fiat_crypto/
curve25519_32.rs

1//! Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Rust --inline 25519 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666
2//! curve description: 25519
3//! machine_wordsize = 32 (from "32")
4//! requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666
5//! n = 10 (from "(auto)")
6//! s-c = 2^255 - [(1, 19)] (from "2^255 - 19")
7//! tight_bounds_multiplier = 1 (from "")
8//!
9//! Computed values:
10//!   carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1]
11//!   eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230)
12//!   bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)
13//!   balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe]
14
15#![allow(unused_parens)]
16#![allow(non_camel_case_types)]
17
18/** fiat_25519_u1 represents values of 1 bits, stored in one byte. */
19pub type fiat_25519_u1 = u8;
20/** fiat_25519_i1 represents values of 1 bits, stored in one byte. */
21pub type fiat_25519_i1 = i8;
22/** fiat_25519_u2 represents values of 2 bits, stored in one byte. */
23pub type fiat_25519_u2 = u8;
24/** fiat_25519_i2 represents values of 2 bits, stored in one byte. */
25pub type fiat_25519_i2 = i8;
26
27/** The type fiat_25519_loose_field_element is a field element with loose bounds. */
28/** Bounds: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] */
29#[derive(Clone, Copy)]
30pub struct fiat_25519_loose_field_element(pub [u32; 10]);
31
32impl core::ops::Index<usize> for fiat_25519_loose_field_element {
33    type Output = u32;
34    #[inline]
35    fn index(&self, index: usize) -> &Self::Output {
36        &self.0[index]
37    }
38}
39
40impl core::ops::IndexMut<usize> for fiat_25519_loose_field_element {
41    #[inline]
42    fn index_mut(&mut self, index: usize) -> &mut Self::Output {
43        &mut self.0[index]
44    }
45}
46
47/** The type fiat_25519_tight_field_element is a field element with tight bounds. */
48/** Bounds: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] */
49#[derive(Clone, Copy)]
50pub struct fiat_25519_tight_field_element(pub [u32; 10]);
51
52impl core::ops::Index<usize> for fiat_25519_tight_field_element {
53    type Output = u32;
54    #[inline]
55    fn index(&self, index: usize) -> &Self::Output {
56        &self.0[index]
57    }
58}
59
60impl core::ops::IndexMut<usize> for fiat_25519_tight_field_element {
61    #[inline]
62    fn index_mut(&mut self, index: usize) -> &mut Self::Output {
63        &mut self.0[index]
64    }
65}
66
67
68/// The function fiat_25519_addcarryx_u26 is an addition with carry.
69///
70/// Postconditions:
71///   out1 = (arg1 + arg2 + arg3) mod 2^26
72///   out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋
73///
74/// Input Bounds:
75///   arg1: [0x0 ~> 0x1]
76///   arg2: [0x0 ~> 0x3ffffff]
77///   arg3: [0x0 ~> 0x3ffffff]
78/// Output Bounds:
79///   out1: [0x0 ~> 0x3ffffff]
80///   out2: [0x0 ~> 0x1]
81#[inline]
82pub fn fiat_25519_addcarryx_u26(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: fiat_25519_u1, arg2: u32, arg3: u32) {
83  let x1: u32 = (((arg1 as u32) + arg2) + arg3);
84  let x2: u32 = (x1 & 0x3ffffff);
85  let x3: fiat_25519_u1 = ((x1 >> 26) as fiat_25519_u1);
86  *out1 = x2;
87  *out2 = x3;
88}
89
90/// The function fiat_25519_subborrowx_u26 is a subtraction with borrow.
91///
92/// Postconditions:
93///   out1 = (-arg1 + arg2 + -arg3) mod 2^26
94///   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋
95///
96/// Input Bounds:
97///   arg1: [0x0 ~> 0x1]
98///   arg2: [0x0 ~> 0x3ffffff]
99///   arg3: [0x0 ~> 0x3ffffff]
100/// Output Bounds:
101///   out1: [0x0 ~> 0x3ffffff]
102///   out2: [0x0 ~> 0x1]
103#[inline]
104pub fn fiat_25519_subborrowx_u26(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: fiat_25519_u1, arg2: u32, arg3: u32) {
105  let x1: i32 = ((((((arg2 as i64) - (arg1 as i64)) as i32) as i64) - (arg3 as i64)) as i32);
106  let x2: fiat_25519_i1 = ((x1 >> 26) as fiat_25519_i1);
107  let x3: u32 = (((x1 as i64) & (0x3ffffff as i64)) as u32);
108  *out1 = x3;
109  *out2 = (((0x0 as fiat_25519_i2) - (x2 as fiat_25519_i2)) as fiat_25519_u1);
110}
111
112/// The function fiat_25519_addcarryx_u25 is an addition with carry.
113///
114/// Postconditions:
115///   out1 = (arg1 + arg2 + arg3) mod 2^25
116///   out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋
117///
118/// Input Bounds:
119///   arg1: [0x0 ~> 0x1]
120///   arg2: [0x0 ~> 0x1ffffff]
121///   arg3: [0x0 ~> 0x1ffffff]
122/// Output Bounds:
123///   out1: [0x0 ~> 0x1ffffff]
124///   out2: [0x0 ~> 0x1]
125#[inline]
126pub fn fiat_25519_addcarryx_u25(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: fiat_25519_u1, arg2: u32, arg3: u32) {
127  let x1: u32 = (((arg1 as u32) + arg2) + arg3);
128  let x2: u32 = (x1 & 0x1ffffff);
129  let x3: fiat_25519_u1 = ((x1 >> 25) as fiat_25519_u1);
130  *out1 = x2;
131  *out2 = x3;
132}
133
134/// The function fiat_25519_subborrowx_u25 is a subtraction with borrow.
135///
136/// Postconditions:
137///   out1 = (-arg1 + arg2 + -arg3) mod 2^25
138///   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋
139///
140/// Input Bounds:
141///   arg1: [0x0 ~> 0x1]
142///   arg2: [0x0 ~> 0x1ffffff]
143///   arg3: [0x0 ~> 0x1ffffff]
144/// Output Bounds:
145///   out1: [0x0 ~> 0x1ffffff]
146///   out2: [0x0 ~> 0x1]
147#[inline]
148pub fn fiat_25519_subborrowx_u25(out1: &mut u32, out2: &mut fiat_25519_u1, arg1: fiat_25519_u1, arg2: u32, arg3: u32) {
149  let x1: i32 = ((((((arg2 as i64) - (arg1 as i64)) as i32) as i64) - (arg3 as i64)) as i32);
150  let x2: fiat_25519_i1 = ((x1 >> 25) as fiat_25519_i1);
151  let x3: u32 = (((x1 as i64) & (0x1ffffff as i64)) as u32);
152  *out1 = x3;
153  *out2 = (((0x0 as fiat_25519_i2) - (x2 as fiat_25519_i2)) as fiat_25519_u1);
154}
155
156/// The function fiat_25519_cmovznz_u32 is a single-word conditional move.
157///
158/// Postconditions:
159///   out1 = (if arg1 = 0 then arg2 else arg3)
160///
161/// Input Bounds:
162///   arg1: [0x0 ~> 0x1]
163///   arg2: [0x0 ~> 0xffffffff]
164///   arg3: [0x0 ~> 0xffffffff]
165/// Output Bounds:
166///   out1: [0x0 ~> 0xffffffff]
167#[inline]
168pub fn fiat_25519_cmovznz_u32(out1: &mut u32, arg1: fiat_25519_u1, arg2: u32, arg3: u32) {
169  let x1: fiat_25519_u1 = (!(!arg1));
170  let x2: u32 = ((((((0x0 as fiat_25519_i2) - (x1 as fiat_25519_i2)) as fiat_25519_i1) as i64) & (0xffffffff as i64)) as u32);
171  let x3: u32 = ((x2 & arg3) | ((!x2) & arg2));
172  *out1 = x3;
173}
174
175/// The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
176///
177/// Postconditions:
178///   eval out1 mod m = (eval arg1 * eval arg2) mod m
179///
180#[inline]
181pub fn fiat_25519_carry_mul(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element, arg2: &fiat_25519_loose_field_element) {
182  let x1: u64 = (((arg1[9]) as u64) * (((arg2[9]) * 0x26) as u64));
183  let x2: u64 = (((arg1[9]) as u64) * (((arg2[8]) * 0x13) as u64));
184  let x3: u64 = (((arg1[9]) as u64) * (((arg2[7]) * 0x26) as u64));
185  let x4: u64 = (((arg1[9]) as u64) * (((arg2[6]) * 0x13) as u64));
186  let x5: u64 = (((arg1[9]) as u64) * (((arg2[5]) * 0x26) as u64));
187  let x6: u64 = (((arg1[9]) as u64) * (((arg2[4]) * 0x13) as u64));
188  let x7: u64 = (((arg1[9]) as u64) * (((arg2[3]) * 0x26) as u64));
189  let x8: u64 = (((arg1[9]) as u64) * (((arg2[2]) * 0x13) as u64));
190  let x9: u64 = (((arg1[9]) as u64) * (((arg2[1]) * 0x26) as u64));
191  let x10: u64 = (((arg1[8]) as u64) * (((arg2[9]) * 0x13) as u64));
192  let x11: u64 = (((arg1[8]) as u64) * (((arg2[8]) * 0x13) as u64));
193  let x12: u64 = (((arg1[8]) as u64) * (((arg2[7]) * 0x13) as u64));
194  let x13: u64 = (((arg1[8]) as u64) * (((arg2[6]) * 0x13) as u64));
195  let x14: u64 = (((arg1[8]) as u64) * (((arg2[5]) * 0x13) as u64));
196  let x15: u64 = (((arg1[8]) as u64) * (((arg2[4]) * 0x13) as u64));
197  let x16: u64 = (((arg1[8]) as u64) * (((arg2[3]) * 0x13) as u64));
198  let x17: u64 = (((arg1[8]) as u64) * (((arg2[2]) * 0x13) as u64));
199  let x18: u64 = (((arg1[7]) as u64) * (((arg2[9]) * 0x26) as u64));
200  let x19: u64 = (((arg1[7]) as u64) * (((arg2[8]) * 0x13) as u64));
201  let x20: u64 = (((arg1[7]) as u64) * (((arg2[7]) * 0x26) as u64));
202  let x21: u64 = (((arg1[7]) as u64) * (((arg2[6]) * 0x13) as u64));
203  let x22: u64 = (((arg1[7]) as u64) * (((arg2[5]) * 0x26) as u64));
204  let x23: u64 = (((arg1[7]) as u64) * (((arg2[4]) * 0x13) as u64));
205  let x24: u64 = (((arg1[7]) as u64) * (((arg2[3]) * 0x26) as u64));
206  let x25: u64 = (((arg1[6]) as u64) * (((arg2[9]) * 0x13) as u64));
207  let x26: u64 = (((arg1[6]) as u64) * (((arg2[8]) * 0x13) as u64));
208  let x27: u64 = (((arg1[6]) as u64) * (((arg2[7]) * 0x13) as u64));
209  let x28: u64 = (((arg1[6]) as u64) * (((arg2[6]) * 0x13) as u64));
210  let x29: u64 = (((arg1[6]) as u64) * (((arg2[5]) * 0x13) as u64));
211  let x30: u64 = (((arg1[6]) as u64) * (((arg2[4]) * 0x13) as u64));
212  let x31: u64 = (((arg1[5]) as u64) * (((arg2[9]) * 0x26) as u64));
213  let x32: u64 = (((arg1[5]) as u64) * (((arg2[8]) * 0x13) as u64));
214  let x33: u64 = (((arg1[5]) as u64) * (((arg2[7]) * 0x26) as u64));
215  let x34: u64 = (((arg1[5]) as u64) * (((arg2[6]) * 0x13) as u64));
216  let x35: u64 = (((arg1[5]) as u64) * (((arg2[5]) * 0x26) as u64));
217  let x36: u64 = (((arg1[4]) as u64) * (((arg2[9]) * 0x13) as u64));
218  let x37: u64 = (((arg1[4]) as u64) * (((arg2[8]) * 0x13) as u64));
219  let x38: u64 = (((arg1[4]) as u64) * (((arg2[7]) * 0x13) as u64));
220  let x39: u64 = (((arg1[4]) as u64) * (((arg2[6]) * 0x13) as u64));
221  let x40: u64 = (((arg1[3]) as u64) * (((arg2[9]) * 0x26) as u64));
222  let x41: u64 = (((arg1[3]) as u64) * (((arg2[8]) * 0x13) as u64));
223  let x42: u64 = (((arg1[3]) as u64) * (((arg2[7]) * 0x26) as u64));
224  let x43: u64 = (((arg1[2]) as u64) * (((arg2[9]) * 0x13) as u64));
225  let x44: u64 = (((arg1[2]) as u64) * (((arg2[8]) * 0x13) as u64));
226  let x45: u64 = (((arg1[1]) as u64) * (((arg2[9]) * 0x26) as u64));
227  let x46: u64 = (((arg1[9]) as u64) * ((arg2[0]) as u64));
228  let x47: u64 = (((arg1[8]) as u64) * ((arg2[1]) as u64));
229  let x48: u64 = (((arg1[8]) as u64) * ((arg2[0]) as u64));
230  let x49: u64 = (((arg1[7]) as u64) * ((arg2[2]) as u64));
231  let x50: u64 = (((arg1[7]) as u64) * (((arg2[1]) * 0x2) as u64));
232  let x51: u64 = (((arg1[7]) as u64) * ((arg2[0]) as u64));
233  let x52: u64 = (((arg1[6]) as u64) * ((arg2[3]) as u64));
234  let x53: u64 = (((arg1[6]) as u64) * ((arg2[2]) as u64));
235  let x54: u64 = (((arg1[6]) as u64) * ((arg2[1]) as u64));
236  let x55: u64 = (((arg1[6]) as u64) * ((arg2[0]) as u64));
237  let x56: u64 = (((arg1[5]) as u64) * ((arg2[4]) as u64));
238  let x57: u64 = (((arg1[5]) as u64) * (((arg2[3]) * 0x2) as u64));
239  let x58: u64 = (((arg1[5]) as u64) * ((arg2[2]) as u64));
240  let x59: u64 = (((arg1[5]) as u64) * (((arg2[1]) * 0x2) as u64));
241  let x60: u64 = (((arg1[5]) as u64) * ((arg2[0]) as u64));
242  let x61: u64 = (((arg1[4]) as u64) * ((arg2[5]) as u64));
243  let x62: u64 = (((arg1[4]) as u64) * ((arg2[4]) as u64));
244  let x63: u64 = (((arg1[4]) as u64) * ((arg2[3]) as u64));
245  let x64: u64 = (((arg1[4]) as u64) * ((arg2[2]) as u64));
246  let x65: u64 = (((arg1[4]) as u64) * ((arg2[1]) as u64));
247  let x66: u64 = (((arg1[4]) as u64) * ((arg2[0]) as u64));
248  let x67: u64 = (((arg1[3]) as u64) * ((arg2[6]) as u64));
249  let x68: u64 = (((arg1[3]) as u64) * (((arg2[5]) * 0x2) as u64));
250  let x69: u64 = (((arg1[3]) as u64) * ((arg2[4]) as u64));
251  let x70: u64 = (((arg1[3]) as u64) * (((arg2[3]) * 0x2) as u64));
252  let x71: u64 = (((arg1[3]) as u64) * ((arg2[2]) as u64));
253  let x72: u64 = (((arg1[3]) as u64) * (((arg2[1]) * 0x2) as u64));
254  let x73: u64 = (((arg1[3]) as u64) * ((arg2[0]) as u64));
255  let x74: u64 = (((arg1[2]) as u64) * ((arg2[7]) as u64));
256  let x75: u64 = (((arg1[2]) as u64) * ((arg2[6]) as u64));
257  let x76: u64 = (((arg1[2]) as u64) * ((arg2[5]) as u64));
258  let x77: u64 = (((arg1[2]) as u64) * ((arg2[4]) as u64));
259  let x78: u64 = (((arg1[2]) as u64) * ((arg2[3]) as u64));
260  let x79: u64 = (((arg1[2]) as u64) * ((arg2[2]) as u64));
261  let x80: u64 = (((arg1[2]) as u64) * ((arg2[1]) as u64));
262  let x81: u64 = (((arg1[2]) as u64) * ((arg2[0]) as u64));
263  let x82: u64 = (((arg1[1]) as u64) * ((arg2[8]) as u64));
264  let x83: u64 = (((arg1[1]) as u64) * (((arg2[7]) * 0x2) as u64));
265  let x84: u64 = (((arg1[1]) as u64) * ((arg2[6]) as u64));
266  let x85: u64 = (((arg1[1]) as u64) * (((arg2[5]) * 0x2) as u64));
267  let x86: u64 = (((arg1[1]) as u64) * ((arg2[4]) as u64));
268  let x87: u64 = (((arg1[1]) as u64) * (((arg2[3]) * 0x2) as u64));
269  let x88: u64 = (((arg1[1]) as u64) * ((arg2[2]) as u64));
270  let x89: u64 = (((arg1[1]) as u64) * (((arg2[1]) * 0x2) as u64));
271  let x90: u64 = (((arg1[1]) as u64) * ((arg2[0]) as u64));
272  let x91: u64 = (((arg1[0]) as u64) * ((arg2[9]) as u64));
273  let x92: u64 = (((arg1[0]) as u64) * ((arg2[8]) as u64));
274  let x93: u64 = (((arg1[0]) as u64) * ((arg2[7]) as u64));
275  let x94: u64 = (((arg1[0]) as u64) * ((arg2[6]) as u64));
276  let x95: u64 = (((arg1[0]) as u64) * ((arg2[5]) as u64));
277  let x96: u64 = (((arg1[0]) as u64) * ((arg2[4]) as u64));
278  let x97: u64 = (((arg1[0]) as u64) * ((arg2[3]) as u64));
279  let x98: u64 = (((arg1[0]) as u64) * ((arg2[2]) as u64));
280  let x99: u64 = (((arg1[0]) as u64) * ((arg2[1]) as u64));
281  let x100: u64 = (((arg1[0]) as u64) * ((arg2[0]) as u64));
282  let x101: u64 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9)))))))));
283  let x102: u64 = (x101 >> 26);
284  let x103: u32 = ((x101 & (0x3ffffff as u64)) as u32);
285  let x104: u64 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46)))))))));
286  let x105: u64 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1)))))))));
287  let x106: u64 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2)))))))));
288  let x107: u64 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3)))))))));
289  let x108: u64 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4)))))))));
290  let x109: u64 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5)))))))));
291  let x110: u64 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6)))))))));
292  let x111: u64 = (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7)))))))));
293  let x112: u64 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8)))))))));
294  let x113: u64 = (x102 + x112);
295  let x114: u64 = (x113 >> 25);
296  let x115: u32 = ((x113 & (0x1ffffff as u64)) as u32);
297  let x116: u64 = (x114 + x111);
298  let x117: u64 = (x116 >> 26);
299  let x118: u32 = ((x116 & (0x3ffffff as u64)) as u32);
300  let x119: u64 = (x117 + x110);
301  let x120: u64 = (x119 >> 25);
302  let x121: u32 = ((x119 & (0x1ffffff as u64)) as u32);
303  let x122: u64 = (x120 + x109);
304  let x123: u64 = (x122 >> 26);
305  let x124: u32 = ((x122 & (0x3ffffff as u64)) as u32);
306  let x125: u64 = (x123 + x108);
307  let x126: u64 = (x125 >> 25);
308  let x127: u32 = ((x125 & (0x1ffffff as u64)) as u32);
309  let x128: u64 = (x126 + x107);
310  let x129: u64 = (x128 >> 26);
311  let x130: u32 = ((x128 & (0x3ffffff as u64)) as u32);
312  let x131: u64 = (x129 + x106);
313  let x132: u64 = (x131 >> 25);
314  let x133: u32 = ((x131 & (0x1ffffff as u64)) as u32);
315  let x134: u64 = (x132 + x105);
316  let x135: u64 = (x134 >> 26);
317  let x136: u32 = ((x134 & (0x3ffffff as u64)) as u32);
318  let x137: u64 = (x135 + x104);
319  let x138: u64 = (x137 >> 25);
320  let x139: u32 = ((x137 & (0x1ffffff as u64)) as u32);
321  let x140: u64 = (x138 * (0x13 as u64));
322  let x141: u64 = ((x103 as u64) + x140);
323  let x142: u32 = ((x141 >> 26) as u32);
324  let x143: u32 = ((x141 & (0x3ffffff as u64)) as u32);
325  let x144: u32 = (x142 + x115);
326  let x145: fiat_25519_u1 = ((x144 >> 25) as fiat_25519_u1);
327  let x146: u32 = (x144 & 0x1ffffff);
328  let x147: u32 = ((x145 as u32) + x118);
329  out1[0] = x143;
330  out1[1] = x146;
331  out1[2] = x147;
332  out1[3] = x121;
333  out1[4] = x124;
334  out1[5] = x127;
335  out1[6] = x130;
336  out1[7] = x133;
337  out1[8] = x136;
338  out1[9] = x139;
339}
340
341/// The function fiat_25519_carry_square squares a field element and reduces the result.
342///
343/// Postconditions:
344///   eval out1 mod m = (eval arg1 * eval arg1) mod m
345///
346#[inline]
347pub fn fiat_25519_carry_square(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element) {
348  let x1: u32 = ((arg1[9]) * 0x13);
349  let x2: u32 = (x1 * 0x2);
350  let x3: u32 = ((arg1[9]) * 0x2);
351  let x4: u32 = ((arg1[8]) * 0x13);
352  let x5: u64 = ((x4 as u64) * (0x2 as u64));
353  let x6: u32 = ((arg1[8]) * 0x2);
354  let x7: u32 = ((arg1[7]) * 0x13);
355  let x8: u32 = (x7 * 0x2);
356  let x9: u32 = ((arg1[7]) * 0x2);
357  let x10: u32 = ((arg1[6]) * 0x13);
358  let x11: u64 = ((x10 as u64) * (0x2 as u64));
359  let x12: u32 = ((arg1[6]) * 0x2);
360  let x13: u32 = ((arg1[5]) * 0x13);
361  let x14: u32 = ((arg1[5]) * 0x2);
362  let x15: u32 = ((arg1[4]) * 0x2);
363  let x16: u32 = ((arg1[3]) * 0x2);
364  let x17: u32 = ((arg1[2]) * 0x2);
365  let x18: u32 = ((arg1[1]) * 0x2);
366  let x19: u64 = (((arg1[9]) as u64) * ((x1 * 0x2) as u64));
367  let x20: u64 = (((arg1[8]) as u64) * (x2 as u64));
368  let x21: u64 = (((arg1[8]) as u64) * (x4 as u64));
369  let x22: u64 = (((arg1[7]) as u64) * ((x2 as u64) * (0x2 as u64)));
370  let x23: u64 = (((arg1[7]) as u64) * x5);
371  let x24: u64 = (((arg1[7]) as u64) * ((x7 * 0x2) as u64));
372  let x25: u64 = (((arg1[6]) as u64) * (x2 as u64));
373  let x26: u64 = (((arg1[6]) as u64) * x5);
374  let x27: u64 = (((arg1[6]) as u64) * (x8 as u64));
375  let x28: u64 = (((arg1[6]) as u64) * (x10 as u64));
376  let x29: u64 = (((arg1[5]) as u64) * ((x2 as u64) * (0x2 as u64)));
377  let x30: u64 = (((arg1[5]) as u64) * x5);
378  let x31: u64 = (((arg1[5]) as u64) * ((x8 as u64) * (0x2 as u64)));
379  let x32: u64 = (((arg1[5]) as u64) * x11);
380  let x33: u64 = (((arg1[5]) as u64) * ((x13 * 0x2) as u64));
381  let x34: u64 = (((arg1[4]) as u64) * (x2 as u64));
382  let x35: u64 = (((arg1[4]) as u64) * x5);
383  let x36: u64 = (((arg1[4]) as u64) * (x8 as u64));
384  let x37: u64 = (((arg1[4]) as u64) * x11);
385  let x38: u64 = (((arg1[4]) as u64) * (x14 as u64));
386  let x39: u64 = (((arg1[4]) as u64) * ((arg1[4]) as u64));
387  let x40: u64 = (((arg1[3]) as u64) * ((x2 as u64) * (0x2 as u64)));
388  let x41: u64 = (((arg1[3]) as u64) * x5);
389  let x42: u64 = (((arg1[3]) as u64) * ((x8 as u64) * (0x2 as u64)));
390  let x43: u64 = (((arg1[3]) as u64) * (x12 as u64));
391  let x44: u64 = (((arg1[3]) as u64) * ((x14 * 0x2) as u64));
392  let x45: u64 = (((arg1[3]) as u64) * (x15 as u64));
393  let x46: u64 = (((arg1[3]) as u64) * (((arg1[3]) * 0x2) as u64));
394  let x47: u64 = (((arg1[2]) as u64) * (x2 as u64));
395  let x48: u64 = (((arg1[2]) as u64) * x5);
396  let x49: u64 = (((arg1[2]) as u64) * (x9 as u64));
397  let x50: u64 = (((arg1[2]) as u64) * (x12 as u64));
398  let x51: u64 = (((arg1[2]) as u64) * (x14 as u64));
399  let x52: u64 = (((arg1[2]) as u64) * (x15 as u64));
400  let x53: u64 = (((arg1[2]) as u64) * (x16 as u64));
401  let x54: u64 = (((arg1[2]) as u64) * ((arg1[2]) as u64));
402  let x55: u64 = (((arg1[1]) as u64) * ((x2 as u64) * (0x2 as u64)));
403  let x56: u64 = (((arg1[1]) as u64) * (x6 as u64));
404  let x57: u64 = (((arg1[1]) as u64) * ((x9 * 0x2) as u64));
405  let x58: u64 = (((arg1[1]) as u64) * (x12 as u64));
406  let x59: u64 = (((arg1[1]) as u64) * ((x14 * 0x2) as u64));
407  let x60: u64 = (((arg1[1]) as u64) * (x15 as u64));
408  let x61: u64 = (((arg1[1]) as u64) * ((x16 * 0x2) as u64));
409  let x62: u64 = (((arg1[1]) as u64) * (x17 as u64));
410  let x63: u64 = (((arg1[1]) as u64) * (((arg1[1]) * 0x2) as u64));
411  let x64: u64 = (((arg1[0]) as u64) * (x3 as u64));
412  let x65: u64 = (((arg1[0]) as u64) * (x6 as u64));
413  let x66: u64 = (((arg1[0]) as u64) * (x9 as u64));
414  let x67: u64 = (((arg1[0]) as u64) * (x12 as u64));
415  let x68: u64 = (((arg1[0]) as u64) * (x14 as u64));
416  let x69: u64 = (((arg1[0]) as u64) * (x15 as u64));
417  let x70: u64 = (((arg1[0]) as u64) * (x16 as u64));
418  let x71: u64 = (((arg1[0]) as u64) * (x17 as u64));
419  let x72: u64 = (((arg1[0]) as u64) * (x18 as u64));
420  let x73: u64 = (((arg1[0]) as u64) * ((arg1[0]) as u64));
421  let x74: u64 = (x73 + (x55 + (x48 + (x42 + (x37 + x33)))));
422  let x75: u64 = (x74 >> 26);
423  let x76: u32 = ((x74 & (0x3ffffff as u64)) as u32);
424  let x77: u64 = (x64 + (x56 + (x49 + (x43 + x38))));
425  let x78: u64 = (x65 + (x57 + (x50 + (x44 + (x39 + x19)))));
426  let x79: u64 = (x66 + (x58 + (x51 + (x45 + x20))));
427  let x80: u64 = (x67 + (x59 + (x52 + (x46 + (x22 + x21)))));
428  let x81: u64 = (x68 + (x60 + (x53 + (x25 + x23))));
429  let x82: u64 = (x69 + (x61 + (x54 + (x29 + (x26 + x24)))));
430  let x83: u64 = (x70 + (x62 + (x34 + (x30 + x27))));
431  let x84: u64 = (x71 + (x63 + (x40 + (x35 + (x31 + x28)))));
432  let x85: u64 = (x72 + (x47 + (x41 + (x36 + x32))));
433  let x86: u64 = (x75 + x85);
434  let x87: u64 = (x86 >> 25);
435  let x88: u32 = ((x86 & (0x1ffffff as u64)) as u32);
436  let x89: u64 = (x87 + x84);
437  let x90: u64 = (x89 >> 26);
438  let x91: u32 = ((x89 & (0x3ffffff as u64)) as u32);
439  let x92: u64 = (x90 + x83);
440  let x93: u64 = (x92 >> 25);
441  let x94: u32 = ((x92 & (0x1ffffff as u64)) as u32);
442  let x95: u64 = (x93 + x82);
443  let x96: u64 = (x95 >> 26);
444  let x97: u32 = ((x95 & (0x3ffffff as u64)) as u32);
445  let x98: u64 = (x96 + x81);
446  let x99: u64 = (x98 >> 25);
447  let x100: u32 = ((x98 & (0x1ffffff as u64)) as u32);
448  let x101: u64 = (x99 + x80);
449  let x102: u64 = (x101 >> 26);
450  let x103: u32 = ((x101 & (0x3ffffff as u64)) as u32);
451  let x104: u64 = (x102 + x79);
452  let x105: u64 = (x104 >> 25);
453  let x106: u32 = ((x104 & (0x1ffffff as u64)) as u32);
454  let x107: u64 = (x105 + x78);
455  let x108: u64 = (x107 >> 26);
456  let x109: u32 = ((x107 & (0x3ffffff as u64)) as u32);
457  let x110: u64 = (x108 + x77);
458  let x111: u64 = (x110 >> 25);
459  let x112: u32 = ((x110 & (0x1ffffff as u64)) as u32);
460  let x113: u64 = (x111 * (0x13 as u64));
461  let x114: u64 = ((x76 as u64) + x113);
462  let x115: u32 = ((x114 >> 26) as u32);
463  let x116: u32 = ((x114 & (0x3ffffff as u64)) as u32);
464  let x117: u32 = (x115 + x88);
465  let x118: fiat_25519_u1 = ((x117 >> 25) as fiat_25519_u1);
466  let x119: u32 = (x117 & 0x1ffffff);
467  let x120: u32 = ((x118 as u32) + x91);
468  out1[0] = x116;
469  out1[1] = x119;
470  out1[2] = x120;
471  out1[3] = x94;
472  out1[4] = x97;
473  out1[5] = x100;
474  out1[6] = x103;
475  out1[7] = x106;
476  out1[8] = x109;
477  out1[9] = x112;
478}
479
480/// The function fiat_25519_carry reduces a field element.
481///
482/// Postconditions:
483///   eval out1 mod m = eval arg1 mod m
484///
485#[inline]
486pub fn fiat_25519_carry(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element) {
487  let x1: u32 = (arg1[0]);
488  let x2: u32 = ((x1 >> 26) + (arg1[1]));
489  let x3: u32 = ((x2 >> 25) + (arg1[2]));
490  let x4: u32 = ((x3 >> 26) + (arg1[3]));
491  let x5: u32 = ((x4 >> 25) + (arg1[4]));
492  let x6: u32 = ((x5 >> 26) + (arg1[5]));
493  let x7: u32 = ((x6 >> 25) + (arg1[6]));
494  let x8: u32 = ((x7 >> 26) + (arg1[7]));
495  let x9: u32 = ((x8 >> 25) + (arg1[8]));
496  let x10: u32 = ((x9 >> 26) + (arg1[9]));
497  let x11: u32 = ((x1 & 0x3ffffff) + ((x10 >> 25) * 0x13));
498  let x12: u32 = ((((x11 >> 26) as fiat_25519_u1) as u32) + (x2 & 0x1ffffff));
499  let x13: u32 = (x11 & 0x3ffffff);
500  let x14: u32 = (x12 & 0x1ffffff);
501  let x15: u32 = ((((x12 >> 25) as fiat_25519_u1) as u32) + (x3 & 0x3ffffff));
502  let x16: u32 = (x4 & 0x1ffffff);
503  let x17: u32 = (x5 & 0x3ffffff);
504  let x18: u32 = (x6 & 0x1ffffff);
505  let x19: u32 = (x7 & 0x3ffffff);
506  let x20: u32 = (x8 & 0x1ffffff);
507  let x21: u32 = (x9 & 0x3ffffff);
508  let x22: u32 = (x10 & 0x1ffffff);
509  out1[0] = x13;
510  out1[1] = x14;
511  out1[2] = x15;
512  out1[3] = x16;
513  out1[4] = x17;
514  out1[5] = x18;
515  out1[6] = x19;
516  out1[7] = x20;
517  out1[8] = x21;
518  out1[9] = x22;
519}
520
521/// The function fiat_25519_add adds two field elements.
522///
523/// Postconditions:
524///   eval out1 mod m = (eval arg1 + eval arg2) mod m
525///
526#[inline]
527pub fn fiat_25519_add(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element, arg2: &fiat_25519_tight_field_element) {
528  let x1: u32 = ((arg1[0]) + (arg2[0]));
529  let x2: u32 = ((arg1[1]) + (arg2[1]));
530  let x3: u32 = ((arg1[2]) + (arg2[2]));
531  let x4: u32 = ((arg1[3]) + (arg2[3]));
532  let x5: u32 = ((arg1[4]) + (arg2[4]));
533  let x6: u32 = ((arg1[5]) + (arg2[5]));
534  let x7: u32 = ((arg1[6]) + (arg2[6]));
535  let x8: u32 = ((arg1[7]) + (arg2[7]));
536  let x9: u32 = ((arg1[8]) + (arg2[8]));
537  let x10: u32 = ((arg1[9]) + (arg2[9]));
538  out1[0] = x1;
539  out1[1] = x2;
540  out1[2] = x3;
541  out1[3] = x4;
542  out1[4] = x5;
543  out1[5] = x6;
544  out1[6] = x7;
545  out1[7] = x8;
546  out1[8] = x9;
547  out1[9] = x10;
548}
549
550/// The function fiat_25519_sub subtracts two field elements.
551///
552/// Postconditions:
553///   eval out1 mod m = (eval arg1 - eval arg2) mod m
554///
555#[inline]
556pub fn fiat_25519_sub(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element, arg2: &fiat_25519_tight_field_element) {
557  let x1: u32 = ((0x7ffffda + (arg1[0])) - (arg2[0]));
558  let x2: u32 = ((0x3fffffe + (arg1[1])) - (arg2[1]));
559  let x3: u32 = ((0x7fffffe + (arg1[2])) - (arg2[2]));
560  let x4: u32 = ((0x3fffffe + (arg1[3])) - (arg2[3]));
561  let x5: u32 = ((0x7fffffe + (arg1[4])) - (arg2[4]));
562  let x6: u32 = ((0x3fffffe + (arg1[5])) - (arg2[5]));
563  let x7: u32 = ((0x7fffffe + (arg1[6])) - (arg2[6]));
564  let x8: u32 = ((0x3fffffe + (arg1[7])) - (arg2[7]));
565  let x9: u32 = ((0x7fffffe + (arg1[8])) - (arg2[8]));
566  let x10: u32 = ((0x3fffffe + (arg1[9])) - (arg2[9]));
567  out1[0] = x1;
568  out1[1] = x2;
569  out1[2] = x3;
570  out1[3] = x4;
571  out1[4] = x5;
572  out1[5] = x6;
573  out1[6] = x7;
574  out1[7] = x8;
575  out1[8] = x9;
576  out1[9] = x10;
577}
578
579/// The function fiat_25519_opp negates a field element.
580///
581/// Postconditions:
582///   eval out1 mod m = -eval arg1 mod m
583///
584#[inline]
585pub fn fiat_25519_opp(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element) {
586  let x1: u32 = (0x7ffffda - (arg1[0]));
587  let x2: u32 = (0x3fffffe - (arg1[1]));
588  let x3: u32 = (0x7fffffe - (arg1[2]));
589  let x4: u32 = (0x3fffffe - (arg1[3]));
590  let x5: u32 = (0x7fffffe - (arg1[4]));
591  let x6: u32 = (0x3fffffe - (arg1[5]));
592  let x7: u32 = (0x7fffffe - (arg1[6]));
593  let x8: u32 = (0x3fffffe - (arg1[7]));
594  let x9: u32 = (0x7fffffe - (arg1[8]));
595  let x10: u32 = (0x3fffffe - (arg1[9]));
596  out1[0] = x1;
597  out1[1] = x2;
598  out1[2] = x3;
599  out1[3] = x4;
600  out1[4] = x5;
601  out1[5] = x6;
602  out1[6] = x7;
603  out1[7] = x8;
604  out1[8] = x9;
605  out1[9] = x10;
606}
607
608/// The function fiat_25519_selectznz is a multi-limb conditional select.
609///
610/// Postconditions:
611///   out1 = (if arg1 = 0 then arg2 else arg3)
612///
613/// Input Bounds:
614///   arg1: [0x0 ~> 0x1]
615///   arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]
616///   arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]
617/// Output Bounds:
618///   out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]
619#[inline]
620pub fn fiat_25519_selectznz(out1: &mut [u32; 10], arg1: fiat_25519_u1, arg2: &[u32; 10], arg3: &[u32; 10]) {
621  let mut x1: u32 = 0;
622  fiat_25519_cmovznz_u32(&mut x1, arg1, (arg2[0]), (arg3[0]));
623  let mut x2: u32 = 0;
624  fiat_25519_cmovznz_u32(&mut x2, arg1, (arg2[1]), (arg3[1]));
625  let mut x3: u32 = 0;
626  fiat_25519_cmovznz_u32(&mut x3, arg1, (arg2[2]), (arg3[2]));
627  let mut x4: u32 = 0;
628  fiat_25519_cmovznz_u32(&mut x4, arg1, (arg2[3]), (arg3[3]));
629  let mut x5: u32 = 0;
630  fiat_25519_cmovznz_u32(&mut x5, arg1, (arg2[4]), (arg3[4]));
631  let mut x6: u32 = 0;
632  fiat_25519_cmovznz_u32(&mut x6, arg1, (arg2[5]), (arg3[5]));
633  let mut x7: u32 = 0;
634  fiat_25519_cmovznz_u32(&mut x7, arg1, (arg2[6]), (arg3[6]));
635  let mut x8: u32 = 0;
636  fiat_25519_cmovznz_u32(&mut x8, arg1, (arg2[7]), (arg3[7]));
637  let mut x9: u32 = 0;
638  fiat_25519_cmovznz_u32(&mut x9, arg1, (arg2[8]), (arg3[8]));
639  let mut x10: u32 = 0;
640  fiat_25519_cmovznz_u32(&mut x10, arg1, (arg2[9]), (arg3[9]));
641  out1[0] = x1;
642  out1[1] = x2;
643  out1[2] = x3;
644  out1[3] = x4;
645  out1[4] = x5;
646  out1[5] = x6;
647  out1[6] = x7;
648  out1[7] = x8;
649  out1[8] = x9;
650  out1[9] = x10;
651}
652
653/// The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
654///
655/// Postconditions:
656///   out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
657///
658/// Output Bounds:
659///   out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
660#[inline]
661pub fn fiat_25519_to_bytes(out1: &mut [u8; 32], arg1: &fiat_25519_tight_field_element) {
662  let mut x1: u32 = 0;
663  let mut x2: fiat_25519_u1 = 0;
664  fiat_25519_subborrowx_u26(&mut x1, &mut x2, 0x0, (arg1[0]), 0x3ffffed);
665  let mut x3: u32 = 0;
666  let mut x4: fiat_25519_u1 = 0;
667  fiat_25519_subborrowx_u25(&mut x3, &mut x4, x2, (arg1[1]), 0x1ffffff);
668  let mut x5: u32 = 0;
669  let mut x6: fiat_25519_u1 = 0;
670  fiat_25519_subborrowx_u26(&mut x5, &mut x6, x4, (arg1[2]), 0x3ffffff);
671  let mut x7: u32 = 0;
672  let mut x8: fiat_25519_u1 = 0;
673  fiat_25519_subborrowx_u25(&mut x7, &mut x8, x6, (arg1[3]), 0x1ffffff);
674  let mut x9: u32 = 0;
675  let mut x10: fiat_25519_u1 = 0;
676  fiat_25519_subborrowx_u26(&mut x9, &mut x10, x8, (arg1[4]), 0x3ffffff);
677  let mut x11: u32 = 0;
678  let mut x12: fiat_25519_u1 = 0;
679  fiat_25519_subborrowx_u25(&mut x11, &mut x12, x10, (arg1[5]), 0x1ffffff);
680  let mut x13: u32 = 0;
681  let mut x14: fiat_25519_u1 = 0;
682  fiat_25519_subborrowx_u26(&mut x13, &mut x14, x12, (arg1[6]), 0x3ffffff);
683  let mut x15: u32 = 0;
684  let mut x16: fiat_25519_u1 = 0;
685  fiat_25519_subborrowx_u25(&mut x15, &mut x16, x14, (arg1[7]), 0x1ffffff);
686  let mut x17: u32 = 0;
687  let mut x18: fiat_25519_u1 = 0;
688  fiat_25519_subborrowx_u26(&mut x17, &mut x18, x16, (arg1[8]), 0x3ffffff);
689  let mut x19: u32 = 0;
690  let mut x20: fiat_25519_u1 = 0;
691  fiat_25519_subborrowx_u25(&mut x19, &mut x20, x18, (arg1[9]), 0x1ffffff);
692  let mut x21: u32 = 0;
693  fiat_25519_cmovznz_u32(&mut x21, x20, (0x0 as u32), 0xffffffff);
694  let mut x22: u32 = 0;
695  let mut x23: fiat_25519_u1 = 0;
696  fiat_25519_addcarryx_u26(&mut x22, &mut x23, 0x0, x1, (x21 & 0x3ffffed));
697  let mut x24: u32 = 0;
698  let mut x25: fiat_25519_u1 = 0;
699  fiat_25519_addcarryx_u25(&mut x24, &mut x25, x23, x3, (x21 & 0x1ffffff));
700  let mut x26: u32 = 0;
701  let mut x27: fiat_25519_u1 = 0;
702  fiat_25519_addcarryx_u26(&mut x26, &mut x27, x25, x5, (x21 & 0x3ffffff));
703  let mut x28: u32 = 0;
704  let mut x29: fiat_25519_u1 = 0;
705  fiat_25519_addcarryx_u25(&mut x28, &mut x29, x27, x7, (x21 & 0x1ffffff));
706  let mut x30: u32 = 0;
707  let mut x31: fiat_25519_u1 = 0;
708  fiat_25519_addcarryx_u26(&mut x30, &mut x31, x29, x9, (x21 & 0x3ffffff));
709  let mut x32: u32 = 0;
710  let mut x33: fiat_25519_u1 = 0;
711  fiat_25519_addcarryx_u25(&mut x32, &mut x33, x31, x11, (x21 & 0x1ffffff));
712  let mut x34: u32 = 0;
713  let mut x35: fiat_25519_u1 = 0;
714  fiat_25519_addcarryx_u26(&mut x34, &mut x35, x33, x13, (x21 & 0x3ffffff));
715  let mut x36: u32 = 0;
716  let mut x37: fiat_25519_u1 = 0;
717  fiat_25519_addcarryx_u25(&mut x36, &mut x37, x35, x15, (x21 & 0x1ffffff));
718  let mut x38: u32 = 0;
719  let mut x39: fiat_25519_u1 = 0;
720  fiat_25519_addcarryx_u26(&mut x38, &mut x39, x37, x17, (x21 & 0x3ffffff));
721  let mut x40: u32 = 0;
722  let mut x41: fiat_25519_u1 = 0;
723  fiat_25519_addcarryx_u25(&mut x40, &mut x41, x39, x19, (x21 & 0x1ffffff));
724  let x42: u32 = (x40 << 6);
725  let x43: u32 = (x38 << 4);
726  let x44: u32 = (x36 << 3);
727  let x45: u32 = (x34 * (0x2 as u32));
728  let x46: u32 = (x30 << 6);
729  let x47: u32 = (x28 << 5);
730  let x48: u32 = (x26 << 3);
731  let x49: u32 = (x24 << 2);
732  let x50: u8 = ((x22 & (0xff as u32)) as u8);
733  let x51: u32 = (x22 >> 8);
734  let x52: u8 = ((x51 & (0xff as u32)) as u8);
735  let x53: u32 = (x51 >> 8);
736  let x54: u8 = ((x53 & (0xff as u32)) as u8);
737  let x55: u8 = ((x53 >> 8) as u8);
738  let x56: u32 = (x49 + (x55 as u32));
739  let x57: u8 = ((x56 & (0xff as u32)) as u8);
740  let x58: u32 = (x56 >> 8);
741  let x59: u8 = ((x58 & (0xff as u32)) as u8);
742  let x60: u32 = (x58 >> 8);
743  let x61: u8 = ((x60 & (0xff as u32)) as u8);
744  let x62: u8 = ((x60 >> 8) as u8);
745  let x63: u32 = (x48 + (x62 as u32));
746  let x64: u8 = ((x63 & (0xff as u32)) as u8);
747  let x65: u32 = (x63 >> 8);
748  let x66: u8 = ((x65 & (0xff as u32)) as u8);
749  let x67: u32 = (x65 >> 8);
750  let x68: u8 = ((x67 & (0xff as u32)) as u8);
751  let x69: u8 = ((x67 >> 8) as u8);
752  let x70: u32 = (x47 + (x69 as u32));
753  let x71: u8 = ((x70 & (0xff as u32)) as u8);
754  let x72: u32 = (x70 >> 8);
755  let x73: u8 = ((x72 & (0xff as u32)) as u8);
756  let x74: u32 = (x72 >> 8);
757  let x75: u8 = ((x74 & (0xff as u32)) as u8);
758  let x76: u8 = ((x74 >> 8) as u8);
759  let x77: u32 = (x46 + (x76 as u32));
760  let x78: u8 = ((x77 & (0xff as u32)) as u8);
761  let x79: u32 = (x77 >> 8);
762  let x80: u8 = ((x79 & (0xff as u32)) as u8);
763  let x81: u32 = (x79 >> 8);
764  let x82: u8 = ((x81 & (0xff as u32)) as u8);
765  let x83: u8 = ((x81 >> 8) as u8);
766  let x84: u8 = ((x32 & (0xff as u32)) as u8);
767  let x85: u32 = (x32 >> 8);
768  let x86: u8 = ((x85 & (0xff as u32)) as u8);
769  let x87: u32 = (x85 >> 8);
770  let x88: u8 = ((x87 & (0xff as u32)) as u8);
771  let x89: fiat_25519_u1 = ((x87 >> 8) as fiat_25519_u1);
772  let x90: u32 = (x45 + (x89 as u32));
773  let x91: u8 = ((x90 & (0xff as u32)) as u8);
774  let x92: u32 = (x90 >> 8);
775  let x93: u8 = ((x92 & (0xff as u32)) as u8);
776  let x94: u32 = (x92 >> 8);
777  let x95: u8 = ((x94 & (0xff as u32)) as u8);
778  let x96: u8 = ((x94 >> 8) as u8);
779  let x97: u32 = (x44 + (x96 as u32));
780  let x98: u8 = ((x97 & (0xff as u32)) as u8);
781  let x99: u32 = (x97 >> 8);
782  let x100: u8 = ((x99 & (0xff as u32)) as u8);
783  let x101: u32 = (x99 >> 8);
784  let x102: u8 = ((x101 & (0xff as u32)) as u8);
785  let x103: u8 = ((x101 >> 8) as u8);
786  let x104: u32 = (x43 + (x103 as u32));
787  let x105: u8 = ((x104 & (0xff as u32)) as u8);
788  let x106: u32 = (x104 >> 8);
789  let x107: u8 = ((x106 & (0xff as u32)) as u8);
790  let x108: u32 = (x106 >> 8);
791  let x109: u8 = ((x108 & (0xff as u32)) as u8);
792  let x110: u8 = ((x108 >> 8) as u8);
793  let x111: u32 = (x42 + (x110 as u32));
794  let x112: u8 = ((x111 & (0xff as u32)) as u8);
795  let x113: u32 = (x111 >> 8);
796  let x114: u8 = ((x113 & (0xff as u32)) as u8);
797  let x115: u32 = (x113 >> 8);
798  let x116: u8 = ((x115 & (0xff as u32)) as u8);
799  let x117: u8 = ((x115 >> 8) as u8);
800  out1[0] = x50;
801  out1[1] = x52;
802  out1[2] = x54;
803  out1[3] = x57;
804  out1[4] = x59;
805  out1[5] = x61;
806  out1[6] = x64;
807  out1[7] = x66;
808  out1[8] = x68;
809  out1[9] = x71;
810  out1[10] = x73;
811  out1[11] = x75;
812  out1[12] = x78;
813  out1[13] = x80;
814  out1[14] = x82;
815  out1[15] = x83;
816  out1[16] = x84;
817  out1[17] = x86;
818  out1[18] = x88;
819  out1[19] = x91;
820  out1[20] = x93;
821  out1[21] = x95;
822  out1[22] = x98;
823  out1[23] = x100;
824  out1[24] = x102;
825  out1[25] = x105;
826  out1[26] = x107;
827  out1[27] = x109;
828  out1[28] = x112;
829  out1[29] = x114;
830  out1[30] = x116;
831  out1[31] = x117;
832}
833
834/// The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
835///
836/// Postconditions:
837///   eval out1 mod m = bytes_eval arg1 mod m
838///
839/// Input Bounds:
840///   arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
841#[inline]
842pub fn fiat_25519_from_bytes(out1: &mut fiat_25519_tight_field_element, arg1: &[u8; 32]) {
843  let x1: u32 = (((arg1[31]) as u32) << 18);
844  let x2: u32 = (((arg1[30]) as u32) << 10);
845  let x3: u32 = (((arg1[29]) as u32) << 2);
846  let x4: u32 = (((arg1[28]) as u32) << 20);
847  let x5: u32 = (((arg1[27]) as u32) << 12);
848  let x6: u32 = (((arg1[26]) as u32) << 4);
849  let x7: u32 = (((arg1[25]) as u32) << 21);
850  let x8: u32 = (((arg1[24]) as u32) << 13);
851  let x9: u32 = (((arg1[23]) as u32) << 5);
852  let x10: u32 = (((arg1[22]) as u32) << 23);
853  let x11: u32 = (((arg1[21]) as u32) << 15);
854  let x12: u32 = (((arg1[20]) as u32) << 7);
855  let x13: u32 = (((arg1[19]) as u32) << 24);
856  let x14: u32 = (((arg1[18]) as u32) << 16);
857  let x15: u32 = (((arg1[17]) as u32) << 8);
858  let x16: u8 = (arg1[16]);
859  let x17: u32 = (((arg1[15]) as u32) << 18);
860  let x18: u32 = (((arg1[14]) as u32) << 10);
861  let x19: u32 = (((arg1[13]) as u32) << 2);
862  let x20: u32 = (((arg1[12]) as u32) << 19);
863  let x21: u32 = (((arg1[11]) as u32) << 11);
864  let x22: u32 = (((arg1[10]) as u32) << 3);
865  let x23: u32 = (((arg1[9]) as u32) << 21);
866  let x24: u32 = (((arg1[8]) as u32) << 13);
867  let x25: u32 = (((arg1[7]) as u32) << 5);
868  let x26: u32 = (((arg1[6]) as u32) << 22);
869  let x27: u32 = (((arg1[5]) as u32) << 14);
870  let x28: u32 = (((arg1[4]) as u32) << 6);
871  let x29: u32 = (((arg1[3]) as u32) << 24);
872  let x30: u32 = (((arg1[2]) as u32) << 16);
873  let x31: u32 = (((arg1[1]) as u32) << 8);
874  let x32: u8 = (arg1[0]);
875  let x33: u32 = (x31 + (x32 as u32));
876  let x34: u32 = (x30 + x33);
877  let x35: u32 = (x29 + x34);
878  let x36: u32 = (x35 & 0x3ffffff);
879  let x37: u8 = ((x35 >> 26) as u8);
880  let x38: u32 = (x28 + (x37 as u32));
881  let x39: u32 = (x27 + x38);
882  let x40: u32 = (x26 + x39);
883  let x41: u32 = (x40 & 0x1ffffff);
884  let x42: u8 = ((x40 >> 25) as u8);
885  let x43: u32 = (x25 + (x42 as u32));
886  let x44: u32 = (x24 + x43);
887  let x45: u32 = (x23 + x44);
888  let x46: u32 = (x45 & 0x3ffffff);
889  let x47: u8 = ((x45 >> 26) as u8);
890  let x48: u32 = (x22 + (x47 as u32));
891  let x49: u32 = (x21 + x48);
892  let x50: u32 = (x20 + x49);
893  let x51: u32 = (x50 & 0x1ffffff);
894  let x52: u8 = ((x50 >> 25) as u8);
895  let x53: u32 = (x19 + (x52 as u32));
896  let x54: u32 = (x18 + x53);
897  let x55: u32 = (x17 + x54);
898  let x56: u32 = (x15 + (x16 as u32));
899  let x57: u32 = (x14 + x56);
900  let x58: u32 = (x13 + x57);
901  let x59: u32 = (x58 & 0x1ffffff);
902  let x60: u8 = ((x58 >> 25) as u8);
903  let x61: u32 = (x12 + (x60 as u32));
904  let x62: u32 = (x11 + x61);
905  let x63: u32 = (x10 + x62);
906  let x64: u32 = (x63 & 0x3ffffff);
907  let x65: u8 = ((x63 >> 26) as u8);
908  let x66: u32 = (x9 + (x65 as u32));
909  let x67: u32 = (x8 + x66);
910  let x68: u32 = (x7 + x67);
911  let x69: u32 = (x68 & 0x1ffffff);
912  let x70: u8 = ((x68 >> 25) as u8);
913  let x71: u32 = (x6 + (x70 as u32));
914  let x72: u32 = (x5 + x71);
915  let x73: u32 = (x4 + x72);
916  let x74: u32 = (x73 & 0x3ffffff);
917  let x75: u8 = ((x73 >> 26) as u8);
918  let x76: u32 = (x3 + (x75 as u32));
919  let x77: u32 = (x2 + x76);
920  let x78: u32 = (x1 + x77);
921  out1[0] = x36;
922  out1[1] = x41;
923  out1[2] = x46;
924  out1[3] = x51;
925  out1[4] = x55;
926  out1[5] = x59;
927  out1[6] = x64;
928  out1[7] = x69;
929  out1[8] = x74;
930  out1[9] = x78;
931}
932
933/// The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.
934///
935/// Postconditions:
936///   out1 = arg1
937///
938#[inline]
939pub fn fiat_25519_relax(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element) {
940  let x1: u32 = (arg1[0]);
941  let x2: u32 = (arg1[1]);
942  let x3: u32 = (arg1[2]);
943  let x4: u32 = (arg1[3]);
944  let x5: u32 = (arg1[4]);
945  let x6: u32 = (arg1[5]);
946  let x7: u32 = (arg1[6]);
947  let x8: u32 = (arg1[7]);
948  let x9: u32 = (arg1[8]);
949  let x10: u32 = (arg1[9]);
950  out1[0] = x1;
951  out1[1] = x2;
952  out1[2] = x3;
953  out1[3] = x4;
954  out1[4] = x5;
955  out1[5] = x6;
956  out1[6] = x7;
957  out1[7] = x8;
958  out1[8] = x9;
959  out1[9] = x10;
960}
961
962/// The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
963///
964/// Postconditions:
965///   eval out1 mod m = (121666 * eval arg1) mod m
966///
967#[inline]
968pub fn fiat_25519_carry_scmul_121666(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element) {
969  let x1: u64 = ((0x1db42 as u64) * ((arg1[9]) as u64));
970  let x2: u64 = ((0x1db42 as u64) * ((arg1[8]) as u64));
971  let x3: u64 = ((0x1db42 as u64) * ((arg1[7]) as u64));
972  let x4: u64 = ((0x1db42 as u64) * ((arg1[6]) as u64));
973  let x5: u64 = ((0x1db42 as u64) * ((arg1[5]) as u64));
974  let x6: u64 = ((0x1db42 as u64) * ((arg1[4]) as u64));
975  let x7: u64 = ((0x1db42 as u64) * ((arg1[3]) as u64));
976  let x8: u64 = ((0x1db42 as u64) * ((arg1[2]) as u64));
977  let x9: u64 = ((0x1db42 as u64) * ((arg1[1]) as u64));
978  let x10: u64 = ((0x1db42 as u64) * ((arg1[0]) as u64));
979  let x11: u32 = ((x10 >> 26) as u32);
980  let x12: u32 = ((x10 & (0x3ffffff as u64)) as u32);
981  let x13: u64 = ((x11 as u64) + x9);
982  let x14: u32 = ((x13 >> 25) as u32);
983  let x15: u32 = ((x13 & (0x1ffffff as u64)) as u32);
984  let x16: u64 = ((x14 as u64) + x8);
985  let x17: u32 = ((x16 >> 26) as u32);
986  let x18: u32 = ((x16 & (0x3ffffff as u64)) as u32);
987  let x19: u64 = ((x17 as u64) + x7);
988  let x20: u32 = ((x19 >> 25) as u32);
989  let x21: u32 = ((x19 & (0x1ffffff as u64)) as u32);
990  let x22: u64 = ((x20 as u64) + x6);
991  let x23: u32 = ((x22 >> 26) as u32);
992  let x24: u32 = ((x22 & (0x3ffffff as u64)) as u32);
993  let x25: u64 = ((x23 as u64) + x5);
994  let x26: u32 = ((x25 >> 25) as u32);
995  let x27: u32 = ((x25 & (0x1ffffff as u64)) as u32);
996  let x28: u64 = ((x26 as u64) + x4);
997  let x29: u32 = ((x28 >> 26) as u32);
998  let x30: u32 = ((x28 & (0x3ffffff as u64)) as u32);
999  let x31: u64 = ((x29 as u64) + x3);
1000  let x32: u32 = ((x31 >> 25) as u32);
1001  let x33: u32 = ((x31 & (0x1ffffff as u64)) as u32);
1002  let x34: u64 = ((x32 as u64) + x2);
1003  let x35: u32 = ((x34 >> 26) as u32);
1004  let x36: u32 = ((x34 & (0x3ffffff as u64)) as u32);
1005  let x37: u64 = ((x35 as u64) + x1);
1006  let x38: u32 = ((x37 >> 25) as u32);
1007  let x39: u32 = ((x37 & (0x1ffffff as u64)) as u32);
1008  let x40: u32 = (x38 * 0x13);
1009  let x41: u32 = (x12 + x40);
1010  let x42: fiat_25519_u1 = ((x41 >> 26) as fiat_25519_u1);
1011  let x43: u32 = (x41 & 0x3ffffff);
1012  let x44: u32 = ((x42 as u32) + x15);
1013  let x45: fiat_25519_u1 = ((x44 >> 25) as fiat_25519_u1);
1014  let x46: u32 = (x44 & 0x1ffffff);
1015  let x47: u32 = ((x45 as u32) + x18);
1016  out1[0] = x43;
1017  out1[1] = x46;
1018  out1[2] = x47;
1019  out1[3] = x21;
1020  out1[4] = x24;
1021  out1[5] = x27;
1022  out1[6] = x30;
1023  out1[7] = x33;
1024  out1[8] = x36;
1025  out1[9] = x39;
1026}
fiat_crypto/curve25519_32.rs

fiat_crypto/
curve25519_32.rs
