p521-0.13.3/.cargo_vcs_info.json0000644000000001420000000000100116040ustar { "git": { "sha1": "4d6a0f46b90ad127d2ed475913024f6a57f1e467" }, "path_in_vcs": "p521" }p521-0.13.3/CHANGELOG.md000064400000000000000000000024451046102023000122150ustar 00000000000000# Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## 0.13.3 (2023-11-11) ### Added - Implement hash2curve ([#964]) ### Fixed - Panics when decoding `FieldElement`s ([#967]) [#964]: https://github.com/RustCrypto/elliptic-curves/pull/964 [#967]: https://github.com/RustCrypto/elliptic-curves/pull/967 ## 0.13.2 (2023-11-09) ### Added - `serde` feature ([#962]) ### Changed - Remove `pub` from `arithmetic` module ([#961]) [#961]: https://github.com/RustCrypto/elliptic-curves/pull/961 [#962]: https://github.com/RustCrypto/elliptic-curves/pull/962 ## 0.13.1 (2023-11-09) [YANKED] ### Added - Bernstein-Yang scalar inversions ([#786]) - VOPRF support ([#924]) - `arithmetic` feature ([#953]) - `ecdh` feature ([#954]) - `ecdsa` feature ([#956]) [#786]: https://github.com/RustCrypto/elliptic-curves/pull/786 [#924]: https://github.com/RustCrypto/elliptic-curves/pull/924 [#953]: https://github.com/RustCrypto/elliptic-curves/pull/953 [#954]: https://github.com/RustCrypto/elliptic-curves/pull/954 [#956]: https://github.com/RustCrypto/elliptic-curves/pull/956 ## 0.13.0 (2023-03-03) [YANKED] - Initial release p521-0.13.3/Cargo.toml0000644000000060210000000000100076040ustar # THIS FILE IS AUTOMATICALLY GENERATED BY CARGO # # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies # to registry (e.g., crates.io) dependencies. 
# # If you are reading this file be aware that the original Cargo.toml # will likely look very different (and much more reasonable). # See Cargo.toml.orig for the original contents. [package] edition = "2021" rust-version = "1.65" name = "p521" version = "0.13.3" authors = ["RustCrypto Developers"] description = """ Pure Rust implementation of the NIST P-521 (a.k.a. secp521r1) elliptic curve as defined in SP 800-186 """ documentation = "https://docs.rs/p521" readme = "README.md" keywords = [ "crypto", "ecc", "nist", "secp521r1", ] categories = [ "cryptography", "no-std", ] license = "Apache-2.0 OR MIT" repository = "https://github.com/RustCrypto/elliptic-curves/tree/master/p521" [package.metadata.docs.rs] all-features = true rustdoc-args = [ "--cfg", "docsrs", ] [dependencies.base16ct] version = "0.2" [dependencies.ecdsa-core] version = "0.16.5" features = ["der"] optional = true default-features = false package = "ecdsa" [dependencies.elliptic-curve] version = "0.13" features = [ "hazmat", "sec1", ] default-features = false [dependencies.hex-literal] version = "0.4" optional = true [dependencies.primeorder] version = "0.13.3" optional = true [dependencies.rand_core] version = "0.6" optional = true default-features = false [dependencies.serdect] version = "0.2" optional = true default-features = false [dependencies.sha2] version = "0.10" optional = true default-features = false [dev-dependencies.blobby] version = "0.3" [dev-dependencies.ecdsa-core] version = "0.16" features = ["dev"] default-features = false package = "ecdsa" [dev-dependencies.hex-literal] version = "0.4" [dev-dependencies.primeorder] version = "0.13.3" features = ["dev"] [dev-dependencies.proptest] version = "1.3" [dev-dependencies.rand_core] version = "0.6" features = ["getrandom"] [features] alloc = [ "ecdsa-core?/alloc", "elliptic-curve/alloc", ] arithmetic = ["dep:primeorder"] default = [ "arithmetic", "ecdsa", "getrandom", "pem", "std", ] digest = [ "ecdsa-core/digest", "ecdsa-core/hazmat", ] 
ecdh = [ "arithmetic", "elliptic-curve/ecdh", ] ecdsa = [ "arithmetic", "ecdsa-core/signing", "ecdsa-core/verifying", "sha512", ] getrandom = ["rand_core/getrandom"] hash2curve = [ "arithmetic", "elliptic-curve/hash2curve", ] jwk = ["elliptic-curve/jwk"] pem = [ "elliptic-curve/pem", "pkcs8", ] pkcs8 = [ "ecdsa-core?/pkcs8", "elliptic-curve/pkcs8", ] serde = [ "ecdsa-core?/serde", "elliptic-curve/serde", "primeorder?/serde", "serdect", ] sha512 = [ "digest", "dep:sha2", ] std = [ "alloc", "ecdsa-core?/std", "elliptic-curve/std", ] test-vectors = ["dep:hex-literal"] voprf = [ "elliptic-curve/voprf", "dep:sha2", ] p521-0.13.3/Cargo.toml.orig000064400000000000000000000044131046102023000132700ustar 00000000000000[package] name = "p521" version = "0.13.3" description = """ Pure Rust implementation of the NIST P-521 (a.k.a. secp521r1) elliptic curve as defined in SP 800-186 """ authors = ["RustCrypto Developers"] license = "Apache-2.0 OR MIT" documentation = "https://docs.rs/p521" repository = "https://github.com/RustCrypto/elliptic-curves/tree/master/p521" readme = "README.md" categories = ["cryptography", "no-std"] keywords = ["crypto", "ecc", "nist", "secp521r1"] edition = "2021" rust-version = "1.65" [dependencies] base16ct = "0.2" elliptic-curve = { version = "0.13", default-features = false, features = ["hazmat", "sec1"] } # optional dependencies ecdsa-core = { version = "0.16.5", package = "ecdsa", optional = true, default-features = false, features = ["der"] } hex-literal = { version = "0.4", optional = true } primeorder = { version = "0.13.3", optional = true, path = "../primeorder" } rand_core = { version = "0.6", optional = true, default-features = false } serdect = { version = "0.2", optional = true, default-features = false } sha2 = { version = "0.10", optional = true, default-features = false } [dev-dependencies] blobby = "0.3" ecdsa-core = { version = "0.16", package = "ecdsa", default-features = false, features = ["dev"] } hex-literal = "0.4" primeorder = 
{ version = "0.13.3", features = ["dev"], path = "../primeorder" } proptest = "1.3" rand_core = { version = "0.6", features = ["getrandom"] } [features] default = ["arithmetic", "ecdsa", "getrandom", "pem", "std"] alloc = ["ecdsa-core?/alloc", "elliptic-curve/alloc"] std = ["alloc", "ecdsa-core?/std", "elliptic-curve/std"] arithmetic = ["dep:primeorder"] digest = ["ecdsa-core/digest", "ecdsa-core/hazmat"] ecdh = ["arithmetic", "elliptic-curve/ecdh"] ecdsa = ["arithmetic", "ecdsa-core/signing", "ecdsa-core/verifying", "sha512"] getrandom = ["rand_core/getrandom"] hash2curve = ["arithmetic", "elliptic-curve/hash2curve"] jwk = ["elliptic-curve/jwk"] pem = ["elliptic-curve/pem", "pkcs8"] pkcs8 = ["ecdsa-core?/pkcs8", "elliptic-curve/pkcs8"] serde = ["ecdsa-core?/serde", "elliptic-curve/serde", "primeorder?/serde", "serdect"] sha512 = ["digest", "dep:sha2"] test-vectors = ["dep:hex-literal"] voprf = ["elliptic-curve/voprf", "dep:sha2"] [package.metadata.docs.rs] all-features = true rustdoc-args = ["--cfg", "docsrs"] p521-0.13.3/LICENSE-APACHE000064400000000000000000000251411046102023000123260ustar 00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. 
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. 
For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. 
If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. 
You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. 
Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. p521-0.13.3/LICENSE-MIT000064400000000000000000000020561046102023000120360ustar 00000000000000Copyright (c) 2020-2022 RustCrypto Developers Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
p521-0.13.3/README.md000064400000000000000000000057311046102023000116640ustar 00000000000000# [RustCrypto]: NIST P-521 (secp521r1) elliptic curve [![crate][crate-image]][crate-link] [![Docs][docs-image]][docs-link] [![Build Status][build-image]][build-link] ![Apache2/MIT licensed][license-image] ![Rust Version][rustc-image] [![Project Chat][chat-image]][chat-link] Pure Rust implementation of the NIST P-521 (a.k.a. secp521r1) elliptic curve. [Documentation][docs-link] ## ⚠️ Security Warning The elliptic curve arithmetic contained in this crate has never been independently audited! This crate has been designed with the goal of ensuring that secret-dependent operations are performed in constant time (using the `subtle` crate and constant-time formulas). However, it has not been thoroughly assessed to ensure that generated assembly is constant time on common CPU architectures. USE AT YOUR OWN RISK! ## Supported Algorithms - [Elliptic Curve Diffie-Hellman (ECDH)][ECDH]: gated under the `ecdh` feature. - [Elliptic Curve Digital Signature Algorithm (ECDSA)][ECDSA]: gated under the `ecdsa` feature. ## About P-521 NIST P-521 is a Weierstrass curve specified in [SP 800-186]: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters. Also known as secp521r1 (SECG). ## Minimum Supported Rust Version Rust **1.65** or higher. Minimum supported Rust version can be changed in the future, but it will be done with a minor version bump. ## SemVer Policy - All on-by-default features of this library are covered by SemVer - MSRV is considered exempt from SemVer as noted above ## License All crates licensed under either of * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) * [MIT license](http://opensource.org/licenses/MIT) at your option. 
### Contribution Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions. [//]: # (badges) [crate-image]: https://buildstats.info/crate/p521 [crate-link]: https://crates.io/crates/p521 [docs-image]: https://docs.rs/p521/badge.svg [docs-link]: https://docs.rs/p521/ [build-image]: https://github.com/RustCrypto/elliptic-curves/actions/workflows/p521.yml/badge.svg [build-link]: https://github.com/RustCrypto/elliptic-curves/actions/workflows/p521.yml [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg [rustc-image]: https://img.shields.io/badge/rustc-1.65+-blue.svg [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260040-elliptic-curves [//]: # (links) [RustCrypto]: https://github.com/rustcrypto/ [`elliptic-curve`]: https://github.com/RustCrypto/traits/tree/master/elliptic-curve [ECDH]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie-Hellman [ECDSA]: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm [SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final p521-0.13.3/src/arithmetic/field/loose.rs000064400000000000000000000036021046102023000160720ustar 00000000000000use super::{field_impl::*, FieldElement}; use core::ops::Mul; /// "Loose" field element. pub(crate) struct LooseFieldElement(pub(super) fiat_p521_loose_field_element); impl LooseFieldElement { /// Reduce field element. pub(crate) const fn carry(&self) -> FieldElement { FieldElement(fiat_p521_carry(&self.0)) } /// Multiplies two field elements and reduces the result. pub(crate) const fn mul(&self, rhs: &Self) -> FieldElement { FieldElement(fiat_p521_carry_mul(&self.0, &rhs.0)) } /// Squares a field element and reduces the result. 
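pub(crate) const fn square(&self) -> FieldElement {
    FieldElement(fiat_p521_carry_square(&self.0))
}
} // closes `impl LooseFieldElement`

/// Relaxes an owned tight element by delegating to the `&FieldElement` conversion.
// `From` has no default type parameter, so the source type is spelled out; it is
// fixed by the `from` signature below.
impl From<FieldElement> for LooseFieldElement {
    #[inline]
    fn from(tight: FieldElement) -> LooseFieldElement {
        LooseFieldElement::from(&tight)
    }
}

/// Converts a tight element to its loose form by calling `relax()` on it.
impl From<&FieldElement> for LooseFieldElement {
    #[inline]
    fn from(tight: &FieldElement) -> LooseFieldElement {
        tight.relax()
    }
}

/// Reduces an owned loose element by delegating to the `&LooseFieldElement` conversion.
// Source type spelled out for the same reason as above; see the `from` signature.
impl From<LooseFieldElement> for FieldElement {
    #[inline]
    fn from(loose: LooseFieldElement) -> FieldElement {
        FieldElement::from(&loose)
    }
}

/// Reduces a loose element to a tight one via `LooseFieldElement::carry`.
impl From<&LooseFieldElement> for FieldElement {
    #[inline]
    fn from(loose: &LooseFieldElement) -> FieldElement {
        loose.carry()
    }
}

/// `loose * loose`: the product is returned as an already-reduced `FieldElement`.
impl Mul for LooseFieldElement {
    type Output = FieldElement;

    #[inline]
    fn mul(self, rhs: LooseFieldElement) -> FieldElement {
        // `Self::mul` resolves to the inherent `mul(&self, &Self)`, not to this trait method.
        Self::mul(&self, &rhs)
    }
}

/// `loose * &loose`: same reduction, borrowing the right-hand side.
impl Mul<&LooseFieldElement> for LooseFieldElement {
    type Output = FieldElement;

    #[inline]
    fn mul(self, rhs: &LooseFieldElement) -> FieldElement {
        Self::mul(&self, rhs)
    }
}

/// `&loose * &loose`: same reduction without consuming either operand.
impl Mul<&LooseFieldElement> for &LooseFieldElement {
    type Output = FieldElement;

    #[inline]
    fn mul(self, rhs: &LooseFieldElement) -> FieldElement {
        LooseFieldElement::mul(self, rhs)
    }
}
p521-0.13.3/src/arithmetic/field/p521_64.rs000064400000000000000000001501651046102023000157600ustar 00000000000000
#![doc = " fiat-crypto output postprocessed by fiat-constify: "]
#![doc = " Autogenerated: './unsaturated_solinas' --lang Rust --inline p521 64 9 '2^521 - 1'"]
#![doc = " curve description: p521"]
#![doc = " machine_wordsize = 64 (from \"64\")"]
#![doc = " requested operations: (all)"]
#![doc = " n = 9 (from \"9\")"]
#![doc = " s-c = 2^521 - [(1, 1)] (from \"2^521 - 1\")"]
#![doc = " tight_bounds_multiplier = 1 (from \"\")"]
#![doc = ""]
#![doc = " Computed values:"]
#![doc = " carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 0, 1]"]
#![doc = " eval z = z[0] + (z[1] << 58) + (z[2] << 116) + (z[3] << 174) + (z[4] << 232) + (z[5] << 0x122) + (z[6] << 0x15c) + (z[7] << 0x196) + (z[8] << 0x1d0)"]
#![doc = " bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208)"]
#![doc = " balance = [0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x7fffffffffffffe, 0x3fffffffffffffe]"]
#![allow(unused_parens)]
#![allow(non_camel_case_types)]
#![allow(
    clippy::identity_op,
    clippy::unnecessary_cast,
    dead_code,
    rustdoc::broken_intra_doc_links,
    unused_assignments,
    unused_mut,
    unused_variables
)]

// Carry and borrow flags travel in these 8-bit aliases; the functions below document
// them as [0x0 ~> 0x1], but the type itself admits the full 8-bit range.
pub type fiat_p521_u1 = u8;
pub type fiat_p521_i1 = i8;
pub type fiat_p521_u2 = u8;
pub type fiat_p521_i2 = i8;
// Both aliases expand to the same `[u64; 9]`, so the compiler does not tell a loose
// element from a tight one at this level.
pub type fiat_p521_loose_field_element = [u64; 9];
pub type fiat_p521_tight_field_element = [u64; 9];

#[doc = " The function fiat_p521_addcarryx_u58 is an addition with carry."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (arg1 + arg2 + arg3) mod 2^58"]
#[doc = " out2 = ⌊(arg1 + arg2 + arg3) / 2^58⌋"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0x3ffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0x3ffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0x3ffffffffffffff]"]
#[doc = " out2: [0x0 ~> 0x1]"]
#[inline]
pub const fn fiat_p521_addcarryx_u58(
    arg1: fiat_p521_u1,
    arg2: u64,
    arg3: u64,
) -> (u64, fiat_p521_u1) {
    let mut out1: u64 = 0;
    let mut out2: fiat_p521_u1 = 0;
    // Nothing here checks the documented input bounds. Within them the sum is at most
    // 2^59 - 1, so the u64 additions cannot overflow.
    let x1: u64 = (((arg1 as u64) + arg2) + arg3);
    // The low 58 bits are the output limb; bit 58 is the carry-out.
    let x2: u64 = (x1 & 0x3ffffffffffffff);
    let x3: fiat_p521_u1 = ((x1 >> 58) as fiat_p521_u1);
    out1 = x2;
    out2 = x3;
    (out1, out2)
}

#[doc = " The function fiat_p521_subborrowx_u58 is a subtraction with borrow."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (-arg1 + arg2 + -arg3) mod 2^58"]
#[doc = " out2 = -⌊(-arg1 + arg2 + -arg3) / 2^58⌋"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0x3ffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0x3ffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0x3ffffffffffffff]"]
#[doc = " out2: [0x0 ~> 0x1]"]
#[inline]
pub const fn fiat_p521_subborrowx_u58(
    arg1: fiat_p521_u1,
    arg2: u64,
    arg3: u64,
) -> (u64, fiat_p521_u1) {
    let mut out1: u64 = 0;
    let mut out2: fiat_p521_u1 = 0;
    // Each subtraction is done in i128 and then narrowed to i64. Within the documented
    // bounds the value stays in [-2^58, 2^58 - 1], so the narrowing casts lose nothing.
    let x1: i64 = ((((((arg2 as i128) - (arg1 as i128)) as i64) as i128) - (arg3 as i128)) as i64);
    // Arithmetic shift of the signed difference: 0 when no borrow occurred, -1 when one did.
    let x2: fiat_p521_i1 = ((x1 >> 58) as fiat_p521_i1);
    // Masking the sign-extended value gives the difference modulo 2^58.
    let x3: u64 = (((x1 as i128) & (0x3ffffffffffffff as i128)) as u64);
    out1 = x3;
    // Negate the 0 / -1 flag so the borrow-out is reported as 0 or 1.
    out2 = (((0x0 as fiat_p521_i2) - (x2 as fiat_p521_i2)) as fiat_p521_u1);
    (out1, out2)
}

#[doc = " The function fiat_p521_addcarryx_u57 is an addition with carry."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (arg1 + arg2 + arg3) mod 2^57"]
#[doc = " out2 = ⌊(arg1 + arg2 + arg3) / 2^57⌋"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0x1ffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0x1ffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0x1ffffffffffffff]"]
#[doc = " out2: [0x0 ~> 0x1]"]
#[inline]
pub const fn fiat_p521_addcarryx_u57(
    arg1: fiat_p521_u1,
    arg2: u64,
    arg3: u64,
) -> (u64, fiat_p521_u1) {
    let mut out1: u64 = 0;
    let mut out2: fiat_p521_u1 = 0;
    // Nothing here checks the documented input bounds. Within them the sum is at most
    // 2^58 - 1, so the u64 additions cannot overflow.
    let x1: u64 = (((arg1 as u64) + arg2) + arg3);
    // The low 57 bits are the output limb; bit 57 is the carry-out.
    let x2: u64 = (x1 & 0x1ffffffffffffff);
    let x3: fiat_p521_u1 = ((x1 >> 57) as fiat_p521_u1);
    out1 = x2;
    out2 = x3;
    (out1, out2)
}

#[doc = " The function fiat_p521_subborrowx_u57 is a subtraction with borrow."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (-arg1 + arg2 + -arg3) mod 2^57"]
#[doc = " out2 = -⌊(-arg1 + arg2 + -arg3) / 2^57⌋"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0x1ffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0x1ffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0x1ffffffffffffff]"]
#[doc = " out2: [0x0 ~> 0x1]"]
#[inline]
pub const fn fiat_p521_subborrowx_u57(
    arg1: fiat_p521_u1,
    arg2: u64,
    arg3: u64,
) -> (u64, fiat_p521_u1) {
    let mut out1: u64 = 0;
    let mut out2: fiat_p521_u1 = 0;
    // Each subtraction is done in i128 and then narrowed to i64. Within the documented
    // bounds the value stays in [-2^57, 2^57 - 1], so the narrowing casts lose nothing.
    let x1: i64 = ((((((arg2 as i128) - (arg1 as i128)) as i64) as i128) - (arg3 as i128)) as i64);
    // Arithmetic shift of the signed difference: 0 when no borrow occurred, -1 when one did.
    let x2: fiat_p521_i1 = ((x1 >> 57) as fiat_p521_i1);
    // Masking the sign-extended value gives the difference modulo 2^57.
    let x3: u64 = (((x1 as i128) & (0x1ffffffffffffff as i128)) as u64);
    out1 = x3;
    // Negate the 0 / -1 flag so the borrow-out is reported as 0 or 1.
    out2 = (((0x0 as fiat_p521_i2) - (x2 as fiat_p521_i2)) as fiat_p521_u1);
    (out1, out2)
}

#[doc = " The function fiat_p521_cmovznz_u64 is a single-word conditional move."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"]
#[inline]
pub const fn fiat_p521_cmovznz_u64(arg1: fiat_p521_u1, arg2: u64, arg3: u64) -> u64 {
    let mut out1: u64 = 0;
    // NOTE(review): on `u8`, `!` is a bitwise complement, so `!(!arg1)` is `arg1`
    // unchanged rather than a 0/1 normalisation. The value derived from `x1` below
    // therefore depends on callers keeping `arg1` within its documented [0x0 ~> 0x1] bound.
    let x1: fiat_p521_u1 = (!(!arg1));
    let x2: u64 = ((((((0x0 as fiat_p521_i2) - (x1 as fiat_p521_i2)) as fiat_p521_i1) as i128) &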
(0xffffffffffffffff as i128)) as u64); let x3: u64 = ((x2 & arg3) | ((!x2) & arg2)); out1 = x3; out1 } #[doc = " The function fiat_p521_carry_mul multiplies two field elements and reduces the result."] #[doc = ""] #[doc = " Postconditions:"] #[doc = " eval out1 mod m = (eval arg1 * eval arg2) mod m"] #[doc = ""] #[inline] pub const fn fiat_p521_carry_mul( arg1: &fiat_p521_loose_field_element, arg2: &fiat_p521_loose_field_element, ) -> fiat_p521_tight_field_element { let mut out1: fiat_p521_tight_field_element = [0; 9]; let x1: u128 = (((arg1[8]) as u128) * (((arg2[8]) * 0x2) as u128)); let x2: u128 = (((arg1[8]) as u128) * (((arg2[7]) * 0x2) as u128)); let x3: u128 = (((arg1[8]) as u128) * (((arg2[6]) * 0x2) as u128)); let x4: u128 = (((arg1[8]) as u128) * (((arg2[5]) * 0x2) as u128)); let x5: u128 = (((arg1[8]) as u128) * (((arg2[4]) * 0x2) as u128)); let x6: u128 = (((arg1[8]) as u128) * (((arg2[3]) * 0x2) as u128)); let x7: u128 = (((arg1[8]) as u128) * (((arg2[2]) * 0x2) as u128)); let x8: u128 = (((arg1[8]) as u128) * (((arg2[1]) * 0x2) as u128)); let x9: u128 = (((arg1[7]) as u128) * (((arg2[8]) * 0x2) as u128)); let x10: u128 = (((arg1[7]) as u128) * (((arg2[7]) * 0x2) as u128)); let x11: u128 = (((arg1[7]) as u128) * (((arg2[6]) * 0x2) as u128)); let x12: u128 = (((arg1[7]) as u128) * (((arg2[5]) * 0x2) as u128)); let x13: u128 = (((arg1[7]) as u128) * (((arg2[4]) * 0x2) as u128)); let x14: u128 = (((arg1[7]) as u128) * (((arg2[3]) * 0x2) as u128)); let x15: u128 = (((arg1[7]) as u128) * (((arg2[2]) * 0x2) as u128)); let x16: u128 = (((arg1[6]) as u128) * (((arg2[8]) * 0x2) as u128)); let x17: u128 = (((arg1[6]) as u128) * (((arg2[7]) * 0x2) as u128)); let x18: u128 = (((arg1[6]) as u128) * (((arg2[6]) * 0x2) as u128)); let x19: u128 = (((arg1[6]) as u128) * (((arg2[5]) * 0x2) as u128)); let x20: u128 = (((arg1[6]) as u128) * (((arg2[4]) * 0x2) as u128)); let x21: u128 = (((arg1[6]) as u128) * (((arg2[3]) * 0x2) as u128)); let x22: u128 = (((arg1[5]) as 
u128) * (((arg2[8]) * 0x2) as u128)); let x23: u128 = (((arg1[5]) as u128) * (((arg2[7]) * 0x2) as u128)); let x24: u128 = (((arg1[5]) as u128) * (((arg2[6]) * 0x2) as u128)); let x25: u128 = (((arg1[5]) as u128) * (((arg2[5]) * 0x2) as u128)); let x26: u128 = (((arg1[5]) as u128) * (((arg2[4]) * 0x2) as u128)); let x27: u128 = (((arg1[4]) as u128) * (((arg2[8]) * 0x2) as u128)); let x28: u128 = (((arg1[4]) as u128) * (((arg2[7]) * 0x2) as u128)); let x29: u128 = (((arg1[4]) as u128) * (((arg2[6]) * 0x2) as u128)); let x30: u128 = (((arg1[4]) as u128) * (((arg2[5]) * 0x2) as u128)); let x31: u128 = (((arg1[3]) as u128) * (((arg2[8]) * 0x2) as u128)); let x32: u128 = (((arg1[3]) as u128) * (((arg2[7]) * 0x2) as u128)); let x33: u128 = (((arg1[3]) as u128) * (((arg2[6]) * 0x2) as u128)); let x34: u128 = (((arg1[2]) as u128) * (((arg2[8]) * 0x2) as u128)); let x35: u128 = (((arg1[2]) as u128) * (((arg2[7]) * 0x2) as u128)); let x36: u128 = (((arg1[1]) as u128) * (((arg2[8]) * 0x2) as u128)); let x37: u128 = (((arg1[8]) as u128) * ((arg2[0]) as u128)); let x38: u128 = (((arg1[7]) as u128) * ((arg2[1]) as u128)); let x39: u128 = (((arg1[7]) as u128) * ((arg2[0]) as u128)); let x40: u128 = (((arg1[6]) as u128) * ((arg2[2]) as u128)); let x41: u128 = (((arg1[6]) as u128) * ((arg2[1]) as u128)); let x42: u128 = (((arg1[6]) as u128) * ((arg2[0]) as u128)); let x43: u128 = (((arg1[5]) as u128) * ((arg2[3]) as u128)); let x44: u128 = (((arg1[5]) as u128) * ((arg2[2]) as u128)); let x45: u128 = (((arg1[5]) as u128) * ((arg2[1]) as u128)); let x46: u128 = (((arg1[5]) as u128) * ((arg2[0]) as u128)); let x47: u128 = (((arg1[4]) as u128) * ((arg2[4]) as u128)); let x48: u128 = (((arg1[4]) as u128) * ((arg2[3]) as u128)); let x49: u128 = (((arg1[4]) as u128) * ((arg2[2]) as u128)); let x50: u128 = (((arg1[4]) as u128) * ((arg2[1]) as u128)); let x51: u128 = (((arg1[4]) as u128) * ((arg2[0]) as u128)); let x52: u128 = (((arg1[3]) as u128) * ((arg2[5]) as u128)); let x53: u128 = 
(((arg1[3]) as u128) * ((arg2[4]) as u128)); let x54: u128 = (((arg1[3]) as u128) * ((arg2[3]) as u128)); let x55: u128 = (((arg1[3]) as u128) * ((arg2[2]) as u128)); let x56: u128 = (((arg1[3]) as u128) * ((arg2[1]) as u128)); let x57: u128 = (((arg1[3]) as u128) * ((arg2[0]) as u128)); let x58: u128 = (((arg1[2]) as u128) * ((arg2[6]) as u128)); let x59: u128 = (((arg1[2]) as u128) * ((arg2[5]) as u128)); let x60: u128 = (((arg1[2]) as u128) * ((arg2[4]) as u128)); let x61: u128 = (((arg1[2]) as u128) * ((arg2[3]) as u128)); let x62: u128 = (((arg1[2]) as u128) * ((arg2[2]) as u128)); let x63: u128 = (((arg1[2]) as u128) * ((arg2[1]) as u128)); let x64: u128 = (((arg1[2]) as u128) * ((arg2[0]) as u128)); let x65: u128 = (((arg1[1]) as u128) * ((arg2[7]) as u128)); let x66: u128 = (((arg1[1]) as u128) * ((arg2[6]) as u128)); let x67: u128 = (((arg1[1]) as u128) * ((arg2[5]) as u128)); let x68: u128 = (((arg1[1]) as u128) * ((arg2[4]) as u128)); let x69: u128 = (((arg1[1]) as u128) * ((arg2[3]) as u128)); let x70: u128 = (((arg1[1]) as u128) * ((arg2[2]) as u128)); let x71: u128 = (((arg1[1]) as u128) * ((arg2[1]) as u128)); let x72: u128 = (((arg1[1]) as u128) * ((arg2[0]) as u128)); let x73: u128 = (((arg1[0]) as u128) * ((arg2[8]) as u128)); let x74: u128 = (((arg1[0]) as u128) * ((arg2[7]) as u128)); let x75: u128 = (((arg1[0]) as u128) * ((arg2[6]) as u128)); let x76: u128 = (((arg1[0]) as u128) * ((arg2[5]) as u128)); let x77: u128 = (((arg1[0]) as u128) * ((arg2[4]) as u128)); let x78: u128 = (((arg1[0]) as u128) * ((arg2[3]) as u128)); let x79: u128 = (((arg1[0]) as u128) * ((arg2[2]) as u128)); let x80: u128 = (((arg1[0]) as u128) * ((arg2[1]) as u128)); let x81: u128 = (((arg1[0]) as u128) * ((arg2[0]) as u128)); let x82: u128 = (x81 + (x36 + (x35 + (x33 + (x30 + (x26 + (x21 + (x15 + x8)))))))); let x83: u128 = (x82 >> 58); let x84: u64 = ((x82 & (0x3ffffffffffffff as u128)) as u64); let x85: u128 = (x73 + (x65 + (x58 + (x52 + (x47 + (x43 + (x40 + (x38 + 
x37)))))))); let x86: u128 = (x74 + (x66 + (x59 + (x53 + (x48 + (x44 + (x41 + (x39 + x1)))))))); let x87: u128 = (x75 + (x67 + (x60 + (x54 + (x49 + (x45 + (x42 + (x9 + x2)))))))); let x88: u128 = (x76 + (x68 + (x61 + (x55 + (x50 + (x46 + (x16 + (x10 + x3)))))))); let x89: u128 = (x77 + (x69 + (x62 + (x56 + (x51 + (x22 + (x17 + (x11 + x4)))))))); let x90: u128 = (x78 + (x70 + (x63 + (x57 + (x27 + (x23 + (x18 + (x12 + x5)))))))); let x91: u128 = (x79 + (x71 + (x64 + (x31 + (x28 + (x24 + (x19 + (x13 + x6)))))))); let x92: u128 = (x80 + (x72 + (x34 + (x32 + (x29 + (x25 + (x20 + (x14 + x7)))))))); let x93: u128 = (x83 + x92); let x94: u128 = (x93 >> 58); let x95: u64 = ((x93 & (0x3ffffffffffffff as u128)) as u64); let x96: u128 = (x94 + x91); let x97: u128 = (x96 >> 58); let x98: u64 = ((x96 & (0x3ffffffffffffff as u128)) as u64); let x99: u128 = (x97 + x90); let x100: u128 = (x99 >> 58); let x101: u64 = ((x99 & (0x3ffffffffffffff as u128)) as u64); let x102: u128 = (x100 + x89); let x103: u128 = (x102 >> 58); let x104: u64 = ((x102 & (0x3ffffffffffffff as u128)) as u64); let x105: u128 = (x103 + x88); let x106: u128 = (x105 >> 58); let x107: u64 = ((x105 & (0x3ffffffffffffff as u128)) as u64); let x108: u128 = (x106 + x87); let x109: u128 = (x108 >> 58); let x110: u64 = ((x108 & (0x3ffffffffffffff as u128)) as u64); let x111: u128 = (x109 + x86); let x112: u128 = (x111 >> 58); let x113: u64 = ((x111 & (0x3ffffffffffffff as u128)) as u64); let x114: u128 = (x112 + x85); let x115: u128 = (x114 >> 57); let x116: u64 = ((x114 & (0x1ffffffffffffff as u128)) as u64); let x117: u128 = ((x84 as u128) + x115); let x118: u64 = ((x117 >> 58) as u64); let x119: u64 = ((x117 & (0x3ffffffffffffff as u128)) as u64); let x120: u64 = (x118 + x95); let x121: fiat_p521_u1 = ((x120 >> 58) as fiat_p521_u1); let x122: u64 = (x120 & 0x3ffffffffffffff); let x123: u64 = ((x121 as u64) + x98); out1[0] = x119; out1[1] = x122; out1[2] = x123; out1[3] = x101; out1[4] = x104; out1[5] = x107; 
out1[6] = x110; out1[7] = x113; out1[8] = x116; out1 } #[doc = " The function fiat_p521_carry_square squares a field element and reduces the result."] #[doc = ""] #[doc = " Postconditions:"] #[doc = " eval out1 mod m = (eval arg1 * eval arg1) mod m"] #[doc = ""] #[inline] pub const fn fiat_p521_carry_square( arg1: &fiat_p521_loose_field_element, ) -> fiat_p521_tight_field_element { let mut out1: fiat_p521_tight_field_element = [0; 9]; let x1: u64 = (arg1[8]); let x2: u64 = (x1 * 0x2); let x3: u64 = ((arg1[8]) * 0x2); let x4: u64 = (arg1[7]); let x5: u64 = (x4 * 0x2); let x6: u64 = ((arg1[7]) * 0x2); let x7: u64 = (arg1[6]); let x8: u64 = (x7 * 0x2); let x9: u64 = ((arg1[6]) * 0x2); let x10: u64 = (arg1[5]); let x11: u64 = (x10 * 0x2); let x12: u64 = ((arg1[5]) * 0x2); let x13: u64 = ((arg1[4]) * 0x2); let x14: u64 = ((arg1[3]) * 0x2); let x15: u64 = ((arg1[2]) * 0x2); let x16: u64 = ((arg1[1]) * 0x2); let x17: u128 = (((arg1[8]) as u128) * ((x1 * 0x2) as u128)); let x18: u128 = (((arg1[7]) as u128) * ((x2 * 0x2) as u128)); let x19: u128 = (((arg1[7]) as u128) * ((x4 * 0x2) as u128)); let x20: u128 = (((arg1[6]) as u128) * ((x2 * 0x2) as u128)); let x21: u128 = (((arg1[6]) as u128) * ((x5 * 0x2) as u128)); let x22: u128 = (((arg1[6]) as u128) * ((x7 * 0x2) as u128)); let x23: u128 = (((arg1[5]) as u128) * ((x2 * 0x2) as u128)); let x24: u128 = (((arg1[5]) as u128) * ((x5 * 0x2) as u128)); let x25: u128 = (((arg1[5]) as u128) * ((x8 * 0x2) as u128)); let x26: u128 = (((arg1[5]) as u128) * ((x10 * 0x2) as u128)); let x27: u128 = (((arg1[4]) as u128) * ((x2 * 0x2) as u128)); let x28: u128 = (((arg1[4]) as u128) * ((x5 * 0x2) as u128)); let x29: u128 = (((arg1[4]) as u128) * ((x8 * 0x2) as u128)); let x30: u128 = (((arg1[4]) as u128) * ((x11 * 0x2) as u128)); let x31: u128 = (((arg1[4]) as u128) * ((arg1[4]) as u128)); let x32: u128 = (((arg1[3]) as u128) * ((x2 * 0x2) as u128)); let x33: u128 = (((arg1[3]) as u128) * ((x5 * 0x2) as u128)); let x34: u128 = (((arg1[3]) 
as u128) * ((x8 * 0x2) as u128)); let x35: u128 = (((arg1[3]) as u128) * (x12 as u128)); let x36: u128 = (((arg1[3]) as u128) * (x13 as u128)); let x37: u128 = (((arg1[3]) as u128) * ((arg1[3]) as u128)); let x38: u128 = (((arg1[2]) as u128) * ((x2 * 0x2) as u128)); let x39: u128 = (((arg1[2]) as u128) * ((x5 * 0x2) as u128)); let x40: u128 = (((arg1[2]) as u128) * (x9 as u128)); let x41: u128 = (((arg1[2]) as u128) * (x12 as u128)); let x42: u128 = (((arg1[2]) as u128) * (x13 as u128)); let x43: u128 = (((arg1[2]) as u128) * (x14 as u128)); let x44: u128 = (((arg1[2]) as u128) * ((arg1[2]) as u128)); let x45: u128 = (((arg1[1]) as u128) * ((x2 * 0x2) as u128)); let x46: u128 = (((arg1[1]) as u128) * (x6 as u128)); let x47: u128 = (((arg1[1]) as u128) * (x9 as u128)); let x48: u128 = (((arg1[1]) as u128) * (x12 as u128)); let x49: u128 = (((arg1[1]) as u128) * (x13 as u128)); let x50: u128 = (((arg1[1]) as u128) * (x14 as u128)); let x51: u128 = (((arg1[1]) as u128) * (x15 as u128)); let x52: u128 = (((arg1[1]) as u128) * ((arg1[1]) as u128)); let x53: u128 = (((arg1[0]) as u128) * (x3 as u128)); let x54: u128 = (((arg1[0]) as u128) * (x6 as u128)); let x55: u128 = (((arg1[0]) as u128) * (x9 as u128)); let x56: u128 = (((arg1[0]) as u128) * (x12 as u128)); let x57: u128 = (((arg1[0]) as u128) * (x13 as u128)); let x58: u128 = (((arg1[0]) as u128) * (x14 as u128)); let x59: u128 = (((arg1[0]) as u128) * (x15 as u128)); let x60: u128 = (((arg1[0]) as u128) * (x16 as u128)); let x61: u128 = (((arg1[0]) as u128) * ((arg1[0]) as u128)); let x62: u128 = (x61 + (x45 + (x39 + (x34 + x30)))); let x63: u128 = (x62 >> 58); let x64: u64 = ((x62 & (0x3ffffffffffffff as u128)) as u64); let x65: u128 = (x53 + (x46 + (x40 + (x35 + x31)))); let x66: u128 = (x54 + (x47 + (x41 + (x36 + x17)))); let x67: u128 = (x55 + (x48 + (x42 + (x37 + x18)))); let x68: u128 = (x56 + (x49 + (x43 + (x20 + x19)))); let x69: u128 = (x57 + (x50 + (x44 + (x23 + x21)))); let x70: u128 = (x58 + (x51 + 
(x27 + (x24 + x22))));
    let x71: u128 = (x59 + (x52 + (x32 + (x28 + x25))));
    let x72: u128 = (x60 + (x38 + (x33 + (x29 + x26))));
    let x73: u128 = (x63 + x72);
    let x74: u128 = (x73 >> 58);
    let x75: u64 = ((x73 & (0x3ffffffffffffff as u128)) as u64);
    let x76: u128 = (x74 + x71);
    let x77: u128 = (x76 >> 58);
    let x78: u64 = ((x76 & (0x3ffffffffffffff as u128)) as u64);
    let x79: u128 = (x77 + x70);
    let x80: u128 = (x79 >> 58);
    let x81: u64 = ((x79 & (0x3ffffffffffffff as u128)) as u64);
    let x82: u128 = (x80 + x69);
    let x83: u128 = (x82 >> 58);
    let x84: u64 = ((x82 & (0x3ffffffffffffff as u128)) as u64);
    let x85: u128 = (x83 + x68);
    let x86: u128 = (x85 >> 58);
    let x87: u64 = ((x85 & (0x3ffffffffffffff as u128)) as u64);
    let x88: u128 = (x86 + x67);
    let x89: u128 = (x88 >> 58);
    let x90: u64 = ((x88 & (0x3ffffffffffffff as u128)) as u64);
    let x91: u128 = (x89 + x66);
    let x92: u128 = (x91 >> 58);
    let x93: u64 = ((x91 & (0x3ffffffffffffff as u128)) as u64);
    let x94: u128 = (x92 + x65);
    let x95: u128 = (x94 >> 57);
    let x96: u64 = ((x94 & (0x1ffffffffffffff as u128)) as u64);
    let x97: u128 = ((x64 as u128) + x95);
    let x98: u64 = ((x97 >> 58) as u64);
    let x99: u64 = ((x97 & (0x3ffffffffffffff as u128)) as u64);
    let x100: u64 = (x98 + x75);
    let x101: fiat_p521_u1 = ((x100 >> 58) as fiat_p521_u1);
    let x102: u64 = (x100 & 0x3ffffffffffffff);
    let x103: u64 = ((x101 as u64) + x78);
    out1[0] = x99;
    out1[1] = x102;
    out1[2] = x103;
    out1[3] = x81;
    out1[4] = x84;
    out1[5] = x87;
    out1[6] = x90;
    out1[7] = x93;
    out1[8] = x96;
    out1
}

// fiat_p521_carry: one carry pass over the nine limbs of a loose element.
// Bits 58 and up of limbs 0-7 are added into the next limb; bits 57 and up of
// limb 8 are added back into limb 0 (x10); two further one-bit carries are
// then pushed into limbs 1 and 2 (x11, x14).
// NOTE(review): folding the top carry into limb 0 with weight 1 fits
// m = 2^521 - 1 (8 * 58 + 57 = 521 bits); m is not spelled out next to this
// function, so confirm against the file header.
// Every sum is a plain u64 `+` with no overflow check of its own: the result
// is only meaningful while the input limbs respect the loose-element bounds,
// which are declared elsewhere.
#[doc = " The function fiat_p521_carry reduces a field element."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " eval out1 mod m = eval arg1 mod m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_carry(
    arg1: &fiat_p521_loose_field_element,
) -> fiat_p521_tight_field_element {
    let mut out1: fiat_p521_tight_field_element = [0; 9];
    // Forward carry chain, limb 0 up to limb 8.
    let x1: u64 = (arg1[0]);
    let x2: u64 = ((x1 >> 58) + (arg1[1]));
    let x3: u64 = ((x2 >> 58) + (arg1[2]));
    let x4: u64 = ((x3 >> 58) + (arg1[3]));
    let x5: u64 = ((x4 >> 58) + (arg1[4]));
    let x6: u64 = ((x5 >> 58) + (arg1[5]));
    let x7: u64 = ((x6 >> 58) + (arg1[6]));
    let x8: u64 = ((x7 >> 58) + (arg1[7]));
    let x9: u64 = ((x8 >> 58) + (arg1[8]));
    // Wrap-around: the overflow of the 57-bit top limb re-enters at limb 0.
    let x10: u64 = ((x1 & 0x3ffffffffffffff) + (x9 >> 57));
    let x11: u64 = ((((x10 >> 58) as fiat_p521_u1) as u64) + (x2 & 0x3ffffffffffffff));
    let x12: u64 = (x10 & 0x3ffffffffffffff);
    let x13: u64 = (x11 & 0x3ffffffffffffff);
    let x14: u64 = ((((x11 >> 58) as fiat_p521_u1) as u64) + (x3 & 0x3ffffffffffffff));
    let x15: u64 = (x4 & 0x3ffffffffffffff);
    let x16: u64 = (x5 & 0x3ffffffffffffff);
    let x17: u64 = (x6 & 0x3ffffffffffffff);
    let x18: u64 = (x7 & 0x3ffffffffffffff);
    let x19: u64 = (x8 & 0x3ffffffffffffff);
    let x20: u64 = (x9 & 0x1ffffffffffffff);
    out1[0] = x12;
    out1[1] = x13;
    out1[2] = x14;
    out1[3] = x15;
    out1[4] = x16;
    out1[5] = x17;
    out1[6] = x18;
    out1[7] = x19;
    out1[8] = x20;
    out1
}

// fiat_p521_add: limb-wise addition with no carry propagation. The return
// type is the loose element type; fiat_p521_carry in this file takes a loose
// element and returns a tight one.
#[doc = " The function fiat_p521_add adds two field elements."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " eval out1 mod m = (eval arg1 + eval arg2) mod m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_add(
    arg1: &fiat_p521_tight_field_element,
    arg2: &fiat_p521_tight_field_element,
) -> fiat_p521_loose_field_element {
    let mut out1: fiat_p521_loose_field_element = [0; 9];
    let x1: u64 = ((arg1[0]) + (arg2[0]));
    let x2: u64 = ((arg1[1]) + (arg2[1]));
    let x3: u64 = ((arg1[2]) + (arg2[2]));
    let x4: u64 = ((arg1[3]) + (arg2[3]));
    let x5: u64 = ((arg1[4]) + (arg2[4]));
    let x6: u64 = ((arg1[5]) + (arg2[5]));
    let x7: u64 = ((arg1[6]) + (arg2[6]));
    let x8: u64 = ((arg1[7]) + (arg2[7]));
    let x9: u64 = ((arg1[8]) + (arg2[8]));
    out1[0] = x1;
    out1[1] = x2;
    out1[2] = x3;
    out1[3] = x4;
    out1[4] = x5;
    out1[5] = x6;
    out1[6] = x7;
    out1[7] = x8;
    out1[8] = x9;
    out1
}

// fiat_p521_sub: limb-wise subtraction with a bias added first and no carry
// propagation. The bias is 0x7fffffffffffffe for limbs 0-7 and
// 0x3fffffffffffffe for limb 8, i.e. twice the 58-bit and 57-bit all-ones
// masks used by the carry functions in this file.
// NOTE(review): that limb pattern looks like 2 * (2^521 - 1), which leaves the
// value unchanged mod m and keeps each u64 `-` from underflowing as long as
// arg2's limbs are within the tight bounds (declared elsewhere). An
// out-of-range arg2 limb would underflow the subtraction; nothing here checks
// for it.
#[doc = " The function fiat_p521_sub subtracts two field elements."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " eval out1 mod m = (eval arg1 - eval arg2) mod m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_sub(
    arg1: &fiat_p521_tight_field_element,
    arg2: &fiat_p521_tight_field_element,
) -> fiat_p521_loose_field_element {
    let mut out1: fiat_p521_loose_field_element = [0; 9];
    let x1: u64 = ((0x7fffffffffffffe + (arg1[0])) - (arg2[0]));
    let x2: u64 = ((0x7fffffffffffffe + (arg1[1])) - (arg2[1]));
    let x3: u64 = ((0x7fffffffffffffe + (arg1[2])) - (arg2[2]));
    let x4: u64 = ((0x7fffffffffffffe + (arg1[3])) - (arg2[3]));
    let x5: u64 = ((0x7fffffffffffffe + (arg1[4])) - (arg2[4]));
    let x6: u64 = ((0x7fffffffffffffe + (arg1[5])) - (arg2[5]));
    let x7: u64 = ((0x7fffffffffffffe + (arg1[6])) - (arg2[6]));
    let x8: u64 = ((0x7fffffffffffffe + (arg1[7])) - (arg2[7]));
    // Top limb is one bit narrower, hence the smaller bias.
    let x9: u64 = ((0x3fffffffffffffe + (arg1[8])) - (arg2[8]));
    out1[0] = x1;
    out1[1] = x2;
    out1[2] = x3;
    out1[3] = x4;
    out1[4] = x5;
    out1[5] = x6;
    out1[6] = x7;
    out1[7] = x8;
    out1[8] = x9;
    out1
}

// fiat_p521_opp: negation computed as (bias - limb) per limb, using the same
// bias constants as fiat_p521_sub; no carry propagation, loose result.
// The u64 `-` relies on each arg1 limb not exceeding the bias, which is
// presumably what the tight bounds guarantee (verify against the type
// declaration).
#[doc = " The function fiat_p521_opp negates a field element."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " eval out1 mod m = -eval arg1 mod m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_opp(arg1: &fiat_p521_tight_field_element) -> fiat_p521_loose_field_element {
    let mut out1: fiat_p521_loose_field_element = [0; 9];
    let x1: u64 = (0x7fffffffffffffe - (arg1[0]));
    let x2: u64 = (0x7fffffffffffffe - (arg1[1]));
    let x3: u64 = (0x7fffffffffffffe - (arg1[2]));
    let x4: u64 = (0x7fffffffffffffe - (arg1[3]));
    let x5: u64 = (0x7fffffffffffffe - (arg1[4]));
    let x6: u64 = (0x7fffffffffffffe - (arg1[5]));
    let x7: u64 = (0x7fffffffffffffe - (arg1[6]));
    let x8: u64 = (0x7fffffffffffffe - (arg1[7]));
    let x9: u64 = (0x3fffffffffffffe - (arg1[8]));
    out1[0] = x1;
    out1[1] = x2;
    out1[2] = x3;
    out1[3] = x4;
    out1[4] = x5;
    out1[5] = x6;
    out1[6] = x7;
    out1[7] = x8;
    out1[8] = x9;
    out1
}

// fiat_p521_carry_add: the limb sums of fiat_p521_add fed straight into the
// carry chain of fiat_p521_carry, so the result is a tight element.
#[doc = " The function fiat_p521_carry_add adds two field elements."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " eval out1 mod m = (eval arg1 + eval arg2) mod m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_carry_add(
    arg1: &fiat_p521_tight_field_element,
    arg2: &fiat_p521_tight_field_element,
) -> fiat_p521_tight_field_element {
    let mut out1: fiat_p521_tight_field_element = [0; 9];
    let x1: u64 = ((arg1[0]) + (arg2[0]));
    let x2: u64 = ((x1 >> 58) + ((arg1[1]) + (arg2[1])));
    let x3: u64 = ((x2 >> 58) + ((arg1[2]) + (arg2[2])));
    let x4: u64 = ((x3 >> 58) + ((arg1[3]) + (arg2[3])));
    let x5: u64 = ((x4 >> 58) + ((arg1[4]) + (arg2[4])));
    let x6: u64 = ((x5 >> 58) + ((arg1[5]) + (arg2[5])));
    let x7: u64 = ((x6 >> 58) + ((arg1[6]) + (arg2[6])));
    let x8: u64 = ((x7 >> 58) + ((arg1[7]) + (arg2[7])));
    let x9: u64 = ((x8 >> 58) + ((arg1[8]) + (arg2[8])));
    // Wrap-around of the top limb's overflow into limb 0, then two fix-up carries.
    let x10: u64 = ((x1 & 0x3ffffffffffffff) + (x9 >> 57));
    let x11: u64 = ((((x10 >> 58) as fiat_p521_u1) as u64) + (x2 & 0x3ffffffffffffff));
    let x12: u64 = (x10 & 0x3ffffffffffffff);
    let x13: u64 = (x11 & 0x3ffffffffffffff);
    let x14: u64 = ((((x11 >> 58) as fiat_p521_u1) as u64) + (x3 & 0x3ffffffffffffff));
    let x15: u64 = (x4 & 0x3ffffffffffffff);
    let x16: u64 = (x5 & 0x3ffffffffffffff);
    let x17: u64 = (x6 & 0x3ffffffffffffff);
    let x18: u64 = (x7 & 0x3ffffffffffffff);
    let x19: u64 = (x8 & 0x3ffffffffffffff);
    let x20: u64 = (x9 & 0x1ffffffffffffff);
    out1[0] = x12;
    out1[1] = x13;
    out1[2] = x14;
    out1[3] = x15;
    out1[4] = x16;
    out1[5] = x17;
    out1[6] = x18;
    out1[7] = x19;
    out1[8] = x20;
    out1
}

// fiat_p521_carry_sub: the biased limb differences of fiat_p521_sub fed into
// the same carry chain as fiat_p521_carry. The underflow caveat is the same as
// for fiat_p521_sub: the u64 `-` is safe only for arg2 limbs within the tight
// bounds.
#[doc = " The function fiat_p521_carry_sub subtracts two field elements."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " eval out1 mod m = (eval arg1 - eval arg2) mod m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_carry_sub(
    arg1: &fiat_p521_tight_field_element,
    arg2: &fiat_p521_tight_field_element,
) -> fiat_p521_tight_field_element {
    let mut out1: fiat_p521_tight_field_element = [0; 9];
    let x1: u64 = ((0x7fffffffffffffe + (arg1[0])) - (arg2[0]));
    let x2: u64 = ((x1 >> 58) + ((0x7fffffffffffffe + (arg1[1])) - (arg2[1])));
    let x3: u64 = ((x2 >> 58) + ((0x7fffffffffffffe + (arg1[2])) - (arg2[2])));
    let x4: u64 = ((x3 >> 58) + ((0x7fffffffffffffe + (arg1[3])) - (arg2[3])));
    let x5: u64 = ((x4 >> 58) + ((0x7fffffffffffffe + (arg1[4])) - (arg2[4])));
    let x6: u64 = ((x5 >> 58) + ((0x7fffffffffffffe + (arg1[5])) - (arg2[5])));
    let x7: u64 = ((x6 >> 58) + ((0x7fffffffffffffe + (arg1[6])) - (arg2[6])));
    let x8: u64 = ((x7 >> 58) + ((0x7fffffffffffffe + (arg1[7])) - (arg2[7])));
    let x9: u64 = ((x8 >> 58) + ((0x3fffffffffffffe + (arg1[8])) - (arg2[8])));
    let x10: u64 = ((x1 & 0x3ffffffffffffff) + (x9 >> 57));
    let x11: u64 = ((((x10 >> 58) as fiat_p521_u1) as u64) + (x2 & 0x3ffffffffffffff));
    let x12: u64 = (x10 & 0x3ffffffffffffff);
    let x13: u64 = (x11 & 0x3ffffffffffffff);
    let x14: u64 = ((((x11 >> 58) as fiat_p521_u1) as u64) + (x3 & 0x3ffffffffffffff));
    let x15: u64 = (x4 & 0x3ffffffffffffff);
    let x16: u64 = (x5 & 0x3ffffffffffffff);
    let x17: u64 = (x6 & 0x3ffffffffffffff);
    let x18: u64 = (x7 & 0x3ffffffffffffff);
    let x19: u64 = (x8 & 0x3ffffffffffffff);
    let x20: u64 = (x9 & 0x1ffffffffffffff);
    out1[0] = x12;
    out1[1] = x13;
    out1[2] = x14;
    out1[3] = x15;
    out1[4] = x16;
    out1[5] = x17;
    out1[6] = x18;
    out1[7] = x19;
    out1[8] = x20;
    out1
}

// fiat_p521_carry_opp: the biased negation of fiat_p521_opp followed by the
// carry chain. Unlike fiat_p521_carry, every intermediate carry is narrowed to
// fiat_p521_u1 before it is added to the next limb.
#[doc = " The function fiat_p521_carry_opp negates a field element."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " eval out1 mod m = -eval arg1 mod m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_carry_opp(
    arg1: &fiat_p521_tight_field_element,
) -> fiat_p521_tight_field_element {
    let mut out1: fiat_p521_tight_field_element = [0; 9];
    let x1: u64 = (0x7fffffffffffffe - (arg1[0]));
    let x2: u64 = ((((x1 >> 58) as fiat_p521_u1) as u64) + (0x7fffffffffffffe - (arg1[1])));
    let x3: u64 = ((((x2 >> 58) as fiat_p521_u1) as u64) + (0x7fffffffffffffe - (arg1[2])));
    let x4: u64 = ((((x3 >> 58) as fiat_p521_u1) as u64) + (0x7fffffffffffffe - (arg1[3])));
    let x5: u64 = ((((x4 >> 58) as fiat_p521_u1) as u64) + (0x7fffffffffffffe - (arg1[4])));
    let x6: u64 = ((((x5 >> 58) as fiat_p521_u1) as u64) + (0x7fffffffffffffe - (arg1[5])));
    let x7: u64 = ((((x6 >> 58) as fiat_p521_u1) as u64) + (0x7fffffffffffffe - (arg1[6])));
    let x8: u64 = ((((x7 >> 58) as fiat_p521_u1) as u64) + (0x7fffffffffffffe - (arg1[7])));
    let x9: u64 = ((((x8 >> 58) as fiat_p521_u1) as u64) + (0x3fffffffffffffe - (arg1[8])));
    let x10: u64 = ((x1 & 0x3ffffffffffffff) + (((x9 >> 57) as fiat_p521_u1) as u64));
    let x11: u64 = ((((x10 >> 58) as fiat_p521_u1) as u64) + (x2 & 0x3ffffffffffffff));
    let x12: u64 = (x10 & 0x3ffffffffffffff);
    let x13: u64 = (x11 & 0x3ffffffffffffff);
    let x14: u64 = ((((x11 >> 58) as fiat_p521_u1) as u64) + (x3 & 0x3ffffffffffffff));
    let x15: u64 = (x4 & 0x3ffffffffffffff);
    let x16: u64 = (x5 & 0x3ffffffffffffff);
    let x17: u64 = (x6 & 0x3ffffffffffffff);
    let x18: u64 = (x7 & 0x3ffffffffffffff);
    let x19: u64 = (x8 & 0x3ffffffffffffff);
    let x20: u64 = (x9 & 0x1ffffffffffffff);
    out1[0] = x12;
    out1[1] = x13;
    out1[2] = x14;
    out1[3] = x15;
    out1[4] = x16;
    out1[5] = x17;
    out1[6] = x18;
    out1[7] = x19;
    out1[8] = x20;
    out1
}

// fiat_p521_relax: copies the nine limbs unchanged; only the declared type of
// the result differs (tight in, loose out).
#[doc = " The function fiat_p521_relax is the identity function converting from tight field elements to loose field elements."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = arg1"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_relax(
    arg1: &fiat_p521_tight_field_element,
) -> fiat_p521_loose_field_element {
    let mut out1: fiat_p521_loose_field_element = [0; 9];
    let x1: u64 = (arg1[0]);
    let x2: u64 = (arg1[1]);
    let x3: u64 = (arg1[2]);
    let x4: u64 = (arg1[3]);
    let x5: u64 = (arg1[4]);
    let x6: u64 = (arg1[5]);
    let x7: u64 = (arg1[6]);
    let x8: u64 = (arg1[7]);
    let x9: u64 = (arg1[8]);
    out1[0] = x1;
    out1[1] = x2;
    out1[2] = x3;
    out1[3] = x4;
    out1[4] = x5;
    out1[5] = x6;
    out1[6] = x7;
    out1[7] = x8;
    out1[8] = x9;
    out1
}

// fiat_p521_selectznz: applies fiat_p521_cmovznz_u64 to each of the nine limbs
// with the same flag. That helper blends its two inputs with a mask derived
// from the flag, so the selection is written without an `if` on arg1 and
// without indexing by it. This is a property of the source only; whether the
// compiled code stays branch-free has to be checked on the build output.
// arg1 must be 0 or 1 as the input bound states: the helper derives its mask
// from the flag's value and does not normalise other inputs.
// The `let mut xN = 0; let (xN) = ...` pairs are generator output; the `mut`
// binding is shadowed immediately and never read.
#[doc = " The function fiat_p521_selectznz is a multi-limb conditional select."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[doc = " arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[inline]
pub const fn fiat_p521_selectznz(arg1: fiat_p521_u1, arg2: &[u64; 9], arg3: &[u64; 9]) -> [u64; 9] {
    let mut out1: [u64; 9] = [0; 9];
    let mut x1: u64 = 0;
    let (x1) = fiat_p521_cmovznz_u64(arg1, (arg2[0]), (arg3[0]));
    let mut x2: u64 = 0;
    let (x2) = fiat_p521_cmovznz_u64(arg1, (arg2[1]), (arg3[1]));
    let mut x3: u64 = 0;
    let (x3) = fiat_p521_cmovznz_u64(arg1, (arg2[2]), (arg3[2]));
    let mut x4: u64 = 0;
    let (x4) = fiat_p521_cmovznz_u64(arg1, (arg2[3]), (arg3[3]));
    let mut x5: u64 = 0;
    let (x5) = fiat_p521_cmovznz_u64(arg1, (arg2[4]), (arg3[4]));
    let mut x6: u64 = 0;
    let (x6) = fiat_p521_cmovznz_u64(arg1, (arg2[5]), (arg3[5]));
    let mut x7: u64 = 0;
    let (x7) = fiat_p521_cmovznz_u64(arg1, (arg2[6]), (arg3[6]));
    let mut x8: u64 = 0;
    let (x8) = fiat_p521_cmovznz_u64(arg1, (arg2[7]), (arg3[7]));
    let mut x9: u64 = 0;
    let (x9) = fiat_p521_cmovznz_u64(arg1, (arg2[8]), (arg3[8]));
    out1[0] = x1;
    out1[1] = x2;
    out1[2] = x3;
    out1[3] = x4;
    out1[4] = x5;
    out1[5] = x6;
    out1[6] = x7;
    out1[7] = x8;
    out1[8] = x9;
    out1
}

#[doc = " The function fiat_p521_to_bytes serializes a field element to bytes in little-endian order."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65]"]
#[doc = ""]
#[doc = " Output Bounds:"] #[doc = " out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]]"] #[inline] pub const fn fiat_p521_to_bytes(arg1: &fiat_p521_tight_field_element) -> [u8; 66] { let mut out1: [u8; 66] = [0; 66]; let mut x1: u64 = 0; let mut x2: fiat_p521_u1 = 0; let (x1, x2) = fiat_p521_subborrowx_u58(0x0, (arg1[0]), 0x3ffffffffffffff); let mut x3: u64 = 0; let mut x4: fiat_p521_u1 = 0; let (x3, x4) = fiat_p521_subborrowx_u58(x2, (arg1[1]), 0x3ffffffffffffff); let mut x5: u64 = 0; let mut x6: fiat_p521_u1 = 0; let (x5, x6) = fiat_p521_subborrowx_u58(x4, (arg1[2]), 0x3ffffffffffffff); let mut x7: u64 = 0; let mut x8: fiat_p521_u1 = 0; let (x7, x8) = fiat_p521_subborrowx_u58(x6, (arg1[3]), 0x3ffffffffffffff); let mut x9: u64 = 0; let mut x10: fiat_p521_u1 = 0; let (x9, x10) = fiat_p521_subborrowx_u58(x8, (arg1[4]), 0x3ffffffffffffff); let mut x11: u64 = 0; let mut x12: fiat_p521_u1 = 0; let (x11, x12) = fiat_p521_subborrowx_u58(x10, (arg1[5]), 0x3ffffffffffffff); let mut x13: u64 = 0; let mut x14: fiat_p521_u1 = 0; let (x13, x14) = 
fiat_p521_subborrowx_u58(x12, (arg1[6]), 0x3ffffffffffffff); let mut x15: u64 = 0; let mut x16: fiat_p521_u1 = 0; let (x15, x16) = fiat_p521_subborrowx_u58(x14, (arg1[7]), 0x3ffffffffffffff); let mut x17: u64 = 0; let mut x18: fiat_p521_u1 = 0; let (x17, x18) = fiat_p521_subborrowx_u57(x16, (arg1[8]), 0x1ffffffffffffff); let mut x19: u64 = 0; let (x19) = fiat_p521_cmovznz_u64(x18, (0x0 as u64), 0xffffffffffffffff); let mut x20: u64 = 0; let mut x21: fiat_p521_u1 = 0; let (x20, x21) = fiat_p521_addcarryx_u58(0x0, x1, (x19 & 0x3ffffffffffffff)); let mut x22: u64 = 0; let mut x23: fiat_p521_u1 = 0; let (x22, x23) = fiat_p521_addcarryx_u58(x21, x3, (x19 & 0x3ffffffffffffff)); let mut x24: u64 = 0; let mut x25: fiat_p521_u1 = 0; let (x24, x25) = fiat_p521_addcarryx_u58(x23, x5, (x19 & 0x3ffffffffffffff)); let mut x26: u64 = 0; let mut x27: fiat_p521_u1 = 0; let (x26, x27) = fiat_p521_addcarryx_u58(x25, x7, (x19 & 0x3ffffffffffffff)); let mut x28: u64 = 0; let mut x29: fiat_p521_u1 = 0; let (x28, x29) = fiat_p521_addcarryx_u58(x27, x9, (x19 & 0x3ffffffffffffff)); let mut x30: u64 = 0; let mut x31: fiat_p521_u1 = 0; let (x30, x31) = fiat_p521_addcarryx_u58(x29, x11, (x19 & 0x3ffffffffffffff)); let mut x32: u64 = 0; let mut x33: fiat_p521_u1 = 0; let (x32, x33) = fiat_p521_addcarryx_u58(x31, x13, (x19 & 0x3ffffffffffffff)); let mut x34: u64 = 0; let mut x35: fiat_p521_u1 = 0; let (x34, x35) = fiat_p521_addcarryx_u58(x33, x15, (x19 & 0x3ffffffffffffff)); let mut x36: u64 = 0; let mut x37: fiat_p521_u1 = 0; let (x36, x37) = fiat_p521_addcarryx_u57(x35, x17, (x19 & 0x1ffffffffffffff)); let x38: u64 = (x34 << 6); let x39: u64 = (x32 << 4); let x40: u64 = (x30 << 2); let x41: u64 = (x26 << 6); let x42: u64 = (x24 << 4); let x43: u64 = (x22 << 2); let x44: u8 = ((x20 & (0xff as u64)) as u8); let x45: u64 = (x20 >> 8); let x46: u8 = ((x45 & (0xff as u64)) as u8); let x47: u64 = (x45 >> 8); let x48: u8 = ((x47 & (0xff as u64)) as u8); let x49: u64 = (x47 >> 8); let x50: u8 = ((x49 
& (0xff as u64)) as u8); let x51: u64 = (x49 >> 8); let x52: u8 = ((x51 & (0xff as u64)) as u8); let x53: u64 = (x51 >> 8); let x54: u8 = ((x53 & (0xff as u64)) as u8); let x55: u64 = (x53 >> 8); let x56: u8 = ((x55 & (0xff as u64)) as u8); let x57: u8 = ((x55 >> 8) as u8); let x58: u64 = (x43 + (x57 as u64)); let x59: u8 = ((x58 & (0xff as u64)) as u8); let x60: u64 = (x58 >> 8); let x61: u8 = ((x60 & (0xff as u64)) as u8); let x62: u64 = (x60 >> 8); let x63: u8 = ((x62 & (0xff as u64)) as u8); let x64: u64 = (x62 >> 8); let x65: u8 = ((x64 & (0xff as u64)) as u8); let x66: u64 = (x64 >> 8); let x67: u8 = ((x66 & (0xff as u64)) as u8); let x68: u64 = (x66 >> 8); let x69: u8 = ((x68 & (0xff as u64)) as u8); let x70: u64 = (x68 >> 8); let x71: u8 = ((x70 & (0xff as u64)) as u8); let x72: u8 = ((x70 >> 8) as u8); let x73: u64 = (x42 + (x72 as u64)); let x74: u8 = ((x73 & (0xff as u64)) as u8); let x75: u64 = (x73 >> 8); let x76: u8 = ((x75 & (0xff as u64)) as u8); let x77: u64 = (x75 >> 8); let x78: u8 = ((x77 & (0xff as u64)) as u8); let x79: u64 = (x77 >> 8); let x80: u8 = ((x79 & (0xff as u64)) as u8); let x81: u64 = (x79 >> 8); let x82: u8 = ((x81 & (0xff as u64)) as u8); let x83: u64 = (x81 >> 8); let x84: u8 = ((x83 & (0xff as u64)) as u8); let x85: u64 = (x83 >> 8); let x86: u8 = ((x85 & (0xff as u64)) as u8); let x87: u8 = ((x85 >> 8) as u8); let x88: u64 = (x41 + (x87 as u64)); let x89: u8 = ((x88 & (0xff as u64)) as u8); let x90: u64 = (x88 >> 8); let x91: u8 = ((x90 & (0xff as u64)) as u8); let x92: u64 = (x90 >> 8); let x93: u8 = ((x92 & (0xff as u64)) as u8); let x94: u64 = (x92 >> 8); let x95: u8 = ((x94 & (0xff as u64)) as u8); let x96: u64 = (x94 >> 8); let x97: u8 = ((x96 & (0xff as u64)) as u8); let x98: u64 = (x96 >> 8); let x99: u8 = ((x98 & (0xff as u64)) as u8); let x100: u64 = (x98 >> 8); let x101: u8 = ((x100 & (0xff as u64)) as u8); let x102: u8 = ((x100 >> 8) as u8); let x103: u8 = ((x28 & (0xff as u64)) as u8); let x104: u64 = (x28 >> 8); 
let x105: u8 = ((x104 & (0xff as u64)) as u8); let x106: u64 = (x104 >> 8); let x107: u8 = ((x106 & (0xff as u64)) as u8); let x108: u64 = (x106 >> 8); let x109: u8 = ((x108 & (0xff as u64)) as u8); let x110: u64 = (x108 >> 8); let x111: u8 = ((x110 & (0xff as u64)) as u8); let x112: u64 = (x110 >> 8); let x113: u8 = ((x112 & (0xff as u64)) as u8); let x114: u64 = (x112 >> 8); let x115: u8 = ((x114 & (0xff as u64)) as u8); let x116: u8 = ((x114 >> 8) as u8); let x117: u64 = (x40 + (x116 as u64)); let x118: u8 = ((x117 & (0xff as u64)) as u8); let x119: u64 = (x117 >> 8); let x120: u8 = ((x119 & (0xff as u64)) as u8); let x121: u64 = (x119 >> 8); let x122: u8 = ((x121 & (0xff as u64)) as u8); let x123: u64 = (x121 >> 8); let x124: u8 = ((x123 & (0xff as u64)) as u8); let x125: u64 = (x123 >> 8); let x126: u8 = ((x125 & (0xff as u64)) as u8); let x127: u64 = (x125 >> 8); let x128: u8 = ((x127 & (0xff as u64)) as u8); let x129: u64 = (x127 >> 8); let x130: u8 = ((x129 & (0xff as u64)) as u8); let x131: u8 = ((x129 >> 8) as u8); let x132: u64 = (x39 + (x131 as u64)); let x133: u8 = ((x132 & (0xff as u64)) as u8); let x134: u64 = (x132 >> 8); let x135: u8 = ((x134 & (0xff as u64)) as u8); let x136: u64 = (x134 >> 8); let x137: u8 = ((x136 & (0xff as u64)) as u8); let x138: u64 = (x136 >> 8); let x139: u8 = ((x138 & (0xff as u64)) as u8); let x140: u64 = (x138 >> 8); let x141: u8 = ((x140 & (0xff as u64)) as u8); let x142: u64 = (x140 >> 8); let x143: u8 = ((x142 & (0xff as u64)) as u8); let x144: u64 = (x142 >> 8); let x145: u8 = ((x144 & (0xff as u64)) as u8); let x146: u8 = ((x144 >> 8) as u8); let x147: u64 = (x38 + (x146 as u64)); let x148: u8 = ((x147 & (0xff as u64)) as u8); let x149: u64 = (x147 >> 8); let x150: u8 = ((x149 & (0xff as u64)) as u8); let x151: u64 = (x149 >> 8); let x152: u8 = ((x151 & (0xff as u64)) as u8); let x153: u64 = (x151 >> 8); let x154: u8 = ((x153 & (0xff as u64)) as u8); let x155: u64 = (x153 >> 8); let x156: u8 = ((x155 & (0xff as 
u64)) as u8); let x157: u64 = (x155 >> 8); let x158: u8 = ((x157 & (0xff as u64)) as u8); let x159: u64 = (x157 >> 8); let x160: u8 = ((x159 & (0xff as u64)) as u8); let x161: u8 = ((x159 >> 8) as u8); let x162: u8 = ((x36 & (0xff as u64)) as u8); let x163: u64 = (x36 >> 8); let x164: u8 = ((x163 & (0xff as u64)) as u8); let x165: u64 = (x163 >> 8); let x166: u8 = ((x165 & (0xff as u64)) as u8); let x167: u64 = (x165 >> 8); let x168: u8 = ((x167 & (0xff as u64)) as u8); let x169: u64 = (x167 >> 8); let x170: u8 = ((x169 & (0xff as u64)) as u8); let x171: u64 = (x169 >> 8); let x172: u8 = ((x171 & (0xff as u64)) as u8); let x173: u64 = (x171 >> 8); let x174: u8 = ((x173 & (0xff as u64)) as u8); let x175: fiat_p521_u1 = ((x173 >> 8) as fiat_p521_u1); out1[0] = x44; out1[1] = x46; out1[2] = x48; out1[3] = x50; out1[4] = x52; out1[5] = x54; out1[6] = x56; out1[7] = x59; out1[8] = x61; out1[9] = x63; out1[10] = x65; out1[11] = x67; out1[12] = x69; out1[13] = x71; out1[14] = x74; out1[15] = x76; out1[16] = x78; out1[17] = x80; out1[18] = x82; out1[19] = x84; out1[20] = x86; out1[21] = x89; out1[22] = x91; out1[23] = x93; out1[24] = x95; out1[25] = x97; out1[26] = x99; out1[27] = x101; out1[28] = x102; out1[29] = x103; out1[30] = x105; out1[31] = x107; out1[32] = x109; out1[33] = x111; out1[34] = x113; out1[35] = x115; out1[36] = x118; out1[37] = x120; out1[38] = x122; out1[39] = x124; out1[40] = x126; out1[41] = x128; out1[42] = x130; out1[43] = x133; out1[44] = x135; out1[45] = x137; out1[46] = x139; out1[47] = x141; out1[48] = x143; out1[49] = x145; out1[50] = x148; out1[51] = x150; out1[52] = x152; out1[53] = x154; out1[54] = x156; out1[55] = x158; out1[56] = x160; out1[57] = x161; out1[58] = x162; out1[59] = x164; out1[60] = x166; out1[61] = x168; out1[62] = x170; out1[63] = x172; out1[64] = x174; out1[65] = (x175 as u8); out1 } #[doc = " The function fiat_p521_from_bytes deserializes a field element from bytes in little-endian order."] #[doc = ""] #[doc = " 
Postconditions:"] #[doc = " eval out1 mod m = bytes_eval arg1 mod m"] #[doc = ""] #[doc = " Input Bounds:"] #[doc = " arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]]"] #[inline] pub const fn fiat_p521_from_bytes(arg1: &[u8; 66]) -> fiat_p521_tight_field_element { let mut out1: fiat_p521_tight_field_element = [0; 9]; let x1: u64 = ((((arg1[65]) as fiat_p521_u1) as u64) << 56); let x2: u64 = (((arg1[64]) as u64) << 48); let x3: u64 = (((arg1[63]) as u64) << 40); let x4: u64 = (((arg1[62]) as u64) << 32); let x5: u64 = (((arg1[61]) as u64) << 24); let x6: u64 = (((arg1[60]) as u64) << 16); let x7: u64 = (((arg1[59]) as u64) << 8); let x8: u8 = (arg1[58]); let x9: u64 = (((arg1[57]) as u64) << 50); let x10: u64 = (((arg1[56]) as u64) << 42); let x11: u64 = (((arg1[55]) as u64) << 34); let x12: u64 = (((arg1[54]) as u64) << 26); let x13: u64 = (((arg1[53]) as u64) << 18); let x14: u64 = (((arg1[52]) as u64) << 10); let x15: u64 = (((arg1[51]) as u64) << 2); let x16: u64 = (((arg1[50]) as u64) << 52); let x17: u64 = (((arg1[49]) as u64) << 
44); let x18: u64 = (((arg1[48]) as u64) << 36); let x19: u64 = (((arg1[47]) as u64) << 28); let x20: u64 = (((arg1[46]) as u64) << 20); let x21: u64 = (((arg1[45]) as u64) << 12); let x22: u64 = (((arg1[44]) as u64) << 4); let x23: u64 = (((arg1[43]) as u64) << 54); let x24: u64 = (((arg1[42]) as u64) << 46); let x25: u64 = (((arg1[41]) as u64) << 38); let x26: u64 = (((arg1[40]) as u64) << 30); let x27: u64 = (((arg1[39]) as u64) << 22); let x28: u64 = (((arg1[38]) as u64) << 14); let x29: u64 = (((arg1[37]) as u64) << 6); let x30: u64 = (((arg1[36]) as u64) << 56); let x31: u64 = (((arg1[35]) as u64) << 48); let x32: u64 = (((arg1[34]) as u64) << 40); let x33: u64 = (((arg1[33]) as u64) << 32); let x34: u64 = (((arg1[32]) as u64) << 24); let x35: u64 = (((arg1[31]) as u64) << 16); let x36: u64 = (((arg1[30]) as u64) << 8); let x37: u8 = (arg1[29]); let x38: u64 = (((arg1[28]) as u64) << 50); let x39: u64 = (((arg1[27]) as u64) << 42); let x40: u64 = (((arg1[26]) as u64) << 34); let x41: u64 = (((arg1[25]) as u64) << 26); let x42: u64 = (((arg1[24]) as u64) << 18); let x43: u64 = (((arg1[23]) as u64) << 10); let x44: u64 = (((arg1[22]) as u64) << 2); let x45: u64 = (((arg1[21]) as u64) << 52); let x46: u64 = (((arg1[20]) as u64) << 44); let x47: u64 = (((arg1[19]) as u64) << 36); let x48: u64 = (((arg1[18]) as u64) << 28); let x49: u64 = (((arg1[17]) as u64) << 20); let x50: u64 = (((arg1[16]) as u64) << 12); let x51: u64 = (((arg1[15]) as u64) << 4); let x52: u64 = (((arg1[14]) as u64) << 54); let x53: u64 = (((arg1[13]) as u64) << 46); let x54: u64 = (((arg1[12]) as u64) << 38); let x55: u64 = (((arg1[11]) as u64) << 30); let x56: u64 = (((arg1[10]) as u64) << 22); let x57: u64 = (((arg1[9]) as u64) << 14); let x58: u64 = (((arg1[8]) as u64) << 6); let x59: u64 = (((arg1[7]) as u64) << 56); let x60: u64 = (((arg1[6]) as u64) << 48); let x61: u64 = (((arg1[5]) as u64) << 40); let x62: u64 = (((arg1[4]) as u64) << 32); let x63: u64 = (((arg1[3]) as u64) << 24); 
let x64: u64 = (((arg1[2]) as u64) << 16); let x65: u64 = (((arg1[1]) as u64) << 8); let x66: u8 = (arg1[0]); let x67: u64 = (x65 + (x66 as u64)); let x68: u64 = (x64 + x67); let x69: u64 = (x63 + x68); let x70: u64 = (x62 + x69); let x71: u64 = (x61 + x70); let x72: u64 = (x60 + x71); let x73: u64 = (x59 + x72); let x74: u64 = (x73 & 0x3ffffffffffffff); let x75: u8 = ((x73 >> 58) as u8); let x76: u64 = (x58 + (x75 as u64)); let x77: u64 = (x57 + x76); let x78: u64 = (x56 + x77); let x79: u64 = (x55 + x78); let x80: u64 = (x54 + x79); let x81: u64 = (x53 + x80); let x82: u64 = (x52 + x81); let x83: u64 = (x82 & 0x3ffffffffffffff); let x84: u8 = ((x82 >> 58) as u8); let x85: u64 = (x51 + (x84 as u64)); let x86: u64 = (x50 + x85); let x87: u64 = (x49 + x86); let x88: u64 = (x48 + x87); let x89: u64 = (x47 + x88); let x90: u64 = (x46 + x89); let x91: u64 = (x45 + x90); let x92: u64 = (x91 & 0x3ffffffffffffff); let x93: u8 = ((x91 >> 58) as u8); let x94: u64 = (x44 + (x93 as u64)); let x95: u64 = (x43 + x94); let x96: u64 = (x42 + x95); let x97: u64 = (x41 + x96); let x98: u64 = (x40 + x97); let x99: u64 = (x39 + x98); let x100: u64 = (x38 + x99); let x101: u64 = (x36 + (x37 as u64)); let x102: u64 = (x35 + x101); let x103: u64 = (x34 + x102); let x104: u64 = (x33 + x103); let x105: u64 = (x32 + x104); let x106: u64 = (x31 + x105); let x107: u64 = (x30 + x106); let x108: u64 = (x107 & 0x3ffffffffffffff); let x109: u8 = ((x107 >> 58) as u8); let x110: u64 = (x29 + (x109 as u64)); let x111: u64 = (x28 + x110); let x112: u64 = (x27 + x111); let x113: u64 = (x26 + x112); let x114: u64 = (x25 + x113); let x115: u64 = (x24 + x114); let x116: u64 = (x23 + x115); let x117: u64 = (x116 & 0x3ffffffffffffff); let x118: u8 = ((x116 >> 58) as u8); let x119: u64 = (x22 + (x118 as u64)); let x120: u64 = (x21 + x119); let x121: u64 = (x20 + x120); let x122: u64 = (x19 + x121); let x123: u64 = (x18 + x122); let x124: u64 = (x17 + x123); let x125: u64 = (x16 + x124); let x126: u64 = 
(x125 & 0x3ffffffffffffff); let x127: u8 = ((x125 >> 58) as u8); let x128: u64 = (x15 + (x127 as u64)); let x129: u64 = (x14 + x128); let x130: u64 = (x13 + x129); let x131: u64 = (x12 + x130); let x132: u64 = (x11 + x131); let x133: u64 = (x10 + x132); let x134: u64 = (x9 + x133); let x135: u64 = (x7 + (x8 as u64)); let x136: u64 = (x6 + x135); let x137: u64 = (x5 + x136); let x138: u64 = (x4 + x137); let x139: u64 = (x3 + x138); let x140: u64 = (x2 + x139); let x141: u64 = (x1 + x140); out1[0] = x74; out1[1] = x83; out1[2] = x92; out1[3] = x100; out1[4] = x108; out1[5] = x117; out1[6] = x126; out1[7] = x134; out1[8] = x141; out1 } p521-0.13.3/src/arithmetic/field.rs000064400000000000000000000435751046102023000147660ustar 00000000000000//! Field arithmetic modulo p = 2^{521} − 1 //! //! Arithmetic implementations have been synthesized using fiat-crypto. //! //! # License //! //! Copyright (c) 2015-2020 the fiat-crypto authors //! //! fiat-crypto is distributed under the terms of the MIT License, the //! Apache License (Version 2.0), and the BSD 1-Clause License; //! users may pick which license to apply. #![allow( clippy::should_implement_trait, clippy::suspicious_op_assign_impl, clippy::unused_unit, clippy::unnecessary_cast, clippy::too_many_arguments, clippy::identity_op, rustdoc::bare_urls )] // TODO(tarcieri): 32-bit backend? #[path = "field/p521_64.rs"] mod field_impl; mod loose; pub(crate) use self::loose::LooseFieldElement; use self::field_impl::*; use crate::{FieldBytes, NistP521, U576}; use core::{ fmt::{self, Debug}, iter::{Product, Sum}, ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign}, }; use elliptic_curve::{ ff::{self, Field, PrimeField}, generic_array::GenericArray, rand_core::RngCore, subtle::{Choice, ConditionallySelectable, ConstantTimeEq, ConstantTimeLess, CtOption}, zeroize::DefaultIsZeroes, Error, FieldBytesEncoding, }; use super::util::u576_to_le_bytes; /// Constant representing the modulus serialized as hex. 
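/// p = 2^{521} − 1
///
/// The string is 144 hex digits long so that it fills a [`U576`] when parsed
/// with `U576::from_be_hex` below.
const MODULUS_HEX: &str = "00000000000001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";

/// The field modulus as a [`U576`]; used as the upper bound in
/// [`FieldElement::from_uint`].
pub(crate) const MODULUS: U576 = U576::from_be_hex(MODULUS_HEX);

/// Element of the secp521r1 base field used for curve coordinates.
///
/// Wraps the fiat-crypto "tight" limb representation. That representation is
/// unsaturated, so the same field value can be held by more than one limb
/// vector (the `Debug` impl in this file gives a concrete pair). Anything that
/// must depend on the *value* (equality, parity, serialization) therefore has
/// to go through `fiat_p521_to_bytes` rather than inspect limbs directly.
#[derive(Clone, Copy)]
pub struct FieldElement(pub(crate) fiat_p521_tight_field_element);

impl FieldElement {
    /// Zero element.
    pub const ZERO: Self = Self::from_u64(0);

    /// Multiplicative identity.
    pub const ONE: Self = Self::from_u64(1);

    /// Number of bytes in the serialized representation.
    const BYTES: usize = 66;

    /// Create a [`FieldElement`] from a canonical big-endian representation.
    ///
    /// Returns a `CtOption` that is `None` when the encoded integer is not
    /// strictly below the modulus (the range check lives in
    /// [`FieldElement::from_uint`]).
    pub fn from_bytes(repr: &FieldBytes) -> CtOption<Self> {
        let uint = <U576 as FieldBytesEncoding<NistP521>>::decode_field_bytes(repr);
        Self::from_uint(uint)
    }

    /// Decode [`FieldElement`] from a big endian byte slice.
    ///
    /// # Errors
    ///
    /// Returns [`Error`] when `slice` is not exactly 66 bytes long or when it
    /// encodes a value that [`FieldElement::from_bytes`] rejects.
    ///
    /// Converting the `CtOption` into an `Option` branches on validity, so
    /// whether the input was in range is not hidden from timing.
    pub fn from_slice(slice: &[u8]) -> elliptic_curve::Result<Self> {
        // `GenericArray::from_slice` is only reached with the expected length.
        if slice.len() != Self::BYTES {
            return Err(Error);
        }

        Option::from(Self::from_bytes(GenericArray::from_slice(slice))).ok_or(Error)
    }

    /// Decode [`FieldElement`] from [`U576`].
    ///
    /// The limbs are decoded unconditionally; the `uint < MODULUS` comparison
    /// only decides whether the returned `CtOption` is `Some`.
    pub fn from_uint(uint: U576) -> CtOption<Self> {
        let is_some = uint.ct_lt(&MODULUS);
        CtOption::new(Self::from_uint_unchecked(uint), is_some)
    }

    /// Parse a [`FieldElement`] from big endian hex-encoded bytes.
    ///
    /// Does *not* perform a check that the field element does not overflow the order.
    ///
    /// This method is primarily intended for defining internal constants.
    pub(crate) const fn from_hex(hex: &str) -> Self {
        Self::from_uint_unchecked(U576::from_be_hex(hex))
    }

    /// Convert a `u64` into a [`FieldElement`].
    pub const fn from_u64(w: u64) -> Self {
        Self::from_uint_unchecked(U576::from_u64(w))
    }

    /// Decode [`FieldElement`] from [`U576`].
    ///
    /// Does *not* perform a check that the field element does not overflow the order.
    ///
    /// Used incorrectly this can lead to invalid results!
    ///
    /// Callers must already know that `w` is below the modulus; input that
    /// comes from outside the crate belongs in [`FieldElement::from_uint`].
    pub(crate) const fn from_uint_unchecked(w: U576) -> Self {
        Self(fiat_p521_from_bytes(&u576_to_le_bytes(w)))
    }

    /// Returns the big-endian encoding of this [`FieldElement`].
    pub fn to_bytes(self) -> FieldBytes {
        // fiat-crypto serializes little-endian; flip to the big-endian wire order.
        let mut ret = fiat_p521_to_bytes(&self.0);
        ret.reverse();
        GenericArray::clone_from_slice(&ret)
    }

    /// Determine if this [`FieldElement`] is odd in the SEC1 sense: `self mod 2 == 1`.
    ///
    /// # Returns
    ///
    /// If odd, return `Choice(1)`. Otherwise, return `Choice(0)`.
    pub fn is_odd(&self) -> Choice {
        // Parity is taken from the serialized value instead of from limb 0.
        // The limb representation is not unique: the `Debug` docs in this file
        // show `[9, 0, ..]` and `[8, 0, 2^58, ..]` holding the same element,
        // and those two disagree in the low bit of limb 0. Serialization
        // reduces first, so byte 0 (little-endian) carries the parity that the
        // SEC1 definition asks for.
        Choice::from(fiat_p521_to_bytes(&self.0)[0] & 1)
    }

    /// Determine if this [`FieldElement`] is even in the SEC1 sense: `self mod 2 == 0`.
    ///
    /// # Returns
    ///
    /// If even, return `Choice(1)`. Otherwise, return `Choice(0)`.
    pub fn is_even(&self) -> Choice {
        !self.is_odd()
    }

    /// Determine if this [`FieldElement`] is zero.
    ///
    /// # Returns
    ///
    /// If zero, return `Choice(1)`. Otherwise, return `Choice(0)`.
    pub fn is_zero(&self) -> Choice {
        self.ct_eq(&Self::ZERO)
    }

    /// Add elements.
    #[allow(dead_code)] // TODO(tarcieri): currently unused
    pub(crate) const fn add_loose(&self, rhs: &Self) -> LooseFieldElement {
        LooseFieldElement(fiat_p521_add(&self.0, &rhs.0))
    }

    /// Double element (add it to itself).
    #[allow(dead_code)] // TODO(tarcieri): currently unused
    #[must_use]
    pub(crate) const fn double_loose(&self) -> LooseFieldElement {
        Self::add_loose(self, self)
    }

    /// Subtract elements, returning a loose field element.
    #[allow(dead_code)] // TODO(tarcieri): currently unused
    pub(crate) const fn sub_loose(&self, rhs: &Self) -> LooseFieldElement {
        LooseFieldElement(fiat_p521_sub(&self.0, &rhs.0))
    }

    /// Negate element, returning a loose field element.
    #[allow(dead_code)] // TODO(tarcieri): currently unused
    pub(crate) const fn neg_loose(&self) -> LooseFieldElement {
        LooseFieldElement(fiat_p521_opp(&self.0))
    }

    /// Add two field elements.
    pub const fn add(&self, rhs: &Self) -> Self {
        Self(fiat_p521_carry_add(&self.0, &rhs.0))
    }

    /// Subtract field elements.
    pub const fn sub(&self, rhs: &Self) -> Self {
        Self(fiat_p521_carry_sub(&self.0, &rhs.0))
    }

    /// Negate element.
    pub const fn neg(&self) -> Self {
        Self(fiat_p521_carry_opp(&self.0))
    }

    /// Double element (add it to itself).
    #[must_use]
    pub const fn double(&self) -> Self {
        self.add(self)
    }

    /// Multiply elements.
    pub const fn multiply(&self, rhs: &Self) -> Self {
        LooseFieldElement::mul(&self.relax(), &rhs.relax())
    }

    /// Square element.
    pub const fn square(&self) -> Self {
        self.relax().square()
    }

    /// Returns self^(2^n) mod p
    ///
    /// Performs exactly `n` squarings, so `n == 0` returns `self` unchanged.
    const fn sqn(&self, n: usize) -> Self {
        let mut x = *self;
        let mut i = 0;
        while i < n {
            x = x.square();
            i += 1;
        }
        x
    }

    /// Returns `self^exp`, where `exp` is a little-endian integer exponent.
    ///
    /// **This operation is variable time with respect to the exponent.**
    ///
    /// If the exponent is fixed, this operation is effectively constant time.
    ///
    /// The multiply below is taken only for set exponent bits, so a secret
    /// exponent must not be passed here.
    pub const fn pow_vartime(&self, exp: &[u64]) -> Self {
        let mut res = Self::ONE;
        let mut i = exp.len();

        // Square-and-multiply, most significant word and bit first.
        while i > 0 {
            i -= 1;
            let mut j = 64;
            while j > 0 {
                j -= 1;
                res = res.square();
                if ((exp[i] >> j) & 1) == 1 {
                    res = Self::multiply(&res, self);
                }
            }
        }

        res
    }

    /// Compute [`FieldElement`] inversion: `1 / self`.
    ///
    /// The inversion chain always runs; the returned `CtOption` is `None`
    /// when `self` is zero.
    pub fn invert(&self) -> CtOption<Self> {
        CtOption::new(self.invert_unchecked(), !self.is_zero())
    }

    /// Returns the multiplicative inverse of self.
    ///
    /// Does not check that self is non-zero.
    const fn invert_unchecked(&self) -> Self {
        // Adapted from addchain: github.com/mmcloughlin/addchain
        //
        // Fixed sequence of squarings and multiplications; no step depends on
        // the value of `self`.
        let z = self.square();
        let z = self.multiply(&z);
        let t0 = z.sqn(2);
        let z = z.multiply(&t0);
        let t0 = z.sqn(4);
        let z = z.multiply(&t0);
        let t0 = z.sqn(8);
        let z = z.multiply(&t0);
        let t0 = z.sqn(16);
        let z = z.multiply(&t0);
        let t0 = z.sqn(32);
        let z = z.multiply(&t0);
        let t0 = z.square();
        let t0 = self.multiply(&t0);
        let t0 = t0.sqn(64);
        let z = z.multiply(&t0);
        let t0 = z.square();
        let t0 = self.multiply(&t0);
        let t0 = t0.sqn(129);
        let z = z.multiply(&t0);
        let t0 = z.square();
        let t0 = self.multiply(&t0);
        let t0 = t0.sqn(259);
        let z = z.multiply(&t0);
        let z = z.sqn(2);
        self.multiply(&z)
    }

    /// Returns the square root of self mod p, or `None` if no square root
    /// exists.
    ///
    /// # Implementation details
    /// If _x_ has a sqrt, then due to Euler's criterion this implies x^((p - 1)/2) = 1.
    /// 1. x^((p + 1)/2) = x.
    /// 2. There's a special property due to _p ≡ 3 (mod 4)_ which implies _(p + 1)/4_ is an integer.
    /// 3. We can rewrite `1.` as (x^((p + 1)/4))^2 = x.
    /// 4. x^((p + 1)/4) is the square root.
    /// 5. This is simplified as (2^521 - 1 + 1)/4 = 2^519.
    /// 6. Hence, x^(2^519) is the square root iff _result.square() == self_.
    pub fn sqrt(&self) -> CtOption<Self> {
        let sqrt = self.sqn(519);
        // The candidate is always computed; only the flag says whether it is a root.
        CtOption::new(sqrt, sqrt.square().ct_eq(self))
    }

    /// Relax a tight field element into a loose one.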
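pub(crate) const fn relax(&self) -> LooseFieldElement {
    LooseFieldElement(fiat_p521_relax(&self.0))
}
} // closes `impl FieldElement`

impl AsRef<fiat_p521_tight_field_element> for FieldElement {
    /// Borrow the underlying tight limb array.
    fn as_ref(&self) -> &fiat_p521_tight_field_element {
        &self.0
    }
}

impl Default for FieldElement {
    /// The default element is [`FieldElement::ZERO`].
    fn default() -> Self {
        Self::ZERO
    }
}

impl Debug for FieldElement {
    /// Formatting machinery for [`FieldElement`]
    ///
    /// # Why
    /// ```ignore
    /// let fe1 = FieldElement([9, 0, 0, 0, 0, 0, 0, 0, 0]);
    /// let fe2 = FieldElement([
    ///     8,
    ///     0,
    ///     288230376151711744,
    ///     288230376151711743,
    ///     288230376151711743,
    ///     288230376151711743,
    ///     288230376151711743,
    ///     288230376151711743,
    ///     144115188075855871,
    /// ]);
    /// ```
    ///
    /// For the above example, deriving [`core::fmt::Debug`] will result in returning 2 different
    /// strings, which are in reality the same due to p521's unsaturated math, instead print the
    /// output as a hex string in big-endian.
    ///
    /// This makes debugging easier.
    ///
    /// The full value is printed, so a `{:?}` of an element derived from
    /// secret material writes that material to wherever the output goes.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Serialize first so equal values always print the same digits.
        let mut bytes = fiat_p521_to_bytes(&self.0);
        bytes.reverse();
        let formatter = base16ct::HexDisplay(&bytes);
        f.debug_tuple("FieldElement")
            .field(&format_args!("0x{formatter:X}"))
            .finish()
    }
}

impl Eq for FieldElement {}

impl PartialEq for FieldElement {
    /// Equality is delegated to the [`ConstantTimeEq`] impl below.
    fn eq(&self, rhs: &Self) -> bool {
        self.ct_eq(rhs).into()
    }
}

// The integer conversions below use the unchecked decoder: every `u32`, `u64`
// and `u128` value is far below the 521-bit modulus.
impl From<u32> for FieldElement {
    fn from(n: u32) -> FieldElement {
        Self::from_uint_unchecked(U576::from(n))
    }
}

impl From<u64> for FieldElement {
    fn from(n: u64) -> FieldElement {
        Self::from_uint_unchecked(U576::from(n))
    }
}

impl From<u128> for FieldElement {
    fn from(n: u128) -> FieldElement {
        Self::from_uint_unchecked(U576::from(n))
    }
}

impl ConditionallySelectable for FieldElement {
    /// Selects limb by limb with `u64::conditional_select`.
    fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
        let mut ret = Self::ZERO;

        for i in 0..ret.0.len() {
            ret.0[i] = u64::conditional_select(&a.0[i], &b.0[i], choice);
        }

        ret
    }
}

impl ConstantTimeEq for FieldElement {
    /// Compares the serialized forms rather than the raw limbs, because two
    /// different limb vectors can hold the same field value.
    fn ct_eq(&self, other: &Self) -> Choice {
        let a = fiat_p521_to_bytes(&self.0);
        let b = fiat_p521_to_bytes(&other.0);
        a.ct_eq(&b)
    }
}

impl DefaultIsZeroes for FieldElement {}

impl Field for FieldElement {
    const ZERO: Self = Self::ZERO;
    const ONE: Self = Self::ONE;

    /// Rejection-samples a uniformly random element.
    ///
    /// All 66 bytes (528 bits) are filled and anything not below the 521-bit
    /// modulus is discarded, so roughly one draw in 128 is accepted.
    fn random(mut rng: impl RngCore) -> Self {
        // NOTE: can't use ScalarPrimitive::random due to CryptoRng bound
        let mut bytes = <FieldBytes>::default();

        loop {
            rng.fill_bytes(&mut bytes);
            if let Some(fe) = Self::from_bytes(&bytes).into() {
                return fe;
            }
        }
    }

    fn is_zero(&self) -> Choice {
        Self::ZERO.ct_eq(self)
    }

    #[must_use]
    fn square(&self) -> Self {
        self.square()
    }

    #[must_use]
    fn double(&self) -> Self {
        self.double()
    }

    fn invert(&self) -> CtOption<Self> {
        self.invert()
    }

    fn sqrt(&self) -> CtOption<Self> {
        self.sqrt()
    }

    fn sqrt_ratio(num: &Self, div: &Self) -> (Choice, Self) {
        ff::helpers::sqrt_ratio_generic(num, div)
    }
}

impl PrimeField for FieldElement {
    type Repr = FieldBytes;

    const MODULUS: &'static str = MODULUS_HEX;
    const NUM_BITS: u32 = 521;
    const CAPACITY: u32 = 520;
    const TWO_INV: Self = Self::from_u64(2).invert_unchecked();
    const MULTIPLICATIVE_GENERATOR: Self = Self::from_u64(3);
    const S: u32 = 1;
    // This literal is the modulus with its last hex digit lowered by one, i.e. p - 1.
    const ROOT_OF_UNITY: Self = Self::from_hex("00000000000001fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe");
    const ROOT_OF_UNITY_INV: Self = Self::ROOT_OF_UNITY.invert_unchecked();
    const DELTA: Self = Self::from_u64(9);

    /// Range-checked decoding; see [`FieldElement::from_bytes`].
    #[inline]
    fn from_repr(bytes: FieldBytes) -> CtOption<Self> {
        Self::from_bytes(&bytes)
    }

    #[inline]
    fn to_repr(&self) -> FieldBytes {
        self.to_bytes()
    }

    #[inline]
    fn is_odd(&self) -> Choice {
        self.is_odd()
    }
}

//
// `core::ops` impls
//

impl Add for FieldElement {
    type Output = FieldElement;

    #[inline]
    fn add(self, rhs: FieldElement) -> FieldElement {
        Self::add(&self, &rhs)
    }
}

impl Add<&FieldElement> for FieldElement {
    type Output = FieldElement;

    #[inline]
    fn add(self, rhs: &FieldElement) -> FieldElement {
        Self::add(&self, rhs)
    }
}

impl Add<&FieldElement> for &FieldElement {
    type Output = FieldElement;

    #[inline]
    fn add(self, rhs: &FieldElement) -> FieldElement {
        FieldElement::add(self, rhs)
    }
}

impl AddAssign for FieldElement {
    #[inline]
    fn add_assign(&mut self, other: FieldElement) {
        *self = *self + other;
    }
}

impl AddAssign<&FieldElement> for FieldElement {
    #[inline]
    fn add_assign(&mut self, other: &FieldElement) {
        *self = *self + other;
    }
}

impl Sub for FieldElement {
    type Output = FieldElement;

    #[inline]
    fn sub(self, rhs: FieldElement) -> FieldElement {
        Self::sub(&self, &rhs)
    }
}

impl Sub<&FieldElement> for FieldElement {
    type Output = FieldElement;

    #[inline]
    fn sub(self, rhs: &FieldElement) -> FieldElement {
        Self::sub(&self, rhs)
    }
}

impl Sub<&FieldElement> for &FieldElement {
    type Output = FieldElement;

    #[inline]
    fn sub(self, rhs: &FieldElement) -> FieldElement {
        FieldElement::sub(self, rhs)
    }
}

impl SubAssign for FieldElement {
    #[inline]
    fn sub_assign(&mut self, other: FieldElement) {
        *self = *self - other;
    }
}

impl SubAssign<&FieldElement> for FieldElement {
    #[inline]
    fn sub_assign(&mut self, other: &FieldElement) {
        *self = *self - other;
    }
}

impl Mul for FieldElement {
    type Output = FieldElement;

    #[inline]
    fn mul(self, rhs: FieldElement) -> FieldElement {
        self.relax().mul(&rhs.relax())
    }
}

impl Mul<&FieldElement> for FieldElement {
    type Output = FieldElement;

    #[inline]
    fn mul(self, rhs: &FieldElement) -> FieldElement {
        self.relax().mul(&rhs.relax())
    }
}

impl Mul<&FieldElement> for &FieldElement {
    type Output = FieldElement;

    #[inline]
    fn mul(self, rhs: &FieldElement) -> FieldElement {
        self.relax().mul(&rhs.relax())
    }
}

impl MulAssign<&FieldElement> for FieldElement {
    #[inline]
    fn mul_assign(&mut self, other: &FieldElement) {
        *self = *self * other;
    }
}

impl MulAssign for FieldElement {
    #[inline]
    fn mul_assign(&mut self, other: FieldElement) {
        *self = *self * other;
    }
}

impl Neg for FieldElement {
    type Output = FieldElement;

    #[inline]
    fn neg(self) -> FieldElement {
        Self::neg(&self)
    }
}

//
// `core::iter` trait impls
//

impl Sum for FieldElement {
    /// An empty iterator sums to [`FieldElement::ZERO`].
    fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
        iter.reduce(core::ops::Add::add).unwrap_or(Self::ZERO)
    }
}

impl<'a> Sum<&'a FieldElement> for FieldElement {
    fn sum<I: Iterator<Item = &'a FieldElement>>(iter: I) -> Self {
        iter.copied().sum()
    }
}

impl Product for FieldElement {
    /// An empty iterator multiplies to [`FieldElement::ONE`].
    fn product<I: Iterator<Item = Self>>(iter: I) -> Self {
        iter.reduce(core::ops::Mul::mul).unwrap_or(Self::ONE)
    }
}

impl<'a> Product<&'a FieldElement> for FieldElement {
    fn product<I: Iterator<Item = &'a FieldElement>>(iter: I) -> Self {
        iter.copied().product()
    }
}

#[cfg(test)]
mod tests {
    use super::FieldElement;
    use elliptic_curve::ff::PrimeField;
    use hex_literal::hex;
    use primeorder::{
        impl_field_identity_tests, impl_field_invert_tests, impl_field_sqrt_tests,
        impl_primefield_tests,
    };

    /// t = (modulus - 1) >> S
    const T: [u64; 9] = [
        0xffffffffffffffff,
        0xffffffffffffffff,
        0xffffffffffffffff,
        0xffffffffffffffff,
        0xffffffffffffffff,
        0xffffffffffffffff,
        0xffffffffffffffff,
        0xffffffffffffffff,
        0x00000000000000ff,
    ];

    impl_field_identity_tests!(FieldElement);
    impl_field_invert_tests!(FieldElement);
    impl_field_sqrt_tests!(FieldElement);
    impl_primefield_tests!(FieldElement, T);

    /// Regression test for RustCrypto/elliptic-curves#965
    ///
    /// An all-ones encoding is above the modulus; decoding must report that
    /// through the `CtOption` rather than panic.
    #[test]
    fn decode_invalid_field_element_returns_err() {
        let overflowing_bytes = hex!("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
        let ct_option = FieldElement::from_bytes(overflowing_bytes.as_ref().into());
        assert!(bool::from(ct_option.is_none()));
    }
}

// ---- archive member: p521-0.13.3/src/arithmetic/hash2curve.rs ----

use super::FieldElement;
use crate::{AffinePoint, NistP521, ProjectivePoint, Scalar};
use elliptic_curve::{
    bigint::{ArrayEncoding, U576},
    consts::U98,
    generic_array::GenericArray,
    hash2curve::{FromOkm, GroupDigest, MapToCurve, OsswuMap, OsswuMapParams, Sgn0},
    ops::Reduce,
    point::DecompressPoint,
    subtle::Choice,
};

impl GroupDigest for NistP521 {
    type FieldElement = FieldElement;
}

impl FromOkm for FieldElement {
    type Length = U98;

    /// Reduces 98 bytes of output keying material to a field element.
    ///
    /// The input is split into two 49-byte big-endian halves `d0` and `d1`
    /// and combined as `d0 * 2^392 + d1` with field arithmetic. Each half is
    /// copied behind 23 zero bytes, so it is below 2^392 and therefore below
    /// the modulus; the unchecked decoder is never given an out-of-range value
    /// here.
    fn from_okm(data: &GenericArray<u8, Self::Length>) -> Self {
        const F_2_392: FieldElement = FieldElement::from_hex(
            "000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
        );

        let mut d0 = GenericArray::default();
        d0[23..].copy_from_slice(&data[0..49]);
        let d0 = FieldElement::from_uint_unchecked(U576::from_be_byte_array(d0));

        let mut d1 = GenericArray::default();
        d1[23..].copy_from_slice(&data[49..]);
        let d1 = FieldElement::from_uint_unchecked(U576::from_be_byte_array(d1));

        d0 * F_2_392 + d1
    }
}

impl Sgn0 for FieldElement {
    /// The sign of a field element is its parity, as reported by `is_odd`.
    fn sgn0(&self) -> Choice {
        self.is_odd()
    }
}

impl OsswuMap for FieldElement {
    /// Constants for the simplified SWU map; the `params` test in this file
    /// checks `c1` against `(MODULUS - 3) / 4` and `c2` against `sqrt(4)`.
    const PARAMS: OsswuMapParams<Self> = OsswuMapParams {
        c1: &[
            0xffff_ffff_ffff_ffff,
            0xffff_ffff_ffff_ffff,
            0xffff_ffff_ffff_ffff,
            0xffff_ffff_ffff_ffff,
            0xffff_ffff_ffff_ffff,
            0xffff_ffff_ffff_ffff,
            0xffff_ffff_ffff_ffff,
            0xffff_ffff_ffff_ffff,
            0x0000_0000_0000_007f,
        ],
        c2: FieldElement::from_hex(
            "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002",
        ),
        map_a: FieldElement::from_u64(3).neg(),
        map_b: FieldElement::from_hex(
            "0000000000000051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
        ),
        z: FieldElement::from_u64(4).neg(),
    };
}

impl MapToCurve for FieldElement {
    type Output = ProjectivePoint;

    /// Maps this field element to a curve point via `osswu`.
    ///
    /// The point is rebuilt by decompressing the mapped x-coordinate with the
    /// parity of the mapped y-coordinate, and the result of that decompression
    /// is unwrapped.
    fn map_to_curve(&self) -> Self::Output {
        let (qx, qy) = self.osswu();

        // NOTE(review): the `unwrap()` in the statement that follows panics if
        // decompression fails. Presumably the map always yields an on-curve
        // x-coordinate; confirm, since this is reachable from hashed input.
        // TODO(tarcieri): assert that `qy` is correct? less circuitous conversion?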
AffinePoint::decompress(&qx.to_bytes(), qy.is_odd()) .unwrap() .into() } } impl FromOkm for Scalar { type Length = U98; fn from_okm(data: &GenericArray) -> Self { const F_2_392: Scalar = Scalar::from_hex( "000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", ); let mut d0 = GenericArray::default(); d0[23..].copy_from_slice(&data[0..49]); let d0 = Scalar::reduce(U576::from_be_byte_array(d0)); let mut d1 = GenericArray::default(); d1[23..].copy_from_slice(&data[49..]); let d1 = Scalar::reduce(U576::from_be_byte_array(d1)); d0 * F_2_392 + d1 } } #[cfg(test)] mod tests { use crate::{ arithmetic::field::{FieldElement, MODULUS}, NistP521, Scalar, }; use elliptic_curve::{ bigint::{ArrayEncoding, CheckedSub, NonZero, U576, U896}, consts::U98, generic_array::GenericArray, group::cofactor::CofactorGroup, hash2curve::{self, ExpandMsgXmd, FromOkm, GroupDigest, MapToCurve, OsswuMap}, ops::Reduce, sec1::{self, ToEncodedPoint}, Curve, }; use hex_literal::hex; use proptest::{num, prelude::ProptestConfig, proptest}; use sha2::Sha512; #[test] fn params() { let params = ::PARAMS; let c1 = MODULUS.checked_sub(&U576::from_u8(3)).unwrap() / NonZero::new(U576::from_u8(4)).unwrap(); assert_eq!( GenericArray::from_iter(params.c1.iter().rev().flat_map(|v| v.to_be_bytes())), c1.to_be_byte_array() ); let c2 = FieldElement::from_u64(4).sqrt().unwrap(); assert_eq!(params.c2, c2); } #[test] fn hash_to_curve() { struct TestVector { msg: &'static [u8], p_x: [u8; 66], p_y: [u8; 66], u_0: [u8; 66], u_1: [u8; 66], q0_x: [u8; 66], q0_y: [u8; 66], q1_x: [u8; 66], q1_y: [u8; 66], } const DST: &[u8] = b"QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_RO_"; const TEST_VECTORS: &[TestVector] = &[ TestVector { msg: b"", p_x: hex!("00fd767cebb2452030358d0e9cf907f525f50920c8f607889a6a35680727f64f4d66b161fafeb2654bea0d35086bec0a10b30b14adef3556ed9f7f1bc23cecc9c088"), p_y: 
hex!("0169ba78d8d851e930680322596e39c78f4fe31b97e57629ef6460ddd68f8763fd7bd767a4e94a80d3d21a3c2ee98347e024fc73ee1c27166dc3fe5eeef782be411d"), u_0: hex!("01e5f09974e5724f25286763f00ce76238c7a6e03dc396600350ee2c4135fb17dc555be99a4a4bae0fd303d4f66d984ed7b6a3ba386093752a855d26d559d69e7e9e"), u_1: hex!("00ae593b42ca2ef93ac488e9e09a5fe5a2f6fb330d18913734ff602f2a761fcaaf5f596e790bcc572c9140ec03f6cccc38f767f1c1975a0b4d70b392d95a0c7278aa"), q0_x: hex!("00b70ae99b6339fffac19cb9bfde2098b84f75e50ac1e80d6acb954e4534af5f0e9c4a5b8a9c10317b8e6421574bae2b133b4f2b8c6ce4b3063da1d91d34fa2b3a3c"), q0_y: hex!("007f368d98a4ddbf381fb354de40e44b19e43bb11a1278759f4ea7b485e1b6db33e750507c071250e3e443c1aaed61f2c28541bb54b1b456843eda1eb15ec2a9b36e"), q1_x: hex!("01143d0e9cddcdacd6a9aafe1bcf8d218c0afc45d4451239e821f5d2a56df92be942660b532b2aa59a9c635ae6b30e803c45a6ac871432452e685d661cd41cf67214"), q1_y: hex!("00ff75515df265e996d702a5380defffab1a6d2bc232234c7bcffa433cd8aa791fbc8dcf667f08818bffa739ae25773b32073213cae9a0f2a917a0b1301a242dda0c"), }, TestVector { msg: b"abc", p_x: hex!("002f89a1677b28054b50d15e1f81ed6669b5a2158211118ebdef8a6efc77f8ccaa528f698214e4340155abc1fa08f8f613ef14a043717503d57e267d57155cf784a4"), p_y: hex!("010e0be5dc8e753da8ce51091908b72396d3deed14ae166f66d8ebf0a4e7059ead169ea4bead0232e9b700dd380b316e9361cfdba55a08c73545563a80966ecbb86d"), u_0: hex!("003d00c37e95f19f358adeeaa47288ec39998039c3256e13c2a4c00a7cb61a34c8969472960150a27276f2390eb5e53e47ab193351c2d2d9f164a85c6a5696d94fe8"), u_1: hex!("01f3cbd3df3893a45a2f1fecdac4d525eb16f345b03e2820d69bc580f5cbe9cb89196fdf720ef933c4c0361fcfe29940fd0db0a5da6bafb0bee8876b589c41365f15"), q0_x: hex!("01b254e1c99c835836f0aceebba7d77750c48366ecb07fb658e4f5b76e229ae6ca5d271bb0006ffcc42324e15a6d3daae587f9049de2dbb0494378ffb60279406f56"), q0_y: hex!("01845f4af72fc2b1a5a2fe966f6a97298614288b456cfc385a425b686048b25c952fbb5674057e1eb055d04568c0679a8e2dda3158dc16ac598dbb1d006f5ad915b0"), q1_x: 
hex!("007f08e813c620e527c961b717ffc74aac7afccb9158cebc347d5715d5c2214f952c97e194f11d114d80d3481ed766ac0a3dba3eb73f6ff9ccb9304ad10bbd7b4a36"), q1_y: hex!("0022468f92041f9970a7cc025d71d5b647f822784d29ca7b3bc3b0829d6bb8581e745f8d0cc9dc6279d0450e779ac2275c4c3608064ad6779108a7828ebd9954caeb"), }, TestVector { msg: b"abcdef0123456789", p_x: hex!("006e200e276a4a81760099677814d7f8794a4a5f3658442de63c18d2244dcc957c645e94cb0754f95fcf103b2aeaf94411847c24187b89fb7462ad3679066337cbc4"), p_y: hex!("001dd8dfa9775b60b1614f6f169089d8140d4b3e4012949b52f98db2deff3e1d97bf73a1fa4d437d1dcdf39b6360cc518d8ebcc0f899018206fded7617b654f6b168"), u_0: hex!("00183ee1a9bbdc37181b09ec336bcaa34095f91ef14b66b1485c166720523dfb81d5c470d44afcb52a87b704dbc5c9bc9d0ef524dec29884a4795f55c1359945baf3"), u_1: hex!("00504064fd137f06c81a7cf0f84aa7e92b6b3d56c2368f0a08f44776aa8930480da1582d01d7f52df31dca35ee0a7876500ece3d8fe0293cd285f790c9881c998d5e"), q0_x: hex!("0021482e8622aac14da60e656043f79a6a110cbae5012268a62dd6a152c41594549f373910ebed170ade892dd5a19f5d687fae7095a461d583f8c4295f7aaf8cd7da"), q0_y: hex!("0177e2d8c6356b7de06e0b5712d8387d529b848748e54a8bc0ef5f1475aa569f8f492fa85c3ad1c5edc51faf7911f11359bfa2a12d2ef0bd73df9cb5abd1b101c8b1"), q1_x: hex!("00abeafb16fdbb5eb95095678d5a65c1f293291dfd20a3751dbe05d0a9bfe2d2eef19449fe59ec32cdd4a4adc3411177c0f2dffd0159438706159a1bbd0567d9b3d0"), q1_y: hex!("007cc657f847db9db651d91c801741060d63dab4056d0a1d3524e2eb0e819954d8f677aa353bd056244a88f00017e00c3ce8beeedb4382d83d74418bd48930c6c182"), }, TestVector { msg: b"q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq", p_x: hex!("01b264a630bd6555be537b000b99a06761a9325c53322b65bdc41bf196711f9708d58d34b3b90faf12640c27b91c70a507998e55940648caa8e71098bf2bc8d24664"), p_y: hex!("01ea9f445bee198b3ee4c812dcf7b0f91e0881f0251aab272a12201fd89b1a95733fd2a699c162b639e9acdcc54fdc2f6536129b6beb0432be01aa8da02df5e59aaa"), u_0: 
hex!("0159871e222689aad7694dc4c3480a49807b1eedd9c8cb4ae1b219d5ba51655ea5b38e2e4f56b36bf3e3da44a7b139849d28f598c816fe1bc7ed15893b22f63363c3"), u_1: hex!("004ef0cffd475152f3858c0a8ccbdf7902d8261da92744e98df9b7fadb0a5502f29c5086e76e2cf498f47321434a40b1504911552ce44ad7356a04e08729ad9411f5"), q0_x: hex!("0005eac7b0b81e38727efcab1e375f6779aea949c3e409b53a1d37aa2acbac87a7e6ad24aafbf3c52f82f7f0e21b872e88c55e17b7fa21ce08a94ea2121c42c2eb73"), q0_y: hex!("00a173b6a53a7420dbd61d4a21a7c0a52de7a5c6ce05f31403bef747d16cc8604a039a73bdd6e114340e55dacd6bea8e217ffbadfb8c292afa3e1b2afc839a6ce7bb"), q1_x: hex!("01881e3c193a69e4d88d8180a6879b74782a0bc7e529233e9f84bf7f17d2f319c36920ffba26f9e57a1e045cc7822c834c239593b6e142a694aa00c757b0db79e5e8"), q1_y: hex!("01558b16d396d866e476e001f2dd0758927655450b84e12f154032c7c2a6db837942cd9f44b814f79b4d729996ced61eec61d85c675139cbffe3fbf071d2c21cfecb"), }, TestVector { msg: b"a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", p_x: hex!("00c12bc3e28db07b6b4d2a2b1167ab9e26fc2fa85c7b0498a17b0347edf52392856d7e28b8fa7a2dd004611159505835b687ecf1a764857e27e9745848c436ef3925"), p_y: hex!("01cd287df9a50c22a9231beb452346720bb163344a41c5f5a24e8335b6ccc595fd436aea89737b1281aecb411eb835f0b939073fdd1dd4d5a2492e91ef4a3c55bcbd"), u_0: hex!("0033d06d17bc3b9a3efc081a05d65805a14a3050a0dd4dfb4884618eb5c73980a59c5a246b18f58ad022dd3630faa22889fbb8ba1593466515e6ab4aeb7381c26334"), u_1: 
hex!("0092290ab99c3fea1a5b8fb2ca49f859994a04faee3301cefab312d34227f6a2d0c3322cf76861c6a3683bdaa2dd2a6daa5d6906c663e065338b2344d20e313f1114"), q0_x: hex!("00041f6eb92af8777260718e4c22328a7d74203350c6c8f5794d99d5789766698f459b83d5068276716f01429934e40af3d1111a22780b1e07e72238d2207e5386be"), q0_y: hex!("001c712f0182813942b87cab8e72337db017126f52ed797dd234584ac9ae7e80dfe7abea11db02cf1855312eae1447dbaecc9d7e8c880a5e76a39f6258074e1bc2e0"), q1_x: hex!("0125c0b69bcf55eab49280b14f707883405028e05c927cd7625d4e04115bd0e0e6323b12f5d43d0d6d2eff16dbcf244542f84ec058911260dc3bb6512ab5db285fbd"), q1_y: hex!("008bddfb803b3f4c761458eb5f8a0aee3e1f7f68e9d7424405fa69172919899317fb6ac1d6903a432d967d14e0f80af63e7035aaae0c123e56862ce969456f99f102"), }, ]; for test_vector in TEST_VECTORS { // in parts let mut u = [FieldElement::default(), FieldElement::default()]; hash2curve::hash_to_field::, FieldElement>( &[test_vector.msg], &[DST], &mut u, ) .unwrap(); /// Assert that the provided projective point matches the given test vector. // TODO(tarcieri): use coordinate APIs. See zkcrypto/group#30 macro_rules! 
assert_point_eq { ($actual:expr, $expected_x:expr, $expected_y:expr) => { let point = $actual.to_affine().to_encoded_point(false); let (actual_x, actual_y) = match point.coordinates() { sec1::Coordinates::Uncompressed { x, y } => (x, y), _ => unreachable!(), }; assert_eq!(&$expected_x, actual_x.as_slice()); assert_eq!(&$expected_y, actual_y.as_slice()); }; } assert_eq!(u[0].to_bytes().as_slice(), test_vector.u_0); assert_eq!(u[1].to_bytes().as_slice(), test_vector.u_1); let q0 = u[0].map_to_curve(); assert_point_eq!(q0, test_vector.q0_x, test_vector.q0_y); let q1 = u[1].map_to_curve(); assert_point_eq!(q1, test_vector.q1_x, test_vector.q1_y); let p = q0.clear_cofactor() + q1.clear_cofactor(); assert_point_eq!(p, test_vector.p_x, test_vector.p_y); // complete run let pt = NistP521::hash_from_bytes::>(&[test_vector.msg], &[DST]) .unwrap(); assert_point_eq!(pt, test_vector.p_x, test_vector.p_y); } } /// Taken from . #[test] fn hash_to_scalar_voprf() { struct TestVector { dst: &'static [u8], key_info: &'static [u8], seed: &'static [u8], sk_sm: &'static [u8], } const TEST_VECTORS: &[TestVector] = &[ TestVector { dst: b"DeriveKeyPairOPRFV1-\x00-P521-SHA512", key_info: &hex!("74657374206b6579"), seed: &hex!("a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3"), sk_sm: &hex!("0153441b8faedb0340439036d6aed06d1217b34c42f17f8db4c5cc610a4a955d698a688831b16d0dc7713a1aa3611ec60703bffc7dc9c84e3ed673b3dbe1d5fccea6"), }, TestVector { dst: b"DeriveKeyPairOPRFV1-\x01-P521-SHA512", key_info: b"test key", seed: &hex!("a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3"), sk_sm: &hex!("015c7fc1b4a0b1390925bae915bd9f3d72009d44d9241b962428aad5d13f22803311e7102632a39addc61ea440810222715c9d2f61f03ea424ec9ab1fe5e31cf9238"), }, TestVector { dst: b"DeriveKeyPairOPRFV1-\x02-P521-SHA512", key_info: b"test key", seed: &hex!("a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3"), sk_sm: 
&hex!("014893130030ce69cf714f536498a02ff6b396888f9bb507985c32928c4427d6d39de10ef509aca4240e8569e3a88debc0d392e3361bcd934cb9bdd59e339dff7b27"), }, ]; 'outer: for test_vector in TEST_VECTORS { let key_info_len = u16::try_from(test_vector.key_info.len()) .unwrap() .to_be_bytes(); for counter in 0_u8..=u8::MAX { let scalar = NistP521::hash_to_scalar::>( &[ test_vector.seed, &key_info_len, test_vector.key_info, &counter.to_be_bytes(), ], &[test_vector.dst], ) .unwrap(); if !bool::from(scalar.is_zero()) { assert_eq!(scalar.to_bytes().as_slice(), test_vector.sk_sm); continue 'outer; } } panic!("deriving key failed"); } } #[test] fn from_okm_fuzz() { let mut wide_order = GenericArray::default(); wide_order[40..].copy_from_slice(NistP521::ORDER.to_be_byte_array().as_slice()); // TODO: This could be reduced to `U832` when `crypto-bigint` implements `ArrayEncoding`. let wide_order = NonZero::new(U896::from_be_byte_array(wide_order)).unwrap(); let simple_from_okm = move |data: GenericArray| -> Scalar { let mut wide_data = GenericArray::default(); wide_data[14..].copy_from_slice(data.as_slice()); let wide_data = U896::from_be_byte_array(wide_data); let scalar = wide_data % wide_order; let reduced_scalar = U576::from_be_slice(&scalar.to_be_byte_array()[40..]); Scalar::reduce(reduced_scalar) }; proptest!( ProptestConfig::with_cases(1000), |( b0 in num::u64::ANY, b1 in num::u64::ANY, b2 in num::u64::ANY, b3 in num::u64::ANY, b4 in num::u64::ANY, b5 in num::u64::ANY, b6 in num::u64::ANY, b7 in num::u64::ANY, b8 in num::u64::ANY, b9 in num::u64::ANY, b10 in num::u64::ANY, b11 in num::u64::ANY, b12 in num::u16::ANY, )| { let mut data = GenericArray::default(); data[..8].copy_from_slice(&b0.to_be_bytes()); data[8..16].copy_from_slice(&b1.to_be_bytes()); data[16..24].copy_from_slice(&b2.to_be_bytes()); data[24..32].copy_from_slice(&b3.to_be_bytes()); data[32..40].copy_from_slice(&b4.to_be_bytes()); data[40..48].copy_from_slice(&b5.to_be_bytes()); 
data[48..56].copy_from_slice(&b6.to_be_bytes()); data[56..64].copy_from_slice(&b7.to_be_bytes()); data[64..72].copy_from_slice(&b8.to_be_bytes()); data[72..80].copy_from_slice(&b9.to_be_bytes()); data[80..88].copy_from_slice(&b10.to_be_bytes()); data[88..96].copy_from_slice(&b11.to_be_bytes()); data[96..].copy_from_slice(&b12.to_be_bytes()); let from_okm = Scalar::from_okm(&data); let simple_from_okm = simple_from_okm(data); assert_eq!(from_okm, simple_from_okm); } ); } } p521-0.13.3/src/arithmetic/scalar/p521_scalar_64.rs000064400000000000000000011645611046102023000174750ustar 00000000000000#![doc = " fiat-crypto output postprocessed by fiat-constify: "] #![doc = " Autogenerated: './word_by_word_montgomery' --lang Rust --inline p521_scalar 64 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409"] #![doc = " curve description: p521_scalar"] #![doc = " machine_wordsize = 64 (from \"64\")"] #![doc = " requested operations: (all)"] #![doc = " m = 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409 (from \"0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409\")"] #![doc = ""] #![doc = " NOTE: In addition to the bounds specified above each function, all"] #![doc = " functions synthesized for this Montgomery arithmetic require the"] #![doc = " input to be strictly less than the prime modulus (m), and also"] #![doc = " require the input to be in the unique saturated representation."] #![doc = " All functions also ensure that these two properties are true of"] #![doc = " return values."] #![doc = ""] #![doc = " Computed values:"] #![doc = " eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9)"] #![doc = " bytes_eval z = z[0] + (z[1] << 8) + 
(z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208)"] #![doc = " twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) in"] #![doc = " if x1 & (2^576-1) < 2^575 then x1 & (2^576-1) else (x1 & (2^576-1)) - 2^576"] #![allow(unused_parens)] #![allow(non_camel_case_types)] #![allow( clippy::identity_op, clippy::unnecessary_cast, dead_code, rustdoc::broken_intra_doc_links, unused_assignments, unused_mut, unused_variables )] pub type fiat_p521_scalar_u1 = u8; pub type fiat_p521_scalar_i1 = i8; pub type fiat_p521_scalar_u2 = u8; pub type fiat_p521_scalar_i2 = i8; pub type fiat_p521_scalar_montgomery_domain_field_element = [u64; 9]; pub type fiat_p521_scalar_non_montgomery_domain_field_element = [u64; 9]; #[doc = " The function fiat_p521_scalar_addcarryx_u64 is an addition with carry."] #[doc = ""] 
#[doc = " Postconditions:"]
#[doc = " out1 = (arg1 + arg2 + arg3) mod 2^64"]
#[doc = " out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " out2: [0x0 ~> 0x1]"]
#[inline]
pub const fn fiat_p521_scalar_addcarryx_u64(
    arg1: fiat_p521_scalar_u1,
    arg2: u64,
    arg3: u64,
) -> (u64, fiat_p521_scalar_u1) {
    let mut out1: u64 = 0;
    let mut out2: fiat_p521_scalar_u1 = 0;
    // Widened to u128 so carry-in plus two 64-bit operands cannot overflow.
    let x1: u128 = (((arg1 as u128) + (arg2 as u128)) + (arg3 as u128));
    // Low 64 bits are the sum word, bit 64 is the carry-out.
    let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64);
    let x3: fiat_p521_scalar_u1 = ((x1 >> 64) as fiat_p521_scalar_u1);
    out1 = x2;
    out2 = x3;
    (out1, out2)
}

// Review annotation: per the file header this code is fiat-crypto output
// postprocessed by fiat-constify. The `//` comments in these primitives are
// reading aids only; behaviour changes belong in a regeneration, not in a
// hand edit of the generated statements.

#[doc = " The function fiat_p521_scalar_subborrowx_u64 is a subtraction with borrow."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (-arg1 + arg2 + -arg3) mod 2^64"]
#[doc = " out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " out2: [0x0 ~> 0x1]"]
#[inline]
pub const fn fiat_p521_scalar_subborrowx_u64(
    arg1: fiat_p521_scalar_u1,
    arg2: u64,
    arg3: u64,
) -> (u64, fiat_p521_scalar_u1) {
    let mut out1: u64 = 0;
    let mut out2: fiat_p521_scalar_u1 = 0;
    // Signed 128-bit difference: negative exactly when a borrow is needed.
    let x1: i128 = (((arg2 as i128) - (arg1 as i128)) - (arg3 as i128));
    // Shifting the signed value right by 64 leaves 0 or -1
    // (fiat_p521_scalar_i1 is an alias for i8).
    let x2: fiat_p521_scalar_i1 = ((x1 >> 64) as fiat_p521_scalar_i1);
    let x3: u64 = ((x1 & (0xffffffffffffffff as i128)) as u64);
    out1 = x3;
    // 0 - x2 maps {0, -1} to the borrow flag {0, 1}.
    out2 = (((0x0 as fiat_p521_scalar_i2) - (x2 as fiat_p521_scalar_i2)) as fiat_p521_scalar_u1);
    (out1, out2)
}

#[doc = " The function fiat_p521_scalar_mulx_u64 is a multiplication, returning the full double-width result."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (arg1 * arg2) mod 2^64"]
#[doc = " out2 = ⌊arg1 * arg2 / 2^64⌋"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " out2: [0x0 ~> 0xffffffffffffffff]"]
#[inline]
pub const fn fiat_p521_scalar_mulx_u64(arg1: u64, arg2: u64) -> (u64, u64) {
    let mut out1: u64 = 0;
    let mut out2: u64 = 0;
    // 64 x 64 -> 128-bit product, then split into low and high words.
    let x1: u128 = ((arg1 as u128) * (arg2 as u128));
    let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64);
    let x3: u64 = ((x1 >> 64) as u64);
    out1 = x2;
    out2 = x3;
    (out1, out2)
}

#[doc = " The function fiat_p521_scalar_cmovznz_u64 is a single-word conditional move."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"]
#[inline]
pub const fn fiat_p521_scalar_cmovznz_u64(arg1: fiat_p521_scalar_u1, arg2: u64, arg3: u64) -> u64 {
    let mut out1: u64 = 0;
    // `!` on the u8-backed u1 is bitwise, so `!(!arg1)` is arg1 again.
    let x1: fiat_p521_scalar_u1 = (!(!arg1));
    // 0 - x1, sign-extended: all-ones when arg1 == 1, zero when arg1 == 0.
    // An arg1 outside the documented [0x0 ~> 0x1] bound is not guaranteed to
    // give a clean mask, in which case x3 would blend bits of arg2 and arg3.
    let x2: u64 = ((((((0x0 as fiat_p521_scalar_i2) - (x1 as fiat_p521_scalar_i2)) as fiat_p521_scalar_i1) as i128) & (0xffffffffffffffff as i128)) as u64);
    // Mask select: arg3 where the mask is set, arg2 elsewhere.
    let x3: u64 = ((x2 & arg3) | ((!x2) & arg2));
    // NOTE(review): the source selects by mask and has no branch on arg1,
    // which is the property callers handling secret values need. What the
    // compiler emits for it is not guaranteed by anything visible here.
    out1 = x3;
    out1
}

#[doc = " The function fiat_p521_scalar_mul multiplies two field elements in the Montgomery domain."]
#[doc = ""]
#[doc = " Preconditions:"]
#[doc = " 0 ≤ eval arg1 < m"]
#[doc = " 0 ≤ eval arg2 < m"]
#[doc = " Postconditions:"]
#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m"]
#[doc = " 0 ≤ eval out1 < m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_scalar_mul(
    arg1: &fiat_p521_scalar_montgomery_domain_field_element,
    arg2: &fiat_p521_scalar_montgomery_domain_field_element,
) ->
fiat_p521_scalar_montgomery_domain_field_element { let mut out1: fiat_p521_scalar_montgomery_domain_field_element = [0; 9]; let x1: u64 = (arg1[1]); let x2: u64 = (arg1[2]); let x3: u64 = (arg1[3]); let x4: u64 = (arg1[4]); let x5: u64 = (arg1[5]); let x6: u64 = (arg1[6]); let x7: u64 = (arg1[7]); let x8: u64 = (arg1[8]); let x9: u64 = (arg1[0]); let mut x10: u64 = 0; let mut x11: u64 = 0; let (x10, x11) = fiat_p521_scalar_mulx_u64(x9, (arg2[8])); let mut x12: u64 = 0; let mut x13: u64 = 0; let (x12, x13) = fiat_p521_scalar_mulx_u64(x9, (arg2[7])); let mut x14: u64 = 0; let mut x15: u64 = 0; let (x14, x15) = fiat_p521_scalar_mulx_u64(x9, (arg2[6])); let mut x16: u64 = 0; let mut x17: u64 = 0; let (x16, x17) = fiat_p521_scalar_mulx_u64(x9, (arg2[5])); let mut x18: u64 = 0; let mut x19: u64 = 0; let (x18, x19) = fiat_p521_scalar_mulx_u64(x9, (arg2[4])); let mut x20: u64 = 0; let mut x21: u64 = 0; let (x20, x21) = fiat_p521_scalar_mulx_u64(x9, (arg2[3])); let mut x22: u64 = 0; let mut x23: u64 = 0; let (x22, x23) = fiat_p521_scalar_mulx_u64(x9, (arg2[2])); let mut x24: u64 = 0; let mut x25: u64 = 0; let (x24, x25) = fiat_p521_scalar_mulx_u64(x9, (arg2[1])); let mut x26: u64 = 0; let mut x27: u64 = 0; let (x26, x27) = fiat_p521_scalar_mulx_u64(x9, (arg2[0])); let mut x28: u64 = 0; let mut x29: fiat_p521_scalar_u1 = 0; let (x28, x29) = fiat_p521_scalar_addcarryx_u64(0x0, x27, x24); let mut x30: u64 = 0; let mut x31: fiat_p521_scalar_u1 = 0; let (x30, x31) = fiat_p521_scalar_addcarryx_u64(x29, x25, x22); let mut x32: u64 = 0; let mut x33: fiat_p521_scalar_u1 = 0; let (x32, x33) = fiat_p521_scalar_addcarryx_u64(x31, x23, x20); let mut x34: u64 = 0; let mut x35: fiat_p521_scalar_u1 = 0; let (x34, x35) = fiat_p521_scalar_addcarryx_u64(x33, x21, x18); let mut x36: u64 = 0; let mut x37: fiat_p521_scalar_u1 = 0; let (x36, x37) = fiat_p521_scalar_addcarryx_u64(x35, x19, x16); let mut x38: u64 = 0; let mut x39: fiat_p521_scalar_u1 = 0; let (x38, x39) = 
fiat_p521_scalar_addcarryx_u64(x37, x17, x14); let mut x40: u64 = 0; let mut x41: fiat_p521_scalar_u1 = 0; let (x40, x41) = fiat_p521_scalar_addcarryx_u64(x39, x15, x12); let mut x42: u64 = 0; let mut x43: fiat_p521_scalar_u1 = 0; let (x42, x43) = fiat_p521_scalar_addcarryx_u64(x41, x13, x10); let x44: u64 = ((x43 as u64) + x11); let mut x45: u64 = 0; let mut x46: u64 = 0; let (x45, x46) = fiat_p521_scalar_mulx_u64(x26, 0x1d2f5ccd79a995c7); let mut x47: u64 = 0; let mut x48: u64 = 0; let (x47, x48) = fiat_p521_scalar_mulx_u64(x45, 0x1ff); let mut x49: u64 = 0; let mut x50: u64 = 0; let (x49, x50) = fiat_p521_scalar_mulx_u64(x45, 0xffffffffffffffff); let mut x51: u64 = 0; let mut x52: u64 = 0; let (x51, x52) = fiat_p521_scalar_mulx_u64(x45, 0xffffffffffffffff); let mut x53: u64 = 0; let mut x54: u64 = 0; let (x53, x54) = fiat_p521_scalar_mulx_u64(x45, 0xffffffffffffffff); let mut x55: u64 = 0; let mut x56: u64 = 0; let (x55, x56) = fiat_p521_scalar_mulx_u64(x45, 0xfffffffffffffffa); let mut x57: u64 = 0; let mut x58: u64 = 0; let (x57, x58) = fiat_p521_scalar_mulx_u64(x45, 0x51868783bf2f966b); let mut x59: u64 = 0; let mut x60: u64 = 0; let (x59, x60) = fiat_p521_scalar_mulx_u64(x45, 0x7fcc0148f709a5d0); let mut x61: u64 = 0; let mut x62: u64 = 0; let (x61, x62) = fiat_p521_scalar_mulx_u64(x45, 0x3bb5c9b8899c47ae); let mut x63: u64 = 0; let mut x64: u64 = 0; let (x63, x64) = fiat_p521_scalar_mulx_u64(x45, 0xbb6fb71e91386409); let mut x65: u64 = 0; let mut x66: fiat_p521_scalar_u1 = 0; let (x65, x66) = fiat_p521_scalar_addcarryx_u64(0x0, x64, x61); let mut x67: u64 = 0; let mut x68: fiat_p521_scalar_u1 = 0; let (x67, x68) = fiat_p521_scalar_addcarryx_u64(x66, x62, x59); let mut x69: u64 = 0; let mut x70: fiat_p521_scalar_u1 = 0; let (x69, x70) = fiat_p521_scalar_addcarryx_u64(x68, x60, x57); let mut x71: u64 = 0; let mut x72: fiat_p521_scalar_u1 = 0; let (x71, x72) = fiat_p521_scalar_addcarryx_u64(x70, x58, x55); let mut x73: u64 = 0; let mut x74: fiat_p521_scalar_u1 
= 0; let (x73, x74) = fiat_p521_scalar_addcarryx_u64(x72, x56, x53); let mut x75: u64 = 0; let mut x76: fiat_p521_scalar_u1 = 0; let (x75, x76) = fiat_p521_scalar_addcarryx_u64(x74, x54, x51); let mut x77: u64 = 0; let mut x78: fiat_p521_scalar_u1 = 0; let (x77, x78) = fiat_p521_scalar_addcarryx_u64(x76, x52, x49); let mut x79: u64 = 0; let mut x80: fiat_p521_scalar_u1 = 0; let (x79, x80) = fiat_p521_scalar_addcarryx_u64(x78, x50, x47); let x81: u64 = ((x80 as u64) + x48); let mut x82: u64 = 0; let mut x83: fiat_p521_scalar_u1 = 0; let (x82, x83) = fiat_p521_scalar_addcarryx_u64(0x0, x26, x63); let mut x84: u64 = 0; let mut x85: fiat_p521_scalar_u1 = 0; let (x84, x85) = fiat_p521_scalar_addcarryx_u64(x83, x28, x65); let mut x86: u64 = 0; let mut x87: fiat_p521_scalar_u1 = 0; let (x86, x87) = fiat_p521_scalar_addcarryx_u64(x85, x30, x67); let mut x88: u64 = 0; let mut x89: fiat_p521_scalar_u1 = 0; let (x88, x89) = fiat_p521_scalar_addcarryx_u64(x87, x32, x69); let mut x90: u64 = 0; let mut x91: fiat_p521_scalar_u1 = 0; let (x90, x91) = fiat_p521_scalar_addcarryx_u64(x89, x34, x71); let mut x92: u64 = 0; let mut x93: fiat_p521_scalar_u1 = 0; let (x92, x93) = fiat_p521_scalar_addcarryx_u64(x91, x36, x73); let mut x94: u64 = 0; let mut x95: fiat_p521_scalar_u1 = 0; let (x94, x95) = fiat_p521_scalar_addcarryx_u64(x93, x38, x75); let mut x96: u64 = 0; let mut x97: fiat_p521_scalar_u1 = 0; let (x96, x97) = fiat_p521_scalar_addcarryx_u64(x95, x40, x77); let mut x98: u64 = 0; let mut x99: fiat_p521_scalar_u1 = 0; let (x98, x99) = fiat_p521_scalar_addcarryx_u64(x97, x42, x79); let mut x100: u64 = 0; let mut x101: fiat_p521_scalar_u1 = 0; let (x100, x101) = fiat_p521_scalar_addcarryx_u64(x99, x44, x81); let mut x102: u64 = 0; let mut x103: u64 = 0; let (x102, x103) = fiat_p521_scalar_mulx_u64(x1, (arg2[8])); let mut x104: u64 = 0; let mut x105: u64 = 0; let (x104, x105) = fiat_p521_scalar_mulx_u64(x1, (arg2[7])); let mut x106: u64 = 0; let mut x107: u64 = 0; let (x106, x107) 
= fiat_p521_scalar_mulx_u64(x1, (arg2[6])); let mut x108: u64 = 0; let mut x109: u64 = 0; let (x108, x109) = fiat_p521_scalar_mulx_u64(x1, (arg2[5])); let mut x110: u64 = 0; let mut x111: u64 = 0; let (x110, x111) = fiat_p521_scalar_mulx_u64(x1, (arg2[4])); let mut x112: u64 = 0; let mut x113: u64 = 0; let (x112, x113) = fiat_p521_scalar_mulx_u64(x1, (arg2[3])); let mut x114: u64 = 0; let mut x115: u64 = 0; let (x114, x115) = fiat_p521_scalar_mulx_u64(x1, (arg2[2])); let mut x116: u64 = 0; let mut x117: u64 = 0; let (x116, x117) = fiat_p521_scalar_mulx_u64(x1, (arg2[1])); let mut x118: u64 = 0; let mut x119: u64 = 0; let (x118, x119) = fiat_p521_scalar_mulx_u64(x1, (arg2[0])); let mut x120: u64 = 0; let mut x121: fiat_p521_scalar_u1 = 0; let (x120, x121) = fiat_p521_scalar_addcarryx_u64(0x0, x119, x116); let mut x122: u64 = 0; let mut x123: fiat_p521_scalar_u1 = 0; let (x122, x123) = fiat_p521_scalar_addcarryx_u64(x121, x117, x114); let mut x124: u64 = 0; let mut x125: fiat_p521_scalar_u1 = 0; let (x124, x125) = fiat_p521_scalar_addcarryx_u64(x123, x115, x112); let mut x126: u64 = 0; let mut x127: fiat_p521_scalar_u1 = 0; let (x126, x127) = fiat_p521_scalar_addcarryx_u64(x125, x113, x110); let mut x128: u64 = 0; let mut x129: fiat_p521_scalar_u1 = 0; let (x128, x129) = fiat_p521_scalar_addcarryx_u64(x127, x111, x108); let mut x130: u64 = 0; let mut x131: fiat_p521_scalar_u1 = 0; let (x130, x131) = fiat_p521_scalar_addcarryx_u64(x129, x109, x106); let mut x132: u64 = 0; let mut x133: fiat_p521_scalar_u1 = 0; let (x132, x133) = fiat_p521_scalar_addcarryx_u64(x131, x107, x104); let mut x134: u64 = 0; let mut x135: fiat_p521_scalar_u1 = 0; let (x134, x135) = fiat_p521_scalar_addcarryx_u64(x133, x105, x102); let x136: u64 = ((x135 as u64) + x103); let mut x137: u64 = 0; let mut x138: fiat_p521_scalar_u1 = 0; let (x137, x138) = fiat_p521_scalar_addcarryx_u64(0x0, x84, x118); let mut x139: u64 = 0; let mut x140: fiat_p521_scalar_u1 = 0; let (x139, x140) = 
fiat_p521_scalar_addcarryx_u64(x138, x86, x120); let mut x141: u64 = 0; let mut x142: fiat_p521_scalar_u1 = 0; let (x141, x142) = fiat_p521_scalar_addcarryx_u64(x140, x88, x122); let mut x143: u64 = 0; let mut x144: fiat_p521_scalar_u1 = 0; let (x143, x144) = fiat_p521_scalar_addcarryx_u64(x142, x90, x124); let mut x145: u64 = 0; let mut x146: fiat_p521_scalar_u1 = 0; let (x145, x146) = fiat_p521_scalar_addcarryx_u64(x144, x92, x126); let mut x147: u64 = 0; let mut x148: fiat_p521_scalar_u1 = 0; let (x147, x148) = fiat_p521_scalar_addcarryx_u64(x146, x94, x128); let mut x149: u64 = 0; let mut x150: fiat_p521_scalar_u1 = 0; let (x149, x150) = fiat_p521_scalar_addcarryx_u64(x148, x96, x130); let mut x151: u64 = 0; let mut x152: fiat_p521_scalar_u1 = 0; let (x151, x152) = fiat_p521_scalar_addcarryx_u64(x150, x98, x132); let mut x153: u64 = 0; let mut x154: fiat_p521_scalar_u1 = 0; let (x153, x154) = fiat_p521_scalar_addcarryx_u64(x152, x100, x134); let mut x155: u64 = 0; let mut x156: fiat_p521_scalar_u1 = 0; let (x155, x156) = fiat_p521_scalar_addcarryx_u64(x154, (x101 as u64), x136); let mut x157: u64 = 0; let mut x158: u64 = 0; let (x157, x158) = fiat_p521_scalar_mulx_u64(x137, 0x1d2f5ccd79a995c7); let mut x159: u64 = 0; let mut x160: u64 = 0; let (x159, x160) = fiat_p521_scalar_mulx_u64(x157, 0x1ff); let mut x161: u64 = 0; let mut x162: u64 = 0; let (x161, x162) = fiat_p521_scalar_mulx_u64(x157, 0xffffffffffffffff); let mut x163: u64 = 0; let mut x164: u64 = 0; let (x163, x164) = fiat_p521_scalar_mulx_u64(x157, 0xffffffffffffffff); let mut x165: u64 = 0; let mut x166: u64 = 0; let (x165, x166) = fiat_p521_scalar_mulx_u64(x157, 0xffffffffffffffff); let mut x167: u64 = 0; let mut x168: u64 = 0; let (x167, x168) = fiat_p521_scalar_mulx_u64(x157, 0xfffffffffffffffa); let mut x169: u64 = 0; let mut x170: u64 = 0; let (x169, x170) = fiat_p521_scalar_mulx_u64(x157, 0x51868783bf2f966b); let mut x171: u64 = 0; let mut x172: u64 = 0; let (x171, x172) = 
fiat_p521_scalar_mulx_u64(x157, 0x7fcc0148f709a5d0); let mut x173: u64 = 0; let mut x174: u64 = 0; let (x173, x174) = fiat_p521_scalar_mulx_u64(x157, 0x3bb5c9b8899c47ae); let mut x175: u64 = 0; let mut x176: u64 = 0; let (x175, x176) = fiat_p521_scalar_mulx_u64(x157, 0xbb6fb71e91386409); let mut x177: u64 = 0; let mut x178: fiat_p521_scalar_u1 = 0; let (x177, x178) = fiat_p521_scalar_addcarryx_u64(0x0, x176, x173); let mut x179: u64 = 0; let mut x180: fiat_p521_scalar_u1 = 0; let (x179, x180) = fiat_p521_scalar_addcarryx_u64(x178, x174, x171); let mut x181: u64 = 0; let mut x182: fiat_p521_scalar_u1 = 0; let (x181, x182) = fiat_p521_scalar_addcarryx_u64(x180, x172, x169); let mut x183: u64 = 0; let mut x184: fiat_p521_scalar_u1 = 0; let (x183, x184) = fiat_p521_scalar_addcarryx_u64(x182, x170, x167); let mut x185: u64 = 0; let mut x186: fiat_p521_scalar_u1 = 0; let (x185, x186) = fiat_p521_scalar_addcarryx_u64(x184, x168, x165); let mut x187: u64 = 0; let mut x188: fiat_p521_scalar_u1 = 0; let (x187, x188) = fiat_p521_scalar_addcarryx_u64(x186, x166, x163); let mut x189: u64 = 0; let mut x190: fiat_p521_scalar_u1 = 0; let (x189, x190) = fiat_p521_scalar_addcarryx_u64(x188, x164, x161); let mut x191: u64 = 0; let mut x192: fiat_p521_scalar_u1 = 0; let (x191, x192) = fiat_p521_scalar_addcarryx_u64(x190, x162, x159); let x193: u64 = ((x192 as u64) + x160); let mut x194: u64 = 0; let mut x195: fiat_p521_scalar_u1 = 0; let (x194, x195) = fiat_p521_scalar_addcarryx_u64(0x0, x137, x175); let mut x196: u64 = 0; let mut x197: fiat_p521_scalar_u1 = 0; let (x196, x197) = fiat_p521_scalar_addcarryx_u64(x195, x139, x177); let mut x198: u64 = 0; let mut x199: fiat_p521_scalar_u1 = 0; let (x198, x199) = fiat_p521_scalar_addcarryx_u64(x197, x141, x179); let mut x200: u64 = 0; let mut x201: fiat_p521_scalar_u1 = 0; let (x200, x201) = fiat_p521_scalar_addcarryx_u64(x199, x143, x181); let mut x202: u64 = 0; let mut x203: fiat_p521_scalar_u1 = 0; let (x202, x203) = 
fiat_p521_scalar_addcarryx_u64(x201, x145, x183); let mut x204: u64 = 0; let mut x205: fiat_p521_scalar_u1 = 0; let (x204, x205) = fiat_p521_scalar_addcarryx_u64(x203, x147, x185); let mut x206: u64 = 0; let mut x207: fiat_p521_scalar_u1 = 0; let (x206, x207) = fiat_p521_scalar_addcarryx_u64(x205, x149, x187); let mut x208: u64 = 0; let mut x209: fiat_p521_scalar_u1 = 0; let (x208, x209) = fiat_p521_scalar_addcarryx_u64(x207, x151, x189); let mut x210: u64 = 0; let mut x211: fiat_p521_scalar_u1 = 0; let (x210, x211) = fiat_p521_scalar_addcarryx_u64(x209, x153, x191); let mut x212: u64 = 0; let mut x213: fiat_p521_scalar_u1 = 0; let (x212, x213) = fiat_p521_scalar_addcarryx_u64(x211, x155, x193); let x214: u64 = ((x213 as u64) + (x156 as u64)); let mut x215: u64 = 0; let mut x216: u64 = 0; let (x215, x216) = fiat_p521_scalar_mulx_u64(x2, (arg2[8])); let mut x217: u64 = 0; let mut x218: u64 = 0; let (x217, x218) = fiat_p521_scalar_mulx_u64(x2, (arg2[7])); let mut x219: u64 = 0; let mut x220: u64 = 0; let (x219, x220) = fiat_p521_scalar_mulx_u64(x2, (arg2[6])); let mut x221: u64 = 0; let mut x222: u64 = 0; let (x221, x222) = fiat_p521_scalar_mulx_u64(x2, (arg2[5])); let mut x223: u64 = 0; let mut x224: u64 = 0; let (x223, x224) = fiat_p521_scalar_mulx_u64(x2, (arg2[4])); let mut x225: u64 = 0; let mut x226: u64 = 0; let (x225, x226) = fiat_p521_scalar_mulx_u64(x2, (arg2[3])); let mut x227: u64 = 0; let mut x228: u64 = 0; let (x227, x228) = fiat_p521_scalar_mulx_u64(x2, (arg2[2])); let mut x229: u64 = 0; let mut x230: u64 = 0; let (x229, x230) = fiat_p521_scalar_mulx_u64(x2, (arg2[1])); let mut x231: u64 = 0; let mut x232: u64 = 0; let (x231, x232) = fiat_p521_scalar_mulx_u64(x2, (arg2[0])); let mut x233: u64 = 0; let mut x234: fiat_p521_scalar_u1 = 0; let (x233, x234) = fiat_p521_scalar_addcarryx_u64(0x0, x232, x229); let mut x235: u64 = 0; let mut x236: fiat_p521_scalar_u1 = 0; let (x235, x236) = fiat_p521_scalar_addcarryx_u64(x234, x230, x227); let mut x237: u64 = 
0; let mut x238: fiat_p521_scalar_u1 = 0; let (x237, x238) = fiat_p521_scalar_addcarryx_u64(x236, x228, x225); let mut x239: u64 = 0; let mut x240: fiat_p521_scalar_u1 = 0; let (x239, x240) = fiat_p521_scalar_addcarryx_u64(x238, x226, x223); let mut x241: u64 = 0; let mut x242: fiat_p521_scalar_u1 = 0; let (x241, x242) = fiat_p521_scalar_addcarryx_u64(x240, x224, x221); let mut x243: u64 = 0; let mut x244: fiat_p521_scalar_u1 = 0; let (x243, x244) = fiat_p521_scalar_addcarryx_u64(x242, x222, x219); let mut x245: u64 = 0; let mut x246: fiat_p521_scalar_u1 = 0; let (x245, x246) = fiat_p521_scalar_addcarryx_u64(x244, x220, x217); let mut x247: u64 = 0; let mut x248: fiat_p521_scalar_u1 = 0; let (x247, x248) = fiat_p521_scalar_addcarryx_u64(x246, x218, x215); let x249: u64 = ((x248 as u64) + x216); let mut x250: u64 = 0; let mut x251: fiat_p521_scalar_u1 = 0; let (x250, x251) = fiat_p521_scalar_addcarryx_u64(0x0, x196, x231); let mut x252: u64 = 0; let mut x253: fiat_p521_scalar_u1 = 0; let (x252, x253) = fiat_p521_scalar_addcarryx_u64(x251, x198, x233); let mut x254: u64 = 0; let mut x255: fiat_p521_scalar_u1 = 0; let (x254, x255) = fiat_p521_scalar_addcarryx_u64(x253, x200, x235); let mut x256: u64 = 0; let mut x257: fiat_p521_scalar_u1 = 0; let (x256, x257) = fiat_p521_scalar_addcarryx_u64(x255, x202, x237); let mut x258: u64 = 0; let mut x259: fiat_p521_scalar_u1 = 0; let (x258, x259) = fiat_p521_scalar_addcarryx_u64(x257, x204, x239); let mut x260: u64 = 0; let mut x261: fiat_p521_scalar_u1 = 0; let (x260, x261) = fiat_p521_scalar_addcarryx_u64(x259, x206, x241); let mut x262: u64 = 0; let mut x263: fiat_p521_scalar_u1 = 0; let (x262, x263) = fiat_p521_scalar_addcarryx_u64(x261, x208, x243); let mut x264: u64 = 0; let mut x265: fiat_p521_scalar_u1 = 0; let (x264, x265) = fiat_p521_scalar_addcarryx_u64(x263, x210, x245); let mut x266: u64 = 0; let mut x267: fiat_p521_scalar_u1 = 0; let (x266, x267) = fiat_p521_scalar_addcarryx_u64(x265, x212, x247); let mut x268: 
u64 = 0; let mut x269: fiat_p521_scalar_u1 = 0; let (x268, x269) = fiat_p521_scalar_addcarryx_u64(x267, x214, x249); let mut x270: u64 = 0; let mut x271: u64 = 0; let (x270, x271) = fiat_p521_scalar_mulx_u64(x250, 0x1d2f5ccd79a995c7); let mut x272: u64 = 0; let mut x273: u64 = 0; let (x272, x273) = fiat_p521_scalar_mulx_u64(x270, 0x1ff); let mut x274: u64 = 0; let mut x275: u64 = 0; let (x274, x275) = fiat_p521_scalar_mulx_u64(x270, 0xffffffffffffffff); let mut x276: u64 = 0; let mut x277: u64 = 0; let (x276, x277) = fiat_p521_scalar_mulx_u64(x270, 0xffffffffffffffff); let mut x278: u64 = 0; let mut x279: u64 = 0; let (x278, x279) = fiat_p521_scalar_mulx_u64(x270, 0xffffffffffffffff); let mut x280: u64 = 0; let mut x281: u64 = 0; let (x280, x281) = fiat_p521_scalar_mulx_u64(x270, 0xfffffffffffffffa); let mut x282: u64 = 0; let mut x283: u64 = 0; let (x282, x283) = fiat_p521_scalar_mulx_u64(x270, 0x51868783bf2f966b); let mut x284: u64 = 0; let mut x285: u64 = 0; let (x284, x285) = fiat_p521_scalar_mulx_u64(x270, 0x7fcc0148f709a5d0); let mut x286: u64 = 0; let mut x287: u64 = 0; let (x286, x287) = fiat_p521_scalar_mulx_u64(x270, 0x3bb5c9b8899c47ae); let mut x288: u64 = 0; let mut x289: u64 = 0; let (x288, x289) = fiat_p521_scalar_mulx_u64(x270, 0xbb6fb71e91386409); let mut x290: u64 = 0; let mut x291: fiat_p521_scalar_u1 = 0; let (x290, x291) = fiat_p521_scalar_addcarryx_u64(0x0, x289, x286); let mut x292: u64 = 0; let mut x293: fiat_p521_scalar_u1 = 0; let (x292, x293) = fiat_p521_scalar_addcarryx_u64(x291, x287, x284); let mut x294: u64 = 0; let mut x295: fiat_p521_scalar_u1 = 0; let (x294, x295) = fiat_p521_scalar_addcarryx_u64(x293, x285, x282); let mut x296: u64 = 0; let mut x297: fiat_p521_scalar_u1 = 0; let (x296, x297) = fiat_p521_scalar_addcarryx_u64(x295, x283, x280); let mut x298: u64 = 0; let mut x299: fiat_p521_scalar_u1 = 0; let (x298, x299) = fiat_p521_scalar_addcarryx_u64(x297, x281, x278); let mut x300: u64 = 0; let mut x301: fiat_p521_scalar_u1 = 0; 
let (x300, x301) = fiat_p521_scalar_addcarryx_u64(x299, x279, x276); let mut x302: u64 = 0; let mut x303: fiat_p521_scalar_u1 = 0; let (x302, x303) = fiat_p521_scalar_addcarryx_u64(x301, x277, x274); let mut x304: u64 = 0; let mut x305: fiat_p521_scalar_u1 = 0; let (x304, x305) = fiat_p521_scalar_addcarryx_u64(x303, x275, x272); let x306: u64 = ((x305 as u64) + x273); let mut x307: u64 = 0; let mut x308: fiat_p521_scalar_u1 = 0; let (x307, x308) = fiat_p521_scalar_addcarryx_u64(0x0, x250, x288); let mut x309: u64 = 0; let mut x310: fiat_p521_scalar_u1 = 0; let (x309, x310) = fiat_p521_scalar_addcarryx_u64(x308, x252, x290); let mut x311: u64 = 0; let mut x312: fiat_p521_scalar_u1 = 0; let (x311, x312) = fiat_p521_scalar_addcarryx_u64(x310, x254, x292); let mut x313: u64 = 0; let mut x314: fiat_p521_scalar_u1 = 0; let (x313, x314) = fiat_p521_scalar_addcarryx_u64(x312, x256, x294); let mut x315: u64 = 0; let mut x316: fiat_p521_scalar_u1 = 0; let (x315, x316) = fiat_p521_scalar_addcarryx_u64(x314, x258, x296); let mut x317: u64 = 0; let mut x318: fiat_p521_scalar_u1 = 0; let (x317, x318) = fiat_p521_scalar_addcarryx_u64(x316, x260, x298); let mut x319: u64 = 0; let mut x320: fiat_p521_scalar_u1 = 0; let (x319, x320) = fiat_p521_scalar_addcarryx_u64(x318, x262, x300); let mut x321: u64 = 0; let mut x322: fiat_p521_scalar_u1 = 0; let (x321, x322) = fiat_p521_scalar_addcarryx_u64(x320, x264, x302); let mut x323: u64 = 0; let mut x324: fiat_p521_scalar_u1 = 0; let (x323, x324) = fiat_p521_scalar_addcarryx_u64(x322, x266, x304); let mut x325: u64 = 0; let mut x326: fiat_p521_scalar_u1 = 0; let (x325, x326) = fiat_p521_scalar_addcarryx_u64(x324, x268, x306); let x327: u64 = ((x326 as u64) + (x269 as u64)); let mut x328: u64 = 0; let mut x329: u64 = 0; let (x328, x329) = fiat_p521_scalar_mulx_u64(x3, (arg2[8])); let mut x330: u64 = 0; let mut x331: u64 = 0; let (x330, x331) = fiat_p521_scalar_mulx_u64(x3, (arg2[7])); let mut x332: u64 = 0; let mut x333: u64 = 0; let (x332, 
x333) = fiat_p521_scalar_mulx_u64(x3, (arg2[6])); let mut x334: u64 = 0; let mut x335: u64 = 0; let (x334, x335) = fiat_p521_scalar_mulx_u64(x3, (arg2[5])); let mut x336: u64 = 0; let mut x337: u64 = 0; let (x336, x337) = fiat_p521_scalar_mulx_u64(x3, (arg2[4])); let mut x338: u64 = 0; let mut x339: u64 = 0; let (x338, x339) = fiat_p521_scalar_mulx_u64(x3, (arg2[3])); let mut x340: u64 = 0; let mut x341: u64 = 0; let (x340, x341) = fiat_p521_scalar_mulx_u64(x3, (arg2[2])); let mut x342: u64 = 0; let mut x343: u64 = 0; let (x342, x343) = fiat_p521_scalar_mulx_u64(x3, (arg2[1])); let mut x344: u64 = 0; let mut x345: u64 = 0; let (x344, x345) = fiat_p521_scalar_mulx_u64(x3, (arg2[0])); let mut x346: u64 = 0; let mut x347: fiat_p521_scalar_u1 = 0; let (x346, x347) = fiat_p521_scalar_addcarryx_u64(0x0, x345, x342); let mut x348: u64 = 0; let mut x349: fiat_p521_scalar_u1 = 0; let (x348, x349) = fiat_p521_scalar_addcarryx_u64(x347, x343, x340); let mut x350: u64 = 0; let mut x351: fiat_p521_scalar_u1 = 0; let (x350, x351) = fiat_p521_scalar_addcarryx_u64(x349, x341, x338); let mut x352: u64 = 0; let mut x353: fiat_p521_scalar_u1 = 0; let (x352, x353) = fiat_p521_scalar_addcarryx_u64(x351, x339, x336); let mut x354: u64 = 0; let mut x355: fiat_p521_scalar_u1 = 0; let (x354, x355) = fiat_p521_scalar_addcarryx_u64(x353, x337, x334); let mut x356: u64 = 0; let mut x357: fiat_p521_scalar_u1 = 0; let (x356, x357) = fiat_p521_scalar_addcarryx_u64(x355, x335, x332); let mut x358: u64 = 0; let mut x359: fiat_p521_scalar_u1 = 0; let (x358, x359) = fiat_p521_scalar_addcarryx_u64(x357, x333, x330); let mut x360: u64 = 0; let mut x361: fiat_p521_scalar_u1 = 0; let (x360, x361) = fiat_p521_scalar_addcarryx_u64(x359, x331, x328); let x362: u64 = ((x361 as u64) + x329); let mut x363: u64 = 0; let mut x364: fiat_p521_scalar_u1 = 0; let (x363, x364) = fiat_p521_scalar_addcarryx_u64(0x0, x309, x344); let mut x365: u64 = 0; let mut x366: fiat_p521_scalar_u1 = 0; let (x365, x366) = 
fiat_p521_scalar_addcarryx_u64(x364, x311, x346); let mut x367: u64 = 0; let mut x368: fiat_p521_scalar_u1 = 0; let (x367, x368) = fiat_p521_scalar_addcarryx_u64(x366, x313, x348); let mut x369: u64 = 0; let mut x370: fiat_p521_scalar_u1 = 0; let (x369, x370) = fiat_p521_scalar_addcarryx_u64(x368, x315, x350); let mut x371: u64 = 0; let mut x372: fiat_p521_scalar_u1 = 0; let (x371, x372) = fiat_p521_scalar_addcarryx_u64(x370, x317, x352); let mut x373: u64 = 0; let mut x374: fiat_p521_scalar_u1 = 0; let (x373, x374) = fiat_p521_scalar_addcarryx_u64(x372, x319, x354); let mut x375: u64 = 0; let mut x376: fiat_p521_scalar_u1 = 0; let (x375, x376) = fiat_p521_scalar_addcarryx_u64(x374, x321, x356); let mut x377: u64 = 0; let mut x378: fiat_p521_scalar_u1 = 0; let (x377, x378) = fiat_p521_scalar_addcarryx_u64(x376, x323, x358); let mut x379: u64 = 0; let mut x380: fiat_p521_scalar_u1 = 0; let (x379, x380) = fiat_p521_scalar_addcarryx_u64(x378, x325, x360); let mut x381: u64 = 0; let mut x382: fiat_p521_scalar_u1 = 0; let (x381, x382) = fiat_p521_scalar_addcarryx_u64(x380, x327, x362); let mut x383: u64 = 0; let mut x384: u64 = 0; let (x383, x384) = fiat_p521_scalar_mulx_u64(x363, 0x1d2f5ccd79a995c7); let mut x385: u64 = 0; let mut x386: u64 = 0; let (x385, x386) = fiat_p521_scalar_mulx_u64(x383, 0x1ff); let mut x387: u64 = 0; let mut x388: u64 = 0; let (x387, x388) = fiat_p521_scalar_mulx_u64(x383, 0xffffffffffffffff); let mut x389: u64 = 0; let mut x390: u64 = 0; let (x389, x390) = fiat_p521_scalar_mulx_u64(x383, 0xffffffffffffffff); let mut x391: u64 = 0; let mut x392: u64 = 0; let (x391, x392) = fiat_p521_scalar_mulx_u64(x383, 0xffffffffffffffff); let mut x393: u64 = 0; let mut x394: u64 = 0; let (x393, x394) = fiat_p521_scalar_mulx_u64(x383, 0xfffffffffffffffa); let mut x395: u64 = 0; let mut x396: u64 = 0; let (x395, x396) = fiat_p521_scalar_mulx_u64(x383, 0x51868783bf2f966b); let mut x397: u64 = 0; let mut x398: u64 = 0; let (x397, x398) = 
fiat_p521_scalar_mulx_u64(x383, 0x7fcc0148f709a5d0); let mut x399: u64 = 0; let mut x400: u64 = 0; let (x399, x400) = fiat_p521_scalar_mulx_u64(x383, 0x3bb5c9b8899c47ae); let mut x401: u64 = 0; let mut x402: u64 = 0; let (x401, x402) = fiat_p521_scalar_mulx_u64(x383, 0xbb6fb71e91386409); let mut x403: u64 = 0; let mut x404: fiat_p521_scalar_u1 = 0; let (x403, x404) = fiat_p521_scalar_addcarryx_u64(0x0, x402, x399); let mut x405: u64 = 0; let mut x406: fiat_p521_scalar_u1 = 0; let (x405, x406) = fiat_p521_scalar_addcarryx_u64(x404, x400, x397); let mut x407: u64 = 0; let mut x408: fiat_p521_scalar_u1 = 0; let (x407, x408) = fiat_p521_scalar_addcarryx_u64(x406, x398, x395); let mut x409: u64 = 0; let mut x410: fiat_p521_scalar_u1 = 0; let (x409, x410) = fiat_p521_scalar_addcarryx_u64(x408, x396, x393); let mut x411: u64 = 0; let mut x412: fiat_p521_scalar_u1 = 0; let (x411, x412) = fiat_p521_scalar_addcarryx_u64(x410, x394, x391); let mut x413: u64 = 0; let mut x414: fiat_p521_scalar_u1 = 0; let (x413, x414) = fiat_p521_scalar_addcarryx_u64(x412, x392, x389); let mut x415: u64 = 0; let mut x416: fiat_p521_scalar_u1 = 0; let (x415, x416) = fiat_p521_scalar_addcarryx_u64(x414, x390, x387); let mut x417: u64 = 0; let mut x418: fiat_p521_scalar_u1 = 0; let (x417, x418) = fiat_p521_scalar_addcarryx_u64(x416, x388, x385); let x419: u64 = ((x418 as u64) + x386); let mut x420: u64 = 0; let mut x421: fiat_p521_scalar_u1 = 0; let (x420, x421) = fiat_p521_scalar_addcarryx_u64(0x0, x363, x401); let mut x422: u64 = 0; let mut x423: fiat_p521_scalar_u1 = 0; let (x422, x423) = fiat_p521_scalar_addcarryx_u64(x421, x365, x403); let mut x424: u64 = 0; let mut x425: fiat_p521_scalar_u1 = 0; let (x424, x425) = fiat_p521_scalar_addcarryx_u64(x423, x367, x405); let mut x426: u64 = 0; let mut x427: fiat_p521_scalar_u1 = 0; let (x426, x427) = fiat_p521_scalar_addcarryx_u64(x425, x369, x407); let mut x428: u64 = 0; let mut x429: fiat_p521_scalar_u1 = 0; let (x428, x429) = 
fiat_p521_scalar_addcarryx_u64(x427, x371, x409); let mut x430: u64 = 0; let mut x431: fiat_p521_scalar_u1 = 0; let (x430, x431) = fiat_p521_scalar_addcarryx_u64(x429, x373, x411); let mut x432: u64 = 0; let mut x433: fiat_p521_scalar_u1 = 0; let (x432, x433) = fiat_p521_scalar_addcarryx_u64(x431, x375, x413); let mut x434: u64 = 0; let mut x435: fiat_p521_scalar_u1 = 0; let (x434, x435) = fiat_p521_scalar_addcarryx_u64(x433, x377, x415); let mut x436: u64 = 0; let mut x437: fiat_p521_scalar_u1 = 0; let (x436, x437) = fiat_p521_scalar_addcarryx_u64(x435, x379, x417); let mut x438: u64 = 0; let mut x439: fiat_p521_scalar_u1 = 0; let (x438, x439) = fiat_p521_scalar_addcarryx_u64(x437, x381, x419); let x440: u64 = ((x439 as u64) + (x382 as u64)); let mut x441: u64 = 0; let mut x442: u64 = 0; let (x441, x442) = fiat_p521_scalar_mulx_u64(x4, (arg2[8])); let mut x443: u64 = 0; let mut x444: u64 = 0; let (x443, x444) = fiat_p521_scalar_mulx_u64(x4, (arg2[7])); let mut x445: u64 = 0; let mut x446: u64 = 0; let (x445, x446) = fiat_p521_scalar_mulx_u64(x4, (arg2[6])); let mut x447: u64 = 0; let mut x448: u64 = 0; let (x447, x448) = fiat_p521_scalar_mulx_u64(x4, (arg2[5])); let mut x449: u64 = 0; let mut x450: u64 = 0; let (x449, x450) = fiat_p521_scalar_mulx_u64(x4, (arg2[4])); let mut x451: u64 = 0; let mut x452: u64 = 0; let (x451, x452) = fiat_p521_scalar_mulx_u64(x4, (arg2[3])); let mut x453: u64 = 0; let mut x454: u64 = 0; let (x453, x454) = fiat_p521_scalar_mulx_u64(x4, (arg2[2])); let mut x455: u64 = 0; let mut x456: u64 = 0; let (x455, x456) = fiat_p521_scalar_mulx_u64(x4, (arg2[1])); let mut x457: u64 = 0; let mut x458: u64 = 0; let (x457, x458) = fiat_p521_scalar_mulx_u64(x4, (arg2[0])); let mut x459: u64 = 0; let mut x460: fiat_p521_scalar_u1 = 0; let (x459, x460) = fiat_p521_scalar_addcarryx_u64(0x0, x458, x455); let mut x461: u64 = 0; let mut x462: fiat_p521_scalar_u1 = 0; let (x461, x462) = fiat_p521_scalar_addcarryx_u64(x460, x456, x453); let mut x463: u64 = 
0; let mut x464: fiat_p521_scalar_u1 = 0; let (x463, x464) = fiat_p521_scalar_addcarryx_u64(x462, x454, x451); let mut x465: u64 = 0; let mut x466: fiat_p521_scalar_u1 = 0; let (x465, x466) = fiat_p521_scalar_addcarryx_u64(x464, x452, x449); let mut x467: u64 = 0; let mut x468: fiat_p521_scalar_u1 = 0; let (x467, x468) = fiat_p521_scalar_addcarryx_u64(x466, x450, x447); let mut x469: u64 = 0; let mut x470: fiat_p521_scalar_u1 = 0; let (x469, x470) = fiat_p521_scalar_addcarryx_u64(x468, x448, x445); let mut x471: u64 = 0; let mut x472: fiat_p521_scalar_u1 = 0; let (x471, x472) = fiat_p521_scalar_addcarryx_u64(x470, x446, x443); let mut x473: u64 = 0; let mut x474: fiat_p521_scalar_u1 = 0; let (x473, x474) = fiat_p521_scalar_addcarryx_u64(x472, x444, x441); let x475: u64 = ((x474 as u64) + x442); let mut x476: u64 = 0; let mut x477: fiat_p521_scalar_u1 = 0; let (x476, x477) = fiat_p521_scalar_addcarryx_u64(0x0, x422, x457); let mut x478: u64 = 0; let mut x479: fiat_p521_scalar_u1 = 0; let (x478, x479) = fiat_p521_scalar_addcarryx_u64(x477, x424, x459); let mut x480: u64 = 0; let mut x481: fiat_p521_scalar_u1 = 0; let (x480, x481) = fiat_p521_scalar_addcarryx_u64(x479, x426, x461); let mut x482: u64 = 0; let mut x483: fiat_p521_scalar_u1 = 0; let (x482, x483) = fiat_p521_scalar_addcarryx_u64(x481, x428, x463); let mut x484: u64 = 0; let mut x485: fiat_p521_scalar_u1 = 0; let (x484, x485) = fiat_p521_scalar_addcarryx_u64(x483, x430, x465); let mut x486: u64 = 0; let mut x487: fiat_p521_scalar_u1 = 0; let (x486, x487) = fiat_p521_scalar_addcarryx_u64(x485, x432, x467); let mut x488: u64 = 0; let mut x489: fiat_p521_scalar_u1 = 0; let (x488, x489) = fiat_p521_scalar_addcarryx_u64(x487, x434, x469); let mut x490: u64 = 0; let mut x491: fiat_p521_scalar_u1 = 0; let (x490, x491) = fiat_p521_scalar_addcarryx_u64(x489, x436, x471); let mut x492: u64 = 0; let mut x493: fiat_p521_scalar_u1 = 0; let (x492, x493) = fiat_p521_scalar_addcarryx_u64(x491, x438, x473); let mut x494: 
u64 = 0; let mut x495: fiat_p521_scalar_u1 = 0; let (x494, x495) = fiat_p521_scalar_addcarryx_u64(x493, x440, x475); let mut x496: u64 = 0; let mut x497: u64 = 0; let (x496, x497) = fiat_p521_scalar_mulx_u64(x476, 0x1d2f5ccd79a995c7); let mut x498: u64 = 0; let mut x499: u64 = 0; let (x498, x499) = fiat_p521_scalar_mulx_u64(x496, 0x1ff); let mut x500: u64 = 0; let mut x501: u64 = 0; let (x500, x501) = fiat_p521_scalar_mulx_u64(x496, 0xffffffffffffffff); let mut x502: u64 = 0; let mut x503: u64 = 0; let (x502, x503) = fiat_p521_scalar_mulx_u64(x496, 0xffffffffffffffff); let mut x504: u64 = 0; let mut x505: u64 = 0; let (x504, x505) = fiat_p521_scalar_mulx_u64(x496, 0xffffffffffffffff); let mut x506: u64 = 0; let mut x507: u64 = 0; let (x506, x507) = fiat_p521_scalar_mulx_u64(x496, 0xfffffffffffffffa); let mut x508: u64 = 0; let mut x509: u64 = 0; let (x508, x509) = fiat_p521_scalar_mulx_u64(x496, 0x51868783bf2f966b); let mut x510: u64 = 0; let mut x511: u64 = 0; let (x510, x511) = fiat_p521_scalar_mulx_u64(x496, 0x7fcc0148f709a5d0); let mut x512: u64 = 0; let mut x513: u64 = 0; let (x512, x513) = fiat_p521_scalar_mulx_u64(x496, 0x3bb5c9b8899c47ae); let mut x514: u64 = 0; let mut x515: u64 = 0; let (x514, x515) = fiat_p521_scalar_mulx_u64(x496, 0xbb6fb71e91386409); let mut x516: u64 = 0; let mut x517: fiat_p521_scalar_u1 = 0; let (x516, x517) = fiat_p521_scalar_addcarryx_u64(0x0, x515, x512); let mut x518: u64 = 0; let mut x519: fiat_p521_scalar_u1 = 0; let (x518, x519) = fiat_p521_scalar_addcarryx_u64(x517, x513, x510); let mut x520: u64 = 0; let mut x521: fiat_p521_scalar_u1 = 0; let (x520, x521) = fiat_p521_scalar_addcarryx_u64(x519, x511, x508); let mut x522: u64 = 0; let mut x523: fiat_p521_scalar_u1 = 0; let (x522, x523) = fiat_p521_scalar_addcarryx_u64(x521, x509, x506); let mut x524: u64 = 0; let mut x525: fiat_p521_scalar_u1 = 0; let (x524, x525) = fiat_p521_scalar_addcarryx_u64(x523, x507, x504); let mut x526: u64 = 0; let mut x527: fiat_p521_scalar_u1 = 0; 
let (x526, x527) = fiat_p521_scalar_addcarryx_u64(x525, x505, x502); let mut x528: u64 = 0; let mut x529: fiat_p521_scalar_u1 = 0; let (x528, x529) = fiat_p521_scalar_addcarryx_u64(x527, x503, x500); let mut x530: u64 = 0; let mut x531: fiat_p521_scalar_u1 = 0; let (x530, x531) = fiat_p521_scalar_addcarryx_u64(x529, x501, x498); let x532: u64 = ((x531 as u64) + x499); let mut x533: u64 = 0; let mut x534: fiat_p521_scalar_u1 = 0; let (x533, x534) = fiat_p521_scalar_addcarryx_u64(0x0, x476, x514); let mut x535: u64 = 0; let mut x536: fiat_p521_scalar_u1 = 0; let (x535, x536) = fiat_p521_scalar_addcarryx_u64(x534, x478, x516); let mut x537: u64 = 0; let mut x538: fiat_p521_scalar_u1 = 0; let (x537, x538) = fiat_p521_scalar_addcarryx_u64(x536, x480, x518); let mut x539: u64 = 0; let mut x540: fiat_p521_scalar_u1 = 0; let (x539, x540) = fiat_p521_scalar_addcarryx_u64(x538, x482, x520); let mut x541: u64 = 0; let mut x542: fiat_p521_scalar_u1 = 0; let (x541, x542) = fiat_p521_scalar_addcarryx_u64(x540, x484, x522); let mut x543: u64 = 0; let mut x544: fiat_p521_scalar_u1 = 0; let (x543, x544) = fiat_p521_scalar_addcarryx_u64(x542, x486, x524); let mut x545: u64 = 0; let mut x546: fiat_p521_scalar_u1 = 0; let (x545, x546) = fiat_p521_scalar_addcarryx_u64(x544, x488, x526); let mut x547: u64 = 0; let mut x548: fiat_p521_scalar_u1 = 0; let (x547, x548) = fiat_p521_scalar_addcarryx_u64(x546, x490, x528); let mut x549: u64 = 0; let mut x550: fiat_p521_scalar_u1 = 0; let (x549, x550) = fiat_p521_scalar_addcarryx_u64(x548, x492, x530); let mut x551: u64 = 0; let mut x552: fiat_p521_scalar_u1 = 0; let (x551, x552) = fiat_p521_scalar_addcarryx_u64(x550, x494, x532); let x553: u64 = ((x552 as u64) + (x495 as u64)); let mut x554: u64 = 0; let mut x555: u64 = 0; let (x554, x555) = fiat_p521_scalar_mulx_u64(x5, (arg2[8])); let mut x556: u64 = 0; let mut x557: u64 = 0; let (x556, x557) = fiat_p521_scalar_mulx_u64(x5, (arg2[7])); let mut x558: u64 = 0; let mut x559: u64 = 0; let (x558, 
x559) = fiat_p521_scalar_mulx_u64(x5, (arg2[6])); let mut x560: u64 = 0; let mut x561: u64 = 0; let (x560, x561) = fiat_p521_scalar_mulx_u64(x5, (arg2[5])); let mut x562: u64 = 0; let mut x563: u64 = 0; let (x562, x563) = fiat_p521_scalar_mulx_u64(x5, (arg2[4])); let mut x564: u64 = 0; let mut x565: u64 = 0; let (x564, x565) = fiat_p521_scalar_mulx_u64(x5, (arg2[3])); let mut x566: u64 = 0; let mut x567: u64 = 0; let (x566, x567) = fiat_p521_scalar_mulx_u64(x5, (arg2[2])); let mut x568: u64 = 0; let mut x569: u64 = 0; let (x568, x569) = fiat_p521_scalar_mulx_u64(x5, (arg2[1])); let mut x570: u64 = 0; let mut x571: u64 = 0; let (x570, x571) = fiat_p521_scalar_mulx_u64(x5, (arg2[0])); let mut x572: u64 = 0; let mut x573: fiat_p521_scalar_u1 = 0; let (x572, x573) = fiat_p521_scalar_addcarryx_u64(0x0, x571, x568); let mut x574: u64 = 0; let mut x575: fiat_p521_scalar_u1 = 0; let (x574, x575) = fiat_p521_scalar_addcarryx_u64(x573, x569, x566); let mut x576: u64 = 0; let mut x577: fiat_p521_scalar_u1 = 0; let (x576, x577) = fiat_p521_scalar_addcarryx_u64(x575, x567, x564); let mut x578: u64 = 0; let mut x579: fiat_p521_scalar_u1 = 0; let (x578, x579) = fiat_p521_scalar_addcarryx_u64(x577, x565, x562); let mut x580: u64 = 0; let mut x581: fiat_p521_scalar_u1 = 0; let (x580, x581) = fiat_p521_scalar_addcarryx_u64(x579, x563, x560); let mut x582: u64 = 0; let mut x583: fiat_p521_scalar_u1 = 0; let (x582, x583) = fiat_p521_scalar_addcarryx_u64(x581, x561, x558); let mut x584: u64 = 0; let mut x585: fiat_p521_scalar_u1 = 0; let (x584, x585) = fiat_p521_scalar_addcarryx_u64(x583, x559, x556); let mut x586: u64 = 0; let mut x587: fiat_p521_scalar_u1 = 0; let (x586, x587) = fiat_p521_scalar_addcarryx_u64(x585, x557, x554); let x588: u64 = ((x587 as u64) + x555); let mut x589: u64 = 0; let mut x590: fiat_p521_scalar_u1 = 0; let (x589, x590) = fiat_p521_scalar_addcarryx_u64(0x0, x535, x570); let mut x591: u64 = 0; let mut x592: fiat_p521_scalar_u1 = 0; let (x591, x592) = 
fiat_p521_scalar_addcarryx_u64(x590, x537, x572); let mut x593: u64 = 0; let mut x594: fiat_p521_scalar_u1 = 0; let (x593, x594) = fiat_p521_scalar_addcarryx_u64(x592, x539, x574); let mut x595: u64 = 0; let mut x596: fiat_p521_scalar_u1 = 0; let (x595, x596) = fiat_p521_scalar_addcarryx_u64(x594, x541, x576); let mut x597: u64 = 0; let mut x598: fiat_p521_scalar_u1 = 0; let (x597, x598) = fiat_p521_scalar_addcarryx_u64(x596, x543, x578); let mut x599: u64 = 0; let mut x600: fiat_p521_scalar_u1 = 0; let (x599, x600) = fiat_p521_scalar_addcarryx_u64(x598, x545, x580); let mut x601: u64 = 0; let mut x602: fiat_p521_scalar_u1 = 0; let (x601, x602) = fiat_p521_scalar_addcarryx_u64(x600, x547, x582); let mut x603: u64 = 0; let mut x604: fiat_p521_scalar_u1 = 0; let (x603, x604) = fiat_p521_scalar_addcarryx_u64(x602, x549, x584); let mut x605: u64 = 0; let mut x606: fiat_p521_scalar_u1 = 0; let (x605, x606) = fiat_p521_scalar_addcarryx_u64(x604, x551, x586); let mut x607: u64 = 0; let mut x608: fiat_p521_scalar_u1 = 0; let (x607, x608) = fiat_p521_scalar_addcarryx_u64(x606, x553, x588); let mut x609: u64 = 0; let mut x610: u64 = 0; let (x609, x610) = fiat_p521_scalar_mulx_u64(x589, 0x1d2f5ccd79a995c7); let mut x611: u64 = 0; let mut x612: u64 = 0; let (x611, x612) = fiat_p521_scalar_mulx_u64(x609, 0x1ff); let mut x613: u64 = 0; let mut x614: u64 = 0; let (x613, x614) = fiat_p521_scalar_mulx_u64(x609, 0xffffffffffffffff); let mut x615: u64 = 0; let mut x616: u64 = 0; let (x615, x616) = fiat_p521_scalar_mulx_u64(x609, 0xffffffffffffffff); let mut x617: u64 = 0; let mut x618: u64 = 0; let (x617, x618) = fiat_p521_scalar_mulx_u64(x609, 0xffffffffffffffff); let mut x619: u64 = 0; let mut x620: u64 = 0; let (x619, x620) = fiat_p521_scalar_mulx_u64(x609, 0xfffffffffffffffa); let mut x621: u64 = 0; let mut x622: u64 = 0; let (x621, x622) = fiat_p521_scalar_mulx_u64(x609, 0x51868783bf2f966b); let mut x623: u64 = 0; let mut x624: u64 = 0; let (x623, x624) = 
fiat_p521_scalar_mulx_u64(x609, 0x7fcc0148f709a5d0); let mut x625: u64 = 0; let mut x626: u64 = 0; let (x625, x626) = fiat_p521_scalar_mulx_u64(x609, 0x3bb5c9b8899c47ae); let mut x627: u64 = 0; let mut x628: u64 = 0; let (x627, x628) = fiat_p521_scalar_mulx_u64(x609, 0xbb6fb71e91386409); let mut x629: u64 = 0; let mut x630: fiat_p521_scalar_u1 = 0; let (x629, x630) = fiat_p521_scalar_addcarryx_u64(0x0, x628, x625); let mut x631: u64 = 0; let mut x632: fiat_p521_scalar_u1 = 0; let (x631, x632) = fiat_p521_scalar_addcarryx_u64(x630, x626, x623); let mut x633: u64 = 0; let mut x634: fiat_p521_scalar_u1 = 0; let (x633, x634) = fiat_p521_scalar_addcarryx_u64(x632, x624, x621); let mut x635: u64 = 0; let mut x636: fiat_p521_scalar_u1 = 0; let (x635, x636) = fiat_p521_scalar_addcarryx_u64(x634, x622, x619); let mut x637: u64 = 0; let mut x638: fiat_p521_scalar_u1 = 0; let (x637, x638) = fiat_p521_scalar_addcarryx_u64(x636, x620, x617); let mut x639: u64 = 0; let mut x640: fiat_p521_scalar_u1 = 0; let (x639, x640) = fiat_p521_scalar_addcarryx_u64(x638, x618, x615); let mut x641: u64 = 0; let mut x642: fiat_p521_scalar_u1 = 0; let (x641, x642) = fiat_p521_scalar_addcarryx_u64(x640, x616, x613); let mut x643: u64 = 0; let mut x644: fiat_p521_scalar_u1 = 0; let (x643, x644) = fiat_p521_scalar_addcarryx_u64(x642, x614, x611); let x645: u64 = ((x644 as u64) + x612); let mut x646: u64 = 0; let mut x647: fiat_p521_scalar_u1 = 0; let (x646, x647) = fiat_p521_scalar_addcarryx_u64(0x0, x589, x627); let mut x648: u64 = 0; let mut x649: fiat_p521_scalar_u1 = 0; let (x648, x649) = fiat_p521_scalar_addcarryx_u64(x647, x591, x629); let mut x650: u64 = 0; let mut x651: fiat_p521_scalar_u1 = 0; let (x650, x651) = fiat_p521_scalar_addcarryx_u64(x649, x593, x631); let mut x652: u64 = 0; let mut x653: fiat_p521_scalar_u1 = 0; let (x652, x653) = fiat_p521_scalar_addcarryx_u64(x651, x595, x633); let mut x654: u64 = 0; let mut x655: fiat_p521_scalar_u1 = 0; let (x654, x655) = 
fiat_p521_scalar_addcarryx_u64(x653, x597, x635); let mut x656: u64 = 0; let mut x657: fiat_p521_scalar_u1 = 0; let (x656, x657) = fiat_p521_scalar_addcarryx_u64(x655, x599, x637); let mut x658: u64 = 0; let mut x659: fiat_p521_scalar_u1 = 0; let (x658, x659) = fiat_p521_scalar_addcarryx_u64(x657, x601, x639); let mut x660: u64 = 0; let mut x661: fiat_p521_scalar_u1 = 0; let (x660, x661) = fiat_p521_scalar_addcarryx_u64(x659, x603, x641); let mut x662: u64 = 0; let mut x663: fiat_p521_scalar_u1 = 0; let (x662, x663) = fiat_p521_scalar_addcarryx_u64(x661, x605, x643); let mut x664: u64 = 0; let mut x665: fiat_p521_scalar_u1 = 0; let (x664, x665) = fiat_p521_scalar_addcarryx_u64(x663, x607, x645); let x666: u64 = ((x665 as u64) + (x608 as u64)); let mut x667: u64 = 0; let mut x668: u64 = 0; let (x667, x668) = fiat_p521_scalar_mulx_u64(x6, (arg2[8])); let mut x669: u64 = 0; let mut x670: u64 = 0; let (x669, x670) = fiat_p521_scalar_mulx_u64(x6, (arg2[7])); let mut x671: u64 = 0; let mut x672: u64 = 0; let (x671, x672) = fiat_p521_scalar_mulx_u64(x6, (arg2[6])); let mut x673: u64 = 0; let mut x674: u64 = 0; let (x673, x674) = fiat_p521_scalar_mulx_u64(x6, (arg2[5])); let mut x675: u64 = 0; let mut x676: u64 = 0; let (x675, x676) = fiat_p521_scalar_mulx_u64(x6, (arg2[4])); let mut x677: u64 = 0; let mut x678: u64 = 0; let (x677, x678) = fiat_p521_scalar_mulx_u64(x6, (arg2[3])); let mut x679: u64 = 0; let mut x680: u64 = 0; let (x679, x680) = fiat_p521_scalar_mulx_u64(x6, (arg2[2])); let mut x681: u64 = 0; let mut x682: u64 = 0; let (x681, x682) = fiat_p521_scalar_mulx_u64(x6, (arg2[1])); let mut x683: u64 = 0; let mut x684: u64 = 0; let (x683, x684) = fiat_p521_scalar_mulx_u64(x6, (arg2[0])); let mut x685: u64 = 0; let mut x686: fiat_p521_scalar_u1 = 0; let (x685, x686) = fiat_p521_scalar_addcarryx_u64(0x0, x684, x681); let mut x687: u64 = 0; let mut x688: fiat_p521_scalar_u1 = 0; let (x687, x688) = fiat_p521_scalar_addcarryx_u64(x686, x682, x679); let mut x689: u64 = 
0; let mut x690: fiat_p521_scalar_u1 = 0; let (x689, x690) = fiat_p521_scalar_addcarryx_u64(x688, x680, x677); let mut x691: u64 = 0; let mut x692: fiat_p521_scalar_u1 = 0; let (x691, x692) = fiat_p521_scalar_addcarryx_u64(x690, x678, x675); let mut x693: u64 = 0; let mut x694: fiat_p521_scalar_u1 = 0; let (x693, x694) = fiat_p521_scalar_addcarryx_u64(x692, x676, x673); let mut x695: u64 = 0; let mut x696: fiat_p521_scalar_u1 = 0; let (x695, x696) = fiat_p521_scalar_addcarryx_u64(x694, x674, x671); let mut x697: u64 = 0; let mut x698: fiat_p521_scalar_u1 = 0; let (x697, x698) = fiat_p521_scalar_addcarryx_u64(x696, x672, x669); let mut x699: u64 = 0; let mut x700: fiat_p521_scalar_u1 = 0; let (x699, x700) = fiat_p521_scalar_addcarryx_u64(x698, x670, x667); let x701: u64 = ((x700 as u64) + x668); let mut x702: u64 = 0; let mut x703: fiat_p521_scalar_u1 = 0; let (x702, x703) = fiat_p521_scalar_addcarryx_u64(0x0, x648, x683); let mut x704: u64 = 0; let mut x705: fiat_p521_scalar_u1 = 0; let (x704, x705) = fiat_p521_scalar_addcarryx_u64(x703, x650, x685); let mut x706: u64 = 0; let mut x707: fiat_p521_scalar_u1 = 0; let (x706, x707) = fiat_p521_scalar_addcarryx_u64(x705, x652, x687); let mut x708: u64 = 0; let mut x709: fiat_p521_scalar_u1 = 0; let (x708, x709) = fiat_p521_scalar_addcarryx_u64(x707, x654, x689); let mut x710: u64 = 0; let mut x711: fiat_p521_scalar_u1 = 0; let (x710, x711) = fiat_p521_scalar_addcarryx_u64(x709, x656, x691); let mut x712: u64 = 0; let mut x713: fiat_p521_scalar_u1 = 0; let (x712, x713) = fiat_p521_scalar_addcarryx_u64(x711, x658, x693); let mut x714: u64 = 0; let mut x715: fiat_p521_scalar_u1 = 0; let (x714, x715) = fiat_p521_scalar_addcarryx_u64(x713, x660, x695); let mut x716: u64 = 0; let mut x717: fiat_p521_scalar_u1 = 0; let (x716, x717) = fiat_p521_scalar_addcarryx_u64(x715, x662, x697); let mut x718: u64 = 0; let mut x719: fiat_p521_scalar_u1 = 0; let (x718, x719) = fiat_p521_scalar_addcarryx_u64(x717, x664, x699); let mut x720: 
u64 = 0; let mut x721: fiat_p521_scalar_u1 = 0; let (x720, x721) = fiat_p521_scalar_addcarryx_u64(x719, x666, x701); let mut x722: u64 = 0; let mut x723: u64 = 0; let (x722, x723) = fiat_p521_scalar_mulx_u64(x702, 0x1d2f5ccd79a995c7); let mut x724: u64 = 0; let mut x725: u64 = 0; let (x724, x725) = fiat_p521_scalar_mulx_u64(x722, 0x1ff); let mut x726: u64 = 0; let mut x727: u64 = 0; let (x726, x727) = fiat_p521_scalar_mulx_u64(x722, 0xffffffffffffffff); let mut x728: u64 = 0; let mut x729: u64 = 0; let (x728, x729) = fiat_p521_scalar_mulx_u64(x722, 0xffffffffffffffff); let mut x730: u64 = 0; let mut x731: u64 = 0; let (x730, x731) = fiat_p521_scalar_mulx_u64(x722, 0xffffffffffffffff); let mut x732: u64 = 0; let mut x733: u64 = 0; let (x732, x733) = fiat_p521_scalar_mulx_u64(x722, 0xfffffffffffffffa); let mut x734: u64 = 0; let mut x735: u64 = 0; let (x734, x735) = fiat_p521_scalar_mulx_u64(x722, 0x51868783bf2f966b); let mut x736: u64 = 0; let mut x737: u64 = 0; let (x736, x737) = fiat_p521_scalar_mulx_u64(x722, 0x7fcc0148f709a5d0); let mut x738: u64 = 0; let mut x739: u64 = 0; let (x738, x739) = fiat_p521_scalar_mulx_u64(x722, 0x3bb5c9b8899c47ae); let mut x740: u64 = 0; let mut x741: u64 = 0; let (x740, x741) = fiat_p521_scalar_mulx_u64(x722, 0xbb6fb71e91386409); let mut x742: u64 = 0; let mut x743: fiat_p521_scalar_u1 = 0; let (x742, x743) = fiat_p521_scalar_addcarryx_u64(0x0, x741, x738); let mut x744: u64 = 0; let mut x745: fiat_p521_scalar_u1 = 0; let (x744, x745) = fiat_p521_scalar_addcarryx_u64(x743, x739, x736); let mut x746: u64 = 0; let mut x747: fiat_p521_scalar_u1 = 0; let (x746, x747) = fiat_p521_scalar_addcarryx_u64(x745, x737, x734); let mut x748: u64 = 0; let mut x749: fiat_p521_scalar_u1 = 0; let (x748, x749) = fiat_p521_scalar_addcarryx_u64(x747, x735, x732); let mut x750: u64 = 0; let mut x751: fiat_p521_scalar_u1 = 0; let (x750, x751) = fiat_p521_scalar_addcarryx_u64(x749, x733, x730); let mut x752: u64 = 0; let mut x753: fiat_p521_scalar_u1 = 0; 
let (x752, x753) = fiat_p521_scalar_addcarryx_u64(x751, x731, x728); let mut x754: u64 = 0; let mut x755: fiat_p521_scalar_u1 = 0; let (x754, x755) = fiat_p521_scalar_addcarryx_u64(x753, x729, x726); let mut x756: u64 = 0; let mut x757: fiat_p521_scalar_u1 = 0; let (x756, x757) = fiat_p521_scalar_addcarryx_u64(x755, x727, x724); let x758: u64 = ((x757 as u64) + x725); let mut x759: u64 = 0; let mut x760: fiat_p521_scalar_u1 = 0; let (x759, x760) = fiat_p521_scalar_addcarryx_u64(0x0, x702, x740); let mut x761: u64 = 0; let mut x762: fiat_p521_scalar_u1 = 0; let (x761, x762) = fiat_p521_scalar_addcarryx_u64(x760, x704, x742); let mut x763: u64 = 0; let mut x764: fiat_p521_scalar_u1 = 0; let (x763, x764) = fiat_p521_scalar_addcarryx_u64(x762, x706, x744); let mut x765: u64 = 0; let mut x766: fiat_p521_scalar_u1 = 0; let (x765, x766) = fiat_p521_scalar_addcarryx_u64(x764, x708, x746); let mut x767: u64 = 0; let mut x768: fiat_p521_scalar_u1 = 0; let (x767, x768) = fiat_p521_scalar_addcarryx_u64(x766, x710, x748); let mut x769: u64 = 0; let mut x770: fiat_p521_scalar_u1 = 0; let (x769, x770) = fiat_p521_scalar_addcarryx_u64(x768, x712, x750); let mut x771: u64 = 0; let mut x772: fiat_p521_scalar_u1 = 0; let (x771, x772) = fiat_p521_scalar_addcarryx_u64(x770, x714, x752); let mut x773: u64 = 0; let mut x774: fiat_p521_scalar_u1 = 0; let (x773, x774) = fiat_p521_scalar_addcarryx_u64(x772, x716, x754); let mut x775: u64 = 0; let mut x776: fiat_p521_scalar_u1 = 0; let (x775, x776) = fiat_p521_scalar_addcarryx_u64(x774, x718, x756); let mut x777: u64 = 0; let mut x778: fiat_p521_scalar_u1 = 0; let (x777, x778) = fiat_p521_scalar_addcarryx_u64(x776, x720, x758); let x779: u64 = ((x778 as u64) + (x721 as u64)); let mut x780: u64 = 0; let mut x781: u64 = 0; let (x780, x781) = fiat_p521_scalar_mulx_u64(x7, (arg2[8])); let mut x782: u64 = 0; let mut x783: u64 = 0; let (x782, x783) = fiat_p521_scalar_mulx_u64(x7, (arg2[7])); let mut x784: u64 = 0; let mut x785: u64 = 0; let (x784, 
x785) = fiat_p521_scalar_mulx_u64(x7, (arg2[6])); let mut x786: u64 = 0; let mut x787: u64 = 0; let (x786, x787) = fiat_p521_scalar_mulx_u64(x7, (arg2[5])); let mut x788: u64 = 0; let mut x789: u64 = 0; let (x788, x789) = fiat_p521_scalar_mulx_u64(x7, (arg2[4])); let mut x790: u64 = 0; let mut x791: u64 = 0; let (x790, x791) = fiat_p521_scalar_mulx_u64(x7, (arg2[3])); let mut x792: u64 = 0; let mut x793: u64 = 0; let (x792, x793) = fiat_p521_scalar_mulx_u64(x7, (arg2[2])); let mut x794: u64 = 0; let mut x795: u64 = 0; let (x794, x795) = fiat_p521_scalar_mulx_u64(x7, (arg2[1])); let mut x796: u64 = 0; let mut x797: u64 = 0; let (x796, x797) = fiat_p521_scalar_mulx_u64(x7, (arg2[0])); let mut x798: u64 = 0; let mut x799: fiat_p521_scalar_u1 = 0; let (x798, x799) = fiat_p521_scalar_addcarryx_u64(0x0, x797, x794); let mut x800: u64 = 0; let mut x801: fiat_p521_scalar_u1 = 0; let (x800, x801) = fiat_p521_scalar_addcarryx_u64(x799, x795, x792); let mut x802: u64 = 0; let mut x803: fiat_p521_scalar_u1 = 0; let (x802, x803) = fiat_p521_scalar_addcarryx_u64(x801, x793, x790); let mut x804: u64 = 0; let mut x805: fiat_p521_scalar_u1 = 0; let (x804, x805) = fiat_p521_scalar_addcarryx_u64(x803, x791, x788); let mut x806: u64 = 0; let mut x807: fiat_p521_scalar_u1 = 0; let (x806, x807) = fiat_p521_scalar_addcarryx_u64(x805, x789, x786); let mut x808: u64 = 0; let mut x809: fiat_p521_scalar_u1 = 0; let (x808, x809) = fiat_p521_scalar_addcarryx_u64(x807, x787, x784); let mut x810: u64 = 0; let mut x811: fiat_p521_scalar_u1 = 0; let (x810, x811) = fiat_p521_scalar_addcarryx_u64(x809, x785, x782); let mut x812: u64 = 0; let mut x813: fiat_p521_scalar_u1 = 0; let (x812, x813) = fiat_p521_scalar_addcarryx_u64(x811, x783, x780); let x814: u64 = ((x813 as u64) + x781); let mut x815: u64 = 0; let mut x816: fiat_p521_scalar_u1 = 0; let (x815, x816) = fiat_p521_scalar_addcarryx_u64(0x0, x761, x796); let mut x817: u64 = 0; let mut x818: fiat_p521_scalar_u1 = 0; let (x817, x818) = 
fiat_p521_scalar_addcarryx_u64(x816, x763, x798); let mut x819: u64 = 0; let mut x820: fiat_p521_scalar_u1 = 0; let (x819, x820) = fiat_p521_scalar_addcarryx_u64(x818, x765, x800); let mut x821: u64 = 0; let mut x822: fiat_p521_scalar_u1 = 0; let (x821, x822) = fiat_p521_scalar_addcarryx_u64(x820, x767, x802); let mut x823: u64 = 0; let mut x824: fiat_p521_scalar_u1 = 0; let (x823, x824) = fiat_p521_scalar_addcarryx_u64(x822, x769, x804); let mut x825: u64 = 0; let mut x826: fiat_p521_scalar_u1 = 0; let (x825, x826) = fiat_p521_scalar_addcarryx_u64(x824, x771, x806); let mut x827: u64 = 0; let mut x828: fiat_p521_scalar_u1 = 0; let (x827, x828) = fiat_p521_scalar_addcarryx_u64(x826, x773, x808); let mut x829: u64 = 0; let mut x830: fiat_p521_scalar_u1 = 0; let (x829, x830) = fiat_p521_scalar_addcarryx_u64(x828, x775, x810); let mut x831: u64 = 0; let mut x832: fiat_p521_scalar_u1 = 0; let (x831, x832) = fiat_p521_scalar_addcarryx_u64(x830, x777, x812); let mut x833: u64 = 0; let mut x834: fiat_p521_scalar_u1 = 0; let (x833, x834) = fiat_p521_scalar_addcarryx_u64(x832, x779, x814); let mut x835: u64 = 0; let mut x836: u64 = 0; let (x835, x836) = fiat_p521_scalar_mulx_u64(x815, 0x1d2f5ccd79a995c7); let mut x837: u64 = 0; let mut x838: u64 = 0; let (x837, x838) = fiat_p521_scalar_mulx_u64(x835, 0x1ff); let mut x839: u64 = 0; let mut x840: u64 = 0; let (x839, x840) = fiat_p521_scalar_mulx_u64(x835, 0xffffffffffffffff); let mut x841: u64 = 0; let mut x842: u64 = 0; let (x841, x842) = fiat_p521_scalar_mulx_u64(x835, 0xffffffffffffffff); let mut x843: u64 = 0; let mut x844: u64 = 0; let (x843, x844) = fiat_p521_scalar_mulx_u64(x835, 0xffffffffffffffff); let mut x845: u64 = 0; let mut x846: u64 = 0; let (x845, x846) = fiat_p521_scalar_mulx_u64(x835, 0xfffffffffffffffa); let mut x847: u64 = 0; let mut x848: u64 = 0; let (x847, x848) = fiat_p521_scalar_mulx_u64(x835, 0x51868783bf2f966b); let mut x849: u64 = 0; let mut x850: u64 = 0; let (x849, x850) = 
fiat_p521_scalar_mulx_u64(x835, 0x7fcc0148f709a5d0); let mut x851: u64 = 0; let mut x852: u64 = 0; let (x851, x852) = fiat_p521_scalar_mulx_u64(x835, 0x3bb5c9b8899c47ae); let mut x853: u64 = 0; let mut x854: u64 = 0; let (x853, x854) = fiat_p521_scalar_mulx_u64(x835, 0xbb6fb71e91386409); let mut x855: u64 = 0; let mut x856: fiat_p521_scalar_u1 = 0; let (x855, x856) = fiat_p521_scalar_addcarryx_u64(0x0, x854, x851); let mut x857: u64 = 0; let mut x858: fiat_p521_scalar_u1 = 0; let (x857, x858) = fiat_p521_scalar_addcarryx_u64(x856, x852, x849); let mut x859: u64 = 0; let mut x860: fiat_p521_scalar_u1 = 0; let (x859, x860) = fiat_p521_scalar_addcarryx_u64(x858, x850, x847); let mut x861: u64 = 0; let mut x862: fiat_p521_scalar_u1 = 0; let (x861, x862) = fiat_p521_scalar_addcarryx_u64(x860, x848, x845); let mut x863: u64 = 0; let mut x864: fiat_p521_scalar_u1 = 0; let (x863, x864) = fiat_p521_scalar_addcarryx_u64(x862, x846, x843); let mut x865: u64 = 0; let mut x866: fiat_p521_scalar_u1 = 0; let (x865, x866) = fiat_p521_scalar_addcarryx_u64(x864, x844, x841); let mut x867: u64 = 0; let mut x868: fiat_p521_scalar_u1 = 0; let (x867, x868) = fiat_p521_scalar_addcarryx_u64(x866, x842, x839); let mut x869: u64 = 0; let mut x870: fiat_p521_scalar_u1 = 0; let (x869, x870) = fiat_p521_scalar_addcarryx_u64(x868, x840, x837); let x871: u64 = ((x870 as u64) + x838); let mut x872: u64 = 0; let mut x873: fiat_p521_scalar_u1 = 0; let (x872, x873) = fiat_p521_scalar_addcarryx_u64(0x0, x815, x853); let mut x874: u64 = 0; let mut x875: fiat_p521_scalar_u1 = 0; let (x874, x875) = fiat_p521_scalar_addcarryx_u64(x873, x817, x855); let mut x876: u64 = 0; let mut x877: fiat_p521_scalar_u1 = 0; let (x876, x877) = fiat_p521_scalar_addcarryx_u64(x875, x819, x857); let mut x878: u64 = 0; let mut x879: fiat_p521_scalar_u1 = 0; let (x878, x879) = fiat_p521_scalar_addcarryx_u64(x877, x821, x859); let mut x880: u64 = 0; let mut x881: fiat_p521_scalar_u1 = 0; let (x880, x881) = 
fiat_p521_scalar_addcarryx_u64(x879, x823, x861); let mut x882: u64 = 0; let mut x883: fiat_p521_scalar_u1 = 0; let (x882, x883) = fiat_p521_scalar_addcarryx_u64(x881, x825, x863); let mut x884: u64 = 0; let mut x885: fiat_p521_scalar_u1 = 0; let (x884, x885) = fiat_p521_scalar_addcarryx_u64(x883, x827, x865); let mut x886: u64 = 0; let mut x887: fiat_p521_scalar_u1 = 0; let (x886, x887) = fiat_p521_scalar_addcarryx_u64(x885, x829, x867); let mut x888: u64 = 0; let mut x889: fiat_p521_scalar_u1 = 0; let (x888, x889) = fiat_p521_scalar_addcarryx_u64(x887, x831, x869); let mut x890: u64 = 0; let mut x891: fiat_p521_scalar_u1 = 0; let (x890, x891) = fiat_p521_scalar_addcarryx_u64(x889, x833, x871); let x892: u64 = ((x891 as u64) + (x834 as u64)); let mut x893: u64 = 0; let mut x894: u64 = 0; let (x893, x894) = fiat_p521_scalar_mulx_u64(x8, (arg2[8])); let mut x895: u64 = 0; let mut x896: u64 = 0; let (x895, x896) = fiat_p521_scalar_mulx_u64(x8, (arg2[7])); let mut x897: u64 = 0; let mut x898: u64 = 0; let (x897, x898) = fiat_p521_scalar_mulx_u64(x8, (arg2[6])); let mut x899: u64 = 0; let mut x900: u64 = 0; let (x899, x900) = fiat_p521_scalar_mulx_u64(x8, (arg2[5])); let mut x901: u64 = 0; let mut x902: u64 = 0; let (x901, x902) = fiat_p521_scalar_mulx_u64(x8, (arg2[4])); let mut x903: u64 = 0; let mut x904: u64 = 0; let (x903, x904) = fiat_p521_scalar_mulx_u64(x8, (arg2[3])); let mut x905: u64 = 0; let mut x906: u64 = 0; let (x905, x906) = fiat_p521_scalar_mulx_u64(x8, (arg2[2])); let mut x907: u64 = 0; let mut x908: u64 = 0; let (x907, x908) = fiat_p521_scalar_mulx_u64(x8, (arg2[1])); let mut x909: u64 = 0; let mut x910: u64 = 0; let (x909, x910) = fiat_p521_scalar_mulx_u64(x8, (arg2[0])); let mut x911: u64 = 0; let mut x912: fiat_p521_scalar_u1 = 0; let (x911, x912) = fiat_p521_scalar_addcarryx_u64(0x0, x910, x907); let mut x913: u64 = 0; let mut x914: fiat_p521_scalar_u1 = 0; let (x913, x914) = fiat_p521_scalar_addcarryx_u64(x912, x908, x905); let mut x915: u64 = 
0; let mut x916: fiat_p521_scalar_u1 = 0; let (x915, x916) = fiat_p521_scalar_addcarryx_u64(x914, x906, x903); let mut x917: u64 = 0; let mut x918: fiat_p521_scalar_u1 = 0; let (x917, x918) = fiat_p521_scalar_addcarryx_u64(x916, x904, x901); let mut x919: u64 = 0; let mut x920: fiat_p521_scalar_u1 = 0; let (x919, x920) = fiat_p521_scalar_addcarryx_u64(x918, x902, x899); let mut x921: u64 = 0; let mut x922: fiat_p521_scalar_u1 = 0; let (x921, x922) = fiat_p521_scalar_addcarryx_u64(x920, x900, x897); let mut x923: u64 = 0; let mut x924: fiat_p521_scalar_u1 = 0; let (x923, x924) = fiat_p521_scalar_addcarryx_u64(x922, x898, x895); let mut x925: u64 = 0; let mut x926: fiat_p521_scalar_u1 = 0; let (x925, x926) = fiat_p521_scalar_addcarryx_u64(x924, x896, x893); let x927: u64 = ((x926 as u64) + x894); let mut x928: u64 = 0; let mut x929: fiat_p521_scalar_u1 = 0; let (x928, x929) = fiat_p521_scalar_addcarryx_u64(0x0, x874, x909); let mut x930: u64 = 0; let mut x931: fiat_p521_scalar_u1 = 0; let (x930, x931) = fiat_p521_scalar_addcarryx_u64(x929, x876, x911); let mut x932: u64 = 0; let mut x933: fiat_p521_scalar_u1 = 0; let (x932, x933) = fiat_p521_scalar_addcarryx_u64(x931, x878, x913); let mut x934: u64 = 0; let mut x935: fiat_p521_scalar_u1 = 0; let (x934, x935) = fiat_p521_scalar_addcarryx_u64(x933, x880, x915); let mut x936: u64 = 0; let mut x937: fiat_p521_scalar_u1 = 0; let (x936, x937) = fiat_p521_scalar_addcarryx_u64(x935, x882, x917); let mut x938: u64 = 0; let mut x939: fiat_p521_scalar_u1 = 0; let (x938, x939) = fiat_p521_scalar_addcarryx_u64(x937, x884, x919); let mut x940: u64 = 0; let mut x941: fiat_p521_scalar_u1 = 0; let (x940, x941) = fiat_p521_scalar_addcarryx_u64(x939, x886, x921); let mut x942: u64 = 0; let mut x943: fiat_p521_scalar_u1 = 0; let (x942, x943) = fiat_p521_scalar_addcarryx_u64(x941, x888, x923); let mut x944: u64 = 0; let mut x945: fiat_p521_scalar_u1 = 0; let (x944, x945) = fiat_p521_scalar_addcarryx_u64(x943, x890, x925); let mut x946: 
u64 = 0; let mut x947: fiat_p521_scalar_u1 = 0; let (x946, x947) = fiat_p521_scalar_addcarryx_u64(x945, x892, x927); let mut x948: u64 = 0; let mut x949: u64 = 0; let (x948, x949) = fiat_p521_scalar_mulx_u64(x928, 0x1d2f5ccd79a995c7); let mut x950: u64 = 0; let mut x951: u64 = 0; let (x950, x951) = fiat_p521_scalar_mulx_u64(x948, 0x1ff); let mut x952: u64 = 0; let mut x953: u64 = 0; let (x952, x953) = fiat_p521_scalar_mulx_u64(x948, 0xffffffffffffffff); let mut x954: u64 = 0; let mut x955: u64 = 0; let (x954, x955) = fiat_p521_scalar_mulx_u64(x948, 0xffffffffffffffff); let mut x956: u64 = 0; let mut x957: u64 = 0; let (x956, x957) = fiat_p521_scalar_mulx_u64(x948, 0xffffffffffffffff); let mut x958: u64 = 0; let mut x959: u64 = 0; let (x958, x959) = fiat_p521_scalar_mulx_u64(x948, 0xfffffffffffffffa); let mut x960: u64 = 0; let mut x961: u64 = 0; let (x960, x961) = fiat_p521_scalar_mulx_u64(x948, 0x51868783bf2f966b); let mut x962: u64 = 0; let mut x963: u64 = 0; let (x962, x963) = fiat_p521_scalar_mulx_u64(x948, 0x7fcc0148f709a5d0); let mut x964: u64 = 0; let mut x965: u64 = 0; let (x964, x965) = fiat_p521_scalar_mulx_u64(x948, 0x3bb5c9b8899c47ae); let mut x966: u64 = 0; let mut x967: u64 = 0; let (x966, x967) = fiat_p521_scalar_mulx_u64(x948, 0xbb6fb71e91386409); let mut x968: u64 = 0; let mut x969: fiat_p521_scalar_u1 = 0; let (x968, x969) = fiat_p521_scalar_addcarryx_u64(0x0, x967, x964); let mut x970: u64 = 0; let mut x971: fiat_p521_scalar_u1 = 0; let (x970, x971) = fiat_p521_scalar_addcarryx_u64(x969, x965, x962); let mut x972: u64 = 0; let mut x973: fiat_p521_scalar_u1 = 0; let (x972, x973) = fiat_p521_scalar_addcarryx_u64(x971, x963, x960); let mut x974: u64 = 0; let mut x975: fiat_p521_scalar_u1 = 0; let (x974, x975) = fiat_p521_scalar_addcarryx_u64(x973, x961, x958); let mut x976: u64 = 0; let mut x977: fiat_p521_scalar_u1 = 0; let (x976, x977) = fiat_p521_scalar_addcarryx_u64(x975, x959, x956); let mut x978: u64 = 0; let mut x979: fiat_p521_scalar_u1 = 0; 
let (x978, x979) = fiat_p521_scalar_addcarryx_u64(x977, x957, x954); let mut x980: u64 = 0; let mut x981: fiat_p521_scalar_u1 = 0; let (x980, x981) = fiat_p521_scalar_addcarryx_u64(x979, x955, x952); let mut x982: u64 = 0; let mut x983: fiat_p521_scalar_u1 = 0; let (x982, x983) = fiat_p521_scalar_addcarryx_u64(x981, x953, x950); let x984: u64 = ((x983 as u64) + x951); let mut x985: u64 = 0; let mut x986: fiat_p521_scalar_u1 = 0; let (x985, x986) = fiat_p521_scalar_addcarryx_u64(0x0, x928, x966); let mut x987: u64 = 0; let mut x988: fiat_p521_scalar_u1 = 0; let (x987, x988) = fiat_p521_scalar_addcarryx_u64(x986, x930, x968); let mut x989: u64 = 0; let mut x990: fiat_p521_scalar_u1 = 0; let (x989, x990) = fiat_p521_scalar_addcarryx_u64(x988, x932, x970); let mut x991: u64 = 0; let mut x992: fiat_p521_scalar_u1 = 0; let (x991, x992) = fiat_p521_scalar_addcarryx_u64(x990, x934, x972); let mut x993: u64 = 0; let mut x994: fiat_p521_scalar_u1 = 0; let (x993, x994) = fiat_p521_scalar_addcarryx_u64(x992, x936, x974); let mut x995: u64 = 0; let mut x996: fiat_p521_scalar_u1 = 0; let (x995, x996) = fiat_p521_scalar_addcarryx_u64(x994, x938, x976); let mut x997: u64 = 0; let mut x998: fiat_p521_scalar_u1 = 0; let (x997, x998) = fiat_p521_scalar_addcarryx_u64(x996, x940, x978); let mut x999: u64 = 0; let mut x1000: fiat_p521_scalar_u1 = 0; let (x999, x1000) = fiat_p521_scalar_addcarryx_u64(x998, x942, x980); let mut x1001: u64 = 0; let mut x1002: fiat_p521_scalar_u1 = 0; let (x1001, x1002) = fiat_p521_scalar_addcarryx_u64(x1000, x944, x982); let mut x1003: u64 = 0; let mut x1004: fiat_p521_scalar_u1 = 0; let (x1003, x1004) = fiat_p521_scalar_addcarryx_u64(x1002, x946, x984); let x1005: u64 = ((x1004 as u64) + (x947 as u64)); let mut x1006: u64 = 0; let mut x1007: fiat_p521_scalar_u1 = 0; let (x1006, x1007) = fiat_p521_scalar_subborrowx_u64(0x0, x987, 0xbb6fb71e91386409); let mut x1008: u64 = 0; let mut x1009: fiat_p521_scalar_u1 = 0; let (x1008, x1009) = 
fiat_p521_scalar_subborrowx_u64(x1007, x989, 0x3bb5c9b8899c47ae); let mut x1010: u64 = 0; let mut x1011: fiat_p521_scalar_u1 = 0; let (x1010, x1011) = fiat_p521_scalar_subborrowx_u64(x1009, x991, 0x7fcc0148f709a5d0); let mut x1012: u64 = 0; let mut x1013: fiat_p521_scalar_u1 = 0; let (x1012, x1013) = fiat_p521_scalar_subborrowx_u64(x1011, x993, 0x51868783bf2f966b); let mut x1014: u64 = 0; let mut x1015: fiat_p521_scalar_u1 = 0; let (x1014, x1015) = fiat_p521_scalar_subborrowx_u64(x1013, x995, 0xfffffffffffffffa); let mut x1016: u64 = 0; let mut x1017: fiat_p521_scalar_u1 = 0; let (x1016, x1017) = fiat_p521_scalar_subborrowx_u64(x1015, x997, 0xffffffffffffffff); let mut x1018: u64 = 0; let mut x1019: fiat_p521_scalar_u1 = 0; let (x1018, x1019) = fiat_p521_scalar_subborrowx_u64(x1017, x999, 0xffffffffffffffff); let mut x1020: u64 = 0; let mut x1021: fiat_p521_scalar_u1 = 0; let (x1020, x1021) = fiat_p521_scalar_subborrowx_u64(x1019, x1001, 0xffffffffffffffff); let mut x1022: u64 = 0; let mut x1023: fiat_p521_scalar_u1 = 0; let (x1022, x1023) = fiat_p521_scalar_subborrowx_u64(x1021, x1003, 0x1ff); let mut x1024: u64 = 0; let mut x1025: fiat_p521_scalar_u1 = 0; let (x1024, x1025) = fiat_p521_scalar_subborrowx_u64(x1023, x1005, (0x0 as u64)); let mut x1026: u64 = 0; let (x1026) = fiat_p521_scalar_cmovznz_u64(x1025, x1006, x987); let mut x1027: u64 = 0; let (x1027) = fiat_p521_scalar_cmovznz_u64(x1025, x1008, x989); let mut x1028: u64 = 0; let (x1028) = fiat_p521_scalar_cmovznz_u64(x1025, x1010, x991); let mut x1029: u64 = 0; let (x1029) = fiat_p521_scalar_cmovznz_u64(x1025, x1012, x993); let mut x1030: u64 = 0; let (x1030) = fiat_p521_scalar_cmovznz_u64(x1025, x1014, x995); let mut x1031: u64 = 0; let (x1031) = fiat_p521_scalar_cmovznz_u64(x1025, x1016, x997); let mut x1032: u64 = 0; let (x1032) = fiat_p521_scalar_cmovznz_u64(x1025, x1018, x999); let mut x1033: u64 = 0; let (x1033) = fiat_p521_scalar_cmovznz_u64(x1025, x1020, x1001); let mut x1034: u64 = 0; let (x1034) 
= fiat_p521_scalar_cmovznz_u64(x1025, x1022, x1003); out1[0] = x1026; out1[1] = x1027; out1[2] = x1028; out1[3] = x1029; out1[4] = x1030; out1[5] = x1031; out1[6] = x1032; out1[7] = x1033; out1[8] = x1034; out1 } #[doc = " The function fiat_p521_scalar_square squares a field element in the Montgomery domain."] #[doc = ""] #[doc = " Preconditions:"] #[doc = " 0 ≤ eval arg1 < m"] #[doc = " Postconditions:"] #[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m"] #[doc = " 0 ≤ eval out1 < m"] #[doc = ""] #[inline] pub const fn fiat_p521_scalar_square( arg1: &fiat_p521_scalar_montgomery_domain_field_element, ) -> fiat_p521_scalar_montgomery_domain_field_element { let mut out1: fiat_p521_scalar_montgomery_domain_field_element = [0; 9]; let x1: u64 = (arg1[1]); let x2: u64 = (arg1[2]); let x3: u64 = (arg1[3]); let x4: u64 = (arg1[4]); let x5: u64 = (arg1[5]); let x6: u64 = (arg1[6]); let x7: u64 = (arg1[7]); let x8: u64 = (arg1[8]); let x9: u64 = (arg1[0]); let mut x10: u64 = 0; let mut x11: u64 = 0; let (x10, x11) = fiat_p521_scalar_mulx_u64(x9, (arg1[8])); let mut x12: u64 = 0; let mut x13: u64 = 0; let (x12, x13) = fiat_p521_scalar_mulx_u64(x9, (arg1[7])); let mut x14: u64 = 0; let mut x15: u64 = 0; let (x14, x15) = fiat_p521_scalar_mulx_u64(x9, (arg1[6])); let mut x16: u64 = 0; let mut x17: u64 = 0; let (x16, x17) = fiat_p521_scalar_mulx_u64(x9, (arg1[5])); let mut x18: u64 = 0; let mut x19: u64 = 0; let (x18, x19) = fiat_p521_scalar_mulx_u64(x9, (arg1[4])); let mut x20: u64 = 0; let mut x21: u64 = 0; let (x20, x21) = fiat_p521_scalar_mulx_u64(x9, (arg1[3])); let mut x22: u64 = 0; let mut x23: u64 = 0; let (x22, x23) = fiat_p521_scalar_mulx_u64(x9, (arg1[2])); let mut x24: u64 = 0; let mut x25: u64 = 0; let (x24, x25) = fiat_p521_scalar_mulx_u64(x9, (arg1[1])); let mut x26: u64 = 0; let mut x27: u64 = 0; let (x26, x27) = fiat_p521_scalar_mulx_u64(x9, (arg1[0])); let mut x28: u64 = 0; let mut x29: 
fiat_p521_scalar_u1 = 0; let (x28, x29) = fiat_p521_scalar_addcarryx_u64(0x0, x27, x24); let mut x30: u64 = 0; let mut x31: fiat_p521_scalar_u1 = 0; let (x30, x31) = fiat_p521_scalar_addcarryx_u64(x29, x25, x22); let mut x32: u64 = 0; let mut x33: fiat_p521_scalar_u1 = 0; let (x32, x33) = fiat_p521_scalar_addcarryx_u64(x31, x23, x20); let mut x34: u64 = 0; let mut x35: fiat_p521_scalar_u1 = 0; let (x34, x35) = fiat_p521_scalar_addcarryx_u64(x33, x21, x18); let mut x36: u64 = 0; let mut x37: fiat_p521_scalar_u1 = 0; let (x36, x37) = fiat_p521_scalar_addcarryx_u64(x35, x19, x16); let mut x38: u64 = 0; let mut x39: fiat_p521_scalar_u1 = 0; let (x38, x39) = fiat_p521_scalar_addcarryx_u64(x37, x17, x14); let mut x40: u64 = 0; let mut x41: fiat_p521_scalar_u1 = 0; let (x40, x41) = fiat_p521_scalar_addcarryx_u64(x39, x15, x12); let mut x42: u64 = 0; let mut x43: fiat_p521_scalar_u1 = 0; let (x42, x43) = fiat_p521_scalar_addcarryx_u64(x41, x13, x10); let x44: u64 = ((x43 as u64) + x11); let mut x45: u64 = 0; let mut x46: u64 = 0; let (x45, x46) = fiat_p521_scalar_mulx_u64(x26, 0x1d2f5ccd79a995c7); let mut x47: u64 = 0; let mut x48: u64 = 0; let (x47, x48) = fiat_p521_scalar_mulx_u64(x45, 0x1ff); let mut x49: u64 = 0; let mut x50: u64 = 0; let (x49, x50) = fiat_p521_scalar_mulx_u64(x45, 0xffffffffffffffff); let mut x51: u64 = 0; let mut x52: u64 = 0; let (x51, x52) = fiat_p521_scalar_mulx_u64(x45, 0xffffffffffffffff); let mut x53: u64 = 0; let mut x54: u64 = 0; let (x53, x54) = fiat_p521_scalar_mulx_u64(x45, 0xffffffffffffffff); let mut x55: u64 = 0; let mut x56: u64 = 0; let (x55, x56) = fiat_p521_scalar_mulx_u64(x45, 0xfffffffffffffffa); let mut x57: u64 = 0; let mut x58: u64 = 0; let (x57, x58) = fiat_p521_scalar_mulx_u64(x45, 0x51868783bf2f966b); let mut x59: u64 = 0; let mut x60: u64 = 0; let (x59, x60) = fiat_p521_scalar_mulx_u64(x45, 0x7fcc0148f709a5d0); let mut x61: u64 = 0; let mut x62: u64 = 0; let (x61, x62) = fiat_p521_scalar_mulx_u64(x45, 0x3bb5c9b8899c47ae); 
let mut x63: u64 = 0; let mut x64: u64 = 0; let (x63, x64) = fiat_p521_scalar_mulx_u64(x45, 0xbb6fb71e91386409); let mut x65: u64 = 0; let mut x66: fiat_p521_scalar_u1 = 0; let (x65, x66) = fiat_p521_scalar_addcarryx_u64(0x0, x64, x61); let mut x67: u64 = 0; let mut x68: fiat_p521_scalar_u1 = 0; let (x67, x68) = fiat_p521_scalar_addcarryx_u64(x66, x62, x59); let mut x69: u64 = 0; let mut x70: fiat_p521_scalar_u1 = 0; let (x69, x70) = fiat_p521_scalar_addcarryx_u64(x68, x60, x57); let mut x71: u64 = 0; let mut x72: fiat_p521_scalar_u1 = 0; let (x71, x72) = fiat_p521_scalar_addcarryx_u64(x70, x58, x55); let mut x73: u64 = 0; let mut x74: fiat_p521_scalar_u1 = 0; let (x73, x74) = fiat_p521_scalar_addcarryx_u64(x72, x56, x53); let mut x75: u64 = 0; let mut x76: fiat_p521_scalar_u1 = 0; let (x75, x76) = fiat_p521_scalar_addcarryx_u64(x74, x54, x51); let mut x77: u64 = 0; let mut x78: fiat_p521_scalar_u1 = 0; let (x77, x78) = fiat_p521_scalar_addcarryx_u64(x76, x52, x49); let mut x79: u64 = 0; let mut x80: fiat_p521_scalar_u1 = 0; let (x79, x80) = fiat_p521_scalar_addcarryx_u64(x78, x50, x47); let x81: u64 = ((x80 as u64) + x48); let mut x82: u64 = 0; let mut x83: fiat_p521_scalar_u1 = 0; let (x82, x83) = fiat_p521_scalar_addcarryx_u64(0x0, x26, x63); let mut x84: u64 = 0; let mut x85: fiat_p521_scalar_u1 = 0; let (x84, x85) = fiat_p521_scalar_addcarryx_u64(x83, x28, x65); let mut x86: u64 = 0; let mut x87: fiat_p521_scalar_u1 = 0; let (x86, x87) = fiat_p521_scalar_addcarryx_u64(x85, x30, x67); let mut x88: u64 = 0; let mut x89: fiat_p521_scalar_u1 = 0; let (x88, x89) = fiat_p521_scalar_addcarryx_u64(x87, x32, x69); let mut x90: u64 = 0; let mut x91: fiat_p521_scalar_u1 = 0; let (x90, x91) = fiat_p521_scalar_addcarryx_u64(x89, x34, x71); let mut x92: u64 = 0; let mut x93: fiat_p521_scalar_u1 = 0; let (x92, x93) = fiat_p521_scalar_addcarryx_u64(x91, x36, x73); let mut x94: u64 = 0; let mut x95: fiat_p521_scalar_u1 = 0; let (x94, x95) = fiat_p521_scalar_addcarryx_u64(x93, 
x38, x75); let mut x96: u64 = 0; let mut x97: fiat_p521_scalar_u1 = 0; let (x96, x97) = fiat_p521_scalar_addcarryx_u64(x95, x40, x77); let mut x98: u64 = 0; let mut x99: fiat_p521_scalar_u1 = 0; let (x98, x99) = fiat_p521_scalar_addcarryx_u64(x97, x42, x79); let mut x100: u64 = 0; let mut x101: fiat_p521_scalar_u1 = 0; let (x100, x101) = fiat_p521_scalar_addcarryx_u64(x99, x44, x81); let mut x102: u64 = 0; let mut x103: u64 = 0; let (x102, x103) = fiat_p521_scalar_mulx_u64(x1, (arg1[8])); let mut x104: u64 = 0; let mut x105: u64 = 0; let (x104, x105) = fiat_p521_scalar_mulx_u64(x1, (arg1[7])); let mut x106: u64 = 0; let mut x107: u64 = 0; let (x106, x107) = fiat_p521_scalar_mulx_u64(x1, (arg1[6])); let mut x108: u64 = 0; let mut x109: u64 = 0; let (x108, x109) = fiat_p521_scalar_mulx_u64(x1, (arg1[5])); let mut x110: u64 = 0; let mut x111: u64 = 0; let (x110, x111) = fiat_p521_scalar_mulx_u64(x1, (arg1[4])); let mut x112: u64 = 0; let mut x113: u64 = 0; let (x112, x113) = fiat_p521_scalar_mulx_u64(x1, (arg1[3])); let mut x114: u64 = 0; let mut x115: u64 = 0; let (x114, x115) = fiat_p521_scalar_mulx_u64(x1, (arg1[2])); let mut x116: u64 = 0; let mut x117: u64 = 0; let (x116, x117) = fiat_p521_scalar_mulx_u64(x1, (arg1[1])); let mut x118: u64 = 0; let mut x119: u64 = 0; let (x118, x119) = fiat_p521_scalar_mulx_u64(x1, (arg1[0])); let mut x120: u64 = 0; let mut x121: fiat_p521_scalar_u1 = 0; let (x120, x121) = fiat_p521_scalar_addcarryx_u64(0x0, x119, x116); let mut x122: u64 = 0; let mut x123: fiat_p521_scalar_u1 = 0; let (x122, x123) = fiat_p521_scalar_addcarryx_u64(x121, x117, x114); let mut x124: u64 = 0; let mut x125: fiat_p521_scalar_u1 = 0; let (x124, x125) = fiat_p521_scalar_addcarryx_u64(x123, x115, x112); let mut x126: u64 = 0; let mut x127: fiat_p521_scalar_u1 = 0; let (x126, x127) = fiat_p521_scalar_addcarryx_u64(x125, x113, x110); let mut x128: u64 = 0; let mut x129: fiat_p521_scalar_u1 = 0; let (x128, x129) = fiat_p521_scalar_addcarryx_u64(x127, x111, 
x108); let mut x130: u64 = 0; let mut x131: fiat_p521_scalar_u1 = 0; let (x130, x131) = fiat_p521_scalar_addcarryx_u64(x129, x109, x106); let mut x132: u64 = 0; let mut x133: fiat_p521_scalar_u1 = 0; let (x132, x133) = fiat_p521_scalar_addcarryx_u64(x131, x107, x104); let mut x134: u64 = 0; let mut x135: fiat_p521_scalar_u1 = 0; let (x134, x135) = fiat_p521_scalar_addcarryx_u64(x133, x105, x102); let x136: u64 = ((x135 as u64) + x103); let mut x137: u64 = 0; let mut x138: fiat_p521_scalar_u1 = 0; let (x137, x138) = fiat_p521_scalar_addcarryx_u64(0x0, x84, x118); let mut x139: u64 = 0; let mut x140: fiat_p521_scalar_u1 = 0; let (x139, x140) = fiat_p521_scalar_addcarryx_u64(x138, x86, x120); let mut x141: u64 = 0; let mut x142: fiat_p521_scalar_u1 = 0; let (x141, x142) = fiat_p521_scalar_addcarryx_u64(x140, x88, x122); let mut x143: u64 = 0; let mut x144: fiat_p521_scalar_u1 = 0; let (x143, x144) = fiat_p521_scalar_addcarryx_u64(x142, x90, x124); let mut x145: u64 = 0; let mut x146: fiat_p521_scalar_u1 = 0; let (x145, x146) = fiat_p521_scalar_addcarryx_u64(x144, x92, x126); let mut x147: u64 = 0; let mut x148: fiat_p521_scalar_u1 = 0; let (x147, x148) = fiat_p521_scalar_addcarryx_u64(x146, x94, x128); let mut x149: u64 = 0; let mut x150: fiat_p521_scalar_u1 = 0; let (x149, x150) = fiat_p521_scalar_addcarryx_u64(x148, x96, x130); let mut x151: u64 = 0; let mut x152: fiat_p521_scalar_u1 = 0; let (x151, x152) = fiat_p521_scalar_addcarryx_u64(x150, x98, x132); let mut x153: u64 = 0; let mut x154: fiat_p521_scalar_u1 = 0; let (x153, x154) = fiat_p521_scalar_addcarryx_u64(x152, x100, x134); let mut x155: u64 = 0; let mut x156: fiat_p521_scalar_u1 = 0; let (x155, x156) = fiat_p521_scalar_addcarryx_u64(x154, (x101 as u64), x136); let mut x157: u64 = 0; let mut x158: u64 = 0; let (x157, x158) = fiat_p521_scalar_mulx_u64(x137, 0x1d2f5ccd79a995c7); let mut x159: u64 = 0; let mut x160: u64 = 0; let (x159, x160) = fiat_p521_scalar_mulx_u64(x157, 0x1ff); let mut x161: u64 = 0; let 
mut x162: u64 = 0; let (x161, x162) = fiat_p521_scalar_mulx_u64(x157, 0xffffffffffffffff); let mut x163: u64 = 0; let mut x164: u64 = 0; let (x163, x164) = fiat_p521_scalar_mulx_u64(x157, 0xffffffffffffffff); let mut x165: u64 = 0; let mut x166: u64 = 0; let (x165, x166) = fiat_p521_scalar_mulx_u64(x157, 0xffffffffffffffff); let mut x167: u64 = 0; let mut x168: u64 = 0; let (x167, x168) = fiat_p521_scalar_mulx_u64(x157, 0xfffffffffffffffa); let mut x169: u64 = 0; let mut x170: u64 = 0; let (x169, x170) = fiat_p521_scalar_mulx_u64(x157, 0x51868783bf2f966b); let mut x171: u64 = 0; let mut x172: u64 = 0; let (x171, x172) = fiat_p521_scalar_mulx_u64(x157, 0x7fcc0148f709a5d0); let mut x173: u64 = 0; let mut x174: u64 = 0; let (x173, x174) = fiat_p521_scalar_mulx_u64(x157, 0x3bb5c9b8899c47ae); let mut x175: u64 = 0; let mut x176: u64 = 0; let (x175, x176) = fiat_p521_scalar_mulx_u64(x157, 0xbb6fb71e91386409); let mut x177: u64 = 0; let mut x178: fiat_p521_scalar_u1 = 0; let (x177, x178) = fiat_p521_scalar_addcarryx_u64(0x0, x176, x173); let mut x179: u64 = 0; let mut x180: fiat_p521_scalar_u1 = 0; let (x179, x180) = fiat_p521_scalar_addcarryx_u64(x178, x174, x171); let mut x181: u64 = 0; let mut x182: fiat_p521_scalar_u1 = 0; let (x181, x182) = fiat_p521_scalar_addcarryx_u64(x180, x172, x169); let mut x183: u64 = 0; let mut x184: fiat_p521_scalar_u1 = 0; let (x183, x184) = fiat_p521_scalar_addcarryx_u64(x182, x170, x167); let mut x185: u64 = 0; let mut x186: fiat_p521_scalar_u1 = 0; let (x185, x186) = fiat_p521_scalar_addcarryx_u64(x184, x168, x165); let mut x187: u64 = 0; let mut x188: fiat_p521_scalar_u1 = 0; let (x187, x188) = fiat_p521_scalar_addcarryx_u64(x186, x166, x163); let mut x189: u64 = 0; let mut x190: fiat_p521_scalar_u1 = 0; let (x189, x190) = fiat_p521_scalar_addcarryx_u64(x188, x164, x161); let mut x191: u64 = 0; let mut x192: fiat_p521_scalar_u1 = 0; let (x191, x192) = fiat_p521_scalar_addcarryx_u64(x190, x162, x159); let x193: u64 = ((x192 as u64) + 
x160); let mut x194: u64 = 0; let mut x195: fiat_p521_scalar_u1 = 0; let (x194, x195) = fiat_p521_scalar_addcarryx_u64(0x0, x137, x175); let mut x196: u64 = 0; let mut x197: fiat_p521_scalar_u1 = 0; let (x196, x197) = fiat_p521_scalar_addcarryx_u64(x195, x139, x177); let mut x198: u64 = 0; let mut x199: fiat_p521_scalar_u1 = 0; let (x198, x199) = fiat_p521_scalar_addcarryx_u64(x197, x141, x179); let mut x200: u64 = 0; let mut x201: fiat_p521_scalar_u1 = 0; let (x200, x201) = fiat_p521_scalar_addcarryx_u64(x199, x143, x181); let mut x202: u64 = 0; let mut x203: fiat_p521_scalar_u1 = 0; let (x202, x203) = fiat_p521_scalar_addcarryx_u64(x201, x145, x183); let mut x204: u64 = 0; let mut x205: fiat_p521_scalar_u1 = 0; let (x204, x205) = fiat_p521_scalar_addcarryx_u64(x203, x147, x185); let mut x206: u64 = 0; let mut x207: fiat_p521_scalar_u1 = 0; let (x206, x207) = fiat_p521_scalar_addcarryx_u64(x205, x149, x187); let mut x208: u64 = 0; let mut x209: fiat_p521_scalar_u1 = 0; let (x208, x209) = fiat_p521_scalar_addcarryx_u64(x207, x151, x189); let mut x210: u64 = 0; let mut x211: fiat_p521_scalar_u1 = 0; let (x210, x211) = fiat_p521_scalar_addcarryx_u64(x209, x153, x191); let mut x212: u64 = 0; let mut x213: fiat_p521_scalar_u1 = 0; let (x212, x213) = fiat_p521_scalar_addcarryx_u64(x211, x155, x193); let x214: u64 = ((x213 as u64) + (x156 as u64)); let mut x215: u64 = 0; let mut x216: u64 = 0; let (x215, x216) = fiat_p521_scalar_mulx_u64(x2, (arg1[8])); let mut x217: u64 = 0; let mut x218: u64 = 0; let (x217, x218) = fiat_p521_scalar_mulx_u64(x2, (arg1[7])); let mut x219: u64 = 0; let mut x220: u64 = 0; let (x219, x220) = fiat_p521_scalar_mulx_u64(x2, (arg1[6])); let mut x221: u64 = 0; let mut x222: u64 = 0; let (x221, x222) = fiat_p521_scalar_mulx_u64(x2, (arg1[5])); let mut x223: u64 = 0; let mut x224: u64 = 0; let (x223, x224) = fiat_p521_scalar_mulx_u64(x2, (arg1[4])); let mut x225: u64 = 0; let mut x226: u64 = 0; let (x225, x226) = fiat_p521_scalar_mulx_u64(x2, 
(arg1[3])); let mut x227: u64 = 0; let mut x228: u64 = 0; let (x227, x228) = fiat_p521_scalar_mulx_u64(x2, (arg1[2])); let mut x229: u64 = 0; let mut x230: u64 = 0; let (x229, x230) = fiat_p521_scalar_mulx_u64(x2, (arg1[1])); let mut x231: u64 = 0; let mut x232: u64 = 0; let (x231, x232) = fiat_p521_scalar_mulx_u64(x2, (arg1[0])); let mut x233: u64 = 0; let mut x234: fiat_p521_scalar_u1 = 0; let (x233, x234) = fiat_p521_scalar_addcarryx_u64(0x0, x232, x229); let mut x235: u64 = 0; let mut x236: fiat_p521_scalar_u1 = 0; let (x235, x236) = fiat_p521_scalar_addcarryx_u64(x234, x230, x227); let mut x237: u64 = 0; let mut x238: fiat_p521_scalar_u1 = 0; let (x237, x238) = fiat_p521_scalar_addcarryx_u64(x236, x228, x225); let mut x239: u64 = 0; let mut x240: fiat_p521_scalar_u1 = 0; let (x239, x240) = fiat_p521_scalar_addcarryx_u64(x238, x226, x223); let mut x241: u64 = 0; let mut x242: fiat_p521_scalar_u1 = 0; let (x241, x242) = fiat_p521_scalar_addcarryx_u64(x240, x224, x221); let mut x243: u64 = 0; let mut x244: fiat_p521_scalar_u1 = 0; let (x243, x244) = fiat_p521_scalar_addcarryx_u64(x242, x222, x219); let mut x245: u64 = 0; let mut x246: fiat_p521_scalar_u1 = 0; let (x245, x246) = fiat_p521_scalar_addcarryx_u64(x244, x220, x217); let mut x247: u64 = 0; let mut x248: fiat_p521_scalar_u1 = 0; let (x247, x248) = fiat_p521_scalar_addcarryx_u64(x246, x218, x215); let x249: u64 = ((x248 as u64) + x216); let mut x250: u64 = 0; let mut x251: fiat_p521_scalar_u1 = 0; let (x250, x251) = fiat_p521_scalar_addcarryx_u64(0x0, x196, x231); let mut x252: u64 = 0; let mut x253: fiat_p521_scalar_u1 = 0; let (x252, x253) = fiat_p521_scalar_addcarryx_u64(x251, x198, x233); let mut x254: u64 = 0; let mut x255: fiat_p521_scalar_u1 = 0; let (x254, x255) = fiat_p521_scalar_addcarryx_u64(x253, x200, x235); let mut x256: u64 = 0; let mut x257: fiat_p521_scalar_u1 = 0; let (x256, x257) = fiat_p521_scalar_addcarryx_u64(x255, x202, x237); let mut x258: u64 = 0; let mut x259: fiat_p521_scalar_u1 
= 0; let (x258, x259) = fiat_p521_scalar_addcarryx_u64(x257, x204, x239); let mut x260: u64 = 0; let mut x261: fiat_p521_scalar_u1 = 0; let (x260, x261) = fiat_p521_scalar_addcarryx_u64(x259, x206, x241); let mut x262: u64 = 0; let mut x263: fiat_p521_scalar_u1 = 0; let (x262, x263) = fiat_p521_scalar_addcarryx_u64(x261, x208, x243); let mut x264: u64 = 0; let mut x265: fiat_p521_scalar_u1 = 0; let (x264, x265) = fiat_p521_scalar_addcarryx_u64(x263, x210, x245); let mut x266: u64 = 0; let mut x267: fiat_p521_scalar_u1 = 0; let (x266, x267) = fiat_p521_scalar_addcarryx_u64(x265, x212, x247); let mut x268: u64 = 0; let mut x269: fiat_p521_scalar_u1 = 0; let (x268, x269) = fiat_p521_scalar_addcarryx_u64(x267, x214, x249); let mut x270: u64 = 0; let mut x271: u64 = 0; let (x270, x271) = fiat_p521_scalar_mulx_u64(x250, 0x1d2f5ccd79a995c7); let mut x272: u64 = 0; let mut x273: u64 = 0; let (x272, x273) = fiat_p521_scalar_mulx_u64(x270, 0x1ff); let mut x274: u64 = 0; let mut x275: u64 = 0; let (x274, x275) = fiat_p521_scalar_mulx_u64(x270, 0xffffffffffffffff); let mut x276: u64 = 0; let mut x277: u64 = 0; let (x276, x277) = fiat_p521_scalar_mulx_u64(x270, 0xffffffffffffffff); let mut x278: u64 = 0; let mut x279: u64 = 0; let (x278, x279) = fiat_p521_scalar_mulx_u64(x270, 0xffffffffffffffff); let mut x280: u64 = 0; let mut x281: u64 = 0; let (x280, x281) = fiat_p521_scalar_mulx_u64(x270, 0xfffffffffffffffa); let mut x282: u64 = 0; let mut x283: u64 = 0; let (x282, x283) = fiat_p521_scalar_mulx_u64(x270, 0x51868783bf2f966b); let mut x284: u64 = 0; let mut x285: u64 = 0; let (x284, x285) = fiat_p521_scalar_mulx_u64(x270, 0x7fcc0148f709a5d0); let mut x286: u64 = 0; let mut x287: u64 = 0; let (x286, x287) = fiat_p521_scalar_mulx_u64(x270, 0x3bb5c9b8899c47ae); let mut x288: u64 = 0; let mut x289: u64 = 0; let (x288, x289) = fiat_p521_scalar_mulx_u64(x270, 0xbb6fb71e91386409); let mut x290: u64 = 0; let mut x291: fiat_p521_scalar_u1 = 0; let (x290, x291) = 
fiat_p521_scalar_addcarryx_u64(0x0, x289, x286); let mut x292: u64 = 0; let mut x293: fiat_p521_scalar_u1 = 0; let (x292, x293) = fiat_p521_scalar_addcarryx_u64(x291, x287, x284); let mut x294: u64 = 0; let mut x295: fiat_p521_scalar_u1 = 0; let (x294, x295) = fiat_p521_scalar_addcarryx_u64(x293, x285, x282); let mut x296: u64 = 0; let mut x297: fiat_p521_scalar_u1 = 0; let (x296, x297) = fiat_p521_scalar_addcarryx_u64(x295, x283, x280); let mut x298: u64 = 0; let mut x299: fiat_p521_scalar_u1 = 0; let (x298, x299) = fiat_p521_scalar_addcarryx_u64(x297, x281, x278); let mut x300: u64 = 0; let mut x301: fiat_p521_scalar_u1 = 0; let (x300, x301) = fiat_p521_scalar_addcarryx_u64(x299, x279, x276); let mut x302: u64 = 0; let mut x303: fiat_p521_scalar_u1 = 0; let (x302, x303) = fiat_p521_scalar_addcarryx_u64(x301, x277, x274); let mut x304: u64 = 0; let mut x305: fiat_p521_scalar_u1 = 0; let (x304, x305) = fiat_p521_scalar_addcarryx_u64(x303, x275, x272); let x306: u64 = ((x305 as u64) + x273); let mut x307: u64 = 0; let mut x308: fiat_p521_scalar_u1 = 0; let (x307, x308) = fiat_p521_scalar_addcarryx_u64(0x0, x250, x288); let mut x309: u64 = 0; let mut x310: fiat_p521_scalar_u1 = 0; let (x309, x310) = fiat_p521_scalar_addcarryx_u64(x308, x252, x290); let mut x311: u64 = 0; let mut x312: fiat_p521_scalar_u1 = 0; let (x311, x312) = fiat_p521_scalar_addcarryx_u64(x310, x254, x292); let mut x313: u64 = 0; let mut x314: fiat_p521_scalar_u1 = 0; let (x313, x314) = fiat_p521_scalar_addcarryx_u64(x312, x256, x294); let mut x315: u64 = 0; let mut x316: fiat_p521_scalar_u1 = 0; let (x315, x316) = fiat_p521_scalar_addcarryx_u64(x314, x258, x296); let mut x317: u64 = 0; let mut x318: fiat_p521_scalar_u1 = 0; let (x317, x318) = fiat_p521_scalar_addcarryx_u64(x316, x260, x298); let mut x319: u64 = 0; let mut x320: fiat_p521_scalar_u1 = 0; let (x319, x320) = fiat_p521_scalar_addcarryx_u64(x318, x262, x300); let mut x321: u64 = 0; let mut x322: fiat_p521_scalar_u1 = 0; let (x321, 
x322) = fiat_p521_scalar_addcarryx_u64(x320, x264, x302); let mut x323: u64 = 0; let mut x324: fiat_p521_scalar_u1 = 0; let (x323, x324) = fiat_p521_scalar_addcarryx_u64(x322, x266, x304); let mut x325: u64 = 0; let mut x326: fiat_p521_scalar_u1 = 0; let (x325, x326) = fiat_p521_scalar_addcarryx_u64(x324, x268, x306); let x327: u64 = ((x326 as u64) + (x269 as u64)); let mut x328: u64 = 0; let mut x329: u64 = 0; let (x328, x329) = fiat_p521_scalar_mulx_u64(x3, (arg1[8])); let mut x330: u64 = 0; let mut x331: u64 = 0; let (x330, x331) = fiat_p521_scalar_mulx_u64(x3, (arg1[7])); let mut x332: u64 = 0; let mut x333: u64 = 0; let (x332, x333) = fiat_p521_scalar_mulx_u64(x3, (arg1[6])); let mut x334: u64 = 0; let mut x335: u64 = 0; let (x334, x335) = fiat_p521_scalar_mulx_u64(x3, (arg1[5])); let mut x336: u64 = 0; let mut x337: u64 = 0; let (x336, x337) = fiat_p521_scalar_mulx_u64(x3, (arg1[4])); let mut x338: u64 = 0; let mut x339: u64 = 0; let (x338, x339) = fiat_p521_scalar_mulx_u64(x3, (arg1[3])); let mut x340: u64 = 0; let mut x341: u64 = 0; let (x340, x341) = fiat_p521_scalar_mulx_u64(x3, (arg1[2])); let mut x342: u64 = 0; let mut x343: u64 = 0; let (x342, x343) = fiat_p521_scalar_mulx_u64(x3, (arg1[1])); let mut x344: u64 = 0; let mut x345: u64 = 0; let (x344, x345) = fiat_p521_scalar_mulx_u64(x3, (arg1[0])); let mut x346: u64 = 0; let mut x347: fiat_p521_scalar_u1 = 0; let (x346, x347) = fiat_p521_scalar_addcarryx_u64(0x0, x345, x342); let mut x348: u64 = 0; let mut x349: fiat_p521_scalar_u1 = 0; let (x348, x349) = fiat_p521_scalar_addcarryx_u64(x347, x343, x340); let mut x350: u64 = 0; let mut x351: fiat_p521_scalar_u1 = 0; let (x350, x351) = fiat_p521_scalar_addcarryx_u64(x349, x341, x338); let mut x352: u64 = 0; let mut x353: fiat_p521_scalar_u1 = 0; let (x352, x353) = fiat_p521_scalar_addcarryx_u64(x351, x339, x336); let mut x354: u64 = 0; let mut x355: fiat_p521_scalar_u1 = 0; let (x354, x355) = fiat_p521_scalar_addcarryx_u64(x353, x337, x334); let mut x356: 
u64 = 0; let mut x357: fiat_p521_scalar_u1 = 0; let (x356, x357) = fiat_p521_scalar_addcarryx_u64(x355, x335, x332); let mut x358: u64 = 0; let mut x359: fiat_p521_scalar_u1 = 0; let (x358, x359) = fiat_p521_scalar_addcarryx_u64(x357, x333, x330); let mut x360: u64 = 0; let mut x361: fiat_p521_scalar_u1 = 0; let (x360, x361) = fiat_p521_scalar_addcarryx_u64(x359, x331, x328); let x362: u64 = ((x361 as u64) + x329); let mut x363: u64 = 0; let mut x364: fiat_p521_scalar_u1 = 0; let (x363, x364) = fiat_p521_scalar_addcarryx_u64(0x0, x309, x344); let mut x365: u64 = 0; let mut x366: fiat_p521_scalar_u1 = 0; let (x365, x366) = fiat_p521_scalar_addcarryx_u64(x364, x311, x346); let mut x367: u64 = 0; let mut x368: fiat_p521_scalar_u1 = 0; let (x367, x368) = fiat_p521_scalar_addcarryx_u64(x366, x313, x348); let mut x369: u64 = 0; let mut x370: fiat_p521_scalar_u1 = 0; let (x369, x370) = fiat_p521_scalar_addcarryx_u64(x368, x315, x350); let mut x371: u64 = 0; let mut x372: fiat_p521_scalar_u1 = 0; let (x371, x372) = fiat_p521_scalar_addcarryx_u64(x370, x317, x352); let mut x373: u64 = 0; let mut x374: fiat_p521_scalar_u1 = 0; let (x373, x374) = fiat_p521_scalar_addcarryx_u64(x372, x319, x354); let mut x375: u64 = 0; let mut x376: fiat_p521_scalar_u1 = 0; let (x375, x376) = fiat_p521_scalar_addcarryx_u64(x374, x321, x356); let mut x377: u64 = 0; let mut x378: fiat_p521_scalar_u1 = 0; let (x377, x378) = fiat_p521_scalar_addcarryx_u64(x376, x323, x358); let mut x379: u64 = 0; let mut x380: fiat_p521_scalar_u1 = 0; let (x379, x380) = fiat_p521_scalar_addcarryx_u64(x378, x325, x360); let mut x381: u64 = 0; let mut x382: fiat_p521_scalar_u1 = 0; let (x381, x382) = fiat_p521_scalar_addcarryx_u64(x380, x327, x362); let mut x383: u64 = 0; let mut x384: u64 = 0; let (x383, x384) = fiat_p521_scalar_mulx_u64(x363, 0x1d2f5ccd79a995c7); let mut x385: u64 = 0; let mut x386: u64 = 0; let (x385, x386) = fiat_p521_scalar_mulx_u64(x383, 0x1ff); let mut x387: u64 = 0; let mut x388: u64 = 0; 
let (x387, x388) = fiat_p521_scalar_mulx_u64(x383, 0xffffffffffffffff); let mut x389: u64 = 0; let mut x390: u64 = 0; let (x389, x390) = fiat_p521_scalar_mulx_u64(x383, 0xffffffffffffffff); let mut x391: u64 = 0; let mut x392: u64 = 0; let (x391, x392) = fiat_p521_scalar_mulx_u64(x383, 0xffffffffffffffff); let mut x393: u64 = 0; let mut x394: u64 = 0; let (x393, x394) = fiat_p521_scalar_mulx_u64(x383, 0xfffffffffffffffa); let mut x395: u64 = 0; let mut x396: u64 = 0; let (x395, x396) = fiat_p521_scalar_mulx_u64(x383, 0x51868783bf2f966b); let mut x397: u64 = 0; let mut x398: u64 = 0; let (x397, x398) = fiat_p521_scalar_mulx_u64(x383, 0x7fcc0148f709a5d0); let mut x399: u64 = 0; let mut x400: u64 = 0; let (x399, x400) = fiat_p521_scalar_mulx_u64(x383, 0x3bb5c9b8899c47ae); let mut x401: u64 = 0; let mut x402: u64 = 0; let (x401, x402) = fiat_p521_scalar_mulx_u64(x383, 0xbb6fb71e91386409); let mut x403: u64 = 0; let mut x404: fiat_p521_scalar_u1 = 0; let (x403, x404) = fiat_p521_scalar_addcarryx_u64(0x0, x402, x399); let mut x405: u64 = 0; let mut x406: fiat_p521_scalar_u1 = 0; let (x405, x406) = fiat_p521_scalar_addcarryx_u64(x404, x400, x397); let mut x407: u64 = 0; let mut x408: fiat_p521_scalar_u1 = 0; let (x407, x408) = fiat_p521_scalar_addcarryx_u64(x406, x398, x395); let mut x409: u64 = 0; let mut x410: fiat_p521_scalar_u1 = 0; let (x409, x410) = fiat_p521_scalar_addcarryx_u64(x408, x396, x393); let mut x411: u64 = 0; let mut x412: fiat_p521_scalar_u1 = 0; let (x411, x412) = fiat_p521_scalar_addcarryx_u64(x410, x394, x391); let mut x413: u64 = 0; let mut x414: fiat_p521_scalar_u1 = 0; let (x413, x414) = fiat_p521_scalar_addcarryx_u64(x412, x392, x389); let mut x415: u64 = 0; let mut x416: fiat_p521_scalar_u1 = 0; let (x415, x416) = fiat_p521_scalar_addcarryx_u64(x414, x390, x387); let mut x417: u64 = 0; let mut x418: fiat_p521_scalar_u1 = 0; let (x417, x418) = fiat_p521_scalar_addcarryx_u64(x416, x388, x385); let x419: u64 = ((x418 as u64) + x386); let mut x420: 
u64 = 0; let mut x421: fiat_p521_scalar_u1 = 0; let (x420, x421) = fiat_p521_scalar_addcarryx_u64(0x0, x363, x401); let mut x422: u64 = 0; let mut x423: fiat_p521_scalar_u1 = 0; let (x422, x423) = fiat_p521_scalar_addcarryx_u64(x421, x365, x403); let mut x424: u64 = 0; let mut x425: fiat_p521_scalar_u1 = 0; let (x424, x425) = fiat_p521_scalar_addcarryx_u64(x423, x367, x405); let mut x426: u64 = 0; let mut x427: fiat_p521_scalar_u1 = 0; let (x426, x427) = fiat_p521_scalar_addcarryx_u64(x425, x369, x407); let mut x428: u64 = 0; let mut x429: fiat_p521_scalar_u1 = 0; let (x428, x429) = fiat_p521_scalar_addcarryx_u64(x427, x371, x409); let mut x430: u64 = 0; let mut x431: fiat_p521_scalar_u1 = 0; let (x430, x431) = fiat_p521_scalar_addcarryx_u64(x429, x373, x411); let mut x432: u64 = 0; let mut x433: fiat_p521_scalar_u1 = 0; let (x432, x433) = fiat_p521_scalar_addcarryx_u64(x431, x375, x413); let mut x434: u64 = 0; let mut x435: fiat_p521_scalar_u1 = 0; let (x434, x435) = fiat_p521_scalar_addcarryx_u64(x433, x377, x415); let mut x436: u64 = 0; let mut x437: fiat_p521_scalar_u1 = 0; let (x436, x437) = fiat_p521_scalar_addcarryx_u64(x435, x379, x417); let mut x438: u64 = 0; let mut x439: fiat_p521_scalar_u1 = 0; let (x438, x439) = fiat_p521_scalar_addcarryx_u64(x437, x381, x419); let x440: u64 = ((x439 as u64) + (x382 as u64)); let mut x441: u64 = 0; let mut x442: u64 = 0; let (x441, x442) = fiat_p521_scalar_mulx_u64(x4, (arg1[8])); let mut x443: u64 = 0; let mut x444: u64 = 0; let (x443, x444) = fiat_p521_scalar_mulx_u64(x4, (arg1[7])); let mut x445: u64 = 0; let mut x446: u64 = 0; let (x445, x446) = fiat_p521_scalar_mulx_u64(x4, (arg1[6])); let mut x447: u64 = 0; let mut x448: u64 = 0; let (x447, x448) = fiat_p521_scalar_mulx_u64(x4, (arg1[5])); let mut x449: u64 = 0; let mut x450: u64 = 0; let (x449, x450) = fiat_p521_scalar_mulx_u64(x4, (arg1[4])); let mut x451: u64 = 0; let mut x452: u64 = 0; let (x451, x452) = fiat_p521_scalar_mulx_u64(x4, (arg1[3])); let mut x453: 
u64 = 0; let mut x454: u64 = 0; let (x453, x454) = fiat_p521_scalar_mulx_u64(x4, (arg1[2])); let mut x455: u64 = 0; let mut x456: u64 = 0; let (x455, x456) = fiat_p521_scalar_mulx_u64(x4, (arg1[1])); let mut x457: u64 = 0; let mut x458: u64 = 0; let (x457, x458) = fiat_p521_scalar_mulx_u64(x4, (arg1[0])); let mut x459: u64 = 0; let mut x460: fiat_p521_scalar_u1 = 0; let (x459, x460) = fiat_p521_scalar_addcarryx_u64(0x0, x458, x455); let mut x461: u64 = 0; let mut x462: fiat_p521_scalar_u1 = 0; let (x461, x462) = fiat_p521_scalar_addcarryx_u64(x460, x456, x453); let mut x463: u64 = 0; let mut x464: fiat_p521_scalar_u1 = 0; let (x463, x464) = fiat_p521_scalar_addcarryx_u64(x462, x454, x451); let mut x465: u64 = 0; let mut x466: fiat_p521_scalar_u1 = 0; let (x465, x466) = fiat_p521_scalar_addcarryx_u64(x464, x452, x449); let mut x467: u64 = 0; let mut x468: fiat_p521_scalar_u1 = 0; let (x467, x468) = fiat_p521_scalar_addcarryx_u64(x466, x450, x447); let mut x469: u64 = 0; let mut x470: fiat_p521_scalar_u1 = 0; let (x469, x470) = fiat_p521_scalar_addcarryx_u64(x468, x448, x445); let mut x471: u64 = 0; let mut x472: fiat_p521_scalar_u1 = 0; let (x471, x472) = fiat_p521_scalar_addcarryx_u64(x470, x446, x443); let mut x473: u64 = 0; let mut x474: fiat_p521_scalar_u1 = 0; let (x473, x474) = fiat_p521_scalar_addcarryx_u64(x472, x444, x441); let x475: u64 = ((x474 as u64) + x442); let mut x476: u64 = 0; let mut x477: fiat_p521_scalar_u1 = 0; let (x476, x477) = fiat_p521_scalar_addcarryx_u64(0x0, x422, x457); let mut x478: u64 = 0; let mut x479: fiat_p521_scalar_u1 = 0; let (x478, x479) = fiat_p521_scalar_addcarryx_u64(x477, x424, x459); let mut x480: u64 = 0; let mut x481: fiat_p521_scalar_u1 = 0; let (x480, x481) = fiat_p521_scalar_addcarryx_u64(x479, x426, x461); let mut x482: u64 = 0; let mut x483: fiat_p521_scalar_u1 = 0; let (x482, x483) = fiat_p521_scalar_addcarryx_u64(x481, x428, x463); let mut x484: u64 = 0; let mut x485: fiat_p521_scalar_u1 = 0; let (x484, x485) = 
fiat_p521_scalar_addcarryx_u64(x483, x430, x465); let mut x486: u64 = 0; let mut x487: fiat_p521_scalar_u1 = 0; let (x486, x487) = fiat_p521_scalar_addcarryx_u64(x485, x432, x467); let mut x488: u64 = 0; let mut x489: fiat_p521_scalar_u1 = 0; let (x488, x489) = fiat_p521_scalar_addcarryx_u64(x487, x434, x469); let mut x490: u64 = 0; let mut x491: fiat_p521_scalar_u1 = 0; let (x490, x491) = fiat_p521_scalar_addcarryx_u64(x489, x436, x471); let mut x492: u64 = 0; let mut x493: fiat_p521_scalar_u1 = 0; let (x492, x493) = fiat_p521_scalar_addcarryx_u64(x491, x438, x473); let mut x494: u64 = 0; let mut x495: fiat_p521_scalar_u1 = 0; let (x494, x495) = fiat_p521_scalar_addcarryx_u64(x493, x440, x475); let mut x496: u64 = 0; let mut x497: u64 = 0; let (x496, x497) = fiat_p521_scalar_mulx_u64(x476, 0x1d2f5ccd79a995c7); let mut x498: u64 = 0; let mut x499: u64 = 0; let (x498, x499) = fiat_p521_scalar_mulx_u64(x496, 0x1ff); let mut x500: u64 = 0; let mut x501: u64 = 0; let (x500, x501) = fiat_p521_scalar_mulx_u64(x496, 0xffffffffffffffff); let mut x502: u64 = 0; let mut x503: u64 = 0; let (x502, x503) = fiat_p521_scalar_mulx_u64(x496, 0xffffffffffffffff); let mut x504: u64 = 0; let mut x505: u64 = 0; let (x504, x505) = fiat_p521_scalar_mulx_u64(x496, 0xffffffffffffffff); let mut x506: u64 = 0; let mut x507: u64 = 0; let (x506, x507) = fiat_p521_scalar_mulx_u64(x496, 0xfffffffffffffffa); let mut x508: u64 = 0; let mut x509: u64 = 0; let (x508, x509) = fiat_p521_scalar_mulx_u64(x496, 0x51868783bf2f966b); let mut x510: u64 = 0; let mut x511: u64 = 0; let (x510, x511) = fiat_p521_scalar_mulx_u64(x496, 0x7fcc0148f709a5d0); let mut x512: u64 = 0; let mut x513: u64 = 0; let (x512, x513) = fiat_p521_scalar_mulx_u64(x496, 0x3bb5c9b8899c47ae); let mut x514: u64 = 0; let mut x515: u64 = 0; let (x514, x515) = fiat_p521_scalar_mulx_u64(x496, 0xbb6fb71e91386409); let mut x516: u64 = 0; let mut x517: fiat_p521_scalar_u1 = 0; let (x516, x517) = fiat_p521_scalar_addcarryx_u64(0x0, x515, 
x512); let mut x518: u64 = 0; let mut x519: fiat_p521_scalar_u1 = 0; let (x518, x519) = fiat_p521_scalar_addcarryx_u64(x517, x513, x510); let mut x520: u64 = 0; let mut x521: fiat_p521_scalar_u1 = 0; let (x520, x521) = fiat_p521_scalar_addcarryx_u64(x519, x511, x508); let mut x522: u64 = 0; let mut x523: fiat_p521_scalar_u1 = 0; let (x522, x523) = fiat_p521_scalar_addcarryx_u64(x521, x509, x506); let mut x524: u64 = 0; let mut x525: fiat_p521_scalar_u1 = 0; let (x524, x525) = fiat_p521_scalar_addcarryx_u64(x523, x507, x504); let mut x526: u64 = 0; let mut x527: fiat_p521_scalar_u1 = 0; let (x526, x527) = fiat_p521_scalar_addcarryx_u64(x525, x505, x502); let mut x528: u64 = 0; let mut x529: fiat_p521_scalar_u1 = 0; let (x528, x529) = fiat_p521_scalar_addcarryx_u64(x527, x503, x500); let mut x530: u64 = 0; let mut x531: fiat_p521_scalar_u1 = 0; let (x530, x531) = fiat_p521_scalar_addcarryx_u64(x529, x501, x498); let x532: u64 = ((x531 as u64) + x499); let mut x533: u64 = 0; let mut x534: fiat_p521_scalar_u1 = 0; let (x533, x534) = fiat_p521_scalar_addcarryx_u64(0x0, x476, x514); let mut x535: u64 = 0; let mut x536: fiat_p521_scalar_u1 = 0; let (x535, x536) = fiat_p521_scalar_addcarryx_u64(x534, x478, x516); let mut x537: u64 = 0; let mut x538: fiat_p521_scalar_u1 = 0; let (x537, x538) = fiat_p521_scalar_addcarryx_u64(x536, x480, x518); let mut x539: u64 = 0; let mut x540: fiat_p521_scalar_u1 = 0; let (x539, x540) = fiat_p521_scalar_addcarryx_u64(x538, x482, x520); let mut x541: u64 = 0; let mut x542: fiat_p521_scalar_u1 = 0; let (x541, x542) = fiat_p521_scalar_addcarryx_u64(x540, x484, x522); let mut x543: u64 = 0; let mut x544: fiat_p521_scalar_u1 = 0; let (x543, x544) = fiat_p521_scalar_addcarryx_u64(x542, x486, x524); let mut x545: u64 = 0; let mut x546: fiat_p521_scalar_u1 = 0; let (x545, x546) = fiat_p521_scalar_addcarryx_u64(x544, x488, x526); let mut x547: u64 = 0; let mut x548: fiat_p521_scalar_u1 = 0; let (x547, x548) = fiat_p521_scalar_addcarryx_u64(x546, 
x490, x528); let mut x549: u64 = 0; let mut x550: fiat_p521_scalar_u1 = 0; let (x549, x550) = fiat_p521_scalar_addcarryx_u64(x548, x492, x530); let mut x551: u64 = 0; let mut x552: fiat_p521_scalar_u1 = 0; let (x551, x552) = fiat_p521_scalar_addcarryx_u64(x550, x494, x532); let x553: u64 = ((x552 as u64) + (x495 as u64)); let mut x554: u64 = 0; let mut x555: u64 = 0; let (x554, x555) = fiat_p521_scalar_mulx_u64(x5, (arg1[8])); let mut x556: u64 = 0; let mut x557: u64 = 0; let (x556, x557) = fiat_p521_scalar_mulx_u64(x5, (arg1[7])); let mut x558: u64 = 0; let mut x559: u64 = 0; let (x558, x559) = fiat_p521_scalar_mulx_u64(x5, (arg1[6])); let mut x560: u64 = 0; let mut x561: u64 = 0; let (x560, x561) = fiat_p521_scalar_mulx_u64(x5, (arg1[5])); let mut x562: u64 = 0; let mut x563: u64 = 0; let (x562, x563) = fiat_p521_scalar_mulx_u64(x5, (arg1[4])); let mut x564: u64 = 0; let mut x565: u64 = 0; let (x564, x565) = fiat_p521_scalar_mulx_u64(x5, (arg1[3])); let mut x566: u64 = 0; let mut x567: u64 = 0; let (x566, x567) = fiat_p521_scalar_mulx_u64(x5, (arg1[2])); let mut x568: u64 = 0; let mut x569: u64 = 0; let (x568, x569) = fiat_p521_scalar_mulx_u64(x5, (arg1[1])); let mut x570: u64 = 0; let mut x571: u64 = 0; let (x570, x571) = fiat_p521_scalar_mulx_u64(x5, (arg1[0])); let mut x572: u64 = 0; let mut x573: fiat_p521_scalar_u1 = 0; let (x572, x573) = fiat_p521_scalar_addcarryx_u64(0x0, x571, x568); let mut x574: u64 = 0; let mut x575: fiat_p521_scalar_u1 = 0; let (x574, x575) = fiat_p521_scalar_addcarryx_u64(x573, x569, x566); let mut x576: u64 = 0; let mut x577: fiat_p521_scalar_u1 = 0; let (x576, x577) = fiat_p521_scalar_addcarryx_u64(x575, x567, x564); let mut x578: u64 = 0; let mut x579: fiat_p521_scalar_u1 = 0; let (x578, x579) = fiat_p521_scalar_addcarryx_u64(x577, x565, x562); let mut x580: u64 = 0; let mut x581: fiat_p521_scalar_u1 = 0; let (x580, x581) = fiat_p521_scalar_addcarryx_u64(x579, x563, x560); let mut x582: u64 = 0; let mut x583: fiat_p521_scalar_u1 = 
0; let (x582, x583) = fiat_p521_scalar_addcarryx_u64(x581, x561, x558); let mut x584: u64 = 0; let mut x585: fiat_p521_scalar_u1 = 0; let (x584, x585) = fiat_p521_scalar_addcarryx_u64(x583, x559, x556); let mut x586: u64 = 0; let mut x587: fiat_p521_scalar_u1 = 0; let (x586, x587) = fiat_p521_scalar_addcarryx_u64(x585, x557, x554); let x588: u64 = ((x587 as u64) + x555); let mut x589: u64 = 0; let mut x590: fiat_p521_scalar_u1 = 0; let (x589, x590) = fiat_p521_scalar_addcarryx_u64(0x0, x535, x570); let mut x591: u64 = 0; let mut x592: fiat_p521_scalar_u1 = 0; let (x591, x592) = fiat_p521_scalar_addcarryx_u64(x590, x537, x572); let mut x593: u64 = 0; let mut x594: fiat_p521_scalar_u1 = 0; let (x593, x594) = fiat_p521_scalar_addcarryx_u64(x592, x539, x574); let mut x595: u64 = 0; let mut x596: fiat_p521_scalar_u1 = 0; let (x595, x596) = fiat_p521_scalar_addcarryx_u64(x594, x541, x576); let mut x597: u64 = 0; let mut x598: fiat_p521_scalar_u1 = 0; let (x597, x598) = fiat_p521_scalar_addcarryx_u64(x596, x543, x578); let mut x599: u64 = 0; let mut x600: fiat_p521_scalar_u1 = 0; let (x599, x600) = fiat_p521_scalar_addcarryx_u64(x598, x545, x580); let mut x601: u64 = 0; let mut x602: fiat_p521_scalar_u1 = 0; let (x601, x602) = fiat_p521_scalar_addcarryx_u64(x600, x547, x582); let mut x603: u64 = 0; let mut x604: fiat_p521_scalar_u1 = 0; let (x603, x604) = fiat_p521_scalar_addcarryx_u64(x602, x549, x584); let mut x605: u64 = 0; let mut x606: fiat_p521_scalar_u1 = 0; let (x605, x606) = fiat_p521_scalar_addcarryx_u64(x604, x551, x586); let mut x607: u64 = 0; let mut x608: fiat_p521_scalar_u1 = 0; let (x607, x608) = fiat_p521_scalar_addcarryx_u64(x606, x553, x588); let mut x609: u64 = 0; let mut x610: u64 = 0; let (x609, x610) = fiat_p521_scalar_mulx_u64(x589, 0x1d2f5ccd79a995c7); let mut x611: u64 = 0; let mut x612: u64 = 0; let (x611, x612) = fiat_p521_scalar_mulx_u64(x609, 0x1ff); let mut x613: u64 = 0; let mut x614: u64 = 0; let (x613, x614) = 
fiat_p521_scalar_mulx_u64(x609, 0xffffffffffffffff); let mut x615: u64 = 0; let mut x616: u64 = 0; let (x615, x616) = fiat_p521_scalar_mulx_u64(x609, 0xffffffffffffffff); let mut x617: u64 = 0; let mut x618: u64 = 0; let (x617, x618) = fiat_p521_scalar_mulx_u64(x609, 0xffffffffffffffff); let mut x619: u64 = 0; let mut x620: u64 = 0; let (x619, x620) = fiat_p521_scalar_mulx_u64(x609, 0xfffffffffffffffa); let mut x621: u64 = 0; let mut x622: u64 = 0; let (x621, x622) = fiat_p521_scalar_mulx_u64(x609, 0x51868783bf2f966b); let mut x623: u64 = 0; let mut x624: u64 = 0; let (x623, x624) = fiat_p521_scalar_mulx_u64(x609, 0x7fcc0148f709a5d0); let mut x625: u64 = 0; let mut x626: u64 = 0; let (x625, x626) = fiat_p521_scalar_mulx_u64(x609, 0x3bb5c9b8899c47ae); let mut x627: u64 = 0; let mut x628: u64 = 0; let (x627, x628) = fiat_p521_scalar_mulx_u64(x609, 0xbb6fb71e91386409); let mut x629: u64 = 0; let mut x630: fiat_p521_scalar_u1 = 0; let (x629, x630) = fiat_p521_scalar_addcarryx_u64(0x0, x628, x625); let mut x631: u64 = 0; let mut x632: fiat_p521_scalar_u1 = 0; let (x631, x632) = fiat_p521_scalar_addcarryx_u64(x630, x626, x623); let mut x633: u64 = 0; let mut x634: fiat_p521_scalar_u1 = 0; let (x633, x634) = fiat_p521_scalar_addcarryx_u64(x632, x624, x621); let mut x635: u64 = 0; let mut x636: fiat_p521_scalar_u1 = 0; let (x635, x636) = fiat_p521_scalar_addcarryx_u64(x634, x622, x619); let mut x637: u64 = 0; let mut x638: fiat_p521_scalar_u1 = 0; let (x637, x638) = fiat_p521_scalar_addcarryx_u64(x636, x620, x617); let mut x639: u64 = 0; let mut x640: fiat_p521_scalar_u1 = 0; let (x639, x640) = fiat_p521_scalar_addcarryx_u64(x638, x618, x615); let mut x641: u64 = 0; let mut x642: fiat_p521_scalar_u1 = 0; let (x641, x642) = fiat_p521_scalar_addcarryx_u64(x640, x616, x613); let mut x643: u64 = 0; let mut x644: fiat_p521_scalar_u1 = 0; let (x643, x644) = fiat_p521_scalar_addcarryx_u64(x642, x614, x611); let x645: u64 = ((x644 as u64) + x612); let mut x646: u64 = 0; let mut 
x647: fiat_p521_scalar_u1 = 0; let (x646, x647) = fiat_p521_scalar_addcarryx_u64(0x0, x589, x627); let mut x648: u64 = 0; let mut x649: fiat_p521_scalar_u1 = 0; let (x648, x649) = fiat_p521_scalar_addcarryx_u64(x647, x591, x629); let mut x650: u64 = 0; let mut x651: fiat_p521_scalar_u1 = 0; let (x650, x651) = fiat_p521_scalar_addcarryx_u64(x649, x593, x631); let mut x652: u64 = 0; let mut x653: fiat_p521_scalar_u1 = 0; let (x652, x653) = fiat_p521_scalar_addcarryx_u64(x651, x595, x633); let mut x654: u64 = 0; let mut x655: fiat_p521_scalar_u1 = 0; let (x654, x655) = fiat_p521_scalar_addcarryx_u64(x653, x597, x635); let mut x656: u64 = 0; let mut x657: fiat_p521_scalar_u1 = 0; let (x656, x657) = fiat_p521_scalar_addcarryx_u64(x655, x599, x637); let mut x658: u64 = 0; let mut x659: fiat_p521_scalar_u1 = 0; let (x658, x659) = fiat_p521_scalar_addcarryx_u64(x657, x601, x639); let mut x660: u64 = 0; let mut x661: fiat_p521_scalar_u1 = 0; let (x660, x661) = fiat_p521_scalar_addcarryx_u64(x659, x603, x641); let mut x662: u64 = 0; let mut x663: fiat_p521_scalar_u1 = 0; let (x662, x663) = fiat_p521_scalar_addcarryx_u64(x661, x605, x643); let mut x664: u64 = 0; let mut x665: fiat_p521_scalar_u1 = 0; let (x664, x665) = fiat_p521_scalar_addcarryx_u64(x663, x607, x645); let x666: u64 = ((x665 as u64) + (x608 as u64)); let mut x667: u64 = 0; let mut x668: u64 = 0; let (x667, x668) = fiat_p521_scalar_mulx_u64(x6, (arg1[8])); let mut x669: u64 = 0; let mut x670: u64 = 0; let (x669, x670) = fiat_p521_scalar_mulx_u64(x6, (arg1[7])); let mut x671: u64 = 0; let mut x672: u64 = 0; let (x671, x672) = fiat_p521_scalar_mulx_u64(x6, (arg1[6])); let mut x673: u64 = 0; let mut x674: u64 = 0; let (x673, x674) = fiat_p521_scalar_mulx_u64(x6, (arg1[5])); let mut x675: u64 = 0; let mut x676: u64 = 0; let (x675, x676) = fiat_p521_scalar_mulx_u64(x6, (arg1[4])); let mut x677: u64 = 0; let mut x678: u64 = 0; let (x677, x678) = fiat_p521_scalar_mulx_u64(x6, (arg1[3])); let mut x679: u64 = 0; let mut 
x680: u64 = 0; let (x679, x680) = fiat_p521_scalar_mulx_u64(x6, (arg1[2])); let mut x681: u64 = 0; let mut x682: u64 = 0; let (x681, x682) = fiat_p521_scalar_mulx_u64(x6, (arg1[1])); let mut x683: u64 = 0; let mut x684: u64 = 0; let (x683, x684) = fiat_p521_scalar_mulx_u64(x6, (arg1[0])); let mut x685: u64 = 0; let mut x686: fiat_p521_scalar_u1 = 0; let (x685, x686) = fiat_p521_scalar_addcarryx_u64(0x0, x684, x681); let mut x687: u64 = 0; let mut x688: fiat_p521_scalar_u1 = 0; let (x687, x688) = fiat_p521_scalar_addcarryx_u64(x686, x682, x679); let mut x689: u64 = 0; let mut x690: fiat_p521_scalar_u1 = 0; let (x689, x690) = fiat_p521_scalar_addcarryx_u64(x688, x680, x677); let mut x691: u64 = 0; let mut x692: fiat_p521_scalar_u1 = 0; let (x691, x692) = fiat_p521_scalar_addcarryx_u64(x690, x678, x675); let mut x693: u64 = 0; let mut x694: fiat_p521_scalar_u1 = 0; let (x693, x694) = fiat_p521_scalar_addcarryx_u64(x692, x676, x673); let mut x695: u64 = 0; let mut x696: fiat_p521_scalar_u1 = 0; let (x695, x696) = fiat_p521_scalar_addcarryx_u64(x694, x674, x671); let mut x697: u64 = 0; let mut x698: fiat_p521_scalar_u1 = 0; let (x697, x698) = fiat_p521_scalar_addcarryx_u64(x696, x672, x669); let mut x699: u64 = 0; let mut x700: fiat_p521_scalar_u1 = 0; let (x699, x700) = fiat_p521_scalar_addcarryx_u64(x698, x670, x667); let x701: u64 = ((x700 as u64) + x668); let mut x702: u64 = 0; let mut x703: fiat_p521_scalar_u1 = 0; let (x702, x703) = fiat_p521_scalar_addcarryx_u64(0x0, x648, x683); let mut x704: u64 = 0; let mut x705: fiat_p521_scalar_u1 = 0; let (x704, x705) = fiat_p521_scalar_addcarryx_u64(x703, x650, x685); let mut x706: u64 = 0; let mut x707: fiat_p521_scalar_u1 = 0; let (x706, x707) = fiat_p521_scalar_addcarryx_u64(x705, x652, x687); let mut x708: u64 = 0; let mut x709: fiat_p521_scalar_u1 = 0; let (x708, x709) = fiat_p521_scalar_addcarryx_u64(x707, x654, x689); let mut x710: u64 = 0; let mut x711: fiat_p521_scalar_u1 = 0; let (x710, x711) = 
fiat_p521_scalar_addcarryx_u64(x709, x656, x691); let mut x712: u64 = 0; let mut x713: fiat_p521_scalar_u1 = 0; let (x712, x713) = fiat_p521_scalar_addcarryx_u64(x711, x658, x693); let mut x714: u64 = 0; let mut x715: fiat_p521_scalar_u1 = 0; let (x714, x715) = fiat_p521_scalar_addcarryx_u64(x713, x660, x695); let mut x716: u64 = 0; let mut x717: fiat_p521_scalar_u1 = 0; let (x716, x717) = fiat_p521_scalar_addcarryx_u64(x715, x662, x697); let mut x718: u64 = 0; let mut x719: fiat_p521_scalar_u1 = 0; let (x718, x719) = fiat_p521_scalar_addcarryx_u64(x717, x664, x699); let mut x720: u64 = 0; let mut x721: fiat_p521_scalar_u1 = 0; let (x720, x721) = fiat_p521_scalar_addcarryx_u64(x719, x666, x701); let mut x722: u64 = 0; let mut x723: u64 = 0; let (x722, x723) = fiat_p521_scalar_mulx_u64(x702, 0x1d2f5ccd79a995c7); let mut x724: u64 = 0; let mut x725: u64 = 0; let (x724, x725) = fiat_p521_scalar_mulx_u64(x722, 0x1ff); let mut x726: u64 = 0; let mut x727: u64 = 0; let (x726, x727) = fiat_p521_scalar_mulx_u64(x722, 0xffffffffffffffff); let mut x728: u64 = 0; let mut x729: u64 = 0; let (x728, x729) = fiat_p521_scalar_mulx_u64(x722, 0xffffffffffffffff); let mut x730: u64 = 0; let mut x731: u64 = 0; let (x730, x731) = fiat_p521_scalar_mulx_u64(x722, 0xffffffffffffffff); let mut x732: u64 = 0; let mut x733: u64 = 0; let (x732, x733) = fiat_p521_scalar_mulx_u64(x722, 0xfffffffffffffffa); let mut x734: u64 = 0; let mut x735: u64 = 0; let (x734, x735) = fiat_p521_scalar_mulx_u64(x722, 0x51868783bf2f966b); let mut x736: u64 = 0; let mut x737: u64 = 0; let (x736, x737) = fiat_p521_scalar_mulx_u64(x722, 0x7fcc0148f709a5d0); let mut x738: u64 = 0; let mut x739: u64 = 0; let (x738, x739) = fiat_p521_scalar_mulx_u64(x722, 0x3bb5c9b8899c47ae); let mut x740: u64 = 0; let mut x741: u64 = 0; let (x740, x741) = fiat_p521_scalar_mulx_u64(x722, 0xbb6fb71e91386409); let mut x742: u64 = 0; let mut x743: fiat_p521_scalar_u1 = 0; let (x742, x743) = fiat_p521_scalar_addcarryx_u64(0x0, x741, 
x738); let mut x744: u64 = 0; let mut x745: fiat_p521_scalar_u1 = 0; let (x744, x745) = fiat_p521_scalar_addcarryx_u64(x743, x739, x736); let mut x746: u64 = 0; let mut x747: fiat_p521_scalar_u1 = 0; let (x746, x747) = fiat_p521_scalar_addcarryx_u64(x745, x737, x734); let mut x748: u64 = 0; let mut x749: fiat_p521_scalar_u1 = 0; let (x748, x749) = fiat_p521_scalar_addcarryx_u64(x747, x735, x732); let mut x750: u64 = 0; let mut x751: fiat_p521_scalar_u1 = 0; let (x750, x751) = fiat_p521_scalar_addcarryx_u64(x749, x733, x730); let mut x752: u64 = 0; let mut x753: fiat_p521_scalar_u1 = 0; let (x752, x753) = fiat_p521_scalar_addcarryx_u64(x751, x731, x728); let mut x754: u64 = 0; let mut x755: fiat_p521_scalar_u1 = 0; let (x754, x755) = fiat_p521_scalar_addcarryx_u64(x753, x729, x726); let mut x756: u64 = 0; let mut x757: fiat_p521_scalar_u1 = 0; let (x756, x757) = fiat_p521_scalar_addcarryx_u64(x755, x727, x724); let x758: u64 = ((x757 as u64) + x725); let mut x759: u64 = 0; let mut x760: fiat_p521_scalar_u1 = 0; let (x759, x760) = fiat_p521_scalar_addcarryx_u64(0x0, x702, x740); let mut x761: u64 = 0; let mut x762: fiat_p521_scalar_u1 = 0; let (x761, x762) = fiat_p521_scalar_addcarryx_u64(x760, x704, x742); let mut x763: u64 = 0; let mut x764: fiat_p521_scalar_u1 = 0; let (x763, x764) = fiat_p521_scalar_addcarryx_u64(x762, x706, x744); let mut x765: u64 = 0; let mut x766: fiat_p521_scalar_u1 = 0; let (x765, x766) = fiat_p521_scalar_addcarryx_u64(x764, x708, x746); let mut x767: u64 = 0; let mut x768: fiat_p521_scalar_u1 = 0; let (x767, x768) = fiat_p521_scalar_addcarryx_u64(x766, x710, x748); let mut x769: u64 = 0; let mut x770: fiat_p521_scalar_u1 = 0; let (x769, x770) = fiat_p521_scalar_addcarryx_u64(x768, x712, x750); let mut x771: u64 = 0; let mut x772: fiat_p521_scalar_u1 = 0; let (x771, x772) = fiat_p521_scalar_addcarryx_u64(x770, x714, x752); let mut x773: u64 = 0; let mut x774: fiat_p521_scalar_u1 = 0; let (x773, x774) = fiat_p521_scalar_addcarryx_u64(x772, 
x716, x754); let mut x775: u64 = 0; let mut x776: fiat_p521_scalar_u1 = 0; let (x775, x776) = fiat_p521_scalar_addcarryx_u64(x774, x718, x756); let mut x777: u64 = 0; let mut x778: fiat_p521_scalar_u1 = 0; let (x777, x778) = fiat_p521_scalar_addcarryx_u64(x776, x720, x758); let x779: u64 = ((x778 as u64) + (x721 as u64)); let mut x780: u64 = 0; let mut x781: u64 = 0; let (x780, x781) = fiat_p521_scalar_mulx_u64(x7, (arg1[8])); let mut x782: u64 = 0; let mut x783: u64 = 0; let (x782, x783) = fiat_p521_scalar_mulx_u64(x7, (arg1[7])); let mut x784: u64 = 0; let mut x785: u64 = 0; let (x784, x785) = fiat_p521_scalar_mulx_u64(x7, (arg1[6])); let mut x786: u64 = 0; let mut x787: u64 = 0; let (x786, x787) = fiat_p521_scalar_mulx_u64(x7, (arg1[5])); let mut x788: u64 = 0; let mut x789: u64 = 0; let (x788, x789) = fiat_p521_scalar_mulx_u64(x7, (arg1[4])); let mut x790: u64 = 0; let mut x791: u64 = 0; let (x790, x791) = fiat_p521_scalar_mulx_u64(x7, (arg1[3])); let mut x792: u64 = 0; let mut x793: u64 = 0; let (x792, x793) = fiat_p521_scalar_mulx_u64(x7, (arg1[2])); let mut x794: u64 = 0; let mut x795: u64 = 0; let (x794, x795) = fiat_p521_scalar_mulx_u64(x7, (arg1[1])); let mut x796: u64 = 0; let mut x797: u64 = 0; let (x796, x797) = fiat_p521_scalar_mulx_u64(x7, (arg1[0])); let mut x798: u64 = 0; let mut x799: fiat_p521_scalar_u1 = 0; let (x798, x799) = fiat_p521_scalar_addcarryx_u64(0x0, x797, x794); let mut x800: u64 = 0; let mut x801: fiat_p521_scalar_u1 = 0; let (x800, x801) = fiat_p521_scalar_addcarryx_u64(x799, x795, x792); let mut x802: u64 = 0; let mut x803: fiat_p521_scalar_u1 = 0; let (x802, x803) = fiat_p521_scalar_addcarryx_u64(x801, x793, x790); let mut x804: u64 = 0; let mut x805: fiat_p521_scalar_u1 = 0; let (x804, x805) = fiat_p521_scalar_addcarryx_u64(x803, x791, x788); let mut x806: u64 = 0; let mut x807: fiat_p521_scalar_u1 = 0; let (x806, x807) = fiat_p521_scalar_addcarryx_u64(x805, x789, x786); let mut x808: u64 = 0; let mut x809: fiat_p521_scalar_u1 = 
0; let (x808, x809) = fiat_p521_scalar_addcarryx_u64(x807, x787, x784); let mut x810: u64 = 0; let mut x811: fiat_p521_scalar_u1 = 0; let (x810, x811) = fiat_p521_scalar_addcarryx_u64(x809, x785, x782); let mut x812: u64 = 0; let mut x813: fiat_p521_scalar_u1 = 0; let (x812, x813) = fiat_p521_scalar_addcarryx_u64(x811, x783, x780); let x814: u64 = ((x813 as u64) + x781); let mut x815: u64 = 0; let mut x816: fiat_p521_scalar_u1 = 0; let (x815, x816) = fiat_p521_scalar_addcarryx_u64(0x0, x761, x796); let mut x817: u64 = 0; let mut x818: fiat_p521_scalar_u1 = 0; let (x817, x818) = fiat_p521_scalar_addcarryx_u64(x816, x763, x798); let mut x819: u64 = 0; let mut x820: fiat_p521_scalar_u1 = 0; let (x819, x820) = fiat_p521_scalar_addcarryx_u64(x818, x765, x800); let mut x821: u64 = 0; let mut x822: fiat_p521_scalar_u1 = 0; let (x821, x822) = fiat_p521_scalar_addcarryx_u64(x820, x767, x802); let mut x823: u64 = 0; let mut x824: fiat_p521_scalar_u1 = 0; let (x823, x824) = fiat_p521_scalar_addcarryx_u64(x822, x769, x804); let mut x825: u64 = 0; let mut x826: fiat_p521_scalar_u1 = 0; let (x825, x826) = fiat_p521_scalar_addcarryx_u64(x824, x771, x806); let mut x827: u64 = 0; let mut x828: fiat_p521_scalar_u1 = 0; let (x827, x828) = fiat_p521_scalar_addcarryx_u64(x826, x773, x808); let mut x829: u64 = 0; let mut x830: fiat_p521_scalar_u1 = 0; let (x829, x830) = fiat_p521_scalar_addcarryx_u64(x828, x775, x810); let mut x831: u64 = 0; let mut x832: fiat_p521_scalar_u1 = 0; let (x831, x832) = fiat_p521_scalar_addcarryx_u64(x830, x777, x812); let mut x833: u64 = 0; let mut x834: fiat_p521_scalar_u1 = 0; let (x833, x834) = fiat_p521_scalar_addcarryx_u64(x832, x779, x814); let mut x835: u64 = 0; let mut x836: u64 = 0; let (x835, x836) = fiat_p521_scalar_mulx_u64(x815, 0x1d2f5ccd79a995c7); let mut x837: u64 = 0; let mut x838: u64 = 0; let (x837, x838) = fiat_p521_scalar_mulx_u64(x835, 0x1ff); let mut x839: u64 = 0; let mut x840: u64 = 0; let (x839, x840) = 
fiat_p521_scalar_mulx_u64(x835, 0xffffffffffffffff); let mut x841: u64 = 0; let mut x842: u64 = 0; let (x841, x842) = fiat_p521_scalar_mulx_u64(x835, 0xffffffffffffffff); let mut x843: u64 = 0; let mut x844: u64 = 0; let (x843, x844) = fiat_p521_scalar_mulx_u64(x835, 0xffffffffffffffff); let mut x845: u64 = 0; let mut x846: u64 = 0; let (x845, x846) = fiat_p521_scalar_mulx_u64(x835, 0xfffffffffffffffa); let mut x847: u64 = 0; let mut x848: u64 = 0; let (x847, x848) = fiat_p521_scalar_mulx_u64(x835, 0x51868783bf2f966b); let mut x849: u64 = 0; let mut x850: u64 = 0; let (x849, x850) = fiat_p521_scalar_mulx_u64(x835, 0x7fcc0148f709a5d0); let mut x851: u64 = 0; let mut x852: u64 = 0; let (x851, x852) = fiat_p521_scalar_mulx_u64(x835, 0x3bb5c9b8899c47ae); let mut x853: u64 = 0; let mut x854: u64 = 0; let (x853, x854) = fiat_p521_scalar_mulx_u64(x835, 0xbb6fb71e91386409); let mut x855: u64 = 0; let mut x856: fiat_p521_scalar_u1 = 0; let (x855, x856) = fiat_p521_scalar_addcarryx_u64(0x0, x854, x851); let mut x857: u64 = 0; let mut x858: fiat_p521_scalar_u1 = 0; let (x857, x858) = fiat_p521_scalar_addcarryx_u64(x856, x852, x849); let mut x859: u64 = 0; let mut x860: fiat_p521_scalar_u1 = 0; let (x859, x860) = fiat_p521_scalar_addcarryx_u64(x858, x850, x847); let mut x861: u64 = 0; let mut x862: fiat_p521_scalar_u1 = 0; let (x861, x862) = fiat_p521_scalar_addcarryx_u64(x860, x848, x845); let mut x863: u64 = 0; let mut x864: fiat_p521_scalar_u1 = 0; let (x863, x864) = fiat_p521_scalar_addcarryx_u64(x862, x846, x843); let mut x865: u64 = 0; let mut x866: fiat_p521_scalar_u1 = 0; let (x865, x866) = fiat_p521_scalar_addcarryx_u64(x864, x844, x841); let mut x867: u64 = 0; let mut x868: fiat_p521_scalar_u1 = 0; let (x867, x868) = fiat_p521_scalar_addcarryx_u64(x866, x842, x839); let mut x869: u64 = 0; let mut x870: fiat_p521_scalar_u1 = 0; let (x869, x870) = fiat_p521_scalar_addcarryx_u64(x868, x840, x837); let x871: u64 = ((x870 as u64) + x838); let mut x872: u64 = 0; let mut 
x873: fiat_p521_scalar_u1 = 0; let (x872, x873) = fiat_p521_scalar_addcarryx_u64(0x0, x815, x853); let mut x874: u64 = 0; let mut x875: fiat_p521_scalar_u1 = 0; let (x874, x875) = fiat_p521_scalar_addcarryx_u64(x873, x817, x855); let mut x876: u64 = 0; let mut x877: fiat_p521_scalar_u1 = 0; let (x876, x877) = fiat_p521_scalar_addcarryx_u64(x875, x819, x857); let mut x878: u64 = 0; let mut x879: fiat_p521_scalar_u1 = 0; let (x878, x879) = fiat_p521_scalar_addcarryx_u64(x877, x821, x859); let mut x880: u64 = 0; let mut x881: fiat_p521_scalar_u1 = 0; let (x880, x881) = fiat_p521_scalar_addcarryx_u64(x879, x823, x861); let mut x882: u64 = 0; let mut x883: fiat_p521_scalar_u1 = 0; let (x882, x883) = fiat_p521_scalar_addcarryx_u64(x881, x825, x863); let mut x884: u64 = 0; let mut x885: fiat_p521_scalar_u1 = 0; let (x884, x885) = fiat_p521_scalar_addcarryx_u64(x883, x827, x865); let mut x886: u64 = 0; let mut x887: fiat_p521_scalar_u1 = 0; let (x886, x887) = fiat_p521_scalar_addcarryx_u64(x885, x829, x867); let mut x888: u64 = 0; let mut x889: fiat_p521_scalar_u1 = 0; let (x888, x889) = fiat_p521_scalar_addcarryx_u64(x887, x831, x869); let mut x890: u64 = 0; let mut x891: fiat_p521_scalar_u1 = 0; let (x890, x891) = fiat_p521_scalar_addcarryx_u64(x889, x833, x871); let x892: u64 = ((x891 as u64) + (x834 as u64)); let mut x893: u64 = 0; let mut x894: u64 = 0; let (x893, x894) = fiat_p521_scalar_mulx_u64(x8, (arg1[8])); let mut x895: u64 = 0; let mut x896: u64 = 0; let (x895, x896) = fiat_p521_scalar_mulx_u64(x8, (arg1[7])); let mut x897: u64 = 0; let mut x898: u64 = 0; let (x897, x898) = fiat_p521_scalar_mulx_u64(x8, (arg1[6])); let mut x899: u64 = 0; let mut x900: u64 = 0; let (x899, x900) = fiat_p521_scalar_mulx_u64(x8, (arg1[5])); let mut x901: u64 = 0; let mut x902: u64 = 0; let (x901, x902) = fiat_p521_scalar_mulx_u64(x8, (arg1[4])); let mut x903: u64 = 0; let mut x904: u64 = 0; let (x903, x904) = fiat_p521_scalar_mulx_u64(x8, (arg1[3])); let mut x905: u64 = 0; let mut 
x906: u64 = 0; let (x905, x906) = fiat_p521_scalar_mulx_u64(x8, (arg1[2])); let mut x907: u64 = 0; let mut x908: u64 = 0; let (x907, x908) = fiat_p521_scalar_mulx_u64(x8, (arg1[1])); let mut x909: u64 = 0; let mut x910: u64 = 0; let (x909, x910) = fiat_p521_scalar_mulx_u64(x8, (arg1[0])); let mut x911: u64 = 0; let mut x912: fiat_p521_scalar_u1 = 0; let (x911, x912) = fiat_p521_scalar_addcarryx_u64(0x0, x910, x907); let mut x913: u64 = 0; let mut x914: fiat_p521_scalar_u1 = 0; let (x913, x914) = fiat_p521_scalar_addcarryx_u64(x912, x908, x905); let mut x915: u64 = 0; let mut x916: fiat_p521_scalar_u1 = 0; let (x915, x916) = fiat_p521_scalar_addcarryx_u64(x914, x906, x903); let mut x917: u64 = 0; let mut x918: fiat_p521_scalar_u1 = 0; let (x917, x918) = fiat_p521_scalar_addcarryx_u64(x916, x904, x901); let mut x919: u64 = 0; let mut x920: fiat_p521_scalar_u1 = 0; let (x919, x920) = fiat_p521_scalar_addcarryx_u64(x918, x902, x899); let mut x921: u64 = 0; let mut x922: fiat_p521_scalar_u1 = 0; let (x921, x922) = fiat_p521_scalar_addcarryx_u64(x920, x900, x897); let mut x923: u64 = 0; let mut x924: fiat_p521_scalar_u1 = 0; let (x923, x924) = fiat_p521_scalar_addcarryx_u64(x922, x898, x895); let mut x925: u64 = 0; let mut x926: fiat_p521_scalar_u1 = 0; let (x925, x926) = fiat_p521_scalar_addcarryx_u64(x924, x896, x893); let x927: u64 = ((x926 as u64) + x894); let mut x928: u64 = 0; let mut x929: fiat_p521_scalar_u1 = 0; let (x928, x929) = fiat_p521_scalar_addcarryx_u64(0x0, x874, x909); let mut x930: u64 = 0; let mut x931: fiat_p521_scalar_u1 = 0; let (x930, x931) = fiat_p521_scalar_addcarryx_u64(x929, x876, x911); let mut x932: u64 = 0; let mut x933: fiat_p521_scalar_u1 = 0; let (x932, x933) = fiat_p521_scalar_addcarryx_u64(x931, x878, x913); let mut x934: u64 = 0; let mut x935: fiat_p521_scalar_u1 = 0; let (x934, x935) = fiat_p521_scalar_addcarryx_u64(x933, x880, x915); let mut x936: u64 = 0; let mut x937: fiat_p521_scalar_u1 = 0; let (x936, x937) = 
fiat_p521_scalar_addcarryx_u64(x935, x882, x917); let mut x938: u64 = 0; let mut x939: fiat_p521_scalar_u1 = 0; let (x938, x939) = fiat_p521_scalar_addcarryx_u64(x937, x884, x919); let mut x940: u64 = 0; let mut x941: fiat_p521_scalar_u1 = 0; let (x940, x941) = fiat_p521_scalar_addcarryx_u64(x939, x886, x921); let mut x942: u64 = 0; let mut x943: fiat_p521_scalar_u1 = 0; let (x942, x943) = fiat_p521_scalar_addcarryx_u64(x941, x888, x923); let mut x944: u64 = 0; let mut x945: fiat_p521_scalar_u1 = 0; let (x944, x945) = fiat_p521_scalar_addcarryx_u64(x943, x890, x925); let mut x946: u64 = 0; let mut x947: fiat_p521_scalar_u1 = 0; let (x946, x947) = fiat_p521_scalar_addcarryx_u64(x945, x892, x927); let mut x948: u64 = 0; let mut x949: u64 = 0; let (x948, x949) = fiat_p521_scalar_mulx_u64(x928, 0x1d2f5ccd79a995c7); let mut x950: u64 = 0; let mut x951: u64 = 0; let (x950, x951) = fiat_p521_scalar_mulx_u64(x948, 0x1ff); let mut x952: u64 = 0; let mut x953: u64 = 0; let (x952, x953) = fiat_p521_scalar_mulx_u64(x948, 0xffffffffffffffff); let mut x954: u64 = 0; let mut x955: u64 = 0; let (x954, x955) = fiat_p521_scalar_mulx_u64(x948, 0xffffffffffffffff); let mut x956: u64 = 0; let mut x957: u64 = 0; let (x956, x957) = fiat_p521_scalar_mulx_u64(x948, 0xffffffffffffffff); let mut x958: u64 = 0; let mut x959: u64 = 0; let (x958, x959) = fiat_p521_scalar_mulx_u64(x948, 0xfffffffffffffffa); let mut x960: u64 = 0; let mut x961: u64 = 0; let (x960, x961) = fiat_p521_scalar_mulx_u64(x948, 0x51868783bf2f966b); let mut x962: u64 = 0; let mut x963: u64 = 0; let (x962, x963) = fiat_p521_scalar_mulx_u64(x948, 0x7fcc0148f709a5d0); let mut x964: u64 = 0; let mut x965: u64 = 0; let (x964, x965) = fiat_p521_scalar_mulx_u64(x948, 0x3bb5c9b8899c47ae); let mut x966: u64 = 0; let mut x967: u64 = 0; let (x966, x967) = fiat_p521_scalar_mulx_u64(x948, 0xbb6fb71e91386409); let mut x968: u64 = 0; let mut x969: fiat_p521_scalar_u1 = 0; let (x968, x969) = fiat_p521_scalar_addcarryx_u64(0x0, x967, 
x964); let mut x970: u64 = 0; let mut x971: fiat_p521_scalar_u1 = 0; let (x970, x971) = fiat_p521_scalar_addcarryx_u64(x969, x965, x962); let mut x972: u64 = 0; let mut x973: fiat_p521_scalar_u1 = 0; let (x972, x973) = fiat_p521_scalar_addcarryx_u64(x971, x963, x960); let mut x974: u64 = 0; let mut x975: fiat_p521_scalar_u1 = 0; let (x974, x975) = fiat_p521_scalar_addcarryx_u64(x973, x961, x958); let mut x976: u64 = 0; let mut x977: fiat_p521_scalar_u1 = 0; let (x976, x977) = fiat_p521_scalar_addcarryx_u64(x975, x959, x956); let mut x978: u64 = 0; let mut x979: fiat_p521_scalar_u1 = 0; let (x978, x979) = fiat_p521_scalar_addcarryx_u64(x977, x957, x954); let mut x980: u64 = 0; let mut x981: fiat_p521_scalar_u1 = 0; let (x980, x981) = fiat_p521_scalar_addcarryx_u64(x979, x955, x952); let mut x982: u64 = 0; let mut x983: fiat_p521_scalar_u1 = 0; let (x982, x983) = fiat_p521_scalar_addcarryx_u64(x981, x953, x950); let x984: u64 = ((x983 as u64) + x951); let mut x985: u64 = 0; let mut x986: fiat_p521_scalar_u1 = 0; let (x985, x986) = fiat_p521_scalar_addcarryx_u64(0x0, x928, x966); let mut x987: u64 = 0; let mut x988: fiat_p521_scalar_u1 = 0; let (x987, x988) = fiat_p521_scalar_addcarryx_u64(x986, x930, x968); let mut x989: u64 = 0; let mut x990: fiat_p521_scalar_u1 = 0; let (x989, x990) = fiat_p521_scalar_addcarryx_u64(x988, x932, x970); let mut x991: u64 = 0; let mut x992: fiat_p521_scalar_u1 = 0; let (x991, x992) = fiat_p521_scalar_addcarryx_u64(x990, x934, x972); let mut x993: u64 = 0; let mut x994: fiat_p521_scalar_u1 = 0; let (x993, x994) = fiat_p521_scalar_addcarryx_u64(x992, x936, x974); let mut x995: u64 = 0; let mut x996: fiat_p521_scalar_u1 = 0; let (x995, x996) = fiat_p521_scalar_addcarryx_u64(x994, x938, x976); let mut x997: u64 = 0; let mut x998: fiat_p521_scalar_u1 = 0; let (x997, x998) = fiat_p521_scalar_addcarryx_u64(x996, x940, x978); let mut x999: u64 = 0; let mut x1000: fiat_p521_scalar_u1 = 0; let (x999, x1000) = fiat_p521_scalar_addcarryx_u64(x998, 
x942, x980); let mut x1001: u64 = 0; let mut x1002: fiat_p521_scalar_u1 = 0; let (x1001, x1002) = fiat_p521_scalar_addcarryx_u64(x1000, x944, x982); let mut x1003: u64 = 0; let mut x1004: fiat_p521_scalar_u1 = 0; let (x1003, x1004) = fiat_p521_scalar_addcarryx_u64(x1002, x946, x984); let x1005: u64 = ((x1004 as u64) + (x947 as u64)); let mut x1006: u64 = 0; let mut x1007: fiat_p521_scalar_u1 = 0; let (x1006, x1007) = fiat_p521_scalar_subborrowx_u64(0x0, x987, 0xbb6fb71e91386409); let mut x1008: u64 = 0; let mut x1009: fiat_p521_scalar_u1 = 0; let (x1008, x1009) = fiat_p521_scalar_subborrowx_u64(x1007, x989, 0x3bb5c9b8899c47ae); let mut x1010: u64 = 0; let mut x1011: fiat_p521_scalar_u1 = 0; let (x1010, x1011) = fiat_p521_scalar_subborrowx_u64(x1009, x991, 0x7fcc0148f709a5d0); let mut x1012: u64 = 0; let mut x1013: fiat_p521_scalar_u1 = 0; let (x1012, x1013) = fiat_p521_scalar_subborrowx_u64(x1011, x993, 0x51868783bf2f966b); let mut x1014: u64 = 0; let mut x1015: fiat_p521_scalar_u1 = 0; let (x1014, x1015) = fiat_p521_scalar_subborrowx_u64(x1013, x995, 0xfffffffffffffffa); let mut x1016: u64 = 0; let mut x1017: fiat_p521_scalar_u1 = 0; let (x1016, x1017) = fiat_p521_scalar_subborrowx_u64(x1015, x997, 0xffffffffffffffff); let mut x1018: u64 = 0; let mut x1019: fiat_p521_scalar_u1 = 0; let (x1018, x1019) = fiat_p521_scalar_subborrowx_u64(x1017, x999, 0xffffffffffffffff); let mut x1020: u64 = 0; let mut x1021: fiat_p521_scalar_u1 = 0; let (x1020, x1021) = fiat_p521_scalar_subborrowx_u64(x1019, x1001, 0xffffffffffffffff); let mut x1022: u64 = 0; let mut x1023: fiat_p521_scalar_u1 = 0; let (x1022, x1023) = fiat_p521_scalar_subborrowx_u64(x1021, x1003, 0x1ff); let mut x1024: u64 = 0; let mut x1025: fiat_p521_scalar_u1 = 0; let (x1024, x1025) = fiat_p521_scalar_subborrowx_u64(x1023, x1005, (0x0 as u64)); let mut x1026: u64 = 0; let (x1026) = fiat_p521_scalar_cmovznz_u64(x1025, x1006, x987); let mut x1027: u64 = 0; let (x1027) = fiat_p521_scalar_cmovznz_u64(x1025, x1008, 
x989); let mut x1028: u64 = 0; let (x1028) = fiat_p521_scalar_cmovznz_u64(x1025, x1010, x991); let mut x1029: u64 = 0; let (x1029) = fiat_p521_scalar_cmovznz_u64(x1025, x1012, x993); let mut x1030: u64 = 0; let (x1030) = fiat_p521_scalar_cmovznz_u64(x1025, x1014, x995); let mut x1031: u64 = 0; let (x1031) = fiat_p521_scalar_cmovznz_u64(x1025, x1016, x997); let mut x1032: u64 = 0; let (x1032) = fiat_p521_scalar_cmovznz_u64(x1025, x1018, x999); let mut x1033: u64 = 0; let (x1033) = fiat_p521_scalar_cmovznz_u64(x1025, x1020, x1001); let mut x1034: u64 = 0; let (x1034) = fiat_p521_scalar_cmovznz_u64(x1025, x1022, x1003); out1[0] = x1026; out1[1] = x1027; out1[2] = x1028; out1[3] = x1029; out1[4] = x1030; out1[5] = x1031; out1[6] = x1032; out1[7] = x1033; out1[8] = x1034; out1 }

// Review notes for fiat_p521_scalar_add (comments only; every statement is unchanged):
// * Operands and result are nine u64 limbs with the least-significant limb at index 0
//   (the carry chain below runs from index 0 up to index 8).
// * The nine constants subtracted in the second phase are the limbs of the modulus m named
//   in the #[doc] contract; the top limb is 0x1ff, so m is 521 bits wide.
// * The preconditions are NOT checked here. Exactly one conditional subtraction of m is
//   performed, so an operand >= m can produce an output >= m. Values decoded from untrusted
//   bytes have to be range-checked before they reach this function.
// * No branch and no array index in this body depends on limb values; the final choice is
//   delegated to fiat_p521_scalar_cmovznz_u64. Whether the compiled code runs in constant
//   time depends on that helper and on the compiler, neither of which is visible here.
// * Each `let mut xN = 0;` is shadowed by the `let (xN, ..)` that follows it, so the zero is
//   never read. NOTE(review): the fiat_ prefix suggests machine-generated code; confirm
//   before hand-editing, because a manual change would no longer carry the stated contract.
#[doc = " The function fiat_p521_scalar_add adds two field elements in the Montgomery domain."]
#[doc = ""]
#[doc = " Preconditions:"]
#[doc = " 0 ≤ eval arg1 < m"]
#[doc = " 0 ≤ eval arg2 < m"]
#[doc = " Postconditions:"]
#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m"]
#[doc = " 0 ≤ eval out1 < m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_scalar_add(
    arg1: &fiat_p521_scalar_montgomery_domain_field_element,
    arg2: &fiat_p521_scalar_montgomery_domain_field_element,
) -> fiat_p521_scalar_montgomery_domain_field_element {
    let mut out1: fiat_p521_scalar_montgomery_domain_field_element = [0; 9];
    // Phase 1: limb-wise addition with carry; x18 is the carry out of the top limb.
    let mut x1: u64 = 0;
    let mut x2: fiat_p521_scalar_u1 = 0;
    let (x1, x2) = fiat_p521_scalar_addcarryx_u64(0x0, (arg1[0]), (arg2[0]));
    let mut x3: u64 = 0;
    let mut x4: fiat_p521_scalar_u1 = 0;
    let (x3, x4) = fiat_p521_scalar_addcarryx_u64(x2, (arg1[1]), (arg2[1]));
    let mut x5: u64 = 0;
    let mut x6: fiat_p521_scalar_u1 = 0;
    let (x5, x6) = fiat_p521_scalar_addcarryx_u64(x4, (arg1[2]), (arg2[2]));
    let mut x7: u64 = 0;
    let mut x8: fiat_p521_scalar_u1 = 0;
    let (x7, x8) = fiat_p521_scalar_addcarryx_u64(x6, (arg1[3]), (arg2[3]));
    let mut x9: u64 = 0;
    let mut x10: fiat_p521_scalar_u1 = 0;
    let (x9, x10) = fiat_p521_scalar_addcarryx_u64(x8, (arg1[4]), (arg2[4]));
    let mut x11: u64 = 0;
    let mut x12: fiat_p521_scalar_u1 = 0;
    let (x11, x12) = fiat_p521_scalar_addcarryx_u64(x10, (arg1[5]), (arg2[5]));
    let mut x13: u64 = 0;
    let mut x14: fiat_p521_scalar_u1 = 0;
    let (x13, x14) = fiat_p521_scalar_addcarryx_u64(x12, (arg1[6]), (arg2[6]));
    let mut x15: u64 = 0;
    let mut x16: fiat_p521_scalar_u1 = 0;
    let (x15, x16) = fiat_p521_scalar_addcarryx_u64(x14, (arg1[7]), (arg2[7]));
    let mut x17: u64 = 0;
    let mut x18: fiat_p521_scalar_u1 = 0;
    let (x17, x18) = fiat_p521_scalar_addcarryx_u64(x16, (arg1[8]), (arg2[8]));
    // Phase 2: trial subtraction of m from the sum. The carry x18 is fed in as a tenth limb,
    // and x38 is the borrow out of the whole subtraction. It is always computed, whatever
    // the operand values are.
    let mut x19: u64 = 0;
    let mut x20: fiat_p521_scalar_u1 = 0;
    let (x19, x20) = fiat_p521_scalar_subborrowx_u64(0x0, x1, 0xbb6fb71e91386409);
    let mut x21: u64 = 0;
    let mut x22: fiat_p521_scalar_u1 = 0;
    let (x21, x22) = fiat_p521_scalar_subborrowx_u64(x20, x3, 0x3bb5c9b8899c47ae);
    let mut x23: u64 = 0;
    let mut x24: fiat_p521_scalar_u1 = 0;
    let (x23, x24) = fiat_p521_scalar_subborrowx_u64(x22, x5, 0x7fcc0148f709a5d0);
    let mut x25: u64 = 0;
    let mut x26: fiat_p521_scalar_u1 = 0;
    let (x25, x26) = fiat_p521_scalar_subborrowx_u64(x24, x7, 0x51868783bf2f966b);
    let mut x27: u64 = 0;
    let mut x28: fiat_p521_scalar_u1 = 0;
    let (x27, x28) = fiat_p521_scalar_subborrowx_u64(x26, x9, 0xfffffffffffffffa);
    let mut x29: u64 = 0;
    let mut x30: fiat_p521_scalar_u1 = 0;
    let (x29, x30) = fiat_p521_scalar_subborrowx_u64(x28, x11, 0xffffffffffffffff);
    let mut x31: u64 = 0;
    let mut x32: fiat_p521_scalar_u1 = 0;
    let (x31, x32) = fiat_p521_scalar_subborrowx_u64(x30, x13, 0xffffffffffffffff);
    let mut x33: u64 = 0;
    let mut x34: fiat_p521_scalar_u1 = 0;
    let (x33, x34) = fiat_p521_scalar_subborrowx_u64(x32, x15, 0xffffffffffffffff);
    let mut x35: u64 = 0;
    let mut x36: fiat_p521_scalar_u1 = 0;
    let (x35, x36) = fiat_p521_scalar_subborrowx_u64(x34, x17, 0x1ff);
    let mut x37: u64 = 0;
    let mut x38: fiat_p521_scalar_u1 = 0;
    let (x37, x38) = fiat_p521_scalar_subborrowx_u64(x36, (x18 as u64), (0x0 as u64));
    // Phase 3: per-limb selection on the borrow x38, with no `if`.
    // NOTE(review): assumes cmovznz(c, a, b) yields `a` when c == 0 and `b` otherwise (the
    // helper is defined outside this excerpt; confirm). Under that reading, x38 == 0
    // (sum >= m) keeps the reduced limbs and x38 == 1 keeps the unreduced sum.
    let mut x39: u64 = 0;
    let (x39) = fiat_p521_scalar_cmovznz_u64(x38, x19, x1);
    let mut x40: u64 = 0;
    let (x40) = fiat_p521_scalar_cmovznz_u64(x38, x21, x3);
    let mut x41: u64 = 0;
    let (x41) = fiat_p521_scalar_cmovznz_u64(x38, x23, x5);
    let mut x42: u64 = 0;
    let (x42) = fiat_p521_scalar_cmovznz_u64(x38, x25, x7);
    let mut x43: u64 = 0;
    let (x43) = fiat_p521_scalar_cmovznz_u64(x38, x27, x9);
    let mut x44: u64 = 0;
    let (x44) = fiat_p521_scalar_cmovznz_u64(x38, x29, x11);
    let mut x45: u64 = 0;
    let (x45) = fiat_p521_scalar_cmovznz_u64(x38, x31, x13);
    let mut x46: u64 = 0;
    let (x46) = fiat_p521_scalar_cmovznz_u64(x38, x33, x15);
    let mut x47: u64 = 0;
    let (x47) = fiat_p521_scalar_cmovznz_u64(x38, x35, x17);
    out1[0] = x39;
    out1[1] = x40;
    out1[2] = x41;
    out1[3] = x42;
    out1[4] = x43;
    out1[5] = x44;
    out1[6] = x45;
    out1[7] = x46;
    out1[8] = x47;
    out1
}

// Review notes for fiat_p521_scalar_sub (comments only; every statement is unchanged):
// * Computes arg1 - arg2 limb by limb (least-significant limb at index 0), then adds m back
//   under a mask derived from the final borrow, so the result lands in [0, m) when both
//   operands satisfy the #[doc] preconditions.
// * The preconditions are NOT checked here. Only one masked addition of m is performed, so
//   operands outside [0, m) can leave the output outside [0, m) as well; range-check values
//   that come from untrusted bytes before calling.
// * No branch and no array index in this body depends on limb values; the correction is
//   applied with a bit mask (`x19 & limb`). Constant-time behaviour of the compiled code
//   still depends on the helpers and the compiler, which are not visible here.
#[doc = " The function fiat_p521_scalar_sub subtracts two field elements in the Montgomery domain."]
#[doc = ""]
#[doc = " Preconditions:"]
#[doc = " 0 ≤ eval arg1 < m"]
#[doc = " 0 ≤ eval arg2 < m"]
#[doc = " Postconditions:"]
#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m"]
#[doc = " 0 ≤ eval out1 < m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_scalar_sub(
    arg1: &fiat_p521_scalar_montgomery_domain_field_element,
    arg2: &fiat_p521_scalar_montgomery_domain_field_element,
) -> fiat_p521_scalar_montgomery_domain_field_element {
    let mut out1: fiat_p521_scalar_montgomery_domain_field_element = [0; 9];
    // Phase 1: limb-wise subtraction with borrow; x18 is the borrow out of the top limb.
    let mut x1: u64 = 0;
    let mut x2: fiat_p521_scalar_u1 = 0;
    let (x1, x2) = fiat_p521_scalar_subborrowx_u64(0x0, (arg1[0]), (arg2[0]));
    let mut x3: u64 = 0;
    let mut x4: fiat_p521_scalar_u1 = 0;
    let (x3, x4) = fiat_p521_scalar_subborrowx_u64(x2, (arg1[1]), (arg2[1]));
    let mut x5: u64 = 0;
    let mut x6: fiat_p521_scalar_u1 = 0;
    let (x5, x6) = fiat_p521_scalar_subborrowx_u64(x4, (arg1[2]), (arg2[2]));
    let mut x7: u64 = 0;
    let mut x8: fiat_p521_scalar_u1 = 0;
    let (x7, x8) = fiat_p521_scalar_subborrowx_u64(x6, (arg1[3]), (arg2[3]));
    let mut x9: u64 = 0;
    let mut x10: fiat_p521_scalar_u1 = 0;
    let (x9, x10) = fiat_p521_scalar_subborrowx_u64(x8, (arg1[4]), (arg2[4]));
    let mut x11: u64 = 0;
    let mut x12: fiat_p521_scalar_u1 = 0;
    let (x11, x12) = fiat_p521_scalar_subborrowx_u64(x10, (arg1[5]), (arg2[5]));
    let mut x13: u64 = 0;
    let mut x14: fiat_p521_scalar_u1 = 0;
    let (x13, x14) = fiat_p521_scalar_subborrowx_u64(x12, (arg1[6]), (arg2[6]));
    let mut x15: u64 = 0;
    let mut x16: fiat_p521_scalar_u1 = 0;
    let (x15, x16) = fiat_p521_scalar_subborrowx_u64(x14, (arg1[7]), (arg2[7]));
    let mut x17: u64 = 0;
    let mut x18: fiat_p521_scalar_u1 = 0;
    let (x17, x18) = fiat_p521_scalar_subborrowx_u64(x16, (arg1[8]), (arg2[8]));
    // Mask from the borrow. NOTE(review): assumes cmovznz(c, a, b) yields `a` when c == 0 and
    // `b` otherwise (helper defined outside this excerpt; confirm). Under that reading x19 is
    // 0 when there was no borrow and all-ones when the difference went negative.
    let mut x19: u64 = 0;
    let (x19) = fiat_p521_scalar_cmovznz_u64(x18, (0x0 as u64), 0xffffffffffffffff);
    // Phase 2: add (m & mask). Limbs 5..=7 of m are all-ones, so the mask itself is added
    // there. The final carry x37 is never read; when the mask is set, the wrap-around of this
    // addition is what undoes the borrow from phase 1.
    let mut x20: u64 = 0;
    let mut x21: fiat_p521_scalar_u1 = 0;
    let (x20, x21) = fiat_p521_scalar_addcarryx_u64(0x0, x1, (x19 & 0xbb6fb71e91386409));
    let mut x22: u64 = 0;
    let mut x23: fiat_p521_scalar_u1 = 0;
    let (x22, x23) = fiat_p521_scalar_addcarryx_u64(x21, x3, (x19 & 0x3bb5c9b8899c47ae));
    let mut x24: u64 = 0;
    let mut x25: fiat_p521_scalar_u1 = 0;
    let (x24, x25) = fiat_p521_scalar_addcarryx_u64(x23, x5, (x19 & 0x7fcc0148f709a5d0));
    let mut x26: u64 = 0;
    let mut x27: fiat_p521_scalar_u1 = 0;
    let (x26, x27) = fiat_p521_scalar_addcarryx_u64(x25, x7, (x19 & 0x51868783bf2f966b));
    let mut x28: u64 = 0;
    let mut x29: fiat_p521_scalar_u1 = 0;
    let (x28, x29) = fiat_p521_scalar_addcarryx_u64(x27, x9, (x19 & 0xfffffffffffffffa));
    let mut x30: u64 = 0;
    let mut x31: fiat_p521_scalar_u1 = 0;
    let (x30, x31) = fiat_p521_scalar_addcarryx_u64(x29, x11, x19);
    let mut x32: u64 = 0;
    let mut x33: fiat_p521_scalar_u1 = 0;
    let (x32, x33) = fiat_p521_scalar_addcarryx_u64(x31, x13, x19);
    let mut x34: u64 = 0;
    let mut x35: fiat_p521_scalar_u1 = 0;
    let (x34, x35) = fiat_p521_scalar_addcarryx_u64(x33, x15, x19);
    let mut x36: u64 = 0;
    let mut x37: fiat_p521_scalar_u1 = 0;
    let (x36, x37) = fiat_p521_scalar_addcarryx_u64(x35, x17, (x19 & 0x1ff));
    out1[0] = x20;
    out1[1] = x22;
    out1[2] = x24;
    out1[3] = x26;
    out1[4] = x28;
    out1[5] = x30;
    out1[6] = x32;
    out1[7] = x34;
    out1[8] = x36;
    out1
}

// Review notes for fiat_p521_scalar_opp (comments only; every statement is unchanged):
// * Computes 0 - arg1 limb by limb (least-significant limb at index 0), then adds m back
//   under a mask derived from the final borrow. For arg1 == 0 there is no borrow, and under
//   the cmovznz reading noted below the mask is then 0 and the output stays 0.
// * The precondition 0 <= arg1 < m is NOT checked here; with arg1 >= m the single masked
//   addition of m does not bring the result back into [0, m). Range-check values that come
//   from untrusted bytes before calling.
// * No branch and no array index in this body depends on limb values; constant-time
//   behaviour of the compiled code still depends on the helpers and the compiler, which
//   are not visible here.
#[doc = " The function fiat_p521_scalar_opp negates a field element in the Montgomery domain."]
#[doc = ""]
#[doc = " Preconditions:"]
#[doc = " 0 ≤ eval arg1 < m"]
#[doc = " Postconditions:"]
#[doc = " eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m"]
#[doc = " 0 ≤ eval out1 < m"]
#[doc = ""]
#[inline]
pub const fn fiat_p521_scalar_opp(
    arg1: &fiat_p521_scalar_montgomery_domain_field_element,
) -> fiat_p521_scalar_montgomery_domain_field_element {
    let mut out1: fiat_p521_scalar_montgomery_domain_field_element = [0; 9];
    // Phase 1: 0 - arg1 with borrow; x18 is the borrow out of the top limb.
    let mut x1: u64 = 0;
    let mut x2: fiat_p521_scalar_u1 = 0;
    let (x1, x2) = fiat_p521_scalar_subborrowx_u64(0x0, (0x0 as u64), (arg1[0]));
    let mut x3: u64 = 0;
    let mut x4: fiat_p521_scalar_u1 = 0;
    let (x3, x4) = fiat_p521_scalar_subborrowx_u64(x2, (0x0 as u64), (arg1[1]));
    let mut x5: u64 = 0;
    let mut x6: fiat_p521_scalar_u1 = 0;
    let (x5, x6) = fiat_p521_scalar_subborrowx_u64(x4, (0x0 as u64), (arg1[2]));
    let mut x7: u64 = 0;
    let mut x8: fiat_p521_scalar_u1 = 0;
    let (x7, x8) = fiat_p521_scalar_subborrowx_u64(x6, (0x0 as u64), (arg1[3]));
    let mut x9: u64 = 0;
    let mut x10: fiat_p521_scalar_u1 = 0;
    let (x9, x10) = fiat_p521_scalar_subborrowx_u64(x8, (0x0 as u64), (arg1[4]));
    let mut x11: u64 = 0;
    let mut x12: fiat_p521_scalar_u1 = 0;
    let (x11, x12) = fiat_p521_scalar_subborrowx_u64(x10, (0x0 as u64), (arg1[5]));
    let mut x13: u64 = 0;
    let mut x14: fiat_p521_scalar_u1 = 0;
    let (x13, x14) = fiat_p521_scalar_subborrowx_u64(x12, (0x0 as u64), (arg1[6]));
    let mut x15: u64 = 0;
    let mut x16: fiat_p521_scalar_u1 = 0;
    let (x15, x16) = fiat_p521_scalar_subborrowx_u64(x14, (0x0 as u64), (arg1[7]));
    let mut x17: u64 = 0;
    let mut x18: fiat_p521_scalar_u1 = 0;
    let (x17, x18) = fiat_p521_scalar_subborrowx_u64(x16, (0x0 as u64), (arg1[8]));
    // Mask from the borrow. NOTE(review): assumes cmovznz(c, a, b) yields `a` when c == 0 and
    // `b` otherwise (helper defined outside this excerpt; confirm). Under that reading x19 is
    // 0 when there was no borrow and all-ones otherwise.
    let mut x19: u64 = 0;
    let (x19) = fiat_p521_scalar_cmovznz_u64(x18, (0x0 as u64), 0xffffffffffffffff);
    // Phase 2: add (m & mask); limbs 5..=7 of m are all-ones, so the mask itself is added
    // there. The final carry x37 is never read.
    let mut x20: u64 = 0;
    let mut x21: fiat_p521_scalar_u1 = 0;
    let (x20, x21) = fiat_p521_scalar_addcarryx_u64(0x0, x1, (x19 & 0xbb6fb71e91386409));
    let mut x22: u64 = 0;
    let mut x23: fiat_p521_scalar_u1 = 0;
    let (x22, x23) = fiat_p521_scalar_addcarryx_u64(x21, x3, (x19 & 0x3bb5c9b8899c47ae));
    let mut x24: u64 = 0;
    let mut x25: fiat_p521_scalar_u1 = 0;
    let (x24, x25) = fiat_p521_scalar_addcarryx_u64(x23, x5, (x19 & 0x7fcc0148f709a5d0));
    let mut x26: u64 = 0;
    let mut x27: fiat_p521_scalar_u1 = 0;
    let (x26, x27) = fiat_p521_scalar_addcarryx_u64(x25, x7, (x19 & 0x51868783bf2f966b));
    let mut x28: u64 = 0;
    let mut x29: fiat_p521_scalar_u1 = 0;
    let (x28, x29) = fiat_p521_scalar_addcarryx_u64(x27, x9, (x19 & 0xfffffffffffffffa));
    let mut x30: u64 = 0;
    let mut x31: fiat_p521_scalar_u1 = 0;
    let (x30, x31) = fiat_p521_scalar_addcarryx_u64(x29, x11, x19);
    let mut x32: u64 = 0;
    let mut x33: fiat_p521_scalar_u1 = 0;
    let (x32, x33) = fiat_p521_scalar_addcarryx_u64(x31, x13, x19);
    let mut x34: u64 = 0;
    let mut x35: fiat_p521_scalar_u1 = 0;
    let (x34, x35) = fiat_p521_scalar_addcarryx_u64(x33, x15, x19);
    let mut x36: u64 = 0;
    let mut x37: fiat_p521_scalar_u1 = 0;
    let (x36, x37) = fiat_p521_scalar_addcarryx_u64(x35, x17, (x19 & 0x1ff));
    out1[0] = x20;
    out1[1] = x22;
    out1[2] = x24;
    out1[3] = x26;
    out1[4] = x28;
    out1[5] = x30;
    out1[6] = x32;
    out1[7] = x34;
    out1[8] = x36;
    out1
}

#[doc = " The function fiat_p521_scalar_from_montgomery translates a field element out of the Montgomery domain."] #[doc = ""] #[doc = " Preconditions:"] #[doc = " 0 ≤ eval arg1 < m"] #[doc = " Postconditions:"] #[doc = " eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^9) mod m"] #[doc = " 0 ≤ eval out1 < m"] #[doc = ""] #[inline] pub const fn fiat_p521_scalar_from_montgomery( arg1: &fiat_p521_scalar_montgomery_domain_field_element, ) ->
fiat_p521_scalar_non_montgomery_domain_field_element { let mut out1: fiat_p521_scalar_non_montgomery_domain_field_element = [0; 9]; let x1: u64 = (arg1[0]); let mut x2: u64 = 0; let mut x3: u64 = 0; let (x2, x3) = fiat_p521_scalar_mulx_u64(x1, 0x1d2f5ccd79a995c7); let mut x4: u64 = 0; let mut x5: u64 = 0; let (x4, x5) = fiat_p521_scalar_mulx_u64(x2, 0x1ff); let mut x6: u64 = 0; let mut x7: u64 = 0; let (x6, x7) = fiat_p521_scalar_mulx_u64(x2, 0xffffffffffffffff); let mut x8: u64 = 0; let mut x9: u64 = 0; let (x8, x9) = fiat_p521_scalar_mulx_u64(x2, 0xffffffffffffffff); let mut x10: u64 = 0; let mut x11: u64 = 0; let (x10, x11) = fiat_p521_scalar_mulx_u64(x2, 0xffffffffffffffff); let mut x12: u64 = 0; let mut x13: u64 = 0; let (x12, x13) = fiat_p521_scalar_mulx_u64(x2, 0xfffffffffffffffa); let mut x14: u64 = 0; let mut x15: u64 = 0; let (x14, x15) = fiat_p521_scalar_mulx_u64(x2, 0x51868783bf2f966b); let mut x16: u64 = 0; let mut x17: u64 = 0; let (x16, x17) = fiat_p521_scalar_mulx_u64(x2, 0x7fcc0148f709a5d0); let mut x18: u64 = 0; let mut x19: u64 = 0; let (x18, x19) = fiat_p521_scalar_mulx_u64(x2, 0x3bb5c9b8899c47ae); let mut x20: u64 = 0; let mut x21: u64 = 0; let (x20, x21) = fiat_p521_scalar_mulx_u64(x2, 0xbb6fb71e91386409); let mut x22: u64 = 0; let mut x23: fiat_p521_scalar_u1 = 0; let (x22, x23) = fiat_p521_scalar_addcarryx_u64(0x0, x21, x18); let mut x24: u64 = 0; let mut x25: fiat_p521_scalar_u1 = 0; let (x24, x25) = fiat_p521_scalar_addcarryx_u64(x23, x19, x16); let mut x26: u64 = 0; let mut x27: fiat_p521_scalar_u1 = 0; let (x26, x27) = fiat_p521_scalar_addcarryx_u64(x25, x17, x14); let mut x28: u64 = 0; let mut x29: fiat_p521_scalar_u1 = 0; let (x28, x29) = fiat_p521_scalar_addcarryx_u64(x27, x15, x12); let mut x30: u64 = 0; let mut x31: fiat_p521_scalar_u1 = 0; let (x30, x31) = fiat_p521_scalar_addcarryx_u64(x29, x13, x10); let mut x32: u64 = 0; let mut x33: fiat_p521_scalar_u1 = 0; let (x32, x33) = fiat_p521_scalar_addcarryx_u64(x31, x11, x8); let mut 
x34: u64 = 0; let mut x35: fiat_p521_scalar_u1 = 0; let (x34, x35) = fiat_p521_scalar_addcarryx_u64(x33, x9, x6); let mut x36: u64 = 0; let mut x37: fiat_p521_scalar_u1 = 0; let (x36, x37) = fiat_p521_scalar_addcarryx_u64(x35, x7, x4); let mut x38: u64 = 0; let mut x39: fiat_p521_scalar_u1 = 0; let (x38, x39) = fiat_p521_scalar_addcarryx_u64(0x0, x1, x20); let mut x40: u64 = 0; let mut x41: fiat_p521_scalar_u1 = 0; let (x40, x41) = fiat_p521_scalar_addcarryx_u64(x39, (0x0 as u64), x22); let mut x42: u64 = 0; let mut x43: fiat_p521_scalar_u1 = 0; let (x42, x43) = fiat_p521_scalar_addcarryx_u64(x41, (0x0 as u64), x24); let mut x44: u64 = 0; let mut x45: fiat_p521_scalar_u1 = 0; let (x44, x45) = fiat_p521_scalar_addcarryx_u64(x43, (0x0 as u64), x26); let mut x46: u64 = 0; let mut x47: fiat_p521_scalar_u1 = 0; let (x46, x47) = fiat_p521_scalar_addcarryx_u64(x45, (0x0 as u64), x28); let mut x48: u64 = 0; let mut x49: fiat_p521_scalar_u1 = 0; let (x48, x49) = fiat_p521_scalar_addcarryx_u64(x47, (0x0 as u64), x30); let mut x50: u64 = 0; let mut x51: fiat_p521_scalar_u1 = 0; let (x50, x51) = fiat_p521_scalar_addcarryx_u64(x49, (0x0 as u64), x32); let mut x52: u64 = 0; let mut x53: fiat_p521_scalar_u1 = 0; let (x52, x53) = fiat_p521_scalar_addcarryx_u64(x51, (0x0 as u64), x34); let mut x54: u64 = 0; let mut x55: fiat_p521_scalar_u1 = 0; let (x54, x55) = fiat_p521_scalar_addcarryx_u64(x53, (0x0 as u64), x36); let mut x56: u64 = 0; let mut x57: fiat_p521_scalar_u1 = 0; let (x56, x57) = fiat_p521_scalar_addcarryx_u64(0x0, x40, (arg1[1])); let mut x58: u64 = 0; let mut x59: fiat_p521_scalar_u1 = 0; let (x58, x59) = fiat_p521_scalar_addcarryx_u64(x57, x42, (0x0 as u64)); let mut x60: u64 = 0; let mut x61: fiat_p521_scalar_u1 = 0; let (x60, x61) = fiat_p521_scalar_addcarryx_u64(x59, x44, (0x0 as u64)); let mut x62: u64 = 0; let mut x63: fiat_p521_scalar_u1 = 0; let (x62, x63) = fiat_p521_scalar_addcarryx_u64(x61, x46, (0x0 as u64)); let mut x64: u64 = 0; let mut x65: 
fiat_p521_scalar_u1 = 0; let (x64, x65) = fiat_p521_scalar_addcarryx_u64(x63, x48, (0x0 as u64)); let mut x66: u64 = 0; let mut x67: fiat_p521_scalar_u1 = 0; let (x66, x67) = fiat_p521_scalar_addcarryx_u64(x65, x50, (0x0 as u64)); let mut x68: u64 = 0; let mut x69: fiat_p521_scalar_u1 = 0; let (x68, x69) = fiat_p521_scalar_addcarryx_u64(x67, x52, (0x0 as u64)); let mut x70: u64 = 0; let mut x71: fiat_p521_scalar_u1 = 0; let (x70, x71) = fiat_p521_scalar_addcarryx_u64(x69, x54, (0x0 as u64)); let mut x72: u64 = 0; let mut x73: u64 = 0; let (x72, x73) = fiat_p521_scalar_mulx_u64(x56, 0x1d2f5ccd79a995c7); let mut x74: u64 = 0; let mut x75: u64 = 0; let (x74, x75) = fiat_p521_scalar_mulx_u64(x72, 0x1ff); let mut x76: u64 = 0; let mut x77: u64 = 0; let (x76, x77) = fiat_p521_scalar_mulx_u64(x72, 0xffffffffffffffff); let mut x78: u64 = 0; let mut x79: u64 = 0; let (x78, x79) = fiat_p521_scalar_mulx_u64(x72, 0xffffffffffffffff); let mut x80: u64 = 0; let mut x81: u64 = 0; let (x80, x81) = fiat_p521_scalar_mulx_u64(x72, 0xffffffffffffffff); let mut x82: u64 = 0; let mut x83: u64 = 0; let (x82, x83) = fiat_p521_scalar_mulx_u64(x72, 0xfffffffffffffffa); let mut x84: u64 = 0; let mut x85: u64 = 0; let (x84, x85) = fiat_p521_scalar_mulx_u64(x72, 0x51868783bf2f966b); let mut x86: u64 = 0; let mut x87: u64 = 0; let (x86, x87) = fiat_p521_scalar_mulx_u64(x72, 0x7fcc0148f709a5d0); let mut x88: u64 = 0; let mut x89: u64 = 0; let (x88, x89) = fiat_p521_scalar_mulx_u64(x72, 0x3bb5c9b8899c47ae); let mut x90: u64 = 0; let mut x91: u64 = 0; let (x90, x91) = fiat_p521_scalar_mulx_u64(x72, 0xbb6fb71e91386409); let mut x92: u64 = 0; let mut x93: fiat_p521_scalar_u1 = 0; let (x92, x93) = fiat_p521_scalar_addcarryx_u64(0x0, x91, x88); let mut x94: u64 = 0; let mut x95: fiat_p521_scalar_u1 = 0; let (x94, x95) = fiat_p521_scalar_addcarryx_u64(x93, x89, x86); let mut x96: u64 = 0; let mut x97: fiat_p521_scalar_u1 = 0; let (x96, x97) = fiat_p521_scalar_addcarryx_u64(x95, x87, x84); let mut x98: 
u64 = 0; let mut x99: fiat_p521_scalar_u1 = 0; let (x98, x99) = fiat_p521_scalar_addcarryx_u64(x97, x85, x82); let mut x100: u64 = 0; let mut x101: fiat_p521_scalar_u1 = 0; let (x100, x101) = fiat_p521_scalar_addcarryx_u64(x99, x83, x80); let mut x102: u64 = 0; let mut x103: fiat_p521_scalar_u1 = 0; let (x102, x103) = fiat_p521_scalar_addcarryx_u64(x101, x81, x78); let mut x104: u64 = 0; let mut x105: fiat_p521_scalar_u1 = 0; let (x104, x105) = fiat_p521_scalar_addcarryx_u64(x103, x79, x76); let mut x106: u64 = 0; let mut x107: fiat_p521_scalar_u1 = 0; let (x106, x107) = fiat_p521_scalar_addcarryx_u64(x105, x77, x74); let mut x108: u64 = 0; let mut x109: fiat_p521_scalar_u1 = 0; let (x108, x109) = fiat_p521_scalar_addcarryx_u64(0x0, x56, x90); let mut x110: u64 = 0; let mut x111: fiat_p521_scalar_u1 = 0; let (x110, x111) = fiat_p521_scalar_addcarryx_u64(x109, x58, x92); let mut x112: u64 = 0; let mut x113: fiat_p521_scalar_u1 = 0; let (x112, x113) = fiat_p521_scalar_addcarryx_u64(x111, x60, x94); let mut x114: u64 = 0; let mut x115: fiat_p521_scalar_u1 = 0; let (x114, x115) = fiat_p521_scalar_addcarryx_u64(x113, x62, x96); let mut x116: u64 = 0; let mut x117: fiat_p521_scalar_u1 = 0; let (x116, x117) = fiat_p521_scalar_addcarryx_u64(x115, x64, x98); let mut x118: u64 = 0; let mut x119: fiat_p521_scalar_u1 = 0; let (x118, x119) = fiat_p521_scalar_addcarryx_u64(x117, x66, x100); let mut x120: u64 = 0; let mut x121: fiat_p521_scalar_u1 = 0; let (x120, x121) = fiat_p521_scalar_addcarryx_u64(x119, x68, x102); let mut x122: u64 = 0; let mut x123: fiat_p521_scalar_u1 = 0; let (x122, x123) = fiat_p521_scalar_addcarryx_u64(x121, x70, x104); let mut x124: u64 = 0; let mut x125: fiat_p521_scalar_u1 = 0; let (x124, x125) = fiat_p521_scalar_addcarryx_u64( x123, ((x71 as u64) + ((x55 as u64) + ((x37 as u64) + x5))), x106, ); let mut x126: u64 = 0; let mut x127: fiat_p521_scalar_u1 = 0; let (x126, x127) = fiat_p521_scalar_addcarryx_u64(0x0, x110, (arg1[2])); let mut x128: u64 = 
0; let mut x129: fiat_p521_scalar_u1 = 0; let (x128, x129) = fiat_p521_scalar_addcarryx_u64(x127, x112, (0x0 as u64)); let mut x130: u64 = 0; let mut x131: fiat_p521_scalar_u1 = 0; let (x130, x131) = fiat_p521_scalar_addcarryx_u64(x129, x114, (0x0 as u64)); let mut x132: u64 = 0; let mut x133: fiat_p521_scalar_u1 = 0; let (x132, x133) = fiat_p521_scalar_addcarryx_u64(x131, x116, (0x0 as u64)); let mut x134: u64 = 0; let mut x135: fiat_p521_scalar_u1 = 0; let (x134, x135) = fiat_p521_scalar_addcarryx_u64(x133, x118, (0x0 as u64)); let mut x136: u64 = 0; let mut x137: fiat_p521_scalar_u1 = 0; let (x136, x137) = fiat_p521_scalar_addcarryx_u64(x135, x120, (0x0 as u64)); let mut x138: u64 = 0; let mut x139: fiat_p521_scalar_u1 = 0; let (x138, x139) = fiat_p521_scalar_addcarryx_u64(x137, x122, (0x0 as u64)); let mut x140: u64 = 0; let mut x141: fiat_p521_scalar_u1 = 0; let (x140, x141) = fiat_p521_scalar_addcarryx_u64(x139, x124, (0x0 as u64)); let mut x142: u64 = 0; let mut x143: u64 = 0; let (x142, x143) = fiat_p521_scalar_mulx_u64(x126, 0x1d2f5ccd79a995c7); let mut x144: u64 = 0; let mut x145: u64 = 0; let (x144, x145) = fiat_p521_scalar_mulx_u64(x142, 0x1ff); let mut x146: u64 = 0; let mut x147: u64 = 0; let (x146, x147) = fiat_p521_scalar_mulx_u64(x142, 0xffffffffffffffff); let mut x148: u64 = 0; let mut x149: u64 = 0; let (x148, x149) = fiat_p521_scalar_mulx_u64(x142, 0xffffffffffffffff); let mut x150: u64 = 0; let mut x151: u64 = 0; let (x150, x151) = fiat_p521_scalar_mulx_u64(x142, 0xffffffffffffffff); let mut x152: u64 = 0; let mut x153: u64 = 0; let (x152, x153) = fiat_p521_scalar_mulx_u64(x142, 0xfffffffffffffffa); let mut x154: u64 = 0; let mut x155: u64 = 0; let (x154, x155) = fiat_p521_scalar_mulx_u64(x142, 0x51868783bf2f966b); let mut x156: u64 = 0; let mut x157: u64 = 0; let (x156, x157) = fiat_p521_scalar_mulx_u64(x142, 0x7fcc0148f709a5d0); let mut x158: u64 = 0; let mut x159: u64 = 0; let (x158, x159) = fiat_p521_scalar_mulx_u64(x142, 
0x3bb5c9b8899c47ae); let mut x160: u64 = 0; let mut x161: u64 = 0; let (x160, x161) = fiat_p521_scalar_mulx_u64(x142, 0xbb6fb71e91386409); let mut x162: u64 = 0; let mut x163: fiat_p521_scalar_u1 = 0; let (x162, x163) = fiat_p521_scalar_addcarryx_u64(0x0, x161, x158); let mut x164: u64 = 0; let mut x165: fiat_p521_scalar_u1 = 0; let (x164, x165) = fiat_p521_scalar_addcarryx_u64(x163, x159, x156); let mut x166: u64 = 0; let mut x167: fiat_p521_scalar_u1 = 0; let (x166, x167) = fiat_p521_scalar_addcarryx_u64(x165, x157, x154); let mut x168: u64 = 0; let mut x169: fiat_p521_scalar_u1 = 0; let (x168, x169) = fiat_p521_scalar_addcarryx_u64(x167, x155, x152); let mut x170: u64 = 0; let mut x171: fiat_p521_scalar_u1 = 0; let (x170, x171) = fiat_p521_scalar_addcarryx_u64(x169, x153, x150); let mut x172: u64 = 0; let mut x173: fiat_p521_scalar_u1 = 0; let (x172, x173) = fiat_p521_scalar_addcarryx_u64(x171, x151, x148); let mut x174: u64 = 0; let mut x175: fiat_p521_scalar_u1 = 0; let (x174, x175) = fiat_p521_scalar_addcarryx_u64(x173, x149, x146); let mut x176: u64 = 0; let mut x177: fiat_p521_scalar_u1 = 0; let (x176, x177) = fiat_p521_scalar_addcarryx_u64(x175, x147, x144); let mut x178: u64 = 0; let mut x179: fiat_p521_scalar_u1 = 0; let (x178, x179) = fiat_p521_scalar_addcarryx_u64(0x0, x126, x160); let mut x180: u64 = 0; let mut x181: fiat_p521_scalar_u1 = 0; let (x180, x181) = fiat_p521_scalar_addcarryx_u64(x179, x128, x162); let mut x182: u64 = 0; let mut x183: fiat_p521_scalar_u1 = 0; let (x182, x183) = fiat_p521_scalar_addcarryx_u64(x181, x130, x164); let mut x184: u64 = 0; let mut x185: fiat_p521_scalar_u1 = 0; let (x184, x185) = fiat_p521_scalar_addcarryx_u64(x183, x132, x166); let mut x186: u64 = 0; let mut x187: fiat_p521_scalar_u1 = 0; let (x186, x187) = fiat_p521_scalar_addcarryx_u64(x185, x134, x168); let mut x188: u64 = 0; let mut x189: fiat_p521_scalar_u1 = 0; let (x188, x189) = fiat_p521_scalar_addcarryx_u64(x187, x136, x170); let mut x190: u64 = 0; let 
mut x191: fiat_p521_scalar_u1 = 0; let (x190, x191) = fiat_p521_scalar_addcarryx_u64(x189, x138, x172); let mut x192: u64 = 0; let mut x193: fiat_p521_scalar_u1 = 0; let (x192, x193) = fiat_p521_scalar_addcarryx_u64(x191, x140, x174); let mut x194: u64 = 0; let mut x195: fiat_p521_scalar_u1 = 0; let (x194, x195) = fiat_p521_scalar_addcarryx_u64( x193, ((x141 as u64) + ((x125 as u64) + ((x107 as u64) + x75))), x176, ); let mut x196: u64 = 0; let mut x197: fiat_p521_scalar_u1 = 0; let (x196, x197) = fiat_p521_scalar_addcarryx_u64(0x0, x180, (arg1[3])); let mut x198: u64 = 0; let mut x199: fiat_p521_scalar_u1 = 0; let (x198, x199) = fiat_p521_scalar_addcarryx_u64(x197, x182, (0x0 as u64)); let mut x200: u64 = 0; let mut x201: fiat_p521_scalar_u1 = 0; let (x200, x201) = fiat_p521_scalar_addcarryx_u64(x199, x184, (0x0 as u64)); let mut x202: u64 = 0; let mut x203: fiat_p521_scalar_u1 = 0; let (x202, x203) = fiat_p521_scalar_addcarryx_u64(x201, x186, (0x0 as u64)); let mut x204: u64 = 0; let mut x205: fiat_p521_scalar_u1 = 0; let (x204, x205) = fiat_p521_scalar_addcarryx_u64(x203, x188, (0x0 as u64)); let mut x206: u64 = 0; let mut x207: fiat_p521_scalar_u1 = 0; let (x206, x207) = fiat_p521_scalar_addcarryx_u64(x205, x190, (0x0 as u64)); let mut x208: u64 = 0; let mut x209: fiat_p521_scalar_u1 = 0; let (x208, x209) = fiat_p521_scalar_addcarryx_u64(x207, x192, (0x0 as u64)); let mut x210: u64 = 0; let mut x211: fiat_p521_scalar_u1 = 0; let (x210, x211) = fiat_p521_scalar_addcarryx_u64(x209, x194, (0x0 as u64)); let mut x212: u64 = 0; let mut x213: u64 = 0; let (x212, x213) = fiat_p521_scalar_mulx_u64(x196, 0x1d2f5ccd79a995c7); let mut x214: u64 = 0; let mut x215: u64 = 0; let (x214, x215) = fiat_p521_scalar_mulx_u64(x212, 0x1ff); let mut x216: u64 = 0; let mut x217: u64 = 0; let (x216, x217) = fiat_p521_scalar_mulx_u64(x212, 0xffffffffffffffff); let mut x218: u64 = 0; let mut x219: u64 = 0; let (x218, x219) = fiat_p521_scalar_mulx_u64(x212, 0xffffffffffffffff); let mut 
x220: u64 = 0; let mut x221: u64 = 0; let (x220, x221) = fiat_p521_scalar_mulx_u64(x212, 0xffffffffffffffff); let mut x222: u64 = 0; let mut x223: u64 = 0; let (x222, x223) = fiat_p521_scalar_mulx_u64(x212, 0xfffffffffffffffa); let mut x224: u64 = 0; let mut x225: u64 = 0; let (x224, x225) = fiat_p521_scalar_mulx_u64(x212, 0x51868783bf2f966b); let mut x226: u64 = 0; let mut x227: u64 = 0; let (x226, x227) = fiat_p521_scalar_mulx_u64(x212, 0x7fcc0148f709a5d0); let mut x228: u64 = 0; let mut x229: u64 = 0; let (x228, x229) = fiat_p521_scalar_mulx_u64(x212, 0x3bb5c9b8899c47ae); let mut x230: u64 = 0; let mut x231: u64 = 0; let (x230, x231) = fiat_p521_scalar_mulx_u64(x212, 0xbb6fb71e91386409); let mut x232: u64 = 0; let mut x233: fiat_p521_scalar_u1 = 0; let (x232, x233) = fiat_p521_scalar_addcarryx_u64(0x0, x231, x228); let mut x234: u64 = 0; let mut x235: fiat_p521_scalar_u1 = 0; let (x234, x235) = fiat_p521_scalar_addcarryx_u64(x233, x229, x226); let mut x236: u64 = 0; let mut x237: fiat_p521_scalar_u1 = 0; let (x236, x237) = fiat_p521_scalar_addcarryx_u64(x235, x227, x224); let mut x238: u64 = 0; let mut x239: fiat_p521_scalar_u1 = 0; let (x238, x239) = fiat_p521_scalar_addcarryx_u64(x237, x225, x222); let mut x240: u64 = 0; let mut x241: fiat_p521_scalar_u1 = 0; let (x240, x241) = fiat_p521_scalar_addcarryx_u64(x239, x223, x220); let mut x242: u64 = 0; let mut x243: fiat_p521_scalar_u1 = 0; let (x242, x243) = fiat_p521_scalar_addcarryx_u64(x241, x221, x218); let mut x244: u64 = 0; let mut x245: fiat_p521_scalar_u1 = 0; let (x244, x245) = fiat_p521_scalar_addcarryx_u64(x243, x219, x216); let mut x246: u64 = 0; let mut x247: fiat_p521_scalar_u1 = 0; let (x246, x247) = fiat_p521_scalar_addcarryx_u64(x245, x217, x214); let mut x248: u64 = 0; let mut x249: fiat_p521_scalar_u1 = 0; let (x248, x249) = fiat_p521_scalar_addcarryx_u64(0x0, x196, x230); let mut x250: u64 = 0; let mut x251: fiat_p521_scalar_u1 = 0; let (x250, x251) = fiat_p521_scalar_addcarryx_u64(x249, 
x198, x232); let mut x252: u64 = 0; let mut x253: fiat_p521_scalar_u1 = 0; let (x252, x253) = fiat_p521_scalar_addcarryx_u64(x251, x200, x234); let mut x254: u64 = 0; let mut x255: fiat_p521_scalar_u1 = 0; let (x254, x255) = fiat_p521_scalar_addcarryx_u64(x253, x202, x236); let mut x256: u64 = 0; let mut x257: fiat_p521_scalar_u1 = 0; let (x256, x257) = fiat_p521_scalar_addcarryx_u64(x255, x204, x238); let mut x258: u64 = 0; let mut x259: fiat_p521_scalar_u1 = 0; let (x258, x259) = fiat_p521_scalar_addcarryx_u64(x257, x206, x240); let mut x260: u64 = 0; let mut x261: fiat_p521_scalar_u1 = 0; let (x260, x261) = fiat_p521_scalar_addcarryx_u64(x259, x208, x242); let mut x262: u64 = 0; let mut x263: fiat_p521_scalar_u1 = 0; let (x262, x263) = fiat_p521_scalar_addcarryx_u64(x261, x210, x244); let mut x264: u64 = 0; let mut x265: fiat_p521_scalar_u1 = 0; let (x264, x265) = fiat_p521_scalar_addcarryx_u64( x263, ((x211 as u64) + ((x195 as u64) + ((x177 as u64) + x145))), x246, ); let mut x266: u64 = 0; let mut x267: fiat_p521_scalar_u1 = 0; let (x266, x267) = fiat_p521_scalar_addcarryx_u64(0x0, x250, (arg1[4])); let mut x268: u64 = 0; let mut x269: fiat_p521_scalar_u1 = 0; let (x268, x269) = fiat_p521_scalar_addcarryx_u64(x267, x252, (0x0 as u64)); let mut x270: u64 = 0; let mut x271: fiat_p521_scalar_u1 = 0; let (x270, x271) = fiat_p521_scalar_addcarryx_u64(x269, x254, (0x0 as u64)); let mut x272: u64 = 0; let mut x273: fiat_p521_scalar_u1 = 0; let (x272, x273) = fiat_p521_scalar_addcarryx_u64(x271, x256, (0x0 as u64)); let mut x274: u64 = 0; let mut x275: fiat_p521_scalar_u1 = 0; let (x274, x275) = fiat_p521_scalar_addcarryx_u64(x273, x258, (0x0 as u64)); let mut x276: u64 = 0; let mut x277: fiat_p521_scalar_u1 = 0; let (x276, x277) = fiat_p521_scalar_addcarryx_u64(x275, x260, (0x0 as u64)); let mut x278: u64 = 0; let mut x279: fiat_p521_scalar_u1 = 0; let (x278, x279) = fiat_p521_scalar_addcarryx_u64(x277, x262, (0x0 as u64)); let mut x280: u64 = 0; let mut x281: 
fiat_p521_scalar_u1 = 0; let (x280, x281) = fiat_p521_scalar_addcarryx_u64(x279, x264, (0x0 as u64)); let mut x282: u64 = 0; let mut x283: u64 = 0; let (x282, x283) = fiat_p521_scalar_mulx_u64(x266, 0x1d2f5ccd79a995c7); let mut x284: u64 = 0; let mut x285: u64 = 0; let (x284, x285) = fiat_p521_scalar_mulx_u64(x282, 0x1ff); let mut x286: u64 = 0; let mut x287: u64 = 0; let (x286, x287) = fiat_p521_scalar_mulx_u64(x282, 0xffffffffffffffff); let mut x288: u64 = 0; let mut x289: u64 = 0; let (x288, x289) = fiat_p521_scalar_mulx_u64(x282, 0xffffffffffffffff); let mut x290: u64 = 0; let mut x291: u64 = 0; let (x290, x291) = fiat_p521_scalar_mulx_u64(x282, 0xffffffffffffffff); let mut x292: u64 = 0; let mut x293: u64 = 0; let (x292, x293) = fiat_p521_scalar_mulx_u64(x282, 0xfffffffffffffffa); let mut x294: u64 = 0; let mut x295: u64 = 0; let (x294, x295) = fiat_p521_scalar_mulx_u64(x282, 0x51868783bf2f966b); let mut x296: u64 = 0; let mut x297: u64 = 0; let (x296, x297) = fiat_p521_scalar_mulx_u64(x282, 0x7fcc0148f709a5d0); let mut x298: u64 = 0; let mut x299: u64 = 0; let (x298, x299) = fiat_p521_scalar_mulx_u64(x282, 0x3bb5c9b8899c47ae); let mut x300: u64 = 0; let mut x301: u64 = 0; let (x300, x301) = fiat_p521_scalar_mulx_u64(x282, 0xbb6fb71e91386409); let mut x302: u64 = 0; let mut x303: fiat_p521_scalar_u1 = 0; let (x302, x303) = fiat_p521_scalar_addcarryx_u64(0x0, x301, x298); let mut x304: u64 = 0; let mut x305: fiat_p521_scalar_u1 = 0; let (x304, x305) = fiat_p521_scalar_addcarryx_u64(x303, x299, x296); let mut x306: u64 = 0; let mut x307: fiat_p521_scalar_u1 = 0; let (x306, x307) = fiat_p521_scalar_addcarryx_u64(x305, x297, x294); let mut x308: u64 = 0; let mut x309: fiat_p521_scalar_u1 = 0; let (x308, x309) = fiat_p521_scalar_addcarryx_u64(x307, x295, x292); let mut x310: u64 = 0; let mut x311: fiat_p521_scalar_u1 = 0; let (x310, x311) = fiat_p521_scalar_addcarryx_u64(x309, x293, x290); let mut x312: u64 = 0; let mut x313: fiat_p521_scalar_u1 = 0; let (x312, 
x313) = fiat_p521_scalar_addcarryx_u64(x311, x291, x288); let mut x314: u64 = 0; let mut x315: fiat_p521_scalar_u1 = 0; let (x314, x315) = fiat_p521_scalar_addcarryx_u64(x313, x289, x286); let mut x316: u64 = 0; let mut x317: fiat_p521_scalar_u1 = 0; let (x316, x317) = fiat_p521_scalar_addcarryx_u64(x315, x287, x284); let mut x318: u64 = 0; let mut x319: fiat_p521_scalar_u1 = 0; let (x318, x319) = fiat_p521_scalar_addcarryx_u64(0x0, x266, x300); let mut x320: u64 = 0; let mut x321: fiat_p521_scalar_u1 = 0; let (x320, x321) = fiat_p521_scalar_addcarryx_u64(x319, x268, x302); let mut x322: u64 = 0; let mut x323: fiat_p521_scalar_u1 = 0; let (x322, x323) = fiat_p521_scalar_addcarryx_u64(x321, x270, x304); let mut x324: u64 = 0; let mut x325: fiat_p521_scalar_u1 = 0; let (x324, x325) = fiat_p521_scalar_addcarryx_u64(x323, x272, x306); let mut x326: u64 = 0; let mut x327: fiat_p521_scalar_u1 = 0; let (x326, x327) = fiat_p521_scalar_addcarryx_u64(x325, x274, x308); let mut x328: u64 = 0; let mut x329: fiat_p521_scalar_u1 = 0; let (x328, x329) = fiat_p521_scalar_addcarryx_u64(x327, x276, x310); let mut x330: u64 = 0; let mut x331: fiat_p521_scalar_u1 = 0; let (x330, x331) = fiat_p521_scalar_addcarryx_u64(x329, x278, x312); let mut x332: u64 = 0; let mut x333: fiat_p521_scalar_u1 = 0; let (x332, x333) = fiat_p521_scalar_addcarryx_u64(x331, x280, x314); let mut x334: u64 = 0; let mut x335: fiat_p521_scalar_u1 = 0; let (x334, x335) = fiat_p521_scalar_addcarryx_u64( x333, ((x281 as u64) + ((x265 as u64) + ((x247 as u64) + x215))), x316, ); let mut x336: u64 = 0; let mut x337: fiat_p521_scalar_u1 = 0; let (x336, x337) = fiat_p521_scalar_addcarryx_u64(0x0, x320, (arg1[5])); let mut x338: u64 = 0; let mut x339: fiat_p521_scalar_u1 = 0; let (x338, x339) = fiat_p521_scalar_addcarryx_u64(x337, x322, (0x0 as u64)); let mut x340: u64 = 0; let mut x341: fiat_p521_scalar_u1 = 0; let (x340, x341) = fiat_p521_scalar_addcarryx_u64(x339, x324, (0x0 as u64)); let mut x342: u64 = 0; let mut 
x343: fiat_p521_scalar_u1 = 0; let (x342, x343) = fiat_p521_scalar_addcarryx_u64(x341, x326, (0x0 as u64)); let mut x344: u64 = 0; let mut x345: fiat_p521_scalar_u1 = 0; let (x344, x345) = fiat_p521_scalar_addcarryx_u64(x343, x328, (0x0 as u64)); let mut x346: u64 = 0; let mut x347: fiat_p521_scalar_u1 = 0; let (x346, x347) = fiat_p521_scalar_addcarryx_u64(x345, x330, (0x0 as u64)); let mut x348: u64 = 0; let mut x349: fiat_p521_scalar_u1 = 0; let (x348, x349) = fiat_p521_scalar_addcarryx_u64(x347, x332, (0x0 as u64)); let mut x350: u64 = 0; let mut x351: fiat_p521_scalar_u1 = 0; let (x350, x351) = fiat_p521_scalar_addcarryx_u64(x349, x334, (0x0 as u64)); let mut x352: u64 = 0; let mut x353: u64 = 0; let (x352, x353) = fiat_p521_scalar_mulx_u64(x336, 0x1d2f5ccd79a995c7); let mut x354: u64 = 0; let mut x355: u64 = 0; let (x354, x355) = fiat_p521_scalar_mulx_u64(x352, 0x1ff); let mut x356: u64 = 0; let mut x357: u64 = 0; let (x356, x357) = fiat_p521_scalar_mulx_u64(x352, 0xffffffffffffffff); let mut x358: u64 = 0; let mut x359: u64 = 0; let (x358, x359) = fiat_p521_scalar_mulx_u64(x352, 0xffffffffffffffff); let mut x360: u64 = 0; let mut x361: u64 = 0; let (x360, x361) = fiat_p521_scalar_mulx_u64(x352, 0xffffffffffffffff); let mut x362: u64 = 0; let mut x363: u64 = 0; let (x362, x363) = fiat_p521_scalar_mulx_u64(x352, 0xfffffffffffffffa); let mut x364: u64 = 0; let mut x365: u64 = 0; let (x364, x365) = fiat_p521_scalar_mulx_u64(x352, 0x51868783bf2f966b); let mut x366: u64 = 0; let mut x367: u64 = 0; let (x366, x367) = fiat_p521_scalar_mulx_u64(x352, 0x7fcc0148f709a5d0); let mut x368: u64 = 0; let mut x369: u64 = 0; let (x368, x369) = fiat_p521_scalar_mulx_u64(x352, 0x3bb5c9b8899c47ae); let mut x370: u64 = 0; let mut x371: u64 = 0; let (x370, x371) = fiat_p521_scalar_mulx_u64(x352, 0xbb6fb71e91386409); let mut x372: u64 = 0; let mut x373: fiat_p521_scalar_u1 = 0; let (x372, x373) = fiat_p521_scalar_addcarryx_u64(0x0, x371, x368); let mut x374: u64 = 0; let mut x375: 
fiat_p521_scalar_u1 = 0; let (x374, x375) = fiat_p521_scalar_addcarryx_u64(x373, x369, x366); let mut x376: u64 = 0; let mut x377: fiat_p521_scalar_u1 = 0; let (x376, x377) = fiat_p521_scalar_addcarryx_u64(x375, x367, x364); let mut x378: u64 = 0; let mut x379: fiat_p521_scalar_u1 = 0; let (x378, x379) = fiat_p521_scalar_addcarryx_u64(x377, x365, x362); let mut x380: u64 = 0; let mut x381: fiat_p521_scalar_u1 = 0; let (x380, x381) = fiat_p521_scalar_addcarryx_u64(x379, x363, x360); let mut x382: u64 = 0; let mut x383: fiat_p521_scalar_u1 = 0; let (x382, x383) = fiat_p521_scalar_addcarryx_u64(x381, x361, x358); let mut x384: u64 = 0; let mut x385: fiat_p521_scalar_u1 = 0; let (x384, x385) = fiat_p521_scalar_addcarryx_u64(x383, x359, x356); let mut x386: u64 = 0; let mut x387: fiat_p521_scalar_u1 = 0; let (x386, x387) = fiat_p521_scalar_addcarryx_u64(x385, x357, x354); let mut x388: u64 = 0; let mut x389: fiat_p521_scalar_u1 = 0; let (x388, x389) = fiat_p521_scalar_addcarryx_u64(0x0, x336, x370); let mut x390: u64 = 0; let mut x391: fiat_p521_scalar_u1 = 0; let (x390, x391) = fiat_p521_scalar_addcarryx_u64(x389, x338, x372); let mut x392: u64 = 0; let mut x393: fiat_p521_scalar_u1 = 0; let (x392, x393) = fiat_p521_scalar_addcarryx_u64(x391, x340, x374); let mut x394: u64 = 0; let mut x395: fiat_p521_scalar_u1 = 0; let (x394, x395) = fiat_p521_scalar_addcarryx_u64(x393, x342, x376); let mut x396: u64 = 0; let mut x397: fiat_p521_scalar_u1 = 0; let (x396, x397) = fiat_p521_scalar_addcarryx_u64(x395, x344, x378); let mut x398: u64 = 0; let mut x399: fiat_p521_scalar_u1 = 0; let (x398, x399) = fiat_p521_scalar_addcarryx_u64(x397, x346, x380); let mut x400: u64 = 0; let mut x401: fiat_p521_scalar_u1 = 0; let (x400, x401) = fiat_p521_scalar_addcarryx_u64(x399, x348, x382); let mut x402: u64 = 0; let mut x403: fiat_p521_scalar_u1 = 0; let (x402, x403) = fiat_p521_scalar_addcarryx_u64(x401, x350, x384); let mut x404: u64 = 0; let mut x405: fiat_p521_scalar_u1 = 0; let (x404, 
x405) = fiat_p521_scalar_addcarryx_u64( x403, ((x351 as u64) + ((x335 as u64) + ((x317 as u64) + x285))), x386, ); let mut x406: u64 = 0; let mut x407: fiat_p521_scalar_u1 = 0; let (x406, x407) = fiat_p521_scalar_addcarryx_u64(0x0, x390, (arg1[6])); let mut x408: u64 = 0; let mut x409: fiat_p521_scalar_u1 = 0; let (x408, x409) = fiat_p521_scalar_addcarryx_u64(x407, x392, (0x0 as u64)); let mut x410: u64 = 0; let mut x411: fiat_p521_scalar_u1 = 0; let (x410, x411) = fiat_p521_scalar_addcarryx_u64(x409, x394, (0x0 as u64)); let mut x412: u64 = 0; let mut x413: fiat_p521_scalar_u1 = 0; let (x412, x413) = fiat_p521_scalar_addcarryx_u64(x411, x396, (0x0 as u64)); let mut x414: u64 = 0; let mut x415: fiat_p521_scalar_u1 = 0; let (x414, x415) = fiat_p521_scalar_addcarryx_u64(x413, x398, (0x0 as u64)); let mut x416: u64 = 0; let mut x417: fiat_p521_scalar_u1 = 0; let (x416, x417) = fiat_p521_scalar_addcarryx_u64(x415, x400, (0x0 as u64)); let mut x418: u64 = 0; let mut x419: fiat_p521_scalar_u1 = 0; let (x418, x419) = fiat_p521_scalar_addcarryx_u64(x417, x402, (0x0 as u64)); let mut x420: u64 = 0; let mut x421: fiat_p521_scalar_u1 = 0; let (x420, x421) = fiat_p521_scalar_addcarryx_u64(x419, x404, (0x0 as u64)); let mut x422: u64 = 0; let mut x423: u64 = 0; let (x422, x423) = fiat_p521_scalar_mulx_u64(x406, 0x1d2f5ccd79a995c7); let mut x424: u64 = 0; let mut x425: u64 = 0; let (x424, x425) = fiat_p521_scalar_mulx_u64(x422, 0x1ff); let mut x426: u64 = 0; let mut x427: u64 = 0; let (x426, x427) = fiat_p521_scalar_mulx_u64(x422, 0xffffffffffffffff); let mut x428: u64 = 0; let mut x429: u64 = 0; let (x428, x429) = fiat_p521_scalar_mulx_u64(x422, 0xffffffffffffffff); let mut x430: u64 = 0; let mut x431: u64 = 0; let (x430, x431) = fiat_p521_scalar_mulx_u64(x422, 0xffffffffffffffff); let mut x432: u64 = 0; let mut x433: u64 = 0; let (x432, x433) = fiat_p521_scalar_mulx_u64(x422, 0xfffffffffffffffa); let mut x434: u64 = 0; let mut x435: u64 = 0; let (x434, x435) = 
fiat_p521_scalar_mulx_u64(x422, 0x51868783bf2f966b); let mut x436: u64 = 0; let mut x437: u64 = 0; let (x436, x437) = fiat_p521_scalar_mulx_u64(x422, 0x7fcc0148f709a5d0); let mut x438: u64 = 0; let mut x439: u64 = 0; let (x438, x439) = fiat_p521_scalar_mulx_u64(x422, 0x3bb5c9b8899c47ae); let mut x440: u64 = 0; let mut x441: u64 = 0; let (x440, x441) = fiat_p521_scalar_mulx_u64(x422, 0xbb6fb71e91386409); let mut x442: u64 = 0; let mut x443: fiat_p521_scalar_u1 = 0; let (x442, x443) = fiat_p521_scalar_addcarryx_u64(0x0, x441, x438); let mut x444: u64 = 0; let mut x445: fiat_p521_scalar_u1 = 0; let (x444, x445) = fiat_p521_scalar_addcarryx_u64(x443, x439, x436); let mut x446: u64 = 0; let mut x447: fiat_p521_scalar_u1 = 0; let (x446, x447) = fiat_p521_scalar_addcarryx_u64(x445, x437, x434); let mut x448: u64 = 0; let mut x449: fiat_p521_scalar_u1 = 0; let (x448, x449) = fiat_p521_scalar_addcarryx_u64(x447, x435, x432); let mut x450: u64 = 0; let mut x451: fiat_p521_scalar_u1 = 0; let (x450, x451) = fiat_p521_scalar_addcarryx_u64(x449, x433, x430); let mut x452: u64 = 0; let mut x453: fiat_p521_scalar_u1 = 0; let (x452, x453) = fiat_p521_scalar_addcarryx_u64(x451, x431, x428); let mut x454: u64 = 0; let mut x455: fiat_p521_scalar_u1 = 0; let (x454, x455) = fiat_p521_scalar_addcarryx_u64(x453, x429, x426); let mut x456: u64 = 0; let mut x457: fiat_p521_scalar_u1 = 0; let (x456, x457) = fiat_p521_scalar_addcarryx_u64(x455, x427, x424); let mut x458: u64 = 0; let mut x459: fiat_p521_scalar_u1 = 0; let (x458, x459) = fiat_p521_scalar_addcarryx_u64(0x0, x406, x440); let mut x460: u64 = 0; let mut x461: fiat_p521_scalar_u1 = 0; let (x460, x461) = fiat_p521_scalar_addcarryx_u64(x459, x408, x442); let mut x462: u64 = 0; let mut x463: fiat_p521_scalar_u1 = 0; let (x462, x463) = fiat_p521_scalar_addcarryx_u64(x461, x410, x444); let mut x464: u64 = 0; let mut x465: fiat_p521_scalar_u1 = 0; let (x464, x465) = fiat_p521_scalar_addcarryx_u64(x463, x412, x446); let mut x466: u64 = 0; 
let mut x467: fiat_p521_scalar_u1 = 0; let (x466, x467) = fiat_p521_scalar_addcarryx_u64(x465, x414, x448); let mut x468: u64 = 0; let mut x469: fiat_p521_scalar_u1 = 0; let (x468, x469) = fiat_p521_scalar_addcarryx_u64(x467, x416, x450); let mut x470: u64 = 0; let mut x471: fiat_p521_scalar_u1 = 0; let (x470, x471) = fiat_p521_scalar_addcarryx_u64(x469, x418, x452); let mut x472: u64 = 0; let mut x473: fiat_p521_scalar_u1 = 0; let (x472, x473) = fiat_p521_scalar_addcarryx_u64(x471, x420, x454); let mut x474: u64 = 0; let mut x475: fiat_p521_scalar_u1 = 0; let (x474, x475) = fiat_p521_scalar_addcarryx_u64( x473, ((x421 as u64) + ((x405 as u64) + ((x387 as u64) + x355))), x456, ); let mut x476: u64 = 0; let mut x477: fiat_p521_scalar_u1 = 0; let (x476, x477) = fiat_p521_scalar_addcarryx_u64(0x0, x460, (arg1[7])); let mut x478: u64 = 0; let mut x479: fiat_p521_scalar_u1 = 0; let (x478, x479) = fiat_p521_scalar_addcarryx_u64(x477, x462, (0x0 as u64)); let mut x480: u64 = 0; let mut x481: fiat_p521_scalar_u1 = 0; let (x480, x481) = fiat_p521_scalar_addcarryx_u64(x479, x464, (0x0 as u64)); let mut x482: u64 = 0; let mut x483: fiat_p521_scalar_u1 = 0; let (x482, x483) = fiat_p521_scalar_addcarryx_u64(x481, x466, (0x0 as u64)); let mut x484: u64 = 0; let mut x485: fiat_p521_scalar_u1 = 0; let (x484, x485) = fiat_p521_scalar_addcarryx_u64(x483, x468, (0x0 as u64)); let mut x486: u64 = 0; let mut x487: fiat_p521_scalar_u1 = 0; let (x486, x487) = fiat_p521_scalar_addcarryx_u64(x485, x470, (0x0 as u64)); let mut x488: u64 = 0; let mut x489: fiat_p521_scalar_u1 = 0; let (x488, x489) = fiat_p521_scalar_addcarryx_u64(x487, x472, (0x0 as u64)); let mut x490: u64 = 0; let mut x491: fiat_p521_scalar_u1 = 0; let (x490, x491) = fiat_p521_scalar_addcarryx_u64(x489, x474, (0x0 as u64)); let mut x492: u64 = 0; let mut x493: u64 = 0; let (x492, x493) = fiat_p521_scalar_mulx_u64(x476, 0x1d2f5ccd79a995c7); let mut x494: u64 = 0; let mut x495: u64 = 0; let (x494, x495) = 
fiat_p521_scalar_mulx_u64(x492, 0x1ff); let mut x496: u64 = 0; let mut x497: u64 = 0; let (x496, x497) = fiat_p521_scalar_mulx_u64(x492, 0xffffffffffffffff); let mut x498: u64 = 0; let mut x499: u64 = 0; let (x498, x499) = fiat_p521_scalar_mulx_u64(x492, 0xffffffffffffffff); let mut x500: u64 = 0; let mut x501: u64 = 0; let (x500, x501) = fiat_p521_scalar_mulx_u64(x492, 0xffffffffffffffff); let mut x502: u64 = 0; let mut x503: u64 = 0; let (x502, x503) = fiat_p521_scalar_mulx_u64(x492, 0xfffffffffffffffa); let mut x504: u64 = 0; let mut x505: u64 = 0; let (x504, x505) = fiat_p521_scalar_mulx_u64(x492, 0x51868783bf2f966b); let mut x506: u64 = 0; let mut x507: u64 = 0; let (x506, x507) = fiat_p521_scalar_mulx_u64(x492, 0x7fcc0148f709a5d0); let mut x508: u64 = 0; let mut x509: u64 = 0; let (x508, x509) = fiat_p521_scalar_mulx_u64(x492, 0x3bb5c9b8899c47ae); let mut x510: u64 = 0; let mut x511: u64 = 0; let (x510, x511) = fiat_p521_scalar_mulx_u64(x492, 0xbb6fb71e91386409); let mut x512: u64 = 0; let mut x513: fiat_p521_scalar_u1 = 0; let (x512, x513) = fiat_p521_scalar_addcarryx_u64(0x0, x511, x508); let mut x514: u64 = 0; let mut x515: fiat_p521_scalar_u1 = 0; let (x514, x515) = fiat_p521_scalar_addcarryx_u64(x513, x509, x506); let mut x516: u64 = 0; let mut x517: fiat_p521_scalar_u1 = 0; let (x516, x517) = fiat_p521_scalar_addcarryx_u64(x515, x507, x504); let mut x518: u64 = 0; let mut x519: fiat_p521_scalar_u1 = 0; let (x518, x519) = fiat_p521_scalar_addcarryx_u64(x517, x505, x502); let mut x520: u64 = 0; let mut x521: fiat_p521_scalar_u1 = 0; let (x520, x521) = fiat_p521_scalar_addcarryx_u64(x519, x503, x500); let mut x522: u64 = 0; let mut x523: fiat_p521_scalar_u1 = 0; let (x522, x523) = fiat_p521_scalar_addcarryx_u64(x521, x501, x498); let mut x524: u64 = 0; let mut x525: fiat_p521_scalar_u1 = 0; let (x524, x525) = fiat_p521_scalar_addcarryx_u64(x523, x499, x496); let mut x526: u64 = 0; let mut x527: fiat_p521_scalar_u1 = 0; let (x526, x527) = 
fiat_p521_scalar_addcarryx_u64(x525, x497, x494); let mut x528: u64 = 0; let mut x529: fiat_p521_scalar_u1 = 0; let (x528, x529) = fiat_p521_scalar_addcarryx_u64(0x0, x476, x510); let mut x530: u64 = 0; let mut x531: fiat_p521_scalar_u1 = 0; let (x530, x531) = fiat_p521_scalar_addcarryx_u64(x529, x478, x512); let mut x532: u64 = 0; let mut x533: fiat_p521_scalar_u1 = 0; let (x532, x533) = fiat_p521_scalar_addcarryx_u64(x531, x480, x514); let mut x534: u64 = 0; let mut x535: fiat_p521_scalar_u1 = 0; let (x534, x535) = fiat_p521_scalar_addcarryx_u64(x533, x482, x516); let mut x536: u64 = 0; let mut x537: fiat_p521_scalar_u1 = 0; let (x536, x537) = fiat_p521_scalar_addcarryx_u64(x535, x484, x518); let mut x538: u64 = 0; let mut x539: fiat_p521_scalar_u1 = 0; let (x538, x539) = fiat_p521_scalar_addcarryx_u64(x537, x486, x520); let mut x540: u64 = 0; let mut x541: fiat_p521_scalar_u1 = 0; let (x540, x541) = fiat_p521_scalar_addcarryx_u64(x539, x488, x522); let mut x542: u64 = 0; let mut x543: fiat_p521_scalar_u1 = 0; let (x542, x543) = fiat_p521_scalar_addcarryx_u64(x541, x490, x524); let mut x544: u64 = 0; let mut x545: fiat_p521_scalar_u1 = 0; let (x544, x545) = fiat_p521_scalar_addcarryx_u64( x543, ((x491 as u64) + ((x475 as u64) + ((x457 as u64) + x425))), x526, ); let mut x546: u64 = 0; let mut x547: fiat_p521_scalar_u1 = 0; let (x546, x547) = fiat_p521_scalar_addcarryx_u64(0x0, x530, (arg1[8])); let mut x548: u64 = 0; let mut x549: fiat_p521_scalar_u1 = 0; let (x548, x549) = fiat_p521_scalar_addcarryx_u64(x547, x532, (0x0 as u64)); let mut x550: u64 = 0; let mut x551: fiat_p521_scalar_u1 = 0; let (x550, x551) = fiat_p521_scalar_addcarryx_u64(x549, x534, (0x0 as u64)); let mut x552: u64 = 0; let mut x553: fiat_p521_scalar_u1 = 0; let (x552, x553) = fiat_p521_scalar_addcarryx_u64(x551, x536, (0x0 as u64)); let mut x554: u64 = 0; let mut x555: fiat_p521_scalar_u1 = 0; let (x554, x555) = fiat_p521_scalar_addcarryx_u64(x553, x538, (0x0 as u64)); let mut x556: u64 = 0; 
let mut x557: fiat_p521_scalar_u1 = 0; let (x556, x557) = fiat_p521_scalar_addcarryx_u64(x555, x540, (0x0 as u64)); let mut x558: u64 = 0; let mut x559: fiat_p521_scalar_u1 = 0; let (x558, x559) = fiat_p521_scalar_addcarryx_u64(x557, x542, (0x0 as u64)); let mut x560: u64 = 0; let mut x561: fiat_p521_scalar_u1 = 0; let (x560, x561) = fiat_p521_scalar_addcarryx_u64(x559, x544, (0x0 as u64)); let mut x562: u64 = 0; let mut x563: u64 = 0; let (x562, x563) = fiat_p521_scalar_mulx_u64(x546, 0x1d2f5ccd79a995c7); let mut x564: u64 = 0; let mut x565: u64 = 0; let (x564, x565) = fiat_p521_scalar_mulx_u64(x562, 0x1ff); let mut x566: u64 = 0; let mut x567: u64 = 0; let (x566, x567) = fiat_p521_scalar_mulx_u64(x562, 0xffffffffffffffff); let mut x568: u64 = 0; let mut x569: u64 = 0; let (x568, x569) = fiat_p521_scalar_mulx_u64(x562, 0xffffffffffffffff); let mut x570: u64 = 0; let mut x571: u64 = 0; let (x570, x571) = fiat_p521_scalar_mulx_u64(x562, 0xffffffffffffffff); let mut x572: u64 = 0; let mut x573: u64 = 0; let (x572, x573) = fiat_p521_scalar_mulx_u64(x562, 0xfffffffffffffffa); let mut x574: u64 = 0; let mut x575: u64 = 0; let (x574, x575) = fiat_p521_scalar_mulx_u64(x562, 0x51868783bf2f966b); let mut x576: u64 = 0; let mut x577: u64 = 0; let (x576, x577) = fiat_p521_scalar_mulx_u64(x562, 0x7fcc0148f709a5d0); let mut x578: u64 = 0; let mut x579: u64 = 0; let (x578, x579) = fiat_p521_scalar_mulx_u64(x562, 0x3bb5c9b8899c47ae); let mut x580: u64 = 0; let mut x581: u64 = 0; let (x580, x581) = fiat_p521_scalar_mulx_u64(x562, 0xbb6fb71e91386409); let mut x582: u64 = 0; let mut x583: fiat_p521_scalar_u1 = 0; let (x582, x583) = fiat_p521_scalar_addcarryx_u64(0x0, x581, x578); let mut x584: u64 = 0; let mut x585: fiat_p521_scalar_u1 = 0; let (x584, x585) = fiat_p521_scalar_addcarryx_u64(x583, x579, x576); let mut x586: u64 = 0; let mut x587: fiat_p521_scalar_u1 = 0; let (x586, x587) = fiat_p521_scalar_addcarryx_u64(x585, x577, x574); let mut x588: u64 = 0; let mut x589: 
fiat_p521_scalar_u1 = 0; let (x588, x589) = fiat_p521_scalar_addcarryx_u64(x587, x575, x572); let mut x590: u64 = 0; let mut x591: fiat_p521_scalar_u1 = 0; let (x590, x591) = fiat_p521_scalar_addcarryx_u64(x589, x573, x570); let mut x592: u64 = 0; let mut x593: fiat_p521_scalar_u1 = 0; let (x592, x593) = fiat_p521_scalar_addcarryx_u64(x591, x571, x568); let mut x594: u64 = 0; let mut x595: fiat_p521_scalar_u1 = 0; let (x594, x595) = fiat_p521_scalar_addcarryx_u64(x593, x569, x566); let mut x596: u64 = 0; let mut x597: fiat_p521_scalar_u1 = 0; let (x596, x597) = fiat_p521_scalar_addcarryx_u64(x595, x567, x564); let mut x598: u64 = 0; let mut x599: fiat_p521_scalar_u1 = 0; let (x598, x599) = fiat_p521_scalar_addcarryx_u64(0x0, x546, x580); let mut x600: u64 = 0; let mut x601: fiat_p521_scalar_u1 = 0; let (x600, x601) = fiat_p521_scalar_addcarryx_u64(x599, x548, x582); let mut x602: u64 = 0; let mut x603: fiat_p521_scalar_u1 = 0; let (x602, x603) = fiat_p521_scalar_addcarryx_u64(x601, x550, x584); let mut x604: u64 = 0; let mut x605: fiat_p521_scalar_u1 = 0; let (x604, x605) = fiat_p521_scalar_addcarryx_u64(x603, x552, x586); let mut x606: u64 = 0; let mut x607: fiat_p521_scalar_u1 = 0; let (x606, x607) = fiat_p521_scalar_addcarryx_u64(x605, x554, x588); let mut x608: u64 = 0; let mut x609: fiat_p521_scalar_u1 = 0; let (x608, x609) = fiat_p521_scalar_addcarryx_u64(x607, x556, x590); let mut x610: u64 = 0; let mut x611: fiat_p521_scalar_u1 = 0; let (x610, x611) = fiat_p521_scalar_addcarryx_u64(x609, x558, x592); let mut x612: u64 = 0; let mut x613: fiat_p521_scalar_u1 = 0; let (x612, x613) = fiat_p521_scalar_addcarryx_u64(x611, x560, x594); let mut x614: u64 = 0; let mut x615: fiat_p521_scalar_u1 = 0; let (x614, x615) = fiat_p521_scalar_addcarryx_u64( x613, ((x561 as u64) + ((x545 as u64) + ((x527 as u64) + x495))), x596, ); let x616: u64 = ((x615 as u64) + ((x597 as u64) + x565)); let mut x617: u64 = 0; let mut x618: fiat_p521_scalar_u1 = 0; let (x617, x618) = 
fiat_p521_scalar_subborrowx_u64(0x0, x600, 0xbb6fb71e91386409); let mut x619: u64 = 0; let mut x620: fiat_p521_scalar_u1 = 0; let (x619, x620) = fiat_p521_scalar_subborrowx_u64(x618, x602, 0x3bb5c9b8899c47ae); let mut x621: u64 = 0; let mut x622: fiat_p521_scalar_u1 = 0; let (x621, x622) = fiat_p521_scalar_subborrowx_u64(x620, x604, 0x7fcc0148f709a5d0); let mut x623: u64 = 0; let mut x624: fiat_p521_scalar_u1 = 0; let (x623, x624) = fiat_p521_scalar_subborrowx_u64(x622, x606, 0x51868783bf2f966b); let mut x625: u64 = 0; let mut x626: fiat_p521_scalar_u1 = 0; let (x625, x626) = fiat_p521_scalar_subborrowx_u64(x624, x608, 0xfffffffffffffffa); let mut x627: u64 = 0; let mut x628: fiat_p521_scalar_u1 = 0; let (x627, x628) = fiat_p521_scalar_subborrowx_u64(x626, x610, 0xffffffffffffffff); let mut x629: u64 = 0; let mut x630: fiat_p521_scalar_u1 = 0; let (x629, x630) = fiat_p521_scalar_subborrowx_u64(x628, x612, 0xffffffffffffffff); let mut x631: u64 = 0; let mut x632: fiat_p521_scalar_u1 = 0; let (x631, x632) = fiat_p521_scalar_subborrowx_u64(x630, x614, 0xffffffffffffffff); let mut x633: u64 = 0; let mut x634: fiat_p521_scalar_u1 = 0; let (x633, x634) = fiat_p521_scalar_subborrowx_u64(x632, x616, 0x1ff); let mut x635: u64 = 0; let mut x636: fiat_p521_scalar_u1 = 0; let (x635, x636) = fiat_p521_scalar_subborrowx_u64(x634, (0x0 as u64), (0x0 as u64)); let mut x637: u64 = 0; let (x637) = fiat_p521_scalar_cmovznz_u64(x636, x617, x600); let mut x638: u64 = 0; let (x638) = fiat_p521_scalar_cmovznz_u64(x636, x619, x602); let mut x639: u64 = 0; let (x639) = fiat_p521_scalar_cmovznz_u64(x636, x621, x604); let mut x640: u64 = 0; let (x640) = fiat_p521_scalar_cmovznz_u64(x636, x623, x606); let mut x641: u64 = 0; let (x641) = fiat_p521_scalar_cmovznz_u64(x636, x625, x608); let mut x642: u64 = 0; let (x642) = fiat_p521_scalar_cmovznz_u64(x636, x627, x610); let mut x643: u64 = 0; let (x643) = fiat_p521_scalar_cmovznz_u64(x636, x629, x612); let mut x644: u64 = 0; let (x644) = 
fiat_p521_scalar_cmovznz_u64(x636, x631, x614); let mut x645: u64 = 0; let (x645) = fiat_p521_scalar_cmovznz_u64(x636, x633, x616); out1[0] = x637; out1[1] = x638; out1[2] = x639; out1[3] = x640; out1[4] = x641; out1[5] = x642; out1[6] = x643; out1[7] = x644; out1[8] = x645; out1 } #[doc = " The function fiat_p521_scalar_to_montgomery translates a field element into the Montgomery domain."] #[doc = ""] #[doc = " Preconditions:"] #[doc = " 0 ≤ eval arg1 < m"] #[doc = " Postconditions:"] #[doc = " eval (from_montgomery out1) mod m = eval arg1 mod m"] #[doc = " 0 ≤ eval out1 < m"] #[doc = ""] #[inline] pub const fn fiat_p521_scalar_to_montgomery( arg1: &fiat_p521_scalar_non_montgomery_domain_field_element, ) -> fiat_p521_scalar_montgomery_domain_field_element { let mut out1: fiat_p521_scalar_montgomery_domain_field_element = [0; 9]; let x1: u64 = (arg1[1]); let x2: u64 = (arg1[2]); let x3: u64 = (arg1[3]); let x4: u64 = (arg1[4]); let x5: u64 = (arg1[5]); let x6: u64 = (arg1[6]); let x7: u64 = (arg1[7]); let x8: u64 = (arg1[8]); let x9: u64 = (arg1[0]); let mut x10: u64 = 0; let mut x11: u64 = 0; let (x10, x11) = fiat_p521_scalar_mulx_u64(x9, 0x3d); let mut x12: u64 = 0; let mut x13: u64 = 0; let (x12, x13) = fiat_p521_scalar_mulx_u64(x9, 0x2d8e03d1492d0d45); let mut x14: u64 = 0; let mut x15: u64 = 0; let (x14, x15) = fiat_p521_scalar_mulx_u64(x9, 0x5bcc6d61a8e567bc); let mut x16: u64 = 0; let mut x17: u64 = 0; let (x16, x17) = fiat_p521_scalar_mulx_u64(x9, 0xcff3d142b7756e3e); let mut x18: u64 = 0; let mut x19: u64 = 0; let (x18, x19) = fiat_p521_scalar_mulx_u64(x9, 0xdd6e23d82e49c7db); let mut x20: u64 = 0; let mut x21: u64 = 0; let (x20, x21) = fiat_p521_scalar_mulx_u64(x9, 0xd3721ef557f75e06); let mut x22: u64 = 0; let mut x23: u64 = 0; let (x22, x23) = fiat_p521_scalar_mulx_u64(x9, 0x12a78d38794573ff); let mut x24: u64 = 0; let mut x25: u64 = 0; let (x24, x25) = fiat_p521_scalar_mulx_u64(x9, 0xf707badce5547ea3); let mut x26: u64 = 0; let mut x27: u64 = 0; let 
(x26, x27) = fiat_p521_scalar_mulx_u64(x9, 0x137cd04dcf15dd04); let mut x28: u64 = 0; let mut x29: fiat_p521_scalar_u1 = 0; let (x28, x29) = fiat_p521_scalar_addcarryx_u64(0x0, x27, x24); let mut x30: u64 = 0; let mut x31: fiat_p521_scalar_u1 = 0; let (x30, x31) = fiat_p521_scalar_addcarryx_u64(x29, x25, x22); let mut x32: u64 = 0; let mut x33: fiat_p521_scalar_u1 = 0; let (x32, x33) = fiat_p521_scalar_addcarryx_u64(x31, x23, x20); let mut x34: u64 = 0; let mut x35: fiat_p521_scalar_u1 = 0; let (x34, x35) = fiat_p521_scalar_addcarryx_u64(x33, x21, x18); let mut x36: u64 = 0; let mut x37: fiat_p521_scalar_u1 = 0; let (x36, x37) = fiat_p521_scalar_addcarryx_u64(x35, x19, x16); let mut x38: u64 = 0; let mut x39: fiat_p521_scalar_u1 = 0; let (x38, x39) = fiat_p521_scalar_addcarryx_u64(x37, x17, x14); let mut x40: u64 = 0; let mut x41: fiat_p521_scalar_u1 = 0; let (x40, x41) = fiat_p521_scalar_addcarryx_u64(x39, x15, x12); let mut x42: u64 = 0; let mut x43: fiat_p521_scalar_u1 = 0; let (x42, x43) = fiat_p521_scalar_addcarryx_u64(x41, x13, x10); let mut x44: u64 = 0; let mut x45: u64 = 0; let (x44, x45) = fiat_p521_scalar_mulx_u64(x26, 0x1d2f5ccd79a995c7); let mut x46: u64 = 0; let mut x47: u64 = 0; let (x46, x47) = fiat_p521_scalar_mulx_u64(x44, 0x1ff); let mut x48: u64 = 0; let mut x49: u64 = 0; let (x48, x49) = fiat_p521_scalar_mulx_u64(x44, 0xffffffffffffffff); let mut x50: u64 = 0; let mut x51: u64 = 0; let (x50, x51) = fiat_p521_scalar_mulx_u64(x44, 0xffffffffffffffff); let mut x52: u64 = 0; let mut x53: u64 = 0; let (x52, x53) = fiat_p521_scalar_mulx_u64(x44, 0xffffffffffffffff); let mut x54: u64 = 0; let mut x55: u64 = 0; let (x54, x55) = fiat_p521_scalar_mulx_u64(x44, 0xfffffffffffffffa); let mut x56: u64 = 0; let mut x57: u64 = 0; let (x56, x57) = fiat_p521_scalar_mulx_u64(x44, 0x51868783bf2f966b); let mut x58: u64 = 0; let mut x59: u64 = 0; let (x58, x59) = fiat_p521_scalar_mulx_u64(x44, 0x7fcc0148f709a5d0); let mut x60: u64 = 0; let mut x61: u64 = 0; let 
(x60, x61) = fiat_p521_scalar_mulx_u64(x44, 0x3bb5c9b8899c47ae); let mut x62: u64 = 0; let mut x63: u64 = 0; let (x62, x63) = fiat_p521_scalar_mulx_u64(x44, 0xbb6fb71e91386409); let mut x64: u64 = 0; let mut x65: fiat_p521_scalar_u1 = 0; let (x64, x65) = fiat_p521_scalar_addcarryx_u64(0x0, x63, x60); let mut x66: u64 = 0; let mut x67: fiat_p521_scalar_u1 = 0; let (x66, x67) = fiat_p521_scalar_addcarryx_u64(x65, x61, x58); let mut x68: u64 = 0; let mut x69: fiat_p521_scalar_u1 = 0; let (x68, x69) = fiat_p521_scalar_addcarryx_u64(x67, x59, x56); let mut x70: u64 = 0; let mut x71: fiat_p521_scalar_u1 = 0; let (x70, x71) = fiat_p521_scalar_addcarryx_u64(x69, x57, x54); let mut x72: u64 = 0; let mut x73: fiat_p521_scalar_u1 = 0; let (x72, x73) = fiat_p521_scalar_addcarryx_u64(x71, x55, x52); let mut x74: u64 = 0; let mut x75: fiat_p521_scalar_u1 = 0; let (x74, x75) = fiat_p521_scalar_addcarryx_u64(x73, x53, x50); let mut x76: u64 = 0; let mut x77: fiat_p521_scalar_u1 = 0; let (x76, x77) = fiat_p521_scalar_addcarryx_u64(x75, x51, x48); let mut x78: u64 = 0; let mut x79: fiat_p521_scalar_u1 = 0; let (x78, x79) = fiat_p521_scalar_addcarryx_u64(x77, x49, x46); let mut x80: u64 = 0; let mut x81: fiat_p521_scalar_u1 = 0; let (x80, x81) = fiat_p521_scalar_addcarryx_u64(0x0, x26, x62); let mut x82: u64 = 0; let mut x83: fiat_p521_scalar_u1 = 0; let (x82, x83) = fiat_p521_scalar_addcarryx_u64(x81, x28, x64); let mut x84: u64 = 0; let mut x85: fiat_p521_scalar_u1 = 0; let (x84, x85) = fiat_p521_scalar_addcarryx_u64(x83, x30, x66); let mut x86: u64 = 0; let mut x87: fiat_p521_scalar_u1 = 0; let (x86, x87) = fiat_p521_scalar_addcarryx_u64(x85, x32, x68); let mut x88: u64 = 0; let mut x89: fiat_p521_scalar_u1 = 0; let (x88, x89) = fiat_p521_scalar_addcarryx_u64(x87, x34, x70); let mut x90: u64 = 0; let mut x91: fiat_p521_scalar_u1 = 0; let (x90, x91) = fiat_p521_scalar_addcarryx_u64(x89, x36, x72); let mut x92: u64 = 0; let mut x93: fiat_p521_scalar_u1 = 0; let (x92, x93) = 
fiat_p521_scalar_addcarryx_u64(x91, x38, x74); let mut x94: u64 = 0; let mut x95: fiat_p521_scalar_u1 = 0; let (x94, x95) = fiat_p521_scalar_addcarryx_u64(x93, x40, x76); let mut x96: u64 = 0; let mut x97: fiat_p521_scalar_u1 = 0; let (x96, x97) = fiat_p521_scalar_addcarryx_u64(x95, x42, x78); let mut x98: u64 = 0; let mut x99: u64 = 0; let (x98, x99) = fiat_p521_scalar_mulx_u64(x1, 0x3d); let mut x100: u64 = 0; let mut x101: u64 = 0; let (x100, x101) = fiat_p521_scalar_mulx_u64(x1, 0x2d8e03d1492d0d45); let mut x102: u64 = 0; let mut x103: u64 = 0; let (x102, x103) = fiat_p521_scalar_mulx_u64(x1, 0x5bcc6d61a8e567bc); let mut x104: u64 = 0; let mut x105: u64 = 0; let (x104, x105) = fiat_p521_scalar_mulx_u64(x1, 0xcff3d142b7756e3e); let mut x106: u64 = 0; let mut x107: u64 = 0; let (x106, x107) = fiat_p521_scalar_mulx_u64(x1, 0xdd6e23d82e49c7db); let mut x108: u64 = 0; let mut x109: u64 = 0; let (x108, x109) = fiat_p521_scalar_mulx_u64(x1, 0xd3721ef557f75e06); let mut x110: u64 = 0; let mut x111: u64 = 0; let (x110, x111) = fiat_p521_scalar_mulx_u64(x1, 0x12a78d38794573ff); let mut x112: u64 = 0; let mut x113: u64 = 0; let (x112, x113) = fiat_p521_scalar_mulx_u64(x1, 0xf707badce5547ea3); let mut x114: u64 = 0; let mut x115: u64 = 0; let (x114, x115) = fiat_p521_scalar_mulx_u64(x1, 0x137cd04dcf15dd04); let mut x116: u64 = 0; let mut x117: fiat_p521_scalar_u1 = 0; let (x116, x117) = fiat_p521_scalar_addcarryx_u64(0x0, x115, x112); let mut x118: u64 = 0; let mut x119: fiat_p521_scalar_u1 = 0; let (x118, x119) = fiat_p521_scalar_addcarryx_u64(x117, x113, x110); let mut x120: u64 = 0; let mut x121: fiat_p521_scalar_u1 = 0; let (x120, x121) = fiat_p521_scalar_addcarryx_u64(x119, x111, x108); let mut x122: u64 = 0; let mut x123: fiat_p521_scalar_u1 = 0; let (x122, x123) = fiat_p521_scalar_addcarryx_u64(x121, x109, x106); let mut x124: u64 = 0; let mut x125: fiat_p521_scalar_u1 = 0; let (x124, x125) = fiat_p521_scalar_addcarryx_u64(x123, x107, x104); let mut x126: u64 = 0; 
let mut x127: fiat_p521_scalar_u1 = 0; let (x126, x127) = fiat_p521_scalar_addcarryx_u64(x125, x105, x102); let mut x128: u64 = 0; let mut x129: fiat_p521_scalar_u1 = 0; let (x128, x129) = fiat_p521_scalar_addcarryx_u64(x127, x103, x100); let mut x130: u64 = 0; let mut x131: fiat_p521_scalar_u1 = 0; let (x130, x131) = fiat_p521_scalar_addcarryx_u64(x129, x101, x98); let mut x132: u64 = 0; let mut x133: fiat_p521_scalar_u1 = 0; let (x132, x133) = fiat_p521_scalar_addcarryx_u64(0x0, x82, x114); let mut x134: u64 = 0; let mut x135: fiat_p521_scalar_u1 = 0; let (x134, x135) = fiat_p521_scalar_addcarryx_u64(x133, x84, x116); let mut x136: u64 = 0; let mut x137: fiat_p521_scalar_u1 = 0; let (x136, x137) = fiat_p521_scalar_addcarryx_u64(x135, x86, x118); let mut x138: u64 = 0; let mut x139: fiat_p521_scalar_u1 = 0; let (x138, x139) = fiat_p521_scalar_addcarryx_u64(x137, x88, x120); let mut x140: u64 = 0; let mut x141: fiat_p521_scalar_u1 = 0; let (x140, x141) = fiat_p521_scalar_addcarryx_u64(x139, x90, x122); let mut x142: u64 = 0; let mut x143: fiat_p521_scalar_u1 = 0; let (x142, x143) = fiat_p521_scalar_addcarryx_u64(x141, x92, x124); let mut x144: u64 = 0; let mut x145: fiat_p521_scalar_u1 = 0; let (x144, x145) = fiat_p521_scalar_addcarryx_u64(x143, x94, x126); let mut x146: u64 = 0; let mut x147: fiat_p521_scalar_u1 = 0; let (x146, x147) = fiat_p521_scalar_addcarryx_u64(x145, x96, x128); let mut x148: u64 = 0; let mut x149: fiat_p521_scalar_u1 = 0; let (x148, x149) = fiat_p521_scalar_addcarryx_u64( x147, (((x97 as u64) + ((x43 as u64) + x11)) + ((x79 as u64) + x47)), x130, ); let mut x150: u64 = 0; let mut x151: u64 = 0; let (x150, x151) = fiat_p521_scalar_mulx_u64(x132, 0x1d2f5ccd79a995c7); let mut x152: u64 = 0; let mut x153: u64 = 0; let (x152, x153) = fiat_p521_scalar_mulx_u64(x150, 0x1ff); let mut x154: u64 = 0; let mut x155: u64 = 0; let (x154, x155) = fiat_p521_scalar_mulx_u64(x150, 0xffffffffffffffff); let mut x156: u64 = 0; let mut x157: u64 = 0; let (x156, 
x157) = fiat_p521_scalar_mulx_u64(x150, 0xffffffffffffffff); let mut x158: u64 = 0; let mut x159: u64 = 0; let (x158, x159) = fiat_p521_scalar_mulx_u64(x150, 0xffffffffffffffff); let mut x160: u64 = 0; let mut x161: u64 = 0; let (x160, x161) = fiat_p521_scalar_mulx_u64(x150, 0xfffffffffffffffa); let mut x162: u64 = 0; let mut x163: u64 = 0; let (x162, x163) = fiat_p521_scalar_mulx_u64(x150, 0x51868783bf2f966b); let mut x164: u64 = 0; let mut x165: u64 = 0; let (x164, x165) = fiat_p521_scalar_mulx_u64(x150, 0x7fcc0148f709a5d0); let mut x166: u64 = 0; let mut x167: u64 = 0; let (x166, x167) = fiat_p521_scalar_mulx_u64(x150, 0x3bb5c9b8899c47ae); let mut x168: u64 = 0; let mut x169: u64 = 0; let (x168, x169) = fiat_p521_scalar_mulx_u64(x150, 0xbb6fb71e91386409); let mut x170: u64 = 0; let mut x171: fiat_p521_scalar_u1 = 0; let (x170, x171) = fiat_p521_scalar_addcarryx_u64(0x0, x169, x166); let mut x172: u64 = 0; let mut x173: fiat_p521_scalar_u1 = 0; let (x172, x173) = fiat_p521_scalar_addcarryx_u64(x171, x167, x164); let mut x174: u64 = 0; let mut x175: fiat_p521_scalar_u1 = 0; let (x174, x175) = fiat_p521_scalar_addcarryx_u64(x173, x165, x162); let mut x176: u64 = 0; let mut x177: fiat_p521_scalar_u1 = 0; let (x176, x177) = fiat_p521_scalar_addcarryx_u64(x175, x163, x160); let mut x178: u64 = 0; let mut x179: fiat_p521_scalar_u1 = 0; let (x178, x179) = fiat_p521_scalar_addcarryx_u64(x177, x161, x158); let mut x180: u64 = 0; let mut x181: fiat_p521_scalar_u1 = 0; let (x180, x181) = fiat_p521_scalar_addcarryx_u64(x179, x159, x156); let mut x182: u64 = 0; let mut x183: fiat_p521_scalar_u1 = 0; let (x182, x183) = fiat_p521_scalar_addcarryx_u64(x181, x157, x154); let mut x184: u64 = 0; let mut x185: fiat_p521_scalar_u1 = 0; let (x184, x185) = fiat_p521_scalar_addcarryx_u64(x183, x155, x152); let mut x186: u64 = 0; let mut x187: fiat_p521_scalar_u1 = 0; let (x186, x187) = fiat_p521_scalar_addcarryx_u64(0x0, x132, x168); let mut x188: u64 = 0; let mut x189: 
fiat_p521_scalar_u1 = 0; let (x188, x189) = fiat_p521_scalar_addcarryx_u64(x187, x134, x170); let mut x190: u64 = 0; let mut x191: fiat_p521_scalar_u1 = 0; let (x190, x191) = fiat_p521_scalar_addcarryx_u64(x189, x136, x172); let mut x192: u64 = 0; let mut x193: fiat_p521_scalar_u1 = 0; let (x192, x193) = fiat_p521_scalar_addcarryx_u64(x191, x138, x174); let mut x194: u64 = 0; let mut x195: fiat_p521_scalar_u1 = 0; let (x194, x195) = fiat_p521_scalar_addcarryx_u64(x193, x140, x176); let mut x196: u64 = 0; let mut x197: fiat_p521_scalar_u1 = 0; let (x196, x197) = fiat_p521_scalar_addcarryx_u64(x195, x142, x178); let mut x198: u64 = 0; let mut x199: fiat_p521_scalar_u1 = 0; let (x198, x199) = fiat_p521_scalar_addcarryx_u64(x197, x144, x180); let mut x200: u64 = 0; let mut x201: fiat_p521_scalar_u1 = 0; let (x200, x201) = fiat_p521_scalar_addcarryx_u64(x199, x146, x182); let mut x202: u64 = 0; let mut x203: fiat_p521_scalar_u1 = 0; let (x202, x203) = fiat_p521_scalar_addcarryx_u64(x201, x148, x184); let mut x204: u64 = 0; let mut x205: u64 = 0; let (x204, x205) = fiat_p521_scalar_mulx_u64(x2, 0x3d); let mut x206: u64 = 0; let mut x207: u64 = 0; let (x206, x207) = fiat_p521_scalar_mulx_u64(x2, 0x2d8e03d1492d0d45); let mut x208: u64 = 0; let mut x209: u64 = 0; let (x208, x209) = fiat_p521_scalar_mulx_u64(x2, 0x5bcc6d61a8e567bc); let mut x210: u64 = 0; let mut x211: u64 = 0; let (x210, x211) = fiat_p521_scalar_mulx_u64(x2, 0xcff3d142b7756e3e); let mut x212: u64 = 0; let mut x213: u64 = 0; let (x212, x213) = fiat_p521_scalar_mulx_u64(x2, 0xdd6e23d82e49c7db); let mut x214: u64 = 0; let mut x215: u64 = 0; let (x214, x215) = fiat_p521_scalar_mulx_u64(x2, 0xd3721ef557f75e06); let mut x216: u64 = 0; let mut x217: u64 = 0; let (x216, x217) = fiat_p521_scalar_mulx_u64(x2, 0x12a78d38794573ff); let mut x218: u64 = 0; let mut x219: u64 = 0; let (x218, x219) = fiat_p521_scalar_mulx_u64(x2, 0xf707badce5547ea3); let mut x220: u64 = 0; let mut x221: u64 = 0; let (x220, x221) = 
fiat_p521_scalar_mulx_u64(x2, 0x137cd04dcf15dd04); let mut x222: u64 = 0; let mut x223: fiat_p521_scalar_u1 = 0; let (x222, x223) = fiat_p521_scalar_addcarryx_u64(0x0, x221, x218); let mut x224: u64 = 0; let mut x225: fiat_p521_scalar_u1 = 0; let (x224, x225) = fiat_p521_scalar_addcarryx_u64(x223, x219, x216); let mut x226: u64 = 0; let mut x227: fiat_p521_scalar_u1 = 0; let (x226, x227) = fiat_p521_scalar_addcarryx_u64(x225, x217, x214); let mut x228: u64 = 0; let mut x229: fiat_p521_scalar_u1 = 0; let (x228, x229) = fiat_p521_scalar_addcarryx_u64(x227, x215, x212); let mut x230: u64 = 0; let mut x231: fiat_p521_scalar_u1 = 0; let (x230, x231) = fiat_p521_scalar_addcarryx_u64(x229, x213, x210); let mut x232: u64 = 0; let mut x233: fiat_p521_scalar_u1 = 0; let (x232, x233) = fiat_p521_scalar_addcarryx_u64(x231, x211, x208); let mut x234: u64 = 0; let mut x235: fiat_p521_scalar_u1 = 0; let (x234, x235) = fiat_p521_scalar_addcarryx_u64(x233, x209, x206); let mut x236: u64 = 0; let mut x237: fiat_p521_scalar_u1 = 0; let (x236, x237) = fiat_p521_scalar_addcarryx_u64(x235, x207, x204); let mut x238: u64 = 0; let mut x239: fiat_p521_scalar_u1 = 0; let (x238, x239) = fiat_p521_scalar_addcarryx_u64(0x0, x188, x220); let mut x240: u64 = 0; let mut x241: fiat_p521_scalar_u1 = 0; let (x240, x241) = fiat_p521_scalar_addcarryx_u64(x239, x190, x222); let mut x242: u64 = 0; let mut x243: fiat_p521_scalar_u1 = 0; let (x242, x243) = fiat_p521_scalar_addcarryx_u64(x241, x192, x224); let mut x244: u64 = 0; let mut x245: fiat_p521_scalar_u1 = 0; let (x244, x245) = fiat_p521_scalar_addcarryx_u64(x243, x194, x226); let mut x246: u64 = 0; let mut x247: fiat_p521_scalar_u1 = 0; let (x246, x247) = fiat_p521_scalar_addcarryx_u64(x245, x196, x228); let mut x248: u64 = 0; let mut x249: fiat_p521_scalar_u1 = 0; let (x248, x249) = fiat_p521_scalar_addcarryx_u64(x247, x198, x230); let mut x250: u64 = 0; let mut x251: fiat_p521_scalar_u1 = 0; let (x250, x251) = 
fiat_p521_scalar_addcarryx_u64(x249, x200, x232); let mut x252: u64 = 0; let mut x253: fiat_p521_scalar_u1 = 0; let (x252, x253) = fiat_p521_scalar_addcarryx_u64(x251, x202, x234); let mut x254: u64 = 0; let mut x255: fiat_p521_scalar_u1 = 0; let (x254, x255) = fiat_p521_scalar_addcarryx_u64( x253, (((x203 as u64) + ((x149 as u64) + ((x131 as u64) + x99))) + ((x185 as u64) + x153)), x236, ); let mut x256: u64 = 0; let mut x257: u64 = 0; let (x256, x257) = fiat_p521_scalar_mulx_u64(x238, 0x1d2f5ccd79a995c7); let mut x258: u64 = 0; let mut x259: u64 = 0; let (x258, x259) = fiat_p521_scalar_mulx_u64(x256, 0x1ff); let mut x260: u64 = 0; let mut x261: u64 = 0; let (x260, x261) = fiat_p521_scalar_mulx_u64(x256, 0xffffffffffffffff); let mut x262: u64 = 0; let mut x263: u64 = 0; let (x262, x263) = fiat_p521_scalar_mulx_u64(x256, 0xffffffffffffffff); let mut x264: u64 = 0; let mut x265: u64 = 0; let (x264, x265) = fiat_p521_scalar_mulx_u64(x256, 0xffffffffffffffff); let mut x266: u64 = 0; let mut x267: u64 = 0; let (x266, x267) = fiat_p521_scalar_mulx_u64(x256, 0xfffffffffffffffa); let mut x268: u64 = 0; let mut x269: u64 = 0; let (x268, x269) = fiat_p521_scalar_mulx_u64(x256, 0x51868783bf2f966b); let mut x270: u64 = 0; let mut x271: u64 = 0; let (x270, x271) = fiat_p521_scalar_mulx_u64(x256, 0x7fcc0148f709a5d0); let mut x272: u64 = 0; let mut x273: u64 = 0; let (x272, x273) = fiat_p521_scalar_mulx_u64(x256, 0x3bb5c9b8899c47ae); let mut x274: u64 = 0; let mut x275: u64 = 0; let (x274, x275) = fiat_p521_scalar_mulx_u64(x256, 0xbb6fb71e91386409); let mut x276: u64 = 0; let mut x277: fiat_p521_scalar_u1 = 0; let (x276, x277) = fiat_p521_scalar_addcarryx_u64(0x0, x275, x272); let mut x278: u64 = 0; let mut x279: fiat_p521_scalar_u1 = 0; let (x278, x279) = fiat_p521_scalar_addcarryx_u64(x277, x273, x270); let mut x280: u64 = 0; let mut x281: fiat_p521_scalar_u1 = 0; let (x280, x281) = fiat_p521_scalar_addcarryx_u64(x279, x271, x268); let mut x282: u64 = 0; let mut x283: 
fiat_p521_scalar_u1 = 0; let (x282, x283) = fiat_p521_scalar_addcarryx_u64(x281, x269, x266); let mut x284: u64 = 0; let mut x285: fiat_p521_scalar_u1 = 0; let (x284, x285) = fiat_p521_scalar_addcarryx_u64(x283, x267, x264); let mut x286: u64 = 0; let mut x287: fiat_p521_scalar_u1 = 0; let (x286, x287) = fiat_p521_scalar_addcarryx_u64(x285, x265, x262); let mut x288: u64 = 0; let mut x289: fiat_p521_scalar_u1 = 0; let (x288, x289) = fiat_p521_scalar_addcarryx_u64(x287, x263, x260); let mut x290: u64 = 0; let mut x291: fiat_p521_scalar_u1 = 0; let (x290, x291) = fiat_p521_scalar_addcarryx_u64(x289, x261, x258); let mut x292: u64 = 0; let mut x293: fiat_p521_scalar_u1 = 0; let (x292, x293) = fiat_p521_scalar_addcarryx_u64(0x0, x238, x274); let mut x294: u64 = 0; let mut x295: fiat_p521_scalar_u1 = 0; let (x294, x295) = fiat_p521_scalar_addcarryx_u64(x293, x240, x276); let mut x296: u64 = 0; let mut x297: fiat_p521_scalar_u1 = 0; let (x296, x297) = fiat_p521_scalar_addcarryx_u64(x295, x242, x278); let mut x298: u64 = 0; let mut x299: fiat_p521_scalar_u1 = 0; let (x298, x299) = fiat_p521_scalar_addcarryx_u64(x297, x244, x280); let mut x300: u64 = 0; let mut x301: fiat_p521_scalar_u1 = 0; let (x300, x301) = fiat_p521_scalar_addcarryx_u64(x299, x246, x282); let mut x302: u64 = 0; let mut x303: fiat_p521_scalar_u1 = 0; let (x302, x303) = fiat_p521_scalar_addcarryx_u64(x301, x248, x284); let mut x304: u64 = 0; let mut x305: fiat_p521_scalar_u1 = 0; let (x304, x305) = fiat_p521_scalar_addcarryx_u64(x303, x250, x286); let mut x306: u64 = 0; let mut x307: fiat_p521_scalar_u1 = 0; let (x306, x307) = fiat_p521_scalar_addcarryx_u64(x305, x252, x288); let mut x308: u64 = 0; let mut x309: fiat_p521_scalar_u1 = 0; let (x308, x309) = fiat_p521_scalar_addcarryx_u64(x307, x254, x290); let mut x310: u64 = 0; let mut x311: u64 = 0; let (x310, x311) = fiat_p521_scalar_mulx_u64(x3, 0x3d); let mut x312: u64 = 0; let mut x313: u64 = 0; let (x312, x313) = fiat_p521_scalar_mulx_u64(x3, 
0x2d8e03d1492d0d45); let mut x314: u64 = 0; let mut x315: u64 = 0; let (x314, x315) = fiat_p521_scalar_mulx_u64(x3, 0x5bcc6d61a8e567bc); let mut x316: u64 = 0; let mut x317: u64 = 0; let (x316, x317) = fiat_p521_scalar_mulx_u64(x3, 0xcff3d142b7756e3e); let mut x318: u64 = 0; let mut x319: u64 = 0; let (x318, x319) = fiat_p521_scalar_mulx_u64(x3, 0xdd6e23d82e49c7db); let mut x320: u64 = 0; let mut x321: u64 = 0; let (x320, x321) = fiat_p521_scalar_mulx_u64(x3, 0xd3721ef557f75e06); let mut x322: u64 = 0; let mut x323: u64 = 0; let (x322, x323) = fiat_p521_scalar_mulx_u64(x3, 0x12a78d38794573ff); let mut x324: u64 = 0; let mut x325: u64 = 0; let (x324, x325) = fiat_p521_scalar_mulx_u64(x3, 0xf707badce5547ea3); let mut x326: u64 = 0; let mut x327: u64 = 0; let (x326, x327) = fiat_p521_scalar_mulx_u64(x3, 0x137cd04dcf15dd04); let mut x328: u64 = 0; let mut x329: fiat_p521_scalar_u1 = 0; let (x328, x329) = fiat_p521_scalar_addcarryx_u64(0x0, x327, x324); let mut x330: u64 = 0; let mut x331: fiat_p521_scalar_u1 = 0; let (x330, x331) = fiat_p521_scalar_addcarryx_u64(x329, x325, x322); let mut x332: u64 = 0; let mut x333: fiat_p521_scalar_u1 = 0; let (x332, x333) = fiat_p521_scalar_addcarryx_u64(x331, x323, x320); let mut x334: u64 = 0; let mut x335: fiat_p521_scalar_u1 = 0; let (x334, x335) = fiat_p521_scalar_addcarryx_u64(x333, x321, x318); let mut x336: u64 = 0; let mut x337: fiat_p521_scalar_u1 = 0; let (x336, x337) = fiat_p521_scalar_addcarryx_u64(x335, x319, x316); let mut x338: u64 = 0; let mut x339: fiat_p521_scalar_u1 = 0; let (x338, x339) = fiat_p521_scalar_addcarryx_u64(x337, x317, x314); let mut x340: u64 = 0; let mut x341: fiat_p521_scalar_u1 = 0; let (x340, x341) = fiat_p521_scalar_addcarryx_u64(x339, x315, x312); let mut x342: u64 = 0; let mut x343: fiat_p521_scalar_u1 = 0; let (x342, x343) = fiat_p521_scalar_addcarryx_u64(x341, x313, x310); let mut x344: u64 = 0; let mut x345: fiat_p521_scalar_u1 = 0; let (x344, x345) = fiat_p521_scalar_addcarryx_u64(0x0, 
x294, x326); let mut x346: u64 = 0; let mut x347: fiat_p521_scalar_u1 = 0; let (x346, x347) = fiat_p521_scalar_addcarryx_u64(x345, x296, x328); let mut x348: u64 = 0; let mut x349: fiat_p521_scalar_u1 = 0; let (x348, x349) = fiat_p521_scalar_addcarryx_u64(x347, x298, x330); let mut x350: u64 = 0; let mut x351: fiat_p521_scalar_u1 = 0; let (x350, x351) = fiat_p521_scalar_addcarryx_u64(x349, x300, x332); let mut x352: u64 = 0; let mut x353: fiat_p521_scalar_u1 = 0; let (x352, x353) = fiat_p521_scalar_addcarryx_u64(x351, x302, x334); let mut x354: u64 = 0; let mut x355: fiat_p521_scalar_u1 = 0; let (x354, x355) = fiat_p521_scalar_addcarryx_u64(x353, x304, x336); let mut x356: u64 = 0; let mut x357: fiat_p521_scalar_u1 = 0; let (x356, x357) = fiat_p521_scalar_addcarryx_u64(x355, x306, x338); let mut x358: u64 = 0; let mut x359: fiat_p521_scalar_u1 = 0; let (x358, x359) = fiat_p521_scalar_addcarryx_u64(x357, x308, x340); let mut x360: u64 = 0; let mut x361: fiat_p521_scalar_u1 = 0; let (x360, x361) = fiat_p521_scalar_addcarryx_u64( x359, (((x309 as u64) + ((x255 as u64) + ((x237 as u64) + x205))) + ((x291 as u64) + x259)), x342, ); let mut x362: u64 = 0; let mut x363: u64 = 0; let (x362, x363) = fiat_p521_scalar_mulx_u64(x344, 0x1d2f5ccd79a995c7); let mut x364: u64 = 0; let mut x365: u64 = 0; let (x364, x365) = fiat_p521_scalar_mulx_u64(x362, 0x1ff); let mut x366: u64 = 0; let mut x367: u64 = 0; let (x366, x367) = fiat_p521_scalar_mulx_u64(x362, 0xffffffffffffffff); let mut x368: u64 = 0; let mut x369: u64 = 0; let (x368, x369) = fiat_p521_scalar_mulx_u64(x362, 0xffffffffffffffff); let mut x370: u64 = 0; let mut x371: u64 = 0; let (x370, x371) = fiat_p521_scalar_mulx_u64(x362, 0xffffffffffffffff); let mut x372: u64 = 0; let mut x373: u64 = 0; let (x372, x373) = fiat_p521_scalar_mulx_u64(x362, 0xfffffffffffffffa); let mut x374: u64 = 0; let mut x375: u64 = 0; let (x374, x375) = fiat_p521_scalar_mulx_u64(x362, 0x51868783bf2f966b); let mut x376: u64 = 0; let mut x377: u64 
= 0; let (x376, x377) = fiat_p521_scalar_mulx_u64(x362, 0x7fcc0148f709a5d0); let mut x378: u64 = 0; let mut x379: u64 = 0; let (x378, x379) = fiat_p521_scalar_mulx_u64(x362, 0x3bb5c9b8899c47ae); let mut x380: u64 = 0; let mut x381: u64 = 0; let (x380, x381) = fiat_p521_scalar_mulx_u64(x362, 0xbb6fb71e91386409); let mut x382: u64 = 0; let mut x383: fiat_p521_scalar_u1 = 0; let (x382, x383) = fiat_p521_scalar_addcarryx_u64(0x0, x381, x378); let mut x384: u64 = 0; let mut x385: fiat_p521_scalar_u1 = 0; let (x384, x385) = fiat_p521_scalar_addcarryx_u64(x383, x379, x376); let mut x386: u64 = 0; let mut x387: fiat_p521_scalar_u1 = 0; let (x386, x387) = fiat_p521_scalar_addcarryx_u64(x385, x377, x374); let mut x388: u64 = 0; let mut x389: fiat_p521_scalar_u1 = 0; let (x388, x389) = fiat_p521_scalar_addcarryx_u64(x387, x375, x372); let mut x390: u64 = 0; let mut x391: fiat_p521_scalar_u1 = 0; let (x390, x391) = fiat_p521_scalar_addcarryx_u64(x389, x373, x370); let mut x392: u64 = 0; let mut x393: fiat_p521_scalar_u1 = 0; let (x392, x393) = fiat_p521_scalar_addcarryx_u64(x391, x371, x368); let mut x394: u64 = 0; let mut x395: fiat_p521_scalar_u1 = 0; let (x394, x395) = fiat_p521_scalar_addcarryx_u64(x393, x369, x366); let mut x396: u64 = 0; let mut x397: fiat_p521_scalar_u1 = 0; let (x396, x397) = fiat_p521_scalar_addcarryx_u64(x395, x367, x364); let mut x398: u64 = 0; let mut x399: fiat_p521_scalar_u1 = 0; let (x398, x399) = fiat_p521_scalar_addcarryx_u64(0x0, x344, x380); let mut x400: u64 = 0; let mut x401: fiat_p521_scalar_u1 = 0; let (x400, x401) = fiat_p521_scalar_addcarryx_u64(x399, x346, x382); let mut x402: u64 = 0; let mut x403: fiat_p521_scalar_u1 = 0; let (x402, x403) = fiat_p521_scalar_addcarryx_u64(x401, x348, x384); let mut x404: u64 = 0; let mut x405: fiat_p521_scalar_u1 = 0; let (x404, x405) = fiat_p521_scalar_addcarryx_u64(x403, x350, x386); let mut x406: u64 = 0; let mut x407: fiat_p521_scalar_u1 = 0; let (x406, x407) = 
fiat_p521_scalar_addcarryx_u64(x405, x352, x388); let mut x408: u64 = 0; let mut x409: fiat_p521_scalar_u1 = 0; let (x408, x409) = fiat_p521_scalar_addcarryx_u64(x407, x354, x390); let mut x410: u64 = 0; let mut x411: fiat_p521_scalar_u1 = 0; let (x410, x411) = fiat_p521_scalar_addcarryx_u64(x409, x356, x392); let mut x412: u64 = 0; let mut x413: fiat_p521_scalar_u1 = 0; let (x412, x413) = fiat_p521_scalar_addcarryx_u64(x411, x358, x394); let mut x414: u64 = 0; let mut x415: fiat_p521_scalar_u1 = 0; let (x414, x415) = fiat_p521_scalar_addcarryx_u64(x413, x360, x396); let mut x416: u64 = 0; let mut x417: u64 = 0; let (x416, x417) = fiat_p521_scalar_mulx_u64(x4, 0x3d); let mut x418: u64 = 0; let mut x419: u64 = 0; let (x418, x419) = fiat_p521_scalar_mulx_u64(x4, 0x2d8e03d1492d0d45); let mut x420: u64 = 0; let mut x421: u64 = 0; let (x420, x421) = fiat_p521_scalar_mulx_u64(x4, 0x5bcc6d61a8e567bc); let mut x422: u64 = 0; let mut x423: u64 = 0; let (x422, x423) = fiat_p521_scalar_mulx_u64(x4, 0xcff3d142b7756e3e); let mut x424: u64 = 0; let mut x425: u64 = 0; let (x424, x425) = fiat_p521_scalar_mulx_u64(x4, 0xdd6e23d82e49c7db); let mut x426: u64 = 0; let mut x427: u64 = 0; let (x426, x427) = fiat_p521_scalar_mulx_u64(x4, 0xd3721ef557f75e06); let mut x428: u64 = 0; let mut x429: u64 = 0; let (x428, x429) = fiat_p521_scalar_mulx_u64(x4, 0x12a78d38794573ff); let mut x430: u64 = 0; let mut x431: u64 = 0; let (x430, x431) = fiat_p521_scalar_mulx_u64(x4, 0xf707badce5547ea3); let mut x432: u64 = 0; let mut x433: u64 = 0; let (x432, x433) = fiat_p521_scalar_mulx_u64(x4, 0x137cd04dcf15dd04); let mut x434: u64 = 0; let mut x435: fiat_p521_scalar_u1 = 0; let (x434, x435) = fiat_p521_scalar_addcarryx_u64(0x0, x433, x430); let mut x436: u64 = 0; let mut x437: fiat_p521_scalar_u1 = 0; let (x436, x437) = fiat_p521_scalar_addcarryx_u64(x435, x431, x428); let mut x438: u64 = 0; let mut x439: fiat_p521_scalar_u1 = 0; let (x438, x439) = fiat_p521_scalar_addcarryx_u64(x437, x429, x426); let 
mut x440: u64 = 0; let mut x441: fiat_p521_scalar_u1 = 0; let (x440, x441) = fiat_p521_scalar_addcarryx_u64(x439, x427, x424); let mut x442: u64 = 0; let mut x443: fiat_p521_scalar_u1 = 0; let (x442, x443) = fiat_p521_scalar_addcarryx_u64(x441, x425, x422); let mut x444: u64 = 0; let mut x445: fiat_p521_scalar_u1 = 0; let (x444, x445) = fiat_p521_scalar_addcarryx_u64(x443, x423, x420); let mut x446: u64 = 0; let mut x447: fiat_p521_scalar_u1 = 0; let (x446, x447) = fiat_p521_scalar_addcarryx_u64(x445, x421, x418); let mut x448: u64 = 0; let mut x449: fiat_p521_scalar_u1 = 0; let (x448, x449) = fiat_p521_scalar_addcarryx_u64(x447, x419, x416); let mut x450: u64 = 0; let mut x451: fiat_p521_scalar_u1 = 0; let (x450, x451) = fiat_p521_scalar_addcarryx_u64(0x0, x400, x432); let mut x452: u64 = 0; let mut x453: fiat_p521_scalar_u1 = 0; let (x452, x453) = fiat_p521_scalar_addcarryx_u64(x451, x402, x434); let mut x454: u64 = 0; let mut x455: fiat_p521_scalar_u1 = 0; let (x454, x455) = fiat_p521_scalar_addcarryx_u64(x453, x404, x436); let mut x456: u64 = 0; let mut x457: fiat_p521_scalar_u1 = 0; let (x456, x457) = fiat_p521_scalar_addcarryx_u64(x455, x406, x438); let mut x458: u64 = 0; let mut x459: fiat_p521_scalar_u1 = 0; let (x458, x459) = fiat_p521_scalar_addcarryx_u64(x457, x408, x440); let mut x460: u64 = 0; let mut x461: fiat_p521_scalar_u1 = 0; let (x460, x461) = fiat_p521_scalar_addcarryx_u64(x459, x410, x442); let mut x462: u64 = 0; let mut x463: fiat_p521_scalar_u1 = 0; let (x462, x463) = fiat_p521_scalar_addcarryx_u64(x461, x412, x444); let mut x464: u64 = 0; let mut x465: fiat_p521_scalar_u1 = 0; let (x464, x465) = fiat_p521_scalar_addcarryx_u64(x463, x414, x446); let mut x466: u64 = 0; let mut x467: fiat_p521_scalar_u1 = 0; let (x466, x467) = fiat_p521_scalar_addcarryx_u64( x465, (((x415 as u64) + ((x361 as u64) + ((x343 as u64) + x311))) + ((x397 as u64) + x365)), x448, ); let mut x468: u64 = 0; let mut x469: u64 = 0; let (x468, x469) = 
fiat_p521_scalar_mulx_u64(x450, 0x1d2f5ccd79a995c7); let mut x470: u64 = 0; let mut x471: u64 = 0; let (x470, x471) = fiat_p521_scalar_mulx_u64(x468, 0x1ff); let mut x472: u64 = 0; let mut x473: u64 = 0; let (x472, x473) = fiat_p521_scalar_mulx_u64(x468, 0xffffffffffffffff); let mut x474: u64 = 0; let mut x475: u64 = 0; let (x474, x475) = fiat_p521_scalar_mulx_u64(x468, 0xffffffffffffffff); let mut x476: u64 = 0; let mut x477: u64 = 0; let (x476, x477) = fiat_p521_scalar_mulx_u64(x468, 0xffffffffffffffff); let mut x478: u64 = 0; let mut x479: u64 = 0; let (x478, x479) = fiat_p521_scalar_mulx_u64(x468, 0xfffffffffffffffa); let mut x480: u64 = 0; let mut x481: u64 = 0; let (x480, x481) = fiat_p521_scalar_mulx_u64(x468, 0x51868783bf2f966b); let mut x482: u64 = 0; let mut x483: u64 = 0; let (x482, x483) = fiat_p521_scalar_mulx_u64(x468, 0x7fcc0148f709a5d0); let mut x484: u64 = 0; let mut x485: u64 = 0; let (x484, x485) = fiat_p521_scalar_mulx_u64(x468, 0x3bb5c9b8899c47ae); let mut x486: u64 = 0; let mut x487: u64 = 0; let (x486, x487) = fiat_p521_scalar_mulx_u64(x468, 0xbb6fb71e91386409); let mut x488: u64 = 0; let mut x489: fiat_p521_scalar_u1 = 0; let (x488, x489) = fiat_p521_scalar_addcarryx_u64(0x0, x487, x484); let mut x490: u64 = 0; let mut x491: fiat_p521_scalar_u1 = 0; let (x490, x491) = fiat_p521_scalar_addcarryx_u64(x489, x485, x482); let mut x492: u64 = 0; let mut x493: fiat_p521_scalar_u1 = 0; let (x492, x493) = fiat_p521_scalar_addcarryx_u64(x491, x483, x480); let mut x494: u64 = 0; let mut x495: fiat_p521_scalar_u1 = 0; let (x494, x495) = fiat_p521_scalar_addcarryx_u64(x493, x481, x478); let mut x496: u64 = 0; let mut x497: fiat_p521_scalar_u1 = 0; let (x496, x497) = fiat_p521_scalar_addcarryx_u64(x495, x479, x476); let mut x498: u64 = 0; let mut x499: fiat_p521_scalar_u1 = 0; let (x498, x499) = fiat_p521_scalar_addcarryx_u64(x497, x477, x474); let mut x500: u64 = 0; let mut x501: fiat_p521_scalar_u1 = 0; let (x500, x501) = 
fiat_p521_scalar_addcarryx_u64(x499, x475, x472); let mut x502: u64 = 0; let mut x503: fiat_p521_scalar_u1 = 0; let (x502, x503) = fiat_p521_scalar_addcarryx_u64(x501, x473, x470); let mut x504: u64 = 0; let mut x505: fiat_p521_scalar_u1 = 0; let (x504, x505) = fiat_p521_scalar_addcarryx_u64(0x0, x450, x486); let mut x506: u64 = 0; let mut x507: fiat_p521_scalar_u1 = 0; let (x506, x507) = fiat_p521_scalar_addcarryx_u64(x505, x452, x488); let mut x508: u64 = 0; let mut x509: fiat_p521_scalar_u1 = 0; let (x508, x509) = fiat_p521_scalar_addcarryx_u64(x507, x454, x490); let mut x510: u64 = 0; let mut x511: fiat_p521_scalar_u1 = 0; let (x510, x511) = fiat_p521_scalar_addcarryx_u64(x509, x456, x492); let mut x512: u64 = 0; let mut x513: fiat_p521_scalar_u1 = 0; let (x512, x513) = fiat_p521_scalar_addcarryx_u64(x511, x458, x494); let mut x514: u64 = 0; let mut x515: fiat_p521_scalar_u1 = 0; let (x514, x515) = fiat_p521_scalar_addcarryx_u64(x513, x460, x496); let mut x516: u64 = 0; let mut x517: fiat_p521_scalar_u1 = 0; let (x516, x517) = fiat_p521_scalar_addcarryx_u64(x515, x462, x498); let mut x518: u64 = 0; let mut x519: fiat_p521_scalar_u1 = 0; let (x518, x519) = fiat_p521_scalar_addcarryx_u64(x517, x464, x500); let mut x520: u64 = 0; let mut x521: fiat_p521_scalar_u1 = 0; let (x520, x521) = fiat_p521_scalar_addcarryx_u64(x519, x466, x502); let mut x522: u64 = 0; let mut x523: u64 = 0; let (x522, x523) = fiat_p521_scalar_mulx_u64(x5, 0x3d); let mut x524: u64 = 0; let mut x525: u64 = 0; let (x524, x525) = fiat_p521_scalar_mulx_u64(x5, 0x2d8e03d1492d0d45); let mut x526: u64 = 0; let mut x527: u64 = 0; let (x526, x527) = fiat_p521_scalar_mulx_u64(x5, 0x5bcc6d61a8e567bc); let mut x528: u64 = 0; let mut x529: u64 = 0; let (x528, x529) = fiat_p521_scalar_mulx_u64(x5, 0xcff3d142b7756e3e); let mut x530: u64 = 0; let mut x531: u64 = 0; let (x530, x531) = fiat_p521_scalar_mulx_u64(x5, 0xdd6e23d82e49c7db); let mut x532: u64 = 0; let mut x533: u64 = 0; let (x532, x533) = 
fiat_p521_scalar_mulx_u64(x5, 0xd3721ef557f75e06); let mut x534: u64 = 0; let mut x535: u64 = 0; let (x534, x535) = fiat_p521_scalar_mulx_u64(x5, 0x12a78d38794573ff); let mut x536: u64 = 0; let mut x537: u64 = 0; let (x536, x537) = fiat_p521_scalar_mulx_u64(x5, 0xf707badce5547ea3); let mut x538: u64 = 0; let mut x539: u64 = 0; let (x538, x539) = fiat_p521_scalar_mulx_u64(x5, 0x137cd04dcf15dd04); let mut x540: u64 = 0; let mut x541: fiat_p521_scalar_u1 = 0; let (x540, x541) = fiat_p521_scalar_addcarryx_u64(0x0, x539, x536); let mut x542: u64 = 0; let mut x543: fiat_p521_scalar_u1 = 0; let (x542, x543) = fiat_p521_scalar_addcarryx_u64(x541, x537, x534); let mut x544: u64 = 0; let mut x545: fiat_p521_scalar_u1 = 0; let (x544, x545) = fiat_p521_scalar_addcarryx_u64(x543, x535, x532); let mut x546: u64 = 0; let mut x547: fiat_p521_scalar_u1 = 0; let (x546, x547) = fiat_p521_scalar_addcarryx_u64(x545, x533, x530); let mut x548: u64 = 0; let mut x549: fiat_p521_scalar_u1 = 0; let (x548, x549) = fiat_p521_scalar_addcarryx_u64(x547, x531, x528); let mut x550: u64 = 0; let mut x551: fiat_p521_scalar_u1 = 0; let (x550, x551) = fiat_p521_scalar_addcarryx_u64(x549, x529, x526); let mut x552: u64 = 0; let mut x553: fiat_p521_scalar_u1 = 0; let (x552, x553) = fiat_p521_scalar_addcarryx_u64(x551, x527, x524); let mut x554: u64 = 0; let mut x555: fiat_p521_scalar_u1 = 0; let (x554, x555) = fiat_p521_scalar_addcarryx_u64(x553, x525, x522); let mut x556: u64 = 0; let mut x557: fiat_p521_scalar_u1 = 0; let (x556, x557) = fiat_p521_scalar_addcarryx_u64(0x0, x506, x538); let mut x558: u64 = 0; let mut x559: fiat_p521_scalar_u1 = 0; let (x558, x559) = fiat_p521_scalar_addcarryx_u64(x557, x508, x540); let mut x560: u64 = 0; let mut x561: fiat_p521_scalar_u1 = 0; let (x560, x561) = fiat_p521_scalar_addcarryx_u64(x559, x510, x542); let mut x562: u64 = 0; let mut x563: fiat_p521_scalar_u1 = 0; let (x562, x563) = fiat_p521_scalar_addcarryx_u64(x561, x512, x544); let mut x564: u64 = 0; let mut 
x565: fiat_p521_scalar_u1 = 0; let (x564, x565) = fiat_p521_scalar_addcarryx_u64(x563, x514, x546); let mut x566: u64 = 0; let mut x567: fiat_p521_scalar_u1 = 0; let (x566, x567) = fiat_p521_scalar_addcarryx_u64(x565, x516, x548); let mut x568: u64 = 0; let mut x569: fiat_p521_scalar_u1 = 0; let (x568, x569) = fiat_p521_scalar_addcarryx_u64(x567, x518, x550); let mut x570: u64 = 0; let mut x571: fiat_p521_scalar_u1 = 0; let (x570, x571) = fiat_p521_scalar_addcarryx_u64(x569, x520, x552); let mut x572: u64 = 0; let mut x573: fiat_p521_scalar_u1 = 0; let (x572, x573) = fiat_p521_scalar_addcarryx_u64( x571, (((x521 as u64) + ((x467 as u64) + ((x449 as u64) + x417))) + ((x503 as u64) + x471)), x554, ); let mut x574: u64 = 0; let mut x575: u64 = 0; let (x574, x575) = fiat_p521_scalar_mulx_u64(x556, 0x1d2f5ccd79a995c7); let mut x576: u64 = 0; let mut x577: u64 = 0; let (x576, x577) = fiat_p521_scalar_mulx_u64(x574, 0x1ff); let mut x578: u64 = 0; let mut x579: u64 = 0; let (x578, x579) = fiat_p521_scalar_mulx_u64(x574, 0xffffffffffffffff); let mut x580: u64 = 0; let mut x581: u64 = 0; let (x580, x581) = fiat_p521_scalar_mulx_u64(x574, 0xffffffffffffffff); let mut x582: u64 = 0; let mut x583: u64 = 0; let (x582, x583) = fiat_p521_scalar_mulx_u64(x574, 0xffffffffffffffff); let mut x584: u64 = 0; let mut x585: u64 = 0; let (x584, x585) = fiat_p521_scalar_mulx_u64(x574, 0xfffffffffffffffa); let mut x586: u64 = 0; let mut x587: u64 = 0; let (x586, x587) = fiat_p521_scalar_mulx_u64(x574, 0x51868783bf2f966b); let mut x588: u64 = 0; let mut x589: u64 = 0; let (x588, x589) = fiat_p521_scalar_mulx_u64(x574, 0x7fcc0148f709a5d0); let mut x590: u64 = 0; let mut x591: u64 = 0; let (x590, x591) = fiat_p521_scalar_mulx_u64(x574, 0x3bb5c9b8899c47ae); let mut x592: u64 = 0; let mut x593: u64 = 0; let (x592, x593) = fiat_p521_scalar_mulx_u64(x574, 0xbb6fb71e91386409); let mut x594: u64 = 0; let mut x595: fiat_p521_scalar_u1 = 0; let (x594, x595) = fiat_p521_scalar_addcarryx_u64(0x0, x593, 
x590); let mut x596: u64 = 0; let mut x597: fiat_p521_scalar_u1 = 0; let (x596, x597) = fiat_p521_scalar_addcarryx_u64(x595, x591, x588); let mut x598: u64 = 0; let mut x599: fiat_p521_scalar_u1 = 0; let (x598, x599) = fiat_p521_scalar_addcarryx_u64(x597, x589, x586); let mut x600: u64 = 0; let mut x601: fiat_p521_scalar_u1 = 0; let (x600, x601) = fiat_p521_scalar_addcarryx_u64(x599, x587, x584); let mut x602: u64 = 0; let mut x603: fiat_p521_scalar_u1 = 0; let (x602, x603) = fiat_p521_scalar_addcarryx_u64(x601, x585, x582); let mut x604: u64 = 0; let mut x605: fiat_p521_scalar_u1 = 0; let (x604, x605) = fiat_p521_scalar_addcarryx_u64(x603, x583, x580); let mut x606: u64 = 0; let mut x607: fiat_p521_scalar_u1 = 0; let (x606, x607) = fiat_p521_scalar_addcarryx_u64(x605, x581, x578); let mut x608: u64 = 0; let mut x609: fiat_p521_scalar_u1 = 0; let (x608, x609) = fiat_p521_scalar_addcarryx_u64(x607, x579, x576); let mut x610: u64 = 0; let mut x611: fiat_p521_scalar_u1 = 0; let (x610, x611) = fiat_p521_scalar_addcarryx_u64(0x0, x556, x592); let mut x612: u64 = 0; let mut x613: fiat_p521_scalar_u1 = 0; let (x612, x613) = fiat_p521_scalar_addcarryx_u64(x611, x558, x594); let mut x614: u64 = 0; let mut x615: fiat_p521_scalar_u1 = 0; let (x614, x615) = fiat_p521_scalar_addcarryx_u64(x613, x560, x596); let mut x616: u64 = 0; let mut x617: fiat_p521_scalar_u1 = 0; let (x616, x617) = fiat_p521_scalar_addcarryx_u64(x615, x562, x598); let mut x618: u64 = 0; let mut x619: fiat_p521_scalar_u1 = 0; let (x618, x619) = fiat_p521_scalar_addcarryx_u64(x617, x564, x600); let mut x620: u64 = 0; let mut x621: fiat_p521_scalar_u1 = 0; let (x620, x621) = fiat_p521_scalar_addcarryx_u64(x619, x566, x602); let mut x622: u64 = 0; let mut x623: fiat_p521_scalar_u1 = 0; let (x622, x623) = fiat_p521_scalar_addcarryx_u64(x621, x568, x604); let mut x624: u64 = 0; let mut x625: fiat_p521_scalar_u1 = 0; let (x624, x625) = fiat_p521_scalar_addcarryx_u64(x623, x570, x606); let mut x626: u64 = 0; let 
mut x627: fiat_p521_scalar_u1 = 0; let (x626, x627) = fiat_p521_scalar_addcarryx_u64(x625, x572, x608); let mut x628: u64 = 0; let mut x629: u64 = 0; let (x628, x629) = fiat_p521_scalar_mulx_u64(x6, 0x3d); let mut x630: u64 = 0; let mut x631: u64 = 0; let (x630, x631) = fiat_p521_scalar_mulx_u64(x6, 0x2d8e03d1492d0d45); let mut x632: u64 = 0; let mut x633: u64 = 0; let (x632, x633) = fiat_p521_scalar_mulx_u64(x6, 0x5bcc6d61a8e567bc); let mut x634: u64 = 0; let mut x635: u64 = 0; let (x634, x635) = fiat_p521_scalar_mulx_u64(x6, 0xcff3d142b7756e3e); let mut x636: u64 = 0; let mut x637: u64 = 0; let (x636, x637) = fiat_p521_scalar_mulx_u64(x6, 0xdd6e23d82e49c7db); let mut x638: u64 = 0; let mut x639: u64 = 0; let (x638, x639) = fiat_p521_scalar_mulx_u64(x6, 0xd3721ef557f75e06); let mut x640: u64 = 0; let mut x641: u64 = 0; let (x640, x641) = fiat_p521_scalar_mulx_u64(x6, 0x12a78d38794573ff); let mut x642: u64 = 0; let mut x643: u64 = 0; let (x642, x643) = fiat_p521_scalar_mulx_u64(x6, 0xf707badce5547ea3); let mut x644: u64 = 0; let mut x645: u64 = 0; let (x644, x645) = fiat_p521_scalar_mulx_u64(x6, 0x137cd04dcf15dd04); let mut x646: u64 = 0; let mut x647: fiat_p521_scalar_u1 = 0; let (x646, x647) = fiat_p521_scalar_addcarryx_u64(0x0, x645, x642); let mut x648: u64 = 0; let mut x649: fiat_p521_scalar_u1 = 0; let (x648, x649) = fiat_p521_scalar_addcarryx_u64(x647, x643, x640); let mut x650: u64 = 0; let mut x651: fiat_p521_scalar_u1 = 0; let (x650, x651) = fiat_p521_scalar_addcarryx_u64(x649, x641, x638); let mut x652: u64 = 0; let mut x653: fiat_p521_scalar_u1 = 0; let (x652, x653) = fiat_p521_scalar_addcarryx_u64(x651, x639, x636); let mut x654: u64 = 0; let mut x655: fiat_p521_scalar_u1 = 0; let (x654, x655) = fiat_p521_scalar_addcarryx_u64(x653, x637, x634); let mut x656: u64 = 0; let mut x657: fiat_p521_scalar_u1 = 0; let (x656, x657) = fiat_p521_scalar_addcarryx_u64(x655, x635, x632); let mut x658: u64 = 0; let mut x659: fiat_p521_scalar_u1 = 0; let (x658, x659) = 
fiat_p521_scalar_addcarryx_u64(x657, x633, x630); let mut x660: u64 = 0; let mut x661: fiat_p521_scalar_u1 = 0; let (x660, x661) = fiat_p521_scalar_addcarryx_u64(x659, x631, x628); let mut x662: u64 = 0; let mut x663: fiat_p521_scalar_u1 = 0; let (x662, x663) = fiat_p521_scalar_addcarryx_u64(0x0, x612, x644); let mut x664: u64 = 0; let mut x665: fiat_p521_scalar_u1 = 0; let (x664, x665) = fiat_p521_scalar_addcarryx_u64(x663, x614, x646); let mut x666: u64 = 0; let mut x667: fiat_p521_scalar_u1 = 0; let (x666, x667) = fiat_p521_scalar_addcarryx_u64(x665, x616, x648); let mut x668: u64 = 0; let mut x669: fiat_p521_scalar_u1 = 0; let (x668, x669) = fiat_p521_scalar_addcarryx_u64(x667, x618, x650); let mut x670: u64 = 0; let mut x671: fiat_p521_scalar_u1 = 0; let (x670, x671) = fiat_p521_scalar_addcarryx_u64(x669, x620, x652); let mut x672: u64 = 0; let mut x673: fiat_p521_scalar_u1 = 0; let (x672, x673) = fiat_p521_scalar_addcarryx_u64(x671, x622, x654); let mut x674: u64 = 0; let mut x675: fiat_p521_scalar_u1 = 0; let (x674, x675) = fiat_p521_scalar_addcarryx_u64(x673, x624, x656); let mut x676: u64 = 0; let mut x677: fiat_p521_scalar_u1 = 0; let (x676, x677) = fiat_p521_scalar_addcarryx_u64(x675, x626, x658); let mut x678: u64 = 0; let mut x679: fiat_p521_scalar_u1 = 0; let (x678, x679) = fiat_p521_scalar_addcarryx_u64( x677, (((x627 as u64) + ((x573 as u64) + ((x555 as u64) + x523))) + ((x609 as u64) + x577)), x660, ); let mut x680: u64 = 0; let mut x681: u64 = 0; let (x680, x681) = fiat_p521_scalar_mulx_u64(x662, 0x1d2f5ccd79a995c7); let mut x682: u64 = 0; let mut x683: u64 = 0; let (x682, x683) = fiat_p521_scalar_mulx_u64(x680, 0x1ff); let mut x684: u64 = 0; let mut x685: u64 = 0; let (x684, x685) = fiat_p521_scalar_mulx_u64(x680, 0xffffffffffffffff); let mut x686: u64 = 0; let mut x687: u64 = 0; let (x686, x687) = fiat_p521_scalar_mulx_u64(x680, 0xffffffffffffffff); let mut x688: u64 = 0; let mut x689: u64 = 0; let (x688, x689) = fiat_p521_scalar_mulx_u64(x680, 
0xffffffffffffffff); let mut x690: u64 = 0; let mut x691: u64 = 0; let (x690, x691) = fiat_p521_scalar_mulx_u64(x680, 0xfffffffffffffffa); let mut x692: u64 = 0; let mut x693: u64 = 0; let (x692, x693) = fiat_p521_scalar_mulx_u64(x680, 0x51868783bf2f966b); let mut x694: u64 = 0; let mut x695: u64 = 0; let (x694, x695) = fiat_p521_scalar_mulx_u64(x680, 0x7fcc0148f709a5d0); let mut x696: u64 = 0; let mut x697: u64 = 0; let (x696, x697) = fiat_p521_scalar_mulx_u64(x680, 0x3bb5c9b8899c47ae); let mut x698: u64 = 0; let mut x699: u64 = 0; let (x698, x699) = fiat_p521_scalar_mulx_u64(x680, 0xbb6fb71e91386409); let mut x700: u64 = 0; let mut x701: fiat_p521_scalar_u1 = 0; let (x700, x701) = fiat_p521_scalar_addcarryx_u64(0x0, x699, x696); let mut x702: u64 = 0; let mut x703: fiat_p521_scalar_u1 = 0; let (x702, x703) = fiat_p521_scalar_addcarryx_u64(x701, x697, x694); let mut x704: u64 = 0; let mut x705: fiat_p521_scalar_u1 = 0; let (x704, x705) = fiat_p521_scalar_addcarryx_u64(x703, x695, x692); let mut x706: u64 = 0; let mut x707: fiat_p521_scalar_u1 = 0; let (x706, x707) = fiat_p521_scalar_addcarryx_u64(x705, x693, x690); let mut x708: u64 = 0; let mut x709: fiat_p521_scalar_u1 = 0; let (x708, x709) = fiat_p521_scalar_addcarryx_u64(x707, x691, x688); let mut x710: u64 = 0; let mut x711: fiat_p521_scalar_u1 = 0; let (x710, x711) = fiat_p521_scalar_addcarryx_u64(x709, x689, x686); let mut x712: u64 = 0; let mut x713: fiat_p521_scalar_u1 = 0; let (x712, x713) = fiat_p521_scalar_addcarryx_u64(x711, x687, x684); let mut x714: u64 = 0; let mut x715: fiat_p521_scalar_u1 = 0; let (x714, x715) = fiat_p521_scalar_addcarryx_u64(x713, x685, x682); let mut x716: u64 = 0; let mut x717: fiat_p521_scalar_u1 = 0; let (x716, x717) = fiat_p521_scalar_addcarryx_u64(0x0, x662, x698); let mut x718: u64 = 0; let mut x719: fiat_p521_scalar_u1 = 0; let (x718, x719) = fiat_p521_scalar_addcarryx_u64(x717, x664, x700); let mut x720: u64 = 0; let mut x721: fiat_p521_scalar_u1 = 0; let (x720, x721) = 
fiat_p521_scalar_addcarryx_u64(x719, x666, x702); let mut x722: u64 = 0; let mut x723: fiat_p521_scalar_u1 = 0; let (x722, x723) = fiat_p521_scalar_addcarryx_u64(x721, x668, x704); let mut x724: u64 = 0; let mut x725: fiat_p521_scalar_u1 = 0; let (x724, x725) = fiat_p521_scalar_addcarryx_u64(x723, x670, x706); let mut x726: u64 = 0; let mut x727: fiat_p521_scalar_u1 = 0; let (x726, x727) = fiat_p521_scalar_addcarryx_u64(x725, x672, x708); let mut x728: u64 = 0; let mut x729: fiat_p521_scalar_u1 = 0; let (x728, x729) = fiat_p521_scalar_addcarryx_u64(x727, x674, x710); let mut x730: u64 = 0; let mut x731: fiat_p521_scalar_u1 = 0; let (x730, x731) = fiat_p521_scalar_addcarryx_u64(x729, x676, x712); let mut x732: u64 = 0; let mut x733: fiat_p521_scalar_u1 = 0; let (x732, x733) = fiat_p521_scalar_addcarryx_u64(x731, x678, x714); let mut x734: u64 = 0; let mut x735: u64 = 0; let (x734, x735) = fiat_p521_scalar_mulx_u64(x7, 0x3d); let mut x736: u64 = 0; let mut x737: u64 = 0; let (x736, x737) = fiat_p521_scalar_mulx_u64(x7, 0x2d8e03d1492d0d45); let mut x738: u64 = 0; let mut x739: u64 = 0; let (x738, x739) = fiat_p521_scalar_mulx_u64(x7, 0x5bcc6d61a8e567bc); let mut x740: u64 = 0; let mut x741: u64 = 0; let (x740, x741) = fiat_p521_scalar_mulx_u64(x7, 0xcff3d142b7756e3e); let mut x742: u64 = 0; let mut x743: u64 = 0; let (x742, x743) = fiat_p521_scalar_mulx_u64(x7, 0xdd6e23d82e49c7db); let mut x744: u64 = 0; let mut x745: u64 = 0; let (x744, x745) = fiat_p521_scalar_mulx_u64(x7, 0xd3721ef557f75e06); let mut x746: u64 = 0; let mut x747: u64 = 0; let (x746, x747) = fiat_p521_scalar_mulx_u64(x7, 0x12a78d38794573ff); let mut x748: u64 = 0; let mut x749: u64 = 0; let (x748, x749) = fiat_p521_scalar_mulx_u64(x7, 0xf707badce5547ea3); let mut x750: u64 = 0; let mut x751: u64 = 0; let (x750, x751) = fiat_p521_scalar_mulx_u64(x7, 0x137cd04dcf15dd04); let mut x752: u64 = 0; let mut x753: fiat_p521_scalar_u1 = 0; let (x752, x753) = fiat_p521_scalar_addcarryx_u64(0x0, x751, x748); let 
mut x754: u64 = 0; let mut x755: fiat_p521_scalar_u1 = 0; let (x754, x755) = fiat_p521_scalar_addcarryx_u64(x753, x749, x746); let mut x756: u64 = 0; let mut x757: fiat_p521_scalar_u1 = 0; let (x756, x757) = fiat_p521_scalar_addcarryx_u64(x755, x747, x744); let mut x758: u64 = 0; let mut x759: fiat_p521_scalar_u1 = 0; let (x758, x759) = fiat_p521_scalar_addcarryx_u64(x757, x745, x742); let mut x760: u64 = 0; let mut x761: fiat_p521_scalar_u1 = 0; let (x760, x761) = fiat_p521_scalar_addcarryx_u64(x759, x743, x740); let mut x762: u64 = 0; let mut x763: fiat_p521_scalar_u1 = 0; let (x762, x763) = fiat_p521_scalar_addcarryx_u64(x761, x741, x738); let mut x764: u64 = 0; let mut x765: fiat_p521_scalar_u1 = 0; let (x764, x765) = fiat_p521_scalar_addcarryx_u64(x763, x739, x736); let mut x766: u64 = 0; let mut x767: fiat_p521_scalar_u1 = 0; let (x766, x767) = fiat_p521_scalar_addcarryx_u64(x765, x737, x734); let mut x768: u64 = 0; let mut x769: fiat_p521_scalar_u1 = 0; let (x768, x769) = fiat_p521_scalar_addcarryx_u64(0x0, x718, x750); let mut x770: u64 = 0; let mut x771: fiat_p521_scalar_u1 = 0; let (x770, x771) = fiat_p521_scalar_addcarryx_u64(x769, x720, x752); let mut x772: u64 = 0; let mut x773: fiat_p521_scalar_u1 = 0; let (x772, x773) = fiat_p521_scalar_addcarryx_u64(x771, x722, x754); let mut x774: u64 = 0; let mut x775: fiat_p521_scalar_u1 = 0; let (x774, x775) = fiat_p521_scalar_addcarryx_u64(x773, x724, x756); let mut x776: u64 = 0; let mut x777: fiat_p521_scalar_u1 = 0; let (x776, x777) = fiat_p521_scalar_addcarryx_u64(x775, x726, x758); let mut x778: u64 = 0; let mut x779: fiat_p521_scalar_u1 = 0; let (x778, x779) = fiat_p521_scalar_addcarryx_u64(x777, x728, x760); let mut x780: u64 = 0; let mut x781: fiat_p521_scalar_u1 = 0; let (x780, x781) = fiat_p521_scalar_addcarryx_u64(x779, x730, x762); let mut x782: u64 = 0; let mut x783: fiat_p521_scalar_u1 = 0; let (x782, x783) = fiat_p521_scalar_addcarryx_u64(x781, x732, x764); let mut x784: u64 = 0; let mut x785: 
fiat_p521_scalar_u1 = 0; let (x784, x785) = fiat_p521_scalar_addcarryx_u64( x783, (((x733 as u64) + ((x679 as u64) + ((x661 as u64) + x629))) + ((x715 as u64) + x683)), x766, ); let mut x786: u64 = 0; let mut x787: u64 = 0; let (x786, x787) = fiat_p521_scalar_mulx_u64(x768, 0x1d2f5ccd79a995c7); let mut x788: u64 = 0; let mut x789: u64 = 0; let (x788, x789) = fiat_p521_scalar_mulx_u64(x786, 0x1ff); let mut x790: u64 = 0; let mut x791: u64 = 0; let (x790, x791) = fiat_p521_scalar_mulx_u64(x786, 0xffffffffffffffff); let mut x792: u64 = 0; let mut x793: u64 = 0; let (x792, x793) = fiat_p521_scalar_mulx_u64(x786, 0xffffffffffffffff); let mut x794: u64 = 0; let mut x795: u64 = 0; let (x794, x795) = fiat_p521_scalar_mulx_u64(x786, 0xffffffffffffffff); let mut x796: u64 = 0; let mut x797: u64 = 0; let (x796, x797) = fiat_p521_scalar_mulx_u64(x786, 0xfffffffffffffffa); let mut x798: u64 = 0; let mut x799: u64 = 0; let (x798, x799) = fiat_p521_scalar_mulx_u64(x786, 0x51868783bf2f966b); let mut x800: u64 = 0; let mut x801: u64 = 0; let (x800, x801) = fiat_p521_scalar_mulx_u64(x786, 0x7fcc0148f709a5d0); let mut x802: u64 = 0; let mut x803: u64 = 0; let (x802, x803) = fiat_p521_scalar_mulx_u64(x786, 0x3bb5c9b8899c47ae); let mut x804: u64 = 0; let mut x805: u64 = 0; let (x804, x805) = fiat_p521_scalar_mulx_u64(x786, 0xbb6fb71e91386409); let mut x806: u64 = 0; let mut x807: fiat_p521_scalar_u1 = 0; let (x806, x807) = fiat_p521_scalar_addcarryx_u64(0x0, x805, x802); let mut x808: u64 = 0; let mut x809: fiat_p521_scalar_u1 = 0; let (x808, x809) = fiat_p521_scalar_addcarryx_u64(x807, x803, x800); let mut x810: u64 = 0; let mut x811: fiat_p521_scalar_u1 = 0; let (x810, x811) = fiat_p521_scalar_addcarryx_u64(x809, x801, x798); let mut x812: u64 = 0; let mut x813: fiat_p521_scalar_u1 = 0; let (x812, x813) = fiat_p521_scalar_addcarryx_u64(x811, x799, x796); let mut x814: u64 = 0; let mut x815: fiat_p521_scalar_u1 = 0; let (x814, x815) = fiat_p521_scalar_addcarryx_u64(x813, x797, x794); 
let mut x816: u64 = 0; let mut x817: fiat_p521_scalar_u1 = 0; let (x816, x817) = fiat_p521_scalar_addcarryx_u64(x815, x795, x792); let mut x818: u64 = 0; let mut x819: fiat_p521_scalar_u1 = 0; let (x818, x819) = fiat_p521_scalar_addcarryx_u64(x817, x793, x790); let mut x820: u64 = 0; let mut x821: fiat_p521_scalar_u1 = 0; let (x820, x821) = fiat_p521_scalar_addcarryx_u64(x819, x791, x788); let mut x822: u64 = 0; let mut x823: fiat_p521_scalar_u1 = 0; let (x822, x823) = fiat_p521_scalar_addcarryx_u64(0x0, x768, x804); let mut x824: u64 = 0; let mut x825: fiat_p521_scalar_u1 = 0; let (x824, x825) = fiat_p521_scalar_addcarryx_u64(x823, x770, x806); let mut x826: u64 = 0; let mut x827: fiat_p521_scalar_u1 = 0; let (x826, x827) = fiat_p521_scalar_addcarryx_u64(x825, x772, x808); let mut x828: u64 = 0; let mut x829: fiat_p521_scalar_u1 = 0; let (x828, x829) = fiat_p521_scalar_addcarryx_u64(x827, x774, x810); let mut x830: u64 = 0; let mut x831: fiat_p521_scalar_u1 = 0; let (x830, x831) = fiat_p521_scalar_addcarryx_u64(x829, x776, x812); let mut x832: u64 = 0; let mut x833: fiat_p521_scalar_u1 = 0; let (x832, x833) = fiat_p521_scalar_addcarryx_u64(x831, x778, x814); let mut x834: u64 = 0; let mut x835: fiat_p521_scalar_u1 = 0; let (x834, x835) = fiat_p521_scalar_addcarryx_u64(x833, x780, x816); let mut x836: u64 = 0; let mut x837: fiat_p521_scalar_u1 = 0; let (x836, x837) = fiat_p521_scalar_addcarryx_u64(x835, x782, x818); let mut x838: u64 = 0; let mut x839: fiat_p521_scalar_u1 = 0; let (x838, x839) = fiat_p521_scalar_addcarryx_u64(x837, x784, x820); let mut x840: u64 = 0; let mut x841: u64 = 0; let (x840, x841) = fiat_p521_scalar_mulx_u64(x8, 0x3d); let mut x842: u64 = 0; let mut x843: u64 = 0; let (x842, x843) = fiat_p521_scalar_mulx_u64(x8, 0x2d8e03d1492d0d45); let mut x844: u64 = 0; let mut x845: u64 = 0; let (x844, x845) = fiat_p521_scalar_mulx_u64(x8, 0x5bcc6d61a8e567bc); let mut x846: u64 = 0; let mut x847: u64 = 0; let (x846, x847) = fiat_p521_scalar_mulx_u64(x8, 
0xcff3d142b7756e3e); let mut x848: u64 = 0; let mut x849: u64 = 0; let (x848, x849) = fiat_p521_scalar_mulx_u64(x8, 0xdd6e23d82e49c7db); let mut x850: u64 = 0; let mut x851: u64 = 0; let (x850, x851) = fiat_p521_scalar_mulx_u64(x8, 0xd3721ef557f75e06); let mut x852: u64 = 0; let mut x853: u64 = 0; let (x852, x853) = fiat_p521_scalar_mulx_u64(x8, 0x12a78d38794573ff); let mut x854: u64 = 0; let mut x855: u64 = 0; let (x854, x855) = fiat_p521_scalar_mulx_u64(x8, 0xf707badce5547ea3); let mut x856: u64 = 0; let mut x857: u64 = 0; let (x856, x857) = fiat_p521_scalar_mulx_u64(x8, 0x137cd04dcf15dd04); let mut x858: u64 = 0; let mut x859: fiat_p521_scalar_u1 = 0; let (x858, x859) = fiat_p521_scalar_addcarryx_u64(0x0, x857, x854); let mut x860: u64 = 0; let mut x861: fiat_p521_scalar_u1 = 0; let (x860, x861) = fiat_p521_scalar_addcarryx_u64(x859, x855, x852); let mut x862: u64 = 0; let mut x863: fiat_p521_scalar_u1 = 0; let (x862, x863) = fiat_p521_scalar_addcarryx_u64(x861, x853, x850); let mut x864: u64 = 0; let mut x865: fiat_p521_scalar_u1 = 0; let (x864, x865) = fiat_p521_scalar_addcarryx_u64(x863, x851, x848); let mut x866: u64 = 0; let mut x867: fiat_p521_scalar_u1 = 0; let (x866, x867) = fiat_p521_scalar_addcarryx_u64(x865, x849, x846); let mut x868: u64 = 0; let mut x869: fiat_p521_scalar_u1 = 0; let (x868, x869) = fiat_p521_scalar_addcarryx_u64(x867, x847, x844); let mut x870: u64 = 0; let mut x871: fiat_p521_scalar_u1 = 0; let (x870, x871) = fiat_p521_scalar_addcarryx_u64(x869, x845, x842); let mut x872: u64 = 0; let mut x873: fiat_p521_scalar_u1 = 0; let (x872, x873) = fiat_p521_scalar_addcarryx_u64(x871, x843, x840); let mut x874: u64 = 0; let mut x875: fiat_p521_scalar_u1 = 0; let (x874, x875) = fiat_p521_scalar_addcarryx_u64(0x0, x824, x856); let mut x876: u64 = 0; let mut x877: fiat_p521_scalar_u1 = 0; let (x876, x877) = fiat_p521_scalar_addcarryx_u64(x875, x826, x858); let mut x878: u64 = 0; let mut x879: fiat_p521_scalar_u1 = 0; let (x878, x879) = 
fiat_p521_scalar_addcarryx_u64(x877, x828, x860); let mut x880: u64 = 0; let mut x881: fiat_p521_scalar_u1 = 0; let (x880, x881) = fiat_p521_scalar_addcarryx_u64(x879, x830, x862); let mut x882: u64 = 0; let mut x883: fiat_p521_scalar_u1 = 0; let (x882, x883) = fiat_p521_scalar_addcarryx_u64(x881, x832, x864); let mut x884: u64 = 0; let mut x885: fiat_p521_scalar_u1 = 0; let (x884, x885) = fiat_p521_scalar_addcarryx_u64(x883, x834, x866); let mut x886: u64 = 0; let mut x887: fiat_p521_scalar_u1 = 0; let (x886, x887) = fiat_p521_scalar_addcarryx_u64(x885, x836, x868); let mut x888: u64 = 0; let mut x889: fiat_p521_scalar_u1 = 0; let (x888, x889) = fiat_p521_scalar_addcarryx_u64(x887, x838, x870); let mut x890: u64 = 0; let mut x891: fiat_p521_scalar_u1 = 0; let (x890, x891) = fiat_p521_scalar_addcarryx_u64( x889, (((x839 as u64) + ((x785 as u64) + ((x767 as u64) + x735))) + ((x821 as u64) + x789)), x872, ); let mut x892: u64 = 0; let mut x893: u64 = 0; let (x892, x893) = fiat_p521_scalar_mulx_u64(x874, 0x1d2f5ccd79a995c7); let mut x894: u64 = 0; let mut x895: u64 = 0; let (x894, x895) = fiat_p521_scalar_mulx_u64(x892, 0x1ff); let mut x896: u64 = 0; let mut x897: u64 = 0; let (x896, x897) = fiat_p521_scalar_mulx_u64(x892, 0xffffffffffffffff); let mut x898: u64 = 0; let mut x899: u64 = 0; let (x898, x899) = fiat_p521_scalar_mulx_u64(x892, 0xffffffffffffffff); let mut x900: u64 = 0; let mut x901: u64 = 0; let (x900, x901) = fiat_p521_scalar_mulx_u64(x892, 0xffffffffffffffff); let mut x902: u64 = 0; let mut x903: u64 = 0; let (x902, x903) = fiat_p521_scalar_mulx_u64(x892, 0xfffffffffffffffa); let mut x904: u64 = 0; let mut x905: u64 = 0; let (x904, x905) = fiat_p521_scalar_mulx_u64(x892, 0x51868783bf2f966b); let mut x906: u64 = 0; let mut x907: u64 = 0; let (x906, x907) = fiat_p521_scalar_mulx_u64(x892, 0x7fcc0148f709a5d0); let mut x908: u64 = 0; let mut x909: u64 = 0; let (x908, x909) = fiat_p521_scalar_mulx_u64(x892, 0x3bb5c9b8899c47ae); let mut x910: u64 = 0; let mut 
x911: u64 = 0; let (x910, x911) = fiat_p521_scalar_mulx_u64(x892, 0xbb6fb71e91386409); let mut x912: u64 = 0; let mut x913: fiat_p521_scalar_u1 = 0; let (x912, x913) = fiat_p521_scalar_addcarryx_u64(0x0, x911, x908); let mut x914: u64 = 0; let mut x915: fiat_p521_scalar_u1 = 0; let (x914, x915) = fiat_p521_scalar_addcarryx_u64(x913, x909, x906); let mut x916: u64 = 0; let mut x917: fiat_p521_scalar_u1 = 0; let (x916, x917) = fiat_p521_scalar_addcarryx_u64(x915, x907, x904); let mut x918: u64 = 0; let mut x919: fiat_p521_scalar_u1 = 0; let (x918, x919) = fiat_p521_scalar_addcarryx_u64(x917, x905, x902); let mut x920: u64 = 0; let mut x921: fiat_p521_scalar_u1 = 0; let (x920, x921) = fiat_p521_scalar_addcarryx_u64(x919, x903, x900); let mut x922: u64 = 0; let mut x923: fiat_p521_scalar_u1 = 0; let (x922, x923) = fiat_p521_scalar_addcarryx_u64(x921, x901, x898); let mut x924: u64 = 0; let mut x925: fiat_p521_scalar_u1 = 0; let (x924, x925) = fiat_p521_scalar_addcarryx_u64(x923, x899, x896); let mut x926: u64 = 0; let mut x927: fiat_p521_scalar_u1 = 0; let (x926, x927) = fiat_p521_scalar_addcarryx_u64(x925, x897, x894); let mut x928: u64 = 0; let mut x929: fiat_p521_scalar_u1 = 0; let (x928, x929) = fiat_p521_scalar_addcarryx_u64(0x0, x874, x910); let mut x930: u64 = 0; let mut x931: fiat_p521_scalar_u1 = 0; let (x930, x931) = fiat_p521_scalar_addcarryx_u64(x929, x876, x912); let mut x932: u64 = 0; let mut x933: fiat_p521_scalar_u1 = 0; let (x932, x933) = fiat_p521_scalar_addcarryx_u64(x931, x878, x914); let mut x934: u64 = 0; let mut x935: fiat_p521_scalar_u1 = 0; let (x934, x935) = fiat_p521_scalar_addcarryx_u64(x933, x880, x916); let mut x936: u64 = 0; let mut x937: fiat_p521_scalar_u1 = 0; let (x936, x937) = fiat_p521_scalar_addcarryx_u64(x935, x882, x918); let mut x938: u64 = 0; let mut x939: fiat_p521_scalar_u1 = 0; let (x938, x939) = fiat_p521_scalar_addcarryx_u64(x937, x884, x920); let mut x940: u64 = 0; let mut x941: fiat_p521_scalar_u1 = 0; let (x940, x941) = 
fiat_p521_scalar_addcarryx_u64(x939, x886, x922); let mut x942: u64 = 0; let mut x943: fiat_p521_scalar_u1 = 0; let (x942, x943) = fiat_p521_scalar_addcarryx_u64(x941, x888, x924); let mut x944: u64 = 0; let mut x945: fiat_p521_scalar_u1 = 0; let (x944, x945) = fiat_p521_scalar_addcarryx_u64(x943, x890, x926); let x946: u64 = (((x945 as u64) + ((x891 as u64) + ((x873 as u64) + x841))) + ((x927 as u64) + x895)); let mut x947: u64 = 0; let mut x948: fiat_p521_scalar_u1 = 0; let (x947, x948) = fiat_p521_scalar_subborrowx_u64(0x0, x930, 0xbb6fb71e91386409); let mut x949: u64 = 0; let mut x950: fiat_p521_scalar_u1 = 0; let (x949, x950) = fiat_p521_scalar_subborrowx_u64(x948, x932, 0x3bb5c9b8899c47ae); let mut x951: u64 = 0; let mut x952: fiat_p521_scalar_u1 = 0; let (x951, x952) = fiat_p521_scalar_subborrowx_u64(x950, x934, 0x7fcc0148f709a5d0); let mut x953: u64 = 0; let mut x954: fiat_p521_scalar_u1 = 0; let (x953, x954) = fiat_p521_scalar_subborrowx_u64(x952, x936, 0x51868783bf2f966b); let mut x955: u64 = 0; let mut x956: fiat_p521_scalar_u1 = 0; let (x955, x956) = fiat_p521_scalar_subborrowx_u64(x954, x938, 0xfffffffffffffffa); let mut x957: u64 = 0; let mut x958: fiat_p521_scalar_u1 = 0; let (x957, x958) = fiat_p521_scalar_subborrowx_u64(x956, x940, 0xffffffffffffffff); let mut x959: u64 = 0; let mut x960: fiat_p521_scalar_u1 = 0; let (x959, x960) = fiat_p521_scalar_subborrowx_u64(x958, x942, 0xffffffffffffffff); let mut x961: u64 = 0; let mut x962: fiat_p521_scalar_u1 = 0; let (x961, x962) = fiat_p521_scalar_subborrowx_u64(x960, x944, 0xffffffffffffffff); let mut x963: u64 = 0; let mut x964: fiat_p521_scalar_u1 = 0; let (x963, x964) = fiat_p521_scalar_subborrowx_u64(x962, x946, 0x1ff); let mut x965: u64 = 0; let mut x966: fiat_p521_scalar_u1 = 0; let (x965, x966) = fiat_p521_scalar_subborrowx_u64(x964, (0x0 as u64), (0x0 as u64)); let mut x967: u64 = 0; let (x967) = fiat_p521_scalar_cmovznz_u64(x966, x947, x930); let mut x968: u64 = 0; let (x968) = 
fiat_p521_scalar_cmovznz_u64(x966, x949, x932); let mut x969: u64 = 0; let (x969) = fiat_p521_scalar_cmovznz_u64(x966, x951, x934); let mut x970: u64 = 0; let (x970) = fiat_p521_scalar_cmovznz_u64(x966, x953, x936); let mut x971: u64 = 0; let (x971) = fiat_p521_scalar_cmovznz_u64(x966, x955, x938); let mut x972: u64 = 0; let (x972) = fiat_p521_scalar_cmovznz_u64(x966, x957, x940); let mut x973: u64 = 0; let (x973) = fiat_p521_scalar_cmovznz_u64(x966, x959, x942); let mut x974: u64 = 0; let (x974) = fiat_p521_scalar_cmovznz_u64(x966, x961, x944); let mut x975: u64 = 0; let (x975) = fiat_p521_scalar_cmovznz_u64(x966, x963, x946); out1[0] = x967; out1[1] = x968; out1[2] = x969; out1[3] = x970; out1[4] = x971; out1[5] = x972; out1[6] = x973; out1[7] = x974; out1[8] = x975; out1 }

// fiat_p521_scalar_nonzero: ORs the nine limbs of `arg1` into one word, so the
// result is zero exactly when every limb is zero. The body is one straight-line
// expression; no branch or array index depends on the limb values.
//
// NOTE(review): nothing in this function reduces or range-checks `arg1`. The
// generated precondition (0 ≤ eval arg1 < m) is what makes "all limbs zero"
// equivalent to "zero mod m"; an unreduced input that is a non-zero multiple of
// m would be reported as non-zero. Callers should pass only reduced elements.
// The result is an arbitrary non-zero word, not a 0/1 flag.
#[doc = " The function fiat_p521_scalar_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise."]
#[doc = ""]
#[doc = " Preconditions:"]
#[doc = " 0 ≤ eval arg1 < m"]
#[doc = " Postconditions:"]
#[doc = " out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"]
#[inline]
pub const fn fiat_p521_scalar_nonzero(arg1: &[u64; 9]) -> u64 {
    let mut out1: u64 = 0;
    // Bitwise OR over all nine limbs: any set bit anywhere survives into x1.
    let x1: u64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | (arg1[8])))))))));
    out1 = x1;
    out1
}

// fiat_p521_scalar_selectznz: limb-by-limb select between `arg2` and `arg3`,
// passing the same condition `arg1` to fiat_p521_scalar_cmovznz_u64 for each of
// the nine limbs. Per the postcondition, arg1 == 0 yields arg2, otherwise arg3.
//
// NOTE(review): this function contains no branch on `arg1`; whether the
// selection is data-independent end to end depends on
// fiat_p521_scalar_cmovznz_u64, which is defined outside this part of the file,
// and on the compiler not reintroducing a branch — confirm there.
// `arg1` is documented as 0 or 1; other values are outside the stated bounds.
#[doc = " The function fiat_p521_scalar_selectznz is a multi-limb conditional select."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"]
#[doc = ""]
#[doc = " Input Bounds:"]
#[doc = " arg1: [0x0 ~> 0x1]"]
#[doc = " arg2: [[0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[doc = " arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[doc = " Output Bounds:"]
#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[inline]
pub const fn fiat_p521_scalar_selectznz(
    arg1: fiat_p521_scalar_u1,
    arg2: &[u64; 9],
    arg3: &[u64; 9],
) -> [u64; 9] {
    let mut out1: [u64; 9] = [0; 9];
    // One conditional move per limb, all driven by the same flag `arg1`.
    let mut x1: u64 = 0;
    let (x1) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[0]), (arg3[0]));
    let mut x2: u64 = 0;
    let (x2) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[1]), (arg3[1]));
    let mut x3: u64 = 0;
    let (x3) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[2]), (arg3[2]));
    let mut x4: u64 = 0;
    let (x4) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[3]), (arg3[3]));
    let mut x5: u64 = 0;
    let (x5) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[4]), (arg3[4]));
    let mut x6: u64 = 0;
    let (x6) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[5]), (arg3[5]));
    let mut x7: u64 = 0;
    let (x7) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[6]), (arg3[6]));
    let mut x8: u64 = 0;
    let (x8) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[7]), (arg3[7]));
    let mut x9: u64 = 0;
    let (x9) = fiat_p521_scalar_cmovznz_u64(arg1, (arg2[8]), (arg3[8]));
    out1[0] = x1;
    out1[1] = x2;
    out1[2] = x3;
    out1[3] = x4;
    out1[4] = x5;
    out1[5] = x6;
    out1[6] = x7;
    out1[7] = x8;
    out1[8] = x9;
    out1
}

#[doc = " The function fiat_p521_scalar_to_bytes 
serializes a field element NOT in the Montgomery domain to bytes in little-endian order."] #[doc = ""] #[doc = " Preconditions:"] #[doc = " 0 ≤ eval arg1 < m"] #[doc = " Postconditions:"] #[doc = " out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65]"] #[doc = ""] #[doc = " Input Bounds:"] #[doc = " arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1ff]]"] #[doc = " Output Bounds:"] #[doc = " out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]]"] #[inline] pub const fn fiat_p521_scalar_to_bytes(arg1: &[u64; 9]) -> [u8; 66] { let mut out1: [u8; 66] = [0; 66]; let x1: u64 = (arg1[8]); let x2: u64 = (arg1[7]); let x3: u64 = (arg1[6]); let x4: u64 = (arg1[5]); let x5: u64 = (arg1[4]); let x6: u64 = (arg1[3]); let x7: u64 = (arg1[2]); let x8: u64 = (arg1[1]); let x9: u64 = (arg1[0]); let x10: u8 = ((x9 & (0xff as u64)) as 
u8); let x11: u64 = (x9 >> 8); let x12: u8 = ((x11 & (0xff as u64)) as u8); let x13: u64 = (x11 >> 8); let x14: u8 = ((x13 & (0xff as u64)) as u8); let x15: u64 = (x13 >> 8); let x16: u8 = ((x15 & (0xff as u64)) as u8); let x17: u64 = (x15 >> 8); let x18: u8 = ((x17 & (0xff as u64)) as u8); let x19: u64 = (x17 >> 8); let x20: u8 = ((x19 & (0xff as u64)) as u8); let x21: u64 = (x19 >> 8); let x22: u8 = ((x21 & (0xff as u64)) as u8); let x23: u8 = ((x21 >> 8) as u8); let x24: u8 = ((x8 & (0xff as u64)) as u8); let x25: u64 = (x8 >> 8); let x26: u8 = ((x25 & (0xff as u64)) as u8); let x27: u64 = (x25 >> 8); let x28: u8 = ((x27 & (0xff as u64)) as u8); let x29: u64 = (x27 >> 8); let x30: u8 = ((x29 & (0xff as u64)) as u8); let x31: u64 = (x29 >> 8); let x32: u8 = ((x31 & (0xff as u64)) as u8); let x33: u64 = (x31 >> 8); let x34: u8 = ((x33 & (0xff as u64)) as u8); let x35: u64 = (x33 >> 8); let x36: u8 = ((x35 & (0xff as u64)) as u8); let x37: u8 = ((x35 >> 8) as u8); let x38: u8 = ((x7 & (0xff as u64)) as u8); let x39: u64 = (x7 >> 8); let x40: u8 = ((x39 & (0xff as u64)) as u8); let x41: u64 = (x39 >> 8); let x42: u8 = ((x41 & (0xff as u64)) as u8); let x43: u64 = (x41 >> 8); let x44: u8 = ((x43 & (0xff as u64)) as u8); let x45: u64 = (x43 >> 8); let x46: u8 = ((x45 & (0xff as u64)) as u8); let x47: u64 = (x45 >> 8); let x48: u8 = ((x47 & (0xff as u64)) as u8); let x49: u64 = (x47 >> 8); let x50: u8 = ((x49 & (0xff as u64)) as u8); let x51: u8 = ((x49 >> 8) as u8); let x52: u8 = ((x6 & (0xff as u64)) as u8); let x53: u64 = (x6 >> 8); let x54: u8 = ((x53 & (0xff as u64)) as u8); let x55: u64 = (x53 >> 8); let x56: u8 = ((x55 & (0xff as u64)) as u8); let x57: u64 = (x55 >> 8); let x58: u8 = ((x57 & (0xff as u64)) as u8); let x59: u64 = (x57 >> 8); let x60: u8 = ((x59 & (0xff as u64)) as u8); let x61: u64 = (x59 >> 8); let x62: u8 = ((x61 & (0xff as u64)) as u8); let x63: u64 = (x61 >> 8); let x64: u8 = ((x63 & (0xff as u64)) as u8); let x65: u8 = ((x63 >> 8) as u8); 
let x66: u8 = ((x5 & (0xff as u64)) as u8); let x67: u64 = (x5 >> 8); let x68: u8 = ((x67 & (0xff as u64)) as u8); let x69: u64 = (x67 >> 8); let x70: u8 = ((x69 & (0xff as u64)) as u8); let x71: u64 = (x69 >> 8); let x72: u8 = ((x71 & (0xff as u64)) as u8); let x73: u64 = (x71 >> 8); let x74: u8 = ((x73 & (0xff as u64)) as u8); let x75: u64 = (x73 >> 8); let x76: u8 = ((x75 & (0xff as u64)) as u8); let x77: u64 = (x75 >> 8); let x78: u8 = ((x77 & (0xff as u64)) as u8); let x79: u8 = ((x77 >> 8) as u8); let x80: u8 = ((x4 & (0xff as u64)) as u8); let x81: u64 = (x4 >> 8); let x82: u8 = ((x81 & (0xff as u64)) as u8); let x83: u64 = (x81 >> 8); let x84: u8 = ((x83 & (0xff as u64)) as u8); let x85: u64 = (x83 >> 8); let x86: u8 = ((x85 & (0xff as u64)) as u8); let x87: u64 = (x85 >> 8); let x88: u8 = ((x87 & (0xff as u64)) as u8); let x89: u64 = (x87 >> 8); let x90: u8 = ((x89 & (0xff as u64)) as u8); let x91: u64 = (x89 >> 8); let x92: u8 = ((x91 & (0xff as u64)) as u8); let x93: u8 = ((x91 >> 8) as u8); let x94: u8 = ((x3 & (0xff as u64)) as u8); let x95: u64 = (x3 >> 8); let x96: u8 = ((x95 & (0xff as u64)) as u8); let x97: u64 = (x95 >> 8); let x98: u8 = ((x97 & (0xff as u64)) as u8); let x99: u64 = (x97 >> 8); let x100: u8 = ((x99 & (0xff as u64)) as u8); let x101: u64 = (x99 >> 8); let x102: u8 = ((x101 & (0xff as u64)) as u8); let x103: u64 = (x101 >> 8); let x104: u8 = ((x103 & (0xff as u64)) as u8); let x105: u64 = (x103 >> 8); let x106: u8 = ((x105 & (0xff as u64)) as u8); let x107: u8 = ((x105 >> 8) as u8); let x108: u8 = ((x2 & (0xff as u64)) as u8); let x109: u64 = (x2 >> 8); let x110: u8 = ((x109 & (0xff as u64)) as u8); let x111: u64 = (x109 >> 8); let x112: u8 = ((x111 & (0xff as u64)) as u8); let x113: u64 = (x111 >> 8); let x114: u8 = ((x113 & (0xff as u64)) as u8); let x115: u64 = (x113 >> 8); let x116: u8 = ((x115 & (0xff as u64)) as u8); let x117: u64 = (x115 >> 8); let x118: u8 = ((x117 & (0xff as u64)) as u8); let x119: u64 = (x117 >> 8); let 
x120: u8 = ((x119 & (0xff as u64)) as u8); let x121: u8 = ((x119 >> 8) as u8); let x122: u8 = ((x1 & (0xff as u64)) as u8); let x123: fiat_p521_scalar_u1 = ((x1 >> 8) as fiat_p521_scalar_u1); out1[0] = x10; out1[1] = x12; out1[2] = x14; out1[3] = x16; out1[4] = x18; out1[5] = x20; out1[6] = x22; out1[7] = x23; out1[8] = x24; out1[9] = x26; out1[10] = x28; out1[11] = x30; out1[12] = x32; out1[13] = x34; out1[14] = x36; out1[15] = x37; out1[16] = x38; out1[17] = x40; out1[18] = x42; out1[19] = x44; out1[20] = x46; out1[21] = x48; out1[22] = x50; out1[23] = x51; out1[24] = x52; out1[25] = x54; out1[26] = x56; out1[27] = x58; out1[28] = x60; out1[29] = x62; out1[30] = x64; out1[31] = x65; out1[32] = x66; out1[33] = x68; out1[34] = x70; out1[35] = x72; out1[36] = x74; out1[37] = x76; out1[38] = x78; out1[39] = x79; out1[40] = x80; out1[41] = x82; out1[42] = x84; out1[43] = x86; out1[44] = x88; out1[45] = x90; out1[46] = x92; out1[47] = x93; out1[48] = x94; out1[49] = x96; out1[50] = x98; out1[51] = x100; out1[52] = x102; out1[53] = x104; out1[54] = x106; out1[55] = x107; out1[56] = x108; out1[57] = x110; out1[58] = x112; out1[59] = x114; out1[60] = x116; out1[61] = x118; out1[62] = x120; out1[63] = x121; out1[64] = x122; out1[65] = (x123 as u8); out1 } #[doc = " The function fiat_p521_scalar_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order."] #[doc = ""] #[doc = " Preconditions:"] #[doc = " 0 ≤ bytes_eval arg1 < m"] #[doc = " Postconditions:"] #[doc = " eval out1 mod m = bytes_eval arg1 mod m"] #[doc = " 0 ≤ eval out1 < m"] #[doc = ""] #[doc = " Input Bounds:"] #[doc = " arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], 
[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]]"] #[doc = " Output Bounds:"] #[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1ff]]"] #[inline] pub const fn fiat_p521_scalar_from_bytes(arg1: &[u8; 66]) -> [u64; 9] { let mut out1: [u64; 9] = [0; 9]; let x1: u64 = ((((arg1[65]) as fiat_p521_scalar_u1) as u64) << 8); let x2: u8 = (arg1[64]); let x3: u64 = (((arg1[63]) as u64) << 56); let x4: u64 = (((arg1[62]) as u64) << 48); let x5: u64 = (((arg1[61]) as u64) << 40); let x6: u64 = (((arg1[60]) as u64) << 32); let x7: u64 = (((arg1[59]) as u64) << 24); let x8: u64 = (((arg1[58]) as u64) << 16); let x9: u64 = (((arg1[57]) as u64) << 8); let x10: u8 = (arg1[56]); let x11: u64 = (((arg1[55]) as u64) << 56); let x12: u64 = (((arg1[54]) as u64) << 48); let x13: u64 = (((arg1[53]) as u64) << 40); let x14: u64 = (((arg1[52]) as u64) << 32); let x15: u64 = (((arg1[51]) as u64) << 24); let x16: u64 = (((arg1[50]) as u64) << 16); let x17: u64 = (((arg1[49]) as u64) << 8); let x18: u8 = (arg1[48]); let x19: u64 = (((arg1[47]) as u64) << 56); let x20: u64 = (((arg1[46]) as u64) << 48); let x21: u64 = (((arg1[45]) as u64) << 40); let x22: u64 = (((arg1[44]) as u64) << 32); let x23: u64 = 
(((arg1[43]) as u64) << 24); let x24: u64 = (((arg1[42]) as u64) << 16); let x25: u64 = (((arg1[41]) as u64) << 8); let x26: u8 = (arg1[40]); let x27: u64 = (((arg1[39]) as u64) << 56); let x28: u64 = (((arg1[38]) as u64) << 48); let x29: u64 = (((arg1[37]) as u64) << 40); let x30: u64 = (((arg1[36]) as u64) << 32); let x31: u64 = (((arg1[35]) as u64) << 24); let x32: u64 = (((arg1[34]) as u64) << 16); let x33: u64 = (((arg1[33]) as u64) << 8); let x34: u8 = (arg1[32]); let x35: u64 = (((arg1[31]) as u64) << 56); let x36: u64 = (((arg1[30]) as u64) << 48); let x37: u64 = (((arg1[29]) as u64) << 40); let x38: u64 = (((arg1[28]) as u64) << 32); let x39: u64 = (((arg1[27]) as u64) << 24); let x40: u64 = (((arg1[26]) as u64) << 16); let x41: u64 = (((arg1[25]) as u64) << 8); let x42: u8 = (arg1[24]); let x43: u64 = (((arg1[23]) as u64) << 56); let x44: u64 = (((arg1[22]) as u64) << 48); let x45: u64 = (((arg1[21]) as u64) << 40); let x46: u64 = (((arg1[20]) as u64) << 32); let x47: u64 = (((arg1[19]) as u64) << 24); let x48: u64 = (((arg1[18]) as u64) << 16); let x49: u64 = (((arg1[17]) as u64) << 8); let x50: u8 = (arg1[16]); let x51: u64 = (((arg1[15]) as u64) << 56); let x52: u64 = (((arg1[14]) as u64) << 48); let x53: u64 = (((arg1[13]) as u64) << 40); let x54: u64 = (((arg1[12]) as u64) << 32); let x55: u64 = (((arg1[11]) as u64) << 24); let x56: u64 = (((arg1[10]) as u64) << 16); let x57: u64 = (((arg1[9]) as u64) << 8); let x58: u8 = (arg1[8]); let x59: u64 = (((arg1[7]) as u64) << 56); let x60: u64 = (((arg1[6]) as u64) << 48); let x61: u64 = (((arg1[5]) as u64) << 40); let x62: u64 = (((arg1[4]) as u64) << 32); let x63: u64 = (((arg1[3]) as u64) << 24); let x64: u64 = (((arg1[2]) as u64) << 16); let x65: u64 = (((arg1[1]) as u64) << 8); let x66: u8 = (arg1[0]); let x67: u64 = (x65 + (x66 as u64)); let x68: u64 = (x64 + x67); let x69: u64 = (x63 + x68); let x70: u64 = (x62 + x69); let x71: u64 = (x61 + x70); let x72: u64 = (x60 + x71); let x73: u64 = (x59 + 
x72); let x74: u64 = (x57 + (x58 as u64)); let x75: u64 = (x56 + x74); let x76: u64 = (x55 + x75); let x77: u64 = (x54 + x76); let x78: u64 = (x53 + x77); let x79: u64 = (x52 + x78); let x80: u64 = (x51 + x79); let x81: u64 = (x49 + (x50 as u64)); let x82: u64 = (x48 + x81); let x83: u64 = (x47 + x82); let x84: u64 = (x46 + x83); let x85: u64 = (x45 + x84); let x86: u64 = (x44 + x85); let x87: u64 = (x43 + x86); let x88: u64 = (x41 + (x42 as u64)); let x89: u64 = (x40 + x88); let x90: u64 = (x39 + x89); let x91: u64 = (x38 + x90); let x92: u64 = (x37 + x91); let x93: u64 = (x36 + x92); let x94: u64 = (x35 + x93); let x95: u64 = (x33 + (x34 as u64)); let x96: u64 = (x32 + x95); let x97: u64 = (x31 + x96); let x98: u64 = (x30 + x97); let x99: u64 = (x29 + x98); let x100: u64 = (x28 + x99); let x101: u64 = (x27 + x100); let x102: u64 = (x25 + (x26 as u64)); let x103: u64 = (x24 + x102); let x104: u64 = (x23 + x103); let x105: u64 = (x22 + x104); let x106: u64 = (x21 + x105); let x107: u64 = (x20 + x106); let x108: u64 = (x19 + x107); let x109: u64 = (x17 + (x18 as u64)); let x110: u64 = (x16 + x109); let x111: u64 = (x15 + x110); let x112: u64 = (x14 + x111); let x113: u64 = (x13 + x112); let x114: u64 = (x12 + x113); let x115: u64 = (x11 + x114); let x116: u64 = (x9 + (x10 as u64)); let x117: u64 = (x8 + x116); let x118: u64 = (x7 + x117); let x119: u64 = (x6 + x118); let x120: u64 = (x5 + x119); let x121: u64 = (x4 + x120); let x122: u64 = (x3 + x121); let x123: u64 = (x1 + (x2 as u64)); out1[0] = x73; out1[1] = x80; out1[2] = x87; out1[3] = x94; out1[4] = x101; out1[5] = x108; out1[6] = x115; out1[7] = x122; out1[8] = x123; out1 } #[doc = " The function fiat_p521_scalar_set_one returns the field element one in the Montgomery domain."] #[doc = ""] #[doc = " Postconditions:"] #[doc = " eval (from_montgomery out1) mod m = 1 mod m"] #[doc = " 0 ≤ eval out1 < m"] #[doc = ""] #[inline] pub const fn fiat_p521_scalar_set_one() -> 
fiat_p521_scalar_montgomery_domain_field_element {
    // Body of fiat_p521_scalar_set_one: nine fixed limbs, least significant
    // first. Per the generated postcondition this is the value 1 in Montgomery
    // form; limbs 5..=8 are zero. No input is read.
    let mut out1: fiat_p521_scalar_montgomery_domain_field_element = [0; 9];
    out1[0] = 0xfb80000000000000;
    out1[1] = 0x28a2482470b763cd;
    out1[2] = 0x17e2251b23bb31dc;
    out1[3] = 0xca4019ff5b847b2d;
    out1[4] = 0x2d73cbc3e206834;
    out1[5] = (0x0 as u64);
    out1[6] = (0x0 as u64);
    out1[7] = (0x0 as u64);
    out1[8] = (0x0 as u64);
    out1
}

// fiat_p521_scalar_msat: returns the modulus m as ten limbs, least significant
// first. Limbs 0..=8 are the same constants this file subtracts in its
// conditional-subtraction sequences; limb 9 is zero.
//
// NOTE(review): presumably the tenth limb leaves room for the sign in the
// two's-complement values that fiat_p521_scalar_divstep takes as [u64; 10] —
// confirm against the callers.
// NOTE(review): the generated postcondition `0 ≤ eval out1 < m` sits oddly next
// to `twos_complement_eval out1 = m`; it looks like generator boilerplate
// rather than a property of this constant — confirm upstream before relying on it.
#[doc = " The function fiat_p521_scalar_msat returns the saturated representation of the prime modulus."]
#[doc = ""]
#[doc = " Postconditions:"]
#[doc = " twos_complement_eval out1 = m"]
#[doc = " 0 ≤ eval out1 < m"]
#[doc = ""]
#[doc = " Output Bounds:"]
#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"]
#[inline]
pub const fn fiat_p521_scalar_msat() -> [u64; 10] {
    let mut out1: [u64; 10] = [0; 10];
    out1[0] = 0xbb6fb71e91386409;
    out1[1] = 0x3bb5c9b8899c47ae;
    out1[2] = 0x7fcc0148f709a5d0;
    out1[3] = 0x51868783bf2f966b;
    out1[4] = 0xfffffffffffffffa;
    out1[5] = 0xffffffffffffffff;
    out1[6] = 0xffffffffffffffff;
    out1[7] = 0xffffffffffffffff;
    out1[8] = 0x1ff;
    out1[9] = (0x0 as u64);
    out1
}

// fiat_p521_scalar_divstep_precomp (its attributes start here and its body
// follows them): takes no input and returns nine fixed limbs, so its result
// does not depend on any secret value.
#[doc = " The function fiat_p521_scalar_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form)."] #[doc = ""] #[doc = " Postconditions:"] #[doc = " eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)"] #[doc = " 0 ≤ eval out1 < m"] #[doc = ""] #[doc = " Output Bounds:"] #[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff]]"] #[inline] pub const fn fiat_p521_scalar_divstep_precomp() -> [u64; 9] { let mut out1: [u64; 9] = [0; 9]; out1[0] = 0x7b27a0cb33d1884b; out1[1] = 0x9ef6cb011f2467d8; out1[2] = 0x5fbc88e1d6e7fce; out1[3] = 0xb08222d0fe97e1dc; out1[4] = 0x1624870c44df3fce; out1[5] = 0xb7f07b8eedbce602; out1[6] = 0x62da93cf721f63bc; out1[7] = 0xafd209c16c4f0d20; out1[8] = 0x1c7; out1 } #[doc = " The function fiat_p521_scalar_divstep computes a divstep."] #[doc = ""] #[doc = " Preconditions:"] #[doc = " 0 ≤ eval arg4 < m"] #[doc = " 0 ≤ eval arg5 < m"] #[doc = " Postconditions:"] #[doc = " out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)"] #[doc = " twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)"] #[doc = " twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋)"] #[doc = " eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)"] #[doc = " eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)"] #[doc = " 0 ≤ eval out5 < m"] #[doc = " 0 ≤ eval out5 < m"] #[doc = " 0 ≤ eval out2 < m"] #[doc = " 0 ≤ eval out3 < m"] #[doc = ""] #[doc = " Input Bounds:"] #[doc = " arg1: [0x0 ~> 0xffffffffffffffff]"] #[doc = " arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[doc = " arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[doc = " arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[doc = " arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[doc = " Output Bounds:"] #[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] #[doc = " out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[doc = " out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[doc = " out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[doc = " out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], 
[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] #[inline] pub const fn fiat_p521_scalar_divstep( arg1: u64, arg2: &[u64; 10], arg3: &[u64; 10], arg4: &[u64; 9], arg5: &[u64; 9], ) -> (u64, [u64; 10], [u64; 10], [u64; 9], [u64; 9]) { let mut out1: u64 = 0; let mut out2: [u64; 10] = [0; 10]; let mut out3: [u64; 10] = [0; 10]; let mut out4: [u64; 9] = [0; 9]; let mut out5: [u64; 9] = [0; 9]; let mut x1: u64 = 0; let mut x2: fiat_p521_scalar_u1 = 0; let (x1, x2) = fiat_p521_scalar_addcarryx_u64(0x0, (!arg1), (0x1 as u64)); let x3: fiat_p521_scalar_u1 = (((x1 >> 63) as fiat_p521_scalar_u1) & (((arg3[0]) & (0x1 as u64)) as fiat_p521_scalar_u1)); let mut x4: u64 = 0; let mut x5: fiat_p521_scalar_u1 = 0; let (x4, x5) = fiat_p521_scalar_addcarryx_u64(0x0, (!arg1), (0x1 as u64)); let mut x6: u64 = 0; let (x6) = fiat_p521_scalar_cmovznz_u64(x3, arg1, x4); let mut x7: u64 = 0; let (x7) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[0]), (arg3[0])); let mut x8: u64 = 0; let (x8) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[1]), (arg3[1])); let mut x9: u64 = 0; let (x9) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[2]), (arg3[2])); let mut x10: u64 = 0; let (x10) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[3]), (arg3[3])); let mut x11: u64 = 0; let (x11) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[4]), (arg3[4])); let mut x12: u64 = 0; let (x12) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[5]), (arg3[5])); let mut x13: u64 = 0; let (x13) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[6]), (arg3[6])); let mut x14: u64 = 0; let (x14) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[7]), (arg3[7])); let mut x15: u64 = 0; let (x15) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[8]), (arg3[8])); let mut x16: u64 = 0; let (x16) = fiat_p521_scalar_cmovznz_u64(x3, (arg2[9]), (arg3[9])); let mut x17: u64 = 0; let mut x18: fiat_p521_scalar_u1 = 0; let (x17, x18) = 
fiat_p521_scalar_addcarryx_u64(0x0, (0x1 as u64), (!(arg2[0]))); let mut x19: u64 = 0; let mut x20: fiat_p521_scalar_u1 = 0; let (x19, x20) = fiat_p521_scalar_addcarryx_u64(x18, (0x0 as u64), (!(arg2[1]))); let mut x21: u64 = 0; let mut x22: fiat_p521_scalar_u1 = 0; let (x21, x22) = fiat_p521_scalar_addcarryx_u64(x20, (0x0 as u64), (!(arg2[2]))); let mut x23: u64 = 0; let mut x24: fiat_p521_scalar_u1 = 0; let (x23, x24) = fiat_p521_scalar_addcarryx_u64(x22, (0x0 as u64), (!(arg2[3]))); let mut x25: u64 = 0; let mut x26: fiat_p521_scalar_u1 = 0; let (x25, x26) = fiat_p521_scalar_addcarryx_u64(x24, (0x0 as u64), (!(arg2[4]))); let mut x27: u64 = 0; let mut x28: fiat_p521_scalar_u1 = 0; let (x27, x28) = fiat_p521_scalar_addcarryx_u64(x26, (0x0 as u64), (!(arg2[5]))); let mut x29: u64 = 0; let mut x30: fiat_p521_scalar_u1 = 0; let (x29, x30) = fiat_p521_scalar_addcarryx_u64(x28, (0x0 as u64), (!(arg2[6]))); let mut x31: u64 = 0; let mut x32: fiat_p521_scalar_u1 = 0; let (x31, x32) = fiat_p521_scalar_addcarryx_u64(x30, (0x0 as u64), (!(arg2[7]))); let mut x33: u64 = 0; let mut x34: fiat_p521_scalar_u1 = 0; let (x33, x34) = fiat_p521_scalar_addcarryx_u64(x32, (0x0 as u64), (!(arg2[8]))); let mut x35: u64 = 0; let mut x36: fiat_p521_scalar_u1 = 0; let (x35, x36) = fiat_p521_scalar_addcarryx_u64(x34, (0x0 as u64), (!(arg2[9]))); let mut x37: u64 = 0; let (x37) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[0]), x17); let mut x38: u64 = 0; let (x38) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[1]), x19); let mut x39: u64 = 0; let (x39) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[2]), x21); let mut x40: u64 = 0; let (x40) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[3]), x23); let mut x41: u64 = 0; let (x41) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[4]), x25); let mut x42: u64 = 0; let (x42) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[5]), x27); let mut x43: u64 = 0; let (x43) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[6]), x29); let mut x44: u64 = 0; let (x44) = fiat_p521_scalar_cmovznz_u64(x3, 
(arg3[7]), x31); let mut x45: u64 = 0; let (x45) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[8]), x33); let mut x46: u64 = 0; let (x46) = fiat_p521_scalar_cmovznz_u64(x3, (arg3[9]), x35); let mut x47: u64 = 0; let (x47) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[0]), (arg5[0])); let mut x48: u64 = 0; let (x48) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[1]), (arg5[1])); let mut x49: u64 = 0; let (x49) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[2]), (arg5[2])); let mut x50: u64 = 0; let (x50) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[3]), (arg5[3])); let mut x51: u64 = 0; let (x51) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[4]), (arg5[4])); let mut x52: u64 = 0; let (x52) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[5]), (arg5[5])); let mut x53: u64 = 0; let (x53) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[6]), (arg5[6])); let mut x54: u64 = 0; let (x54) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[7]), (arg5[7])); let mut x55: u64 = 0; let (x55) = fiat_p521_scalar_cmovznz_u64(x3, (arg4[8]), (arg5[8])); let mut x56: u64 = 0; let mut x57: fiat_p521_scalar_u1 = 0; let (x56, x57) = fiat_p521_scalar_addcarryx_u64(0x0, x47, x47); let mut x58: u64 = 0; let mut x59: fiat_p521_scalar_u1 = 0; let (x58, x59) = fiat_p521_scalar_addcarryx_u64(x57, x48, x48); let mut x60: u64 = 0; let mut x61: fiat_p521_scalar_u1 = 0; let (x60, x61) = fiat_p521_scalar_addcarryx_u64(x59, x49, x49); let mut x62: u64 = 0; let mut x63: fiat_p521_scalar_u1 = 0; let (x62, x63) = fiat_p521_scalar_addcarryx_u64(x61, x50, x50); let mut x64: u64 = 0; let mut x65: fiat_p521_scalar_u1 = 0; let (x64, x65) = fiat_p521_scalar_addcarryx_u64(x63, x51, x51); let mut x66: u64 = 0; let mut x67: fiat_p521_scalar_u1 = 0; let (x66, x67) = fiat_p521_scalar_addcarryx_u64(x65, x52, x52); let mut x68: u64 = 0; let mut x69: fiat_p521_scalar_u1 = 0; let (x68, x69) = fiat_p521_scalar_addcarryx_u64(x67, x53, x53); let mut x70: u64 = 0; let mut x71: fiat_p521_scalar_u1 = 0; let (x70, x71) = fiat_p521_scalar_addcarryx_u64(x69, x54, x54); let mut x72: 
u64 = 0; let mut x73: fiat_p521_scalar_u1 = 0; let (x72, x73) = fiat_p521_scalar_addcarryx_u64(x71, x55, x55); let mut x74: u64 = 0; let mut x75: fiat_p521_scalar_u1 = 0; let (x74, x75) = fiat_p521_scalar_subborrowx_u64(0x0, x56, 0xbb6fb71e91386409); let mut x76: u64 = 0; let mut x77: fiat_p521_scalar_u1 = 0; let (x76, x77) = fiat_p521_scalar_subborrowx_u64(x75, x58, 0x3bb5c9b8899c47ae); let mut x78: u64 = 0; let mut x79: fiat_p521_scalar_u1 = 0; let (x78, x79) = fiat_p521_scalar_subborrowx_u64(x77, x60, 0x7fcc0148f709a5d0); let mut x80: u64 = 0; let mut x81: fiat_p521_scalar_u1 = 0; let (x80, x81) = fiat_p521_scalar_subborrowx_u64(x79, x62, 0x51868783bf2f966b); let mut x82: u64 = 0; let mut x83: fiat_p521_scalar_u1 = 0; let (x82, x83) = fiat_p521_scalar_subborrowx_u64(x81, x64, 0xfffffffffffffffa); let mut x84: u64 = 0; let mut x85: fiat_p521_scalar_u1 = 0; let (x84, x85) = fiat_p521_scalar_subborrowx_u64(x83, x66, 0xffffffffffffffff); let mut x86: u64 = 0; let mut x87: fiat_p521_scalar_u1 = 0; let (x86, x87) = fiat_p521_scalar_subborrowx_u64(x85, x68, 0xffffffffffffffff); let mut x88: u64 = 0; let mut x89: fiat_p521_scalar_u1 = 0; let (x88, x89) = fiat_p521_scalar_subborrowx_u64(x87, x70, 0xffffffffffffffff); let mut x90: u64 = 0; let mut x91: fiat_p521_scalar_u1 = 0; let (x90, x91) = fiat_p521_scalar_subborrowx_u64(x89, x72, 0x1ff); let mut x92: u64 = 0; let mut x93: fiat_p521_scalar_u1 = 0; let (x92, x93) = fiat_p521_scalar_subborrowx_u64(x91, (x73 as u64), (0x0 as u64)); let x94: u64 = (arg4[8]); let x95: u64 = (arg4[7]); let x96: u64 = (arg4[6]); let x97: u64 = (arg4[5]); let x98: u64 = (arg4[4]); let x99: u64 = (arg4[3]); let x100: u64 = (arg4[2]); let x101: u64 = (arg4[1]); let x102: u64 = (arg4[0]); let mut x103: u64 = 0; let mut x104: fiat_p521_scalar_u1 = 0; let (x103, x104) = fiat_p521_scalar_subborrowx_u64(0x0, (0x0 as u64), x102); let mut x105: u64 = 0; let mut x106: fiat_p521_scalar_u1 = 0; let (x105, x106) = fiat_p521_scalar_subborrowx_u64(x104, 
(0x0 as u64), x101); let mut x107: u64 = 0; let mut x108: fiat_p521_scalar_u1 = 0; let (x107, x108) = fiat_p521_scalar_subborrowx_u64(x106, (0x0 as u64), x100); let mut x109: u64 = 0; let mut x110: fiat_p521_scalar_u1 = 0; let (x109, x110) = fiat_p521_scalar_subborrowx_u64(x108, (0x0 as u64), x99); let mut x111: u64 = 0; let mut x112: fiat_p521_scalar_u1 = 0; let (x111, x112) = fiat_p521_scalar_subborrowx_u64(x110, (0x0 as u64), x98); let mut x113: u64 = 0; let mut x114: fiat_p521_scalar_u1 = 0; let (x113, x114) = fiat_p521_scalar_subborrowx_u64(x112, (0x0 as u64), x97); let mut x115: u64 = 0; let mut x116: fiat_p521_scalar_u1 = 0; let (x115, x116) = fiat_p521_scalar_subborrowx_u64(x114, (0x0 as u64), x96); let mut x117: u64 = 0; let mut x118: fiat_p521_scalar_u1 = 0; let (x117, x118) = fiat_p521_scalar_subborrowx_u64(x116, (0x0 as u64), x95); let mut x119: u64 = 0; let mut x120: fiat_p521_scalar_u1 = 0; let (x119, x120) = fiat_p521_scalar_subborrowx_u64(x118, (0x0 as u64), x94); let mut x121: u64 = 0; let (x121) = fiat_p521_scalar_cmovznz_u64(x120, (0x0 as u64), 0xffffffffffffffff); let mut x122: u64 = 0; let mut x123: fiat_p521_scalar_u1 = 0; let (x122, x123) = fiat_p521_scalar_addcarryx_u64(0x0, x103, (x121 & 0xbb6fb71e91386409)); let mut x124: u64 = 0; let mut x125: fiat_p521_scalar_u1 = 0; let (x124, x125) = fiat_p521_scalar_addcarryx_u64(x123, x105, (x121 & 0x3bb5c9b8899c47ae)); let mut x126: u64 = 0; let mut x127: fiat_p521_scalar_u1 = 0; let (x126, x127) = fiat_p521_scalar_addcarryx_u64(x125, x107, (x121 & 0x7fcc0148f709a5d0)); let mut x128: u64 = 0; let mut x129: fiat_p521_scalar_u1 = 0; let (x128, x129) = fiat_p521_scalar_addcarryx_u64(x127, x109, (x121 & 0x51868783bf2f966b)); let mut x130: u64 = 0; let mut x131: fiat_p521_scalar_u1 = 0; let (x130, x131) = fiat_p521_scalar_addcarryx_u64(x129, x111, (x121 & 0xfffffffffffffffa)); let mut x132: u64 = 0; let mut x133: fiat_p521_scalar_u1 = 0; let (x132, x133) = fiat_p521_scalar_addcarryx_u64(x131, x113, 
x121); let mut x134: u64 = 0; let mut x135: fiat_p521_scalar_u1 = 0; let (x134, x135) = fiat_p521_scalar_addcarryx_u64(x133, x115, x121); let mut x136: u64 = 0; let mut x137: fiat_p521_scalar_u1 = 0; let (x136, x137) = fiat_p521_scalar_addcarryx_u64(x135, x117, x121); let mut x138: u64 = 0; let mut x139: fiat_p521_scalar_u1 = 0; let (x138, x139) = fiat_p521_scalar_addcarryx_u64(x137, x119, (x121 & 0x1ff)); let mut x140: u64 = 0; let (x140) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[0]), x122); let mut x141: u64 = 0; let (x141) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[1]), x124); let mut x142: u64 = 0; let (x142) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[2]), x126); let mut x143: u64 = 0; let (x143) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[3]), x128); let mut x144: u64 = 0; let (x144) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[4]), x130); let mut x145: u64 = 0; let (x145) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[5]), x132); let mut x146: u64 = 0; let (x146) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[6]), x134); let mut x147: u64 = 0; let (x147) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[7]), x136); let mut x148: u64 = 0; let (x148) = fiat_p521_scalar_cmovznz_u64(x3, (arg5[8]), x138); let x149: fiat_p521_scalar_u1 = ((x37 & (0x1 as u64)) as fiat_p521_scalar_u1); let mut x150: u64 = 0; let (x150) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x7); let mut x151: u64 = 0; let (x151) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x8); let mut x152: u64 = 0; let (x152) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x9); let mut x153: u64 = 0; let (x153) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x10); let mut x154: u64 = 0; let (x154) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x11); let mut x155: u64 = 0; let (x155) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x12); let mut x156: u64 = 0; let (x156) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x13); let mut x157: u64 = 0; let (x157) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x14); 
let mut x158: u64 = 0; let (x158) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x15); let mut x159: u64 = 0; let (x159) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x16); let mut x160: u64 = 0; let mut x161: fiat_p521_scalar_u1 = 0; let (x160, x161) = fiat_p521_scalar_addcarryx_u64(0x0, x37, x150); let mut x162: u64 = 0; let mut x163: fiat_p521_scalar_u1 = 0; let (x162, x163) = fiat_p521_scalar_addcarryx_u64(x161, x38, x151); let mut x164: u64 = 0; let mut x165: fiat_p521_scalar_u1 = 0; let (x164, x165) = fiat_p521_scalar_addcarryx_u64(x163, x39, x152); let mut x166: u64 = 0; let mut x167: fiat_p521_scalar_u1 = 0; let (x166, x167) = fiat_p521_scalar_addcarryx_u64(x165, x40, x153); let mut x168: u64 = 0; let mut x169: fiat_p521_scalar_u1 = 0; let (x168, x169) = fiat_p521_scalar_addcarryx_u64(x167, x41, x154); let mut x170: u64 = 0; let mut x171: fiat_p521_scalar_u1 = 0; let (x170, x171) = fiat_p521_scalar_addcarryx_u64(x169, x42, x155); let mut x172: u64 = 0; let mut x173: fiat_p521_scalar_u1 = 0; let (x172, x173) = fiat_p521_scalar_addcarryx_u64(x171, x43, x156); let mut x174: u64 = 0; let mut x175: fiat_p521_scalar_u1 = 0; let (x174, x175) = fiat_p521_scalar_addcarryx_u64(x173, x44, x157); let mut x176: u64 = 0; let mut x177: fiat_p521_scalar_u1 = 0; let (x176, x177) = fiat_p521_scalar_addcarryx_u64(x175, x45, x158); let mut x178: u64 = 0; let mut x179: fiat_p521_scalar_u1 = 0; let (x178, x179) = fiat_p521_scalar_addcarryx_u64(x177, x46, x159); let mut x180: u64 = 0; let (x180) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x47); let mut x181: u64 = 0; let (x181) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x48); let mut x182: u64 = 0; let (x182) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x49); let mut x183: u64 = 0; let (x183) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x50); let mut x184: u64 = 0; let (x184) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x51); let mut x185: u64 = 0; let (x185) = 
fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x52); let mut x186: u64 = 0; let (x186) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x53); let mut x187: u64 = 0; let (x187) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x54); let mut x188: u64 = 0; let (x188) = fiat_p521_scalar_cmovznz_u64(x149, (0x0 as u64), x55); let mut x189: u64 = 0; let mut x190: fiat_p521_scalar_u1 = 0; let (x189, x190) = fiat_p521_scalar_addcarryx_u64(0x0, x140, x180); let mut x191: u64 = 0; let mut x192: fiat_p521_scalar_u1 = 0; let (x191, x192) = fiat_p521_scalar_addcarryx_u64(x190, x141, x181); let mut x193: u64 = 0; let mut x194: fiat_p521_scalar_u1 = 0; let (x193, x194) = fiat_p521_scalar_addcarryx_u64(x192, x142, x182); let mut x195: u64 = 0; let mut x196: fiat_p521_scalar_u1 = 0; let (x195, x196) = fiat_p521_scalar_addcarryx_u64(x194, x143, x183); let mut x197: u64 = 0; let mut x198: fiat_p521_scalar_u1 = 0; let (x197, x198) = fiat_p521_scalar_addcarryx_u64(x196, x144, x184); let mut x199: u64 = 0; let mut x200: fiat_p521_scalar_u1 = 0; let (x199, x200) = fiat_p521_scalar_addcarryx_u64(x198, x145, x185); let mut x201: u64 = 0; let mut x202: fiat_p521_scalar_u1 = 0; let (x201, x202) = fiat_p521_scalar_addcarryx_u64(x200, x146, x186); let mut x203: u64 = 0; let mut x204: fiat_p521_scalar_u1 = 0; let (x203, x204) = fiat_p521_scalar_addcarryx_u64(x202, x147, x187); let mut x205: u64 = 0; let mut x206: fiat_p521_scalar_u1 = 0; let (x205, x206) = fiat_p521_scalar_addcarryx_u64(x204, x148, x188); let mut x207: u64 = 0; let mut x208: fiat_p521_scalar_u1 = 0; let (x207, x208) = fiat_p521_scalar_subborrowx_u64(0x0, x189, 0xbb6fb71e91386409); let mut x209: u64 = 0; let mut x210: fiat_p521_scalar_u1 = 0; let (x209, x210) = fiat_p521_scalar_subborrowx_u64(x208, x191, 0x3bb5c9b8899c47ae); let mut x211: u64 = 0; let mut x212: fiat_p521_scalar_u1 = 0; let (x211, x212) = fiat_p521_scalar_subborrowx_u64(x210, x193, 0x7fcc0148f709a5d0); let mut x213: u64 = 0; let mut x214: fiat_p521_scalar_u1 
= 0; let (x213, x214) = fiat_p521_scalar_subborrowx_u64(x212, x195, 0x51868783bf2f966b); let mut x215: u64 = 0; let mut x216: fiat_p521_scalar_u1 = 0; let (x215, x216) = fiat_p521_scalar_subborrowx_u64(x214, x197, 0xfffffffffffffffa); let mut x217: u64 = 0; let mut x218: fiat_p521_scalar_u1 = 0; let (x217, x218) = fiat_p521_scalar_subborrowx_u64(x216, x199, 0xffffffffffffffff); let mut x219: u64 = 0; let mut x220: fiat_p521_scalar_u1 = 0; let (x219, x220) = fiat_p521_scalar_subborrowx_u64(x218, x201, 0xffffffffffffffff); let mut x221: u64 = 0; let mut x222: fiat_p521_scalar_u1 = 0; let (x221, x222) = fiat_p521_scalar_subborrowx_u64(x220, x203, 0xffffffffffffffff); let mut x223: u64 = 0; let mut x224: fiat_p521_scalar_u1 = 0; let (x223, x224) = fiat_p521_scalar_subborrowx_u64(x222, x205, 0x1ff); let mut x225: u64 = 0; let mut x226: fiat_p521_scalar_u1 = 0; let (x225, x226) = fiat_p521_scalar_subborrowx_u64(x224, (x206 as u64), (0x0 as u64)); let mut x227: u64 = 0; let mut x228: fiat_p521_scalar_u1 = 0; let (x227, x228) = fiat_p521_scalar_addcarryx_u64(0x0, x6, (0x1 as u64)); let x229: u64 = ((x160 >> 1) | ((x162 << 63) & 0xffffffffffffffff)); let x230: u64 = ((x162 >> 1) | ((x164 << 63) & 0xffffffffffffffff)); let x231: u64 = ((x164 >> 1) | ((x166 << 63) & 0xffffffffffffffff)); let x232: u64 = ((x166 >> 1) | ((x168 << 63) & 0xffffffffffffffff)); let x233: u64 = ((x168 >> 1) | ((x170 << 63) & 0xffffffffffffffff)); let x234: u64 = ((x170 >> 1) | ((x172 << 63) & 0xffffffffffffffff)); let x235: u64 = ((x172 >> 1) | ((x174 << 63) & 0xffffffffffffffff)); let x236: u64 = ((x174 >> 1) | ((x176 << 63) & 0xffffffffffffffff)); let x237: u64 = ((x176 >> 1) | ((x178 << 63) & 0xffffffffffffffff)); let x238: u64 = ((x178 & 0x8000000000000000) | (x178 >> 1)); let mut x239: u64 = 0; let (x239) = fiat_p521_scalar_cmovznz_u64(x93, x74, x56); let mut x240: u64 = 0; let (x240) = fiat_p521_scalar_cmovznz_u64(x93, x76, x58); let mut x241: u64 = 0; let (x241) = 
fiat_p521_scalar_cmovznz_u64(x93, x78, x60); let mut x242: u64 = 0; let (x242) = fiat_p521_scalar_cmovznz_u64(x93, x80, x62); let mut x243: u64 = 0; let (x243) = fiat_p521_scalar_cmovznz_u64(x93, x82, x64); let mut x244: u64 = 0; let (x244) = fiat_p521_scalar_cmovznz_u64(x93, x84, x66); let mut x245: u64 = 0; let (x245) = fiat_p521_scalar_cmovznz_u64(x93, x86, x68); let mut x246: u64 = 0; let (x246) = fiat_p521_scalar_cmovznz_u64(x93, x88, x70); let mut x247: u64 = 0; let (x247) = fiat_p521_scalar_cmovznz_u64(x93, x90, x72); let mut x248: u64 = 0; let (x248) = fiat_p521_scalar_cmovznz_u64(x226, x207, x189); let mut x249: u64 = 0; let (x249) = fiat_p521_scalar_cmovznz_u64(x226, x209, x191); let mut x250: u64 = 0; let (x250) = fiat_p521_scalar_cmovznz_u64(x226, x211, x193); let mut x251: u64 = 0; let (x251) = fiat_p521_scalar_cmovznz_u64(x226, x213, x195); let mut x252: u64 = 0; let (x252) = fiat_p521_scalar_cmovznz_u64(x226, x215, x197); let mut x253: u64 = 0; let (x253) = fiat_p521_scalar_cmovznz_u64(x226, x217, x199); let mut x254: u64 = 0; let (x254) = fiat_p521_scalar_cmovznz_u64(x226, x219, x201); let mut x255: u64 = 0; let (x255) = fiat_p521_scalar_cmovznz_u64(x226, x221, x203); let mut x256: u64 = 0; let (x256) = fiat_p521_scalar_cmovznz_u64(x226, x223, x205); out1 = x227; out2[0] = x7; out2[1] = x8; out2[2] = x9; out2[3] = x10; out2[4] = x11; out2[5] = x12; out2[6] = x13; out2[7] = x14; out2[8] = x15; out2[9] = x16; out3[0] = x229; out3[1] = x230; out3[2] = x231; out3[3] = x232; out3[4] = x233; out3[5] = x234; out3[6] = x235; out3[7] = x236; out3[8] = x237; out3[9] = x238; out4[0] = x239; out4[1] = x240; out4[2] = x241; out4[3] = x242; out4[4] = x243; out4[5] = x244; out4[6] = x245; out4[7] = x246; out4[8] = x247; out5[0] = x248; out5[1] = x249; out5[2] = x250; out5[3] = x251; out5[4] = x252; out5[5] = x253; out5[6] = x254; out5[7] = x255; out5[8] = x256; (out1, out2, out3, out4, out5) } 
p521-0.13.3/src/arithmetic/scalar.rs000064400000000000000000000450761046102023000151460ustar 00000000000000//! secp521r1 scalar field elements. //! //! Arithmetic implementations have been synthesized using fiat-crypto. //! //! # License //! //! Copyright (c) 2015-2020 the fiat-crypto authors //! //! fiat-crypto is distributed under the terms of the MIT License, the //! Apache License (Version 2.0), and the BSD 1-Clause License; //! users may pick which license to apply. // TODO(tarcieri): 32-bit backend? #[path = "scalar/p521_scalar_64.rs"] mod scalar_impl; use self::scalar_impl::*; use crate::{FieldBytes, NistP521, SecretKey, U576}; use core::{ iter::{Product, Sum}, ops::{AddAssign, MulAssign, Neg, Shr, ShrAssign, SubAssign}, }; use elliptic_curve::{ bigint::{self, Integer}, ff::{self, Field, PrimeField}, generic_array::GenericArray, ops::{Invert, Reduce}, rand_core::RngCore, scalar::{FromUintUnchecked, IsHigh}, subtle::{ Choice, ConditionallySelectable, ConstantTimeEq, ConstantTimeGreater, ConstantTimeLess, CtOption, }, zeroize::DefaultIsZeroes, Curve as _, Error, FieldBytesEncoding, Result, ScalarPrimitive, }; use primeorder::{impl_bernstein_yang_invert, impl_field_op}; #[cfg(feature = "bits")] use {crate::ScalarBits, elliptic_curve::group::ff::PrimeFieldBits}; #[cfg(feature = "serde")] use serdect::serde::{de, ser, Deserialize, Serialize}; #[cfg(doc)] use core::ops::{Add, Mul, Sub}; #[cfg(target_pointer_width = "32")] use super::util::{u32x18_to_u64x9, u64x9_to_u32x18}; /// Scalars are elements in the finite field modulo `n`. 
///
/// # Trait impls
///
/// Much of the important functionality of scalars is provided by traits from
/// the [`ff`](https://docs.rs/ff/) crate, which is re-exported as
/// `p521::elliptic_curve::ff`:
///
/// - [`Field`](https://docs.rs/ff/latest/ff/trait.Field.html) -
///   represents elements of finite fields and provides:
///   - [`Field::random`](https://docs.rs/ff/latest/ff/trait.Field.html#tymethod.random) -
///     generate a random scalar
///   - `double`, `square`, and `invert` operations
///   - Bounds for [`Add`], [`Sub`], [`Mul`], and [`Neg`] (as well as `*Assign` equivalents)
///   - Bounds for [`ConditionallySelectable`] from the `subtle` crate
/// - [`PrimeField`](https://docs.rs/ff/latest/ff/trait.PrimeField.html) -
///   represents elements of prime fields and provides:
///   - `from_repr`/`to_repr` for converting field elements from/to big integers.
///   - `multiplicative_generator` and `root_of_unity` constants.
/// - [`PrimeFieldBits`](https://docs.rs/ff/latest/ff/trait.PrimeFieldBits.html) -
///   operations over field elements represented as bits (requires `bits` feature)
///
/// Please see the documentation for the relevant traits for more information.
///
/// # Representation
///
/// The wrapped value is a `fiat_p521_scalar_montgomery_domain_field_element`.
/// `from_uint_unchecked` produces it with `fiat_p521_scalar_to_montgomery`, and
/// `to_canonical` converts back with `fiat_p521_scalar_from_montgomery`.
// NOTE(review): `PartialOrd`/`Ord` are derived, so they compare the wrapped
// Montgomery-domain value as stored rather than `to_canonical()`, and the
// derived comparison is ordinary code, not `subtle`-based like the `ct_eq`-backed
// `PartialEq` impl later in this file. Confirm that no caller relies on numeric
// ordering or applies these operators to secret scalars.
#[derive(Clone, Copy, Debug, PartialOrd, Ord)]
pub struct Scalar(fiat_p521_scalar_montgomery_domain_field_element);

impl Scalar {
    /// Zero element.
    pub const ZERO: Self = Self::from_u64(0);

    /// Multiplicative identity.
    pub const ONE: Self = Self::from_u64(1);

    /// Number of bytes in the serialized representation.
    ///
    /// `from_slice` rejects any input whose length differs from this value.
    const BYTES: usize = 66;

    /// Create a [`Scalar`] from a canonical big-endian representation.
    ///
    /// The bytes are decoded to an integer and passed to [`Scalar::from_uint`], so
    /// the returned `CtOption` is `None` unless the value is below the curve order.
    // NOTE(review): generic arguments appear to have been stripped from this
    // listing (bare `CtOption`, `FieldBytesEncoding::::`); restore them from the
    // crate source before building.
    pub fn from_bytes(repr: &FieldBytes) -> CtOption {
        Self::from_uint(FieldBytesEncoding::::decode_field_bytes(repr))
    }

    /// Decode [`Scalar`] from a big endian byte slice.
///
/// # Errors
///
/// Returns [`Error`] when `slice` is not exactly `Self::BYTES` long, or when
/// `from_bytes` rejects the decoded value.
pub fn from_slice(slice: &[u8]) -> Result {
    // The length is checked first because `GenericArray::from_slice` panics on a
    // length mismatch.
    if slice.len() != Self::BYTES {
        return Err(Error);
    }

    // `Option::from` leaves the `CtOption` domain: from here the accept/reject
    // decision is an ordinary branch.
    Option::from(Self::from_bytes(GenericArray::from_slice(slice))).ok_or(Error)
}

/// Decode [`Scalar`] from [`U576`] converting it into Montgomery form:
///
/// ```text
/// w * R^2 * R^-1 mod n = wR mod n
/// ```
///
/// The result is `None` unless `uint` is below `NistP521::ORDER`.
pub fn from_uint(uint: U576) -> CtOption {
    let is_some = uint.ct_lt(&NistP521::ORDER);
    // The conversion runs unconditionally; `is_some` alone carries the range decision.
    CtOption::new(Self::from_uint_unchecked(uint), is_some)
}

/// Parse a [`Scalar`] from big endian hex-encoded bytes.
///
/// Does *not* perform a check that the field element does not overflow the order.
///
/// This method is primarily intended for defining internal constants.
#[allow(dead_code)]
pub(crate) const fn from_hex(hex: &str) -> Self {
    Self::from_uint_unchecked(U576::from_be_hex(hex))
}

/// Convert a `u64` into a [`Scalar`].
pub const fn from_u64(w: u64) -> Self {
    Self::from_uint_unchecked(U576::from_u64(w))
}

/// Decode [`Scalar`] from [`U576`] converting it into Montgomery form.
///
/// Does *not* perform a check that the field element does not overflow the order.
///
/// Used incorrectly this can lead to invalid results!
///
/// This is the 32-bit variant: the words of `w` are repacked into 64-bit limbs
/// with `u32x18_to_u64x9` before the Montgomery conversion.
#[cfg(target_pointer_width = "32")]
pub(crate) const fn from_uint_unchecked(w: U576) -> Self {
    Self(fiat_p521_scalar_to_montgomery(&u32x18_to_u64x9(
        w.as_words(),
    )))
}

/// Decode [`Scalar`] from [`U576`] converting it into Montgomery form.
///
/// Does *not* perform a check that the field element does not overflow the order.
///
/// Used incorrectly this can lead to invalid results!
///
/// This is the 64-bit variant: the words of `w` are passed to the Montgomery
/// conversion directly.
#[cfg(target_pointer_width = "64")]
pub(crate) const fn from_uint_unchecked(w: U576) -> Self {
    Self(fiat_p521_scalar_to_montgomery(w.as_words()))
}

/// Returns the big-endian encoding of this [`Scalar`].
///
/// The value is first taken out of the Montgomery domain with `to_canonical`,
/// so the bytes encode the canonical integer.
// NOTE(review): generic arguments appear to have been stripped from this listing
// (`FieldBytesEncoding::::`, bare `Result`/`CtOption` above); restore them from
// the crate source before building.
pub fn to_bytes(self) -> FieldBytes {
    FieldBytesEncoding::::encode_field_bytes(&self.to_canonical())
}

/// Translate [`Scalar`] out of the Montgomery domain, returning a [`U576`]
/// in canonical form.
///
/// This is the 32-bit variant: the 64-bit limbs returned by
/// `fiat_p521_scalar_from_montgomery` are split with `u64x9_to_u32x18`.
#[inline]
#[cfg(target_pointer_width = "32")]
pub const fn to_canonical(self) -> U576 {
    U576::from_words(u64x9_to_u32x18(&fiat_p521_scalar_from_montgomery(&self.0)))
}

/// Translate [`Scalar`] out of the Montgomery domain, returning a [`U576`]
/// in canonical form.
///
/// This is the 64-bit variant: the limbs returned by
/// `fiat_p521_scalar_from_montgomery` are used as the words of the result.
#[inline]
#[cfg(target_pointer_width = "64")]
pub const fn to_canonical(self) -> U576 {
    U576::from_words(fiat_p521_scalar_from_montgomery(&self.0))
}

/// Determine if this [`Scalar`] is odd in the SEC1 sense: `self mod 2 == 1`.
///
/// Parity is taken on the canonical value, not on the stored Montgomery form.
///
/// # Returns
///
/// If odd, return `Choice(1)`. Otherwise, return `Choice(0)`.
pub fn is_odd(&self) -> Choice {
    self.to_canonical().is_odd()
}

/// Determine if this [`Scalar`] is even in the SEC1 sense: `self mod 2 == 0`.
///
/// # Returns
///
/// If even, return `Choice(1)`. Otherwise, return `Choice(0)`.
pub fn is_even(&self) -> Choice {
    !self.is_odd()
}

/// Determine if this [`Scalar`] is zero.
///
/// Implemented as a `ct_eq` comparison against [`Scalar::ZERO`].
///
/// # Returns
///
/// If zero, return `Choice(1)`. Otherwise, return `Choice(0)`.
pub fn is_zero(&self) -> Choice {
    self.ct_eq(&Self::ZERO)
}

/// Add elements.
pub const fn add(&self, rhs: &Self) -> Self {
    Self(fiat_p521_scalar_add(&self.0, &rhs.0))
}

/// Double element (add it to itself).
#[must_use]
pub const fn double(&self) -> Self {
    self.add(self)
}

/// Subtract elements.
pub const fn sub(&self, rhs: &Self) -> Self {
    Self(fiat_p521_scalar_sub(&self.0, &rhs.0))
}

/// Negate element.
pub const fn neg(&self) -> Self {
    Self(fiat_p521_scalar_opp(&self.0))
}

/// Multiply elements.
pub const fn multiply(&self, rhs: &Self) -> Self {
    Self(fiat_p521_scalar_mul(&self.0, &rhs.0))
}

/// Compute [`Scalar`] inversion: `1 / self`.
///
/// Returns `None` (as a `CtOption`) when `self` is zero.
pub fn invert(&self) -> CtOption {
    // The inversion is computed for every input, zero included; the `Choice`
    // from `is_zero` masks the result instead of branching on it.
    CtOption::new(self.invert_unchecked(), !self.is_zero())
}

/// Compute [`Scalar`] inversion: `1 / self`.
///
/// Does not check that self is non-zero.
///
/// Private helper. In this file its result is exposed only through `invert`,
/// which masks it with `!self.is_zero()`, and through the constants `TWO_INV`
/// and `ROOT_OF_UNITY_INV`.
const fn invert_unchecked(&self) -> Self {
    // NOTE(review): `521` and `9` are presumably the modulus bit length and the
    // limb count; confirm against `impl_bernstein_yang_invert!` in `primeorder`.
    let words = impl_bernstein_yang_invert!(
        &self.0,
        Self::ONE.0,
        521,
        9,
        u64,
        fiat_p521_scalar_from_montgomery,
        fiat_p521_scalar_mul,
        fiat_p521_scalar_opp,
        fiat_p521_scalar_divstep_precomp,
        fiat_p521_scalar_divstep,
        fiat_p521_scalar_msat,
        fiat_p521_scalar_selectznz,
    );

    Self(words)
}

/// Compute modular square.
#[must_use]
pub const fn square(&self) -> Self {
    Self(fiat_p521_scalar_square(&self.0))
}

/// Compute modular square root.
///
/// # Panics
///
/// Always panics: the body is `todo!`. The `Field::sqrt` impl for [`Scalar`]
/// in this file forwards here, so that entry point panics as well. Any caller
/// that reaches a scalar square root aborts instead of receiving `None`.
pub fn sqrt(&self) -> CtOption {
    todo!("`sqrt` not yet implemented")
}

/// Returns `self^exp`, where `exp` is a little-endian integer exponent.
///
/// **This operation is variable time with respect to the exponent.**
///
/// If the exponent is fixed, this operation is effectively constant time.
///
/// The multiplication below runs only for set exponent bits, so the exponent
/// must be a public value.
pub const fn pow_vartime(&self, exp: &[u64]) -> Self {
    let mut res = Self::ONE;
    let mut i = exp.len();

    // Square-and-multiply, scanning from the top bit of the last limb down to
    // bit 0 of the first limb. `while` loops are used so the function stays `const`.
    while i > 0 {
        i -= 1;

        let mut j = 64;
        while j > 0 {
            j -= 1;
            res = res.square();

            // Data-dependent branch on the exponent: the source of the timing variation.
            if ((exp[i] >> j) & 1) == 1 {
                res = res.multiply(self);
            }
        }
    }

    res
}

/// Right shifts the scalar.
///
/// Note: not constant-time with respect to the `shift` parameter.
// NOTE(review): the shift is applied to `self.0`, the stored Montgomery-domain
// words, with no `to_canonical`/`from_uint_unchecked` round trip, and the shifted
// words are wrapped back into `Self` as-is. Confirm whether callers expect the
// canonical integer to be shifted instead.
#[cfg(target_pointer_width = "32")]
pub const fn shr_vartime(&self, shift: usize) -> Scalar {
    Self(u32x18_to_u64x9(
        &U576::from_words(u64x9_to_u32x18(&self.0))
            .shr_vartime(shift)
            .to_words(),
    ))
}

/// Right shifts the scalar.
///
/// Note: not constant-time with respect to the `shift` parameter.
// NOTE(review): the 64-bit variant that follows also shifts `self.0` (the stored
// Montgomery-domain words) directly; confirm whether callers expect the
// canonical integer to be shifted instead.
#[cfg(target_pointer_width = "64")] pub const fn shr_vartime(&self, shift: usize) -> Scalar { Self(U576::from_words(self.0).shr_vartime(shift).to_words()) } } impl AsRef for Scalar { fn as_ref(&self) -> &fiat_p521_scalar_montgomery_domain_field_element { &self.0 } } impl Default for Scalar { fn default() -> Self { Self::ZERO } } impl Eq for Scalar {} impl PartialEq for Scalar { fn eq(&self, rhs: &Self) -> bool { self.0.ct_eq(&(rhs.0)).into() } } impl From for Scalar { fn from(n: u32) -> Scalar { Self::from_uint_unchecked(U576::from(n)) } } impl From for Scalar { fn from(n: u64) -> Scalar { Self::from_uint_unchecked(U576::from(n)) } } impl From for Scalar { fn from(n: u128) -> Scalar { Self::from_uint_unchecked(U576::from(n)) } } impl ConditionallySelectable for Scalar { fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { let mut ret = Self::ZERO; for i in 0..ret.0.len() { ret.0[i] = u64::conditional_select(&a.0[i], &b.0[i], choice); } ret } } impl ConstantTimeEq for Scalar { fn ct_eq(&self, other: &Self) -> Choice { self.0.ct_eq(&other.0) } } impl DefaultIsZeroes for Scalar {} impl Field for Scalar { const ZERO: Self = Self::ZERO; const ONE: Self = Self::ONE; fn random(mut rng: impl RngCore) -> Self { // NOTE: can't use ScalarPrimitive::random due to CryptoRng bound let mut bytes = ::default(); loop { rng.fill_bytes(&mut bytes); if let Some(fe) = Self::from_bytes(&bytes).into() { return fe; } } } fn is_zero(&self) -> Choice { Self::ZERO.ct_eq(self) } #[must_use] fn square(&self) -> Self { self.square() } #[must_use] fn double(&self) -> Self { self.double() } fn invert(&self) -> CtOption { self.invert() } fn sqrt(&self) -> CtOption { self.sqrt() } fn sqrt_ratio(num: &Self, div: &Self) -> (Choice, Self) { ff::helpers::sqrt_ratio_generic(num, div) } } impl_field_op!(Scalar, Add, add, fiat_p521_scalar_add); impl_field_op!(Scalar, Sub, sub, fiat_p521_scalar_sub); impl_field_op!(Scalar, Mul, mul, fiat_p521_scalar_mul); impl AddAssign for Scalar { 
#[inline] fn add_assign(&mut self, other: Scalar) { *self = *self + other; } } impl AddAssign<&Scalar> for Scalar { #[inline] fn add_assign(&mut self, other: &Scalar) { *self = *self + other; } } impl SubAssign for Scalar { #[inline] fn sub_assign(&mut self, other: Scalar) { *self = *self - other; } } impl SubAssign<&Scalar> for Scalar { #[inline] fn sub_assign(&mut self, other: &Scalar) { *self = *self - other; } } impl MulAssign<&Scalar> for Scalar { #[inline] fn mul_assign(&mut self, other: &Scalar) { *self = *self * other; } } impl MulAssign for Scalar { #[inline] fn mul_assign(&mut self, other: Scalar) { *self = *self * other; } } impl Neg for Scalar { type Output = Scalar; #[inline] fn neg(self) -> Scalar { Self::neg(&self) } } impl Sum for Scalar { fn sum>(iter: I) -> Self { iter.reduce(core::ops::Add::add).unwrap_or(Self::ZERO) } } impl<'a> Sum<&'a Scalar> for Scalar { fn sum>(iter: I) -> Self { iter.copied().sum() } } impl Product for Scalar { fn product>(iter: I) -> Self { iter.reduce(core::ops::Mul::mul).unwrap_or(Self::ONE) } } impl<'a> Product<&'a Scalar> for Scalar { fn product>(iter: I) -> Self { iter.copied().product() } } impl AsRef for Scalar { fn as_ref(&self) -> &Scalar { self } } impl FromUintUnchecked for Scalar { type Uint = U576; fn from_uint_unchecked(uint: Self::Uint) -> Self { Self::from_uint_unchecked(uint) } } impl Invert for Scalar { type Output = CtOption; fn invert(&self) -> CtOption { self.invert() } } impl IsHigh for Scalar { fn is_high(&self) -> Choice { const MODULUS_SHR1: U576 = NistP521::ORDER.shr_vartime(1); self.to_canonical().ct_gt(&MODULUS_SHR1) } } impl Shr for Scalar { type Output = Self; fn shr(self, rhs: usize) -> Self::Output { self.shr_vartime(rhs) } } impl Shr for &Scalar { type Output = Scalar; fn shr(self, rhs: usize) -> Self::Output { self.shr_vartime(rhs) } } impl ShrAssign for Scalar { fn shr_assign(&mut self, rhs: usize) { *self = *self >> rhs; } } impl PrimeField for Scalar { type Repr = FieldBytes; const 
MODULUS: &'static str = "01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409"; const CAPACITY: u32 = 520; const NUM_BITS: u32 = 521; const TWO_INV: Self = Self::from_u64(2).invert_unchecked(); const MULTIPLICATIVE_GENERATOR: Self = Self::from_u64(3); const S: u32 = 3; const ROOT_OF_UNITY: Self = Self::from_hex("000000000000009a0a650d44b28c17f3d708ad2fa8c4fbc7e6000d7c12dafa92fcc5673a3055276d535f79ff391dcdbcd998b7836647d3a72472b3da861ac810a7f9c7b7b63e2205"); const ROOT_OF_UNITY_INV: Self = Self::ROOT_OF_UNITY.invert_unchecked(); const DELTA: Self = Self::from_u64(6561); #[inline] fn from_repr(bytes: FieldBytes) -> CtOption { Self::from_bytes(&bytes) } #[inline] fn to_repr(&self) -> FieldBytes { self.to_bytes() } #[inline] fn is_odd(&self) -> Choice { self.is_odd() } } #[cfg(feature = "bits")] impl PrimeFieldBits for Scalar { type ReprBits = fiat_p521_scalar_montgomery_domain_field_element; fn to_le_bits(&self) -> ScalarBits { self.to_canonical().to_words().into() } fn char_le_bits() -> ScalarBits { NistP521::ORDER.to_words().into() } } impl Reduce for Scalar { type Bytes = FieldBytes; fn reduce(w: U576) -> Self { let (r, underflow) = w.sbb(&NistP521::ORDER, bigint::Limb::ZERO); let underflow = Choice::from((underflow.0 >> (bigint::Limb::BITS - 1)) as u8); Self::from_uint_unchecked(U576::conditional_select(&w, &r, !underflow)) } #[inline] fn reduce_bytes(bytes: &FieldBytes) -> Self { let w = >::decode_field_bytes(bytes); Self::reduce(w) } } impl From> for Scalar { fn from(w: ScalarPrimitive) -> Self { Scalar::from(&w) } } impl From<&ScalarPrimitive> for Scalar { fn from(w: &ScalarPrimitive) -> Scalar { Scalar::from_uint_unchecked(*w.as_uint()) } } impl From for ScalarPrimitive { fn from(scalar: Scalar) -> ScalarPrimitive { ScalarPrimitive::from(&scalar) } } impl From<&Scalar> for ScalarPrimitive { fn from(scalar: &Scalar) -> ScalarPrimitive { ScalarPrimitive::new(scalar.into()).unwrap() } 
} impl From for FieldBytes { fn from(scalar: Scalar) -> Self { scalar.to_repr() } } impl From<&Scalar> for FieldBytes { fn from(scalar: &Scalar) -> Self { scalar.to_repr() } } impl From for U576 { fn from(scalar: Scalar) -> U576 { U576::from(&scalar) } } impl From<&Scalar> for U576 { fn from(scalar: &Scalar) -> U576 { scalar.to_canonical() } } impl From<&SecretKey> for Scalar { fn from(secret_key: &SecretKey) -> Scalar { *secret_key.to_nonzero_scalar() } } impl TryFrom for Scalar { type Error = Error; fn try_from(w: U576) -> Result { Option::from(Self::from_uint(w)).ok_or(Error) } } #[cfg(feature = "serde")] impl Serialize for Scalar { fn serialize(&self, serializer: S) -> core::result::Result where S: ser::Serializer, { ScalarPrimitive::from(self).serialize(serializer) } } #[cfg(feature = "serde")] impl<'de> Deserialize<'de> for Scalar { fn deserialize(deserializer: D) -> core::result::Result where D: de::Deserializer<'de>, { Ok(ScalarPrimitive::deserialize(deserializer)?.into()) } } #[cfg(test)] mod tests { use super::Scalar; use elliptic_curve::PrimeField; use primeorder::{impl_field_identity_tests, impl_field_invert_tests, impl_primefield_tests}; /// t = (modulus - 1) >> S const T: [u64; 9] = [ 0xd76df6e3d2270c81, 0x0776b937113388f5, 0x6ff980291ee134ba, 0x4a30d0f077e5f2cd, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x000000000000003f, ]; impl_field_identity_tests!(Scalar); impl_field_invert_tests!(Scalar); impl_primefield_tests!(Scalar, T); } p521-0.13.3/src/arithmetic/util.rs000064400000000000000000000034331046102023000146450ustar 00000000000000//! Utility functions. use elliptic_curve::bigint::U576; /// Convert an 18-element array of `u32` into a 9-element array of `u16`, /// assuming integer arrays are in little-endian order. 
#[cfg(target_pointer_width = "32")] pub(crate) const fn u32x18_to_u64x9(w: &[u32; 18]) -> [u64; 9] { let mut ret = [0u64; 9]; let mut i = 0; while i < 9 { ret[i] = (w[i * 2] as u64) | ((w[(i * 2) + 1] as u64) << 32); i += 1; } ret } /// Convert a 9-element array of `u64` into an 18-element array of `u32`, /// assuming integers are in little-endian order. #[cfg(target_pointer_width = "32")] pub(crate) const fn u64x9_to_u32x18(w: &[u64; 9]) -> [u32; 18] { let mut ret = [0u32; 18]; let mut i = 0; while i < 9 { ret[i * 2] = (w[i] & 0xFFFFFFFF) as u32; ret[(i * 2) + 1] = (w[i] >> 32) as u32; i += 1; } ret } /// Converts the saturated representation [`U576`] into a 528bit array. Each /// word is copied in little-endian. pub const fn u576_to_le_bytes(w: U576) -> [u8; 66] { #[cfg(target_pointer_width = "32")] let words = u32x18_to_u64x9(w.as_words()); #[cfg(target_pointer_width = "64")] let words = w.as_words(); let mut result: [u8; 66] = [0u8; 66]; let mut i = 0; while i < words.len() - 1 { let word = words[i].to_le_bytes(); let start = i * 8; result[start] = word[0]; result[start + 1] = word[1]; result[start + 2] = word[2]; result[start + 3] = word[3]; result[start + 4] = word[4]; result[start + 5] = word[5]; result[start + 6] = word[6]; result[start + 7] = word[7]; i += 1; } let last_word = words[8].to_le_bytes(); result[i * 8] = last_word[0]; result[(i * 8) + 1] = last_word[1]; result } p521-0.13.3/src/arithmetic.rs000064400000000000000000000054541046102023000136750ustar 00000000000000//! Pure Rust implementation of group operations on secp521r1. //! //! Curve parameters can be found in [NIST SP 800-186] § 3.2.1.5: P-521. //! //! 
[NIST SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final pub(crate) mod field; #[cfg(feature = "hash2curve")] mod hash2curve; pub(crate) mod scalar; mod util; pub use self::scalar::Scalar; use self::field::FieldElement; use crate::NistP521; use elliptic_curve::{CurveArithmetic, PrimeCurveArithmetic}; use primeorder::{point_arithmetic, PrimeCurveParams}; /// Elliptic curve point in affine coordinates. pub type AffinePoint = primeorder::AffinePoint; /// Elliptic curve point in projective coordinates. pub type ProjectivePoint = primeorder::ProjectivePoint; impl CurveArithmetic for NistP521 { type AffinePoint = AffinePoint; type ProjectivePoint = ProjectivePoint; type Scalar = Scalar; } impl PrimeCurveArithmetic for NistP521 { type CurveGroup = ProjectivePoint; } /// Adapted from [NIST SP 800-186] § 3.2.1.5: P-521. /// /// [NIST SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final impl PrimeCurveParams for NistP521 { type FieldElement = FieldElement; type PointArithmetic = point_arithmetic::EquationAIsMinusThree; /// a = -3 (0x1ff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff /// ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff /// ffffffff ffffffff ffffffff fffffffc) const EQUATION_A: FieldElement = FieldElement::from_u64(3).neg(); /// b = 0x051 953eb961 8e1c9a1f 929a21a0 b68540ee a2da725b 99b315f3 /// b8b48991 8ef109e1 56193951 ec7e937b 1652c0bd 3bb1bf07 /// 3573df88 3d2c34f1 ef451fd4 6b503f00 const EQUATION_B: FieldElement = FieldElement::from_hex("0000000000000051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00"); /// Base point of P-521. 
/// /// ```text /// Gₓ = 0x0c6 858e06b7 0404e9cd 9e3ecb66 2395b442 9c648139 053fb521 /// f828af60 6b4d3dba a14b5e77 efe75928 fe1dc127 a2ffa8de /// 3348b3c1 856a429b f97e7e31 c2e5bd66 /// Gᵧ = 0x118 39296a78 9a3bc004 5c8a5fb4 2c7d1bd9 98f54449 579b4468 /// 17afbd17 273e662c 97ee7299 5ef42640 c550b901 3fad0761 /// 353c7086 a272c240 88be9476 9fd16650 /// ``` const GENERATOR: (FieldElement, FieldElement) = ( FieldElement::from_hex("00000000000000c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66"), FieldElement::from_hex("000000000000011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650"), ); } p521-0.13.3/src/ecdh.rs000064400000000000000000000035331046102023000124430ustar 00000000000000//! Elliptic Curve Diffie-Hellman (Ephemeral) Support. //! //! This module contains a high-level interface for performing ephemeral //! Diffie-Hellman key exchanges using the secp521r1 elliptic curve. //! //! # Usage //! //! This usage example is from the perspective of two participants in the //! exchange, nicknamed "Alice" and "Bob". //! //! ``` //! use p521::{EncodedPoint, PublicKey, ecdh::EphemeralSecret}; //! use rand_core::OsRng; // requires 'getrandom' feature //! //! // Alice //! let alice_secret = EphemeralSecret::random(&mut OsRng); //! let alice_pk_bytes = EncodedPoint::from(alice_secret.public_key()); //! //! // Bob //! let bob_secret = EphemeralSecret::random(&mut OsRng); //! let bob_pk_bytes = EncodedPoint::from(bob_secret.public_key()); //! //! // Alice decodes Bob's serialized public key and computes a shared secret from it //! let bob_public = PublicKey::from_sec1_bytes(bob_pk_bytes.as_ref()) //! .expect("bob's public key is invalid!"); // In real usage, don't panic, handle this! //! //! let alice_shared = alice_secret.diffie_hellman(&bob_public); //! //! 
// Bob decodes Alice's serialized public key and computes the same shared secret //! let alice_public = PublicKey::from_sec1_bytes(alice_pk_bytes.as_ref()) //! .expect("alice's public key is invalid!"); // In real usage, don't panic, handle this! //! //! let bob_shared = bob_secret.diffie_hellman(&alice_public); //! //! // Both participants arrive on the same shared secret //! assert_eq!(alice_shared.raw_secret_bytes(), bob_shared.raw_secret_bytes()); //! ``` pub use elliptic_curve::ecdh::diffie_hellman; use crate::NistP521; /// NIST P-521 Ephemeral Diffie-Hellman Secret. pub type EphemeralSecret = elliptic_curve::ecdh::EphemeralSecret; /// Shared secret value computed via ECDH key agreement. pub type SharedSecret = elliptic_curve::ecdh::SharedSecret; p521-0.13.3/src/ecdsa.rs000064400000000000000000000270251046102023000126210ustar 00000000000000//! Elliptic Curve Digital Signature Algorithm (ECDSA) //! //! This module contains support for computing and verifying ECDSA signatures. //! To use it, you will need to enable one of the two following Cargo features: //! //! - `ecdsa-core`: provides only the [`Signature`] type (which represents an //! ECDSA/P-521 signature). Does not require the `arithmetic` feature. This is //! useful for 3rd-party crates which wish to use the `Signature` type for //! interoperability purposes (particularly in conjunction with the //! [`signature::Signer`] trait. Example use cases for this include other //! software implementations of ECDSA/P-521 and wrappers for cloud KMS //! services or hardware devices (HSM or crypto hardware wallet). //! - `ecdsa`: provides `ecdsa-core` features plus the [`SigningKey`] and //! [`VerifyingKey`] types which natively implement ECDSA/P-521 signing and //! verification. //! //! ## Signing/Verification Example //! //! This example requires the `ecdsa` Cargo feature is enabled: //! //! ``` //! # #[cfg(feature = "ecdsa")] //! # { //! use p521::ecdsa::{signature::Signer, Signature, SigningKey}; //! 
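//! use rand_core::OsRng; // requires 'getrandom' feature
//!
//! // Signing
//! let signing_key = SigningKey::random(&mut OsRng); // Serialize with `::to_bytes()`
//! let message = b"ECDSA proves knowledge of a secret number in the context of a single message";
//! let signature: Signature = signing_key.sign(message);
//!
//! // Verification
//! use p521::ecdsa::{signature::Verifier, VerifyingKey};
//!
//! let verifying_key = VerifyingKey::from(&signing_key); // Serialize with `::to_encoded_point()`
//! assert!(verifying_key.verify(message, &signature).is_ok());
//! # }
//! ```

// TODO(tarcieri): use RFC6979 + upstream types from the `ecdsa` crate

pub use ecdsa_core::signature::{self, Error, Result};

#[cfg(feature = "ecdsa")]
use {
    crate::{AffinePoint, EncodedPoint, FieldBytes, NonZeroScalar, Scalar},
    ecdsa_core::{
        hazmat::{bits2field, sign_prehashed, SignPrimitive, VerifyPrimitive},
        signature::{
            hazmat::{PrehashVerifier, RandomizedPrehashSigner},
            rand_core::CryptoRngCore,
            RandomizedSigner, Verifier,
        },
    },
    elliptic_curve::Field,
    sha2::{Digest, Sha512},
};

#[cfg(all(feature = "ecdsa", feature = "getrandom"))]
use {
    ecdsa_core::signature::{hazmat::PrehashSigner, Signer},
    rand_core::OsRng,
};

use super::NistP521;

/// ECDSA/P-521 signature (fixed-size)
pub type Signature = ecdsa_core::Signature<NistP521>;

/// ECDSA/P-521 signature (ASN.1 DER encoded)
pub type DerSignature = ecdsa_core::der::Signature<NistP521>;

// The empty bodies mean the traits' provided methods are used unchanged.
#[cfg(feature = "ecdsa")]
impl SignPrimitive<NistP521> for Scalar {}

#[cfg(feature = "ecdsa")]
impl VerifyPrimitive<NistP521> for AffinePoint {}

/// ECDSA/P-521 signing key
///
/// Thin wrapper around `ecdsa_core::SigningKey<NistP521>`. Until the RFC6979
/// TODO above is resolved, every signature made with this type draws a fresh
/// random nonce from an RNG, so the RNG is part of the key's security.
#[cfg(feature = "ecdsa")]
#[derive(Clone)]
pub struct SigningKey(ecdsa_core::SigningKey<NistP521>);

#[cfg(feature = "ecdsa")]
impl SigningKey {
    /// Generate a cryptographically random [`SigningKey`].
    ///
    /// The key is only as unpredictable as `rng`; pass an OS-backed or
    /// otherwise properly seeded CSPRNG.
    pub fn random(rng: &mut impl CryptoRngCore) -> Self {
        ecdsa_core::SigningKey::<NistP521>::random(rng).into()
    }

    /// Initialize signing key from a raw scalar serialized as a byte array.
    ///
    /// # Errors
    ///
    /// Returns whatever error the wrapped `ecdsa_core` constructor reports
    /// for bytes it does not accept as a signing key.
    pub fn from_bytes(bytes: &FieldBytes) -> Result<Self> {
        ecdsa_core::SigningKey::<NistP521>::from_bytes(bytes).map(Into::into)
    }

    /// Initialize signing key from a raw scalar serialized as a byte slice.
    ///
    /// # Errors
    ///
    /// Returns whatever error the wrapped `ecdsa_core` constructor reports
    /// for a slice it does not accept as a signing key.
    pub fn from_slice(bytes: &[u8]) -> Result<Self> {
        ecdsa_core::SigningKey::<NistP521>::from_slice(bytes).map(Into::into)
    }

    /// Serialize this [`SigningKey`] as bytes
    ///
    /// The output is private key material: keep it out of logs and error
    /// messages, and wipe or encrypt it wherever it is stored.
    pub fn to_bytes(&self) -> FieldBytes {
        self.0.to_bytes()
    }

    /// Borrow the secret [`NonZeroScalar`] value for this key.
    ///
    /// # ⚠️ Warning
    ///
    /// This value is key material.
    ///
    /// Please treat it with the care it deserves!
    pub fn as_nonzero_scalar(&self) -> &NonZeroScalar {
        self.0.as_nonzero_scalar()
    }

    /// Get the [`VerifyingKey`] which corresponds to this [`SigningKey`].
    // NOTE(review): gated on a `verifying` feature, while everything else in
    // this module is gated on `ecdsa`; confirm that feature is declared in
    // Cargo.toml, otherwise this method is never compiled.
    #[cfg(feature = "verifying")]
    pub fn verifying_key(&self) -> VerifyingKey {
        VerifyingKey::from(self)
    }
}

#[cfg(feature = "ecdsa")]
impl From<ecdsa_core::SigningKey<NistP521>> for SigningKey {
    fn from(inner: ecdsa_core::SigningKey<NistP521>) -> SigningKey {
        SigningKey(inner)
    }
}

#[cfg(all(feature = "ecdsa", feature = "getrandom"))]
impl PrehashSigner<Signature> for SigningKey {
    /// Sign a prehashed message, taking the nonce from [`OsRng`].
    fn sign_prehash(&self, prehash: &[u8]) -> Result<Signature> {
        self.sign_prehash_with_rng(&mut OsRng, prehash)
    }
}

#[cfg(feature = "ecdsa")]
impl RandomizedPrehashSigner<Signature> for SigningKey {
    /// Sign a prehashed message with a nonce drawn from `rng`.
    ///
    /// `rng` is security-critical here: an ECDSA nonce that is predictable,
    /// biased or repeated across two signatures exposes the private key.
    ///
    /// # Errors
    ///
    /// Propagates the error from `bits2field` when it rejects `prehash`, and
    /// from `sign_prehashed` when signing fails.
    fn sign_prehash_with_rng(
        &self,
        rng: &mut impl CryptoRngCore,
        prehash: &[u8],
    ) -> Result<Signature> {
        // Convert the digest into a field-sized byte array for this curve.
        let z = bits2field::<NistP521>(prehash)?;
        // Per-signature nonce; random rather than RFC6979-derived (see TODO).
        let k = Scalar::random(rng);
        // Only the first element of what `sign_prehashed` returns is kept.
        sign_prehashed(self.0.as_nonzero_scalar().as_ref(), k, &z).map(|sig| sig.0)
    }
}

#[cfg(feature = "ecdsa")]
impl RandomizedSigner<Signature> for SigningKey {
    /// Hash `msg` with SHA-512 and sign the digest using a nonce from `rng`.
    fn try_sign_with_rng(&self, rng: &mut impl CryptoRngCore, msg: &[u8]) -> Result<Signature> {
        self.sign_prehash_with_rng(rng, &Sha512::digest(msg))
    }
}

#[cfg(all(feature = "ecdsa", feature = "getrandom"))]
impl Signer<Signature> for SigningKey {
    /// Hash `msg` with SHA-512 and sign the digest using a nonce from [`OsRng`].
    fn try_sign(&self, msg: &[u8]) -> Result<Signature> {
        self.try_sign_with_rng(&mut OsRng, msg)
    }
}

/// ECDSA/P-521 verification key (i.e. public key)
#[cfg(feature = "ecdsa")]
#[derive(Clone)]
pub struct VerifyingKey(ecdsa_core::VerifyingKey<NistP521>);

#[cfg(feature = "ecdsa")]
impl VerifyingKey {
    /// Initialize [`VerifyingKey`] from a SEC1-encoded public key.
    ///
    /// # Errors
    ///
    /// Returns the wrapped constructor's error for input it does not accept;
    /// treat a failure as an invalid key rather than unwrapping.
    pub fn from_sec1_bytes(bytes: &[u8]) -> Result<Self> {
        ecdsa_core::VerifyingKey::<NistP521>::from_sec1_bytes(bytes).map(Into::into)
    }

    /// Initialize [`VerifyingKey`] from an affine point.
    ///
    /// Returns an [`Error`] if the given affine point is the additive identity
    /// (a.k.a. point at infinity).
    pub fn from_affine(affine: AffinePoint) -> Result<Self> {
        ecdsa_core::VerifyingKey::<NistP521>::from_affine(affine).map(Into::into)
    }

    /// Initialize [`VerifyingKey`] from an [`EncodedPoint`].
    ///
    /// # Errors
    ///
    /// Returns the wrapped constructor's error for a point it does not accept.
    pub fn from_encoded_point(public_key: &EncodedPoint) -> Result<Self> {
        ecdsa_core::VerifyingKey::<NistP521>::from_encoded_point(public_key).map(Into::into)
    }

    /// Serialize this [`VerifyingKey`] as a SEC1 [`EncodedPoint`], optionally
    /// applying point compression.
    pub fn to_encoded_point(&self, compress: bool) -> EncodedPoint {
        self.0.to_encoded_point(compress)
    }

    /// Borrow the inner [`AffinePoint`] for this public key.
    pub fn as_affine(&self) -> &AffinePoint {
        self.0.as_affine()
    }
}

#[cfg(feature = "ecdsa")]
impl From<&SigningKey> for VerifyingKey {
    fn from(signing_key: &SigningKey) -> VerifyingKey {
        Self::from(*signing_key.0.verifying_key())
    }
}

#[cfg(feature = "ecdsa")]
impl From<ecdsa_core::VerifyingKey<NistP521>> for VerifyingKey {
    fn from(inner: ecdsa_core::VerifyingKey<NistP521>) -> VerifyingKey {
        VerifyingKey(inner)
    }
}

#[cfg(feature = "ecdsa")]
impl PrehashVerifier<Signature> for VerifyingKey {
    /// Verify `signature` over an already-computed digest.
    ///
    /// `prehash` must be a cryptographic hash that the verifier computed over
    /// the message itself. Accepting a digest supplied by the other party
    /// removes the binding between the signature and the message.
    fn verify_prehash(&self, prehash: &[u8], signature: &Signature) -> Result<()> {
        self.0.verify_prehash(prehash, signature)
    }
}

#[cfg(feature = "ecdsa")]
impl Verifier<Signature> for VerifyingKey {
    /// Hash `msg` with SHA-512 and verify `signature` over the digest.
    fn verify(&self, msg: &[u8], signature: &Signature) -> Result<()> {
        self.verify_prehash(&Sha512::digest(msg), signature)
    }
}

#[cfg(all(test, feature = "ecdsa", feature = "getrandom"))]
mod tests {
    // TODO(tarcieri): RFC6979 support + test vectors

    mod sign {
        use crate::{test_vectors::ecdsa::ECDSA_TEST_VECTORS, NistP521};
        ecdsa_core::new_signing_test!(NistP521, ECDSA_TEST_VECTORS);
    }

    mod verify {
        use crate::{test_vectors::ecdsa::ECDSA_TEST_VECTORS, NistP521};
        ecdsa_core::new_verification_test!(NistP521, ECDSA_TEST_VECTORS);
    }

    mod wycheproof {
        use crate::{
            ecdsa::{Signature, Verifier, VerifyingKey},
            EncodedPoint, NistP521,
        };

        // TODO: use ecdsa_core::new_wycheproof_test!(wycheproof, "wycheproof", NistP521);
        #[test]
        fn wycheproof() {
            use blobby::Blob5Iterator;
            use elliptic_curve::generic_array::typenum::Unsigned;

            // Build a field element but allow for too-short input (left pad with zeros)
            // or too-long input (check excess leftmost bytes are zeros).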
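fn element_from_padded_slice<C: elliptic_curve::Curve>(
                data: &[u8],
            ) -> elliptic_curve::FieldBytes<C> {
                let point_len = C::FieldBytesSize::USIZE;
                if data.len() >= point_len {
                    // Longer than a field element: only leading zero bytes may
                    // be dropped, anything else fails the test outright.
                    let offset = data.len() - point_len;
                    for v in data.iter().take(offset) {
                        assert_eq!(*v, 0, "EcdsaVerifier: point too large");
                    }
                    elliptic_curve::FieldBytes::<C>::clone_from_slice(&data[offset..])
                } else {
                    // Provided slice is too short and needs to be padded with zeros
                    // on the left.  Build a combined exact iterator to do this.
                    let iter = core::iter::repeat(0)
                        .take(point_len - data.len())
                        .chain(data.iter().cloned());
                    elliptic_curve::FieldBytes::<C>::from_exact_iter(iter).unwrap()
                }
            }

            // Run one vector. Returns `None` when the outcome matches the
            // expected `pass` flag, otherwise a short description of the mismatch.
            fn run_test(
                wx: &[u8],
                wy: &[u8],
                msg: &[u8],
                sig: &[u8],
                pass: bool,
            ) -> Option<&'static str> {
                let x = element_from_padded_slice::<NistP521>(wx);
                let y = element_from_padded_slice::<NistP521>(wy);
                let q_encoded =
                    EncodedPoint::from_affine_coordinates(&x, &y, /* compress= */ false);
                let verifying_key = VerifyingKey::from_encoded_point(&q_encoded).unwrap();

                // A signature that fails DER parsing counts as a correct
                // rejection for vectors that are expected to fail.
                let sig = match Signature::from_der(sig) {
                    Ok(s) => s,
                    Err(_) if !pass => return None,
                    Err(_) => return Some("failed to parse signature ASN.1"),
                };

                match verifying_key.verify(msg, &sig) {
                    Ok(_) if pass => None,
                    Ok(_) => Some("signature verify unexpectedly succeeded"),
                    Err(_) if !pass => None,
                    Err(_) => Some("signature verify failed"),
                }
            }

            let data = include_bytes!(concat!("test_vectors/data/wycheproof.blb"));

            // Each row holds five blobs: wx, wy, msg, sig and a one-byte pass flag.
            for (i, row) in Blob5Iterator::new(data).unwrap().enumerate() {
                let [wx, wy, msg, sig, status] = row.unwrap();
                let pass = match status[0] {
                    0 => false,
                    1 => true,
                    _ => panic!("invalid value for pass flag"),
                };
                if let Some(desc) = run_test(wx, wy, msg, sig, pass) {
                    panic!(
                        "\n\
                                 Failed test №{}: {}\n\
                                 wx:\t{:?}\n\
                                 wy:\t{:?}\n\
                                 msg:\t{:?}\n\
                                 sig:\t{:?}\n\
                                 pass:\t{}\n",
                        i, desc, wx, wy, msg, sig, pass,
                    );
                }
            }
        }
    }
}
p521-0.13.3/src/lib.rs000064400000000000000000000070421046102023000123050ustar 00000000000000
#![no_std]
#![cfg_attr(docsrs, feature(doc_auto_cfg))]
#![doc = include_str!("../README.md")]
#![doc(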
html_logo_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg",
    html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg"
)]
// No `unsafe` is permitted anywhere in this crate.
#![forbid(unsafe_code)]
#![warn(
    clippy::mod_module_files,
    clippy::unwrap_used,
    missing_docs,
    rust_2018_idioms,
    unused_lifetimes,
    unused_qualifications
)]

//! ## `serde` support
//!
//! When the `serde` feature of this crate is enabled, `Serialize` and
//! `Deserialize` are impl'd for the following types:
//!
//! - [`AffinePoint`]
//! - [`Scalar`]
//!
//! Please see type-specific documentation for more information.

// NOTE(review): several generic arguments in this file (on the type aliases
// and on `FieldBytesEncoding` below) appear to have been stripped by text
// extraction; restore them from the upstream source before compiling.

#[cfg(feature = "arithmetic")]
mod arithmetic;

#[cfg(feature = "ecdh")]
pub mod ecdh;

#[cfg(feature = "ecdsa-core")]
pub mod ecdsa;

#[cfg(any(feature = "test-vectors", test))]
pub mod test_vectors;

#[cfg(feature = "arithmetic")]
pub use arithmetic::{scalar::Scalar, AffinePoint, ProjectivePoint};

pub use elliptic_curve::{self, bigint::U576};

#[cfg(feature = "pkcs8")]
pub use elliptic_curve::pkcs8;

use elliptic_curve::{consts::U66, generic_array::GenericArray, FieldBytesEncoding};

/// NIST P-521 elliptic curve.
///
/// Zero-sized marker type; the curve parameters are supplied by the trait
/// implementations that follow.
#[derive(Copy, Clone, Debug, Default, Eq, PartialEq, PartialOrd, Ord)]
pub struct NistP521;

impl elliptic_curve::Curve for NistP521 {
    /// 66-byte serialized field elements.
    type FieldBytesSize = U66;

    /// 521-bit integer type used for internally representing field elements.
    // `U576` is the integer type chosen to hold these 521-bit values.
    type Uint = U576;

    /// Order of NIST P-521's elliptic curve group (i.e. scalar modulus).
    const ORDER: U576 = U576::from_be_hex("00000000000001fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409");
}

impl elliptic_curve::PrimeCurve for NistP521 {}

impl elliptic_curve::point::PointCompression for NistP521 {
    /// NIST P-521 points are typically uncompressed.
    const COMPRESS_POINTS: bool = false;
}

impl elliptic_curve::point::PointCompaction for NistP521 {
    /// NIST P-521 points are typically uncompacted.
    const COMPACT_POINTS: bool = false;
}

#[cfg(feature = "jwk")]
impl elliptic_curve::JwkParameters for NistP521 {
    // Curve name placed in the JWK `crv` member.
    const CRV: &'static str = "P-521";
}

#[cfg(feature = "pkcs8")]
impl pkcs8::AssociatedOid for NistP521 {
    // Object identifier used for this curve in PKCS#8 documents.
    const OID: pkcs8::ObjectIdentifier = pkcs8::ObjectIdentifier::new_unwrap("1.3.132.0.35");
}

/// Compressed SEC1-encoded NIST P-521 curve point.
// NOTE(review): the array's element and length parameters are missing in this
// copy; when restoring them, check the length against the SEC1 compressed
// encoding (one tag byte followed by the x-coordinate).
pub type CompressedPoint = GenericArray;

/// NIST P-521 SEC1 encoded point.
pub type EncodedPoint = elliptic_curve::sec1::EncodedPoint;

/// NIST P-521 field element serialized as bytes.
///
/// Byte array containing a serialized field element value (base field or
/// scalar).
pub type FieldBytes = elliptic_curve::FieldBytes;

// Empty body: the trait's provided methods are used unchanged.
impl FieldBytesEncoding for U576 {}

/// Non-zero NIST P-521 scalar field element.
#[cfg(feature = "arithmetic")]
pub type NonZeroScalar = elliptic_curve::NonZeroScalar;

/// NIST P-521 public key.
#[cfg(feature = "arithmetic")]
pub type PublicKey = elliptic_curve::PublicKey;

/// NIST P-521 secret key.
pub type SecretKey = elliptic_curve::SecretKey;

#[cfg(feature = "voprf")]
impl elliptic_curve::VoprfParameters for NistP521 {
    // NOTE(review): the reference that followed "See" is missing in this copy
    // of the file, here and on the next item.
    /// See .
    const ID: &'static str = "P521-SHA512";

    /// See .
type Hash = sha2::Sha512; } p521-0.13.3/src/test_vectors/data/wycheproof.blb000064400000000000000000002037061046102023000175010ustar 00000000000000Axx.KMilc<= G2Yyaw!zxƋ?~NVb=YB˃A\dWS/H Z<VY⯔\ǩ\dOVw9-݆MƐi ;*RlVJE123400MessageA0K=0#f骼Úv>HE`RW>[_4h(PdΛيB*[p{߮t)I-Y#&@DR b~,3/>%O:;[ eB#32b<76eڃ>;{ɰE^j_Q,@ KoƙB黂| Bƅ͞>f#Bd9?!(`kM=K^wY('3HjB~~1fA ◚ vܭwA"`pSόcgT߱5KrEk>a Be5hs^cTmcy;NzrS޲bBdg@,g=0yI)3LPzՈV/ɵ`(E9_6{eiB]R/GUd2O;XFMEM(܋kL8D |5B̦31BwпxǶ, V_U \=OEnl{ 1l59Qm-qUpnB8R9)ZE|g筻5]D~婬6EƌRns/PCq3φ h̳;d*w][M 6J J|~kZJXO}%AI;t\=&KwD'lSz|,DVBX&vg"w\[1 OA2| 4қ'da7j"m BXɡPsRjR'͡`~`A1z|>+7+"v[PV ZvDPD>?J舿_ 0B˝ Nm<ߌwvUk:}aK-E9FiZg:B ̔Bÿ#(`{ Qlrn%Ux2F =FB)Y$8:ic 0BsP2RC2zƲ}j̩Ox V-jHM ְG+="]=AI$I$I$I$I$I$I$I$I$I$I$y\\Xx#Jfeʄ =}r鸀0@C#Xy[ͭIͅ 9M33V#!u{0|a Xʨᬲ~]4/AI$I$I$I$I$I$I$I$I$I$I$y\\Xx#Jfeʄ =}r0Bsᘔ԰:o#BeluD{:Ǵ+ٸW꜍#Eh} QIQ5{dB:Kr}zOFfiF3|  qе6UH؆/>&BoΟ7[)hWU!÷=ZJy߻frC ]{>XʌO*'BDSQ)xj;qL'}SyBTM6bI=B` B9)jx;\_,}٘DIWDh'>f,r^&@P?a5÷M4 NA(ВjArI.K-#Djͬ۠)=itۢtq"pii(^J0"1 0BNB#Cˉ;9y,z=7J_&X Eu.*nQ+xGB"<A(ВjArI.K-#Djͬ۠)=itۢtq"pii(^J0"1 0A4v!=}ӅOBAȵ8S qe %DO(H yA(ВjArI.K-#Djͬ۠)=itۢtq"pii(^J0"1 0B4v!=}ӅOBAȵ8 '٧NzՑnԇxah[Q8gUXA(ВjArI.K-#Djͬ۠)=itۢtq"pii(^J0"1 0B4v!=}ӅOBAȵ8̘[]{=Y, vMCDo g;`?!bT1Y@,ZATDAeN-u,5/JE&odMvT@w>MD |.6(y439491941720B o{o/vBavmA:E\q9ew«hzxLx\%(MM8tBkX:2Tc0U!E}^'F &oDG4j^psEb=d53676418770B,:E\HCY!`6.QA!g4,pFmI2Z i|}X4'B&c\Ư 5aYg%ê$\VG00Mmh53D@# 56714810950A MMGyY~ٴ Ѹ m7b|9T0=rʬ^>'BS_Vw1 Lvut8Cp2Wi\=^ݥ112071729090B N%#%׏N(brL2,NDLAFu I0i}S [A'41]ӝ w[XC|lI6շJGKsg^+C2d%:P112980342360Bӱz4GsCJ*Wߴļ!>V/@İэ?%~ıNv"erŏټ>7hB"ۥ J~A)I]Xl. 
Fwe>=[?3eLej6Ϧ10874911850BObJ o碐e#& ND M;8e#(J Ȥ G(B]م@sA]ҸZ3 Hea 8kbg$`MMfg82 32366785000A,-~a | .Ć8 cykT\NeP yg8K(YMB_et][b5 B5m[ _e/8k6ӭ tW+ y6L]12q:*k14489977030By%zS9)"IKgjZ]@#@G0^ BsWW\],*<Pl_fg *rT{6*dоK0bL.57146328070Ajɳp{+W]mh]ߋ:TH"&Veuߖul`B6xr,wBG7 [g}UL>xj:)wƚݸR/_AfH6o `2264874920Bļe2D" o~N֔in-Z-8v޳ƭe 5\;^GL432ym:4IAb޾Uv ZR芃|1s k dd~e9x~рmߑtXn ?z53534494790BtD1 / mU+ZscA3Y ÜRW*y .WgB/Yʒ|J1gQN*aaD1v5!rpt^W>q?r47873038800BQ:|:0(Y/؟k9thDu wֻ=%KApKshvȄHu[ 107393919170B$1X k+(t߽сC׎ yk#8 `Gu X5Y|B9l.$OSaW+M&Yuaz ^g.@0X$`:Dw18810273150BH_?bdwZik[8in.脚d-z*dg/ o2Q"L_wᗝBsrmfT m&ɫrG}Pg 0g4nGuu;ψ60616939070B 'o߄IjׂlہX+?xN+lݧcaw~{ U&,&BFW:DȺl92fluC|y*xv:߫:ԧ 88952270940BkubGҌ(me(Z'OWs0Ds=m9^%Qo=1VA3pKJsfVO>Xdf?9g \]#i7' 3v`=S15802340940BU@5Q "#)(~;^%_"eVjfxXs#ѲNFؗ:UBkQvGw'j)3̔oB0@i+_EJ QO,_Ҿ$39659915120A)>guA"={g8k76'Q{CCC\텋h;|8A,}}GH22Hs},E EW @/A]-ז22887321980Bj:Y_kAqk7f;4 8 49u] 4>z;YYB»َDлOuc`*v`97đ:DX.ȊBU{Ų!~j'q/¢[7D'22308873190A;GRVce15 nNN>nףRIJHD=^1WJJ\.tztưB$t-z$WR}y8nKPI`]B3c6iF7w1290569370B(*{D#\;i)6Z@(0v{C0ۖ$შyghts=aBDǢ+FwrlR#qnQρiF0 027486564380B^[v-hsa0[,D`Z<-=jClg$h'A.:|qV3 P[ wH}([ʡ@%˷ۮ63VAy?P75835026040BaK4St36Qh㊃@ FM|zQAn.2y˒tj*BoIioOm$ƀWD.0m65Bwk"fy{&`23277542790B:o].'j߰r%dt@p>N>lB+upS{*:ʏ.I8ppnςDB 5mS{cE ] K4~?_^+vuMd嬨=h"]/K@ݨhz166778270570B0}\ T{X= |J&c 8A?92N!01eKlBv`Mi|eQ sC#ERΝm1_ b@vPuܔ:ME7kDC}&OBmb?We7> 5 :"n^Ml`\MU-އ668424960450BF]Ķcz2fc4ZKa&^ɡz-Q>pXhҞB\~NDq|-dN2gmsQ(+":v`p@xF(s?q>&Ɍ32698973210B,Њz-@:`N^:R'ApgaFZq* Jv "B5;Bo/%s; Fc>nJLЭ7wUҫ`V=**4-X H13873246920Bʕ2zA8bȋ.&u.|&Õ'Vk4rgwF[ۢALbB@m%:2/䁣v$/dWVeɿ%3X$[߸v2r ͬv@:7ecH41188875360B XmAh.v 2CI@uQOvO3+:!лP\jŏB$M$G9eu1oKyI\W/6N.:Ҟ:DpMj*9886065450A7uݩޘKUGeYڠ 'q9|?&ݥO$c_9cō&B ⶑZl kT9LQvmYN WnV?5KC~ %,24791158450Bz 0ȏcx[žIf|X aq6H{Y)F/e*kl'@BuH}a)XW !~z5 ,-?]#}a GYtsBYOO50768873670A;+PB@3*/ z\9mA <߹DWZ!c)𗾹:4⠇8AV}\gL4:Y3s>0^(ZXuѵ p1UG^9885069670B24v%4?Q&E}yUX.BFU.ž>D5^ ts"_'fr/%B.=!Si}0.I8u /s\,buf# |~b9'YEj׬{27213061310A/wRMg~iy+0+󳻕/Kx:m`fwB(`J$[',;}ԧ߄$ +$}32041016550B*Epӿ> 9`I^KT*ƹ$õNyQ 
/eLjFtVٴB\X^ !:!~}8Rge M,%I TS\^QK6l䛌#m8;& 31506809500B&SJg?(=M >v`2ʥPʜǪάe6X?T\q~^AIDHKFxz##|m'-DnaDqN@[DerԍUh17274601030BHU,9OZEBzؑ\3$%23fk$36״M\ LBCcNBO p`jEN¦d%A(\p+b4T[4L ]DSFE145714612250BEI|'鬬G4M2 TNNVgL/ ?aɁӗ:ԞB)^CŶ΀DCKJtUcSX&E]sMV(AAW=XlV541795160900A 68аXIBTWw^_#Izߧ.G9FCf RF^̓}GC;Ba쮒~V3z ^(]qk?nݤ; Mt[s4WLvVrBP58927130540BŅ΍M3Yۓx^ ηWF/EZFWAEpɣZ1@5 u@l*%^vACu}(/L%?,)< UC`ANs Y pjg."tCŋjix38961822970B$ ~{q7>4z "I7_5bt{yZvMMKIwEvB~âAS'KV^]}^QZ/!T\+_7:j=0az_{<N&˱82833467320BSmUo롏QsXD56'#}W1/9dj< 6Z&ږEPiB@˧47c;quq,8C%A쩣9‚ڡ )]*33669748910B?r3PrT =f SnT2;~>_iD-@oRO8!?9_* /#21991532290Bgݳ-)~`ɴvʵh·b+]*$aեl>2S[8{e %BϞy<*餹/!pZ= {3T湍\Y.o5c‰g~I~ec56003168220Bxc&tVKq8J(2h|F<İ=-x^V;`T{v*mBEaJԺ\ludwֲb x1ELu]!^k*xO>m65839263720B;gȐkCk6@1ZU%$+䘹-+qPE\~)N+Up뎻O B=^\˒x&l|E;k/dwܧvWqN.CR? (m820825394290Bm^=;Oӷ(pQdwg3 )>)ez`MZ>I ;Bk!-tMnyiu#_92n?km< T&FLJ^Ir@l vkGmJ100659566970BbOZjN'._Rq,w #a]e% Ĭc3 R9~ .?aA,ar)s%󽇦2ЀaK,Ȩ@,#\&MbQ̾9TZ^30241816040B+`厊f= vukwR l`z4˅Q3*)z [xãB..uY߳rQ0K9{9DΟoͦ ,(m@ 77678528740BJ3 ~`IQ xBA(?W"/mj nS!U0IoVsB2Ť5č ~G)rQ406QBRCvIp(}5441999740BF{E`U{2J噘GlujQ4hZ .+2v R-LJ1OBjagYh5R0ІrAE~XX0b ƿ}WPR58434803910Azb'u}eUyhwŞ؟u8&8[bw6K]`hCZIQU=mq ybv\y IX16140369880Ax(mK@-$S >ȴ0^coWS!>Fk]NB*3Is.!'͌v'jmEEkvK >3?ߜj%$.U0]z20954256850Aj;f UdcY''ϳgVinv9<7达B11)uvuK`bȼ!/m}G3HkiK`(ԁ) 110080989830B2P_(Ĥ(_j@7oq~Qf# |9F= 4lhyFqFP%zR~A1f"ٰ2"?vv[j:Wb}IBO,{54$BX%g15741479270A`A-,JvTFbz1hM;c۴;;{N$h.B\AcbHtbJmR)ZIs#!%&.\H˱ނ'Q?27g~1\28667715220B)۟E8;m`a x:¦e@)Wi-_1$pR4kKC{X/oVEB\ ;hyly~j+B*Dʄ)>m!I/1WŶj $rR16942807870AZȣx+/VeBN)s BVI~ f|*qGg ibDAnB4Rk(Q,e~Te4B,ݲdVc/೪^ Lj"99216925680AZ6lT9gI^D\ɕþ>B/UFW h>M@9+ B}p^&{BvEњ-izZPTם.ɠ =ɯ U 116094397980B`)jv;$IV `lsȧ6Da`UaK&A0~'-A48,{ o:|Ҿr]/9ɑ!>5FW_>ރ9lQ9>RKyJ 71861621000B~)d^&-.G$ R6dzz s :Մi؅#y6UwEI)B`*,}2G@HQ p+M٘ UDs|[plA32943471770Aɂ 7n<BhPGn#O!QܱO_MU!f 3^#]6*z185144551200B&N<*!x|NV f9R86蔱OEo!gNm(˽K,젳SEA\-k:G wM] 5DqΡpLzp̲ێ5(^&^4760439300B8txuHU~_KrJC&;yw74RT!6.Wzy2VYgB]f`fGBKl-é]fJxש}*SVWY'撏SBg3`E}LR25673787410B{qJ 
BX0AڻJFa'aN|?E/c(Q.i ^\IAAwI'w192664109200Aj.$sׁ:6&%ܗox#LjqWo9 >-áBʖLV]"nDӹt ֐4 26俰,`"fĈO8N/,uH@21955303770BVPG^wB 0%ʧrA6K0ɞ^*3sCrD Nʐ/{^F/.143319265380BƸ yȻœ)| yTG՘LVP"R Bt W A_COrSKBLEATD-V&4Yot 6@tlw68298359290B$Ǝ9ĺ7sp#)Ι.M"At#oT߆!82c;$x*A*(~{ !XVęOx硟h%_mv?DxnvΣP_ex\34451580230BLn * `Ɂ f6j4&cN~t'khA5 iC<9[(Aj I1Ƽ*  )?oBg7KuQ74s\HO}˴ϞSpOI126979876440BJE:v}Ӏ%,fMxJ`E;+aYHEd[ \\1$BnY+rKV7SYw[ !3ׂR4<%55 j70042529990BI`lc !xj)~KPѣޔÀUk ʶ{Ɏ>8;B{+0O?4tGB`Np3Sz\a[tWANp:' 15653252830@&TR] @}O2❤A͹0XYq{^ ~rv(AE0Bkĺ{Dwq]ָG|5G3͐˦(| >8>.¯Ѐ g238263423500BW/^u]20Z<Zq܈նђ7uq?Z &_uBJt>`b^o 6篐'6(-?%ƅvp]?m]43*%114478470650B+Ct!M%(ժɧZ}oyʽ6Co;{dRTSat،m6R+Br>rL+#WzF)G[ ۗT=*fcT,[:tKRڊ142602055440B@%QtT)kS\]ZU\(Z_.rJ4V TjRVfB`'"Jpl9FPQMׯ4L h3ŲI|Rs.6Yڇ19938352850BǶEEr#1n O. uwMh4A6V'(rH.|h1B!Ht/h<ѷۏϊƣ^IqU6֍ nJ#[B#O~*gylleL42921535230Bp+5K?klڌF %F߾ю{)v/B>>CfAK_L-Bՙޯ#h+J=SB]W>k$s(Fӌkɩ {mԩ= Y/44599014960Al q4]G$Ă*|Iwr%x. 1>0V.X\NhxHB _cL3mo%4F2w&[sje>ƫ!RMEn)/13939711710BNyBX]%\]e堹,=6sFT "T5\j&@:2&,ʳkB{h/Qh@6J R]T(Ǚ_# r&s.R= n?_N 23906964950B=5/x `ȘUQ9)r+,R>z\S8h d'Z!<Bϫ?nr%Dig\46850047500Be?9P`H=seީtث}89R2. ZBPYQ/E*Bl q8f-%N$VԑJ}S_s?j^MžH~vFjq'ǪЖ222053606190A iq_md:gn$-.]mEMaUX5H( XIpBD{hLh Rg~H#)"uf 酝xDQPß+:%\+hMg62156651240Bw*6ưo=#K5\ptSG7Tks7Ɉ0Q#*B]XSƏ\;Xʖ HvrE>E hxC~M[@8if#2q/vcE@]6w8NM9n$g5 0BQ/kH ;ɸGo8dBQ/kH ;ɸGo8d3m]u F6PM%T8r e Y+hƓ6Sqc^!CNtԍ`15FH"a8Jx폎 J Vk s)/{[<~g 0BBҷUEb١cN쵣E)X'mrPCxcbMbZੈaǿq fo7,(|c?Rl 4,&!qWjЇVdtlt^[Ժ7\)P(b'm/(2HqK5bPveao/'vChEaVs\Na 0BAvEX:7eG]GdzIyDٲ n׻NrO&6T7*$(v^~ `ݰNLҙPb'<"73 }k;iy @+F&5]xgC{vhSv+⼞F1eq)Z,(DIm3|%͝ 1 ݜ}|v82נr,cXjU7P oݚ@_tm/حEV!@~hcXA)Q(`$]ɺj'yj h;~+!!S 0') 0') 0GBQ/kH ;ɸGo8d gEkR*]LJq*-%/estNgBq+bmp. '1Wy8M,xP; V(n&]g*`MfDz24p!(̈́S#-ph߂ 0GBQ/kH ;ɸGoK:h׵!GfsJtaԙ5$D7}PB2^4#RP:s:YBŒR"#;MᓝfNFOTelRRӰDY ΠX,Bئ[׋ 0HB߿~߿~߿~߿~߿~{Muv9@Pd&0$?JŬ;"2'k.X5sS_r//qo/c)`#cڭfnqA7wʁ׮EPd<]0 \$]f@3*B`n>ܦ\P 0M-M4yRBP4ނue L-Jy7yhxLep,?,>g HyI/c~h'Jº`i+iz@a`8Q>^Gam ,*$DtJQz ,/R630j1BYj7^G/bY7ߜjJdy!! 
*0S 3~7+DUNB<<<<<<<<<<<<<<<<9?c*dP{ՙdX| |uF|w2VznKNUS;Dx6Y^H(/HUeop/?(ƀ$&>ձw^`]p{Zne.ǖ9`RMxDMW 0HBTYe{F/뼟9~̑Cߣ05T ?{i{x1+8sJc!|| Z~90!C?Řg7.Ƙ||B:m#Tcw̫|$BTYe{F/뼟9~̑Cߣ05T ?{{WJgNHRHTJ9s֓!C%n=oIf†&| ktնX~HbAv>:{_UeZ:C³,I> E]rbА,85 0BQ/kH ;ɸGo8cBUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUQuU2ny1%t|$ z[53 0GBׂ?y*U7Ei<؉m:>z_v53 0GBׂ?y*U7Ei<؉m:>z_v*?>[yBo/K1KN4v:;-c(iΝ7Uu~K$Sj;2:з 0$N 4H0d`,?0$zr3kȑZz 0B(Cߗ5{D#]ۏH2Bׂ?y*U7Ei<؉m:>z_vK<ڞP(T"Z\:ҴC{C+&F*f _7 0B(Cߗ5{D#]ۏH2B(Cߗ5{D#]ۏH2dT8^>S}& "ej\JxJp$]V\YH=]1C?0ƽQܦZ5ǟ!6YgHnl!*?+SP-F\zps@qR;1ݍ3ޠ 0 0B(Cߗ5{D#]ۏH2B(Cߗ5{D#]ۏH2`8B3Gd/9h40M6ûb~ Fԣ-C'JBU&8/c.nH0$65XbRb7MܿUʽbIgPmZP>}vLpD6_2`6xGmb 0Bׂ?y*U7Ei<؉m:>z_v@C#Xy[ͭIͅ 9M33V#!u{0|a Xʨᬲ~]4/Qj5Pp•vrSי4"kd3b ٯmrUyRQ,Zla'u5nܲGdWNo,?GfxX$-mzK˅@+/ (>xс>F>M 0Bׂ?y*U7Ei<؉m:>z_vBsP2RC2zƲ}j̩Ox V-jHM ְG+="]=`zlK#N5GxO5gUCu.V'{4eDݨ 4NinIOjxD3V$sתgm#YO6L-T+yx6?F 0Bׂ?y*U7Ei<؉m:>z_vBׂ?y*U7Ei<؉m:>z_v2m$arB`I nz5pda: Y֌i.JNJUw.*| }@PlAhوۼbgHHQE>`o37g۾y9 0Bׂ?y*U7Ei<؉m:>z_vBUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUQuU2ny1%t|$ z\E wgMJ&r'v"/v; HN#s96 0TDffr:`V']ZҚƔS 6` ѴaJit)J> X,I=x|[I$'Lv%pq:tY p/F-`S:7` NcOT^/ kjЧq4GGnN 0BB"cf`ێtԆJ_hvO^xYW)~ާEЉޙMIR : E)oE[7Re{8vAV inGtN`x&͑[FQ!LY&]_ 0BBa7_trķg~"&L])_,pd:{wVcmEA5mtvwNE(-_f҃枫~6ӟ*JJ^=-)GJ.QFj֞vb6v_5XfrG<|XuD)05~ 0BB黽d' hb>H>{<󟶈JgǕCWC>iƖlc=5rLt|4B2 ?J[&fG;>TJ@AT-A9 X,F^ćh {O O0Ʋ'E-YYc3RIU]v}L"A7A\>8p@ 0BBDIo7X㰅yqOi>|UEZ 0BBUJU+XzFkc)](̿'I5{ozi `= =:dOd0;Q/tҸǫdHYƝ|G0ٷa};c>xO_6z-'hz>fs,>{/cc-z*MbuIգ>Nkl**űF 0BBV&׌S<~QB;#INjd\xmo۪:c tX:N:\IcpAY0Á;<\(M?j@3n"I'+ cnbX[l#FOaߍ-]P'Ŏ,Y؊|4O"A$D9 6H`֫j|: 0BB n9ӨCR)}=yYf>fTo~#D!qy(j[X0&Gl@ #Oq[6FW]q?T'srS%eo"K!2t?rE%It%F 1˶p,medM$(;֞% +(zK 9gCM 0BB3u Ӏ|\3EjǾQ wܔnV޼i ckрf ኺ s WIֈ.n4jnϸ ƒZƼy>>/":8ghׄ 0BBWp~x,N35; R2⺲w]+HZS(4™p}=haŞR4FӯQk {7X;¥n7MWҰB}pPNcfۏ+%%Qf̥CelY<fO [Mǩ~>/yLL!CR]2*, 0BAhُ68 {?Aˮ}DF-B[4Ii[ _52'(M)'Y dbu$QL0w\S4^ǽ9s 9D0B=D.ơQ78R PwIx8LcL>5ͥAF`LcfX<^ZjVh4('8 仆<|'0{iHV&tԽl9"5#%>hsS~uv*D:OQ9Q 0BBfo9T!/Wۣ)%B93Kαc2]]gc\vls>1U8XJ6 ;*8au]@ %u .1, +}zXxfH͓/zK^b , 0BB\y!!X <1h m'DxlCfc#^P\<%}GlD\TH~TPhaGL5vY 
;yžb778GZIn7'GSٲMΝf 0BBL6Rb3#)-j(!ū?#a_0@Al{Pl;-G)} Ҡq~쨢 > \`+=ED_ 4:űm*"F %6x{S%}rCvV5 G?A1 0BA"......<?4-=WŌ1W^W --}@豇WQ^kH S087,JAKq HCc( 3sbcDvn6 ZH?SvN07FRg;+iLV&$- KC61PtKY+W" 0BBBY !d,BY !d,BY !d)~ZCYzT-124^9b '2ǛB=);M "&,q-&̠;ۚN}dt6NZ;(g:z I=l@}O_|g\S!SbQIr}ENM$ 0BBI$I$I$I$I$I$I$I$I$I$DEp7A%AuyL3TQIEdH4y@x$P=qY#z?9lI6?1ފFD~O!y\'0aikbejL"eiCJ/G}Zi7ڮy]B= 0BBUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUO!VL^%   s捹_1'Wu.M`{ɽ( MG(O b:"sd [~# ܀؋vӤ{Qh,|o=UfйvկهË~@t?I a.kNjlP$B+1BRM )Ex-T?B[LI(+a'm u [IR0P&CCmiK69GzCP8LOh 0GBׂ?y*U7Ei<؉m:>z_vƓ%(B9r_*\|w0`1DF#=?XǕB\TC1_eC>ܼppŤӕE5HВ&^GsUvRфQzoĴ 0BAffffffffffffffffffffffffffffffffeCNMd (XW}{#gtCft74`t2]+ekQt|Lz_vAffffffffffffffffffffffffffffffffeCNMd (XWm#9s@%4~yA,g[91 +ON9b(N@y9/3]Hc~ < Ћ@v"#8'h=reLJ+l=m0Jҷ 0AC93mx=Bׂ?y*U7Ei<؉m:>z_vPStMS؈8ӣExre; 4<'B,OoCX!%ɞԌ|ZZtHmL6|Vk,;7@?iBdaG6 i$Rfc;kp m^Ҙ 0AC93mx=AI$I$I$I$I$I$I$I$I$I$I$y\\Xx#Jfeʄ =}r.&Yls}kJv+|(.t:K:Qg }~@=~kﭯcƶ ]<>Dԁ`gJ+YVVxcFOgRw 0AC93mx=B962xUgmn@/ġ`nY_K`P"ΩW@daVnĤȞ<$sM2708{-2!}[)v@0rL%$gzqk3j[e')Vk^܉i0ǔIez+ޙN^ 0AC93mx=AffffffffffffffffffffffffffffffffeCNMd (XWKA΃HOW~9)vjˮ 93mx=Bmmmmmmmmmmh*+6(nӿ iWc¿=q2 |yzQ{ 0^ݟJȦZ=8+]/Ϯ1Kq,9()$M]ѯ=;I 4xB+!w "f_C*U EWf?z?\U1 0AC93mx=AZ_/&08Og֧Zl9vMMr) 3J#J! G}#t|'#htOGB*^ЛbnD+Q*%&7Pda $PA8:AYv84PtUW"c\]:/wY, 0Bƅ͞>f#Bd9?!(`kM=K^wY('3HjB~~1fBׂ?y*U7Ei<؉m:>z_v O(deÑM,Xp 7o8\BIiOK.U"~)b# ,9""ݍu XUmjӏy`> 0Bƅ͞>f#Bd9?!(`kM=K^wY('3HjB~~1fAI$I$I$I$I$I$I$I$I$I$I$y\\Xx#Jfeʄ =}r/ǟ[Pc+QJf#Bd9?!(`kM=K^wY('3HjB~~1fB962xUgmn@/ġ`nY_K`P"dP^фW&![<)GZ&n AC}>hN"X$vX60 Qix>٭z)Jq]O21ں;/݃#'UsONm?Ȧ;$A`>l) 0Bƅ͞>f#Bd9?!(`kM=K^wY('3HjB~~1fAffffffffffffffffffffffffffffffffeCNMd (XW!嚯&0O> Vf#Bd9?!(`kM=K^wY('3HjB~~1fBmmmmmmmmmmh*+6(nӿ iWc¿=q2 |yzQf#ܒKITes]OӁ+HpS΃ E/w#mk+ZL@#?f#Bd9?!(`kM=K^wY('3HjB~~1fAZ_/&08Og֧Zl9vMMr) 3J#J! 
G; /; -= /= -0Bb]a *.BZ8Ȳ3^ "Z4!%mc,zCe*i!UQ-KZV%4B?&I%EUw{l21K\"WDu7 ,tRwFt=/Msg0AZ܃<aAWMz(]u%}\3Bm΍D:u}QL1A_iGC{y#Qs،-a\^~}Oh5ʰ)D(3*smvf 0BAAJXGfp<&M$EՃv汚 ez~}6}}zɺ%B4LhqC3o _F{e݋E./Ox4h GwUwؗ(0A]?oVC)=xCrVj Q)\)0[p[i@vJYAwRB4RVQp aurilaEɇ3/߄\a"bCFqUJ_hn # 0Bm'(As0S5g$q`HJ>u Uz9/Oj[g%tbA4XHiC HBI^ߋTkF7Kwc}"1= {#- # 0A|GhbVH͊1LA)%; 6KK,ԣPgOI=~DH^B'҄[I|3TW?1 SVnQn P0kq5?&FmSDȣC  # 0Bc@{TR&TsVg+!EF7[=`tq\y6aLBޔw*R̬Y}>KC@0R1%8M_hyhE&PZ3  0Bd+9v ]EB(ġr0=^8\2L@?\՝icHnWk A"6nTQ5fHBըkk=f$:D%X=Y#*GTk  0Bf}m\3:^t(Y ^8i\@ܑt@ [͚``m^WNޢB.ûZ @1fd6ۂN2Oj@6 < ԀF#dTYx)D1F;%H  0BR8madHmne%vGnvm =>7ESKD;'zRBe[.V:I=đ(,>=ۚL_ F"<_ϩ}ő*XPZ [ʥ 0BG,|\Xq!s#$'s ^w)>;%MFaD%pFBsQڌJFiѐ/P"q`YMUuP6TAB!(UAwP 1PS?bvW+ 0B#F⴬;PO=-@- ryU*;RA&jN:EʬhBGZP/x`JQtF Ma4U7LH~j(^n  0BvMPv`ǕPM)u/pK{Ώbmnܶf\nB&0fj&T]ƵJ:[c4W+>w^Y[z-ƓEndW 0AN֒Ѵ\:]no땅B2JcE*Bj"Ĝ/Ec8Azέf6 4%#SlMvJnܻ |vF G@.."O=oJ 0Bz.o@􌜓QC%洕A>m_)U+%'6BH~Of.d- :WggqãުV  ^I`-қa;IL e 0BҖ)"8 3fWhU]ۓss 54vj71 E1*;YBxYCBYy Ა=a;$:zp3O u3rEW@~w^YBdcI3ĩ! 0Bx\QZ͓H{\J3!zYfSht5x-ooDH;;,NLQϕYdl\!B"v>|7$ m qgOpJA{B&حlƧH ލn ! 0BUKW ueGާb[{Sb>͜©O%vrEGBN₣сX]~,Bk>2Y$!c$5}.o's[\Ei/"! 0B)Łʆ|1KV?$벭(#~-hDj0C ~;Bт.98=iغP$zgqAx5Jby3;mp521-0.13.3/src/test_vectors/ecdsa.rs000064400000000000000000000413121046102023000153400ustar 00000000000000//! ECDSA/secp224r1 test vectors use ecdsa_core::dev::TestVector; use hex_literal::hex; /// ECDSA/P-521 test vectors. /// /// Adapted from the FIPS 186-4 ECDSA test vectors /// (P-521, SHA-521, from `SigGen.txt` in `186-4ecdsatestvectors.zip`) /// /// /// The `m` field contains a SHA-512 prehash of the `Msg` field in the /// original `SigTen.txt`. 
pub const ECDSA_TEST_VECTORS: &[TestVector] = &[ TestVector { m: &hex!("000065f83408092261bda599389df03382c5be01a81fe00a36f3f4bb6541263f801627c440e50809712b0cace7c217e6e5051af81de9bfec3204dcd63c4f9a741047"), d: &hex!("00f749d32704bc533ca82cef0acf103d8f4fba67f08d2678e515ed7db886267ffaf02fab0080dca2359b72f574ccc29a0f218c8655c0cccf9fee6c5e567aa14cb926"), q_x: &hex!("0061387fd6b95914e885f912edfbb5fb274655027f216c4091ca83e19336740fd81aedfe047f51b42bdf68161121013e0d55b117a14e4303f926c8debb77a7fdaad1"), q_y: &hex!("00e7d0c75c38626e895ca21526b9f9fdf84dcecb93f2b233390550d2b1463b7ee3f58df7346435ff0434199583c97c665a97f12f706f2357da4b40288def888e59e6"), k: &hex!("003af5ab6caa29a6de86a5bab9aa83c3b16a17ffcd52b5c60c769be3053cdddeac60812d12fecf46cfe1f3db9ac9dcf881fcec3f0aa733d4ecbb83c7593e864c6df1"), r: &hex!("004de826ea704ad10bc0f7538af8a3843f284f55c8b946af9235af5af74f2b76e099e4bc72fd79d28a380f8d4b4c919ac290d248c37983ba05aea42e2dd79fdd33e8"), s: &hex!("0087488c859a96fea266ea13bf6d114c429b163be97a57559086edb64aed4a18594b46fb9efc7fd25d8b2de8f09ca0587f54bd287299f47b2ff124aac566e8ee3b43"), }, TestVector { m: &hex!("0000a6200971c6a289e2fcb80f78ec08a5079ea2675efd68bcab479552aa5bcb8edf3c993c79d7cebcc23c20e5af41723052b871134cc71d5c57206182a7068cc39b"), d: &hex!("01a4d2623a7d59c55f408331ba8d1523b94d6bf8ac83375ceb57a2b395a5bcf977cfc16234d4a97d6f6ee25a99aa5bff15ff535891bcb7ae849a583e01ac49e0e9b6"), q_x: &hex!("004d5c8afee038984d2ea96681ec0dccb6b52dfa4ee2e2a77a23c8cf43ef19905a34d6f5d8c5cf0981ed804d89d175b17d1a63522ceb1e785c0f5a1d2f3d15e51352"), q_y: &hex!("0014368b8e746807b2b68f3615cd78d761a464ddd7918fc8df51d225962fdf1e3dc243e265100ff0ec133359e332e44dd49afd8e5f38fe86133573432d33c02fa0a3"), k: &hex!("00bc2c0f37155859303de6fa539a39714e195c37c6ea826e224c8218584ae09cd0d1cc14d94d93f2d83c96e4ef68517fdb3f383da5404e5a426bfc5d424e253c181b"), r: &hex!("01a3c4a6386c4fb614fba2cb9e74201e1aaa0001aa931a2a939c92e04b8344535a20f53c6e3c69c75c2e5d2fe3549ed27e6713cb0f4a9a94f6189eb33bff7d453fce"), s: 
&hex!("016a997f81aa0bea2e1469c8c1dab7df02a8b2086ba482c43af04f2174831f2b1761658795adfbdd44190a9b06fe10e578987369f3a2eced147cff89d8c2818f7471"), }, TestVector { m: &hex!("000046ff533622cc90321a3aeb077ec4db4fbf372c7a9db48b59de7c5d59e6314110676ba5491bd20d0f02774eef96fc2e88ca99857d21ef255184c93fb1ff4f01d3"), d: &hex!("014787f95fb1057a2f3867b8407e54abb91740c097dac5024be92d5d65666bb16e4879f3d3904d6eab269cf5e7b632ab3c5f342108d1d4230c30165fba3a1bf1c66f"), q_x: &hex!("00c2d540a7557f4530de35bbd94da8a6defbff783f54a65292f8f76341c996cea38795805a1b97174a9147a8644282e0d7040a6f83423ef2a0453248156393a1782e"), q_y: &hex!("0119f746c5df8cec24e4849ac1870d0d8594c799d2ceb6c3bdf891dfbd2242e7ea24d6aec3166214734acc4cbf4da8f71e2429c5c187b2b3a048527c861f58a9b97f"), k: &hex!("0186cd803e6e0c9925022e41cb68671adba3ead5548c2b1cd09348ab19612b7af3820fd14da5fe1d7b550ed1a3c8d2f30592cd7745a3c09ee7b5dcfa9ed31bdd0f1f"), r: &hex!("010ed3ab6d07a15dc3376494501c27ce5f78c8a2b30cc809d3f9c3bf1aef437e590ef66abae4e49065ead1af5f752ec145acfa98329f17bca9991a199579c41f9229"), s: &hex!("008c3457fe1f93d635bb52df9218bf3b49a7a345b8a8a988ac0a254340546752cddf02e6ce47eee58ea398fdc9130e55a4c09f5ae548c715f5bcd539f07a34034d78"), }, TestVector { m: &hex!("00006b514f8d85145e30ced23b4b22c85d79ed2bfcfed5b6b2b03f7c730f1981d46d4dadd6699c28627d41c8684bac305b59eb1d9c966de184ae3d7470a801c99fd4"), d: &hex!("015807c101099c8d1d3f24b212af2c0ce525432d7779262eed0709275de9a1d8a8eeeadf2f909cf08b4720815bc1205a23ad1f825618cb78bde747acad8049ca9742"), q_x: &hex!("0160d7ea2e128ab3fabd1a3ad5455cb45e2f977c2354a1345d4ae0c7ce4e492fb9ff958eddc2aa61735e5c1971fa6c99beda0f424a20c3ce969380aaa52ef5f5daa8"), q_y: &hex!("014e4c83f90d196945fb4fe1e41913488aa53e24c1d2142d35a1eed69fed784c0ef44d71bc21afe0a0065b3b87069217a5abab4355cf8f4ceae5657cd4b9c8008f1f"), k: &hex!("0096731f8c52e72ffcc095dd2ee4eec3da13c628f570dba169b4a7460ab471149abdede0b63e4f96faf57eab809c7d2f203fd5ab406c7bd79869b7fae9c62f97c794"), r: 
&hex!("01e2bf98d1186d7bd3509f517c220de51c9200981e9b344b9fb0d36f34d969026c80311e7e73bb13789a99e0d59e82ebe0e9595d9747204c5f5550c30d934aa30c05"), s: &hex!("012fed45cc874dc3ed3a11dd70f7d5c61451fbea497dd63e226e10364e0718d3722c27c7b4e5027051d54b8f2a57fc58bc070a55b1a5877b0f388d768837ef2e9cec"), }, TestVector { m: &hex!("000053c86e0b08b28e22131324f6bfad52984879ab09363d6b6c051aac78bf3568be3faeade6a2dda57dece4527abaa148326d3adbd2d725374bdac9ccb8ac39e51e"), d: &hex!("018692def0b516edcdd362f42669999cf27a65482f9358fcab312c6869e22ac469b82ca9036fe123935b8b9ed064acb347227a6e377fb156ec833dab9f170c2ac697"), q_x: &hex!("01ceee0be3293d8c0fc3e38a78df55e85e6b4bbce0b9995251f0ac55234140f82ae0a434b2bb41dc0aa5ecf950d4628f82c7f4f67651b804d55d844a02c1da6606f7"), q_y: &hex!("01f775eb6b3c5e43fc754052d1f7fc5b99137afc15d231a0199a702fc065c917e628a54e038cbfebe05c90988b65183b368a2061e5b5c1b025bbf2b748fae00ba297"), k: &hex!("0161cf5d37953e09e12dc0091dc35d5fb3754c5c874e474d2b4a4f1a90b870dff6d99fb156498516e25b9a6a0763170702bb8507fdba4a6131c7258f6ffc3add81fd"), r: &hex!("014dfa43046302b81fd9a34a454dea25ccb594ace8df4f9d98556ca5076bcd44b2a9775dfaca50282b2c8988868e5a31d9eb08e794016996942088d43ad3379eb9a1"), s: &hex!("0120be63bd97691f6258b5e78817f2dd6bf5a7bf79d01b8b1c3382860c4b00f89894c72f93a69f3119cb74c90b03e9ede27bd298b357b9616a7282d176f3899aaa24"), }, TestVector { m: &hex!("0000a9e9a9cb1febc380a22c03bacd18f8c46761180badd2e58b94703bd82d5987c52baec418388bc3f1e6831a130c400b3c865c51b73514f5b0a9026d9e8da2e342"), d: &hex!("00a63f9cdefbccdd0d5c9630b309027fa139c31e39ca26686d76c22d4093a2a5e5ec4e2308ce43eb8e563187b5bd811cc6b626eace4063047ac0420c3fdcff5bdc04"), q_x: &hex!("014cab9759d4487987b8a00afd16d7199585b730fb0bfe63796272dde9135e7cb9e27cec51207c876d9214214b8c76f82e7363f5086902a577e1c50b4fbf35ce9966"), q_y: &hex!("01a83f0caa01ca2166e1206292342f47f358009e8b891d3cb817aec290e0cf2f47e7fc637e39dca03949391839684f76b94d34e5abc7bb750cb44486cce525eb0093"), k: 
&hex!("001e51fd877dbbcd2ab138fd215d508879298d10c7fcbdcc918802407088eb6ca0f18976a13f2c0a57867b0298512fc85515b209c4435e9ef30ab01ba649838bc7a0"), r: &hex!("011a1323f6132d85482d9b0f73be838d8f9e78647934f2570fededca7c234cc46aa1b97da5ac1b27b714f7a171dc4209cbb0d90e4f793c4c192dc039c31310d6d99b"), s: &hex!("00386a5a0fc55d36ca7231a9537fee6b9e51c2255363d9c9e7cb7185669b302660e23133eb21eb56d305d36e69a79f5b6fa25b46ec61b7f699e1e9e927fb0bceca06"), }, TestVector { m: &hex!("00007e324819033de8f2bffded5472853c3e68f4872ed25db79636249aecc24242cc3ca229ce7bd6d74eac8ba32f779e7002095f5d452d0bf24b30e1ce2eb56bb413"), d: &hex!("0024f7d67dfc0d43a26cc7c19cb511d30a097a1e27e5efe29e9e76e43849af170fd9ad57d5b22b1c8840b59ebf562371871e12d2c1baefc1abaedc872ed5d2666ad6"), q_x: &hex!("009da1536154b46e3169265ccba2b4da9b4b06a7462a067c6909f6c0dd8e19a7bc2ac1a47763ec4be06c1bec57d28c55ee936cb19588cc1398fe4ea3bd07e6676b7f"), q_y: &hex!("014150cdf25da0925926422e1fd4dcfcffb05bdf8682c54d67a9bd438d21de5af43a15d979b320a847683b6d12ac1383a7183095e9da491c3b4a7c28874625e70f87"), k: &hex!("01c1308f31716d85294b3b5f1dc87d616093b7654907f55289499b419f38ceeb906d2c9fe4cc3d80c5a38c53f9739311b0b198111fede72ebde3b0d2bc4c2ef090d2"), r: &hex!("000dbf787ce07c453c6c6a67b0bf6850c8d6ca693a3e9818d7453487844c9048a7a2e48ff982b64eb9712461b26b5127c4dc57f9a6ad1e15d8cd56d4fd6da7186429"), s: &hex!("00c6f1c7774caf198fc189beb7e21ca92ceccc3f9875f0e2d07dc1d15bcc8f210b6dd376bf65bb6a454bf563d7f563c1041d62d6078828a57538b25ba54723170665"), }, TestVector { m: &hex!("00004541f9a04b289cd3b13d31d2f513d9243b7e8c3a0cbd3e0c790892235a4d4569ef8aef62444ecc64608509e6ad082bf7cd060d172550faa158b2fd396aa1e37b"), d: &hex!("00349471460c205d836aa37dcd6c7322809e4e8ef81501e5da87284b267d843897746b33016f50a7b702964910361ed51d0afd9d8559a47f0b7c25b2bc952ce8ed9e"), q_x: &hex!("000bbd4e8a016b0c254e754f68f0f4ed081320d529ecdc7899cfb5a67dd04bc85b3aa6891a3ed2c9861ae76c3847d81780c23ad84153ea2042d7fd5d517a26ff3ce4"), q_y: 
&hex!("00645953afc3c1b3b74fdf503e7d3f982d7ee17611d60f8eb42a4bddbec2b67db1f09b54440c30b44e8071d404658285cb571462001218fc8c5e5b98b9fae28272e6"), k: &hex!("000eb2bd8bb56b9d2e97c51247baf734cc655c39e0bfda35375f0ac2fe82fad699bf1989577e24afb33c3868f91111e24fefe7dec802f3323ac013bec6c048fe5568"), r: &hex!("014bf63bdbc014aa352544bd1e83ede484807ed760619fa6bc38c4f8640840195e1f2f149b29903ca4b6934404fb1f7de5e39b1ea04dba42819c75dbef6a93ebe269"), s: &hex!("005d1bcf2295240ce4415042306abd494b4bda7cf36f2ee2931518d2454faa01c606be120b057062f2f3a174cb09c14f57ab6ef41cb3802140da22074d0e46f908d4"), }, TestVector { m: &hex!("00007ec0906f9fbe0e001460852c0b6111b1cd01c9306c0c57a5e746d43f48f50ebb111551d04a90255b22690d79ea60e58bed88220d485daaf9b6431740bb499e39"), d: &hex!("007788d34758b20efc330c67483be3999d1d1a16fd0da81ed28895ebb35ee21093d37ea1ac808946c275c44454a216195eb3eb3aea1b53a329eca4eb82dd48c784f5"), q_x: &hex!("00157d80bd426f6c3cee903c24b73faa02e758607c3e102d6e643b7269c299684fdaba1acddb83ee686a60acca53cddb2fe976149205c8b8ab6ad1458bc00993cc43"), q_y: &hex!("016e33cbed05721b284dacc8c8fbe2d118c347fc2e2670e691d5d53daf6ef2dfec464a5fbf46f8efce81ac226915e11d43c11c8229fca2327815e1f8da5fe95021fc"), k: &hex!("00a73477264a9cc69d359464abb1ac098a18c0fb3ea35e4f2e6e1b060dab05bef1255d9f9c9b9fbb89712e5afe13745ae6fd5917a9aedb0f2860d03a0d8f113ea10c"), r: &hex!("007e315d8d958b8ce27eaf4f3782294341d2a46fb1457a60eb9fe93a9ae86f3764716c4f5f124bd6b114781ed59c3f24e18aa35c903211b2f2039d85862932987d68"), s: &hex!("01bcc1d211ebc120a97d465b603a1bb1e470109e0a55d2f1b5c597803931bd6d7718f010d7d289b31533e9fcef3d141974e5955bc7f0ee342b9cad05e29a3dded30e"), }, TestVector { m: &hex!("00007230642b79eed2fd50f19f79f943d67d6ef609ec06c9adbb4b0a62126926080ecd474922d1af6c01f4c354affde016b284b13dbb3122555dea2a2e6ca2a357dc"), d: &hex!("01f98696772221e6cccd5569ed8aed3c435ee86a04689c7a64d20c30f6fe1c59cc10c6d2910261d30c3b96117a669e19cfe5b696b68feeacf61f6a3dea55e6e5837a"), q_x: 
&hex!("007002872c200e16d57e8e53f7bce6e9a7832c387f6f9c29c6b75526262c57bc2b56d63e9558c5761c1d62708357f586d3aab41c6a7ca3bf6c32d9c3ca40f9a2796a"), q_y: &hex!("01fe3e52472ef224fb38d5a0a14875b52c2f50b82b99eea98d826c77e6a9ccf798de5ffa92a0d65965f740c702a3027be66b9c844f1b2e96c134eb3fdf3edddcf11c"), k: &hex!("01a277cf0414c6adb621d1cc0311ec908401ce040c6687ed45a0cdf2910c42c9f1954a4572d8e659733d5e26cbd35e3260be40017b2f5d38ec42315f5c0b056c596d"), r: &hex!("00d732ba8b3e9c9e0a495249e152e5bee69d94e9ff012d001b140d4b5d082aa9df77e10b65f115a594a50114722db42fa5fbe457c5bd05e7ac7ee510aa68fe7b1e7f"), s: &hex!("0134ac5e1ee339727df80c35ff5b2891596dd14d6cfd137bafd50ab98e2c1ab4008a0bd03552618d217912a9ec502a902f2353e757c3b5776309f7f2cfebf913e9cd"), }, TestVector { m: &hex!("0000d209f43006e29ada2b9fe840afdf5fe6b0abeeef5662acf3fbca7e6d1bf4538f7e860332ef6122020e70104b541c30c3c0581e2b1daa0d767271769d0f073133"), d: &hex!("013c3852a6bc8825b45fd7da1754078913d77f4e586216a6eb08b6f03adce7464f5dbc2bea0eb7b12d103870ef045f53d67e3600d7eba07aac5db03f71b64db1cceb"), q_x: &hex!("00c97a4ebcbbe701c9f7be127e87079edf479b76d3c14bfbee693e1638e5bff8d4705ac0c14597529dbe13356ca85eb03a418edfe144ce6cbf3533016d4efc29dbd4"), q_y: &hex!("011c75b7a8894ef64109ac2dea972e7fd5f79b75dab1bf9441a5b8b86f1dc1324426fa6cf4e7b973b44e3d0576c52e5c9edf8ce2fc18cb3c28742d44419f044667f8"), k: &hex!("01e25b86db041f21c2503d547e2b1b655f0b99d5b6c0e1cf2bdbd8a8c6a053f5d79d78c55b4ef75bff764a74edc920b35536e3c470b6f6b8fd53898f3bbc467539ef"), r: &hex!("01dce45ea592b34d016497882c48dc0c7afb1c8e0f81a051800d7ab8da9d237efd892207bc9401f1d30650f66af8d5349fc5b19727756270722d5a8adb0a49b72d0a"), s: &hex!("00b79ffcdc33e028b1ab894cb751ec792a69e3011b201a76f3b878655bc31efd1c0bf3b98aea2b14f262c19d142e008b98e890ebbf464d3b025764dd2f73c4251b1a"), }, TestVector { m: &hex!("0000c992314e8d282d10554b2e6e8769e8b10f85686cccafb30e7db62beaad080e0da6b5cf7cd1fc5614df56705fb1a841987cb950101e2f66d55f3a285fc75829ff"), d: 
&hex!("01654eaa1f6eec7159ee2d36fb24d15d6d33a128f36c52e2437f7d1b5a44ea4fa965c0a26d0066f92c8b82bd136491e929686c8bde61b7c704daab54ed1e1bdf6b77"), q_x: &hex!("01f269692c47a55242bb08731ff920f4915bfcecf4d4431a8b487c90d08565272c52ca90c47397f7604bc643982e34d05178e979c2cff7ea1b9eaec18d69ca7382de"), q_y: &hex!("00750bdd866fba3e92c29599c002ac6f9e2bf39af8521b7b133f70510e9918a94d3c279edec97ab75ecda95e3dd7861af84c543371c055dc74eeeff7061726818327"), k: &hex!("01b7519becd00d750459d63a72f13318b6ac61b8c8e7077cf9415c9b4b924f35514c9c28a0fae43d06e31c670a873716156aa7bc744577d62476e038b116576a9e53"), r: &hex!("0183bddb46c249e868ef231a1ebd85d0773bf8105a092ab7d884d677a1e9b7d6014d6358c09538a99d9dca8f36f163ac1827df420c3f9360cc66900a9737a7f756f3"), s: &hex!("00d05ee3e64bac4e56d9d8bd511c8a43941e953cba4e5d83c0553acb87091ff54f3aad4d69d9f15e520a2551cc14f2c86bb45513fef0295e381a7635486bd3917b50"), }, TestVector { m: &hex!("00006e14c91db5309a075fe69f6fe8ecd663a5ba7fab14770f96b05c22e1f631cde9e086c44335a25f63d5a43ddf57da899fcedbc4a3a4350ad2edd6f70c01bb051e"), d: &hex!("01cba5d561bf18656991eba9a1dde8bde547885ea1f0abe7f2837e569ca52f53df5e64e4a547c4f26458b5d9626ed6d702e5ab1dd585cf36a0c84f768fac946cfd4c"), q_x: &hex!("012857c2244fa04db3b73db4847927db63cce2fa6cb22724466d3e20bc950a9250a15eafd99f236a801e5271e8f90d9e8a97f37c12f7da65bce8a2c93bcd25526205"), q_y: &hex!("00f394e37c17d5b8e35b488fa05a607dbc74264965043a1fb60e92edc212296ae72d7d6fe2e3457e67be853664e1da64f57e44bd259076b3bb2b06a2c604fea1be9d"), k: &hex!("00e790238796fee7b5885dc0784c7041a4cc7ca4ba757d9f7906ad1fcbab5667e3734bc2309a48047442535ff89144b518f730ff55c0c67eeb4c880c2dfd2fb60d69"), r: &hex!("01d7ce382295a2a109064ea03f0ad8761dd60eefb9c207a20e3c5551e82ac6d2ee5922b3e9655a65ba6c359dcbf8fa843fbe87239a5c3e3eaecec0407d2fcdb687c2"), s: &hex!("0161963a6237b8955a8a756d8df5dbd303140bb90143b1da5f07b32f9cb64733dc6316080924733f1e2c81ade9d0be71b5b95b55666026a035a93ab3004d0bc0b19f"), }, TestVector { m: 
&hex!("000026b4f562053f7aed8b7268e95eff336ac80a448fae52329d2771b138c9c7f70de936ef54158446afa72b0a27c2a73ca45dfa38a2ba2bf323d31aba499651128f"), d: &hex!("00972e7ff25adf8a032535e5b19463cfe306b90803bf27fabc6046ae0807d2312fbab85d1da61b80b2d5d48f4e5886f27fca050b84563aee1926ae6b2564cd756d63"), q_x: &hex!("01d7f1e9e610619daa9d2efa563610a371677fe8b58048fdc55a98a49970f6afa6649c516f9c72085ca3722aa595f45f2803402b01c832d28aac63d9941f1a25dfea"), q_y: &hex!("01571facce3fcfe733a8eef4e8305dfe99103a370f82b3f8d75085414f2592ad44969a2ef8196c8b9809f0eca2f7ddc71c47879e3f37a40b9fecf97992b97af29721"), k: &hex!("00517f6e4002479dc89e8cbb55b7c426d128776ca82cf81be8c1da9557178783f40e3d047db7e77867f1af030a51de470ee3128c22e9c2d642d71e4904ab5a76edfa"), r: &hex!("01c3262a3a3fb74fa5124b71a6c7f7b7e6d56738eabaf7666b372b299b0c99ee8a16be3df88dd955de093fc8c049f76ee83a4138cee41e5fe94755d27a52ee44032f"), s: &hex!("0072fd88bb1684c4ca9531748dfce4c161037fcd6ae5c2803b7117fb60d3db5df7df380591aaf3073a3031306b76f062dcc547ded23f6690293c34a710e7e9a226c3"), }, TestVector { m: &hex!("0000ea13b25b80ec89ffa649a00ce85a494892f9fb7389df56eed084d670efb020c05508ac3f04872843c92a67ee5ea02e0445dad8495cd823ca16f5510d5863002b"), d: &hex!("01f0ec8da29295394f2f072672db014861be33bfd9f91349dad5566ff396bea055e53b1d61c8c4e5c9f6e129ed75a49f91cce1d5530ad4e78c2b793a63195eb9f0da"), q_x: &hex!("009ec1a3761fe3958073b9647f34202c5e8ca2428d056facc4f3fedc7077fa87f1d1eb30cc74f6e3ff3d3f82df2641cea1eb3ff1529e8a3866ae2055aacec0bf68c4"), q_y: &hex!("00bed0261b91f664c3ff53e337d8321cb988c3edc03b46754680097e5a8585245d80d0b7045c75a9c5be7f599d3b5eea08d828acb6294ae515a3df57a37f903ef62e"), k: &hex!("00ac3b6d61ebda99e23301fa198d686a13c0832af594b289c9a55669ce6d62011384769013748b68465527a597ed6858a06a99d50493562b3a7dbcee975ad34657d8"), r: &hex!("00cef3f4babe6f9875e5db28c27d6a197d607c3641a90f10c2cc2cb302ba658aa151dc76c507488b99f4b3c8bb404fb5c852f959273f412cbdd5e713c5e3f0e67f94"), s: 
&hex!("00097ed9e005416fc944e26bcc3661a09b35c128fcccdc2742739c8a301a338dd77d9d13571612a3b9524a6164b09fe73643bbc31447ee31ef44a490843e4e7db23f"), }, ]; p521-0.13.3/src/test_vectors/group.rs000064400000000000000000000521361046102023000154230ustar 00000000000000//! Test vectors for the secp521r1 group. use hex_literal::hex; /// Repeated addition of the generator. /// /// These are the first 20 test vectors for P-521 from: pub const ADD_TEST_VECTORS: &[([u8; 66], [u8; 66])] = &[ ( hex!("00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66"), hex!("011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650"), ), ( hex!("00433C219024277E7E682FCB288148C282747403279B1CCC06352C6E5505D769BE97B3B204DA6EF55507AA104A3A35C5AF41CF2FA364D60FD967F43E3933BA6D783D"), hex!("00F4BB8CC7F86DB26700A7F3ECEEEED3F0B5C6B5107C4DA97740AB21A29906C42DBBB3E377DE9F251F6B93937FA99A3248F4EAFCBE95EDC0F4F71BE356D661F41B02"), ), ( hex!("01A73D352443DE29195DD91D6A64B5959479B52A6E5B123D9AB9E5AD7A112D7A8DD1AD3F164A3A4832051DA6BD16B59FE21BAEB490862C32EA05A5919D2EDE37AD7D"), hex!("013E9B03B97DFA62DDD9979F86C6CAB814F2F1557FA82A9D0317D2F8AB1FA355CEEC2E2DD4CF8DC575B02D5ACED1DEC3C70CF105C9BC93A590425F588CA1EE86C0E5"), ), ( hex!("0035B5DF64AE2AC204C354B483487C9070CDC61C891C5FF39AFC06C5D55541D3CEAC8659E24AFE3D0750E8B88E9F078AF066A1D5025B08E5A5E2FBC87412871902F3"), hex!("0082096F84261279D2B673E0178EB0B4ABB65521AEF6E6E32E1B5AE63FE2F19907F279F283E54BA385405224F750A95B85EEBB7FAEF04699D1D9E21F47FC346E4D0D"), ), ( hex!("00652BF3C52927A432C73DBC3391C04EB0BF7A596EFDB53F0D24CF03DAB8F177ACE4383C0C6D5E3014237112FEAF137E79A329D7E1E6D8931738D5AB5096EC8F3078"), hex!("015BE6EF1BDD6601D6EC8A2B73114A8112911CD8FE8E872E0051EDD817C9A0347087BB6897C9072CF374311540211CF5FF79D1F007257354F7F8173CC3E8DEB090CB"), ), ( 
hex!("01EE4569D6CDB59219532EFF34F94480D195623D30977FD71CF3981506ADE4AB01525FBCCA16153F7394E0727A239531BE8C2F66E95657F380AE23731BEDF79206B9"), hex!("01DE0255AD0CC64F586AE2DD270546E3B1112AABBB73DA5A808E7240A926201A8A96CAB72D0E56648C9DF96C984DE274F2203DC7B8B55CA0DADE1EACCD7858D44F17"), ), ( hex!("0056D5D1D99D5B7F6346EEB65FDA0B073A0C5F22E0E8F5483228F018D2C2F7114C5D8C308D0ABFC698D8C9A6DF30DCE3BBC46F953F50FDC2619A01CEAD882816ECD4"), hex!("003D2D1B7D9BAAA2A110D1D8317A39D68478B5C582D02824F0DD71DBD98A26CBDE556BD0F293CDEC9E2B9523A34591CE1A5F9E76712A5DDEFC7B5C6B8BC90525251B"), ), ( hex!("000822C40FB6301F7262A8348396B010E25BD4E29D8A9B003E0A8B8A3B05F826298F5BFEA5B8579F49F08B598C1BC8D79E1AB56289B5A6F4040586F9EA54AA78CE68"), hex!("016331911D5542FC482048FDAB6E78853B9A44F8EDE9E2C0715B5083DE610677A8F189E9C0AA5911B4BFF0BA0DF065C578699F3BA940094713538AD642F11F17801C"), ), ( hex!("01585389E359E1E21826A2F5BF157156D488ED34541B988746992C4AB145B8C6B6657429E1396134DA35F3C556DF725A318F4F50BABD85CD28661F45627967CBE207"), hex!("002A2E618C9A8AEDF39F0B55557A27AE938E3088A654EE1CEBB6C825BA263DDB446E0D69E5756057AC840FF56ECF4ABFD87D736C2AE928880F343AA0EA86B9AD2A4E"), ), ( hex!("0190EB8F22BDA61F281DFCFE7BB6721EC4CD901D879AC09AC7C34A9246B11ADA8910A2C7C178FCC263299DAA4DA9842093F37C2E411F1A8E819A87FF09A04F2F3320"), hex!("01EB5D96B8491614BA9DBAEAB3B0CA2BA760C2EEB2144251B20BA97FD78A62EF62D2BF5349D44D9864BB536F6163DC57EBEFF3689639739FAA172954BC98135EC759"), ), ( hex!("008A75841259FDEDFF546F1A39573B4315CFED5DC7ED7C17849543EF2C54F2991652F3DBC5332663DA1BD19B1AEBE3191085015C024FA4C9A902ECC0E02DDA0CDB9A"), hex!("0096FB303FCBBA2129849D0CA877054FB2293ADD566210BD0493ED2E95D4E0B9B82B1BC8A90E8B42A4AB3892331914A95336DCAC80E3F4819B5D58874F92CE48C808"), ), ( hex!("01C0D9DCEC93F8221C5DE4FAE9749C7FDE1E81874157958457B6107CF7A5967713A644E90B7C3FB81B31477FEE9A60E938013774C75C530928B17BE69571BF842D8C"), 
hex!("014048B5946A4927C0FE3CE1D103A682CA4763FE65AB71494DA45E404ABF6A17C097D6D18843D86FCDB6CC10A6F951B9B630884BA72224F5AE6C79E7B1A3281B17F0"), ), ( hex!("007E3E98F984C396AD9CD7865D2B4924861A93F736CDE1B4C2384EEDD2BEAF5B866132C45908E03C996A3550A5E79AB88EE94BEC3B00AB38EFF81887848D32FBCDA7"), hex!("0108EE58EB6D781FEDA91A1926DAA3ED5A08CED50A386D5421C69C7A67AE5C1E212AC1BD5D5838BC763F26DFDD351CBFBBC36199EAAF9117E9F7291A01FB022A71C9"), ), ( hex!("01875BC7DC551B1B65A9E1B8CCFAAF84DED1958B401494116A2FD4FB0BABE0B3199974FC06C8B897222D79DF3E4B7BC744AA6767F6B812EFBF5D2C9E682DD3432D74"), hex!("005CA4923575DACB5BD2D66290BBABB4BDFB8470122B8E51826A0847CE9B86D7ED62D07781B1B4F3584C11E89BF1D133DC0D5B690F53A87C84BE41669F852700D54A"), ), ( hex!("006B6AD89ABCB92465F041558FC546D4300FB8FBCC30B40A0852D697B532DF128E11B91CCE27DBD00FFE7875BD1C8FC0331D9B8D96981E3F92BDE9AFE337BCB8DB55"), hex!("01B468DA271571391D6A7CE64D2333EDBF63DF0496A9BAD20CBA4B62106997485ED57E9062C899470A802148E2232C96C99246FD90CC446ABDD956343480A1475465"), ), ( hex!("01D17D10D8A89C8AD05DDA97DA26AC743B0B2A87F66192FD3F3DD632F8D20B188A52943FF18861CA00A0E5965DA7985630DF0DBF5C8007DCDC533A6C508F81A8402F"), hex!("007A37343C582D77001FC714B18D3D3E69721335E4C3B800D50EC7CA30C94B6B82C1C182E1398DB547AA0B3075AC9D9988529E3004D28D18633352E272F89BC73ABE"), ), ( hex!("01B00DDB707F130EDA13A0B874645923906A99EE9E269FA2B3B4D66524F269250858760A69E674FE0287DF4E799B5681380FF8C3042AF0D1A41076F817A853110AE0"), hex!("0085683F1D7DB16576DBC111D4E4AEDDD106B799534CF69910A98D68AC2B22A1323DF9DA564EF6DD0BF0D2F6757F16ADF420E6905594C2B755F535B9CB7C70E64647"), ), ( hex!("01BC33425E72A12779EACB2EDCC5B63D1281F7E86DBC7BF99A7ABD0CFE367DE4666D6EDBB8525BFFE5222F0702C3096DEC0884CE572F5A15C423FDF44D01DD99C61D"), hex!("010D06E999885B63535DE3E74D33D9E63D024FB07CE0D196F2552C8E4A00AC84C044234AEB201F7A9133915D1B4B45209B9DA79FE15B19F84FD135D841E2D8F9A86A"), ), ( 
hex!("00998DCCE486419C3487C0F948C2D5A1A07245B77E0755DF547EFFF0ACDB3790E7F1FA3B3096362669679232557D7A45970DFECF431E725BBDE478FF0B2418D6A19B"), hex!("0137D5DA0626A021ED5CC3942497535B245D67D28AEE2B7BCF4ACC50EEE36545772773AD963FF2EB8CF9B0EC39991631C377F5A4D89EA9FBFE44A9091A695BFD0575"), ), ( hex!("018BDD7F1B889598A4653DEEAE39CC6F8CC2BD767C2AB0D93FB12E968FBED342B51709506339CB1049CB11DD48B9BDB3CD5CAD792E43B74E16D8E2603BFB11B0344F"), hex!("00C5AADBE63F68CA5B6B6908296959BF0AF89EE7F52B410B9444546C550952D311204DA3BDDDC6D4EAE7EDFAEC1030DA8EF837CCB22EEE9CFC94DD3287FED0990F94"), ) ]; /// Scalar multiplication with the generator. /// /// These are the test vectors for P-521 from /// that are not part of [`ADD_TEST_VECTORS`]. pub const MUL_TEST_VECTORS: &[([u8; 66], [u8; 66], [u8; 66])] = &[ ( hex!("00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018ebbb95eed0e13"), hex!("01650048FBD63E8C30B305BF36BD7643B91448EF2206E8A0CA84A140789A99B0423A0A2533EA079CA7E049843E69E5FA2C25A163819110CEC1A30ACBBB3A422A40D8"), hex!("010C9C64A0E0DB6052DBC5646687D06DECE5E9E0703153EFE9CB816FE025E85354D3C5F869D6DB3F4C0C01B5F97919A5E72CEEBE03042E5AA99112691CFFC2724828"), ), ( hex!("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000159d893d4cdd747246cdca43590e13"), hex!("017E1370D39C9C63925DAEEAC571E21CAAF60BD169191BAEE8352E0F54674443B29786243564ABB705F6FC0FE5FC5D3F98086B67CA0BE7AC8A9DEC421D9F1BC6B37F"), hex!("01CD559605EAD19FBD99E83600A6A81A0489E6F20306EE0789AE00CE16A6EFEA2F42F7534186CF1C60DF230BD9BCF8CB95E5028AD9820B2B1C0E15597EE54C4614A6"), ), ( hex!("0083ff83fffffc03fff80007fffc000f8003ffe00007ffe0fffc000f8000000007ffffff00ffff000ffffff001fffc000000001c0000400000003803ffffffcfffff"), hex!("00B45CB84651C9D4F08858B867F82D816E84E94FE4CAE3DA5F65E420B08398D0C5BF019253A6C26D20671BDEF0B8E6C1D348A4B0734687F73AC6A4CBB2E085C68B3F"), 
hex!("01C84942BBF538903062170A4BA8B3410D385719BA2037D29CA5248BFCBC8478220FEC79244DCD45D31885A1764DEE479CE20B12CEAB62F9001C7AA4282CE4BE7F56"), ), ( hex!("000001ffffe03ffff1ffff801fffffffff8000001fffff800ffffff8001fffc7ffff820000040007ffffe000001f800007fffffffc00001c007c0007000070000007"), hex!("01CCEF4CDA108CEBE6568820B54A3CA3A3997E4EF0EDA6C350E7ED3DBB1861EDD80181C650CEBE5440FEBA880F9C8A7A86F8B82659794F6F5B88E501E5DD84E65D7E"), hex!("01026565F8B195D03C3F6139C3A63EAA1C29F7090AB2A8F75027939EC05109035F1B38E6C508E0C14CE53AB7E2DA33AA28140EDBF3964862FB157119517454E60F07"), ), ( hex!("00007fffffe0003f00000007f00007ffff80000000001ffc000000fff030001f0000fffff0000038000000000002003f007ffffff0000000000000ffe00000000000"), hex!("00C1002DC2884EEDADB3F9B468BBEBD55980799852C506D37271FFCD006919DB3A96DF8FE91EF6ED4B9081B1809E8F2C2B28AF5FCBF524147C73CB0B913D6FAB0995"), hex!("01614E8A62C8293DD2AA6EF27D30974A4FD185019FA8EF4F982DA48698CECF706581F69EE9ED67A9C231EC9D0934D0F674646153273BCBB345E923B1EC1386A1A4AD"), ), ( hex!("00001fffc1000003fe0003ffffffe0001ffffffffffffff00001fffff83ffffffffffffe003ffffffffffff7ffffc03ff807fffe0001fffff800fff800001ffff000"), hex!("010ED3E085ECDE1E66874286B5D5642B9D37853A026A0A025C7B84936E2ECEEC5F342E14C80C79CCF814D5AD085C5303F2823251F2B9276F88C9D7A43E387EBD87AC"), hex!("01BE399A7666B29E79BBF3D277531A97CE05CAC0B49BECE4781E7AEE0D6E80FEE883C76E9F08453DC1ADE4E49300F3D56FEE6A1510DA1B1F12EEAA39A05AA0508119"), ), ( hex!("000000000fff80fffffffe03fffc07fffc800070000fc0007ffc00000000000fffe1fbff81ff9fffff81fff81fc000000000ff801fffc0f81f01fff8001fc005ffff"), hex!("013070A29B059D317AF37089E40FCB135868F52290EFF3E9F3E32CDADCA18EA234D8589C665A4B8E3D0714DE004A419DEA7091A3BBA97263C438FE9413AA598FD4A5"), hex!("00238A27FD9E5E7324C8B538EF2E334B71AC2611A95F42F4F2544D8C4A65D2A32A8BAFA15EFD4FC2BD8AB2B0C51F65B680879589F4D5FE8A84CEB17A2E8D3587F011"), ), ( 
hex!("000fffffc01ffffff01fffffe000000fc0ffffff00063ffdffbffff87ffffffffe03fffffffff0000000000ff8001f8000000008007ff800003ffff00000fffc01ff"), hex!("01A3D88799878EC74E66FF1AD8C7DFA9A9B4445A17F0810FF8189DD27AE3B6C580D352476DBDAEB08D7DA0DE3866F7C7FDBEBB8418E19710F1F7AFA88C22280B1404"), hex!("00B39703D2053EC7B8812BDFEBFD81B4CB76F245FE535A1F1E46801C35DE03C15063A99A203981529C146132863CA0E68544D0F0A638D8A2859D82B4DD266F27C3AE"), ), ( hex!("000000003ffe001ffffffc7ffe00000000fffbff00000007ffe00ffffff803ffffff3ffffc003f8000000007fe03ff8000fff8007ffffffffc0003ffe0001fc0000f"), hex!("01D16B4365DEFE6FD356DC1F31727AF2A32C7E86C5AE87ED2950A08BC8653F203C7F7860E80F95AA27C93EA76E8CD094127B15ED42CC5F96DC0A0F9A1C1E31D0D526"), hex!("006E3710A0F9366E0BB8A14FFE8EBC2722EECF4A123EC9BA98DCCCA335D6FAFD289DC69FD90903C9AC982FEB46DF93F03A7C8C9549D32C1C386D17F37340E63822A8"), ), ( hex!("00007f0000003ffc00000001fff007fff008000000ff0000000fffc03fffffff800000030fff80fe00000000c00001ffff8001ffffffffe0000000000003fffffff3"), hex!("01B1220F67C985E9FC9C588C0C86BB16E6FE4CC11E168A98D701AE4670724B3D030ED9965FADF4207C7A1BE9BE0F40DEF2BBFFF0C7EABCB5B42526CE1D3CAA468F52"), hex!("006CDAD2860F6D2C37159A5A866D11605F2E7D87430DCFE6E6816AB6423CD9003CA6F2527B9C2A2483C541D456C963D18A0D2A46E158CB2A44C0BF42D562881FB748"), ), ( hex!("00f07f80ffffff00003ff8003ff87fffff007fe07e0000003ffffff80007fe0000000000000003fc00000000007ffc07ff807f7f1fffef07fffff8000000000003ff"), hex!("00F25E545213C8C074BE38A0612EA9B66336B14A874372548D9716392DFA31CD0D13E94F86CD48B8D43B80B5299144E01245C873B39F6AC6C4FB397746AF034AD67C"), hex!("01733ABB21147CC27E35F41FAF40290AFD1EEB221D983FFABBD88E5DC8776450A409EACDC1BCA2B9F517289C68645BB96781808FEAE42573C2BB289F16E2AECECE17"), ), ( hex!("000000000003fff7ffffffffffffffe007ffffffe3fffffffffc01ffe0001fe01fffffff0000000000ffffffc0000000007ffffff03ff8000000000000c000000000"), 
hex!("0172CD22CBE0634B6BFEE24BB1D350F384A945ED618ECAD48AADC6C1BC0DCC107F0FFE9FE14DC929F90153F390C25BE5D3A73A56F9ACCB0C72C768753869732D0DC4"), hex!("00D249CFB570DA4CC48FB5426A928B43D7922F787373B6182408FBC71706E7527E8414C79167F3C999FF58DE352D238F1FE7168C658D338F72696F2F889A97DE23C5"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863f5"), hex!("018BDD7F1B889598A4653DEEAE39CC6F8CC2BD767C2AB0D93FB12E968FBED342B51709506339CB1049CB11DD48B9BDB3CD5CAD792E43B74E16D8E2603BFB11B0344F"), hex!("013A552419C09735A49496F7D696A640F50761180AD4BEF46BBBAB93AAF6AD2CEEDFB25C4222392B1518120513EFCF257107C8334DD11163036B22CD78012F66F06B"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863f6"), hex!("00998DCCE486419C3487C0F948C2D5A1A07245B77E0755DF547EFFF0ACDB3790E7F1FA3B3096362669679232557D7A45970DFECF431E725BBDE478FF0B2418D6A19B"), hex!("00C82A25F9D95FDE12A33C6BDB68ACA4DBA2982D7511D48430B533AF111C9ABA88D88C5269C00D1473064F13C666E9CE3C880A5B2761560401BB56F6E596A402FA8A"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863f7"), hex!("01BC33425E72A12779EACB2EDCC5B63D1281F7E86DBC7BF99A7ABD0CFE367DE4666D6EDBB8525BFFE5222F0702C3096DEC0884CE572F5A15C423FDF44D01DD99C61D"), hex!("00F2F9166677A49CACA21C18B2CC2619C2FDB04F831F2E690DAAD371B5FF537B3FBBDCB514DFE0856ECC6EA2E4B4BADF646258601EA4E607B02ECA27BE1D27065795"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863f8"), hex!("01B00DDB707F130EDA13A0B874645923906A99EE9E269FA2B3B4D66524F269250858760A69E674FE0287DF4E799B5681380FF8C3042AF0D1A41076F817A853110AE0"), 
hex!("017A97C0E2824E9A89243EEE2B1B51222EF94866ACB30966EF56729753D4DD5ECDC20625A9B10922F40F2D098A80E9520BDF196FAA6B3D48AA0ACA4634838F19B9B8"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863f9"), hex!("01D17D10D8A89C8AD05DDA97DA26AC743B0B2A87F66192FD3F3DD632F8D20B188A52943FF18861CA00A0E5965DA7985630DF0DBF5C8007DCDC533A6C508F81A8402F"), hex!("0185C8CBC3A7D288FFE038EB4E72C2C1968DECCA1B3C47FF2AF13835CF36B4947D3E3E7D1EC6724AB855F4CF8A53626677AD61CFFB2D72E79CCCAD1D8D076438C541"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863fa"), hex!("006B6AD89ABCB92465F041558FC546D4300FB8FBCC30B40A0852D697B532DF128E11B91CCE27DBD00FFE7875BD1C8FC0331D9B8D96981E3F92BDE9AFE337BCB8DB55"), hex!("004B9725D8EA8EC6E2958319B2DCCC12409C20FB6956452DF345B49DEF9668B7A12A816F9D3766B8F57FDEB71DDCD369366DB9026F33BB954226A9CBCB7F5EB8AB9A"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863fb"), hex!("01875BC7DC551B1B65A9E1B8CCFAAF84DED1958B401494116A2FD4FB0BABE0B3199974FC06C8B897222D79DF3E4B7BC744AA6767F6B812EFBF5D2C9E682DD3432D74"), hex!("01A35B6DCA8A2534A42D299D6F44544B42047B8FEDD471AE7D95F7B831647928129D2F887E4E4B0CA7B3EE17640E2ECC23F2A496F0AC57837B41BE99607AD8FF2AB5"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863fc"), hex!("007E3E98F984C396AD9CD7865D2B4924861A93F736CDE1B4C2384EEDD2BEAF5B866132C45908E03C996A3550A5E79AB88EE94BEC3B00AB38EFF81887848D32FBCDA7"), hex!("00F711A7149287E01256E5E6D9255C12A5F7312AF5C792ABDE3963859851A3E1DED53E42A2A7C74389C0D92022CAE340443C9E6615506EE81608D6E5FE04FDD58E36"), ), ( 
hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863fd"), hex!("01C0D9DCEC93F8221C5DE4FAE9749C7FDE1E81874157958457B6107CF7A5967713A644E90B7C3FB81B31477FEE9A60E938013774C75C530928B17BE69571BF842D8C"), hex!("00BFB74A6B95B6D83F01C31E2EFC597D35B89C019A548EB6B25BA1BFB54095E83F68292E77BC2790324933EF5906AE4649CF77B458DDDB0A519386184E5CD7E4E80F"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863fe"), hex!("008A75841259FDEDFF546F1A39573B4315CFED5DC7ED7C17849543EF2C54F2991652F3DBC5332663DA1BD19B1AEBE3191085015C024FA4C9A902ECC0E02DDA0CDB9A"), hex!("016904CFC03445DED67B62F35788FAB04DD6C522A99DEF42FB6C12D16A2B1F4647D4E43756F174BD5B54C76DCCE6EB56ACC923537F1C0B7E64A2A778B06D31B737F7"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863ff"), hex!("0190EB8F22BDA61F281DFCFE7BB6721EC4CD901D879AC09AC7C34A9246B11ADA8910A2C7C178FCC263299DAA4DA9842093F37C2E411F1A8E819A87FF09A04F2F3320"), hex!("0014A26947B6E9EB456245154C4F35D4589F3D114DEBBDAE4DF4568028759D109D2D40ACB62BB2679B44AC909E9C23A814100C9769C68C6055E8D6AB4367ECA138A6"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386400"), hex!("01585389E359E1E21826A2F5BF157156D488ED34541B988746992C4AB145B8C6B6657429E1396134DA35F3C556DF725A318F4F50BABD85CD28661F45627967CBE207"), hex!("01D5D19E736575120C60F4AAAA85D8516C71CF7759AB11E3144937DA45D9C224BB91F2961A8A9FA8537BF00A9130B54027828C93D516D777F0CBC55F15794652D5B1"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386401"), 
hex!("000822C40FB6301F7262A8348396B010E25BD4E29D8A9B003E0A8B8A3B05F826298F5BFEA5B8579F49F08B598C1BC8D79E1AB56289B5A6F4040586F9EA54AA78CE68"), hex!("009CCE6EE2AABD03B7DFB7025491877AC465BB0712161D3F8EA4AF7C219EF988570E76163F55A6EE4B400F45F20F9A3A879660C456BFF6B8ECAC7529BD0EE0E87FE3"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386402"), hex!("0056D5D1D99D5B7F6346EEB65FDA0B073A0C5F22E0E8F5483228F018D2C2F7114C5D8C308D0ABFC698D8C9A6DF30DCE3BBC46F953F50FDC2619A01CEAD882816ECD4"), hex!("01C2D2E48264555D5EEF2E27CE85C6297B874A3A7D2FD7DB0F228E242675D93421AA942F0D6C321361D46ADC5CBA6E31E5A061898ED5A2210384A3947436FADADAE4"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386403"), hex!("01EE4569D6CDB59219532EFF34F94480D195623D30977FD71CF3981506ADE4AB01525FBCCA16153F7394E0727A239531BE8C2F66E95657F380AE23731BEDF79206B9"), hex!("0021FDAA52F339B0A7951D22D8FAB91C4EEED554448C25A57F718DBF56D9DFE575693548D2F1A99B7362069367B21D8B0DDFC238474AA35F2521E1533287A72BB0E8"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386404"), hex!("00652BF3C52927A432C73DBC3391C04EB0BF7A596EFDB53F0D24CF03DAB8F177ACE4383C0C6D5E3014237112FEAF137E79A329D7E1E6D8931738D5AB5096EC8F3078"), hex!("00A41910E42299FE291375D48CEEB57EED6EE327017178D1FFAE1227E8365FCB8F7844976836F8D30C8BCEEABFDEE30A00862E0FF8DA8CAB0807E8C33C17214F6F34"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386405"), hex!("0035B5DF64AE2AC204C354B483487C9070CDC61C891C5FF39AFC06C5D55541D3CEAC8659E24AFE3D0750E8B88E9F078AF066A1D5025B08E5A5E2FBC87412871902F3"), 
hex!("017DF6907BD9ED862D498C1FE8714F4B5449AADE5109191CD1E4A519C01D0E66F80D860D7C1AB45C7ABFADDB08AF56A47A114480510FB9662E261DE0B803CB91B2F2"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386406"), hex!("01A73D352443DE29195DD91D6A64B5959479B52A6E5B123D9AB9E5AD7A112D7A8DD1AD3F164A3A4832051DA6BD16B59FE21BAEB490862C32EA05A5919D2EDE37AD7D"), hex!("00C164FC4682059D2226686079393547EB0D0EAA8057D562FCE82D0754E05CAA3113D1D22B30723A8A4FD2A5312E213C38F30EFA36436C5A6FBDA0A7735E11793F1A"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386407"), hex!("00433C219024277E7E682FCB288148C282747403279B1CCC06352C6E5505D769BE97B3B204DA6EF55507AA104A3A35C5AF41CF2FA364D60FD967F43E3933BA6D783D"), hex!("010B44733807924D98FF580C1311112C0F4A394AEF83B25688BF54DE5D66F93BD2444C1C882160DAE0946C6C805665CDB70B1503416A123F0B08E41CA9299E0BE4FD"), ), ( hex!("01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386408"), hex!("00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66"), hex!("00E7C6D6958765C43FFBA375A04BD382E426670ABBB6A864BB97E85042E8D8C199D368118D66A10BD9BF3AAF46FEC052F89ECAC38F795D8D3DBF77416B89602E99AF"), ) ]; p521-0.13.3/src/test_vectors.rs000064400000000000000000000001101046102023000142500ustar 00000000000000//! secp521r1 test vectors. #[cfg(test)] pub mod ecdsa; pub mod group; p521-0.13.3/tests/projective.rs000064400000000000000000000007601046102023000142640ustar 00000000000000//! Projective arithmetic tests. 
// Feature gate for the whole test crate: unless both `arithmetic` and
// `test-vectors` are enabled, this file compiles to an empty test binary.
// `test-vectors` is not part of the crate's default feature set, so a plain
// `cargo test` does not run these checks. Request the feature explicitly
// (`--features test-vectors` or `--all-features`) in any CI job that is
// expected to catch regressions in the group arithmetic.
#![cfg(all(feature = "arithmetic", feature = "test-vectors"))]

// NOTE(review): apart from the macro arguments, none of these imports is
// named directly in this file. Presumably the macro expansion refers to
// `PrimeField`, `sec1`, `ToEncodedPoint` and `Double` by bare name, so they
// have to stay in scope -- confirm against `primeorder` before pruning.
use elliptic_curve::{
    group::ff::PrimeField,
    sec1::{self, ToEncodedPoint},
};
use p521::{
    test_vectors::group::{ADD_TEST_VECTORS, MUL_TEST_VECTORS},
    AffinePoint, ProjectivePoint, Scalar,
};
use primeorder::{impl_projective_arithmetic_tests, Double};

// Invokes the `primeorder` test-suite macro for the P-521 point and scalar
// types (the macro body is not shown here; presumably it generates the
// `#[test]` functions).
//
// `ADD_TEST_VECTORS` holds (x, y) pairs for repeated addition of the
// generator; `MUL_TEST_VECTORS` holds (scalar, x, y) triples for
// multiplication of the generator. Every field is a 66-byte array.
//
// NOTE(review): the multiplication table ends with a run of consecutive
// large scalars whose x-coordinates repeat those of the addition table with
// a different y. That looks like coverage of negated small multiples close
// to the group order -- keep those entries if the tables are ever trimmed.
impl_projective_arithmetic_tests!(
    AffinePoint,
    ProjectivePoint,
    Scalar,
    ADD_TEST_VECTORS,
    MUL_TEST_VECTORS
);