scalar_fiat.mx raw
1 // Code generated by Fiat Cryptography. DO NOT EDIT.
2 //
3 // Autogenerated: word_by_word_montgomery --lang Go --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name edwards25519 Scalar 64 '2^252 + 27742317777372353535851937790883648493' mul add sub opp nonzero from_montgomery to_montgomery to_bytes from_bytes
4 //
5 // curve description: Scalar
6 //
7 // machine_wordsize = 64 (from "64")
8 //
9 // requested operations: mul, add, sub, opp, nonzero, from_montgomery, to_montgomery, to_bytes, from_bytes
10 //
11 // m = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed (from "2^252 + 27742317777372353535851937790883648493")
12 //
13 //
14 //
15 // NOTE: In addition to the bounds specified above each function, all
16 //
17 // functions synthesized for this Montgomery arithmetic require the
18 //
19 // input to be strictly less than the prime modulus (m), and also
20 //
21 // require the input to be in the unique saturated representation.
22 //
23 // All functions also ensure that these two properties are true of
24 //
25 // return values.
26 //
27 //
28 //
29 // Computed values:
30 //
31 // eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192)
32 //
33 // bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)
34 //
35 // twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in
36 //
37 // if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256
38
39 package edwards25519
40
41 import "math/bits"
42
43 type fiatScalarUint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927
44 type fiatScalarInt1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927
45
46 // The type fiatScalarMontgomeryDomainFieldElement is a field element in the Montgomery domain.
47 //
48 // Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
49 type fiatScalarMontgomeryDomainFieldElement [4]uint64
50
51 // The type fiatScalarNonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain.
52 //
53 // Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
54 type fiatScalarNonMontgomeryDomainFieldElement [4]uint64
55
56 // fiatScalarCmovznzU64 is a single-word conditional move.
57 //
58 // Postconditions:
59 //
60 // out1 = (if arg1 = 0 then arg2 else arg3)
61 //
62 // Input Bounds:
63 //
64 // arg1: [0x0 ~> 0x1]
65 // arg2: [0x0 ~> 0xffffffffffffffff]
66 // arg3: [0x0 ~> 0xffffffffffffffff]
67 //
68 // Output Bounds:
69 //
70 // out1: [0x0 ~> 0xffffffffffffffff]
71 func fiatScalarCmovznzU64(out1 *uint64, arg1 fiatScalarUint1, arg2 uint64, arg3 uint64) {
72 x1 := (uint64(arg1) * 0xffffffffffffffff)
73 x2 := ((x1 & arg3) | ((^x1) & arg2))
74 *out1 = x2
75 }
76
77 // fiatScalarMul multiplies two field elements in the Montgomery domain.
78 //
79 // Preconditions:
80 //
81 // 0 ≤ eval arg1 < m
82 // 0 ≤ eval arg2 < m
83 //
84 // Postconditions:
85 //
86 // eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m
87 // 0 ≤ eval out1 < m
88 func fiatScalarMul(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement) {
89 x1 := arg1[1]
90 x2 := arg1[2]
91 x3 := arg1[3]
92 x4 := arg1[0]
93 var x5 uint64
94 var x6 uint64
95 x6, x5 = bits.Mul64(x4, arg2[3])
96 var x7 uint64
97 var x8 uint64
98 x8, x7 = bits.Mul64(x4, arg2[2])
99 var x9 uint64
100 var x10 uint64
101 x10, x9 = bits.Mul64(x4, arg2[1])
102 var x11 uint64
103 var x12 uint64
104 x12, x11 = bits.Mul64(x4, arg2[0])
105 var x13 uint64
106 var x14 uint64
107 x13, x14 = bits.Add64(x12, x9, uint64(0x0))
108 var x15 uint64
109 var x16 uint64
110 x15, x16 = bits.Add64(x10, x7, uint64(fiatScalarUint1(x14)))
111 var x17 uint64
112 var x18 uint64
113 x17, x18 = bits.Add64(x8, x5, uint64(fiatScalarUint1(x16)))
114 x19 := (uint64(fiatScalarUint1(x18)) + x6)
115 var x20 uint64
116 _, x20 = bits.Mul64(x11, 0xd2b51da312547e1b)
117 var x22 uint64
118 var x23 uint64
119 x23, x22 = bits.Mul64(x20, 0x1000000000000000)
120 var x24 uint64
121 var x25 uint64
122 x25, x24 = bits.Mul64(x20, 0x14def9dea2f79cd6)
123 var x26 uint64
124 var x27 uint64
125 x27, x26 = bits.Mul64(x20, 0x5812631a5cf5d3ed)
126 var x28 uint64
127 var x29 uint64
128 x28, x29 = bits.Add64(x27, x24, uint64(0x0))
129 x30 := (uint64(fiatScalarUint1(x29)) + x25)
130 var x32 uint64
131 _, x32 = bits.Add64(x11, x26, uint64(0x0))
132 var x33 uint64
133 var x34 uint64
134 x33, x34 = bits.Add64(x13, x28, uint64(fiatScalarUint1(x32)))
135 var x35 uint64
136 var x36 uint64
137 x35, x36 = bits.Add64(x15, x30, uint64(fiatScalarUint1(x34)))
138 var x37 uint64
139 var x38 uint64
140 x37, x38 = bits.Add64(x17, x22, uint64(fiatScalarUint1(x36)))
141 var x39 uint64
142 var x40 uint64
143 x39, x40 = bits.Add64(x19, x23, uint64(fiatScalarUint1(x38)))
144 var x41 uint64
145 var x42 uint64
146 x42, x41 = bits.Mul64(x1, arg2[3])
147 var x43 uint64
148 var x44 uint64
149 x44, x43 = bits.Mul64(x1, arg2[2])
150 var x45 uint64
151 var x46 uint64
152 x46, x45 = bits.Mul64(x1, arg2[1])
153 var x47 uint64
154 var x48 uint64
155 x48, x47 = bits.Mul64(x1, arg2[0])
156 var x49 uint64
157 var x50 uint64
158 x49, x50 = bits.Add64(x48, x45, uint64(0x0))
159 var x51 uint64
160 var x52 uint64
161 x51, x52 = bits.Add64(x46, x43, uint64(fiatScalarUint1(x50)))
162 var x53 uint64
163 var x54 uint64
164 x53, x54 = bits.Add64(x44, x41, uint64(fiatScalarUint1(x52)))
165 x55 := (uint64(fiatScalarUint1(x54)) + x42)
166 var x56 uint64
167 var x57 uint64
168 x56, x57 = bits.Add64(x33, x47, uint64(0x0))
169 var x58 uint64
170 var x59 uint64
171 x58, x59 = bits.Add64(x35, x49, uint64(fiatScalarUint1(x57)))
172 var x60 uint64
173 var x61 uint64
174 x60, x61 = bits.Add64(x37, x51, uint64(fiatScalarUint1(x59)))
175 var x62 uint64
176 var x63 uint64
177 x62, x63 = bits.Add64(x39, x53, uint64(fiatScalarUint1(x61)))
178 var x64 uint64
179 var x65 uint64
180 x64, x65 = bits.Add64(uint64(fiatScalarUint1(x40)), x55, uint64(fiatScalarUint1(x63)))
181 var x66 uint64
182 _, x66 = bits.Mul64(x56, 0xd2b51da312547e1b)
183 var x68 uint64
184 var x69 uint64
185 x69, x68 = bits.Mul64(x66, 0x1000000000000000)
186 var x70 uint64
187 var x71 uint64
188 x71, x70 = bits.Mul64(x66, 0x14def9dea2f79cd6)
189 var x72 uint64
190 var x73 uint64
191 x73, x72 = bits.Mul64(x66, 0x5812631a5cf5d3ed)
192 var x74 uint64
193 var x75 uint64
194 x74, x75 = bits.Add64(x73, x70, uint64(0x0))
195 x76 := (uint64(fiatScalarUint1(x75)) + x71)
196 var x78 uint64
197 _, x78 = bits.Add64(x56, x72, uint64(0x0))
198 var x79 uint64
199 var x80 uint64
200 x79, x80 = bits.Add64(x58, x74, uint64(fiatScalarUint1(x78)))
201 var x81 uint64
202 var x82 uint64
203 x81, x82 = bits.Add64(x60, x76, uint64(fiatScalarUint1(x80)))
204 var x83 uint64
205 var x84 uint64
206 x83, x84 = bits.Add64(x62, x68, uint64(fiatScalarUint1(x82)))
207 var x85 uint64
208 var x86 uint64
209 x85, x86 = bits.Add64(x64, x69, uint64(fiatScalarUint1(x84)))
210 x87 := (uint64(fiatScalarUint1(x86)) + uint64(fiatScalarUint1(x65)))
211 var x88 uint64
212 var x89 uint64
213 x89, x88 = bits.Mul64(x2, arg2[3])
214 var x90 uint64
215 var x91 uint64
216 x91, x90 = bits.Mul64(x2, arg2[2])
217 var x92 uint64
218 var x93 uint64
219 x93, x92 = bits.Mul64(x2, arg2[1])
220 var x94 uint64
221 var x95 uint64
222 x95, x94 = bits.Mul64(x2, arg2[0])
223 var x96 uint64
224 var x97 uint64
225 x96, x97 = bits.Add64(x95, x92, uint64(0x0))
226 var x98 uint64
227 var x99 uint64
228 x98, x99 = bits.Add64(x93, x90, uint64(fiatScalarUint1(x97)))
229 var x100 uint64
230 var x101 uint64
231 x100, x101 = bits.Add64(x91, x88, uint64(fiatScalarUint1(x99)))
232 x102 := (uint64(fiatScalarUint1(x101)) + x89)
233 var x103 uint64
234 var x104 uint64
235 x103, x104 = bits.Add64(x79, x94, uint64(0x0))
236 var x105 uint64
237 var x106 uint64
238 x105, x106 = bits.Add64(x81, x96, uint64(fiatScalarUint1(x104)))
239 var x107 uint64
240 var x108 uint64
241 x107, x108 = bits.Add64(x83, x98, uint64(fiatScalarUint1(x106)))
242 var x109 uint64
243 var x110 uint64
244 x109, x110 = bits.Add64(x85, x100, uint64(fiatScalarUint1(x108)))
245 var x111 uint64
246 var x112 uint64
247 x111, x112 = bits.Add64(x87, x102, uint64(fiatScalarUint1(x110)))
248 var x113 uint64
249 _, x113 = bits.Mul64(x103, 0xd2b51da312547e1b)
250 var x115 uint64
251 var x116 uint64
252 x116, x115 = bits.Mul64(x113, 0x1000000000000000)
253 var x117 uint64
254 var x118 uint64
255 x118, x117 = bits.Mul64(x113, 0x14def9dea2f79cd6)
256 var x119 uint64
257 var x120 uint64
258 x120, x119 = bits.Mul64(x113, 0x5812631a5cf5d3ed)
259 var x121 uint64
260 var x122 uint64
261 x121, x122 = bits.Add64(x120, x117, uint64(0x0))
262 x123 := (uint64(fiatScalarUint1(x122)) + x118)
263 var x125 uint64
264 _, x125 = bits.Add64(x103, x119, uint64(0x0))
265 var x126 uint64
266 var x127 uint64
267 x126, x127 = bits.Add64(x105, x121, uint64(fiatScalarUint1(x125)))
268 var x128 uint64
269 var x129 uint64
270 x128, x129 = bits.Add64(x107, x123, uint64(fiatScalarUint1(x127)))
271 var x130 uint64
272 var x131 uint64
273 x130, x131 = bits.Add64(x109, x115, uint64(fiatScalarUint1(x129)))
274 var x132 uint64
275 var x133 uint64
276 x132, x133 = bits.Add64(x111, x116, uint64(fiatScalarUint1(x131)))
277 x134 := (uint64(fiatScalarUint1(x133)) + uint64(fiatScalarUint1(x112)))
278 var x135 uint64
279 var x136 uint64
280 x136, x135 = bits.Mul64(x3, arg2[3])
281 var x137 uint64
282 var x138 uint64
283 x138, x137 = bits.Mul64(x3, arg2[2])
284 var x139 uint64
285 var x140 uint64
286 x140, x139 = bits.Mul64(x3, arg2[1])
287 var x141 uint64
288 var x142 uint64
289 x142, x141 = bits.Mul64(x3, arg2[0])
290 var x143 uint64
291 var x144 uint64
292 x143, x144 = bits.Add64(x142, x139, uint64(0x0))
293 var x145 uint64
294 var x146 uint64
295 x145, x146 = bits.Add64(x140, x137, uint64(fiatScalarUint1(x144)))
296 var x147 uint64
297 var x148 uint64
298 x147, x148 = bits.Add64(x138, x135, uint64(fiatScalarUint1(x146)))
299 x149 := (uint64(fiatScalarUint1(x148)) + x136)
300 var x150 uint64
301 var x151 uint64
302 x150, x151 = bits.Add64(x126, x141, uint64(0x0))
303 var x152 uint64
304 var x153 uint64
305 x152, x153 = bits.Add64(x128, x143, uint64(fiatScalarUint1(x151)))
306 var x154 uint64
307 var x155 uint64
308 x154, x155 = bits.Add64(x130, x145, uint64(fiatScalarUint1(x153)))
309 var x156 uint64
310 var x157 uint64
311 x156, x157 = bits.Add64(x132, x147, uint64(fiatScalarUint1(x155)))
312 var x158 uint64
313 var x159 uint64
314 x158, x159 = bits.Add64(x134, x149, uint64(fiatScalarUint1(x157)))
315 var x160 uint64
316 _, x160 = bits.Mul64(x150, 0xd2b51da312547e1b)
317 var x162 uint64
318 var x163 uint64
319 x163, x162 = bits.Mul64(x160, 0x1000000000000000)
320 var x164 uint64
321 var x165 uint64
322 x165, x164 = bits.Mul64(x160, 0x14def9dea2f79cd6)
323 var x166 uint64
324 var x167 uint64
325 x167, x166 = bits.Mul64(x160, 0x5812631a5cf5d3ed)
326 var x168 uint64
327 var x169 uint64
328 x168, x169 = bits.Add64(x167, x164, uint64(0x0))
329 x170 := (uint64(fiatScalarUint1(x169)) + x165)
330 var x172 uint64
331 _, x172 = bits.Add64(x150, x166, uint64(0x0))
332 var x173 uint64
333 var x174 uint64
334 x173, x174 = bits.Add64(x152, x168, uint64(fiatScalarUint1(x172)))
335 var x175 uint64
336 var x176 uint64
337 x175, x176 = bits.Add64(x154, x170, uint64(fiatScalarUint1(x174)))
338 var x177 uint64
339 var x178 uint64
340 x177, x178 = bits.Add64(x156, x162, uint64(fiatScalarUint1(x176)))
341 var x179 uint64
342 var x180 uint64
343 x179, x180 = bits.Add64(x158, x163, uint64(fiatScalarUint1(x178)))
344 x181 := (uint64(fiatScalarUint1(x180)) + uint64(fiatScalarUint1(x159)))
345 var x182 uint64
346 var x183 uint64
347 x182, x183 = bits.Sub64(x173, 0x5812631a5cf5d3ed, uint64(0x0))
348 var x184 uint64
349 var x185 uint64
350 x184, x185 = bits.Sub64(x175, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x183)))
351 var x186 uint64
352 var x187 uint64
353 x186, x187 = bits.Sub64(x177, uint64(0x0), uint64(fiatScalarUint1(x185)))
354 var x188 uint64
355 var x189 uint64
356 x188, x189 = bits.Sub64(x179, 0x1000000000000000, uint64(fiatScalarUint1(x187)))
357 var x191 uint64
358 _, x191 = bits.Sub64(x181, uint64(0x0), uint64(fiatScalarUint1(x189)))
359 var x192 uint64
360 fiatScalarCmovznzU64(&x192, fiatScalarUint1(x191), x182, x173)
361 var x193 uint64
362 fiatScalarCmovznzU64(&x193, fiatScalarUint1(x191), x184, x175)
363 var x194 uint64
364 fiatScalarCmovznzU64(&x194, fiatScalarUint1(x191), x186, x177)
365 var x195 uint64
366 fiatScalarCmovznzU64(&x195, fiatScalarUint1(x191), x188, x179)
367 out1[0] = x192
368 out1[1] = x193
369 out1[2] = x194
370 out1[3] = x195
371 }
372
373 // fiatScalarAdd adds two field elements in the Montgomery domain.
374 //
375 // Preconditions:
376 //
377 // 0 ≤ eval arg1 < m
378 // 0 ≤ eval arg2 < m
379 //
380 // Postconditions:
381 //
382 // eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m
383 // 0 ≤ eval out1 < m
384 func fiatScalarAdd(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement) {
385 var x1 uint64
386 var x2 uint64
387 x1, x2 = bits.Add64(arg1[0], arg2[0], uint64(0x0))
388 var x3 uint64
389 var x4 uint64
390 x3, x4 = bits.Add64(arg1[1], arg2[1], uint64(fiatScalarUint1(x2)))
391 var x5 uint64
392 var x6 uint64
393 x5, x6 = bits.Add64(arg1[2], arg2[2], uint64(fiatScalarUint1(x4)))
394 var x7 uint64
395 var x8 uint64
396 x7, x8 = bits.Add64(arg1[3], arg2[3], uint64(fiatScalarUint1(x6)))
397 var x9 uint64
398 var x10 uint64
399 x9, x10 = bits.Sub64(x1, 0x5812631a5cf5d3ed, uint64(0x0))
400 var x11 uint64
401 var x12 uint64
402 x11, x12 = bits.Sub64(x3, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x10)))
403 var x13 uint64
404 var x14 uint64
405 x13, x14 = bits.Sub64(x5, uint64(0x0), uint64(fiatScalarUint1(x12)))
406 var x15 uint64
407 var x16 uint64
408 x15, x16 = bits.Sub64(x7, 0x1000000000000000, uint64(fiatScalarUint1(x14)))
409 var x18 uint64
410 _, x18 = bits.Sub64(uint64(fiatScalarUint1(x8)), uint64(0x0), uint64(fiatScalarUint1(x16)))
411 var x19 uint64
412 fiatScalarCmovznzU64(&x19, fiatScalarUint1(x18), x9, x1)
413 var x20 uint64
414 fiatScalarCmovznzU64(&x20, fiatScalarUint1(x18), x11, x3)
415 var x21 uint64
416 fiatScalarCmovznzU64(&x21, fiatScalarUint1(x18), x13, x5)
417 var x22 uint64
418 fiatScalarCmovznzU64(&x22, fiatScalarUint1(x18), x15, x7)
419 out1[0] = x19
420 out1[1] = x20
421 out1[2] = x21
422 out1[3] = x22
423 }
424
425 // fiatScalarSub subtracts two field elements in the Montgomery domain.
426 //
427 // Preconditions:
428 //
429 // 0 ≤ eval arg1 < m
430 // 0 ≤ eval arg2 < m
431 //
432 // Postconditions:
433 //
434 // eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m
435 // 0 ≤ eval out1 < m
436 func fiatScalarSub(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement) {
437 var x1 uint64
438 var x2 uint64
439 x1, x2 = bits.Sub64(arg1[0], arg2[0], uint64(0x0))
440 var x3 uint64
441 var x4 uint64
442 x3, x4 = bits.Sub64(arg1[1], arg2[1], uint64(fiatScalarUint1(x2)))
443 var x5 uint64
444 var x6 uint64
445 x5, x6 = bits.Sub64(arg1[2], arg2[2], uint64(fiatScalarUint1(x4)))
446 var x7 uint64
447 var x8 uint64
448 x7, x8 = bits.Sub64(arg1[3], arg2[3], uint64(fiatScalarUint1(x6)))
449 var x9 uint64
450 fiatScalarCmovznzU64(&x9, fiatScalarUint1(x8), uint64(0x0), 0xffffffffffffffff)
451 var x10 uint64
452 var x11 uint64
453 x10, x11 = bits.Add64(x1, (x9 & 0x5812631a5cf5d3ed), uint64(0x0))
454 var x12 uint64
455 var x13 uint64
456 x12, x13 = bits.Add64(x3, (x9 & 0x14def9dea2f79cd6), uint64(fiatScalarUint1(x11)))
457 var x14 uint64
458 var x15 uint64
459 x14, x15 = bits.Add64(x5, uint64(0x0), uint64(fiatScalarUint1(x13)))
460 var x16 uint64
461 x16, _ = bits.Add64(x7, (x9 & 0x1000000000000000), uint64(fiatScalarUint1(x15)))
462 out1[0] = x10
463 out1[1] = x12
464 out1[2] = x14
465 out1[3] = x16
466 }
467
468 // fiatScalarOpp negates a field element in the Montgomery domain.
469 //
470 // Preconditions:
471 //
472 // 0 ≤ eval arg1 < m
473 //
474 // Postconditions:
475 //
476 // eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m
477 // 0 ≤ eval out1 < m
478 func fiatScalarOpp(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement) {
479 var x1 uint64
480 var x2 uint64
481 x1, x2 = bits.Sub64(uint64(0x0), arg1[0], uint64(0x0))
482 var x3 uint64
483 var x4 uint64
484 x3, x4 = bits.Sub64(uint64(0x0), arg1[1], uint64(fiatScalarUint1(x2)))
485 var x5 uint64
486 var x6 uint64
487 x5, x6 = bits.Sub64(uint64(0x0), arg1[2], uint64(fiatScalarUint1(x4)))
488 var x7 uint64
489 var x8 uint64
490 x7, x8 = bits.Sub64(uint64(0x0), arg1[3], uint64(fiatScalarUint1(x6)))
491 var x9 uint64
492 fiatScalarCmovznzU64(&x9, fiatScalarUint1(x8), uint64(0x0), 0xffffffffffffffff)
493 var x10 uint64
494 var x11 uint64
495 x10, x11 = bits.Add64(x1, (x9 & 0x5812631a5cf5d3ed), uint64(0x0))
496 var x12 uint64
497 var x13 uint64
498 x12, x13 = bits.Add64(x3, (x9 & 0x14def9dea2f79cd6), uint64(fiatScalarUint1(x11)))
499 var x14 uint64
500 var x15 uint64
501 x14, x15 = bits.Add64(x5, uint64(0x0), uint64(fiatScalarUint1(x13)))
502 var x16 uint64
503 x16, _ = bits.Add64(x7, (x9 & 0x1000000000000000), uint64(fiatScalarUint1(x15)))
504 out1[0] = x10
505 out1[1] = x12
506 out1[2] = x14
507 out1[3] = x16
508 }
509
510 // fiatScalarNonzero outputs a single non-zero word if the input is non-zero and zero otherwise.
511 //
512 // Preconditions:
513 //
514 // 0 ≤ eval arg1 < m
515 //
516 // Postconditions:
517 //
518 // out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0
519 //
520 // Input Bounds:
521 //
522 // arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
523 //
524 // Output Bounds:
525 //
526 // out1: [0x0 ~> 0xffffffffffffffff]
527 func fiatScalarNonzero(out1 *uint64, arg1 *[4]uint64) {
528 x1 := (arg1[0] | (arg1[1] | (arg1[2] | arg1[3])))
529 *out1 = x1
530 }
531
532 // fiatScalarFromMontgomery translates a field element out of the Montgomery domain.
533 //
534 // Preconditions:
535 //
536 // 0 ≤ eval arg1 < m
537 //
538 // Postconditions:
539 //
540 // eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m
541 // 0 ≤ eval out1 < m
542 func fiatScalarFromMontgomery(out1 *fiatScalarNonMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement) {
543 x1 := arg1[0]
544 var x2 uint64
545 _, x2 = bits.Mul64(x1, 0xd2b51da312547e1b)
546 var x4 uint64
547 var x5 uint64
548 x5, x4 = bits.Mul64(x2, 0x1000000000000000)
549 var x6 uint64
550 var x7 uint64
551 x7, x6 = bits.Mul64(x2, 0x14def9dea2f79cd6)
552 var x8 uint64
553 var x9 uint64
554 x9, x8 = bits.Mul64(x2, 0x5812631a5cf5d3ed)
555 var x10 uint64
556 var x11 uint64
557 x10, x11 = bits.Add64(x9, x6, uint64(0x0))
558 var x13 uint64
559 _, x13 = bits.Add64(x1, x8, uint64(0x0))
560 var x14 uint64
561 var x15 uint64
562 x14, x15 = bits.Add64(uint64(0x0), x10, uint64(fiatScalarUint1(x13)))
563 var x16 uint64
564 var x17 uint64
565 x16, x17 = bits.Add64(x14, arg1[1], uint64(0x0))
566 var x18 uint64
567 _, x18 = bits.Mul64(x16, 0xd2b51da312547e1b)
568 var x20 uint64
569 var x21 uint64
570 x21, x20 = bits.Mul64(x18, 0x1000000000000000)
571 var x22 uint64
572 var x23 uint64
573 x23, x22 = bits.Mul64(x18, 0x14def9dea2f79cd6)
574 var x24 uint64
575 var x25 uint64
576 x25, x24 = bits.Mul64(x18, 0x5812631a5cf5d3ed)
577 var x26 uint64
578 var x27 uint64
579 x26, x27 = bits.Add64(x25, x22, uint64(0x0))
580 var x29 uint64
581 _, x29 = bits.Add64(x16, x24, uint64(0x0))
582 var x30 uint64
583 var x31 uint64
584 x30, x31 = bits.Add64((uint64(fiatScalarUint1(x17)) + (uint64(fiatScalarUint1(x15)) + (uint64(fiatScalarUint1(x11)) + x7))), x26, uint64(fiatScalarUint1(x29)))
585 var x32 uint64
586 var x33 uint64
587 x32, x33 = bits.Add64(x4, (uint64(fiatScalarUint1(x27)) + x23), uint64(fiatScalarUint1(x31)))
588 var x34 uint64
589 var x35 uint64
590 x34, x35 = bits.Add64(x5, x20, uint64(fiatScalarUint1(x33)))
591 var x36 uint64
592 var x37 uint64
593 x36, x37 = bits.Add64(x30, arg1[2], uint64(0x0))
594 var x38 uint64
595 var x39 uint64
596 x38, x39 = bits.Add64(x32, uint64(0x0), uint64(fiatScalarUint1(x37)))
597 var x40 uint64
598 var x41 uint64
599 x40, x41 = bits.Add64(x34, uint64(0x0), uint64(fiatScalarUint1(x39)))
600 var x42 uint64
601 _, x42 = bits.Mul64(x36, 0xd2b51da312547e1b)
602 var x44 uint64
603 var x45 uint64
604 x45, x44 = bits.Mul64(x42, 0x1000000000000000)
605 var x46 uint64
606 var x47 uint64
607 x47, x46 = bits.Mul64(x42, 0x14def9dea2f79cd6)
608 var x48 uint64
609 var x49 uint64
610 x49, x48 = bits.Mul64(x42, 0x5812631a5cf5d3ed)
611 var x50 uint64
612 var x51 uint64
613 x50, x51 = bits.Add64(x49, x46, uint64(0x0))
614 var x53 uint64
615 _, x53 = bits.Add64(x36, x48, uint64(0x0))
616 var x54 uint64
617 var x55 uint64
618 x54, x55 = bits.Add64(x38, x50, uint64(fiatScalarUint1(x53)))
619 var x56 uint64
620 var x57 uint64
621 x56, x57 = bits.Add64(x40, (uint64(fiatScalarUint1(x51)) + x47), uint64(fiatScalarUint1(x55)))
622 var x58 uint64
623 var x59 uint64
624 x58, x59 = bits.Add64((uint64(fiatScalarUint1(x41)) + (uint64(fiatScalarUint1(x35)) + x21)), x44, uint64(fiatScalarUint1(x57)))
625 var x60 uint64
626 var x61 uint64
627 x60, x61 = bits.Add64(x54, arg1[3], uint64(0x0))
628 var x62 uint64
629 var x63 uint64
630 x62, x63 = bits.Add64(x56, uint64(0x0), uint64(fiatScalarUint1(x61)))
631 var x64 uint64
632 var x65 uint64
633 x64, x65 = bits.Add64(x58, uint64(0x0), uint64(fiatScalarUint1(x63)))
634 var x66 uint64
635 _, x66 = bits.Mul64(x60, 0xd2b51da312547e1b)
636 var x68 uint64
637 var x69 uint64
638 x69, x68 = bits.Mul64(x66, 0x1000000000000000)
639 var x70 uint64
640 var x71 uint64
641 x71, x70 = bits.Mul64(x66, 0x14def9dea2f79cd6)
642 var x72 uint64
643 var x73 uint64
644 x73, x72 = bits.Mul64(x66, 0x5812631a5cf5d3ed)
645 var x74 uint64
646 var x75 uint64
647 x74, x75 = bits.Add64(x73, x70, uint64(0x0))
648 var x77 uint64
649 _, x77 = bits.Add64(x60, x72, uint64(0x0))
650 var x78 uint64
651 var x79 uint64
652 x78, x79 = bits.Add64(x62, x74, uint64(fiatScalarUint1(x77)))
653 var x80 uint64
654 var x81 uint64
655 x80, x81 = bits.Add64(x64, (uint64(fiatScalarUint1(x75)) + x71), uint64(fiatScalarUint1(x79)))
656 var x82 uint64
657 var x83 uint64
658 x82, x83 = bits.Add64((uint64(fiatScalarUint1(x65)) + (uint64(fiatScalarUint1(x59)) + x45)), x68, uint64(fiatScalarUint1(x81)))
659 x84 := (uint64(fiatScalarUint1(x83)) + x69)
660 var x85 uint64
661 var x86 uint64
662 x85, x86 = bits.Sub64(x78, 0x5812631a5cf5d3ed, uint64(0x0))
663 var x87 uint64
664 var x88 uint64
665 x87, x88 = bits.Sub64(x80, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x86)))
666 var x89 uint64
667 var x90 uint64
668 x89, x90 = bits.Sub64(x82, uint64(0x0), uint64(fiatScalarUint1(x88)))
669 var x91 uint64
670 var x92 uint64
671 x91, x92 = bits.Sub64(x84, 0x1000000000000000, uint64(fiatScalarUint1(x90)))
672 var x94 uint64
673 _, x94 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(fiatScalarUint1(x92)))
674 var x95 uint64
675 fiatScalarCmovznzU64(&x95, fiatScalarUint1(x94), x85, x78)
676 var x96 uint64
677 fiatScalarCmovznzU64(&x96, fiatScalarUint1(x94), x87, x80)
678 var x97 uint64
679 fiatScalarCmovznzU64(&x97, fiatScalarUint1(x94), x89, x82)
680 var x98 uint64
681 fiatScalarCmovznzU64(&x98, fiatScalarUint1(x94), x91, x84)
682 out1[0] = x95
683 out1[1] = x96
684 out1[2] = x97
685 out1[3] = x98
686 }
687
688 // fiatScalarToMontgomery translates a field element into the Montgomery domain.
689 //
690 // Preconditions:
691 //
692 // 0 ≤ eval arg1 < m
693 //
694 // Postconditions:
695 //
696 // eval (from_montgomery out1) mod m = eval arg1 mod m
697 // 0 ≤ eval out1 < m
698 func fiatScalarToMontgomery(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarNonMontgomeryDomainFieldElement) {
699 x1 := arg1[1]
700 x2 := arg1[2]
701 x3 := arg1[3]
702 x4 := arg1[0]
703 var x5 uint64
704 var x6 uint64
705 x6, x5 = bits.Mul64(x4, 0x399411b7c309a3d)
706 var x7 uint64
707 var x8 uint64
708 x8, x7 = bits.Mul64(x4, 0xceec73d217f5be65)
709 var x9 uint64
710 var x10 uint64
711 x10, x9 = bits.Mul64(x4, 0xd00e1ba768859347)
712 var x11 uint64
713 var x12 uint64
714 x12, x11 = bits.Mul64(x4, 0xa40611e3449c0f01)
715 var x13 uint64
716 var x14 uint64
717 x13, x14 = bits.Add64(x12, x9, uint64(0x0))
718 var x15 uint64
719 var x16 uint64
720 x15, x16 = bits.Add64(x10, x7, uint64(fiatScalarUint1(x14)))
721 var x17 uint64
722 var x18 uint64
723 x17, x18 = bits.Add64(x8, x5, uint64(fiatScalarUint1(x16)))
724 var x19 uint64
725 _, x19 = bits.Mul64(x11, 0xd2b51da312547e1b)
726 var x21 uint64
727 var x22 uint64
728 x22, x21 = bits.Mul64(x19, 0x1000000000000000)
729 var x23 uint64
730 var x24 uint64
731 x24, x23 = bits.Mul64(x19, 0x14def9dea2f79cd6)
732 var x25 uint64
733 var x26 uint64
734 x26, x25 = bits.Mul64(x19, 0x5812631a5cf5d3ed)
735 var x27 uint64
736 var x28 uint64
737 x27, x28 = bits.Add64(x26, x23, uint64(0x0))
738 var x30 uint64
739 _, x30 = bits.Add64(x11, x25, uint64(0x0))
740 var x31 uint64
741 var x32 uint64
742 x31, x32 = bits.Add64(x13, x27, uint64(fiatScalarUint1(x30)))
743 var x33 uint64
744 var x34 uint64
745 x33, x34 = bits.Add64(x15, (uint64(fiatScalarUint1(x28)) + x24), uint64(fiatScalarUint1(x32)))
746 var x35 uint64
747 var x36 uint64
748 x35, x36 = bits.Add64(x17, x21, uint64(fiatScalarUint1(x34)))
749 var x37 uint64
750 var x38 uint64
751 x38, x37 = bits.Mul64(x1, 0x399411b7c309a3d)
752 var x39 uint64
753 var x40 uint64
754 x40, x39 = bits.Mul64(x1, 0xceec73d217f5be65)
755 var x41 uint64
756 var x42 uint64
757 x42, x41 = bits.Mul64(x1, 0xd00e1ba768859347)
758 var x43 uint64
759 var x44 uint64
760 x44, x43 = bits.Mul64(x1, 0xa40611e3449c0f01)
761 var x45 uint64
762 var x46 uint64
763 x45, x46 = bits.Add64(x44, x41, uint64(0x0))
764 var x47 uint64
765 var x48 uint64
766 x47, x48 = bits.Add64(x42, x39, uint64(fiatScalarUint1(x46)))
767 var x49 uint64
768 var x50 uint64
769 x49, x50 = bits.Add64(x40, x37, uint64(fiatScalarUint1(x48)))
770 var x51 uint64
771 var x52 uint64
772 x51, x52 = bits.Add64(x31, x43, uint64(0x0))
773 var x53 uint64
774 var x54 uint64
775 x53, x54 = bits.Add64(x33, x45, uint64(fiatScalarUint1(x52)))
776 var x55 uint64
777 var x56 uint64
778 x55, x56 = bits.Add64(x35, x47, uint64(fiatScalarUint1(x54)))
779 var x57 uint64
780 var x58 uint64
781 x57, x58 = bits.Add64(((uint64(fiatScalarUint1(x36)) + (uint64(fiatScalarUint1(x18)) + x6)) + x22), x49, uint64(fiatScalarUint1(x56)))
782 var x59 uint64
783 _, x59 = bits.Mul64(x51, 0xd2b51da312547e1b)
784 var x61 uint64
785 var x62 uint64
786 x62, x61 = bits.Mul64(x59, 0x1000000000000000)
787 var x63 uint64
788 var x64 uint64
789 x64, x63 = bits.Mul64(x59, 0x14def9dea2f79cd6)
790 var x65 uint64
791 var x66 uint64
792 x66, x65 = bits.Mul64(x59, 0x5812631a5cf5d3ed)
793 var x67 uint64
794 var x68 uint64
795 x67, x68 = bits.Add64(x66, x63, uint64(0x0))
796 var x70 uint64
797 _, x70 = bits.Add64(x51, x65, uint64(0x0))
798 var x71 uint64
799 var x72 uint64
800 x71, x72 = bits.Add64(x53, x67, uint64(fiatScalarUint1(x70)))
801 var x73 uint64
802 var x74 uint64
803 x73, x74 = bits.Add64(x55, (uint64(fiatScalarUint1(x68)) + x64), uint64(fiatScalarUint1(x72)))
804 var x75 uint64
805 var x76 uint64
806 x75, x76 = bits.Add64(x57, x61, uint64(fiatScalarUint1(x74)))
807 var x77 uint64
808 var x78 uint64
809 x78, x77 = bits.Mul64(x2, 0x399411b7c309a3d)
810 var x79 uint64
811 var x80 uint64
812 x80, x79 = bits.Mul64(x2, 0xceec73d217f5be65)
813 var x81 uint64
814 var x82 uint64
815 x82, x81 = bits.Mul64(x2, 0xd00e1ba768859347)
816 var x83 uint64
817 var x84 uint64
818 x84, x83 = bits.Mul64(x2, 0xa40611e3449c0f01)
819 var x85 uint64
820 var x86 uint64
821 x85, x86 = bits.Add64(x84, x81, uint64(0x0))
822 var x87 uint64
823 var x88 uint64
824 x87, x88 = bits.Add64(x82, x79, uint64(fiatScalarUint1(x86)))
825 var x89 uint64
826 var x90 uint64
827 x89, x90 = bits.Add64(x80, x77, uint64(fiatScalarUint1(x88)))
828 var x91 uint64
829 var x92 uint64
830 x91, x92 = bits.Add64(x71, x83, uint64(0x0))
831 var x93 uint64
832 var x94 uint64
833 x93, x94 = bits.Add64(x73, x85, uint64(fiatScalarUint1(x92)))
834 var x95 uint64
835 var x96 uint64
836 x95, x96 = bits.Add64(x75, x87, uint64(fiatScalarUint1(x94)))
837 var x97 uint64
838 var x98 uint64
839 x97, x98 = bits.Add64(((uint64(fiatScalarUint1(x76)) + (uint64(fiatScalarUint1(x58)) + (uint64(fiatScalarUint1(x50)) + x38))) + x62), x89, uint64(fiatScalarUint1(x96)))
840 var x99 uint64
841 _, x99 = bits.Mul64(x91, 0xd2b51da312547e1b)
842 var x101 uint64
843 var x102 uint64
844 x102, x101 = bits.Mul64(x99, 0x1000000000000000)
845 var x103 uint64
846 var x104 uint64
847 x104, x103 = bits.Mul64(x99, 0x14def9dea2f79cd6)
848 var x105 uint64
849 var x106 uint64
850 x106, x105 = bits.Mul64(x99, 0x5812631a5cf5d3ed)
851 var x107 uint64
852 var x108 uint64
853 x107, x108 = bits.Add64(x106, x103, uint64(0x0))
854 var x110 uint64
855 _, x110 = bits.Add64(x91, x105, uint64(0x0))
856 var x111 uint64
857 var x112 uint64
858 x111, x112 = bits.Add64(x93, x107, uint64(fiatScalarUint1(x110)))
859 var x113 uint64
860 var x114 uint64
861 x113, x114 = bits.Add64(x95, (uint64(fiatScalarUint1(x108)) + x104), uint64(fiatScalarUint1(x112)))
862 var x115 uint64
863 var x116 uint64
864 x115, x116 = bits.Add64(x97, x101, uint64(fiatScalarUint1(x114)))
865 var x117 uint64
866 var x118 uint64
867 x118, x117 = bits.Mul64(x3, 0x399411b7c309a3d)
868 var x119 uint64
869 var x120 uint64
870 x120, x119 = bits.Mul64(x3, 0xceec73d217f5be65)
871 var x121 uint64
872 var x122 uint64
873 x122, x121 = bits.Mul64(x3, 0xd00e1ba768859347)
874 var x123 uint64
875 var x124 uint64
876 x124, x123 = bits.Mul64(x3, 0xa40611e3449c0f01)
877 var x125 uint64
878 var x126 uint64
879 x125, x126 = bits.Add64(x124, x121, uint64(0x0))
880 var x127 uint64
881 var x128 uint64
882 x127, x128 = bits.Add64(x122, x119, uint64(fiatScalarUint1(x126)))
883 var x129 uint64
884 var x130 uint64
885 x129, x130 = bits.Add64(x120, x117, uint64(fiatScalarUint1(x128)))
886 var x131 uint64
887 var x132 uint64
888 x131, x132 = bits.Add64(x111, x123, uint64(0x0))
889 var x133 uint64
890 var x134 uint64
891 x133, x134 = bits.Add64(x113, x125, uint64(fiatScalarUint1(x132)))
892 var x135 uint64
893 var x136 uint64
894 x135, x136 = bits.Add64(x115, x127, uint64(fiatScalarUint1(x134)))
895 var x137 uint64
896 var x138 uint64
897 x137, x138 = bits.Add64(((uint64(fiatScalarUint1(x116)) + (uint64(fiatScalarUint1(x98)) + (uint64(fiatScalarUint1(x90)) + x78))) + x102), x129, uint64(fiatScalarUint1(x136)))
898 var x139 uint64
899 _, x139 = bits.Mul64(x131, 0xd2b51da312547e1b)
900 var x141 uint64
901 var x142 uint64
902 x142, x141 = bits.Mul64(x139, 0x1000000000000000)
903 var x143 uint64
904 var x144 uint64
905 x144, x143 = bits.Mul64(x139, 0x14def9dea2f79cd6)
906 var x145 uint64
907 var x146 uint64
908 x146, x145 = bits.Mul64(x139, 0x5812631a5cf5d3ed)
909 var x147 uint64
910 var x148 uint64
911 x147, x148 = bits.Add64(x146, x143, uint64(0x0))
912 var x150 uint64
913 _, x150 = bits.Add64(x131, x145, uint64(0x0))
914 var x151 uint64
915 var x152 uint64
916 x151, x152 = bits.Add64(x133, x147, uint64(fiatScalarUint1(x150)))
917 var x153 uint64
918 var x154 uint64
919 x153, x154 = bits.Add64(x135, (uint64(fiatScalarUint1(x148)) + x144), uint64(fiatScalarUint1(x152)))
920 var x155 uint64
921 var x156 uint64
922 x155, x156 = bits.Add64(x137, x141, uint64(fiatScalarUint1(x154)))
923 x157 := ((uint64(fiatScalarUint1(x156)) + (uint64(fiatScalarUint1(x138)) + (uint64(fiatScalarUint1(x130)) + x118))) + x142)
924 var x158 uint64
925 var x159 uint64
926 x158, x159 = bits.Sub64(x151, 0x5812631a5cf5d3ed, uint64(0x0))
927 var x160 uint64
928 var x161 uint64
929 x160, x161 = bits.Sub64(x153, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x159)))
930 var x162 uint64
931 var x163 uint64
932 x162, x163 = bits.Sub64(x155, uint64(0x0), uint64(fiatScalarUint1(x161)))
933 var x164 uint64
934 var x165 uint64
935 x164, x165 = bits.Sub64(x157, 0x1000000000000000, uint64(fiatScalarUint1(x163)))
936 var x167 uint64
937 _, x167 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(fiatScalarUint1(x165)))
938 var x168 uint64
939 fiatScalarCmovznzU64(&x168, fiatScalarUint1(x167), x158, x151)
940 var x169 uint64
941 fiatScalarCmovznzU64(&x169, fiatScalarUint1(x167), x160, x153)
942 var x170 uint64
943 fiatScalarCmovznzU64(&x170, fiatScalarUint1(x167), x162, x155)
944 var x171 uint64
945 fiatScalarCmovznzU64(&x171, fiatScalarUint1(x167), x164, x157)
946 out1[0] = x168
947 out1[1] = x169
948 out1[2] = x170
949 out1[3] = x171
950 }
951
952 // fiatScalarToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.
953 //
954 // Preconditions:
955 //
956 // 0 ≤ eval arg1 < m
957 //
958 // Postconditions:
959 //
960 // out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
961 //
962 // Input Bounds:
963 //
964 // arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1fffffffffffffff]]
965 //
966 // Output Bounds:
967 //
968 // out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1f]]
969 func fiatScalarToBytes(out1 *[32]uint8, arg1 *[4]uint64) {
970 x1 := arg1[3]
971 x2 := arg1[2]
972 x3 := arg1[1]
973 x4 := arg1[0]
974 x5 := (uint8(x4) & 0xff)
975 x6 := (x4 >> 8)
976 x7 := (uint8(x6) & 0xff)
977 x8 := (x6 >> 8)
978 x9 := (uint8(x8) & 0xff)
979 x10 := (x8 >> 8)
980 x11 := (uint8(x10) & 0xff)
981 x12 := (x10 >> 8)
982 x13 := (uint8(x12) & 0xff)
983 x14 := (x12 >> 8)
984 x15 := (uint8(x14) & 0xff)
985 x16 := (x14 >> 8)
986 x17 := (uint8(x16) & 0xff)
987 x18 := uint8((x16 >> 8))
988 x19 := (uint8(x3) & 0xff)
989 x20 := (x3 >> 8)
990 x21 := (uint8(x20) & 0xff)
991 x22 := (x20 >> 8)
992 x23 := (uint8(x22) & 0xff)
993 x24 := (x22 >> 8)
994 x25 := (uint8(x24) & 0xff)
995 x26 := (x24 >> 8)
996 x27 := (uint8(x26) & 0xff)
997 x28 := (x26 >> 8)
998 x29 := (uint8(x28) & 0xff)
999 x30 := (x28 >> 8)
1000 x31 := (uint8(x30) & 0xff)
1001 x32 := uint8((x30 >> 8))
1002 x33 := (uint8(x2) & 0xff)
1003 x34 := (x2 >> 8)
1004 x35 := (uint8(x34) & 0xff)
1005 x36 := (x34 >> 8)
1006 x37 := (uint8(x36) & 0xff)
1007 x38 := (x36 >> 8)
1008 x39 := (uint8(x38) & 0xff)
1009 x40 := (x38 >> 8)
1010 x41 := (uint8(x40) & 0xff)
1011 x42 := (x40 >> 8)
1012 x43 := (uint8(x42) & 0xff)
1013 x44 := (x42 >> 8)
1014 x45 := (uint8(x44) & 0xff)
1015 x46 := uint8((x44 >> 8))
1016 x47 := (uint8(x1) & 0xff)
1017 x48 := (x1 >> 8)
1018 x49 := (uint8(x48) & 0xff)
1019 x50 := (x48 >> 8)
1020 x51 := (uint8(x50) & 0xff)
1021 x52 := (x50 >> 8)
1022 x53 := (uint8(x52) & 0xff)
1023 x54 := (x52 >> 8)
1024 x55 := (uint8(x54) & 0xff)
1025 x56 := (x54 >> 8)
1026 x57 := (uint8(x56) & 0xff)
1027 x58 := (x56 >> 8)
1028 x59 := (uint8(x58) & 0xff)
1029 x60 := uint8((x58 >> 8))
1030 out1[0] = x5
1031 out1[1] = x7
1032 out1[2] = x9
1033 out1[3] = x11
1034 out1[4] = x13
1035 out1[5] = x15
1036 out1[6] = x17
1037 out1[7] = x18
1038 out1[8] = x19
1039 out1[9] = x21
1040 out1[10] = x23
1041 out1[11] = x25
1042 out1[12] = x27
1043 out1[13] = x29
1044 out1[14] = x31
1045 out1[15] = x32
1046 out1[16] = x33
1047 out1[17] = x35
1048 out1[18] = x37
1049 out1[19] = x39
1050 out1[20] = x41
1051 out1[21] = x43
1052 out1[22] = x45
1053 out1[23] = x46
1054 out1[24] = x47
1055 out1[25] = x49
1056 out1[26] = x51
1057 out1[27] = x53
1058 out1[28] = x55
1059 out1[29] = x57
1060 out1[30] = x59
1061 out1[31] = x60
1062 }
1063
1064 // fiatScalarFromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.
1065 //
1066 // Preconditions:
1067 //
1068 // 0 ≤ bytes_eval arg1 < m
1069 //
1070 // Postconditions:
1071 //
1072 // eval out1 mod m = bytes_eval arg1 mod m
1073 // 0 ≤ eval out1 < m
1074 //
1075 // Input Bounds:
1076 //
1077 // arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1f]]
1078 //
1079 // Output Bounds:
1080 //
1081 // out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1fffffffffffffff]]
1082 func fiatScalarFromBytes(out1 *[4]uint64, arg1 *[32]uint8) {
1083 x1 := (uint64(arg1[31]) << 56)
1084 x2 := (uint64(arg1[30]) << 48)
1085 x3 := (uint64(arg1[29]) << 40)
1086 x4 := (uint64(arg1[28]) << 32)
1087 x5 := (uint64(arg1[27]) << 24)
1088 x6 := (uint64(arg1[26]) << 16)
1089 x7 := (uint64(arg1[25]) << 8)
1090 x8 := arg1[24]
1091 x9 := (uint64(arg1[23]) << 56)
1092 x10 := (uint64(arg1[22]) << 48)
1093 x11 := (uint64(arg1[21]) << 40)
1094 x12 := (uint64(arg1[20]) << 32)
1095 x13 := (uint64(arg1[19]) << 24)
1096 x14 := (uint64(arg1[18]) << 16)
1097 x15 := (uint64(arg1[17]) << 8)
1098 x16 := arg1[16]
1099 x17 := (uint64(arg1[15]) << 56)
1100 x18 := (uint64(arg1[14]) << 48)
1101 x19 := (uint64(arg1[13]) << 40)
1102 x20 := (uint64(arg1[12]) << 32)
1103 x21 := (uint64(arg1[11]) << 24)
1104 x22 := (uint64(arg1[10]) << 16)
1105 x23 := (uint64(arg1[9]) << 8)
1106 x24 := arg1[8]
1107 x25 := (uint64(arg1[7]) << 56)
1108 x26 := (uint64(arg1[6]) << 48)
1109 x27 := (uint64(arg1[5]) << 40)
1110 x28 := (uint64(arg1[4]) << 32)
1111 x29 := (uint64(arg1[3]) << 24)
1112 x30 := (uint64(arg1[2]) << 16)
1113 x31 := (uint64(arg1[1]) << 8)
1114 x32 := arg1[0]
1115 x33 := (x31 + uint64(x32))
1116 x34 := (x30 + x33)
1117 x35 := (x29 + x34)
1118 x36 := (x28 + x35)
1119 x37 := (x27 + x36)
1120 x38 := (x26 + x37)
1121 x39 := (x25 + x38)
1122 x40 := (x23 + uint64(x24))
1123 x41 := (x22 + x40)
1124 x42 := (x21 + x41)
1125 x43 := (x20 + x42)
1126 x44 := (x19 + x43)
1127 x45 := (x18 + x44)
1128 x46 := (x17 + x45)
1129 x47 := (x15 + uint64(x16))
1130 x48 := (x14 + x47)
1131 x49 := (x13 + x48)
1132 x50 := (x12 + x49)
1133 x51 := (x11 + x50)
1134 x52 := (x10 + x51)
1135 x53 := (x9 + x52)
1136 x54 := (x7 + uint64(x8))
1137 x55 := (x6 + x54)
1138 x56 := (x5 + x55)
1139 x57 := (x4 + x56)
1140 x58 := (x3 + x57)
1141 x59 := (x2 + x58)
1142 x60 := (x1 + x59)
1143 out1[0] = x39
1144 out1[1] = x46
1145 out1[2] = x53
1146 out1[3] = x60
1147 }
1148