You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

792 lines
22 KiB

  1. // Copyright 2020 ConsenSys AG
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. // field modulus q =
  15. //
  16. // 21888242871839275222246405745257275088548364400416034343698204186575808495617
  17. // Code generated by goff DO NOT EDIT
  18. // goff version: - build:
  19. // Element are assumed to be in Montgomery form in all methods
  20. // Package ff (generated by goff) contains field arithmetics operations
  21. package ff
  22. import (
  23. "crypto/rand"
  24. "encoding/binary"
  25. "io"
  26. "math/big"
  27. "math/bits"
  28. "sync"
  29. "unsafe"
  30. )
  31. // Element represents a field element stored on 4 words (uint64)
  32. // Element are assumed to be in Montgomery form in all methods
  33. type Element [4]uint64
  34. // ElementLimbs number of 64 bits words needed to represent Element
  35. const ElementLimbs = 4
  36. // ElementBits number bits needed to represent Element
  37. const ElementBits = 254
  38. // SetUint64 z = v, sets z LSB to v (non-Montgomery form) and convert z to Montgomery form
  39. func (z *Element) SetUint64(v uint64) *Element {
  40. z[0] = v
  41. z[1] = 0
  42. z[2] = 0
  43. z[3] = 0
  44. return z.ToMont()
  45. }
  46. // Set z = x
  47. func (z *Element) Set(x *Element) *Element {
  48. z[0] = x[0]
  49. z[1] = x[1]
  50. z[2] = x[2]
  51. z[3] = x[3]
  52. return z
  53. }
  54. // SetZero z = 0
  55. func (z *Element) SetZero() *Element {
  56. z[0] = 0
  57. z[1] = 0
  58. z[2] = 0
  59. z[3] = 0
  60. return z
  61. }
  62. // SetOne z = 1 (in Montgomery form)
  63. func (z *Element) SetOne() *Element {
  64. z[0] = 12436184717236109307
  65. z[1] = 3962172157175319849
  66. z[2] = 7381016538464732718
  67. z[3] = 1011752739694698287
  68. return z
  69. }
  70. // Neg z = q - x
  71. func (z *Element) Neg(x *Element) *Element {
  72. if x.IsZero() {
  73. return z.SetZero()
  74. }
  75. var borrow uint64
  76. z[0], borrow = bits.Sub64(4891460686036598785, x[0], 0)
  77. z[1], borrow = bits.Sub64(2896914383306846353, x[1], borrow)
  78. z[2], borrow = bits.Sub64(13281191951274694749, x[2], borrow)
  79. z[3], _ = bits.Sub64(3486998266802970665, x[3], borrow)
  80. return z
  81. }
  82. // Div z = x*y^-1 mod q
  83. func (z *Element) Div(x, y *Element) *Element {
  84. var yInv Element
  85. yInv.Inverse(y)
  86. z.Mul(x, &yInv)
  87. return z
  88. }
  89. // Equal returns z == x
  90. func (z *Element) Equal(x *Element) bool {
  91. return (z[3] == x[3]) && (z[2] == x[2]) && (z[1] == x[1]) && (z[0] == x[0])
  92. }
  93. // IsZero returns z == 0
  94. func (z *Element) IsZero() bool {
  95. return (z[3] | z[2] | z[1] | z[0]) == 0
  96. }
  97. // field modulus stored as big.Int
  98. var _elementModulusBigInt big.Int
  99. var onceelementModulus sync.Once
  100. func elementModulusBigInt() *big.Int {
  101. onceelementModulus.Do(func() {
  102. _elementModulusBigInt.SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
  103. })
  104. return &_elementModulusBigInt
  105. }
  106. // Inverse z = x^-1 mod q
  107. // Algorithm 16 in "Efficient Software-Implementation of Finite Fields with Applications to Cryptography"
  108. // if x == 0, sets and returns z = x
  109. func (z *Element) Inverse(x *Element) *Element {
  110. if x.IsZero() {
  111. return z.Set(x)
  112. }
  113. // initialize u = q
  114. var u = Element{
  115. 4891460686036598785,
  116. 2896914383306846353,
  117. 13281191951274694749,
  118. 3486998266802970665,
  119. }
  120. // initialize s = r^2
  121. var s = Element{
  122. 1997599621687373223,
  123. 6052339484930628067,
  124. 10108755138030829701,
  125. 150537098327114917,
  126. }
  127. // r = 0
  128. r := Element{}
  129. v := *x
  130. var carry, borrow, t, t2 uint64
  131. var bigger, uIsOne, vIsOne bool
  132. for !uIsOne && !vIsOne {
  133. for v[0]&1 == 0 {
  134. // v = v >> 1
  135. t2 = v[3] << 63
  136. v[3] >>= 1
  137. t = t2
  138. t2 = v[2] << 63
  139. v[2] = (v[2] >> 1) | t
  140. t = t2
  141. t2 = v[1] << 63
  142. v[1] = (v[1] >> 1) | t
  143. t = t2
  144. v[0] = (v[0] >> 1) | t
  145. if s[0]&1 == 1 {
  146. // s = s + q
  147. s[0], carry = bits.Add64(s[0], 4891460686036598785, 0)
  148. s[1], carry = bits.Add64(s[1], 2896914383306846353, carry)
  149. s[2], carry = bits.Add64(s[2], 13281191951274694749, carry)
  150. s[3], _ = bits.Add64(s[3], 3486998266802970665, carry)
  151. }
  152. // s = s >> 1
  153. t2 = s[3] << 63
  154. s[3] >>= 1
  155. t = t2
  156. t2 = s[2] << 63
  157. s[2] = (s[2] >> 1) | t
  158. t = t2
  159. t2 = s[1] << 63
  160. s[1] = (s[1] >> 1) | t
  161. t = t2
  162. s[0] = (s[0] >> 1) | t
  163. }
  164. for u[0]&1 == 0 {
  165. // u = u >> 1
  166. t2 = u[3] << 63
  167. u[3] >>= 1
  168. t = t2
  169. t2 = u[2] << 63
  170. u[2] = (u[2] >> 1) | t
  171. t = t2
  172. t2 = u[1] << 63
  173. u[1] = (u[1] >> 1) | t
  174. t = t2
  175. u[0] = (u[0] >> 1) | t
  176. if r[0]&1 == 1 {
  177. // r = r + q
  178. r[0], carry = bits.Add64(r[0], 4891460686036598785, 0)
  179. r[1], carry = bits.Add64(r[1], 2896914383306846353, carry)
  180. r[2], carry = bits.Add64(r[2], 13281191951274694749, carry)
  181. r[3], _ = bits.Add64(r[3], 3486998266802970665, carry)
  182. }
  183. // r = r >> 1
  184. t2 = r[3] << 63
  185. r[3] >>= 1
  186. t = t2
  187. t2 = r[2] << 63
  188. r[2] = (r[2] >> 1) | t
  189. t = t2
  190. t2 = r[1] << 63
  191. r[1] = (r[1] >> 1) | t
  192. t = t2
  193. r[0] = (r[0] >> 1) | t
  194. }
  195. // v >= u
  196. bigger = !(v[3] < u[3] || (v[3] == u[3] && (v[2] < u[2] || (v[2] == u[2] && (v[1] < u[1] || (v[1] == u[1] && (v[0] < u[0])))))))
  197. if bigger {
  198. // v = v - u
  199. v[0], borrow = bits.Sub64(v[0], u[0], 0)
  200. v[1], borrow = bits.Sub64(v[1], u[1], borrow)
  201. v[2], borrow = bits.Sub64(v[2], u[2], borrow)
  202. v[3], _ = bits.Sub64(v[3], u[3], borrow)
  203. // r >= s
  204. bigger = !(r[3] < s[3] || (r[3] == s[3] && (r[2] < s[2] || (r[2] == s[2] && (r[1] < s[1] || (r[1] == s[1] && (r[0] < s[0])))))))
  205. if bigger {
  206. // s = s + q
  207. s[0], carry = bits.Add64(s[0], 4891460686036598785, 0)
  208. s[1], carry = bits.Add64(s[1], 2896914383306846353, carry)
  209. s[2], carry = bits.Add64(s[2], 13281191951274694749, carry)
  210. s[3], _ = bits.Add64(s[3], 3486998266802970665, carry)
  211. }
  212. // s = s - r
  213. s[0], borrow = bits.Sub64(s[0], r[0], 0)
  214. s[1], borrow = bits.Sub64(s[1], r[1], borrow)
  215. s[2], borrow = bits.Sub64(s[2], r[2], borrow)
  216. s[3], _ = bits.Sub64(s[3], r[3], borrow)
  217. } else {
  218. // u = u - v
  219. u[0], borrow = bits.Sub64(u[0], v[0], 0)
  220. u[1], borrow = bits.Sub64(u[1], v[1], borrow)
  221. u[2], borrow = bits.Sub64(u[2], v[2], borrow)
  222. u[3], _ = bits.Sub64(u[3], v[3], borrow)
  223. // s >= r
  224. bigger = !(s[3] < r[3] || (s[3] == r[3] && (s[2] < r[2] || (s[2] == r[2] && (s[1] < r[1] || (s[1] == r[1] && (s[0] < r[0])))))))
  225. if bigger {
  226. // r = r + q
  227. r[0], carry = bits.Add64(r[0], 4891460686036598785, 0)
  228. r[1], carry = bits.Add64(r[1], 2896914383306846353, carry)
  229. r[2], carry = bits.Add64(r[2], 13281191951274694749, carry)
  230. r[3], _ = bits.Add64(r[3], 3486998266802970665, carry)
  231. }
  232. // r = r - s
  233. r[0], borrow = bits.Sub64(r[0], s[0], 0)
  234. r[1], borrow = bits.Sub64(r[1], s[1], borrow)
  235. r[2], borrow = bits.Sub64(r[2], s[2], borrow)
  236. r[3], _ = bits.Sub64(r[3], s[3], borrow)
  237. }
  238. uIsOne = (u[0] == 1) && (u[3]|u[2]|u[1]) == 0
  239. vIsOne = (v[0] == 1) && (v[3]|v[2]|v[1]) == 0
  240. }
  241. if uIsOne {
  242. z.Set(&r)
  243. } else {
  244. z.Set(&s)
  245. }
  246. return z
  247. }
  248. // SetRandom sets z to a random element < q
  249. func (z *Element) SetRandom() *Element {
  250. bytes := make([]byte, 32)
  251. io.ReadFull(rand.Reader, bytes)
  252. z[0] = binary.BigEndian.Uint64(bytes[0:8])
  253. z[1] = binary.BigEndian.Uint64(bytes[8:16])
  254. z[2] = binary.BigEndian.Uint64(bytes[16:24])
  255. z[3] = binary.BigEndian.Uint64(bytes[24:32])
  256. z[3] %= 3486998266802970665
  257. // if z > q --> z -= q
  258. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  259. var b uint64
  260. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  261. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  262. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  263. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  264. }
  265. return z
  266. }
  267. // Add z = x + y mod q
  268. func (z *Element) Add(x, y *Element) *Element {
  269. var carry uint64
  270. z[0], carry = bits.Add64(x[0], y[0], 0)
  271. z[1], carry = bits.Add64(x[1], y[1], carry)
  272. z[2], carry = bits.Add64(x[2], y[2], carry)
  273. z[3], _ = bits.Add64(x[3], y[3], carry)
  274. // if z > q --> z -= q
  275. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  276. var b uint64
  277. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  278. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  279. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  280. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  281. }
  282. return z
  283. }
  284. // AddAssign z = z + x mod q
  285. func (z *Element) AddAssign(x *Element) *Element {
  286. var carry uint64
  287. z[0], carry = bits.Add64(z[0], x[0], 0)
  288. z[1], carry = bits.Add64(z[1], x[1], carry)
  289. z[2], carry = bits.Add64(z[2], x[2], carry)
  290. z[3], _ = bits.Add64(z[3], x[3], carry)
  291. // if z > q --> z -= q
  292. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  293. var b uint64
  294. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  295. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  296. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  297. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  298. }
  299. return z
  300. }
  301. // Double z = x + x mod q, aka Lsh 1
  302. func (z *Element) Double(x *Element) *Element {
  303. var carry uint64
  304. z[0], carry = bits.Add64(x[0], x[0], 0)
  305. z[1], carry = bits.Add64(x[1], x[1], carry)
  306. z[2], carry = bits.Add64(x[2], x[2], carry)
  307. z[3], _ = bits.Add64(x[3], x[3], carry)
  308. // if z > q --> z -= q
  309. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  310. var b uint64
  311. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  312. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  313. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  314. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  315. }
  316. return z
  317. }
  318. // Sub z = x - y mod q
  319. func (z *Element) Sub(x, y *Element) *Element {
  320. var b uint64
  321. z[0], b = bits.Sub64(x[0], y[0], 0)
  322. z[1], b = bits.Sub64(x[1], y[1], b)
  323. z[2], b = bits.Sub64(x[2], y[2], b)
  324. z[3], b = bits.Sub64(x[3], y[3], b)
  325. if b != 0 {
  326. var c uint64
  327. z[0], c = bits.Add64(z[0], 4891460686036598785, 0)
  328. z[1], c = bits.Add64(z[1], 2896914383306846353, c)
  329. z[2], c = bits.Add64(z[2], 13281191951274694749, c)
  330. z[3], _ = bits.Add64(z[3], 3486998266802970665, c)
  331. }
  332. return z
  333. }
  334. // SubAssign z = z - x mod q
  335. func (z *Element) SubAssign(x *Element) *Element {
  336. var b uint64
  337. z[0], b = bits.Sub64(z[0], x[0], 0)
  338. z[1], b = bits.Sub64(z[1], x[1], b)
  339. z[2], b = bits.Sub64(z[2], x[2], b)
  340. z[3], b = bits.Sub64(z[3], x[3], b)
  341. if b != 0 {
  342. var c uint64
  343. z[0], c = bits.Add64(z[0], 4891460686036598785, 0)
  344. z[1], c = bits.Add64(z[1], 2896914383306846353, c)
  345. z[2], c = bits.Add64(z[2], 13281191951274694749, c)
  346. z[3], _ = bits.Add64(z[3], 3486998266802970665, c)
  347. }
  348. return z
  349. }
  350. // Exp z = x^e mod q
  351. func (z *Element) Exp(x Element, e uint64) *Element {
  352. if e == 0 {
  353. return z.SetOne()
  354. }
  355. z.Set(&x)
  356. l := bits.Len64(e) - 2
  357. for i := l; i >= 0; i-- {
  358. z.Square(z)
  359. if e&(1<<uint(i)) != 0 {
  360. z.MulAssign(&x)
  361. }
  362. }
  363. return z
  364. }
  365. // FromMont converts z in place (i.e. mutates) from Montgomery to regular representation
  366. // sets and returns z = z * 1
  367. func (z *Element) FromMont() *Element {
  368. // the following lines implement z = z * 1
  369. // with a modified CIOS montgomery multiplication
  370. {
  371. // m = z[0]n'[0] mod W
  372. m := z[0] * 14042775128853446655
  373. C := madd0(m, 4891460686036598785, z[0])
  374. C, z[0] = madd2(m, 2896914383306846353, z[1], C)
  375. C, z[1] = madd2(m, 13281191951274694749, z[2], C)
  376. C, z[2] = madd2(m, 3486998266802970665, z[3], C)
  377. z[3] = C
  378. }
  379. {
  380. // m = z[0]n'[0] mod W
  381. m := z[0] * 14042775128853446655
  382. C := madd0(m, 4891460686036598785, z[0])
  383. C, z[0] = madd2(m, 2896914383306846353, z[1], C)
  384. C, z[1] = madd2(m, 13281191951274694749, z[2], C)
  385. C, z[2] = madd2(m, 3486998266802970665, z[3], C)
  386. z[3] = C
  387. }
  388. {
  389. // m = z[0]n'[0] mod W
  390. m := z[0] * 14042775128853446655
  391. C := madd0(m, 4891460686036598785, z[0])
  392. C, z[0] = madd2(m, 2896914383306846353, z[1], C)
  393. C, z[1] = madd2(m, 13281191951274694749, z[2], C)
  394. C, z[2] = madd2(m, 3486998266802970665, z[3], C)
  395. z[3] = C
  396. }
  397. {
  398. // m = z[0]n'[0] mod W
  399. m := z[0] * 14042775128853446655
  400. C := madd0(m, 4891460686036598785, z[0])
  401. C, z[0] = madd2(m, 2896914383306846353, z[1], C)
  402. C, z[1] = madd2(m, 13281191951274694749, z[2], C)
  403. C, z[2] = madd2(m, 3486998266802970665, z[3], C)
  404. z[3] = C
  405. }
  406. // if z > q --> z -= q
  407. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  408. var b uint64
  409. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  410. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  411. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  412. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  413. }
  414. return z
  415. }
  416. // ToMont converts z to Montgomery form
  417. // sets and returns z = z * r^2
  418. func (z *Element) ToMont() *Element {
  419. var rSquare = Element{
  420. 1997599621687373223,
  421. 6052339484930628067,
  422. 10108755138030829701,
  423. 150537098327114917,
  424. }
  425. return z.MulAssign(&rSquare)
  426. }
  427. // ToRegular returns z in regular form (doesn't mutate z)
  428. func (z Element) ToRegular() Element {
  429. return *z.FromMont()
  430. }
  431. // String returns the string form of an Element in Montgomery form
  432. func (z *Element) String() string {
  433. var _z big.Int
  434. return z.ToBigIntRegular(&_z).String()
  435. }
  436. // ToBigInt returns z as a big.Int in Montgomery form
  437. func (z *Element) ToBigInt(res *big.Int) *big.Int {
  438. if bits.UintSize == 64 {
  439. bits := (*[4]big.Word)(unsafe.Pointer(z))
  440. return res.SetBits(bits[:])
  441. } else {
  442. var bits [8]big.Word
  443. for i := 0; i < len(z); i++ {
  444. bits[i*2] = big.Word(z[i])
  445. bits[i*2+1] = big.Word(z[i] >> 32)
  446. }
  447. return res.SetBits(bits[:])
  448. }
  449. }
  450. // ToBigIntRegular returns z as a big.Int in regular form
  451. func (z Element) ToBigIntRegular(res *big.Int) *big.Int {
  452. z.FromMont()
  453. if bits.UintSize == 64 {
  454. bits := (*[4]big.Word)(unsafe.Pointer(&z))
  455. return res.SetBits(bits[:])
  456. } else {
  457. var bits [8]big.Word
  458. for i := 0; i < len(z); i++ {
  459. bits[i*2] = big.Word(z[i])
  460. bits[i*2+1] = big.Word(z[i] >> 32)
  461. }
  462. return res.SetBits(bits[:])
  463. }
  464. }
  465. // SetBigInt sets z to v (regular form) and returns z in Montgomery form
  466. func (z *Element) SetBigInt(v *big.Int) *Element {
  467. z.SetZero()
  468. zero := big.NewInt(0)
  469. q := elementModulusBigInt()
  470. // copy input
  471. vv := new(big.Int).Set(v)
  472. // while v < 0, v+=q
  473. for vv.Cmp(zero) == -1 {
  474. vv.Add(vv, q)
  475. }
  476. // while v > q, v-=q
  477. for vv.Cmp(q) == 1 {
  478. vv.Sub(vv, q)
  479. }
  480. // if v == q, return 0
  481. if vv.Cmp(q) == 0 {
  482. return z
  483. }
  484. // v should
  485. vBits := vv.Bits()
  486. if bits.UintSize == 64 {
  487. for i := 0; i < len(vBits); i++ {
  488. z[i] = uint64(vBits[i])
  489. }
  490. } else {
  491. for i := 0; i < len(vBits); i++ {
  492. if i%2 == 0 {
  493. z[i/2] = uint64(vBits[i])
  494. } else {
  495. z[i/2] |= uint64(vBits[i]) << 32
  496. }
  497. }
  498. }
  499. return z.ToMont()
  500. }
  501. // SetString creates a big.Int with s (in base 10) and calls SetBigInt on z
  502. func (z *Element) SetString(s string) *Element {
  503. x, ok := new(big.Int).SetString(s, 10)
  504. if !ok {
  505. panic("Element.SetString failed -> can't parse number in base10 into a big.Int")
  506. }
  507. return z.SetBigInt(x)
  508. }
  509. // Mul z = x * y mod q
  510. func (z *Element) Mul(x, y *Element) *Element {
  511. var t [4]uint64
  512. var c [3]uint64
  513. {
  514. // round 0
  515. v := x[0]
  516. c[1], c[0] = bits.Mul64(v, y[0])
  517. m := c[0] * 14042775128853446655
  518. c[2] = madd0(m, 4891460686036598785, c[0])
  519. c[1], c[0] = madd1(v, y[1], c[1])
  520. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  521. c[1], c[0] = madd1(v, y[2], c[1])
  522. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  523. c[1], c[0] = madd1(v, y[3], c[1])
  524. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  525. }
  526. {
  527. // round 1
  528. v := x[1]
  529. c[1], c[0] = madd1(v, y[0], t[0])
  530. m := c[0] * 14042775128853446655
  531. c[2] = madd0(m, 4891460686036598785, c[0])
  532. c[1], c[0] = madd2(v, y[1], c[1], t[1])
  533. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  534. c[1], c[0] = madd2(v, y[2], c[1], t[2])
  535. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  536. c[1], c[0] = madd2(v, y[3], c[1], t[3])
  537. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  538. }
  539. {
  540. // round 2
  541. v := x[2]
  542. c[1], c[0] = madd1(v, y[0], t[0])
  543. m := c[0] * 14042775128853446655
  544. c[2] = madd0(m, 4891460686036598785, c[0])
  545. c[1], c[0] = madd2(v, y[1], c[1], t[1])
  546. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  547. c[1], c[0] = madd2(v, y[2], c[1], t[2])
  548. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  549. c[1], c[0] = madd2(v, y[3], c[1], t[3])
  550. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  551. }
  552. {
  553. // round 3
  554. v := x[3]
  555. c[1], c[0] = madd1(v, y[0], t[0])
  556. m := c[0] * 14042775128853446655
  557. c[2] = madd0(m, 4891460686036598785, c[0])
  558. c[1], c[0] = madd2(v, y[1], c[1], t[1])
  559. c[2], z[0] = madd2(m, 2896914383306846353, c[2], c[0])
  560. c[1], c[0] = madd2(v, y[2], c[1], t[2])
  561. c[2], z[1] = madd2(m, 13281191951274694749, c[2], c[0])
  562. c[1], c[0] = madd2(v, y[3], c[1], t[3])
  563. z[3], z[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  564. }
  565. // if z > q --> z -= q
  566. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  567. var b uint64
  568. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  569. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  570. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  571. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  572. }
  573. return z
  574. }
  575. // MulAssign z = z * x mod q
  576. func (z *Element) MulAssign(x *Element) *Element {
  577. var t [4]uint64
  578. var c [3]uint64
  579. {
  580. // round 0
  581. v := z[0]
  582. c[1], c[0] = bits.Mul64(v, x[0])
  583. m := c[0] * 14042775128853446655
  584. c[2] = madd0(m, 4891460686036598785, c[0])
  585. c[1], c[0] = madd1(v, x[1], c[1])
  586. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  587. c[1], c[0] = madd1(v, x[2], c[1])
  588. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  589. c[1], c[0] = madd1(v, x[3], c[1])
  590. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  591. }
  592. {
  593. // round 1
  594. v := z[1]
  595. c[1], c[0] = madd1(v, x[0], t[0])
  596. m := c[0] * 14042775128853446655
  597. c[2] = madd0(m, 4891460686036598785, c[0])
  598. c[1], c[0] = madd2(v, x[1], c[1], t[1])
  599. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  600. c[1], c[0] = madd2(v, x[2], c[1], t[2])
  601. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  602. c[1], c[0] = madd2(v, x[3], c[1], t[3])
  603. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  604. }
  605. {
  606. // round 2
  607. v := z[2]
  608. c[1], c[0] = madd1(v, x[0], t[0])
  609. m := c[0] * 14042775128853446655
  610. c[2] = madd0(m, 4891460686036598785, c[0])
  611. c[1], c[0] = madd2(v, x[1], c[1], t[1])
  612. c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
  613. c[1], c[0] = madd2(v, x[2], c[1], t[2])
  614. c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
  615. c[1], c[0] = madd2(v, x[3], c[1], t[3])
  616. t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  617. }
  618. {
  619. // round 3
  620. v := z[3]
  621. c[1], c[0] = madd1(v, x[0], t[0])
  622. m := c[0] * 14042775128853446655
  623. c[2] = madd0(m, 4891460686036598785, c[0])
  624. c[1], c[0] = madd2(v, x[1], c[1], t[1])
  625. c[2], z[0] = madd2(m, 2896914383306846353, c[2], c[0])
  626. c[1], c[0] = madd2(v, x[2], c[1], t[2])
  627. c[2], z[1] = madd2(m, 13281191951274694749, c[2], c[0])
  628. c[1], c[0] = madd2(v, x[3], c[1], t[3])
  629. z[3], z[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
  630. }
  631. // if z > q --> z -= q
  632. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  633. var b uint64
  634. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  635. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  636. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  637. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  638. }
  639. return z
  640. }
  641. // Square z = x * x mod q
  642. func (z *Element) Square(x *Element) *Element {
  643. var p [4]uint64
  644. var u, v uint64
  645. {
  646. // round 0
  647. u, p[0] = bits.Mul64(x[0], x[0])
  648. m := p[0] * 14042775128853446655
  649. C := madd0(m, 4891460686036598785, p[0])
  650. var t uint64
  651. t, u, v = madd1sb(x[0], x[1], u)
  652. C, p[0] = madd2(m, 2896914383306846353, v, C)
  653. t, u, v = madd1s(x[0], x[2], t, u)
  654. C, p[1] = madd2(m, 13281191951274694749, v, C)
  655. _, u, v = madd1s(x[0], x[3], t, u)
  656. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  657. }
  658. {
  659. // round 1
  660. m := p[0] * 14042775128853446655
  661. C := madd0(m, 4891460686036598785, p[0])
  662. u, v = madd1(x[1], x[1], p[1])
  663. C, p[0] = madd2(m, 2896914383306846353, v, C)
  664. var t uint64
  665. t, u, v = madd2sb(x[1], x[2], p[2], u)
  666. C, p[1] = madd2(m, 13281191951274694749, v, C)
  667. _, u, v = madd2s(x[1], x[3], p[3], t, u)
  668. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  669. }
  670. {
  671. // round 2
  672. m := p[0] * 14042775128853446655
  673. C := madd0(m, 4891460686036598785, p[0])
  674. C, p[0] = madd2(m, 2896914383306846353, p[1], C)
  675. u, v = madd1(x[2], x[2], p[2])
  676. C, p[1] = madd2(m, 13281191951274694749, v, C)
  677. _, u, v = madd2sb(x[2], x[3], p[3], u)
  678. p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
  679. }
  680. {
  681. // round 3
  682. m := p[0] * 14042775128853446655
  683. C := madd0(m, 4891460686036598785, p[0])
  684. C, z[0] = madd2(m, 2896914383306846353, p[1], C)
  685. C, z[1] = madd2(m, 13281191951274694749, p[2], C)
  686. u, v = madd1(x[3], x[3], p[3])
  687. z[3], z[2] = madd3(m, 3486998266802970665, v, C, u)
  688. }
  689. // if z > q --> z -= q
  690. if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
  691. var b uint64
  692. z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
  693. z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
  694. z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
  695. z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
  696. }
  697. return z
  698. }