint64 = (x56 >> 44) - var x58 uint64 = (x56 & 0xfffffffffff) - var x59 uint64 = (x57 + x49) - var x60 uint1 = uint1((x59 >> 43)) - var x61 uint64 = (x59 & 0x7ffffffffff) - var x62 uint64 = (uint64(x60) + x54) - out1[0] = x58 - out1[1] = x61 - out1[2] = x62 + var x1 uint64 + var x2 uint64 + x2, x1 = bits.Mul64(arg1[2], (arg2[2] * 0x5)) + var x3 uint64 + var x4 uint64 + x4, x3 = bits.Mul64(arg1[2], (arg2[1] * 0xa)) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[1], (arg2[2] * 0xa)) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[2], arg2[0]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[1], (arg2[1] * 0x2)) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[1], arg2[0]) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[0], arg2[2]) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[0], arg2[1]) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(arg1[0], arg2[0]) + var x19 uint64 + var x20 uint1 + x19, x20 = addcarryxU64(x5, x3, 0x0) + var x21 uint64 + x21, _ = addcarryxU64(x6, x4, x20) + var x23 uint64 + var x24 uint1 + x23, x24 = addcarryxU64(x17, x19, 0x0) + var x25 uint64 + x25, _ = addcarryxU64(x18, x21, x24) + x27 := ((x23 >> 44) | ((x25 << 20) & 0xffffffffffffffff)) + x28 := (x23 & 0xfffffffffff) + var x29 uint64 + var x30 uint1 + x29, x30 = addcarryxU64(x9, x7, 0x0) + var x31 uint64 + x31, _ = addcarryxU64(x10, 
x8, x30) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x13, x29, 0x0) + var x35 uint64 + x35, _ = addcarryxU64(x14, x31, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x11, x1, 0x0) + var x39 uint64 + x39, _ = addcarryxU64(x12, x2, x38) + var x41 uint64 + var x42 uint1 + x41, x42 = addcarryxU64(x15, x37, 0x0) + var x43 uint64 + x43, _ = addcarryxU64(x16, x39, x42) + var x45 uint64 + var x46 uint1 + x45, x46 = addcarryxU64(x27, x41, 0x0) + x47 := (uint64(x46) + x43) + x48 := ((x45 >> 43) | ((x47 << 21) & 0xffffffffffffffff)) + x49 := (x45 & 0x7ffffffffff) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x48, x33, 0x0) + x52 := (uint64(x51) + x35) + x53 := ((x50 >> 43) | ((x52 << 21) & 0xffffffffffffffff)) + x54 := (x50 & 0x7ffffffffff) + x55 := (x53 * 0x5) + x56 := (x28 + x55) + x57 := (x56 >> 44) + x58 := (x56 & 0xfffffffffff) + x59 := (x57 + x49) + x60 := uint1((x59 >> 43)) + x61 := (x59 & 0x7ffffffffff) + x62 := (uint64(x60) + x54) + out1[0] = x58 + out1[1] = x61 + out1[2] = x62 } -/* - The function CarrySquare squares a field element and reduces the result. - Postconditions: - eval out1 mod m = (eval arg1 * eval arg1) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - */ -/*inline*/ +// CarrySquare squares a field element and reduces the result. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 * eval arg1) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] func CarrySquare(out1 *[3]uint64, arg1 *[3]uint64) { - var x1 uint64 = ((arg1[2]) * 0x5) - var x2 uint64 = (x1 * 0x2) - var x3 uint64 = ((arg1[2]) * 0x2) - var x4 uint64 = ((arg1[1]) * 0x2) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64((arg1[2]), x1) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64((arg1[1]), (x2 * 0x2)) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64((arg1[1]), ((arg1[1]) * 0x2)) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64((arg1[0]), x3) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64((arg1[0]), x4) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64((arg1[0]), (arg1[0])) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x15, x7, 0x0) - var x19 uint64 - x19, _ = addcarryxU64(x16, x8, x18) - var x21 uint64 = ((x17 >> 44) | ((x19 << 20) & 0xffffffffffffffff)) - var x22 uint64 = (x17 & 0xfffffffffff) - var x23 uint64 - var x24 uint1 - x23, x24 = addcarryxU64(x11, x9, 0x0) - var x25 uint64 - x25, _ = addcarryxU64(x12, x10, x24) - var x27 uint64 - var x28 uint1 - x27, x28 = addcarryxU64(x13, x5, 0x0) - var x29 uint64 - x29, _ = addcarryxU64(x14, x6, x28) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(x21, x27, 0x0) - var x33 uint64 = (uint64(x32) + x29) - var x34 uint64 = ((x31 >> 43) | ((x33 << 21) & 0xffffffffffffffff)) - var x35 uint64 = (x31 & 0x7ffffffffff) - var x36 uint64 - var x37 uint1 - x36, x37 = addcarryxU64(x34, x23, 0x0) - var x38 uint64 = (uint64(x37) + x25) - var x39 uint64 = ((x36 >> 43) | ((x38 << 21) & 0xffffffffffffffff)) - var x40 uint64 = (x36 & 0x7ffffffffff) - var x41 uint64 = (x39 * 0x5) - var x42 uint64 = (x22 + x41) - var x43 uint64 = (x42 >> 44) - var x44 uint64 = (x42 & 
0xfffffffffff) - var x45 uint64 = (x43 + x35) - var x46 uint1 = uint1((x45 >> 43)) - var x47 uint64 = (x45 & 0x7ffffffffff) - var x48 uint64 = (uint64(x46) + x40) - out1[0] = x44 - out1[1] = x47 - out1[2] = x48 + x1 := (arg1[2] * 0x5) + x2 := (x1 * 0x2) + x3 := (arg1[2] * 0x2) + x4 := (arg1[1] * 0x2) + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(arg1[2], x1) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(arg1[1], (x2 * 0x2)) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(arg1[1], (arg1[1] * 0x2)) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(arg1[0], x3) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(arg1[0], x4) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(arg1[0], arg1[0]) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x15, x7, 0x0) + var x19 uint64 + x19, _ = addcarryxU64(x16, x8, x18) + x21 := ((x17 >> 44) | ((x19 << 20) & 0xffffffffffffffff)) + x22 := (x17 & 0xfffffffffff) + var x23 uint64 + var x24 uint1 + x23, x24 = addcarryxU64(x11, x9, 0x0) + var x25 uint64 + x25, _ = addcarryxU64(x12, x10, x24) + var x27 uint64 + var x28 uint1 + x27, x28 = addcarryxU64(x13, x5, 0x0) + var x29 uint64 + x29, _ = addcarryxU64(x14, x6, x28) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(x21, x27, 0x0) + x33 := (uint64(x32) + x29) + x34 := ((x31 >> 43) | ((x33 << 21) & 0xffffffffffffffff)) + x35 := (x31 & 0x7ffffffffff) + var x36 uint64 + var x37 uint1 + x36, x37 = addcarryxU64(x34, x23, 0x0) + x38 := (uint64(x37) + x25) + x39 := ((x36 >> 43) | ((x38 << 21) & 0xffffffffffffffff)) + x40 := (x36 & 0x7ffffffffff) + x41 := (x39 * 0x5) + x42 := (x22 + x41) + x43 := (x42 >> 44) + x44 := (x42 & 0xfffffffffff) + x45 := (x43 + x35) + x46 := uint1((x45 >> 43)) + x47 := (x45 & 0x7ffffffffff) + x48 := (uint64(x46) + x40) + out1[0] = x44 + out1[1] = x47 + out1[2] = x48 } -/* - The function Carry reduces a field element. 
- Postconditions: - eval out1 mod m = eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - */ -/*inline*/ +// Carry reduces a field element. +// +// Postconditions: +// eval out1 mod m = eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] func Carry(out1 *[3]uint64, arg1 *[3]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 = ((x1 >> 44) + (arg1[1])) - var x3 uint64 = ((x2 >> 43) + (arg1[2])) - var x4 uint64 = ((x1 & 0xfffffffffff) + ((x3 >> 43) * 0x5)) - var x5 uint64 = (uint64(uint1((x4 >> 44))) + (x2 & 0x7ffffffffff)) - var x6 uint64 = (x4 & 0xfffffffffff) - var x7 uint64 = (x5 & 0x7ffffffffff) - var x8 uint64 = (uint64(uint1((x5 >> 43))) + (x3 & 0x7ffffffffff)) - out1[0] = x6 - out1[1] = x7 - out1[2] = x8 + x1 := arg1[0] + x2 := ((x1 >> 44) + arg1[1]) + x3 := ((x2 >> 43) + arg1[2]) + x4 := ((x1 & 0xfffffffffff) + ((x3 >> 43) * 0x5)) + x5 := (uint64(uint1((x4 >> 44))) + (x2 & 0x7ffffffffff)) + x6 := (x4 & 0xfffffffffff) + x7 := (x5 & 0x7ffffffffff) + x8 := (uint64(uint1((x5 >> 43))) + (x3 & 0x7ffffffffff)) + out1[0] = x6 + out1[1] = x7 + out1[2] = x8 } -/* - The function Add adds two field elements. - Postconditions: - eval out1 mod m = (eval arg1 + eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - arg2: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - Output Bounds: - out1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] - */ -/*inline*/ +// Add adds two field elements. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 + eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] +// arg2: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] func Add(out1 *[3]uint64, arg1 *[3]uint64, arg2 *[3]uint64) { - var x1 uint64 = ((arg1[0]) + (arg2[0])) - var x2 uint64 = ((arg1[1]) + (arg2[1])) - var x3 uint64 = ((arg1[2]) + (arg2[2])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 + x1 := (arg1[0] + arg2[0]) + x2 := (arg1[1] + arg2[1]) + x3 := (arg1[2] + arg2[2]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 } -/* - The function Sub subtracts two field elements. - Postconditions: - eval out1 mod m = (eval arg1 - eval arg2) mod m - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - arg2: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - Output Bounds: - out1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] - */ -/*inline*/ +// Sub subtracts two field elements. 
+// +// Postconditions: +// eval out1 mod m = (eval arg1 - eval arg2) mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] +// arg2: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] func Sub(out1 *[3]uint64, arg1 *[3]uint64, arg2 *[3]uint64) { - var x1 uint64 = ((0x1ffffffffff6 + (arg1[0])) - (arg2[0])) - var x2 uint64 = ((0xffffffffffe + (arg1[1])) - (arg2[1])) - var x3 uint64 = ((0xffffffffffe + (arg1[2])) - (arg2[2])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 + x1 := ((0x1ffffffffff6 + arg1[0]) - arg2[0]) + x2 := ((0xffffffffffe + arg1[1]) - arg2[1]) + x3 := ((0xffffffffffe + arg1[2]) - arg2[2]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 } -/* - The function Opp negates a field element. - Postconditions: - eval out1 mod m = -eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - Output Bounds: - out1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] - */ -/*inline*/ +// Opp negates a field element. +// +// Postconditions: +// eval out1 mod m = -eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] func Opp(out1 *[3]uint64, arg1 *[3]uint64) { - var x1 uint64 = (0x1ffffffffff6 - (arg1[0])) - var x2 uint64 = (0xffffffffffe - (arg1[1])) - var x3 uint64 = (0xffffffffffe - (arg1[2])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 + x1 := (0x1ffffffffff6 - arg1[0]) + x2 := (0xffffffffffe - arg1[1]) + x3 := (0xffffffffffe - arg1[2]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 } -/* - The function Selectznz is a multi-limb conditional select. 
- Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. +// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[3]uint64, arg1 uint1, arg2 *[3]uint64, arg3 *[3]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 } -/* - The function ToBytes serializes a field element to bytes in little-endian order. 
- Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] - - Input Bounds: - arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] - */ -/*inline*/ +// ToBytes serializes a field element to bytes in little-endian order. +// +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] +// +// Input Bounds: +// arg1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] func ToBytes(out1 *[17]uint8, arg1 *[3]uint64) { - var x1 uint64 - var x2 uint1 - subborrowxU44(&x1, &x2, 0x0, (arg1[0]), 0xffffffffffb) - var x3 uint64 - var x4 uint1 - subborrowxU43(&x3, &x4, x2, (arg1[1]), 0x7ffffffffff) - var x5 uint64 - var x6 uint1 - subborrowxU43(&x5, &x6, x4, (arg1[2]), 0x7ffffffffff) - var x7 uint64 - cmovznzU64(&x7, x6, uint64(0x0), 0xffffffffffffffff) - var x8 uint64 - var x9 uint1 - addcarryxU44(&x8, &x9, 0x0, x1, (x7 & 0xffffffffffb)) - var x10 uint64 - var x11 uint1 - addcarryxU43(&x10, &x11, x9, x3, (x7 & 0x7ffffffffff)) - var x12 uint64 - var x13 uint1 - addcarryxU43(&x12, &x13, x11, x5, (x7 & 0x7ffffffffff)) - var x14 uint64 = (x12 << 7) - var x15 uint64 = (x10 << 4) - var x16 uint8 = (uint8(x8) & 0xff) - var x17 uint64 = (x8 >> 8) - var x18 uint8 = (uint8(x17) & 0xff) - var x19 uint64 = (x17 >> 8) - var x20 uint8 = (uint8(x19) & 0xff) - var x21 uint64 = (x19 >> 8) - var x22 uint8 = 
(uint8(x21) & 0xff) - var x23 uint64 = (x21 >> 8) - var x24 uint8 = (uint8(x23) & 0xff) - var x25 uint8 = uint8((x23 >> 8)) - var x26 uint64 = (x15 + uint64(x25)) - var x27 uint8 = (uint8(x26) & 0xff) - var x28 uint64 = (x26 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint64 = (x28 >> 8) - var x31 uint8 = (uint8(x30) & 0xff) - var x32 uint64 = (x30 >> 8) - var x33 uint8 = (uint8(x32) & 0xff) - var x34 uint64 = (x32 >> 8) - var x35 uint8 = (uint8(x34) & 0xff) - var x36 uint8 = uint8((x34 >> 8)) - var x37 uint64 = (x14 + uint64(x36)) - var x38 uint8 = (uint8(x37) & 0xff) - var x39 uint64 = (x37 >> 8) - var x40 uint8 = (uint8(x39) & 0xff) - var x41 uint64 = (x39 >> 8) - var x42 uint8 = (uint8(x41) & 0xff) - var x43 uint64 = (x41 >> 8) - var x44 uint8 = (uint8(x43) & 0xff) - var x45 uint64 = (x43 >> 8) - var x46 uint8 = (uint8(x45) & 0xff) - var x47 uint64 = (x45 >> 8) - var x48 uint8 = (uint8(x47) & 0xff) - var x49 uint8 = uint8((x47 >> 8)) - out1[0] = x16 - out1[1] = x18 - out1[2] = x20 - out1[3] = x22 - out1[4] = x24 - out1[5] = x27 - out1[6] = x29 - out1[7] = x31 - out1[8] = x33 - out1[9] = x35 - out1[10] = x38 - out1[11] = x40 - out1[12] = x42 - out1[13] = x44 - out1[14] = x46 - out1[15] = x48 - out1[16] = x49 + var x1 uint64 + var x2 uint1 + subborrowxU44(&x1, &x2, 0x0, arg1[0], 0xffffffffffb) + var x3 uint64 + var x4 uint1 + subborrowxU43(&x3, &x4, x2, arg1[1], 0x7ffffffffff) + var x5 uint64 + var x6 uint1 + subborrowxU43(&x5, &x6, x4, arg1[2], 0x7ffffffffff) + var x7 uint64 + cmovznzU64(&x7, x6, uint64(0x0), 0xffffffffffffffff) + var x8 uint64 + var x9 uint1 + addcarryxU44(&x8, &x9, 0x0, x1, (x7 & 0xffffffffffb)) + var x10 uint64 + var x11 uint1 + addcarryxU43(&x10, &x11, x9, x3, (x7 & 0x7ffffffffff)) + var x12 uint64 + var x13 uint1 + addcarryxU43(&x12, &x13, x11, x5, (x7 & 0x7ffffffffff)) + x14 := (x12 << 7) + x15 := (x10 << 4) + x16 := (uint8(x8) & 0xff) + x17 := (x8 >> 8) + x18 := (uint8(x17) & 0xff) + x19 := (x17 >> 8) + x20 := (uint8(x19) & 
0xff) + x21 := (x19 >> 8) + x22 := (uint8(x21) & 0xff) + x23 := (x21 >> 8) + x24 := (uint8(x23) & 0xff) + x25 := uint8((x23 >> 8)) + x26 := (x15 + uint64(x25)) + x27 := (uint8(x26) & 0xff) + x28 := (x26 >> 8) + x29 := (uint8(x28) & 0xff) + x30 := (x28 >> 8) + x31 := (uint8(x30) & 0xff) + x32 := (x30 >> 8) + x33 := (uint8(x32) & 0xff) + x34 := (x32 >> 8) + x35 := (uint8(x34) & 0xff) + x36 := uint8((x34 >> 8)) + x37 := (x14 + uint64(x36)) + x38 := (uint8(x37) & 0xff) + x39 := (x37 >> 8) + x40 := (uint8(x39) & 0xff) + x41 := (x39 >> 8) + x42 := (uint8(x41) & 0xff) + x43 := (x41 >> 8) + x44 := (uint8(x43) & 0xff) + x45 := (x43 >> 8) + x46 := (uint8(x45) & 0xff) + x47 := (x45 >> 8) + x48 := (uint8(x47) & 0xff) + x49 := uint8((x47 >> 8)) + out1[0] = x16 + out1[1] = x18 + out1[2] = x20 + out1[3] = x22 + out1[4] = x24 + out1[5] = x27 + out1[6] = x29 + out1[7] = x31 + out1[8] = x33 + out1[9] = x35 + out1[10] = x38 + out1[11] = x40 + out1[12] = x42 + out1[13] = x44 + out1[14] = x46 + out1[15] = x48 + out1[16] = x49 } -/* - The function FromBytes deserializes a field element from bytes in little-endian order. - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] - Output Bounds: - out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] - */ -/*inline*/ +// FromBytes deserializes a field element from bytes in little-endian order. 
+// +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]] +// Output Bounds: +// out1: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] func FromBytes(out1 *[3]uint64, arg1 *[17]uint8) { - var x1 uint64 = (uint64((arg1[16])) << 41) - var x2 uint64 = (uint64((arg1[15])) << 33) - var x3 uint64 = (uint64((arg1[14])) << 25) - var x4 uint64 = (uint64((arg1[13])) << 17) - var x5 uint64 = (uint64((arg1[12])) << 9) - var x6 uint64 = (uint64((arg1[11])) * uint64(0x2)) - var x7 uint64 = (uint64((arg1[10])) << 36) - var x8 uint64 = (uint64((arg1[9])) << 28) - var x9 uint64 = (uint64((arg1[8])) << 20) - var x10 uint64 = (uint64((arg1[7])) << 12) - var x11 uint64 = (uint64((arg1[6])) << 4) - var x12 uint64 = (uint64((arg1[5])) << 40) - var x13 uint64 = (uint64((arg1[4])) << 32) - var x14 uint64 = (uint64((arg1[3])) << 24) - var x15 uint64 = (uint64((arg1[2])) << 16) - var x16 uint64 = (uint64((arg1[1])) << 8) - var x17 uint8 = (arg1[0]) - var x18 uint64 = (x16 + uint64(x17)) - var x19 uint64 = (x15 + x18) - var x20 uint64 = (x14 + x19) - var x21 uint64 = (x13 + x20) - var x22 uint64 = (x12 + x21) - var x23 uint64 = (x22 & 0xfffffffffff) - var x24 uint8 = uint8((x22 >> 44)) - var x25 uint64 = (x11 + uint64(x24)) - var x26 uint64 = (x10 + x25) - var x27 uint64 = (x9 + x26) - var x28 uint64 = (x8 + x27) - var x29 uint64 = (x7 + x28) - var x30 uint64 = (x29 & 0x7ffffffffff) - var x31 uint1 = uint1((x29 >> 43)) - var x32 uint64 = (x6 + uint64(x31)) - var x33 uint64 = (x5 + x32) - var x34 uint64 = (x4 + x33) - var x35 uint64 = (x3 + x34) - var x36 uint64 = (x2 + x35) - var x37 uint64 = (x1 + x36) - out1[0] = x23 - out1[1] = x30 - out1[2] = x37 + x1 := 
(uint64(arg1[16]) << 41) + x2 := (uint64(arg1[15]) << 33) + x3 := (uint64(arg1[14]) << 25) + x4 := (uint64(arg1[13]) << 17) + x5 := (uint64(arg1[12]) << 9) + x6 := (uint64(arg1[11]) * uint64(0x2)) + x7 := (uint64(arg1[10]) << 36) + x8 := (uint64(arg1[9]) << 28) + x9 := (uint64(arg1[8]) << 20) + x10 := (uint64(arg1[7]) << 12) + x11 := (uint64(arg1[6]) << 4) + x12 := (uint64(arg1[5]) << 40) + x13 := (uint64(arg1[4]) << 32) + x14 := (uint64(arg1[3]) << 24) + x15 := (uint64(arg1[2]) << 16) + x16 := (uint64(arg1[1]) << 8) + x17 := arg1[0] + x18 := (x16 + uint64(x17)) + x19 := (x15 + x18) + x20 := (x14 + x19) + x21 := (x13 + x20) + x22 := (x12 + x21) + x23 := (x22 & 0xfffffffffff) + x24 := uint8((x22 >> 44)) + x25 := (x11 + uint64(x24)) + x26 := (x10 + x25) + x27 := (x9 + x26) + x28 := (x8 + x27) + x29 := (x7 + x28) + x30 := (x29 & 0x7ffffffffff) + x31 := uint1((x29 >> 43)) + x32 := (x6 + uint64(x31)) + x33 := (x5 + x32) + x34 := (x4 + x33) + x35 := (x3 + x34) + x36 := (x2 + x35) + x37 := (x1 + x36) + out1[0] = x23 + out1[1] = x30 + out1[2] = x37 } - diff --git a/fiat-go/64/secp256k1/secp256k1.go b/fiat-go/64/secp256k1/secp256k1.go index 2527f3cb00a..0095c767ed3 100644 --- a/fiat-go/64/secp256k1/secp256k1.go +++ b/fiat-go/64/secp256k1/secp256k1.go 
@@ -1,1921 +1,1884 @@ -/* - Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --package-name secp256k1 '' 64 '2^256 - 2^32 - 977' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp - - curve description (via package name): secp256k1 - - machine_wordsize = 64 (from "64") - - requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp - - m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f (from "2^256 - 2^32 - 977") - - - - NOTE: In addition to the bounds specified above each function, all - - functions synthesized for this Montgomery arithmetic require the - - input to be strictly less than the prime modulus (m), and also - - require the input to be in the unique saturated representation. - - All functions also ensure that these two properties are true of - - return values. 
- - - - Computed values: - - eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) - - bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) - - twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in - - if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - */ +// Code generated by Fiat Cryptography. DO NOT EDIT. +// +// Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Go --no-wide-int --cmovznz-by-mul --internal-static --package-case flatcase --public-function-case UpperCamelCase --private-function-case camelCase --public-type-case UpperCamelCase --private-type-case camelCase --no-prefix-fiat --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' 
--doc-text-before-function-name '' --package-name secp256k1 '' 64 '2^256 - 2^32 - 977' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp +// +// curve description (via package name): secp256k1 +// +// machine_wordsize = 64 (from "64") +// +// requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp +// +// m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f (from "2^256 - 2^32 - 977") +// +// +// +// NOTE: In addition to the bounds specified above each function, all +// +// functions synthesized for this Montgomery arithmetic require the +// +// input to be strictly less than the prime modulus (m), and also +// +// require the input to be in the unique saturated representation. +// +// All functions also ensure that these two properties are true of +// +// return values. +// +// +// +// Computed values: +// +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +// +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +// +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 package secp256k1 import "math/bits" + type uint1 uint8 type int1 int8 -/* The function addcarryxU64 is a thin wrapper around bits.Add64 that uses uint1 rather than uint64 */ +// addcarryxU64 is a thin 
wrapper around bits.Add64 that uses uint1 rather than uint64 func addcarryxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Add64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Add64(x, y, uint64(carry)) + return sum, uint1(carryOut) } -/* The function subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 */ +// subborrowxU64 is a thin wrapper around bits.Sub64 that uses uint1 rather than uint64 func subborrowxU64(x uint64, y uint64, carry uint1) (uint64, uint1) { - var sum uint64 - var carryOut uint64 - sum, carryOut = bits.Sub64(x, y, uint64(carry)) - return sum, uint1(carryOut) + sum, carryOut := bits.Sub64(x, y, uint64(carry)) + return sum, uint1(carryOut) } - -/* - The function cmovznzU64 is a single-word conditional move. - Postconditions: - out1 = (if arg1 = 0 then arg2 else arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [0x0 ~> 0xffffffffffffffff] - arg3: [0x0 ~> 0xffffffffffffffff] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// cmovznzU64 is a single-word conditional move. +// +// Postconditions: +// out1 = (if arg1 = 0 then arg2 else arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [0x0 ~> 0xffffffffffffffff] +// arg3: [0x0 ~> 0xffffffffffffffff] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func cmovznzU64(out1 *uint64, arg1 uint1, arg2 uint64, arg3 uint64) { - var x1 uint64 = (uint64(arg1) * 0xffffffffffffffff) - var x2 uint64 = ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 + x1 := (uint64(arg1) * 0xffffffffffffffff) + x2 := ((x1 & arg3) | ((^x1) & arg2)) + *out1 = x2 } -/* - The function Mul multiplies two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Mul multiplies two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Mul(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, (arg2[3])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, (arg2[2])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, (arg2[1])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, (arg2[0])) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, 
x16) - var x19 uint64 = (uint64(x18) + x6) - var x20 uint64 - _, x20 = bits.Mul64(x11, 0xd838091dd2253531) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x20, 0xffffffffffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x20, 0xffffffffffffffff) - var x28 uint64 - var x29 uint64 - x29, x28 = bits.Mul64(x20, 0xfffffffefffffc2f) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x29, x26, 0x0) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(x27, x24, x31) - var x34 uint64 - var x35 uint1 - x34, x35 = addcarryxU64(x25, x22, x33) - var x36 uint64 = (uint64(x35) + x23) - var x38 uint1 - _, x38 = addcarryxU64(x11, x28, 0x0) - var x39 uint64 - var x40 uint1 - x39, x40 = addcarryxU64(x13, x30, x38) - var x41 uint64 - var x42 uint1 - x41, x42 = addcarryxU64(x15, x32, x40) - var x43 uint64 - var x44 uint1 - x43, x44 = addcarryxU64(x17, x34, x42) - var x45 uint64 - var x46 uint1 - x45, x46 = addcarryxU64(x19, x36, x44) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x1, (arg2[3])) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x1, (arg2[2])) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64(x1, (arg2[1])) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64(x1, (arg2[0])) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x54, x51, 0x0) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x52, x49, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x50, x47, x58) - var x61 uint64 = (uint64(x60) + x48) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x39, x53, 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x41, x55, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x43, x57, x65) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x45, x59, x67) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(uint64(x46), x61, x69) - var x72 uint64 
- _, x72 = bits.Mul64(x62, 0xd838091dd2253531) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x72, 0xffffffffffffffff) - var x76 uint64 - var x77 uint64 - x77, x76 = bits.Mul64(x72, 0xffffffffffffffff) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64(x72, 0xffffffffffffffff) - var x80 uint64 - var x81 uint64 - x81, x80 = bits.Mul64(x72, 0xfffffffefffffc2f) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x81, x78, 0x0) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x79, x76, x83) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x77, x74, x85) - var x88 uint64 = (uint64(x87) + x75) - var x90 uint1 - _, x90 = addcarryxU64(x62, x80, 0x0) - var x91 uint64 - var x92 uint1 - x91, x92 = addcarryxU64(x64, x82, x90) - var x93 uint64 - var x94 uint1 - x93, x94 = addcarryxU64(x66, x84, x92) - var x95 uint64 - var x96 uint1 - x95, x96 = addcarryxU64(x68, x86, x94) - var x97 uint64 - var x98 uint1 - x97, x98 = addcarryxU64(x70, x88, x96) - var x99 uint64 = (uint64(x98) + uint64(x71)) - var x100 uint64 - var x101 uint64 - x101, x100 = bits.Mul64(x2, (arg2[3])) - var x102 uint64 - var x103 uint64 - x103, x102 = bits.Mul64(x2, (arg2[2])) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64(x2, (arg2[1])) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x2, (arg2[0])) - var x108 uint64 - var x109 uint1 - x108, x109 = addcarryxU64(x107, x104, 0x0) - var x110 uint64 - var x111 uint1 - x110, x111 = addcarryxU64(x105, x102, x109) - var x112 uint64 - var x113 uint1 - x112, x113 = addcarryxU64(x103, x100, x111) - var x114 uint64 = (uint64(x113) + x101) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x91, x106, 0x0) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x93, x108, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(x95, x110, x118) - var x121 uint64 - var x122 uint1 - x121, x122 = addcarryxU64(x97, x112, x120) - var x123 uint64 - var x124 uint1 - x123, x124 = 
addcarryxU64(x99, x114, x122) - var x125 uint64 - _, x125 = bits.Mul64(x115, 0xd838091dd2253531) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x125, 0xffffffffffffffff) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x125, 0xffffffffffffffff) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x125, 0xffffffffffffffff) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x125, 0xfffffffefffffc2f) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x134, x131, 0x0) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x132, x129, x136) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x130, x127, x138) - var x141 uint64 = (uint64(x140) + x128) - var x143 uint1 - _, x143 = addcarryxU64(x115, x133, 0x0) - var x144 uint64 - var x145 uint1 - x144, x145 = addcarryxU64(x117, x135, x143) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x119, x137, x145) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x121, x139, x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x123, x141, x149) - var x152 uint64 = (uint64(x151) + uint64(x124)) - var x153 uint64 - var x154 uint64 - x154, x153 = bits.Mul64(x3, (arg2[3])) - var x155 uint64 - var x156 uint64 - x156, x155 = bits.Mul64(x3, (arg2[2])) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64(x3, (arg2[1])) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64(x3, (arg2[0])) - var x161 uint64 - var x162 uint1 - x161, x162 = addcarryxU64(x160, x157, 0x0) - var x163 uint64 - var x164 uint1 - x163, x164 = addcarryxU64(x158, x155, x162) - var x165 uint64 - var x166 uint1 - x165, x166 = addcarryxU64(x156, x153, x164) - var x167 uint64 = (uint64(x166) + x154) - var x168 uint64 - var x169 uint1 - x168, x169 = addcarryxU64(x144, x159, 0x0) - var x170 uint64 - var x171 uint1 - x170, x171 = addcarryxU64(x146, x161, x169) - var x172 uint64 - var x173 uint1 - x172, x173 = addcarryxU64(x148, x163, x171) 
- var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x150, x165, x173) - var x176 uint64 - var x177 uint1 - x176, x177 = addcarryxU64(x152, x167, x175) - var x178 uint64 - _, x178 = bits.Mul64(x168, 0xd838091dd2253531) - var x180 uint64 - var x181 uint64 - x181, x180 = bits.Mul64(x178, 0xffffffffffffffff) - var x182 uint64 - var x183 uint64 - x183, x182 = bits.Mul64(x178, 0xffffffffffffffff) - var x184 uint64 - var x185 uint64 - x185, x184 = bits.Mul64(x178, 0xffffffffffffffff) - var x186 uint64 - var x187 uint64 - x187, x186 = bits.Mul64(x178, 0xfffffffefffffc2f) - var x188 uint64 - var x189 uint1 - x188, x189 = addcarryxU64(x187, x184, 0x0) - var x190 uint64 - var x191 uint1 - x190, x191 = addcarryxU64(x185, x182, x189) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(x183, x180, x191) - var x194 uint64 = (uint64(x193) + x181) - var x196 uint1 - _, x196 = addcarryxU64(x168, x186, 0x0) - var x197 uint64 - var x198 uint1 - x197, x198 = addcarryxU64(x170, x188, x196) - var x199 uint64 - var x200 uint1 - x199, x200 = addcarryxU64(x172, x190, x198) - var x201 uint64 - var x202 uint1 - x201, x202 = addcarryxU64(x174, x192, x200) - var x203 uint64 - var x204 uint1 - x203, x204 = addcarryxU64(x176, x194, x202) - var x205 uint64 = (uint64(x204) + uint64(x177)) - var x206 uint64 - var x207 uint1 - x206, x207 = subborrowxU64(x197, 0xfffffffefffffc2f, 0x0) - var x208 uint64 - var x209 uint1 - x208, x209 = subborrowxU64(x199, 0xffffffffffffffff, x207) - var x210 uint64 - var x211 uint1 - x210, x211 = subborrowxU64(x201, 0xffffffffffffffff, x209) - var x212 uint64 - var x213 uint1 - x212, x213 = subborrowxU64(x203, 0xffffffffffffffff, x211) - var x215 uint1 - _, x215 = subborrowxU64(x205, uint64(0x0), x213) - var x216 uint64 - cmovznzU64(&x216, x215, x206, x197) - var x217 uint64 - cmovznzU64(&x217, x215, x208, x199) - var x218 uint64 - cmovznzU64(&x218, x215, x210, x201) - var x219 uint64 - cmovznzU64(&x219, x215, x212, x203) - out1[0] = x216 - out1[1] 
= x217 - out1[2] = x218 - out1[3] = x219 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, arg2[3]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, arg2[2]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, arg2[1]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, arg2[0]) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x8, x5, x16) + x19 := (uint64(x18) + x6) + var x20 uint64 + _, x20 = bits.Mul64(x11, 0xd838091dd2253531) + var x22 uint64 + var x23 uint64 + x23, x22 = bits.Mul64(x20, 0xffffffffffffffff) + var x24 uint64 + var x25 uint64 + x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) + var x26 uint64 + var x27 uint64 + x27, x26 = bits.Mul64(x20, 0xffffffffffffffff) + var x28 uint64 + var x29 uint64 + x29, x28 = bits.Mul64(x20, 0xfffffffefffffc2f) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x29, x26, 0x0) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(x27, x24, x31) + var x34 uint64 + var x35 uint1 + x34, x35 = addcarryxU64(x25, x22, x33) + x36 := (uint64(x35) + x23) + var x38 uint1 + _, x38 = addcarryxU64(x11, x28, 0x0) + var x39 uint64 + var x40 uint1 + x39, x40 = addcarryxU64(x13, x30, x38) + var x41 uint64 + var x42 uint1 + x41, x42 = addcarryxU64(x15, x32, x40) + var x43 uint64 + var x44 uint1 + x43, x44 = addcarryxU64(x17, x34, x42) + var x45 uint64 + var x46 uint1 + x45, x46 = addcarryxU64(x19, x36, x44) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(x1, arg2[3]) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(x1, arg2[2]) + var x51 uint64 + var x52 uint64 + x52, x51 = bits.Mul64(x1, arg2[1]) + var x53 uint64 + var x54 uint64 + x54, x53 = bits.Mul64(x1, arg2[0]) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x54, x51, 0x0) + var x57 uint64 + 
var x58 uint1 + x57, x58 = addcarryxU64(x52, x49, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x50, x47, x58) + x61 := (uint64(x60) + x48) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x39, x53, 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x41, x55, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x43, x57, x65) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x45, x59, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(uint64(x46), x61, x69) + var x72 uint64 + _, x72 = bits.Mul64(x62, 0xd838091dd2253531) + var x74 uint64 + var x75 uint64 + x75, x74 = bits.Mul64(x72, 0xffffffffffffffff) + var x76 uint64 + var x77 uint64 + x77, x76 = bits.Mul64(x72, 0xffffffffffffffff) + var x78 uint64 + var x79 uint64 + x79, x78 = bits.Mul64(x72, 0xffffffffffffffff) + var x80 uint64 + var x81 uint64 + x81, x80 = bits.Mul64(x72, 0xfffffffefffffc2f) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x81, x78, 0x0) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x79, x76, x83) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x77, x74, x85) + x88 := (uint64(x87) + x75) + var x90 uint1 + _, x90 = addcarryxU64(x62, x80, 0x0) + var x91 uint64 + var x92 uint1 + x91, x92 = addcarryxU64(x64, x82, x90) + var x93 uint64 + var x94 uint1 + x93, x94 = addcarryxU64(x66, x84, x92) + var x95 uint64 + var x96 uint1 + x95, x96 = addcarryxU64(x68, x86, x94) + var x97 uint64 + var x98 uint1 + x97, x98 = addcarryxU64(x70, x88, x96) + x99 := (uint64(x98) + uint64(x71)) + var x100 uint64 + var x101 uint64 + x101, x100 = bits.Mul64(x2, arg2[3]) + var x102 uint64 + var x103 uint64 + x103, x102 = bits.Mul64(x2, arg2[2]) + var x104 uint64 + var x105 uint64 + x105, x104 = bits.Mul64(x2, arg2[1]) + var x106 uint64 + var x107 uint64 + x107, x106 = bits.Mul64(x2, arg2[0]) + var x108 uint64 + var x109 uint1 + x108, x109 = addcarryxU64(x107, x104, 0x0) + var x110 uint64 + var x111 uint1 + x110, x111 
= addcarryxU64(x105, x102, x109) + var x112 uint64 + var x113 uint1 + x112, x113 = addcarryxU64(x103, x100, x111) + x114 := (uint64(x113) + x101) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x91, x106, 0x0) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x93, x108, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(x95, x110, x118) + var x121 uint64 + var x122 uint1 + x121, x122 = addcarryxU64(x97, x112, x120) + var x123 uint64 + var x124 uint1 + x123, x124 = addcarryxU64(x99, x114, x122) + var x125 uint64 + _, x125 = bits.Mul64(x115, 0xd838091dd2253531) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(x125, 0xffffffffffffffff) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x125, 0xffffffffffffffff) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(x125, 0xffffffffffffffff) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(x125, 0xfffffffefffffc2f) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x134, x131, 0x0) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x132, x129, x136) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x130, x127, x138) + x141 := (uint64(x140) + x128) + var x143 uint1 + _, x143 = addcarryxU64(x115, x133, 0x0) + var x144 uint64 + var x145 uint1 + x144, x145 = addcarryxU64(x117, x135, x143) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x119, x137, x145) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x121, x139, x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x123, x141, x149) + x152 := (uint64(x151) + uint64(x124)) + var x153 uint64 + var x154 uint64 + x154, x153 = bits.Mul64(x3, arg2[3]) + var x155 uint64 + var x156 uint64 + x156, x155 = bits.Mul64(x3, arg2[2]) + var x157 uint64 + var x158 uint64 + x158, x157 = bits.Mul64(x3, arg2[1]) + var x159 uint64 + var x160 uint64 + x160, x159 = bits.Mul64(x3, arg2[0]) + var x161 uint64 + var x162 uint1 + 
x161, x162 = addcarryxU64(x160, x157, 0x0) + var x163 uint64 + var x164 uint1 + x163, x164 = addcarryxU64(x158, x155, x162) + var x165 uint64 + var x166 uint1 + x165, x166 = addcarryxU64(x156, x153, x164) + x167 := (uint64(x166) + x154) + var x168 uint64 + var x169 uint1 + x168, x169 = addcarryxU64(x144, x159, 0x0) + var x170 uint64 + var x171 uint1 + x170, x171 = addcarryxU64(x146, x161, x169) + var x172 uint64 + var x173 uint1 + x172, x173 = addcarryxU64(x148, x163, x171) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x150, x165, x173) + var x176 uint64 + var x177 uint1 + x176, x177 = addcarryxU64(x152, x167, x175) + var x178 uint64 + _, x178 = bits.Mul64(x168, 0xd838091dd2253531) + var x180 uint64 + var x181 uint64 + x181, x180 = bits.Mul64(x178, 0xffffffffffffffff) + var x182 uint64 + var x183 uint64 + x183, x182 = bits.Mul64(x178, 0xffffffffffffffff) + var x184 uint64 + var x185 uint64 + x185, x184 = bits.Mul64(x178, 0xffffffffffffffff) + var x186 uint64 + var x187 uint64 + x187, x186 = bits.Mul64(x178, 0xfffffffefffffc2f) + var x188 uint64 + var x189 uint1 + x188, x189 = addcarryxU64(x187, x184, 0x0) + var x190 uint64 + var x191 uint1 + x190, x191 = addcarryxU64(x185, x182, x189) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(x183, x180, x191) + x194 := (uint64(x193) + x181) + var x196 uint1 + _, x196 = addcarryxU64(x168, x186, 0x0) + var x197 uint64 + var x198 uint1 + x197, x198 = addcarryxU64(x170, x188, x196) + var x199 uint64 + var x200 uint1 + x199, x200 = addcarryxU64(x172, x190, x198) + var x201 uint64 + var x202 uint1 + x201, x202 = addcarryxU64(x174, x192, x200) + var x203 uint64 + var x204 uint1 + x203, x204 = addcarryxU64(x176, x194, x202) + x205 := (uint64(x204) + uint64(x177)) + var x206 uint64 + var x207 uint1 + x206, x207 = subborrowxU64(x197, 0xfffffffefffffc2f, 0x0) + var x208 uint64 + var x209 uint1 + x208, x209 = subborrowxU64(x199, 0xffffffffffffffff, x207) + var x210 uint64 + var x211 uint1 + x210, x211 = 
subborrowxU64(x201, 0xffffffffffffffff, x209) + var x212 uint64 + var x213 uint1 + x212, x213 = subborrowxU64(x203, 0xffffffffffffffff, x211) + var x215 uint1 + _, x215 = subborrowxU64(x205, uint64(0x0), x213) + var x216 uint64 + cmovznzU64(&x216, x215, x206, x197) + var x217 uint64 + cmovznzU64(&x217, x215, x208, x199) + var x218 uint64 + cmovznzU64(&x218, x215, x210, x201) + var x219 uint64 + cmovznzU64(&x219, x215, x212, x203) + out1[0] = x216 + out1[1] = x217 + out1[2] = x218 + out1[3] = x219 } -/* - The function Square squares a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Square squares a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Square(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, (arg1[3])) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, (arg1[2])) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, (arg1[1])) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, (arg1[0])) - var x13 uint64 - var x14 uint1 - x13, x14 = addcarryxU64(x12, x9, 0x0) - var x15 uint64 - var x16 uint1 - x15, x16 = addcarryxU64(x10, x7, x14) - var x17 uint64 - var x18 uint1 - x17, x18 = addcarryxU64(x8, x5, x16) - var x19 uint64 = (uint64(x18) + x6) - var x20 uint64 - _, x20 = bits.Mul64(x11, 0xd838091dd2253531) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x20, 0xffffffffffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x20, 0xffffffffffffffff) - var x28 uint64 - var x29 uint64 - x29, x28 = bits.Mul64(x20, 0xfffffffefffffc2f) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x29, x26, 0x0) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(x27, x24, x31) - var x34 uint64 - var x35 uint1 - x34, x35 = addcarryxU64(x25, x22, x33) - var x36 uint64 = (uint64(x35) + x23) - var x38 uint1 - _, x38 = addcarryxU64(x11, x28, 0x0) - var x39 uint64 - var x40 uint1 - x39, x40 = addcarryxU64(x13, x30, x38) - var x41 uint64 - var x42 
uint1 - x41, x42 = addcarryxU64(x15, x32, x40) - var x43 uint64 - var x44 uint1 - x43, x44 = addcarryxU64(x17, x34, x42) - var x45 uint64 - var x46 uint1 - x45, x46 = addcarryxU64(x19, x36, x44) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x1, (arg1[3])) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x1, (arg1[2])) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64(x1, (arg1[1])) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64(x1, (arg1[0])) - var x55 uint64 - var x56 uint1 - x55, x56 = addcarryxU64(x54, x51, 0x0) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x52, x49, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x50, x47, x58) - var x61 uint64 = (uint64(x60) + x48) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x39, x53, 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x41, x55, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x43, x57, x65) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x45, x59, x67) - var x70 uint64 - var x71 uint1 - x70, x71 = addcarryxU64(uint64(x46), x61, x69) - var x72 uint64 - _, x72 = bits.Mul64(x62, 0xd838091dd2253531) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x72, 0xffffffffffffffff) - var x76 uint64 - var x77 uint64 - x77, x76 = bits.Mul64(x72, 0xffffffffffffffff) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64(x72, 0xffffffffffffffff) - var x80 uint64 - var x81 uint64 - x81, x80 = bits.Mul64(x72, 0xfffffffefffffc2f) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x81, x78, 0x0) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x79, x76, x83) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x77, x74, x85) - var x88 uint64 = (uint64(x87) + x75) - var x90 uint1 - _, x90 = addcarryxU64(x62, x80, 0x0) - var x91 uint64 - var x92 uint1 - x91, x92 = addcarryxU64(x64, x82, x90) - var x93 uint64 - var x94 uint1 - x93, x94 = addcarryxU64(x66, x84, x92) - var x95 
uint64 - var x96 uint1 - x95, x96 = addcarryxU64(x68, x86, x94) - var x97 uint64 - var x98 uint1 - x97, x98 = addcarryxU64(x70, x88, x96) - var x99 uint64 = (uint64(x98) + uint64(x71)) - var x100 uint64 - var x101 uint64 - x101, x100 = bits.Mul64(x2, (arg1[3])) - var x102 uint64 - var x103 uint64 - x103, x102 = bits.Mul64(x2, (arg1[2])) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64(x2, (arg1[1])) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x2, (arg1[0])) - var x108 uint64 - var x109 uint1 - x108, x109 = addcarryxU64(x107, x104, 0x0) - var x110 uint64 - var x111 uint1 - x110, x111 = addcarryxU64(x105, x102, x109) - var x112 uint64 - var x113 uint1 - x112, x113 = addcarryxU64(x103, x100, x111) - var x114 uint64 = (uint64(x113) + x101) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x91, x106, 0x0) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x93, x108, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(x95, x110, x118) - var x121 uint64 - var x122 uint1 - x121, x122 = addcarryxU64(x97, x112, x120) - var x123 uint64 - var x124 uint1 - x123, x124 = addcarryxU64(x99, x114, x122) - var x125 uint64 - _, x125 = bits.Mul64(x115, 0xd838091dd2253531) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x125, 0xffffffffffffffff) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x125, 0xffffffffffffffff) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x125, 0xffffffffffffffff) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x125, 0xfffffffefffffc2f) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x134, x131, 0x0) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x132, x129, x136) - var x139 uint64 - var x140 uint1 - x139, x140 = addcarryxU64(x130, x127, x138) - var x141 uint64 = (uint64(x140) + x128) - var x143 uint1 - _, x143 = addcarryxU64(x115, x133, 0x0) - var x144 uint64 - var x145 uint1 - x144, x145 = 
addcarryxU64(x117, x135, x143) - var x146 uint64 - var x147 uint1 - x146, x147 = addcarryxU64(x119, x137, x145) - var x148 uint64 - var x149 uint1 - x148, x149 = addcarryxU64(x121, x139, x147) - var x150 uint64 - var x151 uint1 - x150, x151 = addcarryxU64(x123, x141, x149) - var x152 uint64 = (uint64(x151) + uint64(x124)) - var x153 uint64 - var x154 uint64 - x154, x153 = bits.Mul64(x3, (arg1[3])) - var x155 uint64 - var x156 uint64 - x156, x155 = bits.Mul64(x3, (arg1[2])) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64(x3, (arg1[1])) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64(x3, (arg1[0])) - var x161 uint64 - var x162 uint1 - x161, x162 = addcarryxU64(x160, x157, 0x0) - var x163 uint64 - var x164 uint1 - x163, x164 = addcarryxU64(x158, x155, x162) - var x165 uint64 - var x166 uint1 - x165, x166 = addcarryxU64(x156, x153, x164) - var x167 uint64 = (uint64(x166) + x154) - var x168 uint64 - var x169 uint1 - x168, x169 = addcarryxU64(x144, x159, 0x0) - var x170 uint64 - var x171 uint1 - x170, x171 = addcarryxU64(x146, x161, x169) - var x172 uint64 - var x173 uint1 - x172, x173 = addcarryxU64(x148, x163, x171) - var x174 uint64 - var x175 uint1 - x174, x175 = addcarryxU64(x150, x165, x173) - var x176 uint64 - var x177 uint1 - x176, x177 = addcarryxU64(x152, x167, x175) - var x178 uint64 - _, x178 = bits.Mul64(x168, 0xd838091dd2253531) - var x180 uint64 - var x181 uint64 - x181, x180 = bits.Mul64(x178, 0xffffffffffffffff) - var x182 uint64 - var x183 uint64 - x183, x182 = bits.Mul64(x178, 0xffffffffffffffff) - var x184 uint64 - var x185 uint64 - x185, x184 = bits.Mul64(x178, 0xffffffffffffffff) - var x186 uint64 - var x187 uint64 - x187, x186 = bits.Mul64(x178, 0xfffffffefffffc2f) - var x188 uint64 - var x189 uint1 - x188, x189 = addcarryxU64(x187, x184, 0x0) - var x190 uint64 - var x191 uint1 - x190, x191 = addcarryxU64(x185, x182, x189) - var x192 uint64 - var x193 uint1 - x192, x193 = addcarryxU64(x183, x180, x191) - var x194 uint64 
= (uint64(x193) + x181) - var x196 uint1 - _, x196 = addcarryxU64(x168, x186, 0x0) - var x197 uint64 - var x198 uint1 - x197, x198 = addcarryxU64(x170, x188, x196) - var x199 uint64 - var x200 uint1 - x199, x200 = addcarryxU64(x172, x190, x198) - var x201 uint64 - var x202 uint1 - x201, x202 = addcarryxU64(x174, x192, x200) - var x203 uint64 - var x204 uint1 - x203, x204 = addcarryxU64(x176, x194, x202) - var x205 uint64 = (uint64(x204) + uint64(x177)) - var x206 uint64 - var x207 uint1 - x206, x207 = subborrowxU64(x197, 0xfffffffefffffc2f, 0x0) - var x208 uint64 - var x209 uint1 - x208, x209 = subborrowxU64(x199, 0xffffffffffffffff, x207) - var x210 uint64 - var x211 uint1 - x210, x211 = subborrowxU64(x201, 0xffffffffffffffff, x209) - var x212 uint64 - var x213 uint1 - x212, x213 = subborrowxU64(x203, 0xffffffffffffffff, x211) - var x215 uint1 - _, x215 = subborrowxU64(x205, uint64(0x0), x213) - var x216 uint64 - cmovznzU64(&x216, x215, x206, x197) - var x217 uint64 - cmovznzU64(&x217, x215, x208, x199) - var x218 uint64 - cmovznzU64(&x218, x215, x210, x201) - var x219 uint64 - cmovznzU64(&x219, x215, x212, x203) - out1[0] = x216 - out1[1] = x217 - out1[2] = x218 - out1[3] = x219 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, arg1[3]) + var x7 uint64 + var x8 uint64 + x8, x7 = bits.Mul64(x4, arg1[2]) + var x9 uint64 + var x10 uint64 + x10, x9 = bits.Mul64(x4, arg1[1]) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x4, arg1[0]) + var x13 uint64 + var x14 uint1 + x13, x14 = addcarryxU64(x12, x9, 0x0) + var x15 uint64 + var x16 uint1 + x15, x16 = addcarryxU64(x10, x7, x14) + var x17 uint64 + var x18 uint1 + x17, x18 = addcarryxU64(x8, x5, x16) + x19 := (uint64(x18) + x6) + var x20 uint64 + _, x20 = bits.Mul64(x11, 0xd838091dd2253531) + var x22 uint64 + var x23 uint64 + x23, x22 = bits.Mul64(x20, 0xffffffffffffffff) + var x24 uint64 + var x25 uint64 + x25, x24 = bits.Mul64(x20, 
0xffffffffffffffff) + var x26 uint64 + var x27 uint64 + x27, x26 = bits.Mul64(x20, 0xffffffffffffffff) + var x28 uint64 + var x29 uint64 + x29, x28 = bits.Mul64(x20, 0xfffffffefffffc2f) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x29, x26, 0x0) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(x27, x24, x31) + var x34 uint64 + var x35 uint1 + x34, x35 = addcarryxU64(x25, x22, x33) + x36 := (uint64(x35) + x23) + var x38 uint1 + _, x38 = addcarryxU64(x11, x28, 0x0) + var x39 uint64 + var x40 uint1 + x39, x40 = addcarryxU64(x13, x30, x38) + var x41 uint64 + var x42 uint1 + x41, x42 = addcarryxU64(x15, x32, x40) + var x43 uint64 + var x44 uint1 + x43, x44 = addcarryxU64(x17, x34, x42) + var x45 uint64 + var x46 uint1 + x45, x46 = addcarryxU64(x19, x36, x44) + var x47 uint64 + var x48 uint64 + x48, x47 = bits.Mul64(x1, arg1[3]) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(x1, arg1[2]) + var x51 uint64 + var x52 uint64 + x52, x51 = bits.Mul64(x1, arg1[1]) + var x53 uint64 + var x54 uint64 + x54, x53 = bits.Mul64(x1, arg1[0]) + var x55 uint64 + var x56 uint1 + x55, x56 = addcarryxU64(x54, x51, 0x0) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x52, x49, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x50, x47, x58) + x61 := (uint64(x60) + x48) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x39, x53, 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x41, x55, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x43, x57, x65) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x45, x59, x67) + var x70 uint64 + var x71 uint1 + x70, x71 = addcarryxU64(uint64(x46), x61, x69) + var x72 uint64 + _, x72 = bits.Mul64(x62, 0xd838091dd2253531) + var x74 uint64 + var x75 uint64 + x75, x74 = bits.Mul64(x72, 0xffffffffffffffff) + var x76 uint64 + var x77 uint64 + x77, x76 = bits.Mul64(x72, 0xffffffffffffffff) + var x78 uint64 + var x79 uint64 + x79, x78 = bits.Mul64(x72, 
0xffffffffffffffff) + var x80 uint64 + var x81 uint64 + x81, x80 = bits.Mul64(x72, 0xfffffffefffffc2f) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x81, x78, 0x0) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x79, x76, x83) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x77, x74, x85) + x88 := (uint64(x87) + x75) + var x90 uint1 + _, x90 = addcarryxU64(x62, x80, 0x0) + var x91 uint64 + var x92 uint1 + x91, x92 = addcarryxU64(x64, x82, x90) + var x93 uint64 + var x94 uint1 + x93, x94 = addcarryxU64(x66, x84, x92) + var x95 uint64 + var x96 uint1 + x95, x96 = addcarryxU64(x68, x86, x94) + var x97 uint64 + var x98 uint1 + x97, x98 = addcarryxU64(x70, x88, x96) + x99 := (uint64(x98) + uint64(x71)) + var x100 uint64 + var x101 uint64 + x101, x100 = bits.Mul64(x2, arg1[3]) + var x102 uint64 + var x103 uint64 + x103, x102 = bits.Mul64(x2, arg1[2]) + var x104 uint64 + var x105 uint64 + x105, x104 = bits.Mul64(x2, arg1[1]) + var x106 uint64 + var x107 uint64 + x107, x106 = bits.Mul64(x2, arg1[0]) + var x108 uint64 + var x109 uint1 + x108, x109 = addcarryxU64(x107, x104, 0x0) + var x110 uint64 + var x111 uint1 + x110, x111 = addcarryxU64(x105, x102, x109) + var x112 uint64 + var x113 uint1 + x112, x113 = addcarryxU64(x103, x100, x111) + x114 := (uint64(x113) + x101) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x91, x106, 0x0) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x93, x108, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(x95, x110, x118) + var x121 uint64 + var x122 uint1 + x121, x122 = addcarryxU64(x97, x112, x120) + var x123 uint64 + var x124 uint1 + x123, x124 = addcarryxU64(x99, x114, x122) + var x125 uint64 + _, x125 = bits.Mul64(x115, 0xd838091dd2253531) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(x125, 0xffffffffffffffff) + var x129 uint64 + var x130 uint64 + x130, x129 = bits.Mul64(x125, 0xffffffffffffffff) + var x131 uint64 + var x132 uint64 + 
x132, x131 = bits.Mul64(x125, 0xffffffffffffffff) + var x133 uint64 + var x134 uint64 + x134, x133 = bits.Mul64(x125, 0xfffffffefffffc2f) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x134, x131, 0x0) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x132, x129, x136) + var x139 uint64 + var x140 uint1 + x139, x140 = addcarryxU64(x130, x127, x138) + x141 := (uint64(x140) + x128) + var x143 uint1 + _, x143 = addcarryxU64(x115, x133, 0x0) + var x144 uint64 + var x145 uint1 + x144, x145 = addcarryxU64(x117, x135, x143) + var x146 uint64 + var x147 uint1 + x146, x147 = addcarryxU64(x119, x137, x145) + var x148 uint64 + var x149 uint1 + x148, x149 = addcarryxU64(x121, x139, x147) + var x150 uint64 + var x151 uint1 + x150, x151 = addcarryxU64(x123, x141, x149) + x152 := (uint64(x151) + uint64(x124)) + var x153 uint64 + var x154 uint64 + x154, x153 = bits.Mul64(x3, arg1[3]) + var x155 uint64 + var x156 uint64 + x156, x155 = bits.Mul64(x3, arg1[2]) + var x157 uint64 + var x158 uint64 + x158, x157 = bits.Mul64(x3, arg1[1]) + var x159 uint64 + var x160 uint64 + x160, x159 = bits.Mul64(x3, arg1[0]) + var x161 uint64 + var x162 uint1 + x161, x162 = addcarryxU64(x160, x157, 0x0) + var x163 uint64 + var x164 uint1 + x163, x164 = addcarryxU64(x158, x155, x162) + var x165 uint64 + var x166 uint1 + x165, x166 = addcarryxU64(x156, x153, x164) + x167 := (uint64(x166) + x154) + var x168 uint64 + var x169 uint1 + x168, x169 = addcarryxU64(x144, x159, 0x0) + var x170 uint64 + var x171 uint1 + x170, x171 = addcarryxU64(x146, x161, x169) + var x172 uint64 + var x173 uint1 + x172, x173 = addcarryxU64(x148, x163, x171) + var x174 uint64 + var x175 uint1 + x174, x175 = addcarryxU64(x150, x165, x173) + var x176 uint64 + var x177 uint1 + x176, x177 = addcarryxU64(x152, x167, x175) + var x178 uint64 + _, x178 = bits.Mul64(x168, 0xd838091dd2253531) + var x180 uint64 + var x181 uint64 + x181, x180 = bits.Mul64(x178, 0xffffffffffffffff) + var x182 uint64 + var x183 
uint64 + x183, x182 = bits.Mul64(x178, 0xffffffffffffffff) + var x184 uint64 + var x185 uint64 + x185, x184 = bits.Mul64(x178, 0xffffffffffffffff) + var x186 uint64 + var x187 uint64 + x187, x186 = bits.Mul64(x178, 0xfffffffefffffc2f) + var x188 uint64 + var x189 uint1 + x188, x189 = addcarryxU64(x187, x184, 0x0) + var x190 uint64 + var x191 uint1 + x190, x191 = addcarryxU64(x185, x182, x189) + var x192 uint64 + var x193 uint1 + x192, x193 = addcarryxU64(x183, x180, x191) + x194 := (uint64(x193) + x181) + var x196 uint1 + _, x196 = addcarryxU64(x168, x186, 0x0) + var x197 uint64 + var x198 uint1 + x197, x198 = addcarryxU64(x170, x188, x196) + var x199 uint64 + var x200 uint1 + x199, x200 = addcarryxU64(x172, x190, x198) + var x201 uint64 + var x202 uint1 + x201, x202 = addcarryxU64(x174, x192, x200) + var x203 uint64 + var x204 uint1 + x203, x204 = addcarryxU64(x176, x194, x202) + x205 := (uint64(x204) + uint64(x177)) + var x206 uint64 + var x207 uint1 + x206, x207 = subborrowxU64(x197, 0xfffffffefffffc2f, 0x0) + var x208 uint64 + var x209 uint1 + x208, x209 = subborrowxU64(x199, 0xffffffffffffffff, x207) + var x210 uint64 + var x211 uint1 + x210, x211 = subborrowxU64(x201, 0xffffffffffffffff, x209) + var x212 uint64 + var x213 uint1 + x212, x213 = subborrowxU64(x203, 0xffffffffffffffff, x211) + var x215 uint1 + _, x215 = subborrowxU64(x205, uint64(0x0), x213) + var x216 uint64 + cmovznzU64(&x216, x215, x206, x197) + var x217 uint64 + cmovznzU64(&x217, x215, x208, x199) + var x218 uint64 + cmovznzU64(&x218, x215, x210, x201) + var x219 uint64 + cmovznzU64(&x219, x215, x212, x203) + out1[0] = x216 + out1[1] = x217 + out1[2] = x218 + out1[3] = x219 } -/* - The function Add adds two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Add adds two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Add(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = addcarryxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = addcarryxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = addcarryxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = addcarryxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - var x10 uint1 - x9, x10 = subborrowxU64(x1, 0xfffffffefffffc2f, 0x0) - var x11 uint64 - var x12 uint1 - x11, x12 = subborrowxU64(x3, 0xffffffffffffffff, x10) - var x13 uint64 - var x14 uint1 - x13, x14 = subborrowxU64(x5, 0xffffffffffffffff, x12) - var x15 uint64 - var x16 
uint1 - x15, x16 = subborrowxU64(x7, 0xffffffffffffffff, x14) - var x18 uint1 - _, x18 = subborrowxU64(uint64(x8), uint64(0x0), x16) - var x19 uint64 - cmovznzU64(&x19, x18, x9, x1) - var x20 uint64 - cmovznzU64(&x20, x18, x11, x3) - var x21 uint64 - cmovznzU64(&x21, x18, x13, x5) - var x22 uint64 - cmovznzU64(&x22, x18, x15, x7) - out1[0] = x19 - out1[1] = x20 - out1[2] = x21 - out1[3] = x22 + var x1 uint64 + var x2 uint1 + x1, x2 = addcarryxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = addcarryxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = addcarryxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = addcarryxU64(arg1[3], arg2[3], x6) + var x9 uint64 + var x10 uint1 + x9, x10 = subborrowxU64(x1, 0xfffffffefffffc2f, 0x0) + var x11 uint64 + var x12 uint1 + x11, x12 = subborrowxU64(x3, 0xffffffffffffffff, x10) + var x13 uint64 + var x14 uint1 + x13, x14 = subborrowxU64(x5, 0xffffffffffffffff, x12) + var x15 uint64 + var x16 uint1 + x15, x16 = subborrowxU64(x7, 0xffffffffffffffff, x14) + var x18 uint1 + _, x18 = subborrowxU64(uint64(x8), uint64(0x0), x16) + var x19 uint64 + cmovznzU64(&x19, x18, x9, x1) + var x20 uint64 + cmovznzU64(&x20, x18, x11, x3) + var x21 uint64 + cmovznzU64(&x21, x18, x13, x5) + var x22 uint64 + cmovznzU64(&x22, x18, x15, x7) + out1[0] = x19 + out1[1] = x20 + out1[2] = x21 + out1[3] = x22 } -/* - The function Sub subtracts two field elements in the Montgomery domain. 
- Preconditions: - 0 ≤ eval arg1 < m - 0 ≤ eval arg2 < m - Postconditions: - eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Sub subtracts two field elements in the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// 0 ≤ eval arg2 < m +// Postconditions: +// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Sub(out1 *[4]uint64, arg1 *[4]uint64, arg2 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64((arg1[0]), (arg2[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64((arg1[1]), (arg2[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64((arg1[2]), (arg2[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64((arg1[3]), (arg2[3]), x6) - var x9 uint64 - cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint1 - x10, x11 = addcarryxU64(x1, (x9 & 0xfffffffefffffc2f), 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x3, x9, x11) - var x14 uint64 - var x15 uint1 - x14, x15 
= addcarryxU64(x5, x9, x13) - var x16 uint64 - x16, _ = addcarryxU64(x7, x9, x15) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(arg1[0], arg2[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(arg1[1], arg2[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(arg1[2], arg2[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(arg1[3], arg2[3], x6) + var x9 uint64 + cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) + var x10 uint64 + var x11 uint1 + x10, x11 = addcarryxU64(x1, (x9 & 0xfffffffefffffc2f), 0x0) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(x3, x9, x11) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x5, x9, x13) + var x16 uint64 + x16, _ = addcarryxU64(x7, x9, x15) + out1[0] = x10 + out1[1] = x12 + out1[2] = x14 + out1[3] = x16 } -/* - The function Opp negates a field element in the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Opp negates a field element in the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Opp(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 - var x2 uint1 - x1, x2 = subborrowxU64(uint64(0x0), (arg1[0]), 0x0) - var x3 uint64 - var x4 uint1 - x3, x4 = subborrowxU64(uint64(0x0), (arg1[1]), x2) - var x5 uint64 - var x6 uint1 - x5, x6 = subborrowxU64(uint64(0x0), (arg1[2]), x4) - var x7 uint64 - var x8 uint1 - x7, x8 = subborrowxU64(uint64(0x0), (arg1[3]), x6) - var x9 uint64 - cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint1 - x10, x11 = addcarryxU64(x1, (x9 & 0xfffffffefffffc2f), 0x0) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x3, x9, x11) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(x5, x9, x13) - var x16 uint64 - x16, _ = addcarryxU64(x7, x9, x15) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 + var x1 uint64 + var x2 uint1 + x1, x2 = subborrowxU64(uint64(0x0), arg1[0], 0x0) + var x3 uint64 + var x4 uint1 + x3, x4 = subborrowxU64(uint64(0x0), arg1[1], x2) + var x5 uint64 + var x6 uint1 + x5, x6 = subborrowxU64(uint64(0x0), arg1[2], x4) + var x7 uint64 + var x8 uint1 + x7, x8 = subborrowxU64(uint64(0x0), arg1[3], x6) + var x9 uint64 + cmovznzU64(&x9, x8, uint64(0x0), 0xffffffffffffffff) + var x10 uint64 + var x11 uint1 + x10, x11 = addcarryxU64(x1, (x9 & 0xfffffffefffffc2f), 0x0) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(x3, x9, x11) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x5, x9, x13) + var x16 uint64 + x16, _ = addcarryxU64(x7, x9, x15) + out1[0] = x10 + out1[1] = x12 + 
out1[2] = x14 + out1[3] = x16 } -/* - The function FromMontgomery translates a field element out of the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromMontgomery translates a field element out of the Montgomery domain. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromMontgomery(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[0]) - var x2 uint64 - _, x2 = bits.Mul64(x1, 0xd838091dd2253531) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x2, 0xffffffffffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x2, 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x2, 0xfffffffefffffc2f) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(x11, x8, 0x0) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(x9, x6, x13) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(x7, x4, x15) - var x19 uint1 - _, x19 = addcarryxU64(x1, x10, 0x0) - var x20 uint64 - var x21 uint1 - x20, x21 = addcarryxU64(uint64(0x0), x12, x19) - var x22 uint64 - var x23 uint1 - x22, x23 = addcarryxU64(uint64(0x0), x14, x21) - var x24 uint64 - var 
x25 uint1 - x24, x25 = addcarryxU64(uint64(0x0), x16, x23) - var x26 uint64 - var x27 uint1 - x26, x27 = addcarryxU64(uint64(0x0), (uint64(x17) + x5), x25) - var x28 uint64 - var x29 uint1 - x28, x29 = addcarryxU64(x20, (arg1[1]), 0x0) - var x30 uint64 - var x31 uint1 - x30, x31 = addcarryxU64(x22, uint64(0x0), x29) - var x32 uint64 - var x33 uint1 - x32, x33 = addcarryxU64(x24, uint64(0x0), x31) - var x34 uint64 - var x35 uint1 - x34, x35 = addcarryxU64(x26, uint64(0x0), x33) - var x36 uint64 - _, x36 = bits.Mul64(x28, 0xd838091dd2253531) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x36, 0xffffffffffffffff) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x36, 0xffffffffffffffff) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x36, 0xffffffffffffffff) - var x44 uint64 - var x45 uint64 - x45, x44 = bits.Mul64(x36, 0xfffffffefffffc2f) - var x46 uint64 - var x47 uint1 - x46, x47 = addcarryxU64(x45, x42, 0x0) - var x48 uint64 - var x49 uint1 - x48, x49 = addcarryxU64(x43, x40, x47) - var x50 uint64 - var x51 uint1 - x50, x51 = addcarryxU64(x41, x38, x49) - var x53 uint1 - _, x53 = addcarryxU64(x28, x44, 0x0) - var x54 uint64 - var x55 uint1 - x54, x55 = addcarryxU64(x30, x46, x53) - var x56 uint64 - var x57 uint1 - x56, x57 = addcarryxU64(x32, x48, x55) - var x58 uint64 - var x59 uint1 - x58, x59 = addcarryxU64(x34, x50, x57) - var x60 uint64 - var x61 uint1 - x60, x61 = addcarryxU64((uint64(x35) + uint64(x27)), (uint64(x51) + x39), x59) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x54, (arg1[2]), 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x56, uint64(0x0), x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x58, uint64(0x0), x65) - var x68 uint64 - var x69 uint1 - x68, x69 = addcarryxU64(x60, uint64(0x0), x67) - var x70 uint64 - _, x70 = bits.Mul64(x62, 0xd838091dd2253531) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x70, 0xffffffffffffffff) - var x74 uint64 - var x75 uint64 - 
x75, x74 = bits.Mul64(x70, 0xffffffffffffffff) - var x76 uint64 - var x77 uint64 - x77, x76 = bits.Mul64(x70, 0xffffffffffffffff) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64(x70, 0xfffffffefffffc2f) - var x80 uint64 - var x81 uint1 - x80, x81 = addcarryxU64(x79, x76, 0x0) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x77, x74, x81) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x75, x72, x83) - var x87 uint1 - _, x87 = addcarryxU64(x62, x78, 0x0) - var x88 uint64 - var x89 uint1 - x88, x89 = addcarryxU64(x64, x80, x87) - var x90 uint64 - var x91 uint1 - x90, x91 = addcarryxU64(x66, x82, x89) - var x92 uint64 - var x93 uint1 - x92, x93 = addcarryxU64(x68, x84, x91) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64((uint64(x69) + uint64(x61)), (uint64(x85) + x73), x93) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x88, (arg1[3]), 0x0) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x90, uint64(0x0), x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x92, uint64(0x0), x99) - var x102 uint64 - var x103 uint1 - x102, x103 = addcarryxU64(x94, uint64(0x0), x101) - var x104 uint64 - _, x104 = bits.Mul64(x96, 0xd838091dd2253531) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x104, 0xffffffffffffffff) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x104, 0xffffffffffffffff) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x104, 0xffffffffffffffff) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x104, 0xfffffffefffffc2f) - var x114 uint64 - var x115 uint1 - x114, x115 = addcarryxU64(x113, x110, 0x0) - var x116 uint64 - var x117 uint1 - x116, x117 = addcarryxU64(x111, x108, x115) - var x118 uint64 - var x119 uint1 - x118, x119 = addcarryxU64(x109, x106, x117) - var x121 uint1 - _, x121 = addcarryxU64(x96, x112, 0x0) - var x122 uint64 - var x123 uint1 - x122, x123 = addcarryxU64(x98, x114, x121) - var x124 uint64 - var x125 uint1 - 
x124, x125 = addcarryxU64(x100, x116, x123) - var x126 uint64 - var x127 uint1 - x126, x127 = addcarryxU64(x102, x118, x125) - var x128 uint64 - var x129 uint1 - x128, x129 = addcarryxU64((uint64(x103) + uint64(x95)), (uint64(x119) + x107), x127) - var x130 uint64 - var x131 uint1 - x130, x131 = subborrowxU64(x122, 0xfffffffefffffc2f, 0x0) - var x132 uint64 - var x133 uint1 - x132, x133 = subborrowxU64(x124, 0xffffffffffffffff, x131) - var x134 uint64 - var x135 uint1 - x134, x135 = subborrowxU64(x126, 0xffffffffffffffff, x133) - var x136 uint64 - var x137 uint1 - x136, x137 = subborrowxU64(x128, 0xffffffffffffffff, x135) - var x139 uint1 - _, x139 = subborrowxU64(uint64(x129), uint64(0x0), x137) - var x140 uint64 - cmovznzU64(&x140, x139, x130, x122) - var x141 uint64 - cmovznzU64(&x141, x139, x132, x124) - var x142 uint64 - cmovznzU64(&x142, x139, x134, x126) - var x143 uint64 - cmovznzU64(&x143, x139, x136, x128) - out1[0] = x140 - out1[1] = x141 - out1[2] = x142 - out1[3] = x143 + x1 := arg1[0] + var x2 uint64 + _, x2 = bits.Mul64(x1, 0xd838091dd2253531) + var x4 uint64 + var x5 uint64 + x5, x4 = bits.Mul64(x2, 0xffffffffffffffff) + var x6 uint64 + var x7 uint64 + x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) + var x8 uint64 + var x9 uint64 + x9, x8 = bits.Mul64(x2, 0xffffffffffffffff) + var x10 uint64 + var x11 uint64 + x11, x10 = bits.Mul64(x2, 0xfffffffefffffc2f) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(x11, x8, 0x0) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(x9, x6, x13) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(x7, x4, x15) + var x19 uint1 + _, x19 = addcarryxU64(x1, x10, 0x0) + var x20 uint64 + var x21 uint1 + x20, x21 = addcarryxU64(uint64(0x0), x12, x19) + var x22 uint64 + var x23 uint1 + x22, x23 = addcarryxU64(uint64(0x0), x14, x21) + var x24 uint64 + var x25 uint1 + x24, x25 = addcarryxU64(uint64(0x0), x16, x23) + var x26 uint64 + var x27 uint1 + x26, x27 = addcarryxU64(uint64(0x0), (uint64(x17) + x5), 
x25) + var x28 uint64 + var x29 uint1 + x28, x29 = addcarryxU64(x20, arg1[1], 0x0) + var x30 uint64 + var x31 uint1 + x30, x31 = addcarryxU64(x22, uint64(0x0), x29) + var x32 uint64 + var x33 uint1 + x32, x33 = addcarryxU64(x24, uint64(0x0), x31) + var x34 uint64 + var x35 uint1 + x34, x35 = addcarryxU64(x26, uint64(0x0), x33) + var x36 uint64 + _, x36 = bits.Mul64(x28, 0xd838091dd2253531) + var x38 uint64 + var x39 uint64 + x39, x38 = bits.Mul64(x36, 0xffffffffffffffff) + var x40 uint64 + var x41 uint64 + x41, x40 = bits.Mul64(x36, 0xffffffffffffffff) + var x42 uint64 + var x43 uint64 + x43, x42 = bits.Mul64(x36, 0xffffffffffffffff) + var x44 uint64 + var x45 uint64 + x45, x44 = bits.Mul64(x36, 0xfffffffefffffc2f) + var x46 uint64 + var x47 uint1 + x46, x47 = addcarryxU64(x45, x42, 0x0) + var x48 uint64 + var x49 uint1 + x48, x49 = addcarryxU64(x43, x40, x47) + var x50 uint64 + var x51 uint1 + x50, x51 = addcarryxU64(x41, x38, x49) + var x53 uint1 + _, x53 = addcarryxU64(x28, x44, 0x0) + var x54 uint64 + var x55 uint1 + x54, x55 = addcarryxU64(x30, x46, x53) + var x56 uint64 + var x57 uint1 + x56, x57 = addcarryxU64(x32, x48, x55) + var x58 uint64 + var x59 uint1 + x58, x59 = addcarryxU64(x34, x50, x57) + var x60 uint64 + var x61 uint1 + x60, x61 = addcarryxU64((uint64(x35) + uint64(x27)), (uint64(x51) + x39), x59) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x54, arg1[2], 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x56, uint64(0x0), x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x58, uint64(0x0), x65) + var x68 uint64 + var x69 uint1 + x68, x69 = addcarryxU64(x60, uint64(0x0), x67) + var x70 uint64 + _, x70 = bits.Mul64(x62, 0xd838091dd2253531) + var x72 uint64 + var x73 uint64 + x73, x72 = bits.Mul64(x70, 0xffffffffffffffff) + var x74 uint64 + var x75 uint64 + x75, x74 = bits.Mul64(x70, 0xffffffffffffffff) + var x76 uint64 + var x77 uint64 + x77, x76 = bits.Mul64(x70, 0xffffffffffffffff) + var x78 uint64 + var 
x79 uint64 + x79, x78 = bits.Mul64(x70, 0xfffffffefffffc2f) + var x80 uint64 + var x81 uint1 + x80, x81 = addcarryxU64(x79, x76, 0x0) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x77, x74, x81) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x75, x72, x83) + var x87 uint1 + _, x87 = addcarryxU64(x62, x78, 0x0) + var x88 uint64 + var x89 uint1 + x88, x89 = addcarryxU64(x64, x80, x87) + var x90 uint64 + var x91 uint1 + x90, x91 = addcarryxU64(x66, x82, x89) + var x92 uint64 + var x93 uint1 + x92, x93 = addcarryxU64(x68, x84, x91) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64((uint64(x69) + uint64(x61)), (uint64(x85) + x73), x93) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x88, arg1[3], 0x0) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x90, uint64(0x0), x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x92, uint64(0x0), x99) + var x102 uint64 + var x103 uint1 + x102, x103 = addcarryxU64(x94, uint64(0x0), x101) + var x104 uint64 + _, x104 = bits.Mul64(x96, 0xd838091dd2253531) + var x106 uint64 + var x107 uint64 + x107, x106 = bits.Mul64(x104, 0xffffffffffffffff) + var x108 uint64 + var x109 uint64 + x109, x108 = bits.Mul64(x104, 0xffffffffffffffff) + var x110 uint64 + var x111 uint64 + x111, x110 = bits.Mul64(x104, 0xffffffffffffffff) + var x112 uint64 + var x113 uint64 + x113, x112 = bits.Mul64(x104, 0xfffffffefffffc2f) + var x114 uint64 + var x115 uint1 + x114, x115 = addcarryxU64(x113, x110, 0x0) + var x116 uint64 + var x117 uint1 + x116, x117 = addcarryxU64(x111, x108, x115) + var x118 uint64 + var x119 uint1 + x118, x119 = addcarryxU64(x109, x106, x117) + var x121 uint1 + _, x121 = addcarryxU64(x96, x112, 0x0) + var x122 uint64 + var x123 uint1 + x122, x123 = addcarryxU64(x98, x114, x121) + var x124 uint64 + var x125 uint1 + x124, x125 = addcarryxU64(x100, x116, x123) + var x126 uint64 + var x127 uint1 + x126, x127 = addcarryxU64(x102, x118, x125) + var x128 uint64 + var x129 
uint1 + x128, x129 = addcarryxU64((uint64(x103) + uint64(x95)), (uint64(x119) + x107), x127) + var x130 uint64 + var x131 uint1 + x130, x131 = subborrowxU64(x122, 0xfffffffefffffc2f, 0x0) + var x132 uint64 + var x133 uint1 + x132, x133 = subborrowxU64(x124, 0xffffffffffffffff, x131) + var x134 uint64 + var x135 uint1 + x134, x135 = subborrowxU64(x126, 0xffffffffffffffff, x133) + var x136 uint64 + var x137 uint1 + x136, x137 = subborrowxU64(x128, 0xffffffffffffffff, x135) + var x139 uint1 + _, x139 = subborrowxU64(uint64(x129), uint64(0x0), x137) + var x140 uint64 + cmovznzU64(&x140, x139, x130, x122) + var x141 uint64 + cmovznzU64(&x141, x139, x132, x124) + var x142 uint64 + cmovznzU64(&x142, x139, x134, x126) + var x143 uint64 + cmovznzU64(&x143, x139, x136, x128) + out1[0] = x140 + out1[1] = x141 + out1[2] = x142 + out1[3] = x143 } -/* - The function ToMontgomery translates a field element into the Montgomery domain. - Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - eval (from_montgomery out1) mod m = eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// ToMontgomery translates a field element into the Montgomery domain. 
+// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// eval (from_montgomery out1) mod m = eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func ToMontgomery(out1 *[4]uint64, arg1 *[4]uint64) { - var x1 uint64 = (arg1[1]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[3]) - var x4 uint64 = (arg1[0]) - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, 0x7a2000e90a1) - var x7 uint64 - var x8 uint1 - x7, x8 = addcarryxU64(x6, x4, 0x0) - var x9 uint64 - _, x9 = bits.Mul64(x5, 0xd838091dd2253531) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x9, 0xffffffffffffffff) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x9, 0xffffffffffffffff) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64(x9, 0xffffffffffffffff) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64(x9, 0xfffffffefffffc2f) - var x19 uint64 - var x20 uint1 - x19, x20 = addcarryxU64(x18, x15, 0x0) - var x21 uint64 - var x22 uint1 - x21, x22 = addcarryxU64(x16, x13, x20) - var x23 uint64 - var x24 uint1 - x23, x24 = addcarryxU64(x14, x11, x22) - var x26 uint1 - _, x26 = addcarryxU64(x5, x17, 0x0) - var x27 uint64 - var x28 uint1 - x27, x28 = addcarryxU64(x7, x19, x26) - var x29 uint64 - var x30 uint1 - x29, x30 = addcarryxU64(uint64(x8), x21, x28) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(uint64(0x0), x23, x30) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(uint64(0x0), (uint64(x24) + x12), x32) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64(x1, 0x7a2000e90a1) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x36, x1, 0x0) - var x39 uint64 - var x40 uint1 - x39, x40 = addcarryxU64(x27, x35, 0x0) - var x41 uint64 - var x42 
uint1 - x41, x42 = addcarryxU64(x29, x37, x40) - var x43 uint64 - var x44 uint1 - x43, x44 = addcarryxU64(x31, uint64(x38), x42) - var x45 uint64 - var x46 uint1 - x45, x46 = addcarryxU64(x33, uint64(0x0), x44) - var x47 uint64 - _, x47 = bits.Mul64(x39, 0xd838091dd2253531) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x47, 0xffffffffffffffff) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64(x47, 0xffffffffffffffff) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64(x47, 0xffffffffffffffff) - var x55 uint64 - var x56 uint64 - x56, x55 = bits.Mul64(x47, 0xfffffffefffffc2f) - var x57 uint64 - var x58 uint1 - x57, x58 = addcarryxU64(x56, x53, 0x0) - var x59 uint64 - var x60 uint1 - x59, x60 = addcarryxU64(x54, x51, x58) - var x61 uint64 - var x62 uint1 - x61, x62 = addcarryxU64(x52, x49, x60) - var x64 uint1 - _, x64 = addcarryxU64(x39, x55, 0x0) - var x65 uint64 - var x66 uint1 - x65, x66 = addcarryxU64(x41, x57, x64) - var x67 uint64 - var x68 uint1 - x67, x68 = addcarryxU64(x43, x59, x66) - var x69 uint64 - var x70 uint1 - x69, x70 = addcarryxU64(x45, x61, x68) - var x71 uint64 - var x72 uint1 - x71, x72 = addcarryxU64((uint64(x46) + uint64(x34)), (uint64(x62) + x50), x70) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64(x2, 0x7a2000e90a1) - var x75 uint64 - var x76 uint1 - x75, x76 = addcarryxU64(x74, x2, 0x0) - var x77 uint64 - var x78 uint1 - x77, x78 = addcarryxU64(x65, x73, 0x0) - var x79 uint64 - var x80 uint1 - x79, x80 = addcarryxU64(x67, x75, x78) - var x81 uint64 - var x82 uint1 - x81, x82 = addcarryxU64(x69, uint64(x76), x80) - var x83 uint64 - var x84 uint1 - x83, x84 = addcarryxU64(x71, uint64(0x0), x82) - var x85 uint64 - _, x85 = bits.Mul64(x77, 0xd838091dd2253531) - var x87 uint64 - var x88 uint64 - x88, x87 = bits.Mul64(x85, 0xffffffffffffffff) - var x89 uint64 - var x90 uint64 - x90, x89 = bits.Mul64(x85, 0xffffffffffffffff) - var x91 uint64 - var x92 uint64 - x92, x91 = bits.Mul64(x85, 0xffffffffffffffff) - 
var x93 uint64 - var x94 uint64 - x94, x93 = bits.Mul64(x85, 0xfffffffefffffc2f) - var x95 uint64 - var x96 uint1 - x95, x96 = addcarryxU64(x94, x91, 0x0) - var x97 uint64 - var x98 uint1 - x97, x98 = addcarryxU64(x92, x89, x96) - var x99 uint64 - var x100 uint1 - x99, x100 = addcarryxU64(x90, x87, x98) - var x102 uint1 - _, x102 = addcarryxU64(x77, x93, 0x0) - var x103 uint64 - var x104 uint1 - x103, x104 = addcarryxU64(x79, x95, x102) - var x105 uint64 - var x106 uint1 - x105, x106 = addcarryxU64(x81, x97, x104) - var x107 uint64 - var x108 uint1 - x107, x108 = addcarryxU64(x83, x99, x106) - var x109 uint64 - var x110 uint1 - x109, x110 = addcarryxU64((uint64(x84) + uint64(x72)), (uint64(x100) + x88), x108) - var x111 uint64 - var x112 uint64 - x112, x111 = bits.Mul64(x3, 0x7a2000e90a1) - var x113 uint64 - var x114 uint1 - x113, x114 = addcarryxU64(x112, x3, 0x0) - var x115 uint64 - var x116 uint1 - x115, x116 = addcarryxU64(x103, x111, 0x0) - var x117 uint64 - var x118 uint1 - x117, x118 = addcarryxU64(x105, x113, x116) - var x119 uint64 - var x120 uint1 - x119, x120 = addcarryxU64(x107, uint64(x114), x118) - var x121 uint64 - var x122 uint1 - x121, x122 = addcarryxU64(x109, uint64(0x0), x120) - var x123 uint64 - _, x123 = bits.Mul64(x115, 0xd838091dd2253531) - var x125 uint64 - var x126 uint64 - x126, x125 = bits.Mul64(x123, 0xffffffffffffffff) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x123, 0xffffffffffffffff) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x123, 0xffffffffffffffff) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x123, 0xfffffffefffffc2f) - var x133 uint64 - var x134 uint1 - x133, x134 = addcarryxU64(x132, x129, 0x0) - var x135 uint64 - var x136 uint1 - x135, x136 = addcarryxU64(x130, x127, x134) - var x137 uint64 - var x138 uint1 - x137, x138 = addcarryxU64(x128, x125, x136) - var x140 uint1 - _, x140 = addcarryxU64(x115, x131, 0x0) - var x141 uint64 - var x142 uint1 - x141, x142 = 
addcarryxU64(x117, x133, x140) - var x143 uint64 - var x144 uint1 - x143, x144 = addcarryxU64(x119, x135, x142) - var x145 uint64 - var x146 uint1 - x145, x146 = addcarryxU64(x121, x137, x144) - var x147 uint64 - var x148 uint1 - x147, x148 = addcarryxU64((uint64(x122) + uint64(x110)), (uint64(x138) + x126), x146) - var x149 uint64 - var x150 uint1 - x149, x150 = subborrowxU64(x141, 0xfffffffefffffc2f, 0x0) - var x151 uint64 - var x152 uint1 - x151, x152 = subborrowxU64(x143, 0xffffffffffffffff, x150) - var x153 uint64 - var x154 uint1 - x153, x154 = subborrowxU64(x145, 0xffffffffffffffff, x152) - var x155 uint64 - var x156 uint1 - x155, x156 = subborrowxU64(x147, 0xffffffffffffffff, x154) - var x158 uint1 - _, x158 = subborrowxU64(uint64(x148), uint64(0x0), x156) - var x159 uint64 - cmovznzU64(&x159, x158, x149, x141) - var x160 uint64 - cmovznzU64(&x160, x158, x151, x143) - var x161 uint64 - cmovznzU64(&x161, x158, x153, x145) - var x162 uint64 - cmovznzU64(&x162, x158, x155, x147) - out1[0] = x159 - out1[1] = x160 - out1[2] = x161 - out1[3] = x162 + x1 := arg1[1] + x2 := arg1[2] + x3 := arg1[3] + x4 := arg1[0] + var x5 uint64 + var x6 uint64 + x6, x5 = bits.Mul64(x4, 0x7a2000e90a1) + var x7 uint64 + var x8 uint1 + x7, x8 = addcarryxU64(x6, x4, 0x0) + var x9 uint64 + _, x9 = bits.Mul64(x5, 0xd838091dd2253531) + var x11 uint64 + var x12 uint64 + x12, x11 = bits.Mul64(x9, 0xffffffffffffffff) + var x13 uint64 + var x14 uint64 + x14, x13 = bits.Mul64(x9, 0xffffffffffffffff) + var x15 uint64 + var x16 uint64 + x16, x15 = bits.Mul64(x9, 0xffffffffffffffff) + var x17 uint64 + var x18 uint64 + x18, x17 = bits.Mul64(x9, 0xfffffffefffffc2f) + var x19 uint64 + var x20 uint1 + x19, x20 = addcarryxU64(x18, x15, 0x0) + var x21 uint64 + var x22 uint1 + x21, x22 = addcarryxU64(x16, x13, x20) + var x23 uint64 + var x24 uint1 + x23, x24 = addcarryxU64(x14, x11, x22) + var x26 uint1 + _, x26 = addcarryxU64(x5, x17, 0x0) + var x27 uint64 + var x28 uint1 + x27, x28 = addcarryxU64(x7, 
x19, x26) + var x29 uint64 + var x30 uint1 + x29, x30 = addcarryxU64(uint64(x8), x21, x28) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(uint64(0x0), x23, x30) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(uint64(0x0), (uint64(x24) + x12), x32) + var x35 uint64 + var x36 uint64 + x36, x35 = bits.Mul64(x1, 0x7a2000e90a1) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x36, x1, 0x0) + var x39 uint64 + var x40 uint1 + x39, x40 = addcarryxU64(x27, x35, 0x0) + var x41 uint64 + var x42 uint1 + x41, x42 = addcarryxU64(x29, x37, x40) + var x43 uint64 + var x44 uint1 + x43, x44 = addcarryxU64(x31, uint64(x38), x42) + var x45 uint64 + var x46 uint1 + x45, x46 = addcarryxU64(x33, uint64(0x0), x44) + var x47 uint64 + _, x47 = bits.Mul64(x39, 0xd838091dd2253531) + var x49 uint64 + var x50 uint64 + x50, x49 = bits.Mul64(x47, 0xffffffffffffffff) + var x51 uint64 + var x52 uint64 + x52, x51 = bits.Mul64(x47, 0xffffffffffffffff) + var x53 uint64 + var x54 uint64 + x54, x53 = bits.Mul64(x47, 0xffffffffffffffff) + var x55 uint64 + var x56 uint64 + x56, x55 = bits.Mul64(x47, 0xfffffffefffffc2f) + var x57 uint64 + var x58 uint1 + x57, x58 = addcarryxU64(x56, x53, 0x0) + var x59 uint64 + var x60 uint1 + x59, x60 = addcarryxU64(x54, x51, x58) + var x61 uint64 + var x62 uint1 + x61, x62 = addcarryxU64(x52, x49, x60) + var x64 uint1 + _, x64 = addcarryxU64(x39, x55, 0x0) + var x65 uint64 + var x66 uint1 + x65, x66 = addcarryxU64(x41, x57, x64) + var x67 uint64 + var x68 uint1 + x67, x68 = addcarryxU64(x43, x59, x66) + var x69 uint64 + var x70 uint1 + x69, x70 = addcarryxU64(x45, x61, x68) + var x71 uint64 + var x72 uint1 + x71, x72 = addcarryxU64((uint64(x46) + uint64(x34)), (uint64(x62) + x50), x70) + var x73 uint64 + var x74 uint64 + x74, x73 = bits.Mul64(x2, 0x7a2000e90a1) + var x75 uint64 + var x76 uint1 + x75, x76 = addcarryxU64(x74, x2, 0x0) + var x77 uint64 + var x78 uint1 + x77, x78 = addcarryxU64(x65, x73, 0x0) + var x79 uint64 + var x80 uint1 
+ x79, x80 = addcarryxU64(x67, x75, x78) + var x81 uint64 + var x82 uint1 + x81, x82 = addcarryxU64(x69, uint64(x76), x80) + var x83 uint64 + var x84 uint1 + x83, x84 = addcarryxU64(x71, uint64(0x0), x82) + var x85 uint64 + _, x85 = bits.Mul64(x77, 0xd838091dd2253531) + var x87 uint64 + var x88 uint64 + x88, x87 = bits.Mul64(x85, 0xffffffffffffffff) + var x89 uint64 + var x90 uint64 + x90, x89 = bits.Mul64(x85, 0xffffffffffffffff) + var x91 uint64 + var x92 uint64 + x92, x91 = bits.Mul64(x85, 0xffffffffffffffff) + var x93 uint64 + var x94 uint64 + x94, x93 = bits.Mul64(x85, 0xfffffffefffffc2f) + var x95 uint64 + var x96 uint1 + x95, x96 = addcarryxU64(x94, x91, 0x0) + var x97 uint64 + var x98 uint1 + x97, x98 = addcarryxU64(x92, x89, x96) + var x99 uint64 + var x100 uint1 + x99, x100 = addcarryxU64(x90, x87, x98) + var x102 uint1 + _, x102 = addcarryxU64(x77, x93, 0x0) + var x103 uint64 + var x104 uint1 + x103, x104 = addcarryxU64(x79, x95, x102) + var x105 uint64 + var x106 uint1 + x105, x106 = addcarryxU64(x81, x97, x104) + var x107 uint64 + var x108 uint1 + x107, x108 = addcarryxU64(x83, x99, x106) + var x109 uint64 + var x110 uint1 + x109, x110 = addcarryxU64((uint64(x84) + uint64(x72)), (uint64(x100) + x88), x108) + var x111 uint64 + var x112 uint64 + x112, x111 = bits.Mul64(x3, 0x7a2000e90a1) + var x113 uint64 + var x114 uint1 + x113, x114 = addcarryxU64(x112, x3, 0x0) + var x115 uint64 + var x116 uint1 + x115, x116 = addcarryxU64(x103, x111, 0x0) + var x117 uint64 + var x118 uint1 + x117, x118 = addcarryxU64(x105, x113, x116) + var x119 uint64 + var x120 uint1 + x119, x120 = addcarryxU64(x107, uint64(x114), x118) + var x121 uint64 + var x122 uint1 + x121, x122 = addcarryxU64(x109, uint64(0x0), x120) + var x123 uint64 + _, x123 = bits.Mul64(x115, 0xd838091dd2253531) + var x125 uint64 + var x126 uint64 + x126, x125 = bits.Mul64(x123, 0xffffffffffffffff) + var x127 uint64 + var x128 uint64 + x128, x127 = bits.Mul64(x123, 0xffffffffffffffff) + var x129 uint64 + 
var x130 uint64 + x130, x129 = bits.Mul64(x123, 0xffffffffffffffff) + var x131 uint64 + var x132 uint64 + x132, x131 = bits.Mul64(x123, 0xfffffffefffffc2f) + var x133 uint64 + var x134 uint1 + x133, x134 = addcarryxU64(x132, x129, 0x0) + var x135 uint64 + var x136 uint1 + x135, x136 = addcarryxU64(x130, x127, x134) + var x137 uint64 + var x138 uint1 + x137, x138 = addcarryxU64(x128, x125, x136) + var x140 uint1 + _, x140 = addcarryxU64(x115, x131, 0x0) + var x141 uint64 + var x142 uint1 + x141, x142 = addcarryxU64(x117, x133, x140) + var x143 uint64 + var x144 uint1 + x143, x144 = addcarryxU64(x119, x135, x142) + var x145 uint64 + var x146 uint1 + x145, x146 = addcarryxU64(x121, x137, x144) + var x147 uint64 + var x148 uint1 + x147, x148 = addcarryxU64((uint64(x122) + uint64(x110)), (uint64(x138) + x126), x146) + var x149 uint64 + var x150 uint1 + x149, x150 = subborrowxU64(x141, 0xfffffffefffffc2f, 0x0) + var x151 uint64 + var x152 uint1 + x151, x152 = subborrowxU64(x143, 0xffffffffffffffff, x150) + var x153 uint64 + var x154 uint1 + x153, x154 = subborrowxU64(x145, 0xffffffffffffffff, x152) + var x155 uint64 + var x156 uint1 + x155, x156 = subborrowxU64(x147, 0xffffffffffffffff, x154) + var x158 uint1 + _, x158 = subborrowxU64(uint64(x148), uint64(0x0), x156) + var x159 uint64 + cmovznzU64(&x159, x158, x149, x141) + var x160 uint64 + cmovznzU64(&x160, x158, x151, x143) + var x161 uint64 + cmovznzU64(&x161, x158, x153, x145) + var x162 uint64 + cmovznzU64(&x162, x158, x155, x147) + out1[0] = x159 + out1[1] = x160 + out1[2] = x161 + out1[3] = x162 } -/* - The function Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - */ -/*inline*/ +// Nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] func Nonzero(out1 *uint64, arg1 *[4]uint64) { - var x1 uint64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))) - *out1 = x1 + x1 := (arg1[0] | (arg1[1] | (arg1[2] | arg1[3]))) + *out1 = x1 } -/* - The function Selectznz is a multi-limb conditional select. - Postconditions: - eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) - - Input Bounds: - arg1: [0x0 ~> 0x1] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Selectznz is a multi-limb conditional select. 
+// +// Postconditions: +// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) +// +// Input Bounds: +// arg1: [0x0 ~> 0x1] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Selectznz(out1 *[4]uint64, arg1 uint1, arg2 *[4]uint64, arg3 *[4]uint64) { - var x1 uint64 - cmovznzU64(&x1, arg1, (arg2[0]), (arg3[0])) - var x2 uint64 - cmovznzU64(&x2, arg1, (arg2[1]), (arg3[1])) - var x3 uint64 - cmovznzU64(&x3, arg1, (arg2[2]), (arg3[2])) - var x4 uint64 - cmovznzU64(&x4, arg1, (arg2[3]), (arg3[3])) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 + var x1 uint64 + cmovznzU64(&x1, arg1, arg2[0], arg3[0]) + var x2 uint64 + cmovznzU64(&x2, arg1, arg2[1], arg3[1]) + var x3 uint64 + cmovznzU64(&x3, arg1, arg2[2], arg3[2]) + var x4 uint64 + cmovznzU64(&x4, arg1, arg2[3], arg3[3]) + out1[0] = x1 + out1[1] = x2 + out1[2] = x3 + out1[3] = x4 } -/* - The function ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
- Preconditions: - 0 ≤ eval arg1 < m - Postconditions: - out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] - - Input Bounds: - arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - */ -/*inline*/ +// ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +// +// Preconditions: +// 0 ≤ eval arg1 < m +// Postconditions: +// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] +// +// Input Bounds: +// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] func ToBytes(out1 *[32]uint8, arg1 *[4]uint64) { - var x1 uint64 = (arg1[3]) - var x2 uint64 = (arg1[2]) - var x3 uint64 = (arg1[1]) - var x4 uint64 = (arg1[0]) - var x5 uint8 = (uint8(x4) & 0xff) - var x6 uint64 = (x4 >> 8) - var x7 uint8 = (uint8(x6) & 0xff) - var x8 uint64 = (x6 >> 
8) - var x9 uint8 = (uint8(x8) & 0xff) - var x10 uint64 = (x8 >> 8) - var x11 uint8 = (uint8(x10) & 0xff) - var x12 uint64 = (x10 >> 8) - var x13 uint8 = (uint8(x12) & 0xff) - var x14 uint64 = (x12 >> 8) - var x15 uint8 = (uint8(x14) & 0xff) - var x16 uint64 = (x14 >> 8) - var x17 uint8 = (uint8(x16) & 0xff) - var x18 uint8 = uint8((x16 >> 8)) - var x19 uint8 = (uint8(x3) & 0xff) - var x20 uint64 = (x3 >> 8) - var x21 uint8 = (uint8(x20) & 0xff) - var x22 uint64 = (x20 >> 8) - var x23 uint8 = (uint8(x22) & 0xff) - var x24 uint64 = (x22 >> 8) - var x25 uint8 = (uint8(x24) & 0xff) - var x26 uint64 = (x24 >> 8) - var x27 uint8 = (uint8(x26) & 0xff) - var x28 uint64 = (x26 >> 8) - var x29 uint8 = (uint8(x28) & 0xff) - var x30 uint64 = (x28 >> 8) - var x31 uint8 = (uint8(x30) & 0xff) - var x32 uint8 = uint8((x30 >> 8)) - var x33 uint8 = (uint8(x2) & 0xff) - var x34 uint64 = (x2 >> 8) - var x35 uint8 = (uint8(x34) & 0xff) - var x36 uint64 = (x34 >> 8) - var x37 uint8 = (uint8(x36) & 0xff) - var x38 uint64 = (x36 >> 8) - var x39 uint8 = (uint8(x38) & 0xff) - var x40 uint64 = (x38 >> 8) - var x41 uint8 = (uint8(x40) & 0xff) - var x42 uint64 = (x40 >> 8) - var x43 uint8 = (uint8(x42) & 0xff) - var x44 uint64 = (x42 >> 8) - var x45 uint8 = (uint8(x44) & 0xff) - var x46 uint8 = uint8((x44 >> 8)) - var x47 uint8 = (uint8(x1) & 0xff) - var x48 uint64 = (x1 >> 8) - var x49 uint8 = (uint8(x48) & 0xff) - var x50 uint64 = (x48 >> 8) - var x51 uint8 = (uint8(x50) & 0xff) - var x52 uint64 = (x50 >> 8) - var x53 uint8 = (uint8(x52) & 0xff) - var x54 uint64 = (x52 >> 8) - var x55 uint8 = (uint8(x54) & 0xff) - var x56 uint64 = (x54 >> 8) - var x57 uint8 = (uint8(x56) & 0xff) - var x58 uint64 = (x56 >> 8) - var x59 uint8 = (uint8(x58) & 0xff) - var x60 uint8 = uint8((x58 >> 8)) - out1[0] = x5 - out1[1] = x7 - out1[2] = x9 - out1[3] = x11 - out1[4] = x13 - out1[5] = x15 - out1[6] = x17 - out1[7] = x18 - out1[8] = x19 - out1[9] = x21 - out1[10] = x23 - out1[11] = x25 - out1[12] = x27 - 
out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x39 - out1[20] = x41 - out1[21] = x43 - out1[22] = x45 - out1[23] = x46 - out1[24] = x47 - out1[25] = x49 - out1[26] = x51 - out1[27] = x53 - out1[28] = x55 - out1[29] = x57 - out1[30] = x59 - out1[31] = x60 + x1 := arg1[3] + x2 := arg1[2] + x3 := arg1[1] + x4 := arg1[0] + x5 := (uint8(x4) & 0xff) + x6 := (x4 >> 8) + x7 := (uint8(x6) & 0xff) + x8 := (x6 >> 8) + x9 := (uint8(x8) & 0xff) + x10 := (x8 >> 8) + x11 := (uint8(x10) & 0xff) + x12 := (x10 >> 8) + x13 := (uint8(x12) & 0xff) + x14 := (x12 >> 8) + x15 := (uint8(x14) & 0xff) + x16 := (x14 >> 8) + x17 := (uint8(x16) & 0xff) + x18 := uint8((x16 >> 8)) + x19 := (uint8(x3) & 0xff) + x20 := (x3 >> 8) + x21 := (uint8(x20) & 0xff) + x22 := (x20 >> 8) + x23 := (uint8(x22) & 0xff) + x24 := (x22 >> 8) + x25 := (uint8(x24) & 0xff) + x26 := (x24 >> 8) + x27 := (uint8(x26) & 0xff) + x28 := (x26 >> 8) + x29 := (uint8(x28) & 0xff) + x30 := (x28 >> 8) + x31 := (uint8(x30) & 0xff) + x32 := uint8((x30 >> 8)) + x33 := (uint8(x2) & 0xff) + x34 := (x2 >> 8) + x35 := (uint8(x34) & 0xff) + x36 := (x34 >> 8) + x37 := (uint8(x36) & 0xff) + x38 := (x36 >> 8) + x39 := (uint8(x38) & 0xff) + x40 := (x38 >> 8) + x41 := (uint8(x40) & 0xff) + x42 := (x40 >> 8) + x43 := (uint8(x42) & 0xff) + x44 := (x42 >> 8) + x45 := (uint8(x44) & 0xff) + x46 := uint8((x44 >> 8)) + x47 := (uint8(x1) & 0xff) + x48 := (x1 >> 8) + x49 := (uint8(x48) & 0xff) + x50 := (x48 >> 8) + x51 := (uint8(x50) & 0xff) + x52 := (x50 >> 8) + x53 := (uint8(x52) & 0xff) + x54 := (x52 >> 8) + x55 := (uint8(x54) & 0xff) + x56 := (x54 >> 8) + x57 := (uint8(x56) & 0xff) + x58 := (x56 >> 8) + x59 := (uint8(x58) & 0xff) + x60 := uint8((x58 >> 8)) + out1[0] = x5 + out1[1] = x7 + out1[2] = x9 + out1[3] = x11 + out1[4] = x13 + out1[5] = x15 + out1[6] = x17 + out1[7] = x18 + out1[8] = x19 + out1[9] = x21 + out1[10] = x23 + out1[11] = x25 + out1[12] = x27 + out1[13] = x29 + 
out1[14] = x31 + out1[15] = x32 + out1[16] = x33 + out1[17] = x35 + out1[18] = x37 + out1[19] = x39 + out1[20] = x41 + out1[21] = x43 + out1[22] = x45 + out1[23] = x46 + out1[24] = x47 + out1[25] = x49 + out1[26] = x51 + out1[27] = x53 + out1[28] = x55 + out1[29] = x57 + out1[30] = x59 + out1[31] = x60 } -/* - The function FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. - Preconditions: - 0 ≤ bytes_eval arg1 < m - Postconditions: - eval out1 mod m = bytes_eval arg1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. 
+// +// Preconditions: +// 0 ≤ bytes_eval arg1 < m +// Postconditions: +// eval out1 mod m = bytes_eval arg1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func FromBytes(out1 *[4]uint64, arg1 *[32]uint8) { - var x1 uint64 = (uint64((arg1[31])) << 56) - var x2 uint64 = (uint64((arg1[30])) << 48) - var x3 uint64 = (uint64((arg1[29])) << 40) - var x4 uint64 = (uint64((arg1[28])) << 32) - var x5 uint64 = (uint64((arg1[27])) << 24) - var x6 uint64 = (uint64((arg1[26])) << 16) - var x7 uint64 = (uint64((arg1[25])) << 8) - var x8 uint8 = (arg1[24]) - var x9 uint64 = (uint64((arg1[23])) << 56) - var x10 uint64 = (uint64((arg1[22])) << 48) - var x11 uint64 = (uint64((arg1[21])) << 40) - var x12 uint64 = (uint64((arg1[20])) << 32) - var x13 uint64 = (uint64((arg1[19])) << 24) - var x14 uint64 = (uint64((arg1[18])) << 16) - var x15 uint64 = (uint64((arg1[17])) << 8) - var x16 uint8 = (arg1[16]) - var x17 uint64 = (uint64((arg1[15])) << 56) - var x18 uint64 = (uint64((arg1[14])) << 48) - var x19 uint64 = (uint64((arg1[13])) << 40) - var x20 uint64 = (uint64((arg1[12])) << 32) - var x21 uint64 = (uint64((arg1[11])) << 24) - var x22 uint64 = (uint64((arg1[10])) << 16) - var x23 uint64 = (uint64((arg1[9])) << 8) - var x24 uint8 = (arg1[8]) - var x25 uint64 = (uint64((arg1[7])) << 56) - var x26 uint64 = (uint64((arg1[6])) << 48) - var x27 uint64 = 
(uint64((arg1[5])) << 40) - var x28 uint64 = (uint64((arg1[4])) << 32) - var x29 uint64 = (uint64((arg1[3])) << 24) - var x30 uint64 = (uint64((arg1[2])) << 16) - var x31 uint64 = (uint64((arg1[1])) << 8) - var x32 uint8 = (arg1[0]) - var x33 uint64 = (x31 + uint64(x32)) - var x34 uint64 = (x30 + x33) - var x35 uint64 = (x29 + x34) - var x36 uint64 = (x28 + x35) - var x37 uint64 = (x27 + x36) - var x38 uint64 = (x26 + x37) - var x39 uint64 = (x25 + x38) - var x40 uint64 = (x23 + uint64(x24)) - var x41 uint64 = (x22 + x40) - var x42 uint64 = (x21 + x41) - var x43 uint64 = (x20 + x42) - var x44 uint64 = (x19 + x43) - var x45 uint64 = (x18 + x44) - var x46 uint64 = (x17 + x45) - var x47 uint64 = (x15 + uint64(x16)) - var x48 uint64 = (x14 + x47) - var x49 uint64 = (x13 + x48) - var x50 uint64 = (x12 + x49) - var x51 uint64 = (x11 + x50) - var x52 uint64 = (x10 + x51) - var x53 uint64 = (x9 + x52) - var x54 uint64 = (x7 + uint64(x8)) - var x55 uint64 = (x6 + x54) - var x56 uint64 = (x5 + x55) - var x57 uint64 = (x4 + x56) - var x58 uint64 = (x3 + x57) - var x59 uint64 = (x2 + x58) - var x60 uint64 = (x1 + x59) - out1[0] = x39 - out1[1] = x46 - out1[2] = x53 - out1[3] = x60 + x1 := (uint64(arg1[31]) << 56) + x2 := (uint64(arg1[30]) << 48) + x3 := (uint64(arg1[29]) << 40) + x4 := (uint64(arg1[28]) << 32) + x5 := (uint64(arg1[27]) << 24) + x6 := (uint64(arg1[26]) << 16) + x7 := (uint64(arg1[25]) << 8) + x8 := arg1[24] + x9 := (uint64(arg1[23]) << 56) + x10 := (uint64(arg1[22]) << 48) + x11 := (uint64(arg1[21]) << 40) + x12 := (uint64(arg1[20]) << 32) + x13 := (uint64(arg1[19]) << 24) + x14 := (uint64(arg1[18]) << 16) + x15 := (uint64(arg1[17]) << 8) + x16 := arg1[16] + x17 := (uint64(arg1[15]) << 56) + x18 := (uint64(arg1[14]) << 48) + x19 := (uint64(arg1[13]) << 40) + x20 := (uint64(arg1[12]) << 32) + x21 := (uint64(arg1[11]) << 24) + x22 := (uint64(arg1[10]) << 16) + x23 := (uint64(arg1[9]) << 8) + x24 := arg1[8] + x25 := (uint64(arg1[7]) << 56) + x26 := 
(uint64(arg1[6]) << 48) + x27 := (uint64(arg1[5]) << 40) + x28 := (uint64(arg1[4]) << 32) + x29 := (uint64(arg1[3]) << 24) + x30 := (uint64(arg1[2]) << 16) + x31 := (uint64(arg1[1]) << 8) + x32 := arg1[0] + x33 := (x31 + uint64(x32)) + x34 := (x30 + x33) + x35 := (x29 + x34) + x36 := (x28 + x35) + x37 := (x27 + x36) + x38 := (x26 + x37) + x39 := (x25 + x38) + x40 := (x23 + uint64(x24)) + x41 := (x22 + x40) + x42 := (x21 + x41) + x43 := (x20 + x42) + x44 := (x19 + x43) + x45 := (x18 + x44) + x46 := (x17 + x45) + x47 := (x15 + uint64(x16)) + x48 := (x14 + x47) + x49 := (x13 + x48) + x50 := (x12 + x49) + x51 := (x11 + x50) + x52 := (x10 + x51) + x53 := (x9 + x52) + x54 := (x7 + uint64(x8)) + x55 := (x6 + x54) + x56 := (x5 + x55) + x57 := (x4 + x56) + x58 := (x3 + x57) + x59 := (x2 + x58) + x60 := (x1 + x59) + out1[0] = x39 + out1[1] = x46 + out1[2] = x53 + out1[3] = x60 } -/* - The function SetOne returns the field element one in the Montgomery domain. - Postconditions: - eval (from_montgomery out1) mod m = 1 mod m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// SetOne returns the field element one in the Montgomery domain. +// +// Postconditions: +// eval (from_montgomery out1) mod m = 1 mod m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func SetOne(out1 *[4]uint64) { - out1[0] = 0x1000003d1 - out1[1] = uint64(0x0) - out1[2] = uint64(0x0) - out1[3] = uint64(0x0) + out1[0] = 0x1000003d1 + out1[1] = uint64(0x0) + out1[2] = uint64(0x0) + out1[3] = uint64(0x0) } -/* - The function Msat returns the saturated representation of the prime modulus. 
- Postconditions: - twos_complement_eval out1 = m - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Msat returns the saturated representation of the prime modulus. +// +// Postconditions: +// twos_complement_eval out1 = m +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Msat(out1 *[5]uint64) { - out1[0] = 0xfffffffefffffc2f - out1[1] = 0xffffffffffffffff - out1[2] = 0xffffffffffffffff - out1[3] = 0xffffffffffffffff - out1[4] = uint64(0x0) + out1[0] = 0xfffffffefffffc2f + out1[1] = 0xffffffffffffffff + out1[2] = 0xffffffffffffffff + out1[3] = 0xffffffffffffffff + out1[4] = uint64(0x0) } -/* - The function Divstep computes a divstep. - Preconditions: - 0 ≤ eval arg4 < m - 0 ≤ eval arg5 < m - Postconditions: - out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) - twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) - twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) - eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) - eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) - 
0 ≤ eval out5 < m - 0 ≤ eval out5 < m - 0 ≤ eval out2 < m - 0 ≤ eval out3 < m - - Input Bounds: - arg1: [0x0 ~> 0xffffffffffffffff] - arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - Output Bounds: - out1: [0x0 ~> 0xffffffffffffffff] - out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// Divstep computes a divstep. 
+// +// Preconditions: +// 0 ≤ eval arg4 < m +// 0 ≤ eval arg5 < m +// Postconditions: +// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) +// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) +// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) +// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) +// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) +// 0 ≤ eval out5 < m +// 0 ≤ eval out5 < m +// 0 ≤ eval out2 < m +// 0 ≤ eval out3 < m +// +// Input Bounds: +// arg1: [0x0 ~> 0xffffffffffffffff] +// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// Output Bounds: +// out1: [0x0 ~> 0xffffffffffffffff] +// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] +// out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func Divstep(out1 *uint64, out2 *[5]uint64, out3 *[5]uint64, out4 *[4]uint64, out5 *[4]uint64, arg1 uint64, arg2 *[5]uint64, arg3 *[5]uint64, arg4 *[4]uint64, arg5 *[4]uint64) { - var x1 uint64 - x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x3 uint1 = (uint1((x1 >> 63)) & (uint1((arg3[0])) & 0x1)) - var x4 uint64 - x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) - var x6 uint64 - cmovznzU64(&x6, x3, arg1, x4) - var x7 uint64 - cmovznzU64(&x7, x3, (arg2[0]), (arg3[0])) - var x8 uint64 - cmovznzU64(&x8, x3, (arg2[1]), (arg3[1])) - var x9 uint64 - cmovznzU64(&x9, x3, (arg2[2]), (arg3[2])) - var x10 uint64 - cmovznzU64(&x10, x3, (arg2[3]), (arg3[3])) - var x11 uint64 - cmovznzU64(&x11, x3, (arg2[4]), (arg3[4])) - var x12 uint64 - var x13 uint1 - x12, x13 = addcarryxU64(uint64(0x1), (^(arg2[0])), 0x0) - var x14 uint64 - var x15 uint1 - x14, x15 = addcarryxU64(uint64(0x0), (^(arg2[1])), x13) - var x16 uint64 - var x17 uint1 - x16, x17 = addcarryxU64(uint64(0x0), (^(arg2[2])), x15) - var x18 uint64 - var x19 uint1 - x18, x19 = addcarryxU64(uint64(0x0), (^(arg2[3])), x17) - var x20 uint64 - x20, _ = addcarryxU64(uint64(0x0), (^(arg2[4])), x19) - var x22 uint64 - cmovznzU64(&x22, x3, (arg3[0]), x12) - var x23 uint64 - cmovznzU64(&x23, x3, (arg3[1]), x14) - var x24 uint64 - cmovznzU64(&x24, x3, (arg3[2]), x16) - var x25 uint64 - cmovznzU64(&x25, x3, (arg3[3]), x18) - var x26 uint64 - cmovznzU64(&x26, x3, (arg3[4]), x20) - var x27 uint64 - cmovznzU64(&x27, x3, (arg4[0]), (arg5[0])) - var x28 uint64 - cmovznzU64(&x28, x3, (arg4[1]), (arg5[1])) - var x29 uint64 - cmovznzU64(&x29, x3, (arg4[2]), (arg5[2])) - var 
x30 uint64 - cmovznzU64(&x30, x3, (arg4[3]), (arg5[3])) - var x31 uint64 - var x32 uint1 - x31, x32 = addcarryxU64(x27, x27, 0x0) - var x33 uint64 - var x34 uint1 - x33, x34 = addcarryxU64(x28, x28, x32) - var x35 uint64 - var x36 uint1 - x35, x36 = addcarryxU64(x29, x29, x34) - var x37 uint64 - var x38 uint1 - x37, x38 = addcarryxU64(x30, x30, x36) - var x39 uint64 - var x40 uint1 - x39, x40 = subborrowxU64(x31, 0xfffffffefffffc2f, 0x0) - var x41 uint64 - var x42 uint1 - x41, x42 = subborrowxU64(x33, 0xffffffffffffffff, x40) - var x43 uint64 - var x44 uint1 - x43, x44 = subborrowxU64(x35, 0xffffffffffffffff, x42) - var x45 uint64 - var x46 uint1 - x45, x46 = subborrowxU64(x37, 0xffffffffffffffff, x44) - var x48 uint1 - _, x48 = subborrowxU64(uint64(x38), uint64(0x0), x46) - var x49 uint64 = (arg4[3]) - var x50 uint64 = (arg4[2]) - var x51 uint64 = (arg4[1]) - var x52 uint64 = (arg4[0]) - var x53 uint64 - var x54 uint1 - x53, x54 = subborrowxU64(uint64(0x0), x52, 0x0) - var x55 uint64 - var x56 uint1 - x55, x56 = subborrowxU64(uint64(0x0), x51, x54) - var x57 uint64 - var x58 uint1 - x57, x58 = subborrowxU64(uint64(0x0), x50, x56) - var x59 uint64 - var x60 uint1 - x59, x60 = subborrowxU64(uint64(0x0), x49, x58) - var x61 uint64 - cmovznzU64(&x61, x60, uint64(0x0), 0xffffffffffffffff) - var x62 uint64 - var x63 uint1 - x62, x63 = addcarryxU64(x53, (x61 & 0xfffffffefffffc2f), 0x0) - var x64 uint64 - var x65 uint1 - x64, x65 = addcarryxU64(x55, x61, x63) - var x66 uint64 - var x67 uint1 - x66, x67 = addcarryxU64(x57, x61, x65) - var x68 uint64 - x68, _ = addcarryxU64(x59, x61, x67) - var x70 uint64 - cmovznzU64(&x70, x3, (arg5[0]), x62) - var x71 uint64 - cmovznzU64(&x71, x3, (arg5[1]), x64) - var x72 uint64 - cmovznzU64(&x72, x3, (arg5[2]), x66) - var x73 uint64 - cmovznzU64(&x73, x3, (arg5[3]), x68) - var x74 uint1 = (uint1(x22) & 0x1) - var x75 uint64 - cmovznzU64(&x75, x74, uint64(0x0), x7) - var x76 uint64 - cmovznzU64(&x76, x74, uint64(0x0), x8) - var x77 
uint64 - cmovznzU64(&x77, x74, uint64(0x0), x9) - var x78 uint64 - cmovznzU64(&x78, x74, uint64(0x0), x10) - var x79 uint64 - cmovznzU64(&x79, x74, uint64(0x0), x11) - var x80 uint64 - var x81 uint1 - x80, x81 = addcarryxU64(x22, x75, 0x0) - var x82 uint64 - var x83 uint1 - x82, x83 = addcarryxU64(x23, x76, x81) - var x84 uint64 - var x85 uint1 - x84, x85 = addcarryxU64(x24, x77, x83) - var x86 uint64 - var x87 uint1 - x86, x87 = addcarryxU64(x25, x78, x85) - var x88 uint64 - x88, _ = addcarryxU64(x26, x79, x87) - var x90 uint64 - cmovznzU64(&x90, x74, uint64(0x0), x27) - var x91 uint64 - cmovznzU64(&x91, x74, uint64(0x0), x28) - var x92 uint64 - cmovznzU64(&x92, x74, uint64(0x0), x29) - var x93 uint64 - cmovznzU64(&x93, x74, uint64(0x0), x30) - var x94 uint64 - var x95 uint1 - x94, x95 = addcarryxU64(x70, x90, 0x0) - var x96 uint64 - var x97 uint1 - x96, x97 = addcarryxU64(x71, x91, x95) - var x98 uint64 - var x99 uint1 - x98, x99 = addcarryxU64(x72, x92, x97) - var x100 uint64 - var x101 uint1 - x100, x101 = addcarryxU64(x73, x93, x99) - var x102 uint64 - var x103 uint1 - x102, x103 = subborrowxU64(x94, 0xfffffffefffffc2f, 0x0) - var x104 uint64 - var x105 uint1 - x104, x105 = subborrowxU64(x96, 0xffffffffffffffff, x103) - var x106 uint64 - var x107 uint1 - x106, x107 = subborrowxU64(x98, 0xffffffffffffffff, x105) - var x108 uint64 - var x109 uint1 - x108, x109 = subborrowxU64(x100, 0xffffffffffffffff, x107) - var x111 uint1 - _, x111 = subborrowxU64(uint64(x101), uint64(0x0), x109) - var x112 uint64 - x112, _ = addcarryxU64(x6, uint64(0x1), 0x0) - var x114 uint64 = ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff)) - var x115 uint64 = ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)) - var x116 uint64 = ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)) - var x117 uint64 = ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)) - var x118 uint64 = ((x88 & 0x8000000000000000) | (x88 >> 1)) - var x119 uint64 - cmovznzU64(&x119, x48, x39, x31) - var x120 uint64 - 
cmovznzU64(&x120, x48, x41, x33) - var x121 uint64 - cmovznzU64(&x121, x48, x43, x35) - var x122 uint64 - cmovznzU64(&x122, x48, x45, x37) - var x123 uint64 - cmovznzU64(&x123, x111, x102, x94) - var x124 uint64 - cmovznzU64(&x124, x111, x104, x96) - var x125 uint64 - cmovznzU64(&x125, x111, x106, x98) - var x126 uint64 - cmovznzU64(&x126, x111, x108, x100) - *out1 = x112 - out2[0] = x7 - out2[1] = x8 - out2[2] = x9 - out2[3] = x10 - out2[4] = x11 - out3[0] = x114 - out3[1] = x115 - out3[2] = x116 - out3[3] = x117 - out3[4] = x118 - out4[0] = x119 - out4[1] = x120 - out4[2] = x121 - out4[3] = x122 - out5[0] = x123 - out5[1] = x124 - out5[2] = x125 - out5[3] = x126 + var x1 uint64 + x1, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + x3 := (uint1((x1 >> 63)) & (uint1(arg3[0]) & 0x1)) + var x4 uint64 + x4, _ = addcarryxU64((^arg1), uint64(0x1), 0x0) + var x6 uint64 + cmovznzU64(&x6, x3, arg1, x4) + var x7 uint64 + cmovznzU64(&x7, x3, arg2[0], arg3[0]) + var x8 uint64 + cmovznzU64(&x8, x3, arg2[1], arg3[1]) + var x9 uint64 + cmovznzU64(&x9, x3, arg2[2], arg3[2]) + var x10 uint64 + cmovznzU64(&x10, x3, arg2[3], arg3[3]) + var x11 uint64 + cmovznzU64(&x11, x3, arg2[4], arg3[4]) + var x12 uint64 + var x13 uint1 + x12, x13 = addcarryxU64(uint64(0x1), (^arg2[0]), 0x0) + var x14 uint64 + var x15 uint1 + x14, x15 = addcarryxU64(uint64(0x0), (^arg2[1]), x13) + var x16 uint64 + var x17 uint1 + x16, x17 = addcarryxU64(uint64(0x0), (^arg2[2]), x15) + var x18 uint64 + var x19 uint1 + x18, x19 = addcarryxU64(uint64(0x0), (^arg2[3]), x17) + var x20 uint64 + x20, _ = addcarryxU64(uint64(0x0), (^arg2[4]), x19) + var x22 uint64 + cmovznzU64(&x22, x3, arg3[0], x12) + var x23 uint64 + cmovznzU64(&x23, x3, arg3[1], x14) + var x24 uint64 + cmovznzU64(&x24, x3, arg3[2], x16) + var x25 uint64 + cmovznzU64(&x25, x3, arg3[3], x18) + var x26 uint64 + cmovznzU64(&x26, x3, arg3[4], x20) + var x27 uint64 + cmovznzU64(&x27, x3, arg4[0], arg5[0]) + var x28 uint64 + cmovznzU64(&x28, x3, arg4[1], 
arg5[1]) + var x29 uint64 + cmovznzU64(&x29, x3, arg4[2], arg5[2]) + var x30 uint64 + cmovznzU64(&x30, x3, arg4[3], arg5[3]) + var x31 uint64 + var x32 uint1 + x31, x32 = addcarryxU64(x27, x27, 0x0) + var x33 uint64 + var x34 uint1 + x33, x34 = addcarryxU64(x28, x28, x32) + var x35 uint64 + var x36 uint1 + x35, x36 = addcarryxU64(x29, x29, x34) + var x37 uint64 + var x38 uint1 + x37, x38 = addcarryxU64(x30, x30, x36) + var x39 uint64 + var x40 uint1 + x39, x40 = subborrowxU64(x31, 0xfffffffefffffc2f, 0x0) + var x41 uint64 + var x42 uint1 + x41, x42 = subborrowxU64(x33, 0xffffffffffffffff, x40) + var x43 uint64 + var x44 uint1 + x43, x44 = subborrowxU64(x35, 0xffffffffffffffff, x42) + var x45 uint64 + var x46 uint1 + x45, x46 = subborrowxU64(x37, 0xffffffffffffffff, x44) + var x48 uint1 + _, x48 = subborrowxU64(uint64(x38), uint64(0x0), x46) + x49 := arg4[3] + x50 := arg4[2] + x51 := arg4[1] + x52 := arg4[0] + var x53 uint64 + var x54 uint1 + x53, x54 = subborrowxU64(uint64(0x0), x52, 0x0) + var x55 uint64 + var x56 uint1 + x55, x56 = subborrowxU64(uint64(0x0), x51, x54) + var x57 uint64 + var x58 uint1 + x57, x58 = subborrowxU64(uint64(0x0), x50, x56) + var x59 uint64 + var x60 uint1 + x59, x60 = subborrowxU64(uint64(0x0), x49, x58) + var x61 uint64 + cmovznzU64(&x61, x60, uint64(0x0), 0xffffffffffffffff) + var x62 uint64 + var x63 uint1 + x62, x63 = addcarryxU64(x53, (x61 & 0xfffffffefffffc2f), 0x0) + var x64 uint64 + var x65 uint1 + x64, x65 = addcarryxU64(x55, x61, x63) + var x66 uint64 + var x67 uint1 + x66, x67 = addcarryxU64(x57, x61, x65) + var x68 uint64 + x68, _ = addcarryxU64(x59, x61, x67) + var x70 uint64 + cmovznzU64(&x70, x3, arg5[0], x62) + var x71 uint64 + cmovznzU64(&x71, x3, arg5[1], x64) + var x72 uint64 + cmovznzU64(&x72, x3, arg5[2], x66) + var x73 uint64 + cmovznzU64(&x73, x3, arg5[3], x68) + x74 := (uint1(x22) & 0x1) + var x75 uint64 + cmovznzU64(&x75, x74, uint64(0x0), x7) + var x76 uint64 + cmovznzU64(&x76, x74, uint64(0x0), x8) + var x77 
uint64 + cmovznzU64(&x77, x74, uint64(0x0), x9) + var x78 uint64 + cmovznzU64(&x78, x74, uint64(0x0), x10) + var x79 uint64 + cmovznzU64(&x79, x74, uint64(0x0), x11) + var x80 uint64 + var x81 uint1 + x80, x81 = addcarryxU64(x22, x75, 0x0) + var x82 uint64 + var x83 uint1 + x82, x83 = addcarryxU64(x23, x76, x81) + var x84 uint64 + var x85 uint1 + x84, x85 = addcarryxU64(x24, x77, x83) + var x86 uint64 + var x87 uint1 + x86, x87 = addcarryxU64(x25, x78, x85) + var x88 uint64 + x88, _ = addcarryxU64(x26, x79, x87) + var x90 uint64 + cmovznzU64(&x90, x74, uint64(0x0), x27) + var x91 uint64 + cmovznzU64(&x91, x74, uint64(0x0), x28) + var x92 uint64 + cmovznzU64(&x92, x74, uint64(0x0), x29) + var x93 uint64 + cmovznzU64(&x93, x74, uint64(0x0), x30) + var x94 uint64 + var x95 uint1 + x94, x95 = addcarryxU64(x70, x90, 0x0) + var x96 uint64 + var x97 uint1 + x96, x97 = addcarryxU64(x71, x91, x95) + var x98 uint64 + var x99 uint1 + x98, x99 = addcarryxU64(x72, x92, x97) + var x100 uint64 + var x101 uint1 + x100, x101 = addcarryxU64(x73, x93, x99) + var x102 uint64 + var x103 uint1 + x102, x103 = subborrowxU64(x94, 0xfffffffefffffc2f, 0x0) + var x104 uint64 + var x105 uint1 + x104, x105 = subborrowxU64(x96, 0xffffffffffffffff, x103) + var x106 uint64 + var x107 uint1 + x106, x107 = subborrowxU64(x98, 0xffffffffffffffff, x105) + var x108 uint64 + var x109 uint1 + x108, x109 = subborrowxU64(x100, 0xffffffffffffffff, x107) + var x111 uint1 + _, x111 = subborrowxU64(uint64(x101), uint64(0x0), x109) + var x112 uint64 + x112, _ = addcarryxU64(x6, uint64(0x1), 0x0) + x114 := ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff)) + x115 := ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)) + x116 := ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)) + x117 := ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)) + x118 := ((x88 & 0x8000000000000000) | (x88 >> 1)) + var x119 uint64 + cmovznzU64(&x119, x48, x39, x31) + var x120 uint64 + cmovznzU64(&x120, x48, x41, x33) + var x121 uint64 + 
cmovznzU64(&x121, x48, x43, x35) + var x122 uint64 + cmovznzU64(&x122, x48, x45, x37) + var x123 uint64 + cmovznzU64(&x123, x111, x102, x94) + var x124 uint64 + cmovznzU64(&x124, x111, x104, x96) + var x125 uint64 + cmovznzU64(&x125, x111, x106, x98) + var x126 uint64 + cmovznzU64(&x126, x111, x108, x100) + *out1 = x112 + out2[0] = x7 + out2[1] = x8 + out2[2] = x9 + out2[3] = x10 + out2[4] = x11 + out3[0] = x114 + out3[1] = x115 + out3[2] = x116 + out3[3] = x117 + out3[4] = x118 + out4[0] = x119 + out4[1] = x120 + out4[2] = x121 + out4[3] = x122 + out5[0] = x123 + out5[1] = x124 + out5[2] = x125 + out5[3] = x126 } -/* - The function DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). - Postconditions: - eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) - 0 ≤ eval out1 < m - - Input Bounds: - Output Bounds: - out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - */ -/*inline*/ +// DivstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +// +// Postconditions: +// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) +// 0 ≤ eval out1 < m +// +// Input Bounds: +// Output Bounds: +// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] func DivstepPrecomp(out1 *[4]uint64) { - out1[0] = 0xf201a41831525e0a - out1[1] = 0x9953f9ddcd648d85 - out1[2] = 0xe86029463db210a9 - out1[3] = 0x24fb8a3104b03709 + out1[0] = 0xf201a41831525e0a + out1[1] = 0x9953f9ddcd648d85 + out1[2] = 0xe86029463db210a9 + out1[3] = 0x24fb8a3104b03709 } - diff --git a/fiat-java/src/FiatCurve25519.java b/fiat-java/src/FiatCurve25519.java index d26b298ef53..472156e0c3b 100644 
--- a/fiat-java/src/FiatCurve25519.java +++ b/fiat-java/src/FiatCurve25519.java @@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ -/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ package fiat_crypto; 
@@ -27,6 +27,7 @@ static class Box { /** * The function fiat_Curve25519_addcarryx_u26 is an addition with carry.

+ *

* Postconditions:

* out1 = (arg1 + arg2 + arg3) mod 2^26

* out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋

@@ -49,6 +50,7 @@ static void fiat_Curve25519_addcarryx_u26(Box out1, Box out2, /** * The function fiat_Curve25519_subborrowx_u26 is a subtraction with borrow.

+ *

* Postconditions:

* out1 = (-arg1 + arg2 + -arg3) mod 2^26

* out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋

@@ -71,6 +73,7 @@ static void fiat_Curve25519_subborrowx_u26(Box out1, Box out2, /** * The function fiat_Curve25519_addcarryx_u25 is an addition with carry.

+ *

* Postconditions:

* out1 = (arg1 + arg2 + arg3) mod 2^25

* out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋

@@ -93,6 +96,7 @@ static void fiat_Curve25519_addcarryx_u25(Box out1, Box out2, /** * The function fiat_Curve25519_subborrowx_u25 is a subtraction with borrow.

+ *

* Postconditions:

* out1 = (-arg1 + arg2 + -arg3) mod 2^25

* out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋

@@ -115,6 +119,7 @@ static void fiat_Curve25519_subborrowx_u25(Box out1, Box out2, /** * The function fiat_Curve25519_cmovznz_u64 is a single-word conditional move.

+ *

* Postconditions:

* out1 = (if arg1 = 0 then arg2 else arg3)

*

@@ -133,6 +138,7 @@ static void fiat_Curve25519_cmovznz_u64(Box out1, int arg1, long arg2, lon /** * The function fiat_Curve25519_carry_mul multiplies two field elements and reduces the result.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 * eval arg2) mod m

*

@@ -304,6 +310,7 @@ public static void fiat_Curve25519_carry_mul(int[] out1, final int[] arg1, final /** * The function fiat_Curve25519_carry_square squares a field element and reduces the result.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 * eval arg1) mod m

*

@@ -447,6 +454,7 @@ public static void fiat_Curve25519_carry_square(int[] out1, final int[] arg1) { /** * The function fiat_Curve25519_carry reduces a field element.

+ *

* Postconditions:

* eval out1 mod m = eval arg1 mod m

*

@@ -492,6 +500,7 @@ public static void fiat_Curve25519_carry(int[] out1, final int[] arg1) { /** * The function fiat_Curve25519_add adds two field elements.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 + eval arg2) mod m

*

@@ -526,6 +535,7 @@ public static void fiat_Curve25519_add(int[] out1, final int[] arg1, final int[] /** * The function fiat_Curve25519_sub subtracts two field elements.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 - eval arg2) mod m

*

@@ -560,6 +570,7 @@ public static void fiat_Curve25519_sub(int[] out1, final int[] arg1, final int[] /** * The function fiat_Curve25519_opp negates a field element.

+ *

* Postconditions:

* eval out1 mod m = -eval arg1 mod m

*

@@ -593,6 +604,7 @@ public static void fiat_Curve25519_opp(int[] out1, final int[] arg1) { /** * The function fiat_Curve25519_selectznz is a multi-limb conditional select.

+ *

* Postconditions:

* eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)

*

@@ -638,6 +650,7 @@ public static void fiat_Curve25519_selectznz(long[] out1, int arg1, final long[] /** * The function fiat_Curve25519_to_bytes serializes a field element to bytes in little-endian order.

+ *

* Postconditions:

* out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]

*

@@ -821,6 +834,7 @@ public static void fiat_Curve25519_to_bytes(int[] out1, final int[] arg1) { /** * The function fiat_Curve25519_from_bytes deserializes a field element from bytes in little-endian order.

+ *

* Postconditions:

* eval out1 mod m = bytes_eval arg1 mod m

*

@@ -922,6 +936,7 @@ public static void fiat_Curve25519_from_bytes(int[] out1, final int[] arg1) { /** * The function fiat_Curve25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.

+ *

* Postconditions:

* eval out1 mod m = (121666 * eval arg1) mod m

*

@@ -991,4 +1006,3 @@ public static void fiat_Curve25519_carry_scmul_121666(int[] out1, final int[] ar } } - diff --git a/fiat-java/src/FiatP224.java b/fiat-java/src/FiatP224.java index c28b7dd09b2..22ce7809790 100644 --- a/fiat-java/src/FiatP224.java +++ b/fiat-java/src/FiatP224.java @@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ -/* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in */ +/* if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 */ package fiat_crypto; 
@@ -32,6 +32,7 @@ static class Box { /** * The function fiat_P224_addcarryx_u32 is an addition with carry.

+ *

* Postconditions:

* out1 = (arg1 + arg2 + arg3) mod 2^32

* out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋

@@ -54,6 +55,7 @@ static void fiat_P224_addcarryx_u32(Box out1, Box out2, int arg1, /** * The function fiat_P224_subborrowx_u32 is a subtraction with borrow.

+ *

* Postconditions:

* out1 = (-arg1 + arg2 + -arg3) mod 2^32

* out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋

@@ -76,6 +78,7 @@ static void fiat_P224_subborrowx_u32(Box out1, Box out2, int arg1 /** * The function fiat_P224_mulx_u32 is a multiplication, returning the full double-width result.

+ *

* Postconditions:

* out1 = (arg1 * arg2) mod 2^32

* out2 = ⌊arg1 * arg2 / 2^32⌋

@@ -97,6 +100,7 @@ static void fiat_P224_mulx_u32(Box out1, Box out2, long arg1, long a /** * The function fiat_P224_cmovznz_u64 is a single-word conditional move.

+ *

* Postconditions:

* out1 = (if arg1 = 0 then arg2 else arg3)

*

@@ -115,6 +119,7 @@ static void fiat_P224_cmovznz_u64(Box out1, int arg1, long arg2, long arg3 /** * The function fiat_P224_mul multiplies two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -958,6 +963,7 @@ public static void fiat_P224_mul(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P224_square squares a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -1799,6 +1805,7 @@ public static void fiat_P224_square(long[] out1, final long[] arg1) { /** * The function fiat_P224_add adds two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -1883,6 +1890,7 @@ public static void fiat_P224_add(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P224_sub subtracts two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -1952,6 +1960,7 @@ public static void fiat_P224_sub(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P224_opp negates a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -2019,6 +2028,7 @@ public static void fiat_P224_opp(long[] out1, final long[] arg1) { /** * The function fiat_P224_from_montgomery translates a field element out of the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -2498,6 +2508,7 @@ public static void fiat_P224_from_montgomery(long[] out1, final long[] arg1) { /** * The function fiat_P224_to_montgomery translates a field element into the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -3115,6 +3126,7 @@ public static void fiat_P224_to_montgomery(long[] out1, final long[] arg1) { /** * The function fiat_P224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -3132,6 +3144,7 @@ public static void fiat_P224_nonzero(Box out1, final long[] arg1) { /** * The function fiat_P224_selectznz is a multi-limb conditional select.

+ *

* Postconditions:

* eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)

*

@@ -3168,6 +3181,7 @@ public static void fiat_P224_selectznz(long[] out1, int arg1, final long[] arg2, /** * The function fiat_P224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -3260,6 +3274,7 @@ public static void fiat_P224_to_bytes(int[] out1, final long[] arg1) { /** * The function fiat_P224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ bytes_eval arg1 < m

* Postconditions:

@@ -3332,6 +3347,7 @@ public static void fiat_P224_from_bytes(long[] out1, final int[] arg1) { /** * The function fiat_P224_set_one returns the field element one in the Montgomery domain.

+ *

* Postconditions:

* eval (from_montgomery out1) mod m = 1 mod m

* 0 ≤ eval out1 < m

@@ -3352,6 +3368,7 @@ public static void fiat_P224_set_one(long[] out1) { /** * The function fiat_P224_msat returns the saturated representation of the prime modulus.

+ *

* Postconditions:

* twos_complement_eval out1 = m

* 0 ≤ eval out1 < m

@@ -3373,6 +3390,7 @@ public static void fiat_P224_msat(long[] out1) { /** * The function fiat_P224_divstep computes a divstep.

+ *

* Preconditions:

* 0 ≤ eval arg4 < m

* 0 ≤ eval arg5 < m

@@ -3764,6 +3782,7 @@ public static void fiat_P224_divstep(Box out1, long[] out2, long[] out3, l /** * The function fiat_P224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).

+ *

* Postconditions:

* eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋)

* 0 ≤ eval out1 < m

@@ -3783,4 +3802,3 @@ public static void fiat_P224_divstep_precomp(long[] out1) { } } - diff --git a/fiat-java/src/FiatP256.java b/fiat-java/src/FiatP256.java index fd1a93472d3..29632e941dc 100644 --- a/fiat-java/src/FiatP256.java +++ b/fiat-java/src/FiatP256.java 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ package fiat_crypto; 
@@ -32,6 +32,7 @@ static class Box { /** * The function fiat_P256_addcarryx_u32 is an addition with carry.

+ *

* Postconditions:

* out1 = (arg1 + arg2 + arg3) mod 2^32

* out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋

@@ -54,6 +55,7 @@ static void fiat_P256_addcarryx_u32(Box out1, Box out2, int arg1, /** * The function fiat_P256_subborrowx_u32 is a subtraction with borrow.

+ *

* Postconditions:

* out1 = (-arg1 + arg2 + -arg3) mod 2^32

* out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋

@@ -76,6 +78,7 @@ static void fiat_P256_subborrowx_u32(Box out1, Box out2, int arg1 /** * The function fiat_P256_mulx_u32 is a multiplication, returning the full double-width result.

+ *

* Postconditions:

* out1 = (arg1 * arg2) mod 2^32

* out2 = ⌊arg1 * arg2 / 2^32⌋

@@ -97,6 +100,7 @@ static void fiat_P256_mulx_u32(Box out1, Box out2, long arg1, long a /** * The function fiat_P256_cmovznz_u64 is a single-word conditional move.

+ *

* Postconditions:

* out1 = (if arg1 = 0 then arg2 else arg3)

*

@@ -115,6 +119,7 @@ static void fiat_P256_cmovznz_u64(Box out1, int arg1, long arg2, long arg3 /** * The function fiat_P256_mul multiplies two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -1124,6 +1129,7 @@ public static void fiat_P256_mul(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P256_square squares a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -2131,6 +2137,7 @@ public static void fiat_P256_square(long[] out1, final long[] arg1) { /** * The function fiat_P256_add adds two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -2224,6 +2231,7 @@ public static void fiat_P256_add(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P256_sub subtracts two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -2300,6 +2308,7 @@ public static void fiat_P256_sub(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P256_opp negates a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -2374,6 +2383,7 @@ public static void fiat_P256_opp(long[] out1, final long[] arg1) { /** * The function fiat_P256_from_montgomery translates a field element out of the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -2913,6 +2923,7 @@ public static void fiat_P256_from_montgomery(long[] out1, final long[] arg1) { /** * The function fiat_P256_to_montgomery translates a field element into the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -3804,6 +3815,7 @@ public static void fiat_P256_to_montgomery(long[] out1, final long[] arg1) { /** * The function fiat_P256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -3821,6 +3833,7 @@ public static void fiat_P256_nonzero(Box out1, final long[] arg1) { /** * The function fiat_P256_selectznz is a multi-limb conditional select.

+ *

* Postconditions:

* eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)

*

@@ -3860,6 +3873,7 @@ public static void fiat_P256_selectznz(long[] out1, int arg1, final long[] arg2, /** * The function fiat_P256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -3963,6 +3977,7 @@ public static void fiat_P256_to_bytes(int[] out1, final long[] arg1) { /** * The function fiat_P256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ bytes_eval arg1 < m

* Postconditions:

@@ -4043,6 +4058,7 @@ public static void fiat_P256_from_bytes(long[] out1, final int[] arg1) { /** * The function fiat_P256_set_one returns the field element one in the Montgomery domain.

+ *

* Postconditions:

* eval (from_montgomery out1) mod m = 1 mod m

* 0 ≤ eval out1 < m

@@ -4064,6 +4080,7 @@ public static void fiat_P256_set_one(long[] out1) { /** * The function fiat_P256_msat returns the saturated representation of the prime modulus.

+ *

* Postconditions:

* twos_complement_eval out1 = m

* 0 ≤ eval out1 < m

@@ -4086,6 +4103,7 @@ public static void fiat_P256_msat(long[] out1) { /** * The function fiat_P256_divstep computes a divstep.

+ *

* Preconditions:

* 0 ≤ eval arg4 < m

* 0 ≤ eval arg5 < m

@@ -4523,6 +4541,7 @@ public static void fiat_P256_divstep(Box out1, long[] out2, long[] out3, l /** * The function fiat_P256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).

+ *

* Postconditions:

* eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋)

* 0 ≤ eval out1 < m

@@ -4543,4 +4562,3 @@ public static void fiat_P256_divstep_precomp(long[] out1) { } } - diff --git a/fiat-java/src/FiatP384.java b/fiat-java/src/FiatP384.java index 37336e2731e..62fa4e82a72 100644 --- a/fiat-java/src/FiatP384.java +++ b/fiat-java/src/FiatP384.java 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ -/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + 
(z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ +/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ package fiat_crypto; @@ -32,6 +32,7 @@ static class Box { /** * The function fiat_P384_addcarryx_u32 is an addition with carry.

+ *

* Postconditions:

* out1 = (arg1 + arg2 + arg3) mod 2^32

* out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋

@@ -54,6 +55,7 @@ static void fiat_P384_addcarryx_u32(Box out1, Box out2, int arg1, /** * The function fiat_P384_subborrowx_u32 is a subtraction with borrow.

+ *

* Postconditions:

* out1 = (-arg1 + arg2 + -arg3) mod 2^32

* out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋

@@ -76,6 +78,7 @@ static void fiat_P384_subborrowx_u32(Box out1, Box out2, int arg1 /** * The function fiat_P384_mulx_u32 is a multiplication, returning the full double-width result.

+ *

* Postconditions:

* out1 = (arg1 * arg2) mod 2^32

* out2 = ⌊arg1 * arg2 / 2^32⌋

@@ -97,6 +100,7 @@ static void fiat_P384_mulx_u32(Box out1, Box out2, long arg1, long a /** * The function fiat_P384_cmovznz_u64 is a single-word conditional move.

+ *

* Postconditions:

* out1 = (if arg1 = 0 then arg2 else arg3)

*

@@ -115,6 +119,7 @@ static void fiat_P384_cmovznz_u64(Box out1, int arg1, long arg2, long arg3 /** * The function fiat_P384_mul multiplies two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -2628,6 +2633,7 @@ public static void fiat_P384_mul(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P384_square squares a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -5139,6 +5145,7 @@ public static void fiat_P384_square(long[] out1, final long[] arg1) { /** * The function fiat_P384_add adds two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -5268,6 +5275,7 @@ public static void fiat_P384_add(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P384_sub subtracts two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -5372,6 +5380,7 @@ public static void fiat_P384_sub(long[] out1, final long[] arg1, final long[] ar /** * The function fiat_P384_opp negates a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -5474,6 +5483,7 @@ public static void fiat_P384_opp(long[] out1, final long[] arg1) { /** * The function fiat_P384_from_montgomery translates a field element out of the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -7009,6 +7019,7 @@ public static void fiat_P384_from_montgomery(long[] out1, final long[] arg1) { /** * The function fiat_P384_to_montgomery translates a field element into the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -8801,6 +8812,7 @@ public static void fiat_P384_to_montgomery(long[] out1, final long[] arg1) { /** * The function fiat_P384_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -8818,6 +8830,7 @@ public static void fiat_P384_nonzero(Box out1, final long[] arg1) { /** * The function fiat_P384_selectznz is a multi-limb conditional select.

+ *

* Postconditions:

* eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)

*

@@ -8869,6 +8882,7 @@ public static void fiat_P384_selectznz(long[] out1, int arg1, final long[] arg2, /** * The function fiat_P384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -9016,6 +9030,7 @@ public static void fiat_P384_to_bytes(int[] out1, final long[] arg1) { /** * The function fiat_P384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ bytes_eval arg1 < m

* Postconditions:

@@ -9128,6 +9143,7 @@ public static void fiat_P384_from_bytes(long[] out1, final int[] arg1) { /** * The function fiat_P384_set_one returns the field element one in the Montgomery domain.

+ *

* Postconditions:

* eval (from_montgomery out1) mod m = 1 mod m

* 0 ≤ eval out1 < m

@@ -9153,6 +9169,7 @@ public static void fiat_P384_set_one(long[] out1) { /** * The function fiat_P384_msat returns the saturated representation of the prime modulus.

+ *

* Postconditions:

* twos_complement_eval out1 = m

* 0 ≤ eval out1 < m

@@ -9179,6 +9196,7 @@ public static void fiat_P384_msat(long[] out1) { /** * The function fiat_P384_divstep computes a divstep.

+ *

* Preconditions:

* 0 ≤ eval arg4 < m

* 0 ≤ eval arg5 < m

@@ -9800,6 +9818,7 @@ public static void fiat_P384_divstep(Box out1, long[] out2, long[] out3, l /** * The function fiat_P384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).

+ *

* Postconditions:

* eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋)

* 0 ≤ eval out1 < m

@@ -9824,4 +9843,3 @@ public static void fiat_P384_divstep_precomp(long[] out1) { } } - diff --git a/fiat-java/src/FiatPoly1305.java b/fiat-java/src/FiatPoly1305.java index cf5ce98ffde..00920d26c38 100644 --- a/fiat-java/src/FiatPoly1305.java +++ b/fiat-java/src/FiatPoly1305.java @@ -7,10 +7,10 @@ /* tight_bounds_multiplier = 1 (from "") */ /* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ -/* eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ -/* balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) */ +/* balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] */ package fiat_crypto; @@ -27,6 +27,7 @@ static class Box { /** * The function fiat_Poly1305_addcarryx_u26 is an addition with carry.

+ *

* Postconditions:

* out1 = (arg1 + arg2 + arg3) mod 2^26

* out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋

@@ -49,6 +50,7 @@ static void fiat_Poly1305_addcarryx_u26(Box out1, Box out2, in /** * The function fiat_Poly1305_subborrowx_u26 is a subtraction with borrow.

+ *

* Postconditions:

* out1 = (-arg1 + arg2 + -arg3) mod 2^26

* out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋

@@ -71,6 +73,7 @@ static void fiat_Poly1305_subborrowx_u26(Box out1, Box out2, i /** * The function fiat_Poly1305_cmovznz_u64 is a single-word conditional move.

+ *

* Postconditions:

* out1 = (if arg1 = 0 then arg2 else arg3)

*

@@ -89,6 +92,7 @@ static void fiat_Poly1305_cmovznz_u64(Box out1, int arg1, long arg2, long /** * The function fiat_Poly1305_carry_mul multiplies two field elements and reduces the result.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 * eval arg2) mod m

*

@@ -160,6 +164,7 @@ public static void fiat_Poly1305_carry_mul(int[] out1, final int[] arg1, final i /** * The function fiat_Poly1305_carry_square squares a field element and reduces the result.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 * eval arg1) mod m

*

@@ -228,6 +233,7 @@ public static void fiat_Poly1305_carry_square(int[] out1, final int[] arg1) { /** * The function fiat_Poly1305_carry reduces a field element.

+ *

* Postconditions:

* eval out1 mod m = eval arg1 mod m

*

@@ -258,6 +264,7 @@ public static void fiat_Poly1305_carry(int[] out1, final int[] arg1) { /** * The function fiat_Poly1305_add adds two field elements.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 + eval arg2) mod m

*

@@ -282,6 +289,7 @@ public static void fiat_Poly1305_add(int[] out1, final int[] arg1, final int[] a /** * The function fiat_Poly1305_sub subtracts two field elements.

+ *

* Postconditions:

* eval out1 mod m = (eval arg1 - eval arg2) mod m

*

@@ -306,6 +314,7 @@ public static void fiat_Poly1305_sub(int[] out1, final int[] arg1, final int[] a /** * The function fiat_Poly1305_opp negates a field element.

+ *

* Postconditions:

* eval out1 mod m = -eval arg1 mod m

*

@@ -329,6 +338,7 @@ public static void fiat_Poly1305_opp(int[] out1, final int[] arg1) { /** * The function fiat_Poly1305_selectznz is a multi-limb conditional select.

+ *

* Postconditions:

* eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)

*

@@ -359,6 +369,7 @@ public static void fiat_Poly1305_selectznz(long[] out1, int arg1, final long[] a /** * The function fiat_Poly1305_to_bytes serializes a field element to bytes in little-endian order.

+ *

* Postconditions:

* out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16]

*

@@ -457,6 +468,7 @@ public static void fiat_Poly1305_to_bytes(int[] out1, final int[] arg1) { /** * The function fiat_Poly1305_from_bytes deserializes a field element from bytes in little-endian order.

+ *

* Postconditions:

* eval out1 mod m = bytes_eval arg1 mod m

*

@@ -512,4 +524,3 @@ public static void fiat_Poly1305_from_bytes(int[] out1, final int[] arg1) { } } - diff --git a/fiat-java/src/FiatSecp256K1.java b/fiat-java/src/FiatSecp256K1.java index 8547d413aff..b44b7ef6917 100644 --- a/fiat-java/src/FiatSecp256K1.java +++ b/fiat-java/src/FiatSecp256K1.java 
@@ -12,10 +12,10 @@ /* return values. */ /* */ /* Computed values: */ -/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ -/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ -/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ -/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ package fiat_crypto; 
@@ -32,6 +32,7 @@ static class Box { /** * The function fiat_Secp256K1_addcarryx_u32 is an addition with carry.

+ *

* Postconditions:

* out1 = (arg1 + arg2 + arg3) mod 2^32

* out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋

@@ -54,6 +55,7 @@ static void fiat_Secp256K1_addcarryx_u32(Box out1, Box out2, int /** * The function fiat_Secp256K1_subborrowx_u32 is a subtraction with borrow.

+ *

* Postconditions:

* out1 = (-arg1 + arg2 + -arg3) mod 2^32

* out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋

@@ -76,6 +78,7 @@ static void fiat_Secp256K1_subborrowx_u32(Box out1, Box out2, int /** * The function fiat_Secp256K1_mulx_u32 is a multiplication, returning the full double-width result.

+ *

* Postconditions:

* out1 = (arg1 * arg2) mod 2^32

* out2 = ⌊arg1 * arg2 / 2^32⌋

@@ -97,6 +100,7 @@ static void fiat_Secp256K1_mulx_u32(Box out1, Box out2, long arg1, l /** * The function fiat_Secp256K1_cmovznz_u64 is a single-word conditional move.

+ *

* Postconditions:

* out1 = (if arg1 = 0 then arg2 else arg3)

*

@@ -115,6 +119,7 @@ static void fiat_Secp256K1_cmovznz_u64(Box out1, int arg1, long arg2, long /** * The function fiat_Secp256K1_mul multiplies two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -1364,6 +1369,7 @@ public static void fiat_Secp256K1_mul(long[] out1, final long[] arg1, final long /** * The function fiat_Secp256K1_square squares a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -2611,6 +2617,7 @@ public static void fiat_Secp256K1_square(long[] out1, final long[] arg1) { /** * The function fiat_Secp256K1_add adds two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -2704,6 +2711,7 @@ public static void fiat_Secp256K1_add(long[] out1, final long[] arg1, final long /** * The function fiat_Secp256K1_sub subtracts two field elements in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* 0 ≤ eval arg2 < m

@@ -2780,6 +2788,7 @@ public static void fiat_Secp256K1_sub(long[] out1, final long[] arg1, final long /** * The function fiat_Secp256K1_opp negates a field element in the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -2854,6 +2863,7 @@ public static void fiat_Secp256K1_opp(long[] out1, final long[] arg1) { /** * The function fiat_Secp256K1_from_montgomery translates a field element out of the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -3690,6 +3700,7 @@ public static void fiat_Secp256K1_from_montgomery(long[] out1, final long[] arg1 /** * The function fiat_Secp256K1_to_montgomery translates a field element into the Montgomery domain.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -4629,6 +4640,7 @@ public static void fiat_Secp256K1_to_montgomery(long[] out1, final long[] arg1) /** * The function fiat_Secp256K1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -4646,6 +4658,7 @@ public static void fiat_Secp256K1_nonzero(Box out1, final long[] arg1) { /** * The function fiat_Secp256K1_selectznz is a multi-limb conditional select.

+ *

* Postconditions:

* eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)

*

@@ -4685,6 +4698,7 @@ public static void fiat_Secp256K1_selectznz(long[] out1, int arg1, final long[] /** * The function fiat_Secp256K1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ eval arg1 < m

* Postconditions:

@@ -4788,6 +4802,7 @@ public static void fiat_Secp256K1_to_bytes(int[] out1, final long[] arg1) { /** * The function fiat_Secp256K1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.

+ *

* Preconditions:

* 0 ≤ bytes_eval arg1 < m

* Postconditions:

@@ -4868,6 +4883,7 @@ public static void fiat_Secp256K1_from_bytes(long[] out1, final int[] arg1) { /** * The function fiat_Secp256K1_set_one returns the field element one in the Montgomery domain.

+ *

* Postconditions:

* eval (from_montgomery out1) mod m = 1 mod m

* 0 ≤ eval out1 < m

@@ -4889,6 +4905,7 @@ public static void fiat_Secp256K1_set_one(int[] out1) { /** * The function fiat_Secp256K1_msat returns the saturated representation of the prime modulus.

+ *

* Postconditions:

* twos_complement_eval out1 = m

* 0 ≤ eval out1 < m

@@ -4911,6 +4928,7 @@ public static void fiat_Secp256K1_msat(long[] out1) { /** * The function fiat_Secp256K1_divstep computes a divstep.

+ *

* Preconditions:

* 0 ≤ eval arg4 < m

* 0 ≤ eval arg5 < m

@@ -5348,6 +5366,7 @@ public static void fiat_Secp256K1_divstep(Box out1, long[] out2, long[] ou /** * The function fiat_Secp256K1_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).

+ *

* Postconditions:

* eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋)

* 0 ≤ eval out1 < m

@@ -5368,4 +5387,3 @@ public static void fiat_Secp256K1_divstep_precomp(long[] out1) { } } - diff --git a/fiat-rust/src/curve25519_32.rs b/fiat-rust/src/curve25519_32.rs index 8e1730f20df..db5942c1234 100644 --- a/fiat-rust/src/curve25519_32.rs +++ b/fiat-rust/src/curve25519_32.rs 
@@ -7,10 +7,10 @@ //! tight_bounds_multiplier = 1 (from "") //! //! Computed values: -//! carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] -//! eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -//! balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] +//! carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] +//! eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +//! balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] #![allow(unused_parens)] #[allow(non_camel_case_types)] 
@@ -22,6 +22,7 @@ pub type fiat_25519_i2 = i8; /// The function fiat_25519_addcarryx_u26 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^26 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ @@ -43,6 +44,7 @@ pub fn fiat_25519_addcarryx_u26(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: } /// The function fiat_25519_subborrowx_u26 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^26 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -64,6 +66,7 @@ pub fn fiat_25519_subborrowx_u26(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: } /// The function fiat_25519_addcarryx_u25 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^25 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋ @@ -85,6 +88,7 @@ pub fn fiat_25519_addcarryx_u25(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: } /// The function fiat_25519_subborrowx_u25 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^25 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋ @@ -106,6 +110,7 @@ pub fn fiat_25519_subborrowx_u25(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: } /// The function fiat_25519_cmovznz_u32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -124,6 +129,7 @@ pub fn fiat_25519_cmovznz_u32(out1: &mut u32, arg1: fiat_25519_u1, arg2: u32, ar } /// The function fiat_25519_carry_mul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -294,6 +300,7 @@ pub fn fiat_25519_carry_mul(out1: &mut [u32; 10], arg1: &[u32; 10], arg2: &[u32; } /// The function fiat_25519_carry_square squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// 
@@ -436,6 +443,7 @@ pub fn fiat_25519_carry_square(out1: &mut [u32; 10], arg1: &[u32; 10]) -> () { } /// The function fiat_25519_carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -480,6 +488,7 @@ pub fn fiat_25519_carry(out1: &mut [u32; 10], arg1: &[u32; 10]) -> () { } /// The function fiat_25519_add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -513,6 +522,7 @@ pub fn fiat_25519_add(out1: &mut [u32; 10], arg1: &[u32; 10], arg2: &[u32; 10]) } /// The function fiat_25519_sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -546,6 +556,7 @@ pub fn fiat_25519_sub(out1: &mut [u32; 10], arg1: &[u32; 10], arg2: &[u32; 10]) } /// The function fiat_25519_opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -578,6 +589,7 @@ pub fn fiat_25519_opp(out1: &mut [u32; 10], arg1: &[u32; 10]) -> () { } /// The function fiat_25519_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -622,6 +634,7 @@ pub fn fiat_25519_selectznz(out1: &mut [u32; 10], arg1: fiat_25519_u1, arg2: &[u } /// The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] /// @@ -804,6 +817,7 @@ pub fn fiat_25519_to_bytes(out1: &mut [u8; 32], arg1: &[u32; 10]) -> () { } /// The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// 
@@ -904,6 +918,7 @@ pub fn fiat_25519_from_bytes(out1: &mut [u32; 10], arg1: &[u8; 32]) -> () { } /// The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (121666 * eval arg1) mod m /// @@ -971,4 +986,3 @@ pub fn fiat_25519_carry_scmul_121666(out1: &mut [u32; 10], arg1: &[u32; 10]) -> out1[8] = x36; out1[9] = x39; } - diff --git a/fiat-rust/src/curve25519_64.rs b/fiat-rust/src/curve25519_64.rs index cce20f897b9..4b96dd054b1 100644 --- a/fiat-rust/src/curve25519_64.rs +++ b/fiat-rust/src/curve25519_64.rs 
@@ -7,10 +7,10 @@ //! tight_bounds_multiplier = 1 (from "") //! //! Computed values: -//! carry_chain = [0, 1, 2, 3, 4, 0, 1] -//! eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -//! balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] +//! carry_chain = [0, 1, 2, 3, 4, 0, 1] +//! eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +//! balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -22,6 +22,7 @@ pub type fiat_25519_i2 = i8; /// The function fiat_25519_addcarryx_u51 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^51 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ 
@@ -43,6 +44,7 @@ pub fn fiat_25519_addcarryx_u51(out1: &mut u64, out2: &mut fiat_25519_u1, arg1: } /// The function fiat_25519_subborrowx_u51 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^51 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ @@ -64,6 +66,7 @@ pub fn fiat_25519_subborrowx_u51(out1: &mut u64, out2: &mut fiat_25519_u1, arg1: } /// The function fiat_25519_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -82,6 +85,7 @@ pub fn fiat_25519_cmovznz_u64(out1: &mut u64, arg1: fiat_25519_u1, arg2: u64, ar } /// The function fiat_25519_carry_mul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -152,6 +156,7 @@ pub fn fiat_25519_carry_mul(out1: &mut [u64; 5], arg1: &[u64; 5], arg2: &[u64; 5 } /// The function fiat_25519_carry_square squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -219,6 +224,7 @@ pub fn fiat_25519_carry_square(out1: &mut [u64; 5], arg1: &[u64; 5]) -> () { } /// The function fiat_25519_carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -248,6 +254,7 @@ pub fn fiat_25519_carry(out1: &mut [u64; 5], arg1: &[u64; 5]) -> () { } /// The function fiat_25519_add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -271,6 +278,7 @@ pub fn fiat_25519_add(out1: &mut [u64; 5], arg1: &[u64; 5], arg2: &[u64; 5]) -> } /// The function fiat_25519_sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// 
@@ -294,6 +302,7 @@ pub fn fiat_25519_sub(out1: &mut [u64; 5], arg1: &[u64; 5], arg2: &[u64; 5]) -> } /// The function fiat_25519_opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -316,6 +325,7 @@ pub fn fiat_25519_opp(out1: &mut [u64; 5], arg1: &[u64; 5]) -> () { } /// The function fiat_25519_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -345,6 +355,7 @@ pub fn fiat_25519_selectznz(out1: &mut [u64; 5], arg1: fiat_25519_u1, arg2: &[u6 } /// The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] /// @@ -491,6 +502,7 @@ pub fn fiat_25519_to_bytes(out1: &mut [u8; 32], arg1: &[u64; 5]) -> () { } /// The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -579,6 +591,7 @@ pub fn fiat_25519_from_bytes(out1: &mut [u64; 5], arg1: &[u8; 32]) -> () { } /// The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (121666 * eval arg1) mod m /// @@ -621,4 +634,3 @@ pub fn fiat_25519_carry_scmul_121666(out1: &mut [u64; 5], arg1: &[u64; 5]) -> () out1[3] = x16; out1[4] = x19; } - diff --git a/fiat-rust/src/p224_32.rs b/fiat-rust/src/p224_32.rs index 661be883aed..d91ee36150f 100644 --- a/fiat-rust/src/p224_32.rs +++ b/fiat-rust/src/p224_32.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in -//! if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 +//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in +//! if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -27,6 +27,7 @@ pub type fiat_p224_i2 = i8; /// The function fiat_p224_addcarryx_u32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ 
@@ -48,6 +49,7 @@ pub fn fiat_p224_addcarryx_u32(out1: &mut u32, out2: &mut fiat_p224_u1, arg1: fi } /// The function fiat_p224_subborrowx_u32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -69,6 +71,7 @@ pub fn fiat_p224_subborrowx_u32(out1: &mut u32, out2: &mut fiat_p224_u1, arg1: f } /// The function fiat_p224_mulx_u32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -89,6 +92,7 @@ pub fn fiat_p224_mulx_u32(out1: &mut u32, out2: &mut u32, arg1: u32, arg2: u32) } /// The function fiat_p224_cmovznz_u32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_p224_cmovznz_u32(out1: &mut u32, arg1: fiat_p224_u1, arg2: u32, arg3 } /// The function fiat_p224_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -949,6 +954,7 @@ pub fn fiat_p224_mul(out1: &mut [u32; 7], arg1: &[u32; 7], arg2: &[u32; 7]) -> ( } /// The function fiat_p224_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1789,6 +1795,7 @@ pub fn fiat_p224_square(out1: &mut [u32; 7], arg1: &[u32; 7]) -> () { } /// The function fiat_p224_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1872,6 +1879,7 @@ pub fn fiat_p224_add(out1: &mut [u32; 7], arg1: &[u32; 7], arg2: &[u32; 7]) -> ( } /// The function fiat_p224_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -1940,6 +1948,7 @@ pub fn fiat_p224_sub(out1: &mut [u32; 7], arg1: &[u32; 7], arg2: &[u32; 7]) -> ( } /// The function fiat_p224_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2006,6 +2015,7 @@ pub fn fiat_p224_opp(out1: &mut [u32; 7], arg1: &[u32; 7]) -> () { } /// The function fiat_p224_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2484,6 +2494,7 @@ pub fn fiat_p224_from_montgomery(out1: &mut [u32; 7], arg1: &[u32; 7]) -> () { } /// The function fiat_p224_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3100,6 +3111,7 @@ pub fn fiat_p224_to_montgomery(out1: &mut [u32; 7], arg1: &[u32; 7]) -> () { } /// The function fiat_p224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3116,6 +3128,7 @@ pub fn fiat_p224_nonzero(out1: &mut u32, arg1: &[u32; 7]) -> () { } /// The function fiat_p224_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -3151,6 +3164,7 @@ pub fn fiat_p224_selectznz(out1: &mut [u32; 7], arg1: fiat_p224_u1, arg2: &[u32; } /// The function fiat_p224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3242,6 +3256,7 @@ pub fn fiat_p224_to_bytes(out1: &mut [u8; 28], arg1: &[u32; 7]) -> () { } /// The function fiat_p224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: 
@@ -3313,6 +3328,7 @@ pub fn fiat_p224_from_bytes(out1: &mut [u32; 7], arg1: &[u8; 28]) -> () { } /// The function fiat_p224_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -3332,6 +3348,7 @@ pub fn fiat_p224_set_one(out1: &mut [u32; 7]) -> () { } /// The function fiat_p224_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -3352,6 +3369,7 @@ pub fn fiat_p224_msat(out1: &mut [u32; 8]) -> () { } /// The function fiat_p224_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -3742,6 +3760,7 @@ pub fn fiat_p224_divstep(out1: &mut u32, out2: &mut [u32; 8], out3: &mut [u32; 8 } /// The function fiat_p224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -3759,4 +3778,3 @@ pub fn fiat_p224_divstep_precomp(out1: &mut [u32; 7]) -> () { out1[5] = 0xff800000; out1[6] = 0x17fffff; } - diff --git a/fiat-rust/src/p224_64.rs b/fiat-rust/src/p224_64.rs index c6553f523a1..0cdfdd0633e 100644 --- a/fiat-rust/src/p224_64.rs +++ b/fiat-rust/src/p224_64.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -27,6 +27,7 @@ pub type fiat_p224_i2 = i8; /// The function fiat_p224_addcarryx_u64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -48,6 +49,7 @@ pub fn fiat_p224_addcarryx_u64(out1: &mut u64, out2: &mut fiat_p224_u1, arg1: fi } /// The function fiat_p224_subborrowx_u64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -69,6 +71,7 @@ pub fn fiat_p224_subborrowx_u64(out1: &mut u64, out2: &mut fiat_p224_u1, arg1: f } /// The function fiat_p224_mulx_u64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -89,6 +92,7 @@ pub fn fiat_p224_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u64, arg2: u64) } /// The function fiat_p224_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_p224_cmovznz_u64(out1: &mut u64, arg1: fiat_p224_u1, arg2: u64, arg3 } /// The function fiat_p224_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -427,6 +432,7 @@ pub fn fiat_p224_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> ( } /// The function fiat_p224_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -745,6 +751,7 @@ pub fn fiat_p224_square(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p224_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -801,6 +808,7 @@ pub fn fiat_p224_add(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> ( } /// The function fiat_p224_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -848,6 +856,7 @@ pub fn fiat_p224_sub(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> ( } /// The function fiat_p224_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -893,6 +902,7 @@ pub fn fiat_p224_opp(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p224_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1084,6 +1094,7 @@ pub fn fiat_p224_from_montgomery(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p224_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1371,6 +1382,7 @@ pub fn fiat_p224_to_montgomery(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1387,6 +1399,7 @@ pub fn fiat_p224_nonzero(out1: &mut u64, arg1: &[u64; 4]) -> () { } /// The function fiat_p224_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -1413,6 +1426,7 @@ pub fn fiat_p224_selectznz(out1: &mut [u64; 4], arg1: fiat_p224_u1, arg2: &[u64; } /// The function fiat_p224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1507,6 +1521,7 @@ pub fn fiat_p224_to_bytes(out1: &mut [u8; 28], arg1: &[u64; 4]) -> () { } /// The function fiat_p224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: 
@@ -1578,6 +1593,7 @@ pub fn fiat_p224_from_bytes(out1: &mut [u64; 4], arg1: &[u8; 28]) -> () { } /// The function fiat_p224_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -1594,6 +1610,7 @@ pub fn fiat_p224_set_one(out1: &mut [u64; 4]) -> () { } /// The function fiat_p224_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -1611,6 +1628,7 @@ pub fn fiat_p224_msat(out1: &mut [u64; 5]) -> () { } /// The function fiat_p224_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -1863,6 +1881,7 @@ pub fn fiat_p224_divstep(out1: &mut u64, out2: &mut [u64; 5], out3: &mut [u64; 5 } /// The function fiat_p224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -1877,4 +1896,3 @@ pub fn fiat_p224_divstep_precomp(out1: &mut [u64; 4]) -> () { out1[2] = 0xffffff; out1[3] = 0xff800000; } - diff --git a/fiat-rust/src/p256_32.rs b/fiat-rust/src/p256_32.rs index 0a8ff4313bc..93ff4c62f6a 100644 --- a/fiat-rust/src/p256_32.rs +++ b/fiat-rust/src/p256_32.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in -//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in +//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 #![allow(unused_parens)] #[allow(non_camel_case_types)] 
@@ -27,6 +27,7 @@ pub type fiat_p256_i2 = i8; /// The function fiat_p256_addcarryx_u32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -48,6 +49,7 @@ pub fn fiat_p256_addcarryx_u32(out1: &mut u32, out2: &mut fiat_p256_u1, arg1: fi } /// The function fiat_p256_subborrowx_u32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -69,6 +71,7 @@ pub fn fiat_p256_subborrowx_u32(out1: &mut u32, out2: &mut fiat_p256_u1, arg1: f } /// The function fiat_p256_mulx_u32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -89,6 +92,7 @@ pub fn fiat_p256_mulx_u32(out1: &mut u32, out2: &mut u32, arg1: u32, arg2: u32) } /// The function fiat_p256_cmovznz_u32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_p256_cmovznz_u32(out1: &mut u32, arg1: fiat_p256_u1, arg2: u32, arg3 } /// The function fiat_p256_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1115,6 +1120,7 @@ pub fn fiat_p256_mul(out1: &mut [u32; 8], arg1: &[u32; 8], arg2: &[u32; 8]) -> ( } /// The function fiat_p256_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2121,6 +2127,7 @@ pub fn fiat_p256_square(out1: &mut [u32; 8], arg1: &[u32; 8]) -> () { } /// The function fiat_p256_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -2213,6 +2220,7 @@ pub fn fiat_p256_add(out1: &mut [u32; 8], arg1: &[u32; 8], arg2: &[u32; 8]) -> ( } /// The function fiat_p256_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2288,6 +2296,7 @@ pub fn fiat_p256_sub(out1: &mut [u32; 8], arg1: &[u32; 8], arg2: &[u32; 8]) -> ( } /// The function fiat_p256_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2361,6 +2370,7 @@ pub fn fiat_p256_opp(out1: &mut [u32; 8], arg1: &[u32; 8]) -> () { } /// The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2899,6 +2909,7 @@ pub fn fiat_p256_from_montgomery(out1: &mut [u32; 8], arg1: &[u32; 8]) -> () { } /// The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3789,6 +3800,7 @@ pub fn fiat_p256_to_montgomery(out1: &mut [u32; 8], arg1: &[u32; 8]) -> () { } /// The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3805,6 +3817,7 @@ pub fn fiat_p256_nonzero(out1: &mut u32, arg1: &[u32; 8]) -> () { } /// The function fiat_p256_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -3843,6 +3856,7 @@ pub fn fiat_p256_selectznz(out1: &mut [u32; 8], arg1: fiat_p256_u1, arg2: &[u32; } /// The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -3945,6 +3959,7 @@ pub fn fiat_p256_to_bytes(out1: &mut [u8; 32], arg1: &[u32; 8]) -> () { } /// The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -4024,6 +4039,7 @@ pub fn fiat_p256_from_bytes(out1: &mut [u32; 8], arg1: &[u8; 32]) -> () { } /// The function fiat_p256_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -4044,6 +4060,7 @@ pub fn fiat_p256_set_one(out1: &mut [u32; 8]) -> () { } /// The function fiat_p256_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -4065,6 +4082,7 @@ pub fn fiat_p256_msat(out1: &mut [u32; 9]) -> () { } /// The function fiat_p256_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -4501,6 +4519,7 @@ pub fn fiat_p256_divstep(out1: &mut u32, out2: &mut [u32; 9], out3: &mut [u32; 9 } /// The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -4519,4 +4538,3 @@ pub fn fiat_p256_divstep_precomp(out1: &mut [u32; 8]) -> () { out1[6] = 0xffffffff; out1[7] = 0x2fffffff; } - diff --git a/fiat-rust/src/p256_64.rs b/fiat-rust/src/p256_64.rs index f86e8a8880b..1819c4fd81a 100644 --- a/fiat-rust/src/p256_64.rs +++ b/fiat-rust/src/p256_64.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -27,6 +27,7 @@ pub type fiat_p256_i2 = i8; /// The function fiat_p256_addcarryx_u64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -48,6 +49,7 @@ pub fn fiat_p256_addcarryx_u64(out1: &mut u64, out2: &mut fiat_p256_u1, arg1: fi } /// The function fiat_p256_subborrowx_u64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -69,6 +71,7 @@ pub fn fiat_p256_subborrowx_u64(out1: &mut u64, out2: &mut fiat_p256_u1, arg1: f } /// The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -89,6 +92,7 @@ pub fn fiat_p256_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u64, arg2: u64) } /// The function fiat_p256_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_p256_cmovznz_u64(out1: &mut u64, arg1: fiat_p256_u1, arg2: u64, arg3 } /// The function fiat_p256_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -403,6 +408,7 @@ pub fn fiat_p256_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> ( } /// The function fiat_p256_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -697,6 +703,7 @@ pub fn fiat_p256_square(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p256_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -753,6 +760,7 @@ pub fn fiat_p256_add(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> ( } /// The function fiat_p256_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -800,6 +808,7 @@ pub fn fiat_p256_sub(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) -> ( } /// The function fiat_p256_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -845,6 +854,7 @@ pub fn fiat_p256_opp(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1000,6 +1010,7 @@ pub fn fiat_p256_from_montgomery(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1274,6 +1285,7 @@ pub fn fiat_p256_to_montgomery(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1290,6 +1302,7 @@ pub fn fiat_p256_nonzero(out1: &mut u64, arg1: &[u64; 4]) -> () { } /// The function fiat_p256_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -1316,6 +1329,7 @@ pub fn fiat_p256_selectznz(out1: &mut [u64; 4], arg1: fiat_p256_u1, arg2: &[u64; } /// The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1422,6 +1436,7 @@ pub fn fiat_p256_to_bytes(out1: &mut [u8; 32], arg1: &[u64; 4]) -> () { } /// The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: 
@@ -1501,6 +1516,7 @@ pub fn fiat_p256_from_bytes(out1: &mut [u64; 4], arg1: &[u8; 32]) -> () { } /// The function fiat_p256_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -1517,6 +1533,7 @@ pub fn fiat_p256_set_one(out1: &mut [u64; 4]) -> () { } /// The function fiat_p256_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -1534,6 +1551,7 @@ pub fn fiat_p256_msat(out1: &mut [u64; 5]) -> () { } /// The function fiat_p256_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -1786,6 +1804,7 @@ pub fn fiat_p256_divstep(out1: &mut u64, out2: &mut [u64; 5], out3: &mut [u64; 5 } /// The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -1800,4 +1819,3 @@ pub fn fiat_p256_divstep_precomp(out1: &mut [u64; 4]) -> () { out1[2] = 0xd80000007fffffff; out1[3] = 0x2fffffffffffffff; } - diff --git a/fiat-rust/src/p384_32.rs b/fiat-rust/src/p384_32.rs index 296e220b9b2..6b5cc8d762e 100644 --- a/fiat-rust/src/p384_32.rs +++ b/fiat-rust/src/p384_32.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in -//! if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 +//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) +//! 
bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in +//! if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -27,6 +27,7 @@ pub type fiat_p384_i2 = i8; /// The function fiat_p384_addcarryx_u32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -48,6 +49,7 @@ pub fn fiat_p384_addcarryx_u32(out1: &mut u32, out2: &mut fiat_p384_u1, arg1: fi } /// The function fiat_p384_subborrowx_u32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -69,6 +71,7 @@ pub fn fiat_p384_subborrowx_u32(out1: &mut u32, out2: &mut fiat_p384_u1, arg1: f } /// The function fiat_p384_mulx_u32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ 
@@ -89,6 +92,7 @@ pub fn fiat_p384_mulx_u32(out1: &mut u32, out2: &mut u32, arg1: u32, arg2: u32) } /// The function fiat_p384_cmovznz_u32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_p384_cmovznz_u32(out1: &mut u32, arg1: fiat_p384_u1, arg2: u32, arg3 } /// The function fiat_p384_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2619,6 +2624,7 @@ pub fn fiat_p384_mul(out1: &mut [u32; 12], arg1: &[u32; 12], arg2: &[u32; 12]) - } /// The function fiat_p384_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -5129,6 +5135,7 @@ pub fn fiat_p384_square(out1: &mut [u32; 12], arg1: &[u32; 12]) -> () { } /// The function fiat_p384_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -5257,6 +5264,7 @@ pub fn fiat_p384_add(out1: &mut [u32; 12], arg1: &[u32; 12], arg2: &[u32; 12]) - } /// The function fiat_p384_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -5360,6 +5368,7 @@ pub fn fiat_p384_sub(out1: &mut [u32; 12], arg1: &[u32; 12], arg2: &[u32; 12]) - } /// The function fiat_p384_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -5461,6 +5470,7 @@ pub fn fiat_p384_opp(out1: &mut [u32; 12], arg1: &[u32; 12]) -> () { } /// The function fiat_p384_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -6995,6 +7005,7 @@ pub fn fiat_p384_from_montgomery(out1: &mut [u32; 12], arg1: &[u32; 12]) -> () { } /// The function fiat_p384_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -8786,6 +8797,7 @@ pub fn fiat_p384_to_montgomery(out1: &mut [u32; 12], arg1: &[u32; 12]) -> () { } /// The function fiat_p384_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -8802,6 +8814,7 @@ pub fn fiat_p384_nonzero(out1: &mut u32, arg1: &[u32; 12]) -> () { } /// The function fiat_p384_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -8852,6 +8865,7 @@ pub fn fiat_p384_selectznz(out1: &mut [u32; 12], arg1: fiat_p384_u1, arg2: &[u32 } /// The function fiat_p384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -8998,6 +9012,7 @@ pub fn fiat_p384_to_bytes(out1: &mut [u8; 48], arg1: &[u32; 12]) -> () { } /// The function fiat_p384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -9109,6 +9124,7 @@ pub fn fiat_p384_from_bytes(out1: &mut [u32; 12], arg1: &[u8; 48]) -> () { } /// The function fiat_p384_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -9133,6 +9149,7 @@ pub fn fiat_p384_set_one(out1: &mut [u32; 12]) -> () { } /// The function fiat_p384_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m 
@@ -9158,6 +9175,7 @@ pub fn fiat_p384_msat(out1: &mut [u32; 13]) -> () { } /// The function fiat_p384_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -9778,6 +9796,7 @@ pub fn fiat_p384_divstep(out1: &mut u32, out2: &mut [u32; 13], out3: &mut [u32; } /// The function fiat_p384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -9800,4 +9819,3 @@ pub fn fiat_p384_divstep_precomp(out1: &mut [u32; 12]) -> () { out1[10] = 0x38000; out1[11] = 0xfffc4800; } - diff --git a/fiat-rust/src/p384_64.rs b/fiat-rust/src/p384_64.rs index 41473713157..088d1503cf3 100644 --- a/fiat-rust/src/p384_64.rs +++ b/fiat-rust/src/p384_64.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in -//! if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 +//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) +//! 
bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in +//! if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -27,6 +27,7 @@ pub type fiat_p384_i2 = i8; /// The function fiat_p384_addcarryx_u64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -48,6 +49,7 @@ pub fn fiat_p384_addcarryx_u64(out1: &mut u64, out2: &mut fiat_p384_u1, arg1: fi } /// The function fiat_p384_subborrowx_u64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -69,6 +71,7 @@ pub fn fiat_p384_subborrowx_u64(out1: &mut u64, out2: &mut fiat_p384_u1, arg1: f } /// The function fiat_p384_mulx_u64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ 
@@ -89,6 +92,7 @@ pub fn fiat_p384_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u64, arg2: u64) } /// The function fiat_p384_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_p384_cmovznz_u64(out1: &mut u64, arg1: fiat_p384_u1, arg2: u64, arg3 } /// The function fiat_p384_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -831,6 +836,7 @@ pub fn fiat_p384_mul(out1: &mut [u64; 6], arg1: &[u64; 6], arg2: &[u64; 6]) -> ( } /// The function fiat_p384_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1553,6 +1559,7 @@ pub fn fiat_p384_square(out1: &mut [u64; 6], arg1: &[u64; 6]) -> () { } /// The function fiat_p384_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1627,6 +1634,7 @@ pub fn fiat_p384_add(out1: &mut [u64; 6], arg1: &[u64; 6], arg2: &[u64; 6]) -> ( } /// The function fiat_p384_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1688,6 +1696,7 @@ pub fn fiat_p384_sub(out1: &mut [u64; 6], arg1: &[u64; 6], arg2: &[u64; 6]) -> ( } /// The function fiat_p384_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1747,6 +1756,7 @@ pub fn fiat_p384_opp(out1: &mut [u64; 6], arg1: &[u64; 6]) -> () { } /// The function fiat_p384_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -2234,6 +2244,7 @@ pub fn fiat_p384_from_montgomery(out1: &mut [u64; 6], arg1: &[u64; 6]) -> () { } /// The function fiat_p384_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2870,6 +2881,7 @@ pub fn fiat_p384_to_montgomery(out1: &mut [u64; 6], arg1: &[u64; 6]) -> () { } /// The function fiat_p384_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2886,6 +2898,7 @@ pub fn fiat_p384_nonzero(out1: &mut u64, arg1: &[u64; 6]) -> () { } /// The function fiat_p384_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -2918,6 +2931,7 @@ pub fn fiat_p384_selectznz(out1: &mut [u64; 6], arg1: fiat_p384_u1, arg2: &[u64; } /// The function fiat_p384_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3070,6 +3084,7 @@ pub fn fiat_p384_to_bytes(out1: &mut [u8; 48], arg1: &[u64; 6]) -> () { } /// The function fiat_p384_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -3181,6 +3196,7 @@ pub fn fiat_p384_from_bytes(out1: &mut [u64; 6], arg1: &[u8; 48]) -> () { } /// The function fiat_p384_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -3199,6 +3215,7 @@ pub fn fiat_p384_set_one(out1: &mut [u64; 6]) -> () { } /// The function fiat_p384_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m 
@@ -3218,6 +3235,7 @@ pub fn fiat_p384_msat(out1: &mut [u64; 7]) -> () { } /// The function fiat_p384_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -3562,6 +3580,7 @@ pub fn fiat_p384_divstep(out1: &mut u64, out2: &mut [u64; 7], out3: &mut [u64; 7 } /// The function fiat_p384_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -3578,4 +3597,3 @@ pub fn fiat_p384_divstep_precomp(out1: &mut [u64; 6]) -> () { out1[4] = 0x6040000050400; out1[5] = 0xfffc480000038000; } - diff --git a/fiat-rust/src/p434_64.rs b/fiat-rust/src/p434_64.rs index 7b0d61694c8..4f891375ea8 100644 --- a/fiat-rust/src/p434_64.rs +++ b/fiat-rust/src/p434_64.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in -//! if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 +//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) +//! 
bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in +//! if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -27,6 +27,7 @@ pub type fiat_p434_i2 = i8; /// The function fiat_p434_addcarryx_u64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -48,6 +49,7 @@ pub fn fiat_p434_addcarryx_u64(out1: &mut u64, out2: &mut fiat_p434_u1, arg1: fi } /// The function fiat_p434_subborrowx_u64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ 
@@ -69,6 +71,7 @@ pub fn fiat_p434_subborrowx_u64(out1: &mut u64, out2: &mut fiat_p434_u1, arg1: f } /// The function fiat_p434_mulx_u64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -89,6 +92,7 @@ pub fn fiat_p434_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u64, arg2: u64) } /// The function fiat_p434_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_p434_cmovznz_u64(out1: &mut u64, arg1: fiat_p434_u1, arg2: u64, arg3 } /// The function fiat_p434_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1054,6 +1059,7 @@ pub fn fiat_p434_mul(out1: &mut [u64; 7], arg1: &[u64; 7], arg2: &[u64; 7]) -> ( } /// The function fiat_p434_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1999,6 +2005,7 @@ pub fn fiat_p434_square(out1: &mut [u64; 7], arg1: &[u64; 7]) -> () { } /// The function fiat_p434_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2082,6 +2089,7 @@ pub fn fiat_p434_add(out1: &mut [u64; 7], arg1: &[u64; 7], arg2: &[u64; 7]) -> ( } /// The function fiat_p434_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2150,6 +2158,7 @@ pub fn fiat_p434_sub(out1: &mut [u64; 7], arg1: &[u64; 7], arg2: &[u64; 7]) -> ( } /// The function fiat_p434_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -2216,6 +2225,7 @@ pub fn fiat_p434_opp(out1: &mut [u64; 7], arg1: &[u64; 7]) -> () { } /// The function fiat_p434_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2806,6 +2816,7 @@ pub fn fiat_p434_from_montgomery(out1: &mut [u64; 7], arg1: &[u64; 7]) -> () { } /// The function fiat_p434_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3693,6 +3704,7 @@ pub fn fiat_p434_to_montgomery(out1: &mut [u64; 7], arg1: &[u64; 7]) -> () { } /// The function fiat_p434_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3709,6 +3721,7 @@ pub fn fiat_p434_nonzero(out1: &mut u64, arg1: &[u64; 7]) -> () { } /// The function fiat_p434_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -3744,6 +3757,7 @@ pub fn fiat_p434_selectznz(out1: &mut [u64; 7], arg1: fiat_p434_u1, arg2: &[u64; } /// The function fiat_p434_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3916,6 +3930,7 @@ pub fn fiat_p434_to_bytes(out1: &mut [u8; 55], arg1: &[u64; 7]) -> () { } /// The function fiat_p434_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -4041,6 +4056,7 @@ pub fn fiat_p434_from_bytes(out1: &mut [u64; 7], arg1: &[u8; 55]) -> () { } /// The function fiat_p434_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m 
@@ -4060,6 +4076,7 @@ pub fn fiat_p434_set_one(out1: &mut [u64; 7]) -> () { } /// The function fiat_p434_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -4080,6 +4097,7 @@ pub fn fiat_p434_msat(out1: &mut [u64; 8]) -> () { } /// The function fiat_p434_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -4470,6 +4488,7 @@ pub fn fiat_p434_divstep(out1: &mut u64, out2: &mut [u64; 8], out3: &mut [u64; 8 } /// The function fiat_p434_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -4487,4 +4506,3 @@ pub fn fiat_p434_divstep_precomp(out1: &mut [u64; 7]) -> () { out1[5] = 0x6e1ddae1d9609ae1; out1[6] = 0x6df82285eec6; } - diff --git a/fiat-rust/src/p448_solinas_32.rs b/fiat-rust/src/p448_solinas_32.rs index 8c8141b33eb..8019780f24e 100644 --- a/fiat-rust/src/p448_solinas_32.rs +++ b/fiat-rust/src/p448_solinas_32.rs 
@@ -7,10 +7,10 @@ //! tight_bounds_multiplier = 1 (from "") //! //! Computed values: -//! carry_chain = [7, 15, 8, 0, 9, 1, 10, 2, 11, 3, 12, 4, 13, 5, 14, 6, 15, 7, 8, 0] -//! eval z = z[0] + (z[1] << 28) + (z[2] << 56) + (z[3] << 84) + (z[4] << 112) + (z[5] << 140) + (z[6] << 168) + (z[7] << 196) + (z[8] << 224) + (z[9] << 252) + (z[10] << 0x118) + (z[11] << 0x134) + (z[12] << 0x150) + (z[13] << 0x16c) + (z[14] << 0x188) + (z[15] << 0x1a4) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) -//! balance = [0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffc, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe] +//! carry_chain = [7, 15, 8, 0, 9, 1, 10, 2, 11, 3, 12, 4, 13, 5, 14, 6, 15, 7, 8, 0] +//! 
eval z = z[0] + (z[1] << 28) + (z[2] << 56) + (z[3] << 84) + (z[4] << 112) + (z[5] << 140) + (z[6] << 168) + (z[7] << 196) + (z[8] << 224) + (z[9] << 252) + (z[10] << 0x118) + (z[11] << 0x134) + (z[12] << 0x150) + (z[13] << 0x16c) + (z[14] << 0x188) + (z[15] << 0x1a4) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) +//! balance = [0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffc, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe] #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -22,6 +22,7 @@ pub type fiat_p448_i2 = i8; /// The function fiat_p448_addcarryx_u28 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^28 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^28⌋ 
@@ -43,6 +44,7 @@ pub fn fiat_p448_addcarryx_u28(out1: &mut u32, out2: &mut fiat_p448_u1, arg1: fi } /// The function fiat_p448_subborrowx_u28 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^28 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^28⌋ @@ -64,6 +66,7 @@ pub fn fiat_p448_subborrowx_u28(out1: &mut u32, out2: &mut fiat_p448_u1, arg1: f } /// The function fiat_p448_cmovznz_u32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -82,6 +85,7 @@ pub fn fiat_p448_cmovznz_u32(out1: &mut u32, arg1: fiat_p448_u1, arg2: u32, arg3 } /// The function fiat_p448_carry_mul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -593,6 +597,7 @@ pub fn fiat_p448_carry_mul(out1: &mut [u32; 16], arg1: &[u32; 16], arg2: &[u32; } /// The function fiat_p448_carry_square squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -960,6 +965,7 @@ pub fn fiat_p448_carry_square(out1: &mut [u32; 16], arg1: &[u32; 16]) -> () { } /// The function fiat_p448_carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -1026,6 +1032,7 @@ pub fn fiat_p448_carry(out1: &mut [u32; 16], arg1: &[u32; 16]) -> () { } /// The function fiat_p448_add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -1071,6 +1078,7 @@ pub fn fiat_p448_add(out1: &mut [u32; 16], arg1: &[u32; 16], arg2: &[u32; 16]) - } /// The function fiat_p448_sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// 
@@ -1116,6 +1124,7 @@ pub fn fiat_p448_sub(out1: &mut [u32; 16], arg1: &[u32; 16], arg2: &[u32; 16]) - } /// The function fiat_p448_opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -1160,6 +1169,7 @@ pub fn fiat_p448_opp(out1: &mut [u32; 16], arg1: &[u32; 16]) -> () { } /// The function fiat_p448_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -1222,6 +1232,7 @@ pub fn fiat_p448_selectznz(out1: &mut [u32; 16], arg1: fiat_p448_u1, arg2: &[u32 } /// The function fiat_p448_to_bytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] /// @@ -1500,6 +1511,7 @@ pub fn fiat_p448_to_bytes(out1: &mut [u8; 56], arg1: &[u32; 16]) -> () { } /// The function fiat_p448_from_bytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -1646,4 +1658,3 @@ pub fn fiat_p448_from_bytes(out1: &mut [u32; 16], arg1: &[u8; 56]) -> () { out1[14] = x116; out1[15] = x120; } - diff --git a/fiat-rust/src/p448_solinas_64.rs b/fiat-rust/src/p448_solinas_64.rs index 45d09044a8a..c52d9406b89 100644 --- a/fiat-rust/src/p448_solinas_64.rs +++ b/fiat-rust/src/p448_solinas_64.rs 
@@ -7,10 +7,10 @@ //! tight_bounds_multiplier = 1 (from "") //! //! Computed values: -//! carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] -//! eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) -//! balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] +//! carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] +//! eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) +//! 
bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) +//! balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -22,6 +22,7 @@ pub type fiat_p448_i2 = i8; /// The function fiat_p448_addcarryx_u56 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^56 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^56⌋ @@ -43,6 +44,7 @@ pub fn fiat_p448_addcarryx_u56(out1: &mut u64, out2: &mut fiat_p448_u1, arg1: fi } /// The function fiat_p448_subborrowx_u56 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^56 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^56⌋ @@ -64,6 +66,7 @@ pub fn fiat_p448_subborrowx_u56(out1: &mut u64, out2: &mut fiat_p448_u1, arg1: f } /// The function fiat_p448_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// 
@@ -82,6 +85,7 @@ pub fn fiat_p448_cmovznz_u64(out1: &mut u64, arg1: fiat_p448_u1, arg2: u64, arg3 } /// The function fiat_p448_carry_mul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -247,6 +251,7 @@ pub fn fiat_p448_carry_mul(out1: &mut [u64; 8], arg1: &[u64; 8], arg2: &[u64; 8] } /// The function fiat_p448_carry_square squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -390,6 +395,7 @@ pub fn fiat_p448_carry_square(out1: &mut [u64; 8], arg1: &[u64; 8]) -> () { } /// The function fiat_p448_carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -432,6 +438,7 @@ pub fn fiat_p448_carry(out1: &mut [u64; 8], arg1: &[u64; 8]) -> () { } /// The function fiat_p448_add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -461,6 +468,7 @@ pub fn fiat_p448_add(out1: &mut [u64; 8], arg1: &[u64; 8], arg2: &[u64; 8]) -> ( } /// The function fiat_p448_sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -490,6 +498,7 @@ pub fn fiat_p448_sub(out1: &mut [u64; 8], arg1: &[u64; 8], arg2: &[u64; 8]) -> ( } /// The function fiat_p448_opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -518,6 +527,7 @@ pub fn fiat_p448_opp(out1: &mut [u64; 8], arg1: &[u64; 8]) -> () { } /// The function fiat_p448_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// 
@@ -556,6 +566,7 @@ pub fn fiat_p448_selectznz(out1: &mut [u64; 8], arg1: fiat_p448_u1, arg2: &[u64; } /// The function fiat_p448_to_bytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] /// @@ -770,6 +781,7 @@ pub fn fiat_p448_to_bytes(out1: &mut [u8; 56], arg1: &[u64; 8]) -> () { } /// The function fiat_p448_from_bytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -892,4 +904,3 @@ pub fn fiat_p448_from_bytes(out1: &mut [u64; 8], arg1: &[u8; 56]) -> () { out1[6] = x98; out1[7] = x104; } - diff --git a/fiat-rust/src/p521_64.rs b/fiat-rust/src/p521_64.rs index 22c04f71f01..d655f77b4f2 100644 --- a/fiat-rust/src/p521_64.rs +++ b/fiat-rust/src/p521_64.rs 
@@ -7,10 +7,10 @@ //! tight_bounds_multiplier = 1 (from "") //! //! Computed values: -//! carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] -//! eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) -//! balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] +//! carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] +//! eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) +//! 
bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) +//! balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -22,6 +22,7 @@ pub type fiat_p521_i2 = i8; /// The function fiat_p521_addcarryx_u58 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^58 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^58⌋ @@ -43,6 +44,7 @@ pub fn fiat_p521_addcarryx_u58(out1: &mut u64, out2: &mut fiat_p521_u1, arg1: fi } /// The function fiat_p521_subborrowx_u58 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^58 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^58⌋ 
@@ -64,6 +66,7 @@ pub fn fiat_p521_subborrowx_u58(out1: &mut u64, out2: &mut fiat_p521_u1, arg1: f } /// The function fiat_p521_addcarryx_u57 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^57 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^57⌋ @@ -85,6 +88,7 @@ pub fn fiat_p521_addcarryx_u57(out1: &mut u64, out2: &mut fiat_p521_u1, arg1: fi } /// The function fiat_p521_subborrowx_u57 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^57 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^57⌋ @@ -106,6 +110,7 @@ pub fn fiat_p521_subborrowx_u57(out1: &mut u64, out2: &mut fiat_p521_u1, arg1: f } /// The function fiat_p521_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -124,6 +129,7 @@ pub fn fiat_p521_cmovznz_u64(out1: &mut u64, arg1: fiat_p521_u1, arg2: u64, arg3 } /// The function fiat_p521_carry_mul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -269,6 +275,7 @@ pub fn fiat_p521_carry_mul(out1: &mut [u64; 9], arg1: &[u64; 9], arg2: &[u64; 9] } /// The function fiat_p521_carry_square squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -393,6 +400,7 @@ pub fn fiat_p521_carry_square(out1: &mut [u64; 9], arg1: &[u64; 9]) -> () { } /// The function fiat_p521_carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -434,6 +442,7 @@ pub fn fiat_p521_carry(out1: &mut [u64; 9], arg1: &[u64; 9]) -> () { } /// The function fiat_p521_add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// 
@@ -465,6 +474,7 @@ pub fn fiat_p521_add(out1: &mut [u64; 9], arg1: &[u64; 9], arg2: &[u64; 9]) -> ( } /// The function fiat_p521_sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -496,6 +506,7 @@ pub fn fiat_p521_sub(out1: &mut [u64; 9], arg1: &[u64; 9], arg2: &[u64; 9]) -> ( } /// The function fiat_p521_opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -526,6 +537,7 @@ pub fn fiat_p521_opp(out1: &mut [u64; 9], arg1: &[u64; 9]) -> () { } /// The function fiat_p521_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -567,6 +579,7 @@ pub fn fiat_p521_selectznz(out1: &mut [u64; 9], arg1: fiat_p521_u1, arg2: &[u64; } /// The function fiat_p521_to_bytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] /// @@ -839,6 +852,7 @@ pub fn fiat_p521_to_bytes(out1: &mut [u8; 66], arg1: &[u64; 9]) -> () { } /// The function fiat_p521_from_bytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -999,4 +1013,3 @@ pub fn fiat_p521_from_bytes(out1: &mut [u64; 9], arg1: &[u8; 66]) -> () { out1[7] = x134; out1[8] = x141; } - diff --git a/fiat-rust/src/poly1305_32.rs b/fiat-rust/src/poly1305_32.rs index 417eaa7d363..4388b75dd6a 100644 --- a/fiat-rust/src/poly1305_32.rs +++ b/fiat-rust/src/poly1305_32.rs 
@@ -7,10 +7,10 @@ //! tight_bounds_multiplier = 1 (from "") //! //! Computed values: -//! carry_chain = [0, 1, 2, 3, 4, 0, 1] -//! eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) -//! balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] +//! carry_chain = [0, 1, 2, 3, 4, 0, 1] +//! eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) +//! balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -22,6 +22,7 @@ pub type fiat_poly1305_i2 = i8; /// The function fiat_poly1305_addcarryx_u26 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^26 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ @@ -43,6 +44,7 @@ pub fn fiat_poly1305_addcarryx_u26(out1: &mut u32, out2: &mut fiat_poly1305_u1, } /// The function fiat_poly1305_subborrowx_u26 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^26 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -64,6 +66,7 @@ pub fn fiat_poly1305_subborrowx_u26(out1: &mut u32, out2: &mut fiat_poly1305_u1, } /// The function fiat_poly1305_cmovznz_u32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// 
@@ -82,6 +85,7 @@ pub fn fiat_poly1305_cmovznz_u32(out1: &mut u32, arg1: fiat_poly1305_u1, arg2: u } /// The function fiat_poly1305_carry_mul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -152,6 +156,7 @@ pub fn fiat_poly1305_carry_mul(out1: &mut [u32; 5], arg1: &[u32; 5], arg2: &[u32 } /// The function fiat_poly1305_carry_square squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -219,6 +224,7 @@ pub fn fiat_poly1305_carry_square(out1: &mut [u32; 5], arg1: &[u32; 5]) -> () { } /// The function fiat_poly1305_carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -248,6 +254,7 @@ pub fn fiat_poly1305_carry(out1: &mut [u32; 5], arg1: &[u32; 5]) -> () { } /// The function fiat_poly1305_add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -271,6 +278,7 @@ pub fn fiat_poly1305_add(out1: &mut [u32; 5], arg1: &[u32; 5], arg2: &[u32; 5]) } /// The function fiat_poly1305_sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -294,6 +302,7 @@ pub fn fiat_poly1305_sub(out1: &mut [u32; 5], arg1: &[u32; 5], arg2: &[u32; 5]) } /// The function fiat_poly1305_opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -316,6 +325,7 @@ pub fn fiat_poly1305_opp(out1: &mut [u32; 5], arg1: &[u32; 5]) -> () { } /// The function fiat_poly1305_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// 
@@ -345,6 +355,7 @@ pub fn fiat_poly1305_selectznz(out1: &mut [u32; 5], arg1: fiat_poly1305_u1, arg2 } /// The function fiat_poly1305_to_bytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] /// @@ -442,6 +453,7 @@ pub fn fiat_poly1305_to_bytes(out1: &mut [u8; 17], arg1: &[u32; 5]) -> () { } /// The function fiat_poly1305_from_bytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -495,4 +507,3 @@ pub fn fiat_poly1305_from_bytes(out1: &mut [u32; 5], arg1: &[u8; 17]) -> () { out1[3] = x35; out1[4] = x38; } - diff --git a/fiat-rust/src/poly1305_64.rs b/fiat-rust/src/poly1305_64.rs index 54c96de8cde..5d1b040d336 100644 --- a/fiat-rust/src/poly1305_64.rs +++ b/fiat-rust/src/poly1305_64.rs @@ -7,10 +7,10 @@ //! tight_bounds_multiplier = 1 (from "") //! //! Computed values: -//! carry_chain = [0, 1, 2, 0, 1] -//! eval z = z[0] + (z[1] << 44) + (z[2] << 87) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) -//! balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] +//! carry_chain = [0, 1, 2, 0, 1] +//! eval z = z[0] + (z[1] << 44) + (z[2] << 87) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) +//! balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] #![allow(unused_parens)] #[allow(non_camel_case_types)] 
@@ -22,6 +22,7 @@ pub type fiat_poly1305_i2 = i8; /// The function fiat_poly1305_addcarryx_u44 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^44 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^44⌋ @@ -43,6 +44,7 @@ pub fn fiat_poly1305_addcarryx_u44(out1: &mut u64, out2: &mut fiat_poly1305_u1, } /// The function fiat_poly1305_subborrowx_u44 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^44 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^44⌋ @@ -64,6 +66,7 @@ pub fn fiat_poly1305_subborrowx_u44(out1: &mut u64, out2: &mut fiat_poly1305_u1, } /// The function fiat_poly1305_addcarryx_u43 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^43 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^43⌋ @@ -85,6 +88,7 @@ pub fn fiat_poly1305_addcarryx_u43(out1: &mut u64, out2: &mut fiat_poly1305_u1, } /// The function fiat_poly1305_subborrowx_u43 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^43 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^43⌋ @@ -106,6 +110,7 @@ pub fn fiat_poly1305_subborrowx_u43(out1: &mut u64, out2: &mut fiat_poly1305_u1, } /// The function fiat_poly1305_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -124,6 +129,7 @@ pub fn fiat_poly1305_cmovznz_u64(out1: &mut u64, arg1: fiat_poly1305_u1, arg2: u } /// The function fiat_poly1305_carry_mul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -168,6 +174,7 @@ pub fn fiat_poly1305_carry_mul(out1: &mut [u64; 3], arg1: &[u64; 3], arg2: &[u64 } /// The function fiat_poly1305_carry_square squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// 
@@ -212,6 +219,7 @@ pub fn fiat_poly1305_carry_square(out1: &mut [u64; 3], arg1: &[u64; 3]) -> () { } /// The function fiat_poly1305_carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -235,6 +243,7 @@ pub fn fiat_poly1305_carry(out1: &mut [u64; 3], arg1: &[u64; 3]) -> () { } /// The function fiat_poly1305_add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -254,6 +263,7 @@ pub fn fiat_poly1305_add(out1: &mut [u64; 3], arg1: &[u64; 3], arg2: &[u64; 3]) } /// The function fiat_poly1305_sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -273,6 +283,7 @@ pub fn fiat_poly1305_sub(out1: &mut [u64; 3], arg1: &[u64; 3], arg2: &[u64; 3]) } /// The function fiat_poly1305_opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -291,6 +302,7 @@ pub fn fiat_poly1305_opp(out1: &mut [u64; 3], arg1: &[u64; 3]) -> () { } /// The function fiat_poly1305_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -314,6 +326,7 @@ pub fn fiat_poly1305_selectznz(out1: &mut [u64; 3], arg1: fiat_poly1305_u1, arg2 } /// The function fiat_poly1305_to_bytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] /// @@ -399,6 +412,7 @@ pub fn fiat_poly1305_to_bytes(out1: &mut [u8; 17], arg1: &[u64; 3]) -> () { } /// The function fiat_poly1305_from_bytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -449,4 +463,3 @@ pub fn fiat_poly1305_from_bytes(out1: &mut [u64; 3], arg1: &[u8; 17]) -> () { out1[1] = x30; out1[2] = x37; } - 
diff --git a/fiat-rust/src/secp256k1_32.rs b/fiat-rust/src/secp256k1_32.rs index 7937ffa3802..02fcd52fd40 100644 --- a/fiat-rust/src/secp256k1_32.rs +++ b/fiat-rust/src/secp256k1_32.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in -//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +//! eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in +//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 #![allow(unused_parens)] #[allow(non_camel_case_types)] 
@@ -27,6 +27,7 @@ pub type fiat_secp256k1_i2 = i8; /// The function fiat_secp256k1_addcarryx_u32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -48,6 +49,7 @@ pub fn fiat_secp256k1_addcarryx_u32(out1: &mut u32, out2: &mut fiat_secp256k1_u1 } /// The function fiat_secp256k1_subborrowx_u32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -69,6 +71,7 @@ pub fn fiat_secp256k1_subborrowx_u32(out1: &mut u32, out2: &mut fiat_secp256k1_u } /// The function fiat_secp256k1_mulx_u32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -89,6 +92,7 @@ pub fn fiat_secp256k1_mulx_u32(out1: &mut u32, out2: &mut u32, arg1: u32, arg2: } /// The function fiat_secp256k1_cmovznz_u32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_secp256k1_cmovznz_u32(out1: &mut u32, arg1: fiat_secp256k1_u1, arg2: } /// The function fiat_secp256k1_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1355,6 +1360,7 @@ pub fn fiat_secp256k1_mul(out1: &mut [u32; 8], arg1: &[u32; 8], arg2: &[u32; 8]) } /// The function fiat_secp256k1_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2601,6 +2607,7 @@ pub fn fiat_secp256k1_square(out1: &mut [u32; 8], arg1: &[u32; 8]) -> () { } /// The function fiat_secp256k1_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -2693,6 +2700,7 @@ pub fn fiat_secp256k1_add(out1: &mut [u32; 8], arg1: &[u32; 8], arg2: &[u32; 8]) } /// The function fiat_secp256k1_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2768,6 +2776,7 @@ pub fn fiat_secp256k1_sub(out1: &mut [u32; 8], arg1: &[u32; 8], arg2: &[u32; 8]) } /// The function fiat_secp256k1_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2841,6 +2850,7 @@ pub fn fiat_secp256k1_opp(out1: &mut [u32; 8], arg1: &[u32; 8]) -> () { } /// The function fiat_secp256k1_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3676,6 +3686,7 @@ pub fn fiat_secp256k1_from_montgomery(out1: &mut [u32; 8], arg1: &[u32; 8]) -> ( } /// The function fiat_secp256k1_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -4614,6 +4625,7 @@ pub fn fiat_secp256k1_to_montgomery(out1: &mut [u32; 8], arg1: &[u32; 8]) -> () } /// The function fiat_secp256k1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -4630,6 +4642,7 @@ pub fn fiat_secp256k1_nonzero(out1: &mut u32, arg1: &[u32; 8]) -> () { } /// The function fiat_secp256k1_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -4668,6 +4681,7 @@ pub fn fiat_secp256k1_selectznz(out1: &mut [u32; 8], arg1: fiat_secp256k1_u1, ar } /// The function fiat_secp256k1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -4770,6 +4784,7 @@ pub fn fiat_secp256k1_to_bytes(out1: &mut [u8; 32], arg1: &[u32; 8]) -> () { } /// The function fiat_secp256k1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -4849,6 +4864,7 @@ pub fn fiat_secp256k1_from_bytes(out1: &mut [u32; 8], arg1: &[u8; 32]) -> () { } /// The function fiat_secp256k1_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -4869,6 +4885,7 @@ pub fn fiat_secp256k1_set_one(out1: &mut [u32; 8]) -> () { } /// The function fiat_secp256k1_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -4890,6 +4907,7 @@ pub fn fiat_secp256k1_msat(out1: &mut [u32; 9]) -> () { } /// The function fiat_secp256k1_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -5326,6 +5344,7 @@ pub fn fiat_secp256k1_divstep(out1: &mut u32, out2: &mut [u32; 9], out3: &mut [u } /// The function fiat_secp256k1_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -5344,4 +5363,3 @@ pub fn fiat_secp256k1_divstep_precomp(out1: &mut [u32; 8]) -> () { out1[6] = 0x4b03709; out1[7] = 0x24fb8a31; } - diff --git a/fiat-rust/src/secp256k1_64.rs b/fiat-rust/src/secp256k1_64.rs index 55042903c1f..f2f97b15c3c 100644 --- a/fiat-rust/src/secp256k1_64.rs +++ b/fiat-rust/src/secp256k1_64.rs 
@@ -12,10 +12,10 @@ //! return values. //! //! Computed values: -//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 #![allow(unused_parens)] #[allow(non_camel_case_types)] @@ -27,6 +27,7 @@ pub type fiat_secp256k1_i2 = i8; /// The function fiat_secp256k1_addcarryx_u64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -48,6 +49,7 @@ pub fn fiat_secp256k1_addcarryx_u64(out1: &mut u64, out2: &mut fiat_secp256k1_u1 } /// The function fiat_secp256k1_subborrowx_u64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -69,6 +71,7 @@ pub fn fiat_secp256k1_subborrowx_u64(out1: &mut u64, out2: &mut fiat_secp256k1_u } /// The function fiat_secp256k1_mulx_u64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -89,6 +92,7 @@ pub fn fiat_secp256k1_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u64, arg2: } /// The function fiat_secp256k1_cmovznz_u64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +111,7 @@ pub fn fiat_secp256k1_cmovznz_u64(out1: &mut u64, arg1: fiat_secp256k1_u1, arg2: } /// The function fiat_secp256k1_mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -451,6 +456,7 @@ pub fn fiat_secp256k1_mul(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) } /// The function fiat_secp256k1_square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -793,6 +799,7 @@ pub fn fiat_secp256k1_square(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_secp256k1_add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -849,6 +856,7 @@ pub fn fiat_secp256k1_add(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) } /// The function fiat_secp256k1_sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -896,6 +904,7 @@ pub fn fiat_secp256k1_sub(out1: &mut [u64; 4], arg1: &[u64; 4], arg2: &[u64; 4]) } /// The function fiat_secp256k1_opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -941,6 +950,7 @@ pub fn fiat_secp256k1_opp(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () { } /// The function fiat_secp256k1_from_montgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1176,6 +1186,7 @@ pub fn fiat_secp256k1_from_montgomery(out1: &mut [u64; 4], arg1: &[u64; 4]) -> ( } /// The function fiat_secp256k1_to_montgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1438,6 +1449,7 @@ pub fn fiat_secp256k1_to_montgomery(out1: &mut [u64; 4], arg1: &[u64; 4]) -> () } /// The function fiat_secp256k1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1454,6 +1466,7 @@ pub fn fiat_secp256k1_nonzero(out1: &mut u64, arg1: &[u64; 4]) -> () { } /// The function fiat_secp256k1_selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -1480,6 +1493,7 @@ pub fn fiat_secp256k1_selectznz(out1: &mut [u64; 4], arg1: fiat_secp256k1_u1, ar } /// The function fiat_secp256k1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1586,6 +1600,7 @@ pub fn fiat_secp256k1_to_bytes(out1: &mut [u8; 32], arg1: &[u64; 4]) -> () { } /// The function fiat_secp256k1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: 
@@ -1665,6 +1680,7 @@ pub fn fiat_secp256k1_from_bytes(out1: &mut [u64; 4], arg1: &[u8; 32]) -> () { } /// The function fiat_secp256k1_set_one returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -1681,6 +1697,7 @@ pub fn fiat_secp256k1_set_one(out1: &mut [u64; 4]) -> () { } /// The function fiat_secp256k1_msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -1698,6 +1715,7 @@ pub fn fiat_secp256k1_msat(out1: &mut [u64; 5]) -> () { } /// The function fiat_secp256k1_divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -1950,6 +1968,7 @@ pub fn fiat_secp256k1_divstep(out1: &mut u64, out2: &mut [u64; 5], out3: &mut [u } /// The function fiat_secp256k1_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -1964,4 +1983,3 @@ pub fn fiat_secp256k1_divstep_precomp(out1: &mut [u64; 4]) -> () { out1[2] = 0xe86029463db210a9; out1[3] = 0x24fb8a3104b03709; } - diff --git a/fiat-zig/src/curve25519_32.zig b/fiat-zig/src/curve25519_32.zig index 994808ed441..514c1cc8f5f 100644 --- a/fiat-zig/src/curve25519_32.zig +++ b/fiat-zig/src/curve25519_32.zig 
@@ -7,17 +7,17 @@ // tight_bounds_multiplier = 1 (from "") // // Computed values: -// carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] -// eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] +// carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] +// eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function 
addcarryxU26 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^26 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ @@ -40,6 +40,7 @@ fn addcarryxU26(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU26 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^26 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -62,6 +63,7 @@ fn subborrowxU26(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function addcarryxU25 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^25 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋ @@ -84,6 +86,7 @@ fn addcarryxU25(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU25 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^25 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋ @@ -106,6 +109,7 @@ fn subborrowxU25(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function cmovznzU32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -125,6 +129,7 @@ fn cmovznzU32(out1: *u32, arg1: u1, arg2: u32, arg3: u32) callconv(.Inline) void } /// The function carryMul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -296,6 +301,7 @@ pub fn carryMul(out1: *[10]u32, arg1: [10]u32, arg2: [10]u32) void { } /// The function carrySquare squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -439,6 +445,7 @@ pub fn carrySquare(out1: *[10]u32, arg1: [10]u32) void { } /// The function carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// 
@@ -484,6 +491,7 @@ pub fn carry(out1: *[10]u32, arg1: [10]u32) void { } /// The function add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -518,6 +526,7 @@ pub fn add(out1: *[10]u32, arg1: [10]u32, arg2: [10]u32) void { } /// The function sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -552,6 +561,7 @@ pub fn sub(out1: *[10]u32, arg1: [10]u32, arg2: [10]u32) void { } /// The function opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -585,6 +595,7 @@ pub fn opp(out1: *[10]u32, arg1: [10]u32) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -630,6 +641,7 @@ pub fn selectznz(out1: *[10]u32, arg1: u1, arg2: [10]u32, arg3: [10]u32) void { } /// The function toBytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] /// @@ -813,6 +825,7 @@ pub fn toBytes(out1: *[32]u8, arg1: [10]u32) void { } /// The function fromBytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -914,6 +927,7 @@ pub fn fromBytes(out1: *[10]u32, arg1: [32]u8) void { } /// The function carryScmul121666 multiplies a field element by 121666 and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (121666 * eval arg1) mod m /// @@ -982,4 +996,3 @@ pub fn carryScmul121666(out1: *[10]u32, arg1: [10]u32) void { out1[8] = x36; out1[9] = x39; } - diff --git a/fiat-zig/src/curve25519_64.zig b/fiat-zig/src/curve25519_64.zig index 45dcf6a2f8e..48bb4a6fe70 100644 --- a/fiat-zig/src/curve25519_64.zig +++ b/fiat-zig/src/curve25519_64.zig 
@@ -7,17 +7,17 @@ // tight_bounds_multiplier = 1 (from "") // // Computed values: -// carry_chain = [0, 1, 2, 3, 4, 0, 1] -// eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] +// carry_chain = [0, 1, 2, 3, 4, 0, 1] +// eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU51 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^51 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ 
@@ -40,6 +40,7 @@ fn addcarryxU51(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU51 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^51 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ @@ -62,6 +63,7 @@ fn subborrowxU51(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -81,6 +83,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function carryMul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -152,6 +155,7 @@ pub fn carryMul(out1: *[5]u64, arg1: [5]u64, arg2: [5]u64) void { } /// The function carrySquare squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -220,6 +224,7 @@ pub fn carrySquare(out1: *[5]u64, arg1: [5]u64) void { } /// The function carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -250,6 +255,7 @@ pub fn carry(out1: *[5]u64, arg1: [5]u64) void { } /// The function add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -274,6 +280,7 @@ pub fn add(out1: *[5]u64, arg1: [5]u64, arg2: [5]u64) void { } /// The function sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -298,6 +305,7 @@ pub fn sub(out1: *[5]u64, arg1: [5]u64, arg2: [5]u64) void { } /// The function opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// 
@@ -321,6 +329,7 @@ pub fn opp(out1: *[5]u64, arg1: [5]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -351,6 +360,7 @@ pub fn selectznz(out1: *[5]u64, arg1: u1, arg2: [5]u64, arg3: [5]u64) void { } /// The function toBytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] /// @@ -498,6 +508,7 @@ pub fn toBytes(out1: *[32]u8, arg1: [5]u64) void { } /// The function fromBytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -587,6 +598,7 @@ pub fn fromBytes(out1: *[5]u64, arg1: [32]u8) void { } /// The function carryScmul121666 multiplies a field element by 121666 and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (121666 * eval arg1) mod m /// @@ -630,4 +642,3 @@ pub fn carryScmul121666(out1: *[5]u64, arg1: [5]u64) void { out1[3] = x16; out1[4] = x19; } - diff --git a/fiat-zig/src/p224_32.zig b/fiat-zig/src/p224_32.zig index 7326e16a4b0..6c055e7cda3 100644 --- a/fiat-zig/src/p224_32.zig +++ b/fiat-zig/src/p224_32.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in -// if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) in +// if x1 & (2^224-1) < 2^223 then x1 & (2^224-1) else (x1 & (2^224-1)) - 2^224 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ 
@@ -45,6 +45,7 @@ fn addcarryxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -67,6 +68,7 @@ fn subborrowxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function mulxU32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -88,6 +90,7 @@ fn mulxU32(out1: *u32, out2: *u32, arg1: u32, arg2: u32) callconv(.Inline) void } /// The function cmovznzU32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +110,7 @@ fn cmovznzU32(out1: *u32, arg1: u1, arg2: u32, arg3: u32) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -950,6 +954,7 @@ pub fn mul(out1: *[7]u32, arg1: [7]u32, arg2: [7]u32) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1791,6 +1796,7 @@ pub fn square(out1: *[7]u32, arg1: [7]u32) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1875,6 +1881,7 @@ pub fn add(out1: *[7]u32, arg1: [7]u32, arg2: [7]u32) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1944,6 +1951,7 @@ pub fn sub(out1: *[7]u32, arg1: [7]u32, arg2: [7]u32) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -2011,6 +2019,7 @@ pub fn opp(out1: *[7]u32, arg1: [7]u32) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2490,6 +2499,7 @@ pub fn fromMontgomery(out1: *[7]u32, arg1: [7]u32) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3107,6 +3117,7 @@ pub fn toMontgomery(out1: *[7]u32, arg1: [7]u32) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3124,6 +3135,7 @@ pub fn nonzero(out1: *u32, arg1: [7]u32) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -3160,6 +3172,7 @@ pub fn selectznz(out1: *[7]u32, arg1: u1, arg2: [7]u32, arg3: [7]u32) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3252,6 +3265,7 @@ pub fn toBytes(out1: *[28]u8, arg1: [7]u32) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -3324,6 +3338,7 @@ pub fn fromBytes(out1: *[7]u32, arg1: [28]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -3344,6 +3359,7 @@ pub fn setOne(out1: *[7]u32) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m 
@@ -3365,6 +3381,7 @@ pub fn msat(out1: *[8]u32) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -3756,6 +3773,7 @@ pub fn divstep(out1: *u32, out2: *[8]u32, out3: *[8]u32, out4: *[7]u32, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -3774,4 +3792,3 @@ pub fn divstepPrecomp(out1: *[7]u32) void { out1[5] = 0xff800000; out1[6] = 0x17fffff; } - diff --git a/fiat-zig/src/p224_64.zig b/fiat-zig/src/p224_64.zig index f19d2b6e19b..9fb4e67b19e 100644 --- a/fiat-zig/src/p224_64.zig +++ b/fiat-zig/src/p224_64.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -45,6 +45,7 @@ fn addcarryxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -67,6 +68,7 @@ fn subborrowxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function mulxU64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -88,6 +90,7 @@ fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) callconv(.Inline) void } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +110,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -428,6 +432,7 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -747,6 +752,7 @@ pub fn square(out1: *[4]u64, arg1: [4]u64) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -804,6 +810,7 @@ pub fn add(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -852,6 +859,7 @@ pub fn sub(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -898,6 +906,7 @@ pub fn opp(out1: *[4]u64, arg1: [4]u64) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1090,6 +1099,7 @@ pub fn fromMontgomery(out1: *[4]u64, arg1: [4]u64) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1378,6 +1388,7 @@ pub fn toMontgomery(out1: *[4]u64, arg1: [4]u64) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1395,6 +1406,7 @@ pub fn nonzero(out1: *u64, arg1: [4]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -1422,6 +1434,7 @@ pub fn selectznz(out1: *[4]u64, arg1: u1, arg2: [4]u64, arg3: [4]u64) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1517,6 +1530,7 @@ pub fn toBytes(out1: *[28]u8, arg1: [4]u64) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -1589,6 +1603,7 @@ pub fn fromBytes(out1: *[4]u64, arg1: [28]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -1606,6 +1621,7 @@ pub fn setOne(out1: *[4]u64) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m 
@@ -1624,6 +1640,7 @@ pub fn msat(out1: *[5]u64) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -1877,6 +1894,7 @@ pub fn divstep(out1: *u64, out2: *[5]u64, out3: *[5]u64, out4: *[4]u64, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -1892,4 +1910,3 @@ pub fn divstepPrecomp(out1: *[4]u64) void { out1[2] = 0xffffff; out1[3] = 0xff800000; } - diff --git a/fiat-zig/src/p256_32.zig b/fiat-zig/src/p256_32.zig index 8f7314b29cd..f96fb1c0715 100644 --- a/fiat-zig/src/p256_32.zig +++ b/fiat-zig/src/p256_32.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side 
channels - /// The function addcarryxU32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -45,6 +45,7 @@ fn addcarryxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -67,6 +68,7 @@ fn subborrowxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function mulxU32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -88,6 +90,7 @@ fn mulxU32(out1: *u32, out2: *u32, arg1: u32, arg2: u32) callconv(.Inline) void } /// The function cmovznzU32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +110,7 @@ fn cmovznzU32(out1: *u32, arg1: u1, arg2: u32, arg3: u32) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1116,6 +1120,7 @@ pub fn mul(out1: *[8]u32, arg1: [8]u32, arg2: [8]u32) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2123,6 +2128,7 @@ pub fn square(out1: *[8]u32, arg1: [8]u32) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2216,6 +2222,7 @@ pub fn add(out1: *[8]u32, arg1: [8]u32, arg2: [8]u32) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -2292,6 +2299,7 @@ pub fn sub(out1: *[8]u32, arg1: [8]u32, arg2: [8]u32) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2366,6 +2374,7 @@ pub fn opp(out1: *[8]u32, arg1: [8]u32) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2905,6 +2914,7 @@ pub fn fromMontgomery(out1: *[8]u32, arg1: [8]u32) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3796,6 +3806,7 @@ pub fn toMontgomery(out1: *[8]u32, arg1: [8]u32) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3813,6 +3824,7 @@ pub fn nonzero(out1: *u32, arg1: [8]u32) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -3852,6 +3864,7 @@ pub fn selectznz(out1: *[8]u32, arg1: u1, arg2: [8]u32, arg3: [8]u32) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3955,6 +3968,7 @@ pub fn toBytes(out1: *[32]u8, arg1: [8]u32) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -4035,6 +4049,7 @@ pub fn fromBytes(out1: *[8]u32, arg1: [32]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m 
@@ -4056,6 +4071,7 @@ pub fn setOne(out1: *[8]u32) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -4078,6 +4094,7 @@ pub fn msat(out1: *[9]u32) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -4515,6 +4532,7 @@ pub fn divstep(out1: *u32, out2: *[9]u32, out3: *[9]u32, out4: *[8]u32, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -4534,4 +4552,3 @@ pub fn divstepPrecomp(out1: *[8]u32) void { out1[6] = 0xffffffff; out1[7] = 0x2fffffff; } - diff --git a/fiat-zig/src/p256_64.zig b/fiat-zig/src/p256_64.zig index a3e05bb5965..96ae1ebdd4e 100644 --- a/fiat-zig/src/p256_64.zig +++ b/fiat-zig/src/p256_64.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -45,6 +45,7 @@ fn addcarryxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -67,6 +68,7 @@ fn subborrowxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function mulxU64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -88,6 +90,7 @@ fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) callconv(.Inline) void } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +110,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -404,6 +408,7 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -699,6 +704,7 @@ pub fn square(out1: *[4]u64, arg1: [4]u64) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -756,6 +762,7 @@ pub fn add(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -804,6 +811,7 @@ pub fn sub(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -850,6 +858,7 @@ pub fn opp(out1: *[4]u64, arg1: [4]u64) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1006,6 +1015,7 @@ pub fn fromMontgomery(out1: *[4]u64, arg1: [4]u64) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1281,6 +1291,7 @@ pub fn toMontgomery(out1: *[4]u64, arg1: [4]u64) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1298,6 +1309,7 @@ pub fn nonzero(out1: *u64, arg1: [4]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -1325,6 +1337,7 @@ pub fn selectznz(out1: *[4]u64, arg1: u1, arg2: [4]u64, arg3: [4]u64) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1432,6 +1445,7 @@ pub fn toBytes(out1: *[32]u8, arg1: [4]u64) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -1512,6 +1526,7 @@ pub fn fromBytes(out1: *[4]u64, arg1: [32]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -1529,6 +1544,7 @@ pub fn setOne(out1: *[4]u64) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m 
@@ -1547,6 +1563,7 @@ pub fn msat(out1: *[5]u64) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -1800,6 +1817,7 @@ pub fn divstep(out1: *u64, out2: *[5]u64, out3: *[5]u64, out4: *[4]u64, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -1815,4 +1833,3 @@ pub fn divstepPrecomp(out1: *[4]u64) void { out1[2] = 0xd80000007fffffff; out1[3] = 0x2fffffffffffffff; } - diff --git a/fiat-zig/src/p384_32.zig b/fiat-zig/src/p384_32.zig index d48e3bd641c..c85d7df5dc5 100644 --- a/fiat-zig/src/p384_32.zig +++ b/fiat-zig/src/p384_32.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in -// if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] 
<< 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in +// if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -45,6 +45,7 @@ fn addcarryxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -67,6 +68,7 @@ fn subborrowxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function mulxU32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -88,6 +90,7 @@ fn mulxU32(out1: *u32, out2: *u32, arg1: u32, arg2: u32) callconv(.Inline) void } /// The function cmovznzU32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// 
@@ -107,6 +110,7 @@ fn cmovznzU32(out1: *u32, arg1: u1, arg2: u32, arg3: u32) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2620,6 +2624,7 @@ pub fn mul(out1: *[12]u32, arg1: [12]u32, arg2: [12]u32) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -5131,6 +5136,7 @@ pub fn square(out1: *[12]u32, arg1: [12]u32) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -5260,6 +5266,7 @@ pub fn add(out1: *[12]u32, arg1: [12]u32, arg2: [12]u32) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -5364,6 +5371,7 @@ pub fn sub(out1: *[12]u32, arg1: [12]u32, arg2: [12]u32) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -5466,6 +5474,7 @@ pub fn opp(out1: *[12]u32, arg1: [12]u32) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -7001,6 +7010,7 @@ pub fn fromMontgomery(out1: *[12]u32, arg1: [12]u32) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -8793,6 +8803,7 @@ pub fn toMontgomery(out1: *[12]u32, arg1: [12]u32) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -8810,6 +8821,7 @@ pub fn nonzero(out1: *u32, arg1: [12]u32) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -8861,6 +8873,7 @@ pub fn selectznz(out1: *[12]u32, arg1: u1, arg2: [12]u32, arg3: [12]u32) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -9008,6 +9021,7 @@ pub fn toBytes(out1: *[48]u8, arg1: [12]u32) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -9120,6 +9134,7 @@ pub fn fromBytes(out1: *[12]u32, arg1: [48]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -9145,6 +9160,7 @@ pub fn setOne(out1: *[12]u32) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -9171,6 +9187,7 @@ pub fn msat(out1: *[13]u32) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -9792,6 +9809,7 @@ pub fn divstep(out1: *u32, out2: *[13]u32, out3: *[13]u32, out4: *[12]u32, out5: } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -9815,4 +9833,3 @@ pub fn divstepPrecomp(out1: *[12]u32) void { out1[10] = 0x38000; out1[11] = 0xfffc4800; } - 
diff --git a/fiat-zig/src/p384_64.zig b/fiat-zig/src/p384_64.zig index 7d4e9736be6..4e27ba24325 100644 --- a/fiat-zig/src/p384_64.zig +++ b/fiat-zig/src/p384_64.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in -// if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + 
(z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in +// if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -45,6 +45,7 @@ fn addcarryxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -67,6 +68,7 @@ fn subborrowxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function mulxU64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -88,6 +90,7 @@ fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) callconv(.Inline) void } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +110,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -832,6 +836,7 @@ pub fn mul(out1: *[6]u64, arg1: [6]u64, arg2: [6]u64) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -1555,6 +1560,7 @@ pub fn square(out1: *[6]u64, arg1: [6]u64) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1630,6 +1636,7 @@ pub fn add(out1: *[6]u64, arg1: [6]u64, arg2: [6]u64) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1692,6 +1699,7 @@ pub fn sub(out1: *[6]u64, arg1: [6]u64, arg2: [6]u64) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1752,6 +1760,7 @@ pub fn opp(out1: *[6]u64, arg1: [6]u64) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2240,6 +2249,7 @@ pub fn fromMontgomery(out1: *[6]u64, arg1: [6]u64) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2877,6 +2887,7 @@ pub fn toMontgomery(out1: *[6]u64, arg1: [6]u64) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2894,6 +2905,7 @@ pub fn nonzero(out1: *u64, arg1: [6]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -2927,6 +2939,7 @@ pub fn selectznz(out1: *[6]u64, arg1: u1, arg2: [6]u64, arg3: [6]u64) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -3080,6 +3093,7 @@ pub fn toBytes(out1: *[48]u8, arg1: [6]u64) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -3192,6 +3206,7 @@ pub fn fromBytes(out1: *[6]u64, arg1: [48]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -3211,6 +3226,7 @@ pub fn setOne(out1: *[6]u64) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -3231,6 +3247,7 @@ pub fn msat(out1: *[7]u64) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -3576,6 +3593,7 @@ pub fn divstep(out1: *u64, out2: *[7]u64, out3: *[7]u64, out4: *[6]u64, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -3593,4 +3611,3 @@ pub fn divstepPrecomp(out1: *[6]u64) void { out1[4] = 0x6040000050400; out1[5] = 0xfffc480000038000; } - diff --git a/fiat-zig/src/p434_64.zig b/fiat-zig/src/p434_64.zig index d8888225757..fca2d40be7e 100644 --- a/fiat-zig/src/p434_64.zig +++ b/fiat-zig/src/p434_64.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in -// if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + 
(z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) in +// if x1 & (2^448-1) < 2^447 then x1 & (2^448-1) else (x1 & (2^448-1)) - 2^448 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -45,6 +45,7 @@ fn addcarryxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -67,6 +68,7 @@ fn subborrowxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function mulxU64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -88,6 +90,7 @@ fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) callconv(.Inline) void } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// 
@@ -107,6 +110,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1055,6 +1059,7 @@ pub fn mul(out1: *[7]u64, arg1: [7]u64, arg2: [7]u64) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2001,6 +2006,7 @@ pub fn square(out1: *[7]u64, arg1: [7]u64) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2085,6 +2091,7 @@ pub fn add(out1: *[7]u64, arg1: [7]u64, arg2: [7]u64) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2154,6 +2161,7 @@ pub fn sub(out1: *[7]u64, arg1: [7]u64, arg2: [7]u64) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2221,6 +2229,7 @@ pub fn opp(out1: *[7]u64, arg1: [7]u64) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2812,6 +2821,7 @@ pub fn fromMontgomery(out1: *[7]u64, arg1: [7]u64) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3700,6 +3710,7 @@ pub fn toMontgomery(out1: *[7]u64, arg1: [7]u64) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -3717,6 +3728,7 @@ pub fn nonzero(out1: *u64, arg1: [7]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -3753,6 +3765,7 @@ pub fn selectznz(out1: *[7]u64, arg1: u1, arg2: [7]u64, arg3: [7]u64) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3926,6 +3939,7 @@ pub fn toBytes(out1: *[55]u8, arg1: [7]u64) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -4052,6 +4066,7 @@ pub fn fromBytes(out1: *[7]u64, arg1: [55]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -4072,6 +4087,7 @@ pub fn setOne(out1: *[7]u64) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -4093,6 +4109,7 @@ pub fn msat(out1: *[8]u64) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -4484,6 +4501,7 @@ pub fn divstep(out1: *u64, out2: *[8]u64, out3: *[8]u64, out4: *[7]u64, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -4502,4 +4520,3 @@ pub fn divstepPrecomp(out1: *[7]u64) void { out1[5] = 0x6e1ddae1d9609ae1; out1[6] = 0x6df82285eec6; } - 
diff --git a/fiat-zig/src/p448_solinas_32.zig b/fiat-zig/src/p448_solinas_32.zig index a741697dd63..f07b71742b5 100644 --- a/fiat-zig/src/p448_solinas_32.zig +++ b/fiat-zig/src/p448_solinas_32.zig 
@@ -7,17 +7,17 @@ // tight_bounds_multiplier = 1 (from "") // // Computed values: -// carry_chain = [7, 15, 8, 0, 9, 1, 10, 2, 11, 3, 12, 4, 13, 5, 14, 6, 15, 7, 8, 0] -// eval z = z[0] + (z[1] << 28) + (z[2] << 56) + (z[3] << 84) + (z[4] << 112) + (z[5] << 140) + (z[6] << 168) + (z[7] << 196) + (z[8] << 224) + (z[9] << 252) + (z[10] << 0x118) + (z[11] << 0x134) + (z[12] << 0x150) + (z[13] << 0x16c) + (z[14] << 0x188) + (z[15] << 0x1a4) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) -// balance = [0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffc, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe] +// carry_chain = [7, 15, 8, 0, 9, 1, 10, 2, 11, 3, 12, 4, 13, 5, 14, 6, 15, 7, 8, 0] +// eval z = z[0] + (z[1] << 28) + (z[2] << 56) + (z[3] << 84) + (z[4] << 112) + (z[5] << 140) + (z[6] << 168) + (z[7] << 196) + (z[8] << 224) + (z[9] << 252) + (z[10] << 0x118) + (z[11] << 0x134) + (z[12] << 0x150) + (z[13] << 0x16c) + (z[14] << 0x188) + (z[15] << 0x1a4) +// 
bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) +// balance = [0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffc, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe, 0x1ffffffe] const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU28 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^28 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^28⌋ @@ -40,6 +40,7 @@ fn addcarryxU28(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU28 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^28 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^28⌋ 
@@ -62,6 +63,7 @@ fn subborrowxU28(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function cmovznzU32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -81,6 +83,7 @@ fn cmovznzU32(out1: *u32, arg1: u1, arg2: u32, arg3: u32) callconv(.Inline) void } /// The function carryMul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -593,6 +596,7 @@ pub fn carryMul(out1: *[16]u32, arg1: [16]u32, arg2: [16]u32) void { } /// The function carrySquare squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -961,6 +965,7 @@ pub fn carrySquare(out1: *[16]u32, arg1: [16]u32) void { } /// The function carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -1028,6 +1033,7 @@ pub fn carry(out1: *[16]u32, arg1: [16]u32) void { } /// The function add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -1074,6 +1080,7 @@ pub fn add(out1: *[16]u32, arg1: [16]u32, arg2: [16]u32) void { } /// The function sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -1120,6 +1127,7 @@ pub fn sub(out1: *[16]u32, arg1: [16]u32, arg2: [16]u32) void { } /// The function opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -1165,6 +1173,7 @@ pub fn opp(out1: *[16]u32, arg1: [16]u32) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// 
@@ -1228,6 +1237,7 @@ pub fn selectznz(out1: *[16]u32, arg1: u1, arg2: [16]u32, arg3: [16]u32) void { } /// The function toBytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] /// @@ -1507,6 +1517,7 @@ pub fn toBytes(out1: *[56]u8, arg1: [16]u32) void { } /// The function fromBytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -1654,4 +1665,3 @@ pub fn fromBytes(out1: *[16]u32, arg1: [56]u8) void { out1[14] = x116; out1[15] = x120; } - diff --git a/fiat-zig/src/p448_solinas_64.zig b/fiat-zig/src/p448_solinas_64.zig index c51ba2d9848..e5020ac21c5 100644 --- a/fiat-zig/src/p448_solinas_64.zig +++ b/fiat-zig/src/p448_solinas_64.zig 
@@ -7,17 +7,17 @@ // tight_bounds_multiplier = 1 (from "") // // Computed values: -// carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] -// eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) -// balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] +// carry_chain = [3, 7, 4, 0, 5, 1, 6, 2, 7, 3, 4, 0] +// eval z = z[0] + (z[1] << 56) + (z[2] << 112) + (z[3] << 168) + (z[4] << 224) + (z[5] << 0x118) + (z[6] << 0x150) + (z[7] << 0x188) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 
184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) +// balance = [0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffc, 0x1fffffffffffffe, 0x1fffffffffffffe, 0x1fffffffffffffe] const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU56 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^56 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^56⌋ @@ -40,6 +40,7 @@ fn addcarryxU56(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU56 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^56 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^56⌋ @@ -62,6 +63,7 @@ fn subborrowxU56(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -81,6 +83,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function carryMul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// 
@@ -247,6 +250,7 @@ pub fn carryMul(out1: *[8]u64, arg1: [8]u64, arg2: [8]u64) void { } /// The function carrySquare squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -391,6 +395,7 @@ pub fn carrySquare(out1: *[8]u64, arg1: [8]u64) void { } /// The function carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -434,6 +439,7 @@ pub fn carry(out1: *[8]u64, arg1: [8]u64) void { } /// The function add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -464,6 +470,7 @@ pub fn add(out1: *[8]u64, arg1: [8]u64, arg2: [8]u64) void { } /// The function sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -494,6 +501,7 @@ pub fn sub(out1: *[8]u64, arg1: [8]u64, arg2: [8]u64) void { } /// The function opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -523,6 +531,7 @@ pub fn opp(out1: *[8]u64, arg1: [8]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -562,6 +571,7 @@ pub fn selectznz(out1: *[8]u64, arg1: u1, arg2: [8]u64, arg3: [8]u64) void { } /// The function toBytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..55] /// @@ -777,6 +787,7 @@ pub fn toBytes(out1: *[56]u8, arg1: [8]u64) void { } /// The function fromBytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -900,4 +911,3 @@ pub fn fromBytes(out1: *[8]u64, arg1: [56]u8) void { out1[6] = x98; out1[7] = x104; } - 
diff --git a/fiat-zig/src/p521_64.zig b/fiat-zig/src/p521_64.zig index 2eb565e4d54..7a2cb03d64f 100644 --- a/fiat-zig/src/p521_64.zig +++ b/fiat-zig/src/p521_64.zig 
@@ -7,17 +7,17 @@ // tight_bounds_multiplier = 1 (from "") // // Computed values: -// carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] -// eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) -// balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] +// carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1] +// eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] 
<< 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) +// balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe] const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU58 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^58 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^58⌋ @@ -40,6 +40,7 @@ fn addcarryxU58(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU58 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^58 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^58⌋ 
@@ -62,6 +63,7 @@ fn subborrowxU58(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function addcarryxU57 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^57 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^57⌋ @@ -84,6 +86,7 @@ fn addcarryxU57(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU57 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^57 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^57⌋ @@ -106,6 +109,7 @@ fn subborrowxU57(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -125,6 +129,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function carryMul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -271,6 +276,7 @@ pub fn carryMul(out1: *[9]u64, arg1: [9]u64, arg2: [9]u64) void { } /// The function carrySquare squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -396,6 +402,7 @@ pub fn carrySquare(out1: *[9]u64, arg1: [9]u64) void { } /// The function carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -438,6 +445,7 @@ pub fn carry(out1: *[9]u64, arg1: [9]u64) void { } /// The function add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -470,6 +478,7 @@ pub fn add(out1: *[9]u64, arg1: [9]u64, arg2: [9]u64) void { } /// The function sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// 
@@ -502,6 +511,7 @@ pub fn sub(out1: *[9]u64, arg1: [9]u64, arg2: [9]u64) void { } /// The function opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -533,6 +543,7 @@ pub fn opp(out1: *[9]u64, arg1: [9]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -575,6 +586,7 @@ pub fn selectznz(out1: *[9]u64, arg1: u1, arg2: [9]u64, arg3: [9]u64) void { } /// The function toBytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] /// @@ -848,6 +860,7 @@ pub fn toBytes(out1: *[66]u8, arg1: [9]u64) void { } /// The function fromBytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -1009,4 +1022,3 @@ pub fn fromBytes(out1: *[9]u64, arg1: [66]u8) void { out1[7] = x134; out1[8] = x141; } - diff --git a/fiat-zig/src/poly1305_32.zig b/fiat-zig/src/poly1305_32.zig index 7bbc13c27bf..3b4a96b65f0 100644 --- a/fiat-zig/src/poly1305_32.zig +++ b/fiat-zig/src/poly1305_32.zig 
@@ -7,17 +7,17 @@ // tight_bounds_multiplier = 1 (from "") // // Computed values: -// carry_chain = [0, 1, 2, 3, 4, 0, 1] -// eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) -// balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] +// carry_chain = [0, 1, 2, 3, 4, 0, 1] +// eval z = z[0] + (z[1] << 26) + (z[2] << 52) + (z[3] << 78) + (z[4] << 104) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) +// balance = [0x7fffff6, 0x7fffffe, 0x7fffffe, 0x7fffffe, 0x7fffffe] const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU26 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^26 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ @@ -40,6 +40,7 @@ fn addcarryxU26(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU26 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^26 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -62,6 +63,7 @@ fn subborrowxU26(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function cmovznzU32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// 
@@ -81,6 +83,7 @@ fn cmovznzU32(out1: *u32, arg1: u1, arg2: u32, arg3: u32) callconv(.Inline) void } /// The function carryMul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -152,6 +155,7 @@ pub fn carryMul(out1: *[5]u32, arg1: [5]u32, arg2: [5]u32) void { } /// The function carrySquare squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -220,6 +224,7 @@ pub fn carrySquare(out1: *[5]u32, arg1: [5]u32) void { } /// The function carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -250,6 +255,7 @@ pub fn carry(out1: *[5]u32, arg1: [5]u32) void { } /// The function add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// @@ -274,6 +280,7 @@ pub fn add(out1: *[5]u32, arg1: [5]u32, arg2: [5]u32) void { } /// The function sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -298,6 +305,7 @@ pub fn sub(out1: *[5]u32, arg1: [5]u32, arg2: [5]u32) void { } /// The function opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -321,6 +329,7 @@ pub fn opp(out1: *[5]u32, arg1: [5]u32) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -351,6 +360,7 @@ pub fn selectznz(out1: *[5]u32, arg1: u1, arg2: [5]u32, arg3: [5]u32) void { } /// The function toBytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] /// 
@@ -449,6 +459,7 @@ pub fn toBytes(out1: *[17]u8, arg1: [5]u32) void { } /// The function fromBytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -503,4 +514,3 @@ pub fn fromBytes(out1: *[5]u32, arg1: [17]u8) void { out1[3] = x35; out1[4] = x38; } - diff --git a/fiat-zig/src/poly1305_64.zig b/fiat-zig/src/poly1305_64.zig index 7e8ab279c77..216fc62cf64 100644 --- a/fiat-zig/src/poly1305_64.zig +++ b/fiat-zig/src/poly1305_64.zig @@ -7,17 +7,17 @@ // tight_bounds_multiplier = 1 (from "") // // Computed values: -// carry_chain = [0, 1, 2, 0, 1] -// eval z = z[0] + (z[1] << 44) + (z[2] << 87) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) -// balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] +// carry_chain = [0, 1, 2, 0, 1] +// eval z = z[0] + (z[1] << 44) + (z[2] << 87) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) +// balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe] const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU44 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^44 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^44⌋ 
@@ -40,6 +40,7 @@ fn addcarryxU44(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU44 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^44 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^44⌋ @@ -62,6 +63,7 @@ fn subborrowxU44(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function addcarryxU43 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^43 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^43⌋ @@ -84,6 +86,7 @@ fn addcarryxU43(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU43 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^43 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^43⌋ @@ -106,6 +109,7 @@ fn subborrowxU43(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -125,6 +129,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function carryMul multiplies two field elements and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg2) mod m /// @@ -170,6 +175,7 @@ pub fn carryMul(out1: *[3]u64, arg1: [3]u64, arg2: [3]u64) void { } /// The function carrySquare squares a field element and reduces the result. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 * eval arg1) mod m /// @@ -215,6 +221,7 @@ pub fn carrySquare(out1: *[3]u64, arg1: [3]u64) void { } /// The function carry reduces a field element. +/// /// Postconditions: /// eval out1 mod m = eval arg1 mod m /// @@ -239,6 +246,7 @@ pub fn carry(out1: *[3]u64, arg1: [3]u64) void { } /// The function add adds two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 + eval arg2) mod m /// 
@@ -259,6 +267,7 @@ pub fn add(out1: *[3]u64, arg1: [3]u64, arg2: [3]u64) void { } /// The function sub subtracts two field elements. +/// /// Postconditions: /// eval out1 mod m = (eval arg1 - eval arg2) mod m /// @@ -279,6 +288,7 @@ pub fn sub(out1: *[3]u64, arg1: [3]u64, arg2: [3]u64) void { } /// The function opp negates a field element. +/// /// Postconditions: /// eval out1 mod m = -eval arg1 mod m /// @@ -298,6 +308,7 @@ pub fn opp(out1: *[3]u64, arg1: [3]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -322,6 +333,7 @@ pub fn selectznz(out1: *[3]u64, arg1: u1, arg2: [3]u64, arg3: [3]u64) void { } /// The function toBytes serializes a field element to bytes in little-endian order. +/// /// Postconditions: /// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16] /// @@ -408,6 +420,7 @@ pub fn toBytes(out1: *[17]u8, arg1: [3]u64) void { } /// The function fromBytes deserializes a field element from bytes in little-endian order. +/// /// Postconditions: /// eval out1 mod m = bytes_eval arg1 mod m /// @@ -459,4 +472,3 @@ pub fn fromBytes(out1: *[3]u64, arg1: [17]u8) void { out1[1] = x30; out1[2] = x37; } - diff --git a/fiat-zig/src/secp256k1_32.zig b/fiat-zig/src/secp256k1_32.zig index 4f627f135cd..e8070fd6bd8 100644 --- a/fiat-zig/src/secp256k1_32.zig +++ b/fiat-zig/src/secp256k1_32.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +// eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side 
channels - /// The function addcarryxU32 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^32 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -45,6 +45,7 @@ fn addcarryxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv( } /// The function subborrowxU32 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^32 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -67,6 +68,7 @@ fn subborrowxU32(out1: *u32, out2: *u1, arg1: u1, arg2: u32, arg3: u32) callconv } /// The function mulxU32 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^32 /// out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -88,6 +90,7 @@ fn mulxU32(out1: *u32, out2: *u32, arg1: u32, arg2: u32) callconv(.Inline) void } /// The function cmovznzU32 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +110,7 @@ fn cmovznzU32(out1: *u32, arg1: u1, arg2: u32, arg3: u32) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -1356,6 +1360,7 @@ pub fn mul(out1: *[8]u32, arg1: [8]u32, arg2: [8]u32) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2603,6 +2608,7 @@ pub fn square(out1: *[8]u32, arg1: [8]u32) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -2696,6 +2702,7 @@ pub fn add(out1: *[8]u32, arg1: [8]u32, arg2: [8]u32) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m 
@@ -2772,6 +2779,7 @@ pub fn sub(out1: *[8]u32, arg1: [8]u32, arg2: [8]u32) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -2846,6 +2854,7 @@ pub fn opp(out1: *[8]u32, arg1: [8]u32) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -3682,6 +3691,7 @@ pub fn fromMontgomery(out1: *[8]u32, arg1: [8]u32) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -4621,6 +4631,7 @@ pub fn toMontgomery(out1: *[8]u32, arg1: [8]u32) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -4638,6 +4649,7 @@ pub fn nonzero(out1: *u32, arg1: [8]u32) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -4677,6 +4689,7 @@ pub fn selectznz(out1: *[8]u32, arg1: u1, arg2: [8]u32, arg3: [8]u32) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -4780,6 +4793,7 @@ pub fn toBytes(out1: *[32]u8, arg1: [8]u32) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -4860,6 +4874,7 @@ pub fn fromBytes(out1: *[8]u32, arg1: [32]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m 
@@ -4881,6 +4896,7 @@ pub fn setOne(out1: *[8]u32) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m @@ -4903,6 +4919,7 @@ pub fn msat(out1: *[9]u32) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -5340,6 +5357,7 @@ pub fn divstep(out1: *u32, out2: *[9]u32, out3: *[9]u32, out4: *[8]u32, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -5359,4 +5377,3 @@ pub fn divstepPrecomp(out1: *[8]u32) void { out1[6] = 0x4b03709; out1[7] = 0x24fb8a31; } - diff --git a/fiat-zig/src/secp256k1_64.zig b/fiat-zig/src/secp256k1_64.zig index 85482c5ce0d..5de1d671c3f 100644 --- a/fiat-zig/src/secp256k1_64.zig +++ b/fiat-zig/src/secp256k1_64.zig 
@@ -12,17 +12,17 @@ // return values. // // Computed values: -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 +// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) +// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) +// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in +// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 const std = @import("std"); const cast = std.meta.cast; const mode = std.builtin.mode; // Checked arithmetic is disabled in non-debug modes to avoid side channels - /// The function addcarryxU64 is an addition with carry. +/// /// Postconditions: /// out1 = (arg1 + arg2 + arg3) mod 2^64 /// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ 
@@ -45,6 +45,7 @@ fn addcarryxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv( } /// The function subborrowxU64 is a subtraction with borrow. +/// /// Postconditions: /// out1 = (-arg1 + arg2 + -arg3) mod 2^64 /// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -67,6 +68,7 @@ fn subborrowxU64(out1: *u64, out2: *u1, arg1: u1, arg2: u64, arg3: u64) callconv } /// The function mulxU64 is a multiplication, returning the full double-width result. +/// /// Postconditions: /// out1 = (arg1 * arg2) mod 2^64 /// out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -88,6 +90,7 @@ fn mulxU64(out1: *u64, out2: *u64, arg1: u64, arg2: u64) callconv(.Inline) void } /// The function cmovznzU64 is a single-word conditional move. +/// /// Postconditions: /// out1 = (if arg1 = 0 then arg2 else arg3) /// @@ -107,6 +110,7 @@ fn cmovznzU64(out1: *u64, arg1: u1, arg2: u64, arg3: u64) callconv(.Inline) void } /// The function mul multiplies two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -452,6 +456,7 @@ pub fn mul(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function square squares a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -795,6 +800,7 @@ pub fn square(out1: *[4]u64, arg1: [4]u64) void { } /// The function add adds two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -852,6 +858,7 @@ pub fn add(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function sub subtracts two field elements in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// 0 ≤ eval arg2 < m @@ -900,6 +907,7 @@ pub fn sub(out1: *[4]u64, arg1: [4]u64, arg2: [4]u64) void { } /// The function opp negates a field element in the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: 
@@ -946,6 +954,7 @@ pub fn opp(out1: *[4]u64, arg1: [4]u64) void { } /// The function fromMontgomery translates a field element out of the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1182,6 +1191,7 @@ pub fn fromMontgomery(out1: *[4]u64, arg1: [4]u64) void { } /// The function toMontgomery translates a field element into the Montgomery domain. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1445,6 +1455,7 @@ pub fn toMontgomery(out1: *[4]u64, arg1: [4]u64) void { } /// The function nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1462,6 +1473,7 @@ pub fn nonzero(out1: *u64, arg1: [4]u64) void { } /// The function selectznz is a multi-limb conditional select. +/// /// Postconditions: /// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) /// @@ -1489,6 +1501,7 @@ pub fn selectznz(out1: *[4]u64, arg1: u1, arg2: [4]u64, arg3: [4]u64) void { } /// The function toBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ eval arg1 < m /// Postconditions: @@ -1596,6 +1609,7 @@ pub fn toBytes(out1: *[32]u8, arg1: [4]u64) void { } /// The function fromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. +/// /// Preconditions: /// 0 ≤ bytes_eval arg1 < m /// Postconditions: @@ -1676,6 +1690,7 @@ pub fn fromBytes(out1: *[4]u64, arg1: [32]u8) void { } /// The function setOne returns the field element one in the Montgomery domain. +/// /// Postconditions: /// eval (from_montgomery out1) mod m = 1 mod m /// 0 ≤ eval out1 < m @@ -1693,6 +1708,7 @@ pub fn setOne(out1: *[4]u64) void { } /// The function msat returns the saturated representation of the prime modulus. +/// /// Postconditions: /// twos_complement_eval out1 = m /// 0 ≤ eval out1 < m 
@@ -1711,6 +1727,7 @@ pub fn msat(out1: *[5]u64) void { } /// The function divstep computes a divstep. +/// /// Preconditions: /// 0 ≤ eval arg4 < m /// 0 ≤ eval arg5 < m @@ -1964,6 +1981,7 @@ pub fn divstep(out1: *u64, out2: *[5]u64, out3: *[5]u64, out4: *[4]u64, out5: *[ } /// The function divstepPrecomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). +/// /// Postconditions: /// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if (log2 m) + 1 < 46 then ⌊(49 * ((log2 m) + 1) + 80) / 17⌋ else ⌊(49 * ((log2 m) + 1) + 57) / 17⌋) /// 0 ≤ eval out1 < m @@ -1979,4 +1997,3 @@ pub fn divstepPrecomp(out1: *[4]u64) void { out1[2] = 0xe86029463db210a9; out1[3] = 0x24fb8a3104b03709; } - diff --git a/src/Bedrock/Field/Stringification/Stringification.v b/src/Bedrock/Field/Stringification/Stringification.v index b7d08777a1e..98f0005bc50 100644 --- a/src/Bedrock/Field/Stringification/Stringification.v +++ b/src/Bedrock/Field/Stringification/Stringification.v @@ -147,6 +147,7 @@ Notation wrapper_relax_zrange relax_zrange Definition Bedrock2_ToFunctionLines {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} (machine_wordsize : Z) (do_bounds_check : bool) (internal_static : bool) (static : bool) (prefix : string) (name : string) {t} @@ -230,9 +231,9 @@ Definition OutputBedrock2API : ToString.OutputLanguageAPI := ToString.ToFunctionLines := @Bedrock2_ToFunctionLines; - ToString.header := fun _ _ _ _ _ _ _ _ => [""; ToCString.prelude]; + ToString.header := fun _ _ _ _ _ _ _ _ _ => [""; ToCString.prelude]; - ToString.footer := fun _ _ _ _ _ _ _ _ => []; + ToString.footer := fun _ _ _ _ _ _ _ _ _ => []; (** No special handling for any functions *) ToString.strip_special_infos machine_wordsize infos := infos; diff --git a/src/BoundsPipeline.v b/src/BoundsPipeline.v index 30ddc13f8f8..fa8f324da84 100644 --- a/src/BoundsPipeline.v +++ b/src/BoundsPipeline.v 
@@ -363,6 +363,7 @@ Module Pipeline. : ShowLines (Expr t) := fun with_parens syntax_tree => let __ := default_language_naming_conventions in + let __ := default_documentation_options in match ToString.ToFunctionLines (relax_zrange := fun r => r) machine_wordsize @@ -381,6 +382,7 @@ Module Pipeline. Global Instance show_lines_ErrorMessage : ShowLines ErrorMessage := fun parens e => let __ := default_language_naming_conventions in + let __ := default_documentation_options in maybe_wrap_parens_lines parens match e with @@ -606,6 +608,7 @@ Module Pipeline. Definition BoundsPipelineToExtendedResult {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {internal_static : internal_static_opt} {static : static_opt} {low_level_rewriter_method : low_level_rewriter_method_opt} @@ -649,6 +652,7 @@ Module Pipeline. Definition BoundsPipelineToStrings {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {internal_static : internal_static_opt} {static : static_opt} {low_level_rewriter_method : low_level_rewriter_method_opt} @@ -688,6 +692,7 @@ Module Pipeline. Definition BoundsPipelineToString {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {internal_static : internal_static_opt} {static : static_opt} {low_level_rewriter_method : low_level_rewriter_method_opt} diff --git a/src/CLI.v b/src/CLI.v index 19a5be8adcd..3bcd2be901a 100644 --- a/src/CLI.v +++ b/src/CLI.v 
@@ -397,6 +397,23 @@ Module ForExtraction. := ([Arg.long_key "asm-reg-rtl"], Arg.Unit, ["By default, registers are assumed to be assigned to function arguments from left to right in the hints file. This flag reverses that convention to be right-to-left. Note that this flag interacts with --asm-input-first, which determines whether the output pointers are to the left or to the right of the input arguments."]). + Definition doc_text_before_function_name_spec : named_argT + := ([Arg.long_key "doc-text-before-function-name"], + Arg.String, + ["Documentation Option: A custom string to insert before the function name in each docstring. Default: " ++ default_text_before_function_name]). + Definition doc_newline_before_package_declaration_spec : named_argT + := ([Arg.long_key "doc-newline-before-package-declaration"], + Arg.Unit, + ["Documentation Option: For languages that emit package declarations, add an extra newline before the declaration. Primarily useful to detach the header from the Go package."]). + Definition doc_prepend_header_raw_spec : named_argT + := ([Arg.long_key "doc-prepend-header-raw"], + Arg.String, + ["Documentation Option: Prepend a line before the documentation header at the top of the file. This argument can be passed multiple times to insert multiple lines."]). + Definition doc_prepend_header_spec : named_argT + := ([Arg.long_key "doc-prepend-header"], + Arg.String, + ["Documentation Option: Prepend a line at the beginning of the documentation header at the top of the file. This argument can be passed multiple times to insert multiple lines. Lines will be automatically commented."]). + Definition collapse_list_default {A} (default : A) (ls : list A) := List.hd default (List.rev ls). 
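Review bot: The help text of `doc_text_before_function_name_spec` prints the default unquoted, so if `default_text_before_function_name` ends in a space (as the `"The function "` literals it replaces did) the trailing space is invisible to the user, who then cannot tell whether they must supply one themselves; quoting it makes the boundary explicit: `["Documentation Option: A custom string to insert before the function name in each docstring. Default: """ ++ default_text_before_function_name ++ """"]`. The description of `doc-prepend-header-raw` should also state the contrast with `doc-prepend-header` explicitly, since the two differ only in commenting: `"... This argument can be passed multiple times to insert multiple lines. Unlike --doc-prepend-header, lines are emitted verbatim and are not commented, so they must be valid in the output language."`.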
@@ -445,6 +462,8 @@ Module ForExtraction. ; internal_class_name :> class_name_opt (** What's are the naming conventions to use? *) ; language_naming_conventions :> language_naming_conventions_opt + (** Documentation options *) + ; documentation_options :> documentation_options_opt (** list of registers for calling assembly functions *) ; assembly_calling_registers :> assembly_calling_registers_opt (** size of the stack in bytes *) @@ -457,6 +476,10 @@ Module ForExtraction. ; assembly_argument_registers_left_to_right :> assembly_argument_registers_left_to_right_opt (** don't prepend fiat to prefix *) ; no_prefix_fiat : bool + (** Extra lines before the documentation header *) + ; before_header_lines : list string + (** Extra lines at the beginning of the documentation header *) + ; extra_early_header_lines : list string }. Class SynthesizeOptions := { @@ -524,6 +547,10 @@ Module ForExtraction. ; no_error_on_unused_asm_functions_spec ; asm_input_first_spec ; asm_reg_rtl_spec + ; doc_text_before_function_name_spec + ; doc_newline_before_package_declaration_spec + ; doc_prepend_header_raw_spec + ; doc_prepend_header_spec ]. Definition parse_common_optional_options 
@@ -560,6 +587,10 @@ Module ForExtraction. , no_error_on_unused_asm_functionsv , asm_input_firstv , asm_reg_rtlv + , doc_text_before_function_namev + , doc_newline_before_package_declarationv + , doc_prepend_header_rawv + , doc_prepend_headerv ) := data in let to_bool ls := (0 "curve description: " ++ curve_description - | _, Some pkg, _ - => "curve description (via package name): " ++ pkg - | _, _, Some cls - => "curve description (via class name): " ++ cls - end - ; "machine_wordsize = " ++ show false (machine_wordsize:Z) ++ " (from """ ++ str_machine_wordsize ++ """)"]%string) + ((extra_early_header_lines + ++ ["Autogenerated: " ++ invocation + ; match (curve_description =? ""), internal_package_name, internal_class_name with + | false, _, _ + | _, (None | Some ""), (None | Some "") + => "curve description: " ++ curve_description + | _, Some pkg, _ + => "curve description (via package name): " ++ pkg + | _, _, Some cls + => "curve description (via class name): " ++ cls + end + ; "machine_wordsize = " ++ show false (machine_wordsize:Z) ++ " (from """ ++ str_machine_wordsize ++ """)"]%string) ++ show_lines_args args)%list in inl (Synthesize (snd args) header prefix). - Definition strip_trailing_spaces (s : string) : string - := String.concat String.NewLine (List.map String.rtrim (String.split String.NewLine s)). - Definition ProcessedLines {output_language_api : ToString.OutputLanguageAPI} {synthesize_opts : SynthesizeOptions} 
@@ -705,10 +740,13 @@ Module ForExtraction. : ((* normal *) list string * (* asm *) list string) + list string := match CollectErrors (PipelineLines invocation curve_description str_machine_wordsize args) with | inl (ls_normal, ls_asm) - => let postprocess_lines - := List.flat_map (fun s => ((List.map (fun s => s ++ String.NewLine) (List.map strip_trailing_spaces s))%string) - ++ [String.NewLine])%list in - inl (postprocess_lines ls_normal, postprocess_lines ls_asm) + => let before_header := List.map (fun s => s ++ String.NewLine) before_header_lines in + let postprocess_lines ls + := String.strip_trailing_newlines + (List.flat_map (fun s => ((List.map (fun s => s ++ String.NewLine) (List.map String.strip_trailing_spaces s))%string) + ++ [String.NewLine]) + ls)%list in + inl (before_header ++ postprocess_lines ls_normal, postprocess_lines ls_asm)%list | inr nil => inr nil | inr (l :: ls) => inr (l ++ (List.flat_map diff --git a/src/PushButtonSynthesis/BarrettReduction.v b/src/PushButtonSynthesis/BarrettReduction.v index dcbf8100fa0..ca730d499cf 100644 --- a/src/PushButtonSynthesis/BarrettReduction.v +++ b/src/PushButtonSynthesis/BarrettReduction.v @@ -59,6 +59,7 @@ Section rbarrett_red. Let possible_values := possible_values_of_machine_wordsize. Local Existing Instance default_language_naming_conventions. + Local Existing Instance default_documentation_options. Local Instance widen_carry : widen_carry_opt := false. Local Instance widen_bytes : widen_bytes_opt := true. Local Instance only_signed : only_signed_opt := false. diff --git a/src/PushButtonSynthesis/BaseConversion.v b/src/PushButtonSynthesis/BaseConversion.v index 6b0bc09833b..81e55dfd5f8 100644 --- a/src/PushButtonSynthesis/BaseConversion.v +++ b/src/PushButtonSynthesis/BaseConversion.v 
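Review bot: Wrapping the whole output in `String.strip_trailing_newlines` in `ProcessedLines` removes every trailing newline, so unless the writer appends one the emitted file no longer ends with a line terminator, which many tools (gofmt, diff, POSIX text utilities) treat as malformed; the generated-file hunks in this commit show the final blank line disappearing, which is consistent with that. If the intent was only to drop the extra blank line, re-append a single terminator: `inl (before_header ++ postprocess_lines ls_normal ++ [String.NewLine], postprocess_lines ls_asm ++ [String.NewLine])%list`. Note also that `before_header` is prepended to `ls_normal` only and not to `ls_asm`, and that its lines bypass the `String.strip_trailing_spaces` pass applied to everything else; if both asymmetries are intended, a one-line comment above the `let before_header` saying so would help the next reader.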
@@ -79,6 +79,7 @@ Definition default_bounds : bounds := use_prime. Section __. Context {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} {static : static_opt} @@ -289,7 +290,7 @@ Section __. FromPipelineToString machine_wordsize prefix "convert_bases" convert_bases (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " converts a field element from base " ++ Decimal.show_Q false src_limbwidth ++ " to base " ++ Decimal.show_Q false dst_limbwidth ++ " in little-endian order."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " converts a field element from base " ++ Decimal.show_Q false src_limbwidth ++ " to base " ++ Decimal.show_Q false dst_limbwidth ++ " in little-endian order."]%string) (convert_bases_correct src_weight dst_weight src_n dst_n in_bounds)). Local Ltac solve_extra_bounds_side_conditions := @@ -356,7 +357,7 @@ Section __. (comment_header ++ [""; "Computed values:"; - "dst_n = " ++ show false dst_n]%string))) + " dst_n = " ++ show false dst_n]%string))) function_name_prefix requests. End for_stringification. End __. diff --git a/src/PushButtonSynthesis/FancyMontgomeryReduction.v b/src/PushButtonSynthesis/FancyMontgomeryReduction.v index e05362a91f6..ed8d8f8aab0 100644 --- a/src/PushButtonSynthesis/FancyMontgomeryReduction.v +++ b/src/PushButtonSynthesis/FancyMontgomeryReduction.v @@ -66,6 +66,7 @@ Section rmontred. Let possible_values := possible_values_of_machine_wordsize. Local Existing Instance default_language_naming_conventions. + Local Existing Instance default_documentation_options. Local Instance widen_carry : widen_carry_opt := false. Local Instance widen_bytes : widen_bytes_opt := true. Local Instance only_signed : only_signed_opt := false. 
diff --git a/src/PushButtonSynthesis/Primitives.v b/src/PushButtonSynthesis/Primitives.v index 2858b58d660..c5b2ae3c0f4 100644 --- a/src/PushButtonSynthesis/Primitives.v +++ b/src/PushButtonSynthesis/Primitives.v @@ -672,7 +672,7 @@ Module CorrectnessStringification. := constr:((["Postconditions:"] ++ List.map (fun s => " " ++ s)%string postconditions)%list%string) in (eval cbv [List.map List.app] in - (preconditions_list_string ++ postconditions_list_string ++ [""])%list%string) + ([""] ++ preconditions_list_string ++ postconditions_list_string ++ [""])%list%string) end. Ltac strip_lambdas v := @@ -729,6 +729,7 @@ Notation wrap_s v := (fun s => existT (fun t => prod string (Pipeline.ErrorT (Pi Section __. Context {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} {static : static_opt} @@ -804,7 +805,7 @@ Section __. FromPipelineToString machine_wordsize prefix "selectznz" selectznz (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " is a multi-limb conditional select."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " is a multi-limb conditional select."]%string) (selectznz_correct dummy_weight n saturated_bounds_list)). Definition mulx (s : Z) @@ -823,7 +824,7 @@ Section __. FromPipelineToInternalString machine_wordsize prefix ("mulx_u" ++ Decimal.Z.to_string s) (mulx s) (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " is a multiplication, returning the full double-width result."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " is a multiplication, returning the full double-width result."]%string) (mulx_correct s)). Definition addcarryx (s : Z) 
@@ -843,7 +844,7 @@ Section __. FromPipelineToInternalString machine_wordsize prefix ("addcarryx_u" ++ Decimal.Z.to_string s) (addcarryx s) (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " is an addition with carry."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " is an addition with carry."]%string) (addcarryx_correct s)). Definition subborrowx (s : Z) @@ -862,7 +863,7 @@ Section __. FromPipelineToInternalString machine_wordsize prefix ("subborrowx_u" ++ Decimal.Z.to_string s) (subborrowx s) (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " is a subtraction with borrow."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " is a subtraction with borrow."]%string) (subborrowx_correct s)). @@ -881,7 +882,7 @@ Section __. FromPipelineToInternalString machine_wordsize prefix ("value_barrier_" ++ (if int.is_unsigned s then "u" else "") ++ Decimal.Z.to_string (int.bitwidth_of s)) (value_barrier s) (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " is a single-word conditional move."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " is a single-word conditional move."]%string) (value_barrier_correct (int.is_signed s) (int.bitwidth_of s))). @@ -901,7 +902,7 @@ Section __. FromPipelineToInternalString machine_wordsize prefix ("cmovznz_u" ++ Decimal.Z.to_string s) (cmovznz s) (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " is a single-word conditional move."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " is a single-word conditional move."]%string) (cmovznz_correct false s)). Definition cmovznz_by_mul (s : Z) 
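Review bot: The summary emitted for `value_barrier` (hunk at -881) reads `" is a single-word conditional move."`, identical to the `cmovznz` and `cmovznz_by_mul` summaries, which looks like a copy-paste rather than a description of this primitive; its name and `value_barrier_correct (int.is_signed s) (int.bitwidth_of s)` suggest an identity operation whose purpose is to block compiler optimisation, not a select. Since this commit rewrites that line anyway, it is the right moment to fix the text, e.g. `(fun fname : string => [text_before_function_name ++ fname ++ " is an optimization barrier that returns its input unchanged."]%string)`, or whatever `value_barrier_correct` actually states.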
@@ -920,7 +921,7 @@ Section __. FromPipelineToInternalString machine_wordsize prefix ("cmovznz_u" ++ Decimal.Z.to_string s) (cmovznz_by_mul s) (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " is a single-word conditional move."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " is a single-word conditional move."]%string) (cmovznz_correct false s)). Local Ltac solve_extra_bounds_side_conditions := @@ -1174,8 +1175,7 @@ Section __. (ToString.ident_info_of_bitwidths_used extra_bit_widths) in let header := (comment_header - ++ ToString.header machine_wordsize (orb internal_static static) static function_name_prefix infos - ++ [""]) in + ++ ToString.header machine_wordsize (orb internal_static static) static function_name_prefix infos) in let footer := ToString.footer machine_wordsize (orb internal_static static) static function_name_prefix infos in [(normal_output, diff --git a/src/PushButtonSynthesis/SaturatedSolinas.v b/src/PushButtonSynthesis/SaturatedSolinas.v index 8c2add46042..afe1a39da9f 100644 --- a/src/PushButtonSynthesis/SaturatedSolinas.v +++ b/src/PushButtonSynthesis/SaturatedSolinas.v @@ -61,6 +61,7 @@ Local Opaque expr.Interp. Section __. Context {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} {static : static_opt} @@ -200,7 +201,7 @@ Section __. FromPipelineToString machine_wordsize prefix "mul" mul (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " multiplies two field elements."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements."]%string) (mul_correct weightf n m boundsn)). Local Ltac solve_extra_bounds_side_conditions := 
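Review bot: Dropping the `++ [""]` after `ToString.header` in the -1174 hunk makes every backend's `header` responsible for ending with a blank line, but the Bedrock2 API updated in this same commit still returns `[""; ToCString.prelude]`, i.e. a leading blank only. Unless `ToCString.prelude` itself ends in an empty line, the bedrock2 output will lose the blank that separated the prelude from the first function; please check that backend's output or keep the separator local to it (`ToString.header := fun _ _ _ _ _ _ _ _ _ => [""; ToCString.prelude; ""]`). The surrounding `let header := ...` definition continues outside the hunk.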
@@ -241,7 +242,8 @@ Section __. (comment_header ++ [""; "Computed values:"; - "# reductions = " ++ show false nreductions]%string))) + ""; + " # reductions = " ++ show false nreductions]%string))) function_name_prefix requests. End for_stringification. End __. diff --git a/src/PushButtonSynthesis/SmallExamples.v b/src/PushButtonSynthesis/SmallExamples.v index 2591daff10d..f64d637a4cc 100644 --- a/src/PushButtonSynthesis/SmallExamples.v +++ b/src/PushButtonSynthesis/SmallExamples.v @@ -70,6 +70,7 @@ Time Redirect "log" Compute Local Existing Instance ToString.C.OutputCAPI. Local Existing Instance default_language_naming_conventions. +Local Existing Instance default_documentation_options. Local Instance : package_name_opt := None. Local Instance : class_name_opt := None. Local Instance : static_opt := true. diff --git a/src/PushButtonSynthesis/UnsaturatedSolinas.v b/src/PushButtonSynthesis/UnsaturatedSolinas.v index f39a371381d..8852b7ffb22 100644 --- a/src/PushButtonSynthesis/UnsaturatedSolinas.v +++ b/src/PushButtonSynthesis/UnsaturatedSolinas.v @@ -81,6 +81,7 @@ Local Opaque Section __. Context {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} {static : static_opt} @@ -318,7 +319,7 @@ Section __. FromPipelineToString machine_wordsize prefix "carry_mul" carry_mul (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " multiplies two field elements and reduces the result."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements and reduces the result."]%string) (carry_mul_correct weightf n m tight_bounds loose_bounds)). Definition carry_square 
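Review bot: The SaturatedSolinas header hunk inserts an extra `"";` between `"Computed values:"` and `" # reductions = "`, while the parallel edits in BaseConversion (`" dst_n = "`) and UnsaturatedSolinas (the `List.map (fun s => " " ++ s)` block) keep the entries directly under the heading, so the three backends now lay out the same section differently. If the blank line is not deliberate, drop the added `"";` here; otherwise add it in the other two headers so generated files stay uniform across backends.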
@@ -337,7 +338,7 @@ Section __. FromPipelineToString machine_wordsize prefix "carry_square" carry_square (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " squares a field element and reduces the result."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " squares a field element and reduces the result."]%string) (carry_square_correct weightf n m tight_bounds loose_bounds)). Definition carry_scmul_const (x : Z) @@ -356,7 +357,7 @@ Section __. FromPipelineToString machine_wordsize prefix ("carry_scmul_" ++ Decimal.Z.to_string x) (carry_scmul_const x) (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " multiplies a field element by " ++ Decimal.Z.to_string x ++ " and reduces the result."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " multiplies a field element by " ++ Decimal.Z.to_string x ++ " and reduces the result."]%string) (carry_scmul_const_correct weightf n m tight_bounds loose_bounds x)). Definition carry @@ -375,7 +376,7 @@ Section __. FromPipelineToString machine_wordsize prefix "carry" carry (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " reduces a field element."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " reduces a field element."]%string) (carry_correct weightf n m tight_bounds loose_bounds)). Definition add @@ -394,7 +395,7 @@ Section __. FromPipelineToString machine_wordsize prefix "add" add (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " adds two field elements."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " adds two field elements."]%string) (add_correct weightf n m tight_bounds loose_bounds)). Definition sub 
@@ -413,7 +414,7 @@ Section __. FromPipelineToString machine_wordsize prefix "sub" sub (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " subtracts two field elements."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " subtracts two field elements."]%string) (sub_correct weightf n m tight_bounds loose_bounds)). Definition opp @@ -432,7 +433,7 @@ Section __. FromPipelineToString machine_wordsize prefix "opp" opp (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " negates a field element."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " negates a field element."]%string) (opp_correct weightf n m tight_bounds loose_bounds)). Definition to_bytes @@ -451,7 +452,7 @@ Section __. FromPipelineToString machine_wordsize prefix "to_bytes" to_bytes (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " serializes a field element to bytes in little-endian order."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " serializes a field element to bytes in little-endian order."]%string) (to_bytes_correct weightf n n_bytes m tight_bounds)). Definition from_bytes @@ -470,7 +471,7 @@ Section __. FromPipelineToString machine_wordsize prefix "from_bytes" from_bytes (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " deserializes a field element from bytes in little-endian order."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " deserializes a field element from bytes in little-endian order."]%string) (from_bytes_correct weightf n n_bytes m s tight_bounds)). Definition encode 
@@ -489,7 +490,7 @@ Section __. FromPipelineToString machine_wordsize prefix "encode" encode (docstring_with_summary_from_lemma! - (fun fname : string => ["The function " ++ fname ++ " encodes an integer as a field element."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " encodes an integer as a field element."]%string) (encode_correct weightf n m tight_bounds)). Definition zero @@ -508,7 +509,7 @@ Section __. FromPipelineToString machine_wordsize prefix "zero" zero (docstring_with_summary_from_lemma! - (fun fname => ["The function " ++ fname ++ " returns the field element zero."]%string) + (fun fname => [text_before_function_name ++ fname ++ " returns the field element zero."]%string) (zero_correct weightf n m tight_bounds)). Definition one @@ -527,7 +528,7 @@ Section __. FromPipelineToString machine_wordsize prefix "one" one (docstring_with_summary_from_lemma! - (fun fname => ["The function " ++ fname ++ " returns the field element one."]%string) + (fun fname => [text_before_function_name ++ fname ++ " returns the field element one."]%string) (one_correct weightf n m tight_bounds)). Definition reval (* r for reified *) @@ -822,10 +823,12 @@ Section __. (comment_header ++ ["" ; "Computed values:"] - ++ (ToString.prefix_and_indent "carry_chain = " [show false idxs]) - ++ (ToString.prefix_and_indent "eval z = " [seval "z" false]) - ++ (ToString.prefix_and_indent "bytes_eval z = " [sbytes_eval "z" false]) - ++ (ToString.prefix_and_indent "balance = " [let show_Z := Hex.show_Z in show false balance]))) + ++ (List.map + (fun s => " " ++ s)%string + ((ToString.prefix_and_indent "carry_chain = " [show false idxs]) + ++ (ToString.prefix_and_indent "eval z = " [seval "z" false]) + ++ (ToString.prefix_and_indent "bytes_eval z = " [sbytes_eval "z" false]) + ++ (ToString.prefix_and_indent "balance = " [let show_Z := Hex.show_Z in show false balance]))))) function_name_prefix requests. End for_stringification. End __. 
diff --git a/src/PushButtonSynthesis/WordByWordMontgomery.v b/src/PushButtonSynthesis/WordByWordMontgomery.v index d95c1bdcfb2..6a8f320d282 100644 --- a/src/PushButtonSynthesis/WordByWordMontgomery.v +++ b/src/PushButtonSynthesis/WordByWordMontgomery.v @@ -96,6 +96,7 @@ Local Opaque Section __. Context {output_language_api : ToString.OutputLanguageAPI} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} {static : static_opt} @@ -323,7 +324,7 @@ Section __. machine_wordsize prefix "mul" mul (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " multiplies two field elements in the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " multiplies two field elements in the Montgomery domain."]%string) (mul_correct machine_wordsize n m valid from_montgomery_res)). Definition square @@ -343,7 +344,7 @@ Section __. machine_wordsize prefix "square" square (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " squares a field element in the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " squares a field element in the Montgomery domain."]%string) (square_correct machine_wordsize n m valid from_montgomery_res)). Definition add @@ -363,7 +364,7 @@ Section __. machine_wordsize prefix "add" add (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " adds two field elements in the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " adds two field elements in the Montgomery domain."]%string) (add_correct machine_wordsize n m valid from_montgomery_res)). Definition sub 
@@ -383,7 +384,7 @@ Section __. machine_wordsize prefix "sub" sub (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " subtracts two field elements in the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " subtracts two field elements in the Montgomery domain."]%string) (sub_correct machine_wordsize n m valid from_montgomery_res)). Definition opp @@ -403,7 +404,7 @@ Section __. machine_wordsize prefix "opp" opp (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " negates a field element in the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " negates a field element in the Montgomery domain."]%string) (opp_correct machine_wordsize n m valid from_montgomery_res)). Definition from_montgomery @@ -423,7 +424,7 @@ Section __. machine_wordsize prefix "from_montgomery" from_montgomery (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " translates a field element out of the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " translates a field element out of the Montgomery domain."]%string) (from_montgomery_correct machine_wordsize n m r' valid)). Definition to_montgomery @@ -443,7 +444,7 @@ Section __. machine_wordsize prefix "to_montgomery" to_montgomery (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " translates a field element into the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " translates a field element into the Montgomery domain."]%string) (to_montgomery_correct machine_wordsize n m valid from_montgomery_res)). Definition nonzero 
@@ -462,7 +463,7 @@ Section __. machine_wordsize prefix "nonzero" nonzero (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " outputs a single non-zero word if the input is non-zero and zero otherwise."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " outputs a single non-zero word if the input is non-zero and zero otherwise."]%string) (nonzero_correct machine_wordsize n m valid from_montgomery_res)). Definition to_bytes @@ -482,7 +483,7 @@ Section __. machine_wordsize prefix "to_bytes" to_bytes (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " serializes a field element NOT in the Montgomery domain to bytes in little-endian order."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " serializes a field element NOT in the Montgomery domain to bytes in little-endian order."]%string) (to_bytes_correct machine_wordsize n n_bytes m valid)). Definition from_bytes @@ -502,7 +503,7 @@ Section __. machine_wordsize prefix "from_bytes" from_bytes (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " deserializes a field element NOT in the Montgomery domain from bytes in little-endian order."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " deserializes a field element NOT in the Montgomery domain from bytes in little-endian order."]%string) (from_bytes_correct machine_wordsize n n_bytes m valid bytes_valid)). Definition encode 
@@ -522,7 +523,7 @@ Section __. machine_wordsize prefix "encode" encode (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " encodes an integer as a field element in the Montgomery domain."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " encodes an integer as a field element in the Montgomery domain."]%string) (encode_correct machine_wordsize n m valid from_montgomery_res)). Definition zero @@ -542,7 +543,7 @@ Section __. machine_wordsize prefix "zero" zero (docstring_with_summary_from_lemma! prefix - (fun fname => ["The function " ++ fname ++ " returns the field element zero in the Montgomery domain."]%string) + (fun fname => [text_before_function_name ++ fname ++ " returns the field element zero in the Montgomery domain."]%string) (zero_correct machine_wordsize n m valid from_montgomery_res)). Definition one @@ -562,7 +563,7 @@ Section __. machine_wordsize prefix "set_one" one (* to avoid conflict with boringSSL *) (docstring_with_summary_from_lemma! prefix - (fun fname => ["The function " ++ fname ++ " returns the field element one in the Montgomery domain."]%string) + (fun fname => [text_before_function_name ++ fname ++ " returns the field element one in the Montgomery domain."]%string) (one_correct machine_wordsize n m valid from_montgomery_res)). Definition reval (* r for reified *) @@ -630,7 +631,7 @@ Section __. machine_wordsize prefix "msat" msat (docstring_with_summary_from_lemma! prefix - (fun fname => ["The function " ++ fname ++ " returns the saturated representation of the prime modulus."]%string) + (fun fname => [text_before_function_name ++ fname ++ " returns the saturated representation of the prime modulus."]%string) (msat_correct machine_wordsize n m valid)). Definition divstep_precomp 
@@ -650,7 +651,7 @@ Section __. machine_wordsize prefix "divstep_precomp" divstep_precomp (docstring_with_summary_from_lemma! prefix - (fun fname => ["The function " ++ fname ++ " returns the precomputed value for Bernstein-Yang-inversion (in montgomery form)."]%string) + (fun fname => [text_before_function_name ++ fname ++ " returns the precomputed value for Bernstein-Yang-inversion (in montgomery form)."]%string) (divstep_precomp_correct machine_wordsize n m valid from_montgomery_res)). Definition divstep @@ -670,7 +671,7 @@ Section __. machine_wordsize prefix "divstep" divstep (docstring_with_summary_from_lemma! prefix - (fun fname : string => ["The function " ++ fname ++ " computes a divstep."]%string) + (fun fname : string => [text_before_function_name ++ fname ++ " computes a divstep."]%string) (divstep_correct machine_wordsize n m valid from_montgomery_res)). Lemma bounded_by_of_valid x @@ -1088,11 +1089,13 @@ Section __. check_args (ToString.comment_file_header_block (comment_header - ++ ["" - ; "Computed values:"] - ++ (ToString.prefix_and_indent "eval z = " [seval "z" false]) - ++ (ToString.prefix_and_indent "bytes_eval z = " [sbytes_eval "z" false]) - ++ (ToString.prefix_and_indent "twos_complement_eval z = " [seval_twos_complement "z" false]))) + ++ ["" + ; "Computed values:"] + ++ (List.map + (fun s => " " ++ s)%string + ((ToString.prefix_and_indent "eval z = " [seval "z" false]) + ++ (ToString.prefix_and_indent "bytes_eval z = " [sbytes_eval "z" false]) + ++ (ToString.prefix_and_indent "twos_complement_eval z = " [seval_twos_complement "z" false]))))) function_name_prefix requests. End for_stringification. End __. diff --git a/src/Rewriter/PerfTesting/Core.v b/src/Rewriter/PerfTesting/Core.v index 4c8f4362b96..906c7e94a32 100644 --- a/src/Rewriter/PerfTesting/Core.v +++ b/src/Rewriter/PerfTesting/Core.v 
@@ -45,6 +45,7 @@ Import
 Local Existing Instance Stringification.C.Compilers.ToString.C.OutputCAPI.
 Local Existing Instance default_language_naming_conventions.
+Local Existing Instance default_documentation_options.
 Local Instance : package_name_opt := None.
 Local Instance : class_name_opt := None.
 Local Instance : static_opt := true.
diff --git a/src/SlowPrimeSynthesisExamples.v b/src/SlowPrimeSynthesisExamples.v
index 6a780026b25..2fdad78f4d4 100644
--- a/src/SlowPrimeSynthesisExamples.v
+++ b/src/SlowPrimeSynthesisExamples.v
@@ -41,6 +41,7 @@ Local Instance : unfold_value_barrier_opt := true.
 Local Instance : assembly_hints_lines_opt := None.
 Local Instance : tight_upperbound_fraction_opt := default_tight_upperbound_fraction.
 Local Existing Instance default_language_naming_conventions.
+Local Existing Instance default_documentation_options.
 Local Instance : package_name_opt := None.
 Local Instance : class_name_opt := None.
diff --git a/src/Stringification/C.v b/src/Stringification/C.v
index 4e812428c48..e49deb256c7 100644
--- a/src/Stringification/C.v
+++ b/src/Stringification/C.v
@@ -92,6 +92,7 @@ Module Compilers.
 Definition header {language_naming_conventions : language_naming_conventions_opt}
+ {documentation_options : documentation_options_opt}
 {package_namev : package_name_opt} {class_namev : class_name_opt} (machine_wordsize : Z) (internal_static : bool) (static : bool) (prefix : string) (infos : ident_infos)
@@ -121,7 +122,8 @@ Module Compilers.
 ; "#endif"] ++ (List.flat_map (value_barrier_func internal_static prefix)
- (IntSet.elements value_barrier_bitwidths)))%list.
+ (IntSet.elements value_barrier_bitwidths))
+ ++ [""])%list.
 End String. Module primitive.
@@ -530,6 +532,7 @@ Module Compilers.
 Definition ToFunctionLines {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt}
+ {documentation_options : documentation_options_opt}
 (machine_wordsize : Z) (do_bounds_check : bool) (internal_static : bool) (static : bool) (prefix : string) (name : string) {t}
@@ -561,6 +564,7 @@ Module Compilers.
 Definition ToFunctionString {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt}
+ {documentation_options : documentation_options_opt}
 (machine_wordsize : Z) (do_bounds_check : bool) (internal_static : bool) (static : bool) (prefix : string) (name : string) {t}
@@ -585,7 +589,7 @@ Module Compilers.
 ToString.header := @String.header;
- ToString.footer := fun _ _ _ _ _ _ _ _ => [];
+ ToString.footer := fun _ _ _ _ _ _ _ _ _ => [];
 (** We handle value_barrier specially *) ToString.strip_special_infos machine_wordsize infos
diff --git a/src/Stringification/Go.v b/src/Stringification/Go.v
index 9e899108c47..cafa23efe8c 100644
--- a/src/Stringification/Go.v
+++ b/src/Stringification/Go.v
@@ -12,6 +12,7 @@ From Crypto Require Import IR Stringification.Language AbstractInterpretation.ZR
 Import ListNotations.
+Local Open Scope string_scope.
 Local Open Scope zrange_scope.
 Local Open Scope Z_scope.
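Review bot: `ToString.footer := fun _ _ _ _ _ _ _ _ _ => [];` pins the footer's arity by counting underscores, so every backend has to be edited whenever the record field gains an argument — this commit makes the identical nine-underscore edit in Go.v, JSON.v (header and footer), Rust.v and Zig.v. A single definition in Language.v next to the `footer` field, carrying the field's full binder list and the body `[]`, assigned as `ToString.footer := @empty_footer;` (name constructed), would turn the next added option into a one-line change. The `ToString.strip_special_infos` line that closes the hunk continues outside it.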
@@ -27,21 +28,19 @@ Module Go.
 := match lines with | [] => [] | [""] => [""]
- | [line] => ["/* " ++ line ++ " */"]%string
- | lines => ["/*"] ++ List.map (fun s => if (String.length s =? 0)%nat then "" else " " ++ s)%string lines ++ [" */"]
+ | [line] => ["// " ++ line]%string
+ | lines => List.map (fun s => if (String.length s =? 0)%nat then "//" else "// " ++ s)%string lines
 end%list%string. Definition comment_block_extra_newlines (lines : list string) : list string := match lines with | [] => [] | [""] => [""]
- | [line] => ["/* " ++ line ++ " */"]%string
- | lines => ["/*"]
- ++ List.tl (List.flat_map (fun s => ["";
- if (String.length s =? 0)%nat
- then ""
- else " " ++ s])%string lines)
- ++ [" */"]
+ | [line] => ["// " ++ line]%string
+ | lines => List.tl (List.flat_map (fun s => ["//";
+ if (String.length s =? 0)%nat
+ then "//"
+ else "// " ++ s])%string lines)
 end%list%string. (* Supported integer bitwidths *)
@@ -57,6 +56,7 @@ Module Go.
 (* Header imports and type defs *) Definition header {language_naming_conventions : language_naming_conventions_opt}
+ {documentation_options : documentation_options_opt}
 {package_namev : package_name_opt} {class_namev : class_name_opt} (machine_wordsize : Z) (internal_private : bool) (private : bool) (prefix : string) (infos : ToString.ident_infos)
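Review bot: `comment_block` and `comment_block_extra_newlines` switch from `/* */` blocks to `//` lines without saying why, and the reason matters for the file header: Go tooling only treats a file as generated when a line matching `^// Code generated .* DO NOT EDIT\.$` appears before the package clause, which a `/* */` block can never satisfy. I'd add above `comment_block`: `(* Go comments are emitted as "//" lines so that a generated-code header line has the form Go tooling recognises (^// Code generated .* DO NOT EDIT\.$). *)`. The multi-line branch of `comment_block_extra_newlines` also deserves a one-liner that `List.tl` drops the `"//"` separator `flat_map` puts before the first entry, since that is the only thing distinguishing it from `comment_block`.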
@@ -79,36 +79,42 @@ Module Go. else if IntSet.mem uint8 bitwidths_used || IntSet.mem int8 bitwidths_used then int_type_to_string internal_private prefix uint8 else int_type_to_string internal_private prefix (int.of_bitwidth false(*unsigned*) machine_wordsize)) in - ((["package " ++ package_name prefix; - ""]%string) - ++ (if needs_bits_import then ["import ""math/bits"""]%string else []) - ++ (List.flat_map - (fun bw - => (if IntSet.mem (int.of_bitwidth false bw) bitwidths_used || IntSet.mem (int.of_bitwidth true bw) bitwidths_used - then [type_prefix ++ int_type_to_string internal_private prefix (int.of_bitwidth false bw) ++ " uint8"; - type_prefix ++ int_type_to_string internal_private prefix (int.of_bitwidth true bw) ++ " int8" ]%string (* C: typedef signed char prefix_int1 *) - else [])) - [1; 2]) - ++ (if IntSet.mem uint128 bitwidths_used || IntSet.mem int128 bitwidths_used - then ["var _ = error_Go_output_does_not_support_128_bit_integers___instead_use_rewriting_rules_for_removing_128_bit_integers"]%string - else []) - ++ (List.flat_map - (fun bw - => let s_bw := Decimal.Z.to_string bw in - List.flat_map - (fun '(newname, bitsname) - => [""%string] - ++ (comment_block - ["The function " ++ newname ++ " is a thin wrapper around " ++ bitsname ++ " that uses " ++ carry_type ++ " rather than uint" ++ s_bw]%string) - ++ ["func " ++ newname ++ "(x uint" ++ s_bw ++ ", y uint" ++ s_bw ++ ", carry " ++ carry_type ++ ") (uint" ++ s_bw ++ ", " ++ carry_type ++ ") {" - ; " var sum uint" ++ s_bw - ; " var carryOut uint" ++ s_bw - ; " sum, carryOut = " ++ bitsname ++ "(x, y, uint" ++ s_bw ++ "(carry))" - ; " return sum, " ++ carry_type ++ "(carryOut)" - ; "}"]%string) - [(ToString.format_special_function_name internal_private prefix "addcarryx" false(*unsigned*) bw, "bits.Add" ++ s_bw) - ; (ToString.format_special_function_name internal_private prefix "subborrowx" false(*unsigned*) bw, "bits.Sub" ++ s_bw)]%string) - special_addcarryx_lg_splits))%list. 
+ strip_trailing_newlines + (((if newline_before_package_declaration then [""] else []) + ++ ["package " ++ package_name prefix; + ""]%string) + ++ (if needs_bits_import then ["import ""math/bits"""; ""]%string else []) + ++ (let typedefs + := List.flat_map + (fun bw + => (if IntSet.mem (int.of_bitwidth false bw) bitwidths_used || IntSet.mem (int.of_bitwidth true bw) bitwidths_used + then [type_prefix ++ int_type_to_string internal_private prefix (int.of_bitwidth false bw) ++ " uint8"; + type_prefix ++ int_type_to_string internal_private prefix (int.of_bitwidth true bw) ++ " int8"]%string (* C: typedef signed challr prefix_int1 *) + else [])) + [1; 2] in + match typedefs with + | [] => [] + | _::_ => typedefs ++ [""] + end) + ++ (if IntSet.mem uint128 bitwidths_used || IntSet.mem int128 bitwidths_used + then ["var _ = error_Go_output_does_not_support_128_bit_integers___instead_use_rewriting_rules_for_removing_128_bit_integers"]%string + else []) + ++ (List.tl + (List.flat_map + (fun bw + => let s_bw := Decimal.Z.to_string bw in + List.flat_map + (fun '(newname, bitsname) + => [""%string] + ++ (comment_block + [text_before_function_name ++ newname ++ " is a thin wrapper around " ++ bitsname ++ " that uses " ++ carry_type ++ " rather than uint" ++ s_bw]%string) + ++ ["func " ++ newname ++ "(x uint" ++ s_bw ++ ", y uint" ++ s_bw ++ ", carry " ++ carry_type ++ ") (uint" ++ s_bw ++ ", " ++ carry_type ++ ") {" + ; String.Tab ++ "sum, carryOut := " ++ bitsname ++ "(x, y, uint" ++ s_bw ++ "(carry))" + ; String.Tab ++ "return sum, " ++ carry_type ++ "(carryOut)" + ; "}"]%string) + [(ToString.format_special_function_name internal_private prefix "addcarryx" false(*unsigned*) bw, "bits.Add" ++ s_bw) + ; (ToString.format_special_function_name internal_private prefix "subborrowx" false(*unsigned*) bw, "bits.Sub" ++ s_bw)]%string) + special_addcarryx_lg_splits)))%list. (* Instead of "macros for minimum-width integer constants" we tried to use numeric casts in Go. 
It turns out that it wasn't needed and Go @@ -159,7 +165,7 @@ Module Go. (* integer literals *) | (IR.literal v @@@ _) => int_literal_to_string prefix IR.type.Z v (* array dereference *) - | (IR.List_nth n @@@ IR.Var _ v) => "(" ++ v ++ "[" ++ Decimal.Z.to_string (Z.of_nat n) ++ "])" + | (IR.List_nth n @@@ IR.Var _ v) => v ++ "[" ++ Decimal.Z.to_string (Z.of_nat n) ++ "]" (* (de)referencing *) | (IR.Addr @@@ IR.Var _ v) => "&" ++ v | (IR.Dereference @@@ e) => "( *" ++ arith_to_string internal_private prefix e ++ " )" @@ -263,7 +269,7 @@ Module Go. | IR.Call val => arith_to_string internal_private prefix val | IR.Assign true t sz name val => (* local non-mutable declaration with initialization *) - "var " ++ name ++ " " ++ primitive_type_to_string internal_private prefix t sz ++ " = " ++ arith_to_string internal_private prefix val + name ++ " := " ++ arith_to_string internal_private prefix val | IR.Assign false _ sz name val => (* This corresponds to assignment to a non-pointer variable and should never ever happen in our generated code. Fiat-crypto handles it but I @@ -420,9 +426,16 @@ Module Go. get_Zcast_down_if_needed desired_type (Some ty), (** always cast to the width of the type, unless we are already exactly that type (which the machinery in IR handles *) Some ty) - | Z_bneg + | IR.Z_bneg => ((* bneg is !, i.e., takes the argument to 1 if its not zero, and to zero if it is zero; so we don't ever need to cast *) None, None) + | IR.Z_value_barrier ty + => ((* if the result is too big, we cast it down; we + don't need to upcast it because it'll get + picked up by implicit casts if necessary *) + get_Zcast_down_if_needed desired_type (Some ty), + (** always cast to the width of the type, unless we are already exactly that type (which the machinery in IR handles *) + Some ty) end. Local Instance GoLanguageCasts : LanguageCasts := 
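Review bot: The typedef comment in the rewritten header reads `(* C: typedef signed challr prefix_int1 *)`; the line it replaces had `signed char`, so the rewrite introduced a typo — `(* C: typedef signed char prefix_int1 *)`. The `""` appended after the typedef group and after `import "math/bits"` is what keeps the declaration groups apart, but the `var _ = error_Go_output_does_not_support_128_bit_integers...` line gets no such separator, so when it fires the `List.tl` that follows glues it straight onto the first wrapper's comment; presumably cosmetic, since that line is a deliberate compile error. The enclosing `Definition header` starts outside this hunk.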
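Review bot: `name ++ " := " ++ arith_to_string internal_private prefix val` drops the declared type (`primitive_type_to_string internal_private prefix t sz`) from the emitted local, so the Go variable's type is now whatever the right-hand side infers rather than the width the IR assigned to it. With `var x T = e` an untyped constant takes type `T` and a typed `e` of another width is a compile error; with `x := e` an untyped constant defaults to `int` and a width mismatch is accepted, which for limb and carry arithmetic is exactly the kind of silent drift the bounds proofs do not cover. That is only safe if `arith_to_string` always yields an expression of the intended type (typed literals, explicit casts); the `IR.literal` case in the hunk above goes through `int_literal_to_string`, whose output is not visible here, so I'd either confirm that or keep the type on the left, e.g. `"var " ++ name ++ " " ++ primitive_type_to_string internal_private prefix t sz ++ " = " ++ arith_to_string internal_private prefix val`. The enclosing match starts and ends outside the hunk.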
@@ -439,9 +452,9 @@ Module Go. (f : type.for_each_lhs_of_arrow var_data t * var_data (type.base (type.final_codomain t)) * IR.expr) : list string := let '(args, rets, body) := f in - ("/*inline*/" ++ String.NewLine ++ "func " ++ name ++ + ("func " ++ name ++ "(" ++ String.concat ", " (to_arg_list internal_private prefix Out rets ++ to_arg_list_for_each_lhs_of_arrow internal_private prefix args) ++ - ") {")%string :: (List.map (fun s => " " ++ s)%string (to_strings internal_private prefix body)) ++ ["}"%string]%list. + ") {")%string :: (List.map (fun s => String.Tab ++ s)%string (to_strings internal_private prefix body)) ++ ["}"%string]%list. Definition strip_special_infos (infos : ToString.ident_infos) : ToString.ident_infos := ToString.ident_info_diff @@ -459,6 +472,7 @@ Module Go. Definition ToFunctionLines {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} (machine_wordsize : Z) (do_bounds_check : bool) (internal_private : bool) (private : bool) (prefix : string) (name : string) {t} @@ -491,7 +505,7 @@ Module Go. ToString.comment_file_header_block := comment_block_extra_newlines; ToString.ToFunctionLines := @ToFunctionLines; ToString.header := @header; - ToString.footer := fun _ _ _ _ _ _ _ _ => []; + ToString.footer := fun _ _ _ _ _ _ _ _ _ => []; ToString.strip_special_infos machine_wordsize := strip_special_infos |}. End Go. diff --git a/src/Stringification/JSON.v b/src/Stringification/JSON.v index c7f83b3f2d1..1bcc3d1dbb6 100644 --- a/src/Stringification/JSON.v +++ b/src/Stringification/JSON.v @@ -368,6 +368,7 @@ Module JSON. Definition ToFunctionLines {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} (machine_wordsize : Z) (do_bounds_check : bool) (internal_static : bool) (static : bool) (prefix : string) (name : string) {t} 
@@ -397,8 +398,8 @@ Module JSON. {| ToString.comment_block _ := []; ToString.comment_file_header_block _ := []; ToString.ToFunctionLines := @ToFunctionLines; - ToString.header := fun _ _ _ _ _ _ _ _ => []; - ToString.footer := fun _ _ _ _ _ _ _ _ => []; + ToString.header := fun _ _ _ _ _ _ _ _ _ => []; + ToString.footer := fun _ _ _ _ _ _ _ _ _ => []; (** No special handling for any functions *) ToString.strip_special_infos machine_wordsize infos := infos |}. diff --git a/src/Stringification/Java.v b/src/Stringification/Java.v index da310f232c7..f4a330860d3 100644 --- a/src/Stringification/Java.v +++ b/src/Stringification/Java.v @@ -29,6 +29,7 @@ Module Java. (* Header imports and type defs *) Definition header {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} (machine_wordsize : Z) (internal_private : bool) (private : bool) (prefix : string) (infos : ToString.ident_infos) @@ -48,9 +49,11 @@ Module Java. " public void set(T value) { this.value = value; }"; " public T get() { return this.value; }"; "}"; + ""; ""]%string)). Definition footer {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} (machine_wordsize : Z) (internal_private : bool) (private : bool) (prefix : string) (infos : ToString.ident_infos) @@ -382,6 +385,7 @@ Module Java. Definition ToFunctionLines {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} (machine_wordsize : Z) (do_bounds_check : bool) (internal_private : bool) (internal : bool) (prefix : string) (name : string) {t} diff --git a/src/Stringification/Language.v b/src/Stringification/Language.v index 1b9ca563f86..6db473f2c22 100644 --- a/src/Stringification/Language.v 
+++ b/src/Stringification/Language.v
@@ -95,6 +95,22 @@ Module Compilers.
 class_naming_convention (if String.endswith "_" prefix then substring 0 (String.length prefix - 1) prefix else prefix) end.
+
+ Definition default_text_before_function_name : string := "The function ".
+
+ Class documentation_options_opt :=
+ {
+ (** Text to insert before the function name *)
+ text_before_function_name_opt : option string;
+ text_before_function_name : string := Option.value text_before_function_name_opt default_text_before_function_name;
+ (** Stick an extra newline before the package declaration *)
+ newline_before_package_declaration : bool;
+ }.
+
+ Definition default_documentation_options : documentation_options_opt
+ := {| text_before_function_name_opt := None
+ ; newline_before_package_declaration := false
+ |}.
 End Options. Module ToString.
@@ -1271,6 +1287,7 @@ Module Compilers.
 ToFunctionLines : forall {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt}
+ {documentation_options : documentation_options_opt}
 (machine_wordsize : Z) (do_bounds_check : bool) (internal_static : bool) (static : bool) (prefix : string) (name : string) {t}
@@ -1284,6 +1301,7 @@ Module Compilers.
 (** Generates a header of any needed typedefs, etc based on the idents used and the curve-specific prefix *) header : forall {language_naming_conventions : language_naming_conventions_opt}
+ {documentation_options : documentation_options_opt}
 {package_name : package_name_opt} {class_name : class_name_opt} (machine_wordsize : Z) (internal_static : bool) (static : bool) (prefix : string) (ident_info : ident_infos),
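Review bot: The doc comment on `text_before_function_name_opt` should say that the value is concatenated directly with the function name, because the default `"The function "` carries its own trailing space and a caller who supplies `"Function"` gets `FunctionFiatCarryMul …` (example constructed). I'd write `(** Text placed immediately before the function name in generated docstrings; include any trailing separator. [None] means [default_text_before_function_name]; [Some ""] starts the docstring with the bare function name. *)`. `newline_before_package_declaration` is consumed by the Go header (`(if newline_before_package_declaration then [""] else [])`), and its comment could say what the blank line is for: `(** Emit a blank line before the package clause so a preceding file-header comment is not read as the package doc comment (Go). *)` — the "package doc comment" reading is mine and worth confirming.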
@@ -1292,6 +1310,7 @@ Module Compilers. (** The footer on the file, if any *) footer : forall {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_name : package_name_opt} {class_name : class_name_opt} (machine_wordsize : Z) (internal_static : bool) (static : bool) (prefix : string) (ident_info : ident_infos), @@ -1303,7 +1322,6 @@ Module Compilers. strip_special_infos : forall (machine_wordsize : Z), ident_infos -> ident_infos; - }. End ToString. End Compilers. diff --git a/src/Stringification/Rust.v b/src/Stringification/Rust.v index e26e92d7caa..37925e7bc4f 100644 --- a/src/Stringification/Rust.v +++ b/src/Stringification/Rust.v @@ -37,6 +37,7 @@ Module Rust. (* Header imports and type defs *) Definition header {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} (machine_wordsize : Z) (internal_private : bool) (private : bool) (prefix : string) (infos : ToString.ident_infos) @@ -53,7 +54,8 @@ Module Rust. then [type_prefix ++ int_type_to_string internal_private prefix (int.of_bitwidth false bw) ++ " = u8;"; (* C: typedef unsigned char prefix_uint1 *) type_prefix ++ int_type_to_string internal_private prefix (int.of_bitwidth true bw) ++ " = i8;" ]%string (* C: typedef signed char prefix_int1 *) else [])) - [1; 2]))%list. + [1; 2]) + ++ [""])%list%string. (* Instead of "macros for minimum-width integer constants" we tried to use numeric casts in Rust. It turns out that it wasn't needed and Rust @@ -335,6 +337,7 @@ Module Rust. Definition ToFunctionLines {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} (machine_wordsize : Z) (do_bounds_check : bool) (internal_private : bool) (private : bool) (prefix : string) (name : string) {t} 
@@ -366,7 +369,7 @@ Module Rust. ToString.comment_file_header_block := comment_module_header_block; ToString.ToFunctionLines := @ToFunctionLines; ToString.header := @header; - ToString.footer := fun _ _ _ _ _ _ _ _ => []; + ToString.footer := fun _ _ _ _ _ _ _ _ _ => []; (** No special handling for any functions *) ToString.strip_special_infos machine_wordsize infos := infos |}. diff --git a/src/Stringification/Zig.v b/src/Stringification/Zig.v index 4e80c6e7b68..d47000a1ed8 100644 --- a/src/Stringification/Zig.v +++ b/src/Stringification/Zig.v @@ -27,6 +27,7 @@ Module Zig. Definition header {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} {package_namev : package_name_opt} {class_namev : class_name_opt} (machine_wordsize : Z) (internal_private : bool) (private : bool) (prefix : string) (infos : ToString.ident_infos) @@ -270,6 +271,7 @@ Module Zig. Definition ToFunctionLines {relax_zrange : relax_zrange_opt} {language_naming_conventions : language_naming_conventions_opt} + {documentation_options : documentation_options_opt} (machine_wordsize : Z) (do_bounds_check : bool) (internal_private : bool) (private : bool) (prefix : string) (name : string) {t} @@ -301,7 +303,7 @@ Module Zig. ToString.comment_file_header_block := comment_module_header_block; ToString.ToFunctionLines := @ToFunctionLines; ToString.header := @header; - ToString.footer := fun _ _ _ _ _ _ _ _ => []; + ToString.footer := fun _ _ _ _ _ _ _ _ _ => []; ToString.strip_special_infos machine_wordsize infos := infos |}. End Zig. diff --git a/src/Util/Strings/String.v b/src/Util/Strings/String.v index 07031a4278a..6ffcbc436a8 100644 --- a/src/Util/Strings/String.v +++ b/src/Util/Strings/String.v 
@@ -337,6 +337,7 @@ Notation NewLine := (String Ascii.NewLine "").
 Notation CR := (String Ascii.CR "").
 Notation LF := (String Ascii.LF "").
 Notation CRLF := (String Ascii.CR (String Ascii.LF "")).
+Notation Tab := (String Ascii.Tab "").
 (** Given a list of strings, breaks all strings within the list at CFLF, CF, and LF. Useful for normalizing a newline-separated list
@@ -395,3 +396,17 @@ Definition rfill (ch : ascii) (ls : list string) : list string
 := let len := List.fold_right Nat.max 0 (List.map String.length ls) in
 let fill s := s ++ repeat ch (len - String.length s) in
 List.map fill ls.
+
+Definition strip_trailing_spaces (s : string) : string
+ := concat NewLine (List.map rtrim (split NewLine s)).
+
+Fixpoint strip_leading_newlines (s : list string) : list string
+ := match s with
+ | nil => nil
+ | s :: ls => if (rtrim s =? "")%string
+ then strip_leading_newlines ls
+ else s :: ls
+ end.
+
+Definition strip_trailing_newlines (s : list string) : list string
+ := List.rev (strip_leading_newlines (List.rev s)).
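Review bot: `strip_leading_newlines` drops every leading line whose `rtrim` is `""`, i.e. blank or whitespace-only lines, so the name undersells what it removes, and none of the three new definitions has a doc comment. I'd add `(** Drops leading lines that are empty or whitespace-only (as judged by [rtrim]). *)` on `strip_leading_newlines`, `(** Drops trailing lines that are empty or whitespace-only; [strip_leading_newlines] on the reversed list. *)` on `strip_trailing_newlines`, and on `strip_trailing_spaces` a note that it applies [rtrim] to each [NewLine]-separated line, so a CR preceding the LF survives unless [rtrim] strips it ([rtrim] and [split] are not visible here). `Notation Tab := (String Ascii.Tab "")` assumes the project's `Ascii` module exports `Tab` alongside `NewLine`/`CR`/`LF`, which this diff does not show. `strip_trailing_spaces` also has no caller anywhere in this diff, so it may be dead on arrival.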