Bitcoin Core  22.99.0
P2P Digital Currency
field_10x26_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_FIELD_REPR_IMPL_H
8 #define SECP256K1_FIELD_REPR_IMPL_H
9 
10 #include "util.h"
11 #include "field.h"
12 #include "modinv32_impl.h"
13 
14 #ifdef VERIFY
15 static void secp256k1_fe_verify(const secp256k1_fe *a) {
16  const uint32_t *d = a->n;
17  int m = a->normalized ? 1 : 2 * a->magnitude, r = 1;
18  r &= (d[0] <= 0x3FFFFFFUL * m);
19  r &= (d[1] <= 0x3FFFFFFUL * m);
20  r &= (d[2] <= 0x3FFFFFFUL * m);
21  r &= (d[3] <= 0x3FFFFFFUL * m);
22  r &= (d[4] <= 0x3FFFFFFUL * m);
23  r &= (d[5] <= 0x3FFFFFFUL * m);
24  r &= (d[6] <= 0x3FFFFFFUL * m);
25  r &= (d[7] <= 0x3FFFFFFUL * m);
26  r &= (d[8] <= 0x3FFFFFFUL * m);
27  r &= (d[9] <= 0x03FFFFFUL * m);
28  r &= (a->magnitude >= 0);
29  r &= (a->magnitude <= 32);
30  if (a->normalized) {
31  r &= (a->magnitude <= 1);
32  if (r && (d[9] == 0x03FFFFFUL)) {
33  uint32_t mid = d[8] & d[7] & d[6] & d[5] & d[4] & d[3] & d[2];
34  if (mid == 0x3FFFFFFUL) {
35  r &= ((d[1] + 0x40UL + ((d[0] + 0x3D1UL) >> 26)) <= 0x3FFFFFFUL);
36  }
37  }
38  }
39  VERIFY_CHECK(r == 1);
40 }
41 #endif
42 
44  uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4],
45  t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9];
46 
47  /* Reduce t9 at the start so there will be at most a single carry from the first pass */
48  uint32_t m;
49  uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
50 
51  /* The first pass ensures the magnitude is 1, ... */
52  t0 += x * 0x3D1UL; t1 += (x << 6);
53  t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
54  t2 += (t1 >> 26); t1 &= 0x3FFFFFFUL;
55  t3 += (t2 >> 26); t2 &= 0x3FFFFFFUL; m = t2;
56  t4 += (t3 >> 26); t3 &= 0x3FFFFFFUL; m &= t3;
57  t5 += (t4 >> 26); t4 &= 0x3FFFFFFUL; m &= t4;
58  t6 += (t5 >> 26); t5 &= 0x3FFFFFFUL; m &= t5;
59  t7 += (t6 >> 26); t6 &= 0x3FFFFFFUL; m &= t6;
60  t8 += (t7 >> 26); t7 &= 0x3FFFFFFUL; m &= t7;
61  t9 += (t8 >> 26); t8 &= 0x3FFFFFFUL; m &= t8;
62 
63  /* ... except for a possible carry at bit 22 of t9 (i.e. bit 256 of the field element) */
64  VERIFY_CHECK(t9 >> 23 == 0);
65 
66  /* At most a single final reduction is needed; check if the value is >= the field characteristic */
67  x = (t9 >> 22) | ((t9 == 0x03FFFFFUL) & (m == 0x3FFFFFFUL)
68  & ((t1 + 0x40UL + ((t0 + 0x3D1UL) >> 26)) > 0x3FFFFFFUL));
69 
70  /* Apply the final reduction (for constant-time behaviour, we do it always) */
71  t0 += x * 0x3D1UL; t1 += (x << 6);
72  t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
73  t2 += (t1 >> 26); t1 &= 0x3FFFFFFUL;
74  t3 += (t2 >> 26); t2 &= 0x3FFFFFFUL;
75  t4 += (t3 >> 26); t3 &= 0x3FFFFFFUL;
76  t5 += (t4 >> 26); t4 &= 0x3FFFFFFUL;
77  t6 += (t5 >> 26); t5 &= 0x3FFFFFFUL;
78  t7 += (t6 >> 26); t6 &= 0x3FFFFFFUL;
79  t8 += (t7 >> 26); t7 &= 0x3FFFFFFUL;
80  t9 += (t8 >> 26); t8 &= 0x3FFFFFFUL;
81 
82  /* If t9 didn't carry to bit 22 already, then it should have after any final reduction */
83  VERIFY_CHECK(t9 >> 22 == x);
84 
85  /* Mask off the possible multiple of 2^256 from the final reduction */
86  t9 &= 0x03FFFFFUL;
87 
88  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
89  r->n[5] = t5; r->n[6] = t6; r->n[7] = t7; r->n[8] = t8; r->n[9] = t9;
90 
91 #ifdef VERIFY
92  r->magnitude = 1;
93  r->normalized = 1;
94  secp256k1_fe_verify(r);
95 #endif
96 }
97 
99  uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4],
100  t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9];
101 
102  /* Reduce t9 at the start so there will be at most a single carry from the first pass */
103  uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
104 
105  /* The first pass ensures the magnitude is 1, ... */
106  t0 += x * 0x3D1UL; t1 += (x << 6);
107  t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
108  t2 += (t1 >> 26); t1 &= 0x3FFFFFFUL;
109  t3 += (t2 >> 26); t2 &= 0x3FFFFFFUL;
110  t4 += (t3 >> 26); t3 &= 0x3FFFFFFUL;
111  t5 += (t4 >> 26); t4 &= 0x3FFFFFFUL;
112  t6 += (t5 >> 26); t5 &= 0x3FFFFFFUL;
113  t7 += (t6 >> 26); t6 &= 0x3FFFFFFUL;
114  t8 += (t7 >> 26); t7 &= 0x3FFFFFFUL;
115  t9 += (t8 >> 26); t8 &= 0x3FFFFFFUL;
116 
117  /* ... except for a possible carry at bit 22 of t9 (i.e. bit 256 of the field element) */
118  VERIFY_CHECK(t9 >> 23 == 0);
119 
120  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
121  r->n[5] = t5; r->n[6] = t6; r->n[7] = t7; r->n[8] = t8; r->n[9] = t9;
122 
123 #ifdef VERIFY
124  r->magnitude = 1;
125  secp256k1_fe_verify(r);
126 #endif
127 }
128 
130  uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4],
131  t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9];
132 
133  /* Reduce t9 at the start so there will be at most a single carry from the first pass */
134  uint32_t m;
135  uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
136 
137  /* The first pass ensures the magnitude is 1, ... */
138  t0 += x * 0x3D1UL; t1 += (x << 6);
139  t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
140  t2 += (t1 >> 26); t1 &= 0x3FFFFFFUL;
141  t3 += (t2 >> 26); t2 &= 0x3FFFFFFUL; m = t2;
142  t4 += (t3 >> 26); t3 &= 0x3FFFFFFUL; m &= t3;
143  t5 += (t4 >> 26); t4 &= 0x3FFFFFFUL; m &= t4;
144  t6 += (t5 >> 26); t5 &= 0x3FFFFFFUL; m &= t5;
145  t7 += (t6 >> 26); t6 &= 0x3FFFFFFUL; m &= t6;
146  t8 += (t7 >> 26); t7 &= 0x3FFFFFFUL; m &= t7;
147  t9 += (t8 >> 26); t8 &= 0x3FFFFFFUL; m &= t8;
148 
149  /* ... except for a possible carry at bit 22 of t9 (i.e. bit 256 of the field element) */
150  VERIFY_CHECK(t9 >> 23 == 0);
151 
152  /* At most a single final reduction is needed; check if the value is >= the field characteristic */
153  x = (t9 >> 22) | ((t9 == 0x03FFFFFUL) & (m == 0x3FFFFFFUL)
154  & ((t1 + 0x40UL + ((t0 + 0x3D1UL) >> 26)) > 0x3FFFFFFUL));
155 
156  if (x) {
157  t0 += 0x3D1UL; t1 += (x << 6);
158  t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
159  t2 += (t1 >> 26); t1 &= 0x3FFFFFFUL;
160  t3 += (t2 >> 26); t2 &= 0x3FFFFFFUL;
161  t4 += (t3 >> 26); t3 &= 0x3FFFFFFUL;
162  t5 += (t4 >> 26); t4 &= 0x3FFFFFFUL;
163  t6 += (t5 >> 26); t5 &= 0x3FFFFFFUL;
164  t7 += (t6 >> 26); t6 &= 0x3FFFFFFUL;
165  t8 += (t7 >> 26); t7 &= 0x3FFFFFFUL;
166  t9 += (t8 >> 26); t8 &= 0x3FFFFFFUL;
167 
168  /* If t9 didn't carry to bit 22 already, then it should have after any final reduction */
169  VERIFY_CHECK(t9 >> 22 == x);
170 
171  /* Mask off the possible multiple of 2^256 from the final reduction */
172  t9 &= 0x03FFFFFUL;
173  }
174 
175  r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
176  r->n[5] = t5; r->n[6] = t6; r->n[7] = t7; r->n[8] = t8; r->n[9] = t9;
177 
178 #ifdef VERIFY
179  r->magnitude = 1;
180  r->normalized = 1;
181  secp256k1_fe_verify(r);
182 #endif
183 }
184 
186  uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4],
187  t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9];
188 
189  /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
190  uint32_t z0, z1;
191 
192  /* Reduce t9 at the start so there will be at most a single carry from the first pass */
193  uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
194 
195  /* The first pass ensures the magnitude is 1, ... */
196  t0 += x * 0x3D1UL; t1 += (x << 6);
197  t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL; z0 = t0; z1 = t0 ^ 0x3D0UL;
198  t2 += (t1 >> 26); t1 &= 0x3FFFFFFUL; z0 |= t1; z1 &= t1 ^ 0x40UL;
199  t3 += (t2 >> 26); t2 &= 0x3FFFFFFUL; z0 |= t2; z1 &= t2;
200  t4 += (t3 >> 26); t3 &= 0x3FFFFFFUL; z0 |= t3; z1 &= t3;
201  t5 += (t4 >> 26); t4 &= 0x3FFFFFFUL; z0 |= t4; z1 &= t4;
202  t6 += (t5 >> 26); t5 &= 0x3FFFFFFUL; z0 |= t5; z1 &= t5;
203  t7 += (t6 >> 26); t6 &= 0x3FFFFFFUL; z0 |= t6; z1 &= t6;
204  t8 += (t7 >> 26); t7 &= 0x3FFFFFFUL; z0 |= t7; z1 &= t7;
205  t9 += (t8 >> 26); t8 &= 0x3FFFFFFUL; z0 |= t8; z1 &= t8;
206  z0 |= t9; z1 &= t9 ^ 0x3C00000UL;
207 
208  /* ... except for a possible carry at bit 22 of t9 (i.e. bit 256 of the field element) */
209  VERIFY_CHECK(t9 >> 23 == 0);
210 
211  return (z0 == 0) | (z1 == 0x3FFFFFFUL);
212 }
213 
215  uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
216  uint32_t z0, z1;
217  uint32_t x;
218 
219  t0 = r->n[0];
220  t9 = r->n[9];
221 
222  /* Reduce t9 at the start so there will be at most a single carry from the first pass */
223  x = t9 >> 22;
224 
225  /* The first pass ensures the magnitude is 1, ... */
226  t0 += x * 0x3D1UL;
227 
228  /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
229  z0 = t0 & 0x3FFFFFFUL;
230  z1 = z0 ^ 0x3D0UL;
231 
232  /* Fast return path should catch the majority of cases */
233  if ((z0 != 0UL) & (z1 != 0x3FFFFFFUL)) {
234  return 0;
235  }
236 
237  t1 = r->n[1];
238  t2 = r->n[2];
239  t3 = r->n[3];
240  t4 = r->n[4];
241  t5 = r->n[5];
242  t6 = r->n[6];
243  t7 = r->n[7];
244  t8 = r->n[8];
245 
246  t9 &= 0x03FFFFFUL;
247  t1 += (x << 6);
248 
249  t1 += (t0 >> 26);
250  t2 += (t1 >> 26); t1 &= 0x3FFFFFFUL; z0 |= t1; z1 &= t1 ^ 0x40UL;
251  t3 += (t2 >> 26); t2 &= 0x3FFFFFFUL; z0 |= t2; z1 &= t2;
252  t4 += (t3 >> 26); t3 &= 0x3FFFFFFUL; z0 |= t3; z1 &= t3;
253  t5 += (t4 >> 26); t4 &= 0x3FFFFFFUL; z0 |= t4; z1 &= t4;
254  t6 += (t5 >> 26); t5 &= 0x3FFFFFFUL; z0 |= t5; z1 &= t5;
255  t7 += (t6 >> 26); t6 &= 0x3FFFFFFUL; z0 |= t6; z1 &= t6;
256  t8 += (t7 >> 26); t7 &= 0x3FFFFFFUL; z0 |= t7; z1 &= t7;
257  t9 += (t8 >> 26); t8 &= 0x3FFFFFFUL; z0 |= t8; z1 &= t8;
258  z0 |= t9; z1 &= t9 ^ 0x3C00000UL;
259 
260  /* ... except for a possible carry at bit 22 of t9 (i.e. bit 256 of the field element) */
261  VERIFY_CHECK(t9 >> 23 == 0);
262 
263  return (z0 == 0) | (z1 == 0x3FFFFFFUL);
264 }
265 
267  VERIFY_CHECK(0 <= a && a <= 0x7FFF);
268  r->n[0] = a;
269  r->n[1] = r->n[2] = r->n[3] = r->n[4] = r->n[5] = r->n[6] = r->n[7] = r->n[8] = r->n[9] = 0;
270 #ifdef VERIFY
271  r->magnitude = (a != 0);
272  r->normalized = 1;
273  secp256k1_fe_verify(r);
274 #endif
275 }
276 
278  const uint32_t *t = a->n;
279 #ifdef VERIFY
280  VERIFY_CHECK(a->normalized);
281  secp256k1_fe_verify(a);
282 #endif
283  return (t[0] | t[1] | t[2] | t[3] | t[4] | t[5] | t[6] | t[7] | t[8] | t[9]) == 0;
284 }
285 
287 #ifdef VERIFY
288  VERIFY_CHECK(a->normalized);
289  secp256k1_fe_verify(a);
290 #endif
291  return a->n[0] & 1;
292 }
293 
295  int i;
296 #ifdef VERIFY
297  a->magnitude = 0;
298  a->normalized = 1;
299 #endif
300  for (i=0; i<10; i++) {
301  a->n[i] = 0;
302  }
303 }
304 
305 static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
306  int i;
307 #ifdef VERIFY
308  VERIFY_CHECK(a->normalized);
309  VERIFY_CHECK(b->normalized);
310  secp256k1_fe_verify(a);
311  secp256k1_fe_verify(b);
312 #endif
313  for (i = 9; i >= 0; i--) {
314  if (a->n[i] > b->n[i]) {
315  return 1;
316  }
317  if (a->n[i] < b->n[i]) {
318  return -1;
319  }
320  }
321  return 0;
322 }
323 
324 static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) {
325  int ret;
326  r->n[0] = (uint32_t)a[31] | ((uint32_t)a[30] << 8) | ((uint32_t)a[29] << 16) | ((uint32_t)(a[28] & 0x3) << 24);
327  r->n[1] = (uint32_t)((a[28] >> 2) & 0x3f) | ((uint32_t)a[27] << 6) | ((uint32_t)a[26] << 14) | ((uint32_t)(a[25] & 0xf) << 22);
328  r->n[2] = (uint32_t)((a[25] >> 4) & 0xf) | ((uint32_t)a[24] << 4) | ((uint32_t)a[23] << 12) | ((uint32_t)(a[22] & 0x3f) << 20);
329  r->n[3] = (uint32_t)((a[22] >> 6) & 0x3) | ((uint32_t)a[21] << 2) | ((uint32_t)a[20] << 10) | ((uint32_t)a[19] << 18);
330  r->n[4] = (uint32_t)a[18] | ((uint32_t)a[17] << 8) | ((uint32_t)a[16] << 16) | ((uint32_t)(a[15] & 0x3) << 24);
331  r->n[5] = (uint32_t)((a[15] >> 2) & 0x3f) | ((uint32_t)a[14] << 6) | ((uint32_t)a[13] << 14) | ((uint32_t)(a[12] & 0xf) << 22);
332  r->n[6] = (uint32_t)((a[12] >> 4) & 0xf) | ((uint32_t)a[11] << 4) | ((uint32_t)a[10] << 12) | ((uint32_t)(a[9] & 0x3f) << 20);
333  r->n[7] = (uint32_t)((a[9] >> 6) & 0x3) | ((uint32_t)a[8] << 2) | ((uint32_t)a[7] << 10) | ((uint32_t)a[6] << 18);
334  r->n[8] = (uint32_t)a[5] | ((uint32_t)a[4] << 8) | ((uint32_t)a[3] << 16) | ((uint32_t)(a[2] & 0x3) << 24);
335  r->n[9] = (uint32_t)((a[2] >> 2) & 0x3f) | ((uint32_t)a[1] << 6) | ((uint32_t)a[0] << 14);
336 
337  ret = !((r->n[9] == 0x3FFFFFUL) & ((r->n[8] & r->n[7] & r->n[6] & r->n[5] & r->n[4] & r->n[3] & r->n[2]) == 0x3FFFFFFUL) & ((r->n[1] + 0x40UL + ((r->n[0] + 0x3D1UL) >> 26)) > 0x3FFFFFFUL));
338 #ifdef VERIFY
339  r->magnitude = 1;
340  if (ret) {
341  r->normalized = 1;
342  secp256k1_fe_verify(r);
343  } else {
344  r->normalized = 0;
345  }
346 #endif
347  return ret;
348 }
349 
351 static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a) {
352 #ifdef VERIFY
353  VERIFY_CHECK(a->normalized);
354  secp256k1_fe_verify(a);
355 #endif
356  r[0] = (a->n[9] >> 14) & 0xff;
357  r[1] = (a->n[9] >> 6) & 0xff;
358  r[2] = ((a->n[9] & 0x3F) << 2) | ((a->n[8] >> 24) & 0x3);
359  r[3] = (a->n[8] >> 16) & 0xff;
360  r[4] = (a->n[8] >> 8) & 0xff;
361  r[5] = a->n[8] & 0xff;
362  r[6] = (a->n[7] >> 18) & 0xff;
363  r[7] = (a->n[7] >> 10) & 0xff;
364  r[8] = (a->n[7] >> 2) & 0xff;
365  r[9] = ((a->n[7] & 0x3) << 6) | ((a->n[6] >> 20) & 0x3f);
366  r[10] = (a->n[6] >> 12) & 0xff;
367  r[11] = (a->n[6] >> 4) & 0xff;
368  r[12] = ((a->n[6] & 0xf) << 4) | ((a->n[5] >> 22) & 0xf);
369  r[13] = (a->n[5] >> 14) & 0xff;
370  r[14] = (a->n[5] >> 6) & 0xff;
371  r[15] = ((a->n[5] & 0x3f) << 2) | ((a->n[4] >> 24) & 0x3);
372  r[16] = (a->n[4] >> 16) & 0xff;
373  r[17] = (a->n[4] >> 8) & 0xff;
374  r[18] = a->n[4] & 0xff;
375  r[19] = (a->n[3] >> 18) & 0xff;
376  r[20] = (a->n[3] >> 10) & 0xff;
377  r[21] = (a->n[3] >> 2) & 0xff;
378  r[22] = ((a->n[3] & 0x3) << 6) | ((a->n[2] >> 20) & 0x3f);
379  r[23] = (a->n[2] >> 12) & 0xff;
380  r[24] = (a->n[2] >> 4) & 0xff;
381  r[25] = ((a->n[2] & 0xf) << 4) | ((a->n[1] >> 22) & 0xf);
382  r[26] = (a->n[1] >> 14) & 0xff;
383  r[27] = (a->n[1] >> 6) & 0xff;
384  r[28] = ((a->n[1] & 0x3f) << 2) | ((a->n[0] >> 24) & 0x3);
385  r[29] = (a->n[0] >> 16) & 0xff;
386  r[30] = (a->n[0] >> 8) & 0xff;
387  r[31] = a->n[0] & 0xff;
388 }
389 
391 #ifdef VERIFY
392  VERIFY_CHECK(a->magnitude <= m);
393  secp256k1_fe_verify(a);
394 #endif
395  r->n[0] = 0x3FFFC2FUL * 2 * (m + 1) - a->n[0];
396  r->n[1] = 0x3FFFFBFUL * 2 * (m + 1) - a->n[1];
397  r->n[2] = 0x3FFFFFFUL * 2 * (m + 1) - a->n[2];
398  r->n[3] = 0x3FFFFFFUL * 2 * (m + 1) - a->n[3];
399  r->n[4] = 0x3FFFFFFUL * 2 * (m + 1) - a->n[4];
400  r->n[5] = 0x3FFFFFFUL * 2 * (m + 1) - a->n[5];
401  r->n[6] = 0x3FFFFFFUL * 2 * (m + 1) - a->n[6];
402  r->n[7] = 0x3FFFFFFUL * 2 * (m + 1) - a->n[7];
403  r->n[8] = 0x3FFFFFFUL * 2 * (m + 1) - a->n[8];
404  r->n[9] = 0x03FFFFFUL * 2 * (m + 1) - a->n[9];
405 #ifdef VERIFY
406  r->magnitude = m + 1;
407  r->normalized = 0;
408  secp256k1_fe_verify(r);
409 #endif
410 }
411 
413  r->n[0] *= a;
414  r->n[1] *= a;
415  r->n[2] *= a;
416  r->n[3] *= a;
417  r->n[4] *= a;
418  r->n[5] *= a;
419  r->n[6] *= a;
420  r->n[7] *= a;
421  r->n[8] *= a;
422  r->n[9] *= a;
423 #ifdef VERIFY
424  r->magnitude *= a;
425  r->normalized = 0;
426  secp256k1_fe_verify(r);
427 #endif
428 }
429 
431 #ifdef VERIFY
432  secp256k1_fe_verify(a);
433 #endif
434  r->n[0] += a->n[0];
435  r->n[1] += a->n[1];
436  r->n[2] += a->n[2];
437  r->n[3] += a->n[3];
438  r->n[4] += a->n[4];
439  r->n[5] += a->n[5];
440  r->n[6] += a->n[6];
441  r->n[7] += a->n[7];
442  r->n[8] += a->n[8];
443  r->n[9] += a->n[9];
444 #ifdef VERIFY
445  r->magnitude += a->magnitude;
446  r->normalized = 0;
447  secp256k1_fe_verify(r);
448 #endif
449 }
450 
451 #if defined(USE_EXTERNAL_ASM)
452 
453 /* External assembler implementation */
454 void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b);
455 void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t *a);
456 
457 #else
458 
459 #ifdef VERIFY
460 #define VERIFY_BITS(x, n) VERIFY_CHECK(((x) >> (n)) == 0)
461 #else
462 #define VERIFY_BITS(x, n) do { } while(0)
463 #endif
464 
465 SECP256K1_INLINE static void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b) {
466  uint64_t c, d;
467  uint64_t u0, u1, u2, u3, u4, u5, u6, u7, u8;
468  uint32_t t9, t1, t0, t2, t3, t4, t5, t6, t7;
469  const uint32_t M = 0x3FFFFFFUL, R0 = 0x3D10UL, R1 = 0x400UL;
470 
471  VERIFY_BITS(a[0], 30);
472  VERIFY_BITS(a[1], 30);
473  VERIFY_BITS(a[2], 30);
474  VERIFY_BITS(a[3], 30);
475  VERIFY_BITS(a[4], 30);
476  VERIFY_BITS(a[5], 30);
477  VERIFY_BITS(a[6], 30);
478  VERIFY_BITS(a[7], 30);
479  VERIFY_BITS(a[8], 30);
480  VERIFY_BITS(a[9], 26);
481  VERIFY_BITS(b[0], 30);
482  VERIFY_BITS(b[1], 30);
483  VERIFY_BITS(b[2], 30);
484  VERIFY_BITS(b[3], 30);
485  VERIFY_BITS(b[4], 30);
486  VERIFY_BITS(b[5], 30);
487  VERIFY_BITS(b[6], 30);
488  VERIFY_BITS(b[7], 30);
489  VERIFY_BITS(b[8], 30);
490  VERIFY_BITS(b[9], 26);
491 
498  d = (uint64_t)a[0] * b[9]
499  + (uint64_t)a[1] * b[8]
500  + (uint64_t)a[2] * b[7]
501  + (uint64_t)a[3] * b[6]
502  + (uint64_t)a[4] * b[5]
503  + (uint64_t)a[5] * b[4]
504  + (uint64_t)a[6] * b[3]
505  + (uint64_t)a[7] * b[2]
506  + (uint64_t)a[8] * b[1]
507  + (uint64_t)a[9] * b[0];
508  /* VERIFY_BITS(d, 64); */
509  /* [d 0 0 0 0 0 0 0 0 0] = [p9 0 0 0 0 0 0 0 0 0] */
510  t9 = d & M; d >>= 26;
511  VERIFY_BITS(t9, 26);
512  VERIFY_BITS(d, 38);
513  /* [d t9 0 0 0 0 0 0 0 0 0] = [p9 0 0 0 0 0 0 0 0 0] */
514 
515  c = (uint64_t)a[0] * b[0];
516  VERIFY_BITS(c, 60);
517  /* [d t9 0 0 0 0 0 0 0 0 c] = [p9 0 0 0 0 0 0 0 0 p0] */
518  d += (uint64_t)a[1] * b[9]
519  + (uint64_t)a[2] * b[8]
520  + (uint64_t)a[3] * b[7]
521  + (uint64_t)a[4] * b[6]
522  + (uint64_t)a[5] * b[5]
523  + (uint64_t)a[6] * b[4]
524  + (uint64_t)a[7] * b[3]
525  + (uint64_t)a[8] * b[2]
526  + (uint64_t)a[9] * b[1];
527  VERIFY_BITS(d, 63);
528  /* [d t9 0 0 0 0 0 0 0 0 c] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
529  u0 = d & M; d >>= 26; c += u0 * R0;
530  VERIFY_BITS(u0, 26);
531  VERIFY_BITS(d, 37);
532  VERIFY_BITS(c, 61);
533  /* [d u0 t9 0 0 0 0 0 0 0 0 c-u0*R0] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
534  t0 = c & M; c >>= 26; c += u0 * R1;
535  VERIFY_BITS(t0, 26);
536  VERIFY_BITS(c, 37);
537  /* [d u0 t9 0 0 0 0 0 0 0 c-u0*R1 t0-u0*R0] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
538  /* [d 0 t9 0 0 0 0 0 0 0 c t0] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
539 
540  c += (uint64_t)a[0] * b[1]
541  + (uint64_t)a[1] * b[0];
542  VERIFY_BITS(c, 62);
543  /* [d 0 t9 0 0 0 0 0 0 0 c t0] = [p10 p9 0 0 0 0 0 0 0 p1 p0] */
544  d += (uint64_t)a[2] * b[9]
545  + (uint64_t)a[3] * b[8]
546  + (uint64_t)a[4] * b[7]
547  + (uint64_t)a[5] * b[6]
548  + (uint64_t)a[6] * b[5]
549  + (uint64_t)a[7] * b[4]
550  + (uint64_t)a[8] * b[3]
551  + (uint64_t)a[9] * b[2];
552  VERIFY_BITS(d, 63);
553  /* [d 0 t9 0 0 0 0 0 0 0 c t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
554  u1 = d & M; d >>= 26; c += u1 * R0;
555  VERIFY_BITS(u1, 26);
556  VERIFY_BITS(d, 37);
557  VERIFY_BITS(c, 63);
558  /* [d u1 0 t9 0 0 0 0 0 0 0 c-u1*R0 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
559  t1 = c & M; c >>= 26; c += u1 * R1;
560  VERIFY_BITS(t1, 26);
561  VERIFY_BITS(c, 38);
562  /* [d u1 0 t9 0 0 0 0 0 0 c-u1*R1 t1-u1*R0 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
563  /* [d 0 0 t9 0 0 0 0 0 0 c t1 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
564 
565  c += (uint64_t)a[0] * b[2]
566  + (uint64_t)a[1] * b[1]
567  + (uint64_t)a[2] * b[0];
568  VERIFY_BITS(c, 62);
569  /* [d 0 0 t9 0 0 0 0 0 0 c t1 t0] = [p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
570  d += (uint64_t)a[3] * b[9]
571  + (uint64_t)a[4] * b[8]
572  + (uint64_t)a[5] * b[7]
573  + (uint64_t)a[6] * b[6]
574  + (uint64_t)a[7] * b[5]
575  + (uint64_t)a[8] * b[4]
576  + (uint64_t)a[9] * b[3];
577  VERIFY_BITS(d, 63);
578  /* [d 0 0 t9 0 0 0 0 0 0 c t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
579  u2 = d & M; d >>= 26; c += u2 * R0;
580  VERIFY_BITS(u2, 26);
581  VERIFY_BITS(d, 37);
582  VERIFY_BITS(c, 63);
583  /* [d u2 0 0 t9 0 0 0 0 0 0 c-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
584  t2 = c & M; c >>= 26; c += u2 * R1;
585  VERIFY_BITS(t2, 26);
586  VERIFY_BITS(c, 38);
587  /* [d u2 0 0 t9 0 0 0 0 0 c-u2*R1 t2-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
588  /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
589 
590  c += (uint64_t)a[0] * b[3]
591  + (uint64_t)a[1] * b[2]
592  + (uint64_t)a[2] * b[1]
593  + (uint64_t)a[3] * b[0];
594  VERIFY_BITS(c, 63);
595  /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
596  d += (uint64_t)a[4] * b[9]
597  + (uint64_t)a[5] * b[8]
598  + (uint64_t)a[6] * b[7]
599  + (uint64_t)a[7] * b[6]
600  + (uint64_t)a[8] * b[5]
601  + (uint64_t)a[9] * b[4];
602  VERIFY_BITS(d, 63);
603  /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
604  u3 = d & M; d >>= 26; c += u3 * R0;
605  VERIFY_BITS(u3, 26);
606  VERIFY_BITS(d, 37);
607  /* VERIFY_BITS(c, 64); */
608  /* [d u3 0 0 0 t9 0 0 0 0 0 c-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
609  t3 = c & M; c >>= 26; c += u3 * R1;
610  VERIFY_BITS(t3, 26);
611  VERIFY_BITS(c, 39);
612  /* [d u3 0 0 0 t9 0 0 0 0 c-u3*R1 t3-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
613  /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
614 
615  c += (uint64_t)a[0] * b[4]
616  + (uint64_t)a[1] * b[3]
617  + (uint64_t)a[2] * b[2]
618  + (uint64_t)a[3] * b[1]
619  + (uint64_t)a[4] * b[0];
620  VERIFY_BITS(c, 63);
621  /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
622  d += (uint64_t)a[5] * b[9]
623  + (uint64_t)a[6] * b[8]
624  + (uint64_t)a[7] * b[7]
625  + (uint64_t)a[8] * b[6]
626  + (uint64_t)a[9] * b[5];
627  VERIFY_BITS(d, 62);
628  /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
629  u4 = d & M; d >>= 26; c += u4 * R0;
630  VERIFY_BITS(u4, 26);
631  VERIFY_BITS(d, 36);
632  /* VERIFY_BITS(c, 64); */
633  /* [d u4 0 0 0 0 t9 0 0 0 0 c-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
634  t4 = c & M; c >>= 26; c += u4 * R1;
635  VERIFY_BITS(t4, 26);
636  VERIFY_BITS(c, 39);
637  /* [d u4 0 0 0 0 t9 0 0 0 c-u4*R1 t4-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
638  /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
639 
640  c += (uint64_t)a[0] * b[5]
641  + (uint64_t)a[1] * b[4]
642  + (uint64_t)a[2] * b[3]
643  + (uint64_t)a[3] * b[2]
644  + (uint64_t)a[4] * b[1]
645  + (uint64_t)a[5] * b[0];
646  VERIFY_BITS(c, 63);
647  /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
648  d += (uint64_t)a[6] * b[9]
649  + (uint64_t)a[7] * b[8]
650  + (uint64_t)a[8] * b[7]
651  + (uint64_t)a[9] * b[6];
652  VERIFY_BITS(d, 62);
653  /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
654  u5 = d & M; d >>= 26; c += u5 * R0;
655  VERIFY_BITS(u5, 26);
656  VERIFY_BITS(d, 36);
657  /* VERIFY_BITS(c, 64); */
658  /* [d u5 0 0 0 0 0 t9 0 0 0 c-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
659  t5 = c & M; c >>= 26; c += u5 * R1;
660  VERIFY_BITS(t5, 26);
661  VERIFY_BITS(c, 39);
662  /* [d u5 0 0 0 0 0 t9 0 0 c-u5*R1 t5-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
663  /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
664 
665  c += (uint64_t)a[0] * b[6]
666  + (uint64_t)a[1] * b[5]
667  + (uint64_t)a[2] * b[4]
668  + (uint64_t)a[3] * b[3]
669  + (uint64_t)a[4] * b[2]
670  + (uint64_t)a[5] * b[1]
671  + (uint64_t)a[6] * b[0];
672  VERIFY_BITS(c, 63);
673  /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
674  d += (uint64_t)a[7] * b[9]
675  + (uint64_t)a[8] * b[8]
676  + (uint64_t)a[9] * b[7];
677  VERIFY_BITS(d, 61);
678  /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
679  u6 = d & M; d >>= 26; c += u6 * R0;
680  VERIFY_BITS(u6, 26);
681  VERIFY_BITS(d, 35);
682  /* VERIFY_BITS(c, 64); */
683  /* [d u6 0 0 0 0 0 0 t9 0 0 c-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
684  t6 = c & M; c >>= 26; c += u6 * R1;
685  VERIFY_BITS(t6, 26);
686  VERIFY_BITS(c, 39);
687  /* [d u6 0 0 0 0 0 0 t9 0 c-u6*R1 t6-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
688  /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
689 
690  c += (uint64_t)a[0] * b[7]
691  + (uint64_t)a[1] * b[6]
692  + (uint64_t)a[2] * b[5]
693  + (uint64_t)a[3] * b[4]
694  + (uint64_t)a[4] * b[3]
695  + (uint64_t)a[5] * b[2]
696  + (uint64_t)a[6] * b[1]
697  + (uint64_t)a[7] * b[0];
698  /* VERIFY_BITS(c, 64); */
699  VERIFY_CHECK(c <= 0x8000007C00000007ULL);
700  /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
701  d += (uint64_t)a[8] * b[9]
702  + (uint64_t)a[9] * b[8];
703  VERIFY_BITS(d, 58);
704  /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
705  u7 = d & M; d >>= 26; c += u7 * R0;
706  VERIFY_BITS(u7, 26);
707  VERIFY_BITS(d, 32);
708  /* VERIFY_BITS(c, 64); */
709  VERIFY_CHECK(c <= 0x800001703FFFC2F7ULL);
710  /* [d u7 0 0 0 0 0 0 0 t9 0 c-u7*R0 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
711  t7 = c & M; c >>= 26; c += u7 * R1;
712  VERIFY_BITS(t7, 26);
713  VERIFY_BITS(c, 38);
714  /* [d u7 0 0 0 0 0 0 0 t9 c-u7*R1 t7-u7*R0 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
715  /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
716 
717  c += (uint64_t)a[0] * b[8]
718  + (uint64_t)a[1] * b[7]
719  + (uint64_t)a[2] * b[6]
720  + (uint64_t)a[3] * b[5]
721  + (uint64_t)a[4] * b[4]
722  + (uint64_t)a[5] * b[3]
723  + (uint64_t)a[6] * b[2]
724  + (uint64_t)a[7] * b[1]
725  + (uint64_t)a[8] * b[0];
726  /* VERIFY_BITS(c, 64); */
727  VERIFY_CHECK(c <= 0x9000007B80000008ULL);
728  /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
729  d += (uint64_t)a[9] * b[9];
730  VERIFY_BITS(d, 57);
731  /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
732  u8 = d & M; d >>= 26; c += u8 * R0;
733  VERIFY_BITS(u8, 26);
734  VERIFY_BITS(d, 31);
735  /* VERIFY_BITS(c, 64); */
736  VERIFY_CHECK(c <= 0x9000016FBFFFC2F8ULL);
737  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
738 
739  r[3] = t3;
740  VERIFY_BITS(r[3], 26);
741  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 t4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
742  r[4] = t4;
743  VERIFY_BITS(r[4], 26);
744  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
745  r[5] = t5;
746  VERIFY_BITS(r[5], 26);
747  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
748  r[6] = t6;
749  VERIFY_BITS(r[6], 26);
750  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
751  r[7] = t7;
752  VERIFY_BITS(r[7], 26);
753  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
754 
755  r[8] = c & M; c >>= 26; c += u8 * R1;
756  VERIFY_BITS(r[8], 26);
757  VERIFY_BITS(c, 39);
758  /* [d u8 0 0 0 0 0 0 0 0 t9+c-u8*R1 r8-u8*R0 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
759  /* [d 0 0 0 0 0 0 0 0 0 t9+c r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
760  c += d * R0 + t9;
761  VERIFY_BITS(c, 45);
762  /* [d 0 0 0 0 0 0 0 0 0 c-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
763  r[9] = c & (M >> 4); c >>= 22; c += d * (R1 << 4);
764  VERIFY_BITS(r[9], 22);
765  VERIFY_BITS(c, 46);
766  /* [d 0 0 0 0 0 0 0 0 r9+((c-d*R1<<4)<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
767  /* [d 0 0 0 0 0 0 0 -d*R1 r9+(c<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
768  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
769 
770  d = c * (R0 >> 4) + t0;
771  VERIFY_BITS(d, 56);
772  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 d-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
773  r[0] = d & M; d >>= 26;
774  VERIFY_BITS(r[0], 26);
775  VERIFY_BITS(d, 30);
776  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1+d r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
777  d += c * (R1 >> 4) + t1;
778  VERIFY_BITS(d, 53);
779  VERIFY_CHECK(d <= 0x10000003FFFFBFULL);
780  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 d-c*R1>>4 r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
781  /* [r9 r8 r7 r6 r5 r4 r3 t2 d r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
782  r[1] = d & M; d >>= 26;
783  VERIFY_BITS(r[1], 26);
784  VERIFY_BITS(d, 27);
785  VERIFY_CHECK(d <= 0x4000000ULL);
786  /* [r9 r8 r7 r6 r5 r4 r3 t2+d r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
787  d += t2;
788  VERIFY_BITS(d, 27);
789  /* [r9 r8 r7 r6 r5 r4 r3 d r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
790  r[2] = d;
791  VERIFY_BITS(r[2], 27);
792  /* [r9 r8 r7 r6 r5 r4 r3 r2 r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
793 }
794 
795 SECP256K1_INLINE static void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t *a) {
796  uint64_t c, d;
797  uint64_t u0, u1, u2, u3, u4, u5, u6, u7, u8;
798  uint32_t t9, t0, t1, t2, t3, t4, t5, t6, t7;
799  const uint32_t M = 0x3FFFFFFUL, R0 = 0x3D10UL, R1 = 0x400UL;
800 
801  VERIFY_BITS(a[0], 30);
802  VERIFY_BITS(a[1], 30);
803  VERIFY_BITS(a[2], 30);
804  VERIFY_BITS(a[3], 30);
805  VERIFY_BITS(a[4], 30);
806  VERIFY_BITS(a[5], 30);
807  VERIFY_BITS(a[6], 30);
808  VERIFY_BITS(a[7], 30);
809  VERIFY_BITS(a[8], 30);
810  VERIFY_BITS(a[9], 26);
811 
817  d = (uint64_t)(a[0]*2) * a[9]
818  + (uint64_t)(a[1]*2) * a[8]
819  + (uint64_t)(a[2]*2) * a[7]
820  + (uint64_t)(a[3]*2) * a[6]
821  + (uint64_t)(a[4]*2) * a[5];
822  /* VERIFY_BITS(d, 64); */
823  /* [d 0 0 0 0 0 0 0 0 0] = [p9 0 0 0 0 0 0 0 0 0] */
824  t9 = d & M; d >>= 26;
825  VERIFY_BITS(t9, 26);
826  VERIFY_BITS(d, 38);
827  /* [d t9 0 0 0 0 0 0 0 0 0] = [p9 0 0 0 0 0 0 0 0 0] */
828 
829  c = (uint64_t)a[0] * a[0];
830  VERIFY_BITS(c, 60);
831  /* [d t9 0 0 0 0 0 0 0 0 c] = [p9 0 0 0 0 0 0 0 0 p0] */
832  d += (uint64_t)(a[1]*2) * a[9]
833  + (uint64_t)(a[2]*2) * a[8]
834  + (uint64_t)(a[3]*2) * a[7]
835  + (uint64_t)(a[4]*2) * a[6]
836  + (uint64_t)a[5] * a[5];
837  VERIFY_BITS(d, 63);
838  /* [d t9 0 0 0 0 0 0 0 0 c] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
839  u0 = d & M; d >>= 26; c += u0 * R0;
840  VERIFY_BITS(u0, 26);
841  VERIFY_BITS(d, 37);
842  VERIFY_BITS(c, 61);
843  /* [d u0 t9 0 0 0 0 0 0 0 0 c-u0*R0] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
844  t0 = c & M; c >>= 26; c += u0 * R1;
845  VERIFY_BITS(t0, 26);
846  VERIFY_BITS(c, 37);
847  /* [d u0 t9 0 0 0 0 0 0 0 c-u0*R1 t0-u0*R0] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
848  /* [d 0 t9 0 0 0 0 0 0 0 c t0] = [p10 p9 0 0 0 0 0 0 0 0 p0] */
849 
850  c += (uint64_t)(a[0]*2) * a[1];
851  VERIFY_BITS(c, 62);
852  /* [d 0 t9 0 0 0 0 0 0 0 c t0] = [p10 p9 0 0 0 0 0 0 0 p1 p0] */
853  d += (uint64_t)(a[2]*2) * a[9]
854  + (uint64_t)(a[3]*2) * a[8]
855  + (uint64_t)(a[4]*2) * a[7]
856  + (uint64_t)(a[5]*2) * a[6];
857  VERIFY_BITS(d, 63);
858  /* [d 0 t9 0 0 0 0 0 0 0 c t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
859  u1 = d & M; d >>= 26; c += u1 * R0;
860  VERIFY_BITS(u1, 26);
861  VERIFY_BITS(d, 37);
862  VERIFY_BITS(c, 63);
863  /* [d u1 0 t9 0 0 0 0 0 0 0 c-u1*R0 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
864  t1 = c & M; c >>= 26; c += u1 * R1;
865  VERIFY_BITS(t1, 26);
866  VERIFY_BITS(c, 38);
867  /* [d u1 0 t9 0 0 0 0 0 0 c-u1*R1 t1-u1*R0 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
868  /* [d 0 0 t9 0 0 0 0 0 0 c t1 t0] = [p11 p10 p9 0 0 0 0 0 0 0 p1 p0] */
869 
870  c += (uint64_t)(a[0]*2) * a[2]
871  + (uint64_t)a[1] * a[1];
872  VERIFY_BITS(c, 62);
873  /* [d 0 0 t9 0 0 0 0 0 0 c t1 t0] = [p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
874  d += (uint64_t)(a[3]*2) * a[9]
875  + (uint64_t)(a[4]*2) * a[8]
876  + (uint64_t)(a[5]*2) * a[7]
877  + (uint64_t)a[6] * a[6];
878  VERIFY_BITS(d, 63);
879  /* [d 0 0 t9 0 0 0 0 0 0 c t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
880  u2 = d & M; d >>= 26; c += u2 * R0;
881  VERIFY_BITS(u2, 26);
882  VERIFY_BITS(d, 37);
883  VERIFY_BITS(c, 63);
884  /* [d u2 0 0 t9 0 0 0 0 0 0 c-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
885  t2 = c & M; c >>= 26; c += u2 * R1;
886  VERIFY_BITS(t2, 26);
887  VERIFY_BITS(c, 38);
888  /* [d u2 0 0 t9 0 0 0 0 0 c-u2*R1 t2-u2*R0 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
889  /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 0 p2 p1 p0] */
890 
891  c += (uint64_t)(a[0]*2) * a[3]
892  + (uint64_t)(a[1]*2) * a[2];
893  VERIFY_BITS(c, 63);
894  /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
895  d += (uint64_t)(a[4]*2) * a[9]
896  + (uint64_t)(a[5]*2) * a[8]
897  + (uint64_t)(a[6]*2) * a[7];
898  VERIFY_BITS(d, 63);
899  /* [d 0 0 0 t9 0 0 0 0 0 c t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
900  u3 = d & M; d >>= 26; c += u3 * R0;
901  VERIFY_BITS(u3, 26);
902  VERIFY_BITS(d, 37);
903  /* VERIFY_BITS(c, 64); */
904  /* [d u3 0 0 0 t9 0 0 0 0 0 c-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
905  t3 = c & M; c >>= 26; c += u3 * R1;
906  VERIFY_BITS(t3, 26);
907  VERIFY_BITS(c, 39);
908  /* [d u3 0 0 0 t9 0 0 0 0 c-u3*R1 t3-u3*R0 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
909  /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 0 p3 p2 p1 p0] */
910 
911  c += (uint64_t)(a[0]*2) * a[4]
912  + (uint64_t)(a[1]*2) * a[3]
913  + (uint64_t)a[2] * a[2];
914  VERIFY_BITS(c, 63);
915  /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
916  d += (uint64_t)(a[5]*2) * a[9]
917  + (uint64_t)(a[6]*2) * a[8]
918  + (uint64_t)a[7] * a[7];
919  VERIFY_BITS(d, 62);
920  /* [d 0 0 0 0 t9 0 0 0 0 c t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
921  u4 = d & M; d >>= 26; c += u4 * R0;
922  VERIFY_BITS(u4, 26);
923  VERIFY_BITS(d, 36);
924  /* VERIFY_BITS(c, 64); */
925  /* [d u4 0 0 0 0 t9 0 0 0 0 c-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
926  t4 = c & M; c >>= 26; c += u4 * R1;
927  VERIFY_BITS(t4, 26);
928  VERIFY_BITS(c, 39);
929  /* [d u4 0 0 0 0 t9 0 0 0 c-u4*R1 t4-u4*R0 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
930  /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 0 p4 p3 p2 p1 p0] */
931 
932  c += (uint64_t)(a[0]*2) * a[5]
933  + (uint64_t)(a[1]*2) * a[4]
934  + (uint64_t)(a[2]*2) * a[3];
935  VERIFY_BITS(c, 63);
936  /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
937  d += (uint64_t)(a[6]*2) * a[9]
938  + (uint64_t)(a[7]*2) * a[8];
939  VERIFY_BITS(d, 62);
940  /* [d 0 0 0 0 0 t9 0 0 0 c t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
941  u5 = d & M; d >>= 26; c += u5 * R0;
942  VERIFY_BITS(u5, 26);
943  VERIFY_BITS(d, 36);
944  /* VERIFY_BITS(c, 64); */
945  /* [d u5 0 0 0 0 0 t9 0 0 0 c-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
946  t5 = c & M; c >>= 26; c += u5 * R1;
947  VERIFY_BITS(t5, 26);
948  VERIFY_BITS(c, 39);
949  /* [d u5 0 0 0 0 0 t9 0 0 c-u5*R1 t5-u5*R0 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
950  /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 0 p5 p4 p3 p2 p1 p0] */
951 
952  c += (uint64_t)(a[0]*2) * a[6]
953  + (uint64_t)(a[1]*2) * a[5]
954  + (uint64_t)(a[2]*2) * a[4]
955  + (uint64_t)a[3] * a[3];
956  VERIFY_BITS(c, 63);
957  /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
958  d += (uint64_t)(a[7]*2) * a[9]
959  + (uint64_t)a[8] * a[8];
960  VERIFY_BITS(d, 61);
961  /* [d 0 0 0 0 0 0 t9 0 0 c t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
962  u6 = d & M; d >>= 26; c += u6 * R0;
963  VERIFY_BITS(u6, 26);
964  VERIFY_BITS(d, 35);
965  /* VERIFY_BITS(c, 64); */
966  /* [d u6 0 0 0 0 0 0 t9 0 0 c-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
967  t6 = c & M; c >>= 26; c += u6 * R1;
968  VERIFY_BITS(t6, 26);
969  VERIFY_BITS(c, 39);
970  /* [d u6 0 0 0 0 0 0 t9 0 c-u6*R1 t6-u6*R0 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
971  /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 0 p6 p5 p4 p3 p2 p1 p0] */
972 
973  c += (uint64_t)(a[0]*2) * a[7]
974  + (uint64_t)(a[1]*2) * a[6]
975  + (uint64_t)(a[2]*2) * a[5]
976  + (uint64_t)(a[3]*2) * a[4];
977  /* VERIFY_BITS(c, 64); */
978  VERIFY_CHECK(c <= 0x8000007C00000007ULL);
979  /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
980  d += (uint64_t)(a[8]*2) * a[9];
981  VERIFY_BITS(d, 58);
982  /* [d 0 0 0 0 0 0 0 t9 0 c t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
983  u7 = d & M; d >>= 26; c += u7 * R0;
984  VERIFY_BITS(u7, 26);
985  VERIFY_BITS(d, 32);
986  /* VERIFY_BITS(c, 64); */
987  VERIFY_CHECK(c <= 0x800001703FFFC2F7ULL);
988  /* [d u7 0 0 0 0 0 0 0 t9 0 c-u7*R0 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
989  t7 = c & M; c >>= 26; c += u7 * R1;
990  VERIFY_BITS(t7, 26);
991  VERIFY_BITS(c, 38);
992  /* [d u7 0 0 0 0 0 0 0 t9 c-u7*R1 t7-u7*R0 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
993  /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 0 p7 p6 p5 p4 p3 p2 p1 p0] */
994 
995  c += (uint64_t)(a[0]*2) * a[8]
996  + (uint64_t)(a[1]*2) * a[7]
997  + (uint64_t)(a[2]*2) * a[6]
998  + (uint64_t)(a[3]*2) * a[5]
999  + (uint64_t)a[4] * a[4];
1000  /* VERIFY_BITS(c, 64); */
1001  VERIFY_CHECK(c <= 0x9000007B80000008ULL);
1002  /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1003  d += (uint64_t)a[9] * a[9];
1004  VERIFY_BITS(d, 57);
1005  /* [d 0 0 0 0 0 0 0 0 t9 c t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1006  u8 = d & M; d >>= 26; c += u8 * R0;
1007  VERIFY_BITS(u8, 26);
1008  VERIFY_BITS(d, 31);
1009  /* VERIFY_BITS(c, 64); */
1010  VERIFY_CHECK(c <= 0x9000016FBFFFC2F8ULL);
1011  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 t4 t3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1012 
1013  r[3] = t3;
1014  VERIFY_BITS(r[3], 26);
1015  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 t4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1016  r[4] = t4;
1017  VERIFY_BITS(r[4], 26);
1018  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 t5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1019  r[5] = t5;
1020  VERIFY_BITS(r[5], 26);
1021  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 t6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1022  r[6] = t6;
1023  VERIFY_BITS(r[6], 26);
1024  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 t7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1025  r[7] = t7;
1026  VERIFY_BITS(r[7], 26);
1027  /* [d u8 0 0 0 0 0 0 0 0 t9 c-u8*R0 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1028 
1029  r[8] = c & M; c >>= 26; c += u8 * R1;
1030  VERIFY_BITS(r[8], 26);
1031  VERIFY_BITS(c, 39);
1032  /* [d u8 0 0 0 0 0 0 0 0 t9+c-u8*R1 r8-u8*R0 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1033  /* [d 0 0 0 0 0 0 0 0 0 t9+c r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1034  c += d * R0 + t9;
1035  VERIFY_BITS(c, 45);
1036  /* [d 0 0 0 0 0 0 0 0 0 c-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1037  r[9] = c & (M >> 4); c >>= 22; c += d * (R1 << 4);
1038  VERIFY_BITS(r[9], 22);
1039  VERIFY_BITS(c, 46);
1040  /* [d 0 0 0 0 0 0 0 0 r9+((c-d*R1<<4)<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1041  /* [d 0 0 0 0 0 0 0 -d*R1 r9+(c<<22)-d*R0 r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1042  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 t0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1043 
1044  d = c * (R0 >> 4) + t0;
1045  VERIFY_BITS(d, 56);
1046  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1 d-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1047  r[0] = d & M; d >>= 26;
1048  VERIFY_BITS(r[0], 26);
1049  VERIFY_BITS(d, 30);
1050  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 t1+d r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1051  d += c * (R1 >> 4) + t1;
1052  VERIFY_BITS(d, 53);
1053  VERIFY_CHECK(d <= 0x10000003FFFFBFULL);
1054  /* [r9+(c<<22) r8 r7 r6 r5 r4 r3 t2 d-c*R1>>4 r0-c*R0>>4] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1055  /* [r9 r8 r7 r6 r5 r4 r3 t2 d r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1056  r[1] = d & M; d >>= 26;
1057  VERIFY_BITS(r[1], 26);
1058  VERIFY_BITS(d, 27);
1059  VERIFY_CHECK(d <= 0x4000000ULL);
1060  /* [r9 r8 r7 r6 r5 r4 r3 t2+d r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1061  d += t2;
1062  VERIFY_BITS(d, 27);
1063  /* [r9 r8 r7 r6 r5 r4 r3 d r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1064  r[2] = d;
1065  VERIFY_BITS(r[2], 27);
1066  /* [r9 r8 r7 r6 r5 r4 r3 r2 r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */
1067 }
1068 #endif
1069 
1071 #ifdef VERIFY
1072  VERIFY_CHECK(a->magnitude <= 8);
1073  VERIFY_CHECK(b->magnitude <= 8);
1074  secp256k1_fe_verify(a);
1075  secp256k1_fe_verify(b);
1076  VERIFY_CHECK(r != b);
1077  VERIFY_CHECK(a != b);
1078 #endif
1079  secp256k1_fe_mul_inner(r->n, a->n, b->n);
1080 #ifdef VERIFY
1081  r->magnitude = 1;
1082  r->normalized = 0;
1083  secp256k1_fe_verify(r);
1084 #endif
1085 }
1086 
1087 static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
1088 #ifdef VERIFY
1089  VERIFY_CHECK(a->magnitude <= 8);
1090  secp256k1_fe_verify(a);
1091 #endif
1092  secp256k1_fe_sqr_inner(r->n, a->n);
1093 #ifdef VERIFY
1094  r->magnitude = 1;
1095  r->normalized = 0;
1096  secp256k1_fe_verify(r);
1097 #endif
1098 }
1099 
1100 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
1101  uint32_t mask0, mask1;
1102  VG_CHECK_VERIFY(r->n, sizeof(r->n));
1103  mask0 = flag + ~((uint32_t)0);
1104  mask1 = ~mask0;
1105  r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
1106  r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
1107  r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
1108  r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
1109  r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
1110  r->n[5] = (r->n[5] & mask0) | (a->n[5] & mask1);
1111  r->n[6] = (r->n[6] & mask0) | (a->n[6] & mask1);
1112  r->n[7] = (r->n[7] & mask0) | (a->n[7] & mask1);
1113  r->n[8] = (r->n[8] & mask0) | (a->n[8] & mask1);
1114  r->n[9] = (r->n[9] & mask0) | (a->n[9] & mask1);
1115 #ifdef VERIFY
1116  if (flag) {
1117  r->magnitude = a->magnitude;
1118  r->normalized = a->normalized;
1119  }
1120 #endif
1121 }
1122 
1124  uint32_t mask0, mask1;
1125  VG_CHECK_VERIFY(r->n, sizeof(r->n));
1126  mask0 = flag + ~((uint32_t)0);
1127  mask1 = ~mask0;
1128  r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
1129  r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
1130  r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
1131  r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
1132  r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
1133  r->n[5] = (r->n[5] & mask0) | (a->n[5] & mask1);
1134  r->n[6] = (r->n[6] & mask0) | (a->n[6] & mask1);
1135  r->n[7] = (r->n[7] & mask0) | (a->n[7] & mask1);
1136 }
1137 
1139 #ifdef VERIFY
1140  VERIFY_CHECK(a->normalized);
1141 #endif
1142  r->n[0] = a->n[0] | a->n[1] << 26;
1143  r->n[1] = a->n[1] >> 6 | a->n[2] << 20;
1144  r->n[2] = a->n[2] >> 12 | a->n[3] << 14;
1145  r->n[3] = a->n[3] >> 18 | a->n[4] << 8;
1146  r->n[4] = a->n[4] >> 24 | a->n[5] << 2 | a->n[6] << 28;
1147  r->n[5] = a->n[6] >> 4 | a->n[7] << 22;
1148  r->n[6] = a->n[7] >> 10 | a->n[8] << 16;
1149  r->n[7] = a->n[8] >> 16 | a->n[9] << 10;
1150 }
1151 
1153  r->n[0] = a->n[0] & 0x3FFFFFFUL;
1154  r->n[1] = a->n[0] >> 26 | ((a->n[1] << 6) & 0x3FFFFFFUL);
1155  r->n[2] = a->n[1] >> 20 | ((a->n[2] << 12) & 0x3FFFFFFUL);
1156  r->n[3] = a->n[2] >> 14 | ((a->n[3] << 18) & 0x3FFFFFFUL);
1157  r->n[4] = a->n[3] >> 8 | ((a->n[4] << 24) & 0x3FFFFFFUL);
1158  r->n[5] = (a->n[4] >> 2) & 0x3FFFFFFUL;
1159  r->n[6] = a->n[4] >> 28 | ((a->n[5] << 4) & 0x3FFFFFFUL);
1160  r->n[7] = a->n[5] >> 22 | ((a->n[6] << 10) & 0x3FFFFFFUL);
1161  r->n[8] = a->n[6] >> 16 | ((a->n[7] << 16) & 0x3FFFFFFUL);
1162  r->n[9] = a->n[7] >> 10;
1163 #ifdef VERIFY
1164  r->magnitude = 1;
1165  r->normalized = 1;
1166  secp256k1_fe_verify(r);
1167 #endif
1168 }
1169 
1171  const uint32_t M26 = UINT32_MAX >> 6;
1172  const uint32_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4],
1173  a5 = a->v[5], a6 = a->v[6], a7 = a->v[7], a8 = a->v[8];
1174 
1175  /* The output from secp256k1_modinv32{_var} should be normalized to range [0,modulus), and
1176  * have limbs in [0,2^30). The modulus is < 2^256, so the top limb must be below 2^(256-30*8).
1177  */
1178  VERIFY_CHECK(a0 >> 30 == 0);
1179  VERIFY_CHECK(a1 >> 30 == 0);
1180  VERIFY_CHECK(a2 >> 30 == 0);
1181  VERIFY_CHECK(a3 >> 30 == 0);
1182  VERIFY_CHECK(a4 >> 30 == 0);
1183  VERIFY_CHECK(a5 >> 30 == 0);
1184  VERIFY_CHECK(a6 >> 30 == 0);
1185  VERIFY_CHECK(a7 >> 30 == 0);
1186  VERIFY_CHECK(a8 >> 16 == 0);
1187 
1188  r->n[0] = a0 & M26;
1189  r->n[1] = (a0 >> 26 | a1 << 4) & M26;
1190  r->n[2] = (a1 >> 22 | a2 << 8) & M26;
1191  r->n[3] = (a2 >> 18 | a3 << 12) & M26;
1192  r->n[4] = (a3 >> 14 | a4 << 16) & M26;
1193  r->n[5] = (a4 >> 10 | a5 << 20) & M26;
1194  r->n[6] = (a5 >> 6 | a6 << 24) & M26;
1195  r->n[7] = (a6 >> 2 ) & M26;
1196  r->n[8] = (a6 >> 28 | a7 << 2) & M26;
1197  r->n[9] = (a7 >> 24 | a8 << 6);
1198 
1199 #ifdef VERIFY
1200  r->magnitude = 1;
1201  r->normalized = 1;
1202  secp256k1_fe_verify(r);
1203 #endif
1204 }
1205 
1207  const uint32_t M30 = UINT32_MAX >> 2;
1208  const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4],
1209  a5 = a->n[5], a6 = a->n[6], a7 = a->n[7], a8 = a->n[8], a9 = a->n[9];
1210 
1211 #ifdef VERIFY
1212  VERIFY_CHECK(a->normalized);
1213 #endif
1214 
1215  r->v[0] = (a0 | a1 << 26) & M30;
1216  r->v[1] = (a1 >> 4 | a2 << 22) & M30;
1217  r->v[2] = (a2 >> 8 | a3 << 18) & M30;
1218  r->v[3] = (a3 >> 12 | a4 << 14) & M30;
1219  r->v[4] = (a4 >> 16 | a5 << 10) & M30;
1220  r->v[5] = (a5 >> 20 | a6 << 6) & M30;
1221  r->v[6] = (a6 >> 24 | a7 << 2
1222  | a8 << 28) & M30;
1223  r->v[7] = (a8 >> 2 | a9 << 24) & M30;
1224  r->v[8] = a9 >> 6;
1225 }
1226 
1228  {{-0x3D1, -4, 0, 0, 0, 0, 0, 0, 65536}},
1229  0x2DDACACFL
1230 };
1231 
1232 static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
1233  secp256k1_fe tmp;
1235 
1236  tmp = *x;
1237  secp256k1_fe_normalize(&tmp);
1238  secp256k1_fe_to_signed30(&s, &tmp);
1241 
1243 }
1244 
1246  secp256k1_fe tmp;
1248 
1249  tmp = *x;
1251  secp256k1_fe_to_signed30(&s, &tmp);
1254 
1256 }
1257 
1258 #endif /* SECP256K1_FIELD_REPR_IMPL_H */
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Definition: field_10x26_impl.h:324
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:95
ByteUnit::M
@ M
secp256k1_fe_storage
Definition: field_10x26.h:43
secp256k1_fe_storage_cmov
static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
Definition: field_10x26_impl.h:1123
secp256k1_fe_from_storage
static SECP256K1_INLINE void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Definition: field_10x26_impl.h:1152
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x)
Definition: field_10x26_impl.h:1232
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Definition: field_10x26_impl.h:1138
SECP256K1_RESTRICT
#define SECP256K1_RESTRICT
Definition: util.h:155
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:24
modinv32_impl.h
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
util.h
secp256k1_fe_negate
static SECP256K1_INLINE void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Definition: field_10x26_impl.h:390
secp256k1_fe_from_signed30
static void secp256k1_fe_from_signed30(secp256k1_fe *r, const secp256k1_modinv32_signed30 *a)
Definition: field_10x26_impl.h:1170
secp256k1_fe_normalizes_to_zero
static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r)
Definition: field_10x26_impl.h:185
secp256k1_fe_storage::n
uint32_t n[8]
Definition: field_10x26.h:44
secp256k1_fe_set_int
static SECP256K1_INLINE void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Definition: field_10x26_impl.h:266
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:20
secp256k1_fe_is_odd
static SECP256K1_INLINE int secp256k1_fe_is_odd(const secp256k1_fe *a)
Definition: field_10x26_impl.h:286
secp256k1_fe_normalizes_to_zero_var
static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r)
Definition: field_10x26_impl.h:214
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Definition: field_10x26_impl.h:43
secp256k1_fe_sqr_inner
static SECP256K1_INLINE void secp256k1_fe_sqr_inner(uint32_t *r, const uint32_t *a)
Definition: field_10x26_impl.h:795
secp256k1_fe
Definition: field_10x26.h:12
u8
unsigned char u8
Definition: crypto_diff_fuzz_chacha20.cpp:21
secp256k1_fe_mul_int
static SECP256K1_INLINE void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Definition: field_10x26_impl.h:412
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x)
Definition: field_10x26_impl.h:1245
secp256k1_fe_add
static SECP256K1_INLINE void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Definition: field_10x26_impl.h:430
field.h
secp256k1_fe_cmov
static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
Definition: field_10x26_impl.h:1100
VG_CHECK_VERIFY
#define VG_CHECK_VERIFY(x, y)
Definition: util.h:115
secp256k1_fe_mul_inner
static SECP256K1_INLINE void secp256k1_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t *SECP256K1_RESTRICT b)
Definition: field_10x26_impl.h:465
secp256k1_modinv32_modinfo
Definition: modinv32.h:23
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Definition: field_10x26_impl.h:129
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: field_10x26_impl.h:305
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Definition: field_10x26_impl.h:98
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Definition: field_10x26_impl.h:1087
secp256k1_fe_to_signed30
static void secp256k1_fe_to_signed30(secp256k1_modinv32_signed30 *r, const secp256k1_fe *a)
Definition: field_10x26_impl.h:1206
secp256k1_fe_is_zero
static SECP256K1_INLINE int secp256k1_fe_is_zero(const secp256k1_fe *a)
Definition: field_10x26_impl.h:277
VERIFY_BITS
#define VERIFY_BITS(x, n)
Definition: field_10x26_impl.h:462
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: secp256k1.h:127
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
Definition: field_10x26_impl.h:351
ByteUnit::m
@ m
secp256k1_fe_clear
static SECP256K1_INLINE void secp256k1_fe_clear(secp256k1_fe *a)
Definition: field_10x26_impl.h:294
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Definition: field_10x26_impl.h:1070
ByteUnit::t
@ t
secp256k1_modinv32_signed30
Definition: modinv32.h:19
secp256k1_const_modinfo_fe
static const secp256k1_modinv32_modinfo secp256k1_const_modinfo_fe
Definition: field_10x26_impl.h:1227