fiat_crypto/
curve25519_64.rs

1//! Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Rust --inline 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666
2//! curve description: 25519
3//! machine_wordsize = 64 (from "64")
4//! requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666
5//! n = 5 (from "(auto)")
6//! s-c = 2^255 - [(1, 19)] (from "2^255 - 19")
7//! tight_bounds_multiplier = 1 (from "")
8//!
9//! Computed values:
10//!   carry_chain = [0, 1, 2, 3, 4, 0, 1]
11//!   eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204)
12//!   bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)
13//!   balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe]
14
15#![allow(unused_parens)]
16#![allow(non_camel_case_types)]
17
18/** fiat_25519_u1 represents values of 1 bits, stored in one byte. */
19pub type fiat_25519_u1 = u8;
20/** fiat_25519_i1 represents values of 1 bits, stored in one byte. */
21pub type fiat_25519_i1 = i8;
22/** fiat_25519_u2 represents values of 2 bits, stored in one byte. */
23pub type fiat_25519_u2 = u8;
24/** fiat_25519_i2 represents values of 2 bits, stored in one byte. */
25pub type fiat_25519_i2 = i8;
26
27/** The type fiat_25519_loose_field_element is a field element with loose bounds. */
28/** Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */
29#[derive(Clone, Copy)]
30pub struct fiat_25519_loose_field_element(pub [u64; 5]);
31
32impl core::ops::Index<usize> for fiat_25519_loose_field_element {
33    type Output = u64;
34    #[inline]
35    fn index(&self, index: usize) -> &Self::Output {
36        &self.0[index]
37    }
38}
39
40impl core::ops::IndexMut<usize> for fiat_25519_loose_field_element {
41    #[inline]
42    fn index_mut(&mut self, index: usize) -> &mut Self::Output {
43        &mut self.0[index]
44    }
45}
46
47/** The type fiat_25519_tight_field_element is a field element with tight bounds. */
48/** Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */
49#[derive(Clone, Copy)]
50pub struct fiat_25519_tight_field_element(pub [u64; 5]);
51
52impl core::ops::Index<usize> for fiat_25519_tight_field_element {
53    type Output = u64;
54    #[inline]
55    fn index(&self, index: usize) -> &Self::Output {
56        &self.0[index]
57    }
58}
59
60impl core::ops::IndexMut<usize> for fiat_25519_tight_field_element {
61    #[inline]
62    fn index_mut(&mut self, index: usize) -> &mut Self::Output {
63        &mut self.0[index]
64    }
65}
66
67
68/// The function fiat_25519_addcarryx_u51 is an addition with carry.
69///
70/// Postconditions:
71///   out1 = (arg1 + arg2 + arg3) mod 2^51
72///   out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋
73///
74/// Input Bounds:
75///   arg1: [0x0 ~> 0x1]
76///   arg2: [0x0 ~> 0x7ffffffffffff]
77///   arg3: [0x0 ~> 0x7ffffffffffff]
78/// Output Bounds:
79///   out1: [0x0 ~> 0x7ffffffffffff]
80///   out2: [0x0 ~> 0x1]
81#[inline]
82pub fn fiat_25519_addcarryx_u51(out1: &mut u64, out2: &mut fiat_25519_u1, arg1: fiat_25519_u1, arg2: u64, arg3: u64) {
83  let x1: u64 = (((arg1 as u64) + arg2) + arg3);
84  let x2: u64 = (x1 & 0x7ffffffffffff);
85  let x3: fiat_25519_u1 = ((x1 >> 51) as fiat_25519_u1);
86  *out1 = x2;
87  *out2 = x3;
88}
89
90/// The function fiat_25519_subborrowx_u51 is a subtraction with borrow.
91///
92/// Postconditions:
93///   out1 = (-arg1 + arg2 + -arg3) mod 2^51
94///   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋
95///
96/// Input Bounds:
97///   arg1: [0x0 ~> 0x1]
98///   arg2: [0x0 ~> 0x7ffffffffffff]
99///   arg3: [0x0 ~> 0x7ffffffffffff]
100/// Output Bounds:
101///   out1: [0x0 ~> 0x7ffffffffffff]
102///   out2: [0x0 ~> 0x1]
103#[inline]
104pub fn fiat_25519_subborrowx_u51(out1: &mut u64, out2: &mut fiat_25519_u1, arg1: fiat_25519_u1, arg2: u64, arg3: u64) {
105  let x1: i64 = ((((((arg2 as i128) - (arg1 as i128)) as i64) as i128) - (arg3 as i128)) as i64);
106  let x2: fiat_25519_i1 = ((x1 >> 51) as fiat_25519_i1);
107  let x3: u64 = (((x1 as i128) & (0x7ffffffffffff as i128)) as u64);
108  *out1 = x3;
109  *out2 = (((0x0 as fiat_25519_i2) - (x2 as fiat_25519_i2)) as fiat_25519_u1);
110}
111
112/// The function fiat_25519_cmovznz_u64 is a single-word conditional move.
113///
114/// Postconditions:
115///   out1 = (if arg1 = 0 then arg2 else arg3)
116///
117/// Input Bounds:
118///   arg1: [0x0 ~> 0x1]
119///   arg2: [0x0 ~> 0xffffffffffffffff]
120///   arg3: [0x0 ~> 0xffffffffffffffff]
121/// Output Bounds:
122///   out1: [0x0 ~> 0xffffffffffffffff]
123#[inline]
124pub fn fiat_25519_cmovznz_u64(out1: &mut u64, arg1: fiat_25519_u1, arg2: u64, arg3: u64) {
125  let x1: fiat_25519_u1 = (!(!arg1));
126  let x2: u64 = ((((((0x0 as fiat_25519_i2) - (x1 as fiat_25519_i2)) as fiat_25519_i1) as i128) & (0xffffffffffffffff as i128)) as u64);
127  let x3: u64 = ((x2 & arg3) | ((!x2) & arg2));
128  *out1 = x3;
129}
130
131/// The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
132///
133/// Postconditions:
134///   eval out1 mod m = (eval arg1 * eval arg2) mod m
135///
136#[inline]
137pub fn fiat_25519_carry_mul(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element, arg2: &fiat_25519_loose_field_element) {
138  let x1: u128 = (((arg1[4]) as u128) * (((arg2[4]) * 0x13) as u128));
139  let x2: u128 = (((arg1[4]) as u128) * (((arg2[3]) * 0x13) as u128));
140  let x3: u128 = (((arg1[4]) as u128) * (((arg2[2]) * 0x13) as u128));
141  let x4: u128 = (((arg1[4]) as u128) * (((arg2[1]) * 0x13) as u128));
142  let x5: u128 = (((arg1[3]) as u128) * (((arg2[4]) * 0x13) as u128));
143  let x6: u128 = (((arg1[3]) as u128) * (((arg2[3]) * 0x13) as u128));
144  let x7: u128 = (((arg1[3]) as u128) * (((arg2[2]) * 0x13) as u128));
145  let x8: u128 = (((arg1[2]) as u128) * (((arg2[4]) * 0x13) as u128));
146  let x9: u128 = (((arg1[2]) as u128) * (((arg2[3]) * 0x13) as u128));
147  let x10: u128 = (((arg1[1]) as u128) * (((arg2[4]) * 0x13) as u128));
148  let x11: u128 = (((arg1[4]) as u128) * ((arg2[0]) as u128));
149  let x12: u128 = (((arg1[3]) as u128) * ((arg2[1]) as u128));
150  let x13: u128 = (((arg1[3]) as u128) * ((arg2[0]) as u128));
151  let x14: u128 = (((arg1[2]) as u128) * ((arg2[2]) as u128));
152  let x15: u128 = (((arg1[2]) as u128) * ((arg2[1]) as u128));
153  let x16: u128 = (((arg1[2]) as u128) * ((arg2[0]) as u128));
154  let x17: u128 = (((arg1[1]) as u128) * ((arg2[3]) as u128));
155  let x18: u128 = (((arg1[1]) as u128) * ((arg2[2]) as u128));
156  let x19: u128 = (((arg1[1]) as u128) * ((arg2[1]) as u128));
157  let x20: u128 = (((arg1[1]) as u128) * ((arg2[0]) as u128));
158  let x21: u128 = (((arg1[0]) as u128) * ((arg2[4]) as u128));
159  let x22: u128 = (((arg1[0]) as u128) * ((arg2[3]) as u128));
160  let x23: u128 = (((arg1[0]) as u128) * ((arg2[2]) as u128));
161  let x24: u128 = (((arg1[0]) as u128) * ((arg2[1]) as u128));
162  let x25: u128 = (((arg1[0]) as u128) * ((arg2[0]) as u128));
163  let x26: u128 = (x25 + (x10 + (x9 + (x7 + x4))));
164  let x27: u64 = ((x26 >> 51) as u64);
165  let x28: u64 = ((x26 & (0x7ffffffffffff as u128)) as u64);
166  let x29: u128 = (x21 + (x17 + (x14 + (x12 + x11))));
167  let x30: u128 = (x22 + (x18 + (x15 + (x13 + x1))));
168  let x31: u128 = (x23 + (x19 + (x16 + (x5 + x2))));
169  let x32: u128 = (x24 + (x20 + (x8 + (x6 + x3))));
170  let x33: u128 = ((x27 as u128) + x32);
171  let x34: u64 = ((x33 >> 51) as u64);
172  let x35: u64 = ((x33 & (0x7ffffffffffff as u128)) as u64);
173  let x36: u128 = ((x34 as u128) + x31);
174  let x37: u64 = ((x36 >> 51) as u64);
175  let x38: u64 = ((x36 & (0x7ffffffffffff as u128)) as u64);
176  let x39: u128 = ((x37 as u128) + x30);
177  let x40: u64 = ((x39 >> 51) as u64);
178  let x41: u64 = ((x39 & (0x7ffffffffffff as u128)) as u64);
179  let x42: u128 = ((x40 as u128) + x29);
180  let x43: u64 = ((x42 >> 51) as u64);
181  let x44: u64 = ((x42 & (0x7ffffffffffff as u128)) as u64);
182  let x45: u64 = (x43 * 0x13);
183  let x46: u64 = (x28 + x45);
184  let x47: u64 = (x46 >> 51);
185  let x48: u64 = (x46 & 0x7ffffffffffff);
186  let x49: u64 = (x47 + x35);
187  let x50: fiat_25519_u1 = ((x49 >> 51) as fiat_25519_u1);
188  let x51: u64 = (x49 & 0x7ffffffffffff);
189  let x52: u64 = ((x50 as u64) + x38);
190  out1[0] = x48;
191  out1[1] = x51;
192  out1[2] = x52;
193  out1[3] = x41;
194  out1[4] = x44;
195}
196
197/// The function fiat_25519_carry_square squares a field element and reduces the result.
198///
199/// Postconditions:
200///   eval out1 mod m = (eval arg1 * eval arg1) mod m
201///
202#[inline]
203pub fn fiat_25519_carry_square(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element) {
204  let x1: u64 = ((arg1[4]) * 0x13);
205  let x2: u64 = (x1 * 0x2);
206  let x3: u64 = ((arg1[4]) * 0x2);
207  let x4: u64 = ((arg1[3]) * 0x13);
208  let x5: u64 = (x4 * 0x2);
209  let x6: u64 = ((arg1[3]) * 0x2);
210  let x7: u64 = ((arg1[2]) * 0x2);
211  let x8: u64 = ((arg1[1]) * 0x2);
212  let x9: u128 = (((arg1[4]) as u128) * (x1 as u128));
213  let x10: u128 = (((arg1[3]) as u128) * (x2 as u128));
214  let x11: u128 = (((arg1[3]) as u128) * (x4 as u128));
215  let x12: u128 = (((arg1[2]) as u128) * (x2 as u128));
216  let x13: u128 = (((arg1[2]) as u128) * (x5 as u128));
217  let x14: u128 = (((arg1[2]) as u128) * ((arg1[2]) as u128));
218  let x15: u128 = (((arg1[1]) as u128) * (x2 as u128));
219  let x16: u128 = (((arg1[1]) as u128) * (x6 as u128));
220  let x17: u128 = (((arg1[1]) as u128) * (x7 as u128));
221  let x18: u128 = (((arg1[1]) as u128) * ((arg1[1]) as u128));
222  let x19: u128 = (((arg1[0]) as u128) * (x3 as u128));
223  let x20: u128 = (((arg1[0]) as u128) * (x6 as u128));
224  let x21: u128 = (((arg1[0]) as u128) * (x7 as u128));
225  let x22: u128 = (((arg1[0]) as u128) * (x8 as u128));
226  let x23: u128 = (((arg1[0]) as u128) * ((arg1[0]) as u128));
227  let x24: u128 = (x23 + (x15 + x13));
228  let x25: u64 = ((x24 >> 51) as u64);
229  let x26: u64 = ((x24 & (0x7ffffffffffff as u128)) as u64);
230  let x27: u128 = (x19 + (x16 + x14));
231  let x28: u128 = (x20 + (x17 + x9));
232  let x29: u128 = (x21 + (x18 + x10));
233  let x30: u128 = (x22 + (x12 + x11));
234  let x31: u128 = ((x25 as u128) + x30);
235  let x32: u64 = ((x31 >> 51) as u64);
236  let x33: u64 = ((x31 & (0x7ffffffffffff as u128)) as u64);
237  let x34: u128 = ((x32 as u128) + x29);
238  let x35: u64 = ((x34 >> 51) as u64);
239  let x36: u64 = ((x34 & (0x7ffffffffffff as u128)) as u64);
240  let x37: u128 = ((x35 as u128) + x28);
241  let x38: u64 = ((x37 >> 51) as u64);
242  let x39: u64 = ((x37 & (0x7ffffffffffff as u128)) as u64);
243  let x40: u128 = ((x38 as u128) + x27);
244  let x41: u64 = ((x40 >> 51) as u64);
245  let x42: u64 = ((x40 & (0x7ffffffffffff as u128)) as u64);
246  let x43: u64 = (x41 * 0x13);
247  let x44: u64 = (x26 + x43);
248  let x45: u64 = (x44 >> 51);
249  let x46: u64 = (x44 & 0x7ffffffffffff);
250  let x47: u64 = (x45 + x33);
251  let x48: fiat_25519_u1 = ((x47 >> 51) as fiat_25519_u1);
252  let x49: u64 = (x47 & 0x7ffffffffffff);
253  let x50: u64 = ((x48 as u64) + x36);
254  out1[0] = x46;
255  out1[1] = x49;
256  out1[2] = x50;
257  out1[3] = x39;
258  out1[4] = x42;
259}
260
261/// The function fiat_25519_carry reduces a field element.
262///
263/// Postconditions:
264///   eval out1 mod m = eval arg1 mod m
265///
266#[inline]
267pub fn fiat_25519_carry(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element) {
268  let x1: u64 = (arg1[0]);
269  let x2: u64 = ((x1 >> 51) + (arg1[1]));
270  let x3: u64 = ((x2 >> 51) + (arg1[2]));
271  let x4: u64 = ((x3 >> 51) + (arg1[3]));
272  let x5: u64 = ((x4 >> 51) + (arg1[4]));
273  let x6: u64 = ((x1 & 0x7ffffffffffff) + ((x5 >> 51) * 0x13));
274  let x7: u64 = ((((x6 >> 51) as fiat_25519_u1) as u64) + (x2 & 0x7ffffffffffff));
275  let x8: u64 = (x6 & 0x7ffffffffffff);
276  let x9: u64 = (x7 & 0x7ffffffffffff);
277  let x10: u64 = ((((x7 >> 51) as fiat_25519_u1) as u64) + (x3 & 0x7ffffffffffff));
278  let x11: u64 = (x4 & 0x7ffffffffffff);
279  let x12: u64 = (x5 & 0x7ffffffffffff);
280  out1[0] = x8;
281  out1[1] = x9;
282  out1[2] = x10;
283  out1[3] = x11;
284  out1[4] = x12;
285}
286
287/// The function fiat_25519_add adds two field elements.
288///
289/// Postconditions:
290///   eval out1 mod m = (eval arg1 + eval arg2) mod m
291///
292#[inline]
293pub fn fiat_25519_add(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element, arg2: &fiat_25519_tight_field_element) {
294  let x1: u64 = ((arg1[0]) + (arg2[0]));
295  let x2: u64 = ((arg1[1]) + (arg2[1]));
296  let x3: u64 = ((arg1[2]) + (arg2[2]));
297  let x4: u64 = ((arg1[3]) + (arg2[3]));
298  let x5: u64 = ((arg1[4]) + (arg2[4]));
299  out1[0] = x1;
300  out1[1] = x2;
301  out1[2] = x3;
302  out1[3] = x4;
303  out1[4] = x5;
304}
305
306/// The function fiat_25519_sub subtracts two field elements.
307///
308/// Postconditions:
309///   eval out1 mod m = (eval arg1 - eval arg2) mod m
310///
311#[inline]
312pub fn fiat_25519_sub(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element, arg2: &fiat_25519_tight_field_element) {
313  let x1: u64 = ((0xfffffffffffda + (arg1[0])) - (arg2[0]));
314  let x2: u64 = ((0xffffffffffffe + (arg1[1])) - (arg2[1]));
315  let x3: u64 = ((0xffffffffffffe + (arg1[2])) - (arg2[2]));
316  let x4: u64 = ((0xffffffffffffe + (arg1[3])) - (arg2[3]));
317  let x5: u64 = ((0xffffffffffffe + (arg1[4])) - (arg2[4]));
318  out1[0] = x1;
319  out1[1] = x2;
320  out1[2] = x3;
321  out1[3] = x4;
322  out1[4] = x5;
323}
324
325/// The function fiat_25519_opp negates a field element.
326///
327/// Postconditions:
328///   eval out1 mod m = -eval arg1 mod m
329///
330#[inline]
331pub fn fiat_25519_opp(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element) {
332  let x1: u64 = (0xfffffffffffda - (arg1[0]));
333  let x2: u64 = (0xffffffffffffe - (arg1[1]));
334  let x3: u64 = (0xffffffffffffe - (arg1[2]));
335  let x4: u64 = (0xffffffffffffe - (arg1[3]));
336  let x5: u64 = (0xffffffffffffe - (arg1[4]));
337  out1[0] = x1;
338  out1[1] = x2;
339  out1[2] = x3;
340  out1[3] = x4;
341  out1[4] = x5;
342}
343
344/// The function fiat_25519_selectznz is a multi-limb conditional select.
345///
346/// Postconditions:
347///   out1 = (if arg1 = 0 then arg2 else arg3)
348///
349/// Input Bounds:
350///   arg1: [0x0 ~> 0x1]
351///   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
352///   arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
353/// Output Bounds:
354///   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
355#[inline]
356pub fn fiat_25519_selectznz(out1: &mut [u64; 5], arg1: fiat_25519_u1, arg2: &[u64; 5], arg3: &[u64; 5]) {
357  let mut x1: u64 = 0;
358  fiat_25519_cmovznz_u64(&mut x1, arg1, (arg2[0]), (arg3[0]));
359  let mut x2: u64 = 0;
360  fiat_25519_cmovznz_u64(&mut x2, arg1, (arg2[1]), (arg3[1]));
361  let mut x3: u64 = 0;
362  fiat_25519_cmovznz_u64(&mut x3, arg1, (arg2[2]), (arg3[2]));
363  let mut x4: u64 = 0;
364  fiat_25519_cmovznz_u64(&mut x4, arg1, (arg2[3]), (arg3[3]));
365  let mut x5: u64 = 0;
366  fiat_25519_cmovznz_u64(&mut x5, arg1, (arg2[4]), (arg3[4]));
367  out1[0] = x1;
368  out1[1] = x2;
369  out1[2] = x3;
370  out1[3] = x4;
371  out1[4] = x5;
372}
373
374/// The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
375///
376/// Postconditions:
377///   out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
378///
379/// Output Bounds:
380///   out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
381#[inline]
382pub fn fiat_25519_to_bytes(out1: &mut [u8; 32], arg1: &fiat_25519_tight_field_element) {
383  let mut x1: u64 = 0;
384  let mut x2: fiat_25519_u1 = 0;
385  fiat_25519_subborrowx_u51(&mut x1, &mut x2, 0x0, (arg1[0]), 0x7ffffffffffed);
386  let mut x3: u64 = 0;
387  let mut x4: fiat_25519_u1 = 0;
388  fiat_25519_subborrowx_u51(&mut x3, &mut x4, x2, (arg1[1]), 0x7ffffffffffff);
389  let mut x5: u64 = 0;
390  let mut x6: fiat_25519_u1 = 0;
391  fiat_25519_subborrowx_u51(&mut x5, &mut x6, x4, (arg1[2]), 0x7ffffffffffff);
392  let mut x7: u64 = 0;
393  let mut x8: fiat_25519_u1 = 0;
394  fiat_25519_subborrowx_u51(&mut x7, &mut x8, x6, (arg1[3]), 0x7ffffffffffff);
395  let mut x9: u64 = 0;
396  let mut x10: fiat_25519_u1 = 0;
397  fiat_25519_subborrowx_u51(&mut x9, &mut x10, x8, (arg1[4]), 0x7ffffffffffff);
398  let mut x11: u64 = 0;
399  fiat_25519_cmovznz_u64(&mut x11, x10, (0x0 as u64), 0xffffffffffffffff);
400  let mut x12: u64 = 0;
401  let mut x13: fiat_25519_u1 = 0;
402  fiat_25519_addcarryx_u51(&mut x12, &mut x13, 0x0, x1, (x11 & 0x7ffffffffffed));
403  let mut x14: u64 = 0;
404  let mut x15: fiat_25519_u1 = 0;
405  fiat_25519_addcarryx_u51(&mut x14, &mut x15, x13, x3, (x11 & 0x7ffffffffffff));
406  let mut x16: u64 = 0;
407  let mut x17: fiat_25519_u1 = 0;
408  fiat_25519_addcarryx_u51(&mut x16, &mut x17, x15, x5, (x11 & 0x7ffffffffffff));
409  let mut x18: u64 = 0;
410  let mut x19: fiat_25519_u1 = 0;
411  fiat_25519_addcarryx_u51(&mut x18, &mut x19, x17, x7, (x11 & 0x7ffffffffffff));
412  let mut x20: u64 = 0;
413  let mut x21: fiat_25519_u1 = 0;
414  fiat_25519_addcarryx_u51(&mut x20, &mut x21, x19, x9, (x11 & 0x7ffffffffffff));
415  let x22: u64 = (x20 << 4);
416  let x23: u64 = (x18 * (0x2 as u64));
417  let x24: u64 = (x16 << 6);
418  let x25: u64 = (x14 << 3);
419  let x26: u8 = ((x12 & (0xff as u64)) as u8);
420  let x27: u64 = (x12 >> 8);
421  let x28: u8 = ((x27 & (0xff as u64)) as u8);
422  let x29: u64 = (x27 >> 8);
423  let x30: u8 = ((x29 & (0xff as u64)) as u8);
424  let x31: u64 = (x29 >> 8);
425  let x32: u8 = ((x31 & (0xff as u64)) as u8);
426  let x33: u64 = (x31 >> 8);
427  let x34: u8 = ((x33 & (0xff as u64)) as u8);
428  let x35: u64 = (x33 >> 8);
429  let x36: u8 = ((x35 & (0xff as u64)) as u8);
430  let x37: u8 = ((x35 >> 8) as u8);
431  let x38: u64 = (x25 + (x37 as u64));
432  let x39: u8 = ((x38 & (0xff as u64)) as u8);
433  let x40: u64 = (x38 >> 8);
434  let x41: u8 = ((x40 & (0xff as u64)) as u8);
435  let x42: u64 = (x40 >> 8);
436  let x43: u8 = ((x42 & (0xff as u64)) as u8);
437  let x44: u64 = (x42 >> 8);
438  let x45: u8 = ((x44 & (0xff as u64)) as u8);
439  let x46: u64 = (x44 >> 8);
440  let x47: u8 = ((x46 & (0xff as u64)) as u8);
441  let x48: u64 = (x46 >> 8);
442  let x49: u8 = ((x48 & (0xff as u64)) as u8);
443  let x50: u8 = ((x48 >> 8) as u8);
444  let x51: u64 = (x24 + (x50 as u64));
445  let x52: u8 = ((x51 & (0xff as u64)) as u8);
446  let x53: u64 = (x51 >> 8);
447  let x54: u8 = ((x53 & (0xff as u64)) as u8);
448  let x55: u64 = (x53 >> 8);
449  let x56: u8 = ((x55 & (0xff as u64)) as u8);
450  let x57: u64 = (x55 >> 8);
451  let x58: u8 = ((x57 & (0xff as u64)) as u8);
452  let x59: u64 = (x57 >> 8);
453  let x60: u8 = ((x59 & (0xff as u64)) as u8);
454  let x61: u64 = (x59 >> 8);
455  let x62: u8 = ((x61 & (0xff as u64)) as u8);
456  let x63: u64 = (x61 >> 8);
457  let x64: u8 = ((x63 & (0xff as u64)) as u8);
458  let x65: fiat_25519_u1 = ((x63 >> 8) as fiat_25519_u1);
459  let x66: u64 = (x23 + (x65 as u64));
460  let x67: u8 = ((x66 & (0xff as u64)) as u8);
461  let x68: u64 = (x66 >> 8);
462  let x69: u8 = ((x68 & (0xff as u64)) as u8);
463  let x70: u64 = (x68 >> 8);
464  let x71: u8 = ((x70 & (0xff as u64)) as u8);
465  let x72: u64 = (x70 >> 8);
466  let x73: u8 = ((x72 & (0xff as u64)) as u8);
467  let x74: u64 = (x72 >> 8);
468  let x75: u8 = ((x74 & (0xff as u64)) as u8);
469  let x76: u64 = (x74 >> 8);
470  let x77: u8 = ((x76 & (0xff as u64)) as u8);
471  let x78: u8 = ((x76 >> 8) as u8);
472  let x79: u64 = (x22 + (x78 as u64));
473  let x80: u8 = ((x79 & (0xff as u64)) as u8);
474  let x81: u64 = (x79 >> 8);
475  let x82: u8 = ((x81 & (0xff as u64)) as u8);
476  let x83: u64 = (x81 >> 8);
477  let x84: u8 = ((x83 & (0xff as u64)) as u8);
478  let x85: u64 = (x83 >> 8);
479  let x86: u8 = ((x85 & (0xff as u64)) as u8);
480  let x87: u64 = (x85 >> 8);
481  let x88: u8 = ((x87 & (0xff as u64)) as u8);
482  let x89: u64 = (x87 >> 8);
483  let x90: u8 = ((x89 & (0xff as u64)) as u8);
484  let x91: u8 = ((x89 >> 8) as u8);
485  out1[0] = x26;
486  out1[1] = x28;
487  out1[2] = x30;
488  out1[3] = x32;
489  out1[4] = x34;
490  out1[5] = x36;
491  out1[6] = x39;
492  out1[7] = x41;
493  out1[8] = x43;
494  out1[9] = x45;
495  out1[10] = x47;
496  out1[11] = x49;
497  out1[12] = x52;
498  out1[13] = x54;
499  out1[14] = x56;
500  out1[15] = x58;
501  out1[16] = x60;
502  out1[17] = x62;
503  out1[18] = x64;
504  out1[19] = x67;
505  out1[20] = x69;
506  out1[21] = x71;
507  out1[22] = x73;
508  out1[23] = x75;
509  out1[24] = x77;
510  out1[25] = x80;
511  out1[26] = x82;
512  out1[27] = x84;
513  out1[28] = x86;
514  out1[29] = x88;
515  out1[30] = x90;
516  out1[31] = x91;
517}
518
519/// The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
520///
521/// Postconditions:
522///   eval out1 mod m = bytes_eval arg1 mod m
523///
524/// Input Bounds:
525///   arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
526#[inline]
527pub fn fiat_25519_from_bytes(out1: &mut fiat_25519_tight_field_element, arg1: &[u8; 32]) {
528  let x1: u64 = (((arg1[31]) as u64) << 44);
529  let x2: u64 = (((arg1[30]) as u64) << 36);
530  let x3: u64 = (((arg1[29]) as u64) << 28);
531  let x4: u64 = (((arg1[28]) as u64) << 20);
532  let x5: u64 = (((arg1[27]) as u64) << 12);
533  let x6: u64 = (((arg1[26]) as u64) << 4);
534  let x7: u64 = (((arg1[25]) as u64) << 47);
535  let x8: u64 = (((arg1[24]) as u64) << 39);
536  let x9: u64 = (((arg1[23]) as u64) << 31);
537  let x10: u64 = (((arg1[22]) as u64) << 23);
538  let x11: u64 = (((arg1[21]) as u64) << 15);
539  let x12: u64 = (((arg1[20]) as u64) << 7);
540  let x13: u64 = (((arg1[19]) as u64) << 50);
541  let x14: u64 = (((arg1[18]) as u64) << 42);
542  let x15: u64 = (((arg1[17]) as u64) << 34);
543  let x16: u64 = (((arg1[16]) as u64) << 26);
544  let x17: u64 = (((arg1[15]) as u64) << 18);
545  let x18: u64 = (((arg1[14]) as u64) << 10);
546  let x19: u64 = (((arg1[13]) as u64) << 2);
547  let x20: u64 = (((arg1[12]) as u64) << 45);
548  let x21: u64 = (((arg1[11]) as u64) << 37);
549  let x22: u64 = (((arg1[10]) as u64) << 29);
550  let x23: u64 = (((arg1[9]) as u64) << 21);
551  let x24: u64 = (((arg1[8]) as u64) << 13);
552  let x25: u64 = (((arg1[7]) as u64) << 5);
553  let x26: u64 = (((arg1[6]) as u64) << 48);
554  let x27: u64 = (((arg1[5]) as u64) << 40);
555  let x28: u64 = (((arg1[4]) as u64) << 32);
556  let x29: u64 = (((arg1[3]) as u64) << 24);
557  let x30: u64 = (((arg1[2]) as u64) << 16);
558  let x31: u64 = (((arg1[1]) as u64) << 8);
559  let x32: u8 = (arg1[0]);
560  let x33: u64 = (x31 + (x32 as u64));
561  let x34: u64 = (x30 + x33);
562  let x35: u64 = (x29 + x34);
563  let x36: u64 = (x28 + x35);
564  let x37: u64 = (x27 + x36);
565  let x38: u64 = (x26 + x37);
566  let x39: u64 = (x38 & 0x7ffffffffffff);
567  let x40: u8 = ((x38 >> 51) as u8);
568  let x41: u64 = (x25 + (x40 as u64));
569  let x42: u64 = (x24 + x41);
570  let x43: u64 = (x23 + x42);
571  let x44: u64 = (x22 + x43);
572  let x45: u64 = (x21 + x44);
573  let x46: u64 = (x20 + x45);
574  let x47: u64 = (x46 & 0x7ffffffffffff);
575  let x48: u8 = ((x46 >> 51) as u8);
576  let x49: u64 = (x19 + (x48 as u64));
577  let x50: u64 = (x18 + x49);
578  let x51: u64 = (x17 + x50);
579  let x52: u64 = (x16 + x51);
580  let x53: u64 = (x15 + x52);
581  let x54: u64 = (x14 + x53);
582  let x55: u64 = (x13 + x54);
583  let x56: u64 = (x55 & 0x7ffffffffffff);
584  let x57: u8 = ((x55 >> 51) as u8);
585  let x58: u64 = (x12 + (x57 as u64));
586  let x59: u64 = (x11 + x58);
587  let x60: u64 = (x10 + x59);
588  let x61: u64 = (x9 + x60);
589  let x62: u64 = (x8 + x61);
590  let x63: u64 = (x7 + x62);
591  let x64: u64 = (x63 & 0x7ffffffffffff);
592  let x65: u8 = ((x63 >> 51) as u8);
593  let x66: u64 = (x6 + (x65 as u64));
594  let x67: u64 = (x5 + x66);
595  let x68: u64 = (x4 + x67);
596  let x69: u64 = (x3 + x68);
597  let x70: u64 = (x2 + x69);
598  let x71: u64 = (x1 + x70);
599  out1[0] = x39;
600  out1[1] = x47;
601  out1[2] = x56;
602  out1[3] = x64;
603  out1[4] = x71;
604}
605
606/// The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.
607///
608/// Postconditions:
609///   out1 = arg1
610///
611#[inline]
612pub fn fiat_25519_relax(out1: &mut fiat_25519_loose_field_element, arg1: &fiat_25519_tight_field_element) {
613  let x1: u64 = (arg1[0]);
614  let x2: u64 = (arg1[1]);
615  let x3: u64 = (arg1[2]);
616  let x4: u64 = (arg1[3]);
617  let x5: u64 = (arg1[4]);
618  out1[0] = x1;
619  out1[1] = x2;
620  out1[2] = x3;
621  out1[3] = x4;
622  out1[4] = x5;
623}
624
625/// The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
626///
627/// Postconditions:
628///   eval out1 mod m = (121666 * eval arg1) mod m
629///
630#[inline]
631pub fn fiat_25519_carry_scmul_121666(out1: &mut fiat_25519_tight_field_element, arg1: &fiat_25519_loose_field_element) {
632  let x1: u128 = ((0x1db42 as u128) * ((arg1[4]) as u128));
633  let x2: u128 = ((0x1db42 as u128) * ((arg1[3]) as u128));
634  let x3: u128 = ((0x1db42 as u128) * ((arg1[2]) as u128));
635  let x4: u128 = ((0x1db42 as u128) * ((arg1[1]) as u128));
636  let x5: u128 = ((0x1db42 as u128) * ((arg1[0]) as u128));
637  let x6: u64 = ((x5 >> 51) as u64);
638  let x7: u64 = ((x5 & (0x7ffffffffffff as u128)) as u64);
639  let x8: u128 = ((x6 as u128) + x4);
640  let x9: u64 = ((x8 >> 51) as u64);
641  let x10: u64 = ((x8 & (0x7ffffffffffff as u128)) as u64);
642  let x11: u128 = ((x9 as u128) + x3);
643  let x12: u64 = ((x11 >> 51) as u64);
644  let x13: u64 = ((x11 & (0x7ffffffffffff as u128)) as u64);
645  let x14: u128 = ((x12 as u128) + x2);
646  let x15: u64 = ((x14 >> 51) as u64);
647  let x16: u64 = ((x14 & (0x7ffffffffffff as u128)) as u64);
648  let x17: u128 = ((x15 as u128) + x1);
649  let x18: u64 = ((x17 >> 51) as u64);
650  let x19: u64 = ((x17 & (0x7ffffffffffff as u128)) as u64);
651  let x20: u64 = (x18 * 0x13);
652  let x21: u64 = (x7 + x20);
653  let x22: fiat_25519_u1 = ((x21 >> 51) as fiat_25519_u1);
654  let x23: u64 = (x21 & 0x7ffffffffffff);
655  let x24: u64 = ((x22 as u64) + x10);
656  let x25: fiat_25519_u1 = ((x24 >> 51) as fiat_25519_u1);
657  let x26: u64 = (x24 & 0x7ffffffffffff);
658  let x27: u64 = ((x25 as u64) + x13);
659  out1[0] = x23;
660  out1[1] = x26;
661  out1[2] = x27;
662  out1[3] = x16;
663  out1[4] = x19;
664}
fiat_crypto/curve25519_64.rs

fiat_crypto/
curve25519_64.rs
