]> git.proxmox.com Git - rustc.git/blame - vendor/fiat-crypto/src/p224_64.rs
projects / rustc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
New upstream version 1.71.1+dfsg1
[rustc.git] / vendor / fiat-crypto / src / p224_64.rs
CommitLineData
0a29b90c
FG		 1//! Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --lang Rust --inline p224 64 '2^224 - 2^96 + 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp
2//! curve description: p224
3//! machine_wordsize = 64 (from "64")
4//! requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp
5//! m = 0xffffffffffffffffffffffffffffffff000000000000000000000001 (from "2^224 - 2^96 + 1")
6//!
7//! NOTE: In addition to the bounds specified above each function, all
8//! functions synthesized for this Montgomery arithmetic require the
9//! input to be strictly less than the prime modulus (m), and also
10//! require the input to be in the unique saturated representation.
11//! All functions also ensure that these two properties are true of
12//! return values.
13//!
14//! Computed values:
15//! eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192)
16//! bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216)
17//! twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in
18//! if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256
19
20#![allow(unused_parens)]
21#![allow(non_camel_case_types)]
22
23pub type fiat_p224_u1 = u8;
24pub type fiat_p224_i1 = i8;
25pub type fiat_p224_u2 = u8;
26pub type fiat_p224_i2 = i8;
27
28/* The type fiat_p224_montgomery_domain_field_element is a field element in the Montgomery domain. */
29/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */
30pub type fiat_p224_montgomery_domain_field_element = [u64; 4];
31
32/* The type fiat_p224_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */
33/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */
34pub type fiat_p224_non_montgomery_domain_field_element = [u64; 4];
35
36
37/// The function fiat_p224_addcarryx_u64 is an addition with carry.
38///
39/// Postconditions:
40/// out1 = (arg1 + arg2 + arg3) mod 2^64
41/// out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋
42///
43/// Input Bounds:
44/// arg1: [0x0 ~> 0x1]
45/// arg2: [0x0 ~> 0xffffffffffffffff]
46/// arg3: [0x0 ~> 0xffffffffffffffff]
47/// Output Bounds:
48/// out1: [0x0 ~> 0xffffffffffffffff]
49/// out2: [0x0 ~> 0x1]
50#[inline]
51pub fn fiat_p224_addcarryx_u64(out1: &mut u64, out2: &mut fiat_p224_u1, arg1: fiat_p224_u1, arg2: u64, arg3: u64) -> () {
52 let x1: u128 = (((arg1 as u128) + (arg2 as u128)) + (arg3 as u128));
53 let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64);
54 let x3: fiat_p224_u1 = ((x1 >> 64) as fiat_p224_u1);
55 *out1 = x2;
56 *out2 = x3;
57}
58
59/// The function fiat_p224_subborrowx_u64 is a subtraction with borrow.
60///
61/// Postconditions:
62/// out1 = (-arg1 + arg2 + -arg3) mod 2^64
63/// out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋
64///
65/// Input Bounds:
66/// arg1: [0x0 ~> 0x1]
67/// arg2: [0x0 ~> 0xffffffffffffffff]
68/// arg3: [0x0 ~> 0xffffffffffffffff]
69/// Output Bounds:
70/// out1: [0x0 ~> 0xffffffffffffffff]
71/// out2: [0x0 ~> 0x1]
72#[inline]
73pub fn fiat_p224_subborrowx_u64(out1: &mut u64, out2: &mut fiat_p224_u1, arg1: fiat_p224_u1, arg2: u64, arg3: u64) -> () {
74 let x1: i128 = (((arg2 as i128) - (arg1 as i128)) - (arg3 as i128));
75 let x2: fiat_p224_i1 = ((x1 >> 64) as fiat_p224_i1);
76 let x3: u64 = ((x1 & (0xffffffffffffffff as i128)) as u64);
77 *out1 = x3;
78 *out2 = (((0x0 as fiat_p224_i2) - (x2 as fiat_p224_i2)) as fiat_p224_u1);
79}
80
81/// The function fiat_p224_mulx_u64 is a multiplication, returning the full double-width result.
82///
83/// Postconditions:
84/// out1 = (arg1 * arg2) mod 2^64
85/// out2 = ⌊arg1 * arg2 / 2^64⌋
86///
87/// Input Bounds:
88/// arg1: [0x0 ~> 0xffffffffffffffff]
89/// arg2: [0x0 ~> 0xffffffffffffffff]
90/// Output Bounds:
91/// out1: [0x0 ~> 0xffffffffffffffff]
92/// out2: [0x0 ~> 0xffffffffffffffff]
93#[inline]
94pub fn fiat_p224_mulx_u64(out1: &mut u64, out2: &mut u64, arg1: u64, arg2: u64) -> () {
95 let x1: u128 = ((arg1 as u128) * (arg2 as u128));
96 let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64);
97 let x3: u64 = ((x1 >> 64) as u64);
98 *out1 = x2;
99 *out2 = x3;
100}
101
102/// The function fiat_p224_cmovznz_u64 is a single-word conditional move.
103///
104/// Postconditions:
105/// out1 = (if arg1 = 0 then arg2 else arg3)
106///
107/// Input Bounds:
108/// arg1: [0x0 ~> 0x1]
109/// arg2: [0x0 ~> 0xffffffffffffffff]
110/// arg3: [0x0 ~> 0xffffffffffffffff]
111/// Output Bounds:
112/// out1: [0x0 ~> 0xffffffffffffffff]
113#[inline]
114pub fn fiat_p224_cmovznz_u64(out1: &mut u64, arg1: fiat_p224_u1, arg2: u64, arg3: u64) -> () {
115 let x1: fiat_p224_u1 = (!(!arg1));
116 let x2: u64 = ((((((0x0 as fiat_p224_i2) - (x1 as fiat_p224_i2)) as fiat_p224_i1) as i128) & (0xffffffffffffffff as i128)) as u64);
117 let x3: u64 = ((x2 & arg3) | ((!x2) & arg2));
118 *out1 = x3;
119}
120
121/// The function fiat_p224_mul multiplies two field elements in the Montgomery domain.
122///
123/// Preconditions:
124/// 0 ≤ eval arg1 < m
125/// 0 ≤ eval arg2 < m
126/// Postconditions:
127/// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m
128/// 0 ≤ eval out1 < m
129///
130#[inline]
131pub fn fiat_p224_mul(out1: &mut fiat_p224_montgomery_domain_field_element, arg1: &fiat_p224_montgomery_domain_field_element, arg2: &fiat_p224_montgomery_domain_field_element) -> () {
132 let x1: u64 = (arg1[1]);
133 let x2: u64 = (arg1[2]);
134 let x3: u64 = (arg1[3]);
135 let x4: u64 = (arg1[0]);
136 let mut x5: u64 = 0;
137 let mut x6: u64 = 0;
138 fiat_p224_mulx_u64(&mut x5, &mut x6, x4, (arg2[3]));
139 let mut x7: u64 = 0;
140 let mut x8: u64 = 0;
141 fiat_p224_mulx_u64(&mut x7, &mut x8, x4, (arg2[2]));
142 let mut x9: u64 = 0;
143 let mut x10: u64 = 0;
144 fiat_p224_mulx_u64(&mut x9, &mut x10, x4, (arg2[1]));
145 let mut x11: u64 = 0;
146 let mut x12: u64 = 0;
147 fiat_p224_mulx_u64(&mut x11, &mut x12, x4, (arg2[0]));
148 let mut x13: u64 = 0;
149 let mut x14: fiat_p224_u1 = 0;
150 fiat_p224_addcarryx_u64(&mut x13, &mut x14, 0x0, x12, x9);
151 let mut x15: u64 = 0;
152 let mut x16: fiat_p224_u1 = 0;
153 fiat_p224_addcarryx_u64(&mut x15, &mut x16, x14, x10, x7);
154 let mut x17: u64 = 0;
155 let mut x18: fiat_p224_u1 = 0;
156 fiat_p224_addcarryx_u64(&mut x17, &mut x18, x16, x8, x5);
157 let x19: u64 = ((x18 as u64) + x6);
158 let mut x20: u64 = 0;
159 let mut x21: u64 = 0;
160 fiat_p224_mulx_u64(&mut x20, &mut x21, x11, 0xffffffffffffffff);
161 let mut x22: u64 = 0;
162 let mut x23: u64 = 0;
163 fiat_p224_mulx_u64(&mut x22, &mut x23, x20, 0xffffffff);
164 let mut x24: u64 = 0;
165 let mut x25: u64 = 0;
166 fiat_p224_mulx_u64(&mut x24, &mut x25, x20, 0xffffffffffffffff);
167 let mut x26: u64 = 0;
168 let mut x27: u64 = 0;
169 fiat_p224_mulx_u64(&mut x26, &mut x27, x20, 0xffffffff00000000);
170 let mut x28: u64 = 0;
171 let mut x29: fiat_p224_u1 = 0;
172 fiat_p224_addcarryx_u64(&mut x28, &mut x29, 0x0, x27, x24);
173 let mut x30: u64 = 0;
174 let mut x31: fiat_p224_u1 = 0;
175 fiat_p224_addcarryx_u64(&mut x30, &mut x31, x29, x25, x22);
176 let x32: u64 = ((x31 as u64) + x23);
177 let mut x33: u64 = 0;
178 let mut x34: fiat_p224_u1 = 0;
179 fiat_p224_addcarryx_u64(&mut x33, &mut x34, 0x0, x11, x20);
180 let mut x35: u64 = 0;
181 let mut x36: fiat_p224_u1 = 0;
182 fiat_p224_addcarryx_u64(&mut x35, &mut x36, x34, x13, x26);
183 let mut x37: u64 = 0;
184 let mut x38: fiat_p224_u1 = 0;
185 fiat_p224_addcarryx_u64(&mut x37, &mut x38, x36, x15, x28);
186 let mut x39: u64 = 0;
187 let mut x40: fiat_p224_u1 = 0;
188 fiat_p224_addcarryx_u64(&mut x39, &mut x40, x38, x17, x30);
189 let mut x41: u64 = 0;
190 let mut x42: fiat_p224_u1 = 0;
191 fiat_p224_addcarryx_u64(&mut x41, &mut x42, x40, x19, x32);
192 let mut x43: u64 = 0;
193 let mut x44: u64 = 0;
194 fiat_p224_mulx_u64(&mut x43, &mut x44, x1, (arg2[3]));
195 let mut x45: u64 = 0;
196 let mut x46: u64 = 0;
197 fiat_p224_mulx_u64(&mut x45, &mut x46, x1, (arg2[2]));
198 let mut x47: u64 = 0;
199 let mut x48: u64 = 0;
200 fiat_p224_mulx_u64(&mut x47, &mut x48, x1, (arg2[1]));
201 let mut x49: u64 = 0;
202 let mut x50: u64 = 0;
203 fiat_p224_mulx_u64(&mut x49, &mut x50, x1, (arg2[0]));
204 let mut x51: u64 = 0;
205 let mut x52: fiat_p224_u1 = 0;
206 fiat_p224_addcarryx_u64(&mut x51, &mut x52, 0x0, x50, x47);
207 let mut x53: u64 = 0;
208 let mut x54: fiat_p224_u1 = 0;
209 fiat_p224_addcarryx_u64(&mut x53, &mut x54, x52, x48, x45);
210 let mut x55: u64 = 0;
211 let mut x56: fiat_p224_u1 = 0;
212 fiat_p224_addcarryx_u64(&mut x55, &mut x56, x54, x46, x43);
213 let x57: u64 = ((x56 as u64) + x44);
214 let mut x58: u64 = 0;
215 let mut x59: fiat_p224_u1 = 0;
216 fiat_p224_addcarryx_u64(&mut x58, &mut x59, 0x0, x35, x49);
217 let mut x60: u64 = 0;
218 let mut x61: fiat_p224_u1 = 0;
219 fiat_p224_addcarryx_u64(&mut x60, &mut x61, x59, x37, x51);
220 let mut x62: u64 = 0;
221 let mut x63: fiat_p224_u1 = 0;
222 fiat_p224_addcarryx_u64(&mut x62, &mut x63, x61, x39, x53);
223 let mut x64: u64 = 0;
224 let mut x65: fiat_p224_u1 = 0;
225 fiat_p224_addcarryx_u64(&mut x64, &mut x65, x63, x41, x55);
226 let mut x66: u64 = 0;
227 let mut x67: fiat_p224_u1 = 0;
228 fiat_p224_addcarryx_u64(&mut x66, &mut x67, x65, (x42 as u64), x57);
229 let mut x68: u64 = 0;
230 let mut x69: u64 = 0;
231 fiat_p224_mulx_u64(&mut x68, &mut x69, x58, 0xffffffffffffffff);
232 let mut x70: u64 = 0;
233 let mut x71: u64 = 0;
234 fiat_p224_mulx_u64(&mut x70, &mut x71, x68, 0xffffffff);
235 let mut x72: u64 = 0;
236 let mut x73: u64 = 0;
237 fiat_p224_mulx_u64(&mut x72, &mut x73, x68, 0xffffffffffffffff);
238 let mut x74: u64 = 0;
239 let mut x75: u64 = 0;
240 fiat_p224_mulx_u64(&mut x74, &mut x75, x68, 0xffffffff00000000);
241 let mut x76: u64 = 0;
242 let mut x77: fiat_p224_u1 = 0;
243 fiat_p224_addcarryx_u64(&mut x76, &mut x77, 0x0, x75, x72);
244 let mut x78: u64 = 0;
245 let mut x79: fiat_p224_u1 = 0;
246 fiat_p224_addcarryx_u64(&mut x78, &mut x79, x77, x73, x70);
247 let x80: u64 = ((x79 as u64) + x71);
248 let mut x81: u64 = 0;
249 let mut x82: fiat_p224_u1 = 0;
250 fiat_p224_addcarryx_u64(&mut x81, &mut x82, 0x0, x58, x68);
251 let mut x83: u64 = 0;
252 let mut x84: fiat_p224_u1 = 0;
253 fiat_p224_addcarryx_u64(&mut x83, &mut x84, x82, x60, x74);
254 let mut x85: u64 = 0;
255 let mut x86: fiat_p224_u1 = 0;
256 fiat_p224_addcarryx_u64(&mut x85, &mut x86, x84, x62, x76);
257 let mut x87: u64 = 0;
258 let mut x88: fiat_p224_u1 = 0;
259 fiat_p224_addcarryx_u64(&mut x87, &mut x88, x86, x64, x78);
260 let mut x89: u64 = 0;
261 let mut x90: fiat_p224_u1 = 0;
262 fiat_p224_addcarryx_u64(&mut x89, &mut x90, x88, x66, x80);
263 let x91: u64 = ((x90 as u64) + (x67 as u64));
264 let mut x92: u64 = 0;
265 let mut x93: u64 = 0;
266 fiat_p224_mulx_u64(&mut x92, &mut x93, x2, (arg2[3]));
267 let mut x94: u64 = 0;
268 let mut x95: u64 = 0;
269 fiat_p224_mulx_u64(&mut x94, &mut x95, x2, (arg2[2]));
270 let mut x96: u64 = 0;
271 let mut x97: u64 = 0;
272 fiat_p224_mulx_u64(&mut x96, &mut x97, x2, (arg2[1]));
273 let mut x98: u64 = 0;
274 let mut x99: u64 = 0;
275 fiat_p224_mulx_u64(&mut x98, &mut x99, x2, (arg2[0]));
276 let mut x100: u64 = 0;
277 let mut x101: fiat_p224_u1 = 0;
278 fiat_p224_addcarryx_u64(&mut x100, &mut x101, 0x0, x99, x96);
279 let mut x102: u64 = 0;
280 let mut x103: fiat_p224_u1 = 0;
281 fiat_p224_addcarryx_u64(&mut x102, &mut x103, x101, x97, x94);
282 let mut x104: u64 = 0;
283 let mut x105: fiat_p224_u1 = 0;
284 fiat_p224_addcarryx_u64(&mut x104, &mut x105, x103, x95, x92);
285 let x106: u64 = ((x105 as u64) + x93);
286 let mut x107: u64 = 0;
287 let mut x108: fiat_p224_u1 = 0;
288 fiat_p224_addcarryx_u64(&mut x107, &mut x108, 0x0, x83, x98);
289 let mut x109: u64 = 0;
290 let mut x110: fiat_p224_u1 = 0;
291 fiat_p224_addcarryx_u64(&mut x109, &mut x110, x108, x85, x100);
292 let mut x111: u64 = 0;
293 let mut x112: fiat_p224_u1 = 0;
294 fiat_p224_addcarryx_u64(&mut x111, &mut x112, x110, x87, x102);
295 let mut x113: u64 = 0;
296 let mut x114: fiat_p224_u1 = 0;
297 fiat_p224_addcarryx_u64(&mut x113, &mut x114, x112, x89, x104);
298 let mut x115: u64 = 0;
299 let mut x116: fiat_p224_u1 = 0;
300 fiat_p224_addcarryx_u64(&mut x115, &mut x116, x114, x91, x106);
301 let mut x117: u64 = 0;
302 let mut x118: u64 = 0;
303 fiat_p224_mulx_u64(&mut x117, &mut x118, x107, 0xffffffffffffffff);
304 let mut x119: u64 = 0;
305 let mut x120: u64 = 0;
306 fiat_p224_mulx_u64(&mut x119, &mut x120, x117, 0xffffffff);
307 let mut x121: u64 = 0;
308 let mut x122: u64 = 0;
309 fiat_p224_mulx_u64(&mut x121, &mut x122, x117, 0xffffffffffffffff);
310 let mut x123: u64 = 0;
311 let mut x124: u64 = 0;
312 fiat_p224_mulx_u64(&mut x123, &mut x124, x117, 0xffffffff00000000);
313 let mut x125: u64 = 0;
314 let mut x126: fiat_p224_u1 = 0;
315 fiat_p224_addcarryx_u64(&mut x125, &mut x126, 0x0, x124, x121);
316 let mut x127: u64 = 0;
317 let mut x128: fiat_p224_u1 = 0;
318 fiat_p224_addcarryx_u64(&mut x127, &mut x128, x126, x122, x119);
319 let x129: u64 = ((x128 as u64) + x120);
320 let mut x130: u64 = 0;
321 let mut x131: fiat_p224_u1 = 0;
322 fiat_p224_addcarryx_u64(&mut x130, &mut x131, 0x0, x107, x117);
323 let mut x132: u64 = 0;
324 let mut x133: fiat_p224_u1 = 0;
325 fiat_p224_addcarryx_u64(&mut x132, &mut x133, x131, x109, x123);
326 let mut x134: u64 = 0;
327 let mut x135: fiat_p224_u1 = 0;
328 fiat_p224_addcarryx_u64(&mut x134, &mut x135, x133, x111, x125);
329 let mut x136: u64 = 0;
330 let mut x137: fiat_p224_u1 = 0;
331 fiat_p224_addcarryx_u64(&mut x136, &mut x137, x135, x113, x127);
332 let mut x138: u64 = 0;
333 let mut x139: fiat_p224_u1 = 0;
334 fiat_p224_addcarryx_u64(&mut x138, &mut x139, x137, x115, x129);
335 let x140: u64 = ((x139 as u64) + (x116 as u64));
336 let mut x141: u64 = 0;
337 let mut x142: u64 = 0;
338 fiat_p224_mulx_u64(&mut x141, &mut x142, x3, (arg2[3]));
339 let mut x143: u64 = 0;
340 let mut x144: u64 = 0;
341 fiat_p224_mulx_u64(&mut x143, &mut x144, x3, (arg2[2]));
342 let mut x145: u64 = 0;
343 let mut x146: u64 = 0;
344 fiat_p224_mulx_u64(&mut x145, &mut x146, x3, (arg2[1]));
345 let mut x147: u64 = 0;
346 let mut x148: u64 = 0;
347 fiat_p224_mulx_u64(&mut x147, &mut x148, x3, (arg2[0]));
348 let mut x149: u64 = 0;
349 let mut x150: fiat_p224_u1 = 0;
350 fiat_p224_addcarryx_u64(&mut x149, &mut x150, 0x0, x148, x145);
351 let mut x151: u64 = 0;
352 let mut x152: fiat_p224_u1 = 0;
353 fiat_p224_addcarryx_u64(&mut x151, &mut x152, x150, x146, x143);
354 let mut x153: u64 = 0;
355 let mut x154: fiat_p224_u1 = 0;
356 fiat_p224_addcarryx_u64(&mut x153, &mut x154, x152, x144, x141);
357 let x155: u64 = ((x154 as u64) + x142);
358 let mut x156: u64 = 0;
359 let mut x157: fiat_p224_u1 = 0;
360 fiat_p224_addcarryx_u64(&mut x156, &mut x157, 0x0, x132, x147);
361 let mut x158: u64 = 0;
362 let mut x159: fiat_p224_u1 = 0;
363 fiat_p224_addcarryx_u64(&mut x158, &mut x159, x157, x134, x149);
364 let mut x160: u64 = 0;
365 let mut x161: fiat_p224_u1 = 0;
366 fiat_p224_addcarryx_u64(&mut x160, &mut x161, x159, x136, x151);
367 let mut x162: u64 = 0;
368 let mut x163: fiat_p224_u1 = 0;
369 fiat_p224_addcarryx_u64(&mut x162, &mut x163, x161, x138, x153);
370 let mut x164: u64 = 0;
371 let mut x165: fiat_p224_u1 = 0;
372 fiat_p224_addcarryx_u64(&mut x164, &mut x165, x163, x140, x155);
373 let mut x166: u64 = 0;
374 let mut x167: u64 = 0;
375 fiat_p224_mulx_u64(&mut x166, &mut x167, x156, 0xffffffffffffffff);
376 let mut x168: u64 = 0;
377 let mut x169: u64 = 0;
378 fiat_p224_mulx_u64(&mut x168, &mut x169, x166, 0xffffffff);
379 let mut x170: u64 = 0;
380 let mut x171: u64 = 0;
381 fiat_p224_mulx_u64(&mut x170, &mut x171, x166, 0xffffffffffffffff);
382 let mut x172: u64 = 0;
383 let mut x173: u64 = 0;
384 fiat_p224_mulx_u64(&mut x172, &mut x173, x166, 0xffffffff00000000);
385 let mut x174: u64 = 0;
386 let mut x175: fiat_p224_u1 = 0;
387 fiat_p224_addcarryx_u64(&mut x174, &mut x175, 0x0, x173, x170);
388 let mut x176: u64 = 0;
389 let mut x177: fiat_p224_u1 = 0;
390 fiat_p224_addcarryx_u64(&mut x176, &mut x177, x175, x171, x168);
391 let x178: u64 = ((x177 as u64) + x169);
392 let mut x179: u64 = 0;
393 let mut x180: fiat_p224_u1 = 0;
394 fiat_p224_addcarryx_u64(&mut x179, &mut x180, 0x0, x156, x166);
395 let mut x181: u64 = 0;
396 let mut x182: fiat_p224_u1 = 0;
397 fiat_p224_addcarryx_u64(&mut x181, &mut x182, x180, x158, x172);
398 let mut x183: u64 = 0;
399 let mut x184: fiat_p224_u1 = 0;
400 fiat_p224_addcarryx_u64(&mut x183, &mut x184, x182, x160, x174);
401 let mut x185: u64 = 0;
402 let mut x186: fiat_p224_u1 = 0;
403 fiat_p224_addcarryx_u64(&mut x185, &mut x186, x184, x162, x176);
404 let mut x187: u64 = 0;
405 let mut x188: fiat_p224_u1 = 0;
406 fiat_p224_addcarryx_u64(&mut x187, &mut x188, x186, x164, x178);
407 let x189: u64 = ((x188 as u64) + (x165 as u64));
408 let mut x190: u64 = 0;
409 let mut x191: fiat_p224_u1 = 0;
410 fiat_p224_subborrowx_u64(&mut x190, &mut x191, 0x0, x181, (0x1 as u64));
411 let mut x192: u64 = 0;
412 let mut x193: fiat_p224_u1 = 0;
413 fiat_p224_subborrowx_u64(&mut x192, &mut x193, x191, x183, 0xffffffff00000000);
414 let mut x194: u64 = 0;
415 let mut x195: fiat_p224_u1 = 0;
416 fiat_p224_subborrowx_u64(&mut x194, &mut x195, x193, x185, 0xffffffffffffffff);
417 let mut x196: u64 = 0;
418 let mut x197: fiat_p224_u1 = 0;
419 fiat_p224_subborrowx_u64(&mut x196, &mut x197, x195, x187, 0xffffffff);
420 let mut x198: u64 = 0;
421 let mut x199: fiat_p224_u1 = 0;
422 fiat_p224_subborrowx_u64(&mut x198, &mut x199, x197, x189, (0x0 as u64));
423 let mut x200: u64 = 0;
424 fiat_p224_cmovznz_u64(&mut x200, x199, x190, x181);
425 let mut x201: u64 = 0;
426 fiat_p224_cmovznz_u64(&mut x201, x199, x192, x183);
427 let mut x202: u64 = 0;
428 fiat_p224_cmovznz_u64(&mut x202, x199, x194, x185);
429 let mut x203: u64 = 0;
430 fiat_p224_cmovznz_u64(&mut x203, x199, x196, x187);
431 out1[0] = x200;
432 out1[1] = x201;
433 out1[2] = x202;
434 out1[3] = x203;
435}
436
437/// The function fiat_p224_square squares a field element in the Montgomery domain.
438///
439/// Preconditions:
440/// 0 ≤ eval arg1 < m
441/// Postconditions:
442/// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m
443/// 0 ≤ eval out1 < m
444///
445#[inline]
446pub fn fiat_p224_square(out1: &mut fiat_p224_montgomery_domain_field_element, arg1: &fiat_p224_montgomery_domain_field_element) -> () {
447 let x1: u64 = (arg1[1]);
448 let x2: u64 = (arg1[2]);
449 let x3: u64 = (arg1[3]);
450 let x4: u64 = (arg1[0]);
451 let mut x5: u64 = 0;
452 let mut x6: u64 = 0;
453 fiat_p224_mulx_u64(&mut x5, &mut x6, x4, (arg1[3]));
454 let mut x7: u64 = 0;
455 let mut x8: u64 = 0;
456 fiat_p224_mulx_u64(&mut x7, &mut x8, x4, (arg1[2]));
457 let mut x9: u64 = 0;
458 let mut x10: u64 = 0;
459 fiat_p224_mulx_u64(&mut x9, &mut x10, x4, (arg1[1]));
460 let mut x11: u64 = 0;
461 let mut x12: u64 = 0;
462 fiat_p224_mulx_u64(&mut x11, &mut x12, x4, (arg1[0]));
463 let mut x13: u64 = 0;
464 let mut x14: fiat_p224_u1 = 0;
465 fiat_p224_addcarryx_u64(&mut x13, &mut x14, 0x0, x12, x9);
466 let mut x15: u64 = 0;
467 let mut x16: fiat_p224_u1 = 0;
468 fiat_p224_addcarryx_u64(&mut x15, &mut x16, x14, x10, x7);
469 let mut x17: u64 = 0;
470 let mut x18: fiat_p224_u1 = 0;
471 fiat_p224_addcarryx_u64(&mut x17, &mut x18, x16, x8, x5);
472 let x19: u64 = ((x18 as u64) + x6);
473 let mut x20: u64 = 0;
474 let mut x21: u64 = 0;
475 fiat_p224_mulx_u64(&mut x20, &mut x21, x11, 0xffffffffffffffff);
476 let mut x22: u64 = 0;
477 let mut x23: u64 = 0;
478 fiat_p224_mulx_u64(&mut x22, &mut x23, x20, 0xffffffff);
479 let mut x24: u64 = 0;
480 let mut x25: u64 = 0;
481 fiat_p224_mulx_u64(&mut x24, &mut x25, x20, 0xffffffffffffffff);
482 let mut x26: u64 = 0;
483 let mut x27: u64 = 0;
484 fiat_p224_mulx_u64(&mut x26, &mut x27, x20, 0xffffffff00000000);
485 let mut x28: u64 = 0;
486 let mut x29: fiat_p224_u1 = 0;
487 fiat_p224_addcarryx_u64(&mut x28, &mut x29, 0x0, x27, x24);
488 let mut x30: u64 = 0;
489 let mut x31: fiat_p224_u1 = 0;
490 fiat_p224_addcarryx_u64(&mut x30, &mut x31, x29, x25, x22);
491 let x32: u64 = ((x31 as u64) + x23);
492 let mut x33: u64 = 0;
493 let mut x34: fiat_p224_u1 = 0;
494 fiat_p224_addcarryx_u64(&mut x33, &mut x34, 0x0, x11, x20);
495 let mut x35: u64 = 0;
496 let mut x36: fiat_p224_u1 = 0;
497 fiat_p224_addcarryx_u64(&mut x35, &mut x36, x34, x13, x26);
498 let mut x37: u64 = 0;
499 let mut x38: fiat_p224_u1 = 0;
500 fiat_p224_addcarryx_u64(&mut x37, &mut x38, x36, x15, x28);
501 let mut x39: u64 = 0;
502 let mut x40: fiat_p224_u1 = 0;
503 fiat_p224_addcarryx_u64(&mut x39, &mut x40, x38, x17, x30);
504 let mut x41: u64 = 0;
505 let mut x42: fiat_p224_u1 = 0;
506 fiat_p224_addcarryx_u64(&mut x41, &mut x42, x40, x19, x32);
507 let mut x43: u64 = 0;
508 let mut x44: u64 = 0;
509 fiat_p224_mulx_u64(&mut x43, &mut x44, x1, (arg1[3]));
510 let mut x45: u64 = 0;
511 let mut x46: u64 = 0;
512 fiat_p224_mulx_u64(&mut x45, &mut x46, x1, (arg1[2]));
513 let mut x47: u64 = 0;
514 let mut x48: u64 = 0;
515 fiat_p224_mulx_u64(&mut x47, &mut x48, x1, (arg1[1]));
516 let mut x49: u64 = 0;
517 let mut x50: u64 = 0;
518 fiat_p224_mulx_u64(&mut x49, &mut x50, x1, (arg1[0]));
519 let mut x51: u64 = 0;
520 let mut x52: fiat_p224_u1 = 0;
521 fiat_p224_addcarryx_u64(&mut x51, &mut x52, 0x0, x50, x47);
522 let mut x53: u64 = 0;
523 let mut x54: fiat_p224_u1 = 0;
524 fiat_p224_addcarryx_u64(&mut x53, &mut x54, x52, x48, x45);
525 let mut x55: u64 = 0;
526 let mut x56: fiat_p224_u1 = 0;
527 fiat_p224_addcarryx_u64(&mut x55, &mut x56, x54, x46, x43);
528 let x57: u64 = ((x56 as u64) + x44);
529 let mut x58: u64 = 0;
530 let mut x59: fiat_p224_u1 = 0;
531 fiat_p224_addcarryx_u64(&mut x58, &mut x59, 0x0, x35, x49);
532 let mut x60: u64 = 0;
533 let mut x61: fiat_p224_u1 = 0;
534 fiat_p224_addcarryx_u64(&mut x60, &mut x61, x59, x37, x51);
535 let mut x62: u64 = 0;
536 let mut x63: fiat_p224_u1 = 0;
537 fiat_p224_addcarryx_u64(&mut x62, &mut x63, x61, x39, x53);
538 let mut x64: u64 = 0;
539 let mut x65: fiat_p224_u1 = 0;
540 fiat_p224_addcarryx_u64(&mut x64, &mut x65, x63, x41, x55);
541 let mut x66: u64 = 0;
542 let mut x67: fiat_p224_u1 = 0;
543 fiat_p224_addcarryx_u64(&mut x66, &mut x67, x65, (x42 as u64), x57);
544 let mut x68: u64 = 0;
545 let mut x69: u64 = 0;
546 fiat_p224_mulx_u64(&mut x68, &mut x69, x58, 0xffffffffffffffff);
547 let mut x70: u64 = 0;
548 let mut x71: u64 = 0;
549 fiat_p224_mulx_u64(&mut x70, &mut x71, x68, 0xffffffff);
550 let mut x72: u64 = 0;
551 let mut x73: u64 = 0;
552 fiat_p224_mulx_u64(&mut x72, &mut x73, x68, 0xffffffffffffffff);
553 let mut x74: u64 = 0;
554 let mut x75: u64 = 0;
555 fiat_p224_mulx_u64(&mut x74, &mut x75, x68, 0xffffffff00000000);
556 let mut x76: u64 = 0;
557 let mut x77: fiat_p224_u1 = 0;
558 fiat_p224_addcarryx_u64(&mut x76, &mut x77, 0x0, x75, x72);
559 let mut x78: u64 = 0;
560 let mut x79: fiat_p224_u1 = 0;
561 fiat_p224_addcarryx_u64(&mut x78, &mut x79, x77, x73, x70);
562 let x80: u64 = ((x79 as u64) + x71);
563 let mut x81: u64 = 0;
564 let mut x82: fiat_p224_u1 = 0;
565 fiat_p224_addcarryx_u64(&mut x81, &mut x82, 0x0, x58, x68);
566 let mut x83: u64 = 0;
567 let mut x84: fiat_p224_u1 = 0;
568 fiat_p224_addcarryx_u64(&mut x83, &mut x84, x82, x60, x74);
569 let mut x85: u64 = 0;
570 let mut x86: fiat_p224_u1 = 0;
571 fiat_p224_addcarryx_u64(&mut x85, &mut x86, x84, x62, x76);
572 let mut x87: u64 = 0;
573 let mut x88: fiat_p224_u1 = 0;
574 fiat_p224_addcarryx_u64(&mut x87, &mut x88, x86, x64, x78);
575 let mut x89: u64 = 0;
576 let mut x90: fiat_p224_u1 = 0;
577 fiat_p224_addcarryx_u64(&mut x89, &mut x90, x88, x66, x80);
578 let x91: u64 = ((x90 as u64) + (x67 as u64));
579 let mut x92: u64 = 0;
580 let mut x93: u64 = 0;
581 fiat_p224_mulx_u64(&mut x92, &mut x93, x2, (arg1[3]));
582 let mut x94: u64 = 0;
583 let mut x95: u64 = 0;
584 fiat_p224_mulx_u64(&mut x94, &mut x95, x2, (arg1[2]));
585 let mut x96: u64 = 0;
586 let mut x97: u64 = 0;
587 fiat_p224_mulx_u64(&mut x96, &mut x97, x2, (arg1[1]));
588 let mut x98: u64 = 0;
589 let mut x99: u64 = 0;
590 fiat_p224_mulx_u64(&mut x98, &mut x99, x2, (arg1[0]));
591 let mut x100: u64 = 0;
592 let mut x101: fiat_p224_u1 = 0;
593 fiat_p224_addcarryx_u64(&mut x100, &mut x101, 0x0, x99, x96);
594 let mut x102: u64 = 0;
595 let mut x103: fiat_p224_u1 = 0;
596 fiat_p224_addcarryx_u64(&mut x102, &mut x103, x101, x97, x94);
597 let mut x104: u64 = 0;
598 let mut x105: fiat_p224_u1 = 0;
599 fiat_p224_addcarryx_u64(&mut x104, &mut x105, x103, x95, x92);
600 let x106: u64 = ((x105 as u64) + x93);
601 let mut x107: u64 = 0;
602 let mut x108: fiat_p224_u1 = 0;
603 fiat_p224_addcarryx_u64(&mut x107, &mut x108, 0x0, x83, x98);
604 let mut x109: u64 = 0;
605 let mut x110: fiat_p224_u1 = 0;
606 fiat_p224_addcarryx_u64(&mut x109, &mut x110, x108, x85, x100);
607 let mut x111: u64 = 0;
608 let mut x112: fiat_p224_u1 = 0;
609 fiat_p224_addcarryx_u64(&mut x111, &mut x112, x110, x87, x102);
610 let mut x113: u64 = 0;
611 let mut x114: fiat_p224_u1 = 0;
612 fiat_p224_addcarryx_u64(&mut x113, &mut x114, x112, x89, x104);
613 let mut x115: u64 = 0;
614 let mut x116: fiat_p224_u1 = 0;
615 fiat_p224_addcarryx_u64(&mut x115, &mut x116, x114, x91, x106);
616 let mut x117: u64 = 0;
617 let mut x118: u64 = 0;
618 fiat_p224_mulx_u64(&mut x117, &mut x118, x107, 0xffffffffffffffff);
619 let mut x119: u64 = 0;
620 let mut x120: u64 = 0;
621 fiat_p224_mulx_u64(&mut x119, &mut x120, x117, 0xffffffff);
622 let mut x121: u64 = 0;
623 let mut x122: u64 = 0;
624 fiat_p224_mulx_u64(&mut x121, &mut x122, x117, 0xffffffffffffffff);
625 let mut x123: u64 = 0;
626 let mut x124: u64 = 0;
627 fiat_p224_mulx_u64(&mut x123, &mut x124, x117, 0xffffffff00000000);
628 let mut x125: u64 = 0;
629 let mut x126: fiat_p224_u1 = 0;
630 fiat_p224_addcarryx_u64(&mut x125, &mut x126, 0x0, x124, x121);
631 let mut x127: u64 = 0;
632 let mut x128: fiat_p224_u1 = 0;
633 fiat_p224_addcarryx_u64(&mut x127, &mut x128, x126, x122, x119);
634 let x129: u64 = ((x128 as u64) + x120);
635 let mut x130: u64 = 0;
636 let mut x131: fiat_p224_u1 = 0;
637 fiat_p224_addcarryx_u64(&mut x130, &mut x131, 0x0, x107, x117);
638 let mut x132: u64 = 0;
639 let mut x133: fiat_p224_u1 = 0;
640 fiat_p224_addcarryx_u64(&mut x132, &mut x133, x131, x109, x123);
641 let mut x134: u64 = 0;
642 let mut x135: fiat_p224_u1 = 0;
643 fiat_p224_addcarryx_u64(&mut x134, &mut x135, x133, x111, x125);
644 let mut x136: u64 = 0;
645 let mut x137: fiat_p224_u1 = 0;
646 fiat_p224_addcarryx_u64(&mut x136, &mut x137, x135, x113, x127);
647 let mut x138: u64 = 0;
648 let mut x139: fiat_p224_u1 = 0;
649 fiat_p224_addcarryx_u64(&mut x138, &mut x139, x137, x115, x129);
650 let x140: u64 = ((x139 as u64) + (x116 as u64));
651 let mut x141: u64 = 0;
652 let mut x142: u64 = 0;
653 fiat_p224_mulx_u64(&mut x141, &mut x142, x3, (arg1[3]));
654 let mut x143: u64 = 0;
655 let mut x144: u64 = 0;
656 fiat_p224_mulx_u64(&mut x143, &mut x144, x3, (arg1[2]));
657 let mut x145: u64 = 0;
658 let mut x146: u64 = 0;
659 fiat_p224_mulx_u64(&mut x145, &mut x146, x3, (arg1[1]));
660 let mut x147: u64 = 0;
661 let mut x148: u64 = 0;
662 fiat_p224_mulx_u64(&mut x147, &mut x148, x3, (arg1[0]));
663 let mut x149: u64 = 0;
664 let mut x150: fiat_p224_u1 = 0;
665 fiat_p224_addcarryx_u64(&mut x149, &mut x150, 0x0, x148, x145);
666 let mut x151: u64 = 0;
667 let mut x152: fiat_p224_u1 = 0;
668 fiat_p224_addcarryx_u64(&mut x151, &mut x152, x150, x146, x143);
669 let mut x153: u64 = 0;
670 let mut x154: fiat_p224_u1 = 0;
671 fiat_p224_addcarryx_u64(&mut x153, &mut x154, x152, x144, x141);
672 let x155: u64 = ((x154 as u64) + x142);
673 let mut x156: u64 = 0;
674 let mut x157: fiat_p224_u1 = 0;
675 fiat_p224_addcarryx_u64(&mut x156, &mut x157, 0x0, x132, x147);
676 let mut x158: u64 = 0;
677 let mut x159: fiat_p224_u1 = 0;
678 fiat_p224_addcarryx_u64(&mut x158, &mut x159, x157, x134, x149);
679 let mut x160: u64 = 0;
680 let mut x161: fiat_p224_u1 = 0;
681 fiat_p224_addcarryx_u64(&mut x160, &mut x161, x159, x136, x151);
682 let mut x162: u64 = 0;
683 let mut x163: fiat_p224_u1 = 0;
684 fiat_p224_addcarryx_u64(&mut x162, &mut x163, x161, x138, x153);
685 let mut x164: u64 = 0;
686 let mut x165: fiat_p224_u1 = 0;
687 fiat_p224_addcarryx_u64(&mut x164, &mut x165, x163, x140, x155);
688 let mut x166: u64 = 0;
689 let mut x167: u64 = 0;
690 fiat_p224_mulx_u64(&mut x166, &mut x167, x156, 0xffffffffffffffff);
691 let mut x168: u64 = 0;
692 let mut x169: u64 = 0;
693 fiat_p224_mulx_u64(&mut x168, &mut x169, x166, 0xffffffff);
694 let mut x170: u64 = 0;
695 let mut x171: u64 = 0;
696 fiat_p224_mulx_u64(&mut x170, &mut x171, x166, 0xffffffffffffffff);
697 let mut x172: u64 = 0;
698 let mut x173: u64 = 0;
699 fiat_p224_mulx_u64(&mut x172, &mut x173, x166, 0xffffffff00000000);
700 let mut x174: u64 = 0;
701 let mut x175: fiat_p224_u1 = 0;
702 fiat_p224_addcarryx_u64(&mut x174, &mut x175, 0x0, x173, x170);
703 let mut x176: u64 = 0;
704 let mut x177: fiat_p224_u1 = 0;
705 fiat_p224_addcarryx_u64(&mut x176, &mut x177, x175, x171, x168);
706 let x178: u64 = ((x177 as u64) + x169);
707 let mut x179: u64 = 0;
708 let mut x180: fiat_p224_u1 = 0;
709 fiat_p224_addcarryx_u64(&mut x179, &mut x180, 0x0, x156, x166);
710 let mut x181: u64 = 0;
711 let mut x182: fiat_p224_u1 = 0;
712 fiat_p224_addcarryx_u64(&mut x181, &mut x182, x180, x158, x172);
713 let mut x183: u64 = 0;
714 let mut x184: fiat_p224_u1 = 0;
715 fiat_p224_addcarryx_u64(&mut x183, &mut x184, x182, x160, x174);
716 let mut x185: u64 = 0;
717 let mut x186: fiat_p224_u1 = 0;
718 fiat_p224_addcarryx_u64(&mut x185, &mut x186, x184, x162, x176);
719 let mut x187: u64 = 0;
720 let mut x188: fiat_p224_u1 = 0;
721 fiat_p224_addcarryx_u64(&mut x187, &mut x188, x186, x164, x178);
722 let x189: u64 = ((x188 as u64) + (x165 as u64));
723 let mut x190: u64 = 0;
724 let mut x191: fiat_p224_u1 = 0;
725 fiat_p224_subborrowx_u64(&mut x190, &mut x191, 0x0, x181, (0x1 as u64));
726 let mut x192: u64 = 0;
727 let mut x193: fiat_p224_u1 = 0;
728 fiat_p224_subborrowx_u64(&mut x192, &mut x193, x191, x183, 0xffffffff00000000);
729 let mut x194: u64 = 0;
730 let mut x195: fiat_p224_u1 = 0;
731 fiat_p224_subborrowx_u64(&mut x194, &mut x195, x193, x185, 0xffffffffffffffff);
732 let mut x196: u64 = 0;
733 let mut x197: fiat_p224_u1 = 0;
734 fiat_p224_subborrowx_u64(&mut x196, &mut x197, x195, x187, 0xffffffff);
735 let mut x198: u64 = 0;
736 let mut x199: fiat_p224_u1 = 0;
737 fiat_p224_subborrowx_u64(&mut x198, &mut x199, x197, x189, (0x0 as u64));
738 let mut x200: u64 = 0;
739 fiat_p224_cmovznz_u64(&mut x200, x199, x190, x181);
740 let mut x201: u64 = 0;
741 fiat_p224_cmovznz_u64(&mut x201, x199, x192, x183);
742 let mut x202: u64 = 0;
743 fiat_p224_cmovznz_u64(&mut x202, x199, x194, x185);
744 let mut x203: u64 = 0;
745 fiat_p224_cmovznz_u64(&mut x203, x199, x196, x187);
746 out1[0] = x200;
747 out1[1] = x201;
748 out1[2] = x202;
749 out1[3] = x203;
750}
751
752/// The function fiat_p224_add adds two field elements in the Montgomery domain.
753///
754/// Preconditions:
755/// 0 ≤ eval arg1 < m
756/// 0 ≤ eval arg2 < m
757/// Postconditions:
758/// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m
759/// 0 ≤ eval out1 < m
760///
761#[inline]
762pub fn fiat_p224_add(out1: &mut fiat_p224_montgomery_domain_field_element, arg1: &fiat_p224_montgomery_domain_field_element, arg2: &fiat_p224_montgomery_domain_field_element) -> () {
763 let mut x1: u64 = 0;
764 let mut x2: fiat_p224_u1 = 0;
765 fiat_p224_addcarryx_u64(&mut x1, &mut x2, 0x0, (arg1[0]), (arg2[0]));
766 let mut x3: u64 = 0;
767 let mut x4: fiat_p224_u1 = 0;
768 fiat_p224_addcarryx_u64(&mut x3, &mut x4, x2, (arg1[1]), (arg2[1]));
769 let mut x5: u64 = 0;
770 let mut x6: fiat_p224_u1 = 0;
771 fiat_p224_addcarryx_u64(&mut x5, &mut x6, x4, (arg1[2]), (arg2[2]));
772 let mut x7: u64 = 0;
773 let mut x8: fiat_p224_u1 = 0;
774 fiat_p224_addcarryx_u64(&mut x7, &mut x8, x6, (arg1[3]), (arg2[3]));
775 let mut x9: u64 = 0;
776 let mut x10: fiat_p224_u1 = 0;
777 fiat_p224_subborrowx_u64(&mut x9, &mut x10, 0x0, x1, (0x1 as u64));
778 let mut x11: u64 = 0;
779 let mut x12: fiat_p224_u1 = 0;
780 fiat_p224_subborrowx_u64(&mut x11, &mut x12, x10, x3, 0xffffffff00000000);
781 let mut x13: u64 = 0;
782 let mut x14: fiat_p224_u1 = 0;
783 fiat_p224_subborrowx_u64(&mut x13, &mut x14, x12, x5, 0xffffffffffffffff);
784 let mut x15: u64 = 0;
785 let mut x16: fiat_p224_u1 = 0;
786 fiat_p224_subborrowx_u64(&mut x15, &mut x16, x14, x7, 0xffffffff);
787 let mut x17: u64 = 0;
788 let mut x18: fiat_p224_u1 = 0;
789 fiat_p224_subborrowx_u64(&mut x17, &mut x18, x16, (x8 as u64), (0x0 as u64));
790 let mut x19: u64 = 0;
791 fiat_p224_cmovznz_u64(&mut x19, x18, x9, x1);
792 let mut x20: u64 = 0;
793 fiat_p224_cmovznz_u64(&mut x20, x18, x11, x3);
794 let mut x21: u64 = 0;
795 fiat_p224_cmovznz_u64(&mut x21, x18, x13, x5);
796 let mut x22: u64 = 0;
797 fiat_p224_cmovznz_u64(&mut x22, x18, x15, x7);
798 out1[0] = x19;
799 out1[1] = x20;
800 out1[2] = x21;
801 out1[3] = x22;
802}
803
804/// The function fiat_p224_sub subtracts two field elements in the Montgomery domain.
805///
806/// Preconditions:
807/// 0 ≤ eval arg1 < m
808/// 0 ≤ eval arg2 < m
809/// Postconditions:
810/// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m
811/// 0 ≤ eval out1 < m
812///
813#[inline]
814pub fn fiat_p224_sub(out1: &mut fiat_p224_montgomery_domain_field_element, arg1: &fiat_p224_montgomery_domain_field_element, arg2: &fiat_p224_montgomery_domain_field_element) -> () {
815 let mut x1: u64 = 0;
816 let mut x2: fiat_p224_u1 = 0;
817 fiat_p224_subborrowx_u64(&mut x1, &mut x2, 0x0, (arg1[0]), (arg2[0]));
818 let mut x3: u64 = 0;
819 let mut x4: fiat_p224_u1 = 0;
820 fiat_p224_subborrowx_u64(&mut x3, &mut x4, x2, (arg1[1]), (arg2[1]));
821 let mut x5: u64 = 0;
822 let mut x6: fiat_p224_u1 = 0;
823 fiat_p224_subborrowx_u64(&mut x5, &mut x6, x4, (arg1[2]), (arg2[2]));
824 let mut x7: u64 = 0;
825 let mut x8: fiat_p224_u1 = 0;
826 fiat_p224_subborrowx_u64(&mut x7, &mut x8, x6, (arg1[3]), (arg2[3]));
827 let mut x9: u64 = 0;
828 fiat_p224_cmovznz_u64(&mut x9, x8, (0x0 as u64), 0xffffffffffffffff);
829 let mut x10: u64 = 0;
830 let mut x11: fiat_p224_u1 = 0;
831 fiat_p224_addcarryx_u64(&mut x10, &mut x11, 0x0, x1, (((x9 & (0x1 as u64)) as fiat_p224_u1) as u64));
832 let mut x12: u64 = 0;
833 let mut x13: fiat_p224_u1 = 0;
834 fiat_p224_addcarryx_u64(&mut x12, &mut x13, x11, x3, (x9 & 0xffffffff00000000));
835 let mut x14: u64 = 0;
836 let mut x15: fiat_p224_u1 = 0;
837 fiat_p224_addcarryx_u64(&mut x14, &mut x15, x13, x5, x9);
838 let mut x16: u64 = 0;
839 let mut x17: fiat_p224_u1 = 0;
840 fiat_p224_addcarryx_u64(&mut x16, &mut x17, x15, x7, (x9 & 0xffffffff));
841 out1[0] = x10;
842 out1[1] = x12;
843 out1[2] = x14;
844 out1[3] = x16;
845}
846
847/// The function fiat_p224_opp negates a field element in the Montgomery domain.
848///
849/// Preconditions:
850/// 0 ≤ eval arg1 < m
851/// Postconditions:
852/// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m
853/// 0 ≤ eval out1 < m
854///
855#[inline]
856pub fn fiat_p224_opp(out1: &mut fiat_p224_montgomery_domain_field_element, arg1: &fiat_p224_montgomery_domain_field_element) -> () {
857 let mut x1: u64 = 0;
858 let mut x2: fiat_p224_u1 = 0;
859 fiat_p224_subborrowx_u64(&mut x1, &mut x2, 0x0, (0x0 as u64), (arg1[0]));
860 let mut x3: u64 = 0;
861 let mut x4: fiat_p224_u1 = 0;
862 fiat_p224_subborrowx_u64(&mut x3, &mut x4, x2, (0x0 as u64), (arg1[1]));
863 let mut x5: u64 = 0;
864 let mut x6: fiat_p224_u1 = 0;
865 fiat_p224_subborrowx_u64(&mut x5, &mut x6, x4, (0x0 as u64), (arg1[2]));
866 let mut x7: u64 = 0;
867 let mut x8: fiat_p224_u1 = 0;
868 fiat_p224_subborrowx_u64(&mut x7, &mut x8, x6, (0x0 as u64), (arg1[3]));
869 let mut x9: u64 = 0;
870 fiat_p224_cmovznz_u64(&mut x9, x8, (0x0 as u64), 0xffffffffffffffff);
871 let mut x10: u64 = 0;
872 let mut x11: fiat_p224_u1 = 0;
873 fiat_p224_addcarryx_u64(&mut x10, &mut x11, 0x0, x1, (((x9 & (0x1 as u64)) as fiat_p224_u1) as u64));
874 let mut x12: u64 = 0;
875 let mut x13: fiat_p224_u1 = 0;
876 fiat_p224_addcarryx_u64(&mut x12, &mut x13, x11, x3, (x9 & 0xffffffff00000000));
877 let mut x14: u64 = 0;
878 let mut x15: fiat_p224_u1 = 0;
879 fiat_p224_addcarryx_u64(&mut x14, &mut x15, x13, x5, x9);
880 let mut x16: u64 = 0;
881 let mut x17: fiat_p224_u1 = 0;
882 fiat_p224_addcarryx_u64(&mut x16, &mut x17, x15, x7, (x9 & 0xffffffff));
883 out1[0] = x10;
884 out1[1] = x12;
885 out1[2] = x14;
886 out1[3] = x16;
887}
888
889/// The function fiat_p224_from_montgomery translates a field element out of the Montgomery domain.
890///
891/// Preconditions:
892/// 0 ≤ eval arg1 < m
893/// Postconditions:
894/// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m
895/// 0 ≤ eval out1 < m
896///
897#[inline]
898pub fn fiat_p224_from_montgomery(out1: &mut fiat_p224_non_montgomery_domain_field_element, arg1: &fiat_p224_montgomery_domain_field_element) -> () {
899 let x1: u64 = (arg1[0]);
900 let mut x2: u64 = 0;
901 let mut x3: u64 = 0;
902 fiat_p224_mulx_u64(&mut x2, &mut x3, x1, 0xffffffffffffffff);
903 let mut x4: u64 = 0;
904 let mut x5: u64 = 0;
905 fiat_p224_mulx_u64(&mut x4, &mut x5, x2, 0xffffffff);
906 let mut x6: u64 = 0;
907 let mut x7: u64 = 0;
908 fiat_p224_mulx_u64(&mut x6, &mut x7, x2, 0xffffffffffffffff);
909 let mut x8: u64 = 0;
910 let mut x9: u64 = 0;
911 fiat_p224_mulx_u64(&mut x8, &mut x9, x2, 0xffffffff00000000);
912 let mut x10: u64 = 0;
913 let mut x11: fiat_p224_u1 = 0;
914 fiat_p224_addcarryx_u64(&mut x10, &mut x11, 0x0, x9, x6);
915 let mut x12: u64 = 0;
916 let mut x13: fiat_p224_u1 = 0;
917 fiat_p224_addcarryx_u64(&mut x12, &mut x13, x11, x7, x4);
918 let mut x14: u64 = 0;
919 let mut x15: fiat_p224_u1 = 0;
920 fiat_p224_addcarryx_u64(&mut x14, &mut x15, 0x0, x1, x2);
921 let mut x16: u64 = 0;
922 let mut x17: fiat_p224_u1 = 0;
923 fiat_p224_addcarryx_u64(&mut x16, &mut x17, x15, (0x0 as u64), x8);
924 let mut x18: u64 = 0;
925 let mut x19: fiat_p224_u1 = 0;
926 fiat_p224_addcarryx_u64(&mut x18, &mut x19, x17, (0x0 as u64), x10);
927 let mut x20: u64 = 0;
928 let mut x21: fiat_p224_u1 = 0;
929 fiat_p224_addcarryx_u64(&mut x20, &mut x21, x19, (0x0 as u64), x12);
930 let mut x22: u64 = 0;
931 let mut x23: fiat_p224_u1 = 0;
932 fiat_p224_addcarryx_u64(&mut x22, &mut x23, 0x0, x16, (arg1[1]));
933 let mut x24: u64 = 0;
934 let mut x25: fiat_p224_u1 = 0;
935 fiat_p224_addcarryx_u64(&mut x24, &mut x25, x23, x18, (0x0 as u64));
936 let mut x26: u64 = 0;
937 let mut x27: fiat_p224_u1 = 0;
938 fiat_p224_addcarryx_u64(&mut x26, &mut x27, x25, x20, (0x0 as u64));
939 let mut x28: u64 = 0;
940 let mut x29: u64 = 0;
941 fiat_p224_mulx_u64(&mut x28, &mut x29, x22, 0xffffffffffffffff);
942 let mut x30: u64 = 0;
943 let mut x31: u64 = 0;
944 fiat_p224_mulx_u64(&mut x30, &mut x31, x28, 0xffffffff);
945 let mut x32: u64 = 0;
946 let mut x33: u64 = 0;
947 fiat_p224_mulx_u64(&mut x32, &mut x33, x28, 0xffffffffffffffff);
948 let mut x34: u64 = 0;
949 let mut x35: u64 = 0;
950 fiat_p224_mulx_u64(&mut x34, &mut x35, x28, 0xffffffff00000000);
951 let mut x36: u64 = 0;
952 let mut x37: fiat_p224_u1 = 0;
953 fiat_p224_addcarryx_u64(&mut x36, &mut x37, 0x0, x35, x32);
954 let mut x38: u64 = 0;
955 let mut x39: fiat_p224_u1 = 0;
956 fiat_p224_addcarryx_u64(&mut x38, &mut x39, x37, x33, x30);
957 let mut x40: u64 = 0;
958 let mut x41: fiat_p224_u1 = 0;
959 fiat_p224_addcarryx_u64(&mut x40, &mut x41, 0x0, x22, x28);
960 let mut x42: u64 = 0;
961 let mut x43: fiat_p224_u1 = 0;
962 fiat_p224_addcarryx_u64(&mut x42, &mut x43, x41, x24, x34);
963 let mut x44: u64 = 0;
964 let mut x45: fiat_p224_u1 = 0;
965 fiat_p224_addcarryx_u64(&mut x44, &mut x45, x43, x26, x36);
966 let mut x46: u64 = 0;
967 let mut x47: fiat_p224_u1 = 0;
968 fiat_p224_addcarryx_u64(&mut x46, &mut x47, x45, ((x27 as u64) + ((x21 as u64) + ((x13 as u64) + x5))), x38);
969 let mut x48: u64 = 0;
970 let mut x49: fiat_p224_u1 = 0;
971 fiat_p224_addcarryx_u64(&mut x48, &mut x49, 0x0, x42, (arg1[2]));
972 let mut x50: u64 = 0;
973 let mut x51: fiat_p224_u1 = 0;
974 fiat_p224_addcarryx_u64(&mut x50, &mut x51, x49, x44, (0x0 as u64));
975 let mut x52: u64 = 0;
976 let mut x53: fiat_p224_u1 = 0;
977 fiat_p224_addcarryx_u64(&mut x52, &mut x53, x51, x46, (0x0 as u64));
978 let mut x54: u64 = 0;
979 let mut x55: u64 = 0;
980 fiat_p224_mulx_u64(&mut x54, &mut x55, x48, 0xffffffffffffffff);
981 let mut x56: u64 = 0;
982 let mut x57: u64 = 0;
983 fiat_p224_mulx_u64(&mut x56, &mut x57, x54, 0xffffffff);
984 let mut x58: u64 = 0;
985 let mut x59: u64 = 0;
986 fiat_p224_mulx_u64(&mut x58, &mut x59, x54, 0xffffffffffffffff);
987 let mut x60: u64 = 0;
988 let mut x61: u64 = 0;
989 fiat_p224_mulx_u64(&mut x60, &mut x61, x54, 0xffffffff00000000);
990 let mut x62: u64 = 0;
991 let mut x63: fiat_p224_u1 = 0;
992 fiat_p224_addcarryx_u64(&mut x62, &mut x63, 0x0, x61, x58);
993 let mut x64: u64 = 0;
994 let mut x65: fiat_p224_u1 = 0;
995 fiat_p224_addcarryx_u64(&mut x64, &mut x65, x63, x59, x56);
996 let mut x66: u64 = 0;
997 let mut x67: fiat_p224_u1 = 0;
998 fiat_p224_addcarryx_u64(&mut x66, &mut x67, 0x0, x48, x54);
999 let mut x68: u64 = 0;
1000 let mut x69: fiat_p224_u1 = 0;
1001 fiat_p224_addcarryx_u64(&mut x68, &mut x69, x67, x50, x60);
1002 let mut x70: u64 = 0;
1003 let mut x71: fiat_p224_u1 = 0;
1004 fiat_p224_addcarryx_u64(&mut x70, &mut x71, x69, x52, x62);
1005 let mut x72: u64 = 0;
1006 let mut x73: fiat_p224_u1 = 0;
1007 fiat_p224_addcarryx_u64(&mut x72, &mut x73, x71, ((x53 as u64) + ((x47 as u64) + ((x39 as u64) + x31))), x64);
1008 let mut x74: u64 = 0;
1009 let mut x75: fiat_p224_u1 = 0;
1010 fiat_p224_addcarryx_u64(&mut x74, &mut x75, 0x0, x68, (arg1[3]));
1011 let mut x76: u64 = 0;
1012 let mut x77: fiat_p224_u1 = 0;
1013 fiat_p224_addcarryx_u64(&mut x76, &mut x77, x75, x70, (0x0 as u64));
1014 let mut x78: u64 = 0;
1015 let mut x79: fiat_p224_u1 = 0;
1016 fiat_p224_addcarryx_u64(&mut x78, &mut x79, x77, x72, (0x0 as u64));
1017 let mut x80: u64 = 0;
1018 let mut x81: u64 = 0;
1019 fiat_p224_mulx_u64(&mut x80, &mut x81, x74, 0xffffffffffffffff);
1020 let mut x82: u64 = 0;
1021 let mut x83: u64 = 0;
1022 fiat_p224_mulx_u64(&mut x82, &mut x83, x80, 0xffffffff);
1023 let mut x84: u64 = 0;
1024 let mut x85: u64 = 0;
1025 fiat_p224_mulx_u64(&mut x84, &mut x85, x80, 0xffffffffffffffff);
1026 let mut x86: u64 = 0;
1027 let mut x87: u64 = 0;
1028 fiat_p224_mulx_u64(&mut x86, &mut x87, x80, 0xffffffff00000000);
1029 let mut x88: u64 = 0;
1030 let mut x89: fiat_p224_u1 = 0;
1031 fiat_p224_addcarryx_u64(&mut x88, &mut x89, 0x0, x87, x84);
1032 let mut x90: u64 = 0;
1033 let mut x91: fiat_p224_u1 = 0;
1034 fiat_p224_addcarryx_u64(&mut x90, &mut x91, x89, x85, x82);
1035 let mut x92: u64 = 0;
1036 let mut x93: fiat_p224_u1 = 0;
1037 fiat_p224_addcarryx_u64(&mut x92, &mut x93, 0x0, x74, x80);
1038 let mut x94: u64 = 0;
1039 let mut x95: fiat_p224_u1 = 0;
1040 fiat_p224_addcarryx_u64(&mut x94, &mut x95, x93, x76, x86);
1041 let mut x96: u64 = 0;
1042 let mut x97: fiat_p224_u1 = 0;
1043 fiat_p224_addcarryx_u64(&mut x96, &mut x97, x95, x78, x88);
1044 let mut x98: u64 = 0;
1045 let mut x99: fiat_p224_u1 = 0;
1046 fiat_p224_addcarryx_u64(&mut x98, &mut x99, x97, ((x79 as u64) + ((x73 as u64) + ((x65 as u64) + x57))), x90);
1047 let x100: u64 = ((x99 as u64) + ((x91 as u64) + x83));
1048 let mut x101: u64 = 0;
1049 let mut x102: fiat_p224_u1 = 0;
1050 fiat_p224_subborrowx_u64(&mut x101, &mut x102, 0x0, x94, (0x1 as u64));
1051 let mut x103: u64 = 0;
1052 let mut x104: fiat_p224_u1 = 0;
1053 fiat_p224_subborrowx_u64(&mut x103, &mut x104, x102, x96, 0xffffffff00000000);
1054 let mut x105: u64 = 0;
1055 let mut x106: fiat_p224_u1 = 0;
1056 fiat_p224_subborrowx_u64(&mut x105, &mut x106, x104, x98, 0xffffffffffffffff);
1057 let mut x107: u64 = 0;
1058 let mut x108: fiat_p224_u1 = 0;
1059 fiat_p224_subborrowx_u64(&mut x107, &mut x108, x106, x100, 0xffffffff);
1060 let mut x109: u64 = 0;
1061 let mut x110: fiat_p224_u1 = 0;
1062 fiat_p224_subborrowx_u64(&mut x109, &mut x110, x108, (0x0 as u64), (0x0 as u64));
1063 let mut x111: u64 = 0;
1064 fiat_p224_cmovznz_u64(&mut x111, x110, x101, x94);
1065 let mut x112: u64 = 0;
1066 fiat_p224_cmovznz_u64(&mut x112, x110, x103, x96);
1067 let mut x113: u64 = 0;
1068 fiat_p224_cmovznz_u64(&mut x113, x110, x105, x98);
1069 let mut x114: u64 = 0;
1070 fiat_p224_cmovznz_u64(&mut x114, x110, x107, x100);
1071 out1[0] = x111;
1072 out1[1] = x112;
1073 out1[2] = x113;
1074 out1[3] = x114;
1075}
1076
1077/// The function fiat_p224_to_montgomery translates a field element into the Montgomery domain.
1078///
1079/// Preconditions:
1080/// 0 ≤ eval arg1 < m
1081/// Postconditions:
1082/// eval (from_montgomery out1) mod m = eval arg1 mod m
1083/// 0 ≤ eval out1 < m
1084///
1085#[inline]
1086pub fn fiat_p224_to_montgomery(out1: &mut fiat_p224_montgomery_domain_field_element, arg1: &fiat_p224_non_montgomery_domain_field_element) -> () {
1087 let x1: u64 = (arg1[1]);
1088 let x2: u64 = (arg1[2]);
1089 let x3: u64 = (arg1[3]);
1090 let x4: u64 = (arg1[0]);
1091 let mut x5: u64 = 0;
1092 let mut x6: u64 = 0;
1093 fiat_p224_mulx_u64(&mut x5, &mut x6, x4, 0xffffffff);
1094 let mut x7: u64 = 0;
1095 let mut x8: u64 = 0;
1096 fiat_p224_mulx_u64(&mut x7, &mut x8, x4, 0xfffffffe00000000);
1097 let mut x9: u64 = 0;
1098 let mut x10: u64 = 0;
1099 fiat_p224_mulx_u64(&mut x9, &mut x10, x4, 0xffffffff00000000);
1100 let mut x11: u64 = 0;
1101 let mut x12: u64 = 0;
1102 fiat_p224_mulx_u64(&mut x11, &mut x12, x4, 0xffffffff00000001);
1103 let mut x13: u64 = 0;
1104 let mut x14: fiat_p224_u1 = 0;
1105 fiat_p224_addcarryx_u64(&mut x13, &mut x14, 0x0, x12, x9);
1106 let mut x15: u64 = 0;
1107 let mut x16: fiat_p224_u1 = 0;
1108 fiat_p224_addcarryx_u64(&mut x15, &mut x16, x14, x10, x7);
1109 let mut x17: u64 = 0;
1110 let mut x18: fiat_p224_u1 = 0;
1111 fiat_p224_addcarryx_u64(&mut x17, &mut x18, x16, x8, x5);
1112 let mut x19: u64 = 0;
1113 let mut x20: u64 = 0;
1114 fiat_p224_mulx_u64(&mut x19, &mut x20, x11, 0xffffffffffffffff);
1115 let mut x21: u64 = 0;
1116 let mut x22: u64 = 0;
1117 fiat_p224_mulx_u64(&mut x21, &mut x22, x19, 0xffffffff);
1118 let mut x23: u64 = 0;
1119 let mut x24: u64 = 0;
1120 fiat_p224_mulx_u64(&mut x23, &mut x24, x19, 0xffffffffffffffff);
1121 let mut x25: u64 = 0;
1122 let mut x26: u64 = 0;
1123 fiat_p224_mulx_u64(&mut x25, &mut x26, x19, 0xffffffff00000000);
1124 let mut x27: u64 = 0;
1125 let mut x28: fiat_p224_u1 = 0;
1126 fiat_p224_addcarryx_u64(&mut x27, &mut x28, 0x0, x26, x23);
1127 let mut x29: u64 = 0;
1128 let mut x30: fiat_p224_u1 = 0;
1129 fiat_p224_addcarryx_u64(&mut x29, &mut x30, x28, x24, x21);
1130 let mut x31: u64 = 0;
1131 let mut x32: fiat_p224_u1 = 0;
1132 fiat_p224_addcarryx_u64(&mut x31, &mut x32, 0x0, x11, x19);
1133 let mut x33: u64 = 0;
1134 let mut x34: fiat_p224_u1 = 0;
1135 fiat_p224_addcarryx_u64(&mut x33, &mut x34, x32, x13, x25);
1136 let mut x35: u64 = 0;
1137 let mut x36: fiat_p224_u1 = 0;
1138 fiat_p224_addcarryx_u64(&mut x35, &mut x36, x34, x15, x27);
1139 let mut x37: u64 = 0;
1140 let mut x38: fiat_p224_u1 = 0;
1141 fiat_p224_addcarryx_u64(&mut x37, &mut x38, x36, x17, x29);
1142 let mut x39: u64 = 0;
1143 let mut x40: u64 = 0;
1144 fiat_p224_mulx_u64(&mut x39, &mut x40, x1, 0xffffffff);
1145 let mut x41: u64 = 0;
1146 let mut x42: u64 = 0;
1147 fiat_p224_mulx_u64(&mut x41, &mut x42, x1, 0xfffffffe00000000);
1148 let mut x43: u64 = 0;
1149 let mut x44: u64 = 0;
1150 fiat_p224_mulx_u64(&mut x43, &mut x44, x1, 0xffffffff00000000);
1151 let mut x45: u64 = 0;
1152 let mut x46: u64 = 0;
1153 fiat_p224_mulx_u64(&mut x45, &mut x46, x1, 0xffffffff00000001);
1154 let mut x47: u64 = 0;
1155 let mut x48: fiat_p224_u1 = 0;
1156 fiat_p224_addcarryx_u64(&mut x47, &mut x48, 0x0, x46, x43);
1157 let mut x49: u64 = 0;
1158 let mut x50: fiat_p224_u1 = 0;
1159 fiat_p224_addcarryx_u64(&mut x49, &mut x50, x48, x44, x41);
1160 let mut x51: u64 = 0;
1161 let mut x52: fiat_p224_u1 = 0;
1162 fiat_p224_addcarryx_u64(&mut x51, &mut x52, x50, x42, x39);
1163 let mut x53: u64 = 0;
1164 let mut x54: fiat_p224_u1 = 0;
1165 fiat_p224_addcarryx_u64(&mut x53, &mut x54, 0x0, x33, x45);
1166 let mut x55: u64 = 0;
1167 let mut x56: fiat_p224_u1 = 0;
1168 fiat_p224_addcarryx_u64(&mut x55, &mut x56, x54, x35, x47);
1169 let mut x57: u64 = 0;
1170 let mut x58: fiat_p224_u1 = 0;
1171 fiat_p224_addcarryx_u64(&mut x57, &mut x58, x56, x37, x49);
1172 let mut x59: u64 = 0;
1173 let mut x60: fiat_p224_u1 = 0;
1174 fiat_p224_addcarryx_u64(&mut x59, &mut x60, x58, (((x38 as u64) + ((x18 as u64) + x6)) + ((x30 as u64) + x22)), x51);
1175 let mut x61: u64 = 0;
1176 let mut x62: u64 = 0;
1177 fiat_p224_mulx_u64(&mut x61, &mut x62, x53, 0xffffffffffffffff);
1178 let mut x63: u64 = 0;
1179 let mut x64: u64 = 0;
1180 fiat_p224_mulx_u64(&mut x63, &mut x64, x61, 0xffffffff);
1181 let mut x65: u64 = 0;
1182 let mut x66: u64 = 0;
1183 fiat_p224_mulx_u64(&mut x65, &mut x66, x61, 0xffffffffffffffff);
1184 let mut x67: u64 = 0;
1185 let mut x68: u64 = 0;
1186 fiat_p224_mulx_u64(&mut x67, &mut x68, x61, 0xffffffff00000000);
1187 let mut x69: u64 = 0;
1188 let mut x70: fiat_p224_u1 = 0;
1189 fiat_p224_addcarryx_u64(&mut x69, &mut x70, 0x0, x68, x65);
1190 let mut x71: u64 = 0;
1191 let mut x72: fiat_p224_u1 = 0;
1192 fiat_p224_addcarryx_u64(&mut x71, &mut x72, x70, x66, x63);
1193 let mut x73: u64 = 0;
1194 let mut x74: fiat_p224_u1 = 0;
1195 fiat_p224_addcarryx_u64(&mut x73, &mut x74, 0x0, x53, x61);
1196 let mut x75: u64 = 0;
1197 let mut x76: fiat_p224_u1 = 0;
1198 fiat_p224_addcarryx_u64(&mut x75, &mut x76, x74, x55, x67);
1199 let mut x77: u64 = 0;
1200 let mut x78: fiat_p224_u1 = 0;
1201 fiat_p224_addcarryx_u64(&mut x77, &mut x78, x76, x57, x69);
1202 let mut x79: u64 = 0;
1203 let mut x80: fiat_p224_u1 = 0;
1204 fiat_p224_addcarryx_u64(&mut x79, &mut x80, x78, x59, x71);
1205 let mut x81: u64 = 0;
1206 let mut x82: u64 = 0;
1207 fiat_p224_mulx_u64(&mut x81, &mut x82, x2, 0xffffffff);
1208 let mut x83: u64 = 0;
1209 let mut x84: u64 = 0;
1210 fiat_p224_mulx_u64(&mut x83, &mut x84, x2, 0xfffffffe00000000);
1211 let mut x85: u64 = 0;
1212 let mut x86: u64 = 0;
1213 fiat_p224_mulx_u64(&mut x85, &mut x86, x2, 0xffffffff00000000);
1214 let mut x87: u64 = 0;
1215 let mut x88: u64 = 0;
1216 fiat_p224_mulx_u64(&mut x87, &mut x88, x2, 0xffffffff00000001);
1217 let mut x89: u64 = 0;
1218 let mut x90: fiat_p224_u1 = 0;
1219 fiat_p224_addcarryx_u64(&mut x89, &mut x90, 0x0, x88, x85);
1220 let mut x91: u64 = 0;
1221 let mut x92: fiat_p224_u1 = 0;
1222 fiat_p224_addcarryx_u64(&mut x91, &mut x92, x90, x86, x83);
1223 let mut x93: u64 = 0;
1224 let mut x94: fiat_p224_u1 = 0;
1225 fiat_p224_addcarryx_u64(&mut x93, &mut x94, x92, x84, x81);
1226 let mut x95: u64 = 0;
1227 let mut x96: fiat_p224_u1 = 0;
1228 fiat_p224_addcarryx_u64(&mut x95, &mut x96, 0x0, x75, x87);
1229 let mut x97: u64 = 0;
1230 let mut x98: fiat_p224_u1 = 0;
1231 fiat_p224_addcarryx_u64(&mut x97, &mut x98, x96, x77, x89);
1232 let mut x99: u64 = 0;
1233 let mut x100: fiat_p224_u1 = 0;
1234 fiat_p224_addcarryx_u64(&mut x99, &mut x100, x98, x79, x91);
1235 let mut x101: u64 = 0;
1236 let mut x102: fiat_p224_u1 = 0;
1237 fiat_p224_addcarryx_u64(&mut x101, &mut x102, x100, (((x80 as u64) + ((x60 as u64) + ((x52 as u64) + x40))) + ((x72 as u64) + x64)), x93);
1238 let mut x103: u64 = 0;
1239 let mut x104: u64 = 0;
1240 fiat_p224_mulx_u64(&mut x103, &mut x104, x95, 0xffffffffffffffff);
1241 let mut x105: u64 = 0;
1242 let mut x106: u64 = 0;
1243 fiat_p224_mulx_u64(&mut x105, &mut x106, x103, 0xffffffff);
1244 let mut x107: u64 = 0;
1245 let mut x108: u64 = 0;
1246 fiat_p224_mulx_u64(&mut x107, &mut x108, x103, 0xffffffffffffffff);
1247 let mut x109: u64 = 0;
1248 let mut x110: u64 = 0;
1249 fiat_p224_mulx_u64(&mut x109, &mut x110, x103, 0xffffffff00000000);
1250 let mut x111: u64 = 0;
1251 let mut x112: fiat_p224_u1 = 0;
1252 fiat_p224_addcarryx_u64(&mut x111, &mut x112, 0x0, x110, x107);
1253 let mut x113: u64 = 0;
1254 let mut x114: fiat_p224_u1 = 0;
1255 fiat_p224_addcarryx_u64(&mut x113, &mut x114, x112, x108, x105);
1256 let mut x115: u64 = 0;
1257 let mut x116: fiat_p224_u1 = 0;
1258 fiat_p224_addcarryx_u64(&mut x115, &mut x116, 0x0, x95, x103);
1259 let mut x117: u64 = 0;
1260 let mut x118: fiat_p224_u1 = 0;
1261 fiat_p224_addcarryx_u64(&mut x117, &mut x118, x116, x97, x109);
1262 let mut x119: u64 = 0;
1263 let mut x120: fiat_p224_u1 = 0;
1264 fiat_p224_addcarryx_u64(&mut x119, &mut x120, x118, x99, x111);
1265 let mut x121: u64 = 0;
1266 let mut x122: fiat_p224_u1 = 0;
1267 fiat_p224_addcarryx_u64(&mut x121, &mut x122, x120, x101, x113);
1268 let mut x123: u64 = 0;
1269 let mut x124: u64 = 0;
1270 fiat_p224_mulx_u64(&mut x123, &mut x124, x3, 0xffffffff);
1271 let mut x125: u64 = 0;
1272 let mut x126: u64 = 0;
1273 fiat_p224_mulx_u64(&mut x125, &mut x126, x3, 0xfffffffe00000000);
1274 let mut x127: u64 = 0;
1275 let mut x128: u64 = 0;
1276 fiat_p224_mulx_u64(&mut x127, &mut x128, x3, 0xffffffff00000000);
1277 let mut x129: u64 = 0;
1278 let mut x130: u64 = 0;
1279 fiat_p224_mulx_u64(&mut x129, &mut x130, x3, 0xffffffff00000001);
1280 let mut x131: u64 = 0;
1281 let mut x132: fiat_p224_u1 = 0;
1282 fiat_p224_addcarryx_u64(&mut x131, &mut x132, 0x0, x130, x127);
1283 let mut x133: u64 = 0;
1284 let mut x134: fiat_p224_u1 = 0;
1285 fiat_p224_addcarryx_u64(&mut x133, &mut x134, x132, x128, x125);
1286 let mut x135: u64 = 0;
1287 let mut x136: fiat_p224_u1 = 0;
1288 fiat_p224_addcarryx_u64(&mut x135, &mut x136, x134, x126, x123);
1289 let mut x137: u64 = 0;
1290 let mut x138: fiat_p224_u1 = 0;
1291 fiat_p224_addcarryx_u64(&mut x137, &mut x138, 0x0, x117, x129);
1292 let mut x139: u64 = 0;
1293 let mut x140: fiat_p224_u1 = 0;
1294 fiat_p224_addcarryx_u64(&mut x139, &mut x140, x138, x119, x131);
1295 let mut x141: u64 = 0;
1296 let mut x142: fiat_p224_u1 = 0;
1297 fiat_p224_addcarryx_u64(&mut x141, &mut x142, x140, x121, x133);
1298 let mut x143: u64 = 0;
1299 let mut x144: fiat_p224_u1 = 0;
1300 fiat_p224_addcarryx_u64(&mut x143, &mut x144, x142, (((x122 as u64) + ((x102 as u64) + ((x94 as u64) + x82))) + ((x114 as u64) + x106)), x135);
1301 let mut x145: u64 = 0;
1302 let mut x146: u64 = 0;
1303 fiat_p224_mulx_u64(&mut x145, &mut x146, x137, 0xffffffffffffffff);
1304 let mut x147: u64 = 0;
1305 let mut x148: u64 = 0;
1306 fiat_p224_mulx_u64(&mut x147, &mut x148, x145, 0xffffffff);
1307 let mut x149: u64 = 0;
1308 let mut x150: u64 = 0;
1309 fiat_p224_mulx_u64(&mut x149, &mut x150, x145, 0xffffffffffffffff);
1310 let mut x151: u64 = 0;
1311 let mut x152: u64 = 0;
1312 fiat_p224_mulx_u64(&mut x151, &mut x152, x145, 0xffffffff00000000);
1313 let mut x153: u64 = 0;
1314 let mut x154: fiat_p224_u1 = 0;
1315 fiat_p224_addcarryx_u64(&mut x153, &mut x154, 0x0, x152, x149);
1316 let mut x155: u64 = 0;
1317 let mut x156: fiat_p224_u1 = 0;
1318 fiat_p224_addcarryx_u64(&mut x155, &mut x156, x154, x150, x147);
1319 let mut x157: u64 = 0;
1320 let mut x158: fiat_p224_u1 = 0;
1321 fiat_p224_addcarryx_u64(&mut x157, &mut x158, 0x0, x137, x145);
1322 let mut x159: u64 = 0;
1323 let mut x160: fiat_p224_u1 = 0;
1324 fiat_p224_addcarryx_u64(&mut x159, &mut x160, x158, x139, x151);
1325 let mut x161: u64 = 0;
1326 let mut x162: fiat_p224_u1 = 0;
1327 fiat_p224_addcarryx_u64(&mut x161, &mut x162, x160, x141, x153);
1328 let mut x163: u64 = 0;
1329 let mut x164: fiat_p224_u1 = 0;
1330 fiat_p224_addcarryx_u64(&mut x163, &mut x164, x162, x143, x155);
1331 let x165: u64 = (((x164 as u64) + ((x144 as u64) + ((x136 as u64) + x124))) + ((x156 as u64) + x148));
1332 let mut x166: u64 = 0;
1333 let mut x167: fiat_p224_u1 = 0;
1334 fiat_p224_subborrowx_u64(&mut x166, &mut x167, 0x0, x159, (0x1 as u64));
1335 let mut x168: u64 = 0;
1336 let mut x169: fiat_p224_u1 = 0;
1337 fiat_p224_subborrowx_u64(&mut x168, &mut x169, x167, x161, 0xffffffff00000000);
1338 let mut x170: u64 = 0;
1339 let mut x171: fiat_p224_u1 = 0;
1340 fiat_p224_subborrowx_u64(&mut x170, &mut x171, x169, x163, 0xffffffffffffffff);
1341 let mut x172: u64 = 0;
1342 let mut x173: fiat_p224_u1 = 0;
1343 fiat_p224_subborrowx_u64(&mut x172, &mut x173, x171, x165, 0xffffffff);
1344 let mut x174: u64 = 0;
1345 let mut x175: fiat_p224_u1 = 0;
1346 fiat_p224_subborrowx_u64(&mut x174, &mut x175, x173, (0x0 as u64), (0x0 as u64));
1347 let mut x176: u64 = 0;
1348 fiat_p224_cmovznz_u64(&mut x176, x175, x166, x159);
1349 let mut x177: u64 = 0;
1350 fiat_p224_cmovznz_u64(&mut x177, x175, x168, x161);
1351 let mut x178: u64 = 0;
1352 fiat_p224_cmovznz_u64(&mut x178, x175, x170, x163);
1353 let mut x179: u64 = 0;
1354 fiat_p224_cmovznz_u64(&mut x179, x175, x172, x165);
1355 out1[0] = x176;
1356 out1[1] = x177;
1357 out1[2] = x178;
1358 out1[3] = x179;
1359}
1360
1361/// The function fiat_p224_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.
1362///
1363/// Preconditions:
1364/// 0 ≤ eval arg1 < m
1365/// Postconditions:
1366/// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0
1367///
1368/// Input Bounds:
1369/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1370/// Output Bounds:
1371/// out1: [0x0 ~> 0xffffffffffffffff]
1372#[inline]
1373pub fn fiat_p224_nonzero(out1: &mut u64, arg1: &[u64; 4]) -> () {
1374 let x1: u64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3]))));
1375 *out1 = x1;
1376}
1377
1378/// The function fiat_p224_selectznz is a multi-limb conditional select.
1379///
1380/// Postconditions:
1381/// out1 = (if arg1 = 0 then arg2 else arg3)
1382///
1383/// Input Bounds:
1384/// arg1: [0x0 ~> 0x1]
1385/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1386/// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1387/// Output Bounds:
1388/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1389#[inline]
1390pub fn fiat_p224_selectznz(out1: &mut [u64; 4], arg1: fiat_p224_u1, arg2: &[u64; 4], arg3: &[u64; 4]) -> () {
1391 let mut x1: u64 = 0;
1392 fiat_p224_cmovznz_u64(&mut x1, arg1, (arg2[0]), (arg3[0]));
1393 let mut x2: u64 = 0;
1394 fiat_p224_cmovznz_u64(&mut x2, arg1, (arg2[1]), (arg3[1]));
1395 let mut x3: u64 = 0;
1396 fiat_p224_cmovznz_u64(&mut x3, arg1, (arg2[2]), (arg3[2]));
1397 let mut x4: u64 = 0;
1398 fiat_p224_cmovznz_u64(&mut x4, arg1, (arg2[3]), (arg3[3]));
1399 out1[0] = x1;
1400 out1[1] = x2;
1401 out1[2] = x3;
1402 out1[3] = x4;
1403}
1404
1405/// The function fiat_p224_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.
1406///
1407/// Preconditions:
1408/// 0 ≤ eval arg1 < m
1409/// Postconditions:
1410/// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..27]
1411///
1412/// Input Bounds:
1413/// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]]
1414/// Output Bounds:
1415/// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]
1416#[inline]
1417pub fn fiat_p224_to_bytes(out1: &mut [u8; 28], arg1: &[u64; 4]) -> () {
1418 let x1: u64 = (arg1[3]);
1419 let x2: u64 = (arg1[2]);
1420 let x3: u64 = (arg1[1]);
1421 let x4: u64 = (arg1[0]);
1422 let x5: u8 = ((x4 & (0xff as u64)) as u8);
1423 let x6: u64 = (x4 >> 8);
1424 let x7: u8 = ((x6 & (0xff as u64)) as u8);
1425 let x8: u64 = (x6 >> 8);
1426 let x9: u8 = ((x8 & (0xff as u64)) as u8);
1427 let x10: u64 = (x8 >> 8);
1428 let x11: u8 = ((x10 & (0xff as u64)) as u8);
1429 let x12: u64 = (x10 >> 8);
1430 let x13: u8 = ((x12 & (0xff as u64)) as u8);
1431 let x14: u64 = (x12 >> 8);
1432 let x15: u8 = ((x14 & (0xff as u64)) as u8);
1433 let x16: u64 = (x14 >> 8);
1434 let x17: u8 = ((x16 & (0xff as u64)) as u8);
1435 let x18: u8 = ((x16 >> 8) as u8);
1436 let x19: u8 = ((x3 & (0xff as u64)) as u8);
1437 let x20: u64 = (x3 >> 8);
1438 let x21: u8 = ((x20 & (0xff as u64)) as u8);
1439 let x22: u64 = (x20 >> 8);
1440 let x23: u8 = ((x22 & (0xff as u64)) as u8);
1441 let x24: u64 = (x22 >> 8);
1442 let x25: u8 = ((x24 & (0xff as u64)) as u8);
1443 let x26: u64 = (x24 >> 8);
1444 let x27: u8 = ((x26 & (0xff as u64)) as u8);
1445 let x28: u64 = (x26 >> 8);
1446 let x29: u8 = ((x28 & (0xff as u64)) as u8);
1447 let x30: u64 = (x28 >> 8);
1448 let x31: u8 = ((x30 & (0xff as u64)) as u8);
1449 let x32: u8 = ((x30 >> 8) as u8);
1450 let x33: u8 = ((x2 & (0xff as u64)) as u8);
1451 let x34: u64 = (x2 >> 8);
1452 let x35: u8 = ((x34 & (0xff as u64)) as u8);
1453 let x36: u64 = (x34 >> 8);
1454 let x37: u8 = ((x36 & (0xff as u64)) as u8);
1455 let x38: u64 = (x36 >> 8);
1456 let x39: u8 = ((x38 & (0xff as u64)) as u8);
1457 let x40: u64 = (x38 >> 8);
1458 let x41: u8 = ((x40 & (0xff as u64)) as u8);
1459 let x42: u64 = (x40 >> 8);
1460 let x43: u8 = ((x42 & (0xff as u64)) as u8);
1461 let x44: u64 = (x42 >> 8);
1462 let x45: u8 = ((x44 & (0xff as u64)) as u8);
1463 let x46: u8 = ((x44 >> 8) as u8);
1464 let x47: u8 = ((x1 & (0xff as u64)) as u8);
1465 let x48: u64 = (x1 >> 8);
1466 let x49: u8 = ((x48 & (0xff as u64)) as u8);
1467 let x50: u64 = (x48 >> 8);
1468 let x51: u8 = ((x50 & (0xff as u64)) as u8);
1469 let x52: u8 = ((x50 >> 8) as u8);
1470 out1[0] = x5;
1471 out1[1] = x7;
1472 out1[2] = x9;
1473 out1[3] = x11;
1474 out1[4] = x13;
1475 out1[5] = x15;
1476 out1[6] = x17;
1477 out1[7] = x18;
1478 out1[8] = x19;
1479 out1[9] = x21;
1480 out1[10] = x23;
1481 out1[11] = x25;
1482 out1[12] = x27;
1483 out1[13] = x29;
1484 out1[14] = x31;
1485 out1[15] = x32;
1486 out1[16] = x33;
1487 out1[17] = x35;
1488 out1[18] = x37;
1489 out1[19] = x39;
1490 out1[20] = x41;
1491 out1[21] = x43;
1492 out1[22] = x45;
1493 out1[23] = x46;
1494 out1[24] = x47;
1495 out1[25] = x49;
1496 out1[26] = x51;
1497 out1[27] = x52;
1498}
1499
1500/// The function fiat_p224_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.
1501///
1502/// Preconditions:
1503/// 0 ≤ bytes_eval arg1 < m
1504/// Postconditions:
1505/// eval out1 mod m = bytes_eval arg1 mod m
1506/// 0 ≤ eval out1 < m
1507///
1508/// Input Bounds:
1509/// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]
1510/// Output Bounds:
1511/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]]
1512#[inline]
1513pub fn fiat_p224_from_bytes(out1: &mut [u64; 4], arg1: &[u8; 28]) -> () {
1514 let x1: u64 = (((arg1[27]) as u64) << 24);
1515 let x2: u64 = (((arg1[26]) as u64) << 16);
1516 let x3: u64 = (((arg1[25]) as u64) << 8);
1517 let x4: u8 = (arg1[24]);
1518 let x5: u64 = (((arg1[23]) as u64) << 56);
1519 let x6: u64 = (((arg1[22]) as u64) << 48);
1520 let x7: u64 = (((arg1[21]) as u64) << 40);
1521 let x8: u64 = (((arg1[20]) as u64) << 32);
1522 let x9: u64 = (((arg1[19]) as u64) << 24);
1523 let x10: u64 = (((arg1[18]) as u64) << 16);
1524 let x11: u64 = (((arg1[17]) as u64) << 8);
1525 let x12: u8 = (arg1[16]);
1526 let x13: u64 = (((arg1[15]) as u64) << 56);
1527 let x14: u64 = (((arg1[14]) as u64) << 48);
1528 let x15: u64 = (((arg1[13]) as u64) << 40);
1529 let x16: u64 = (((arg1[12]) as u64) << 32);
1530 let x17: u64 = (((arg1[11]) as u64) << 24);
1531 let x18: u64 = (((arg1[10]) as u64) << 16);
1532 let x19: u64 = (((arg1[9]) as u64) << 8);
1533 let x20: u8 = (arg1[8]);
1534 let x21: u64 = (((arg1[7]) as u64) << 56);
1535 let x22: u64 = (((arg1[6]) as u64) << 48);
1536 let x23: u64 = (((arg1[5]) as u64) << 40);
1537 let x24: u64 = (((arg1[4]) as u64) << 32);
1538 let x25: u64 = (((arg1[3]) as u64) << 24);
1539 let x26: u64 = (((arg1[2]) as u64) << 16);
1540 let x27: u64 = (((arg1[1]) as u64) << 8);
1541 let x28: u8 = (arg1[0]);
1542 let x29: u64 = (x27 + (x28 as u64));
1543 let x30: u64 = (x26 + x29);
1544 let x31: u64 = (x25 + x30);
1545 let x32: u64 = (x24 + x31);
1546 let x33: u64 = (x23 + x32);
1547 let x34: u64 = (x22 + x33);
1548 let x35: u64 = (x21 + x34);
1549 let x36: u64 = (x19 + (x20 as u64));
1550 let x37: u64 = (x18 + x36);
1551 let x38: u64 = (x17 + x37);
1552 let x39: u64 = (x16 + x38);
1553 let x40: u64 = (x15 + x39);
1554 let x41: u64 = (x14 + x40);
1555 let x42: u64 = (x13 + x41);
1556 let x43: u64 = (x11 + (x12 as u64));
1557 let x44: u64 = (x10 + x43);
1558 let x45: u64 = (x9 + x44);
1559 let x46: u64 = (x8 + x45);
1560 let x47: u64 = (x7 + x46);
1561 let x48: u64 = (x6 + x47);
1562 let x49: u64 = (x5 + x48);
1563 let x50: u64 = (x3 + (x4 as u64));
1564 let x51: u64 = (x2 + x50);
1565 let x52: u64 = (x1 + x51);
1566 out1[0] = x35;
1567 out1[1] = x42;
1568 out1[2] = x49;
1569 out1[3] = x52;
1570}
1571
1572/// The function fiat_p224_set_one returns the field element one in the Montgomery domain.
1573///
1574/// Postconditions:
1575/// eval (from_montgomery out1) mod m = 1 mod m
1576/// 0 ≤ eval out1 < m
1577///
1578#[inline]
1579pub fn fiat_p224_set_one(out1: &mut fiat_p224_montgomery_domain_field_element) -> () {
1580 out1[0] = 0xffffffff00000000;
1581 out1[1] = 0xffffffffffffffff;
1582 out1[2] = (0x0 as u64);
1583 out1[3] = (0x0 as u64);
1584}
1585
1586/// The function fiat_p224_msat returns the saturated representation of the prime modulus.
1587///
1588/// Postconditions:
1589/// twos_complement_eval out1 = m
1590/// 0 ≤ eval out1 < m
1591///
1592/// Output Bounds:
1593/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1594#[inline]
1595pub fn fiat_p224_msat(out1: &mut [u64; 5]) -> () {
1596 out1[0] = (0x1 as u64);
1597 out1[1] = 0xffffffff00000000;
1598 out1[2] = 0xffffffffffffffff;
1599 out1[3] = 0xffffffff;
1600 out1[4] = (0x0 as u64);
1601}
1602
1603/// The function fiat_p224_divstep computes a divstep.
1604///
1605/// Preconditions:
1606/// 0 ≤ eval arg4 < m
1607/// 0 ≤ eval arg5 < m
1608/// Postconditions:
1609/// out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)
1610/// twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)
1611/// twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋)
1612/// eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)
1613/// eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)
1614/// 0 ≤ eval out5 < m
1615/// 0 ≤ eval out5 < m
1616/// 0 ≤ eval out2 < m
1617/// 0 ≤ eval out3 < m
1618///
1619/// Input Bounds:
1620/// arg1: [0x0 ~> 0xffffffffffffffff]
1621/// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1622/// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1623/// arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1624/// arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1625/// Output Bounds:
1626/// out1: [0x0 ~> 0xffffffffffffffff]
1627/// out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1628/// out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1629/// out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1630/// out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1631#[inline]
1632pub fn fiat_p224_divstep(out1: &mut u64, out2: &mut [u64; 5], out3: &mut [u64; 5], out4: &mut [u64; 4], out5: &mut [u64; 4], arg1: u64, arg2: &[u64; 5], arg3: &[u64; 5], arg4: &[u64; 4], arg5: &[u64; 4]) -> () {
1633 let mut x1: u64 = 0;
1634 let mut x2: fiat_p224_u1 = 0;
1635 fiat_p224_addcarryx_u64(&mut x1, &mut x2, 0x0, (!arg1), (0x1 as u64));
1636 let x3: fiat_p224_u1 = (((x1 >> 63) as fiat_p224_u1) & (((arg3[0]) & (0x1 as u64)) as fiat_p224_u1));
1637 let mut x4: u64 = 0;
1638 let mut x5: fiat_p224_u1 = 0;
1639 fiat_p224_addcarryx_u64(&mut x4, &mut x5, 0x0, (!arg1), (0x1 as u64));
1640 let mut x6: u64 = 0;
1641 fiat_p224_cmovznz_u64(&mut x6, x3, arg1, x4);
1642 let mut x7: u64 = 0;
1643 fiat_p224_cmovznz_u64(&mut x7, x3, (arg2[0]), (arg3[0]));
1644 let mut x8: u64 = 0;
1645 fiat_p224_cmovznz_u64(&mut x8, x3, (arg2[1]), (arg3[1]));
1646 let mut x9: u64 = 0;
1647 fiat_p224_cmovznz_u64(&mut x9, x3, (arg2[2]), (arg3[2]));
1648 let mut x10: u64 = 0;
1649 fiat_p224_cmovznz_u64(&mut x10, x3, (arg2[3]), (arg3[3]));
1650 let mut x11: u64 = 0;
1651 fiat_p224_cmovznz_u64(&mut x11, x3, (arg2[4]), (arg3[4]));
1652 let mut x12: u64 = 0;
1653 let mut x13: fiat_p224_u1 = 0;
1654 fiat_p224_addcarryx_u64(&mut x12, &mut x13, 0x0, (0x1 as u64), (!(arg2[0])));
1655 let mut x14: u64 = 0;
1656 let mut x15: fiat_p224_u1 = 0;
1657 fiat_p224_addcarryx_u64(&mut x14, &mut x15, x13, (0x0 as u64), (!(arg2[1])));
1658 let mut x16: u64 = 0;
1659 let mut x17: fiat_p224_u1 = 0;
1660 fiat_p224_addcarryx_u64(&mut x16, &mut x17, x15, (0x0 as u64), (!(arg2[2])));
1661 let mut x18: u64 = 0;
1662 let mut x19: fiat_p224_u1 = 0;
1663 fiat_p224_addcarryx_u64(&mut x18, &mut x19, x17, (0x0 as u64), (!(arg2[3])));
1664 let mut x20: u64 = 0;
1665 let mut x21: fiat_p224_u1 = 0;
1666 fiat_p224_addcarryx_u64(&mut x20, &mut x21, x19, (0x0 as u64), (!(arg2[4])));
1667 let mut x22: u64 = 0;
1668 fiat_p224_cmovznz_u64(&mut x22, x3, (arg3[0]), x12);
1669 let mut x23: u64 = 0;
1670 fiat_p224_cmovznz_u64(&mut x23, x3, (arg3[1]), x14);
1671 let mut x24: u64 = 0;
1672 fiat_p224_cmovznz_u64(&mut x24, x3, (arg3[2]), x16);
1673 let mut x25: u64 = 0;
1674 fiat_p224_cmovznz_u64(&mut x25, x3, (arg3[3]), x18);
1675 let mut x26: u64 = 0;
1676 fiat_p224_cmovznz_u64(&mut x26, x3, (arg3[4]), x20);
1677 let mut x27: u64 = 0;
1678 fiat_p224_cmovznz_u64(&mut x27, x3, (arg4[0]), (arg5[0]));
1679 let mut x28: u64 = 0;
1680 fiat_p224_cmovznz_u64(&mut x28, x3, (arg4[1]), (arg5[1]));
1681 let mut x29: u64 = 0;
1682 fiat_p224_cmovznz_u64(&mut x29, x3, (arg4[2]), (arg5[2]));
1683 let mut x30: u64 = 0;
1684 fiat_p224_cmovznz_u64(&mut x30, x3, (arg4[3]), (arg5[3]));
1685 let mut x31: u64 = 0;
1686 let mut x32: fiat_p224_u1 = 0;
1687 fiat_p224_addcarryx_u64(&mut x31, &mut x32, 0x0, x27, x27);
1688 let mut x33: u64 = 0;
1689 let mut x34: fiat_p224_u1 = 0;
1690 fiat_p224_addcarryx_u64(&mut x33, &mut x34, x32, x28, x28);
1691 let mut x35: u64 = 0;
1692 let mut x36: fiat_p224_u1 = 0;
1693 fiat_p224_addcarryx_u64(&mut x35, &mut x36, x34, x29, x29);
1694 let mut x37: u64 = 0;
1695 let mut x38: fiat_p224_u1 = 0;
1696 fiat_p224_addcarryx_u64(&mut x37, &mut x38, x36, x30, x30);
1697 let mut x39: u64 = 0;
1698 let mut x40: fiat_p224_u1 = 0;
1699 fiat_p224_subborrowx_u64(&mut x39, &mut x40, 0x0, x31, (0x1 as u64));
1700 let mut x41: u64 = 0;
1701 let mut x42: fiat_p224_u1 = 0;
1702 fiat_p224_subborrowx_u64(&mut x41, &mut x42, x40, x33, 0xffffffff00000000);
1703 let mut x43: u64 = 0;
1704 let mut x44: fiat_p224_u1 = 0;
1705 fiat_p224_subborrowx_u64(&mut x43, &mut x44, x42, x35, 0xffffffffffffffff);
1706 let mut x45: u64 = 0;
1707 let mut x46: fiat_p224_u1 = 0;
1708 fiat_p224_subborrowx_u64(&mut x45, &mut x46, x44, x37, 0xffffffff);
1709 let mut x47: u64 = 0;
1710 let mut x48: fiat_p224_u1 = 0;
1711 fiat_p224_subborrowx_u64(&mut x47, &mut x48, x46, (x38 as u64), (0x0 as u64));
1712 let x49: u64 = (arg4[3]);
1713 let x50: u64 = (arg4[2]);
1714 let x51: u64 = (arg4[1]);
1715 let x52: u64 = (arg4[0]);
1716 let mut x53: u64 = 0;
1717 let mut x54: fiat_p224_u1 = 0;
1718 fiat_p224_subborrowx_u64(&mut x53, &mut x54, 0x0, (0x0 as u64), x52);
1719 let mut x55: u64 = 0;
1720 let mut x56: fiat_p224_u1 = 0;
1721 fiat_p224_subborrowx_u64(&mut x55, &mut x56, x54, (0x0 as u64), x51);
1722 let mut x57: u64 = 0;
1723 let mut x58: fiat_p224_u1 = 0;
1724 fiat_p224_subborrowx_u64(&mut x57, &mut x58, x56, (0x0 as u64), x50);
1725 let mut x59: u64 = 0;
1726 let mut x60: fiat_p224_u1 = 0;
1727 fiat_p224_subborrowx_u64(&mut x59, &mut x60, x58, (0x0 as u64), x49);
1728 let mut x61: u64 = 0;
1729 fiat_p224_cmovznz_u64(&mut x61, x60, (0x0 as u64), 0xffffffffffffffff);
1730 let mut x62: u64 = 0;
1731 let mut x63: fiat_p224_u1 = 0;
1732 fiat_p224_addcarryx_u64(&mut x62, &mut x63, 0x0, x53, (((x61 & (0x1 as u64)) as fiat_p224_u1) as u64));
1733 let mut x64: u64 = 0;
1734 let mut x65: fiat_p224_u1 = 0;
1735 fiat_p224_addcarryx_u64(&mut x64, &mut x65, x63, x55, (x61 & 0xffffffff00000000));
1736 let mut x66: u64 = 0;
1737 let mut x67: fiat_p224_u1 = 0;
1738 fiat_p224_addcarryx_u64(&mut x66, &mut x67, x65, x57, x61);
1739 let mut x68: u64 = 0;
1740 let mut x69: fiat_p224_u1 = 0;
1741 fiat_p224_addcarryx_u64(&mut x68, &mut x69, x67, x59, (x61 & 0xffffffff));
1742 let mut x70: u64 = 0;
1743 fiat_p224_cmovznz_u64(&mut x70, x3, (arg5[0]), x62);
1744 let mut x71: u64 = 0;
1745 fiat_p224_cmovznz_u64(&mut x71, x3, (arg5[1]), x64);
1746 let mut x72: u64 = 0;
1747 fiat_p224_cmovznz_u64(&mut x72, x3, (arg5[2]), x66);
1748 let mut x73: u64 = 0;
1749 fiat_p224_cmovznz_u64(&mut x73, x3, (arg5[3]), x68);
1750 let x74: fiat_p224_u1 = ((x22 & (0x1 as u64)) as fiat_p224_u1);
1751 let mut x75: u64 = 0;
1752 fiat_p224_cmovznz_u64(&mut x75, x74, (0x0 as u64), x7);
1753 let mut x76: u64 = 0;
1754 fiat_p224_cmovznz_u64(&mut x76, x74, (0x0 as u64), x8);
1755 let mut x77: u64 = 0;
1756 fiat_p224_cmovznz_u64(&mut x77, x74, (0x0 as u64), x9);
1757 let mut x78: u64 = 0;
1758 fiat_p224_cmovznz_u64(&mut x78, x74, (0x0 as u64), x10);
1759 let mut x79: u64 = 0;
1760 fiat_p224_cmovznz_u64(&mut x79, x74, (0x0 as u64), x11);
1761 let mut x80: u64 = 0;
1762 let mut x81: fiat_p224_u1 = 0;
1763 fiat_p224_addcarryx_u64(&mut x80, &mut x81, 0x0, x22, x75);
1764 let mut x82: u64 = 0;
1765 let mut x83: fiat_p224_u1 = 0;
1766 fiat_p224_addcarryx_u64(&mut x82, &mut x83, x81, x23, x76);
1767 let mut x84: u64 = 0;
1768 let mut x85: fiat_p224_u1 = 0;
1769 fiat_p224_addcarryx_u64(&mut x84, &mut x85, x83, x24, x77);
1770 let mut x86: u64 = 0;
1771 let mut x87: fiat_p224_u1 = 0;
1772 fiat_p224_addcarryx_u64(&mut x86, &mut x87, x85, x25, x78);
1773 let mut x88: u64 = 0;
1774 let mut x89: fiat_p224_u1 = 0;
1775 fiat_p224_addcarryx_u64(&mut x88, &mut x89, x87, x26, x79);
1776 let mut x90: u64 = 0;
1777 fiat_p224_cmovznz_u64(&mut x90, x74, (0x0 as u64), x27);
1778 let mut x91: u64 = 0;
1779 fiat_p224_cmovznz_u64(&mut x91, x74, (0x0 as u64), x28);
1780 let mut x92: u64 = 0;
1781 fiat_p224_cmovznz_u64(&mut x92, x74, (0x0 as u64), x29);
1782 let mut x93: u64 = 0;
1783 fiat_p224_cmovznz_u64(&mut x93, x74, (0x0 as u64), x30);
1784 let mut x94: u64 = 0;
1785 let mut x95: fiat_p224_u1 = 0;
1786 fiat_p224_addcarryx_u64(&mut x94, &mut x95, 0x0, x70, x90);
1787 let mut x96: u64 = 0;
1788 let mut x97: fiat_p224_u1 = 0;
1789 fiat_p224_addcarryx_u64(&mut x96, &mut x97, x95, x71, x91);
1790 let mut x98: u64 = 0;
1791 let mut x99: fiat_p224_u1 = 0;
1792 fiat_p224_addcarryx_u64(&mut x98, &mut x99, x97, x72, x92);
1793 let mut x100: u64 = 0;
1794 let mut x101: fiat_p224_u1 = 0;
1795 fiat_p224_addcarryx_u64(&mut x100, &mut x101, x99, x73, x93);
1796 let mut x102: u64 = 0;
1797 let mut x103: fiat_p224_u1 = 0;
1798 fiat_p224_subborrowx_u64(&mut x102, &mut x103, 0x0, x94, (0x1 as u64));
1799 let mut x104: u64 = 0;
1800 let mut x105: fiat_p224_u1 = 0;
1801 fiat_p224_subborrowx_u64(&mut x104, &mut x105, x103, x96, 0xffffffff00000000);
1802 let mut x106: u64 = 0;
1803 let mut x107: fiat_p224_u1 = 0;
1804 fiat_p224_subborrowx_u64(&mut x106, &mut x107, x105, x98, 0xffffffffffffffff);
1805 let mut x108: u64 = 0;
1806 let mut x109: fiat_p224_u1 = 0;
1807 fiat_p224_subborrowx_u64(&mut x108, &mut x109, x107, x100, 0xffffffff);
1808 let mut x110: u64 = 0;
1809 let mut x111: fiat_p224_u1 = 0;
1810 fiat_p224_subborrowx_u64(&mut x110, &mut x111, x109, (x101 as u64), (0x0 as u64));
1811 let mut x112: u64 = 0;
1812 let mut x113: fiat_p224_u1 = 0;
1813 fiat_p224_addcarryx_u64(&mut x112, &mut x113, 0x0, x6, (0x1 as u64));
1814 let x114: u64 = ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff));
1815 let x115: u64 = ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff));
1816 let x116: u64 = ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff));
1817 let x117: u64 = ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff));
1818 let x118: u64 = ((x88 & 0x8000000000000000) | (x88 >> 1));
1819 let mut x119: u64 = 0;
1820 fiat_p224_cmovznz_u64(&mut x119, x48, x39, x31);
1821 let mut x120: u64 = 0;
1822 fiat_p224_cmovznz_u64(&mut x120, x48, x41, x33);
1823 let mut x121: u64 = 0;
1824 fiat_p224_cmovznz_u64(&mut x121, x48, x43, x35);
1825 let mut x122: u64 = 0;
1826 fiat_p224_cmovznz_u64(&mut x122, x48, x45, x37);
1827 let mut x123: u64 = 0;
1828 fiat_p224_cmovznz_u64(&mut x123, x111, x102, x94);
1829 let mut x124: u64 = 0;
1830 fiat_p224_cmovznz_u64(&mut x124, x111, x104, x96);
1831 let mut x125: u64 = 0;
1832 fiat_p224_cmovznz_u64(&mut x125, x111, x106, x98);
1833 let mut x126: u64 = 0;
1834 fiat_p224_cmovznz_u64(&mut x126, x111, x108, x100);
1835 *out1 = x112;
1836 out2[0] = x7;
1837 out2[1] = x8;
1838 out2[2] = x9;
1839 out2[3] = x10;
1840 out2[4] = x11;
1841 out3[0] = x114;
1842 out3[1] = x115;
1843 out3[2] = x116;
1844 out3[3] = x117;
1845 out3[4] = x118;
1846 out4[0] = x119;
1847 out4[1] = x120;
1848 out4[2] = x121;
1849 out4[3] = x122;
1850 out5[0] = x123;
1851 out5[1] = x124;
1852 out5[2] = x125;
1853 out5[3] = x126;
1854}
1855
1856/// The function fiat_p224_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).
1857///
1858/// Postconditions:
1859/// eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)
1860/// 0 ≤ eval out1 < m
1861///
1862/// Output Bounds:
1863/// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
1864#[inline]
1865pub fn fiat_p224_divstep_precomp(out1: &mut [u64; 4]) -> () {
1866 out1[0] = 0x7ffffffe800001;
1867 out1[1] = 0xff7fffff00800000;
1868 out1[2] = 0xffffff;
1869 out1[3] = 0xff800000;
1870}
backport for Debian buster